oss-fuzz and fuzzer files #551

Signed-off-by: 0x34d <ajsinghyadav00@gmail.com>

README.md

@@ -368,6 +368,17 @@ To enable code coverage, use:
          --directory src --capture --output-file gcov.info
     genhtml gcov.info --output-directory coverage
 
+## Fuzzing
+libfuzzer:
+
+```
+export CC=clang
+export CXX=clang++
+
+sh ./tests/build.sh ASan
+sh ./tests/build.sh Run
+```
+
 ## Embedding
 
 To embed lldpd into an existing system, there are two point of entries:

configure.ac

@@ -146,6 +146,21 @@ elif test x"$hardening" != x"no"; then
 fi
   ])
 
+#Fuzzer
+AC_ARG_ENABLE([fuzzer],
+  AS_HELP_STRING([--enable-fuzzer],
+    [Enable fuzzing @<:@default=no@:>@]),
+  [
+case "$enableval" in
+    no) fuzzer= ;;
+    yes) fuzzer="-fsanitize=fuzzer" ;;
+    *) fuzzer="$enableval" ;;
+esac
+if test x"$fuzzer" != x; then
+  AC_SUBST([FUZZENGINE], ["$fuzzer"])
+fi
+  ])
+
 # Code coverage
 AC_ARG_ENABLE([gcov],
   AS_HELP_STRING([--enable-gcov],
@@ -404,6 +419,7 @@ AC_SUBST([LLDP_CFLAGS])
 AC_SUBST([LLDP_CPPFLAGS])
 AC_SUBST([LLDP_LDFLAGS])
 AC_SUBST([LLDP_BIN_LDFLAGS])
+AM_CONDITIONAL([BUILD_FUZZER], [test x"$fuzzer" != x])
 AM_CONDITIONAL([HAVE_CHECK], [test x"$have_check" = x"yes"])
 AM_CONDITIONAL([USE_SNMP], [test x"$with_snmp" = x"yes"])
 AM_CONDITIONAL([USE_XML], [test x"$with_xml" = x"yes"])

tests/Makefile.am

@@ -63,4 +63,11 @@ check_PROGRAMS += $(TESTS)
 
 endif
 
+if BUILD_FUZZER
+noinst_PROGRAMS = fuzz-decode
+fuzz-decode_CFLAGS=-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fPIE
+fuzz-decode_SOURCES = decode.c
+fuzz-decode_LDADD = $(LDADD) $(FUZZENGINE)
+endif
+
 MOSTLYCLEANFILES = *.pcap

tests/build-fuzzer.sh

@@ -0,0 +1,30 @@
+#!/bin/bash -eu
+
+build(){
+   export CFLAGS="$1"
+   export CXXFLAGS="$1"
+
+   ./autogen.sh
+   ./configure CC="$CC" CFLAGS="$CFLAGS" LDFLAGS="$CFLAGS" \
+      --enable-fuzzer=yes --disable-shared --disable-hardening --enable-pie
+
+   make -j$(nproc)
+   mkdir -p tests/seed/fuzz-decode_Corpus
+}
+
+run(){
+   cd tests
+   ./fuzz-decode seed/fuzz-decode_Corpus seed/fuzz-decode_seed_corpus
+}
+
+help(){
+   echo "use: ./$0 ASan | UBSan | MSan | Run"
+}
+
+case $1 in
+   ASan) build "-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link" ;;
+   UBSan) build "-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr -fno-sanitize-recover=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr -fsanitize=fuzzer-no-link" ;;
+   MSan) build "-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=memory -fsanitize-memory-track-origins -fsanitize=fuzzer-no-link" ;;
+   run) run $2 ;;
+   *) help ;;
+esac

tests/decode.c

@@ -58,6 +58,69 @@ tohex(char *str, size_t len)
 		exit(5); \
 	}
 
+int decode(char *frame, int size,
+    struct lldpd_hardware *hardware, struct lldpd_chassis **nchassis, struct lldpd_port **nport) {
+	/* For decoding, we only need a very basic hardware */
+	memset(hardware, 0, sizeof(struct lldpd_hardware));
+	hardware->h_mtu = 1500;
+	strlcpy(hardware->h_ifname, "test", sizeof(hardware->h_ifname));
+
+	int decoded = 0;
+	if (lldp_decode(NULL, frame, size, hardware, nchassis, nport) == -1) {
+		fprintf(stderr, "Not decoded as a LLDP frame\n");
+	} else {
+		fprintf(stderr, "Decoded as a LLDP frame\n");
+		decoded = 1;
+	}
+#if defined ENABLE_CDP || defined ENABLE_FDP
+	if (cdp_decode(NULL, frame, size, hardware, nchassis, nport) == -1) {
+		fprintf(stderr, "Not decoded as a CDP frame\n");
+	} else {
+		fprintf(stderr, "Decoded as a CDP frame\n");
+		decoded = 1;
+	}
+#endif
+#ifdef ENABLE_SONMP
+	if (sonmp_decode(NULL, frame, size, hardware, nchassis, nport) == -1) {
+		fprintf(stderr, "Not decoded as a SONMP frame\n");
+	} else {
+		fprintf(stderr, "Decoded as a SONMP frame\n");
+		decoded = 1;
+	}
+#endif
+#ifdef ENABLE_EDP
+	if (edp_decode(NULL, frame, size, hardware, nchassis, nport) == -1) {
+		fprintf(stderr, "Not decoded as a EDP frame\n");
+	} else {
+		fprintf(stderr, "Decoded as a EDP frame\n");
+		decoded = 1;
+	}
+#endif
+	return decoded;
+}
+
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+
+#define kMinInputLength 30
+#define kMaxInputLength 1500
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+	if (size < kMinInputLength || size > kMaxInputLength){
+		return 0;
+	}
+	struct lldpd_hardware hardware;
+	struct lldpd_chassis *nchassis = NULL;
+	struct lldpd_port *nport = NULL;
+	if (!decode((char*)data, (int)size, &hardware, &nchassis, &nport)) {
+		return -1;
+	}
+	lldpd_port_cleanup(nport, 1); free(nport);
+	lldpd_chassis_cleanup(nchassis, 1);
+	return 0;
+}
+
+#else
+
 int
 main(int argc, char **argv)
 {
@@ -87,47 +150,11 @@ main(int argc, char **argv)
 	memcpy(&rechdr, buf + sizeof(hdr), sizeof(rechdr));
 	assert(len >= sizeof(hdr) + sizeof(rechdr) + rechdr.incl_len);
 
-	/* For decoding, we only need a very basic hardware */
 	struct lldpd_hardware hardware;
-	memset(&hardware, 0, sizeof(struct lldpd_hardware));
-	hardware.h_mtu = 1500;
-	strlcpy(hardware.h_ifname, "test", sizeof(hardware.h_ifname));
-
-	char *frame = buf + sizeof(hdr) + sizeof(rechdr);
 	struct lldpd_chassis *nchassis = NULL;
 	struct lldpd_port *nport = NULL;
-	int decoded = 0;
-	if (lldp_decode(NULL, frame, rechdr.incl_len, &hardware, &nchassis, &nport) == -1) {
-		fprintf(stderr, "Not decoded as a LLDP frame\n");
-	} else {
-		fprintf(stderr, "Decoded as a LLDP frame\n");
-		decoded = 1;
-	}
-#if defined ENABLE_CDP || defined ENABLE_FDP
-	if (cdp_decode(NULL, frame, rechdr.incl_len, &hardware, &nchassis, &nport) == -1) {
-		fprintf(stderr, "Not decoded as a CDP frame\n");
-	} else {
-		fprintf(stderr, "Decoded as a CDP frame\n");
-		decoded = 1;
-	}
-#endif
-#ifdef ENABLE_SONMP
-	if (sonmp_decode(NULL, frame, rechdr.incl_len, &hardware, &nchassis, &nport) == -1) {
-		fprintf(stderr, "Not decoded as a SONMP frame\n");
-	} else {
-		fprintf(stderr, "Decoded as a SONMP frame\n");
-		decoded = 1;
-	}
-#endif
-#ifdef ENABLE_EDP
-	if (edp_decode(NULL, frame, rechdr.incl_len, &hardware, &nchassis, &nport) == -1) {
-		fprintf(stderr, "Not decoded as a EDP frame\n");
-	} else {
-		fprintf(stderr, "Decoded as a EDP frame\n");
-		decoded = 1;
-	}
-#endif
-	if (!decoded) exit(1);
+	if (!decode(buf + sizeof(hdr) + sizeof(rechdr), rechdr.incl_len, &hardware, &nchassis, &nport))
+		exit(1);
 
 	printf("Chassis:\n");
 	printf(" Index: %" PRIu16 "\n", nchassis->c_index);
@@ -245,3 +272,5 @@ main(int argc, char **argv)
 #endif
 	exit(0);
 }
+
+#endif