/src/fluent-bit/tests/internal/fuzzers/utils_fuzzer.c

Source
/*  Fluent Bit
 *  ==========
 *  Copyright (C) 2019-2021 The Fluent Bit Authors
 *  Copyright (C) 2015-2018 Treasure Data Inc.
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */

#include <stdint.h>
#include <string.h>
#include <stdlib.h>
#include <msgpack.h>
#include <fluent-bit/flb_mem.h>
#include <fluent-bit/flb_utils.h>
#include <fluent-bit/flb_slist.h>
#include <fluent-bit/flb_gzip.h>
#include <fluent-bit/flb_hash_table.h>
#include <fluent-bit/flb_uri.h>
#include <fluent-bit/flb_hash.h>
#include <fluent-bit/flb_regex.h>
#include "flb_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    TIMEOUT_GUARD

    if (size < 750) {
        return 0;
    }

    /* Set fuzzer-malloc chance of failure */
    flb_malloc_mod = 25000;
    flb_malloc_p = 0;

    uint64_t ran_hash = *(uint64_t *)data;
    char *null_terminated1 = get_null_terminated(25, &data, &size);
    char *null_terminated2 = get_null_terminated(25, &data, &size);
    char *null_terminated3 = get_null_terminated(25, &data, &size);

    /* Prepare a general null-terminated string */
    char *null_terminated = (char*)malloc(size+1);
    null_terminated[size] = '\0';
    memcpy(null_terminated, data, size);

    /* Fuzzing of flb_utils.c */
    int sec;
    long nsec;
    size_t new_size;
    char *prot    = NULL;
    char *host    = NULL;
    char *port    = NULL;
    char *uri     = NULL;
    char *new_dst = NULL;

    if (flb_utils_write_str_buf(null_terminated, size, &new_dst, &new_size) == 0) {
        flb_free(new_dst);
    }

    struct mk_list *list = flb_utils_split(null_terminated, 'A', 3);
    if (list != NULL) {
        flb_utils_split_free(list);
    }
    struct mk_list *list2 = flb_utils_split_quoted(null_terminated, 'A', 3);
    if (list2 != NULL) {
        flb_utils_split_free(list2);
    }

    if (flb_utils_url_split(null_terminated, &prot, &host, &port, &uri) == 0) {
        flb_free(prot);
        flb_free(port);
        flb_free(host);
        flb_free(uri);
    }

    char *split_protocol = NULL;
    char *split_username = NULL;
    char *split_password = NULL;
    char *split_host     = NULL;
    char *split_port     = NULL;
    if (flb_utils_proxy_url_split(null_terminated, &split_protocol,
            &split_username, &split_password, &split_host, &split_port) == 0) {
        if (split_protocol) {
            flb_free(split_protocol);
        }
        if (split_username) {
            flb_free(split_username);
        }
        if (split_password) {
            flb_free(split_password);
        }
        if (split_host) {
            flb_free(split_host);
        }
        if (split_port) {
            flb_free(split_port);
        }
    }


    flb_utils_size_to_bytes(null_terminated);
    flb_utils_time_split(null_terminated, &sec, &nsec);
    flb_utils_time_to_seconds(null_terminated);
    flb_utils_bool(null_terminated);
    flb_utils_hex2int(null_terminated, size);

    /* Fuzzong of flb_uri.c */
    struct flb_uri *uri2 = NULL;
    uri2 = flb_uri_create(null_terminated);
    if (uri2 != NULL) {
        flb_uri_get(uri2, (int)data[0]);
        flb_uri_dump(uri2);
        flb_uri_destroy(uri2);
    }
    flb_sds_t encoded = flb_uri_encode((char*)data, size);
    if (encoded != NULL) {
        flb_sds_destroy(encoded);
    }

    /* Fuzzing of flb_hash.c */
    struct flb_hash_table *ht = NULL;
    ht = flb_hash_table_create((int)(data[2] % 0x04),
                               (size_t)data[0],
                               (int)data[1]);
    if (ht != NULL) {
        flb_hash_table_add(ht, null_terminated, size, null_terminated, size);

        char *out_buf = NULL;
        size_t out_size;
        flb_hash_table_get(ht, null_terminated, size, (void **)&out_buf, &out_size);

        /* now let's create some more instances */
        char *instances1[128] = { NULL };
        char *instances2[128] = { NULL };
        for (int i = 0; i < 128; i++) {
            char *in1 = malloc(3);
            char *in2 = malloc(3);
            memcpy(in1, data+(i*4), 2);
            memcpy(in2, data+(i*4)+2, 2);
            in1[2] = '\0';
            in2[2] = '\0';
            flb_hash_table_add(ht, in1, 2, in2, 2);
            instances1[i] = in1;
            instances2[i] = in2;
        }

        for(int i = 0; i < 20; i++) {
            char *hash_out_buf;
            size_t hash_out_size;
            flb_hash_table_get_by_id(ht, (int)data[i], null_terminated,
                                    (const char **)&hash_out_buf, &hash_out_size);
        }

        flb_hash_table_del(ht, null_terminated1);
        flb_hash_table_exists(ht, ran_hash);
        flb_hash_table_del_ptr(ht, null_terminated2, strlen(null_terminated2), NULL);
        flb_hash_table_get_ptr(ht, null_terminated3, strlen(null_terminated3));

        flb_hash_table_destroy(ht);
        for (int i =0; i<128; i++) {
            flb_free(instances1[i]);
            flb_free(instances2[i]);
        }
    }

    /* sds */
    flb_sds_t fs = flb_sds_create_len((const char*)data, size);
    if (fs != NULL) {
        fs = flb_sds_cat_esc(fs, "AAABBBCCC", 9, "ABC", 3);
        if (fs != NULL) {
            flb_sds_destroy(fs);
        }
    }

    /* Fuzzing of flb_gzip.c */
    void *str = NULL;
    size_t len;
    void *out_data = NULL;
    size_t out_len;
    if (flb_gzip_compress((char*)data, size, &str, &len) != -1) {
        flb_gzip_uncompress(str, len, &out_data, &out_len);
    }
    if (str != NULL) {
        free(str);
    }
    if (out_data != NULL) {
        free(out_data);
    }
    void *out_data2 = NULL;
    size_t out2_len;
    int uncompress_ret = flb_gzip_uncompress((char*)data, size, &out_data2, &out2_len);
    if (uncompress_ret != -1 && out_data2 != NULL) {
        flb_free(out_data2);
    }

    /* Fuzzing the sha routines */
    struct flb_hash sha512;
    uint8_t buf[64];

    flb_hash_init(&sha512, FLB_HASH_SHA512);
    flb_hash_update(&sha512, (unsigned char *) null_terminated, 32);
    flb_hash_update(&sha512, (unsigned char *) null_terminated+32, 32);
    flb_hash_update(&sha512, (unsigned char *) null_terminated+64, 32);
    flb_hash_finalize(&sha512, buf, sizeof(buf));
    flb_hash_cleanup(&sha512);

    /* regex */
    char *pregex = "^(?<INT>[^ ]+) (?<FLOAT>[^ ]+) (?<BOOL>[^ ]+) (?<STRING>.+)$";
    flb_regex_init();
    struct flb_regex *freg = flb_regex_create(pregex);
    if (freg != NULL) {
        flb_regex_match(freg, (unsigned char*)null_terminated, size);
        flb_regex_destroy(freg);
    }
    flb_regex_exit();

    /* slist */
    struct mk_list list3;
    flb_slist_create(&list3);
    flb_sds_t slist_str = flb_sds_create_len((const char*)data, size);
    flb_slist_add_sds(&list3, slist_str);
    flb_slist_entry_get(&list3, 100);
    flb_slist_dump(&list3);
    flb_slist_destroy(&list3);


    /* General cleanup */
    flb_free(null_terminated);
    flb_free(null_terminated1);
    flb_free(null_terminated2);
    flb_free(null_terminated3);
    return 0;
}

Coverage Report

Created: 2024-09-19 07:08

Line	Count	Source
1		/* Fluent Bit
2		* ==========
3		* Copyright (C) 2019-2021 The Fluent Bit Authors
4		* Copyright (C) 2015-2018 Treasure Data Inc.
5		*
6		* Licensed under the Apache License, Version 2.0 (the "License");
7		* you may not use this file except in compliance with the License.
8		* You may obtain a copy of the License at
9		*
10		* http://www.apache.org/licenses/LICENSE-2.0
11		*
12		* Unless required by applicable law or agreed to in writing, software
13		* distributed under the License is distributed on an "AS IS" BASIS,
14		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15		* See the License for the specific language governing permissions and
16		* limitations under the License.
17		*/
18
19		#include <stdint.h>
20		#include <string.h>
21		#include <stdlib.h>
22		#include <msgpack.h>
23		#include <fluent-bit/flb_mem.h>
24		#include <fluent-bit/flb_utils.h>
25		#include <fluent-bit/flb_slist.h>
26		#include <fluent-bit/flb_gzip.h>
27		#include <fluent-bit/flb_hash_table.h>
28		#include <fluent-bit/flb_uri.h>
29		#include <fluent-bit/flb_hash.h>
30		#include <fluent-bit/flb_regex.h>
31		#include "flb_fuzz_header.h"
32
33		int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
34	1.91k	{
35	1.91k	TIMEOUT_GUARD
36
37	1.89k	if (size < 750) {
38	42	return 0;
39	42	}
40
41		/* Set fuzzer-malloc chance of failure */
42	1.85k	flb_malloc_mod = 25000;
43	1.85k	flb_malloc_p = 0;
44
45	1.85k	uint64_t ran_hash = (uint64_t )data;
46	1.85k	char *null_terminated1 = get_null_terminated(25, &data, &size);
47	1.85k	char *null_terminated2 = get_null_terminated(25, &data, &size);
48	1.85k	char *null_terminated3 = get_null_terminated(25, &data, &size);
49
50		/* Prepare a general null-terminated string */
51	1.85k	char null_terminated = (char)malloc(size+1);
52	1.85k	null_terminated[size] = '\0';
53	1.85k	memcpy(null_terminated, data, size);
54
55		/* Fuzzing of flb_utils.c */
56	1.85k	int sec;
57	1.85k	long nsec;
58	1.85k	size_t new_size;
59	1.85k	char *prot = NULL;
60	1.85k	char *host = NULL;
61	1.85k	char *port = NULL;
62	1.85k	char *uri = NULL;
63	1.85k	char *new_dst = NULL;
64
65	1.85k	if (flb_utils_write_str_buf(null_terminated, size, &new_dst, &new_size) == 0) {
66	1.85k	flb_free(new_dst);
67	1.85k	}
68
69	1.85k	struct mk_list *list = flb_utils_split(null_terminated, 'A', 3);
70	1.85k	if (list != NULL) {
71	1.85k	flb_utils_split_free(list);
72	1.85k	}
73	1.85k	struct mk_list *list2 = flb_utils_split_quoted(null_terminated, 'A', 3);
74	1.85k	if (list2 != NULL) {
75	1.77k	flb_utils_split_free(list2);
76	1.77k	}
77
78	1.85k	if (flb_utils_url_split(null_terminated, &prot, &host, &port, &uri) == 0) {
79	413	flb_free(prot);
80	413	flb_free(port);
81	413	flb_free(host);
82	413	flb_free(uri);
83	413	}
84
85	1.85k	char *split_protocol = NULL;
86	1.85k	char *split_username = NULL;
87	1.85k	char *split_password = NULL;
88	1.85k	char *split_host = NULL;
89	1.85k	char *split_port = NULL;
90	1.85k	if (flb_utils_proxy_url_split(null_terminated, &split_protocol,
91	1.85k	&split_username, &split_password, &split_host, &split_port) == 0) {
92	62	if (split_protocol) {
93	62	flb_free(split_protocol);
94	62	}
95	62	if (split_username) {
96	30	flb_free(split_username);
97	30	}
98	62	if (split_password) {
99	8	flb_free(split_password);
100	8	}
101	62	if (split_host) {
102	36	flb_free(split_host);
103	36	}
104	62	if (split_port) {
105	62	flb_free(split_port);
106	62	}
107	62	}
108
109
110	1.85k	flb_utils_size_to_bytes(null_terminated);
111	1.85k	flb_utils_time_split(null_terminated, &sec, &nsec);
112	1.85k	flb_utils_time_to_seconds(null_terminated);
113	1.85k	flb_utils_bool(null_terminated);
114	1.85k	flb_utils_hex2int(null_terminated, size);
115
116		/* Fuzzong of flb_uri.c */
117	1.85k	struct flb_uri *uri2 = NULL;
118	1.85k	uri2 = flb_uri_create(null_terminated);
119	1.85k	if (uri2 != NULL) {
120	1.85k	flb_uri_get(uri2, (int)data[0]);
121	1.85k	flb_uri_dump(uri2);
122	1.85k	flb_uri_destroy(uri2);
123	1.85k	}
124	1.85k	flb_sds_t encoded = flb_uri_encode((char*)data, size);
125	1.85k	if (encoded != NULL) {
126	1.85k	flb_sds_destroy(encoded);
127	1.85k	}
128
129		/* Fuzzing of flb_hash.c */
130	1.85k	struct flb_hash_table *ht = NULL;
131	1.85k	ht = flb_hash_table_create((int)(data[2] % 0x04),
132	1.85k	(size_t)data[0],
133	1.85k	(int)data[1]);
134	1.85k	if (ht != NULL) {
135	1.80k	flb_hash_table_add(ht, null_terminated, size, null_terminated, size);
136
137	1.80k	char *out_buf = NULL;
138	1.80k	size_t out_size;
139	1.80k	flb_hash_table_get(ht, null_terminated, size, (void **)&out_buf, &out_size);
140
141		/* now let's create some more instances */
142	1.80k	char *instances1[128] = { NULL };
143	1.80k	char *instances2[128] = { NULL };
144	232k	for (int i = 0; i < 128; i++) {
145	230k	char *in1 = malloc(3);
146	230k	char *in2 = malloc(3);
147	230k	memcpy(in1, data+(i*4), 2);
148	230k	memcpy(in2, data+(i*4)+2, 2);
149	230k	in1[2] = '\0';
150	230k	in2[2] = '\0';
151	230k	flb_hash_table_add(ht, in1, 2, in2, 2);
152	230k	instances1[i] = in1;
153	230k	instances2[i] = in2;
154	230k	}
155
156	37.8k	for(int i = 0; i < 20; i++) {
157	36.0k	char *hash_out_buf;
158	36.0k	size_t hash_out_size;
159	36.0k	flb_hash_table_get_by_id(ht, (int)data[i], null_terminated,
160	36.0k	(const char **)&hash_out_buf, &hash_out_size);
161	36.0k	}
162
163	1.80k	flb_hash_table_del(ht, null_terminated1);
164	1.80k	flb_hash_table_exists(ht, ran_hash);
165	1.80k	flb_hash_table_del_ptr(ht, null_terminated2, strlen(null_terminated2), NULL);
166	1.80k	flb_hash_table_get_ptr(ht, null_terminated3, strlen(null_terminated3));
167
168	1.80k	flb_hash_table_destroy(ht);
169	232k	for (int i =0; i<128; i++) {
170	230k	flb_free(instances1[i]);
171	230k	flb_free(instances2[i]);
172	230k	}
173	1.80k	}
174
175		/* sds */
176	1.85k	flb_sds_t fs = flb_sds_create_len((const char*)data, size);
177	1.85k	if (fs != NULL) {
178	1.85k	fs = flb_sds_cat_esc(fs, "AAABBBCCC", 9, "ABC", 3);
179	1.85k	if (fs != NULL) {
180	1.85k	flb_sds_destroy(fs);
181	1.85k	}
182	1.85k	}
183
184		/* Fuzzing of flb_gzip.c */
185	1.85k	void *str = NULL;
186	1.85k	size_t len;
187	1.85k	void *out_data = NULL;
188	1.85k	size_t out_len;
189	1.85k	if (flb_gzip_compress((char*)data, size, &str, &len) != -1) {
190	1.85k	flb_gzip_uncompress(str, len, &out_data, &out_len);
191	1.85k	}
192	1.85k	if (str != NULL) {
193	1.85k	free(str);
194	1.85k	}
195	1.85k	if (out_data != NULL) {
196	1.85k	free(out_data);
197	1.85k	}
198	1.85k	void *out_data2 = NULL;
199	1.85k	size_t out2_len;
200	1.85k	int uncompress_ret = flb_gzip_uncompress((char*)data, size, &out_data2, &out2_len);
201	1.85k	if (uncompress_ret != -1 && out_data2 != NULL) {
202	1	flb_free(out_data2);
203	1	}
204
205		/* Fuzzing the sha routines */
206	1.85k	struct flb_hash sha512;
207	1.85k	uint8_t buf[64];
208
209	1.85k	flb_hash_init(&sha512, FLB_HASH_SHA512);
210	1.85k	flb_hash_update(&sha512, (unsigned char *) null_terminated, 32);
211	1.85k	flb_hash_update(&sha512, (unsigned char *) null_terminated+32, 32);
212	1.85k	flb_hash_update(&sha512, (unsigned char *) null_terminated+64, 32);
213	1.85k	flb_hash_finalize(&sha512, buf, sizeof(buf));
214	1.85k	flb_hash_cleanup(&sha512);
215
216		/* regex */
217	1.85k	char *pregex = "^(?<INT>[^ ]+) (?<FLOAT>[^ ]+) (?<BOOL>[^ ]+) (?<STRING>.+)$";
218	1.85k	flb_regex_init();
219	1.85k	struct flb_regex *freg = flb_regex_create(pregex);
220	1.85k	if (freg != NULL) {
221	1.85k	flb_regex_match(freg, (unsigned char*)null_terminated, size);
222	1.85k	flb_regex_destroy(freg);
223	1.85k	}
224	1.85k	flb_regex_exit();
225
226		/* slist */
227	1.85k	struct mk_list list3;
228	1.85k	flb_slist_create(&list3);
229	1.85k	flb_sds_t slist_str = flb_sds_create_len((const char*)data, size);
230	1.85k	flb_slist_add_sds(&list3, slist_str);
231	1.85k	flb_slist_entry_get(&list3, 100);
232	1.85k	flb_slist_dump(&list3);
233	1.85k	flb_slist_destroy(&list3);
234
235
236		/* General cleanup */
237	1.85k	flb_free(null_terminated);
238	1.85k	flb_free(null_terminated1);
239	1.85k	flb_free(null_terminated2);
240	1.85k	flb_free(null_terminated3);
241	1.85k	return 0;
242	1.89k	}