Coverage Report

Created: 2025-07-18 06:42

/src/gss-ntlmssp/fuzzing/fuzz-accept-sec-context.c
/* Copyright 2023 Google LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include <string.h>
#include <krb5.h>
#include <gssapi.h>
#include "gss_ntlmssp.h"
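/*
 * libFuzzer entry point exercising gssntlm_accept_sec_context(), the code
 * path that consumes tokens supplied by the remote peer.
 *
 * Input layout: a sequence of records, each an unsigned short length in
 * host byte order followed by that many token bytes. Records are fed to
 * the acceptor one after another for as long as it reports
 * GSS_S_CONTINUE_NEEDED. A truncated length field, a zero length, or a
 * length larger than the remaining input ends the run.
 *
 * Because the length prefix is read in host byte order, a corpus is only
 * meaningful on hosts with the same endianness.
 *
 * Always returns 0, as libFuzzer expects.
 */
extern int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
    /* Only read in the loop condition; initialised so that it is never
     * indeterminate regardless of how the loop is left. */
    OM_uint32 maj_stat = GSS_S_COMPLETE;
    OM_uint32 min_stat;

    gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
    gss_name_t client_name = GSS_C_NO_NAME;
    gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL;

    do {
        unsigned short token_length;
        gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER;

        if (Size < sizeof(token_length)) {
            break;
        }

        /* Data is only byte-aligned (and lands on an odd address after an
         * odd-length token), so copy the prefix out instead of
         * dereferencing a cast pointer, which would be a misaligned and
         * aliasing-violating read. */
        memcpy(&token_length, Data, sizeof(token_length));

        Data += sizeof(token_length);
        Size -= sizeof(token_length);

        if (token_length == 0 || token_length > Size) {
            break;
        }

        /* The token gets its own heap allocation; presumably so that a
         * memory sanitizer sees the exact token bounds -- confirm. */
        input_token.length = token_length;
        input_token.value = malloc(token_length);
        if (input_token.value == NULL) {
            /* Out of memory: stop here rather than memcpy into NULL and
             * report a crash that belongs to the harness, not the target. */
            break;
        }
        memcpy(input_token.value, Data, token_length);

        Data += token_length;
        Size -= token_length;

        maj_stat = gssntlm_accept_sec_context(
            &min_stat,
            &ctx,
            GSS_C_NO_CREDENTIAL, /* server_creds */
            &input_token,
            GSS_C_NO_CHANNEL_BINDINGS, /* input_bindings */
            &client_name,
            NULL, /* mech_type */
            &output_token,
            NULL, /* ret_flags */
            NULL, /* time */
            &deleg_cred
        );

        /* The malloc'd copy is handed to gss_release_buffer; this assumes
         * the GSS library releases buffers with free() -- confirm. The
         * minor status of the release calls is deliberately not checked. */
        gss_release_buffer(&min_stat, &input_token);
        gss_release_buffer(&min_stat, &output_token);
    } while (maj_stat == GSS_S_CONTINUE_NEEDED);

    /* Release everything the acceptor may have produced so that leak
     * detection only reports leaks inside the library under test. */
    gss_release_name(&min_stat, &client_name);
    gss_release_cred(&min_stat, &deleg_cred);

    gss_delete_sec_context(&min_stat, &ctx, GSS_C_NO_BUFFER);

    return 0;
}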