Coverage Report

Created: 2025-08-26 06:04

/src/hostap/tests/fuzzing/eap-mschapv2-peer/eap-mschapv2-peer.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * EAP-SIM peer fuzzer
3
 * Copyright (c) 2019, Jouni Malinen <j@w1.fi>
4
 *
5
 * This software may be distributed under the terms of the BSD license.
6
 * See README for more details.
7
 */
8
9
#include "utils/includes.h"
10
11
#include "utils/common.h"
12
#include "eap_peer/eap_methods.h"
13
#include "eap_peer/eap_config.h"
14
#include "eap_peer/eap_i.h"
15
#include "../fuzzer-common.h"
16
17
int eap_peer_sim_register(void);
18
19
struct eap_method * registered_eap_method = NULL;
20
21
22
struct eap_method * eap_peer_method_alloc(int version, int vendor,
23
            enum eap_type method,
24
            const char *name)
25
4.90k
{
26
4.90k
  struct eap_method *eap;
27
4.90k
  eap = os_zalloc(sizeof(*eap));
28
4.90k
  if (!eap)
29
0
    return NULL;
30
4.90k
  eap->version = version;
31
4.90k
  eap->vendor = vendor;
32
4.90k
  eap->method = method;
33
4.90k
  eap->name = name;
34
4.90k
  return eap;
35
4.90k
}
36
37
38
int eap_peer_method_register(struct eap_method *method)
39
4.90k
{
40
4.90k
  registered_eap_method = method;
41
4.90k
  return 0;
42
4.90k
}
43
44
45
static struct eap_peer_config eap_mschapv2_config = {
46
  .identity = (u8 *) "user",
47
  .identity_len = 4,
48
  .password = (u8 *) "password",
49
  .password_len = 8,
50
};
51
52
struct eap_peer_config * eap_get_config(struct eap_sm *sm)
53
3.03M
{
54
3.03M
  return &eap_mschapv2_config;
55
3.03M
}
56
57
58
const u8 * eap_get_config_identity(struct eap_sm *sm, size_t *len)
59
1.54M
{
60
1.54M
  static const char *id = "user";
61
62
1.54M
  *len = os_strlen(id);
63
1.54M
  return (const u8 *) id;
64
1.54M
}
65
66
67
const u8 * eap_get_config_password(struct eap_sm *sm, size_t *len)
68
1.49M
{
69
1.49M
  struct eap_peer_config *config = eap_get_config(sm);
70
71
1.49M
  *len = config->password_len;
72
1.49M
  return config->password;
73
1.49M
}
74
75
76
const u8 * eap_get_config_password2(struct eap_sm *sm, size_t *len, int *hash)
77
8.42k
{
78
8.42k
  struct eap_peer_config *config = eap_get_config(sm);
79
80
8.42k
  *len = config->password_len;
81
8.42k
  if (hash)
82
8.42k
    *hash = !!(config->flags & EAP_CONFIG_FLAGS_PASSWORD_NTHASH);
83
8.42k
  return config->password;
84
8.42k
}
85
86
87
const u8 * eap_get_config_new_password(struct eap_sm *sm, size_t *len)
88
0
{
89
0
  *len = 3;
90
0
  return (const u8 *) "new";
91
0
}
92
93
94
void eap_sm_request_identity(struct eap_sm *sm)
95
7.73k
{
96
7.73k
}
97
98
99
void eap_sm_request_password(struct eap_sm *sm)
100
23.1k
{
101
23.1k
}
102
103
104
void eap_sm_request_new_password(struct eap_sm *sm)
105
328
{
106
328
}
107
108
109
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
110
1.22k
{
111
1.22k
  const u8 *pos, *end;
112
1.22k
  struct eap_sm *sm;
113
1.22k
  void *priv;
114
1.22k
  struct eap_method_ret ret;
115
116
1.22k
  wpa_fuzzer_set_debug_level();
117
118
1.22k
  eap_peer_mschapv2_register();
119
1.22k
  sm = os_zalloc(sizeof(*sm));
120
1.22k
  if (!sm)
121
0
    return 0;
122
1.22k
  priv = registered_eap_method->init(sm);
123
1.22k
  os_memset(&ret, 0, sizeof(ret));
124
125
1.22k
  pos = data;
126
1.22k
  end = pos + size;
127
128
1.48M
  while (end - pos > 2) {
129
1.48M
    u16 flen;
130
1.48M
    struct wpabuf *buf, *req;
131
132
1.48M
    flen = WPA_GET_BE16(pos);
133
1.48M
    pos += 2;
134
1.48M
    if (end - pos < flen)
135
72
      break;
136
1.48M
    req = wpabuf_alloc_copy(pos, flen);
137
1.48M
    if (!req)
138
0
      break;
139
1.48M
    wpa_hexdump_buf(MSG_MSGDUMP, "fuzzer - request", req);
140
1.48M
    buf = registered_eap_method->process(sm, priv, &ret, req);
141
1.48M
    wpa_hexdump_buf(MSG_MSGDUMP, "fuzzer - local response", buf);
142
1.48M
    wpabuf_free(req);
143
1.48M
    wpabuf_free(buf);
144
1.48M
    pos += flen;
145
1.48M
  }
146
147
1.22k
  registered_eap_method->deinit(sm, priv);
148
1.22k
  os_free(registered_eap_method);
149
1.22k
  os_free(sm);
150
151
1.22k
  return 0;
152
1.22k
}