/src/libsrtp/fuzzer/fuzzer.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* By Guido Vranken <guidovranken@gmail.com> -- |
2 | | * https://guidovranken.wordpress.com/ */ |
3 | | |
4 | | #include <stdio.h> |
5 | | #include <string.h> |
6 | | #include <stdlib.h> |
7 | | #include <stdbool.h> |
8 | | #include <limits.h> |
9 | | #include "srtp.h" |
10 | | #include "srtp_priv.h" |
11 | | #include "fuzzer.h" |
12 | | #include "mt19937.h" |
13 | | #include "testmem.h" |
14 | | |
15 | | /* Global variables */ |
16 | | static bool g_no_align = false; /* Can be enabled with --no_align */ |
17 | | static bool g_post_init = |
18 | | false; /* Set to true once past initialization phase */ |
19 | | static bool g_write_input = false; |
20 | | |
21 | | #ifdef FUZZ_32BIT |
22 | | #include <sys/mman.h> |
23 | | static bool g_no_mmap = false; /* Can be enabled with --no_mmap */ |
24 | | static void *g_mmap_allocation = |
25 | | NULL; /* Keeps current mmap() allocation address */ |
26 | | static size_t g_mmap_allocation_size = |
27 | | 0; /* Keeps current mmap() allocation size */ |
28 | | #endif |
29 | | |
30 | | /* Custom allocator functions */ |
31 | | |
32 | | static void *fuzz_alloc(const size_t size, const bool do_zero) |
33 | 996k | { |
34 | 996k | void *ret = NULL; |
35 | | #ifdef FUZZ_32BIT |
36 | | bool do_malloc = true; |
37 | | #endif |
38 | 996k | bool do_mmap, mmap_high = true; |
39 | | |
40 | 996k | if (size == 0) { |
41 | 401k | size_t ret; |
42 | | /* Allocations of size 0 are not illegal, but are a bad practice, since |
43 | | * writing just a single byte to this region constitutes undefined |
44 | | * behavior per the C spec. glibc will return a small, valid memory |
45 | | * region |
46 | | * whereas OpenBSD will crash upon writing to it. |
47 | | * Intentionally return a pointer to an invalid page to detect |
48 | | * unsound code efficiently. |
49 | | * fuzz_free is aware of this pointer range and will not attempt |
50 | | * to free()/munmap() it. |
51 | | */ |
52 | 401k | ret = 0x01 + (fuzz_mt19937_get() % 1024); |
53 | 401k | return (void *)ret; |
54 | 401k | } |
55 | | |
56 | | /* Don't do mmap()-based allocations during initialization */ |
57 | 595k | if (g_post_init == true) { |
58 | | /* Even extract these values if --no_mmap is specified. |
59 | | * This keeps the PRNG output stream consistent across |
60 | | * fuzzer configurations. |
61 | | */ |
62 | 595k | do_mmap = (fuzz_mt19937_get() % 64) == 0 ? true : false; |
63 | 595k | if (do_mmap == true) { |
64 | 9.73k | mmap_high = (fuzz_mt19937_get() % 2) == 0 ? true : false; |
65 | 9.73k | } |
66 | 595k | } else { |
67 | 0 | do_mmap = false; |
68 | 0 | } |
69 | | |
70 | | #ifdef FUZZ_32BIT |
71 | | /* g_mmap_allocation must be NULL because we only support a single |
72 | | * concurrent mmap allocation at a time |
73 | | */ |
74 | | if (g_mmap_allocation == NULL && g_no_mmap == false && do_mmap == true) { |
75 | | void *mmap_address; |
76 | | if (mmap_high == true) { |
77 | | mmap_address = (void *)0xFFFF0000; |
78 | | } else { |
79 | | mmap_address = (void *)0x00010000; |
80 | | } |
81 | | g_mmap_allocation_size = size; |
82 | | |
83 | | ret = mmap(mmap_address, g_mmap_allocation_size, PROT_READ | PROT_WRITE, |
84 | | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); |
85 | | |
86 | | if (ret == MAP_FAILED) { |
87 | | /* That's okay -- just return NULL to the caller */ |
88 | | |
89 | | ret = NULL; |
90 | | |
91 | | /* Reset this for the sake of cleanliness */ |
92 | | g_mmap_allocation_size = 0; |
93 | | } |
94 | | /* ret not being MAP_FAILED does not mean that ret is the requested |
95 | | * address (mmap_address). That's okay. We're not going to perform |
96 | | * a munmap() on it and call malloc() instead. It won't gain us |
97 | | * anything. |
98 | | */ |
99 | | |
100 | | g_mmap_allocation = ret; |
101 | | do_malloc = false; |
102 | | } |
103 | | |
104 | | if (do_malloc == true) |
105 | | #endif |
106 | 595k | { |
107 | 595k | ret = malloc(size); |
108 | 595k | } |
109 | | |
110 | | /* Mimic calloc() if so requested */ |
111 | 595k | if (ret != NULL && do_zero) { |
112 | 35.5k | memset(ret, 0, size); |
113 | 35.5k | } |
114 | | |
115 | 595k | return ret; |
116 | 996k | } |
117 | | |
118 | | /* Internal allocations by this fuzzer must on one hand (sometimes) |
119 | | * receive memory from mmap(), but on the other hand these requests for |
120 | | * memory may not fail. By calling this function, the allocation is |
121 | | * guaranteed to succeed; it first tries with fuzz_alloc(), which may |
122 | | * fail if it uses mmap(), and if that is the case, memory is allocated |
123 | | * via the libc allocator (malloc, calloc) which should always succeed */ |
124 | | static void *fuzz_alloc_succeed(const size_t size, const bool do_zero) |
125 | 996k | { |
126 | 996k | void *ret = fuzz_alloc(size, do_zero); |
127 | 996k | if (ret == NULL) { |
128 | 0 | if (do_zero == false) { |
129 | 0 | ret = malloc(size); |
130 | 0 | } else { |
131 | 0 | ret = calloc(1, size); |
132 | 0 | } |
133 | 0 | } |
134 | | |
135 | 996k | return ret; |
136 | 996k | } |
137 | | |
138 | | void *fuzz_calloc(const size_t nmemb, const size_t size) |
139 | 0 | { |
140 | | /* We must be past srtp_init() to prevent that that function fails */ |
141 | 0 | if (g_post_init == true) { |
142 | | /* Fail 1 in 64 allocations on average to test whether the library |
143 | | * can deal with this properly. |
144 | | */ |
145 | 0 | if ((fuzz_mt19937_get() % 64) == 0) { |
146 | 0 | return NULL; |
147 | 0 | } |
148 | 0 | } |
149 | | |
150 | 0 | return fuzz_alloc(nmemb * size, true); |
151 | 0 | } |
152 | | |
153 | | static bool fuzz_is_special_pointer(void *ptr) |
154 | 1.05M | { |
155 | | /* Special, invalid pointers introduced when code attempted |
156 | | * to do size = 0 allocations. |
157 | | */ |
158 | 1.05M | if ((size_t)ptr >= 0x01 && (size_t)ptr < (0x01 + 1024)) { |
159 | 401k | return true; |
160 | 655k | } else { |
161 | 655k | return false; |
162 | 655k | } |
163 | 1.05M | } |
164 | | |
165 | | void fuzz_free(void *ptr) |
166 | 1.05M | { |
167 | 1.05M | if (fuzz_is_special_pointer(ptr) == true) { |
168 | 401k | return; |
169 | 401k | } |
170 | | |
171 | | #ifdef FUZZ_32BIT |
172 | | if (g_post_init == true && ptr != NULL && ptr == g_mmap_allocation) { |
173 | | if (munmap(g_mmap_allocation, g_mmap_allocation_size) == -1) { |
174 | | /* Shouldn't happen */ |
175 | | abort(); |
176 | | } |
177 | | g_mmap_allocation = NULL; |
178 | | } else |
179 | | #endif |
180 | 655k | { |
181 | 655k | free(ptr); |
182 | 655k | } |
183 | 655k | } |
184 | | |
185 | | static srtp_err_status_t fuzz_srtp_protect(srtp_t srtp_sender, |
186 | | void *hdr, |
187 | | size_t *len, |
188 | | size_t mki) |
189 | 21.0k | { |
190 | 21.0k | size_t out_len = *len + SRTP_MAX_TRAILER_LEN; |
191 | 21.0k | srtp_err_status_t s = |
192 | 21.0k | srtp_protect(srtp_sender, hdr, *len, hdr, &out_len, mki); |
193 | 21.0k | *len = out_len; |
194 | 21.0k | return s; |
195 | 21.0k | } |
196 | | |
197 | | static srtp_err_status_t fuzz_srtp_unprotect(srtp_t srtp_sender, |
198 | | void *hdr, |
199 | | size_t *len, |
200 | | size_t mki) |
201 | 122k | { |
202 | 122k | return srtp_unprotect(srtp_sender, hdr, *len, hdr, len); |
203 | 122k | } |
204 | | |
205 | | static srtp_err_status_t fuzz_srtp_protect_rtcp(srtp_t srtp_sender, |
206 | | void *hdr, |
207 | | size_t *len, |
208 | | size_t mki) |
209 | 133k | { |
210 | 133k | size_t out_len = *len + SRTP_MAX_SRTCP_TRAILER_LEN; |
211 | 133k | srtp_err_status_t s = |
212 | 133k | srtp_protect_rtcp(srtp_sender, hdr, *len, hdr, &out_len, mki); |
213 | 133k | *len = out_len; |
214 | 133k | return s; |
215 | 133k | } |
216 | | |
217 | | static srtp_err_status_t fuzz_srtp_unprotect_rtcp(srtp_t srtp_sender, |
218 | | void *hdr, |
219 | | size_t *len, |
220 | | size_t mki) |
221 | 2.67k | { |
222 | 2.67k | return srtp_unprotect_rtcp(srtp_sender, hdr, *len, hdr, len); |
223 | 2.67k | } |
224 | | |
225 | | /* Get protect length functions */ |
226 | | |
227 | | static srtp_err_status_t fuzz_srtp_get_protect_length(const srtp_t srtp_ctx, |
228 | | size_t mki, |
229 | | size_t *length) |
230 | 21.0k | { |
231 | 21.0k | return srtp_get_protect_trailer_length(srtp_ctx, mki, length); |
232 | 21.0k | } |
233 | | |
234 | | static srtp_err_status_t fuzz_srtp_get_protect_rtcp_length( |
235 | | const srtp_t srtp_ctx, |
236 | | size_t mki, |
237 | | size_t *length) |
238 | 133k | { |
239 | 133k | return srtp_get_protect_rtcp_trailer_length(srtp_ctx, mki, length); |
240 | 133k | } |
241 | | |
242 | | static uint8_t *extract_key(const uint8_t **data, |
243 | | size_t *size, |
244 | | const size_t key_size) |
245 | 16.6k | { |
246 | 16.6k | uint8_t *ret; |
247 | 16.6k | if (*size < key_size) { |
248 | 29 | return NULL; |
249 | 29 | } |
250 | | |
251 | 16.6k | ret = fuzz_alloc_succeed(key_size, false); |
252 | 16.6k | EXTRACT(ret, *data, *size, key_size); |
253 | | |
254 | 16.6k | return ret; |
255 | 16.6k | } |
256 | | |
257 | | static srtp_master_key_t *extract_master_key(const uint8_t **data, |
258 | | size_t *size, |
259 | | const size_t key_size, |
260 | | bool simulate, |
261 | | bool *success) |
262 | 429k | { |
263 | 429k | srtp_master_key_t *ret = NULL; |
264 | 429k | uint16_t mki_id_size; |
265 | | |
266 | 429k | if (simulate == true) { |
267 | 219k | *success = false; |
268 | 219k | } |
269 | | |
270 | 429k | EXTRACT_IF(&mki_id_size, *data, *size, sizeof(mki_id_size)); |
271 | | |
272 | 429k | if (*size < key_size + mki_id_size) { |
273 | 9.79k | goto end; |
274 | 9.79k | } |
275 | | |
276 | 419k | if (simulate == true) { |
277 | 209k | *data += key_size + mki_id_size; |
278 | 209k | *size -= key_size + mki_id_size; |
279 | 209k | *success = true; |
280 | 209k | goto end; |
281 | 209k | } |
282 | | |
283 | 209k | ret = fuzz_alloc_succeed(sizeof(srtp_master_key_t), false); |
284 | 209k | ret->key = fuzz_alloc_succeed(key_size, false); |
285 | | |
286 | 209k | ret->mki_id = fuzz_alloc_succeed(mki_id_size, false); |
287 | | |
288 | 209k | EXTRACT(ret->key, *data, *size, key_size); |
289 | 209k | EXTRACT(ret->mki_id, *data, *size, mki_id_size); |
290 | 429k | end: |
291 | 429k | return ret; |
292 | 209k | } |
293 | | |
294 | | static srtp_master_key_t **extract_master_keys(const uint8_t **data, |
295 | | size_t *size, |
296 | | const size_t key_size, |
297 | | size_t *num_master_keys) |
298 | 13.6k | { |
299 | 13.6k | const uint8_t *data_orig = *data; |
300 | 13.6k | size_t size_orig = *size; |
301 | 13.6k | size_t i = 0; |
302 | | |
303 | 13.6k | srtp_master_key_t **ret = NULL; |
304 | | |
305 | 13.6k | *num_master_keys = 0; |
306 | | |
307 | | /* First pass -- dry run, determine how many keys we want and can extract */ |
308 | 223k | while (1) { |
309 | 223k | uint8_t do_extract_master_key; |
310 | 223k | bool success; |
311 | 223k | if (*size < sizeof(do_extract_master_key)) { |
312 | 274 | goto next; |
313 | 274 | } |
314 | 223k | EXTRACT(&do_extract_master_key, *data, *size, |
315 | 223k | sizeof(do_extract_master_key)); |
316 | | |
317 | | /* Decide whether to extract another key */ |
318 | 223k | if ((do_extract_master_key % 2) == 0) { |
319 | 3.56k | break; |
320 | 3.56k | } |
321 | | |
322 | 219k | extract_master_key(data, size, key_size, true, &success); |
323 | | |
324 | 219k | if (success == false) { |
325 | 9.82k | break; |
326 | 9.82k | } |
327 | | |
328 | 209k | (*num_master_keys)++; |
329 | 209k | } |
330 | | |
331 | 13.6k | next: |
332 | 13.6k | *data = data_orig; |
333 | 13.6k | *size = size_orig; |
334 | | |
335 | | /* Allocate array of pointers */ |
336 | 13.6k | ret = fuzz_alloc_succeed(*num_master_keys * sizeof(srtp_master_key_t *), |
337 | 13.6k | false); |
338 | | |
339 | | /* Second pass -- perform the actual extractions */ |
340 | 223k | for (i = 0; i < *num_master_keys; i++) { |
341 | 209k | uint8_t do_extract_master_key; |
342 | 209k | EXTRACT_IF(&do_extract_master_key, *data, *size, |
343 | 209k | sizeof(do_extract_master_key)); |
344 | | |
345 | 209k | if ((do_extract_master_key % 2) == 0) { |
346 | 0 | break; |
347 | 0 | } |
348 | | |
349 | 209k | ret[i] = extract_master_key(data, size, key_size, false, NULL); |
350 | | |
351 | 209k | if (ret[i] == NULL) { |
352 | | /* Shouldn't happen */ |
353 | 0 | abort(); |
354 | 0 | } |
355 | 209k | } |
356 | | |
357 | 13.6k | end: |
358 | 13.6k | return ret; |
359 | 13.6k | } |
360 | | |
361 | | static srtp_policy_t *extract_policy(const uint8_t **data, size_t *size) |
362 | 35.8k | { |
363 | 35.8k | srtp_policy_t *policy = NULL; |
364 | 35.8k | struct { |
365 | 35.8k | uint8_t srtp_crypto_policy_func; |
366 | 35.8k | size_t window_size; |
367 | 35.8k | uint8_t allow_repeat_tx; |
368 | 35.8k | uint8_t ssrc_type; |
369 | 35.8k | uint32_t ssrc_value; |
370 | 35.8k | uint8_t num_xtn_hdr; |
371 | 35.8k | uint8_t do_extract_key; |
372 | 35.8k | uint8_t do_extract_master_keys; |
373 | 35.8k | } params; |
374 | | |
375 | 35.8k | EXTRACT_IF(¶ms, *data, *size, sizeof(params)); |
376 | | |
377 | 35.5k | params.srtp_crypto_policy_func %= sizeof(fuzz_srtp_crypto_policies) / |
378 | 35.5k | sizeof(fuzz_srtp_crypto_policies[0]); |
379 | 35.5k | params.allow_repeat_tx %= 2; |
380 | 35.5k | params.ssrc_type %= |
381 | 35.5k | sizeof(fuzz_ssrc_type_map) / sizeof(fuzz_ssrc_type_map[0]); |
382 | | |
383 | 35.5k | policy = fuzz_alloc_succeed(sizeof(*policy), true); |
384 | | |
385 | 35.5k | fuzz_srtp_crypto_policies[params.srtp_crypto_policy_func] |
386 | 35.5k | .crypto_policy_func(&policy->rtp); |
387 | 35.5k | fuzz_srtp_crypto_policies[params.srtp_crypto_policy_func] |
388 | 35.5k | .crypto_policy_func(&policy->rtcp); |
389 | | |
390 | 35.5k | if (policy->rtp.cipher_key_len > MAX_KEY_LEN) { |
391 | | /* Shouldn't happen */ |
392 | 0 | abort(); |
393 | 0 | } |
394 | | |
395 | 35.5k | policy->ssrc.type = fuzz_ssrc_type_map[params.ssrc_type].srtp_ssrc_type; |
396 | 35.5k | policy->ssrc.value = params.ssrc_value; |
397 | | |
398 | 35.5k | if ((params.do_extract_key % 2) == 0) { |
399 | 16.6k | policy->key = extract_key(data, size, policy->rtp.cipher_key_len); |
400 | | |
401 | 16.6k | if (policy->key == NULL) { |
402 | 29 | fuzz_free(policy); |
403 | 29 | return NULL; |
404 | 29 | } |
405 | 16.6k | } |
406 | | |
407 | 35.4k | if (params.num_xtn_hdr != 0) { |
408 | 21.1k | const size_t xtn_hdr_size = params.num_xtn_hdr * sizeof(int); |
409 | 21.1k | if (*size < xtn_hdr_size) { |
410 | 79 | fuzz_free(policy->key); |
411 | 79 | fuzz_free(policy); |
412 | 79 | return NULL; |
413 | 79 | } |
414 | 21.0k | policy->enc_xtn_hdr = fuzz_alloc_succeed(xtn_hdr_size, false); |
415 | 21.0k | EXTRACT(policy->enc_xtn_hdr, *data, *size, xtn_hdr_size); |
416 | 21.0k | policy->enc_xtn_hdr_count = params.num_xtn_hdr; |
417 | 21.0k | } |
418 | | |
419 | 35.4k | if ((params.do_extract_master_keys % 2) == 0) { |
420 | 13.6k | policy->keys = extract_master_keys( |
421 | 13.6k | data, size, policy->rtp.cipher_key_len, &policy->num_master_keys); |
422 | 13.6k | if (policy->keys == NULL) { |
423 | 0 | fuzz_free(policy->key); |
424 | 0 | fuzz_free(policy->enc_xtn_hdr); |
425 | 0 | fuzz_free(policy); |
426 | 0 | return NULL; |
427 | 0 | } |
428 | 13.6k | } |
429 | | |
430 | 35.4k | policy->window_size = params.window_size; |
431 | 35.4k | policy->allow_repeat_tx = params.allow_repeat_tx; |
432 | 35.4k | policy->next = NULL; |
433 | | |
434 | 35.7k | end: |
435 | 35.7k | return policy; |
436 | 35.4k | } |
437 | | |
438 | | static srtp_policy_t *extract_policies(const uint8_t **data, size_t *size) |
439 | 6.40k | { |
440 | 6.40k | srtp_policy_t *curpolicy = NULL, *policy_chain = NULL; |
441 | | |
442 | 6.40k | curpolicy = extract_policy(data, size); |
443 | 6.40k | if (curpolicy == NULL) { |
444 | 240 | return NULL; |
445 | 240 | } |
446 | | |
447 | 6.16k | policy_chain = curpolicy; |
448 | | |
449 | 35.4k | while (1) { |
450 | 35.4k | uint8_t do_extract_policy; |
451 | 35.4k | EXTRACT_IF(&do_extract_policy, *data, *size, sizeof(do_extract_policy)); |
452 | | |
453 | | /* Decide whether to extract another policy */ |
454 | 35.0k | if ((do_extract_policy % 2) == 0) { |
455 | 5.54k | break; |
456 | 5.54k | } |
457 | | |
458 | 29.4k | curpolicy->next = extract_policy(data, size); |
459 | 29.4k | if (curpolicy->next == NULL) { |
460 | 210 | break; |
461 | 210 | } |
462 | 29.2k | curpolicy = curpolicy->next; |
463 | 29.2k | } |
464 | | |
465 | 6.16k | end: |
466 | 6.16k | return policy_chain; |
467 | 6.16k | } |
468 | | |
469 | | static uint32_t *extract_remove_stream_ssrc(const uint8_t **data, |
470 | | size_t *size, |
471 | | uint8_t *num_remove_stream) |
472 | 2.68k | { |
473 | 2.68k | uint32_t *ret = NULL; |
474 | 2.68k | uint8_t _num_remove_stream; |
475 | 2.68k | size_t total_size; |
476 | | |
477 | 2.68k | *num_remove_stream = 0; |
478 | | |
479 | 2.68k | EXTRACT_IF(&_num_remove_stream, *data, *size, sizeof(_num_remove_stream)); |
480 | | |
481 | 2.53k | if (_num_remove_stream == 0) { |
482 | 1.67k | goto end; |
483 | 1.67k | } |
484 | | |
485 | 862 | total_size = _num_remove_stream * sizeof(uint32_t); |
486 | | |
487 | 862 | if (*size < total_size) { |
488 | 612 | goto end; |
489 | 612 | } |
490 | | |
491 | 250 | ret = fuzz_alloc_succeed(total_size, false); |
492 | 250 | EXTRACT(ret, *data, *size, total_size); |
493 | | |
494 | 250 | *num_remove_stream = _num_remove_stream; |
495 | | |
496 | 2.68k | end: |
497 | 2.68k | return ret; |
498 | 250 | } |
499 | | |
500 | | static uint32_t *extract_set_roc(const uint8_t **data, |
501 | | size_t *size, |
502 | | uint8_t *num_set_roc) |
503 | 2.68k | { |
504 | 2.68k | uint32_t *ret = NULL; |
505 | 2.68k | uint8_t _num_set_roc; |
506 | 2.68k | size_t total_size; |
507 | | |
508 | 2.68k | *num_set_roc = 0; |
509 | 2.68k | EXTRACT_IF(&_num_set_roc, *data, *size, sizeof(_num_set_roc)); |
510 | 2.52k | if (_num_set_roc == 0) { |
511 | 1.33k | goto end; |
512 | 1.33k | } |
513 | | |
514 | | /* Tuples of 2 uint32_t's */ |
515 | 1.18k | total_size = _num_set_roc * sizeof(uint32_t) * 2; |
516 | | |
517 | 1.18k | if (*size < total_size) { |
518 | 586 | goto end; |
519 | 586 | } |
520 | | |
521 | 600 | ret = fuzz_alloc_succeed(total_size, false); |
522 | 600 | EXTRACT(ret, *data, *size, total_size); |
523 | | |
524 | 600 | *num_set_roc = _num_set_roc; |
525 | | |
526 | 2.68k | end: |
527 | 2.68k | return ret; |
528 | 600 | } |
529 | | |
530 | | static void free_policies(srtp_policy_t *curpolicy) |
531 | 8.22k | { |
532 | 8.22k | size_t i; |
533 | 43.6k | while (curpolicy) { |
534 | 35.4k | srtp_policy_t *next = curpolicy->next; |
535 | | |
536 | 35.4k | fuzz_free(curpolicy->key); |
537 | | |
538 | 245k | for (i = 0; i < curpolicy->num_master_keys; i++) { |
539 | 209k | fuzz_free(curpolicy->keys[i]->key); |
540 | 209k | fuzz_free(curpolicy->keys[i]->mki_id); |
541 | 209k | fuzz_free(curpolicy->keys[i]); |
542 | 209k | } |
543 | | |
544 | 35.4k | fuzz_free(curpolicy->keys); |
545 | 35.4k | fuzz_free(curpolicy->enc_xtn_hdr); |
546 | 35.4k | fuzz_free(curpolicy); |
547 | | |
548 | 35.4k | curpolicy = next; |
549 | 35.4k | } |
550 | 8.22k | } |
551 | | |
552 | | static uint8_t *run_srtp_func(const srtp_t srtp_ctx, |
553 | | const uint8_t **data, |
554 | | size_t *size) |
555 | 142k | { |
556 | 142k | uint8_t *ret = NULL; |
557 | 142k | uint8_t *copy = NULL, *copy_2 = NULL; |
558 | | |
559 | 142k | struct { |
560 | 142k | uint16_t size; |
561 | 142k | uint8_t srtp_func; |
562 | 142k | uint32_t mki; |
563 | 142k | uint8_t stretch; |
564 | 142k | } params_1; |
565 | | |
566 | 142k | struct { |
567 | 142k | uint8_t srtp_func; |
568 | 142k | uint32_t mki; |
569 | 142k | } params_2; |
570 | 142k | size_t ret_size; |
571 | | |
572 | 142k | EXTRACT_IF(¶ms_1, *data, *size, sizeof(params_1)); |
573 | 140k | params_1.srtp_func %= sizeof(srtp_funcs) / sizeof(srtp_funcs[0]); |
574 | | |
575 | 140k | if (*size < params_1.size) { |
576 | 98 | goto end; |
577 | 98 | } |
578 | | |
579 | | /* Enforce 4 byte alignment */ |
580 | 140k | if (g_no_align == false) { |
581 | 140k | params_1.size -= params_1.size % 4; |
582 | 140k | } |
583 | | |
584 | 140k | if (params_1.size == 0) { |
585 | 77 | goto end; |
586 | 77 | } |
587 | | |
588 | 140k | ret_size = params_1.size; |
589 | 140k | if (srtp_funcs[params_1.srtp_func].protect == true) { |
590 | | /* Intentionally not initialized to trigger MemorySanitizer, if |
591 | | * applicable */ |
592 | 136k | size_t alloc_size; |
593 | | |
594 | 136k | if (srtp_funcs[params_1.srtp_func].get_length( |
595 | 136k | srtp_ctx, params_1.mki, &alloc_size) != srtp_err_status_ok) { |
596 | 1 | goto end; |
597 | 1 | } |
598 | | |
599 | 136k | copy = fuzz_alloc_succeed(ret_size + alloc_size, false); |
600 | 136k | } else { |
601 | 4.17k | copy = fuzz_alloc_succeed(ret_size, false); |
602 | 4.17k | } |
603 | | |
604 | 140k | EXTRACT(copy, *data, *size, params_1.size); |
605 | | |
606 | 140k | if (srtp_funcs[params_1.srtp_func].srtp_func( |
607 | 140k | srtp_ctx, copy, &ret_size, params_1.mki) != srtp_err_status_ok) { |
608 | 455 | fuzz_free(copy); |
609 | 455 | goto end; |
610 | 455 | } |
611 | | // fuzz_free(copy); |
612 | | |
613 | 140k | fuzz_testmem(copy, ret_size); |
614 | | |
615 | 140k | ret = copy; |
616 | | |
617 | 140k | EXTRACT_IF(¶ms_2, *data, *size, sizeof(params_2)); |
618 | 139k | params_2.srtp_func %= sizeof(srtp_funcs) / sizeof(srtp_funcs[0]); |
619 | | |
620 | 139k | if (ret_size == 0) { |
621 | 0 | goto end; |
622 | 0 | } |
623 | | |
624 | 139k | if (srtp_funcs[params_2.srtp_func].protect == true) { |
625 | | /* Intentionally not initialized to trigger MemorySanitizer, if |
626 | | * applicable */ |
627 | 17.9k | size_t alloc_size; |
628 | | |
629 | 17.9k | if (srtp_funcs[params_2.srtp_func].get_length( |
630 | 17.9k | srtp_ctx, params_2.mki, &alloc_size) != srtp_err_status_ok) { |
631 | 0 | goto end; |
632 | 0 | } |
633 | | |
634 | 17.9k | copy_2 = fuzz_alloc_succeed(ret_size + alloc_size, false); |
635 | 121k | } else { |
636 | 121k | copy_2 = fuzz_alloc_succeed(ret_size, false); |
637 | 121k | } |
638 | | |
639 | 139k | memcpy(copy_2, copy, ret_size); |
640 | 139k | fuzz_free(copy); |
641 | 139k | copy = copy_2; |
642 | | |
643 | 139k | if (srtp_funcs[params_2.srtp_func].srtp_func( |
644 | 139k | srtp_ctx, copy, &ret_size, params_2.mki) != srtp_err_status_ok) { |
645 | 274 | fuzz_free(copy); |
646 | 274 | ret = NULL; |
647 | 274 | goto end; |
648 | 274 | } |
649 | | |
650 | 139k | fuzz_testmem(copy, ret_size); |
651 | | |
652 | 139k | ret = copy; |
653 | | |
654 | 142k | end: |
655 | 142k | return ret; |
656 | 139k | } |
657 | | |
658 | | void fuzz_srtp_event_handler(srtp_event_data_t *data) |
659 | 129k | { |
660 | 129k | fuzz_testmem(data, sizeof(srtp_event_data_t)); |
661 | 129k | if (data->session != NULL) { |
662 | 129k | fuzz_testmem(data->session, sizeof(*data->session)); |
663 | 129k | } |
664 | 129k | } |
665 | | |
666 | | static void fuzz_write_input(const uint8_t *data, size_t size) |
667 | 0 | { |
668 | 0 | FILE *fp = fopen("input.bin", "wb"); |
669 | |
|
670 | 0 | if (fp == NULL) { |
671 | | /* Shouldn't happen */ |
672 | 0 | abort(); |
673 | 0 | } |
674 | | |
675 | 0 | if (size != 0 && fwrite(data, size, 1, fp) != 1) { |
676 | 0 | printf("Cannot write\n"); |
677 | | /* Shouldn't happen */ |
678 | 0 | abort(); |
679 | 0 | } |
680 | | |
681 | 0 | fclose(fp); |
682 | 0 | } |
683 | | |
684 | | int LLVMFuzzerInitialize(int *argc, char ***argv) |
685 | 2 | { |
686 | 2 | char **_argv = *argv; |
687 | 2 | int i; |
688 | 2 | bool no_custom_event_handler = false; |
689 | | |
690 | 2 | if (srtp_init() != srtp_err_status_ok) { |
691 | | /* Shouldn't happen */ |
692 | 0 | abort(); |
693 | 0 | } |
694 | | |
695 | 13 | for (i = 0; i < *argc; i++) { |
696 | 11 | if (strcmp("--no_align", _argv[i]) == 0) { |
697 | 0 | g_no_align = true; |
698 | 11 | } else if (strcmp("--no_custom_event_handler", _argv[i]) == 0) { |
699 | 0 | no_custom_event_handler = true; |
700 | 11 | } else if (strcmp("--write_input", _argv[i]) == 0) { |
701 | 0 | g_write_input = true; |
702 | 0 | } |
703 | | #ifdef FUZZ_32BIT |
704 | | else if (strcmp("--no_mmap", _argv[i]) == 0) { |
705 | | g_no_mmap = true; |
706 | | } |
707 | | #endif |
708 | 11 | else if (strncmp("--", _argv[i], 2) == 0) { |
709 | 0 | printf("Invalid argument: %s\n", _argv[i]); |
710 | 0 | exit(0); |
711 | 0 | } |
712 | 11 | } |
713 | | |
714 | 2 | if (no_custom_event_handler == false) { |
715 | 2 | if (srtp_install_event_handler(fuzz_srtp_event_handler) != |
716 | 2 | srtp_err_status_ok) { |
717 | | /* Shouldn't happen */ |
718 | 0 | abort(); |
719 | 0 | } |
720 | 2 | } |
721 | | |
722 | | /* Fully initialized -- past this point, simulated allocation failures |
723 | | * are allowed to occur */ |
724 | 2 | g_post_init = true; |
725 | | |
726 | 2 | return 0; |
727 | 2 | } |
728 | | |
729 | | int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) |
730 | 3.21k | { |
731 | 3.21k | uint8_t num_remove_stream; |
732 | 3.21k | uint32_t *remove_stream_ssrc = NULL; |
733 | 3.21k | uint8_t num_set_roc; |
734 | 3.21k | uint32_t *set_roc = NULL; |
735 | 3.21k | srtp_t srtp_ctx = NULL; |
736 | 3.21k | srtp_policy_t *policy_chain = NULL, *policy_chain_2 = NULL; |
737 | 3.21k | uint32_t randseed; |
738 | 3.21k | static bool firstrun = true; |
739 | | |
740 | 3.21k | if (firstrun == true) { |
741 | | /* TODO version check etc and send it to MSAN */ |
742 | 3.21k | } |
743 | | |
744 | | #ifdef FUZZ_32BIT |
745 | | /* Free the mmap allocation made during the previous iteration, if |
746 | | * applicable */ |
747 | | fuzz_free(g_mmap_allocation); |
748 | | #endif |
749 | | |
750 | 3.21k | if (g_write_input == true) { |
751 | 0 | fuzz_write_input(data, size); |
752 | 0 | } |
753 | | |
754 | 3.21k | EXTRACT_IF(&randseed, data, size, sizeof(randseed)); |
755 | 3.21k | fuzz_mt19937_init(randseed); |
756 | 3.21k | srand(randseed); |
757 | | |
758 | | /* policy_chain is used to initialize the srtp context with */ |
759 | 3.21k | if ((policy_chain = extract_policies(&data, &size)) == NULL) { |
760 | 28 | goto end; |
761 | 28 | } |
762 | | /* policy_chain_2 is used as an argument to srtp_update later on */ |
763 | 3.18k | if ((policy_chain_2 = extract_policies(&data, &size)) == NULL) { |
764 | 212 | goto end; |
765 | 212 | } |
766 | | |
767 | | /* Create context */ |
768 | 2.97k | if (srtp_create(&srtp_ctx, policy_chain) != srtp_err_status_ok) { |
769 | 289 | goto end; |
770 | 289 | } |
771 | | |
772 | | // free_policies(policy_chain); |
773 | | // policy_chain = NULL; |
774 | | |
775 | | /* Don't check for NULL result -- no extractions is fine */ |
776 | 2.68k | remove_stream_ssrc = |
777 | 2.68k | extract_remove_stream_ssrc(&data, &size, &num_remove_stream); |
778 | | |
779 | | /* Don't check for NULL result -- no extractions is fine */ |
780 | 2.68k | set_roc = extract_set_roc(&data, &size, &num_set_roc); |
781 | | |
782 | 2.68k | { |
783 | 2.68k | uint8_t *ret; |
784 | 2.68k | int i = 0, j = 0; |
785 | | |
786 | 142k | while ((ret = run_srtp_func(srtp_ctx, &data, &size)) != NULL) { |
787 | 139k | fuzz_free(ret); |
788 | | |
789 | | /* Keep removing streams until the set of SSRCs extracted from the |
790 | | * fuzzer input is exhausted */ |
791 | 139k | if (i < num_remove_stream) { |
792 | 1.11k | if (srtp_stream_remove(srtp_ctx, remove_stream_ssrc[i]) != |
793 | 1.11k | srtp_err_status_ok) { |
794 | 91 | goto end; |
795 | 91 | } |
796 | 1.02k | i++; |
797 | 1.02k | } |
798 | | |
799 | | /* Keep setting and getting ROCs until the set of SSRC/ROC tuples |
800 | | * extracted from the fuzzer input is exhausted */ |
801 | 139k | if (j < num_set_roc * 2) { |
802 | 1.51k | uint32_t roc; |
803 | 1.51k | if (srtp_stream_set_roc(srtp_ctx, set_roc[j], set_roc[j + 1]) != |
804 | 1.51k | srtp_err_status_ok) { |
805 | 84 | goto end; |
806 | 84 | } |
807 | 1.42k | if (srtp_stream_get_roc(srtp_ctx, set_roc[j + 1], &roc) != |
808 | 1.42k | srtp_err_status_ok) { |
809 | 48 | goto end; |
810 | 48 | } |
811 | 1.37k | j += 2; |
812 | 1.37k | } |
813 | | |
814 | 139k | if (policy_chain_2 != NULL) { |
815 | | /* TODO srtp_update(srtp_ctx, policy_chain_2); */ |
816 | | |
817 | | /* Discard after using once */ |
818 | 1.78k | free_policies(policy_chain_2); |
819 | 1.78k | policy_chain_2 = NULL; |
820 | 1.78k | } |
821 | 139k | } |
822 | 2.68k | } |
823 | | |
824 | 3.21k | end: |
825 | 3.21k | free_policies(policy_chain); |
826 | 3.21k | free_policies(policy_chain_2); |
827 | 3.21k | fuzz_free(remove_stream_ssrc); |
828 | 3.21k | fuzz_free(set_roc); |
829 | 3.21k | if (srtp_ctx != NULL) { |
830 | 2.68k | srtp_dealloc(srtp_ctx); |
831 | 2.68k | } |
832 | 3.21k | fuzz_mt19937_destroy(); |
833 | | |
834 | 3.21k | return 0; |
835 | 2.68k | } |