/src/libsrtp/fuzzer/fuzzer.c
Line | Count | Source |
1 | | /* By Guido Vranken <guidovranken@gmail.com> -- |
2 | | * https://guidovranken.wordpress.com/ */ |
3 | | |
4 | | #include <stdio.h> |
5 | | #include <string.h> |
6 | | #include <stdlib.h> |
7 | | #include <stdbool.h> |
8 | | #include <limits.h> |
9 | | #include "srtp.h" |
10 | | #include "srtp_priv.h" |
11 | | #include "fuzzer.h" |
12 | | #include "mt19937.h" |
13 | | #include "testmem.h" |
14 | | |
15 | | /* Global variables */ |
16 | | static bool g_no_align = false; /* Can be enabled with --no_align */ |
17 | | static bool g_post_init = |
18 | | false; /* Set to true once past initialization phase */ |
19 | | static bool g_write_input = false; |
20 | | |
21 | | #ifdef FUZZ_32BIT |
22 | | #include <sys/mman.h> |
23 | | static bool g_no_mmap = false; /* Can be enabled with --no_mmap */ |
24 | | static void *g_mmap_allocation = |
25 | | NULL; /* Keeps current mmap() allocation address */ |
26 | | static size_t g_mmap_allocation_size = |
27 | | 0; /* Keeps current mmap() allocation size */ |
28 | | #endif |
29 | | |
30 | | /* Custom allocator functions */ |
31 | | |
32 | | static void *fuzz_alloc(const size_t size, const bool do_zero) |
33 | 2.03M | { |
34 | 2.03M | void *ret = NULL; |
35 | | #ifdef FUZZ_32BIT |
36 | | bool do_malloc = true; |
37 | | #endif |
38 | 2.03M | bool do_mmap, mmap_high = true; |
39 | | |
40 | 2.03M | if (size == 0) { |
41 | 1.12M | size_t ret; |
42 | | /* Allocations of size 0 are not illegal, but are a bad practice, since |
43 | | * writing just a single byte to this region constitutes undefined |
44 | | * behavior per the C spec. glibc will return a small, valid memory |
45 | | * region |
46 | | * whereas OpenBSD will crash upon writing to it. |
47 | | * Intentionally return a pointer to an invalid page to detect |
48 | | * unsound code efficiently. |
49 | | * fuzz_free is aware of this pointer range and will not attempt |
50 | | * to free()/munmap() it. |
51 | | */ |
52 | 1.12M | ret = 0x01 + (fuzz_mt19937_get() % 1024); |
53 | 1.12M | return (void *)ret; |
54 | 1.12M | } |
55 | | |
56 | | /* Don't do mmap()-based allocations during initialization */ |
57 | 905k | if (g_post_init == true) { |
58 | | /* Even extract these values if --no_mmap is specified. |
59 | | * This keeps the PRNG output stream consistent across |
60 | | * fuzzer configurations. |
61 | | */ |
62 | 905k | do_mmap = (fuzz_mt19937_get() % 64) == 0 ? true : false; |
63 | 905k | if (do_mmap == true) { |
64 | 14.9k | mmap_high = (fuzz_mt19937_get() % 2) == 0 ? true : false; |
65 | 14.9k | } |
66 | 905k | } else { |
67 | 0 | do_mmap = false; |
68 | 0 | } |
69 | | |
70 | | #ifdef FUZZ_32BIT |
71 | | /* g_mmap_allocation must be NULL because we only support a single |
72 | | * concurrent mmap allocation at a time |
73 | | */ |
74 | | if (g_mmap_allocation == NULL && g_no_mmap == false && do_mmap == true) { |
75 | | void *mmap_address; |
76 | | if (mmap_high == true) { |
77 | | mmap_address = (void *)0xFFFF0000; |
78 | | } else { |
79 | | mmap_address = (void *)0x00010000; |
80 | | } |
81 | | g_mmap_allocation_size = size; |
82 | | |
83 | | ret = mmap(mmap_address, g_mmap_allocation_size, PROT_READ | PROT_WRITE, |
84 | | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); |
85 | | |
86 | | if (ret == MAP_FAILED) { |
87 | | /* That's okay -- just return NULL to the caller */ |
88 | | |
89 | | ret = NULL; |
90 | | |
91 | | /* Reset this for the sake of cleanliness */ |
92 | | g_mmap_allocation_size = 0; |
93 | | } |
94 | | /* ret not being MAP_FAILED does not mean that ret is the requested |
95 | | * address (mmap_address). That's okay. We're not going to perform |
96 | | * a munmap() on it and call malloc() instead. It won't gain us |
97 | | * anything. |
98 | | */ |
99 | | |
100 | | g_mmap_allocation = ret; |
101 | | do_malloc = false; |
102 | | } |
103 | | |
104 | | if (do_malloc == true) |
105 | | #endif |
106 | 905k | { |
107 | 905k | ret = malloc(size); |
108 | 905k | } |
109 | | |
110 | | /* Mimic calloc() if so requested */ |
111 | 905k | if (ret != NULL && do_zero) { |
112 | 32.6k | memset(ret, 0, size); |
113 | 32.6k | } |
114 | | |
115 | 905k | return ret; |
116 | 2.03M | } |
117 | | |
118 | | /* Internal allocations by this fuzzer must on one hand (sometimes) |
119 | | * receive memory from mmap(), but on the other hand these requests for |
120 | | * memory may not fail. By calling this function, the allocation is |
121 | | * guaranteed to succeed; it first tries with fuzz_alloc(), which may |
122 | | * fail if it uses mmap(), and if that is the case, memory is allocated |
123 | | * via the libc allocator (malloc, calloc) which should always succeed */ |
124 | | static void *fuzz_alloc_succeed(const size_t size, const bool do_zero) |
125 | 2.03M | { |
126 | 2.03M | void *ret = fuzz_alloc(size, do_zero); |
127 | 2.03M | if (ret == NULL) { |
128 | 0 | if (do_zero == false) { |
129 | 0 | ret = malloc(size); |
130 | 0 | } else { |
131 | 0 | ret = calloc(1, size); |
132 | 0 | } |
133 | 0 | } |
134 | | |
135 | 2.03M | return ret; |
136 | 2.03M | } |
137 | | |
138 | | void *fuzz_calloc(const size_t nmemb, const size_t size) |
139 | 0 | { |
140 | | /* We must be past srtp_init() to prevent that that function fails */ |
141 | 0 | if (g_post_init == true) { |
142 | | /* Fail 1 in 64 allocations on average to test whether the library |
143 | | * can deal with this properly. |
144 | | */ |
145 | 0 | if ((fuzz_mt19937_get() % 64) == 0) { |
146 | 0 | return NULL; |
147 | 0 | } |
148 | 0 | } |
149 | | |
150 | 0 | return fuzz_alloc(nmemb * size, true); |
151 | 0 | } |
152 | | |
153 | | static bool fuzz_is_special_pointer(void *ptr) |
154 | 2.09M | { |
155 | | /* Special, invalid pointers introduced when code attempted |
156 | | * to do size = 0 allocations. |
157 | | */ |
158 | 2.09M | if ((size_t)ptr >= 0x01 && (size_t)ptr < (0x01 + 1024)) { |
159 | 1.12M | return true; |
160 | 1.12M | } else { |
161 | 971k | return false; |
162 | 971k | } |
163 | 2.09M | } |
164 | | |
165 | | void fuzz_free(void *ptr) |
166 | 2.09M | { |
167 | 2.09M | if (fuzz_is_special_pointer(ptr) == true) { |
168 | 1.12M | return; |
169 | 1.12M | } |
170 | | |
171 | | #ifdef FUZZ_32BIT |
172 | | if (g_post_init == true && ptr != NULL && ptr == g_mmap_allocation) { |
173 | | if (munmap(g_mmap_allocation, g_mmap_allocation_size) == -1) { |
174 | | /* Shouldn't happen */ |
175 | | abort(); |
176 | | } |
177 | | g_mmap_allocation = NULL; |
178 | | } else |
179 | | #endif |
180 | 971k | { |
181 | 971k | free(ptr); |
182 | 971k | } |
183 | 971k | } |
184 | | |
185 | | static srtp_err_status_t fuzz_srtp_protect(srtp_t srtp_sender, |
186 | | void *hdr, |
187 | | size_t *len, |
188 | | size_t mki) |
189 | 29.4k | { |
190 | 29.4k | size_t out_len = *len + SRTP_MAX_TRAILER_LEN; |
191 | 29.4k | srtp_err_status_t s = |
192 | 29.4k | srtp_protect(srtp_sender, hdr, *len, hdr, &out_len, mki); |
193 | 29.4k | *len = out_len; |
194 | 29.4k | return s; |
195 | 29.4k | } |
196 | | |
197 | | static srtp_err_status_t fuzz_srtp_unprotect(srtp_t srtp_sender, |
198 | | void *hdr, |
199 | | size_t *len, |
200 | | size_t mki) |
201 | 101k | { |
202 | 101k | return srtp_unprotect(srtp_sender, hdr, *len, hdr, len); |
203 | 101k | } |
204 | | |
205 | | static srtp_err_status_t fuzz_srtp_protect_rtcp(srtp_t srtp_sender, |
206 | | void *hdr, |
207 | | size_t *len, |
208 | | size_t mki) |
209 | 105k | { |
210 | 105k | size_t out_len = *len + SRTP_MAX_SRTCP_TRAILER_LEN; |
211 | 105k | srtp_err_status_t s = |
212 | 105k | srtp_protect_rtcp(srtp_sender, hdr, *len, hdr, &out_len, mki); |
213 | 105k | *len = out_len; |
214 | 105k | return s; |
215 | 105k | } |
216 | | |
217 | | static srtp_err_status_t fuzz_srtp_unprotect_rtcp(srtp_t srtp_sender, |
218 | | void *hdr, |
219 | | size_t *len, |
220 | | size_t mki) |
221 | 2.37k | { |
222 | 2.37k | return srtp_unprotect_rtcp(srtp_sender, hdr, *len, hdr, len); |
223 | 2.37k | } |
224 | | |
225 | | /* Get protect length functions */ |
226 | | |
227 | | static srtp_err_status_t fuzz_srtp_get_protect_length(const srtp_t srtp_ctx, |
228 | | size_t mki, |
229 | | size_t *length) |
230 | 29.4k | { |
231 | 29.4k | return srtp_get_protect_trailer_length(srtp_ctx, mki, length); |
232 | 29.4k | } |
233 | | |
234 | | static srtp_err_status_t fuzz_srtp_get_protect_rtcp_length( |
235 | | const srtp_t srtp_ctx, |
236 | | size_t mki, |
237 | | size_t *length) |
238 | 105k | { |
239 | 105k | return srtp_get_protect_rtcp_trailer_length(srtp_ctx, mki, length); |
240 | 105k | } |
241 | | |
242 | | static uint8_t *extract_key(const uint8_t **data, |
243 | | size_t *size, |
244 | | const size_t key_size) |
245 | 17.8k | { |
246 | 17.8k | uint8_t *ret; |
247 | 17.8k | if (*size < key_size) { |
248 | 35 | return NULL; |
249 | 35 | } |
250 | | |
251 | 17.8k | ret = fuzz_alloc_succeed(key_size, false); |
252 | 17.8k | EXTRACT(ret, *data, *size, key_size); |
253 | | |
254 | 17.8k | return ret; |
255 | 17.8k | } |
256 | | |
257 | | static srtp_master_key_t *extract_master_key(const uint8_t **data, |
258 | | size_t *size, |
259 | | const size_t key_size, |
260 | | bool simulate, |
261 | | bool *success) |
262 | 1.15M | { |
263 | 1.15M | srtp_master_key_t *ret = NULL; |
264 | 1.15M | uint16_t mki_id_size; |
265 | | |
266 | 1.15M | if (simulate == true) { |
267 | 578k | *success = false; |
268 | 578k | } |
269 | | |
270 | 1.15M | EXTRACT_IF(&mki_id_size, *data, *size, sizeof(mki_id_size)); |
271 | | |
272 | 1.15M | if (*size < key_size + mki_id_size) { |
273 | 4.87k | goto end; |
274 | 4.87k | } |
275 | | |
276 | 1.14M | if (simulate == true) { |
277 | 574k | *data += key_size + mki_id_size; |
278 | 574k | *size -= key_size + mki_id_size; |
279 | 574k | *success = true; |
280 | 574k | goto end; |
281 | 574k | } |
282 | | |
283 | 574k | ret = fuzz_alloc_succeed(sizeof(srtp_master_key_t), false); |
284 | 574k | ret->key = fuzz_alloc_succeed(key_size, false); |
285 | | |
286 | 574k | ret->mki_id = fuzz_alloc_succeed(mki_id_size, false); |
287 | | |
288 | 574k | EXTRACT(ret->key, *data, *size, key_size); |
289 | 574k | EXTRACT(ret->mki_id, *data, *size, mki_id_size); |
290 | 1.15M | end: |
291 | 1.15M | return ret; |
292 | 574k | } |
293 | | |
294 | | static srtp_master_key_t **extract_master_keys(const uint8_t **data, |
295 | | size_t *size, |
296 | | const size_t key_size, |
297 | | size_t *num_master_keys) |
298 | 9.38k | { |
299 | 9.38k | const uint8_t *data_orig = *data; |
300 | 9.38k | size_t size_orig = *size; |
301 | 9.38k | size_t i = 0; |
302 | | |
303 | 9.38k | srtp_master_key_t **ret = NULL; |
304 | | |
305 | 9.38k | *num_master_keys = 0; |
306 | | |
307 | | /* First pass -- dry run, determine how many keys we want and can extract */ |
308 | 583k | while (1) { |
309 | 583k | uint8_t do_extract_master_key; |
310 | 583k | bool success; |
311 | 583k | if (*size < sizeof(do_extract_master_key)) { |
312 | 336 | goto next; |
313 | 336 | } |
314 | 583k | EXTRACT(&do_extract_master_key, *data, *size, |
315 | 583k | sizeof(do_extract_master_key)); |
316 | | |
317 | | /* Decide whether to extract another key */ |
318 | 583k | if ((do_extract_master_key % 2) == 0) { |
319 | 4.15k | break; |
320 | 4.15k | } |
321 | | |
322 | 578k | extract_master_key(data, size, key_size, true, &success); |
323 | | |
324 | 578k | if (success == false) { |
325 | 4.89k | break; |
326 | 4.89k | } |
327 | | |
328 | 574k | (*num_master_keys)++; |
329 | 574k | } |
330 | | |
331 | 9.38k | next: |
332 | 9.38k | *data = data_orig; |
333 | 9.38k | *size = size_orig; |
334 | | |
335 | | /* Allocate array of pointers */ |
336 | 9.38k | ret = fuzz_alloc_succeed(*num_master_keys * sizeof(srtp_master_key_t *), |
337 | 9.38k | false); |
338 | | |
339 | | /* Second pass -- perform the actual extractions */ |
340 | 583k | for (i = 0; i < *num_master_keys; i++) { |
341 | 574k | uint8_t do_extract_master_key; |
342 | 574k | EXTRACT_IF(&do_extract_master_key, *data, *size, |
343 | 574k | sizeof(do_extract_master_key)); |
344 | | |
345 | 574k | if ((do_extract_master_key % 2) == 0) { |
346 | 0 | break; |
347 | 0 | } |
348 | | |
349 | 574k | ret[i] = extract_master_key(data, size, key_size, false, NULL); |
350 | | |
351 | 574k | if (ret[i] == NULL) { |
352 | | /* Shouldn't happen */ |
353 | 0 | abort(); |
354 | 0 | } |
355 | 574k | } |
356 | | |
357 | 9.38k | end: |
358 | 9.38k | return ret; |
359 | 9.38k | } |
360 | | |
361 | | static srtp_policy_t *extract_policy(const uint8_t **data, size_t *size) |
362 | 32.9k | { |
363 | 32.9k | srtp_policy_t *policy = NULL; |
364 | 32.9k | struct { |
365 | 32.9k | uint8_t srtp_crypto_policy_func; |
366 | 32.9k | size_t window_size; |
367 | 32.9k | uint8_t allow_repeat_tx; |
368 | 32.9k | uint8_t ssrc_type; |
369 | 32.9k | uint32_t ssrc_value; |
370 | 32.9k | uint8_t num_xtn_hdr; |
371 | 32.9k | uint8_t do_extract_key; |
372 | 32.9k | uint8_t do_extract_master_keys; |
373 | 32.9k | } params; |
374 | | |
375 | 32.9k | EXTRACT_IF(¶ms, *data, *size, sizeof(params)); |
376 | | |
377 | 32.6k | params.srtp_crypto_policy_func %= sizeof(fuzz_srtp_crypto_policies) / |
378 | 32.6k | sizeof(fuzz_srtp_crypto_policies[0]); |
379 | 32.6k | params.allow_repeat_tx %= 2; |
380 | 32.6k | params.ssrc_type %= |
381 | 32.6k | sizeof(fuzz_ssrc_type_map) / sizeof(fuzz_ssrc_type_map[0]); |
382 | | |
383 | 32.6k | policy = fuzz_alloc_succeed(sizeof(*policy), true); |
384 | | |
385 | 32.6k | fuzz_srtp_crypto_policies[params.srtp_crypto_policy_func] |
386 | 32.6k | .crypto_policy_func(&policy->rtp); |
387 | 32.6k | fuzz_srtp_crypto_policies[params.srtp_crypto_policy_func] |
388 | 32.6k | .crypto_policy_func(&policy->rtcp); |
389 | | |
390 | 32.6k | if (policy->rtp.cipher_key_len > MAX_KEY_LEN) { |
391 | | /* Shouldn't happen */ |
392 | 0 | abort(); |
393 | 0 | } |
394 | | |
395 | 32.6k | policy->ssrc.type = fuzz_ssrc_type_map[params.ssrc_type].srtp_ssrc_type; |
396 | 32.6k | policy->ssrc.value = params.ssrc_value; |
397 | | |
398 | 32.6k | if ((params.do_extract_key % 2) == 0) { |
399 | 17.8k | policy->key = extract_key(data, size, policy->rtp.cipher_key_len); |
400 | | |
401 | 17.8k | if (policy->key == NULL) { |
402 | 35 | fuzz_free(policy); |
403 | 35 | return NULL; |
404 | 35 | } |
405 | 17.8k | } |
406 | | |
407 | 32.5k | if (params.num_xtn_hdr != 0) { |
408 | 11.3k | const size_t xtn_hdr_size = params.num_xtn_hdr * sizeof(int); |
409 | 11.3k | if (*size < xtn_hdr_size) { |
410 | 96 | fuzz_free(policy->key); |
411 | 96 | fuzz_free(policy); |
412 | 96 | return NULL; |
413 | 96 | } |
414 | 11.2k | policy->enc_xtn_hdr = fuzz_alloc_succeed(xtn_hdr_size, false); |
415 | 11.2k | EXTRACT(policy->enc_xtn_hdr, *data, *size, xtn_hdr_size); |
416 | 11.2k | policy->enc_xtn_hdr_count = params.num_xtn_hdr; |
417 | 11.2k | } |
418 | | |
419 | 32.4k | if ((params.do_extract_master_keys % 2) == 0) { |
420 | 9.38k | policy->keys = extract_master_keys( |
421 | 9.38k | data, size, policy->rtp.cipher_key_len, &policy->num_master_keys); |
422 | 9.38k | if (policy->keys == NULL) { |
423 | 0 | fuzz_free(policy->key); |
424 | 0 | fuzz_free(policy->enc_xtn_hdr); |
425 | 0 | fuzz_free(policy); |
426 | 0 | return NULL; |
427 | 0 | } |
428 | 9.38k | } |
429 | | |
430 | 32.4k | policy->window_size = params.window_size; |
431 | 32.4k | policy->allow_repeat_tx = params.allow_repeat_tx; |
432 | 32.4k | policy->next = NULL; |
433 | | |
434 | 32.8k | end: |
435 | 32.8k | return policy; |
436 | 32.4k | } |
437 | | |
438 | | static srtp_policy_t *extract_policies(const uint8_t **data, size_t *size) |
439 | 7.19k | { |
440 | 7.19k | srtp_policy_t *curpolicy = NULL, *policy_chain = NULL; |
441 | | |
442 | 7.19k | curpolicy = extract_policy(data, size); |
443 | 7.19k | if (curpolicy == NULL) { |
444 | 276 | return NULL; |
445 | 276 | } |
446 | | |
447 | 6.91k | policy_chain = curpolicy; |
448 | | |
449 | 32.4k | while (1) { |
450 | 32.4k | uint8_t do_extract_policy; |
451 | 32.4k | EXTRACT_IF(&do_extract_policy, *data, *size, sizeof(do_extract_policy)); |
452 | | |
453 | | /* Decide whether to extract another policy */ |
454 | 31.9k | if ((do_extract_policy % 2) == 0) { |
455 | 6.18k | break; |
456 | 6.18k | } |
457 | | |
458 | 25.7k | curpolicy->next = extract_policy(data, size); |
459 | 25.7k | if (curpolicy->next == NULL) { |
460 | 220 | break; |
461 | 220 | } |
462 | 25.5k | curpolicy = curpolicy->next; |
463 | 25.5k | } |
464 | | |
465 | 6.91k | end: |
466 | 6.91k | return policy_chain; |
467 | 6.91k | } |
468 | | |
469 | | static uint32_t *extract_remove_stream_ssrc(const uint8_t **data, |
470 | | size_t *size, |
471 | | uint8_t *num_remove_stream) |
472 | 2.99k | { |
473 | 2.99k | uint32_t *ret = NULL; |
474 | 2.99k | uint8_t _num_remove_stream; |
475 | 2.99k | size_t total_size; |
476 | | |
477 | 2.99k | *num_remove_stream = 0; |
478 | | |
479 | 2.99k | EXTRACT_IF(&_num_remove_stream, *data, *size, sizeof(_num_remove_stream)); |
480 | | |
481 | 2.81k | if (_num_remove_stream == 0) { |
482 | 1.64k | goto end; |
483 | 1.64k | } |
484 | | |
485 | 1.16k | total_size = _num_remove_stream * sizeof(uint32_t); |
486 | | |
487 | 1.16k | if (*size < total_size) { |
488 | 913 | goto end; |
489 | 913 | } |
490 | | |
491 | 255 | ret = fuzz_alloc_succeed(total_size, false); |
492 | 255 | EXTRACT(ret, *data, *size, total_size); |
493 | | |
494 | 255 | *num_remove_stream = _num_remove_stream; |
495 | | |
496 | 2.99k | end: |
497 | 2.99k | return ret; |
498 | 255 | } |
499 | | |
500 | | static uint32_t *extract_set_roc(const uint8_t **data, |
501 | | size_t *size, |
502 | | uint8_t *num_set_roc) |
503 | 2.99k | { |
504 | 2.99k | uint32_t *ret = NULL; |
505 | 2.99k | uint8_t _num_set_roc; |
506 | 2.99k | size_t total_size; |
507 | | |
508 | 2.99k | *num_set_roc = 0; |
509 | 2.99k | EXTRACT_IF(&_num_set_roc, *data, *size, sizeof(_num_set_roc)); |
510 | 2.79k | if (_num_set_roc == 0) { |
511 | 1.58k | goto end; |
512 | 1.58k | } |
513 | | |
514 | | /* Tuples of 2 uint32_t's */ |
515 | 1.21k | total_size = _num_set_roc * sizeof(uint32_t) * 2; |
516 | | |
517 | 1.21k | if (*size < total_size) { |
518 | 541 | goto end; |
519 | 541 | } |
520 | | |
521 | 676 | ret = fuzz_alloc_succeed(total_size, false); |
522 | 676 | EXTRACT(ret, *data, *size, total_size); |
523 | | |
524 | 676 | *num_set_roc = _num_set_roc; |
525 | | |
526 | 2.99k | end: |
527 | 2.99k | return ret; |
528 | 676 | } |
529 | | |
530 | | static void free_policies(srtp_policy_t *curpolicy) |
531 | 9.21k | { |
532 | 9.21k | size_t i; |
533 | 41.6k | while (curpolicy) { |
534 | 32.4k | srtp_policy_t *next = curpolicy->next; |
535 | | |
536 | 32.4k | fuzz_free(curpolicy->key); |
537 | | |
538 | 606k | for (i = 0; i < curpolicy->num_master_keys; i++) { |
539 | 574k | fuzz_free(curpolicy->keys[i]->key); |
540 | 574k | fuzz_free(curpolicy->keys[i]->mki_id); |
541 | 574k | fuzz_free(curpolicy->keys[i]); |
542 | 574k | } |
543 | | |
544 | 32.4k | fuzz_free(curpolicy->keys); |
545 | 32.4k | fuzz_free(curpolicy->enc_xtn_hdr); |
546 | 32.4k | fuzz_free(curpolicy); |
547 | | |
548 | 32.4k | curpolicy = next; |
549 | 32.4k | } |
550 | 9.21k | } |
551 | | |
552 | | static uint8_t *run_srtp_func(const srtp_t srtp_ctx, |
553 | | const uint8_t **data, |
554 | | size_t *size) |
555 | 122k | { |
556 | 122k | uint8_t *ret = NULL; |
557 | 122k | uint8_t *copy = NULL, *copy_2 = NULL; |
558 | | |
559 | 122k | struct { |
560 | 122k | uint16_t size; |
561 | 122k | uint8_t srtp_func; |
562 | 122k | uint32_t mki; |
563 | 122k | uint8_t stretch; |
564 | 122k | } params_1; |
565 | | |
566 | 122k | struct { |
567 | 122k | uint8_t srtp_func; |
568 | 122k | uint32_t mki; |
569 | 122k | } params_2; |
570 | 122k | size_t ret_size; |
571 | | |
572 | 122k | EXTRACT_IF(¶ms_1, *data, *size, sizeof(params_1)); |
573 | 120k | params_1.srtp_func %= sizeof(srtp_funcs) / sizeof(srtp_funcs[0]); |
574 | | |
575 | 120k | if (*size < params_1.size) { |
576 | 78 | goto end; |
577 | 78 | } |
578 | | |
579 | | /* Enforce 4 byte alignment */ |
580 | 120k | if (g_no_align == false) { |
581 | 120k | params_1.size -= params_1.size % 4; |
582 | 120k | } |
583 | | |
584 | 120k | if (params_1.size == 0) { |
585 | 50 | goto end; |
586 | 50 | } |
587 | | |
588 | 120k | ret_size = params_1.size; |
589 | 120k | if (srtp_funcs[params_1.srtp_func].protect == true) { |
590 | | /* Intentionally not initialized to trigger MemorySanitizer, if |
591 | | * applicable */ |
592 | 108k | size_t alloc_size; |
593 | | |
594 | 108k | if (srtp_funcs[params_1.srtp_func].get_length( |
595 | 108k | srtp_ctx, params_1.mki, &alloc_size) != srtp_err_status_ok) { |
596 | 2 | goto end; |
597 | 2 | } |
598 | | |
599 | 108k | copy = fuzz_alloc_succeed(ret_size + alloc_size, false); |
600 | 108k | } else { |
601 | 12.2k | copy = fuzz_alloc_succeed(ret_size, false); |
602 | 12.2k | } |
603 | | |
604 | 120k | EXTRACT(copy, *data, *size, params_1.size); |
605 | | |
606 | 120k | if (srtp_funcs[params_1.srtp_func].srtp_func( |
607 | 120k | srtp_ctx, copy, &ret_size, params_1.mki) != srtp_err_status_ok) { |
608 | 580 | fuzz_free(copy); |
609 | 580 | goto end; |
610 | 580 | } |
611 | | // fuzz_free(copy); |
612 | | |
613 | 119k | fuzz_testmem(copy, ret_size); |
614 | | |
615 | 119k | ret = copy; |
616 | | |
617 | 119k | EXTRACT_IF(¶ms_2, *data, *size, sizeof(params_2)); |
618 | 118k | params_2.srtp_func %= sizeof(srtp_funcs) / sizeof(srtp_funcs[0]); |
619 | | |
620 | 118k | if (ret_size == 0) { |
621 | 0 | goto end; |
622 | 0 | } |
623 | | |
624 | 118k | if (srtp_funcs[params_2.srtp_func].protect == true) { |
625 | | /* Intentionally not initialized to trigger MemorySanitizer, if |
626 | | * applicable */ |
627 | 26.8k | size_t alloc_size; |
628 | | |
629 | 26.8k | if (srtp_funcs[params_2.srtp_func].get_length( |
630 | 26.8k | srtp_ctx, params_2.mki, &alloc_size) != srtp_err_status_ok) { |
631 | 0 | goto end; |
632 | 0 | } |
633 | | |
634 | 26.8k | copy_2 = fuzz_alloc_succeed(ret_size + alloc_size, false); |
635 | 91.9k | } else { |
636 | 91.9k | copy_2 = fuzz_alloc_succeed(ret_size, false); |
637 | 91.9k | } |
638 | | |
639 | 118k | memcpy(copy_2, copy, ret_size); |
640 | 118k | fuzz_free(copy); |
641 | 118k | copy = copy_2; |
642 | | |
643 | 118k | if (srtp_funcs[params_2.srtp_func].srtp_func( |
644 | 118k | srtp_ctx, copy, &ret_size, params_2.mki) != srtp_err_status_ok) { |
645 | 316 | fuzz_free(copy); |
646 | 316 | ret = NULL; |
647 | 316 | goto end; |
648 | 316 | } |
649 | | |
650 | 118k | fuzz_testmem(copy, ret_size); |
651 | | |
652 | 118k | ret = copy; |
653 | | |
654 | 122k | end: |
655 | 122k | return ret; |
656 | 118k | } |
657 | | |
658 | | void fuzz_srtp_event_handler(srtp_event_data_t *data) |
659 | 107k | { |
660 | 107k | fuzz_testmem(data, sizeof(srtp_event_data_t)); |
661 | 107k | if (data->session != NULL) { |
662 | 107k | fuzz_testmem(data->session, sizeof(*data->session)); |
663 | 107k | } |
664 | 107k | } |
665 | | |
666 | | static void fuzz_write_input(const uint8_t *data, size_t size) |
667 | 0 | { |
668 | 0 | FILE *fp = fopen("input.bin", "wb"); |
669 | |
|
670 | 0 | if (fp == NULL) { |
671 | | /* Shouldn't happen */ |
672 | 0 | abort(); |
673 | 0 | } |
674 | | |
675 | 0 | if (size != 0 && fwrite(data, size, 1, fp) != 1) { |
676 | 0 | printf("Cannot write\n"); |
677 | | /* Shouldn't happen */ |
678 | 0 | abort(); |
679 | 0 | } |
680 | | |
681 | 0 | fclose(fp); |
682 | 0 | } |
683 | | |
684 | | int LLVMFuzzerInitialize(int *argc, char ***argv) |
685 | 2 | { |
686 | 2 | char **_argv = *argv; |
687 | 2 | int i; |
688 | 2 | bool no_custom_event_handler = false; |
689 | | |
690 | 2 | if (srtp_init() != srtp_err_status_ok) { |
691 | | /* Shouldn't happen */ |
692 | 0 | abort(); |
693 | 0 | } |
694 | | |
695 | 13 | for (i = 0; i < *argc; i++) { |
696 | 11 | if (strcmp("--no_align", _argv[i]) == 0) { |
697 | 0 | g_no_align = true; |
698 | 11 | } else if (strcmp("--no_custom_event_handler", _argv[i]) == 0) { |
699 | 0 | no_custom_event_handler = true; |
700 | 11 | } else if (strcmp("--write_input", _argv[i]) == 0) { |
701 | 0 | g_write_input = true; |
702 | 0 | } |
703 | | #ifdef FUZZ_32BIT |
704 | | else if (strcmp("--no_mmap", _argv[i]) == 0) { |
705 | | g_no_mmap = true; |
706 | | } |
707 | | #endif |
708 | 11 | } |
709 | | |
710 | 2 | if (no_custom_event_handler == false) { |
711 | 2 | if (srtp_install_event_handler(fuzz_srtp_event_handler) != |
712 | 2 | srtp_err_status_ok) { |
713 | | /* Shouldn't happen */ |
714 | 0 | abort(); |
715 | 0 | } |
716 | 2 | } |
717 | | |
718 | | /* Fully initialized -- past this point, simulated allocation failures |
719 | | * are allowed to occur */ |
720 | 2 | g_post_init = true; |
721 | | |
722 | 2 | return 0; |
723 | 2 | } |
724 | | |
725 | | int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) |
726 | 3.61k | { |
727 | 3.61k | uint8_t num_remove_stream; |
728 | 3.61k | uint32_t *remove_stream_ssrc = NULL; |
729 | 3.61k | uint8_t num_set_roc; |
730 | 3.61k | uint32_t *set_roc = NULL; |
731 | 3.61k | srtp_t srtp_ctx = NULL; |
732 | 3.61k | srtp_policy_t *policy_chain = NULL, *policy_chain_2 = NULL; |
733 | 3.61k | uint32_t randseed; |
734 | 3.61k | static bool firstrun = true; |
735 | | |
736 | 3.61k | if (firstrun == true) { |
737 | | /* TODO version check etc and send it to MSAN */ |
738 | 3.61k | } |
739 | | |
740 | | #ifdef FUZZ_32BIT |
741 | | /* Free the mmap allocation made during the previous iteration, if |
742 | | * applicable */ |
743 | | fuzz_free(g_mmap_allocation); |
744 | | #endif |
745 | | |
746 | 3.61k | if (g_write_input == true) { |
747 | 0 | fuzz_write_input(data, size); |
748 | 0 | } |
749 | | |
750 | 3.61k | EXTRACT_IF(&randseed, data, size, sizeof(randseed)); |
751 | 3.61k | fuzz_mt19937_init(randseed); |
752 | 3.61k | srand(randseed); |
753 | | |
754 | | /* policy_chain is used to initialize the srtp context with */ |
755 | 3.61k | if ((policy_chain = extract_policies(&data, &size)) == NULL) { |
756 | 35 | goto end; |
757 | 35 | } |
758 | | /* policy_chain_2 is used as an argument to srtp_update later on */ |
759 | 3.57k | if ((policy_chain_2 = extract_policies(&data, &size)) == NULL) { |
760 | 241 | goto end; |
761 | 241 | } |
762 | | |
763 | | /* Create context */ |
764 | 3.33k | if (srtp_create(&srtp_ctx, policy_chain) != srtp_err_status_ok) { |
765 | 344 | goto end; |
766 | 344 | } |
767 | | |
768 | | // free_policies(policy_chain); |
769 | | // policy_chain = NULL; |
770 | | |
771 | | /* Don't check for NULL result -- no extractions is fine */ |
772 | 2.99k | remove_stream_ssrc = |
773 | 2.99k | extract_remove_stream_ssrc(&data, &size, &num_remove_stream); |
774 | | |
775 | | /* Don't check for NULL result -- no extractions is fine */ |
776 | 2.99k | set_roc = extract_set_roc(&data, &size, &num_set_roc); |
777 | | |
778 | 2.99k | { |
779 | 2.99k | uint8_t *ret; |
780 | 2.99k | int i = 0, j = 0; |
781 | | |
782 | 122k | while ((ret = run_srtp_func(srtp_ctx, &data, &size)) != NULL) { |
783 | 119k | fuzz_free(ret); |
784 | | |
785 | | /* Keep removing streams until the set of SSRCs extracted from the |
786 | | * fuzzer input is exhausted */ |
787 | 119k | if (i < num_remove_stream) { |
788 | 1.18k | if (srtp_stream_remove(srtp_ctx, remove_stream_ssrc[i]) != |
789 | 1.18k | srtp_err_status_ok) { |
790 | 103 | goto end; |
791 | 103 | } |
792 | 1.08k | i++; |
793 | 1.08k | } |
794 | | |
795 | | /* Keep setting and getting ROCs until the set of SSRC/ROC tuples |
796 | | * extracted from the fuzzer input is exhausted */ |
797 | 119k | if (j < num_set_roc * 2) { |
798 | 1.24k | uint32_t roc; |
799 | 1.24k | if (srtp_stream_set_roc(srtp_ctx, set_roc[j], set_roc[j + 1]) != |
800 | 1.24k | srtp_err_status_ok) { |
801 | 63 | goto end; |
802 | 63 | } |
803 | 1.17k | if (srtp_stream_get_roc(srtp_ctx, set_roc[j + 1], &roc) != |
804 | 1.17k | srtp_err_status_ok) { |
805 | 57 | goto end; |
806 | 57 | } |
807 | 1.12k | j += 2; |
808 | 1.12k | } |
809 | | |
810 | 119k | if (policy_chain_2 != NULL) { |
811 | | /* TODO srtp_update(srtp_ctx, policy_chain_2); */ |
812 | | |
813 | | /* Discard after using once */ |
814 | 1.98k | free_policies(policy_chain_2); |
815 | 1.98k | policy_chain_2 = NULL; |
816 | 1.98k | } |
817 | 119k | } |
818 | 2.99k | } |
819 | | |
820 | 3.61k | end: |
821 | 3.61k | free_policies(policy_chain); |
822 | 3.61k | free_policies(policy_chain_2); |
823 | 3.61k | fuzz_free(remove_stream_ssrc); |
824 | 3.61k | fuzz_free(set_roc); |
825 | 3.61k | if (srtp_ctx != NULL) { |
826 | 2.99k | srtp_dealloc(srtp_ctx); |
827 | 2.99k | } |
828 | 3.61k | fuzz_mt19937_destroy(); |
829 | | |
830 | 3.61k | return 0; |
831 | 2.99k | } |