/src/libsrtp/fuzzer/fuzzer.c
Line | Count | Source |
1 | | /* By Guido Vranken <guidovranken@gmail.com> -- |
2 | | * https://guidovranken.wordpress.com/ */ |
3 | | |
4 | | #include <stdio.h> |
5 | | #include <string.h> |
6 | | #include <stdlib.h> |
7 | | #include <stdbool.h> |
8 | | #include <limits.h> |
9 | | #include "srtp.h" |
10 | | #include "srtp_priv.h" |
11 | | #include "fuzzer.h" |
12 | | #include "mt19937.h" |
13 | | #include "testmem.h" |
14 | | |
15 | | /* Global variables */ |
16 | | static bool g_no_align = false; /* Can be enabled with --no_align */ |
17 | | static bool g_post_init = |
18 | | false; /* Set to true once past initialization phase */ |
19 | | static bool g_write_input = false; |
20 | | |
21 | | #ifdef FUZZ_32BIT |
22 | | #include <sys/mman.h> |
23 | | static bool g_no_mmap = false; /* Can be enabled with --no_mmap */ |
24 | | static void *g_mmap_allocation = |
25 | | NULL; /* Keeps current mmap() allocation address */ |
26 | | static size_t g_mmap_allocation_size = |
27 | | 0; /* Keeps current mmap() allocation size */ |
28 | | #endif |
29 | | |
30 | | /* Custom allocator functions */ |
31 | | |
32 | | static void *fuzz_alloc(const size_t size, const bool do_zero) |
33 | 4.88k | { |
34 | 4.88k | void *ret = NULL; |
35 | | #ifdef FUZZ_32BIT |
36 | | bool do_malloc = true; |
37 | | #endif |
38 | 4.88k | bool do_mmap, mmap_high = true; |
39 | | |
40 | 4.88k | if (size == 0) { |
41 | 0 | size_t ret; |
42 | | /* Allocations of size 0 are not illegal, but are a bad practice, since |
43 | | * writing just a single byte to this region constitutes undefined |
44 | | * behavior per the C spec. glibc will return a small, valid memory |
45 | | * region |
46 | | * whereas OpenBSD will crash upon writing to it. |
47 | | * Intentionally return a pointer to an invalid page to detect |
48 | | * unsound code efficiently. |
49 | | * fuzz_free is aware of this pointer range and will not attempt |
50 | | * to free()/munmap() it. |
51 | | */ |
52 | 0 | ret = 0x01 + (fuzz_mt19937_get() % 1024); |
53 | 0 | return (void *)ret; |
54 | 0 | } |
55 | | |
56 | | /* Don't do mmap()-based allocations during initialization */ |
57 | 4.88k | if (g_post_init == true) { |
58 | | /* Even extract these values if --no_mmap is specified. |
59 | | * This keeps the PRNG output stream consistent across |
60 | | * fuzzer configurations. |
61 | | */ |
62 | 4.88k | do_mmap = (fuzz_mt19937_get() % 64) == 0 ? true : false; |
63 | 4.88k | if (do_mmap == true) { |
64 | 57 | mmap_high = (fuzz_mt19937_get() % 2) == 0 ? true : false; |
65 | 57 | } |
66 | 4.88k | } else { |
67 | 0 | do_mmap = false; |
68 | 0 | } |
69 | | |
70 | | #ifdef FUZZ_32BIT |
71 | | /* g_mmap_allocation must be NULL because we only support a single |
72 | | * concurrent mmap allocation at a time |
73 | | */ |
74 | | if (g_mmap_allocation == NULL && g_no_mmap == false && do_mmap == true) { |
75 | | void *mmap_address; |
76 | | if (mmap_high == true) { |
77 | | mmap_address = (void *)0xFFFF0000; |
78 | | } else { |
79 | | mmap_address = (void *)0x00010000; |
80 | | } |
81 | | g_mmap_allocation_size = size; |
82 | | |
83 | | ret = mmap(mmap_address, g_mmap_allocation_size, PROT_READ | PROT_WRITE, |
84 | | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); |
85 | | |
86 | | if (ret == MAP_FAILED) { |
87 | | /* That's okay -- just return NULL to the caller */ |
88 | | |
89 | | ret = NULL; |
90 | | |
91 | | /* Reset this for the sake of cleanliness */ |
92 | | g_mmap_allocation_size = 0; |
93 | | } |
94 | | /* ret not being MAP_FAILED does not mean that ret is the requested |
95 | | * address (mmap_address). That's okay. We're not going to perform |
96 | | * a munmap() on it and call malloc() instead. It won't gain us |
97 | | * anything. |
98 | | */ |
99 | | |
100 | | g_mmap_allocation = ret; |
101 | | do_malloc = false; |
102 | | } |
103 | | |
104 | | if (do_malloc == true) |
105 | | #endif |
106 | 4.88k | { |
107 | 4.88k | ret = malloc(size); |
108 | 4.88k | } |
109 | | |
110 | | /* Mimic calloc() if so requested */ |
111 | 4.88k | if (ret != NULL && do_zero) { |
112 | 0 | memset(ret, 0, size); |
113 | 0 | } |
114 | | |
115 | 4.88k | return ret; |
116 | 4.88k | } |
117 | | |
118 | | /* Internal allocations by this fuzzer must on one hand (sometimes) |
119 | | * receive memory from mmap(), but on the other hand these requests for |
120 | | * memory may not fail. By calling this function, the allocation is |
121 | | * guaranteed to succeed; it first tries with fuzz_alloc(), which may |
122 | | * fail if it uses mmap(), and if that is the case, memory is allocated |
123 | | * via the libc allocator (malloc, calloc) which should always succeed */ |
124 | | static void *fuzz_alloc_succeed(const size_t size, const bool do_zero) |
125 | 4.88k | { |
126 | 4.88k | void *ret = fuzz_alloc(size, do_zero); |
127 | 4.88k | if (ret == NULL) { |
128 | 0 | if (do_zero == false) { |
129 | 0 | ret = malloc(size); |
130 | 0 | } else { |
131 | 0 | ret = calloc(1, size); |
132 | 0 | } |
133 | 0 | } |
134 | | |
135 | 4.88k | return ret; |
136 | 4.88k | } |
137 | | |
138 | | void *fuzz_calloc(const size_t nmemb, const size_t size) |
139 | 0 | { |
140 | | /* We must be past srtp_init() to prevent that that function fails */ |
141 | 0 | if (g_post_init == true) { |
142 | | /* Fail 1 in 64 allocations on average to test whether the library |
143 | | * can deal with this properly. |
144 | | */ |
145 | 0 | if ((fuzz_mt19937_get() % 64) == 0) { |
146 | 0 | return NULL; |
147 | 0 | } |
148 | 0 | } |
149 | | |
150 | 0 | return fuzz_alloc(nmemb * size, true); |
151 | 0 | } |
152 | | |
153 | | static bool fuzz_is_special_pointer(void *ptr) |
154 | 12.2k | { |
155 | | /* Special, invalid pointers introduced when code attempted |
156 | | * to do size = 0 allocations. |
157 | | */ |
158 | 12.2k | if ((size_t)ptr >= 0x01 && (size_t)ptr < (0x01 + 1024)) { |
159 | 0 | return true; |
160 | 12.2k | } else { |
161 | 12.2k | return false; |
162 | 12.2k | } |
163 | 12.2k | } |
164 | | |
165 | | void fuzz_free(void *ptr) |
166 | 12.2k | { |
167 | 12.2k | if (fuzz_is_special_pointer(ptr) == true) { |
168 | 0 | return; |
169 | 0 | } |
170 | | |
171 | | #ifdef FUZZ_32BIT |
172 | | if (g_post_init == true && ptr != NULL && ptr == g_mmap_allocation) { |
173 | | if (munmap(g_mmap_allocation, g_mmap_allocation_size) == -1) { |
174 | | /* Shouldn't happen */ |
175 | | abort(); |
176 | | } |
177 | | g_mmap_allocation = NULL; |
178 | | } else |
179 | | #endif |
180 | 12.2k | { |
181 | 12.2k | free(ptr); |
182 | 12.2k | } |
183 | 12.2k | } |
184 | | |
185 | | static srtp_err_status_t fuzz_srtp_protect(srtp_t srtp_sender, |
186 | | void *hdr, |
187 | | size_t *len, |
188 | | size_t mki) |
189 | 0 | { |
190 | 0 | size_t out_len = *len + SRTP_MAX_TRAILER_LEN; |
191 | 0 | srtp_err_status_t s = |
192 | 0 | srtp_protect(srtp_sender, hdr, *len, hdr, &out_len, mki); |
193 | 0 | *len = out_len; |
194 | 0 | return s; |
195 | 0 | } |
196 | | |
197 | | static srtp_err_status_t fuzz_srtp_unprotect(srtp_t srtp_sender, |
198 | | void *hdr, |
199 | | size_t *len, |
200 | | size_t mki) |
201 | 1 | { |
202 | 1 | return srtp_unprotect(srtp_sender, hdr, *len, hdr, len); |
203 | 1 | } |
204 | | |
205 | | static srtp_err_status_t fuzz_srtp_protect_rtcp(srtp_t srtp_sender, |
206 | | void *hdr, |
207 | | size_t *len, |
208 | | size_t mki) |
209 | 1 | { |
210 | 1 | size_t out_len = *len + SRTP_MAX_SRTCP_TRAILER_LEN; |
211 | 1 | srtp_err_status_t s = |
212 | 1 | srtp_protect_rtcp(srtp_sender, hdr, *len, hdr, &out_len, mki); |
213 | 1 | *len = out_len; |
214 | 1 | return s; |
215 | 1 | } |
216 | | |
217 | | static srtp_err_status_t fuzz_srtp_unprotect_rtcp(srtp_t srtp_sender, |
218 | | void *hdr, |
219 | | size_t *len, |
220 | | size_t mki) |
221 | 0 | { |
222 | 0 | return srtp_unprotect_rtcp(srtp_sender, hdr, *len, hdr, len); |
223 | 0 | } |
224 | | |
225 | | /* Get protect length functions */ |
226 | | |
227 | | static srtp_err_status_t fuzz_srtp_get_protect_length(const srtp_t srtp_ctx, |
228 | | size_t mki, |
229 | | size_t *length) |
230 | 0 | { |
231 | 0 | return srtp_get_protect_trailer_length(srtp_ctx, mki, length); |
232 | 0 | } |
233 | | |
234 | | static srtp_err_status_t fuzz_srtp_get_protect_rtcp_length( |
235 | | const srtp_t srtp_ctx, |
236 | | size_t mki, |
237 | | size_t *length) |
238 | 1 | { |
239 | 1 | return srtp_get_protect_rtcp_trailer_length(srtp_ctx, mki, length); |
240 | 1 | } |
241 | | |
242 | | static uint8_t *extract_key(const uint8_t **data, |
243 | | size_t *size, |
244 | | const size_t key_size) |
245 | 5.06k | { |
246 | 5.06k | uint8_t *ret; |
247 | 5.06k | if (*size < key_size) { |
248 | 181 | return NULL; |
249 | 181 | } |
250 | | |
251 | 4.88k | ret = fuzz_alloc_succeed(key_size, false); |
252 | 4.88k | EXTRACT(ret, *data, *size, key_size); |
253 | | |
254 | 4.88k | return ret; |
255 | 5.06k | } |
256 | | |
257 | | static bool extract_and_add_key(srtp_policy_t policy, |
258 | | const uint8_t **data, |
259 | | size_t *size, |
260 | | size_t key_size, |
261 | | size_t salt_size) |
262 | 2.33k | { |
263 | 2.33k | bool added = false; |
264 | 2.33k | uint8_t *salt = NULL; |
265 | 2.33k | uint8_t *key = extract_key(data, size, key_size); |
266 | 2.33k | if (key == NULL) { |
267 | 95 | return false; |
268 | 95 | } |
269 | | |
270 | 2.24k | salt = extract_key(data, size, salt_size); |
271 | 2.24k | if (salt == NULL) { |
272 | 86 | goto end; |
273 | 86 | } |
274 | | |
275 | 2.15k | if (srtp_policy_add_key(policy, key, key_size, salt, salt_size, NULL, 0) == |
276 | 2.15k | srtp_err_status_ok) { |
277 | 2.15k | added = true; |
278 | 2.15k | } |
279 | | |
280 | 2.24k | end: |
281 | 2.24k | fuzz_free(salt); |
282 | 2.24k | fuzz_free(key); |
283 | 2.24k | return added; |
284 | 2.15k | } |
285 | | |
286 | | static bool extract_and_add_master_key(srtp_policy_t policy, |
287 | | const uint8_t **data, |
288 | | size_t *size, |
289 | | size_t key_size, |
290 | | size_t salt_size) |
291 | 745 | { |
292 | 745 | bool added = false; |
293 | 745 | uint8_t *key = NULL; |
294 | 745 | uint8_t *salt = NULL; |
295 | 745 | uint16_t mki_id_size = 0; |
296 | 745 | const uint8_t *mki = NULL; |
297 | 745 | srtp_err_status_t status; |
298 | | |
299 | 745 | EXTRACT_IF(&mki_id_size, *data, *size, sizeof(mki_id_size)); |
300 | | |
301 | 740 | if (*size < key_size + salt_size + mki_id_size) { |
302 | 449 | return false; |
303 | 449 | } |
304 | | |
305 | 291 | if (mki_id_size > SRTP_MAX_MKI_LEN) { |
306 | 47 | *data += key_size + salt_size + mki_id_size; |
307 | 47 | *size -= key_size + salt_size + mki_id_size; |
308 | 47 | return false; |
309 | 47 | } |
310 | | |
311 | 244 | key = extract_key(data, size, key_size); |
312 | 244 | if (key == NULL) { |
313 | 0 | return false; |
314 | 0 | } |
315 | 244 | salt = extract_key(data, size, salt_size); |
316 | 244 | if (salt == NULL) { |
317 | 0 | goto end; |
318 | 0 | } |
319 | 244 | mki = *data; |
320 | 244 | *data += mki_id_size; |
321 | 244 | *size -= mki_id_size; |
322 | | |
323 | 244 | if (mki_id_size > 0) { |
324 | 17 | status = srtp_policy_use_mki(policy, mki_id_size); |
325 | 17 | if (status != srtp_err_status_ok) { |
326 | 0 | goto end; |
327 | 0 | } |
328 | 17 | } |
329 | | |
330 | 244 | status = srtp_policy_add_key(policy, key, key_size, salt, salt_size, mki, |
331 | 244 | mki_id_size); |
332 | 244 | if (status != srtp_err_status_ok) { |
333 | 91 | goto end; |
334 | 91 | } |
335 | | |
336 | 153 | added = true; |
337 | | |
338 | 249 | end: |
339 | 249 | fuzz_free(salt); |
340 | 249 | fuzz_free(key); |
341 | 249 | return added; |
342 | 153 | } |
343 | | |
344 | | static srtp_policy_t extract_policy(const uint8_t **data, size_t *size) |
345 | 6.55k | { |
346 | 6.55k | srtp_policy_t policy = NULL; |
347 | 6.55k | srtp_profile_t profile; |
348 | 6.55k | size_t key_size; |
349 | 6.55k | size_t salt_size; |
350 | 6.55k | srtp_err_status_t status; |
351 | 6.55k | struct { |
352 | 6.55k | uint8_t srtp_profile; |
353 | 6.55k | size_t window_size; |
354 | 6.55k | uint8_t allow_repeat_tx; |
355 | 6.55k | uint8_t ssrc_type; |
356 | 6.55k | uint32_t ssrc_value; |
357 | 6.55k | uint8_t num_xtn_hdr; |
358 | 6.55k | uint8_t do_extract_key; |
359 | 6.55k | uint8_t do_extract_master_keys; |
360 | 6.55k | } params; |
361 | | |
362 | 6.55k | EXTRACT_IF(¶ms, *data, *size, sizeof(params)); |
363 | | |
364 | 5.71k | params.srtp_profile %= |
365 | 5.71k | sizeof(fuzz_srtp_profiles) / sizeof(fuzz_srtp_profiles[0]); |
366 | 5.71k | params.allow_repeat_tx %= 2; |
367 | 5.71k | params.ssrc_type %= |
368 | 5.71k | sizeof(fuzz_ssrc_type_map) / sizeof(fuzz_ssrc_type_map[0]); |
369 | 5.71k | profile = fuzz_srtp_profiles[params.srtp_profile].profile; |
370 | | |
371 | 5.71k | status = srtp_policy_create(&policy); |
372 | 5.71k | if (status != srtp_err_status_ok || policy == NULL) { |
373 | 0 | return NULL; |
374 | 0 | } |
375 | | |
376 | 5.71k | status = srtp_policy_set_profile(policy, profile); |
377 | 5.71k | if (status != srtp_err_status_ok) { |
378 | 879 | srtp_policy_destroy(policy); |
379 | 879 | return NULL; |
380 | 879 | } |
381 | | |
382 | 4.83k | key_size = srtp_profile_get_master_key_length(profile); |
383 | 4.83k | salt_size = srtp_profile_get_master_salt_length(profile); |
384 | 4.83k | if (key_size + salt_size > SRTP_MAX_KEY_LEN) { |
385 | | /* Shouldn't happen for a public profile. */ |
386 | 0 | abort(); |
387 | 0 | } |
388 | | |
389 | 4.83k | status = srtp_policy_set_ssrc( |
390 | 4.83k | policy, (srtp_ssrc_t){ |
391 | 4.83k | .type = fuzz_ssrc_type_map[params.ssrc_type].srtp_ssrc_type, |
392 | 4.83k | .value = params.ssrc_value, |
393 | 4.83k | }); |
394 | 4.83k | if (status != srtp_err_status_ok) { |
395 | 1.17k | srtp_policy_destroy(policy); |
396 | 1.17k | return NULL; |
397 | 1.17k | } |
398 | | |
399 | 3.65k | if (profile != srtp_profile_null_null && (params.do_extract_key % 2) == 0) { |
400 | 2.33k | if (!extract_and_add_key(policy, data, size, key_size, salt_size)) { |
401 | 181 | srtp_policy_destroy(policy); |
402 | 181 | return NULL; |
403 | 181 | } |
404 | 2.33k | } |
405 | | |
406 | 3.47k | if (params.num_xtn_hdr != 0) { |
407 | 948 | const size_t xtn_hdr_size = params.num_xtn_hdr; |
408 | 948 | size_t copy_size = xtn_hdr_size; |
409 | 948 | if (*size < xtn_hdr_size) { |
410 | 140 | srtp_policy_destroy(policy); |
411 | 140 | return NULL; |
412 | 140 | } |
413 | 808 | if (copy_size > SRTP_MAX_NUM_ENC_HDR_XTND_IDS) { |
414 | 167 | copy_size = SRTP_MAX_NUM_ENC_HDR_XTND_IDS; |
415 | 167 | } |
416 | 5.30k | for (size_t i = 0; i < copy_size; i++) { |
417 | 4.49k | (void)srtp_policy_add_enc_hdr_xtnd_id(policy, (*data)[i]); |
418 | 4.49k | } |
419 | 808 | *data += xtn_hdr_size; |
420 | 808 | *size -= xtn_hdr_size; |
421 | 808 | } |
422 | | |
423 | 3.33k | if (profile != srtp_profile_null_null && |
424 | 2.48k | (params.do_extract_master_keys % 2) == 0) { |
425 | 1.94k | while (1) { |
426 | 1.94k | uint8_t do_extract_master_key; |
427 | 1.94k | EXTRACT_IF(&do_extract_master_key, *data, *size, |
428 | 1.94k | sizeof(do_extract_master_key)); |
429 | | |
430 | 1.94k | if ((do_extract_master_key % 2) == 0) { |
431 | 1.19k | break; |
432 | 1.19k | } |
433 | | |
434 | 745 | if (!extract_and_add_master_key(policy, data, size, key_size, |
435 | 745 | salt_size)) { |
436 | 592 | break; |
437 | 592 | } |
438 | 745 | } |
439 | 1.79k | } |
440 | | |
441 | 3.33k | status = srtp_policy_set_window_size(policy, params.window_size); |
442 | 3.33k | if (status != srtp_err_status_ok) { |
443 | 835 | srtp_policy_destroy(policy); |
444 | 835 | return NULL; |
445 | 835 | } |
446 | 2.49k | status = srtp_policy_set_allow_repeat_tx(policy, params.allow_repeat_tx); |
447 | 2.49k | if (status != srtp_err_status_ok) { |
448 | 0 | srtp_policy_destroy(policy); |
449 | 0 | return NULL; |
450 | 0 | } |
451 | | |
452 | 3.35k | end: |
453 | 3.35k | return policy; |
454 | 2.49k | } |
455 | | |
456 | | static void extract_more_policies_to_session(const uint8_t **data, |
457 | | size_t *size, |
458 | | srtp_t srtp_ctx) |
459 | 2.24k | { |
460 | 2.26k | while (1) { |
461 | 2.26k | uint8_t do_extract_policy; |
462 | 2.26k | srtp_policy_t policy = NULL; |
463 | 2.26k | EXTRACT_IF(&do_extract_policy, *data, *size, sizeof(do_extract_policy)); |
464 | | |
465 | | /* Decide whether to extract another policy */ |
466 | 2.25k | if ((do_extract_policy % 2) == 0) { |
467 | 1.55k | break; |
468 | 1.55k | } |
469 | | |
470 | 707 | policy = extract_policy(data, size); |
471 | 707 | if (policy == NULL) { |
472 | 693 | break; |
473 | 693 | } |
474 | | |
475 | 14 | if (srtp_ctx != NULL) { |
476 | 14 | (void)srtp_stream_add(srtp_ctx, policy); |
477 | 14 | } |
478 | 14 | srtp_policy_destroy(policy); |
479 | 14 | } |
480 | | |
481 | 2.24k | end: |
482 | 2.24k | return; |
483 | 2.24k | } |
484 | | |
485 | | static uint32_t *extract_remove_stream_ssrc(const uint8_t **data, |
486 | | size_t *size, |
487 | | uint8_t *num_remove_stream) |
488 | 10 | { |
489 | 10 | uint32_t *ret = NULL; |
490 | 10 | uint8_t _num_remove_stream; |
491 | 10 | size_t total_size; |
492 | | |
493 | 10 | *num_remove_stream = 0; |
494 | | |
495 | 10 | EXTRACT_IF(&_num_remove_stream, *data, *size, sizeof(_num_remove_stream)); |
496 | | |
497 | 5 | if (_num_remove_stream == 0) { |
498 | 4 | goto end; |
499 | 4 | } |
500 | | |
501 | 1 | total_size = _num_remove_stream * sizeof(uint32_t); |
502 | | |
503 | 1 | if (*size < total_size) { |
504 | 1 | goto end; |
505 | 1 | } |
506 | | |
507 | 0 | ret = fuzz_alloc_succeed(total_size, false); |
508 | 0 | EXTRACT(ret, *data, *size, total_size); |
509 | |
|
510 | 0 | *num_remove_stream = _num_remove_stream; |
511 | |
|
512 | 10 | end: |
513 | 10 | return ret; |
514 | 0 | } |
515 | | |
516 | | static uint32_t *extract_set_roc(const uint8_t **data, |
517 | | size_t *size, |
518 | | uint8_t *num_set_roc) |
519 | 10 | { |
520 | 10 | uint32_t *ret = NULL; |
521 | 10 | uint8_t _num_set_roc; |
522 | 10 | size_t total_size; |
523 | | |
524 | 10 | *num_set_roc = 0; |
525 | 10 | EXTRACT_IF(&_num_set_roc, *data, *size, sizeof(_num_set_roc)); |
526 | 5 | if (_num_set_roc == 0) { |
527 | 4 | goto end; |
528 | 4 | } |
529 | | |
530 | | /* Tuples of 2 uint32_t's */ |
531 | 1 | total_size = _num_set_roc * sizeof(uint32_t) * 2; |
532 | | |
533 | 1 | if (*size < total_size) { |
534 | 0 | goto end; |
535 | 0 | } |
536 | | |
537 | 1 | ret = fuzz_alloc_succeed(total_size, false); |
538 | 1 | EXTRACT(ret, *data, *size, total_size); |
539 | | |
540 | 1 | *num_set_roc = _num_set_roc; |
541 | | |
542 | 10 | end: |
543 | 10 | return ret; |
544 | 1 | } |
545 | | |
546 | | static uint8_t *run_srtp_func(const srtp_t srtp_ctx, |
547 | | const uint8_t **data, |
548 | | size_t *size) |
549 | 10 | { |
550 | 10 | uint8_t *ret = NULL; |
551 | 10 | uint8_t *copy = NULL, *copy_2 = NULL; |
552 | | |
553 | 10 | struct { |
554 | 10 | uint16_t size; |
555 | 10 | uint8_t srtp_func; |
556 | 10 | uint32_t mki; |
557 | 10 | uint8_t stretch; |
558 | 10 | } params_1; |
559 | | |
560 | 10 | struct { |
561 | 10 | uint8_t srtp_func; |
562 | 10 | uint32_t mki; |
563 | 10 | } params_2; |
564 | 10 | size_t ret_size; |
565 | | |
566 | 10 | EXTRACT_IF(¶ms_1, *data, *size, sizeof(params_1)); |
567 | 5 | params_1.srtp_func %= sizeof(srtp_funcs) / sizeof(srtp_funcs[0]); |
568 | | |
569 | 5 | if (*size < params_1.size) { |
570 | 3 | goto end; |
571 | 3 | } |
572 | | |
573 | | /* Enforce 4 byte alignment */ |
574 | 2 | if (g_no_align == false) { |
575 | 2 | params_1.size -= params_1.size % 4; |
576 | 2 | } |
577 | | |
578 | 2 | if (params_1.size == 0) { |
579 | 1 | goto end; |
580 | 1 | } |
581 | | |
582 | 1 | ret_size = params_1.size; |
583 | 1 | if (srtp_funcs[params_1.srtp_func].protect == true) { |
584 | | /* Intentionally not initialized to trigger MemorySanitizer, if |
585 | | * applicable */ |
586 | 1 | size_t alloc_size; |
587 | | |
588 | 1 | if (srtp_funcs[params_1.srtp_func].get_length( |
589 | 1 | srtp_ctx, params_1.mki, &alloc_size) != srtp_err_status_ok) { |
590 | 0 | goto end; |
591 | 0 | } |
592 | | |
593 | 1 | copy = fuzz_alloc_succeed(ret_size + alloc_size, false); |
594 | 1 | } else { |
595 | 0 | copy = fuzz_alloc_succeed(ret_size, false); |
596 | 0 | } |
597 | | |
598 | 1 | EXTRACT(copy, *data, *size, params_1.size); |
599 | | |
600 | 1 | if (srtp_funcs[params_1.srtp_func].srtp_func( |
601 | 1 | srtp_ctx, copy, &ret_size, params_1.mki) != srtp_err_status_ok) { |
602 | 0 | fuzz_free(copy); |
603 | 0 | goto end; |
604 | 0 | } |
605 | | // fuzz_free(copy); |
606 | | |
607 | 1 | fuzz_testmem(copy, ret_size); |
608 | | |
609 | 1 | ret = copy; |
610 | | |
611 | 1 | EXTRACT_IF(¶ms_2, *data, *size, sizeof(params_2)); |
612 | 1 | params_2.srtp_func %= sizeof(srtp_funcs) / sizeof(srtp_funcs[0]); |
613 | | |
614 | 1 | if (ret_size == 0) { |
615 | 0 | goto end; |
616 | 0 | } |
617 | | |
618 | 1 | if (srtp_funcs[params_2.srtp_func].protect == true) { |
619 | | /* Intentionally not initialized to trigger MemorySanitizer, if |
620 | | * applicable */ |
621 | 0 | size_t alloc_size; |
622 | |
|
623 | 0 | if (srtp_funcs[params_2.srtp_func].get_length( |
624 | 0 | srtp_ctx, params_2.mki, &alloc_size) != srtp_err_status_ok) { |
625 | 0 | goto end; |
626 | 0 | } |
627 | | |
628 | 0 | copy_2 = fuzz_alloc_succeed(ret_size + alloc_size, false); |
629 | 1 | } else { |
630 | 1 | copy_2 = fuzz_alloc_succeed(ret_size, false); |
631 | 1 | } |
632 | | |
633 | 1 | memcpy(copy_2, copy, ret_size); |
634 | 1 | fuzz_free(copy); |
635 | 1 | copy = copy_2; |
636 | | |
637 | 1 | if (srtp_funcs[params_2.srtp_func].srtp_func( |
638 | 1 | srtp_ctx, copy, &ret_size, params_2.mki) != srtp_err_status_ok) { |
639 | 1 | fuzz_free(copy); |
640 | 1 | ret = NULL; |
641 | 1 | goto end; |
642 | 1 | } |
643 | | |
644 | 0 | fuzz_testmem(copy, ret_size); |
645 | |
|
646 | 0 | ret = copy; |
647 | |
|
648 | 10 | end: |
649 | 10 | return ret; |
650 | 0 | } |
651 | | |
652 | | void fuzz_srtp_event_handler(srtp_event_data_t *data) |
653 | 1 | { |
654 | 1 | fuzz_testmem(data, sizeof(srtp_event_data_t)); |
655 | 1 | if (data->session != NULL) { |
656 | 1 | fuzz_testmem(data->session, sizeof(*data->session)); |
657 | 1 | } |
658 | 1 | } |
659 | | |
660 | | static void fuzz_write_input(const uint8_t *data, size_t size) |
661 | 0 | { |
662 | 0 | FILE *fp = fopen("input.bin", "wb"); |
663 | |
|
664 | 0 | if (fp == NULL) { |
665 | | /* Shouldn't happen */ |
666 | 0 | abort(); |
667 | 0 | } |
668 | | |
669 | 0 | if (size != 0 && fwrite(data, size, 1, fp) != 1) { |
670 | 0 | printf("Cannot write\n"); |
671 | | /* Shouldn't happen */ |
672 | 0 | abort(); |
673 | 0 | } |
674 | | |
675 | 0 | fclose(fp); |
676 | 0 | } |
677 | | |
678 | | int LLVMFuzzerInitialize(int *argc, char ***argv) |
679 | 2 | { |
680 | 2 | char **_argv = *argv; |
681 | 2 | int i; |
682 | 2 | bool no_custom_event_handler = false; |
683 | | |
684 | 2 | if (srtp_init() != srtp_err_status_ok) { |
685 | | /* Shouldn't happen */ |
686 | 0 | abort(); |
687 | 0 | } |
688 | | |
689 | 13 | for (i = 0; i < *argc; i++) { |
690 | 11 | if (strcmp("--no_align", _argv[i]) == 0) { |
691 | 0 | g_no_align = true; |
692 | 11 | } else if (strcmp("--no_custom_event_handler", _argv[i]) == 0) { |
693 | 0 | no_custom_event_handler = true; |
694 | 11 | } else if (strcmp("--write_input", _argv[i]) == 0) { |
695 | 0 | g_write_input = true; |
696 | 0 | } |
697 | | #ifdef FUZZ_32BIT |
698 | | else if (strcmp("--no_mmap", _argv[i]) == 0) { |
699 | | g_no_mmap = true; |
700 | | } |
701 | | #endif |
702 | 11 | } |
703 | | |
704 | 2 | if (no_custom_event_handler == false) { |
705 | 2 | if (srtp_install_event_handler(fuzz_srtp_event_handler) != |
706 | 2 | srtp_err_status_ok) { |
707 | | /* Shouldn't happen */ |
708 | 0 | abort(); |
709 | 0 | } |
710 | 2 | } |
711 | | |
712 | | /* Fully initialized -- past this point, simulated allocation failures |
713 | | * are allowed to occur */ |
714 | 2 | g_post_init = true; |
715 | | |
716 | 2 | return 0; |
717 | 2 | } |
718 | | |
719 | | int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) |
720 | 3.61k | { |
721 | 3.61k | uint8_t num_remove_stream; |
722 | 3.61k | uint32_t *remove_stream_ssrc = NULL; |
723 | 3.61k | uint8_t num_set_roc; |
724 | 3.61k | uint32_t *set_roc = NULL; |
725 | 3.61k | srtp_t srtp_ctx = NULL; |
726 | 3.61k | srtp_policy_t policy = NULL; |
727 | 3.61k | srtp_policy_t policy_2 = NULL; |
728 | 3.61k | uint32_t randseed; |
729 | 3.61k | static bool firstrun = true; |
730 | | |
731 | 3.61k | if (firstrun == true) { |
732 | | /* TODO version check etc and send it to MSAN */ |
733 | 3.61k | } |
734 | | |
735 | | #ifdef FUZZ_32BIT |
736 | | /* Free the mmap allocation made during the previous iteration, if |
737 | | * applicable */ |
738 | | fuzz_free(g_mmap_allocation); |
739 | | #endif |
740 | | |
741 | 3.61k | if (g_write_input == true) { |
742 | 0 | fuzz_write_input(data, size); |
743 | 0 | } |
744 | | |
745 | 3.61k | EXTRACT_IF(&randseed, data, size, sizeof(randseed)); |
746 | 3.61k | fuzz_mt19937_init(randseed); |
747 | 3.61k | srand(randseed); |
748 | | |
749 | | /* policy is used to initialize the srtp context with */ |
750 | 3.61k | if ((policy = extract_policy(&data, &size)) == NULL) { |
751 | 1.13k | goto end; |
752 | 1.13k | } |
753 | | |
754 | | /* Create context */ |
755 | 2.47k | if (srtp_create(&srtp_ctx, policy) != srtp_err_status_ok) { |
756 | 239 | goto end; |
757 | 239 | } |
758 | | |
759 | | /* Add additional policies extracted for initial stream setup */ |
760 | 2.23k | extract_more_policies_to_session(&data, &size, srtp_ctx); |
761 | | |
762 | | /* policy_2 is used as an argument for post-create stream additions */ |
763 | 2.23k | if ((policy_2 = extract_policy(&data, &size)) == NULL) { |
764 | 2.22k | goto end; |
765 | 2.22k | } |
766 | | |
767 | | /* Consume any additional policies from this second extraction phase */ |
768 | 10 | extract_more_policies_to_session(&data, &size, NULL); |
769 | | |
770 | | /* Don't check for NULL result -- no extractions is fine */ |
771 | 10 | remove_stream_ssrc = |
772 | 10 | extract_remove_stream_ssrc(&data, &size, &num_remove_stream); |
773 | | |
774 | | /* Don't check for NULL result -- no extractions is fine */ |
775 | 10 | set_roc = extract_set_roc(&data, &size, &num_set_roc); |
776 | | |
777 | 10 | { |
778 | 10 | uint8_t *ret; |
779 | 10 | int i = 0, j = 0; |
780 | | |
781 | 10 | while ((ret = run_srtp_func(srtp_ctx, &data, &size)) != NULL) { |
782 | 0 | fuzz_free(ret); |
783 | | |
784 | | /* Keep removing streams until the set of SSRCs extracted from the |
785 | | * fuzzer input is exhausted */ |
786 | 0 | if (i < num_remove_stream) { |
787 | 0 | if (srtp_stream_remove(srtp_ctx, remove_stream_ssrc[i]) != |
788 | 0 | srtp_err_status_ok) { |
789 | 0 | goto end; |
790 | 0 | } |
791 | 0 | i++; |
792 | 0 | } |
793 | | |
794 | | /* Keep setting and getting ROCs until the set of SSRC/ROC tuples |
795 | | * extracted from the fuzzer input is exhausted */ |
796 | 0 | if (j < num_set_roc * 2) { |
797 | 0 | uint32_t roc; |
798 | 0 | if (srtp_stream_set_roc(srtp_ctx, set_roc[j], set_roc[j + 1]) != |
799 | 0 | srtp_err_status_ok) { |
800 | 0 | goto end; |
801 | 0 | } |
802 | 0 | if (srtp_stream_get_roc(srtp_ctx, set_roc[j + 1], &roc) != |
803 | 0 | srtp_err_status_ok) { |
804 | 0 | goto end; |
805 | 0 | } |
806 | 0 | j += 2; |
807 | 0 | } |
808 | | |
809 | 0 | if (policy_2 != NULL) { |
810 | 0 | (void)srtp_stream_add(srtp_ctx, policy_2); |
811 | | |
812 | | /* Discard after using once */ |
813 | 0 | srtp_policy_destroy(policy_2); |
814 | 0 | policy_2 = NULL; |
815 | 0 | } |
816 | 0 | } |
817 | 10 | } |
818 | | |
819 | 3.61k | end: |
820 | 3.61k | srtp_policy_destroy(policy); |
821 | 3.61k | srtp_policy_destroy(policy_2); |
822 | 3.61k | fuzz_free(remove_stream_ssrc); |
823 | 3.61k | fuzz_free(set_roc); |
824 | 3.61k | if (srtp_ctx != NULL) { |
825 | 2.23k | srtp_dealloc(srtp_ctx); |
826 | 2.23k | } |
827 | 3.61k | fuzz_mt19937_destroy(); |
828 | | |
829 | 3.61k | return 0; |
830 | 10 | } |