/src/net-snmp/testing/fuzzing/snmp_transport_fuzzer.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright (c) 2021, Net-snmp authors |
3 | | * All rights reserved. |
4 | | * |
5 | | * Redistribution and use in source and binary forms, with or without |
6 | | * modification, are permitted provided that the following conditions are met: |
7 | | * |
8 | | * * Redistributions of source code must retain the above copyright notice, this |
9 | | * list of conditions and the following disclaimer. |
10 | | * |
11 | | * * Redistributions in binary form must reproduce the above copyright notice, |
12 | | * this list of conditions and the following disclaimer in the documentation |
13 | | * and/or other materials provided with the distribution. |
14 | | * |
15 | | * * Neither the name of the copyright holder nor the names of its |
16 | | * contributors may be used to endorse or promote products derived from |
17 | | * this software without specific prior written permission. |
18 | | * |
19 | | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" |
20 | | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
21 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
22 | | * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE |
23 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
24 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR |
25 | | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER |
26 | | * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, |
27 | | * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
28 | | * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
29 | | */ |
30 | | #include <net-snmp/net-snmp-config.h> |
31 | | #include <net-snmp/net-snmp-includes.h> |
32 | | #include "../../snmplib/transports/snmpIPBaseDomain.h" |
33 | | #include <net-snmp/library/snmpUDPIPv6Domain.h> |
34 | | #include <net-snmp/library/snmpIPXDomain.h> |
35 | | #include <stddef.h> |
36 | | #include <stdint.h> |
37 | | #include <stdlib.h> |
38 | | #include "ada_fuzz_header.h" |
39 | | |
40 | | int |
41 | | LLVMFuzzerInitialize(int *argc, char ***argv) |
42 | 32 | { |
43 | 32 | if (getenv("NETSNMP_DEBUGGING") != NULL) { |
44 | | /* |
45 | | * Turn on all debugging, to help understand what |
46 | | * bits of the parser are running. |
47 | | */ |
48 | 0 | snmp_enable_stderrlog(); |
49 | 0 | snmp_set_do_debugging(1); |
50 | 0 | debug_register_tokens(""); |
51 | 0 | } |
52 | 32 | return 0; |
53 | 32 | } |
54 | | |
55 | | int |
56 | | LLVMFuzzerTestOneInput(const uint8_t * data, size_t size) |
57 | 783 | { |
58 | | /* |
59 | | * Force the fuzzer to create larger strings as we use |
60 | | * a lot of the data. |
61 | | */ |
62 | 783 | if (size < 550) { |
63 | 19 | return 0; |
64 | 19 | } |
65 | 764 | af_gb_init(); |
66 | | |
67 | 764 | const uint8_t *data2 = data; |
68 | 764 | size_t size2 = size; |
69 | | |
70 | 764 | netsnmp_ds_set_string(NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_APPTYPE, |
71 | 764 | "testprog"); |
72 | | |
73 | 764 | init_snmp_transport(); |
74 | 764 | netsnmp_tdomain_init(); |
75 | | |
76 | | /* |
77 | | * Main fuzzing logic |
78 | | */ |
79 | 764 | char *prefix = af_gb_get_null_terminated(&data2, &size2); |
80 | 764 | char *fmt_data = af_gb_get_null_terminated(&data2, &size2); |
81 | 764 | netsnmp_transport *t2 = NULL; |
82 | 764 | if (prefix && fmt_data) { |
83 | 764 | free(netsnmp_ipv6_fmtaddr(prefix, t2, fmt_data, strlen(fmt_data))); |
84 | | |
85 | 764 | struct sockaddr_in6 addr; |
86 | 764 | if (!netsnmp_sockaddr_in6(&addr, prefix, 5123)) |
87 | 15 | goto cleanup; |
88 | 764 | } |
89 | | |
90 | | /* |
91 | | * Security parsing routines. |
92 | | */ |
93 | 749 | char *udp6_token = af_gb_get_null_terminated(&data2, &size2); |
94 | 749 | char *udp6_param = af_gb_get_null_terminated(&data2, &size2); |
95 | 749 | if (udp6_token && udp6_param) { |
96 | 749 | netsnmp_udp6_parse_security(udp6_token, udp6_param); |
97 | 749 | } |
98 | | |
99 | 749 | char *udp_token = af_gb_get_null_terminated(&data2, &size2); |
100 | 749 | char *udp_param = af_gb_get_null_terminated(&data2, &size2); |
101 | 749 | if (udp_token && udp_param) { |
102 | 749 | netsnmp_udp_parse_security(udp_token, udp_param); |
103 | 749 | } |
104 | | |
105 | 749 | struct netsnmp_ep_str ep_str = { }; |
106 | 749 | char *endpoint = af_gb_get_null_terminated(&data2, &size2); |
107 | 749 | if (endpoint && !netsnmp_parse_ep_str(&ep_str, endpoint)) |
108 | 103 | goto cleanup; |
109 | | |
110 | 646 | char *unix_token = af_gb_get_null_terminated(&data2, &size2); |
111 | 646 | char *unix_param = af_gb_get_null_terminated(&data2, &size2); |
112 | 646 | if (unix_token && unix_param) { |
113 | 211 | netsnmp_unix_parse_security(unix_token, unix_param); |
114 | 211 | } |
115 | | |
116 | | /* |
117 | | * Cleanup |
118 | | */ |
119 | 646 | free(ep_str.addr); |
120 | 764 | cleanup: |
121 | 764 | netsnmp_clear_tdomain_list(); |
122 | 764 | shutdown_snmp_transport(); |
123 | | |
124 | 764 | af_gb_cleanup(); |
125 | 764 | return 0; |
126 | 646 | } |