/src/net-snmp/testing/fuzzing/snmp_parse_trap_fuzzer.c

Source
/*
 * Copyright (c) 2025, Net-snmp authors
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * * Redistributions of source code must retain the above copyright notice, this
 *   list of conditions and the following disclaimer.
 *
 * * Redistributions in binary form must reproduce the above copyright notice,
 *   this list of conditions and the following disclaimer in the documentation
 *   and/or other materials provided with the distribution.
 *
 * * Neither the name of the copyright holder nor the names of its
 *   contributors may be used to endorse or promote products derived from
 *   this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <net-snmp/net-snmp-config.h>
#include <net-snmp/net-snmp-includes.h>
#include "../../apps/snmptrapd_handlers.h"
#include "ada_fuzz_header.h"

int LLVMFuzzerInitialize(int *argc, char ***argv) {
    if (getenv("NETSNMP_DEBUGGING") != NULL) {
        /*
         * Turn on all debugging, to help understand what
         * bits of the parser are running.
         */
        snmp_enable_stderrlog();
        snmp_set_do_debugging(1);
        debug_register_tokens("");
    }

    return 0;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    oid snmpTrapOid[] = { 1, 3, 6, 1, 6, 3, 1, 1, 4, 1, 0 };
    netsnmp_variable_list var2 = {
        .name = snmpTrapOid,
        .name_length = sizeof(snmpTrapOid) / sizeof(snmpTrapOid[0])
    };
    netsnmp_variable_list var1 = { .next_variable = &var2 };
    netsnmp_transport transport = { };
    netsnmp_session sess = { };
    netsnmp_pdu *pdu;
    int op;

    af_gb_init();
    var2.val_len = af_get_short(&data, &size);
    var2.val.objid = af_gb_get_random_data(&data, &size, var2.val_len);
    if (!var2.val.objid)
        goto cleanup;
    op = NETSNMP_CALLBACK_OP_RECEIVED_MESSAGE;
    pdu = af_gb_get_random_data(&data, &size, sizeof(*pdu));
    if (!pdu)
        goto cleanup;
    pdu->enterprise_length = af_get_short(&data, &size);
    pdu->enterprise = af_gb_get_random_data(&data, &size,
                                            pdu->enterprise_length *
                                            sizeof(pdu->enterprise[0]));
    if (!pdu->enterprise)
        goto cleanup;
    pdu->community = NULL;
    pdu->community_len = 0;
    pdu->contextEngineID = NULL;
    pdu->contextEngineIDLen = 0;
    pdu->securityEngineID = NULL;
    pdu->securityEngineIDLen = 0;
    pdu->contextName = NULL;
    pdu->contextNameLen = 0;
    pdu->securityName = NULL;
    pdu->securityNameLen = 0;
    pdu->transport_data = NULL;
    pdu->transport_data_length = 0;
    pdu->variables = &var1;
    snmp_input(op, &sess, 0/*ignored*/, pdu, &transport);

cleanup:
    af_gb_cleanup();

    return 0;
}

Line	Count	Source
1		/*
2		* Copyright (c) 2025, Net-snmp authors
3		* All rights reserved.
4		*
5		* Redistribution and use in source and binary forms, with or without
6		* modification, are permitted provided that the following conditions are met:
7		*
8		* * Redistributions of source code must retain the above copyright notice, this
9		* list of conditions and the following disclaimer.
10		*
11		* * Redistributions in binary form must reproduce the above copyright notice,
12		* this list of conditions and the following disclaimer in the documentation
13		* and/or other materials provided with the distribution.
14		*
15		* * Neither the name of the copyright holder nor the names of its
16		* contributors may be used to endorse or promote products derived from
17		* this software without specific prior written permission.
18		*
19		* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20		* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22		* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23		* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24		* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25		* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26		* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27		* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28		* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29		*/
30
31		#include <net-snmp/net-snmp-config.h>
32		#include <net-snmp/net-snmp-includes.h>
33		#include "../../apps/snmptrapd_handlers.h"
34		#include "ada_fuzz_header.h"
35
36	32	int LLVMFuzzerInitialize(int argc, char **argv) {
37	32	if (getenv("NETSNMP_DEBUGGING") != NULL) {
38		/*
39		* Turn on all debugging, to help understand what
40		* bits of the parser are running.
41		*/
42	0	snmp_enable_stderrlog();
43	0	snmp_set_do_debugging(1);
44	0	debug_register_tokens("");
45	0	}
46
47	32	return 0;
48	32	}
49
50	471	int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
51	471	oid snmpTrapOid[] = { 1, 3, 6, 1, 6, 3, 1, 1, 4, 1, 0 };
52	471	netsnmp_variable_list var2 = {
53	471	.name = snmpTrapOid,
54	471	.name_length = sizeof(snmpTrapOid) / sizeof(snmpTrapOid[0])
55	471	};
56	471	netsnmp_variable_list var1 = { .next_variable = &var2 };
57	471	netsnmp_transport transport = { };
58	471	netsnmp_session sess = { };
59	471	netsnmp_pdu *pdu;
60	471	int op;
61
62	471	af_gb_init();
63	471	var2.val_len = af_get_short(&data, &size);
64	471	var2.val.objid = af_gb_get_random_data(&data, &size, var2.val_len);
65	471	if (!var2.val.objid)
66	9	goto cleanup;
67	462	op = NETSNMP_CALLBACK_OP_RECEIVED_MESSAGE;
68	462	pdu = af_gb_get_random_data(&data, &size, sizeof(*pdu));
69	462	if (!pdu)
70	30	goto cleanup;
71	432	pdu->enterprise_length = af_get_short(&data, &size);
72	432	pdu->enterprise = af_gb_get_random_data(&data, &size,
73	432	pdu->enterprise_length *
74	432	sizeof(pdu->enterprise[0]));
75	432	if (!pdu->enterprise)
76	16	goto cleanup;
77	416	pdu->community = NULL;
78	416	pdu->community_len = 0;
79	416	pdu->contextEngineID = NULL;
80	416	pdu->contextEngineIDLen = 0;
81	416	pdu->securityEngineID = NULL;
82	416	pdu->securityEngineIDLen = 0;
83	416	pdu->contextName = NULL;
84	416	pdu->contextNameLen = 0;
85	416	pdu->securityName = NULL;
86	416	pdu->securityNameLen = 0;
87	416	pdu->transport_data = NULL;
88	416	pdu->transport_data_length = 0;
89	416	pdu->variables = &var1;
90	416	snmp_input(op, &sess, 0/ignored/, pdu, &transport);
91
92	471	cleanup:
93	471	af_gb_cleanup();
94
95	471	return 0;
96	416	}

Coverage Report

Created: 2026-03-17 06:31