/src/net-snmp/testing/fuzzing/snmp_parse_trap2_fuzzer.c

Source
/*
 * Copyright (c) 2025, Net-snmp authors
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * * Redistributions of source code must retain the above copyright notice, this
 *   list of conditions and the following disclaimer.
 *
 * * Redistributions in binary form must reproduce the above copyright notice,
 *   this list of conditions and the following disclaimer in the documentation
 *   and/or other materials provided with the distribution.
 *
 * * Neither the name of the copyright holder nor the names of its
 *   contributors may be used to endorse or promote products derived from
 *   this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <net-snmp/net-snmp-config.h>
#include <net-snmp/net-snmp-includes.h>
#include "../../apps/snmptrapd_handlers.h"
#include "ada_fuzz_header.h"

static netsnmp_session *add_session(netsnmp_transport *t)
{
    netsnmp_session session;

    snmp_sess_init(&session);
    session.peername = SNMP_DEFAULT_PEERNAME;
    session.version = SNMP_DEFAULT_VERSION;
    session.community_len = SNMP_DEFAULT_COMMUNITY_LEN;
    session.retries = SNMP_DEFAULT_RETRIES;
    session.timeout = SNMP_DEFAULT_TIMEOUT;
    session.callback = snmp_input;
    session.callback_magic = t;
    session.authenticator = NULL;
    session.isAuthoritative = SNMP_SESS_UNKNOWNAUTH;

    return snmp_add(&session, t, NULL, NULL);
}

int LLVMFuzzerInitialize(int *argc, char ***argv) {
    if (getenv("NETSNMP_DEBUGGING") != NULL) {
        snmp_enable_stderrlog();
        snmp_set_do_debugging(1);
        debug_register_tokens("sess_process_packet");
    }

    return 0;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    netsnmp_transport *transport = NULL;
    netsnmp_session *session = NULL;
    const unsigned short pkt_len = size;
    const void *const pkt = data;
    int skt = -1;
    int ret = 1;

    if (pkt_len == 0)
        goto cleanup;

    netsnmp_ds_set_string(NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_MIBDIRS, "mibs");
    netsnmp_ds_set_boolean(NETSNMP_DS_LIBRARY_ID,
                           NETSNMP_DS_LIB_DONT_PERSIST_STATE, 1);
    netsnmp_ds_set_string(NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_PERSISTENT_DIR,
                          "/tmp");

    init_snmp("snmptrapd");

    transport = netsnmp_transport_open_server("trap_fuzzer", "127.0.0.1:7365");
    if (!transport) {
        fprintf(stderr, "Error: failed to open Net-SNMP transport.\n");
        goto cleanup;
    }
    session = add_session(transport);
    if (!session) {
        fprintf(stderr, "Error: failed to add Net-SNMP session.\n");
        goto cleanup;
    }

    skt = socket(AF_INET, SOCK_DGRAM, 0);
    if (skt < 0) {
        perror("socket()");
        goto shutdown;
    }
    struct sockaddr_in addr = {
        .sin_family = AF_INET,
        .sin_port = htons(7365),
        .sin_addr = { htonl(INADDR_LOOPBACK) }
    };
    if (connect(skt, &addr, sizeof(addr)) < 0) {
        perror("connect()");
        goto shutdown;
    }
    if (send(skt, pkt, pkt_len, 0) < 0) {
        perror("send()");
        goto shutdown;
    }
    {
        fd_set readfds,writefds,exceptfds;
        int numfds = 0, block = 0;
        struct timeval timeout;

        FD_ZERO(&readfds);
        FD_ZERO(&writefds);
        FD_ZERO(&exceptfds);
        timerclear(&timeout);
        timeout.tv_sec = 5;
        snmp_select_info(&numfds, &readfds, &timeout, &block);
        if (select(numfds, &readfds, &writefds, &exceptfds, &timeout) > 0)
            snmp_read(&readfds);
    }
    ret = 0;

shutdown:
    snmp_shutdown("snmptrapd");

cleanup:
    if (skt >= 0)
        close(skt);
    if (session)
        snmp_close(session);

    return ret;
}

Line	Count	Source
1		/*
2		* Copyright (c) 2025, Net-snmp authors
3		* All rights reserved.
4		*
5		* Redistribution and use in source and binary forms, with or without
6		* modification, are permitted provided that the following conditions are met:
7		*
8		* * Redistributions of source code must retain the above copyright notice, this
9		* list of conditions and the following disclaimer.
10		*
11		* * Redistributions in binary form must reproduce the above copyright notice,
12		* this list of conditions and the following disclaimer in the documentation
13		* and/or other materials provided with the distribution.
14		*
15		* * Neither the name of the copyright holder nor the names of its
16		* contributors may be used to endorse or promote products derived from
17		* this software without specific prior written permission.
18		*
19		* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20		* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22		* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23		* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24		* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25		* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26		* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27		* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28		* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29		*/
30
31		#include <net-snmp/net-snmp-config.h>
32		#include <net-snmp/net-snmp-includes.h>
33		#include "../../apps/snmptrapd_handlers.h"
34		#include "ada_fuzz_header.h"
35
36		static netsnmp_session add_session(netsnmp_transport t)
37	55	{
38	55	netsnmp_session session;
39
40	55	snmp_sess_init(&session);
41	55	session.peername = SNMP_DEFAULT_PEERNAME;
42	55	session.version = SNMP_DEFAULT_VERSION;
43	55	session.community_len = SNMP_DEFAULT_COMMUNITY_LEN;
44	55	session.retries = SNMP_DEFAULT_RETRIES;
45	55	session.timeout = SNMP_DEFAULT_TIMEOUT;
46	55	session.callback = snmp_input;
47	55	session.callback_magic = t;
48	55	session.authenticator = NULL;
49	55	session.isAuthoritative = SNMP_SESS_UNKNOWNAUTH;
50
51	55	return snmp_add(&session, t, NULL, NULL);
52	55	}
53
54	31	int LLVMFuzzerInitialize(int argc, char **argv) {
55	31	if (getenv("NETSNMP_DEBUGGING") != NULL) {
56	0	snmp_enable_stderrlog();
57	0	snmp_set_do_debugging(1);
58	0	debug_register_tokens("sess_process_packet");
59	0	}
60
61	31	return 0;
62	31	}
63
64	56	int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
65	56	netsnmp_transport *transport = NULL;
66	56	netsnmp_session *session = NULL;
67	56	const unsigned short pkt_len = size;
68	56	const void *const pkt = data;
69	56	int skt = -1;
70	56	int ret = 1;
71
72	56	if (pkt_len == 0)
73	1	goto cleanup;
74
75	55	netsnmp_ds_set_string(NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_MIBDIRS, "mibs");
76	55	netsnmp_ds_set_boolean(NETSNMP_DS_LIBRARY_ID,
77	55	NETSNMP_DS_LIB_DONT_PERSIST_STATE, 1);
78	55	netsnmp_ds_set_string(NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_PERSISTENT_DIR,
79	55	"/tmp");
80
81	55	init_snmp("snmptrapd");
82
83	55	transport = netsnmp_transport_open_server("trap_fuzzer", "127.0.0.1:7365");
84	55	if (!transport) {
85	0	fprintf(stderr, "Error: failed to open Net-SNMP transport.\n");
86	0	goto cleanup;
87	0	}
88	55	session = add_session(transport);
89	55	if (!session) {
90	0	fprintf(stderr, "Error: failed to add Net-SNMP session.\n");
91	0	goto cleanup;
92	0	}
93
94	55	skt = socket(AF_INET, SOCK_DGRAM, 0);
95	55	if (skt < 0) {
96	0	perror("socket()");
97	0	goto shutdown;
98	0	}
99	55	struct sockaddr_in addr = {
100	55	.sin_family = AF_INET,
101	55	.sin_port = htons(7365),
102	55	.sin_addr = { htonl(INADDR_LOOPBACK) }
103	55	};
104	55	if (connect(skt, &addr, sizeof(addr)) < 0) {
105	0	perror("connect()");
106	0	goto shutdown;
107	0	}
108	55	if (send(skt, pkt, pkt_len, 0) < 0) {
109	1	perror("send()");
110	1	goto shutdown;
111	1	}
112	54	{
113	54	fd_set readfds,writefds,exceptfds;
114	54	int numfds = 0, block = 0;
115	54	struct timeval timeout;
116
117	54	FD_ZERO(&readfds);
118	54	FD_ZERO(&writefds);
119	54	FD_ZERO(&exceptfds);
120	54	timerclear(&timeout);
121	54	timeout.tv_sec = 5;
122	54	snmp_select_info(&numfds, &readfds, &timeout, &block);
123	54	if (select(numfds, &readfds, &writefds, &exceptfds, &timeout) > 0)
124	54	snmp_read(&readfds);
125	54	}
126	54	ret = 0;
127
128	55	shutdown:
129	55	snmp_shutdown("snmptrapd");
130
131	56	cleanup:
132	56	if (skt >= 0)
133	55	close(skt);
134	56	if (session)
135	55	snmp_close(session);
136
137	56	return ret;
138	55	}

Coverage Report

Created: 2026-06-10 06:22