/src/ntp-dev/tests/fuzz/fuzz_ntpd_receive.c

Source
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#include "config.h"
#include "recvbuff.h"
#include "ntpd.h"

const char *Version = "libntpq 0.3beta";
int listen_to_virtual_ips = TRUE;
int mdnstries = 5;
char const *progname = "fuzz_ntpd_receive";
#ifdef HAVE_WORKING_FORK
int    waitsync_fd_to_close = -1;    /* -w/--wait-sync */
#endif
int yydebug=0;

static int initialized = 0;
int sockfd;
uint8_t itf_index;

void fuzz_itf_selecter(void * data, interface_info_t * itf) {
    endpt **ep = (endpt **)data;
    if (itf_index == 0) {
        *ep = itf->ep;
    }
    itf_index--;
}

int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
    struct recvbuf rbufp;

    if (initialized == 0) {
        sockfd = open("/dev/null", O_RDWR );
        //adds interfaces
        init_io();
        init_auth();
        init_util();
        init_restrict();
        init_mon();
        init_timer();
        init_lib();
        init_request();
        init_control();
        init_peer();
        init_proto();
        init_loopfilter();
        io_open_sockets();
        initialized = 1;
    }

    if (Size < sizeof(l_fp)) {
        return 0;
    }
    memcpy(&rbufp.recv_time, Data, sizeof(l_fp));
    Data += sizeof(l_fp);
    Size -= sizeof(l_fp);

    if (Size < sizeof(sockaddr_u)) {
        return 0;
    }
    memcpy(&rbufp.srcadr, Data, sizeof(sockaddr_u));
    memcpy(&rbufp.recv_srcadr, &rbufp.srcadr, sizeof(sockaddr_u));
    Data += sizeof(sockaddr_u);
    Size -= sizeof(sockaddr_u);

    if (Size < 1) {
        return 0;
    }
    itf_index = Data[0];
    rbufp.dstadr = NULL;
    interface_enumerate(fuzz_itf_selecter, &rbufp.dstadr);
    if (rbufp.dstadr == NULL) {
        return 0;
    }
    Data++;
    Size--;

    if (Size > RX_BUFF_SIZE) {
        Size = RX_BUFF_SIZE;
    }
    rbufp.recv_length = Size;
    memcpy(rbufp.recv_buffer, Data, Size);

    rbufp.msg_flags = 0;
    rbufp.used = 0;
    rbufp.link = NULL;
    rbufp.fd = sockfd;

    receive(&rbufp);
    return 0;
}

Line	Count	Source
1		#include <stddef.h>
2		#include <stdint.h>
3		#include <sys/types.h>
4		#include <sys/stat.h>
5		#include <fcntl.h>
6
7		#include "config.h"
8		#include "recvbuff.h"
9		#include "ntpd.h"
10
11		const char *Version = "libntpq 0.3beta";
12		int listen_to_virtual_ips = TRUE;
13		int mdnstries = 5;
14		char const *progname = "fuzz_ntpd_receive";
15		#ifdef HAVE_WORKING_FORK
16		int waitsync_fd_to_close = -1; /* -w/--wait-sync */
17		#endif
18		int yydebug=0;
19
20		static int initialized = 0;
21		int sockfd;
22		uint8_t itf_index;
23
24	8.04k	void fuzz_itf_selecter(void * data, interface_info_t * itf) {
25	8.04k	endpt ep = (endpt )data;
26	8.04k	if (itf_index == 0) {
27	1.99k	*ep = itf->ep;
28	1.99k	}
29	8.04k	itf_index--;
30	8.04k	}
31
32	2.02k	int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
33	2.02k	struct recvbuf rbufp;
34
35	2.02k	if (initialized == 0) {
36	1	sockfd = open("/dev/null", O_RDWR );
37		//adds interfaces
38	1	init_io();
39	1	init_auth();
40	1	init_util();
41	1	init_restrict();
42	1	init_mon();
43	1	init_timer();
44	1	init_lib();
45	1	init_request();
46	1	init_control();
47	1	init_peer();
48	1	init_proto();
49	1	init_loopfilter();
50	1	io_open_sockets();
51	1	initialized = 1;
52	1	}
53
54	2.02k	if (Size < sizeof(l_fp)) {
55	5	return 0;
56	5	}
57	2.02k	memcpy(&rbufp.recv_time, Data, sizeof(l_fp));
58	2.02k	Data += sizeof(l_fp);
59	2.02k	Size -= sizeof(l_fp);
60
61	2.02k	if (Size < sizeof(sockaddr_u)) {
62	9	return 0;
63	9	}
64	2.01k	memcpy(&rbufp.srcadr, Data, sizeof(sockaddr_u));
65	2.01k	memcpy(&rbufp.recv_srcadr, &rbufp.srcadr, sizeof(sockaddr_u));
66	2.01k	Data += sizeof(sockaddr_u);
67	2.01k	Size -= sizeof(sockaddr_u);
68
69	2.01k	if (Size < 1) {
70	1	return 0;
71	1	}
72	2.01k	itf_index = Data[0];
73	2.01k	rbufp.dstadr = NULL;
74	2.01k	interface_enumerate(fuzz_itf_selecter, &rbufp.dstadr);
75	2.01k	if (rbufp.dstadr == NULL) {
76	14	return 0;
77	14	}
78	1.99k	Data++;
79	1.99k	Size--;
80
81	1.99k	if (Size > RX_BUFF_SIZE) {
82	65	Size = RX_BUFF_SIZE;
83	65	}
84	1.99k	rbufp.recv_length = Size;
85	1.99k	memcpy(rbufp.recv_buffer, Data, Size);
86
87	1.99k	rbufp.msg_flags = 0;
88	1.99k	rbufp.used = 0;
89	1.99k	rbufp.link = NULL;
90	1.99k	rbufp.fd = sockfd;
91
92	1.99k	receive(&rbufp);
93	1.99k	return 0;
94	2.01k	}

Coverage Report

Created: 2023-03-26 07:11