/src/openssl33/fuzz/quic-srtm.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"); |
5 | | * you may not use this file except in compliance with the License. |
6 | | * You may obtain a copy of the License at |
7 | | * https://www.openssl.org/source/license.html |
8 | | * or in the file LICENSE in the source distribution. |
9 | | */ |
10 | | |
11 | | #include <openssl/ssl.h> |
12 | | #include <openssl/err.h> |
13 | | #include <openssl/bio.h> |
14 | | #include "fuzzer.h" |
15 | | #include "internal/quic_srtm.h" |
16 | | |
17 | | int FuzzerInitialize(int *argc, char ***argv) |
18 | 200 | { |
19 | 200 | FuzzerSetRand(); |
20 | 200 | OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ASYNC, NULL); |
21 | 200 | OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); |
22 | 200 | ERR_clear_error(); |
23 | 200 | return 1; |
24 | 200 | } |
25 | | |
26 | | /* |
27 | | * Fuzzer input "protocol": |
28 | | * Big endian |
29 | | * Zero or more of: |
30 | | * ADD - u8(0x00) u64(opaque) u64(seq_num) u128(token) |
31 | | * REMOVE - u8(0x01) u64(opaque) u64(seq_num) |
32 | | * CULL - u8(0x02) u64(opaque) |
33 | | * LOOKUP - u8(0x03) u128(token) u64(idx) |
34 | | */ |
35 | | enum { |
36 | | CMD_ADD, |
37 | | CMD_REMOVE, |
38 | | CMD_CULL, |
39 | | CMD_LOOKUP |
40 | | }; |
41 | | |
42 | | int FuzzerTestOneInput(const uint8_t *buf, size_t len) |
43 | 1.16k | { |
44 | 1.16k | int rc = 0; |
45 | 1.16k | QUIC_SRTM *srtm = NULL; |
46 | 1.16k | PACKET pkt; |
47 | 1.16k | unsigned int cmd; |
48 | 1.16k | uint64_t arg_opaque, arg_seq_num, arg_idx; |
49 | 1.16k | QUIC_STATELESS_RESET_TOKEN arg_token; |
50 | | |
51 | 1.16k | if ((srtm = ossl_quic_srtm_new(NULL, NULL)) == NULL) { |
52 | 0 | rc = -1; |
53 | 0 | goto err; |
54 | 0 | } |
55 | | |
56 | 1.16k | if (!PACKET_buf_init(&pkt, buf, len)) |
57 | 0 | goto err; |
58 | | |
59 | 6.14M | while (PACKET_remaining(&pkt) > 0) { |
60 | 6.14M | if (!PACKET_get_1(&pkt, &cmd)) |
61 | 0 | goto err; |
62 | | |
63 | 6.14M | switch (cmd) { |
64 | 573k | case CMD_ADD: |
65 | 573k | if (!PACKET_get_net_8(&pkt, &arg_opaque) |
66 | 573k | || !PACKET_get_net_8(&pkt, &arg_seq_num) |
67 | 573k | || !PACKET_copy_bytes(&pkt, arg_token.token, |
68 | 573k | sizeof(arg_token.token))) |
69 | 610 | continue; /* just stop */ |
70 | | |
71 | 573k | ossl_quic_srtm_add(srtm, (void *)(uintptr_t)arg_opaque, |
72 | 573k | arg_seq_num, &arg_token); |
73 | 573k | ossl_quic_srtm_check(srtm); |
74 | 573k | break; |
75 | | |
76 | 85.9k | case CMD_REMOVE: |
77 | 85.9k | if (!PACKET_get_net_8(&pkt, &arg_opaque) |
78 | 85.9k | || !PACKET_get_net_8(&pkt, &arg_seq_num)) |
79 | 115 | continue; /* just stop */ |
80 | | |
81 | 85.8k | ossl_quic_srtm_remove(srtm, (void *)(uintptr_t)arg_opaque, |
82 | 85.8k | arg_seq_num); |
83 | 85.8k | ossl_quic_srtm_check(srtm); |
84 | 85.8k | break; |
85 | | |
86 | 20.7k | case CMD_CULL: |
87 | 20.7k | if (!PACKET_get_net_8(&pkt, &arg_opaque)) |
88 | 40 | continue; /* just stop */ |
89 | | |
90 | 20.6k | ossl_quic_srtm_cull(srtm, (void *)(uintptr_t)arg_opaque); |
91 | 20.6k | ossl_quic_srtm_check(srtm); |
92 | 20.6k | break; |
93 | | |
94 | 29.9k | case CMD_LOOKUP: |
95 | 29.9k | if (!PACKET_copy_bytes(&pkt, arg_token.token, |
96 | 29.9k | sizeof(arg_token.token)) |
97 | 29.9k | || !PACKET_get_net_8(&pkt, &arg_idx)) |
98 | 139 | continue; /* just stop */ |
99 | | |
100 | 29.8k | ossl_quic_srtm_lookup(srtm, &arg_token, (size_t)arg_idx, |
101 | 29.8k | NULL, NULL); |
102 | 29.8k | ossl_quic_srtm_check(srtm); |
103 | 29.8k | break; |
104 | | |
105 | 5.43M | default: |
106 | | /* Other bytes are treated as no-ops */ |
107 | 5.43M | continue; |
108 | 6.14M | } |
109 | 6.14M | } |
110 | | |
111 | 1.16k | err: |
112 | 1.16k | ossl_quic_srtm_free(srtm); |
113 | 1.16k | return rc; |
114 | 1.16k | } |
115 | | |
116 | | void FuzzerCleanup(void) |
117 | 0 | { |
118 | 0 | FuzzerClearRand(); |
119 | 0 | } |