/src/wireshark/fuzz/fuzzshark.c
Line | Count | Source |
1 | | /* fuzzshark.c |
2 | | * |
3 | | * Fuzzer variant of Wireshark for oss-fuzz |
4 | | * |
5 | | * Wireshark - Network traffic analyzer |
6 | | * By Gerald Combs <gerald@wireshark.org> |
7 | | * Copyright 1998 Gerald Combs |
8 | | * |
9 | | * SPDX-License-Identifier: GPL-2.0-or-later |
10 | | */ |
11 | | |
12 | | #include <config.h> |
13 | 0 | #define WS_LOG_DOMAIN LOG_DOMAIN_MAIN |
14 | | |
15 | | #include <stdlib.h> |
16 | | #include <stdio.h> |
17 | | #include <string.h> |
18 | | #include <limits.h> |
19 | | |
20 | | #include <glib.h> |
21 | | |
22 | | #include <epan/epan.h> |
23 | | |
24 | | #include <wsutil/cmdarg_err.h> |
25 | | #include <ui/failure_message.h> |
26 | | #include <wsutil/filesystem.h> |
27 | | #include <app/application_flavor.h> |
28 | | #include <wsutil/privileges.h> |
29 | | #include <wsutil/clopts_common.h> |
30 | | #include <wsutil/ws_getopt.h> |
31 | | #include <wsutil/wslog.h> |
32 | | #include <wsutil/version_info.h> |
33 | | |
34 | | #include <wiretap/wtap.h> |
35 | | |
36 | | #include <epan/color_filters.h> |
37 | | #include <epan/timestamp.h> |
38 | | #include <epan/prefs.h> |
39 | | #include <epan/column.h> |
40 | | #include <epan/column-info.h> |
41 | | #include <epan/print.h> |
42 | | #include <epan/epan_dissect.h> |
43 | | #include <epan/disabled_protos.h> |
44 | | |
45 | | #ifdef HAVE_PLUGINS |
46 | | #include <wsutil/plugins.h> |
47 | | #endif |
48 | | |
49 | | #include "FuzzerInterface.h" |
50 | | |
51 | 0 | #define EPAN_INIT_FAIL 2 |
52 | | |
53 | | static column_info fuzz_cinfo; |
54 | | static epan_t *fuzz_epan; |
55 | | static epan_dissect_t *fuzz_edt; |
56 | | |
57 | | static int |
58 | | fuzzshark_pref_set(const char *name, const char *value) |
59 | 60 | { |
60 | 60 | char pref[4096]; |
61 | 60 | char *errmsg = NULL; |
62 | | |
63 | 60 | prefs_set_pref_e ret; |
64 | | |
65 | 60 | snprintf(pref, sizeof(pref), "%s:%s", name, value); |
66 | | |
67 | 60 | ret = prefs_set_pref(pref, &errmsg); |
68 | 60 | g_free(errmsg); |
69 | | |
70 | 60 | return (ret == PREFS_SET_OK); |
71 | 60 | } |
72 | | |
73 | | static const nstime_t * |
74 | | fuzzshark_get_frame_ts(struct packet_provider_data *prov _U_, uint32_t frame_num _U_) |
75 | 262k | { |
76 | 262k | static nstime_t empty; |
77 | | |
78 | 262k | return ∅ |
79 | 262k | } |
80 | | |
81 | | static epan_t * |
82 | | fuzzshark_epan_new(void) |
83 | 15 | { |
84 | 15 | static const struct packet_provider_funcs funcs = { |
85 | 15 | fuzzshark_get_frame_ts, |
86 | 15 | NULL, |
87 | 15 | NULL, |
88 | 15 | NULL, |
89 | 15 | NULL, |
90 | 15 | NULL, |
91 | 15 | NULL, |
92 | 15 | NULL, |
93 | 15 | NULL, |
94 | 15 | }; |
95 | | |
96 | 15 | return epan_new(NULL, &funcs); |
97 | 15 | } |
98 | | |
99 | | static dissector_handle_t |
100 | | get_dissector_handle(const char *table, const char *target) |
101 | 15 | { |
102 | 15 | dissector_handle_t fuzz_handle = NULL; |
103 | | |
104 | 15 | if (table != NULL && target != NULL) |
105 | 12 | { |
106 | | /* search for handle, cannot use dissector_table_get_dissector_handle() cause it's using short-name, and I already used filter name in samples ;/ */ |
107 | 12 | GSList *handle_list = dissector_table_get_dissector_handles(find_dissector_table(table)); |
108 | 2.70k | while (handle_list) |
109 | 2.69k | { |
110 | 2.69k | dissector_handle_t handle = (dissector_handle_t) handle_list->data; |
111 | 2.69k | const char *handle_filter_name = proto_get_protocol_filter_name(dissector_handle_get_protocol_index(handle)); |
112 | | |
113 | 2.69k | if (!strcmp(handle_filter_name, target)) |
114 | 12 | fuzz_handle = handle; |
115 | 2.69k | handle_list = handle_list->next; |
116 | 2.69k | } |
117 | 12 | } |
118 | 3 | else if (target != NULL) |
119 | 3 | { |
120 | 3 | fuzz_handle = find_dissector(target); |
121 | 3 | } |
122 | | |
123 | 15 | return fuzz_handle; |
124 | 15 | } |
125 | | |
126 | | static void |
127 | | fuzz_prefs_apply(void) |
128 | 15 | { |
129 | | /* Turn off fragmentation for some protocols */ |
130 | 15 | fuzzshark_pref_set("ip.defragment", "FALSE"); |
131 | 15 | fuzzshark_pref_set("ipv6.defragment", "FALSE"); |
132 | 15 | fuzzshark_pref_set("wlan.defragment", "FALSE"); |
133 | 15 | fuzzshark_pref_set("tcp.desegment_tcp_streams", "FALSE"); |
134 | | |
135 | | /* Notify all registered modules that have had any of their preferences changed. */ |
136 | 15 | prefs_apply_all(); |
137 | 15 | } |
138 | | |
139 | | static int |
140 | | fuzz_init(int argc, char **argv) |
141 | 15 | { |
142 | 15 | char *configuration_init_error; |
143 | | |
144 | | |
145 | 15 | char *err_msg = NULL; |
146 | 15 | e_prefs *prefs_p; |
147 | 15 | int ret = EXIT_SUCCESS; |
148 | 15 | size_t i; |
149 | 15 | static const struct ws_option long_options[] = { |
150 | 15 | LONGOPT_WSLOG |
151 | 15 | {0, 0, 0, 0 } |
152 | 15 | }; |
153 | 15 | const struct file_extension_info* file_extensions; |
154 | 15 | unsigned num_extensions; |
155 | 15 | epan_app_data_t app_data; |
156 | | |
157 | | /* Future proof by zeroing out all data */ |
158 | 15 | memset(&app_data, 0, sizeof(app_data)); |
159 | | |
160 | 15 | const char *fuzz_target = |
161 | 15 | #if defined(FUZZ_DISSECTOR_TARGET) |
162 | 15 | FUZZ_DISSECTOR_TARGET; |
163 | | #else |
164 | | getenv("FUZZSHARK_TARGET"); |
165 | | #endif |
166 | | |
167 | 15 | const char *disabled_dissector_list[] = |
168 | 15 | { |
169 | 15 | #ifdef FUZZ_DISSECTOR_LIST |
170 | 15 | FUZZ_DISSECTOR_LIST , |
171 | 15 | #endif |
172 | 15 | "snort" |
173 | 15 | }; |
174 | | |
175 | | #if !defined(FUZZ_DISSECTOR_TABLE) && !defined(FUZZ_DISSECTOR_TARGET) |
176 | | const char *fuzz_table = getenv("FUZZSHARK_TABLE"); |
177 | | |
178 | | /* |
179 | | * Set the program name. |
180 | | * |
181 | | * XXX - yes, this isn't main(), but it still needs to be |
182 | | * set, as many Wireshark library routines depend on it |
183 | | * being set. |
184 | | */ |
185 | | g_set_prgname("oss-fuzzshark"); |
186 | | |
187 | | if (!fuzz_table && !fuzz_target) { |
188 | | fprintf(stderr, |
189 | | "Missing environment variables!\n" |
190 | | "\n" |
191 | | "Modes of operation:\n" |
192 | | "\n" |
193 | | " 1. Call a dissector directly by its name:\n" |
194 | | " FUZZSHARK_TARGET=dns %s input-file\n" |
195 | | " Calls dissect_x from register_dissector(NAME, dissect_x, proto_x)\n" |
196 | | "\n" |
197 | | " 2. Call a dissector by its filter name in a dissector table:\n" |
198 | | " FUZZSHARK_TABLE=ip.proto FUZZSHARK_TARGET=ospf %s input-file\n" |
199 | | " The filter name is from proto_register_protocol(., ., FILTER_NAME)\n" |
200 | | " Selects dissectors from dissector_add_uint* or dissector_add_for_decode_as.\n" |
201 | | "\n" |
202 | | "Either mode runs the selected dissector once and can hopefully reproduce a\n" |
203 | | "crash. Mode (2) can be used if a dissector (such as 'ospf') is not available\n" |
204 | | "through (1).\n" |
205 | | "\n" |
206 | | "For best results, build dedicated fuzzshark_* targets with:\n" |
207 | | " cmake -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++\\\n" |
208 | | " -DENABLE_FUZZER=1 -DENABLE_ASAN=1 -DENABLE_UBSAN=1\n" |
209 | | " ninja all-fuzzers\n" |
210 | | "These options enable LibFuzzer which makes fuzzing possible as opposed to\n" |
211 | | "running dissectors only once with a sample (as is the case with this fuzzshark" |
212 | | "binary). These fuzzshark_* targets are also used by oss-fuzz.\n", |
213 | | argv[0], argv[0]); |
214 | | return 1; |
215 | | } |
216 | | #endif |
217 | | |
218 | 15 | dissector_handle_t fuzz_handle = NULL; |
219 | | |
220 | | /* In oss-fuzz running environment g_get_home_dir() fails: |
221 | | * (process:1): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (0) |
222 | | * (process:1): GLib-CRITICAL **: g_once_init_leave: assertion 'result != 0' failed |
223 | | * |
224 | | * Avoid GLib-CRITICAL by setting some XDG environment variables. |
225 | | */ |
226 | 15 | g_setenv("XDG_CACHE_HOME", "/not/existing/directory", 0); /* g_get_user_cache_dir() */ |
227 | 15 | g_setenv("XDG_CONFIG_HOME", "/not/existing/directory", 0); /* g_get_user_config_dir() */ |
228 | 15 | g_setenv("XDG_DATA_HOME", "/not/existing/directory", 0); /* g_get_user_data_dir() */ |
229 | | |
230 | 15 | g_setenv("WIRESHARK_DEBUG_WMEM_OVERRIDE", "simple", 0); |
231 | 15 | g_setenv("G_SLICE", "always-malloc", 0); |
232 | | |
233 | 15 | cmdarg_err_init(stderr_cmdarg_err, stderr_cmdarg_err_cont); |
234 | | |
235 | | /* Initialize log handler early so we can have proper logging during startup. */ |
236 | 15 | ws_log_init(vcmdarg_err, "Fuzzshark Debug Console"); |
237 | | |
238 | | /* Early logging command-line initialization. */ |
239 | 15 | ws_log_parse_args(&argc, argv, "v", long_options, vcmdarg_err, LOG_ARGS_NOEXIT); |
240 | | |
241 | 15 | ws_noisy("Finished log init and parsing command line log arguments"); |
242 | | |
243 | | /* |
244 | | * Get credential information for later use, and drop privileges |
245 | | * before doing anything else. |
246 | | * Let the user know if anything happened. |
247 | | */ |
248 | 15 | init_process_policies(); |
249 | | #if 0 /* disable setresgid(), it fails with -EINVAL https://github.com/google/oss-fuzz/pull/532#issuecomment-294515463 */ |
250 | | relinquish_special_privs_perm(); |
251 | | #endif |
252 | | |
253 | | /* |
254 | | * Attempt to get the pathname of the executable file. |
255 | | */ |
256 | 15 | configuration_init_error = configuration_init(argv[0], "wireshark"); |
257 | 15 | if (configuration_init_error != NULL) { |
258 | 0 | fprintf(stderr, "fuzzshark: Can't get pathname of oss-fuzzshark program: %s.\n", configuration_init_error); |
259 | 0 | g_free(configuration_init_error); |
260 | 0 | } |
261 | | |
262 | | /* Initialize the version information. */ |
263 | 15 | ws_init_version_info("OSS Fuzzshark", NULL, application_get_vcs_version_info, |
264 | 15 | epan_gather_compile_info, epan_gather_runtime_info); |
265 | | |
266 | 15 | init_report_failure_message("fuzzshark"); |
267 | | |
268 | 15 | timestamp_set_type(TS_RELATIVE); |
269 | 15 | timestamp_set_precision(TS_PREC_AUTO); |
270 | 15 | timestamp_set_seconds_type(TS_SECONDS_DEFAULT); |
271 | | |
272 | | /* |
273 | | * Libwiretap must be initialized before libwireshark is, so that |
274 | | * dissection-time handlers for file-type-dependent blocks can |
275 | | * register using the file type/subtype value for the file type. |
276 | | */ |
277 | 15 | application_file_extensions(&file_extensions, &num_extensions); |
278 | 15 | wtap_init(true, application_configuration_environment_prefix(), file_extensions, num_extensions); |
279 | | |
280 | | /* Register all dissectors; we must do this before checking for the |
281 | | "-G" flag, as the "-G" flag dumps information registered by the |
282 | | dissectors, and we must do it before we read the preferences, in |
283 | | case any dissectors register preferences. */ |
284 | 15 | app_data.env_var_prefix = application_configuration_environment_prefix(); |
285 | 15 | app_data.col_fmt = application_columns(); |
286 | 15 | app_data.num_cols = application_num_columns(); |
287 | 15 | app_data.register_func = register_all_protocols; |
288 | 15 | app_data.handoff_func = register_all_protocol_handoffs; |
289 | 15 | if (!epan_init(NULL, NULL, false, &app_data)) |
290 | 0 | { |
291 | 0 | ret = EPAN_INIT_FAIL; |
292 | 0 | goto clean_exit; |
293 | 0 | } |
294 | | |
295 | | /* Load libwireshark settings from the current profile. */ |
296 | 15 | prefs_p = epan_load_settings(); |
297 | | |
298 | 15 | if (!color_filters_init(&err_msg, NULL, application_configuration_environment_prefix())) |
299 | 0 | { |
300 | 0 | fprintf(stderr, "%s\n", err_msg); |
301 | 0 | g_free(err_msg); |
302 | 0 | } |
303 | | |
304 | 135 | for (i = 0; i < G_N_ELEMENTS(disabled_dissector_list); i++) |
305 | 120 | { |
306 | 120 | const char *item = disabled_dissector_list[i]; |
307 | | |
308 | | /* XXX, need to think how to disallow chains like: IP -> .... -> IP, |
309 | | * best would be to disable dissector always, but allow it during initial call. */ |
310 | 120 | if (fuzz_target == NULL || strcmp(fuzz_target, item)) |
311 | 108 | { |
312 | 108 | fprintf(stderr, "oss-fuzzshark: disabling: %s\n", item); |
313 | 108 | proto_disable_proto_by_name(item); |
314 | 108 | } |
315 | 120 | } |
316 | | |
317 | 15 | fuzz_prefs_apply(); |
318 | | |
319 | | /* Build the column format array */ |
320 | 15 | build_column_format_array(&fuzz_cinfo, prefs_p->num_cols, true); |
321 | | |
322 | 15 | #if defined(FUZZ_DISSECTOR_TABLE) && defined(FUZZ_DISSECTOR_TARGET) |
323 | 15 | # define FUZZ_EPAN 1 |
324 | 15 | fprintf(stderr, "oss-fuzzshark: configured for dissector: %s in table: %s\n", fuzz_target, FUZZ_DISSECTOR_TABLE); |
325 | 15 | fuzz_handle = get_dissector_handle(FUZZ_DISSECTOR_TABLE, fuzz_target); |
326 | | |
327 | | #elif defined(FUZZ_DISSECTOR_TARGET) |
328 | | # define FUZZ_EPAN 2 |
329 | | fprintf(stderr, "oss-fuzzshark: configured for dissector: %s\n", fuzz_target); |
330 | | fuzz_handle = get_dissector_handle(NULL, fuzz_target); |
331 | | |
332 | | #else |
333 | | # define FUZZ_EPAN 3 |
334 | | if (fuzz_table) { |
335 | | fprintf(stderr, "oss-fuzzshark: requested dissector: %s in table %s\n", fuzz_target, fuzz_table); |
336 | | } else { |
337 | | fprintf(stderr, "oss-fuzzshark: requested dissector: %s\n", fuzz_target); |
338 | | } |
339 | | fuzz_handle = get_dissector_handle(fuzz_table, fuzz_target); |
340 | | #endif |
341 | | |
342 | 15 | #ifdef FUZZ_EPAN |
343 | 15 | g_assert(fuzz_handle != NULL && "Requested dissector is not found!"); |
344 | 15 | register_postdissector(fuzz_handle); |
345 | 15 | #endif |
346 | | |
347 | 15 | fuzz_epan = fuzzshark_epan_new(); |
348 | 15 | fuzz_edt = epan_dissect_new(fuzz_epan, true, false); |
349 | | |
350 | 15 | return 0; |
351 | 0 | clean_exit: |
352 | 0 | wtap_cleanup(); |
353 | 0 | free_progdirs(); |
354 | 0 | return ret; |
355 | 15 | } |
356 | | |
357 | | #ifdef FUZZ_EPAN |
358 | | int |
359 | | LLVMFuzzerTestOneInput(const uint8_t *buf, size_t real_len) |
360 | 114k | { |
361 | 114k | static uint32_t framenum = 0; |
362 | 114k | epan_dissect_t *edt = fuzz_edt; |
363 | | |
364 | 114k | uint32_t len = (uint32_t) real_len; |
365 | | |
366 | 114k | wtap_rec rec; |
367 | 114k | frame_data fdlocal; |
368 | | |
369 | 114k | wtap_rec_init(&rec, len); |
370 | | |
371 | | /* wtap_setup_packet_rec(&rec, WTAP_ENCAP_ETHERNET); */ |
372 | 114k | wtap_setup_packet_rec(&rec, INT16_MAX); |
373 | 114k | rec.rec_header.packet_header.caplen = len; |
374 | 114k | rec.rec_header.packet_header.len = len; |
375 | | |
376 | 114k | rec.presence_flags = WTAP_HAS_TS | WTAP_HAS_CAP_LEN; /* most common flags... */ |
377 | | |
378 | 114k | ws_buffer_append(&rec.data, buf, real_len); |
379 | | |
380 | 114k | frame_data_init(&fdlocal, ++framenum, &rec, /* offset */ 0, /* cum_bytes */ 0); |
381 | | /* frame_data_set_before_dissect() not needed */ |
382 | 114k | epan_dissect_run(edt, WTAP_FILE_TYPE_SUBTYPE_UNKNOWN, &rec, &fdlocal, NULL /* &fuzz_cinfo */); |
383 | 114k | frame_data_destroy(&fdlocal); |
384 | | |
385 | 114k | epan_dissect_reset(edt); |
386 | | |
387 | 114k | wtap_rec_cleanup(&rec); |
388 | 114k | return 0; |
389 | 114k | } |
390 | | |
391 | | #else |
392 | | # error "Missing fuzz target." |
393 | | #endif |
394 | | |
395 | | int |
396 | | LLVMFuzzerInitialize(int *argc, char ***argv) |
397 | 15 | { |
398 | 15 | return fuzz_init(*argc, *argv); |
399 | 15 | } |
400 | | |
401 | | /* |
402 | | * Editor modelines - https://www.wireshark.org/tools/modelines.html |
403 | | * |
404 | | * Local variables: |
405 | | * c-basic-offset: 8 |
406 | | * tab-width: 8 |
407 | | * indent-tabs-mode: t |
408 | | * End: |
409 | | * |
410 | | * vi: set shiftwidth=8 tabstop=8 noexpandtab: |
411 | | * :indentSize=8:tabSize=8:noTabs=false: |
412 | | */ |