diff options
Diffstat (limited to 'fuzz')
-rw-r--r-- | fuzz/CMakeLists.txt | 145 | ||||
-rw-r--r-- | fuzz/FuzzerInterface.h | 148 | ||||
-rw-r--r-- | fuzz/StandaloneFuzzTargetMain.c | 126 | ||||
-rw-r--r-- | fuzz/fuzzshark.c | 416 |
4 files changed, 835 insertions, 0 deletions
diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt new file mode 100644 index 00000000..4b417db6 --- /dev/null +++ b/fuzz/CMakeLists.txt @@ -0,0 +1,145 @@ +# CMakeLists.txt +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# SPDX-License-Identifier: GPL-2.0-or-later +# + +# List of dissectors compiled below, which should be turned off. +# This is done to avoid single fuzzer (like IP) to call UDP protocols, which can go back to IP, and so on.. +# While doing so might find some bugs, but it's likely to be the problem for too big corpus in oss-fuzzer +# (see: https://github.com/google/oss-fuzz/issues/1087). +# + udplite - it's sharing most of code with UDP. +set(FUZZ_DISABLED_DISSECTORS ip udp udplite ospf bgp dhcp json) + +set(FUZZ_DISSECTORS ip) +set(FUZZ_IP_PROTO_DISSECTORS udp ospf) + +set(FUZZ_TCP_PORT_DISSECTORS bgp) +# list(APPEND FUZZ_TCP_PORT_DISSECTORS bzr) # disabled, cause of known problem. +# list(APPEND FUZZ_TCP_PORT_DISSECTORS echo) # disabled, too simple. + +set(FUZZ_UDP_PORT_DISSECTORS dns dhcp) +# list(FUZZ_UDP_PORT_DISSECTORS bfd) # disabled, too simple. + +set(FUZZ_MEDIA_TYPE_DISSECTORS json) + +set(fuzzshark_LIBS + ui + wiretap + epan + wsutil +) +if(OSS_FUZZ) + if("$ENV{LIB_FUZZING_ENGINE}" STREQUAL "") + message(FATAL_ERROR "LIB_FUZZING_ENGINE is not set!") + endif() + list(APPEND fuzzshark_LIBS $ENV{LIB_FUZZING_ENGINE}) +endif() +set(fuzzshark_FILES + fuzzshark.c +) +set(FUZZ_LINK_FLAGS "${WS_LINK_FLAGS}") +if(ENABLE_FUZZER) + set(FUZZ_LINK_FLAGS "${FUZZ_LINK_FLAGS} -fsanitize=fuzzer") +endif() +if(OSS_FUZZ) + # libFuzzingEngine.a is not position independent, so cannot use -pie. + set(FUZZ_LINK_FLAGS "${FUZZ_LINK_FLAGS} -no-pie") +endif() + +# Convert the list of disabled dissectors from a;b;c -> "a", "b", "c" +# for use in fuzzshark.c (macro) +string(REGEX REPLACE "([^;]+)" "\"\\1\"" FUZZ_DISABLED_DISSECTORS_MACRO "${FUZZ_DISABLED_DISSECTORS}") +string(REPLACE ";" ", " FUZZ_DISABLED_DISSECTORS_MACRO "${FUZZ_DISABLED_DISSECTORS_MACRO}") + +# Targets that are build via all-fuzzers: +# - fuzzshark: a non-specific fuzz target, configurable through env vars (requires BUILD_fuzzshark) +# - fuzzshark_<target>: fuzz target for a specific dissector target. +# - fuzzshark_<table>-<target>: fuzz target for a specific dissector via a dissector table. +add_custom_target(all-fuzzers) + +function(fuzzshark_set_common_options fuzzer_name) + # Sanitizers require a C++ runtime, so use a C++ linker. + set_target_properties(${fuzzer_name} PROPERTIES + FOLDER "Fuzzers" + LINK_FLAGS "${FUZZ_LINK_FLAGS}" + LINKER_LANGUAGE "CXX" + ) + target_link_libraries(${fuzzer_name} ${fuzzshark_LIBS}) + add_dependencies(all-fuzzers ${fuzzer_name}) +endfunction() + +if(BUILD_fuzzshark) + if(NOT (ENABLE_FUZZER OR OSS_FUZZ)) + # libFuzzer includes a main routine that enables fuzzing. If + # support for fuzzing was not enabled, add a small standalone + # target that can be used to test-compile fuzzshark.c. + list(APPEND fuzzshark_FILES StandaloneFuzzTargetMain.c) + endif() + add_executable(fuzzshark ${fuzzshark_FILES}) + fuzzshark_set_common_options(fuzzshark) +endif() + +# Create a new dissector fuzzer target. +# If <dissector_table> is empty, <name> will be called directly. +# If <dissector_table> is non-empty, a dissector with filter name <name> will be +# looked up in dissector table <dissector_table>. +function(generate_fuzzer dissector_table name) + if(NOT (ENABLE_FUZZER OR OSS_FUZZ)) + return() + endif() + + if(dissector_table STREQUAL "") + set(fuzzer_name fuzzshark_${name}) + else() + # "ip.proto" and "udp" -> "ip_proto-udp" + set(fuzzer_name fuzzshark_${dissector_table}-${name}) + string(REPLACE "." "_" fuzzer_name ${fuzzer_name}) + endif() + + add_executable(${fuzzer_name} EXCLUDE_FROM_ALL ${fuzzshark_FILES}) + fuzzshark_set_common_options(${fuzzer_name}) + target_compile_definitions(${fuzzer_name} PRIVATE + FUZZ_DISSECTOR_LIST=${FUZZ_DISABLED_DISSECTORS_MACRO} + FUZZ_DISSECTOR_TARGET="${name}" + ) + if(NOT dissector_table STREQUAL "") + target_compile_definitions(${fuzzer_name} PRIVATE + FUZZ_DISSECTOR_TABLE="${dissector_table}") + endif() +endfunction() + +# Add fuzzer targets for every dissector in list FUZZ_<table-var>_DISSECTORS, +# where <table-var> changes a <table> such as "ip.proto" into "IP_PROTO". +function(add_table_fuzzers table) + string(REPLACE "." "_" table_var ${table}) + string(TOUPPER "${table_var}" table_var) + foreach(dissector IN LISTS FUZZ_${table_var}_DISSECTORS) + generate_fuzzer(${table} ${dissector}) + endforeach() +endfunction() + +foreach(dissector IN LISTS FUZZ_DISSECTORS) + generate_fuzzer("" ${dissector}) +endforeach() + +add_table_fuzzers("ip.proto") +add_table_fuzzers("tcp.port") +add_table_fuzzers("udp.port") +add_table_fuzzers("media_type") + +# +# Editor modelines - https://www.wireshark.org/tools/modelines.html +# +# Local variables: +# c-basic-offset: 8 +# tab-width: 8 +# indent-tabs-mode: t +# End: +# +# vi: set shiftwidth=8 tabstop=8 noexpandtab: +# :indentSize=8:tabSize=8:noTabs=false: +# diff --git a/fuzz/FuzzerInterface.h b/fuzz/FuzzerInterface.h new file mode 100644 index 00000000..233110e6 --- /dev/null +++ b/fuzz/FuzzerInterface.h @@ -0,0 +1,148 @@ +/** @file */ +/* based on http://llvm.org/svn/llvm-project/compiler-rt/trunk/lib/fuzzer/FuzzerInterface.h r321218 (20 Dec 2017) */ + +/* http://llvm.org/svn/llvm-project/compiler-rt/trunk/LICENSE.TXT follows */ + +/* +============================================================================== +compiler_rt License +============================================================================== + +The compiler_rt library is dual licensed under both the University of Illinois +"BSD-Like" license and the MIT license. As a user of this code you may choose +to use it under either license. As a contributor, you agree to allow your code +to be used under both. + +Full text of the relevant licenses is included below. + +============================================================================== + +University of Illinois/NCSA +Open Source License + +Copyright (c) 2009-2016 by the contributors listed in CREDITS.TXT + +All rights reserved. + +Developed by: + + LLVM Team + + University of Illinois at Urbana-Champaign + + http://llvm.org + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal with +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies +of the Software, and to permit persons to whom the Software is furnished to do +so, subject to the following conditions: + + * Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimers. + + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimers in the + documentation and/or other materials provided with the distribution. + + * Neither the names of the LLVM Team, University of Illinois at + Urbana-Champaign, nor the names of its contributors may be used to + endorse or promote products derived from this Software without specific + prior written permission. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE +SOFTWARE. + +============================================================================== + +Copyright (c) 2009-2015 by the contributors listed in CREDITS.TXT + +SPDX-License-Identifier: MIT + +============================================================================== +Copyrights and Licenses for Third Party Software Distributed with LLVM: +============================================================================== +The LLVM software contains code written by third parties. Such software will +have its own individual LICENSE.TXT file in the directory in which it appears. +This file will describe the copyrights, license, and restrictions which apply +to that code. + +The disclaimer of warranty in the University of Illinois Open Source License +applies to all code in the LLVM Distribution, and nothing in any of the +other licenses gives permission to use the names of the LLVM Team or the +University of Illinois to endorse or promote products derived from this +Software. +*/ +//===- FuzzerInterface.h - Interface header for the Fuzzer ------*- C++ -* ===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// +// Define the interface between libFuzzer and the library being tested. +//===----------------------------------------------------------------------===// + +// NOTE: the libFuzzer interface is thin and in the majority of cases +// you should not include this file into your target. In 95% of cases +// all you need is to define the following function in your file: +// extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); + +// WARNING: keep the interface in C. + +#ifndef LLVM_FUZZER_INTERFACE_H +#define LLVM_FUZZER_INTERFACE_H + +#include <stddef.h> +#include <stdint.h> + +#ifdef __cplusplus +extern "C" { +#endif // __cplusplus + +// Mandatory user-provided target function. +// Executes the code under test with [Data, Data+Size) as the input. +// libFuzzer will invoke this function *many* times with different inputs. +// Must return 0. +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); + +// Optional user-provided initialization function. +// If provided, this function will be called by libFuzzer once at startup. +// It may read and modify argc/argv. +// Must return 0. +int LLVMFuzzerInitialize(int *argc, char ***argv); + +// Optional user-provided custom mutator. +// Mutates raw data in [Data, Data+Size) inplace. +// Returns the new size, which is not greater than MaxSize. +// Given the same Seed produces the same mutation. +size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize, + unsigned int Seed); + +// Optional user-provided custom cross-over function. +// Combines pieces of Data1 & Data2 together into Out. +// Returns the new size, which is not greater than MaxOutSize. +// Should produce the same mutation given the same Seed. +size_t LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1, + const uint8_t *Data2, size_t Size2, + uint8_t *Out, size_t MaxOutSize, + unsigned int Seed); + +// Experimental, may go away in future. +// libFuzzer-provided function to be used inside LLVMFuzzerCustomMutator. +// Mutates raw data in [Data, Data+Size) inplace. +// Returns the new size, which is not greater than MaxSize. +size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize); + +#ifdef __cplusplus +} // extern "C" +#endif // __cplusplus + +#endif // LLVM_FUZZER_INTERFACE_H diff --git a/fuzz/StandaloneFuzzTargetMain.c b/fuzz/StandaloneFuzzTargetMain.c new file mode 100644 index 00000000..cf29561c --- /dev/null +++ b/fuzz/StandaloneFuzzTargetMain.c @@ -0,0 +1,126 @@ +/* based on http://llvm.org/svn/llvm-project/compiler-rt/trunk/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c r311407 (22 Aug 2017) */ + +/* http://llvm.org/svn/llvm-project/compiler-rt/trunk/LICENSE.TXT follows */ + +/* +============================================================================== +compiler_rt License +============================================================================== + +The compiler_rt library is dual licensed under both the University of Illinois +"BSD-Like" license and the MIT license. As a user of this code you may choose +to use it under either license. As a contributor, you agree to allow your code +to be used under both. + +Full text of the relevant licenses is included below. + +============================================================================== + +University of Illinois/NCSA +Open Source License + +Copyright (c) 2009-2016 by the contributors listed in CREDITS.TXT + +All rights reserved. + +Developed by: + + LLVM Team + + University of Illinois at Urbana-Champaign + + http://llvm.org + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal with +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies +of the Software, and to permit persons to whom the Software is furnished to do +so, subject to the following conditions: + + * Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimers. + + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimers in the + documentation and/or other materials provided with the distribution. + + * Neither the names of the LLVM Team, University of Illinois at + Urbana-Champaign, nor the names of its contributors may be used to + endorse or promote products derived from this Software without specific + prior written permission. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE +SOFTWARE. + +============================================================================== + +Copyright (c) 2009-2015 by the contributors listed in CREDITS.TXT + +SPDX-License-Identifier: MIT + +============================================================================== +Copyrights and Licenses for Third Party Software Distributed with LLVM: +============================================================================== +The LLVM software contains code written by third parties. Such software will +have its own individual LICENSE.TXT file in the directory in which it appears. +This file will describe the copyrights, license, and restrictions which apply +to that code. + +The disclaimer of warranty in the University of Illinois Open Source License +applies to all code in the LLVM Distribution, and nothing in any of the +other licenses gives permission to use the names of the LLVM Team or the +University of Illinois to endorse or promote products derived from this +Software. +*/ + +/*===- StandaloneFuzzTargetMain.c - standalone main() for fuzz targets. ---===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// +// This main() function can be linked to a fuzz target (i.e. a library +// that exports LLVMFuzzerTestOneInput() and possibly LLVMFuzzerInitialize()) +// instead of libFuzzer. This main() function will not perform any fuzzing +// but will simply feed all input files one by one to the fuzz target. +// +// Use this file to provide reproducers for bugs when linking against libFuzzer +// or other fuzzing engine is undesirable. +//===----------------------------------------------------------------------===*/ +#include <assert.h> +#include <stdio.h> +#include <stdlib.h> + +#include <glib.h> +#include <wsutil/file_util.h> + +#include "FuzzerInterface.h" + +int main(int argc, char **argv) { + fprintf(stderr, "StandaloneFuzzTargetMain: running %d inputs\n", argc - 1); + LLVMFuzzerInitialize(&argc, &argv); + for (int i = 1; i < argc; i++) { + fprintf(stderr, "Running: %s\n", argv[i]); + FILE *f = ws_fopen(argv[i], "r"); + assert(f); + fseek(f, 0, SEEK_END); + long len = ftell(f); + assert(len >= 0); + fseek(f, 0, SEEK_SET); + unsigned char *buf = (unsigned char*)g_malloc((size_t)len); + size_t n_read = fread(buf, 1, len, f); + assert(n_read == (size_t)len); + fclose(f); + LLVMFuzzerTestOneInput(buf, len); + g_free(buf); + fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); + } +} diff --git a/fuzz/fuzzshark.c b/fuzz/fuzzshark.c new file mode 100644 index 00000000..22830c01 --- /dev/null +++ b/fuzz/fuzzshark.c @@ -0,0 +1,416 @@ +/* fuzzshark.c + * + * Fuzzer variant of Wireshark for oss-fuzz + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include <config.h> +#define WS_LOG_DOMAIN LOG_DOMAIN_MAIN + +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <limits.h> + +#include <glib.h> + +#include <epan/epan.h> + +#include <wsutil/cmdarg_err.h> +#include <ui/failure_message.h> +#include <wsutil/filesystem.h> +#include <wsutil/privileges.h> +#include <wsutil/report_message.h> +#include <wsutil/wslog.h> +#include <wsutil/version_info.h> + +#include <wiretap/wtap.h> + +#include <epan/color_filters.h> +#include <epan/timestamp.h> +#include <epan/prefs.h> +#include <epan/column.h> +#include <epan/column-info.h> +#include <epan/print.h> +#include <epan/epan_dissect.h> +#include <epan/disabled_protos.h> + +#ifdef HAVE_PLUGINS +#include <wsutil/plugins.h> +#endif + +#include "FuzzerInterface.h" + +#define EPAN_INIT_FAIL 2 + +static column_info fuzz_cinfo; +static epan_t *fuzz_epan; +static epan_dissect_t *fuzz_edt; + +/* + * Report an error in command-line arguments. + */ +static void +fuzzshark_cmdarg_err(const char *msg_format, va_list ap) +{ + fprintf(stderr, "oss-fuzzshark: "); + vfprintf(stderr, msg_format, ap); + fprintf(stderr, "\n"); +} + +/* + * Report additional information for an error in command-line arguments. + */ +static void +fuzzshark_cmdarg_err_cont(const char *msg_format, va_list ap) +{ + vfprintf(stderr, msg_format, ap); + fprintf(stderr, "\n"); +} + +static int +fuzzshark_pref_set(const char *name, const char *value) +{ + char pref[4096]; + char *errmsg = NULL; + + prefs_set_pref_e ret; + + snprintf(pref, sizeof(pref), "%s:%s", name, value); + + ret = prefs_set_pref(pref, &errmsg); + g_free(errmsg); + + return (ret == PREFS_SET_OK); +} + +static const nstime_t * +fuzzshark_get_frame_ts(struct packet_provider_data *prov _U_, guint32 frame_num _U_) +{ + static nstime_t empty; + + return ∅ +} + +static epan_t * +fuzzshark_epan_new(void) +{ + static const struct packet_provider_funcs funcs = { + fuzzshark_get_frame_ts, + NULL, + NULL, + NULL + }; + + return epan_new(NULL, &funcs); +} + +static dissector_handle_t +get_dissector_handle(const char *table, const char *target) +{ + dissector_handle_t fuzz_handle = NULL; + + if (table != NULL && target != NULL) + { + /* search for handle, cannot use dissector_table_get_dissector_handle() cause it's using short-name, and I already used filter name in samples ;/ */ + GSList *handle_list = dissector_table_get_dissector_handles(find_dissector_table(table)); + while (handle_list) + { + dissector_handle_t handle = (dissector_handle_t) handle_list->data; + const char *handle_filter_name = proto_get_protocol_filter_name(dissector_handle_get_protocol_index(handle)); + + if (!strcmp(handle_filter_name, target)) + fuzz_handle = handle; + handle_list = handle_list->next; + } + } + else if (target != NULL) + { + fuzz_handle = find_dissector(target); + } + + return fuzz_handle; +} + +static void +fuzz_prefs_apply(void) +{ + /* Turn off fragmentation for some protocols */ + fuzzshark_pref_set("ip.defragment", "FALSE"); + fuzzshark_pref_set("ipv6.defragment", "FALSE"); + fuzzshark_pref_set("wlan.defragment", "FALSE"); + fuzzshark_pref_set("tcp.desegment_tcp_streams", "FALSE"); + + /* Notify all registered modules that have had any of their preferences changed. */ + prefs_apply_all(); +} + +static int +fuzz_init(int argc _U_, char **argv) +{ + char *configuration_init_error; + + static const struct report_message_routines fuzzshark_report_routines = { + failure_message, + failure_message, + open_failure_message, + read_failure_message, + write_failure_message, + cfile_open_failure_message, + cfile_dump_open_failure_message, + cfile_read_failure_message, + cfile_write_failure_message, + cfile_close_failure_message + }; + + char *err_msg = NULL; + e_prefs *prefs_p; + int ret = EXIT_SUCCESS; + size_t i; + + const char *fuzz_target = +#if defined(FUZZ_DISSECTOR_TARGET) + FUZZ_DISSECTOR_TARGET; +#else + getenv("FUZZSHARK_TARGET"); +#endif + + const char *disabled_dissector_list[] = + { +#ifdef FUZZ_DISSECTOR_LIST + FUZZ_DISSECTOR_LIST , +#endif + "snort" + }; + +#if !defined(FUZZ_DISSECTOR_TABLE) && !defined(FUZZ_DISSECTOR_TARGET) + const char *fuzz_table = getenv("FUZZSHARK_TABLE"); + + if (!fuzz_table && !fuzz_target) { + fprintf(stderr, +"Missing environment variables!\n" +"\n" +"Modes of operation:\n" +"\n" +" 1. Call a dissector directly by its name:\n" +" FUZZSHARK_TARGET=dns %s input-file\n" +" Calls dissect_x from register_dissector(NAME, dissect_x, proto_x)\n" +"\n" +" 2. Call a dissector by its filter name in a dissector table:\n" +" FUZZSHARK_TABLE=ip.proto FUZZSHARK_TARGET=ospf %s input-file\n" +" The filter name is from proto_register_protocol(., ., FILTER_NAME)\n" +" Selects dissectors from dissector_add_uint* or dissector_add_for_decode_as.\n" +"\n" +"Either mode runs the selected dissector once and can hopefully reproduce a\n" +"crash. Mode (2) can be used if a dissector (such as 'ospf') is not available\n" +"through (1).\n" +"\n" +"For best results, build dedicated fuzzshark_* targets with:\n" +" cmake -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++\\\n" +" -DENABLE_FUZZER=1 -DENABLE_ASAN=1 -DENABLE_UBSAN=1\n" +" ninja all-fuzzers\n" +"These options enable LibFuzzer which makes fuzzing possible as opposed to\n" +"running dissectors only once with a sample (as is the case with this fuzzshark" +"binary). These fuzzshark_* targets are also used by oss-fuzz.\n", + argv[0], argv[0]); + return 1; + } +#endif + + dissector_handle_t fuzz_handle = NULL; + + /* In oss-fuzz running environment g_get_home_dir() fails: + * (process:1): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (0) + * (process:1): GLib-CRITICAL **: g_once_init_leave: assertion 'result != 0' failed + * + * Avoid GLib-CRITICAL by setting some XDG environment variables. + */ + g_setenv("XDG_CACHE_HOME", "/not/existing/directory", 0); /* g_get_user_cache_dir() */ + g_setenv("XDG_CONFIG_HOME", "/not/existing/directory", 0); /* g_get_user_config_dir() */ + g_setenv("XDG_DATA_HOME", "/not/existing/directory", 0); /* g_get_user_data_dir() */ + + g_setenv("WIRESHARK_DEBUG_WMEM_OVERRIDE", "simple", 0); + g_setenv("G_SLICE", "always-malloc", 0); + + cmdarg_err_init(fuzzshark_cmdarg_err, fuzzshark_cmdarg_err_cont); + + /* Initialize log handler early so we can have proper logging during startup. */ + ws_log_init("fuzzshark", vcmdarg_err); + + /* Early logging command-line initialization. */ + ws_log_parse_args(&argc, argv, vcmdarg_err, LOG_ARGS_NOEXIT); + + ws_noisy("Finished log init and parsing command line log arguments"); + + /* + * Get credential information for later use, and drop privileges + * before doing anything else. + * Let the user know if anything happened. + */ + init_process_policies(); +#if 0 /* disable setresgid(), it fails with -EINVAL https://github.com/google/oss-fuzz/pull/532#issuecomment-294515463 */ + relinquish_special_privs_perm(); +#endif + + /* + * Attempt to get the pathname of the executable file. + */ + configuration_init_error = configuration_init(argv[0], NULL); + if (configuration_init_error != NULL) { + fprintf(stderr, "fuzzshark: Can't get pathname of oss-fuzzshark program: %s.\n", configuration_init_error); + g_free(configuration_init_error); + } + + /* Initialize the version information. */ + ws_init_version_info("OSS Fuzzshark", + epan_gather_compile_info, epan_gather_runtime_info); + + init_report_message("fuzzshark", &fuzzshark_report_routines); + + timestamp_set_type(TS_RELATIVE); + timestamp_set_precision(TS_PREC_AUTO); + timestamp_set_seconds_type(TS_SECONDS_DEFAULT); + + /* + * Libwiretap must be initialized before libwireshark is, so that + * dissection-time handlers for file-type-dependent blocks can + * register using the file type/subtype value for the file type. + */ + wtap_init(TRUE); + + /* Register all dissectors; we must do this before checking for the + "-G" flag, as the "-G" flag dumps information registered by the + dissectors, and we must do it before we read the preferences, in + case any dissectors register preferences. */ + if (!epan_init(NULL, NULL, FALSE)) + { + ret = EPAN_INIT_FAIL; + goto clean_exit; + } + + /* Load libwireshark settings from the current profile. */ + prefs_p = epan_load_settings(); + + if (!color_filters_init(&err_msg, NULL)) + { + fprintf(stderr, "%s\n", err_msg); + g_free(err_msg); + } + + for (i = 0; i < G_N_ELEMENTS(disabled_dissector_list); i++) + { + const char *item = disabled_dissector_list[i]; + + /* XXX, need to think how to disallow chains like: IP -> .... -> IP, + * best would be to disable dissector always, but allow it during initial call. */ + if (fuzz_target == NULL || strcmp(fuzz_target, item)) + { + fprintf(stderr, "oss-fuzzshark: disabling: %s\n", item); + proto_disable_proto_by_name(item); + } + } + + fuzz_prefs_apply(); + + /* Build the column format array */ + build_column_format_array(&fuzz_cinfo, prefs_p->num_cols, TRUE); + +#if defined(FUZZ_DISSECTOR_TABLE) && defined(FUZZ_DISSECTOR_TARGET) +# define FUZZ_EPAN 1 + fprintf(stderr, "oss-fuzzshark: configured for dissector: %s in table: %s\n", fuzz_target, FUZZ_DISSECTOR_TABLE); + fuzz_handle = get_dissector_handle(FUZZ_DISSECTOR_TABLE, fuzz_target); + +#elif defined(FUZZ_DISSECTOR_TARGET) +# define FUZZ_EPAN 2 + fprintf(stderr, "oss-fuzzshark: configured for dissector: %s\n", fuzz_target); + fuzz_handle = get_dissector_handle(NULL, fuzz_target); + +#else +# define FUZZ_EPAN 3 + if (fuzz_table) { + fprintf(stderr, "oss-fuzzshark: requested dissector: %s in table %s\n", fuzz_target, fuzz_table); + } else { + fprintf(stderr, "oss-fuzzshark: requested dissector: %s\n", fuzz_target); + } + fuzz_handle = get_dissector_handle(fuzz_table, fuzz_target); +#endif + +#ifdef FUZZ_EPAN + g_assert(fuzz_handle != NULL && "Requested dissector is not found!"); + register_postdissector(fuzz_handle); +#endif + + fuzz_epan = fuzzshark_epan_new(); + fuzz_edt = epan_dissect_new(fuzz_epan, TRUE, FALSE); + + return 0; +clean_exit: + wtap_cleanup(); + free_progdirs(); + return ret; +} + +#ifdef FUZZ_EPAN +int +LLVMFuzzerTestOneInput(const guint8 *buf, size_t real_len) +{ + static guint32 framenum = 0; + epan_dissect_t *edt = fuzz_edt; + + guint32 len = (guint32) real_len; + + wtap_rec rec; + frame_data fdlocal; + + memset(&rec, 0, sizeof(rec)); + + rec.rec_type = REC_TYPE_PACKET; + rec.rec_header.packet_header.caplen = len; + rec.rec_header.packet_header.len = len; + + /* whdr.pkt_encap = WTAP_ENCAP_ETHERNET; */ + rec.rec_header.packet_header.pkt_encap = G_MAXINT16; + rec.presence_flags = WTAP_HAS_TS | WTAP_HAS_CAP_LEN; /* most common flags... */ + + frame_data_init(&fdlocal, ++framenum, &rec, /* offset */ 0, /* cum_bytes */ 0); + /* frame_data_set_before_dissect() not needed */ + epan_dissect_run(edt, WTAP_FILE_TYPE_SUBTYPE_UNKNOWN, &rec, tvb_new_real_data(buf, len, len), &fdlocal, NULL /* &fuzz_cinfo */); + frame_data_destroy(&fdlocal); + + epan_dissect_reset(edt); + return 0; +} + +#else +# error "Missing fuzz target." +#endif + +int +LLVMFuzzerInitialize(int *argc, char ***argv) +{ + int ret; + + ret = fuzz_init(*argc, *argv); + if (ret != 0) + exit(ret); + + return 0; +} + +/* + * Editor modelines - https://www.wireshark.org/tools/modelines.html + * + * Local variables: + * c-basic-offset: 8 + * tab-width: 8 + * indent-tabs-mode: t + * End: + * + * vi: set shiftwidth=8 tabstop=8 noexpandtab: + * :indentSize=8:tabSize=8:noTabs=false: + */ |