authorPhilippe Antoine <contact@catenacyber.fr>2019-02-05 09:53:48 +0100
committerPhilippe Antoine <contact@catenacyber.fr>2020-07-20 09:20:22 +0200
commitc4510b8ba391f47ef03078605f16013c94c7cfb8 (patch)
tree13a7479573f1d5a5a7d5c43bb91cce1e3985c22b /testprogs/fuzz
parentd4ccd36e82f8a0a0e9c877797c54cf2a656b800f (diff)
Fuzz rpcpap protocol
Diffstat (limited to 'testprogs/fuzz')
-rw-r--r--testprogs/fuzz/CMakeLists.txt23
-rw-r--r--testprogs/fuzz/fuzz_rclient.c56
-rw-r--r--testprogs/fuzz/fuzz_rserver.c56
3 files changed, 135 insertions, 0 deletions
diff --git a/testprogs/fuzz/CMakeLists.txt b/testprogs/fuzz/CMakeLists.txt
index 4a2862f9..67250cca 100644
--- a/testprogs/fuzz/CMakeLists.txt
+++ b/testprogs/fuzz/CMakeLists.txt
@@ -18,3 +18,26 @@ if(NOT "${SANITIZER_FLAGS}" STREQUAL "")
set_target_properties(fuzz_both PROPERTIES
LINK_FLAGS "${SANITIZER_FLAGS}")
endif()
+
+if(ENABLE_REMOTE AND "$ENV{CFLAGS}" MATCHES "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION")
+add_executable(fuzz_rclient onefile.c fuzz_rclient.c)
+target_link_libraries(fuzz_rclient ${ARGN} ${LIBRARY_NAME}_static ${PCAP_LINK_LIBRARIES})
+if(NOT "${SANITIZER_FLAGS}" STREQUAL "")
+ set_target_properties(fuzz_rclient PROPERTIES
+ LINK_FLAGS "${SANITIZER_FLAGS}")
+endif()
+
+add_executable(fuzz_rserver onefile.c fuzz_rserver.c ../../rpcapd/daemon.c)
+check_function_exists(crypt HAVE_CRYPT_IN_SYSTEM_LIBRARIES)
+if(HAVE_CRYPT_IN_SYSTEM_LIBRARIES)
+ set(HAVE_CRYPT TRUE)
+else(HAVE_CRYPT_IN_SYSTEM_LIBRARIES)
+ set(PCAP_LINK_LIBRARIES ${PCAP_LINK_LIBRARIES} crypt)
+endif(HAVE_CRYPT_IN_SYSTEM_LIBRARIES)
+target_link_libraries(fuzz_rserver ${ARGN} ${LIBRARY_NAME}_static ${PCAP_LINK_LIBRARIES})
+
+if(NOT "${SANITIZER_FLAGS}" STREQUAL "")
+ set_target_properties(fuzz_rserver PROPERTIES
+ LINK_FLAGS "${SANITIZER_FLAGS}")
+endif()
+endif(ENABLE_REMOTE AND "$ENV{CFLAGS}" MATCHES "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION")
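Review bot: `set(HAVE_CRYPT TRUE)` on the success branch of `check_function_exists` only defines a CMake variable; unless a generated config header or a compile definition elsewhere in the tree consumes it (not visible in this hunk), daemon.c compiled into fuzz_rserver will not see `HAVE_CRYPT`. Making the effect explicit, `target_compile_definitions(fuzz_rserver PRIVATE HAVE_CRYPT)`, or confirming that the top-level configuration already emits it, closes that gap. The failure branch appends `crypt` to `PCAP_LINK_LIBRARIES` for every target configured afterwards rather than only fuzz_rserver; listing it directly in `target_link_libraries(fuzz_rserver ...)` keeps the change local. As a point of style, `else(HAVE_CRYPT_IN_SYSTEM_LIBRARIES)` and the two `endif(<expr>)` forms repeat their condition while the rest of the hunk uses bare `endif()`.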
diff --git a/testprogs/fuzz/fuzz_rclient.c b/testprogs/fuzz/fuzz_rclient.c
new file mode 100644
index 00000000..b5a6a91a
--- /dev/null
+++ b/testprogs/fuzz/fuzz_rclient.c
@@ -0,0 +1,56 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#include <pcap/pcap.h>
+
+FILE * outfile = NULL;
+struct pcap_rmtauth auth;
+
+void fuzz_openFile(const char * name) {
+ if (outfile != NULL) {
+ fclose(outfile);
+ }
+ outfile = fopen(name, "w");
+ auth.type = RPCAP_RMTAUTH_PWD;
+ auth.username = "user";
+ auth.password = "pass";
+}
+
+void sock_initfuzz(const uint8_t *Data, size_t Size);
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ pcap_t * pkts;
+ char errbuf[PCAP_ERRBUF_SIZE];
+ const u_char *pkt;
+ struct pcap_pkthdr *header;
+ struct pcap_stat stats;
+ int r;
+
+ //initialization
+ if (outfile == NULL) {
+ fuzz_openFile("/dev/null");
+ }
+
+ sock_initfuzz(Data, Size);
+ //initialize structure
+ pkts = pcap_open("rpcap://127.0.0.1/fuzz.pcap", 0, 0, 1000, &auth, errbuf);
+ if (pkts == NULL) {
+ fprintf(outfile, "Couldn't open pcap file %s\n", errbuf);
+ return 0;
+ }
+
+ //loop over packets
+ r = pcap_next_ex(pkts, &header, &pkt);
+ while (r > 0) {
+ fprintf(outfile, "packet length=%d/%d\n",header->caplen, header->len);
+ r = pcap_next_ex(pkts, &header, &pkt);
+ }
+ if (pcap_stats(pkts, &stats) == 0) {
+ fprintf(outfile, "number of packets=%d\n", stats.ps_recv);
+ }
+ //close structure
+ pcap_close(pkts);
+
+ return 0;
+}
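Review bot: `fuzz_openFile` leaves `outfile` NULL when `fopen` fails, and every `fprintf(outfile, ...)` in `LLVMFuzzerTestOneInput` then dereferences a null FILE pointer; the same helper appears unchanged in fuzz_rserver.c in this commit. A fallback after the `fopen` call, `if (outfile == NULL) { outfile = stderr; }`, keeps the harness running without hiding the failure. The `%d` conversions applied to `header->caplen`, `header->len` and `stats.ps_recv` receive unsigned fields, so `%u` is the matching specifier and avoids the -Wformat mismatch. `<fcntl.h>` and `<errno.h>` are included but nothing in the file uses them.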
diff --git a/testprogs/fuzz/fuzz_rserver.c b/testprogs/fuzz/fuzz_rserver.c
new file mode 100644
index 00000000..c79a3736
--- /dev/null
+++ b/testprogs/fuzz/fuzz_rserver.c
@@ -0,0 +1,56 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <stdarg.h>
+
+#include <pcap/pcap.h>
+
+FILE * outfile = NULL;
+
+void fuzz_openFile(const char * name) {
+ if (outfile != NULL) {
+ fclose(outfile);
+ }
+ outfile = fopen(name, "w");
+}
+
+typedef enum {
+ LOGPRIO_DEBUG,
+ LOGPRIO_INFO,
+ LOGPRIO_WARNING,
+ LOGPRIO_ERROR
+} log_priority;
+
+void rpcapd_log(log_priority priority, const char *message, ...)
+{
+ va_list ap;
+
+ va_start(ap, message);
+ fprintf(outfile, "rpcapd[%d]:", priority);
+ vfprintf(outfile, message, ap);
+ putc('\n', outfile);
+ va_end(ap);
+}
+
+void sock_initfuzz(const uint8_t *Data, size_t Size);
+int daemon_serviceloop(int sockctrl, int isactive, char *passiveClients, int nullAuthAllowed, int uses_ssl);
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ int sock;
+
+ //initialization
+ if (outfile == NULL) {
+ fuzz_openFile("/dev/null");
+ }
+
+ sock_initfuzz(Data, Size);
+ sock = socket(AF_INET, SOCK_STREAM, 0);
+ if (sock == INVALID_SOCKET) {
+ abort();
+ }
+ //dummy socket, active, null auth allowed, no ssl
+ daemon_serviceloop(sock, 1, malloc(0), 1, 0);
+
+ return 0;
+}
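Review bot: `daemon_serviceloop(sock, 1, malloc(0), 1, 0)` hands a zero-byte allocation to the `passiveClients` parameter; if the callee treats that argument as a NUL-terminated string, its first read is out of bounds, and the pointer is never freed so each fuzz iteration leaks it. Passing a static empty string instead, `static char passive_clients[] = "";` declared in the function and used in place of `malloc(0)`, removes both issues. `sock` is likewise never closed in this function; unless `daemon_serviceloop` closes its control socket before returning (not visible here), descriptors accumulate across iterations. `socket`, `AF_INET`, `SOCK_STREAM` and `INVALID_SOCKET` are used without a direct include; presumably they arrive through `pcap/pcap.h`, which is worth confirming since `INVALID_SOCKET` is not a POSIX name.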