fuzz: extend fuzzing coverage

ntop · Sep 16, 2023 · 7081400 · 7081400
1 parent 0828dff
commit 7081400
Show file tree

Hide file tree

Showing 9 changed files with 107 additions and 18 deletions.
diff --git a/.gitignore b/.gitignore
@@ -73,6 +73,7 @@
 /fuzz/fuzz_ds_bitmap64
 /fuzz/fuzz_ds_domain_classify
 /fuzz/fuzz_libinjection
+/fuzz/fuzz_binaryfusefilter
 /fuzz/fuzz_tls_certificate
 /fuzz/fuzz_dga
 /fuzz/fuzz_ds_cmsketch

diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
@@ -4,7 +4,7 @@ bin_PROGRAMS += fuzz_alg_bins fuzz_alg_hll fuzz_alg_hw_rsi_outliers_da fuzz_alg_
 #Data structures
 bin_PROGRAMS += fuzz_ds_patricia fuzz_ds_ahocorasick fuzz_ds_libcache fuzz_ds_tree fuzz_ds_ptree fuzz_ds_hash fuzz_ds_cmsketch fuzz_ds_bitmap64 fuzz_ds_domain_classify
 #Third party
-bin_PROGRAMS += fuzz_libinjection
+bin_PROGRAMS += fuzz_libinjection fuzz_binaryfusefilter
 #Internal crypto
 bin_PROGRAMS += fuzz_gcrypt_light
 #Configuration files
@@ -371,6 +371,21 @@ fuzz_libinjection_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
     $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
     $(fuzz_libinjection_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
 
+fuzz_binaryfusefilter_SOURCES = fuzz_binaryfusefilter.cpp fuzz_common_code.c
+fuzz_binaryfusefilter_CXXFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
+fuzz_binaryfusefilter_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
+fuzz_binaryfusefilter_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
+fuzz_binaryfusefilter_LDFLAGS = $(LIBS)
+if HAS_FUZZLDFLAGS
+fuzz_binaryfusefilter_CXXFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_binaryfusefilter_CFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_binaryfusefilter_LDFLAGS += $(LIB_FUZZING_ENGINE)
+endif
+# force usage of CXX for linker
+fuzz_binaryfusefilter_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+    $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
+    $(fuzz_binaryfusefilter_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
+
 fuzz_tls_certificate_SOURCES = fuzz_tls_certificate.c fuzz_common_code.c
 fuzz_tls_certificate_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
 fuzz_tls_certificate_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
@@ -584,6 +599,7 @@ distdir:
 		-o -name 'ipv4_addresses.txt' \
 		-o -name 'bd_param.txt' \
 		-o -name 'splt_param.txt' \
+		-o -name 'random_list.list' \
 		-o -path './dictionary.dict' \
 		-o -path './dictionary_tls_certificate.dict' \
 		-o -path './corpus/fuzz_*.zip' \

diff --git a/fuzz/fuzz_binaryfusefilter.cpp b/fuzz/fuzz_binaryfusefilter.cpp
@@ -0,0 +1,63 @@
+#include "fuzz_common_code.h"
+#include "../src/lib/third_party/include/binaryfusefilter.h"
+#include "fuzzer/FuzzedDataProvider.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  FuzzedDataProvider fuzzed_data(data, size);
+  u_int16_t i, num_iteration;
+  bool rc;
+  u_int64_t *values, value;
+  binary_fuse8_t filter8;
+  binary_fuse16_t filter16;
+
+  /* To allow memory allocation failures */
+  fuzz_set_alloc_callbacks_and_seed(size);
+
+  size = fuzzed_data.ConsumeIntegral<u_int16_t>();
+  values = (u_int64_t *)ndpi_calloc(size, sizeof(u_int64_t));
+  if (!values)
+    return 0;
+  for (i = 0; i < size; i++) {
+    values[i] = fuzzed_data.ConsumeIntegral<u_int64_t>();
+  }
+
+  rc = binary_fuse8_allocate(size, &filter8);
+  if (rc) {
+    rc = binary_fuse8_populate(values, size, &filter8);
+
+    if (rc) {
+      /* "Random" search */
+      num_iteration = fuzzed_data.ConsumeIntegral<u_int8_t>();
+      for (i = 0; i < num_iteration; i++) {
+        value = fuzzed_data.ConsumeIntegral<u_int64_t>();
+        binary_fuse8_contain(value, &filter8);
+      }
+      /* Search of an added entry */
+      if (size > 0)
+        binary_fuse8_contain(values[0], &filter8);
+    }
+    binary_fuse8_free(&filter8);
+  }
+
+  rc = binary_fuse16_allocate(size, &filter16);
+  if (rc) {
+    rc = binary_fuse16_populate(values, size, &filter16);
+
+    if (rc) {
+      /* "Random" search */
+      num_iteration = fuzzed_data.ConsumeIntegral<u_int8_t>();
+      for (i = 0; i < num_iteration; i++) {
+        value = fuzzed_data.ConsumeIntegral<u_int64_t>();
+        binary_fuse16_contain(value, &filter16);
+      }
+      /* Search of an added entry */
+      if (size > 0)
+        binary_fuse16_contain(values[0], &filter16);
+    }
+    binary_fuse16_free(&filter16);
+  }
+
+  ndpi_free(values);
+
+  return 0;
+}
diff --git a/fuzz/fuzz_ds_domain_classify.cpp b/fuzz/fuzz_ds_domain_classify.cpp
@@ -33,6 +33,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     }
   }
 
+  ndpi_domain_classify_add_domains(d, NDPI_PROTOCOL_UNKNOWN, "random_list.list");
+
+  if (fuzzed_data.ConsumeBool())
+    ndpi_domain_classify_finalize(d);
+
   /* "Random" search */
   num_iteration = fuzzed_data.ConsumeIntegral<u_int8_t>();
   for (i = 0; i < num_iteration; i++) {

diff --git a/fuzz/random_list.list b/fuzz/random_list.list
@@ -0,0 +1,6 @@
+#
+# Custom random list
+#
+aa1084bets10.com
+
+q
diff --git a/src/lib/ndpi_domain_classify.c b/src/lib/ndpi_domain_classify.c
@@ -130,6 +130,9 @@ u_int32_t ndpi_domain_classify_add_domains(ndpi_domain_classify *s,
   FILE *fd;
   char *line;
 
+  if(!s || !file_path)
+    return(false);
+
   for(i=0; i<MAX_NUM_NDPI_DOMAIN_CLASSIFICATIONS; i++) {
     if(s->classes[i].class_id == class_id) {
       break;      

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -122,8 +122,6 @@
 #include "nbpf.h"
 #endif
 
-static int _ndpi_debug_callbacks = 0;
-
 /* #define DGA_DEBUG 1 */
 /* #define MATCH_DEBUG 1 */
 
@@ -5307,23 +5305,21 @@ static void ndpi_enabled_callbacks_init(struct ndpi_detection_module_struct *ndp
     if(!NDPI_ISSET(dbm,ndpi_str->callback_buffer[a].ndpi_protocol_id)) continue;
     if(!ndpi_proto_cb_tcp_payload(ndpi_str,a)) continue;
     if(!count_only) {
-      if(_ndpi_debug_callbacks)
-	  NDPI_LOG_DBG2(ndpi_str, "callback_buffer_tcp_payload, adding buffer %u as entry %u\n", a,
-		        ndpi_str->callback_buffer_size_tcp_payload);
-          memcpy(&ndpi_str->callback_buffer_tcp_payload[ndpi_str->callback_buffer_size_tcp_payload],
-	         &ndpi_str->callback_buffer[a], sizeof(struct ndpi_call_function_struct));
+      NDPI_LOG_DBG2(ndpi_str, "callback_buffer_tcp_payload, adding buffer %u as entry %u\n", a,
+		    ndpi_str->callback_buffer_size_tcp_payload);
+      memcpy(&ndpi_str->callback_buffer_tcp_payload[ndpi_str->callback_buffer_size_tcp_payload],
+	     &ndpi_str->callback_buffer[a], sizeof(struct ndpi_call_function_struct));
     }
     ndpi_str->callback_buffer_size_tcp_payload++;
   }
   for(a = 0; a < ndpi_str->callback_buffer_size; a++) {
     if(!NDPI_ISSET(dbm,ndpi_str->callback_buffer[a].ndpi_protocol_id)) continue;
     if(!ndpi_proto_cb_tcp_nopayload(ndpi_str,a)) continue;
     if(!count_only) {
-      if(_ndpi_debug_callbacks)
-	  NDPI_LOG_DBG2( ndpi_str,
-                        "\tcallback_buffer_tcp_no_payload, additional adding buffer %u to no_payload process\n", a);
-	  memcpy(&ndpi_str->callback_buffer_tcp_no_payload[ndpi_str->callback_buffer_size_tcp_no_payload],
-	         &ndpi_str->callback_buffer[a], sizeof(struct ndpi_call_function_struct));
+      NDPI_LOG_DBG2(ndpi_str,
+                    "\tcallback_buffer_tcp_no_payload, additional adding buffer %u to no_payload process\n", a);
+      memcpy(&ndpi_str->callback_buffer_tcp_no_payload[ndpi_str->callback_buffer_size_tcp_no_payload],
+	     &ndpi_str->callback_buffer[a], sizeof(struct ndpi_call_function_struct));
     }
     ndpi_str->callback_buffer_size_tcp_no_payload++;
   }
@@ -5333,8 +5329,7 @@ static void ndpi_enabled_callbacks_init(struct ndpi_detection_module_struct *ndp
     if(!NDPI_ISSET(dbm,ndpi_str->callback_buffer[a].ndpi_protocol_id)) continue;
     if(!ndpi_proto_cb_udp(ndpi_str,a)) continue;
     if(!count_only) {
-      if(_ndpi_debug_callbacks)
-	 NDPI_LOG_DBG2(ndpi_str, "callback_buffer_size_udp: adding buffer : %u\n", a);
+      NDPI_LOG_DBG2(ndpi_str, "callback_buffer_size_udp: adding buffer : %u\n", a);
 
       memcpy(&ndpi_str->callback_buffer_udp[ndpi_str->callback_buffer_size_udp], &ndpi_str->callback_buffer[a],
 	     sizeof(struct ndpi_call_function_struct));
@@ -5347,8 +5342,7 @@ static void ndpi_enabled_callbacks_init(struct ndpi_detection_module_struct *ndp
     if(!NDPI_ISSET(dbm,ndpi_str->callback_buffer[a].ndpi_protocol_id)) continue;
     if(!ndpi_proto_cb_other(ndpi_str,a)) continue;
     if(!count_only) {
-      if(_ndpi_debug_callbacks)
-	NDPI_LOG_DBG2(ndpi_str, "callback_buffer_non_tcp_udp: adding buffer : %u\n", a);
+      NDPI_LOG_DBG2(ndpi_str, "callback_buffer_non_tcp_udp: adding buffer : %u\n", a);
 
       memcpy(&ndpi_str->callback_buffer_non_tcp_udp[ndpi_str->callback_buffer_size_non_tcp_udp],
 	     &ndpi_str->callback_buffer[a], sizeof(struct ndpi_call_function_struct));

diff --git a/src/lib/third_party/include/binaryfusefilter.h b/src/lib/third_party/include/binaryfusefilter.h
@@ -216,7 +216,7 @@ static inline bool binary_fuse8_allocate(uint32_t size,
     filter->SegmentLength = 262144;
   }
   filter->SegmentLengthMask = filter->SegmentLength - 1;
-  double sizeFactor = binary_fuse_calculate_size_factor(arity, size);
+  double sizeFactor = size <= 1 ? 0 : binary_fuse_calculate_size_factor(arity, size);
   uint32_t capacity = size <= 1 ? 0 : (uint32_t)(round((double)size * sizeFactor));
   uint32_t initSegmentCount =
       (capacity + filter->SegmentLength - 1) / filter->SegmentLength -

diff --git a/tests/ossfuzz.sh b/tests/ossfuzz.sh
@@ -60,5 +60,6 @@ cp example/sha1_fingerprints.csv $OUT/
 cp fuzz/ipv4_addresses.txt $OUT/
 cp fuzz/bd_param.txt $OUT/
 cp fuzz/splt_param.txt $OUT/
+cp fuzz/random_list.list $OUT/
 mkdir -p $OUT/lists
 cp lists/*.list $OUT/lists