diff options
author | Peter Wu <peter@lekensteyn.nl> | 2018-10-17 00:47:20 +0200 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2018-10-20 07:00:43 +0000 |
commit | 7e88bb5e5372fc3454735e6ac840390341bf3d20 (patch) | |
tree | 2972097aa9acdf0e1e414ded2ca8b6a00372213a /fuzz | |
parent | eda196951b9b8293bb32cf6b3610ae4d1d5b940e (diff) |
fuzzshark: integrate oss-fuzz targets in CMake
The current fuzzshark target built by CMake is not usable for fuzzing.
Address this by adding a new ENABLE_FUZZER option that enables mandatory
instrumentation and libFuzzer linking options for the fuzzshark binary.
Create more CMake targets for specific fuzzing targets such as
fuzzshark_ip and fuzzshark_ip_proto-udp. These targets are not built by
default, either build individual targets or use the all-fuzzers target.
Now these binaries are not specific to oss-fuzz, so move them to a new
directory (perhaps the corpora can be added here in the future).
oss-fuzz build.sh is simplified and reuses the CMake targets.
When OSS_FUZZ is set, it will force static linking with external
libraries and limit parallel linker jobs (maybe not necessary for
Google's oss-fuzz builders, but my 8G/6c VM ran out of memory).
Change-Id: If3ba8f60ea1f5c3bd2131223050a81f9acbce05d
Reviewed-on: https://code.wireshark.org/review/30228
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'fuzz')
-rw-r--r-- | fuzz/CMakeLists.txt | 142 | ||||
-rw-r--r-- | fuzz/FuzzerInterface.h | 147 | ||||
-rw-r--r-- | fuzz/StandaloneFuzzTargetMain.c | 126 | ||||
-rw-r--r-- | fuzz/fuzzshark.c | 394 |
4 files changed, 809 insertions, 0 deletions
diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt new file mode 100644 index 0000000000..c572f90c52 --- /dev/null +++ b/fuzz/CMakeLists.txt @@ -0,0 +1,142 @@ +# CMakeLists.txt +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# SPDX-License-Identifier: GPL-2.0-or-later +# + +# List of dissectors compiled below, which should be turned off. +# This is done to avoid single fuzzer (like IP) to call UDP protocols, which can go back to IP, and so on.. +# While doing so might find some bugs, but it's likely to be the problem for too big corpus in oss-fuzzer +# (see: https://github.com/google/oss-fuzz/issues/1087). +# + udplite - it's sharing most of code with UDP. +set(FUZZ_DISABLED_DISSECTORS ip udp udplite ospf bgp dhcp json) + +set(FUZZ_DISSECTORS ip) +set(FUZZ_IP_PROTO_DISSECTORS udp ospf) + +set(FUZZ_TCP_PORT_DISSECTORS bgp) +# list(APPEND FUZZ_TCP_PORT_DISSECTORS bzr) # disabled, cause of known problem. +# list(APPEND FUZZ_TCP_PORT_DISSECTORS echo) # disabled, too simple. + +set(FUZZ_UDP_PORT_DISSECTORS dns dhcp) +# list(FUZZ_UDP_PORT_DISSECTORS bfd) # disabled, too simple. + +set(FUZZ_MEDIA_TYPE_DISSECTORS json) + +set(fuzzshark_LIBS + wiretap + ${LIBEPAN_LIBS} +) +if(OSS_FUZZ) + if("$ENV{LIB_FUZZING_ENGINE}" STREQUAL "") + message(FATAL_ERROR "LIB_FUZZING_ENGINE is not set!") + endif() + list(APPEND fuzzshark_LIBS $ENV{LIB_FUZZING_ENGINE}) +endif() +set(fuzzshark_FILES + fuzzshark.c + ${CMAKE_SOURCE_DIR}/version_info.c +) +set(FUZZ_LINK_FLAGS "${WS_LINK_FLAGS}") +if(ENABLE_FUZZER) + set(FUZZ_LINK_FLAGS "${FUZZ_LINK_FLAGS} -fsanitize=fuzzer") +endif() +if(OSS_FUZZ) + # libFuzzingEngine.a is not position independent, so cannot use -pie. + set(FUZZ_LINK_FLAGS "${FUZZ_LINK_FLAGS} -no-pie") +endif() + +# Convert the list of disabled dissectors from a;b;c -> "a", "b", "c" +# for use in fuzzshark.c (macro) +string(REGEX REPLACE "([^;]+)" "\"\\1\"" FUZZ_DISABLED_DISSECTORS_MACRO "${FUZZ_DISABLED_DISSECTORS}") +string(REPLACE ";" ", " FUZZ_DISABLED_DISSECTORS_MACRO "${FUZZ_DISABLED_DISSECTORS_MACRO}") + +# Targets that are build via all-fuzzers: +# - fuzzshark: a non-specific fuzz target, configurable through env vars (requires BUILD_fuzzshark) +# - fuzzshark_<target>: fuzz target for a specific dissector target. +# - fuzzshark_<table>-<target>: fuzz target for a specific dissector via a dissector table. +add_custom_target(all-fuzzers) + +function(fuzzshark_set_common_options fuzzer_name) + add_dependencies(${fuzzer_name} version) + # Sanitizers require a C++ runtime, so use a C++ linker. + set_target_properties(${fuzzer_name} PROPERTIES + FOLDER "Fuzzers" + LINK_FLAGS "${FUZZ_LINK_FLAGS}" + LINKER_LANGUAGE "CXX" + ) + target_link_libraries(${fuzzer_name} ${fuzzshark_LIBS}) + add_dependencies(all-fuzzers ${fuzzer_name}) +endfunction() + +if(BUILD_fuzzshark) + if(NOT (ENABLE_FUZZER OR OSS_FUZZ)) + # libFuzzer includes a main routine that enables fuzzing. If + # support for fuzzing was not enabled, add a small standalone + # target that can be used to test-compile fuzzshark.c. + list(APPEND fuzzshark_FILES StandaloneFuzzTargetMain.c) + endif() + add_executable(fuzzshark ${fuzzshark_FILES}) + fuzzshark_set_common_options(fuzzshark) +endif() + +# Create a new dissector fuzzer target. +# If <dissector_table> is empty, <name> will be called directly. +# If <dissector_table> is non-empty, a dissector with filter name <name> will be +# looked up in dissector table <dissector_table>. +function(generate_fuzzer dissector_table name) + if(NOT (ENABLE_FUZZER OR OSS_FUZZ)) + return() + endif() + + if(dissector_table STREQUAL "") + set(fuzzer_name fuzzshark_${name}) + else() + # "ip.proto" and "udp" -> "ip_proto-udp" + set(fuzzer_name fuzzshark_${dissector_table}-${name}) + string(REPLACE "." "_" fuzzer_name ${fuzzer_name}) + endif() + + add_executable(${fuzzer_name} EXCLUDE_FROM_ALL ${fuzzshark_FILES}) + fuzzshark_set_common_options(${fuzzer_name}) + target_compile_definitions(${fuzzer_name} PRIVATE + FUZZ_DISSECTOR_LIST=${FUZZ_DISABLED_DISSECTORS_MACRO} + FUZZ_DISSECTOR_TABLE="${dissector_table}" + FUZZ_DISSECTOR_TARGET="${name}" + ) +endfunction() + +# Add fuzzer targets for every dissector in list FUZZ_<table-var>_DISSECTORS, +# where <table-var> changes a <table> such as "ip.proto" into "IP_PROTO". +function(add_table_fuzzers table) + string(REPLACE "." "_" table_var ${table}) + string(TOUPPER "${table_var}" table_var) + foreach(dissector IN LISTS FUZZ_${table_var}_DISSECTORS) + generate_fuzzer(${table} ${dissector}) + endforeach() +endfunction() + +foreach(dissector IN LISTS FUZZ_DISSECTORS) + generate_fuzzer("" ${dissector}) +endforeach() + +add_table_fuzzers("ip.proto") +add_table_fuzzers("tcp.port") +add_table_fuzzers("udp.port") +add_table_fuzzers("media_type") + +# +# Editor modelines - http://www.wireshark.org/tools/modelines.html +# +# Local variables: +# c-basic-offset: 8 +# tab-width: 8 +# indent-tabs-mode: t +# End: +# +# vi: set shiftwidth=8 tabstop=8 noexpandtab: +# :indentSize=8:tabSize=8:noTabs=false: +# diff --git a/fuzz/FuzzerInterface.h b/fuzz/FuzzerInterface.h new file mode 100644 index 0000000000..2208675e33 --- /dev/null +++ b/fuzz/FuzzerInterface.h @@ -0,0 +1,147 @@ +/* based on http://llvm.org/svn/llvm-project/compiler-rt/trunk/lib/fuzzer/FuzzerInterface.h r321218 (20 Dec 2017) */ + +/* http://llvm.org/svn/llvm-project/compiler-rt/trunk/LICENSE.TXT follows */ + +/* +============================================================================== +compiler_rt License +============================================================================== + +The compiler_rt library is dual licensed under both the University of Illinois +"BSD-Like" license and the MIT license. As a user of this code you may choose +to use it under either license. As a contributor, you agree to allow your code +to be used under both. + +Full text of the relevant licenses is included below. + +============================================================================== + +University of Illinois/NCSA +Open Source License + +Copyright (c) 2009-2016 by the contributors listed in CREDITS.TXT + +All rights reserved. + +Developed by: + + LLVM Team + + University of Illinois at Urbana-Champaign + + http://llvm.org + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal with +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies +of the Software, and to permit persons to whom the Software is furnished to do +so, subject to the following conditions: + + * Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimers. + + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimers in the + documentation and/or other materials provided with the distribution. + + * Neither the names of the LLVM Team, University of Illinois at + Urbana-Champaign, nor the names of its contributors may be used to + endorse or promote products derived from this Software without specific + prior written permission. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE +SOFTWARE. + +============================================================================== + +Copyright (c) 2009-2015 by the contributors listed in CREDITS.TXT + +SPDX-License-Identifier: MIT + +============================================================================== +Copyrights and Licenses for Third Party Software Distributed with LLVM: +============================================================================== +The LLVM software contains code written by third parties. Such software will +have its own individual LICENSE.TXT file in the directory in which it appears. +This file will describe the copyrights, license, and restrictions which apply +to that code. + +The disclaimer of warranty in the University of Illinois Open Source License +applies to all code in the LLVM Distribution, and nothing in any of the +other licenses gives permission to use the names of the LLVM Team or the +University of Illinois to endorse or promote products derived from this +Software. +*/ +//===- FuzzerInterface.h - Interface header for the Fuzzer ------*- C++ -* ===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// +// Define the interface between libFuzzer and the library being tested. +//===----------------------------------------------------------------------===// + +// NOTE: the libFuzzer interface is thin and in the majority of cases +// you should not include this file into your target. In 95% of cases +// all you need is to define the following function in your file: +// extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); + +// WARNING: keep the interface in C. + +#ifndef LLVM_FUZZER_INTERFACE_H +#define LLVM_FUZZER_INTERFACE_H + +#include <stddef.h> +#include <stdint.h> + +#ifdef __cplusplus +extern "C" { +#endif // __cplusplus + +// Mandatory user-provided target function. +// Executes the code under test with [Data, Data+Size) as the input. +// libFuzzer will invoke this function *many* times with different inputs. +// Must return 0. +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); + +// Optional user-provided initialization function. +// If provided, this function will be called by libFuzzer once at startup. +// It may read and modify argc/argv. +// Must return 0. +int LLVMFuzzerInitialize(int *argc, char ***argv); + +// Optional user-provided custom mutator. +// Mutates raw data in [Data, Data+Size) inplace. +// Returns the new size, which is not greater than MaxSize. +// Given the same Seed produces the same mutation. +size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize, + unsigned int Seed); + +// Optional user-provided custom cross-over function. +// Combines pieces of Data1 & Data2 together into Out. +// Returns the new size, which is not greater than MaxOutSize. +// Should produce the same mutation given the same Seed. +size_t LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1, + const uint8_t *Data2, size_t Size2, + uint8_t *Out, size_t MaxOutSize, + unsigned int Seed); + +// Experimental, may go away in future. +// libFuzzer-provided function to be used inside LLVMFuzzerCustomMutator. +// Mutates raw data in [Data, Data+Size) inplace. +// Returns the new size, which is not greater than MaxSize. +size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize); + +#ifdef __cplusplus +} // extern "C" +#endif // __cplusplus + +#endif // LLVM_FUZZER_INTERFACE_H diff --git a/fuzz/StandaloneFuzzTargetMain.c b/fuzz/StandaloneFuzzTargetMain.c new file mode 100644 index 0000000000..cf29561cf5 --- /dev/null +++ b/fuzz/StandaloneFuzzTargetMain.c @@ -0,0 +1,126 @@ +/* based on http://llvm.org/svn/llvm-project/compiler-rt/trunk/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c r311407 (22 Aug 2017) */ + +/* http://llvm.org/svn/llvm-project/compiler-rt/trunk/LICENSE.TXT follows */ + +/* +============================================================================== +compiler_rt License +============================================================================== + +The compiler_rt library is dual licensed under both the University of Illinois +"BSD-Like" license and the MIT license. As a user of this code you may choose +to use it under either license. As a contributor, you agree to allow your code +to be used under both. + +Full text of the relevant licenses is included below. + +============================================================================== + +University of Illinois/NCSA +Open Source License + +Copyright (c) 2009-2016 by the contributors listed in CREDITS.TXT + +All rights reserved. + +Developed by: + + LLVM Team + + University of Illinois at Urbana-Champaign + + http://llvm.org + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal with +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies +of the Software, and to permit persons to whom the Software is furnished to do +so, subject to the following conditions: + + * Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimers. + + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimers in the + documentation and/or other materials provided with the distribution. + + * Neither the names of the LLVM Team, University of Illinois at + Urbana-Champaign, nor the names of its contributors may be used to + endorse or promote products derived from this Software without specific + prior written permission. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE +SOFTWARE. + +============================================================================== + +Copyright (c) 2009-2015 by the contributors listed in CREDITS.TXT + +SPDX-License-Identifier: MIT + +============================================================================== +Copyrights and Licenses for Third Party Software Distributed with LLVM: +============================================================================== +The LLVM software contains code written by third parties. Such software will +have its own individual LICENSE.TXT file in the directory in which it appears. +This file will describe the copyrights, license, and restrictions which apply +to that code. + +The disclaimer of warranty in the University of Illinois Open Source License +applies to all code in the LLVM Distribution, and nothing in any of the +other licenses gives permission to use the names of the LLVM Team or the +University of Illinois to endorse or promote products derived from this +Software. +*/ + +/*===- StandaloneFuzzTargetMain.c - standalone main() for fuzz targets. ---===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// +// This main() function can be linked to a fuzz target (i.e. a library +// that exports LLVMFuzzerTestOneInput() and possibly LLVMFuzzerInitialize()) +// instead of libFuzzer. This main() function will not perform any fuzzing +// but will simply feed all input files one by one to the fuzz target. +// +// Use this file to provide reproducers for bugs when linking against libFuzzer +// or other fuzzing engine is undesirable. +//===----------------------------------------------------------------------===*/ +#include <assert.h> +#include <stdio.h> +#include <stdlib.h> + +#include <glib.h> +#include <wsutil/file_util.h> + +#include "FuzzerInterface.h" + +int main(int argc, char **argv) { + fprintf(stderr, "StandaloneFuzzTargetMain: running %d inputs\n", argc - 1); + LLVMFuzzerInitialize(&argc, &argv); + for (int i = 1; i < argc; i++) { + fprintf(stderr, "Running: %s\n", argv[i]); + FILE *f = ws_fopen(argv[i], "r"); + assert(f); + fseek(f, 0, SEEK_END); + long len = ftell(f); + assert(len >= 0); + fseek(f, 0, SEEK_SET); + unsigned char *buf = (unsigned char*)g_malloc((size_t)len); + size_t n_read = fread(buf, 1, len, f); + assert(n_read == (size_t)len); + fclose(f); + LLVMFuzzerTestOneInput(buf, len); + g_free(buf); + fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read); + } +} diff --git a/fuzz/fuzzshark.c b/fuzz/fuzzshark.c new file mode 100644 index 0000000000..e31d8219a5 --- /dev/null +++ b/fuzz/fuzzshark.c @@ -0,0 +1,394 @@ +/* oss-fuzzshark.c + * + * Fuzzer variant of Wireshark for oss-fuzz + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include <config.h> + +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <limits.h> + +#include <glib.h> + +#include <epan/epan.h> + +#include <wsutil/cmdarg_err.h> +#include <wsutil/crash_info.h> +#include <wsutil/filesystem.h> +#include <wsutil/privileges.h> +#include <wsutil/report_message.h> +#include <version_info.h> + +#include <wiretap/wtap.h> + +#include <epan/color_filters.h> +#include <epan/timestamp.h> +#include <epan/prefs.h> +#include <epan/column.h> +#include <epan/print.h> +#include <epan/epan_dissect.h> +#include <epan/disabled_protos.h> + +#ifdef HAVE_PLUGINS +#include <wsutil/plugins.h> +#endif + +#include "FuzzerInterface.h" + +#define EPAN_INIT_FAIL 2 + +static column_info fuzz_cinfo; +static epan_t *fuzz_epan; +static epan_dissect_t *fuzz_edt; + +/* + * General errors and warnings are reported with an console message + * in oss-fuzzshark. + */ +static void +failure_warning_message(const char *msg_format, va_list ap) +{ + fprintf(stderr, "oss-fuzzshark: "); + vfprintf(stderr, msg_format, ap); + fprintf(stderr, "\n"); +} + +/* + * Open/create errors are reported with an console message in oss-fuzzshark. + */ +static void +open_failure_message(const char *filename, int err, gboolean for_writing) +{ + fprintf(stderr, "oss-fuzzshark: "); + fprintf(stderr, file_open_error_message(err, for_writing), filename); + fprintf(stderr, "\n"); +} + +/* + * Read errors are reported with an console message in oss-fuzzshark. + */ +static void +read_failure_message(const char *filename, int err) +{ + cmdarg_err("An error occurred while reading from the file \"%s\": %s.", filename, g_strerror(err)); +} + +/* + * Write errors are reported with an console message in oss-fuzzshark. + */ +static void +write_failure_message(const char *filename, int err) +{ + cmdarg_err("An error occurred while writing to the file \"%s\": %s.", filename, g_strerror(err)); +} + +/* + * Report additional information for an error in command-line arguments. + */ +static void +failure_message_cont(const char *msg_format, va_list ap) +{ + vfprintf(stderr, msg_format, ap); + fprintf(stderr, "\n"); +} + +static int +fuzzshark_pref_set(const char *name, const char *value) +{ + char pref[4096]; + char *errmsg = NULL; + + prefs_set_pref_e ret; + + g_snprintf(pref, sizeof(pref), "%s:%s", name, value); + + ret = prefs_set_pref(pref, &errmsg); + g_free(errmsg); + + return (ret == PREFS_SET_OK); +} + +static const nstime_t * +fuzzshark_get_frame_ts(struct packet_provider_data *prov _U_, guint32 frame_num _U_) +{ + static nstime_t empty; + + return ∅ +} + +static epan_t * +fuzzshark_epan_new(void) +{ + static const struct packet_provider_funcs funcs = { + fuzzshark_get_frame_ts, + NULL, + NULL, + NULL + }; + + return epan_new(NULL, &funcs); +} + +static dissector_handle_t +get_dissector_handle(const char *table, const char *target) +{ + dissector_handle_t fuzz_handle = NULL; + + if (table != NULL && target != NULL) + { + /* search for handle, cannot use dissector_table_get_dissector_handle() cause it's using short-name, and I already used filter name in samples ;/ */ + GSList *handle_list = dissector_table_get_dissector_handles(find_dissector_table(table)); + while (handle_list) + { + dissector_handle_t handle = (dissector_handle_t) handle_list->data; + const char *handle_filter_name = proto_get_protocol_filter_name(dissector_handle_get_protocol_index(handle)); + + if (!strcmp(handle_filter_name, target)) + fuzz_handle = handle; + handle_list = handle_list->next; + } + } + else if (target != NULL) + { + fuzz_handle = find_dissector(target); + } + + return fuzz_handle; +} + +static void +fuzz_prefs_apply(void) +{ + /* Turn off fragmentation for some protocols */ + fuzzshark_pref_set("ip.defragment", "FALSE"); + fuzzshark_pref_set("ipv6.defragment", "FALSE"); + fuzzshark_pref_set("wlan.defragment", "FALSE"); + fuzzshark_pref_set("tcp.desegment_tcp_streams", "FALSE"); + + /* Notify all registered modules that have had any of their preferences changed. */ + prefs_apply_all(); +} + +static int +fuzz_init(int argc _U_, char **argv) +{ + GString *comp_info_str; + GString *runtime_info_str; + char *init_progfile_dir_error; + + char *err_msg = NULL; + e_prefs *prefs_p; + int ret = EXIT_SUCCESS; + size_t i; + + const char *fuzz_target = +#if defined(FUZZ_DISSECTOR_TARGET) + FUZZ_DISSECTOR_TARGET; +#else + getenv("FUZZSHARK_TARGET"); +#endif + + const char *disabled_dissector_list[] = + { +#ifdef FUZZ_DISSECTOR_LIST + FUZZ_DISSECTOR_LIST , +#endif + "snort" + }; + + dissector_handle_t fuzz_handle = NULL; + + /* In oss-fuzz running environment g_get_home_dir() fails: + * (process:1): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (0) + * (process:1): GLib-CRITICAL **: g_once_init_leave: assertion 'result != 0' failed + * + * Avoid GLib-CRITICAL by setting some XDG environment variables. + */ + g_setenv("XDG_CACHE_HOME", "/not/existing/directory", 0); /* g_get_user_cache_dir() */ + g_setenv("XDG_CONFIG_HOME", "/not/existing/directory", 0); /* g_get_user_config_dir() */ + g_setenv("XDG_DATA_HOME", "/not/existing/directory", 0); /* g_get_user_data_dir() */ + + g_setenv("WIRESHARK_DEBUG_WMEM_OVERRIDE", "simple", 0); + g_setenv("G_SLICE", "always-malloc", 0); + + cmdarg_err_init(failure_warning_message, failure_message_cont); + + /* + * Get credential information for later use, and drop privileges + * before doing anything else. + * Let the user know if anything happened. + */ + init_process_policies(); +#if 0 /* disable setresgid(), it fails with -EINVAL https://github.com/google/oss-fuzz/pull/532#issuecomment-294515463 */ + relinquish_special_privs_perm(); +#endif + + /* + * Attempt to get the pathname of the executable file. + */ + init_progfile_dir_error = init_progfile_dir(argv[0]); + if (init_progfile_dir_error != NULL) + fprintf(stderr, "fuzzshark: Can't get pathname of oss-fuzzshark program: %s.\n", init_progfile_dir_error); + + /* Get the compile-time version information string */ + comp_info_str = get_compiled_version_info(NULL, epan_get_compiled_version_info); + + /* Get the run-time version information string */ + runtime_info_str = get_runtime_version_info(epan_get_runtime_version_info); + + /* Add it to the information to be reported on a crash. */ + ws_add_crash_info("OSS Fuzzshark (Wireshark) %s\n" + "\n" + "%s" + "\n" + "%s", + get_ws_vcs_version_info(), + comp_info_str->str, + runtime_info_str->str); + g_string_free(comp_info_str, TRUE); + g_string_free(runtime_info_str, TRUE); + + init_report_message(failure_warning_message, failure_warning_message, + open_failure_message, read_failure_message, write_failure_message); + + timestamp_set_type(TS_RELATIVE); + timestamp_set_precision(TS_PREC_AUTO); + timestamp_set_seconds_type(TS_SECONDS_DEFAULT); + + wtap_init(TRUE); + + /* Register all dissectors; we must do this before checking for the + "-G" flag, as the "-G" flag dumps information registered by the + dissectors, and we must do it before we read the preferences, in + case any dissectors register preferences. */ + if (!epan_init(NULL, NULL, FALSE)) + { + ret = EPAN_INIT_FAIL; + goto clean_exit; + } + + /* Load libwireshark settings from the current profile. */ + prefs_p = epan_load_settings(); + + if (!color_filters_init(&err_msg, NULL)) + { + fprintf(stderr, "%s\n", err_msg); + g_free(err_msg); + } + + for (i = 0; i < G_N_ELEMENTS(disabled_dissector_list); i++) + { + const char *item = disabled_dissector_list[i]; + + /* XXX, need to think how to disallow chains like: IP -> .... -> IP, + * best would be to disable dissector always, but allow it during initial call. */ + if (fuzz_target == NULL || strcmp(fuzz_target, item)) + { + fprintf(stderr, "oss-fuzzshark: disabling: %s\n", item); + proto_disable_proto_by_name(item); + } + } + + fuzz_prefs_apply(); + + /* Build the column format array */ + build_column_format_array(&fuzz_cinfo, prefs_p->num_cols, TRUE); + +#if defined(FUZZ_DISSECTOR_TABLE) && defined(FUZZ_DISSECTOR_TARGET) +# define FUZZ_EPAN 1 + fprintf(stderr, "oss-fuzzshark: configured for dissector: %s in table: %s\n", fuzz_target, FUZZ_DISSECTOR_TABLE); + fuzz_handle = get_dissector_handle(FUZZ_DISSECTOR_TABLE, fuzz_target); + +#elif defined(FUZZ_DISSECTOR_TARGET) +# define FUZZ_EPAN 2 + fprintf(stderr, "oss-fuzzshark: configured for dissector: %s\n", fuzz_target); + fuzz_handle = get_dissector_handle(NULL, fuzz_target); + +#else +# define FUZZ_EPAN 3 + fprintf(stderr, "oss-fuzzshark: env for dissector: %s\n", fuzz_target); + fuzz_handle = get_dissector_handle(getenv("FUZZSHARK_TABLE"), fuzz_target); +#endif + +#ifdef FUZZ_EPAN + g_assert(fuzz_handle != NULL); + register_postdissector(fuzz_handle); +#endif + + fuzz_epan = fuzzshark_epan_new(); + fuzz_edt = epan_dissect_new(fuzz_epan, TRUE, FALSE); + + return 0; +clean_exit: + wtap_cleanup(); + free_progdirs(); + return ret; +} + +#ifdef FUZZ_EPAN +int +LLVMFuzzerTestOneInput(const guint8 *buf, size_t real_len) +{ + static guint32 framenum = 0; + epan_dissect_t *edt = fuzz_edt; + + guint32 len = (guint32) real_len; + + wtap_rec rec; + frame_data fdlocal; + + memset(&rec, 0, sizeof(rec)); + + rec.rec_type = REC_TYPE_PACKET; + rec.rec_header.packet_header.caplen = len; + rec.rec_header.packet_header.len = len; + + /* whdr.pkt_encap = WTAP_ENCAP_ETHERNET; */ + rec.rec_header.packet_header.pkt_encap = G_MAXINT16; + rec.presence_flags = WTAP_HAS_TS | WTAP_HAS_CAP_LEN; /* most common flags... */ + + frame_data_init(&fdlocal, ++framenum, &rec, /* offset */ 0, /* cum_bytes */ 0); + /* frame_data_set_before_dissect() not needed */ + epan_dissect_run(edt, WTAP_FILE_TYPE_SUBTYPE_UNKNOWN, &rec, tvb_new_real_data(buf, len, len), &fdlocal, NULL /* &fuzz_cinfo */); + frame_data_destroy(&fdlocal); + + epan_dissect_reset(edt); + return 0; +} + +#else +# error "Missing fuzz target." +#endif + +int +LLVMFuzzerInitialize(int *argc, char ***argv) +{ + int ret; + + ret = fuzz_init(*argc, *argv); + if (ret != 0) + exit(ret); + + return 0; +} + +/* + * Editor modelines - http://www.wireshark.org/tools/modelines.html + * + * Local variables: + * c-basic-offset: 8 + * tab-width: 8 + * indent-tabs-mode: t + * End: + * + * vi: set shiftwidth=8 tabstop=8 noexpandtab: + * :indentSize=8:tabSize=8:noTabs=false: + */ |