suricata.8.0.0/fuzz__applayerparserparse_8c_source.html

/**

 * @file

 * @author Philippe Antoine <contact@catenacyber.fr>

 * fuzz target for AppLayerParserParse

 */


#include "suricata-common.h"

#include "suricata.h"

#include "app-layer-detect-proto.h"

#include "flow-util.h"

#include "app-layer-parser.h"

#include "util-unittest-helper.h"

#include "util-byte.h"

#include "conf-yaml-loader.h"

#include "util-conf.h"

#include "rust.h"


#define HEADER_LEN 6


int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);

int LLVMFuzzerInitialize(int *argc, char ***argv);


AppLayerParserThreadCtx *alp_tctx = NULL;


extern const char *configNoChecksum;


/* input buffer is structured this way :

 * 6 bytes header,

 * then sequence of buffers separated by magic bytes 01 D5 CA 7A */


/* The 6 bytes header is

 * alproto

 * proto

 * source port (uint16_t)

 * destination port (uint16_t) */


const uint8_t separator[] = {0x01, 0xD5, 0xCA, 0x7A};

SCInstance surifuzz;

AppProto forceLayer = 0;

char *target_suffix = NULL;

SC_ATOMIC_EXTERN(unsigned int, engine_stage);


int LLVMFuzzerInitialize(int *argc, char ***argv)

{

    target_suffix = strrchr((*argv)[0], '_');

    // else

    if (!target_suffix) {

        target_suffix = getenv("FUZZ_APPLAYER");

    }

    return 0;

}


int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)

{

    Flow * f;

    TcpSession ssn;

    const uint8_t * albuffer;

    uint8_t * alnext;

    size_t alsize;

    // used to find under and overflows

    // otherwise overflows do not fail as they read the next packet

    uint8_t * isolatedBuffer;


    if (alp_tctx == NULL) {

        //Redirects logs to /dev/null

        setenv("SC_LOG_OP_IFACE", "file", 0);

        setenv("SC_LOG_FILE", "/dev/null", 0);


        InitGlobal();

        SCRunmodeSet(RUNMODE_PCAP_FILE);

        GlobalsInitPreConfig();


        //redirect logs to /tmp

        ConfigSetLogDirectory("/tmp/");

        // disables checksums validation for fuzzing

        if (SCConfYamlLoadString(configNoChecksum, strlen(configNoChecksum)) != 0) {

            abort();

        }


        PostConfLoadedSetup(&surifuzz);

        alp_tctx = AppLayerParserThreadCtxAlloc();

        SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);

        if (target_suffix != NULL) {

            AppProto applayer = StringToAppProto(target_suffix + 1);

            if (applayer != ALPROTO_UNKNOWN) {

                forceLayer = applayer;

                printf("Forcing %s=%" PRIu16 "\n", AppProtoToString(forceLayer), forceLayer);

            }

        }

        // http is the output name, but we want to fuzz HTTP1

        if (forceLayer == ALPROTO_HTTP) {

            forceLayer = ALPROTO_HTTP1;

        }

    }


    if (size < HEADER_LEN) {

        return 0;

    }


    if (data[0] >= g_alproto_max) {

        return 0;

    }

    //no UTHBuildFlow to have storage

    f = FlowAlloc();

    if (f == NULL) {

        return 0;

    }

    f->flags |= FLOW_IPV4 | FLOW_SGH_TOCLIENT | FLOW_SGH_TOSERVER;

    f->src.addr_data32[0] = 0x01020304;

    f->dst.addr_data32[0] = 0x05060708;

    f->sp = (uint16_t)((data[2] << 8) | data[3]);

    f->dp = (uint16_t)((data[4] << 8) | data[5]);

    f->proto = data[1];

    memset(&ssn, 0, sizeof(TcpSession));

    f->protoctx = &ssn;

    f->protomap = FlowGetProtoMapping(f->proto);

    if (forceLayer > 0) {

        f->alproto = forceLayer;

    } else {

        f->alproto = data[0];

    }


    FLOWLOCK_WRLOCK(f);

    /*

     * We want to fuzz multiple calls to AppLayerParserParse

     * because some parts of the code are only reached after

     * multiple packets (in SMTP for example).

     * So we treat our input as a list of buffers with magic separator.

     */

    albuffer = data + HEADER_LEN;

    alsize = size - HEADER_LEN;

    uint8_t flags = STREAM_START;

    int flip = 0;

    alnext = memmem(albuffer, alsize, separator, 4);

    while (alnext) {

        if (flip) {

            flags |= STREAM_TOCLIENT;

            flags &= ~(STREAM_TOSERVER);

            flip = 0;

        } else {

            flags |= STREAM_TOSERVER;

            flags &= ~(STREAM_TOCLIENT);

            flip = 1;

        }


        if (alnext != albuffer) {

            // only if we have some data

            isolatedBuffer = malloc(alnext - albuffer);

            if (isolatedBuffer == NULL) {

                goto bail;

            }

            memcpy(isolatedBuffer, albuffer, alnext - albuffer);

            (void)AppLayerParserParse(NULL, alp_tctx, f, f->alproto, flags, isolatedBuffer,

                    (uint32_t)(alnext - albuffer));

            free(isolatedBuffer);

            if (FlowChangeProto(f)) {

                // exits if a protocol change is requested

                alsize = 0;

                break;

            }

            flags &= ~(STREAM_START);

            if (f->alparser &&

                    (((flags & STREAM_TOSERVER) != 0 && SCAppLayerParserStateIssetFlag(f->alparser,

                                                                APP_LAYER_PARSER_EOF_TS)) ||

                            ((flags & STREAM_TOCLIENT) != 0 &&

                                    SCAppLayerParserStateIssetFlag(

                                            f->alparser, APP_LAYER_PARSER_EOF_TC)))) {

                //no final chunk

                alsize = 0;

                break;

            }


            AppLayerParserTransactionsCleanup(f, flags & (STREAM_TOSERVER | STREAM_TOCLIENT));

        }

        alsize -= alnext - albuffer + 4;

        albuffer = alnext + 4;

        if (alsize == 0) {

            break;

        }

        alnext = memmem(albuffer, alsize, separator, 4);

    }

    if (alsize > 0 ) {

        if (flip) {

            flags |= STREAM_TOCLIENT;

            flags &= ~(STREAM_TOSERVER);

            flip = 0;

        } else {

            flags |= STREAM_TOSERVER;

            flags &= ~(STREAM_TOCLIENT);

            flip = 1;

        }

        flags |= STREAM_EOF;

        isolatedBuffer = malloc(alsize);

        if (isolatedBuffer == NULL) {

            goto bail;

        }

        memcpy(isolatedBuffer, albuffer, alsize);

        (void)AppLayerParserParse(

                NULL, alp_tctx, f, f->alproto, flags, isolatedBuffer, (uint32_t)alsize);

        free(isolatedBuffer);

    }


bail:

    FLOWLOCK_UNLOCK(f);

    FlowFree(f);


    return 0;

}


app-layer-detect-proto.h

SCAppLayerParserStateIssetFlag
uint16_t SCAppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint16_t flag)
Definition app-layer-parser.c:1829

AppLayerParserTransactionsCleanup
void AppLayerParserTransactionsCleanup(Flow *f, const uint8_t pkt_dir)
remove obsolete (inspected and logged) transactions
Definition app-layer-parser.c:903

AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition app-layer-parser.c:297

AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition app-layer-parser.c:1291

app-layer-parser.h

APP_LAYER_PARSER_EOF_TC
#define APP_LAYER_PARSER_EOF_TC
Definition app-layer-parser.h:54

APP_LAYER_PARSER_EOF_TS
#define APP_LAYER_PARSER_EOF_TS
Definition app-layer-parser.h:53

g_alproto_max
AppProto g_alproto_max
Definition app-layer-protos.c:29

AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition app-layer-protos.c:40

StringToAppProto
AppProto StringToAppProto(const char *proto_name)
Maps a string to its ALPROTO_* equivalent.
Definition app-layer-protos.c:60

AppProto
uint16_t AppProto
Definition app-layer-protos.h:86

ALPROTO_HTTP
@ ALPROTO_HTTP
Definition app-layer-protos.h:76

ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition app-layer-protos.h:29

ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition app-layer-protos.h:36

SCConfYamlLoadString
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition conf-yaml-loader.c:523

conf-yaml-loader.h

flags
uint8_t flags
Definition decode-gre.h:0

FlowAlloc
Flow * FlowAlloc(void)
allocate a flow
Definition flow-util.c:56

FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition flow-util.c:99

FlowFree
void FlowFree(Flow *f)
cleanup & free the memory of a flow
Definition flow-util.c:84

flow-util.h

FlowChangeProto
int FlowChangeProto(Flow *f)
Check if change proto flag is set for flow.
Definition flow.c:196

FLOW_SGH_TOCLIENT
#define FLOW_SGH_TOCLIENT
Definition flow.h:75

FLOW_SGH_TOSERVER
#define FLOW_SGH_TOSERVER
Definition flow.h:73

FLOW_IPV4
#define FLOW_IPV4
Definition flow.h:100

FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition flow.h:273

FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition flow.h:270

forceLayer
AppProto forceLayer
Definition fuzz_applayerparserparse.c:39

target_suffix
char * target_suffix
Definition fuzz_applayerparserparse.c:40

separator
const uint8_t separator[]
Definition fuzz_applayerparserparse.c:37

LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition fuzz_applayerparserparse.c:53

LLVMFuzzerInitialize
int LLVMFuzzerInitialize(int *argc, char ***argv)
Definition fuzz_applayerparserparse.c:43

alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition fuzz_applayerparserparse.c:23

configNoChecksum
const char * configNoChecksum
Definition confyaml.c:1

HEADER_LEN
#define HEADER_LEN
Definition fuzz_applayerparserparse.c:18

surifuzz
SCInstance surifuzz
Definition fuzz_applayerparserparse.c:38

RUNMODE_PCAP_FILE
@ RUNMODE_PCAP_FILE
Definition runmodes.h:30

rust.h

AppLayerParserThreadCtx_
Definition app-layer-parser.c:60

Flow_
Flow data structure.
Definition flow.h:356

Flow_::dp
Port dp
Definition flow.h:372

Flow_::proto
uint8_t proto
Definition flow.h:378

Flow_::flags
uint32_t flags
Definition flow.h:421

Flow_::alproto
AppProto alproto
application level protocol
Definition flow.h:450

Flow_::protoctx
void * protoctx
Definition flow.h:441

Flow_::alparser
AppLayerParserState * alparser
Definition flow.h:478

Flow_::protomap
uint8_t protomap
Definition flow.h:445

Flow_::src
FlowAddress src
Definition flow.h:359

Flow_::sp
Port sp
Definition flow.h:361

Flow_::dst
FlowAddress dst
Definition flow.h:359

SCInstance_
Definition suricata.h:133

TcpSession_
Definition stream-tcp-private.h:283

suricata-common.h

InitGlobal
int InitGlobal(void)
Global initialization common to all runmodes.
Definition suricata.c:2965

SCRunmodeSet
void SCRunmodeSet(SCRunMode run_mode)
Set the current run mode.
Definition suricata.c:284

GlobalsInitPreConfig
void GlobalsInitPreConfig(void)
Definition suricata.c:382

PostConfLoadedSetup
int PostConfLoadedSetup(SCInstance *suri)
Definition suricata.c:2716

suricata.h

SURICATA_RUNTIME
@ SURICATA_RUNTIME
Definition suricata.h:101

SC_ATOMIC_EXTERN
#define SC_ATOMIC_EXTERN(type, name)
wrapper for referencing an atomic variable declared on another file.
Definition util-atomic.h:296

SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition util-atomic.h:386

util-byte.h

ConfigSetLogDirectory
TmEcode ConfigSetLogDirectory(const char *name)
Definition util-conf.c:33

util-conf.h

util-unittest-helper.h

setenv
void setenv(const char *name, const char *value, int overwrite)