suricata
fuzz_predefpcap_aware.c
Go to the documentation of this file.
1/**
2 * @file
3 * @author Philippe Antoine <contact@catenacyber.fr>
4 * fuzz target for predefined signatures and pcap (aware)
5 */
6
7#include "suricata-common.h"
8#include "source-pcap-file.h"
9#include "detect-engine.h"
10#include "util-classification-config.h"
11#include "util-reference-config.h"
12#include "app-layer.h"
13#include "tm-queuehandlers.h"
14#include "util-cidr.h"
15#include "util-profiling.h"
16#include "util-proto-name.h"
17#include "detect-engine-tag.h"
18#include "detect-engine-threshold.h"
19#include "host-bit.h"
20#include "ippair-bit.h"
21#include "app-layer-htp.h"
22#include "detect-fast-pattern.h"
23#include "util-unittest-helper.h"
24#include "conf-yaml-loader.h"
25#include "pkt-var.h"
26#include "flow-util.h"
27#include "tm-modules.h"
28#include "tmqh-packetpool.h"
29#include "util-conf.h"
30#include "packet.h"
31
32#include <fuzz_pcap.h>
33
34int LLVMFuzzerInitialize(const int *argc, char ***argv);
35int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
36
37static int initialized = 0;
38ThreadVars tv;
39DecodeThreadVars *dtv;
40// FlowWorkerThreadData
41void *fwd;
42SCInstance surifuzz;
43SC_ATOMIC_EXTERN(unsigned int, engine_stage);
44
45extern const char *configNoChecksum;
46
47char *filepath = NULL;
48
49int LLVMFuzzerInitialize(const int *argc, char ***argv)
50{
51 filepath = dirname(strdup((*argv)[0]));
52 return 0;
53}
54
55int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
56{
57 FPC_buffer_t pkts;
58 const u_char *pkt;
59 struct pcap_pkthdr header;
60 int r;
61 Packet *p;
62 size_t pcap_cnt = 0;
63
64 if (initialized == 0) {
65 // Redirects logs to /dev/null
66 setenv("SC_LOG_OP_IFACE", "file", 0);
67 setenv("SC_LOG_FILE", "/dev/null", 0);
68
69 InitGlobal();
70
71 GlobalsInitPreConfig();
72 SCRunmodeSet(RUNMODE_PCAP_FILE);
73 // redirect logs to /tmp
74 ConfigSetLogDirectory("/tmp/");
75 // disables checksums validation for fuzzing
76 if (SCConfYamlLoadString(configNoChecksum, strlen(configNoChecksum)) != 0) {
77 abort();
78 }
79 surifuzz.sig_file = malloc(strlen(filepath) + strlen("/fuzz.rules") + 1);
80 memcpy(surifuzz.sig_file, filepath, strlen(filepath));
81 memcpy(surifuzz.sig_file + strlen(filepath), "/fuzz.rules", strlen("/fuzz.rules"));
82 surifuzz.sig_file[strlen(filepath) + strlen("/fuzz.rules")] = 0;
83 surifuzz.sig_file_exclusive = 1;
84 // loads rules after init
85 surifuzz.delayed_detect = 1;
86
87 PostConfLoadedSetup(&surifuzz);
88 PreRunPostPrivsDropInit(SCRunmodeGet());
89 PostConfLoadedDetectSetup(&surifuzz);
90
91 memset(&tv, 0, sizeof(tv));
92 tv.flow_queue = FlowQueueNew();
93 if (tv.flow_queue == NULL)
94 abort();
95 dtv = DecodeThreadVarsAlloc(&tv);
96 DecodeRegisterPerfCounters(dtv, &tv);
97 tmm_modules[TMM_FLOWWORKER].ThreadInit(&tv, NULL, &fwd);
98 StatsSetupPrivate(&tv);
99
100 extern uint32_t max_pending_packets;
101 max_pending_packets = 128;
102 PacketPoolInit();
103 if (DetectEngineReload(&surifuzz) < 0) {
104 return 0;
105 }
106
107 SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
108 initialized = 1;
109 }
110
111 if (size < FPC0_HEADER_LEN) {
112 return 0;
113 }
114 // initialize FPC with the buffer
115 if (FPC_init(&pkts, data, size) < 0) {
116 return 0;
117 }
118
119 // loop over packets
120 r = FPC_next(&pkts, &header, &pkt);
121 p = PacketGetFromAlloc();
122 if (p == NULL || r <= 0 || header.ts.tv_sec >= INT_MAX - 3600) {
123 goto bail;
124 }
125 p->ts = SCTIME_FROM_TIMEVAL(&header.ts);
126 p->datalink = pkts.datalink;
127 p->pkt_src = PKT_SRC_WIRE;
128 while (r > 0) {
129 if (PacketCopyData(p, pkt, header.caplen) == 0) {
130 // DecodePcapFile
131 TmEcode ecode = tmm_modules[TMM_DECODEPCAPFILE].Func(&tv, p, dtv);
132 if (ecode == TM_ECODE_FAILED) {
133 break;
134 }
135 Packet *extra_p = PacketDequeueNoLock(&tv.decode_pq);
136 while (extra_p != NULL) {
137 PacketFreeOrRelease(extra_p);
138 extra_p = PacketDequeueNoLock(&tv.decode_pq);
139 }
140 tmm_modules[TMM_FLOWWORKER].Func(&tv, p, fwd);
141 extra_p = PacketDequeueNoLock(&tv.decode_pq);
142 while (extra_p != NULL) {
143 PacketFreeOrRelease(extra_p);
144 extra_p = PacketDequeueNoLock(&tv.decode_pq);
145 }
146 }
147 r = FPC_next(&pkts, &header, &pkt);
148 if (r <= 0 || header.ts.tv_sec >= INT_MAX - 3600) {
149 goto bail;
150 }
151 PacketRecycle(p);
152 p->ts = SCTIME_FROM_TIMEVAL(&header.ts);
153 p->datalink = pkts.datalink;
154 pcap_cnt++;
155 p->pcap_cnt = pcap_cnt;
156 p->pkt_src = PKT_SRC_WIRE;
157 }
158bail:
159 if (p != NULL) {
160 PacketFree(p);
161 }
162 FlowReset();
163
164 return 0;
165}
SCConfYamlLoadString
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition conf-yaml-loader.c:523
StatsSetupPrivate
int StatsSetupPrivate(ThreadVars *tv)
Definition counters.c:1209
PKT_SRC_WIRE
@ PKT_SRC_WIRE
Definition decode.h:52
DetectEngineReload
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
Definition detect-engine.c:4789
FlowQueueNew
FlowQueue * FlowQueueNew(void)
Definition flow-queue.c:35
FlowReset
void FlowReset(void)
Definition flow.c:673
dtv
DecodeThreadVars * dtv
Definition fuzz_predefpcap_aware.c:39
LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition fuzz_predefpcap_aware.c:55
configNoChecksum
const char * configNoChecksum
Definition confyaml.c:1
tv
ThreadVars tv
Definition fuzz_predefpcap_aware.c:38
filepath
char * filepath
Definition fuzz_predefpcap_aware.c:47
surifuzz
SCInstance surifuzz
Definition fuzz_predefpcap_aware.c:42
fwd
void * fwd
Definition fuzz_predefpcap_aware.c:41
LLVMFuzzerInitialize
int LLVMFuzzerInitialize(const int *argc, char ***argv)
Definition fuzz_predefpcap_aware.c:49
DecodeRegisterPerfCounters
void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
Definition decode.c:628
DecodeThreadVarsAlloc
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *tv)
Alloc and setup DecodeThreadVars.
Definition decode.c:804
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition decode.c:258
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition decode.c:377
PacketFreeOrRelease
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition decode.c:276
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition decode.c:219
PacketDequeueNoLock
Packet * PacketDequeueNoLock(PacketQueueNoLock *qnl)
Definition packet-queue.c:208
PacketRecycle
void PacketRecycle(Packet *p)
Definition packet.c:150
max_pending_packets
uint32_t max_pending_packets
Definition suricata.c:183
RUNMODE_PCAP_FILE
@ RUNMODE_PCAP_FILE
Definition runmodes.h:30
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition decode.h:963
Packet_
Definition decode.h:501
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition decode.h:626
Packet_::ts
SCTime_t ts
Definition decode.h:555
Packet_::pkt_src
uint8_t pkt_src
Definition decode.h:611
Packet_::datalink
int datalink
Definition decode.h:639
SCInstance_
Definition suricata.h:133
SCInstance_::sig_file
char * sig_file
Definition suricata.h:138
SCInstance_::sig_file_exclusive
bool sig_file_exclusive
Definition suricata.h:139
SCInstance_::delayed_detect
int delayed_detect
Definition suricata.h:165
ThreadVars_
Per thread variable structure.
Definition threadvars.h:58
ThreadVars_::decode_pq
PacketQueueNoLock decode_pq
Definition threadvars.h:112
ThreadVars_::flow_queue
struct FlowQueue_ * flow_queue
Definition threadvars.h:135
TmModule_::Func
TmEcode(* Func)(ThreadVars *, Packet *, void *)
Definition tm-modules.h:56
TmModule_::ThreadInit
TmEcode(* ThreadInit)(ThreadVars *, const void *, void **)
Definition tm-modules.h:51
InitGlobal
int InitGlobal(void)
Global initialization common to all runmodes.
Definition suricata.c:2965
PostConfLoadedDetectSetup
void PostConfLoadedDetectSetup(SCInstance *suri)
Definition suricata.c:2625
PreRunPostPrivsDropInit
void PreRunPostPrivsDropInit(const int runmode)
Definition suricata.c:2315
SCRunmodeGet
SCRunMode SCRunmodeGet(void)
Get the current run mode.
Definition suricata.c:279
SCRunmodeSet
void SCRunmodeSet(SCRunMode run_mode)
Set the current run mode.
Definition suricata.c:284
GlobalsInitPreConfig
void GlobalsInitPreConfig(void)
Definition suricata.c:382
PostConfLoadedSetup
int PostConfLoadedSetup(SCInstance *suri)
Definition suricata.c:2716
SURICATA_RUNTIME
@ SURICATA_RUNTIME
Definition suricata.h:101
tmm_modules
TmModule tmm_modules[TMM_SIZE]
Definition tm-modules.c:29
TMM_FLOWWORKER
@ TMM_FLOWWORKER
Definition tm-threads-common.h:34
TMM_DECODEPCAPFILE
@ TMM_DECODEPCAPFILE
Definition tm-threads-common.h:41
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition tm-threads-common.h:82
PacketPoolInit
void PacketPoolInit(void)
Definition tmqh-packetpool.c:235
SC_ATOMIC_EXTERN
#define SC_ATOMIC_EXTERN(type, name)
wrapper for referencing an atomic variable declared on another file.
Definition util-atomic.h:296
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition util-atomic.h:386
ConfigSetLogDirectory
TmEcode ConfigSetLogDirectory(const char *name)
Definition util-conf.c:33
SCTIME_FROM_TIMEVAL
#define SCTIME_FROM_TIMEVAL(tv)
Definition util-time.h:79
setenv
void setenv(const char *name, const char *value, int overwrite)