DGNum/libubox
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
libubox/tests/fuzz/test-fuzz.c
Petr Štetiar 5c0faaf4f5 tests: prefer dynamically allocated buffers 
Help detecting Valgrind OOB reads and other issues.

 Conditional jump or move depends on uninitialised value(s)
   at 0x5452886: blobmsg_parse (blobmsg.c:203)
   by 0x400A8E: test_blobmsg (tests/test-blobmsg-parse.c:66)
   by 0x400A8E: main (tests/test-blobmsg-parse.c:82)

 Conditional jump or move depends on uninitialised value(s)
   at 0x545247F: blobmsg_check_name (blobmsg.c:39)
   by 0x545247F: blobmsg_check_attr_len (blobmsg.c:79)
   by 0x5452710: blobmsg_parse_array (blobmsg.c:159)
   by 0x400AB8: test_blobmsg (tests/test-blobmsg-parse.c:69)
   by 0x400AB8: main (tests/test-blobmsg-parse.c:82)

 Conditional jump or move depends on uninitialised value(s)
   at 0x54524A0: blobmsg_check_name (blobmsg.c:42)
   by 0x54524A0: blobmsg_check_attr_len (blobmsg.c:79)
   by 0x5452710: blobmsg_parse_array (blobmsg.c:159)
   by 0x400AB8: test_blobmsg (tests/test-blobmsg-parse.c:69)
   by 0x400AB8: main (tests/test-blobmsg-parse.c:82)

Ref: http://lists.infradead.org/pipermail/openwrt-devel/2020-January/021204.html
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-20 16:54:10 +01:00

108 lines
2.4 KiB
C
Raw Blame History

#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <limits.h>
#include "blob.h"
#include "blobmsg.h"
#define BLOBMSG_TYPE_TROUBLE INT_MAX
static void fuzz_blobmsg_parse(const uint8_t *data, size_t size)
{
enum {
FOO_MESSAGE,
FOO_LIST,
FOO_TESTDATA,
__FOO_MAX
};
static const int blobmsg_type[] = {
BLOBMSG_TYPE_UNSPEC,
BLOBMSG_TYPE_ARRAY,
BLOBMSG_TYPE_TABLE,
BLOBMSG_TYPE_STRING,
BLOBMSG_TYPE_INT64,
BLOBMSG_TYPE_INT32,
BLOBMSG_TYPE_INT16,
BLOBMSG_TYPE_INT8,
BLOBMSG_TYPE_DOUBLE,
BLOBMSG_TYPE_TROUBLE,
};
static const struct blobmsg_policy foo_policy[] = {
[FOO_MESSAGE] = {
.name = "message",
.type = BLOBMSG_TYPE_STRING,
},
[FOO_LIST] = {
.name = "list",
.type = BLOBMSG_TYPE_ARRAY,
},
[FOO_TESTDATA] = {
.name = "testdata",
.type = BLOBMSG_TYPE_TABLE,
},
};
struct blob_attr *tb[__FOO_MAX];
blobmsg_parse(foo_policy, __FOO_MAX, tb, (uint8_t *)data, size);
blobmsg_parse_array(foo_policy, __FOO_MAX, tb, (uint8_t *)data, size);
blobmsg_check_attr_len((struct blob_attr *)data, false, size);
blobmsg_check_attr_len((struct blob_attr *)data, true, size);
for (size_t i=0; i < ARRAY_SIZE(blobmsg_type); i++) {
blobmsg_check_array_len((struct blob_attr *)data, blobmsg_type[i], size);
blobmsg_check_attr_list_len((struct blob_attr *)data, blobmsg_type[i], size);
}
}
static void fuzz_blob_parse(const uint8_t *data, size_t size)
{
enum {
FOO_ATTR_NESTED,
FOO_ATTR_BINARY,
FOO_ATTR_STRING,
FOO_ATTR_INT8,
FOO_ATTR_INT16,
FOO_ATTR_INT32,
FOO_ATTR_INT64,
FOO_ATTR_DOUBLE,
__FOO_ATTR_MAX
};
static const struct blob_attr_info foo_policy[__FOO_ATTR_MAX] = {
[FOO_ATTR_NESTED] = { .type = BLOB_ATTR_NESTED },
[FOO_ATTR_BINARY] = { .type = BLOB_ATTR_BINARY },
[FOO_ATTR_STRING] = { .type = BLOB_ATTR_STRING },
[FOO_ATTR_INT8] = { .type = BLOB_ATTR_INT8 },
[FOO_ATTR_INT16] = { .type = BLOB_ATTR_INT16 },
[FOO_ATTR_INT32] = { .type = BLOB_ATTR_INT32 },
[FOO_ATTR_INT64] = { .type = BLOB_ATTR_INT64 },
[FOO_ATTR_DOUBLE] = { .type = BLOB_ATTR_DOUBLE },
};
struct blob_attr *foo[__FOO_ATTR_MAX];
struct blob_attr *buf = (struct blob_attr *)data;
blob_parse_untrusted(buf, size, foo, foo_policy, __FOO_ATTR_MAX);
}
int LLVMFuzzerTestOneInput(const uint8_t *input, size_t size)
{
uint8_t *data;
data = malloc(size);
if (!data)
return -1;
memcpy(data, input, size);
fuzz_blob_parse(data, size);
fuzz_blobmsg_parse(data, size);
free(data);
return 0;
}
Reference in a new issue View git blame Copy permalink