| 1 | #include <glib.h>
|
|---|
| 2 | #include <stdlib.h>
|
|---|
| 3 | #include <stdio.h>
|
|---|
| 4 | #include "../src/libslirp.h"
|
|---|
| 5 | #include "helper.h"
|
|---|
| 6 | #include "slirp_base_fuzz.h"
|
|---|
| 7 |
|
|---|
| 8 | #ifdef CUSTOM_MUTATOR
|
|---|
| 9 | extern size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);
|
|---|
| 10 | size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed);
|
|---|
| 11 |
|
|---|
| 12 | /// This is a custom mutator, this allows us to mutate only specific parts of
|
|---|
| 13 | /// the input and fix the checksum so the packet isn't rejected for bad reasons.
|
|---|
| 14 | extern size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
|
|---|
| 15 | size_t MaxSize, unsigned int Seed)
|
|---|
| 16 | {
|
|---|
| 17 | size_t current_size = Size;
|
|---|
| 18 | uint8_t *Data_ptr = Data;
|
|---|
| 19 | uint8_t *ip_data;
|
|---|
| 20 | uint32_t ipsource;
|
|---|
| 21 | bool mutated = false;
|
|---|
| 22 |
|
|---|
| 23 | pcap_hdr_t *hdr = (void *)Data_ptr;
|
|---|
| 24 | pcaprec_hdr_t *rec = NULL;
|
|---|
| 25 |
|
|---|
| 26 | if (current_size < sizeof(pcap_hdr_t)) {
|
|---|
| 27 | return 0;
|
|---|
| 28 | }
|
|---|
| 29 |
|
|---|
| 30 | Data_ptr += sizeof(*hdr);
|
|---|
| 31 | current_size -= sizeof(*hdr);
|
|---|
| 32 |
|
|---|
| 33 | if (hdr->magic_number == 0xd4c3b2a1) {
|
|---|
| 34 | g_debug("FIXME: byteswap fields");
|
|---|
| 35 | return 0;
|
|---|
| 36 | } /* else assume native pcap file */
|
|---|
| 37 | if (hdr->network != 1) {
|
|---|
| 38 | return 0;
|
|---|
| 39 | }
|
|---|
| 40 |
|
|---|
| 41 | for ( ; current_size > sizeof(*rec); Data_ptr += rec->incl_len, current_size -= rec->incl_len) {
|
|---|
| 42 | rec = (void *)Data_ptr;
|
|---|
| 43 | Data_ptr += sizeof(*rec);
|
|---|
| 44 | current_size -= sizeof(*rec);
|
|---|
| 45 |
|
|---|
| 46 | if (rec->incl_len != rec->orig_len) {
|
|---|
| 47 | return 0;
|
|---|
| 48 | }
|
|---|
| 49 | if (rec->incl_len > current_size) {
|
|---|
| 50 | return 0;
|
|---|
| 51 | }
|
|---|
| 52 | if (rec->incl_len < 14 + 1) {
|
|---|
| 53 | return 0;
|
|---|
| 54 | }
|
|---|
| 55 |
|
|---|
| 56 | ip_data = Data_ptr + 14;
|
|---|
| 57 |
|
|---|
| 58 | if (rec->incl_len >= 14 + 16) {
|
|---|
| 59 | ipsource = * (uint32_t*) (ip_data + 12);
|
|---|
| 60 |
|
|---|
| 61 | // This an answer, which we will produce, so don't mutate
|
|---|
| 62 | if (ipsource == htonl(0x0a000202) || ipsource == htonl(0x0a000203))
|
|---|
| 63 | continue;
|
|---|
| 64 | }
|
|---|
| 65 |
|
|---|
| 66 | // Exclude packets that are not UDP from the mutation strategy
|
|---|
| 67 | if (ip_data[9] != IPPROTO_UDP)
|
|---|
| 68 | continue;
|
|---|
| 69 |
|
|---|
| 70 | uint8_t Data_to_mutate[MaxSize];
|
|---|
| 71 | uint8_t ip_hl = (ip_data[0] & 0xF);
|
|---|
| 72 | uint8_t ip_hl_in_bytes = ip_hl * 4; /* ip header length */
|
|---|
| 73 |
|
|---|
| 74 | // The size inside the packet can't be trusted, if it is too big it can
|
|---|
| 75 | // lead to heap overflows in the fuzzing code.
|
|---|
| 76 | // Fixme : don't use ip_hl_in_bytes inside the fuzzing code, maybe use the
|
|---|
| 77 | // rec->incl_len and manually calculate the size.
|
|---|
| 78 | if (ip_hl_in_bytes > rec->incl_len - 14)
|
|---|
| 79 | return 0;
|
|---|
| 80 |
|
|---|
| 81 | uint8_t *start_of_udp = ip_data + ip_hl_in_bytes;
|
|---|
| 82 | uint8_t udp_header_size = 8;
|
|---|
| 83 | uint16_t udp_size = ntohs(*(uint16_t *)(start_of_udp + 4));
|
|---|
| 84 |
|
|---|
| 85 | // The size inside the packet can't be trusted, if it is too big it can
|
|---|
| 86 | // lead to heap overflows in the fuzzing code.
|
|---|
| 87 | // Fixme : don't use udp_size inside the fuzzing code, maybe use the
|
|---|
| 88 | // rec->incl_len and manually calculate the size.
|
|---|
| 89 | if (udp_size > MaxSize || udp_size > rec->incl_len - 14 - ip_hl_in_bytes)
|
|---|
| 90 | return 0;
|
|---|
| 91 |
|
|---|
| 92 | // Copy interesting data to the `Data_to_mutate` array
|
|---|
| 93 | // here we want to fuzz everything in the udp packet
|
|---|
| 94 | memset(Data_to_mutate, 0, MaxSize);
|
|---|
| 95 | memcpy(Data_to_mutate, start_of_udp, udp_size);
|
|---|
| 96 |
|
|---|
| 97 | // Call to libfuzzer's mutation function.
|
|---|
| 98 | // Pass the whole UDP packet, mutate it and then fix checksum value
|
|---|
| 99 | // so the packet isn't rejected.
|
|---|
| 100 | // The new size of the data is returned by LLVMFuzzerMutate.
|
|---|
| 101 | // Fixme: allow to change the size of the UDP packet, this will require
|
|---|
| 102 | // to fix the size before calculating the new checksum and change
|
|---|
| 103 | // how the Data_ptr is advanced.
|
|---|
| 104 | // Most offsets bellow should be good for when the switch will be
|
|---|
| 105 | // done to avoid overwriting new/mutated data.
|
|---|
| 106 | LLVMFuzzerMutate(Data_to_mutate, udp_header_size, udp_header_size);
|
|---|
| 107 |
|
|---|
| 108 | // Drop checksum
|
|---|
| 109 | *(uint16_t *)(Data_to_mutate + 6) = 0;
|
|---|
| 110 |
|
|---|
| 111 | // Copy the mutated data back to the `Data` array
|
|---|
| 112 | memcpy(start_of_udp, Data_to_mutate, udp_size);
|
|---|
| 113 |
|
|---|
| 114 | mutated = true;
|
|---|
| 115 | }
|
|---|
| 116 |
|
|---|
| 117 | if (!mutated)
|
|---|
| 118 | return 0;
|
|---|
| 119 |
|
|---|
| 120 | return Size;
|
|---|
| 121 | }
|
|---|
| 122 | #endif // CUSTOM_MUTATOR
|
|---|
