fuzz: improve coverage (ntop#2612)

Add fuzzer to test `ndpi_quick_encrypt()` and `ndpi_quick_decrypt()`
Antaryo · Nov 1, 2024 · b63f74a · b63f74a
1 parent 137d87f
commit b63f74a
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 3 deletions.
diff --git a/.gitignore b/.gitignore
@@ -68,6 +68,7 @@
 /fuzz/fuzz_alg_shoco
 /fuzz/fuzz_alg_memmem
 /fuzz/fuzz_alg_strnstr
+/fuzz/fuzz_alg_quick_encryption
 /fuzz/fuzz_config
 /fuzz/fuzz_community_id
 /fuzz/fuzz_serialization

diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
@@ -1,6 +1,6 @@
 bin_PROGRAMS = fuzz_process_packet fuzz_ndpi_reader fuzz_ndpi_reader_alloc_fail fuzz_ndpi_reader_payload_analyzer fuzz_quic_get_crypto_data fuzz_config fuzz_community_id fuzz_serialization fuzz_tls_certificate fuzz_dga fuzz_is_stun_udp fuzz_is_stun_tcp
 #Alghoritms
-bin_PROGRAMS += fuzz_alg_bins fuzz_alg_hll fuzz_alg_hw_rsi_outliers_da fuzz_alg_jitter fuzz_alg_ses_des fuzz_alg_crc32_md5 fuzz_alg_bytestream fuzz_alg_shoco fuzz_alg_memmem fuzz_alg_strnstr
+bin_PROGRAMS += fuzz_alg_bins fuzz_alg_hll fuzz_alg_hw_rsi_outliers_da fuzz_alg_jitter fuzz_alg_ses_des fuzz_alg_crc32_md5 fuzz_alg_bytestream fuzz_alg_shoco fuzz_alg_memmem fuzz_alg_strnstr fuzz_alg_quick_encryption
 #Data structures
 bin_PROGRAMS += fuzz_ds_patricia fuzz_ds_ahocorasick fuzz_ds_libcache fuzz_ds_tree fuzz_ds_ptree fuzz_ds_hash fuzz_ds_cmsketch fuzz_ds_bitmap64_fuse fuzz_ds_domain_classify
 #Third party
@@ -249,6 +249,21 @@ fuzz_alg_strnstr_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
     $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
     $(fuzz_alg_strnstr_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
 
+fuzz_alg_quick_encryption_SOURCES = fuzz_alg_quick_encryption.cpp fuzz_common_code.c
+fuzz_alg_quick_encryption_CXXFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
+fuzz_alg_quick_encryption_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
+fuzz_alg_quick_encryption_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
+fuzz_alg_quick_encryption_LDFLAGS = $(LIBS)
+if HAS_FUZZLDFLAGS
+fuzz_alg_quick_encryption_CXXFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_alg_quick_encryption_CFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_alg_quick_encryption_LDFLAGS += $(LIB_FUZZING_ENGINE)
+endif
+# force usage of CXX for linker
+fuzz_alg_quick_encryption_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+    $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
+    $(fuzz_alg_quick_encryption_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
+
 fuzz_alg_ses_des_SOURCES = fuzz_alg_ses_des.cpp fuzz_common_code.c
 fuzz_alg_ses_des_CXXFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
 fuzz_alg_ses_des_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)

diff --git a/fuzz/fuzz_alg_quick_encryption.cpp b/fuzz/fuzz_alg_quick_encryption.cpp
@@ -0,0 +1,30 @@
+#include "ndpi_api.h"
+#include "fuzz_common_code.h"
+
+#include <stdlib.h>
+#include <stdint.h>
+#include "fuzzer/FuzzedDataProvider.h"
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  FuzzedDataProvider fuzzed_data(data, size);
+  char *enc_buffer, *dec_buffer;
+  u_int16_t encrypted_msg_len, decrypted_msg_len;
+
+  if(fuzzed_data.remaining_bytes() <= 64) /* Some data */
+    return -1;
+
+  /* To allow memory allocation failures */
+  fuzz_set_alloc_callbacks_and_seed(size);
+
+  std::vector<unsigned char>key = fuzzed_data.ConsumeBytes<u_int8_t>(64);
+  std::vector<char>cleartext_msg = fuzzed_data.ConsumeRemainingBytes<char>();
+
+  enc_buffer = ndpi_quick_encrypt(cleartext_msg.data(), cleartext_msg.size(), &encrypted_msg_len, key.data());
+  if(enc_buffer) {
+    dec_buffer = ndpi_quick_decrypt(enc_buffer, encrypted_msg_len, &decrypted_msg_len, key.data());
+    ndpi_free(enc_buffer);
+    ndpi_free(dec_buffer);
+  }
+  return 0;
+}
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
@@ -3810,7 +3810,8 @@ char* ndpi_quick_encrypt(const char *cleartext_msg,
   encoded = ndpi_base64_encode((const unsigned char *)encoded_buf, encoded_len);
   ndpi_free(encoded_buf);
 
-  *encrypted_msg_len = strlen(encoded);
+  if(encoded)
+    *encrypted_msg_len = strlen(encoded);
 
   return(encoded);
 }
@@ -3842,13 +3843,15 @@ char* ndpi_quick_decrypt(const char *encrypted_msg,
 
   if((content == NULL) || (content_len == 0)) {
     /* Base64 decoding error */
+    ndpi_free(decoded_string);
     ndpi_free(content);
     return(NULL);
   }
 
   if(allocated_decoded_string < (content_len+1)) {
     /* Buffer size failure */
-    free(content);
+    ndpi_free(decoded_string);
+    ndpi_free(content);
     return(NULL);
   }