Merge pull request #1764 from cesanta/fuzz

Optimize fuzzer

Makefile

@@ -75,8 +75,10 @@ musl: RUN = $(DOCKER) mdashnet/cc1
 unamalgamated: $(HDRS) Makefile test/packed_fs.c
 	$(CC) src/*.c test/packed_fs.c test/unit_test.c $(CFLAGS) $(LDFLAGS) -g -o unit_test
 
+fuzz: WARN += -Wno-deprecated -Wno-vla-extension
+fuzz: ASAN = -fsanitize=fuzzer,signed-integer-overflow,address,undefined
 fuzz: mongoose.c mongoose.h Makefile test/fuzz.c
-	$(CXX) test/fuzz.c $(WARN) $(INCS) $(TFLAGS) -Wno-missing-field-initializers -fsanitize=fuzzer,signed-integer-overflow,address -Wno-deprecated -Wno-vla-extension -o fuzzer
+	$(CXX) test/fuzz.c $(OPTS) $(WARN) $(INCS) $(TFLAGS) $(ASAN) -o fuzzer
 	$(RUN) ./fuzzer
 
 test: Makefile mongoose.h $(SRCS)

mip/mip.c

@@ -444,7 +444,7 @@ static void rx_arp(struct mip_if *ifp, struct pkt *pkt) {
 
 static void rx_icmp(struct mip_if *ifp, struct pkt *pkt) {
   // MG_DEBUG(("ICMP %d", (int) len));
-  if (pkt->icmp->type == 8 && pkt->ip->dst == ifp->ip) {
+  if (pkt->icmp->type == 8 && pkt->ip != NULL && pkt->ip->dst == ifp->ip) {
     struct ip *ip = tx_ip(ifp, 1, ifp->ip, pkt->ip->src,
                           sizeof(struct icmp) + pkt->pay.len);
     struct icmp *icmp = (struct icmp *) (ip + 1);
@@ -733,7 +733,7 @@ static void rx_ip6(struct mip_if *ifp, struct pkt *pkt) {
     if (pkt->pay.len < sizeof(*pkt->icmp)) return;
     mkpay(pkt, pkt->icmp + 1);
     rx_icmp(ifp, pkt);
-  } else if (pkt->ip->proto == 17) {
+  } else if (pkt->ip6->proto == 17) {
     pkt->udp = (struct udp *) (pkt->ip6 + 1);
     if (pkt->pay.len < sizeof(*pkt->udp)) return;
     // MG_DEBUG(("  UDP %u %u -> %u", len, mg_htons(udp->sport),

mongoose.c

@@ -6733,7 +6733,7 @@ static void rx_arp(struct mip_if *ifp, struct pkt *pkt) {
 
 static void rx_icmp(struct mip_if *ifp, struct pkt *pkt) {
   // MG_DEBUG(("ICMP %d", (int) len));
-  if (pkt->icmp->type == 8 && pkt->ip->dst == ifp->ip) {
+  if (pkt->icmp->type == 8 && pkt->ip != NULL && pkt->ip->dst == ifp->ip) {
     struct ip *ip = tx_ip(ifp, 1, ifp->ip, pkt->ip->src,
                           sizeof(struct icmp) + pkt->pay.len);
     struct icmp *icmp = (struct icmp *) (ip + 1);
@@ -7022,7 +7022,7 @@ static void rx_ip6(struct mip_if *ifp, struct pkt *pkt) {
     if (pkt->pay.len < sizeof(*pkt->icmp)) return;
     mkpay(pkt, pkt->icmp + 1);
     rx_icmp(ifp, pkt);
-  } else if (pkt->ip->proto == 17) {
+  } else if (pkt->ip6->proto == 17) {
     pkt->udp = (struct udp *) (pkt->ip6 + 1);
     if (pkt->pay.len < sizeof(*pkt->udp)) return;
     // MG_DEBUG(("  UDP %u %u -> %u", len, mg_htons(udp->sport),

test/fuzz.c

@@ -57,16 +57,30 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   mg_json_get(mg_str_n((char *) data, size), "$.a.b", &n);
   mg_json_get(mg_str_n((char *) data, size), "$[0]", &n);
 
-  struct mip_cfg cfg = {};
-  size_t pktlen = 1540;
-  char t[sizeof(struct mip_if) + pktlen * 2 + 0 /* qlen */];
-  struct mip_if *ifp = (struct mip_if *) t;
-  struct mg_mgr mgr;
-  mg_mgr_init(&mgr);
-  if_init(ifp, &mgr, &cfg, &mip_driver_mock, NULL, pktlen, 0);
-  mip_rx(ifp, (void *) data, size);
-  mgr.priv = NULL;  // Don't let Mongoose free() ifp
-  mg_mgr_free(&mgr);
+  if (size > 0) {
+    struct mip_cfg cfg = {};
+    size_t pktlen = 1540;
+    char t[sizeof(struct mip_if) + pktlen * 2 + 0 /* qlen */];
+    struct mip_if *ifp = (struct mip_if *) t;
+    struct mg_mgr mgr;
+    mg_mgr_init(&mgr);
+    if_init(ifp, &mgr, &cfg, &mip_driver_mock, NULL, pktlen, 0);
+
+    // Make a copy of the random data, in order to modify it
+    uint8_t pkt[size];
+    struct eth *eth = (struct eth *) pkt;
+    memcpy(pkt, data, size);
+    if (size > sizeof(*eth)) {
+      static uint8_t i;
+      uint16_t types[] = {0x800, 0x800, 0x806, 0x86dd};
+      memcpy(eth->dst, ifp->mac, 6);  // Set valid destination MAC
+      eth->type = mg_htons(types[i++ & 3]);
+    }
+
+    mip_rx(ifp, (void *) pkt, size);
+    mgr.priv = NULL;  // Don't let Mongoose free() ifp
+    mg_mgr_free(&mgr);
+  }
 
   return 0;
 }