1 files changed, 314 insertions, 0 deletions
diff --git a/fuzz/mutator_aux.c b/fuzz/mutator_aux.c
new file mode 100644
index 0000000..24aa716
--- /dev/null
+++ b/fuzz/mutator_aux.c
@@ -0,0 +1,314 @@
+/*
+ * Copyright (c) 2019 Yubico AB. All rights reserved.
+ * Use of this source code is governed by a BSD-style
+ * license that can be found in the LICENSE file.
+ */
+#include <assert.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "mutator_aux.h"
+size_t LLVMFuzzerMutate(uint8_t *, size_t, size_t);
+static uint8_t *wire_data_ptr = NULL;
+static size_t   wire_data_len = 0;
+size_t
+xstrlen(const char *s)
+{
+        if (s == NULL)
+                return (0);
+        return (strlen(s));
+}
+void
+consume(const void *body, size_t len)
+{
+        const volatile uint8_t *ptr = body;
+        volatile uint8_t x = 0;
+        while (len--)
+                x ^= *ptr++;
+}
+int
+unpack_int(uint8_t t, uint8_t **ptr, size_t *len, int *v) NO_MSAN
+{
+        size_t l;
+        if (*len < sizeof(t) || **ptr != t)
+                return (-1);
+        *ptr += sizeof(t);
+        *len -= sizeof(t);
+        if (*len < sizeof(l))
+                return (-1);
+        memcpy(&l, *ptr, sizeof(l));
+        *ptr += sizeof(l);
+        *len -= sizeof(l);
+        if (l != sizeof(*v) || *len < l)
+                return (-1);
+        memcpy(v, *ptr, sizeof(*v));
+        *ptr += sizeof(*v);
+        *len -= sizeof(*v);
+        return (0);
+}
+int
+unpack_string(uint8_t t, uint8_t **ptr, size_t *len, char *v) NO_MSAN
+{
+        size_t l;
+        if (*len < sizeof(t) || **ptr != t)
+                return (-1);
+        *ptr += sizeof(t);
+        *len -= sizeof(t);
+        if (*len < sizeof(l))
+                return (-1);
+        memcpy(&l, *ptr, sizeof(l));
+        *ptr += sizeof(l);
+        *len -= sizeof(l);
+        if (*len < l || l >= MAXSTR)
+                return (-1);
+        memcpy(v, *ptr, l);
+        v[l] = '\0';
+        *ptr += l;
+        *len -= l;
+        return (0);
+}
+int
+unpack_byte(uint8_t t, uint8_t **ptr, size_t *len, uint8_t *v) NO_MSAN
+{
+        size_t l;
+        if (*len < sizeof(t) || **ptr != t)
+                return (-1);
+        *ptr += sizeof(t);
+        *len -= sizeof(t);
+        if (*len < sizeof(l))
+                return (-1);
+        memcpy(&l, *ptr, sizeof(l));
+        *ptr += sizeof(l);
+        *len -= sizeof(l);
+        if (l != sizeof(*v) || *len < l)
+                return (-1);
+        memcpy(v, *ptr, sizeof(*v));
+        *ptr += sizeof(*v);
+        *len -= sizeof(*v);
+        return (0);
+}
+int
+unpack_blob(uint8_t t, uint8_t **ptr, size_t *len, struct blob *v) NO_MSAN
+{
+        size_t l;
+        v->len = 0;
+        if (*len < sizeof(t) || **ptr != t)
+                return (-1);
+        *ptr += sizeof(t);
+        *len -= sizeof(t);
+        if (*len < sizeof(l))
+                return (-1);
+        memcpy(&l, *ptr, sizeof(l));
+        *ptr += sizeof(l);
+        *len -= sizeof(l);
+        if (*len < l || l > sizeof(v->body))
+                return (-1);
+        memcpy(v->body, *ptr, l);
+        *ptr += l;
+        *len -= l;
+        v->len = l;
+        return (0);
+}
+int
+pack_int(uint8_t t, uint8_t **ptr, size_t *len, int v) NO_MSAN
+{
+        const size_t l = sizeof(v);
+        if (*len < sizeof(t) + sizeof(l) + l)
+                return (-1);
+        (*ptr)[0] = t;
+        memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l));
+        memcpy(&(*ptr)[sizeof(t) + sizeof(l)], &v, l);
+        *ptr += sizeof(t) + sizeof(l) + l;
+        *len -= sizeof(t) + sizeof(l) + l;
+        return (0);
+}
+int
+pack_string(uint8_t t, uint8_t **ptr, size_t *len, const char *v) NO_MSAN
+{
+        const size_t l = strlen(v);
+        if (*len < sizeof(t) + sizeof(l) + l)
+                return (-1);
+        (*ptr)[0] = t;
+        memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l));
+        memcpy(&(*ptr)[sizeof(t) + sizeof(l)], v, l);
+        *ptr += sizeof(t) + sizeof(l) + l;
+        *len -= sizeof(t) + sizeof(l) + l;
+        return (0);
+}
+int
+pack_byte(uint8_t t, uint8_t **ptr, size_t *len, uint8_t v) NO_MSAN
+{
+        const size_t l = sizeof(v);
+        if (*len < sizeof(t) + sizeof(l) + l)
+                return (-1);
+        (*ptr)[0] = t;
+        memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l));
+        memcpy(&(*ptr)[sizeof(t) + sizeof(l)], &v, l);
+        *ptr += sizeof(t) + sizeof(l) + l;
+        *len -= sizeof(t) + sizeof(l) + l;
+        return (0);
+}
+int
+pack_blob(uint8_t t, uint8_t **ptr, size_t *len, const struct blob *v) NO_MSAN
+{
+        const size_t l = v->len;
+        if (*len < sizeof(t) + sizeof(l) + l)
+                return (-1);
+        (*ptr)[0] = t;
+        memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l));
+        memcpy(&(*ptr)[sizeof(t) + sizeof(l)], v->body, l);
+        *ptr += sizeof(t) + sizeof(l) + l;
+        *len -= sizeof(t) + sizeof(l) + l;
+        return (0);
+}
+void
+mutate_byte(uint8_t *b)
+{
+        LLVMFuzzerMutate(b, sizeof(*b), sizeof(*b));
+}
+void
+mutate_int(int *i)
+{
+        LLVMFuzzerMutate((uint8_t *)i, sizeof(*i), sizeof(*i));
+}
+void
+mutate_blob(struct blob *blob)
+{
+        blob->len = LLVMFuzzerMutate((uint8_t *)blob->body, blob->len,
+            sizeof(blob->body));
+}
+void
+mutate_string(char *s)
+{
+        size_t n;
+        n = LLVMFuzzerMutate((uint8_t *)s, strlen(s), MAXSTR - 1);
+        s[n] = '\0';
+}
+ 
+void *
+dev_open(const char *path)
+{
+        (void)path;
+        return ((void *)0xdeadbeef);
+}
+void
+dev_close(void *handle)
+{
+        assert(handle == (void *)0xdeadbeef);
+}
+int
+dev_read(void *handle, unsigned char *ptr, size_t len, int ms)
+{
+        size_t n;
+        (void)ms;
+        assert(handle == (void *)0xdeadbeef);
+        assert(len == 64);
+        if (wire_data_len < len)
+                n = wire_data_len;
+        else
+                n = len;
+        memcpy(ptr, wire_data_ptr, n);
+        wire_data_ptr += n;
+        wire_data_len -= n;
+        return ((int)n);
+}
+int
+dev_write(void *handle, const unsigned char *ptr, size_t len)
+{
+        assert(handle == (void *)0xdeadbeef);
+        assert(len == 64 + 1);
+        consume(ptr, len);
+        if (uniform_random(400) < 1)
+                return (-1);
+        return ((int)len);
+}
+void
+set_wire_data(uint8_t *ptr, size_t len)
+{
+        wire_data_ptr = ptr;
+        wire_data_len = len;
+}

diff --git a/fuzz/mutator_aux.c b/fuzz/mutator_aux.c new file mode 100644 index 0000000..24aa716 --- /dev/null +++ b/fuzz/mutator_aux.c
@@ -0,0 +1,314 @@
	1	/*
	2	* Copyright (c) 2019 Yubico AB. All rights reserved.
	3	* Use of this source code is governed by a BSD-style
	4	* license that can be found in the LICENSE file.
	5	*/
	6
	7	#include <assert.h>
	8	#include <stddef.h>
	9	#include <stdint.h>
	10	#include <stdio.h>
	11	#include <stdlib.h>
	12	#include <string.h>
	13
	14	#include "mutator_aux.h"
	15
	16	size_t LLVMFuzzerMutate(uint8_t *, size_t, size_t);
	17
	18	static uint8_t *wire_data_ptr = NULL;
	19	static size_t wire_data_len = 0;
	20
	21	size_t
	22	xstrlen(const char *s)
	23	{
	24	if (s == NULL)
	25	return (0);
	26
	27	return (strlen(s));
	28	}
	29
	30	void
	31	consume(const void *body, size_t len)
	32	{
	33	const volatile uint8_t *ptr = body;
	34	volatile uint8_t x = 0;
	35
	36	while (len--)
	37	x ^= *ptr++;
	38	}
	39
	40	int
	41	unpack_int(uint8_t t, uint8_t *ptr, size_t len, int *v) NO_MSAN
	42	{
	43	size_t l;
	44
	45	if (len < sizeof(t) \|\| *ptr != t)
	46	return (-1);
	47
	48	*ptr += sizeof(t);
	49	*len -= sizeof(t);
	50
	51	if (*len < sizeof(l))
	52	return (-1);
	53
	54	memcpy(&l, *ptr, sizeof(l));
	55	*ptr += sizeof(l);
	56	*len -= sizeof(l);
	57
	58	if (l != sizeof(v) \|\| len < l)
	59	return (-1);
	60
	61	memcpy(v, ptr, sizeof(v));
	62	ptr += sizeof(v);
	63	len -= sizeof(v);
	64
	65	return (0);
	66	}
	67
	68	int
	69	unpack_string(uint8_t t, uint8_t *ptr, size_t len, char *v) NO_MSAN
	70	{
	71	size_t l;
	72
	73	if (len < sizeof(t) \|\| *ptr != t)
	74	return (-1);
	75
	76	*ptr += sizeof(t);
	77	*len -= sizeof(t);
	78
	79	if (*len < sizeof(l))
	80	return (-1);
	81
	82	memcpy(&l, *ptr, sizeof(l));
	83	*ptr += sizeof(l);
	84	*len -= sizeof(l);
	85
	86	if (*len < l \|\| l >= MAXSTR)
	87	return (-1);
	88
	89	memcpy(v, *ptr, l);
	90	v[l] = '\0';
	91
	92	*ptr += l;
	93	*len -= l;
	94
	95	return (0);
	96	}
	97
	98	int
	99	unpack_byte(uint8_t t, uint8_t *ptr, size_t len, uint8_t *v) NO_MSAN
	100	{
	101	size_t l;
	102
	103	if (len < sizeof(t) \|\| *ptr != t)
	104	return (-1);
	105
	106	*ptr += sizeof(t);
	107	*len -= sizeof(t);
	108
	109	if (*len < sizeof(l))
	110	return (-1);
	111
	112	memcpy(&l, *ptr, sizeof(l));
	113	*ptr += sizeof(l);
	114	*len -= sizeof(l);
	115
	116	if (l != sizeof(v) \|\| len < l)
	117	return (-1);
	118
	119	memcpy(v, ptr, sizeof(v));
	120	ptr += sizeof(v);
	121	len -= sizeof(v);
	122
	123	return (0);
	124	}
	125
	126	int
	127	unpack_blob(uint8_t t, uint8_t *ptr, size_t len, struct blob *v) NO_MSAN
	128	{
	129	size_t l;
	130
	131	v->len = 0;
	132
	133	if (len < sizeof(t) \|\| *ptr != t)
	134	return (-1);
	135
	136	*ptr += sizeof(t);
	137	*len -= sizeof(t);
	138
	139	if (*len < sizeof(l))
	140	return (-1);
	141
	142	memcpy(&l, *ptr, sizeof(l));
	143	*ptr += sizeof(l);
	144	*len -= sizeof(l);
	145
	146	if (*len < l \|\| l > sizeof(v->body))
	147	return (-1);
	148
	149	memcpy(v->body, *ptr, l);
	150	*ptr += l;
	151	*len -= l;
	152
	153	v->len = l;
	154
	155	return (0);
	156	}
	157
	158	int
	159	pack_int(uint8_t t, uint8_t *ptr, size_t len, int v) NO_MSAN
	160	{
	161	const size_t l = sizeof(v);
	162
	163	if (*len < sizeof(t) + sizeof(l) + l)
	164	return (-1);
	165
	166	(*ptr)[0] = t;
	167	memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l));
	168	memcpy(&(*ptr)[sizeof(t) + sizeof(l)], &v, l);
	169
	170	*ptr += sizeof(t) + sizeof(l) + l;
	171	*len -= sizeof(t) + sizeof(l) + l;
	172
	173	return (0);
	174	}
	175
	176	int
	177	pack_string(uint8_t t, uint8_t *ptr, size_t len, const char *v) NO_MSAN
	178	{
	179	const size_t l = strlen(v);
	180
	181	if (*len < sizeof(t) + sizeof(l) + l)
	182	return (-1);
	183
	184	(*ptr)[0] = t;
	185	memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l));
	186	memcpy(&(*ptr)[sizeof(t) + sizeof(l)], v, l);
	187
	188	*ptr += sizeof(t) + sizeof(l) + l;
	189	*len -= sizeof(t) + sizeof(l) + l;
	190
	191	return (0);
	192	}
	193
	194	int
	195	pack_byte(uint8_t t, uint8_t *ptr, size_t len, uint8_t v) NO_MSAN
	196	{
	197	const size_t l = sizeof(v);
	198
	199	if (*len < sizeof(t) + sizeof(l) + l)
	200	return (-1);
	201
	202	(*ptr)[0] = t;
	203	memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l));
	204	memcpy(&(*ptr)[sizeof(t) + sizeof(l)], &v, l);
	205
	206	*ptr += sizeof(t) + sizeof(l) + l;
	207	*len -= sizeof(t) + sizeof(l) + l;
	208
	209	return (0);
	210	}
	211
	212	int
	213	pack_blob(uint8_t t, uint8_t *ptr, size_t len, const struct blob *v) NO_MSAN
	214	{
	215	const size_t l = v->len;
	216
	217	if (*len < sizeof(t) + sizeof(l) + l)
	218	return (-1);
	219
	220	(*ptr)[0] = t;
	221	memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l));
	222	memcpy(&(*ptr)[sizeof(t) + sizeof(l)], v->body, l);
	223
	224	*ptr += sizeof(t) + sizeof(l) + l;
	225	*len -= sizeof(t) + sizeof(l) + l;
	226
	227	return (0);
	228	}
	229
	230	void
	231	mutate_byte(uint8_t *b)
	232	{
	233	LLVMFuzzerMutate(b, sizeof(b), sizeof(b));
	234	}
	235
	236	void
	237	mutate_int(int *i)
	238	{
	239	LLVMFuzzerMutate((uint8_t )i, sizeof(i), sizeof(*i));
	240	}
	241
	242	void
	243	mutate_blob(struct blob *blob)
	244	{
	245	blob->len = LLVMFuzzerMutate((uint8_t *)blob->body, blob->len,
	246	sizeof(blob->body));
	247	}
	248
	249	void
	250	mutate_string(char *s)
	251	{
	252	size_t n;
	253
	254	n = LLVMFuzzerMutate((uint8_t *)s, strlen(s), MAXSTR - 1);
	255	s[n] = '\0';
	256	}
	257
	258	void *
	259	dev_open(const char *path)
	260	{
	261	(void)path;
	262
	263	return ((void *)0xdeadbeef);
	264	}
	265
	266	void
	267	dev_close(void *handle)
	268	{
	269	assert(handle == (void *)0xdeadbeef);
	270	}
	271
	272	int
	273	dev_read(void handle, unsigned char ptr, size_t len, int ms)
	274	{
	275	size_t n;
	276
	277	(void)ms;
	278
	279	assert(handle == (void *)0xdeadbeef);
	280	assert(len == 64);
	281
	282	if (wire_data_len < len)
	283	n = wire_data_len;
	284	else
	285	n = len;
	286
	287	memcpy(ptr, wire_data_ptr, n);
	288
	289	wire_data_ptr += n;
	290	wire_data_len -= n;
	291
	292	return ((int)n);
	293	}
	294
	295	int
	296	dev_write(void handle, const unsigned char ptr, size_t len)
	297	{
	298	assert(handle == (void *)0xdeadbeef);
	299	assert(len == 64 + 1);
	300
	301	consume(ptr, len);
	302
	303	if (uniform_random(400) < 1)
	304	return (-1);
	305
	306	return ((int)len);
	307	}
	308
	309	void
	310	set_wire_data(uint8_t *ptr, size_t len)
	311	{
	312	wire_data_ptr = ptr;
	313	wire_data_len = len;
	314	}