diff options
Diffstat (limited to 'fuzz/mutator_aux.c')
-rw-r--r-- | fuzz/mutator_aux.c | 314 |
1 files changed, 314 insertions, 0 deletions
diff --git a/fuzz/mutator_aux.c b/fuzz/mutator_aux.c new file mode 100644 index 0000000..24aa716 --- /dev/null +++ b/fuzz/mutator_aux.c | |||
@@ -0,0 +1,314 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2019 Yubico AB. All rights reserved. | ||
3 | * Use of this source code is governed by a BSD-style | ||
4 | * license that can be found in the LICENSE file. | ||
5 | */ | ||
6 | |||
7 | #include <assert.h> | ||
8 | #include <stddef.h> | ||
9 | #include <stdint.h> | ||
10 | #include <stdio.h> | ||
11 | #include <stdlib.h> | ||
12 | #include <string.h> | ||
13 | |||
14 | #include "mutator_aux.h" | ||
15 | |||
16 | size_t LLVMFuzzerMutate(uint8_t *, size_t, size_t); | ||
17 | |||
18 | static uint8_t *wire_data_ptr = NULL; | ||
19 | static size_t wire_data_len = 0; | ||
20 | |||
21 | size_t | ||
22 | xstrlen(const char *s) | ||
23 | { | ||
24 | if (s == NULL) | ||
25 | return (0); | ||
26 | |||
27 | return (strlen(s)); | ||
28 | } | ||
29 | |||
30 | void | ||
31 | consume(const void *body, size_t len) | ||
32 | { | ||
33 | const volatile uint8_t *ptr = body; | ||
34 | volatile uint8_t x = 0; | ||
35 | |||
36 | while (len--) | ||
37 | x ^= *ptr++; | ||
38 | } | ||
39 | |||
40 | int | ||
41 | unpack_int(uint8_t t, uint8_t **ptr, size_t *len, int *v) NO_MSAN | ||
42 | { | ||
43 | size_t l; | ||
44 | |||
45 | if (*len < sizeof(t) || **ptr != t) | ||
46 | return (-1); | ||
47 | |||
48 | *ptr += sizeof(t); | ||
49 | *len -= sizeof(t); | ||
50 | |||
51 | if (*len < sizeof(l)) | ||
52 | return (-1); | ||
53 | |||
54 | memcpy(&l, *ptr, sizeof(l)); | ||
55 | *ptr += sizeof(l); | ||
56 | *len -= sizeof(l); | ||
57 | |||
58 | if (l != sizeof(*v) || *len < l) | ||
59 | return (-1); | ||
60 | |||
61 | memcpy(v, *ptr, sizeof(*v)); | ||
62 | *ptr += sizeof(*v); | ||
63 | *len -= sizeof(*v); | ||
64 | |||
65 | return (0); | ||
66 | } | ||
67 | |||
68 | int | ||
69 | unpack_string(uint8_t t, uint8_t **ptr, size_t *len, char *v) NO_MSAN | ||
70 | { | ||
71 | size_t l; | ||
72 | |||
73 | if (*len < sizeof(t) || **ptr != t) | ||
74 | return (-1); | ||
75 | |||
76 | *ptr += sizeof(t); | ||
77 | *len -= sizeof(t); | ||
78 | |||
79 | if (*len < sizeof(l)) | ||
80 | return (-1); | ||
81 | |||
82 | memcpy(&l, *ptr, sizeof(l)); | ||
83 | *ptr += sizeof(l); | ||
84 | *len -= sizeof(l); | ||
85 | |||
86 | if (*len < l || l >= MAXSTR) | ||
87 | return (-1); | ||
88 | |||
89 | memcpy(v, *ptr, l); | ||
90 | v[l] = '\0'; | ||
91 | |||
92 | *ptr += l; | ||
93 | *len -= l; | ||
94 | |||
95 | return (0); | ||
96 | } | ||
97 | |||
98 | int | ||
99 | unpack_byte(uint8_t t, uint8_t **ptr, size_t *len, uint8_t *v) NO_MSAN | ||
100 | { | ||
101 | size_t l; | ||
102 | |||
103 | if (*len < sizeof(t) || **ptr != t) | ||
104 | return (-1); | ||
105 | |||
106 | *ptr += sizeof(t); | ||
107 | *len -= sizeof(t); | ||
108 | |||
109 | if (*len < sizeof(l)) | ||
110 | return (-1); | ||
111 | |||
112 | memcpy(&l, *ptr, sizeof(l)); | ||
113 | *ptr += sizeof(l); | ||
114 | *len -= sizeof(l); | ||
115 | |||
116 | if (l != sizeof(*v) || *len < l) | ||
117 | return (-1); | ||
118 | |||
119 | memcpy(v, *ptr, sizeof(*v)); | ||
120 | *ptr += sizeof(*v); | ||
121 | *len -= sizeof(*v); | ||
122 | |||
123 | return (0); | ||
124 | } | ||
125 | |||
126 | int | ||
127 | unpack_blob(uint8_t t, uint8_t **ptr, size_t *len, struct blob *v) NO_MSAN | ||
128 | { | ||
129 | size_t l; | ||
130 | |||
131 | v->len = 0; | ||
132 | |||
133 | if (*len < sizeof(t) || **ptr != t) | ||
134 | return (-1); | ||
135 | |||
136 | *ptr += sizeof(t); | ||
137 | *len -= sizeof(t); | ||
138 | |||
139 | if (*len < sizeof(l)) | ||
140 | return (-1); | ||
141 | |||
142 | memcpy(&l, *ptr, sizeof(l)); | ||
143 | *ptr += sizeof(l); | ||
144 | *len -= sizeof(l); | ||
145 | |||
146 | if (*len < l || l > sizeof(v->body)) | ||
147 | return (-1); | ||
148 | |||
149 | memcpy(v->body, *ptr, l); | ||
150 | *ptr += l; | ||
151 | *len -= l; | ||
152 | |||
153 | v->len = l; | ||
154 | |||
155 | return (0); | ||
156 | } | ||
157 | |||
158 | int | ||
159 | pack_int(uint8_t t, uint8_t **ptr, size_t *len, int v) NO_MSAN | ||
160 | { | ||
161 | const size_t l = sizeof(v); | ||
162 | |||
163 | if (*len < sizeof(t) + sizeof(l) + l) | ||
164 | return (-1); | ||
165 | |||
166 | (*ptr)[0] = t; | ||
167 | memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l)); | ||
168 | memcpy(&(*ptr)[sizeof(t) + sizeof(l)], &v, l); | ||
169 | |||
170 | *ptr += sizeof(t) + sizeof(l) + l; | ||
171 | *len -= sizeof(t) + sizeof(l) + l; | ||
172 | |||
173 | return (0); | ||
174 | } | ||
175 | |||
176 | int | ||
177 | pack_string(uint8_t t, uint8_t **ptr, size_t *len, const char *v) NO_MSAN | ||
178 | { | ||
179 | const size_t l = strlen(v); | ||
180 | |||
181 | if (*len < sizeof(t) + sizeof(l) + l) | ||
182 | return (-1); | ||
183 | |||
184 | (*ptr)[0] = t; | ||
185 | memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l)); | ||
186 | memcpy(&(*ptr)[sizeof(t) + sizeof(l)], v, l); | ||
187 | |||
188 | *ptr += sizeof(t) + sizeof(l) + l; | ||
189 | *len -= sizeof(t) + sizeof(l) + l; | ||
190 | |||
191 | return (0); | ||
192 | } | ||
193 | |||
194 | int | ||
195 | pack_byte(uint8_t t, uint8_t **ptr, size_t *len, uint8_t v) NO_MSAN | ||
196 | { | ||
197 | const size_t l = sizeof(v); | ||
198 | |||
199 | if (*len < sizeof(t) + sizeof(l) + l) | ||
200 | return (-1); | ||
201 | |||
202 | (*ptr)[0] = t; | ||
203 | memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l)); | ||
204 | memcpy(&(*ptr)[sizeof(t) + sizeof(l)], &v, l); | ||
205 | |||
206 | *ptr += sizeof(t) + sizeof(l) + l; | ||
207 | *len -= sizeof(t) + sizeof(l) + l; | ||
208 | |||
209 | return (0); | ||
210 | } | ||
211 | |||
212 | int | ||
213 | pack_blob(uint8_t t, uint8_t **ptr, size_t *len, const struct blob *v) NO_MSAN | ||
214 | { | ||
215 | const size_t l = v->len; | ||
216 | |||
217 | if (*len < sizeof(t) + sizeof(l) + l) | ||
218 | return (-1); | ||
219 | |||
220 | (*ptr)[0] = t; | ||
221 | memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l)); | ||
222 | memcpy(&(*ptr)[sizeof(t) + sizeof(l)], v->body, l); | ||
223 | |||
224 | *ptr += sizeof(t) + sizeof(l) + l; | ||
225 | *len -= sizeof(t) + sizeof(l) + l; | ||
226 | |||
227 | return (0); | ||
228 | } | ||
229 | |||
230 | void | ||
231 | mutate_byte(uint8_t *b) | ||
232 | { | ||
233 | LLVMFuzzerMutate(b, sizeof(*b), sizeof(*b)); | ||
234 | } | ||
235 | |||
236 | void | ||
237 | mutate_int(int *i) | ||
238 | { | ||
239 | LLVMFuzzerMutate((uint8_t *)i, sizeof(*i), sizeof(*i)); | ||
240 | } | ||
241 | |||
242 | void | ||
243 | mutate_blob(struct blob *blob) | ||
244 | { | ||
245 | blob->len = LLVMFuzzerMutate((uint8_t *)blob->body, blob->len, | ||
246 | sizeof(blob->body)); | ||
247 | } | ||
248 | |||
249 | void | ||
250 | mutate_string(char *s) | ||
251 | { | ||
252 | size_t n; | ||
253 | |||
254 | n = LLVMFuzzerMutate((uint8_t *)s, strlen(s), MAXSTR - 1); | ||
255 | s[n] = '\0'; | ||
256 | } | ||
257 | |||
258 | void * | ||
259 | dev_open(const char *path) | ||
260 | { | ||
261 | (void)path; | ||
262 | |||
263 | return ((void *)0xdeadbeef); | ||
264 | } | ||
265 | |||
266 | void | ||
267 | dev_close(void *handle) | ||
268 | { | ||
269 | assert(handle == (void *)0xdeadbeef); | ||
270 | } | ||
271 | |||
272 | int | ||
273 | dev_read(void *handle, unsigned char *ptr, size_t len, int ms) | ||
274 | { | ||
275 | size_t n; | ||
276 | |||
277 | (void)ms; | ||
278 | |||
279 | assert(handle == (void *)0xdeadbeef); | ||
280 | assert(len == 64); | ||
281 | |||
282 | if (wire_data_len < len) | ||
283 | n = wire_data_len; | ||
284 | else | ||
285 | n = len; | ||
286 | |||
287 | memcpy(ptr, wire_data_ptr, n); | ||
288 | |||
289 | wire_data_ptr += n; | ||
290 | wire_data_len -= n; | ||
291 | |||
292 | return ((int)n); | ||
293 | } | ||
294 | |||
295 | int | ||
296 | dev_write(void *handle, const unsigned char *ptr, size_t len) | ||
297 | { | ||
298 | assert(handle == (void *)0xdeadbeef); | ||
299 | assert(len == 64 + 1); | ||
300 | |||
301 | consume(ptr, len); | ||
302 | |||
303 | if (uniform_random(400) < 1) | ||
304 | return (-1); | ||
305 | |||
306 | return ((int)len); | ||
307 | } | ||
308 | |||
309 | void | ||
310 | set_wire_data(uint8_t *ptr, size_t len) | ||
311 | { | ||
312 | wire_data_ptr = ptr; | ||
313 | wire_data_len = len; | ||
314 | } | ||