From 173bfbf7886608a4a7abbfac6a42ac4bf4a3432d Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 20 Sep 2020 16:14:20 +0100 Subject: New upstream version 1.5.0 --- fuzz/mutator_aux.c | 253 ++++++++++++++--------------------------------------- 1 file changed, 65 insertions(+), 188 deletions(-) (limited to 'fuzz/mutator_aux.c') diff --git a/fuzz/mutator_aux.c b/fuzz/mutator_aux.c index fe09438..98815e8 100644 --- a/fuzz/mutator_aux.c +++ b/fuzz/mutator_aux.c @@ -5,26 +5,28 @@ */ #include +#include #include #include #include #include #include +#include "fido.h" #include "mutator_aux.h" size_t LLVMFuzzerMutate(uint8_t *, size_t, size_t); -static uint8_t *wire_data_ptr = NULL; -static size_t wire_data_len = 0; +static const uint8_t *wire_data_ptr = NULL; +static size_t wire_data_len = 0; size_t xstrlen(const char *s) { if (s == NULL) - return (0); + return 0; - return (strlen(s)); + return strlen(s); } void @@ -33,6 +35,10 @@ consume(const void *body, size_t len) const volatile uint8_t *ptr = body; volatile uint8_t x = 0; +#ifdef WITH_MSAN + __msan_check_mem_is_initialized(body, len); +#endif + while (len--) x ^= *ptr++; } 
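Review bot: The `#ifdef WITH_MSAN` block added to `consume()` carries no comment saying why an explicit check is needed next to the byte loop. MemorySanitizer reports uninitialised data only when it reaches a branch, a pointer dereference or a system call, so XOR-ing the bytes into a volatile does not flag them on its own; that appears to be the reason for the new call. I would add `/* the XOR loop alone does not trip MSan; check the buffer explicitly */` above the `#ifdef`. The signature of `consume()` appears only in the hunk header, not in the hunk body.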
@@ -44,217 +50,87 @@ consume_str(const char *str) } int -unpack_int(uint8_t t, uint8_t **ptr, size_t *len, int *v) NO_MSAN -{ - size_t l; - - if (*len < sizeof(t) || **ptr != t) - return (-1); - - *ptr += sizeof(t); - *len -= sizeof(t); - - if (*len < sizeof(l)) - return (-1); - - memcpy(&l, *ptr, sizeof(l)); - *ptr += sizeof(l); - *len -= sizeof(l); - - if (l != sizeof(*v) || *len < l) - return (-1); - - memcpy(v, *ptr, sizeof(*v)); - *ptr += sizeof(*v); - *len -= sizeof(*v); - - return (0); -} - -int -unpack_string(uint8_t t, uint8_t **ptr, size_t *len, char *v) NO_MSAN +unpack_int(cbor_item_t *item, int *v) { - size_t l; - - if (*len < sizeof(t) || **ptr != t) - return (-1); - - *ptr += sizeof(t); - *len -= sizeof(t); - - if (*len < sizeof(l)) - return (-1); - - memcpy(&l, *ptr, sizeof(l)); - *ptr += sizeof(l); - *len -= sizeof(l); + if (cbor_is_int(item) == false || + cbor_int_get_width(item) != CBOR_INT_64) + return -1; - if (*len < l || l >= MAXSTR) - return (-1); - - memcpy(v, *ptr, l); - v[l] = '\0'; - - *ptr += l; - *len -= l; - - return (0); -} - -int -unpack_byte(uint8_t t, uint8_t **ptr, size_t *len, uint8_t *v) NO_MSAN -{ - size_t l; - - if (*len < sizeof(t) || **ptr != t) - return (-1); - - *ptr += sizeof(t); - *len -= sizeof(t); - - if (*len < sizeof(l)) - return (-1); - - memcpy(&l, *ptr, sizeof(l)); - *ptr += sizeof(l); - *len -= sizeof(l); - - if (l != sizeof(*v) || *len < l) - return (-1); - - memcpy(v, *ptr, sizeof(*v)); - *ptr += sizeof(*v); - *len -= sizeof(*v); - - return (0); -} - -int -unpack_blob(uint8_t t, uint8_t **ptr, size_t *len, struct blob *v) NO_MSAN -{ - size_t l; - - v->len = 0; - - if (*len < sizeof(t) || **ptr != t) - return (-1); - - *ptr += sizeof(t); - *len -= sizeof(t); - - if (*len < sizeof(l)) - return (-1); - - memcpy(&l, *ptr, sizeof(l)); - *ptr += sizeof(l); - *len -= sizeof(l); - - if (*len < l || l > sizeof(v->body)) - return (-1); - - memcpy(v->body, *ptr, l); - *ptr += l; - *len -= l; - - v->len = l; + if 
(cbor_isa_uint(item)) + *v = (int)cbor_get_uint64(item); + else + *v = (int)(-cbor_get_uint64(item) - 1); - return (0); + return 0; } int -pack_int(uint8_t t, uint8_t **ptr, size_t *len, int v) NO_MSAN +unpack_string(cbor_item_t *item, char *v) { - const size_t l = sizeof(v); + size_t len; - if (*len < sizeof(t) + sizeof(l) + l) - return (-1); + if (cbor_isa_bytestring(item) == false || + (len = cbor_bytestring_length(item)) >= MAXSTR) + return -1; - (*ptr)[0] = t; - memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l)); - memcpy(&(*ptr)[sizeof(t) + sizeof(l)], &v, l); + memcpy(v, cbor_bytestring_handle(item), len); + v[len] = '\0'; - *ptr += sizeof(t) + sizeof(l) + l; - *len -= sizeof(t) + sizeof(l) + l; - - return (0); + return 0; } int -pack_string(uint8_t t, uint8_t **ptr, size_t *len, const char *v) NO_MSAN +unpack_byte(cbor_item_t *item, uint8_t *v) { - const size_t l = strlen(v); - - if (*len < sizeof(t) + sizeof(l) + l) - return (-1); - - (*ptr)[0] = t; - memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l)); - memcpy(&(*ptr)[sizeof(t) + sizeof(l)], v, l); + if (cbor_isa_uint(item) == false || + cbor_int_get_width(item) != CBOR_INT_8) + return -1; - *ptr += sizeof(t) + sizeof(l) + l; - *len -= sizeof(t) + sizeof(l) + l; + *v = cbor_get_uint8(item); - return (0); + return 0; } int -pack_byte(uint8_t t, uint8_t **ptr, size_t *len, uint8_t v) NO_MSAN +unpack_blob(cbor_item_t *item, struct blob *v) { - const size_t l = sizeof(v); + if (cbor_isa_bytestring(item) == false || + (v->len = cbor_bytestring_length(item)) > sizeof(v->body)) + return -1; - if (*len < sizeof(t) + sizeof(l) + l) - return (-1); + memcpy(v->body, cbor_bytestring_handle(item), v->len); - (*ptr)[0] = t; - memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l)); - memcpy(&(*ptr)[sizeof(t) + sizeof(l)], &v, l); - - *ptr += sizeof(t) + sizeof(l) + l; - *len -= sizeof(t) + sizeof(l) + l; - - return (0); + return 0; } -int -pack_blob(uint8_t t, uint8_t **ptr, size_t *len, const struct blob *v) NO_MSAN +cbor_item_t * +pack_int(int v) 
NO_MSAN { - const size_t l = v->len; - - if (*len < sizeof(t) + sizeof(l) + l) - return (-1); - - (*ptr)[0] = t; - memcpy(&(*ptr)[sizeof(t)], &l, sizeof(l)); - memcpy(&(*ptr)[sizeof(t) + sizeof(l)], v->body, l); - - *ptr += sizeof(t) + sizeof(l) + l; - *len -= sizeof(t) + sizeof(l) + l; - - return (0); + if (v < 0) + return cbor_build_negint64((uint64_t)(-(int64_t)v - 1)); + else + return cbor_build_uint64((uint64_t)v); } -size_t -len_int(void) +cbor_item_t * +pack_string(const char *v) NO_MSAN { - return (sizeof(uint8_t) + sizeof(size_t) + sizeof(int)); -} + if (strlen(v) >= MAXSTR) + return NULL; -size_t -len_string(int max) -{ - return ((sizeof(uint8_t) + sizeof(size_t)) + (max ? MAXSTR - 1 : 0)); + return cbor_build_bytestring((const unsigned char *)v, strlen(v)); } -size_t -len_byte(void) +cbor_item_t * +pack_byte(uint8_t v) NO_MSAN { - return (sizeof(uint8_t) + sizeof(size_t) + sizeof(uint8_t)); + return cbor_build_uint8(v); } -size_t -len_blob(int max) +cbor_item_t * +pack_blob(const struct blob *v) NO_MSAN { - return (sizeof(uint8_t) + sizeof(size_t) + (max ? MAXBLOB : 0)); + return cbor_build_bytestring(v->body, v->len); } void @@ -284,13 +160,13 @@ mutate_string(char *s) n = LLVMFuzzerMutate((uint8_t *)s, strlen(s), MAXSTR - 1); s[n] = '\0'; } - + void * dev_open(const char *path) { (void)path; - return ((void *)0xdeadbeef); + return (void *)0xdeadbeef; } void @@ -307,7 +183,7 @@ dev_read(void *handle, unsigned char *ptr, size_t len, int ms) (void)ms; assert(handle == (void *)0xdeadbeef); - assert(len == 64); + assert(len >= CTAP_MIN_REPORT_LEN && len <= CTAP_MAX_REPORT_LEN); if (wire_data_len < len) n = wire_data_len; 
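Review bot: In the new `unpack_blob()`, `v->len` is assigned inside the condition before it is compared with `sizeof(v->body)`, so the error path returns -1 with `v->len` holding an oversized length. The removed version zeroed `v->len` first and set it only after the copy. Callers are not visible here, but any code that reads the blob after a failed unpack would run past `body`, so take the length into a local, as `unpack_string()` does, and commit it only on success. Separately, `unpack_int()` narrows a 64-bit CBOR value to `int` with no range check, so out-of-range inputs wrap silently; comparing against `INT_MAX` before the cast would make the accepted range explicit.

```c
int
unpack_blob(cbor_item_t *item, struct blob *v)
{
	size_t len;

	/* never leave a stale or oversized length behind on failure */
	v->len = 0;

	if (cbor_isa_bytestring(item) == false ||
	    (len = cbor_bytestring_length(item)) > sizeof(v->body))
		return -1;

	memcpy(v->body, cbor_bytestring_handle(item), len);
	v->len = len;

	return 0;
}
```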
@@ -319,25 +195,26 @@ dev_read(void *handle, unsigned char *ptr, size_t len, int ms) wire_data_ptr += n; wire_data_len -= n; - return ((int)n); + return (int)n; } int dev_write(void *handle, const unsigned char *ptr, size_t len) { assert(handle == (void *)0xdeadbeef); - assert(len == 64 + 1); + assert(len >= CTAP_MIN_REPORT_LEN + 1 && + len <= CTAP_MAX_REPORT_LEN + 1); consume(ptr, len); if (uniform_random(400) < 1) - return (-1); + return -1; - return ((int)len); + return (int)len; } void -set_wire_data(uint8_t *ptr, size_t len) +set_wire_data(const uint8_t *ptr, size_t len) { wire_data_ptr = ptr; wire_data_len = len; -- cgit v1.2.3
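Review bot: `set_wire_data()` stores the caller's pointer in the static `wire_data_ptr`, and `dev_read()` later advances that pointer, yet nothing states that the buffer must stay valid while device I/O is in progress. The new `const` qualifier shows that the harness does not write through the pointer, but says nothing about lifetime. I would add `/* ptr is borrowed, not copied: it must outlive every dev_read() call */` above the function. The closing brace of `set_wire_data()` is outside the hunk.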