
Commit d7e03ff

Alami-Aminerestyled-commits
authored andcommitted
[libfuzzer] Fuzzing different Transport Types for all-clusters-app (project-chip#35629)
* Fuzzing different Transport Types for all-clusters-app * Adding an enum value for the number of transport types * 1. replacing magic number when fuzzing the number of transport types 2. using different parts of the fuzzed input data for TransportType and for Payload * Restyled by clang-format * avoiding out of bounds access --------- Co-authored-by: Restyled.io <commits@restyled.io>
1 parent a2b1f6b commit d7e03ff


2 files changed

+24
-3
lines changed

2 files changed

+24
-3
lines changed

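--- a/examples/all-clusters-app/linux/fuzzing-main.cpp
+++ b/examples/all-clusters-app/linux/fuzzing-main.cpp
@@ -73,9 +73,20 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t * aData, size_t aSize)
 // For now, just dump the data as a UDP payload into the session manager.
 // But maybe we should try to separately extract a PeerAddress and data from
 // the incoming data?
-Transport::PeerAddress peerAddr;
+
+// To avoid out-of-bounds access when acessing aData[1]
+if (aSize < 2)
+{
+return 0;
+}
+
+// dumping payload with fuzzed transport types
+constexpr uint8_t numberOfTypes = static_cast<int>(Transport::Type::kLast) + 1;
+Transport::Type fuzzedTransportType = static_cast<Transport::Type>(aData[0] % numberOfTypes);
+Transport::PeerAddress peerAddr(fuzzedTransportType);
+
 System::PacketBufferHandle buf =
-System::PacketBufferHandle::NewWithData(aData, aSize, /* aAdditionalSize = */ 0, /* aReservedSize = */ 0);
+System::PacketBufferHandle::NewWithData(&aData[1], aSize - 1, /* aAdditionalSize = */ 0, /* aReservedSize = */ 0);
 if (buf.IsNull())
 {
 // Too big; we couldn't represent this as a packetbuffer to start with.
@@ -84,8 +95,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t * aData, size_t aSize)
 
 // Ignoring the return value from OnMessageReceived, because we might be
 // passing it all sorts of garbage that will cause it to fail.
-Server::GetInstance().GetSecureSessionManager().OnMessageReceived(peerAddr, std::move(buf));
 
+// for TCP we need to have MessageTransportContext
+if (fuzzedTransportType == Transport::Type::kTcp)
+{
+Transport::MessageTransportContext msgContext;
+Server::GetInstance().GetSecureSessionManager().OnMessageReceived(peerAddr, std::move(buf), &msgContext);
+}
+else
+{
+Server::GetInstance().GetSecureSessionManager().OnMessageReceived(peerAddr, std::move(buf));
+}
 // Now process pending events until our sentinel is reached.
 PlatformMgr().ScheduleWork([](intptr_t) { PlatformMgr().StopEventLoopTask(); });
 PlatformMgr().RunEventLoop();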
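Review bot: The context comment kept at new lines 73-75 still says the data is dumped as a UDP payload, but the new code reads `aData[0]` as the transport type and forwards only `&aData[1]`, so the input layout of this fuzz target has changed without being documented. Seed corpora and saved crash reproducers recorded before this commit will now have their first byte interpreted as a type selector, which is worth stating where maintainers will look. I would replace the stale comment with `// Input layout: aData[0] selects Transport::Type (modulo kLast + 1); aData[1..] is the message payload.` The added guard comment also has a typo (`acessing`), and `static_cast<int>` could be `static_cast<uint8_t>` to match the enum's underlying type. LLVMFuzzerTestOneInput starts and ends outside the shown hunks.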

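--- a/src/transport/raw/PeerAddress.h
+++ b/src/transport/raw/PeerAddress.h
@@ -54,6 +54,7 @@ enum class Type : uint8_t
 kBle,
 kTcp,
 kWiFiPAF,
+kLast = kWiFiPAF, // This is not an actual transport type, it just refers to the last transport type
 };
 
 /**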
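Review bot: `kLast` is a hand-maintained alias, and nothing in this hunk ties it to the real end of the enum, so a transport type appended after `kWiFiPAF` without updating it would be silently left out of any range built from `kLast` (the fuzz target in this commit computes `kLast + 1`). I would make the maintenance rule explicit in the comment: `kLast = kWiFiPAF, // Alias of the highest-valued transport type; update this when appending a new type`. The enum's opening lines are outside the hunk, so the full enumerator list is not visible here.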
