Adding Fuzzing Targets

Alami-Amine · Alami-Amine · commit 406ad005f267 · 2024-09-02T18:29:18.000+02:00
diff --git a/src/credentials/tests/FuzzChipCertPW.cpp b/src/credentials/tests/FuzzChipCertPW.cpp
@@ -13,7 +13,6 @@ using namespace fuzztest;
 
 void ChipCertFuzzer(const std::vector<std::uint8_t> & bytes)
 {
-
     ByteSpan span(bytes.data(), bytes.size());
 
     {
@@ -58,6 +57,43 @@ void ChipCertFuzzer(const std::vector<std::uint8_t> & bytes)
         MutableByteSpan outCert(outCertBuf);
         (void) ConvertChipCertToX509Cert(span, outCert);
     }
+
+    {
+        // TODO: #34352 To Move this to a Fixture once Errors related to FuzzTest Fixtures are resolved
+        ASSERT_EQ(chip::Platform::MemoryInit(), CHIP_NO_ERROR);
+        ByteSpan span(bytes.data(), bytes.size());
+        ValidateChipRCAC(span);
+        chip::Platform::MemoryShutdown();
+    }
 }
 
 FUZZ_TEST(ChipCert, ChipCertFuzzer).WithDomains(Arbitrary<std::vector<std::uint8_t>>());
+
+// The Property function for DecodeChipCertFuzzer, The FUZZ_TEST Macro will call this function.
+void DecodeChipCertFuzzer(const std::vector<std::uint8_t> & bytes, BitFlags<CertDecodeFlags> aDecodeFlag)
+{
+    ByteSpan span(bytes.data(), bytes.size());
+
+    // TODO: #34352 To Move this to a Fixture once Errors related to FuzzTest Fixtures are resolved
+    ASSERT_EQ(chip::Platform::MemoryInit(), CHIP_NO_ERROR);
+
+    ChipCertificateData certData;
+    (void) DecodeChipCert(span, certData, aDecodeFlag);
+
+    chip::Platform::MemoryShutdown();
+}
+
+// This function allows us to fuzz using one of three CertDecodeFlags flags; by using FuzzTests's `ElementOf` API, we define an
+// input domain by explicitly enumerating the set of values in it More Info:
+// https://github.com/google/fuzztest/blob/main/doc/domains-reference.md#elementof-domains-element-of
+auto AnyCertDecodeFlag()
+{
+
+    constexpr BitFlags<CertDecodeFlags> NullDecodeFlag;
+    constexpr BitFlags<CertDecodeFlags> GenTBSHashFlag(CertDecodeFlags::kGenerateTBSHash);
+    constexpr BitFlags<CertDecodeFlags> TrustAnchorFlag(CertDecodeFlags::kIsTrustAnchor);
+
+    return ElementOf<CertDecodeFlags>({ NullDecodeFlag, GenTBSHashFlag, TrustAnchorFlag });
+}
+
+FUZZ_TEST(ChipCert, DecodeChipCertFuzzer).WithDomains(Arbitrary<std::vector<std::uint8_t>>(), AnyCertDecodeFlag());
diff --git a/src/lib/dnssd/minimal_mdns/tests/FuzzPacketParsingPW.cpp b/src/lib/dnssd/minimal_mdns/tests/FuzzPacketParsingPW.cpp
@@ -8,6 +8,7 @@
 #include <lib/dnssd/minimal_mdns/RecordData.h>
 
 using namespace fuzztest;
+using namespace std;
 
 namespace {
 
@@ -66,4 +67,64 @@ void PacketParserFuzz(const std::vector<std::uint8_t> & bytes)
     mdns::Minimal::ParsePacket(packet, &delegate);
 }
 
-FUZZ_TEST(MinimalmDNS, PacketParserFuzz).WithDomains(Arbitrary<std::vector<std::uint8_t>>());
+class TxtRecordAccumulator : public TxtRecordDelegate
+{
+public:
+    using DataType = vector<pair<string, string>>;
+
+    void OnRecord(const BytesRange & name, const BytesRange & value) override
+    {
+        mData.push_back(make_pair(AsString(name), AsString(value)));
+    }
+
+    DataType & Data() { return mData; }
+    const DataType & Data() const { return mData; }
+
+private:
+    DataType mData;
+
+    static string AsString(const BytesRange & range)
+    {
+        return string(reinterpret_cast<const char *>(range.Start()), reinterpret_cast<const char *>(range.End()));
+    }
+};
+
+void TxtResponderFuzz2(const std::vector<std::uint8_t> & aRecord)
+{
+
+    bool equal_sign_present = false;
+    auto equal_sign_pos     = aRecord.end();
+
+    // This test is only giving a set of values, it can be gives more
+    vector<uint8_t> prefixedRecord{ static_cast<uint8_t>(aRecord.size()) };
+
+    prefixedRecord.insert(prefixedRecord.end(), aRecord.begin(), aRecord.end());
+
+    TxtRecordAccumulator accumulator;
+
+    // The Function under Test, Check that the function does not Crash
+    ParseTxtRecord(BytesRange(prefixedRecord.data(), (&prefixedRecord.back() + 1)), &accumulator);
+
+    for (auto it = aRecord.begin(); it != aRecord.end(); it++)
+    {
+        // if this is first `=` found in the fuzzed record
+        if ('=' == static_cast<char>(*it) && false == equal_sign_present)
+        {
+            equal_sign_present = true;
+            equal_sign_pos     = it;
+        }
+    }
+
+    // The Fuzzed Input (record) needs to have at least two characters in order for ParseTxtRecord to do something
+    if (aRecord.size() > 1)
+    {
+        if (true == equal_sign_present)
+        {
+            std::string input_record_value(equal_sign_pos + 1, aRecord.end());
+            EXPECT_EQ(accumulator.Data().at(0).second, input_record_value);
+        }
+    }
+}
+
+FUZZ_TEST(MinimalmDNS, TxtResponderFuzz2).WithDomains(Arbitrary<vector<uint8_t>>().WithMaxSize(254));
+FUZZ_TEST(MinimalmDNS, PacketParserFuzz).WithDomains(Arbitrary<vector<uint8_t>>());
diff --git a/src/lib/format/tests/FuzzPayloadDecoderPW.cpp b/src/lib/format/tests/FuzzPayloadDecoderPW.cpp
@@ -34,7 +34,8 @@ using namespace chip::TLV;
 using namespace chip::TLVMeta;
 using namespace fuzztest;
 
-void RunDecodePW(const std::vector<std::uint8_t> & bytes, chip::Protocols::Id mProtocol, uint8_t mMessageType)
+// The Property Function; The FUZZ_TEST macro will call this function, with the fuzzed input domains
+void RunDecodeFuzz(const std::vector<std::uint8_t> & bytes, chip::Protocols::Id mProtocol, uint8_t mMessageType)
 {
 
     PayloadDecoderInitParams params;
@@ -56,29 +57,15 @@ void RunDecodePW(const std::vector<std::uint8_t> & bytes, chip::Protocols::Id mP
     {
         // Nothing to do ...
     }
-
-    // TODO: remove
-    // PRINT BYTES: To check the combination of bytes being printed
-    //  std::cout << "bytes: ";
-    //  for (const auto& byte : bytes) {
-    //      std::cout << static_cast<int>(byte) << " ";
-    //  }
-    //  std::cout <<std::endl << std::endl;
-
-    // printing Protocol IDs
-    // std::cout << "protocol ID: " << mProtocol.GetProtocolId()<<std::endl;
-
-    // printing mMessageType
-    // std::cout << "mMessageType: " << mMessageType << std::endl;
 }
 
-// This allows us to fuzz test with all the combinations of protocols
-auto ProtocolIDs()
+// This allows us to create a FuzzTest "Input Domain" to fuzz test with all the combinations of protocols.
+auto AnyProtocolID()
 {
     return ElementOf({ chip::Protocols::SecureChannel::Id, chip::Protocols::InteractionModel::Id, chip::Protocols::BDX::Id,
                        chip::Protocols::UserDirectedCommissioning::Id });
 }
 
-FUZZ_TEST(PayloadDecoder, RunDecodePW).WithDomains(Arbitrary<std::vector<std::uint8_t>>(), ProtocolIDs(), Arbitrary<uint8_t>());
+FUZZ_TEST(PayloadDecoder, RunDecodeFuzz).WithDomains(Arbitrary<std::vector<std::uint8_t>>(), AnyProtocolID(), Arbitrary<uint8_t>());
 
 } // namespace
diff --git a/src/setup_payload/tests/FuzzBase38PW.cpp b/src/setup_payload/tests/FuzzBase38PW.cpp
@@ -5,6 +5,7 @@
 #include <pw_fuzzer/fuzztest.h>
 #include <pw_unit_test/framework.h>
 
+#include "setup_payload/QRCodeSetupPayloadParser.h"
 #include <setup_payload/Base38Decode.h>
 #include <setup_payload/Base38Encode.h>
 
@@ -54,9 +55,19 @@ void Base38RoundTripFuzz(const std::vector<uint8_t> & bytes)
     ASSERT_EQ(decodedData, bytes);
 }
 
+void FuzzQRCodeSetupPayloadParser(const std::string & s)
+{
+    chip::Platform::MemoryInit();
+
+    SetupPayload payload;
+    QRCodeSetupPayloadParser(s).populatePayload(payload);
+}
+
 // The invocation of the FuzzTest
 FUZZ_TEST(Base38Decoder, Base38DecodeFuzz).WithDomains(Arbitrary<std::vector<uint8_t>>());
 
 // Max size of the vector is defined as 306 since that will give an outputSizeNeeded of 511 which is less than the required
 // kMaxOutputSize
 FUZZ_TEST(Base38Decoder, Base38RoundTripFuzz).WithDomains(Arbitrary<std::vector<uint8_t>>().WithMaxSize(306));
+
+FUZZ_TEST(Base38Decoder, FuzzQRCodeSetupPayloadParser).WithDomains(Arbitrary<std::string>());
