From 04789a380f1e52d80533f0367b7ae88dd9a4212a Mon Sep 17 00:00:00 2001
From: Alami-Amine <aalami90@gmail.com>
Date: Tue, 17 Sep 2024 20:39:32 +0200
Subject: [PATCH 1/5] Fuzzing different Transport Types for all-clusters-app
---
.../all-clusters-app/linux/fuzzing-main.cpp | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/examples/all-clusters-app/linux/fuzzing-main.cpp b/examples/all-clusters-app/linux/fuzzing-main.cpp
index 793a70a6a9fa3e..44b58786b71bd0 100644
--- a/examples/all-clusters-app/linux/fuzzing-main.cpp
+++ b/examples/all-clusters-app/linux/fuzzing-main.cpp
@@ -73,7 +73,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t * aData, size_t aSize)
// For now, just dump the data as a UDP payload into the session manager.
// But maybe we should try to separately extract a PeerAddress and data from
// the incoming data?
- Transport::PeerAddress peerAddr;
+
+ // dumping payload with random transport types
+ Transport::Type fuzzedTransportType = static_cast<Transport::Type>(*aData % 5);
+ Transport::PeerAddress peerAddr(fuzzedTransportType);
+
System::PacketBufferHandle buf =
System::PacketBufferHandle::NewWithData(aData, aSize, /* aAdditionalSize = */ 0, /* aReservedSize = */ 0);
if (buf.IsNull())
@@ -84,8 +88,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t * aData, size_t aSize)
// Ignoring the return value from OnMessageReceived, because we might be
// passing it all sorts of garbage that will cause it to fail.
- Server::GetInstance().GetSecureSessionManager().OnMessageReceived(peerAddr, std::move(buf));
+ // for TCP we need to have MessageTransportContext
+ if (fuzzedTransportType == Transport::Type::kTcp)
+ {
+ Transport::MessageTransportContext msgContext;
+ Server::GetInstance().GetSecureSessionManager().OnMessageReceived(peerAddr, std::move(buf), &msgContext);
+ }
+ else
+ {
+ Server::GetInstance().GetSecureSessionManager().OnMessageReceived(peerAddr, std::move(buf));
+ }
// Now process pending events until our sentinel is reached.
PlatformMgr().ScheduleWork([](intptr_t) { PlatformMgr().StopEventLoopTask(); });
PlatformMgr().RunEventLoop();
From b46ce9f110057d1f6399c8431e42ac61a2e402a4 Mon Sep 17 00:00:00 2001
From: Alami-Amine <aalami90@gmail.com>
Date: Wed, 18 Sep 2024 12:55:29 +0200
Subject: [PATCH 2/5] Adding an enum value for the number of transport types
---
src/transport/raw/PeerAddress.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/transport/raw/PeerAddress.h b/src/transport/raw/PeerAddress.h
index 896648f76f537a..d58bf3caaedf78 100644
--- a/src/transport/raw/PeerAddress.h
+++ b/src/transport/raw/PeerAddress.h
@@ -54,6 +54,7 @@ enum class Type : uint8_t
kBle,
kTcp,
kWiFiPAF,
+ kLast = kWiFiPAF, //This is not an actual transport type, it just refers to the last transport type
};
/**
From a3d0fb712a681cf99ca1614d3b85e1ec6ea76169 Mon Sep 17 00:00:00 2001
From: Alami-Amine <aalami90@gmail.com>
Date: Wed, 18 Sep 2024 12:57:03 +0200
Subject: [PATCH 3/5] 1. replacing magic number when fuzzing the number of
transport types 2. using different parts of the fuzzed input data for
TransportType and for Payload
---
examples/all-clusters-app/linux/fuzzing-main.cpp | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/examples/all-clusters-app/linux/fuzzing-main.cpp b/examples/all-clusters-app/linux/fuzzing-main.cpp
index 44b58786b71bd0..ba7f792a098907 100644
--- a/examples/all-clusters-app/linux/fuzzing-main.cpp
+++ b/examples/all-clusters-app/linux/fuzzing-main.cpp
@@ -74,12 +74,18 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t * aData, size_t aSize)
// But maybe we should try to separately extract a PeerAddress and data from
// the incoming data?
- // dumping payload with random transport types
- Transport::Type fuzzedTransportType = static_cast<Transport::Type>(*aData % 5);
+ // dumping payload with fuzzed transport types
+ constexpr uint8_t numberOfTypes = static_cast<int>(Transport::Type::kLast) + 1;
+ Transport::Type fuzzedTransportType = static_cast<Transport::Type>(aData[0] % numberOfTypes);
Transport::PeerAddress peerAddr(fuzzedTransportType);
+ if (aSize < 1)
+ {
+ return 0;
+ }
+
System::PacketBufferHandle buf =
- System::PacketBufferHandle::NewWithData(aData, aSize, /* aAdditionalSize = */ 0, /* aReservedSize = */ 0);
+ System::PacketBufferHandle::NewWithData(&aData[1], aSize - 1, /* aAdditionalSize = */ 0, /* aReservedSize = */ 0);
if (buf.IsNull())
{
// Too big; we couldn't represent this as a packetbuffer to start with.
From 8f17d3b27921850f632db786526939752177d51a Mon Sep 17 00:00:00 2001
From: "Restyled.io" <commits@restyled.io>
Date: Wed, 18 Sep 2024 14:27:51 +0000
Subject: [PATCH 4/5] Restyled by clang-format
---
examples/all-clusters-app/linux/fuzzing-main.cpp | 2 +-
src/transport/raw/PeerAddress.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/all-clusters-app/linux/fuzzing-main.cpp b/examples/all-clusters-app/linux/fuzzing-main.cpp
index ba7f792a098907..cfca923adcffe0 100644
--- a/examples/all-clusters-app/linux/fuzzing-main.cpp
+++ b/examples/all-clusters-app/linux/fuzzing-main.cpp
@@ -75,7 +75,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t * aData, size_t aSize)
// the incoming data?
// dumping payload with fuzzed transport types
- constexpr uint8_t numberOfTypes = static_cast<int>(Transport::Type::kLast) + 1;
+ constexpr uint8_t numberOfTypes = static_cast<int>(Transport::Type::kLast) + 1;
Transport::Type fuzzedTransportType = static_cast<Transport::Type>(aData[0] % numberOfTypes);
Transport::PeerAddress peerAddr(fuzzedTransportType);
diff --git a/src/transport/raw/PeerAddress.h b/src/transport/raw/PeerAddress.h
index d58bf3caaedf78..60d92b8f7b5d04 100644
--- a/src/transport/raw/PeerAddress.h
+++ b/src/transport/raw/PeerAddress.h
@@ -54,7 +54,7 @@ enum class Type : uint8_t
kBle,
kTcp,
kWiFiPAF,
- kLast = kWiFiPAF, //This is not an actual transport type, it just refers to the last transport type
+ kLast = kWiFiPAF, // This is not an actual transport type, it just refers to the last transport type
};
/**
From fec7b495dfa6cc6db13ec7081ce2817eadf07f8d Mon Sep 17 00:00:00 2001
From: Alami-Amine <aalami90@gmail.com>
Date: Thu, 19 Sep 2024 13:02:01 +0200
Subject: [PATCH 5/5] avoiding out of bounds access
---
examples/all-clusters-app/linux/fuzzing-main.cpp | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/examples/all-clusters-app/linux/fuzzing-main.cpp b/examples/all-clusters-app/linux/fuzzing-main.cpp
index cfca923adcffe0..2d8422d0d2eee6 100644
--- a/examples/all-clusters-app/linux/fuzzing-main.cpp
+++ b/examples/all-clusters-app/linux/fuzzing-main.cpp
@@ -74,16 +74,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t * aData, size_t aSize)
// But maybe we should try to separately extract a PeerAddress and data from
// the incoming data?
+ // To avoid out-of-bounds access when acessing aData[1]
+ if (aSize < 2)
+ {
+ return 0;
+ }
+
// dumping payload with fuzzed transport types
constexpr uint8_t numberOfTypes = static_cast<int>(Transport::Type::kLast) + 1;
Transport::Type fuzzedTransportType = static_cast<Transport::Type>(aData[0] % numberOfTypes);
Transport::PeerAddress peerAddr(fuzzedTransportType);
- if (aSize < 1)
- {
- return 0;
- }
-
System::PacketBufferHandle buf =
System::PacketBufferHandle::NewWithData(&aData[1], aSize - 1, /* aAdditionalSize = */ 0, /* aReservedSize = */ 0);
if (buf.IsNull())