tests/fuzz/test-fuzz.c

   1 #include <stdio.h>
   2 #include <stdint.h>
   3 #include <stddef.h>
   4 #include <limits.h>
   5
   6 #include "blob.h"
   7 #include "blobmsg.h"
   8
   9 #define BLOBMSG_TYPE_TROUBLE INT_MAX
  10
  11 static void fuzz_blobmsg_parse(const uint8_t *data, size_t size)
  12 {
  13         enum {
  14                 FOO_MESSAGE,
  15                 FOO_LIST,
  16                 FOO_TESTDATA,
  17                 __FOO_MAX
  18         };
  19
  20         static const int blobmsg_type[] = {
  21                 BLOBMSG_TYPE_UNSPEC,
  22                 BLOBMSG_TYPE_ARRAY,
  23                 BLOBMSG_TYPE_TABLE,
  24                 BLOBMSG_TYPE_STRING,
  25                 BLOBMSG_TYPE_INT64,
  26                 BLOBMSG_TYPE_INT32,
  27                 BLOBMSG_TYPE_INT16,
  28                 BLOBMSG_TYPE_INT8,
  29                 BLOBMSG_TYPE_DOUBLE,
  30                 BLOBMSG_TYPE_TROUBLE,
  31         };
  32
  33         static const struct blobmsg_policy foo_policy[] = {
  34                 [FOO_MESSAGE] = {
  35                         .name = "message",
  36                         .type = BLOBMSG_TYPE_STRING,
  37                 },
  38                 [FOO_LIST] = {
  39                         .name = "list",
  40                         .type = BLOBMSG_TYPE_ARRAY,
  41                 },
  42                 [FOO_TESTDATA] = {
  43                         .name = "testdata",
  44                         .type = BLOBMSG_TYPE_TABLE,
  45                 },
  46         };
  47
  48         struct blob_attr *tb[__FOO_MAX];
  49
  50         blobmsg_parse(foo_policy, __FOO_MAX, tb, (uint8_t *)data, size);
  51         blobmsg_parse_array(foo_policy, __FOO_MAX, tb, (uint8_t *)data, size);
  52
  53         blobmsg_check_attr_len((struct blob_attr *)data, false, size);
  54         blobmsg_check_attr_len((struct blob_attr *)data, true, size);
  55
  56         for (size_t i=0; i < ARRAY_SIZE(blobmsg_type); i++) {
  57                 blobmsg_check_array_len((struct blob_attr *)data, blobmsg_type[i], size);
  58                 blobmsg_check_attr_list_len((struct blob_attr *)data, blobmsg_type[i], size);
  59         }
  60 }
  61
  62 static void fuzz_blob_parse(const uint8_t *data, size_t size)
  63 {
  64         enum {
  65                 FOO_ATTR_NESTED,
  66                 FOO_ATTR_BINARY,
  67                 FOO_ATTR_STRING,
  68                 FOO_ATTR_INT8,
  69                 FOO_ATTR_INT16,
  70                 FOO_ATTR_INT32,
  71                 FOO_ATTR_INT64,
  72                 FOO_ATTR_DOUBLE,
  73                 __FOO_ATTR_MAX
  74         };
  75
  76
  77         static const struct blob_attr_info foo_policy[__FOO_ATTR_MAX] = {
  78                 [FOO_ATTR_NESTED] = { .type = BLOB_ATTR_NESTED },
  79                 [FOO_ATTR_BINARY] = { .type = BLOB_ATTR_BINARY },
  80                 [FOO_ATTR_STRING] = { .type = BLOB_ATTR_STRING },
  81                 [FOO_ATTR_INT8] = { .type = BLOB_ATTR_INT8 },
  82                 [FOO_ATTR_INT16] = { .type = BLOB_ATTR_INT16 },
  83                 [FOO_ATTR_INT32] = { .type = BLOB_ATTR_INT32 },
  84                 [FOO_ATTR_INT64] = { .type = BLOB_ATTR_INT64 },
  85                 [FOO_ATTR_DOUBLE] = { .type = BLOB_ATTR_DOUBLE },
  86         };
  87
  88         struct blob_attr *foo[__FOO_ATTR_MAX];
  89         struct blob_attr *buf = (struct blob_attr *)data;
  90
  91         blob_parse_untrusted(buf, size, foo, foo_policy, __FOO_ATTR_MAX);
  92 }
  93
  94 int LLVMFuzzerTestOneInput(const uint8_t *input, size_t size)
  95 {
  96         uint8_t *data;
  97
  98         data = malloc(size);
  99         if (!data)
 100                 return -1;
 101
 102         memcpy(data, input, size);
 103         fuzz_blob_parse(data, size);
 104         fuzz_blobmsg_parse(data, size);
 105         free(data);
 106
 107         return 0;
 108 }