projects/ntp/patch.diff - platform/external/oss-fuzz - Git at Google

 diff --git a/configure.ac b/configure.ac
 index 7975d31..528861c 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -4399,6 +4399,37 @@ AC_DEFINE_UNQUOTED([DYNAMIC_INTERLEAVE], [$ntp_dynamic_interleave],
      [support dynamic interleave?])
  AC_MSG_RESULT([$ntp_ok])

 +AC_ARG_ENABLE(fuzztargets,
 +    AS_HELP_STRING([--enable-fuzztargets], [Enable fuzz targets]),[enable_fuzztargets=$enableval],[enable_fuzztargets=no])
 +AM_CONDITIONAL([BUILD_FUZZTARGETS], [test "x$enable_fuzztargets" = "xyes"])
 +AS_IF([test "x$enable_fuzztargets" = "xyes"], [
 +    AC_PROG_CXX
 +    AC_LANG_PUSH(C++)
 +    AS_IF([test "x$LIB_FUZZING_ENGINE" = "x"], [
 +        LIB_FUZZING_ENGINE=-fsanitize=fuzzer
 +        AC_SUBST(LIB_FUZZING_ENGINE)
 +    ])
 +    tmp_saved_flags=$[]_AC_LANG_PREFIX[]FLAGS
 +    _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $LIB_FUZZING_ENGINE"
 +    AC_MSG_CHECKING([whether $CXX accepts $LIB_FUZZING_ENGINE])
 +    AC_LINK_IFELSE([AC_LANG_SOURCE([[
 +#include <sys/types.h>
 +extern "C" int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size);
 +extern "C" int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size) {
 +(void)Data;
 +(void)Size;
 +return 0;
 +}
 +        ]])],
 +        [ AC_MSG_RESULT(yes)
 +          has_sanitizefuzzer=yes],
 +        [ AC_MSG_RESULT(no) ]
 +    )
 +    _AC_LANG_PREFIX[]FLAGS=$tmp_saved_flags, []
 +    AC_LANG_POP()
 +])
 +AM_CONDITIONAL([HAS_SANITIZEFUZZER], [test "x$has_sanitizefuzzer" = "xyes"])
 +
  NTP_UNITYBUILD

  dnl  gtest is needed for our tests subdirs. It would be nice if we could
 @@ -4459,6 +4490,7 @@ AC_CONFIG_FILES([tests/ntpd/Makefile])
  AC_CONFIG_FILES([tests/ntpq/Makefile])
  AC_CONFIG_FILES([tests/sandbox/Makefile])
  AC_CONFIG_FILES([tests/sec-2853/Makefile])
 +AC_CONFIG_FILES([tests/fuzz/Makefile])
  AC_CONFIG_FILES([util/Makefile])

  perllibdir="${datadir}/ntp/lib"
 diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c
 index 7c3fdd4..190a373 100644
 --- a/ntpd/ntp_io.c
 +++ b/ntpd/ntp_io.c
 @@ -503,7 +503,11 @@ io_open_sockets(void)
  	 * Create the sockets
  	 */
  	BLOCKIO();
 +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 +	create_sockets(4123);
 +#else
  	create_sockets(NTP_PORT);
 +#endif
  	UNBLOCKIO();

  	init_async_notifications();
 diff --git a/tests/Makefile.am b/tests/Makefile.am
 index af502b9..60a2379 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
 @@ -10,3 +10,6 @@ SUBDIRS +=		\
  	sec-2853	\
  	$(NULL)

 +if BUILD_FUZZTARGETS
 +    SUBDIRS += fuzz
 +endif
 diff --git a/tests/fuzz/Makefile.am b/tests/fuzz/Makefile.am
 new file mode 100644
 index 0000000..7f482b5
 --- /dev/null
 +++ b/tests/fuzz/Makefile.am
 @@ -0,0 +1,13 @@
 +include $(top_srcdir)/includes.mf
 +
 +bin_PROGRAMS = fuzz_ntpd_receive
 +
 +fuzz_ntpd_receive_SOURCES = fuzz_ntpd_receive.c ../../ntpd/ntp_io.c ../../ntpd/ntp_config.c ../../ntpd/ntp_scanner.c ../../ntpd/ntp_parser.y ../../ntpd/ntpd-opts.c
 +fuzz_ntpd_receive_CFLAGS = $(NTP_INCS) -I../../sntp/libopts -I../../ntpd/
 +fuzz_ntpd_receive_LDADD = ../../ntpd/libntpd.a $(LIBPARSE) ../../libntp/libntp.a $(LDADD_LIBNTP) $(LIBOPTS_LDADD) $(PTHREAD_LIBS) $(LIBM) $(LDADD_NTP) $(LSCF) $(LDADD_LIBUTIL)
 +
 +if HAS_SANITIZEFUZZER
 +    fuzz_ntpd_receive_LDFLAGS = $(LIB_FUZZING_ENGINE) -lstdc++ -stdlib=libc++
 +else
 +    fuzz_ntpd_receive_SOURCES += onefile.c
 +endif
 diff --git a/tests/fuzz/fuzz_ntpd_receive.c b/tests/fuzz/fuzz_ntpd_receive.c
 new file mode 100644
 index 0000000..7cb8d99
 --- /dev/null
 +++ b/tests/fuzz/fuzz_ntpd_receive.c
 @@ -0,0 +1,94 @@
 +#include <stddef.h>
 +#include <stdint.h>
 +#include <sys/types.h>
 +#include <sys/stat.h>
 +#include <fcntl.h>
 +
 +#include "config.h"
 +#include "recvbuff.h"
 +#include "ntpd.h"
 +
 +const char *Version = "libntpq 0.3beta";
 +int listen_to_virtual_ips = TRUE;
 +int mdnstries = 5;
 +char const *progname = "fuzz_ntpd_receive";
 +#ifdef HAVE_WORKING_FORK
 +int    waitsync_fd_to_close = -1;    /* -w/--wait-sync */
 +#endif
 +int yydebug=0;
 +
 +static int initialized = 0;
 +int sockfd;
 +uint8_t itf_index;
 +
 +void fuzz_itf_selecter(void * data, interface_info_t * itf) {
 +    endpt **ep = (endpt **)data;
 +    if (itf_index == 0) {
 +        *ep = itf->ep;
 +    }
 +    itf_index--;
 +}
 +
 +int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
 +    struct recvbuf rbufp;
 +
 +    if (initialized == 0) {
 +        sockfd = open("/dev/null", O_RDWR );
 +        //adds interfaces
 +        init_io();
 +        init_auth();
 +        init_util();
 +        init_restrict();
 +        init_mon();
 +        init_timer();
 +        init_lib();
 +        init_request();
 +        init_control();
 +        init_peer();
 +        init_proto();
 +        init_loopfilter();
 +        io_open_sockets();
 +        initialized = 1;
 +    }
 +
 +    if (Size < sizeof(l_fp)) {
 +        return 0;
 +    }
 +    memcpy(&rbufp.recv_time, Data, sizeof(l_fp));
 +    Data += sizeof(l_fp);
 +    Size -= sizeof(l_fp);
 +
 +    if (Size < sizeof(sockaddr_u)) {
 +        return 0;
 +    }
 +    memcpy(&rbufp.srcadr, Data, sizeof(sockaddr_u));
 +    memcpy(&rbufp.recv_srcadr, &rbufp.srcadr, sizeof(sockaddr_u));
 +    Data += sizeof(sockaddr_u);
 +    Size -= sizeof(sockaddr_u);
 +
 +    if (Size < 1) {
 +        return 0;
 +    }
 +    itf_index = Data[0];
 +    rbufp.dstadr = NULL;
 +    interface_enumerate(fuzz_itf_selecter, &rbufp.dstadr);
 +    if (rbufp.dstadr == NULL) {
 +        return 0;
 +    }
 +    Data++;
 +    Size--;
 +
 +    if (Size > RX_BUFF_SIZE) {
 +        Size = RX_BUFF_SIZE;
 +    }
 +    rbufp.recv_length = Size;
 +    memcpy(rbufp.recv_buffer, Data, Size);
 +
 +    rbufp.msg_flags = 0;
 +    rbufp.used = 0;
 +    rbufp.link = NULL;
 +    rbufp.fd = sockfd;
 +
 +    receive(&rbufp);
 +    return 0;
 +}
 diff --git a/tests/fuzz/onefile.c b/tests/fuzz/onefile.c
 new file mode 100644
 index 0000000..74be306
 --- /dev/null
 +++ b/tests/fuzz/onefile.c
 @@ -0,0 +1,51 @@
 +#include <stdint.h>
 +#include <stdlib.h>
 +#include <stdio.h>
 +
 +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
 +
 +int main(int argc, char** argv)
 +{
 +    FILE * fp;
 +    uint8_t *Data;
 +    size_t Size;
 +
 +    if (argc != 2) {
 +        return 1;
 +    }
 +    //opens the file, get its size, and reads it into a buffer
 +    fp = fopen(argv[1], "rb");
 +    if (fp == NULL) {
 +        return 2;
 +    }
 +    if (fseek(fp, 0L, SEEK_END) != 0) {
 +        fclose(fp);
 +        return 2;
 +    }
 +    Size = ftell(fp);
 +    if (Size == (size_t) -1) {
 +        fclose(fp);
 +        return 2;
 +    }
 +    if (fseek(fp, 0L, SEEK_SET) != 0) {
 +        fclose(fp);
 +        return 2;
 +    }
 +    Data = malloc(Size);
 +    if (Data == NULL) {
 +        fclose(fp);
 +        return 2;
 +    }
 +    if (fread(Data, Size, 1, fp) != 1) {
 +        fclose(fp);
 +        free(Data);
 +        return 2;
 +    }
 +
 +    //lauch fuzzer
 +    LLVMFuzzerTestOneInput(Data, Size);
 +    free(Data);
 +    fclose(fp);
 +    return 0;
 +}
 +
	diff --git a/configure.ac b/configure.ac
	index 7975d31..528861c 100644
	--- a/configure.ac
	+++ b/configure.ac
	@@ -4399,6 +4399,37 @@ AC_DEFINE_UNQUOTED([DYNAMIC_INTERLEAVE], [$ntp_dynamic_interleave],
	[support dynamic interleave?])
	AC_MSG_RESULT([$ntp_ok])

	+AC_ARG_ENABLE(fuzztargets,
	+ AS_HELP_STRING([--enable-fuzztargets], [Enable fuzz targets]),[enable_fuzztargets=$enableval],[enable_fuzztargets=no])
	+AM_CONDITIONAL([BUILD_FUZZTARGETS], [test "x$enable_fuzztargets" = "xyes"])
	+AS_IF([test "x$enable_fuzztargets" = "xyes"], [
	+ AC_PROG_CXX
	+ AC_LANG_PUSH(C++)
	+ AS_IF([test "x$LIB_FUZZING_ENGINE" = "x"], [
	+ LIB_FUZZING_ENGINE=-fsanitize=fuzzer
	+ AC_SUBST(LIB_FUZZING_ENGINE)
	+ ])
	+ tmp_saved_flags=$[]_AC_LANG_PREFIX[]FLAGS
	+ _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $LIB_FUZZING_ENGINE"
	+ AC_MSG_CHECKING([whether $CXX accepts $LIB_FUZZING_ENGINE])
	+ AC_LINK_IFELSE([AC_LANG_SOURCE([[
	+#include <sys/types.h>
	+extern "C" int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size);
	+extern "C" int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size) {
	+(void)Data;
	+(void)Size;
	+return 0;
	+}
	+ ]])],
	+ [ AC_MSG_RESULT(yes)
	+ has_sanitizefuzzer=yes],
	+ [ AC_MSG_RESULT(no) ]
	+ )
	+ _AC_LANG_PREFIX[]FLAGS=$tmp_saved_flags, []
	+ AC_LANG_POP()
	+])
	+AM_CONDITIONAL([HAS_SANITIZEFUZZER], [test "x$has_sanitizefuzzer" = "xyes"])
	+
	NTP_UNITYBUILD

	dnl gtest is needed for our tests subdirs. It would be nice if we could
	@@ -4459,6 +4490,7 @@ AC_CONFIG_FILES([tests/ntpd/Makefile])
	AC_CONFIG_FILES([tests/ntpq/Makefile])
	AC_CONFIG_FILES([tests/sandbox/Makefile])
	AC_CONFIG_FILES([tests/sec-2853/Makefile])
	+AC_CONFIG_FILES([tests/fuzz/Makefile])
	AC_CONFIG_FILES([util/Makefile])

	perllibdir="${datadir}/ntp/lib"
	diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c
	index 7c3fdd4..190a373 100644
	--- a/ntpd/ntp_io.c
	+++ b/ntpd/ntp_io.c
	@@ -503,7 +503,11 @@ io_open_sockets(void)
	* Create the sockets
	*/
	BLOCKIO();
	+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
	+ create_sockets(4123);
	+#else
	create_sockets(NTP_PORT);
	+#endif
	UNBLOCKIO();

	init_async_notifications();
	diff --git a/tests/Makefile.am b/tests/Makefile.am
	index af502b9..60a2379 100644
	--- a/tests/Makefile.am
	+++ b/tests/Makefile.am
	@@ -10,3 +10,6 @@ SUBDIRS += \
	sec-2853 \
	$(NULL)

	+if BUILD_FUZZTARGETS
	+ SUBDIRS += fuzz
	+endif
	diff --git a/tests/fuzz/Makefile.am b/tests/fuzz/Makefile.am
	new file mode 100644
	index 0000000..7f482b5
	--- /dev/null
	+++ b/tests/fuzz/Makefile.am
	@@ -0,0 +1,13 @@
	+include $(top_srcdir)/includes.mf
	+
	+bin_PROGRAMS = fuzz_ntpd_receive
	+
	+fuzz_ntpd_receive_SOURCES = fuzz_ntpd_receive.c ../../ntpd/ntp_io.c ../../ntpd/ntp_config.c ../../ntpd/ntp_scanner.c ../../ntpd/ntp_parser.y ../../ntpd/ntpd-opts.c
	+fuzz_ntpd_receive_CFLAGS = $(NTP_INCS) -I../../sntp/libopts -I../../ntpd/
	+fuzz_ntpd_receive_LDADD = ../../ntpd/libntpd.a $(LIBPARSE) ../../libntp/libntp.a $(LDADD_LIBNTP) $(LIBOPTS_LDADD) $(PTHREAD_LIBS) $(LIBM) $(LDADD_NTP) $(LSCF) $(LDADD_LIBUTIL)
	+
	+if HAS_SANITIZEFUZZER
	+ fuzz_ntpd_receive_LDFLAGS = $(LIB_FUZZING_ENGINE) -lstdc++ -stdlib=libc++
	+else
	+ fuzz_ntpd_receive_SOURCES += onefile.c
	+endif
	diff --git a/tests/fuzz/fuzz_ntpd_receive.c b/tests/fuzz/fuzz_ntpd_receive.c
	new file mode 100644
	index 0000000..7cb8d99
	--- /dev/null
	+++ b/tests/fuzz/fuzz_ntpd_receive.c
	@@ -0,0 +1,94 @@
	+#include <stddef.h>
	+#include <stdint.h>
	+#include <sys/types.h>
	+#include <sys/stat.h>
	+#include <fcntl.h>
	+
	+#include "config.h"
	+#include "recvbuff.h"
	+#include "ntpd.h"
	+
	+const char *Version = "libntpq 0.3beta";
	+int listen_to_virtual_ips = TRUE;
	+int mdnstries = 5;
	+char const *progname = "fuzz_ntpd_receive";
	+#ifdef HAVE_WORKING_FORK
	+int waitsync_fd_to_close = -1; /* -w/--wait-sync */
	+#endif
	+int yydebug=0;
	+
	+static int initialized = 0;
	+int sockfd;
	+uint8_t itf_index;
	+
	+void fuzz_itf_selecter(void * data, interface_info_t * itf) {
	+ endpt ep = (endpt )data;
	+ if (itf_index == 0) {
	+ *ep = itf->ep;
	+ }
	+ itf_index--;
	+}
	+
	+int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
	+ struct recvbuf rbufp;
	+
	+ if (initialized == 0) {
	+ sockfd = open("/dev/null", O_RDWR );
	+ //adds interfaces
	+ init_io();
	+ init_auth();
	+ init_util();
	+ init_restrict();
	+ init_mon();
	+ init_timer();
	+ init_lib();
	+ init_request();
	+ init_control();
	+ init_peer();
	+ init_proto();
	+ init_loopfilter();
	+ io_open_sockets();
	+ initialized = 1;
	+ }
	+
	+ if (Size < sizeof(l_fp)) {
	+ return 0;
	+ }
	+ memcpy(&rbufp.recv_time, Data, sizeof(l_fp));
	+ Data += sizeof(l_fp);
	+ Size -= sizeof(l_fp);
	+
	+ if (Size < sizeof(sockaddr_u)) {
	+ return 0;
	+ }
	+ memcpy(&rbufp.srcadr, Data, sizeof(sockaddr_u));
	+ memcpy(&rbufp.recv_srcadr, &rbufp.srcadr, sizeof(sockaddr_u));
	+ Data += sizeof(sockaddr_u);
	+ Size -= sizeof(sockaddr_u);
	+
	+ if (Size < 1) {
	+ return 0;
	+ }
	+ itf_index = Data[0];
	+ rbufp.dstadr = NULL;
	+ interface_enumerate(fuzz_itf_selecter, &rbufp.dstadr);
	+ if (rbufp.dstadr == NULL) {
	+ return 0;
	+ }
	+ Data++;
	+ Size--;
	+
	+ if (Size > RX_BUFF_SIZE) {
	+ Size = RX_BUFF_SIZE;
	+ }
	+ rbufp.recv_length = Size;
	+ memcpy(rbufp.recv_buffer, Data, Size);
	+
	+ rbufp.msg_flags = 0;
	+ rbufp.used = 0;
	+ rbufp.link = NULL;
	+ rbufp.fd = sockfd;
	+
	+ receive(&rbufp);
	+ return 0;
	+}
	diff --git a/tests/fuzz/onefile.c b/tests/fuzz/onefile.c
	new file mode 100644
	index 0000000..74be306
	--- /dev/null
	+++ b/tests/fuzz/onefile.c
	@@ -0,0 +1,51 @@
	+#include <stdint.h>
	+#include <stdlib.h>
	+#include <stdio.h>
	+
	+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
	+
	+int main(int argc, char** argv)
	+{
	+ FILE * fp;
	+ uint8_t *Data;
	+ size_t Size;
	+
	+ if (argc != 2) {
	+ return 1;
	+ }
	+ //opens the file, get its size, and reads it into a buffer
	+ fp = fopen(argv[1], "rb");
	+ if (fp == NULL) {
	+ return 2;
	+ }
	+ if (fseek(fp, 0L, SEEK_END) != 0) {
	+ fclose(fp);
	+ return 2;
	+ }
	+ Size = ftell(fp);
	+ if (Size == (size_t) -1) {
	+ fclose(fp);
	+ return 2;
	+ }
	+ if (fseek(fp, 0L, SEEK_SET) != 0) {
	+ fclose(fp);
	+ return 2;
	+ }
	+ Data = malloc(Size);
	+ if (Data == NULL) {
	+ fclose(fp);
	+ return 2;
	+ }
	+ if (fread(Data, Size, 1, fp) != 1) {
	+ fclose(fp);
	+ free(Data);
	+ return 2;
	+ }
	+
	+ //lauch fuzzer
	+ LLVMFuzzerTestOneInput(Data, Size);
	+ free(Data);
	+ fclose(fp);
	+ return 0;
	+}
	+