srs/trunk/3rdparty/libsrtp-2-fit/fuzzer/fuzzer.c

/* By Guido Vranken <guidovranken@gmail.com> --
 * https://guidovranken.wordpress.com/ */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdbool.h>
#include <limits.h>
#include "srtp.h"
#include "srtp_priv.h"
#include "ekt.h"
#include "fuzzer.h"
#include "mt19937.h"
#include "testmem.h"

/* Global variables */
static bool g_no_align = false; /* Can be enabled with --no_align */
static bool g_post_init =
    false; /* Set to true once past initialization phase */
static bool g_write_input = false;

#ifdef FUZZ_32BIT
#include <sys/mman.h>
static bool g_no_mmap = false; /* Can be enabled with --no_mmap */
static void *g_mmap_allocation =
    NULL; /* Keeps current mmap() allocation address */
static size_t g_mmap_allocation_size =
    0; /* Keeps current mmap() allocation size */
#endif

/* Custom allocator functions */

static void *fuzz_alloc(const size_t size, const bool do_zero)
{
    void *ret = NULL;
#ifdef FUZZ_32BIT
    bool do_malloc = true;
#endif
    bool do_mmap, mmap_high = true;

    if (size == 0) {
        size_t ret;
        /* Allocations of size 0 are not illegal, but are a bad practice, since
         * writing just a single byte to this region constitutes undefined
         * behavior per the C spec. glibc will return a small, valid memory
         * region
         * whereas OpenBSD will crash upon writing to it.
         * Intentionally return a pointer to an invalid page to detect
         * unsound code efficiently.
         * fuzz_free is aware of this pointer range and will not attempt
         * to free()/munmap() it.
         */
        ret = 0x01 + (fuzz_mt19937_get() % 1024);
        return (void *)ret;
    }

    /* Don't do mmap()-based allocations during initialization */
    if (g_post_init == true) {
        /* Even extract these values if --no_mmap is specified.
         * This keeps the PRNG output stream consistent across
         * fuzzer configurations.
         */
        do_mmap = (fuzz_mt19937_get() % 64) == 0 ? true : false;
        if (do_mmap == true) {
            mmap_high = (fuzz_mt19937_get() % 2) == 0 ? true : false;
        }
    } else {
        do_mmap = false;
    }

#ifdef FUZZ_32BIT
    /* g_mmap_allocation must be NULL because we only support a single
     * concurrent mmap allocation at a time
     */
    if (g_mmap_allocation == NULL && g_no_mmap == false && do_mmap == true) {
        void *mmap_address;
        if (mmap_high == true) {
            mmap_address = (void *)0xFFFF0000;
        } else {
            mmap_address = (void *)0x00010000;
        }
        g_mmap_allocation_size = size;

        ret = mmap(mmap_address, g_mmap_allocation_size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

        if (ret == MAP_FAILED) {
            /* That's okay -- just return NULL to the caller */

            ret = NULL;

            /* Reset this for the sake of cleanliness */
            g_mmap_allocation_size = 0;
        }
        /* ret not being MAP_FAILED does not mean that ret is the requested
         * address (mmap_address). That's okay. We're not going to perform
         * a munmap() on it and call malloc() instead. It won't gain us
         * anything.
         */

        g_mmap_allocation = ret;
        do_malloc = false;
    }

    if (do_malloc == true)
#endif
    {
        ret = malloc(size);
    }

    /* Mimic calloc() if so requested */
    if (ret != NULL && do_zero) {
        memset(ret, 0, size);
    }

    return ret;
}

/* Internal allocations by this fuzzer must on one hand (sometimes)
 * receive memory from mmap(), but on the other hand these requests for
 * memory may not fail. By calling this function, the allocation is
 * guaranteed to succeed; it first tries with fuzz_alloc(), which may
 * fail if it uses mmap(), and if that is the case, memory is allocated
 * via the libc allocator (malloc, calloc) which should always succeed */
static void *fuzz_alloc_succeed(const size_t size, const bool do_zero)
{
    void *ret = fuzz_alloc(size, do_zero);
    if (ret == NULL) {
        if (do_zero == false) {
            ret = malloc(size);
        } else {
            ret = calloc(1, size);
        }
    }

    return ret;
}

void *fuzz_calloc(const size_t nmemb, const size_t size)
{
    /* We must be past srtp_init() to prevent that that function fails */
    if (g_post_init == true) {
        /* Fail 1 in 64 allocations on average to test whether the library
         * can deal with this properly.
         */
        if ((fuzz_mt19937_get() % 64) == 0) {
            return NULL;
        }
    }

    return fuzz_alloc(nmemb * size, true);
}

static bool fuzz_is_special_pointer(void *ptr)
{
    /* Special, invalid pointers introduced when code attempted
     * to do size = 0 allocations.
     */
    if ((size_t)ptr >= 0x01 && (size_t)ptr < (0x01 + 1024)) {
        return true;
    } else {
        return false;
    }
}

void fuzz_free(void *ptr)
{
    if (fuzz_is_special_pointer(ptr) == true) {
        return;
    }

#ifdef FUZZ_32BIT
    if (g_post_init == true && ptr != NULL && ptr == g_mmap_allocation) {
        if (munmap(g_mmap_allocation, g_mmap_allocation_size) == -1) {
            /* Shouldn't happen */
            abort();
        }
        g_mmap_allocation = NULL;
    } else
#endif
    {
        free(ptr);
    }
}

static srtp_err_status_t fuzz_srtp_protect(srtp_t srtp_sender,
                                           void *hdr,
                                           int *len,
                                           uint8_t use_mki,
                                           unsigned int mki)
{
    return srtp_protect(srtp_sender, hdr, len);
}

static srtp_err_status_t fuzz_srtp_unprotect(srtp_t srtp_sender,
                                             void *hdr,
                                             int *len,
                                             uint8_t use_mki,
                                             unsigned int mki)
{
    return srtp_unprotect(srtp_sender, hdr, len);
}

static srtp_err_status_t fuzz_srtp_protect_rtcp(srtp_t srtp_sender,
                                                void *hdr,
                                                int *len,
                                                uint8_t use_mki,
                                                unsigned int mki)
{
    return srtp_protect_rtcp(srtp_sender, hdr, len);
}

static srtp_err_status_t fuzz_srtp_unprotect_rtcp(srtp_t srtp_sender,
                                                  void *hdr,
                                                  int *len,
                                                  uint8_t use_mki,
                                                  unsigned int mki)
{
    return srtp_unprotect_rtcp(srtp_sender, hdr, len);
}

static srtp_err_status_t fuzz_srtp_protect_mki(srtp_t srtp_sender,
                                               void *hdr,
                                               int *len,
                                               uint8_t use_mki,
                                               unsigned int mki)
{
    return srtp_protect_mki(srtp_sender, hdr, len, use_mki, mki);
}

static srtp_err_status_t fuzz_srtp_protect_rtcp_mki(srtp_t srtp_sender,
                                                    void *hdr,
                                                    int *len,
                                                    uint8_t use_mki,
                                                    unsigned int mki)
{
    return srtp_protect_rtcp_mki(srtp_sender, hdr, len, use_mki, mki);
}

static srtp_err_status_t fuzz_srtp_unprotect_mki(srtp_t srtp_sender,
                                                 void *hdr,
                                                 int *len,
                                                 uint8_t use_mki,
                                                 unsigned int mki)
{
    return srtp_unprotect_mki(srtp_sender, hdr, len, use_mki);
}

static srtp_err_status_t fuzz_srtp_unprotect_rtcp_mki(srtp_t srtp_sender,
                                                      void *hdr,
                                                      int *len,
                                                      uint8_t use_mki,
                                                      unsigned int mki)
{
    return srtp_unprotect_rtcp_mki(srtp_sender, hdr, len, use_mki);
}

/* Get protect length functions */

static srtp_err_status_t fuzz_srtp_get_protect_length(const srtp_t srtp_ctx,
                                                      uint8_t use_mki,
                                                      unsigned int mki,
                                                      uint32_t *length)
{
    return srtp_get_protect_trailer_length(srtp_ctx, 0, 0, length);
}

static srtp_err_status_t fuzz_srtp_get_protect_rtcp_length(
    const srtp_t srtp_ctx,
    uint8_t use_mki,
    unsigned int mki,
    uint32_t *length)
{
    return srtp_get_protect_rtcp_trailer_length(srtp_ctx, 0, 0, length);
}

static srtp_err_status_t fuzz_srtp_get_protect_mki_length(const srtp_t srtp_ctx,
                                                          uint8_t use_mki,
                                                          unsigned int mki,
                                                          uint32_t *length)
{
    return srtp_get_protect_trailer_length(srtp_ctx, use_mki, mki, length);
}

static srtp_err_status_t fuzz_srtp_get_protect_rtcp_mki_length(
    const srtp_t srtp_ctx,
    uint8_t use_mki,
    unsigned int mki,
    uint32_t *length)
{
    return srtp_get_protect_rtcp_trailer_length(srtp_ctx, use_mki, mki, length);
}

static uint8_t *extract_key(const uint8_t **data,
                            size_t *size,
                            const size_t key_size)
{
    uint8_t *ret;
    if (*size < key_size) {
        return NULL;
    }

    ret = fuzz_alloc_succeed(key_size, false);
    EXTRACT(ret, *data, *size, key_size);

    return ret;
}

static srtp_master_key_t *extract_master_key(const uint8_t **data,
                                             size_t *size,
                                             const size_t key_size,
                                             bool simulate,
                                             bool *success)
{
    srtp_master_key_t *ret = NULL;
    uint16_t mki_id_size;

    if (simulate == true) {
        *success = false;
    }

    EXTRACT_IF(&mki_id_size, *data, *size, sizeof(mki_id_size));

    if (*size < key_size + mki_id_size) {
        goto end;
    }

    if (simulate == true) {
        *data += key_size + mki_id_size;
        *size -= key_size + mki_id_size;
        *success = true;
        goto end;
    }

    ret = fuzz_alloc_succeed(sizeof(srtp_master_key_t), false);
    ret->key = fuzz_alloc_succeed(key_size, false);

    ret->mki_id = fuzz_alloc_succeed(mki_id_size, false);

    EXTRACT(ret->key, *data, *size, key_size);
    EXTRACT(ret->mki_id, *data, *size, mki_id_size);
    ret->mki_size = mki_id_size;
end:
    return ret;
}

static srtp_master_key_t **extract_master_keys(const uint8_t **data,
                                               size_t *size,
                                               const size_t key_size,
                                               unsigned long *num_master_keys)
{
    const uint8_t *data_orig = *data;
    size_t size_orig = *size;
    size_t i = 0;

    srtp_master_key_t **ret = NULL;

    *num_master_keys = 0;

    /* First pass -- dry run, determine how many keys we want and can extract */
    while (1) {
        uint8_t do_extract_master_key;
        bool success;
        if (*size < sizeof(do_extract_master_key)) {
            goto next;
        }
        EXTRACT(&do_extract_master_key, *data, *size,
                sizeof(do_extract_master_key));

        /* Decide whether to extract another key */
        if ((do_extract_master_key % 2) == 0) {
            break;
        }

        extract_master_key(data, size, key_size, true, &success);

        if (success == false) {
            break;
        }

        (*num_master_keys)++;
    }

next:
    *data = data_orig;
    *size = size_orig;

    /* Allocate array of pointers */
    ret = fuzz_alloc_succeed(*num_master_keys * sizeof(srtp_master_key_t *),
                             false);

    /* Second pass -- perform the actual extractions */
    for (i = 0; i < *num_master_keys; i++) {
        uint8_t do_extract_master_key;
        EXTRACT_IF(&do_extract_master_key, *data, *size,
                   sizeof(do_extract_master_key));

        if ((do_extract_master_key % 2) == 0) {
            break;
        }

        ret[i] = extract_master_key(data, size, key_size, false, NULL);

        if (ret[i] == NULL) {
            /* Shouldn't happen */
            abort();
        }
    }

end:
    return ret;
}

static srtp_ekt_policy_t extract_ekt_policy(const uint8_t **data, size_t *size)
{
    srtp_ekt_policy_t ret = NULL;
    struct {
        srtp_ekt_spi_t spi;
        uint8_t key[16];

    } params;

    EXTRACT_IF(&params, *data, *size, sizeof(params));

    ret = fuzz_alloc_succeed(sizeof(struct srtp_ekt_policy_ctx_t), false);

    ret->spi = params.spi;

    /* The only supported cipher type */
    ret->ekt_cipher_type = SRTP_EKT_CIPHER_AES_128_ECB;

    ret->ekt_key = fuzz_alloc_succeed(sizeof(params.key), false);
    memcpy(ret->ekt_key, params.key, sizeof(params.key));

    ret->next_ekt_policy = NULL;

end:
    return ret;
}

static srtp_policy_t *extract_policy(const uint8_t **data, size_t *size)
{
    srtp_policy_t *policy = NULL;
    struct {
        uint8_t srtp_crypto_policy_func;
        uint64_t window_size;
        uint8_t allow_repeat_tx;
        uint8_t ssrc_type;
        uint32_t ssrc_value;
        uint8_t num_xtn_hdr;
        uint8_t with_ekt;
        srtp_ekt_spi_t ekt_spi;
        uint8_t do_extract_key;
        uint8_t do_extract_master_keys;
    } params;

    EXTRACT_IF(&params, *data, *size, sizeof(params));

    params.srtp_crypto_policy_func %= sizeof(fuzz_srtp_crypto_policies) /
                                      sizeof(fuzz_srtp_crypto_policies[0]);
    params.allow_repeat_tx %= 2;
    params.ssrc_type %=
        sizeof(fuzz_ssrc_type_map) / sizeof(fuzz_ssrc_type_map[0]);
    params.with_ekt %= 2;

    policy = fuzz_alloc_succeed(sizeof(*policy), true);

    fuzz_srtp_crypto_policies[params.srtp_crypto_policy_func]
        .crypto_policy_func(&policy->rtp);
    fuzz_srtp_crypto_policies[params.srtp_crypto_policy_func]
        .crypto_policy_func(&policy->rtcp);

    if (policy->rtp.cipher_key_len > MAX_KEY_LEN) {
        /* Shouldn't happen */
        abort();
    }

    policy->ssrc.type = fuzz_ssrc_type_map[params.ssrc_type].srtp_ssrc_type;
    policy->ssrc.value = params.ssrc_value;

    if ((params.do_extract_key % 2) == 0) {
        policy->key = extract_key(data, size, policy->rtp.cipher_key_len);

        if (policy->key == NULL) {
            fuzz_free(policy);
            return NULL;
        }
    }

    if (params.num_xtn_hdr != 0) {
        const size_t xtn_hdr_size = params.num_xtn_hdr * sizeof(int);
        if (*size < xtn_hdr_size) {
            fuzz_free(policy->key);
            fuzz_free(policy);
            return NULL;
        }
        policy->enc_xtn_hdr = fuzz_alloc_succeed(xtn_hdr_size, false);
        EXTRACT(policy->enc_xtn_hdr, *data, *size, xtn_hdr_size);
        policy->enc_xtn_hdr_count = params.num_xtn_hdr;
    }

    if ((params.do_extract_master_keys % 2) == 0) {
        policy->keys = extract_master_keys(
            data, size, policy->rtp.cipher_key_len, &policy->num_master_keys);
        if (policy->keys == NULL) {
            fuzz_free(policy->key);
            fuzz_free(policy->enc_xtn_hdr);
            fuzz_free(policy);
            return NULL;
        }
    }

    if (params.with_ekt) {
        policy->ekt = extract_ekt_policy(data, size);
    }

    policy->window_size = params.window_size;
    policy->allow_repeat_tx = params.allow_repeat_tx;
    policy->next = NULL;

end:
    return policy;
}

static srtp_policy_t *extract_policies(const uint8_t **data, size_t *size)
{
    srtp_policy_t *curpolicy = NULL, *policy_chain = NULL;

    curpolicy = extract_policy(data, size);
    if (curpolicy == NULL) {
        return NULL;
    }

    policy_chain = curpolicy;

    while (1) {
        uint8_t do_extract_policy;
        EXTRACT_IF(&do_extract_policy, *data, *size, sizeof(do_extract_policy));

        /* Decide whether to extract another policy */
        if ((do_extract_policy % 2) == 0) {
            break;
        }

        curpolicy->next = extract_policy(data, size);
        if (curpolicy->next == NULL) {
            break;
        }
        curpolicy = curpolicy->next;
    }

end:
    return policy_chain;
}

static uint32_t *extract_remove_stream_ssrc(const uint8_t **data,
                                            size_t *size,
                                            uint8_t *num_remove_stream)
{
    uint32_t *ret = NULL;
    uint8_t _num_remove_stream;
    size_t total_size;

    *num_remove_stream = 0;

    EXTRACT_IF(&_num_remove_stream, *data, *size, sizeof(_num_remove_stream));

    if (_num_remove_stream == 0) {
        goto end;
    }

    total_size = _num_remove_stream * sizeof(uint32_t);

    if (*size < total_size) {
        goto end;
    }

    ret = fuzz_alloc_succeed(total_size, false);
    EXTRACT(ret, *data, *size, total_size);

    *num_remove_stream = _num_remove_stream;

end:
    return ret;
}

static uint32_t *extract_set_roc(const uint8_t **data,
                                 size_t *size,
                                 uint8_t *num_set_roc)
{
    uint32_t *ret = NULL;
    uint8_t _num_set_roc;
    size_t total_size;

    *num_set_roc = 0;
    EXTRACT_IF(&_num_set_roc, *data, *size, sizeof(_num_set_roc));
    if (_num_set_roc == 0) {
        goto end;
    }

    /* Tuples of 2 uint32_t's */
    total_size = _num_set_roc * sizeof(uint32_t) * 2;

    if (*size < total_size) {
        goto end;
    }

    ret = fuzz_alloc_succeed(total_size, false);
    EXTRACT(ret, *data, *size, total_size);

    *num_set_roc = _num_set_roc;

end:
    return ret;
}

static void free_policies(srtp_policy_t *curpolicy)
{
    size_t i;
    while (curpolicy) {
        srtp_policy_t *next = curpolicy->next;

        fuzz_free(curpolicy->key);

        for (i = 0; i < curpolicy->num_master_keys; i++) {
            fuzz_free(curpolicy->keys[i]->key);
            fuzz_free(curpolicy->keys[i]->mki_id);
            fuzz_free(curpolicy->keys[i]);
        }

        fuzz_free(curpolicy->keys);
        fuzz_free(curpolicy->enc_xtn_hdr);

        if (curpolicy->ekt) {
            fuzz_free(curpolicy->ekt->ekt_key);
            fuzz_free(curpolicy->ekt);
        }

        fuzz_free(curpolicy);

        curpolicy = next;
    }
}

static uint8_t *run_srtp_func(const srtp_t srtp_ctx,
                              const uint8_t **data,
                              size_t *size)
{
    uint8_t *ret = NULL;
    uint8_t *copy = NULL, *copy_2 = NULL;

    struct {
        uint16_t size;
        uint8_t srtp_func;
        uint8_t use_mki;
        uint32_t mki;
        uint8_t stretch;
    } params_1;

    struct {
        uint8_t srtp_func;
        uint8_t use_mki;
        uint32_t mki;
    } params_2;
    int ret_size;

    EXTRACT_IF(&params_1, *data, *size, sizeof(params_1));
    params_1.srtp_func %= sizeof(srtp_funcs) / sizeof(srtp_funcs[0]);
    params_1.use_mki %= 2;

    if (*size < params_1.size) {
        goto end;
    }

    /* Enforce 4 byte alignment */
    if (g_no_align == false) {
        params_1.size -= params_1.size % 4;
    }

    if (params_1.size == 0) {
        goto end;
    }

    ret_size = params_1.size;
    if (srtp_funcs[params_1.srtp_func].protect == true) {
        /* Intentionally not initialized to trigger MemorySanitizer, if
         * applicable */
        uint32_t alloc_size;

        if (srtp_funcs[params_1.srtp_func].get_length(
                srtp_ctx, params_1.use_mki, params_1.mki, &alloc_size) !=
            srtp_err_status_ok) {
            goto end;
        }

        copy = fuzz_alloc_succeed(ret_size + alloc_size, false);
    } else {
        copy = fuzz_alloc_succeed(ret_size, false);
    }

    EXTRACT(copy, *data, *size, params_1.size);

    if (srtp_funcs[params_1.srtp_func].srtp_func(
            srtp_ctx, copy, &ret_size, params_1.use_mki, params_1.mki) !=
        srtp_err_status_ok) {
        fuzz_free(copy);
        goto end;
    }
    // fuzz_free(copy);

    fuzz_testmem(copy, ret_size);

    ret = copy;

    EXTRACT_IF(&params_2, *data, *size, sizeof(params_2));
    params_2.srtp_func %= sizeof(srtp_funcs) / sizeof(srtp_funcs[0]);
    params_2.use_mki %= 2;

    if (ret_size == 0) {
        goto end;
    }

    if (srtp_funcs[params_2.srtp_func].protect == true) {
        /* Intentionally not initialized to trigger MemorySanitizer, if
         * applicable */
        uint32_t alloc_size;

        if (srtp_funcs[params_2.srtp_func].get_length(
                srtp_ctx, params_2.use_mki, params_2.mki, &alloc_size) !=
            srtp_err_status_ok) {
            goto end;
        }

        copy_2 = fuzz_alloc_succeed(ret_size + alloc_size, false);
    } else {
        copy_2 = fuzz_alloc_succeed(ret_size, false);
    }

    memcpy(copy_2, copy, ret_size);
    fuzz_free(copy);
    copy = copy_2;

    if (srtp_funcs[params_2.srtp_func].srtp_func(
            srtp_ctx, copy, &ret_size, params_2.use_mki, params_2.mki) !=
        srtp_err_status_ok) {
        fuzz_free(copy);
        ret = NULL;
        goto end;
    }

    fuzz_testmem(copy, ret_size);

    ret = copy;

end:
    return ret;
}

void fuzz_srtp_event_handler(srtp_event_data_t *data)
{
    fuzz_testmem(data, sizeof(srtp_event_data_t));
    if (data->session != NULL) {
        fuzz_testmem(data->session, sizeof(*data->session));
    }
}

static void fuzz_write_input(const uint8_t *data, size_t size)
{
    FILE *fp = fopen("input.bin", "wb");

    if (fp == NULL) {
        /* Shouldn't happen */
        abort();
    }

    if (size != 0 && fwrite(data, size, 1, fp) != 1) {
        printf("Cannot write\n");
        /* Shouldn't happen */
        abort();
    }

    fclose(fp);
}

int LLVMFuzzerInitialize(int *argc, char ***argv)
{
    char **_argv = *argv;
    int i;
    bool no_custom_event_handler = false;

    if (srtp_init() != srtp_err_status_ok) {
        /* Shouldn't happen */
        abort();
    }

    for (i = 0; i < *argc; i++) {
        if (strcmp("--no_align", _argv[i]) == 0) {
            g_no_align = true;
        } else if (strcmp("--no_custom_event_handler", _argv[i]) == 0) {
            no_custom_event_handler = true;
        } else if (strcmp("--write_input", _argv[i]) == 0) {
            g_write_input = true;
        }
#ifdef FUZZ_32BIT
        else if (strcmp("--no_mmap", _argv[i]) == 0) {
            g_no_mmap = true;
        }
#endif
        else if (strncmp("--", _argv[i], 2) == 0) {
            printf("Invalid argument: %s\n", _argv[i]);
            exit(0);
        }
    }

    if (no_custom_event_handler == false) {
        if (srtp_install_event_handler(fuzz_srtp_event_handler) !=
            srtp_err_status_ok) {
            /* Shouldn't happen */
            abort();
        }
    }

    /* Fully initialized -- past this point, simulated allocation failures
     * are allowed to occur */
    g_post_init = true;

    return 0;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint8_t num_remove_stream;
    uint32_t *remove_stream_ssrc = NULL;
    uint8_t num_set_roc;
    uint32_t *set_roc = NULL;
    srtp_t srtp_ctx = NULL;
    srtp_policy_t *policy_chain = NULL, *policy_chain_2 = NULL;
    uint32_t randseed;
    static bool firstrun = true;

    if (firstrun == true) {
        /* TODO version check etc and send it to MSAN */
    }

#ifdef FUZZ_32BIT
    /* Free the mmap allocation made during the previous iteration, if
     * applicable */
    fuzz_free(g_mmap_allocation);
#endif

    if (g_write_input == true) {
        fuzz_write_input(data, size);
    }

    EXTRACT_IF(&randseed, data, size, sizeof(randseed));
    fuzz_mt19937_init(randseed);
    srand(randseed);

    /* policy_chain is used to initialize the srtp context with */
    if ((policy_chain = extract_policies(&data, &size)) == NULL) {
        goto end;
    }
    /* policy_chain_2 is used as an argument to srtp_update later on */
    if ((policy_chain_2 = extract_policies(&data, &size)) == NULL) {
        goto end;
    }

    /* Create context */
    if (srtp_create(&srtp_ctx, policy_chain) != srtp_err_status_ok) {
        goto end;
    }

    // free_policies(policy_chain);
    // policy_chain = NULL;

    /* Don't check for NULL result -- no extractions is fine */
    remove_stream_ssrc =
        extract_remove_stream_ssrc(&data, &size, &num_remove_stream);

    /* Don't check for NULL result -- no extractions is fine */
    set_roc = extract_set_roc(&data, &size, &num_set_roc);

    {
        uint8_t *ret;
        int i = 0, j = 0;

        while ((ret = run_srtp_func(srtp_ctx, &data, &size)) != NULL) {
            fuzz_free(ret);

            /* Keep removing streams until the set of SSRCs extracted from the
             * fuzzer input is exhausted */
            if (i < num_remove_stream) {
                if (srtp_remove_stream(srtp_ctx, remove_stream_ssrc[i]) !=
                    srtp_err_status_ok) {
                    goto end;
                }
                i++;
            }

            /* Keep setting and getting ROCs until the set of SSRC/ROC tuples
             * extracted from the fuzzer input is exhausted */
            if (j < num_set_roc * 2) {
                uint32_t roc;
                if (srtp_set_stream_roc(srtp_ctx, set_roc[j], set_roc[j + 1]) !=
                    srtp_err_status_ok) {
                    goto end;
                }
                if (srtp_get_stream_roc(srtp_ctx, set_roc[j + 1], &roc) !=
                    srtp_err_status_ok) {
                    goto end;
                }
                j += 2;
            }

            if (policy_chain_2 != NULL) {
                /* TODO srtp_update(srtp_ctx, policy_chain_2); */

                /* Discard after using once */
                free_policies(policy_chain_2);
                policy_chain_2 = NULL;
            }
        }
    }

end:
    free_policies(policy_chain);
    free_policies(policy_chain_2);
    fuzz_free(remove_stream_ssrc);
    fuzz_free(set_roc);
    if (srtp_ctx != NULL) {
        srtp_dealloc(srtp_ctx);
    }
    fuzz_mt19937_destroy();

    return 0;
}