2
0

fuzzer.c 26 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936
  1. /* By Guido Vranken <guidovranken@gmail.com> --
  2. * https://guidovranken.wordpress.com/ */
  3. #include <stdio.h>
  4. #include <string.h>
  5. #include <stdlib.h>
  6. #include <stdbool.h>
  7. #include <limits.h>
  8. #include "srtp.h"
  9. #include "srtp_priv.h"
  10. #include "ekt.h"
  11. #include "fuzzer.h"
  12. #include "mt19937.h"
  13. #include "testmem.h"
  14. /* Global variables */
  15. static bool g_no_align = false; /* Can be enabled with --no_align */
  16. static bool g_post_init =
  17. false; /* Set to true once past initialization phase */
  18. static bool g_write_input = false;
  19. #ifdef FUZZ_32BIT
  20. #include <sys/mman.h>
  21. static bool g_no_mmap = false; /* Can be enabled with --no_mmap */
  22. static void *g_mmap_allocation =
  23. NULL; /* Keeps current mmap() allocation address */
  24. static size_t g_mmap_allocation_size =
  25. 0; /* Keeps current mmap() allocation size */
  26. #endif
  27. /* Custom allocator functions */
  28. static void *fuzz_alloc(const size_t size, const bool do_zero)
  29. {
  30. void *ret = NULL;
  31. #ifdef FUZZ_32BIT
  32. bool do_malloc = true;
  33. #endif
  34. bool do_mmap, mmap_high = true;
  35. if (size == 0) {
  36. size_t ret;
  37. /* Allocations of size 0 are not illegal, but are a bad practice, since
  38. * writing just a single byte to this region constitutes undefined
  39. * behavior per the C spec. glibc will return a small, valid memory
  40. * region
  41. * whereas OpenBSD will crash upon writing to it.
  42. * Intentionally return a pointer to an invalid page to detect
  43. * unsound code efficiently.
  44. * fuzz_free is aware of this pointer range and will not attempt
  45. * to free()/munmap() it.
  46. */
  47. ret = 0x01 + (fuzz_mt19937_get() % 1024);
  48. return (void *)ret;
  49. }
  50. /* Don't do mmap()-based allocations during initialization */
  51. if (g_post_init == true) {
  52. /* Even extract these values if --no_mmap is specified.
  53. * This keeps the PRNG output stream consistent across
  54. * fuzzer configurations.
  55. */
  56. do_mmap = (fuzz_mt19937_get() % 64) == 0 ? true : false;
  57. if (do_mmap == true) {
  58. mmap_high = (fuzz_mt19937_get() % 2) == 0 ? true : false;
  59. }
  60. } else {
  61. do_mmap = false;
  62. }
  63. #ifdef FUZZ_32BIT
  64. /* g_mmap_allocation must be NULL because we only support a single
  65. * concurrent mmap allocation at a time
  66. */
  67. if (g_mmap_allocation == NULL && g_no_mmap == false && do_mmap == true) {
  68. void *mmap_address;
  69. if (mmap_high == true) {
  70. mmap_address = (void *)0xFFFF0000;
  71. } else {
  72. mmap_address = (void *)0x00010000;
  73. }
  74. g_mmap_allocation_size = size;
  75. ret = mmap(mmap_address, g_mmap_allocation_size, PROT_READ | PROT_WRITE,
  76. MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  77. if (ret == MAP_FAILED) {
  78. /* That's okay -- just return NULL to the caller */
  79. ret = NULL;
  80. /* Reset this for the sake of cleanliness */
  81. g_mmap_allocation_size = 0;
  82. }
  83. /* ret not being MAP_FAILED does not mean that ret is the requested
  84. * address (mmap_address). That's okay. We're not going to perform
  85. * a munmap() on it and call malloc() instead. It won't gain us
  86. * anything.
  87. */
  88. g_mmap_allocation = ret;
  89. do_malloc = false;
  90. }
  91. if (do_malloc == true)
  92. #endif
  93. {
  94. ret = malloc(size);
  95. }
  96. /* Mimic calloc() if so requested */
  97. if (ret != NULL && do_zero) {
  98. memset(ret, 0, size);
  99. }
  100. return ret;
  101. }
  102. /* Internal allocations by this fuzzer must on one hand (sometimes)
  103. * receive memory from mmap(), but on the other hand these requests for
  104. * memory may not fail. By calling this function, the allocation is
  105. * guaranteed to succeed; it first tries with fuzz_alloc(), which may
  106. * fail if it uses mmap(), and if that is the case, memory is allocated
  107. * via the libc allocator (malloc, calloc) which should always succeed */
  108. static void *fuzz_alloc_succeed(const size_t size, const bool do_zero)
  109. {
  110. void *ret = fuzz_alloc(size, do_zero);
  111. if (ret == NULL) {
  112. if (do_zero == false) {
  113. ret = malloc(size);
  114. } else {
  115. ret = calloc(1, size);
  116. }
  117. }
  118. return ret;
  119. }
  120. void *fuzz_calloc(const size_t nmemb, const size_t size)
  121. {
  122. /* We must be past srtp_init() to prevent that that function fails */
  123. if (g_post_init == true) {
  124. /* Fail 1 in 64 allocations on average to test whether the library
  125. * can deal with this properly.
  126. */
  127. if ((fuzz_mt19937_get() % 64) == 0) {
  128. return NULL;
  129. }
  130. }
  131. return fuzz_alloc(nmemb * size, true);
  132. }
  133. static bool fuzz_is_special_pointer(void *ptr)
  134. {
  135. /* Special, invalid pointers introduced when code attempted
  136. * to do size = 0 allocations.
  137. */
  138. if ((size_t)ptr >= 0x01 && (size_t)ptr < (0x01 + 1024)) {
  139. return true;
  140. } else {
  141. return false;
  142. }
  143. }
  144. void fuzz_free(void *ptr)
  145. {
  146. if (fuzz_is_special_pointer(ptr) == true) {
  147. return;
  148. }
  149. #ifdef FUZZ_32BIT
  150. if (g_post_init == true && ptr != NULL && ptr == g_mmap_allocation) {
  151. if (munmap(g_mmap_allocation, g_mmap_allocation_size) == -1) {
  152. /* Shouldn't happen */
  153. abort();
  154. }
  155. g_mmap_allocation = NULL;
  156. } else
  157. #endif
  158. {
  159. free(ptr);
  160. }
  161. }
  162. static srtp_err_status_t fuzz_srtp_protect(srtp_t srtp_sender,
  163. void *hdr,
  164. int *len,
  165. uint8_t use_mki,
  166. unsigned int mki)
  167. {
  168. return srtp_protect(srtp_sender, hdr, len);
  169. }
  170. static srtp_err_status_t fuzz_srtp_unprotect(srtp_t srtp_sender,
  171. void *hdr,
  172. int *len,
  173. uint8_t use_mki,
  174. unsigned int mki)
  175. {
  176. return srtp_unprotect(srtp_sender, hdr, len);
  177. }
  178. static srtp_err_status_t fuzz_srtp_protect_rtcp(srtp_t srtp_sender,
  179. void *hdr,
  180. int *len,
  181. uint8_t use_mki,
  182. unsigned int mki)
  183. {
  184. return srtp_protect_rtcp(srtp_sender, hdr, len);
  185. }
  186. static srtp_err_status_t fuzz_srtp_unprotect_rtcp(srtp_t srtp_sender,
  187. void *hdr,
  188. int *len,
  189. uint8_t use_mki,
  190. unsigned int mki)
  191. {
  192. return srtp_unprotect_rtcp(srtp_sender, hdr, len);
  193. }
  194. static srtp_err_status_t fuzz_srtp_protect_mki(srtp_t srtp_sender,
  195. void *hdr,
  196. int *len,
  197. uint8_t use_mki,
  198. unsigned int mki)
  199. {
  200. return srtp_protect_mki(srtp_sender, hdr, len, use_mki, mki);
  201. }
  202. static srtp_err_status_t fuzz_srtp_protect_rtcp_mki(srtp_t srtp_sender,
  203. void *hdr,
  204. int *len,
  205. uint8_t use_mki,
  206. unsigned int mki)
  207. {
  208. return srtp_protect_rtcp_mki(srtp_sender, hdr, len, use_mki, mki);
  209. }
  210. static srtp_err_status_t fuzz_srtp_unprotect_mki(srtp_t srtp_sender,
  211. void *hdr,
  212. int *len,
  213. uint8_t use_mki,
  214. unsigned int mki)
  215. {
  216. return srtp_unprotect_mki(srtp_sender, hdr, len, use_mki);
  217. }
  218. static srtp_err_status_t fuzz_srtp_unprotect_rtcp_mki(srtp_t srtp_sender,
  219. void *hdr,
  220. int *len,
  221. uint8_t use_mki,
  222. unsigned int mki)
  223. {
  224. return srtp_unprotect_rtcp_mki(srtp_sender, hdr, len, use_mki);
  225. }
  226. /* Get protect length functions */
  227. static srtp_err_status_t fuzz_srtp_get_protect_length(const srtp_t srtp_ctx,
  228. uint8_t use_mki,
  229. unsigned int mki,
  230. uint32_t *length)
  231. {
  232. return srtp_get_protect_trailer_length(srtp_ctx, 0, 0, length);
  233. }
  234. static srtp_err_status_t fuzz_srtp_get_protect_rtcp_length(
  235. const srtp_t srtp_ctx,
  236. uint8_t use_mki,
  237. unsigned int mki,
  238. uint32_t *length)
  239. {
  240. return srtp_get_protect_rtcp_trailer_length(srtp_ctx, 0, 0, length);
  241. }
  242. static srtp_err_status_t fuzz_srtp_get_protect_mki_length(const srtp_t srtp_ctx,
  243. uint8_t use_mki,
  244. unsigned int mki,
  245. uint32_t *length)
  246. {
  247. return srtp_get_protect_trailer_length(srtp_ctx, use_mki, mki, length);
  248. }
  249. static srtp_err_status_t fuzz_srtp_get_protect_rtcp_mki_length(
  250. const srtp_t srtp_ctx,
  251. uint8_t use_mki,
  252. unsigned int mki,
  253. uint32_t *length)
  254. {
  255. return srtp_get_protect_rtcp_trailer_length(srtp_ctx, use_mki, mki, length);
  256. }
  257. static uint8_t *extract_key(const uint8_t **data,
  258. size_t *size,
  259. const size_t key_size)
  260. {
  261. uint8_t *ret;
  262. if (*size < key_size) {
  263. return NULL;
  264. }
  265. ret = fuzz_alloc_succeed(key_size, false);
  266. EXTRACT(ret, *data, *size, key_size);
  267. return ret;
  268. }
  269. static srtp_master_key_t *extract_master_key(const uint8_t **data,
  270. size_t *size,
  271. const size_t key_size,
  272. bool simulate,
  273. bool *success)
  274. {
  275. srtp_master_key_t *ret = NULL;
  276. uint16_t mki_id_size;
  277. if (simulate == true) {
  278. *success = false;
  279. }
  280. EXTRACT_IF(&mki_id_size, *data, *size, sizeof(mki_id_size));
  281. if (*size < key_size + mki_id_size) {
  282. goto end;
  283. }
  284. if (simulate == true) {
  285. *data += key_size + mki_id_size;
  286. *size -= key_size + mki_id_size;
  287. *success = true;
  288. goto end;
  289. }
  290. ret = fuzz_alloc_succeed(sizeof(srtp_master_key_t), false);
  291. ret->key = fuzz_alloc_succeed(key_size, false);
  292. ret->mki_id = fuzz_alloc_succeed(mki_id_size, false);
  293. EXTRACT(ret->key, *data, *size, key_size);
  294. EXTRACT(ret->mki_id, *data, *size, mki_id_size);
  295. ret->mki_size = mki_id_size;
  296. end:
  297. return ret;
  298. }
  299. static srtp_master_key_t **extract_master_keys(const uint8_t **data,
  300. size_t *size,
  301. const size_t key_size,
  302. unsigned long *num_master_keys)
  303. {
  304. const uint8_t *data_orig = *data;
  305. size_t size_orig = *size;
  306. size_t i = 0;
  307. srtp_master_key_t **ret = NULL;
  308. *num_master_keys = 0;
  309. /* First pass -- dry run, determine how many keys we want and can extract */
  310. while (1) {
  311. uint8_t do_extract_master_key;
  312. bool success;
  313. if (*size < sizeof(do_extract_master_key)) {
  314. goto next;
  315. }
  316. EXTRACT(&do_extract_master_key, *data, *size,
  317. sizeof(do_extract_master_key));
  318. /* Decide whether to extract another key */
  319. if ((do_extract_master_key % 2) == 0) {
  320. break;
  321. }
  322. extract_master_key(data, size, key_size, true, &success);
  323. if (success == false) {
  324. break;
  325. }
  326. (*num_master_keys)++;
  327. }
  328. next:
  329. *data = data_orig;
  330. *size = size_orig;
  331. /* Allocate array of pointers */
  332. ret = fuzz_alloc_succeed(*num_master_keys * sizeof(srtp_master_key_t *),
  333. false);
  334. /* Second pass -- perform the actual extractions */
  335. for (i = 0; i < *num_master_keys; i++) {
  336. uint8_t do_extract_master_key;
  337. EXTRACT_IF(&do_extract_master_key, *data, *size,
  338. sizeof(do_extract_master_key));
  339. if ((do_extract_master_key % 2) == 0) {
  340. break;
  341. }
  342. ret[i] = extract_master_key(data, size, key_size, false, NULL);
  343. if (ret[i] == NULL) {
  344. /* Shouldn't happen */
  345. abort();
  346. }
  347. }
  348. end:
  349. return ret;
  350. }
  351. static srtp_ekt_policy_t extract_ekt_policy(const uint8_t **data, size_t *size)
  352. {
  353. srtp_ekt_policy_t ret = NULL;
  354. struct {
  355. srtp_ekt_spi_t spi;
  356. uint8_t key[16];
  357. } params;
  358. EXTRACT_IF(&params, *data, *size, sizeof(params));
  359. ret = fuzz_alloc_succeed(sizeof(struct srtp_ekt_policy_ctx_t), false);
  360. ret->spi = params.spi;
  361. /* The only supported cipher type */
  362. ret->ekt_cipher_type = SRTP_EKT_CIPHER_AES_128_ECB;
  363. ret->ekt_key = fuzz_alloc_succeed(sizeof(params.key), false);
  364. memcpy(ret->ekt_key, params.key, sizeof(params.key));
  365. ret->next_ekt_policy = NULL;
  366. end:
  367. return ret;
  368. }
  369. static srtp_policy_t *extract_policy(const uint8_t **data, size_t *size)
  370. {
  371. srtp_policy_t *policy = NULL;
  372. struct {
  373. uint8_t srtp_crypto_policy_func;
  374. uint64_t window_size;
  375. uint8_t allow_repeat_tx;
  376. uint8_t ssrc_type;
  377. uint32_t ssrc_value;
  378. uint8_t num_xtn_hdr;
  379. uint8_t with_ekt;
  380. srtp_ekt_spi_t ekt_spi;
  381. uint8_t do_extract_key;
  382. uint8_t do_extract_master_keys;
  383. } params;
  384. EXTRACT_IF(&params, *data, *size, sizeof(params));
  385. params.srtp_crypto_policy_func %= sizeof(fuzz_srtp_crypto_policies) /
  386. sizeof(fuzz_srtp_crypto_policies[0]);
  387. params.allow_repeat_tx %= 2;
  388. params.ssrc_type %=
  389. sizeof(fuzz_ssrc_type_map) / sizeof(fuzz_ssrc_type_map[0]);
  390. params.with_ekt %= 2;
  391. policy = fuzz_alloc_succeed(sizeof(*policy), true);
  392. fuzz_srtp_crypto_policies[params.srtp_crypto_policy_func]
  393. .crypto_policy_func(&policy->rtp);
  394. fuzz_srtp_crypto_policies[params.srtp_crypto_policy_func]
  395. .crypto_policy_func(&policy->rtcp);
  396. if (policy->rtp.cipher_key_len > MAX_KEY_LEN) {
  397. /* Shouldn't happen */
  398. abort();
  399. }
  400. policy->ssrc.type = fuzz_ssrc_type_map[params.ssrc_type].srtp_ssrc_type;
  401. policy->ssrc.value = params.ssrc_value;
  402. if ((params.do_extract_key % 2) == 0) {
  403. policy->key = extract_key(data, size, policy->rtp.cipher_key_len);
  404. if (policy->key == NULL) {
  405. fuzz_free(policy);
  406. return NULL;
  407. }
  408. }
  409. if (params.num_xtn_hdr != 0) {
  410. const size_t xtn_hdr_size = params.num_xtn_hdr * sizeof(int);
  411. if (*size < xtn_hdr_size) {
  412. fuzz_free(policy->key);
  413. fuzz_free(policy);
  414. return NULL;
  415. }
  416. policy->enc_xtn_hdr = fuzz_alloc_succeed(xtn_hdr_size, false);
  417. EXTRACT(policy->enc_xtn_hdr, *data, *size, xtn_hdr_size);
  418. policy->enc_xtn_hdr_count = params.num_xtn_hdr;
  419. }
  420. if ((params.do_extract_master_keys % 2) == 0) {
  421. policy->keys = extract_master_keys(
  422. data, size, policy->rtp.cipher_key_len, &policy->num_master_keys);
  423. if (policy->keys == NULL) {
  424. fuzz_free(policy->key);
  425. fuzz_free(policy->enc_xtn_hdr);
  426. fuzz_free(policy);
  427. return NULL;
  428. }
  429. }
  430. if (params.with_ekt) {
  431. policy->ekt = extract_ekt_policy(data, size);
  432. }
  433. policy->window_size = params.window_size;
  434. policy->allow_repeat_tx = params.allow_repeat_tx;
  435. policy->next = NULL;
  436. end:
  437. return policy;
  438. }
  439. static srtp_policy_t *extract_policies(const uint8_t **data, size_t *size)
  440. {
  441. srtp_policy_t *curpolicy = NULL, *policy_chain = NULL;
  442. curpolicy = extract_policy(data, size);
  443. if (curpolicy == NULL) {
  444. return NULL;
  445. }
  446. policy_chain = curpolicy;
  447. while (1) {
  448. uint8_t do_extract_policy;
  449. EXTRACT_IF(&do_extract_policy, *data, *size, sizeof(do_extract_policy));
  450. /* Decide whether to extract another policy */
  451. if ((do_extract_policy % 2) == 0) {
  452. break;
  453. }
  454. curpolicy->next = extract_policy(data, size);
  455. if (curpolicy->next == NULL) {
  456. break;
  457. }
  458. curpolicy = curpolicy->next;
  459. }
  460. end:
  461. return policy_chain;
  462. }
  463. static uint32_t *extract_remove_stream_ssrc(const uint8_t **data,
  464. size_t *size,
  465. uint8_t *num_remove_stream)
  466. {
  467. uint32_t *ret = NULL;
  468. uint8_t _num_remove_stream;
  469. size_t total_size;
  470. *num_remove_stream = 0;
  471. EXTRACT_IF(&_num_remove_stream, *data, *size, sizeof(_num_remove_stream));
  472. if (_num_remove_stream == 0) {
  473. goto end;
  474. }
  475. total_size = _num_remove_stream * sizeof(uint32_t);
  476. if (*size < total_size) {
  477. goto end;
  478. }
  479. ret = fuzz_alloc_succeed(total_size, false);
  480. EXTRACT(ret, *data, *size, total_size);
  481. *num_remove_stream = _num_remove_stream;
  482. end:
  483. return ret;
  484. }
  485. static uint32_t *extract_set_roc(const uint8_t **data,
  486. size_t *size,
  487. uint8_t *num_set_roc)
  488. {
  489. uint32_t *ret = NULL;
  490. uint8_t _num_set_roc;
  491. size_t total_size;
  492. *num_set_roc = 0;
  493. EXTRACT_IF(&_num_set_roc, *data, *size, sizeof(_num_set_roc));
  494. if (_num_set_roc == 0) {
  495. goto end;
  496. }
  497. /* Tuples of 2 uint32_t's */
  498. total_size = _num_set_roc * sizeof(uint32_t) * 2;
  499. if (*size < total_size) {
  500. goto end;
  501. }
  502. ret = fuzz_alloc_succeed(total_size, false);
  503. EXTRACT(ret, *data, *size, total_size);
  504. *num_set_roc = _num_set_roc;
  505. end:
  506. return ret;
  507. }
  508. static void free_policies(srtp_policy_t *curpolicy)
  509. {
  510. size_t i;
  511. while (curpolicy) {
  512. srtp_policy_t *next = curpolicy->next;
  513. fuzz_free(curpolicy->key);
  514. for (i = 0; i < curpolicy->num_master_keys; i++) {
  515. fuzz_free(curpolicy->keys[i]->key);
  516. fuzz_free(curpolicy->keys[i]->mki_id);
  517. fuzz_free(curpolicy->keys[i]);
  518. }
  519. fuzz_free(curpolicy->keys);
  520. fuzz_free(curpolicy->enc_xtn_hdr);
  521. if (curpolicy->ekt) {
  522. fuzz_free(curpolicy->ekt->ekt_key);
  523. fuzz_free(curpolicy->ekt);
  524. }
  525. fuzz_free(curpolicy);
  526. curpolicy = next;
  527. }
  528. }
  529. static uint8_t *run_srtp_func(const srtp_t srtp_ctx,
  530. const uint8_t **data,
  531. size_t *size)
  532. {
  533. uint8_t *ret = NULL;
  534. uint8_t *copy = NULL, *copy_2 = NULL;
  535. struct {
  536. uint16_t size;
  537. uint8_t srtp_func;
  538. uint8_t use_mki;
  539. uint32_t mki;
  540. uint8_t stretch;
  541. } params_1;
  542. struct {
  543. uint8_t srtp_func;
  544. uint8_t use_mki;
  545. uint32_t mki;
  546. } params_2;
  547. int ret_size;
  548. EXTRACT_IF(&params_1, *data, *size, sizeof(params_1));
  549. params_1.srtp_func %= sizeof(srtp_funcs) / sizeof(srtp_funcs[0]);
  550. params_1.use_mki %= 2;
  551. if (*size < params_1.size) {
  552. goto end;
  553. }
  554. /* Enforce 4 byte alignment */
  555. if (g_no_align == false) {
  556. params_1.size -= params_1.size % 4;
  557. }
  558. if (params_1.size == 0) {
  559. goto end;
  560. }
  561. ret_size = params_1.size;
  562. if (srtp_funcs[params_1.srtp_func].protect == true) {
  563. /* Intentionally not initialized to trigger MemorySanitizer, if
  564. * applicable */
  565. uint32_t alloc_size;
  566. if (srtp_funcs[params_1.srtp_func].get_length(
  567. srtp_ctx, params_1.use_mki, params_1.mki, &alloc_size) !=
  568. srtp_err_status_ok) {
  569. goto end;
  570. }
  571. copy = fuzz_alloc_succeed(ret_size + alloc_size, false);
  572. } else {
  573. copy = fuzz_alloc_succeed(ret_size, false);
  574. }
  575. EXTRACT(copy, *data, *size, params_1.size);
  576. if (srtp_funcs[params_1.srtp_func].srtp_func(
  577. srtp_ctx, copy, &ret_size, params_1.use_mki, params_1.mki) !=
  578. srtp_err_status_ok) {
  579. fuzz_free(copy);
  580. goto end;
  581. }
  582. // fuzz_free(copy);
  583. fuzz_testmem(copy, ret_size);
  584. ret = copy;
  585. EXTRACT_IF(&params_2, *data, *size, sizeof(params_2));
  586. params_2.srtp_func %= sizeof(srtp_funcs) / sizeof(srtp_funcs[0]);
  587. params_2.use_mki %= 2;
  588. if (ret_size == 0) {
  589. goto end;
  590. }
  591. if (srtp_funcs[params_2.srtp_func].protect == true) {
  592. /* Intentionally not initialized to trigger MemorySanitizer, if
  593. * applicable */
  594. uint32_t alloc_size;
  595. if (srtp_funcs[params_2.srtp_func].get_length(
  596. srtp_ctx, params_2.use_mki, params_2.mki, &alloc_size) !=
  597. srtp_err_status_ok) {
  598. goto end;
  599. }
  600. copy_2 = fuzz_alloc_succeed(ret_size + alloc_size, false);
  601. } else {
  602. copy_2 = fuzz_alloc_succeed(ret_size, false);
  603. }
  604. memcpy(copy_2, copy, ret_size);
  605. fuzz_free(copy);
  606. copy = copy_2;
  607. if (srtp_funcs[params_2.srtp_func].srtp_func(
  608. srtp_ctx, copy, &ret_size, params_2.use_mki, params_2.mki) !=
  609. srtp_err_status_ok) {
  610. fuzz_free(copy);
  611. ret = NULL;
  612. goto end;
  613. }
  614. fuzz_testmem(copy, ret_size);
  615. ret = copy;
  616. end:
  617. return ret;
  618. }
  619. void fuzz_srtp_event_handler(srtp_event_data_t *data)
  620. {
  621. fuzz_testmem(data, sizeof(srtp_event_data_t));
  622. if (data->session != NULL) {
  623. fuzz_testmem(data->session, sizeof(*data->session));
  624. }
  625. }
  626. static void fuzz_write_input(const uint8_t *data, size_t size)
  627. {
  628. FILE *fp = fopen("input.bin", "wb");
  629. if (fp == NULL) {
  630. /* Shouldn't happen */
  631. abort();
  632. }
  633. if (size != 0 && fwrite(data, size, 1, fp) != 1) {
  634. printf("Cannot write\n");
  635. /* Shouldn't happen */
  636. abort();
  637. }
  638. fclose(fp);
  639. }
  640. int LLVMFuzzerInitialize(int *argc, char ***argv)
  641. {
  642. char **_argv = *argv;
  643. int i;
  644. bool no_custom_event_handler = false;
  645. if (srtp_init() != srtp_err_status_ok) {
  646. /* Shouldn't happen */
  647. abort();
  648. }
  649. for (i = 0; i < *argc; i++) {
  650. if (strcmp("--no_align", _argv[i]) == 0) {
  651. g_no_align = true;
  652. } else if (strcmp("--no_custom_event_handler", _argv[i]) == 0) {
  653. no_custom_event_handler = true;
  654. } else if (strcmp("--write_input", _argv[i]) == 0) {
  655. g_write_input = true;
  656. }
  657. #ifdef FUZZ_32BIT
  658. else if (strcmp("--no_mmap", _argv[i]) == 0) {
  659. g_no_mmap = true;
  660. }
  661. #endif
  662. else if (strncmp("--", _argv[i], 2) == 0) {
  663. printf("Invalid argument: %s\n", _argv[i]);
  664. exit(0);
  665. }
  666. }
  667. if (no_custom_event_handler == false) {
  668. if (srtp_install_event_handler(fuzz_srtp_event_handler) !=
  669. srtp_err_status_ok) {
  670. /* Shouldn't happen */
  671. abort();
  672. }
  673. }
  674. /* Fully initialized -- past this point, simulated allocation failures
  675. * are allowed to occur */
  676. g_post_init = true;
  677. return 0;
  678. }
  679. int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
  680. {
  681. uint8_t num_remove_stream;
  682. uint32_t *remove_stream_ssrc = NULL;
  683. uint8_t num_set_roc;
  684. uint32_t *set_roc = NULL;
  685. srtp_t srtp_ctx = NULL;
  686. srtp_policy_t *policy_chain = NULL, *policy_chain_2 = NULL;
  687. uint32_t randseed;
  688. static bool firstrun = true;
  689. if (firstrun == true) {
  690. /* TODO version check etc and send it to MSAN */
  691. }
  692. #ifdef FUZZ_32BIT
  693. /* Free the mmap allocation made during the previous iteration, if
  694. * applicable */
  695. fuzz_free(g_mmap_allocation);
  696. #endif
  697. if (g_write_input == true) {
  698. fuzz_write_input(data, size);
  699. }
  700. EXTRACT_IF(&randseed, data, size, sizeof(randseed));
  701. fuzz_mt19937_init(randseed);
  702. srand(randseed);
  703. /* policy_chain is used to initialize the srtp context with */
  704. if ((policy_chain = extract_policies(&data, &size)) == NULL) {
  705. goto end;
  706. }
  707. /* policy_chain_2 is used as an argument to srtp_update later on */
  708. if ((policy_chain_2 = extract_policies(&data, &size)) == NULL) {
  709. goto end;
  710. }
  711. /* Create context */
  712. if (srtp_create(&srtp_ctx, policy_chain) != srtp_err_status_ok) {
  713. goto end;
  714. }
  715. // free_policies(policy_chain);
  716. // policy_chain = NULL;
  717. /* Don't check for NULL result -- no extractions is fine */
  718. remove_stream_ssrc =
  719. extract_remove_stream_ssrc(&data, &size, &num_remove_stream);
  720. /* Don't check for NULL result -- no extractions is fine */
  721. set_roc = extract_set_roc(&data, &size, &num_set_roc);
  722. {
  723. uint8_t *ret;
  724. int i = 0, j = 0;
  725. while ((ret = run_srtp_func(srtp_ctx, &data, &size)) != NULL) {
  726. fuzz_free(ret);
  727. /* Keep removing streams until the set of SSRCs extracted from the
  728. * fuzzer input is exhausted */
  729. if (i < num_remove_stream) {
  730. if (srtp_remove_stream(srtp_ctx, remove_stream_ssrc[i]) !=
  731. srtp_err_status_ok) {
  732. goto end;
  733. }
  734. i++;
  735. }
  736. /* Keep setting and getting ROCs until the set of SSRC/ROC tuples
  737. * extracted from the fuzzer input is exhausted */
  738. if (j < num_set_roc * 2) {
  739. uint32_t roc;
  740. if (srtp_set_stream_roc(srtp_ctx, set_roc[j], set_roc[j + 1]) !=
  741. srtp_err_status_ok) {
  742. goto end;
  743. }
  744. if (srtp_get_stream_roc(srtp_ctx, set_roc[j + 1], &roc) !=
  745. srtp_err_status_ok) {
  746. goto end;
  747. }
  748. j += 2;
  749. }
  750. if (policy_chain_2 != NULL) {
  751. /* TODO srtp_update(srtp_ctx, policy_chain_2); */
  752. /* Discard after using once */
  753. free_policies(policy_chain_2);
  754. policy_chain_2 = NULL;
  755. }
  756. }
  757. }
  758. end:
  759. free_policies(policy_chain);
  760. free_policies(policy_chain_2);
  761. fuzz_free(remove_stream_ssrc);
  762. fuzz_free(set_roc);
  763. if (srtp_ctx != NULL) {
  764. srtp_dealloc(srtp_ctx);
  765. }
  766. fuzz_mt19937_destroy();
  767. return 0;
  768. }