GitHub/coturn
1
0
Fork 0
mirror of https://github.com/coturn/coturn.git synced 2026-05-12 09:40:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
coturn/fuzzing/FuzzStun.c
T
Pavel Punsky cb701a47b4 Add fuzz coverage for integrity helpers (#1888)
2026-04-30 22:32:50 -07:00

609 lines
24 KiB
C
Raw Permalink Blame History

/*
* SPDX-License-Identifier: BSD-3-Clause
*
* https://opensource.org/license/bsd-3-clause
*
* Multi-harness libFuzzer entry point for server-side STUN parsing.
*
* Every iteration runs all sub-harnesses in sequence on the same input:
* RFC 5769 integrity checks, multi-SHA/credential integrity, attribute
* iteration, attribute serialization, and legacy (pre-RFC 5389) STUN
* detection. Keeping everything behind a single binary allows the
* upstream OSS-Fuzz build recipe to stay unchanged.
*/
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include "apputils.h"
#include "ns_turn_ioaddr.h"
#include "ns_turn_msg.h"
#include "ns_turn_msg_defs.h"
#include "ns_turn_utils.h"
#include "stun_buffer.h"
static uint8_t fuzz_byte(const uint8_t *Data, size_t Size, size_t idx) { return Size ? Data[idx % Size] : 0; }
static uint16_t fuzz_u16(const uint8_t *Data, size_t Size, size_t idx) {
return (uint16_t)(((uint16_t)fuzz_byte(Data, Size, idx) << 8) | (uint16_t)fuzz_byte(Data, Size, idx + 1));
}
static void fuzz_printable_string(const uint8_t *Data, size_t Size, size_t idx, uint8_t *out, size_t out_size) {
if (!out_size) {
return;
}
const size_t max_len = out_size - 1;
const size_t len = max_len ? (size_t)(fuzz_byte(Data, Size, idx) % (max_len + 1)) : 0;
for (size_t i = 0; i < len; ++i) {
out[i] = (uint8_t)(33 + (fuzz_byte(Data, Size, idx + 1 + i) % 94));
}
out[len] = 0;
}
/* ------------------------------------------------------------------ */
/* Integrity: SHA1 short-term + SHA256 long-term (original FuzzStun). */
/* ------------------------------------------------------------------ */
static void harness_integrity_sha1(const uint8_t *Data, size_t Size) {
if (Size < 10 || Size > 5120) {
return;
}
stun_is_command_message_full_check_str((uint8_t *)Data, Size, 1, NULL);
uint8_t uname[STUN_MAX_USERNAME_SIZE + 1] = "fuzzuser";
uint8_t realm[STUN_MAX_REALM_SIZE + 1] = "fuzz.realm";
uint8_t upwd[STUN_MAX_PWD_SIZE + 1] = "VOkJxbRl1RmTxUk/WvJxBt";
stun_check_message_integrity_str(TURN_CREDENTIALS_SHORT_TERM, (uint8_t *)Data, Size, uname, realm, upwd,
SHATYPE_SHA1);
stun_check_message_integrity_str(TURN_CREDENTIALS_LONG_TERM, (uint8_t *)Data, Size, uname, realm, upwd,
SHATYPE_SHA256);
}
/* ------------------------------------------------------------------ */
/* Integrity across all SHA types + credential modes (FuzzStunIntegrity). */
/* ------------------------------------------------------------------ */
static void harness_integrity_multi(const uint8_t *Data, size_t Size) {
if (Size < STUN_HEADER_LENGTH || Size > 5120) {
return;
}
uint8_t buf[5120];
uint8_t uname[STUN_MAX_USERNAME_SIZE + 1] = "fuzzuser";
uint8_t realm[STUN_MAX_REALM_SIZE + 1] = "fuzz.realm";
uint8_t upwd[STUN_MAX_PWD_SIZE + 1] = "VOkJxbRl1RmTxUk/WvJxBt";
static const SHATYPE sha_types[] = {SHATYPE_SHA1, SHATYPE_SHA256, SHATYPE_SHA384, SHATYPE_SHA512};
const size_t num_sha = sizeof(sha_types) / sizeof(sha_types[0]);
for (size_t s = 0; s < num_sha; s++) {
memcpy(buf, Data, Size);
stun_is_command_message_full_check_str(buf, Size, 1, NULL);
stun_check_message_integrity_str(TURN_CREDENTIALS_SHORT_TERM, buf, Size, uname, realm, upwd, sha_types[s]);
memcpy(buf, Data, Size);
stun_check_message_integrity_str(TURN_CREDENTIALS_LONG_TERM, buf, Size, uname, realm, upwd, sha_types[s]);
}
}
/* ------------------------------------------------------------------ */
/* Attribute TLV iteration + typed extraction (FuzzStunAttrIter). */
/* ------------------------------------------------------------------ */
static const uint16_t kAllAttrTypes[] = {
STUN_ATTRIBUTE_MAPPED_ADDRESS,
OLD_STUN_ATTRIBUTE_RESPONSE_ADDRESS,
STUN_ATTRIBUTE_CHANGE_REQUEST,
OLD_STUN_ATTRIBUTE_SOURCE_ADDRESS,
OLD_STUN_ATTRIBUTE_CHANGED_ADDRESS,
STUN_ATTRIBUTE_USERNAME,
OLD_STUN_ATTRIBUTE_PASSWORD,
STUN_ATTRIBUTE_MESSAGE_INTEGRITY,
STUN_ATTRIBUTE_ERROR_CODE,
STUN_ATTRIBUTE_UNKNOWN_ATTRIBUTES,
OLD_STUN_ATTRIBUTE_REFLECTED_FROM,
STUN_ATTRIBUTE_CHANNEL_NUMBER,
STUN_ATTRIBUTE_LIFETIME,
STUN_ATTRIBUTE_BANDWIDTH,
STUN_ATTRIBUTE_XOR_PEER_ADDRESS,
STUN_ATTRIBUTE_DATA,
STUN_ATTRIBUTE_REALM,
STUN_ATTRIBUTE_NONCE,
STUN_ATTRIBUTE_XOR_RELAYED_ADDRESS,
STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY,
STUN_ATTRIBUTE_EVEN_PORT,
STUN_ATTRIBUTE_REQUESTED_TRANSPORT,
STUN_ATTRIBUTE_DONT_FRAGMENT,
STUN_ATTRIBUTE_OAUTH_ACCESS_TOKEN,
STUN_ATTRIBUTE_XOR_MAPPED_ADDRESS,
OLD_STUN_ATTRIBUTE_XOR_MAPPED_ADDRESS,
STUN_ATTRIBUTE_TIMER_VAL,
STUN_ATTRIBUTE_RESERVATION_TOKEN,
STUN_ATTRIBUTE_PRIORITY,
STUN_ATTRIBUTE_PADDING,
STUN_ATTRIBUTE_RESPONSE_PORT,
STUN_ATTRIBUTE_CONNECTION_ID,
STUN_ATTRIBUTE_ADDITIONAL_ADDRESS_FAMILY,
STUN_ATTRIBUTE_ADDRESS_ERROR_CODE,
STUN_ATTRIBUTE_SOFTWARE,
STUN_ATTRIBUTE_ALTERNATE_SERVER,
STUN_ATTRIBUTE_FINGERPRINT,
STUN_ATTRIBUTE_ICE_CONTROLLED,
STUN_ATTRIBUTE_RESPONSE_ORIGIN,
STUN_ATTRIBUTE_OTHER_ADDRESS,
STUN_ATTRIBUTE_THIRD_PARTY_AUTHORIZATION,
STUN_ATTRIBUTE_ORIGIN,
STUN_ATTRIBUTE_MOBILITY_TICKET,
STUN_ATTRIBUTE_NEW_BANDWIDTH,
};
static const uint16_t kAddrAttrs[] = {
STUN_ATTRIBUTE_MAPPED_ADDRESS, STUN_ATTRIBUTE_XOR_MAPPED_ADDRESS, OLD_STUN_ATTRIBUTE_XOR_MAPPED_ADDRESS,
STUN_ATTRIBUTE_XOR_PEER_ADDRESS, STUN_ATTRIBUTE_XOR_RELAYED_ADDRESS, STUN_ATTRIBUTE_ALTERNATE_SERVER,
STUN_ATTRIBUTE_RESPONSE_ORIGIN, STUN_ATTRIBUTE_OTHER_ADDRESS,
};
static void harness_attr_iter(const uint8_t *Data, size_t Size) {
if (Size < STUN_HEADER_LENGTH || Size > 8192) {
return;
}
uint8_t buf[8192];
memcpy(buf, Data, Size);
if (!stun_is_command_message_str(buf, Size)) {
return;
}
stun_attr_ref sar = stun_attr_get_first_str(buf, Size);
while (sar) {
(void)stun_attr_get_type(sar);
(void)stun_attr_get_len(sar);
(void)stun_attr_get_value(sar);
(void)stun_attr_is_addr(sar);
sar = stun_attr_get_next_str(buf, Size, sar);
}
ioa_addr addr;
const size_t num_addr_attrs = sizeof(kAddrAttrs) / sizeof(kAddrAttrs[0]);
for (size_t i = 0; i < num_addr_attrs; i++) {
sar = stun_attr_get_first_by_type_str(buf, Size, kAddrAttrs[i]);
if (sar) {
memset(&addr, 0, sizeof(addr));
stun_attr_get_addr_str(buf, Size, sar, &addr, NULL);
}
memset(&addr, 0, sizeof(addr));
stun_attr_get_first_addr_str(buf, Size, kAddrAttrs[i], &addr, NULL);
}
sar = stun_attr_get_first_by_type_str(buf, Size, STUN_ATTRIBUTE_CHANNEL_NUMBER);
if (sar) {
(void)stun_attr_get_channel_number(sar);
}
(void)stun_attr_get_first_channel_number_str(buf, Size);
sar = stun_attr_get_first_by_type_str(buf, Size, STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY);
if (sar) {
(void)stun_get_requested_address_family(sar);
}
sar = stun_attr_get_first_by_type_str(buf, Size, STUN_ATTRIBUTE_ADDITIONAL_ADDRESS_FAMILY);
if (sar) {
(void)stun_get_requested_address_family(sar);
}
sar = stun_attr_get_first_by_type_str(buf, Size, STUN_ATTRIBUTE_EVEN_PORT);
if (sar) {
(void)stun_attr_get_even_port(sar);
}
sar = stun_attr_get_first_by_type_str(buf, Size, STUN_ATTRIBUTE_BANDWIDTH);
if (sar) {
(void)stun_attr_get_bandwidth(sar);
}
sar = stun_attr_get_first_by_type_str(buf, Size, STUN_ATTRIBUTE_NEW_BANDWIDTH);
if (sar) {
(void)stun_attr_get_bandwidth(sar);
}
sar = stun_attr_get_first_by_type_str(buf, Size, STUN_ATTRIBUTE_RESERVATION_TOKEN);
if (sar) {
(void)stun_attr_get_reservation_token_value(sar);
}
sar = stun_attr_get_first_by_type_str(buf, Size, STUN_ATTRIBUTE_CHANGE_REQUEST);
if (sar) {
bool change_ip = false, change_port = false;
stun_attr_get_change_request_str(sar, &change_ip, &change_port);
}
sar = stun_attr_get_first_by_type_str(buf, Size, STUN_ATTRIBUTE_RESPONSE_PORT);
if (sar) {
(void)stun_attr_get_response_port_str(sar);
}
sar = stun_attr_get_first_by_type_str(buf, Size, STUN_ATTRIBUTE_PADDING);
if (sar) {
(void)stun_attr_get_padding_len_str(sar);
}
{
int err_code = 0;
uint8_t err_msg[1024] = {0};
stun_is_error_response_str(buf, Size, &err_code, err_msg, sizeof(err_msg));
}
{
int err_code = 0;
uint8_t err_msg[1024] = {0};
uint8_t chal_realm[STUN_MAX_REALM_SIZE + 1] = {0};
uint8_t chal_nonce[STUN_MAX_NONCE_SIZE + 1] = {0};
uint8_t server_name[STUN_MAX_SERVER_NAME_SIZE + 1] = {0};
bool oauth = false;
stun_is_challenge_response_str(buf, Size, &err_code, err_msg, sizeof(err_msg), chal_realm, chal_nonce, server_name,
&oauth);
}
const size_t num_all_attrs = sizeof(kAllAttrTypes) / sizeof(kAllAttrTypes[0]);
for (size_t i = 0; i < num_all_attrs; i++) {
sar = stun_attr_get_first_by_type_str(buf, Size, kAllAttrTypes[i]);
if (sar) {
(void)stun_attr_get_type(sar);
(void)stun_attr_get_len(sar);
(void)stun_attr_get_value(sar);
}
}
}
/* ------------------------------------------------------------------ */
/* Attribute serialization / append paths (FuzzStunAttrAdd). */
/* ------------------------------------------------------------------ */
static void harness_attr_add(const uint8_t *Data, size_t Size) {
if (Size < STUN_HEADER_LENGTH || Size > 4096) {
return;
}
uint8_t buf[MAX_STUN_MESSAGE_SIZE] = {0};
memcpy(buf, Data, Size);
size_t len = Size;
if (!stun_is_command_message_str(buf, len)) {
return;
}
uint8_t test_uname[] = "fuzzuser@fuzz.realm";
stun_attr_add_str(buf, &len, STUN_ATTRIBUTE_USERNAME, test_uname, (int)(sizeof(test_uname) - 1));
uint8_t test_realm[] = "fuzz.realm";
stun_attr_add_str(buf, &len, STUN_ATTRIBUTE_REALM, test_realm, (int)(sizeof(test_realm) - 1));
uint8_t test_nonce[] = "fuzznonce0123456789abcdef";
stun_attr_add_str(buf, &len, STUN_ATTRIBUTE_NONCE, test_nonce, (int)(sizeof(test_nonce) - 1));
uint8_t test_sw[] = "coturn-fuzz/1.0";
stun_attr_add_str(buf, &len, STUN_ATTRIBUTE_SOFTWARE, test_sw, (int)(sizeof(test_sw) - 1));
uint8_t lifetime_val[4] = {0x00, 0x00, 0x02, 0x58};
stun_attr_add_str(buf, &len, STUN_ATTRIBUTE_LIFETIME, lifetime_val, 4);
uint8_t transport_val[4] = {STUN_ATTRIBUTE_TRANSPORT_UDP_VALUE, 0x00, 0x00, 0x00};
stun_attr_add_str(buf, &len, STUN_ATTRIBUTE_REQUESTED_TRANSPORT, transport_val, 4);
uint8_t af_val[4] = {STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV4, 0x00, 0x00, 0x00};
stun_attr_add_str(buf, &len, STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY, af_val, 4);
uint8_t even_port_val[1] = {0x80};
stun_attr_add_str(buf, &len, STUN_ATTRIBUTE_EVEN_PORT, even_port_val, 1);
stun_attr_add_str(buf, &len, STUN_ATTRIBUTE_DONT_FRAGMENT, NULL, 0);
stun_attr_add_channel_number_str(buf, &len, 0x4001);
stun_attr_add_bandwidth_str(buf, &len, 1000000);
ioa_addr addr4 = {0};
addr4.s4.sin_family = AF_INET;
addr4.s4.sin_port = htons(12345);
addr4.s4.sin_addr.s_addr = htonl(0xC0A80001);
stun_attr_add_addr_str(buf, &len, STUN_ATTRIBUTE_XOR_MAPPED_ADDRESS, &addr4);
stun_attr_add_addr_str(buf, &len, STUN_ATTRIBUTE_XOR_PEER_ADDRESS, &addr4);
stun_attr_add_addr_str(buf, &len, STUN_ATTRIBUTE_XOR_RELAYED_ADDRESS, &addr4);
stun_attr_add_addr_str(buf, &len, STUN_ATTRIBUTE_MAPPED_ADDRESS, &addr4);
ioa_addr addr6 = {0};
addr6.s6.sin6_family = AF_INET6;
addr6.s6.sin6_port = htons(54321);
addr6.s6.sin6_addr.s6_addr[15] = 1;
stun_attr_add_addr_str(buf, &len, STUN_ATTRIBUTE_XOR_MAPPED_ADDRESS, &addr6);
stun_attr_add_addr_str(buf, &len, STUN_ATTRIBUTE_XOR_RELAYED_ADDRESS, &addr6);
stun_attr_add_address_error_code(buf, &len, STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV6, 440);
stun_attr_add_change_request_str(buf, &len, true, true);
stun_attr_add_response_port_str(buf, &len, 3479);
stun_attr_add_padding_str(buf, &len, 64);
if (Size > STUN_HEADER_LENGTH + 4) {
int data_len = (int)(Size - STUN_HEADER_LENGTH);
if (data_len > 1024) {
data_len = 1024;
}
stun_attr_add_str(buf, &len, STUN_ATTRIBUTE_DATA, Data + STUN_HEADER_LENGTH, data_len);
}
stun_attr_add_fingerprint_str(buf, &len);
}
/* ------------------------------------------------------------------ */
/* Legacy (pre-RFC 5389) STUN detection (FuzzOldStun). */
/* ------------------------------------------------------------------ */
static void harness_old_stun(const uint8_t *Data, size_t Size) {
if (Size < STUN_HEADER_LENGTH || Size > 5120) {
return;
}
uint8_t buf[5120];
memcpy(buf, Data, Size);
uint32_t cookie = 0;
bool is_old = old_stun_is_command_message_str(buf, Size, &cookie);
(void)stun_is_command_message_str(buf, Size);
if (is_old) {
(void)stun_get_msg_type_str(buf, Size);
(void)stun_get_method_str(buf, Size);
stun_is_request_str(buf, Size);
stun_is_indication_str(buf, Size);
stun_is_success_response_str(buf, Size);
int err_code = 0;
uint8_t err_msg[256] = {0};
stun_is_error_response_str(buf, Size, &err_code, err_msg, sizeof(err_msg));
int fp_present = 0;
stun_is_command_message_full_check_str(buf, Size, 1, &fp_present);
stun_is_command_message_full_check_str(buf, Size, 0, &fp_present);
stun_is_binding_request_str(buf, Size, 0);
stun_is_binding_response_str(buf, Size);
stun_attr_ref sar = stun_attr_get_first_str(buf, Size);
while (sar) {
(void)stun_attr_get_type(sar);
(void)stun_attr_get_len(sar);
sar = stun_attr_get_next_str(buf, Size, sar);
}
}
}
/* ------------------------------------------------------------------ */
/* Challenge-response builder (FuzzStunChallengeResponse). */
/* */
/* stun_is_challenge_response_str only descends into its three inner */
/* stun_attr_get_first_by_type_str calls when: */
/* 1) the message is an error response, */
/* 2) err_code is 401 OR 438, */
/* 3) a REALM attribute is present, */
/* 4) a NONCE attribute is present. */
/* The OAuth branch additionally requires THIRD-PARTY-AUTHORIZATION. */
/* */
/* The fuzzer-driven harness in harness_attr_iter calls the function */
/* every iteration but the conjunction of conditions is too specific */
/* for libFuzzer to discover from binary mutation alone — OSS-Fuzz */
/* introspector flags 9 unreached callsites under */
/* stun_attr_get_first_by_type_str gated on this function. */
/* */
/* Build six deterministic message variants on every iteration so */
/* every internal branch is exercised regardless of the input bytes. */
/* Realm / nonce / server-name lengths are derived from fuzz bytes so */
/* each iteration is still meaningfully distinct. */
/* ------------------------------------------------------------------ */
static void harness_challenge_response_builder(const uint8_t *Data, size_t Size) {
if (!Size) {
return;
}
static const uint16_t kMethods[] = {
STUN_METHOD_ALLOCATE,
STUN_METHOD_BINDING,
STUN_METHOD_REFRESH,
STUN_METHOD_CHANNEL_BIND,
};
const uint16_t method = kMethods[Data[0] % (sizeof(kMethods) / sizeof(kMethods[0]))];
/* Length of each variable-length string is taken from a single fuzz byte
* so libFuzzer still varies the inputs across iterations. Floors keep the
* attribute non-empty so the inner copies in stun_is_challenge_response_str
* actually populate the output buffers. */
const size_t realm_len = 1 + (Size > 1 ? (Data[1] % 16) : 0);
const size_t nonce_len = 1 + (Size > 2 ? (Data[2] % 16) : 0);
const size_t server_len = 1 + (Size > 3 ? (Data[3] % 16) : 0);
uint8_t realm_buf[STUN_MAX_REALM_SIZE + 1] = {0};
uint8_t nonce_buf[STUN_MAX_NONCE_SIZE + 1] = {0};
uint8_t server_buf[STUN_MAX_SERVER_NAME_SIZE + 1] = {0};
for (size_t i = 0; i < realm_len; ++i) {
realm_buf[i] = (uint8_t)('a' + (i % 26));
}
for (size_t i = 0; i < nonce_len; ++i) {
nonce_buf[i] = (uint8_t)('0' + (i % 10));
}
for (size_t i = 0; i < server_len; ++i) {
server_buf[i] = (uint8_t)('A' + (i % 26));
}
stun_tid tid = {0};
for (size_t i = 0; i < STUN_TID_SIZE; ++i) {
tid.tsx_id[i] = (uint8_t)(Size > i + 4 ? Data[i + 4] : (uint8_t)i);
}
/* Each variant builds a fresh error response and runs it through the
* predicate so the inner attribute lookups fire. */
static const struct {
uint16_t err_code;
bool include_realm;
bool include_nonce;
bool include_third_party_auth;
} kVariants[] = {
{401, true, true, false}, /* canonical 401 challenge: REALM + NONCE */
{401, true, true, true}, /* same + THIRD-PARTY-AUTHORIZATION (OAuth branch) */
{438, true, true, false}, /* covers the (*err_code) == 438 disjunct */
{401, true, false, false}, /* REALM present, NONCE missing — negative inner path */
{401, false, false, false}, /* err_code matches but no REALM — outer negative path */
{400, true, true, false}, /* err_code does not match 401/438 — early-out path */
};
for (size_t v = 0; v < sizeof(kVariants) / sizeof(kVariants[0]); ++v) {
uint8_t buf[MAX_STUN_MESSAGE_SIZE] = {0};
size_t len = 0;
stun_init_error_response_str(method, buf, &len, kVariants[v].err_code, (const uint8_t *)"unauthorized", &tid, true);
if (kVariants[v].include_realm) {
stun_attr_add_str(buf, &len, STUN_ATTRIBUTE_REALM, realm_buf, (int)realm_len);
}
if (kVariants[v].include_third_party_auth) {
stun_attr_add_str(buf, &len, STUN_ATTRIBUTE_THIRD_PARTY_AUTHORIZATION, server_buf, (int)server_len);
}
if (kVariants[v].include_nonce) {
stun_attr_add_str(buf, &len, STUN_ATTRIBUTE_NONCE, nonce_buf, (int)nonce_len);
}
int err_code = 0;
uint8_t err_msg[1024] = {0};
uint8_t out_realm[STUN_MAX_REALM_SIZE + 1] = {0};
uint8_t out_nonce[STUN_MAX_NONCE_SIZE + 1] = {0};
uint8_t out_server[STUN_MAX_SERVER_NAME_SIZE + 1] = {0};
bool oauth = false;
(void)stun_is_challenge_response_str(buf, len, &err_code, err_msg, sizeof(err_msg), out_realm, out_nonce,
out_server, &oauth);
/* Also exercise the NULL-oauth-pointer branch, which is reachable from
* other call sites in the codebase. */
(void)stun_is_challenge_response_str(buf, len, &err_code, err_msg, sizeof(err_msg), out_realm, out_nonce,
out_server, NULL);
}
}
/* ------------------------------------------------------------------ */
/* Address parser coverage for make_ioa_addr_from_full_string. */
/* ------------------------------------------------------------------ */
static void harness_full_addr_parser(const uint8_t *Data, size_t Size) {
ioa_addr addr;
const uint16_t default_port = fuzz_u16(Data, Size, 0);
const uint16_t explicit_port = fuzz_u16(Data, Size, 2);
char ipv4_plain[MAX_IOA_ADDR_STRING];
char ipv4_with_port[MAX_IOA_ADDR_STRING];
char ipv6_bracketed[MAX_IOA_ADDR_STRING];
char ipv6_with_port[MAX_IOA_ADDR_STRING];
char ipv4_spaced[MAX_IOA_ADDR_STRING];
snprintf(ipv4_plain, sizeof(ipv4_plain), "%u.%u.%u.%u", fuzz_byte(Data, Size, 4), fuzz_byte(Data, Size, 5),
fuzz_byte(Data, Size, 6), fuzz_byte(Data, Size, 7));
snprintf(ipv4_with_port, sizeof(ipv4_with_port), "%u.%u.%u.%u:%u", fuzz_byte(Data, Size, 8), fuzz_byte(Data, Size, 9),
fuzz_byte(Data, Size, 10), fuzz_byte(Data, Size, 11), explicit_port);
snprintf(ipv6_bracketed, sizeof(ipv6_bracketed), "[2001:db8:%x:%x::%x]", fuzz_u16(Data, Size, 12),
fuzz_u16(Data, Size, 14), fuzz_u16(Data, Size, 16));
snprintf(ipv6_with_port, sizeof(ipv6_with_port), "[2001:db8:%x:%x::%x]:%u", fuzz_u16(Data, Size, 18),
fuzz_u16(Data, Size, 20), fuzz_u16(Data, Size, 22), explicit_port);
snprintf(ipv4_spaced, sizeof(ipv4_spaced), " %u.%u.%u.%u:%u", fuzz_byte(Data, Size, 24), fuzz_byte(Data, Size, 25),
fuzz_byte(Data, Size, 26), fuzz_byte(Data, Size, 27), explicit_port);
static const char *kFixedInputs[] = {
"", "0.0.0.0", "127.0.0.1:3478", "192.0.2.1:", "[::1]", "[::1]:5349", "[2001:db8::1] ", "::1",
};
for (size_t i = 0; i < sizeof(kFixedInputs) / sizeof(kFixedInputs[0]); ++i) {
memset(&addr, 0, sizeof(addr));
(void)make_ioa_addr_from_full_string((const uint8_t *)kFixedInputs[i], default_port, &addr);
}
const char *generated[] = {ipv4_plain, ipv4_with_port, ipv6_bracketed, ipv6_with_port, ipv4_spaced};
for (size_t i = 0; i < sizeof(generated) / sizeof(generated[0]); ++i) {
memset(&addr, 0, sizeof(addr));
(void)make_ioa_addr_from_full_string((const uint8_t *)generated[i], default_port, &addr);
}
(void)make_ioa_addr_from_full_string((const uint8_t *)ipv4_plain, default_port, NULL);
}
/* ------------------------------------------------------------------ */
/* Direct MESSAGE-INTEGRITY append helpers. */
/* ------------------------------------------------------------------ */
static void harness_integrity_attr_add(const uint8_t *Data, size_t Size) {
static const SHATYPE kShaTypes[] = {SHATYPE_SHA1, SHATYPE_SHA256, SHATYPE_SHA384, SHATYPE_SHA512};
const SHATYPE shatype = kShaTypes[fuzz_byte(Data, Size, 0) % (sizeof(kShaTypes) / sizeof(kShaTypes[0]))];
uint8_t uname[STUN_MAX_USERNAME_SIZE + 1] = {0};
uint8_t realm[STUN_MAX_REALM_SIZE + 1] = {0};
uint8_t nonce[STUN_MAX_NONCE_SIZE + 1] = {0};
uint8_t upwd[STUN_MAX_PWD_SIZE + 1] = {0};
password_t pwd = {0};
hmackey_t key = {0};
fuzz_printable_string(Data, Size, 1, uname, sizeof(uname));
fuzz_printable_string(Data, Size, 1 + sizeof(uname), realm, sizeof(realm));
fuzz_printable_string(Data, Size, 1 + sizeof(uname) + sizeof(realm), nonce, sizeof(nonce));
fuzz_printable_string(Data, Size, 1 + sizeof(uname) + sizeof(realm) + sizeof(nonce), upwd, sizeof(upwd));
fuzz_printable_string(Data, Size, 1 + sizeof(uname) + sizeof(realm) + sizeof(nonce) + sizeof(upwd), pwd, sizeof(pwd));
if (!uname[0]) {
memcpy(uname, "fuzzuser", sizeof("fuzzuser"));
}
if (!realm[0]) {
memcpy(realm, "fuzz.realm", sizeof("fuzz.realm"));
}
if (!nonce[0]) {
memcpy(nonce, "fuzznonce", sizeof("fuzznonce"));
}
if (!upwd[0]) {
memcpy(upwd, "fuzzpassword", sizeof("fuzzpassword"));
}
if (!pwd[0]) {
memcpy(pwd, "shortterm", sizeof("shortterm"));
}
for (size_t i = 0; i < sizeof(key); ++i) {
key[i] = fuzz_byte(Data, Size, 32 + i);
}
uint8_t buf[MAX_STUN_MESSAGE_SIZE];
size_t len = 0;
stun_init_request_str(STUN_METHOD_BINDING, buf, &len);
(void)stun_attr_add_integrity_by_key_str(buf, &len, uname, realm, key, nonce, shatype);
len = 0;
stun_init_request_str(STUN_METHOD_ALLOCATE, buf, &len);
(void)stun_attr_add_integrity_by_user_str(buf, &len, uname, realm, upwd, nonce, shatype);
len = 0;
stun_init_request_str(STUN_METHOD_REFRESH, buf, &len);
(void)stun_attr_add_integrity_by_user_short_term_str(buf, &len, uname, pwd, shatype);
len = 0;
stun_init_request_str(STUN_METHOD_CHANNEL_BIND, buf, &len);
(void)stun_attr_add_integrity_str(TURN_CREDENTIALS_SHORT_TERM, buf, &len, key, pwd, shatype);
len = 0;
stun_init_request_str(STUN_METHOD_BINDING, buf, &len);
(void)stun_attr_add_integrity_str(TURN_CREDENTIALS_LONG_TERM, buf, &len, key, pwd, shatype);
}
/* ------------------------------------------------------------------ */
/* libFuzzer entry point — run every harness on each input. */
/* ------------------------------------------------------------------ */
extern int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
harness_integrity_sha1(Data, Size);
harness_integrity_multi(Data, Size);
harness_attr_iter(Data, Size);
harness_attr_add(Data, Size);
harness_old_stun(Data, Size);
harness_challenge_response_builder(Data, Size);
harness_full_addr_parser(Data, Size);
harness_integrity_attr_add(Data, Size);
return 0;
}
Reference in New Issue View Git Blame Copy Permalink