fuzz: add a test that pushes fuzzed data to the p2p socket

vasild · vasild · commit 32ab679f54a4 · 2023-01-12T15:46:26.000+01:00
This way the full call chain is being tested/fuzzed, from the socket,
to `CConnman`, to `PeerManager` and the interaction between them.
diff --git a/src/Makefile.test.include b/src/Makefile.test.include
@@ -288,6 +288,7 @@ test_fuzz_fuzz_SOURCES = \
  test/fuzz/net_permissions.cpp \
  test/fuzz/netaddress.cpp \
  test/fuzz/netbase_dns_lookup.cpp \
+ test/fuzz/netmsg.cpp \
  test/fuzz/node_eviction.cpp \
  test/fuzz/p2p_transport_serialization.cpp \
  test/fuzz/parse_hd_keypath.cpp \
diff --git a/src/test/fuzz/netmsg.cpp b/src/test/fuzz/netmsg.cpp
@@ -0,0 +1,136 @@
+// Copyright (c) 2020-2023 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <banman.h>
+#include <blockencodings.h>
+#include <consensus/consensus.h>
+#include <net_processing.h>
+#include <protocol.h>
+#include <streams.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <test/util/mining.h>
+#include <test/util/setup_common.h>
+#include <test/util/validation.h>
+#include <util/check.h>
+#include <util/time.h>
+#include <validationinterface.h>
+
+#include <chrono>
+#include <string>
+#include <thread>
+
+namespace {
+NetTestingSetup* g_setup;
+} // namespace
+
+static size_t& GetNumMsgTypes()
+{
+    static size_t g_num_msg_types{0};
+    return g_num_msg_types;
+}
+#define FUZZ_TARGET_MSG(msg_type)                          \
+    struct msg_type##CountBeforeMain {                     \
+        msg_type##CountBeforeMain()                        \
+        {                                                  \
+            ++GetNumMsgTypes();                            \
+        }                                                  \
+    } const static g_##msg_type##count_before_main;        \
+    FUZZ_TARGET_INIT(netmsg_##msg_type, initialize_netmsg) \
+    {                                                      \
+        fuzz_target(buffer, #msg_type);                    \
+    }
+
+void initialize_netmsg()
+{
+    Assert(GetNumMsgTypes() == getAllNetMessageTypes().size()); // If this fails, add or remove the message type below
+
+    static const auto testing_setup = MakeNoLogFileContext<NetTestingSetup>();
+    g_setup = testing_setup.get();
+    for (int i = 0; i < 2 * COINBASE_MATURITY; i++) {
+        MineBlock(g_setup->m_node, CScript() << OP_TRUE);
+    }
+    SyncWithValidationInterfaceQueue();
+}
+
+static void fuzz_target(FuzzBufferType buffer, const std::string& limit_to_message_type)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+
+    SetMockTime(GetMockTime() + std::chrono::minutes{fuzzed_data_provider.ConsumeIntegral<uint8_t>()});
+
+    g_setup->m_node.connman->OpenNetworkConnection(
+        CAddress{}, false, nullptr, "1.2.3.4:8333", ConnectionType::OUTBOUND_FULL_RELAY);
+
+    auto pipes = g_setup->m_sockets_pipes.PopFront();
+
+    uint8_t buf[1024];
+
+    LIMITED_WHILE(fuzzed_data_provider.remaining_bytes() > 0, 100) {
+
+        const std::string message_type =
+            limit_to_message_type.empty() ?
+                fuzzed_data_provider.ConsumeBytesAsString(CMessageHeader::COMMAND_SIZE) :
+                limit_to_message_type;
+
+        CDataStream payload{
+            ConsumeRandomLengthByteVector(fuzzed_data_provider), SER_NETWORK, PROTOCOL_VERSION};
+
+        pipes->recv.PushNetMsg(message_type, payload);
+
+        if (pipes->send.GetBytes(buf, sizeof(buf)) == 0) { // EOF, the socket has been closed.
+            return;
+        }
+    }
+
+    // Force a disconnect and wait for it.
+    g_setup->m_node.connman->ForEachNode([&](CNode* node) {
+        g_setup->m_node.peerman->UnitTestMisbehaving(node->GetId(), DISCOURAGEMENT_THRESHOLD);
+    });
+    memset(buf, 0x0, sizeof(buf));
+    pipes->recv.PushBytes(buf, sizeof(buf));
+    while (pipes->send.GetNetMsg().has_value()) {
+        ;
+    }
+
+    SyncWithValidationInterfaceQueue();
+}
+
+FUZZ_TARGET_INIT(netmsg_any, initialize_netmsg) { fuzz_target(buffer, ""); }
+FUZZ_TARGET_MSG(addr);
+FUZZ_TARGET_MSG(addrv2);
+FUZZ_TARGET_MSG(block);
+FUZZ_TARGET_MSG(blocktxn);
+FUZZ_TARGET_MSG(cfcheckpt);
+FUZZ_TARGET_MSG(cfheaders);
+FUZZ_TARGET_MSG(cfilter);
+FUZZ_TARGET_MSG(cmpctblock);
+FUZZ_TARGET_MSG(feefilter);
+FUZZ_TARGET_MSG(filteradd);
+FUZZ_TARGET_MSG(filterclear);
+FUZZ_TARGET_MSG(filterload);
+FUZZ_TARGET_MSG(getaddr);
+FUZZ_TARGET_MSG(getblocks);
+FUZZ_TARGET_MSG(getblocktxn);
+FUZZ_TARGET_MSG(getcfcheckpt);
+FUZZ_TARGET_MSG(getcfheaders);
+FUZZ_TARGET_MSG(getcfilters);
+FUZZ_TARGET_MSG(getdata);
+FUZZ_TARGET_MSG(getheaders);
+FUZZ_TARGET_MSG(headers);
+FUZZ_TARGET_MSG(inv);
+FUZZ_TARGET_MSG(mempool);
+FUZZ_TARGET_MSG(merkleblock);
+FUZZ_TARGET_MSG(notfound);
+FUZZ_TARGET_MSG(ping);
+FUZZ_TARGET_MSG(pong);
+FUZZ_TARGET_MSG(sendaddrv2);
+FUZZ_TARGET_MSG(sendcmpct);
+FUZZ_TARGET_MSG(sendheaders);
+FUZZ_TARGET_MSG(sendtxrcncl);
+FUZZ_TARGET_MSG(tx);
+FUZZ_TARGET_MSG(verack);
+FUZZ_TARGET_MSG(version);
+FUZZ_TARGET_MSG(wtxidrelay);
