fuzz: add fuzzers to test reader_util code

.gitignore

@@ -77,6 +77,8 @@
 /fuzz/fuzz_gcrypt_light
 /fuzz/fuzz_ndpi_reader_payload_analyzer
 /fuzz/fuzz_filecfg_protocols
+/fuzz/fuzz_readerutils_workflow
+/fuzz/fuzz_readerutils_parseprotolist
 /fuzz/fuzz_ndpi_reader_alloc_fail_seed_corpus.zip
 /fuzz/fuzz_ndpi_reader_seed_corpus.zip
 /fuzz/fuzz_quic_get_crypto_data_seed_corpus.zip
@@ -100,6 +102,8 @@
 /fuzz/fuzz_filecfg_protocols_seed_corpus.zip
 /fuzz/fuzz_dga_seed_corpus.zip
 /fuzz/fuzz_ndpi_reader_payload_analyzer_seed_corpus.zip
+/fuzz/fuzz_readerutils_workflow_seed_corpus.zip
+/fuzz/fuzz_readerutils_parseprotolist_seed_corpus.zip
 /fuzz/fuzz_*.dict
 /influxdb/Makefile
 /install-sh

example/reader_util.c

@@ -436,7 +436,7 @@ int parse_proto_name_list(char *str, NDPI_PROTOCOL_BITMASK *bitmask, int inverte
     }
     proto = ndpi_get_proto_id(module, n);
     if(proto == NDPI_PROTOCOL_UNKNOWN && strcmp(n,"unknown") && strcmp(n,"0")) {
-      fprintf(stderr,"Invalid protocol %s\n",n);
+      LOG(NDPI_LOG_ERROR, "Invalid protocol %s\n", n);
       ndpi_exit_detection_module(module);
       return 1;
     }
@@ -475,7 +475,7 @@ struct ndpi_workflow* ndpi_workflow_init(const struct ndpi_workflow_prefs * pref
   workflow = ndpi_calloc(1, sizeof(struct ndpi_workflow));
   if(workflow == NULL) {
     LOG(NDPI_LOG_ERROR, "global structure initialization failed\n");
-    ndpi_free(module);
+    ndpi_exit_detection_module(module);
     return NULL;
   }
 
@@ -489,8 +489,11 @@ struct ndpi_workflow* ndpi_workflow_init(const struct ndpi_workflow_prefs * pref
 
   if(_debug_protocols != NULL && ! _debug_protocols_ok) {
     NDPI_BITMASK_RESET(debug_bitmask);
-    if(parse_proto_name_list(_debug_protocols, &debug_bitmask, 0))
-      exit(-1);
+    if(parse_proto_name_list(_debug_protocols, &debug_bitmask, 0)) {
+      ndpi_exit_detection_module(module);
+      ndpi_free(workflow);
+      return NULL;
+    }
     _debug_protocols_ok = 1;
   }
   if(_debug_protocols_ok)

example/reader_util.h

@@ -93,6 +93,10 @@ extern int dpdk_port_deinit(int port);
 #define SERIALIZATION_BUFSIZ     (8192 * 2)
 
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 // inner hash table (ja3 -> security state)
 typedef struct ndpi_ja3_info {
   char * ja3;
@@ -408,6 +412,7 @@ void ndpi_flow_info_free_data(struct ndpi_flow_info *flow);
 void ndpi_flow_info_freer(void *node);
 const char* print_cipher_id(u_int32_t cipher);
 double ndpi_flow_get_byte_count_entropy(const uint32_t byte_count[256], unsigned int num_bytes);
+int parse_proto_name_list(char *str, NDPI_PROTOCOL_BITMASK *bitmask, int inverted_logic);
 
 extern int nDPI_LogLevel;
 
@@ -425,4 +430,8 @@ extern int nDPI_LogLevel;
 #define LINKTYPE_LINUX_SLL2 276
 #endif
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif

fuzz/Makefile.am

@@ -9,6 +9,8 @@ bin_PROGRAMS += fuzz_libinjection
 bin_PROGRAMS += fuzz_gcrypt_light
 #Configuration files
 bin_PROGRAMS += fuzz_filecfg_protocols
+#Reader utils
+bin_PROGRAMS += fuzz_readerutils_workflow fuzz_readerutils_parseprotolist
 
 fuzz_process_packet_SOURCES = fuzz_process_packet.c fuzz_common_code.c
 fuzz_process_packet_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
@@ -393,6 +395,36 @@ fuzz_filecfg_protocols_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
     $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
     $(fuzz_filecfg_protocols_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
 
+fuzz_readerutils_workflow_SOURCES = fuzz_readerutils_workflow.cpp fuzz_common_code.c ../example/reader_util.c
+fuzz_readerutils_workflow_CXXFLAGS = -I../example/ @NDPI_CFLAGS@ $(CXXFLAGS)
+fuzz_readerutils_workflow_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
+fuzz_readerutils_workflow_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
+fuzz_readerutils_workflow_LDFLAGS = $(PCAP_LIB) $(LIBS)
+if HAS_FUZZLDFLAGS
+fuzz_readerutils_workflow_CXXFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_readerutils_workflow_CFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_readerutils_workflow_LDFLAGS += $(LIB_FUZZING_ENGINE)
+endif
+# force usage of CXX for linker
+fuzz_readerutils_workflow_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+    $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
+    $(fuzz_readerutils_workflow_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
+
+fuzz_readerutils_parseprotolist_SOURCES = fuzz_readerutils_parseprotolist.cpp fuzz_common_code.c ../example/reader_util.c
+fuzz_readerutils_parseprotolist_CXXFLAGS = -I../example/ @NDPI_CFLAGS@ $(CXXFLAGS)
+fuzz_readerutils_parseprotolist_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
+fuzz_readerutils_parseprotolist_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
+fuzz_readerutils_parseprotolist_LDFLAGS = $(PCAP_LIB) $(LIBS)
+if HAS_FUZZLDFLAGS
+fuzz_readerutils_parseprotolist_CXXFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_readerutils_parseprotolist_CFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_readerutils_parseprotolist_LDFLAGS += $(LIB_FUZZING_ENGINE)
+endif
+# force usage of CXX for linker
+fuzz_readerutils_parseprotolist_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+    $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
+    $(fuzz_readerutils_parseprotolist_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
+
 
 # required for Google oss-fuzz
 # see https://github.com/google/oss-fuzz/tree/master/projects/ndpi
@@ -502,7 +534,17 @@ files_corpus_fuzz_filecfg_protocols :=  $(wildcard corpus/fuzz_filecfg_protocols
 fuzz_filecfg_protocols_seed_corpus.zip: $(files_corpus_fuzz_filecfg_protocols)
 	zip -j fuzz_filecfg_protocols_seed_corpus.zip $(files_corpus_fuzz_filecfg_protocols)
 
-corpus: fuzz_ndpi_reader_seed_corpus.zip fuzz_ndpi_reader_alloc_fail_seed_corpus.zip fuzz_ndpi_reader_payload_analyzer_seed_corpus.zip fuzz_quic_get_crypto_data_seed_corpus.zip fuzz_config_seed_corpus.zip fuzz_ds_patricia_seed_corpus.zip fuzz_ds_ahocorasick_seed_corpus.zip fuzz_alg_ses_des_seed_corpus.zip fuzz_alg_hw_rsi_outliers_da_seed_corpus.zip fuzz_alg_bins_seed_corpus.zip fuzz_alg_hll_seed_corpus.zip fuzz_alg_jitter_seed_corpus.zip fuzz_ds_libcache_seed_corpus.zip fuzz_community_id_seed_corpus.zip fuzz_ds_tree_seed_corpus.zip fuzz_serialization_seed_corpus.zip fuzz_ds_ptree_seed_corpus.zip fuzz_alg_crc32_md5_seed_corpus.zip fuzz_alg_bytestream_seed_corpus.zip fuzz_libinjection_seed_corpus.zip fuzz_tls_certificate_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip
+files_corpus_fuzz_readerutils_workflow :=  $(wildcard corpus/fuzz_readerutils_workflow/*)
+
+fuzz_readerutils_workflow_seed_corpus.zip: $(files_corpus_fuzz_readerutils_workflow)
+	zip -j fuzz_readerutils_workflow_seed_corpus.zip $(files_corpus_fuzz_readerutils_workflow)
+
+files_corpus_fuzz_readerutils_parseprotolist :=  $(wildcard corpus/fuzz_readerutils_parseprotolist/*)
+
+fuzz_readerutils_parseprotolist_seed_corpus.zip: $(files_corpus_fuzz_readerutils_parseprotolist)
+	zip -j fuzz_readerutils_parseprotolist_seed_corpus.zip $(files_corpus_fuzz_readerutils_parseprotolist)
+
+corpus: fuzz_ndpi_reader_seed_corpus.zip fuzz_ndpi_reader_alloc_fail_seed_corpus.zip fuzz_ndpi_reader_payload_analyzer_seed_corpus.zip fuzz_quic_get_crypto_data_seed_corpus.zip fuzz_config_seed_corpus.zip fuzz_ds_patricia_seed_corpus.zip fuzz_ds_ahocorasick_seed_corpus.zip fuzz_alg_ses_des_seed_corpus.zip fuzz_alg_hw_rsi_outliers_da_seed_corpus.zip fuzz_alg_bins_seed_corpus.zip fuzz_alg_hll_seed_corpus.zip fuzz_alg_jitter_seed_corpus.zip fuzz_ds_libcache_seed_corpus.zip fuzz_community_id_seed_corpus.zip fuzz_ds_tree_seed_corpus.zip fuzz_serialization_seed_corpus.zip fuzz_ds_ptree_seed_corpus.zip fuzz_alg_crc32_md5_seed_corpus.zip fuzz_alg_bytestream_seed_corpus.zip fuzz_libinjection_seed_corpus.zip fuzz_tls_certificate_seed_corpus.zip fuzz_filecfg_protocols_seed_corpus.zip fuzz_readerutils_workflow_seed_corpus.zip fuzz_readerutils_parseprotolist_seed_corpus.zip
 	cp corpus/fuzz_*seed_corpus.zip .
 
 #Create dictionaries exactly as expected by oss-fuzz.
@@ -529,6 +571,8 @@ distdir:
 		-o -path './corpus/fuzz_*.zip' \
 		-o -path './corpus/fuzz_quic_get_crypto_data/*' \
 		-o -path './corpus/fuzz_filecfg_protocols/*' \
+		-o -path './corpus/fuzz_readerutils_workflow/*' \
+		-o -path './corpus/fuzz_readerutils_parseprotolist/*' \
 		-o -path './corpus/fuzz_config/*' \
 		-o -path './corpus/fuzz_serialization/*' \
 		-o -path './corpus/fuzz_community_id/*' \

fuzz/corpus/fuzz_readerutils_parseprotolist/1

@@ -0,0 +1 @@
+all

fuzz/corpus/fuzz_readerutils_parseprotolist/10

@@ -0,0 +1 @@
+foo

fuzz/corpus/fuzz_readerutils_parseprotolist/10a91a2248f2b25b29d2fd4c06ffba567db5858b

@@ -0,0 +1 @@
+-,"ovpn,"

fuzz/corpus/fuzz_readerutils_parseprotolist/11

@@ -0,0 +1 @@
+ foo

fuzz/corpus/fuzz_readerutils_parseprotolist/12

@@ -0,0 +1 @@
+foo bar

fuzz/corpus/fuzz_readerutils_parseprotolist/13

@@ -0,0 +1 @@
+-openvpn

fuzz/corpus/fuzz_readerutils_parseprotolist/14

@@ -0,0 +1 @@
+-openvpn;

fuzz/corpus/fuzz_readerutils_parseprotolist/15

@@ -0,0 +1 @@
+-openvpn;all

fuzz/corpus/fuzz_readerutils_parseprotolist/16

@@ -0,0 +1 @@
+-http\t--dns

fuzz/corpus/fuzz_readerutils_parseprotolist/2

@@ -0,0 +1 @@
+all;

fuzz/corpus/fuzz_readerutils_parseprotolist/237cc011e3270d9ad91c0066c26b1d07f79df7f5

@@ -0,0 +1 @@
+-ovpn

fuzz/corpus/fuzz_readerutils_parseprotolist/3

@@ -0,0 +1 @@
+quic;http

fuzz/corpus/fuzz_readerutils_parseprotolist/35220b50f5998387245b2d7c5ee06f64823cfb3d

@@ -0,0 +1 @@
+quic;„p,

fuzz/corpus/fuzz_readerutils_parseprotolist/3caf6ff7a958dd5f6cc611a0b79857c1ceefb096

@@ -0,0 +1 @@
+-ovpn

fuzz/corpus/fuzz_readerutils_parseprotolist/4

@@ -0,0 +1 @@
+quic;http,

fuzz/corpus/fuzz_readerutils_parseprotolist/5

@@ -0,0 +1 @@
+,quic;http,

fuzz/corpus/fuzz_readerutils_parseprotolist/535c91faaf0c9f9f3d9b6a5c1acee798aba92477

@@ -0,0 +1 @@
+alq

fuzz/corpus/fuzz_readerutils_parseprotolist/59cf709399be499c5f24a1aabf348606cf37694b

@@ -0,0 +1 @@
+all;all;

fuzz/corpus/fuzz_readerutils_parseprotolist/6

@@ -0,0 +1 @@
+,quic;http,+all

fuzz/corpus/fuzz_readerutils_parseprotolist/6e7fd6ebc1ab69ef3a5077ccbe3d69677fea1a09

@@ -0,0 +1 @@
+quic;tthttp,

fuzz/corpus/fuzz_readerutils_parseprotolist/7

@@ -0,0 +1 @@
+,quic;http,-all

fuzz/corpus/fuzz_readerutils_parseprotolist/7b8f11484a99cf70a6f7b4a0d1a5e753e11775e5

@@ -0,0 +1 @@
+,quic;http,-a

fuzz/corpus/fuzz_readerutils_parseprotolist/8

@@ -0,0 +1 @@
+all,+dns

fuzz/corpus/fuzz_readerutils_parseprotolist/8ef6d0f838b137c837743eb02376351acf7c19cf

@@ -0,0 +1 @@
+-,"ovpn,"

fuzz/corpus/fuzz_readerutils_parseprotolist/9

@@ -0,0 +1 @@
+all,unknown

fuzz/corpus/fuzz_readerutils_parseprotolist/a0509ba2816a7e772f4d27f616ac57994243a32e

@@ -0,0 +1 @@
+quic,

fuzz/corpus/fuzz_readerutils_parseprotolist/aee9fd2b3dc7c4b0892c1b0e759a58a47637acc2

@@ -0,0 +1,2 @@
+all,+dns
+)

fuzz/corpus/fuzz_readerutils_parseprotolist/b7ae8aa291fc5824c9d3291f2fb99cb8efd4d45c

@@ -0,0 +1 @@
+OICQ foo

fuzz/corpus/fuzz_readerutils_parseprotolist/d749a82ff4b833b3f96693aae60f310ed6c79d6e

@@ -0,0 +1 @@
+qalulij

fuzz/corpus/fuzz_readerutils_parseprotolist/daad5285c5ce44e7d78003fa9f809dc779aace50

@@ -0,0 +1 @@
+lal

fuzz/fuzz_readerutils_parseprotolist.cpp

@@ -0,0 +1,49 @@
+#include "ndpi_api.h"
+#include "fuzz_common_code.h"
+#include "reader_util.h"
+
+#include <stdint.h>
+#include <stdio.h>
+#include "fuzzer/FuzzedDataProvider.h"
+
+char *_debug_protocols;
+int nDPI_LogLevel = 0;
+u_int32_t current_ndpi_memory = 0, max_ndpi_memory = 0;
+u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0;
+u_int8_t enable_flow_stats = 0;
+u_int8_t human_readeable_string_len = 5;
+u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
+ndpi_init_prefs init_prefs = ndpi_track_flow_payload | ndpi_enable_ja3_plus | ndpi_enable_tcp_ack_payload_heuristic;
+int enable_malloc_bins = 0;
+int malloc_size_stats = 0;
+int max_malloc_bins = 14;
+struct ndpi_bin malloc_bins; /* unused */
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  FuzzedDataProvider fuzzed_data(data, size);
+  int inverted_logic;
+  NDPI_PROTOCOL_BITMASK bitmask;
+  char *str;
+
+  /* To allow memory allocation failures */
+  fuzz_set_alloc_callbacks_and_seed(size);
+
+  inverted_logic = size % 2; /* pseudo-random */
+  if(inverted_logic) {
+    NDPI_BITMASK_SET_ALL(bitmask);
+  } else {
+    NDPI_BITMASK_RESET(bitmask);
+  }
+
+  str = (char *)ndpi_malloc(size + 1); /* We need a null-terminated string */
+  if(str) {
+    memcpy(str, data, size);
+    str[size] = '\0';
+
+    parse_proto_name_list(str, &bitmask, inverted_logic);
+
+    ndpi_free(str);
+  }
+  return 0;
+}

fuzz/fuzz_readerutils_workflow.cpp

@@ -0,0 +1,111 @@
+#include "ndpi_api.h"
+#include "fuzz_common_code.h"
+#include "reader_util.h"
+
+#include <stdint.h>
+#include <stdio.h>
+#include "fuzzer/FuzzedDataProvider.h"
+
+extern u_int8_t enable_doh_dot_detection;
+
+char *_debug_protocols;
+int nDPI_LogLevel = 0;
+u_int32_t current_ndpi_memory = 0, max_ndpi_memory = 0;
+u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0;
+u_int8_t enable_flow_stats = 0;
+u_int8_t human_readeable_string_len = 5;
+u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
+ndpi_init_prefs init_prefs = ndpi_track_flow_payload | ndpi_enable_ja3_plus | ndpi_enable_tcp_ack_payload_heuristic;
+int enable_malloc_bins = 0;
+int malloc_size_stats = 0;
+int max_malloc_bins = 14;
+struct ndpi_bin malloc_bins; /* unused */
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  FuzzedDataProvider fuzzed_data(data, size);
+  ndpi_workflow *w;
+  struct ndpi_workflow_prefs prefs;
+  pcap_t *pcap_handle;
+  ndpi_serialization_format serialization_format;
+  NDPI_PROTOCOL_BITMASK enabled_bitmask;
+  ndpi_risk flow_risk;
+  const u_char *pkt;
+  struct pcap_pkthdr *header;
+  int r;
+  char errbuf[PCAP_ERRBUF_SIZE];
+  FILE *fd;
+  u_int8_t debug_protos_index;
+  const char *strs[] = { "all",
+			 "dns,quic",
+			 "+dns:-quic",
+			 "all;-http",
+			 "foo",
+			 "openvpn",
+			 "+bar;-foo",
+			 NULL,
+			 "http;bar" };
+
+
+  /* Data structure: 8 bytes header for random values + pcap file */
+  if(size < 8)
+    return 0; 
+
+  /* To allow memory allocation failures */
+  fuzz_set_alloc_callbacks_and_seed(size);
+
+  prefs.decode_tunnels = fuzzed_data.ConsumeBool();
+  prefs.quiet_mode = fuzzed_data.ConsumeBool();
+  prefs.ignore_vlanid = fuzzed_data.ConsumeBool();
+  prefs.num_roots = fuzzed_data.ConsumeIntegral<u_int8_t>();
+  if(prefs.num_roots == 0)
+    prefs.num_roots = 1;
+  prefs.max_ndpi_flows = fuzzed_data.ConsumeIntegral<u_int8_t>();
+
+  serialization_format = static_cast<ndpi_serialization_format>(fuzzed_data.ConsumeIntegralInRange(1, 4));
+
+  debug_protos_index = fuzzed_data.ConsumeIntegralInRange(0,  static_cast<int>(sizeof(strs) / sizeof(char *) - 1));
+  _debug_protocols = ndpi_strdup(strs[debug_protos_index]);
+
+  /* byte8 is still unused */
+
+  enable_doh_dot_detection = 1;
+
+  fd = buffer_to_file(data + 8, size - 8);
+  if(fd == NULL) {
+    ndpi_free(_debug_protocols);
+    return 0;
+  }
+
+  pcap_handle = pcap_fopen_offline(fd, errbuf);
+  if(pcap_handle == NULL) {
+    fclose(fd);
+    ndpi_free(_debug_protocols);
+    return 0;
+  }
+  if(ndpi_is_datalink_supported(pcap_datalink(pcap_handle)) == 0) {
+    pcap_close(pcap_handle);
+    ndpi_free(_debug_protocols);
+    return 0;
+  }
+
+  w = ndpi_workflow_init(&prefs, pcap_handle, 1, serialization_format);
+  if(w) {
+    NDPI_BITMASK_SET_ALL(enabled_bitmask);
+    ndpi_set_protocol_detection_bitmask2(w->ndpi_struct, &enabled_bitmask);
+    ndpi_finalize_initialization(w->ndpi_struct);
+
+    header = NULL;
+    r = pcap_next_ex(pcap_handle, &header, &pkt);
+    while (r > 0) {
+      ndpi_workflow_process_packet(w, header, pkt, &flow_risk);
+      r = pcap_next_ex(pcap_handle, &header, &pkt);
+    }
+
+    ndpi_workflow_free(w);
+  }
+  pcap_close(pcap_handle);
+
+  ndpi_free(_debug_protocols);
+
+  return 0;
+}

src/lib/ndpi_domain_classify.c

@@ -35,7 +35,10 @@
 ndpi_domain_classify* ndpi_domain_classify_alloc() {
   int i;
   ndpi_domain_classify *cat = (ndpi_domain_classify*)ndpi_malloc(sizeof(ndpi_domain_classify));
-
+
+  if(!cat)
+    return NULL;
+
   for(i=0; i<MAX_NUM_NDPI_DOMAIN_CLASSIFICATIONS; i++)
     cat->classes[i].class_id = 0, cat->classes[i].domains = NULL;