From 20557738a00a17ddb5ae591513cef8c458feec5c Mon Sep 17 00:00:00 2001 
From: Marten Seemann Date: Thu, 22 Aug 2019 12:53:08 +0700 Subject: [PATCH] fuzz the frame parser --- .travis/fuzzit.sh | 18 +- fuzzing/frames/corpus/multiple-frames-0 | Bin 0 -> 698 bytes fuzzing/frames/corpus/multiple-frames-1 | Bin 0 -> 288 bytes fuzzing/frames/corpus/multiple-frames-10 | Bin 0 -> 200 bytes fuzzing/frames/corpus/multiple-frames-11 | Bin 0 -> 42 bytes fuzzing/frames/corpus/multiple-frames-12 | Bin 0 -> 134 bytes fuzzing/frames/corpus/multiple-frames-13 | Bin 0 -> 222 bytes fuzzing/frames/corpus/multiple-frames-14 | Bin 0 -> 719 bytes fuzzing/frames/corpus/multiple-frames-15 | Bin 0 -> 193 bytes fuzzing/frames/corpus/multiple-frames-16 | Bin 0 -> 67 bytes fuzzing/frames/corpus/multiple-frames-17 | Bin 0 -> 201 bytes fuzzing/frames/corpus/multiple-frames-18 | Bin 0 -> 567 bytes fuzzing/frames/corpus/multiple-frames-19 | Bin 0 -> 127 bytes fuzzing/frames/corpus/multiple-frames-2 | Bin 0 -> 241 bytes fuzzing/frames/corpus/multiple-frames-20 | Bin 0 -> 93 bytes fuzzing/frames/corpus/multiple-frames-21 | Bin 0 -> 148 bytes fuzzing/frames/corpus/multiple-frames-22 | Bin 0 -> 139 bytes fuzzing/frames/corpus/multiple-frames-23 | Bin 0 -> 300 bytes fuzzing/frames/corpus/multiple-frames-24 | Bin 0 -> 289 bytes fuzzing/frames/corpus/multiple-frames-3 | 2 + fuzzing/frames/corpus/multiple-frames-4 | Bin 0 -> 161 bytes fuzzing/frames/corpus/multiple-frames-5 | Bin 0 -> 318 bytes fuzzing/frames/corpus/multiple-frames-6 | Bin 0 -> 273 bytes fuzzing/frames/corpus/multiple-frames-7 | Bin 0 -> 193 bytes fuzzing/frames/corpus/multiple-frames-8 | Bin 0 -> 179 bytes fuzzing/frames/corpus/multiple-frames-9 | Bin 0 -> 439 bytes fuzzing/frames/corpus/single-frame-0 | 1 + fuzzing/frames/corpus/single-frame-1 | 1 + fuzzing/frames/corpus/single-frame-10 | 1 + fuzzing/frames/corpus/single-frame-11 | 1 + fuzzing/frames/corpus/single-frame-12 | Bin 0 -> 8 bytes fuzzing/frames/corpus/single-frame-13 | Bin 0 -> 105 bytes fuzzing/frames/corpus/single-frame-14 | 1 + 
fuzzing/frames/corpus/single-frame-15 | 2 + fuzzing/frames/corpus/single-frame-16 | 1 + fuzzing/frames/corpus/single-frame-17 | 1 + fuzzing/frames/corpus/single-frame-18 | 1 + fuzzing/frames/corpus/single-frame-19 | 1 + fuzzing/frames/corpus/single-frame-2 | Bin 0 -> 57 bytes fuzzing/frames/corpus/single-frame-20 | 1 + fuzzing/frames/corpus/single-frame-21 | 1 + fuzzing/frames/corpus/single-frame-22 | 1 + fuzzing/frames/corpus/single-frame-23 | 1 + fuzzing/frames/corpus/single-frame-24 | 1 + fuzzing/frames/corpus/single-frame-25 | 1 + fuzzing/frames/corpus/single-frame-26 | 1 + fuzzing/frames/corpus/single-frame-27 | 1 + fuzzing/frames/corpus/single-frame-28 | 1 + fuzzing/frames/corpus/single-frame-29 | Bin 0 -> 5 bytes fuzzing/frames/corpus/single-frame-3 | 1 + fuzzing/frames/corpus/single-frame-30 | Bin 0 -> 109 bytes fuzzing/frames/corpus/single-frame-31 | Bin 0 -> 4 bytes fuzzing/frames/corpus/single-frame-32 | 2 + fuzzing/frames/corpus/single-frame-33 | 1 + fuzzing/frames/corpus/single-frame-34 | 1 + fuzzing/frames/corpus/single-frame-35 | Bin 0 -> 10 bytes fuzzing/frames/corpus/single-frame-36 | 1 + fuzzing/frames/corpus/single-frame-4 | 1 + fuzzing/frames/corpus/single-frame-5 | 1 + fuzzing/frames/corpus/single-frame-6 | Bin 0 -> 20 bytes fuzzing/frames/corpus/single-frame-7 | Bin 0 -> 87 bytes fuzzing/frames/corpus/single-frame-8 | Bin 0 -> 252 bytes fuzzing/frames/corpus/single-frame-9 | 1 + fuzzing/frames/fuzz.go | 76 ++++++ fuzzing/frames/main.go | 289 +++++++++++++++++++++++ 65 files changed, 408 insertions(+), 6 deletions(-) create mode 100644 fuzzing/frames/corpus/multiple-frames-0 create mode 100644 fuzzing/frames/corpus/multiple-frames-1 create mode 100644 fuzzing/frames/corpus/multiple-frames-10 create mode 100644 fuzzing/frames/corpus/multiple-frames-11 create mode 100644 fuzzing/frames/corpus/multiple-frames-12 create mode 100644 fuzzing/frames/corpus/multiple-frames-13 create mode 100644 fuzzing/frames/corpus/multiple-frames-14 create mode 
100644 fuzzing/frames/corpus/multiple-frames-15 create mode 100644 fuzzing/frames/corpus/multiple-frames-16 create mode 100644 fuzzing/frames/corpus/multiple-frames-17 create mode 100644 fuzzing/frames/corpus/multiple-frames-18 create mode 100644 fuzzing/frames/corpus/multiple-frames-19 create mode 100644 fuzzing/frames/corpus/multiple-frames-2 create mode 100644 fuzzing/frames/corpus/multiple-frames-20 create mode 100644 fuzzing/frames/corpus/multiple-frames-21 create mode 100644 fuzzing/frames/corpus/multiple-frames-22 create mode 100644 fuzzing/frames/corpus/multiple-frames-23 create mode 100644 fuzzing/frames/corpus/multiple-frames-24 create mode 100644 fuzzing/frames/corpus/multiple-frames-3 create mode 100644 fuzzing/frames/corpus/multiple-frames-4 create mode 100644 fuzzing/frames/corpus/multiple-frames-5 create mode 100644 fuzzing/frames/corpus/multiple-frames-6 create mode 100644 fuzzing/frames/corpus/multiple-frames-7 create mode 100644 fuzzing/frames/corpus/multiple-frames-8 create mode 100644 fuzzing/frames/corpus/multiple-frames-9 create mode 100644 fuzzing/frames/corpus/single-frame-0 create mode 100644 fuzzing/frames/corpus/single-frame-1 create mode 100644 fuzzing/frames/corpus/single-frame-10 create mode 100644 fuzzing/frames/corpus/single-frame-11 create mode 100644 fuzzing/frames/corpus/single-frame-12 create mode 100644 fuzzing/frames/corpus/single-frame-13 create mode 100644 fuzzing/frames/corpus/single-frame-14 create mode 100644 fuzzing/frames/corpus/single-frame-15 create mode 100644 fuzzing/frames/corpus/single-frame-16 create mode 100644 fuzzing/frames/corpus/single-frame-17 create mode 100644 fuzzing/frames/corpus/single-frame-18 create mode 100644 fuzzing/frames/corpus/single-frame-19 create mode 100644 fuzzing/frames/corpus/single-frame-2 create mode 100644 fuzzing/frames/corpus/single-frame-20 create mode 100644 fuzzing/frames/corpus/single-frame-21 create mode 100644 fuzzing/frames/corpus/single-frame-22 create mode 100644 
fuzzing/frames/corpus/single-frame-23 create mode 100644 fuzzing/frames/corpus/single-frame-24 create mode 100644 fuzzing/frames/corpus/single-frame-25 create mode 100644 fuzzing/frames/corpus/single-frame-26 create mode 100644 fuzzing/frames/corpus/single-frame-27 create mode 100644 fuzzing/frames/corpus/single-frame-28 create mode 100644 fuzzing/frames/corpus/single-frame-29 create mode 100644 fuzzing/frames/corpus/single-frame-3 create mode 100644 fuzzing/frames/corpus/single-frame-30 create mode 100644 fuzzing/frames/corpus/single-frame-31 create mode 100644 fuzzing/frames/corpus/single-frame-32 create mode 100644 fuzzing/frames/corpus/single-frame-33 create mode 100644 fuzzing/frames/corpus/single-frame-34 create mode 100644 fuzzing/frames/corpus/single-frame-35 create mode 100644 fuzzing/frames/corpus/single-frame-36 create mode 100644 fuzzing/frames/corpus/single-frame-4 create mode 100644 fuzzing/frames/corpus/single-frame-5 create mode 100644 fuzzing/frames/corpus/single-frame-6 create mode 100644 fuzzing/frames/corpus/single-frame-7 create mode 100644 fuzzing/frames/corpus/single-frame-8 create mode 100644 fuzzing/frames/corpus/single-frame-9 create mode 100644 fuzzing/frames/fuzz.go create mode 100644 fuzzing/frames/main.go
diff --git a/.travis/fuzzit.sh b/.travis/fuzzit.sh
index 1ccf12d5a..0e5a03dbb 100755
--- a/.travis/fuzzit.sh
+++ b/.travis/fuzzit.sh
@@ -11,6 +11,10 @@ fi
 ## in the old style GOPATH way
 export GO111MODULE="off"
+## Install fuzzit
+wget -q -O fuzzit https://github.com/fuzzitdev/fuzzit/releases/download/v2.4.23/fuzzit_Linux_x86_64
+chmod a+x fuzzit
+
 ## Install go-fuzz
 go get -u github.com/dvyukov/go-fuzz/go-fuzz github.com/dvyukov/go-fuzz/go-fuzz-build
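Review bot: The fuzzit binary is fetched with `wget` and executed with no integrity check, so the CI job runs whatever is served at that release URL; the version is pinned but the contents are not. Verify the download against a known digest before the `chmod a+x fuzzit` line, e.g. `echo "<EXPECTED_SHA256>  fuzzit" | sha256sum -c -` (digest placeholder, to be taken from the release page). The `go get -u` lines here and in the next hunk likewise pull the latest go-fuzz and dependency revisions on every run, so a build break or a changed upstream shows up as a CI change rather than a reviewed commit; pinning them to a revision is the same fix one level up. The commit only moves the fuzzit install block, so this is pre-existing, but it is the right place to add the check.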
@@ -18,13 +22,15 @@ go get -u github.com/dvyukov/go-fuzz/go-fuzz github.com/dvyukov/go-fuzz/go-fuzz- go get -d -v -u ./... cd fuzzing/header - go-fuzz-build -libfuzzer -o fuzz-header.a . clang -fsanitize=fuzzer fuzz-header.a -o fuzz-header -## Install fuzzit -wget -q -O fuzzit https://github.com/fuzzitdev/fuzzit/releases/download/v2.4.23/fuzzit_Linux_x86_64 -chmod a+x fuzzit +cd ../frames +go-fuzz-build -libfuzzer -o fuzz-frames.a . +clang -fsanitize=fuzzer fuzz-frames.a -o fuzz-frames -# Create the job -./fuzzit create job --type ${FUZZING_TYPE} --branch ${BRANCH} --revision=${TRAVIS_COMMIT} quic-go/fuzz-header fuzz-header +cd ../.. + +# Create the jobs +./fuzzit create job --type ${FUZZING_TYPE} --branch ${BRANCH} --revision=${TRAVIS_COMMIT} quic-go/fuzz-header fuzzing/header/fuzz-header +./fuzzit create job --type ${FUZZING_TYPE} --branch ${BRANCH} --revision=${TRAVIS_COMMIT} quic-go/fuzz-frames fuzzing/frames/fuzz-frames diff --git a/fuzzing/frames/corpus/multiple-frames-0 b/fuzzing/frames/corpus/multiple-frames-0 new file mode 100644 index 0000000000000000000000000000000000000000..1371b4527db0c16efcec2892f229ad6e088758f0 GIT binary patch literal 698 zcmV;r0!96?7c~){WIPc6|NsC0|Ns9SN5}v`WajT$q{h}`j6Jd%r<8|jwRoY&)af@> zh?sM)X=&Ka5fM7GzSomzTyf+ktXT;(RX|bZua9ilt$x;y(4#5eM)7Dh_hRg3<;~vf zzn91|9frV$X;m=K|!4A^sptoi%^}frJ3S&QSD~yvrmSmH32n zEk`kn00P3{WN5zU+ROnNz^q~|lx|AEz#|(~OymLj!1Z|lOU&kEz`Nfgpj3Y%zzc%0 z`Y)%^zyZ5Jxq5@j zzyJZZ;g1$dzyJSwP+zyJUPUyZv-s%uBugvh&o zg2_p}fv}UpgQs5lh+X~afIAh*fE&S`fI8vMfGV@(fOpsofCfVSfCbkUfCG0;QQLq3 zn;T3YM&MT)bst|^PM=1lL7+foKyd>D1^_^0Y&I0epPYg`Tk;{tCh4h*@-zWB(jnSY z-c-o72KhgJ0m~HEl*QiWjAt^O9XzSD)B6w_xp)>KBWuAc`o$-Jb$O37OJ|zeCa^BAR)nTYGcl@3KKdPBzp}eR(*I zp`Kj+gCS#em?qyj_%mr-qAI3Ql}M1h+|OpMJ#(nxtDl31eI`4*C-uBZd)8D(P0NNV zwB2Z%piK>~XrP1ErRa3T9OSNco!zz}!3`>9SB+s8qrBBxm7md)1j6ILtl;JY3w!`+ gxqN91m^8vDDY~1~|EaH78EcrOa5*IKdbK?;}V01QFPKfB?dU64yKz z@jIZQ+t;#?;B?PyiogahvVa2J*+&II>p-SJpcfqk4FmukOs)WJNqX1- literal 0 HcmV?d00001 
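Review bot: The added `cd ../frames` and `cd ../..` lines are unguarded, so unless the script runs under `set -e` (its header is outside this chunk) a failed `cd` would leave `go-fuzz-build` and `clang` running in the wrong directory and the job submitted with a stale artifact; `cd ../frames || exit 1` makes the intent explicit either way. The two `./fuzzit create job` lines also share every flag except the target pair, so a small loop over the target names would keep them from drifting apart as more fuzz targets are added.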
diff --git a/fuzzing/frames/corpus/multiple-frames-10 b/fuzzing/frames/corpus/multiple-frames-10 new file mode 100644 index 0000000000000000000000000000000000000000..a264d1b81cdb1c3be3b712b63406135cf9e593f3 GIT binary patch literal 200 zcmV;(05|{Y3?Bdg|NsC0|Nmw}p83!{yQ8Kc9kkG2)&LeA000aHt9zppY_g_3Q2fht zzwqtY%?HJv@hVO@KFQ`g@v~2Bs`TjxQPKAP7YpcCHlcYeJ~%EK3eX%zp#T6KDL`Z( zGke^^l3o=22By9w1a+|FG;~%Vlb5-}sgbn|YGrW*u;4O%_(3Q!^?CBkE#mk4%WL*& z9I6j`K)*TUF=g7V35W>iGQP82oMo7;x3DvGN2Q`5%tup8?v|@#Y`Th{Ol05{K?fQl CKVuXC literal 0 HcmV?d00001 diff --git a/fuzzing/frames/corpus/multiple-frames-11 b/fuzzing/frames/corpus/multiple-frames-11 new file mode 100644 index 0000000000000000000000000000000000000000..583723eefea6fdc51686999122dff7dabe74fb46 GIT binary patch literal 42 fcmb;xWcUvSoM9IjL|`1*md~a|3@koNbYUU@T-Y5H literal 0 HcmV?d00001 diff --git a/fuzzing/frames/corpus/multiple-frames-12 b/fuzzing/frames/corpus/multiple-frames-12 new file mode 100644 index 0000000000000000000000000000000000000000..f4aa432f48068d71d9ed1705c5fc85f543874b37 GIT binary patch literal 134 zcmXq!G-Kdl`ws=1%hX#KMa+$OD#Z7Eh+<`%QO{9nl-_;UQ>VnOaKD_S;?f^IiLUle z>d*dKNvq9DQmnl9%IfU0*`~|mKL+YOp3BLv;ileY!@$n9qib#diI()I^BpA`QzyS^ k*mUw6OV=E!ax1RzNV)Ury}~6~flAgQ9~p!uW)zPx# literal 0 HcmV?d00001 diff --git a/fuzzing/frames/corpus/multiple-frames-13 b/fuzzing/frames/corpus/multiple-frames-13 new file mode 100644 index 0000000000000000000000000000000000000000..d2e06b87efbc521d8e8d4545b6cb44cbfb0312bb GIT binary patch literal 222 zcmV<403rW_3AVI*9uAI8(%%U5=w+gx4)0UC>+u~u=bZKmI35Bi>|t-n(MqmSAYz08 zVDOSF;W=06#TY}>zZ};~oA=h7%@gm^L%$5JeWg#$fDCP_pnLN(iCLn{uWyXepBp3; zeUvWZm=I(6NEUs_9YsSxWF{~W%H8^{!0n^_Gw3mhY2R3#8k2Hh_p=b=LM))H8h7xQt1t0)70Lbrc2mk;8 literal 0 HcmV?d00001 
diff --git a/fuzzing/frames/corpus/multiple-frames-14 b/fuzzing/frames/corpus/multiple-frames-14 new file mode 100644 index 0000000000000000000000000000000000000000..e87b05ae618c85f79d8b8e9abb9dccd06558e946 GIT binary patch literal 719 zcmb;u%_#m41u_%sq?{NWQns8r=O`zfaG3j*wVeE1|2zhV;`iH4C4w8LXaC|8@mia5 zL8^zT`t#HKo#xyZU|_lIV4i4nxmxm|OVtbU4QH+$%;PDq z7Zi^^=)b}F+{xRU4k%Sl5R6a@JD}`y(bh&s;sCb^|9np7!ULxB{8!X`{eOUcwL(*1 zQyv4;kt=Uk-!Nv}&meTz`ijQNx2wDlyw&$fO5^A{F!A{HWS6|}2RQYvKTa?CcYre6HCx?RiJ7T~ZHlUKeHm4+Xr|bDqZJoz`7>&Qqyz8Q;v35|hbHt&_FQZuf zqqfCSx|GBFkN3pn*r}U-&+@;uzN_f@Zn4Qi5|x+J1`(&73_M%%+qC{e!KUZs372KO7Jg=vZGYlj O%m5+9T?`ooa%=&$&>*e= literal 0 HcmV?d00001 diff --git a/fuzzing/frames/corpus/multiple-frames-17 b/fuzzing/frames/corpus/multiple-frames-17 new file mode 100644 index 0000000000000000000000000000000000000000..05840c0c6465fd4efd0e6b4df1ea67df67ba8d48 GIT binary patch literal 201 zcmdleSQ7Rh3K*Dfxjpti_994@f#uM#+$TD97d9U|FA;xm^@I4sR;M*?@Q6sCJUCTI zZLMkJp+zqapPXPHe}I|e@%a{4y@Q;^<|X#L+Yd1K^qx4c{_OzsmNn}x-^h|MG!!&y z*xkai(^cwi-u+6k*_>ii1RkC=JUBTm$H8NXyN_&X7?K-!91pK~V$pml?>}E7clD3L v1G?gpXVTZGNpI##mCBKvbWwJ-V2avR_90~w literal 0 HcmV?d00001 diff --git a/fuzzing/frames/corpus/multiple-frames-18 b/fuzzing/frames/corpus/multiple-frames-18 new file mode 100644 index 0000000000000000000000000000000000000000..6b0411cb6b60eb445390205439b42a0d28fa0661 GIT binary patch literal 567 zcmeBXIy5i!sQ8|y=L}+p@;2=#Xytx-fSJFFHUH%61A@z@99QkEIUx0Y+qb3fG!8H@ zUEE#xXzKw6#?32dTk0HOV2DbMmeK>#?Ax!$ego2Mk3@D)1JYK{TKX>lX{L(VTb2T8 z4wrZSOMo=<|GdTbK>Tdp?P(x>t`=V`kY?D?E!fe=@>w6mE}gaa=0u~Fhe7PQER|D1 zbWJ+zMG!s9Xx_A@ZH<-<>f3@Fc&GeqU{2W8z?%J|fpNW314C>@14F1l#Vv0qx0YaL zhdif84n7WX)()W>=F+TU4ASNA8Tkb_tukUdcf?@Fzb7?y4UA%!Sq^Nv&cL>BQ}*d6 zEYlnVnw1WQ8(md75x4rlkx!esZXbVkfJv6egZcRO1H7y9GwWyb9$@sI%KN$I_W=f> V>Ech{=^kKUzINxM-;og%lmLxE>81bx literal 0 HcmV?d00001 
diff --git a/fuzzing/frames/corpus/multiple-frames-19 b/fuzzing/frames/corpus/multiple-frames-19 new file mode 100644 index 0000000000000000000000000000000000000000..d26e7929fbdcce5e7bf45edd40fe4735e0a321b4 GIT binary patch literal 127 zcmV-_0D%7@8Vitccru#$n;lqfKxAE|&(>uYjFu>NI=f!njk8e!1Hbf%eGGW6?jART zMVzC@$`69V8Z7w37e88XVy6`6L5OK$b_e$7ZtHm@rZZYT(|QtTBjQEt^#jH@pb@bS hIRI1YJ_>X(QAqx!Rkax^CZGoju<3fWgz%o5P6ateILrV5 literal 0 HcmV?d00001 diff --git a/fuzzing/frames/corpus/multiple-frames-2 b/fuzzing/frames/corpus/multiple-frames-2 new file mode 100644 index 0000000000000000000000000000000000000000..1e46b2ec3985158b52076d5df80d87eee27e9ae9 GIT binary patch literal 241 zcmcb?^wK{r!6(jmb^{~tLzbIUaxZ*Ya=-eZi_bnr8I}8oE~LHgH=k5}+W6<^E6-Q% zI3OIe=Y06P`3F=BwN)doa30VR3A8WWSa5*VVdLIEJfR0z@1}UwvRsf^$9L@!gG0)O zx7&?^)B9pW8C5B<^Y-I4GimMyz}`>r($D!<>D8EyK#JNy#!-F87%o9nx#ER!jE zxl(!G#WjgXAF`=VuoRc}D!iwmGTq+xa@ExoPWh~q4Xlr!wM$GsBfZ>cS^kr!)%@|o o4APr6OwT*A_WwUgBhJ3J2RVflMP>g(foS;j5`PgGk3pOp030=WF8}}l literal 0 HcmV?d00001 diff --git a/fuzzing/frames/corpus/multiple-frames-20 b/fuzzing/frames/corpus/multiple-frames-20 new file mode 100644 index 0000000000000000000000000000000000000000..2a0ab65d67748721aad427ad5508a48c2123653f GIT binary patch literal 93 zcmV-j0HXi16J(+Q6J(+S#>XB1q?^h!0R+PY_9l*U-pj!TEgVaG*^0sfyp;kiRv^GP zJNYYbr-{HSFwje|{`$Zt*Ufpto&vxf5?0+_+*!Z|Ah=(>epSE%MUiYWlmHYozuGC? literal 0 HcmV?d00001 diff --git a/fuzzing/frames/corpus/multiple-frames-21 b/fuzzing/frames/corpus/multiple-frames-21 new file mode 100644 index 0000000000000000000000000000000000000000..b58536811844ae7ebe3fda92562b1647d7a15d37 GIT binary patch literal 148 zcmV;F0Biqs7*e!JS_Fv9^a0wp;%3V-f-^d7g7hnk=rIEJe$U~wKUc>A0L%~j&ZHLW z*aV4716O8o(!s&oORfJ_~DB~YcT@>bPdWa%avEA7ADzD zfhrQC?n|i+&S}~f4>1|Z)b=#r&CZb~ne?j`^vAoDfvEdtckU?Z0YQUai#~=an7C2R Cg-Bii literal 0 HcmV?d00001 
diff --git a/fuzzing/frames/corpus/multiple-frames-22 b/fuzzing/frames/corpus/multiple-frames-22 new file mode 100644 index 0000000000000000000000000000000000000000..0931891f947e39b94d8b3f6f7b12a11d0ac8e994 GIT binary patch literal 139 zcma!G=MrqGbhoXn&cCZ9@E;09#jN0LMp;FN6xIVC8O`4I-)!RYdC&AW@T|)av^w#B zu3hKEbAFy_tA9-5)OBat^Db$I%=L-#(-j%Q7B8DKN3bR5qW7CNq1T6N;@or7bC<4~ iE5>iYzTM}KYG6f0^V$M+{aNOsua|E~yb>dlYzYA5SVCF= literal 0 HcmV?d00001 diff --git a/fuzzing/frames/corpus/multiple-frames-23 b/fuzzing/frames/corpus/multiple-frames-23 new file mode 100644 index 0000000000000000000000000000000000000000..ba8e0692d75b4e3110c630514fd44128c1edebc2 GIT binary patch literal 300 zcmbQr$s)**v_ZhJhIi6Dv8w+N@asTc@4XPF7vD=OSxl7oGq7CGQD1-NQ2L28XT(0Y zXtLZpB;fe6VM4LwA*ERz5kw)v#S?OW*%UudRoXe^ZEe>9l4;% z0gDeX@N=y-aQ!FC#U?rQF))CC%?VtcO^2GXp-(q)bB9@={sAz1DQy5QFlG!WJT4b+UpDJ&!_y6^ zU8|Qr#`SLL9nZ6HPJ%rnk&57Jv8QB}rs8T>p|cUKkKy^f?>Scxo&0kk01da_m=;U! z=&=9)=g#q)>l~0i3@vrvYKzUPj>zeSj1l;{Bb~Y<#`BZyATzI2GA~Fn!#+MffJPX& n$j?WdWM`uU3Ag}?rRhncI8=})WTe+GfJJs$1ic@}mmFlg1dWt3 literal 0 HcmV?d00001 diff --git a/fuzzing/frames/corpus/multiple-frames-3 b/fuzzing/frames/corpus/multiple-frames-3 new file mode 100644 index 000000000..e425cdaea --- /dev/null +++ b/fuzzing/frames/corpus/multiple-frames-3 @@ -0,0 +1,2 @@ + MVc1H+W@2mG3=( +;NW%Аuy$M \ No newline at end of file diff --git a/fuzzing/frames/corpus/multiple-frames-4 b/fuzzing/frames/corpus/multiple-frames-4 new file mode 100644 index 0000000000000000000000000000000000000000..1e4130722dd36351e1cf2b2c93d8c8e867ab8d12 GIT binary patch literal 161 zcmYdgl$hj@eGP;Kqp~V)9aX*jpYH`n;MJ8YSFZUH6DMY%{%QJC)r>&XM$-wx`V0aI zE5z#>7-W(H85l^=DYo04WhoCoXKq1cnSH~j&wWP@e6tMDSM>>r(Qk4p4)O{1*7&{r ZK+mF+$#)JpG1Vw*_o>_sQjY&>4*)EJMkoLP literal 0 HcmV?d00001 
diff --git a/fuzzing/frames/corpus/multiple-frames-5 b/fuzzing/frames/corpus/multiple-frames-5 new file mode 100644 index 0000000000000000000000000000000000000000..c225304508c703a60e14b5ff3ca70f9a904aa1e8 GIT binary patch literal 318 zcmdnQ5;u*(RJ5h8rN&w`@XdcHV32m6&}VbeyYQ`4nD7tR!++w#I9F9}Kht(+Bf~d_ z!`z1gt~xAO^uhG;{`?e$%+`+wGtV8K{BOpb$3ki<0jF5Y_o-y9mD;pxUA@xX)6IuO z^_c6vJ8zk}Q@r~~X(e}s*kuXX^T(Cd%?nSx7qC9A-@T(|(PGKWY}>7?4u7vhat7V( zL= literal 0 HcmV?d00001 diff --git a/fuzzing/frames/corpus/multiple-frames-6 b/fuzzing/frames/corpus/multiple-frames-6 new file mode 100644 index 0000000000000000000000000000000000000000..8d62efe3f654b6cabf58ed3390d0157a79c49ce7 GIT binary patch literal 273 zcmZPWDnBGyB2Q^X1EWqUJucd}7^F zb?&g8#*LM=3-;%lPPtyUxO3qy@wBAL*K=pC+QuL@js3$t@&2UOq70&w=dmWj3}%3v z%#-gZ|8wcRkQonxZv6|LyhN}3)9q6MCmkQOMVyn~xGv!wx9{%nH?+@qt-V(upqpg; zEKF$fDt}J1B?lZ^7r$S6_NsNJybp5R&lyZGvZ}I=N{gu&;+i7Ya zp3iZrHd;~=r?c*7=9I8A|50axE`9=Oi0i3}Z$iU@%?d*%`A^{q;{t?TRE(n~>y!CU2{ED65KL^b&2%MQy zp4h}7e%*5BuSJX>?@xYv)+HxySF7xy^jZ7woNwMU#bJB)))z`#1y$*f=iQ$##&AsQ jH~Ayf=3k7~9-?ajHJfMB literal 0 HcmV?d00001 diff --git a/fuzzing/frames/corpus/multiple-frames-8 b/fuzzing/frames/corpus/multiple-frames-8 new file mode 100644 index 0000000000000000000000000000000000000000..c7621143d8c92a5a14eafd1d6ce557fd10507aea GIT binary patch literal 179 zcmbO!ZT0edjK81LMc)0-t!{fb%HHbyQt_bD^@Nss|E${JYubBCXS7^9vn%!Vs?|YV zlZ|iYdoPu+c`?J!D>J}M-Nn;fk|*uje<=7CRdRPzO<}v|G^~OQVtaSyGm&i(>xN_Y HeGH5M`~6*) literal 0 HcmV?d00001 
diff --git a/fuzzing/frames/corpus/multiple-frames-9 b/fuzzing/frames/corpus/multiple-frames-9 new file mode 100644 index 0000000000000000000000000000000000000000..a49da67902a6c0393ff0c1b781eae1f3256f9287 GIT binary patch literal 439 zcmaDOI=d-#9k0YJyL6dedE-8oRHkmfQ(JX*TwKS;>b^T*$#n0TolJL27cEcxAD!vp zC3H92aGi2q)T9F(J)UXh_Vx!D?!1l8+~j+J;qJxPaucT>U=XPL_%3?y0S2Bo3esl& z2N<|s1Q~^&JHWu0Y3yXa>i`1-&+NEXJ0LB1ET`fTkmeFNc~}}qbKZYHV;zuY6zI{k z2GR_5X}d!wUu>^yxWF>8DQ!bj!^V^14ctFwHe~GKZqRL8+Q4whwL$Z$Qv+xJiw35q zhYcJidm0!XZSu@==yq^*h~;HcVB=sC_zwjVdtzQ41YyBTdn{LQ%;z*Re7@|dj<1QP zuId+=_DD6xpHq2@+I12w%>NEgC~5!hH-WPx&iKLaER(sb zg|8eIdi~-zPi;tOr&LqZiQPP%;fX7ABqlQiOf+DadgR-zMSca(TrO69K6|M1Te=zB zulC=Uf8SG-{VSzuIq%}KN R`i`~p)&51^I=lv%4FEUo$7uin literal 0 HcmV?d00001 diff --git a/fuzzing/frames/corpus/single-frame-0 b/fuzzing/frames/corpus/single-frame-0 new file mode 100644 index 000000000..bd55da9b9 --- /dev/null +++ b/fuzzing/frames/corpus/single-frame-0 @@ -0,0 +1 @@ +s  \ No newline at end of file diff --git a/fuzzing/frames/corpus/single-frame-1 b/fuzzing/frames/corpus/single-frame-1 new file mode 100644 index 000000000..5b360e5ab --- /dev/null +++ b/fuzzing/frames/corpus/single-frame-1 @@ -0,0 +1 @@ + ݝRכMvBaz ;[ L5pX?au)ڞoNtKoLܺ>>OTm.|UyϢǎ \ No newline at end of file diff --git a/fuzzing/frames/corpus/single-frame-10 b/fuzzing/frames/corpus/single-frame-10 new file mode 100644 index 000000000..777d72323 --- /dev/null +++ b/fuzzing/frames/corpus/single-frame-10 @@ -0,0 +1 @@ +74 \ No newline at end of file diff --git a/fuzzing/frames/corpus/single-frame-11 b/fuzzing/frames/corpus/single-frame-11 new file mode 100644 index 000000000..8acb1d441 --- /dev/null +++ b/fuzzing/frames/corpus/single-frame-11 @@ -0,0 +1 @@ +z \ No newline at end of file 
diff --git a/fuzzing/frames/corpus/single-frame-12 b/fuzzing/frames/corpus/single-frame-12 new file mode 100644 index 0000000000000000000000000000000000000000..a2efe6f22a6c5b487a46b0d7ae40fe0d24c1155a GIT binary patch literal 8 PcmX@cx@pTK9R@1^5fK9_ literal 0 HcmV?d00001 diff --git a/fuzzing/frames/corpus/single-frame-13 b/fuzzing/frames/corpus/single-frame-13 new file mode 100644 index 0000000000000000000000000000000000000000..8c8103d2be4e87d850eb21a0b37638982337e0db GIT binary patch literal 105 zcmV-v0G9tV1^_^0gVZS*!l-&ll>8n*9udW)oPLg}=3Q*W1ZDj-FDydrJwEmgwwFLr zeaB@hp6~S*Q(B?P^F6UX(f6(!aj%=r6(c-3Ie7KKaEa*iCVC9aemTF& L$E-rWEEg^3)kJEp-`s47sPMdA? zbt*2AWX}clXwt}@q}E+_1`cG0kXbTIw_4j28ZUe=-gpu8fzJqPKEv3vcK{OoC#1Gp P0pF literal 0 HcmV?d00001 diff --git a/fuzzing/frames/corpus/single-frame-7 b/fuzzing/frames/corpus/single-frame-7 new file mode 100644 index 0000000000000000000000000000000000000000..e02737e42268b1e55b363febc5a97e52321dce80 GIT binary patch literal 87 zcmV-d0I2^H0_}7%35I~F`+xyHN(9!l?y}ls49d@rY2c6~;LgUi2bAp=`^>;c6>vEG tZ(6`4`27=Px!S-Bpq=+tD&D{YpxTMoZ@Rz$eXooge&@gd0rTMndZf1TEzSS{ literal 0 HcmV?d00001 
diff --git a/fuzzing/frames/corpus/single-frame-8 b/fuzzing/frames/corpus/single-frame-8 new file mode 100644 index 0000000000000000000000000000000000000000..591017f4ef92862584e84ba61e562c407209aa69 GIT binary patch literal 252 zcmXS7I`CRZk+;$|fI<8~POZytm*&g^9wz!5ZixjRP~|*b-FL_J0JA3F+Jl|)2iW{# z;)3=z9AN2Eb$Dsxc7SpD!Lrpn8xAn`I{yl`7d*hgbz}21UA6-ZJU6EMFvuQYU@XWy zDG(2&r!PHzBj5l7Lx)!QUDg8(%=c7w{yzldr^z^|wg71*yTi8(fV9&ZliJrnIxx=k z>rWuf8ymFi(X85yX+So^IrHkdAbNe?$qO??blf}2dz%{#ot89;>smCFF1p^pef&%V wyY%M 0 { + f, err := parser.ParseNext(r, encLevel) + if err != nil { + break + } + frames = append(frames, f) + } + parsedLen := initialLen - r.Len() + + if len(frames) == 0 { + return 0 + } + + b := &bytes.Buffer{} + for _, f := range frames { + if f == nil { // PADDING frame + b.WriteByte(0x0) + continue + } + // We accept empty STREAM frames, but we don't write them. + if sf, ok := f.(*wire.StreamFrame); ok { + if sf.DataLen() == 0 { + continue + } + } + lenBefore := b.Len() + if err := f.Write(b, version); err != nil { + panic(fmt.Sprintf("Error writing frame %#v: %s", f, err)) + } + frameLen := b.Len() - lenBefore + if f.Length(version) != protocol.ByteCount(frameLen) { + panic(fmt.Sprintf("Inconsistent frame length for %#v: expected %d, got %d", f, frameLen, f.Length(version))) + } + } + if b.Len() > parsedLen { + panic(fmt.Sprintf("Serialized length (%d) is longer than parsed length (%d)", b.Len(), parsedLen)) + } + return 0 +} diff --git a/fuzzing/frames/main.go b/fuzzing/frames/main.go new file mode 100644 index 000000000..f397be6f3 --- /dev/null +++ b/fuzzing/frames/main.go 
@@ -0,0 +1,289 @@ +// +build !gofuzz + +package main + +import ( + "bytes" + "fmt" + "math/rand" + "os" + "time" + + "github.com/lucas-clemente/quic-go" + "github.com/lucas-clemente/quic-go/internal/protocol" + "github.com/lucas-clemente/quic-go/internal/qerr" + "github.com/lucas-clemente/quic-go/internal/wire" +) + +const version = protocol.VersionTLS + +func getRandomData(l int) []byte { + b := make([]byte, l) + rand.Read(b) + return b +} + +func getRandomNumber() uint64 { + switch 1 << uint8(rand.Intn(3)) { + case 1: + return uint64(rand.Int63n(64)) + case 2: + return uint64(rand.Int63n(16384)) + case 4: + return uint64(rand.Int63n(1073741824)) + case 8: + return uint64(rand.Int63n(4611686018427387904)) + default: + panic("unexpected length") + } +} + +func getRandomNumberLowerOrEqual(target uint64) uint64 { + if target == 0 { + return 0 + } + return uint64(rand.Int63n(int64(target))) +} + +// returns a *maximum* number of num ACK ranges +func getAckRanges(num int) []wire.AckRange { + var ranges []wire.AckRange + + prevSmallest := uint64(rand.Int63n(4611686018427387904)) + for i := 0; i < num; i++ { + if prevSmallest <= 2 { + break + } + largest := getRandomNumberLowerOrEqual(prevSmallest - 2) + smallest := getRandomNumberLowerOrEqual(largest) + + ranges = append(ranges, wire.AckRange{ + Smallest: protocol.PacketNumber(smallest), + Largest: protocol.PacketNumber(largest), + }) + prevSmallest = smallest + } + return ranges +} + +func getFrames() []wire.Frame { + frames := []wire.Frame{ + &wire.StreamFrame{ // STREAM frame at 0 offset, with FIN bit + StreamID: protocol.StreamID(getRandomNumber()), + FinBit: true, + }, + &wire.StreamFrame{ // STREAM frame at 0 offset, with data and FIN bit + StreamID: protocol.StreamID(getRandomNumber()), + FinBit: true, + Data: getRandomData(100), + }, + &wire.StreamFrame{ // STREAM frame at non-zero offset, with data + StreamID: protocol.StreamID(getRandomNumber()), + Offset: protocol.ByteCount(getRandomNumber()), + Data: 
getRandomData(50), + }, + &wire.StreamFrame{ // STREAM frame at non-zero offset, with data and FIN bit + StreamID: protocol.StreamID(getRandomNumber()), + Offset: protocol.ByteCount(getRandomNumber()), + Data: getRandomData(50), + FinBit: true, + }, + &wire.StreamFrame{ // STREAM frame at maximum offset, with FIN bit + StreamID: protocol.StreamID(getRandomNumber()), + Offset: protocol.MaxByteCount - 5, + Data: getRandomData(5), + FinBit: true, + }, + &wire.StreamFrame{ // STREAM frame with data at maximum offset + StreamID: protocol.StreamID(getRandomNumber()), + Offset: protocol.MaxByteCount, + Data: getRandomData(10), + }, + &wire.AckFrame{ + AckRanges: getAckRanges(1), + DelayTime: time.Duration(getRandomNumber()), + }, + &wire.AckFrame{ + AckRanges: getAckRanges(5), + DelayTime: time.Duration(getRandomNumber()), + }, + &wire.AckFrame{ + AckRanges: getAckRanges(300), + DelayTime: time.Duration(getRandomNumber()), + }, + &wire.PingFrame{}, + &wire.ResetStreamFrame{ + StreamID: protocol.StreamID(getRandomNumber()), + ErrorCode: quic.ErrorCode(getRandomNumber()), + ByteOffset: protocol.ByteCount(getRandomNumber()), + }, + &wire.ResetStreamFrame{ // at maximum offset + StreamID: protocol.StreamID(getRandomNumber()), + ErrorCode: quic.ErrorCode(getRandomNumber()), + ByteOffset: protocol.MaxByteCount, + }, + &wire.StopSendingFrame{ + StreamID: protocol.StreamID(getRandomNumber()), + ErrorCode: quic.ErrorCode(getRandomNumber()), + }, + &wire.CryptoFrame{ + Data: getRandomData(100), + }, + &wire.CryptoFrame{ + Offset: protocol.ByteCount(getRandomNumber()), + Data: getRandomData(50), + }, + &wire.NewTokenFrame{ + Token: getRandomData(10), + }, + &wire.MaxDataFrame{ + ByteOffset: protocol.ByteCount(getRandomNumber()), + }, + &wire.MaxDataFrame{ + ByteOffset: protocol.MaxByteCount, + }, + &wire.MaxStreamDataFrame{ + StreamID: protocol.StreamID(getRandomNumber()), + ByteOffset: protocol.ByteCount(getRandomNumber()), + }, + &wire.MaxStreamDataFrame{ + StreamID: 
protocol.StreamID(getRandomNumber()), + ByteOffset: protocol.MaxByteCount, + }, + &wire.MaxStreamsFrame{ + Type: protocol.StreamTypeUni, + MaxStreamNum: protocol.StreamNum(getRandomNumber()), + }, + &wire.MaxStreamsFrame{ + Type: protocol.StreamTypeBidi, + MaxStreamNum: protocol.StreamNum(getRandomNumber()), + }, + &wire.DataBlockedFrame{ + DataLimit: protocol.ByteCount(getRandomNumber()), + }, + &wire.DataBlockedFrame{ + DataLimit: protocol.MaxByteCount, + }, + &wire.StreamDataBlockedFrame{ + StreamID: protocol.StreamID(getRandomNumber()), + DataLimit: protocol.ByteCount(getRandomNumber()), + }, + &wire.StreamDataBlockedFrame{ + StreamID: protocol.StreamID(getRandomNumber()), + DataLimit: protocol.MaxByteCount, + }, + &wire.StreamsBlockedFrame{ + Type: protocol.StreamTypeUni, + StreamLimit: protocol.StreamNum(getRandomNumber()), + }, + &wire.StreamsBlockedFrame{ + Type: protocol.StreamTypeBidi, + StreamLimit: protocol.StreamNum(getRandomNumber()), + }, + &wire.RetireConnectionIDFrame{ + SequenceNumber: getRandomNumber(), + }, + &wire.ConnectionCloseFrame{ // QUIC error with empty reason + IsApplicationError: false, + ErrorCode: qerr.ErrorCode(getRandomNumber()), + ReasonPhrase: "", + }, + &wire.ConnectionCloseFrame{ // QUIC error with reason + IsApplicationError: false, + // TODO: add frame type + ErrorCode: qerr.ErrorCode(getRandomNumber()), + ReasonPhrase: string(getRandomData(100)), + }, + &wire.ConnectionCloseFrame{ // application error with empty reason + IsApplicationError: true, + ErrorCode: qerr.ErrorCode(getRandomNumber()), + ReasonPhrase: "", + }, + &wire.ConnectionCloseFrame{ // application error with reason + IsApplicationError: true, + ErrorCode: qerr.ErrorCode(getRandomNumber()), + ReasonPhrase: string(getRandomData(100)), + }, + } + + seq1 := getRandomNumber() + seq2 := getRandomNumber() + var token1, token2 [16]byte + copy(token1[:], getRandomData(16)) + copy(token2[:], getRandomData(16)) + frames = append(frames, []wire.Frame{ + 
&wire.NewConnectionIDFrame{ + SequenceNumber: seq1, + RetirePriorTo: seq1 / 2, + ConnectionID: getRandomData(4), + StatelessResetToken: token1, + }, + &wire.NewConnectionIDFrame{ + SequenceNumber: seq2, + RetirePriorTo: seq2, + ConnectionID: getRandomData(17), + StatelessResetToken: token2, + }, + }...) + + var data1 [8]byte + copy(data1[:], getRandomData(8)) + frames = append(frames, &wire.PathChallengeFrame{ + Data: data1, + }) + + var data2 [8]byte + copy(data2[:], getRandomData(8)) + frames = append(frames, &wire.PathResponseFrame{ + Data: data2, + }) + + return frames +} + +func main() { + rand.Seed(42) + + for i, f := range getFrames() { + b := &bytes.Buffer{} + if err := f.Write(b, version); err != nil { + panic(err) + } + if err := writeCorpusFile(fmt.Sprintf("single-frame-%d", i), b.Bytes()); err != nil { + panic(err) + } + } + + for i := 0; i < 25; i++ { + frames := getFrames() + + b := &bytes.Buffer{} + for j := 0; j < rand.Intn(30)+2; j++ { + if rand.Intn(10) == 0 { // write a PADDING frame + b.WriteByte(0x0) + } + f := frames[rand.Intn(len(frames))] + if err := f.Write(b, version); err != nil { + panic(err) + } + if rand.Intn(10) == 0 { // write a PADDING frame + b.WriteByte(0x0) + } + } + if err := writeCorpusFile(fmt.Sprintf("multiple-frames-%d", i), b.Bytes()); err != nil { + panic(err) + } + } +} + +func writeCorpusFile(name string, data []byte) error { + file, err := os.Create("corpus/" + name) + if err != nil { + return err + } + data = append(getRandomData(1), data...) + if _, err := file.Write(data); err != nil { + return err + } + return file.Close() +}
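Review bot: In getRandomNumber the `case 8:` branch is unreachable — `1 << uint8(rand.Intn(3))` only yields 1, 2 or 4 — so the generator never produces values that need an 8-byte varint encoding (only the explicit protocol.MaxByteCount fields exercise that range); `switch 1 << uint8(rand.Intn(4)) {` fixes it. In main the loop header `for j := 0; j < rand.Intn(30)+2; j++` re-rolls the bound on every iteration, so the number of frames per corpus file is not the uniform 2..31 the expression suggests; hoist it as `n := rand.Intn(30) + 2` and loop `for j := 0; j < n; j++`. In writeCorpusFile the file handle is leaked when `file.Write` fails — add `file.Close()` before that `return err` (or `defer file.Close()` while keeping the explicit close-error return), and `filepath.Join("corpus", name)` is the idiomatic form of `"corpus/" + name`. The byte prepended by `getRandomData(1)` is presumably a selector the fuzz target consumes before the frame data (fuzz.go's header is not visible in this chunk); a comment such as `// The first byte is not frame data; the fuzz target consumes it as a selector.` would save the next reader a trip to fuzz.go.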