fuzz: make targets more resitant to allocation failures

2 years ago · 5fb0b3b8cb
parent 3247e39f0c
commit 5fb0b3b8cb
6 changed files with 27 additions and 12 deletions
--- a/src/tests/fuzz/fuzz_applayerparserparse.c
+++ b/src/tests/fuzz/fuzz_applayerparserparse.c
@ -36,6 +36,7 @@ AppLayerParserThreadCtx *alp_tctx = NULL;
 const uint8_t separator[] = {0x01, 0xD5, 0xCA, 0x7A};
 SCInstance surifuzz;
 AppProto forceLayer = 0;
 SC_ATOMIC_EXTERN(unsigned int, engine_stage);
 int LLVMFuzzerInitialize(int *argc, char ***argv)
 {
@ -75,10 +76,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
    // otherwise overflows do not fail as they read the next packet
    uint8_t * isolatedBuffer;
    if (size < HEADER_LEN) {
        return 0;
    }
    if (alp_tctx == NULL) {
        //Redirects logs to /dev/null
        setenv("SC_LOG_OP_IFACE", "file", 0);
@ -97,6 +94,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
        PostConfLoadedSetup(&surifuzz);
        alp_tctx = AppLayerParserThreadCtxAlloc();
        SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
    }
    if (size < HEADER_LEN) {
        return 0;
    }
    if (data[0] >= ALPROTO_MAX) {
@ -149,7 +151,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
            // only if we have some data
            isolatedBuffer = malloc(alnext - albuffer);
            if (isolatedBuffer == NULL) {
-                return 0;
+                goto bail;
            }
            memcpy(isolatedBuffer, albuffer, alnext - albuffer);
            (void) AppLayerParserParse(NULL, alp_tctx, f, f->alproto, flags, isolatedBuffer, alnext - albuffer);
@ -192,13 +194,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
        flags |= STREAM_EOF;
        isolatedBuffer = malloc(alsize);
        if (isolatedBuffer == NULL) {
-            return 0;
+            goto bail;
        }
        memcpy(isolatedBuffer, albuffer, alsize);
        (void) AppLayerParserParse(NULL, alp_tctx, f, f->alproto, flags, isolatedBuffer, alsize);
        free(isolatedBuffer);
    }
 bail:
    FLOWLOCK_UNLOCK(f);
    FlowFree(f);
--- a/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c
+++ b/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c
@ -23,6 +23,7 @@
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
 AppLayerProtoDetectThreadCtx *alpd_tctx = NULL;
 SC_ATOMIC_EXTERN(unsigned int, engine_stage);
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
@ -32,10 +33,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
    AppProto alproto;
    AppProto alproto2;
    if (size < HEADER_LEN) {
        return 0;
    }
    if (alpd_tctx == NULL) {
        //global init
        InitGlobal();
@ -50,6 +47,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
        AppLayerParserSetup();
        AppLayerParserRegisterProtocolParsers();
        alpd_tctx = AppLayerProtoDetectGetCtxThread();
        SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
    }
    if (size < HEADER_LEN) {
        return 0;
    }
    f = TestHelperBuildFlow(AF_INET, "1.2.3.4", "5.6.7.8", (uint16_t)((data[2] << 8) | data[3]),
--- a/src/tests/fuzz/fuzz_decodepcapfile.c
+++ b/src/tests/fuzz/fuzz_decodepcapfile.c
@ -31,6 +31,7 @@ pcap-file:\n\
 ThreadVars *tv;
 DecodeThreadVars *dtv;
 SC_ATOMIC_EXTERN(unsigned int, engine_stage);
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
@ -80,6 +81,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
        extern uint16_t max_pending_packets;
        max_pending_packets = 128;
        PacketPoolInit();
        SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
        initialized = 1;
    }
--- a/src/tests/fuzz/fuzz_predefpcap_aware.c
+++ b/src/tests/fuzz/fuzz_predefpcap_aware.c
@ -40,6 +40,7 @@ DecodeThreadVars *dtv;
 // FlowWorkerThreadData
 void *fwd;
 SCInstance surifuzz;
 SC_ATOMIC_EXTERN(unsigned int, engine_stage);
 #include "confyaml.c"
@ -103,6 +104,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
            return 0;
        }
        SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
        initialized = 1;
    }
@ -117,7 +119,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
    // loop over packets
    r = FPC_next(&pkts, &header, &pkt);
    p = PacketGetFromAlloc();
-    if (r <= 0 || header.ts.tv_sec >= INT_MAX - 3600) {
+    if (p == NULL || r <= 0 || header.ts.tv_sec >= INT_MAX - 3600) {
        goto bail;
    }
    p->ts = SCTIME_FROM_TIMEVAL(&header.ts);
@ -154,7 +156,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
        p->pkt_src = PKT_SRC_WIRE;
    }
 bail:
    if (p != NULL) {
        PacketFree(p);
    }
    FlowReset();
    return 0;
--- a/src/tests/fuzz/fuzz_sigpcap.c
+++ b/src/tests/fuzz/fuzz_sigpcap.c
@ -40,6 +40,7 @@ DecodeThreadVars *dtv;
 //FlowWorkerThreadData
 void *fwd;
 SCInstance surifuzz;
 SC_ATOMIC_EXTERN(unsigned int, engine_stage);
 #include "confyaml.c"
@ -92,6 +93,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
        extern uint16_t max_pending_packets;
        max_pending_packets = 128;
        PacketPoolInit();
        SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
        initialized = 1;
    }
--- a/src/tests/fuzz/fuzz_sigpcap_aware.c
+++ b/src/tests/fuzz/fuzz_sigpcap_aware.c
@ -40,6 +40,7 @@ DecodeThreadVars *dtv;
 // FlowWorkerThreadData
 void *fwd;
 SCInstance surifuzz;
 SC_ATOMIC_EXTERN(unsigned int, engine_stage);
 #include "confyaml.c"
@ -118,6 +119,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
        extern uint16_t max_pending_packets;
        max_pending_packets = 128;
        PacketPoolInit();
        SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
        initialized = 1;
    }