You can run the tests over the corpus with a "regular" build, then:

    $ fuzzing/fuzz-input ../fuzzing/IN/*

Or build with fuzzing enabled, and run:

    $ CFLAGS="-fsanitize=fuzzer" CC=clang CXX=clang++ meson -Db_lundef=false
    $ fuzzing/fuzz-input ../fuzzing/IN

I have an initial corpus which was generated by running fuzz-input for a few hours, starting with qemu.pkt, which is the first packet sent by qemu. Sadly, it only covers 25%... I tried to increase the coverage manually (see for example tftp-get-blah.pkt), but that's not so simple, as multiple packets may be required to set up a session etc. Nevertheless, the fuzzing already found a few issues, so it might be worth adding it in this current form.

fuzzing/oss-fuzz.sh is used by oss-fuzz, for Google fuzzing (see documentation if you want to reproduce the build locally).

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
b5f4b774 -
The slirp_fuzz_ip_header harness should be working and is a basic example of a custom mutator focusing on part of the input. The slirp_fuzz_udp harness needs a bit of work to calculate the checksum properly. The code can be built using `meson build` followed by `ninja -C build`; the current meson.build file is not suitable for general usage. To run the fuzzing code, just run `build/fuzzing/fuzz-ip-header fuzzing/IN -detect_leaks=0`; crashes will be written to the current folder and new inputs will go directly into the `IN` folder. The main point to focus on to improve the fuzzing should be generating a better corpus.
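The checksum work this message leaves open for the UDP harness, as an added example that is not libslirp's or the authors' code: once a mutator has edited header bytes, the IPv4 header checksum and the UDP checksum (computed over the IPv4 pseudo-header) are recomputed so the stack parses the mutated packet instead of dropping it at the checksum check. The addresses, ports and packet bytes are constructed for the example; the function names are the example's own.

```c
/* Added example, not libslirp's code: recompute the IPv4 header and UDP
 * checksums after a mutator has edited header bytes. Sample packet constructed. */
#include <stddef.h>
#include <stdint.h>
/* One's-complement sum (RFC 1071) of big-endian 16-bit words; odd byte is padded. */
static uint32_t csum_add(uint32_t sum, const uint8_t *d, size_t len) {
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)d[i] << 8 | d[i + 1];
    return (len & 1) ? sum + ((uint32_t)d[len - 1] << 8) : sum;
}
/* Fold carries back into 16 bits and invert. */
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* IPv4 header checksum with bytes 10-11 (the checksum field) treated as zero.
 * The caller must already have checked that IHL is at least 20 bytes. */
uint16_t ipv4_header_checksum(const uint8_t *ip) {
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    return csum_fold(csum_add(csum_add(0, ip, 10), ip + 12, ihl - 12));
}
/* UDP checksum over the IPv4 pseudo-header, UDP header and payload (RFC 768). */
uint16_t udp_checksum(const uint8_t *ip, const uint8_t *udp, size_t udp_len) {
    uint32_t sum = csum_add(0, ip + 12, 8) + 17 + (uint32_t)udp_len; /* pseudo-header */
    sum = csum_add(sum, udp, 6);                /* ports and length field */
    sum = csum_add(sum, udp + 8, udp_len - 8);  /* payload; checksum field skipped */
    uint16_t c = csum_fold(sum);
    return c ? c : 0xffff;                      /* 0 on the wire means "no checksum" */
}
/* Rewrite both checksums in place. Returns 0 for a packet too short or with a bad
 * IHL, 1 otherwise; a non-UDP packet only gets its IP header checksum rewritten. */
int fix_ipv4_udp_checksums(uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return 0;
    uint16_t ic = ipv4_header_checksum(pkt);
    pkt[10] = ic >> 8; pkt[11] = ic & 0xff;
    if (pkt[9] != 17 || len - ihl < 8) return 1;
    uint8_t *udp = pkt + ihl;
    udp[4] = (len - ihl) >> 8; udp[5] = (len - ihl) & 0xff; /* keep UDP length consistent */
    uint16_t uc = udp_checksum(pkt, udp, len - ihl);
    udp[6] = uc >> 8; udp[7] = uc & 0xff;
    return 1;
}
/* Constructed sample: 10.0.2.15 -> 10.0.2.2, UDP 68 -> 67, no payload, checksums zeroed. */
uint8_t sample_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00, 0x0a, 0x00,
    0x02, 0x0f, 0x0a, 0x00, 0x02, 0x02, 0x00, 0x44, 0x00, 0x43, 0x00, 0x08, 0x00, 0x00 };
```

A harness would call `fix_ipv4_udp_checksums` on the mutated buffer right before handing it to the stack; for the sample the fixed header reads `62 c0` at bytes 10-11 and the UDP checksum reads `e7 46`.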
0e9b0ad4 -
- by adding trace examples
- by separating fuzzing different headers / data
- by adding an echo TCP server forward
- also factorizing code along the way

Also-by: JC <luffy33820@gmail.com>
Also-by: Alisee Lafontaine <alisee.lafontaine@u-bordeaux.fr>
884d39ee -
We don't know in advance what the trace will have received as sequence number, so when fuzzing TCP, just align on what the trace says.
f045cdc9 -
Samuel Thibault authored
It's no use sending to the slirp stack the trace packets which are supposed to be generated by the stack. Also no use fuzzing them, then.
6f28e96e -
Samuel Thibault authored
ea785a27 -
- .gitlab-ci.yml (16 additions, 0 deletions)
- fuzzing/IN_dhcp/dhcp.pkt (0 additions, 0 deletions)
- fuzzing/IN_dhcp/dhcp_capture.pcap (0 additions, 0 deletions)
- fuzzing/IN_icmp/icmp_capture.pcap (0 additions, 0 deletions)
- fuzzing/IN_icmp/ping_10-0-2-2.pcap (0 additions, 0 deletions)
- fuzzing/IN_ip-header/DNS_freedesktop_1-1-1-1.pcap (1 addition, 0 deletions)
- fuzzing/IN_ip-header/dhcp.pkt (1 addition, 0 deletions)
- fuzzing/IN_ip-header/dhcp_capture.pcap (1 addition, 0 deletions)
- fuzzing/IN_ip-header/icmp_capture.pcap (1 addition, 0 deletions)
- fuzzing/IN_ip-header/nc-10.0.2.2-8080.pcap (1 addition, 0 deletions)
- fuzzing/IN_ip-header/nc-ident.pcap (1 addition, 0 deletions)
- fuzzing/IN_ip-header/ping_10-0-2-2.pcap (1 addition, 0 deletions)
- fuzzing/IN_ip-header/tcp_qemucapt.pcap (1 addition, 0 deletions)
- fuzzing/IN_ip-header/tftp-get-blah.pkt (1 addition, 0 deletions)
- fuzzing/IN_ip-header/tftp_capture.pcap (1 addition, 0 deletions)
- fuzzing/IN_ip-header/tftp_get_libslirp-txt.pcap (1 addition, 0 deletions)
- fuzzing/IN_tcp-d (1 addition, 0 deletions)
- fuzzing/IN_tcp-h (1 addition, 0 deletions)
- fuzzing/IN_tcp/nc-10.0.2.2-8080.pcap (0 additions, 0 deletions)
- fuzzing/IN_tcp/nc-ident.pcap (0 additions, 0 deletions)