fuzz the header parsing

2025-04-03 20:27:35 +03:00 · 2019-08-16 13:06:55 +07:00 · 2019-08-16 13:06:55 +07:00 · 2c22eb644c
commit 2c22eb644c
parent 7df59b855f
18 changed files with 249 additions and 0 deletions
--- a/codecov.yml
+++ b/codecov.yml
@ -11,6 +11,7 @@ coverage:
    - internal/utils/packetinterval_linkedlist.go
    - internal/utils/linkedlist/linkedlist.go
    - quictrace/
+    - fuzzing/
  status:
    project:
      default:
--- a/fuzzing/header/corpus/header-0
+++ b/fuzzing/header/corpus/header-0
--- a/fuzzing/header/corpus/header-1
+++ b/fuzzing/header/corpus/header-1
--- a/fuzzing/header/corpus/header-2
+++ b/fuzzing/header/corpus/header-2
--- a/fuzzing/header/corpus/header-3
+++ b/fuzzing/header/corpus/header-3
--- a/fuzzing/header/corpus/header-4
+++ b/fuzzing/header/corpus/header-4
--- a/fuzzing/header/corpus/header-5
+++ b/fuzzing/header/corpus/header-5
--- a/fuzzing/header/corpus/header-6
+++ b/fuzzing/header/corpus/header-6
@ -0,0 +1,2 @@
+ÉðQGOÿ	aF'jaeÙñý&�aïT*l
+Þ÷~Øfò	»¡E!U‘sÓG x
--- a/fuzzing/header/corpus/header-7
+++ b/fuzzing/header/corpus/header-7
--- a/fuzzing/header/corpus/header-8
+++ b/fuzzing/header/corpus/header-8
--- a/fuzzing/header/corpus/header-9
+++ b/fuzzing/header/corpus/header-9
@ -0,0 +1 @@
+E@�1tQ�����
--- a/fuzzing/header/corpus/vnp-0
+++ b/fuzzing/header/corpus/vnp-0
--- a/fuzzing/header/corpus/vnp-1
+++ b/fuzzing/header/corpus/vnp-1
--- a/fuzzing/header/corpus/vnp-2
+++ b/fuzzing/header/corpus/vnp-2
--- a/fuzzing/header/corpus/vnp-3
+++ b/fuzzing/header/corpus/vnp-3
--- a/fuzzing/header/corpus/vnp-4
+++ b/fuzzing/header/corpus/vnp-4
--- a/fuzzing/header/fuzz.go
+++ b/fuzzing/header/fuzz.go
@ -0,0 +1,64 @@
+// +build gofuzz
+
+package header
+
+import (
+	"bytes"
+	"fmt"
+
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+	"github.com/lucas-clemente/quic-go/internal/wire"
+)
+
+const version = protocol.VersionTLS
+
+func Fuzz(data []byte) int {
+	if len(data) < 1 {
+		return 0
+	}
+	connIDLen := int(data[0] % 21)
+	data = data[1:]
+
+	isVNP := wire.IsVersionNegotiationPacket(data)
+	connID, err := wire.ParseConnectionID(data, connIDLen)
+	if err != nil {
+		return 0
+	}
+	hdr, _, _, err := wire.ParsePacket(data, connIDLen)
+	if err != nil {
+		return 0
+	}
+	if !hdr.DestConnectionID.Equal(connID) {
+		panic(fmt.Sprintf("Expected connection IDs to match: %s vs %s", hdr.DestConnectionID, connID))
+	}
+
+	var extHdr *wire.ExtendedHeader
+	// Parse the extended header, if this is not a Retry packet.
+	if hdr.Type == protocol.PacketTypeRetry {
+		extHdr = &wire.ExtendedHeader{Header: *hdr}
+	} else {
+		var err error
+		extHdr, err = hdr.ParseExtended(bytes.NewReader(data), version)
+		if err != nil {
+			return 0
+		}
+	}
+	b := &bytes.Buffer{}
+	if err := extHdr.Write(b, version); err != nil {
+		// We are able to parse packets with connection IDs longer than 20 bytes,
+		// but in QUIC version 1, we don't write headers with longer connection IDs.
+		if hdr.DestConnectionID.Len() <= protocol.MaxConnIDLen &&
+			hdr.SrcConnectionID.Len() <= protocol.MaxConnIDLen &&
+			hdr.OrigDestConnectionID.Len() <= protocol.MaxConnIDLen {
+			panic(err)
+		}
+		return 0
+	}
+	// GetLength is not implemented for Retry and Version Negotiation.
+	if !isVNP && hdr.Type != protocol.PacketTypeRetry {
+		if expLen := extHdr.GetLength(version); expLen != protocol.ByteCount(b.Len()) {
+			panic(fmt.Sprintf("inconsistent header length: %#v. Expected %d, got %d", extHdr, expLen, b.Len()))
+		}
+	}
+	return 0
+}
--- a/fuzzing/header/main.go
+++ b/fuzzing/header/main.go
@ -0,0 +1,181 @@
+// +build !gofuzz
+
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"math/rand"
+	"os"
+
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+	"github.com/lucas-clemente/quic-go/internal/wire"
+)
+
+const version = protocol.VersionTLS
+
+func getRandomData(l int) []byte {
+	b := make([]byte, l)
+	rand.Read(b)
+	return b
+}
+
+func getVNP(src, dest protocol.ConnectionID, numVersions int) []byte {
+	versions := make([]protocol.VersionNumber, numVersions)
+	for i := 0; i < numVersions; i++ {
+		versions[i] = protocol.VersionNumber(rand.Uint32())
+	}
+	data, err := wire.ComposeVersionNegotiation(src, dest, versions)
+	if err != nil {
+		panic(err)
+	}
+	return data
+}
+
+func main() {
+	rand.Seed(1337)
+
+	headers := []wire.Header{
+		wire.Header{ // Initial without token
+			IsLongHeader:     true,
+			SrcConnectionID:  protocol.ConnectionID(getRandomData(3)),
+			DestConnectionID: protocol.ConnectionID(getRandomData(8)),
+			Type:             protocol.PacketTypeInitial,
+			Length:           protocol.ByteCount(rand.Intn(1000)),
+			Version:          version,
+		},
+		wire.Header{ // Initial without token, with zero-length src conn id
+			IsLongHeader:     true,
+			DestConnectionID: protocol.ConnectionID(getRandomData(8)),
+			Type:             protocol.PacketTypeInitial,
+			Length:           protocol.ByteCount(rand.Intn(1000)),
+			Version:          version,
+		},
+		wire.Header{ // Initial with Token
+			IsLongHeader:     true,
+			SrcConnectionID:  protocol.ConnectionID(getRandomData(10)),
+			DestConnectionID: protocol.ConnectionID(getRandomData(19)),
+			Type:             protocol.PacketTypeInitial,
+			Length:           protocol.ByteCount(rand.Intn(1000)),
+			Version:          version,
+			Token:            getRandomData(25),
+		},
+		wire.Header{ // Handshake packet
+			IsLongHeader:     true,
+			SrcConnectionID:  protocol.ConnectionID(getRandomData(5)),
+			DestConnectionID: protocol.ConnectionID(getRandomData(10)),
+			Type:             protocol.PacketTypeHandshake,
+			Length:           protocol.ByteCount(rand.Intn(1000)),
+			Version:          version,
+		},
+		wire.Header{ // Handshake packet, with zero-length src conn id
+			IsLongHeader:     true,
+			DestConnectionID: protocol.ConnectionID(getRandomData(12)),
+			Type:             protocol.PacketTypeHandshake,
+			Length:           protocol.ByteCount(rand.Intn(1000)),
+			Version:          version,
+		},
+		wire.Header{ // 0-RTT packet
+			IsLongHeader:     true,
+			SrcConnectionID:  protocol.ConnectionID(getRandomData(8)),
+			DestConnectionID: protocol.ConnectionID(getRandomData(9)),
+			Type:             protocol.PacketType0RTT,
+			Length:           protocol.ByteCount(rand.Intn(1000)),
+			Version:          version,
+		},
+		wire.Header{ // Retry Packet
+			IsLongHeader:         true,
+			SrcConnectionID:      protocol.ConnectionID(getRandomData(8)),
+			DestConnectionID:     protocol.ConnectionID(getRandomData(9)),
+			OrigDestConnectionID: protocol.ConnectionID(getRandomData(10)),
+			Type:                 protocol.PacketTypeRetry,
+			Token:                getRandomData(10),
+			Version:              version,
+		},
+		wire.Header{ // Retry Packet, with empty orig dest conn id
+			IsLongHeader:     true,
+			SrcConnectionID:  protocol.ConnectionID(getRandomData(8)),
+			DestConnectionID: protocol.ConnectionID(getRandomData(9)),
+			Type:             protocol.PacketTypeRetry,
+			Token:            getRandomData(1000),
+			Version:          version,
+		},
+		wire.Header{ // Retry Packet, with zero-length dest conn id
+			IsLongHeader:         true,
+			SrcConnectionID:      protocol.ConnectionID(getRandomData(8)),
+			OrigDestConnectionID: protocol.ConnectionID(getRandomData(10)),
+			Type:                 protocol.PacketTypeRetry,
+			Token:                getRandomData(1000),
+			Version:              version,
+		},
+		wire.Header{ // Short-Header
+			DestConnectionID: protocol.ConnectionID(getRandomData(8)),
+		},
+	}
+
+	for i, h := range headers {
+		extHdr := &wire.ExtendedHeader{
+			Header:          h,
+			PacketNumberLen: protocol.PacketNumberLen(rand.Intn(4) + 1),
+			PacketNumber:    protocol.PacketNumber(rand.Uint64()),
+		}
+		b := &bytes.Buffer{}
+		if err := extHdr.Write(b, version); err != nil {
+			panic(err)
+		}
+		if h.Length > 0 {
+			b.Write(make([]byte, h.Length))
+		}
+
+		if err := writeCorpusFile(fmt.Sprintf("header-%d", i), b.Bytes()); err != nil {
+			panic(err)
+		}
+	}
+
+	vnps := [][]byte{
+		getVNP(
+			protocol.ConnectionID(getRandomData(8)),
+			protocol.ConnectionID(getRandomData(10)),
+			4,
+		),
+		getVNP(
+			protocol.ConnectionID(getRandomData(10)),
+			protocol.ConnectionID(getRandomData(5)),
+			0,
+		),
+		getVNP(
+			protocol.ConnectionID(getRandomData(3)),
+			protocol.ConnectionID(getRandomData(19)),
+			100,
+		),
+		getVNP(
+			protocol.ConnectionID(getRandomData(3)),
+			nil,
+			20,
+		),
+		getVNP(
+			nil,
+			protocol.ConnectionID(getRandomData(10)),
+			5,
+		),
+	}
+
+	for i, vnp := range vnps {
+		if err := writeCorpusFile(fmt.Sprintf("vnp-%d", i), vnp); err != nil {
+			panic(err)
+		}
+	}
+
+}
+
+func writeCorpusFile(name string, data []byte) error {
+	file, err := os.Create("corpus/" + name)
+	if err != nil {
+		return err
+	}
+	data = append(getRandomData(1), data...)
+	if _, err := file.Write(data); err != nil {
+		return err
+	}
+	return file.Close()
+}