diff --git a/.gitignore b/.gitignore index 86317213..8cccd348 100644 --- a/.gitignore +++ b/.gitignore @@ -11,6 +11,7 @@ fuzzing/*/crashers fuzzing/*/sonarprofile fuzzing/*/suppressions fuzzing/*/corpus/ +fuzzing/*-fuzz.zip !fuzzing/frames/single-frame* !fuzzing/frames/multiple-frame* !fuzzing/header/header* diff --git a/fuzzing/frames/main.go b/fuzzing/frames/cmd/corpus.go similarity index 99% rename from fuzzing/frames/main.go rename to fuzzing/frames/cmd/corpus.go index c81bf0f4..6043a2ab 100644 --- a/fuzzing/frames/main.go +++ b/fuzzing/frames/cmd/corpus.go @@ -1,5 +1,3 @@ -// +build !gofuzz - package main import ( diff --git a/fuzzing/frames/fuzz.go b/fuzzing/frames/fuzz.go index 45f7d8df..1d5110ce 100644 --- a/fuzzing/frames/fuzz.go +++ b/fuzzing/frames/fuzz.go @@ -1,5 +1,3 @@ -// +build gofuzz - package frames import ( @@ -10,9 +8,10 @@ import ( "github.com/lucas-clemente/quic-go/internal/wire" ) -const version = protocol.VersionTLS - +//go:generate go run ./cmd/corpus.go func Fuzz(data []byte) int { + const version = protocol.VersionTLS + if len(data) < 1 { return 0 } diff --git a/fuzzing/header/main.go b/fuzzing/header/cmd/corpus.go similarity index 99% rename from fuzzing/header/main.go rename to fuzzing/header/cmd/corpus.go index 13dff303..6e3f1cd5 100644 --- a/fuzzing/header/main.go +++ b/fuzzing/header/cmd/corpus.go @@ -1,5 +1,3 @@ -// +build !gofuzz - package main import ( diff --git a/fuzzing/header/fuzz.go b/fuzzing/header/fuzz.go index 7ce2d63c..328d35c0 100644 --- a/fuzzing/header/fuzz.go +++ b/fuzzing/header/fuzz.go @@ -1,5 +1,3 @@ -// +build gofuzz - package header import ( @@ -12,6 +10,7 @@ import ( const version = protocol.VersionTLS +//go:generate go run ./cmd/corpus.go func Fuzz(data []byte) int { if len(data) < 1 { return 0 @@ -19,7 +18,9 @@ func Fuzz(data []byte) int { connIDLen := int(data[0] % 21) data = data[1:] - isVNP := wire.IsVersionNegotiationPacket(data) + if wire.IsVersionNegotiationPacket(data) { + return fuzzVNP(data) + } connID, err := wire.ParseConnectionID(data, connIDLen) if err != nil { return 0 @@ -48,17 +49,37 @@ func Fuzz(data []byte) int { // We are able to parse packets with connection IDs longer than 20 bytes, // but in QUIC version 1, we don't write headers with longer connection IDs. if hdr.DestConnectionID.Len() <= protocol.MaxConnIDLen && - hdr.SrcConnectionID.Len() <= protocol.MaxConnIDLen && - hdr.OrigDestConnectionID.Len() <= protocol.MaxConnIDLen { + hdr.SrcConnectionID.Len() <= protocol.MaxConnIDLen { panic(err) } return 0 } - // GetLength is not implemented for Retry and Version Negotiation. - if !isVNP && hdr.Type != protocol.PacketTypeRetry { + // GetLength is not implemented for Retry packets + if hdr.Type != protocol.PacketTypeRetry { if expLen := extHdr.GetLength(version); expLen != protocol.ByteCount(b.Len()) { panic(fmt.Sprintf("inconsistent header length: %#v. Expected %d, got %d", extHdr, expLen, b.Len())) } } return 0 } + +func fuzzVNP(data []byte) int { + connID, err := wire.ParseConnectionID(data, 0) + if err != nil { + return 0 + } + hdr, versions, err := wire.ParseVersionNegotiationPacket(bytes.NewReader(data)) + if err != nil { + return 0 + } + if !hdr.DestConnectionID.Equal(connID) { + panic("connection IDs don't match") + } + if len(versions) == 0 { + panic("no versions") + } + if _, err := wire.ComposeVersionNegotiation(hdr.SrcConnectionID, hdr.DestConnectionID, versions); err != nil { + panic(err) + } + return 0 +}