diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml index 895812411..622bc773d 100644 --- a/fuzz/Cargo.toml +++ b/fuzz/Cargo.toml @@ -3,21 +3,15 @@ name = "smoltcp-fuzz" version = "0.0.1" authors = ["Automatically generated"] publish = false +edition = "2018" [package.metadata] cargo-fuzz = true [dependencies] +libfuzzer-sys = "0.4" getopts = "0.2" - -[dependencies.smoltcp] -path = ".." - -[dependencies.libfuzzer-sys] -git = "https://github.com/rust-fuzz/libfuzzer-sys.git" - -[profile.release] -codegen-units = 1 # needed to prevent weird linker error about sancov guards +smoltcp = { path = "..", features = [ "medium-ethernet" ] } # Prevent this from interfering with workspaces [workspace] @@ -26,7 +20,11 @@ members = ["."] [[bin]] name = "packet_parser" path = "fuzz_targets/packet_parser.rs" +test = false +doc = false [[bin]] name = "tcp_headers" path = "fuzz_targets/tcp_headers.rs" +test = false +doc = false diff --git a/fuzz/fuzz_targets/packet_parser.rs b/fuzz/fuzz_targets/packet_parser.rs index 357e1f333..e9e58bffb 100644 --- a/fuzz/fuzz_targets/packet_parser.rs +++ b/fuzz/fuzz_targets/packet_parser.rs @@ -1,8 +1,10 @@ #![no_main] -#[macro_use] extern crate libfuzzer_sys; -extern crate smoltcp; +use libfuzzer_sys::fuzz_target; +use smoltcp::wire::*; fuzz_target!(|data: &[u8]| { - use smoltcp::wire::*; - format!("{}", PrettyPrinter::>::new("", &data)); + format!( + "{}", + PrettyPrinter::>::new("", &data) + ); }); diff --git a/fuzz/fuzz_targets/tcp_headers.rs b/fuzz/fuzz_targets/tcp_headers.rs index 86a274dfb..24482ef86 100644 --- a/fuzz/fuzz_targets/tcp_headers.rs +++ b/fuzz/fuzz_targets/tcp_headers.rs @@ -1,26 +1,20 @@ #![no_main] -#[macro_use] extern crate libfuzzer_sys; -extern crate smoltcp; - -use std as core; -extern crate getopts; - -use core::cmp; +use libfuzzer_sys::fuzz_target; +use smoltcp::iface::{InterfaceBuilder, NeighborCache}; use smoltcp::phy::{Loopback, Medium}; -use smoltcp::wire::{EthernetAddress, EthernetFrame, EthernetProtocol}; -use smoltcp::wire::{IpAddress, IpCidr, Ipv4Packet, Ipv6Packet, TcpPacket}; -use smoltcp::iface::{NeighborCache, InterfaceBuilder}; use smoltcp::socket::{SocketSet, TcpSocket, TcpSocketBuffer}; use smoltcp::time::{Duration, Instant}; +use smoltcp::wire::{EthernetAddress, EthernetFrame, EthernetProtocol}; +use smoltcp::wire::{IpAddress, IpCidr, Ipv4Packet, Ipv6Packet, TcpPacket}; +use std::cmp; -mod utils { - include!("../utils.rs"); -} +#[path = "../utils.rs"] +mod utils; mod mock { + use smoltcp::time::{Duration, Instant}; + use std::sync::atomic::{AtomicUsize, Ordering}; use std::sync::Arc; - use std::sync::atomic::{Ordering, AtomicUsize}; - use smoltcp::time::{Duration, Instant}; // should be AtomicU64 but that's unstable #[derive(Debug, Clone)] @@ -33,7 +27,8 @@ mod mock { } pub fn advance(&self, duration: Duration) { - self.0.fetch_add(duration.total_millis() as usize, Ordering::SeqCst); + self.0 + .fetch_add(duration.total_millis() as usize, Ordering::SeqCst); } pub fn elapsed(&self) -> Instant { @@ -52,7 +47,10 @@ impl TcpHeaderFuzzer { // // Otherwise, it replaces the entire rest of the TCP header with the fuzzer's output. pub fn new(data: &[u8]) -> TcpHeaderFuzzer { - let copy_len = cmp::min(data.len(), 56 /* max TCP header length without port numbers*/); + let copy_len = cmp::min( + data.len(), + 56, /* max TCP header length without port numbers*/ + ); let mut fuzzer = TcpHeaderFuzzer([0; 56], copy_len); fuzzer.0[..copy_len].copy_from_slice(&data[..copy_len]); @@ -68,13 +66,16 @@ impl smoltcp::phy::Fuzzer for TcpHeaderFuzzer { let tcp_packet_offset = { let eth_frame = EthernetFrame::new_unchecked(&frame_data); - EthernetFrame::<&mut [u8]>::header_len() + match eth_frame.ethertype() { - EthernetProtocol::Ipv4 => - Ipv4Packet::new_unchecked(eth_frame.payload()).header_len() as usize, - EthernetProtocol::Ipv6 => - Ipv6Packet::new_unchecked(eth_frame.payload()).header_len() as usize, - _ => return - } + EthernetFrame::<&mut [u8]>::header_len() + + match eth_frame.ethertype() { + EthernetProtocol::Ipv4 => { + Ipv4Packet::new_unchecked(eth_frame.payload()).header_len() as usize + } + EthernetProtocol::Ipv6 => { + Ipv6Packet::new_unchecked(eth_frame.payload()).header_len() as usize + } + _ => return, + } }; let tcp_is_syn = { @@ -95,7 +96,7 @@ impl smoltcp::phy::Fuzzer for TcpHeaderFuzzer { (tcp_packet[12] as usize >> 4) * 4 }; - let tcp_packet = &mut frame_data[tcp_packet_offset+4..]; + let tcp_packet = &mut frame_data[tcp_packet_offset + 4..]; let replacement_data = &self.0[..self.1]; let copy_len = cmp::min(replacement_data.len(), tcp_header_len); @@ -114,17 +115,17 @@ fuzz_target!(|data: &[u8]| { let clock = mock::Clock::new(); let device = { - let (mut opts, mut free) = utils::create_options(); utils::add_middleware_options(&mut opts, &mut free); let mut matches = utils::parse_options(&opts, free); - let device = utils::parse_middleware_options(&mut matches, Loopback::new(Medium::Ethernet), - /*loopback=*/true); + let device = utils::parse_middleware_options( + &mut matches, + Loopback::new(Medium::Ethernet), + /*loopback=*/ true, + ); - smoltcp::phy::FuzzInjector::new(device, - EmptyFuzzer(), - TcpHeaderFuzzer::new(data)) + smoltcp::phy::FuzzInjector::new(device, EmptyFuzzer(), TcpHeaderFuzzer::new(data)) }; let mut neighbor_cache_entries = [None; 8]; @@ -132,10 +133,10 @@ fuzz_target!(|data: &[u8]| { let ip_addrs = [IpCidr::new(IpAddress::v4(127, 0, 0, 1), 8)]; let mut iface = InterfaceBuilder::new(device) - .ethernet_addr(EthernetAddress::default()) - .neighbor_cache(neighbor_cache) - .ip_addrs(ip_addrs) - .finalize(); + .ethernet_addr(EthernetAddress::default()) + .neighbor_cache(neighbor_cache) + .ip_addrs(ip_addrs) + .finalize(); let server_socket = { // It is not strictly necessary to use a `static mut` and unsafe code here, but @@ -162,7 +163,7 @@ fuzz_target!(|data: &[u8]| { let server_handle = socket_set.add(server_socket); let client_handle = socket_set.add(client_socket); - let mut did_listen = false; + let mut did_listen = false; let mut did_connect = false; let mut done = false; while !done && clock.elapsed() < Instant::from_millis(4_000) { @@ -187,24 +188,28 @@ fuzz_target!(|data: &[u8]| { let mut socket = socket_set.get::(client_handle); if !socket.is_open() { if !did_connect { - socket.connect((IpAddress::v4(127, 0, 0, 1), 1234), - (IpAddress::Unspecified, 65000)).unwrap(); + socket + .connect( + (IpAddress::v4(127, 0, 0, 1), 1234), + (IpAddress::Unspecified, 65000), + ) + .unwrap(); did_connect = true; } } if socket.can_send() { - socket.send_slice(b"0123456789abcdef0123456789abcdef0123456789abcdef").unwrap(); + socket + .send_slice(b"0123456789abcdef0123456789abcdef0123456789abcdef") + .unwrap(); socket.close(); } } match iface.poll_delay(&socket_set, clock.elapsed()) { - Some(Duration { millis: 0 }) => {}, - Some(delay) => { - clock.advance(delay) - }, - None => clock.advance(Duration::from_millis(1)) + Some(Duration { millis: 0 }) => {} + Some(delay) => clock.advance(delay), + None => clock.advance(Duration::from_millis(1)), } } }); diff --git a/fuzz/utils.rs b/fuzz/utils.rs index 26763c23a..89329d99d 100644 --- a/fuzz/utils.rs +++ b/fuzz/utils.rs @@ -1,18 +1,17 @@ // TODO: this is literally a copy of examples/utils.rs, but without an allow dead code attribute. // The include logic does not allow having attributes in included files. -use std::cell::RefCell; -use std::str::{self, FromStr}; -use std::rc::Rc; -use std::io; -use std::fs::File; -use std::time::{SystemTime, UNIX_EPOCH}; +use getopts::{Matches, Options}; use std::env; +use std::fs::File; +use std::io; +use std::io::Write; use std::process; -use getopts::{Options, Matches}; +use std::str::{self, FromStr}; +use std::time::{SystemTime, UNIX_EPOCH}; -use smoltcp::phy::{Device, EthernetTracer, FaultInjector}; -use smoltcp::phy::{PcapWriter, PcapSink, PcapMode, PcapLinkType}; +use smoltcp::phy::{Device, FaultInjector, Tracer}; +use smoltcp::phy::{PcapMode, PcapWriter}; use smoltcp::time::Duration; pub fn create_options() -> (Options, Vec<&'static str>) { @@ -29,10 +28,17 @@ pub fn parse_options(options: &Options, free: Vec<&str>) -> Matches { } Ok(matches) => { if matches.opt_present("h") || matches.free.len() != free.len() { - let brief = format!("Usage: {} [OPTION]... {}", - env::args().nth(0).unwrap(), free.join(" ")); + let brief = format!( + "Usage: {} [OPTION]... {}", + env::args().nth(0).unwrap(), + free.join(" ") + ); print!("{}", options.usage(&brief)); - process::exit(if matches.free.len() != free.len() { 1 } else { 0 }) + process::exit(if matches.free.len() != free.len() { + 1 + } else { + 0 + }) } matches } @@ -41,46 +47,102 @@ pub fn parse_options(options: &Options, free: Vec<&str>) -> Matches { pub fn add_middleware_options(opts: &mut Options, _free: &mut Vec<&str>) { opts.optopt("", "pcap", "Write a packet capture file", "FILE"); - opts.optopt("", "drop-chance", "Chance of dropping a packet (%)", "CHANCE"); - opts.optopt("", "corrupt-chance", "Chance of corrupting a packet (%)", "CHANCE"); - opts.optopt("", "size-limit", "Drop packets larger than given size (octets)", "SIZE"); - opts.optopt("", "tx-rate-limit", "Drop packets after transmit rate exceeds given limit \ - (packets per interval)", "RATE"); - opts.optopt("", "rx-rate-limit", "Drop packets after transmit rate exceeds given limit \ - (packets per interval)", "RATE"); - opts.optopt("", "shaping-interval", "Sets the interval for rate limiting (ms)", "RATE"); + opts.optopt( + "", + "drop-chance", + "Chance of dropping a packet (%)", + "CHANCE", + ); + opts.optopt( + "", + "corrupt-chance", + "Chance of corrupting a packet (%)", + "CHANCE", + ); + opts.optopt( + "", + "size-limit", + "Drop packets larger than given size (octets)", + "SIZE", + ); + opts.optopt( + "", + "tx-rate-limit", + "Drop packets after transmit rate exceeds given limit \ + (packets per interval)", + "RATE", + ); + opts.optopt( + "", + "rx-rate-limit", + "Drop packets after transmit rate exceeds given limit \ + (packets per interval)", + "RATE", + ); + opts.optopt( + "", + "shaping-interval", + "Sets the interval for rate limiting (ms)", + "RATE", + ); } -pub fn parse_middleware_options(matches: &mut Matches, device: D, loopback: bool) - -> FaultInjector>>> - where D: for<'a> Device<'a> +pub fn parse_middleware_options( + matches: &mut Matches, + device: D, + loopback: bool, +) -> FaultInjector>>> +where + D: for<'a> Device<'a>, { - let drop_chance = matches.opt_str("drop-chance").map(|s| u8::from_str(&s).unwrap()) - .unwrap_or(0); - let corrupt_chance = matches.opt_str("corrupt-chance").map(|s| u8::from_str(&s).unwrap()) - .unwrap_or(0); - let size_limit = matches.opt_str("size-limit").map(|s| usize::from_str(&s).unwrap()) - .unwrap_or(0); - let tx_rate_limit = matches.opt_str("tx-rate-limit").map(|s| u64::from_str(&s).unwrap()) - .unwrap_or(0); - let rx_rate_limit = matches.opt_str("rx-rate-limit").map(|s| u64::from_str(&s).unwrap()) - .unwrap_or(0); - let shaping_interval = matches.opt_str("shaping-interval").map(|s| u64::from_str(&s).unwrap()) - .unwrap_or(0); + let drop_chance = matches + .opt_str("drop-chance") + .map(|s| u8::from_str(&s).unwrap()) + .unwrap_or(0); + let corrupt_chance = matches + .opt_str("corrupt-chance") + .map(|s| u8::from_str(&s).unwrap()) + .unwrap_or(0); + let size_limit = matches + .opt_str("size-limit") + .map(|s| usize::from_str(&s).unwrap()) + .unwrap_or(0); + let tx_rate_limit = matches + .opt_str("tx-rate-limit") + .map(|s| u64::from_str(&s).unwrap()) + .unwrap_or(0); + let rx_rate_limit = matches + .opt_str("rx-rate-limit") + .map(|s| u64::from_str(&s).unwrap()) + .unwrap_or(0); + let shaping_interval = matches + .opt_str("shaping-interval") + .map(|s| u64::from_str(&s).unwrap()) + .unwrap_or(0); - let pcap_writer: Box; + let pcap_writer: Box; if let Some(pcap_filename) = matches.opt_str("pcap") { pcap_writer = Box::new(File::create(pcap_filename).expect("cannot open file")) } else { pcap_writer = Box::new(io::sink()) } - let seed = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().subsec_nanos(); + let seed = SystemTime::now() + .duration_since(UNIX_EPOCH) + .unwrap() + .subsec_nanos(); + + let device = PcapWriter::new( + device, + pcap_writer, + if loopback { + PcapMode::TxOnly + } else { + PcapMode::Both + }, + ); - let device = PcapWriter::new(device, Rc::new(RefCell::new(pcap_writer)) as Rc, - if loopback { PcapMode::TxOnly } else { PcapMode::Both }, - PcapLinkType::Ethernet); - let device = EthernetTracer::new(device, |_timestamp, _printer| { + let device = Tracer::new(device, |_timestamp, _printer| { #[cfg(feature = "log")] trace!("{}", _printer); });