1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "vpnclient_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <securec.h>
21
22 #include "accesstoken_kit.h"
23 #include "refbase.h"
24 #include "token_setproc.h"
25
26 #include "i_vpn_event_callback.h"
27 #include "networkvpn_service.h"
28
29 namespace OHOS {
30 namespace NetManagerStandard {
31 namespace {
32
33 constexpr size_t STR_LEN = 16;
34
35 size_t g_baseFuzzPos = 0;
36 size_t g_baseFuzzSize = 0;
37 const uint8_t *g_baseFuzzData = nullptr;
38
39 using namespace Security::AccessToken;
40 using Security::AccessToken::AccessTokenID;
41 HapInfoParams testInfoParms = {.userID = 1,
42 .bundleName = "vpnclient_fuzzer",
43 .instIndex = 0,
44 .appIDDesc = "test",
45 .isSystemApp = true};
46
47 PermissionDef testPermDef = {.permissionName = "ohos.permission.MANAGE_VPN",
48 .bundleName = "vpnclient_fuzzer",
49 .grantMode = 1,
50 .availableLevel = APL_SYSTEM_BASIC,
51 .label = "label",
52 .labelId = 1,
53 .description = "Test vpn maneger network info",
54 .descriptionId = 1};
55
56 PermissionStateFull testState = {.permissionName = "ohos.permission.MANAGE_VPN",
57 .isGeneral = true,
58 .resDeviceID = {"local"},
59 .grantStatus = {PermissionState::PERMISSION_GRANTED},
60 .grantFlags = {2}};
61
62 HapPolicyParams testPolicyPrams = {.apl = APL_SYSTEM_BASIC,
63 .domain = "test.domain",
64 .permList = {testPermDef},
65 .permStateList = {testState}};
66 class AccessToken {
67 public:
AccessToken()68 AccessToken() : currentID_(GetSelfTokenID())
69 {
70 AccessTokenIDEx tokenIdEx = AccessTokenKit::AllocHapToken(testInfoParms, testPolicyPrams);
71 accessID_ = tokenIdEx.tokenIDEx;
72 SetSelfTokenID(tokenIdEx.tokenIDEx);
73 }
~AccessToken()74 ~AccessToken()
75 {
76 AccessTokenKit::DeleteToken(accessID_);
77 SetSelfTokenID(currentID_);
78 }
79
80 private:
81 AccessTokenID currentID_;
82 AccessTokenID accessID_ = 0;
83 };
84 } // namespace
85
InitGlobalData(const uint8_t * data,size_t size)86 bool InitGlobalData(const uint8_t *data, size_t size)
87 {
88 if (data == nullptr || size == 0) {
89 return false;
90 }
91 g_baseFuzzPos = 0;
92 g_baseFuzzSize = size;
93 g_baseFuzzData = data;
94 return true;
95 }
96
GetData()97 template <class T> T GetData()
98 {
99 T object{};
100 size_t objectSize = sizeof(object);
101 if (g_baseFuzzData == nullptr || objectSize > g_baseFuzzSize - g_baseFuzzPos) {
102 return object;
103 }
104 errno_t ret = memcpy_s(&object, objectSize, g_baseFuzzData + g_baseFuzzPos, objectSize);
105 if (ret != EOK) {
106 return {};
107 }
108 g_baseFuzzPos += objectSize;
109 return object;
110 }
111
GetStringData()112 std::string GetStringData()
113 {
114 char cstr[STR_LEN] = {0};
115 for (uint32_t i = 0; i < STR_LEN - 1; i++) {
116 cstr[i] = GetData<char>();
117 }
118 return std::string(cstr);
119 }
120
GetAddressData()121 INetAddr GetAddressData()
122 {
123 INetAddr netAddr;
124 netAddr.type_ = GetData<uint8_t>();
125 netAddr.family_ = GetData<uint8_t>();
126 netAddr.prefixlen_ = GetData<uint8_t>();
127 netAddr.address_ = GetStringData();
128 netAddr.netMask_ = GetStringData();
129 netAddr.hostName_ = GetStringData();
130 netAddr.port_ = GetData<uint8_t>();
131 return netAddr;
132 }
133
GetRouteData()134 Route GetRouteData()
135 {
136 Route route;
137 route.iface_ = GetStringData();
138 route.destination_ = GetAddressData();
139 route.gateway_ = GetAddressData();
140 route.mtu_ = GetData<int32_t>();
141 route.isHost_ = GetData<bool>();
142 route.hasGateway_ = GetData<bool>();
143 route.isDefaultRoute_ = GetData<bool>();
144 return route;
145 }
146
147 class VpnEventCallbackTest : public IRemoteStub<IVpnEventCallback> {
148 public:
OnVpnStateChanged(const bool & isConnected)149 void OnVpnStateChanged(const bool &isConnected) override{};
OnVpnMultiUserSetUp()150 void OnVpnMultiUserSetUp() override{};
151 };
152
OnRemoteRequest(INetworkVpnService::MessageCode code,MessageParcel & data)153 int32_t OnRemoteRequest(INetworkVpnService::MessageCode code, MessageParcel &data)
154 {
155 MessageParcel reply;
156 MessageOption option;
157 return Singleton<NetworkVpnService>::GetInstance().OnRemoteRequest(static_cast<uint32_t>(code), data, reply,
158 option);
159 }
160
PrepareFuzzTest(const uint8_t * data,size_t size)161 void PrepareFuzzTest(const uint8_t *data, size_t size)
162 {
163 AccessToken token;
164 MessageParcel dataParcel;
165 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
166 return;
167 }
168 OnRemoteRequest(INetworkVpnService::MessageCode::CMD_PREPARE, dataParcel);
169 }
170
ProtectFuzzTest(const uint8_t * data,size_t size)171 void ProtectFuzzTest(const uint8_t *data, size_t size)
172 {
173 AccessToken token;
174 MessageParcel dataParcel;
175 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
176 return;
177 }
178 OnRemoteRequest(INetworkVpnService::MessageCode::CMD_PROTECT, dataParcel);
179 }
180
SetUpVpnFuzzTest(const uint8_t * data,size_t size)181 void SetUpVpnFuzzTest(const uint8_t *data, size_t size)
182 {
183 if (!InitGlobalData(data, size)) {
184 return;
185 }
186
187 AccessToken token;
188 MessageParcel dataParcel;
189 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
190 return;
191 }
192 sptr<VpnConfig> config = new (std::nothrow) VpnConfig();
193 config->addresses_.emplace_back(GetAddressData());
194 config->routes_.emplace_back(GetRouteData());
195 config->mtu_ = GetData<int32_t>();
196 config->isAcceptIPv4_ = GetData<bool>();
197 config->isAcceptIPv6_ = GetData<bool>();
198 config->isLegacy_ = GetData<bool>();
199 config->isMetered_ = GetData<bool>();
200 config->isBlocking_ = GetData<bool>();
201 config->dnsAddresses_.emplace_back(GetStringData());
202 config->searchDomains_.emplace_back(GetStringData());
203 config->acceptedApplications_.emplace_back(GetStringData());
204 config->acceptedApplications_.emplace_back(GetStringData());
205 if (!config->Marshalling(dataParcel)) {
206 return;
207 }
208 OnRemoteRequest(INetworkVpnService::MessageCode::CMD_START_VPN, dataParcel);
209 }
210
DestroyVpnFuzzTest(const uint8_t * data,size_t size)211 void DestroyVpnFuzzTest(const uint8_t *data, size_t size)
212 {
213 AccessToken token;
214 MessageParcel dataParcel;
215 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
216 return;
217 }
218 OnRemoteRequest(INetworkVpnService::MessageCode::CMD_STOP_VPN, dataParcel);
219 }
220
RegisterVpnEventFuzzTest(const uint8_t * data,size_t size)221 void RegisterVpnEventFuzzTest(const uint8_t *data, size_t size)
222 {
223 AccessToken token;
224 MessageParcel dataParcel;
225 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
226 return;
227 }
228
229 sptr<IVpnEventCallback> callback = new (std::nothrow) VpnEventCallbackTest();
230 if (callback == nullptr || !dataParcel.WriteRemoteObject(callback->AsObject().GetRefPtr())) {
231 return;
232 }
233 OnRemoteRequest(INetworkVpnService::MessageCode::CMD_REGISTER_EVENT_CALLBACK, dataParcel);
234 }
235
UnregisterVpnEventFuzzTest(const uint8_t * data,size_t size)236 void UnregisterVpnEventFuzzTest(const uint8_t *data, size_t size)
237 {
238 AccessToken token;
239 MessageParcel dataParcel;
240 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
241 return;
242 }
243
244 sptr<IVpnEventCallback> callback = new (std::nothrow) VpnEventCallbackTest();
245 if (callback == nullptr || !dataParcel.WriteRemoteObject(callback->AsObject().GetRefPtr())) {
246 return;
247 }
248 OnRemoteRequest(INetworkVpnService::MessageCode::CMD_UNREGISTER_EVENT_CALLBACK, dataParcel);
249 }
250 } // namespace NetManagerStandard
251 } // namespace OHOS
252
253 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)254 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
255 {
256 /* Run your code on data */
257 OHOS::NetManagerStandard::PrepareFuzzTest(data, size);
258 OHOS::NetManagerStandard::ProtectFuzzTest(data, size);
259 OHOS::NetManagerStandard::SetUpVpnFuzzTest(data, size);
260 OHOS::NetManagerStandard::DestroyVpnFuzzTest(data, size);
261 OHOS::NetManagerStandard::RegisterVpnEventFuzzTest(data, size);
262 OHOS::NetManagerStandard::UnregisterVpnEventFuzzTest(data, size);
263 return 0;
264 }