1 /*
2 * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "vpnclient_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <securec.h>
21
22 #include "i_vpn_event_callback.h"
23 #include "netmanager_ext_test_security.h"
24 #include "networkvpn_service.h"
25 #include "refbase.h"
26
27 namespace OHOS {
28 namespace NetManagerStandard {
29 namespace {
30
31 constexpr size_t STR_LEN = 16;
32
33 size_t g_baseFuzzPos = 0;
34 size_t g_baseFuzzSize = 0;
35 const uint8_t *g_baseFuzzData = nullptr;
36 } // namespace
37
InitGlobalData(const uint8_t * data,size_t size)38 bool InitGlobalData(const uint8_t *data, size_t size)
39 {
40 if (data == nullptr || size == 0) {
41 return false;
42 }
43 g_baseFuzzPos = 0;
44 g_baseFuzzSize = size;
45 g_baseFuzzData = data;
46 return true;
47 }
48
GetData()49 template <class T> T GetData()
50 {
51 T object{};
52 size_t objectSize = sizeof(object);
53 if (g_baseFuzzData == nullptr || objectSize > g_baseFuzzSize - g_baseFuzzPos) {
54 return object;
55 }
56 errno_t ret = memcpy_s(&object, objectSize, g_baseFuzzData + g_baseFuzzPos, objectSize);
57 if (ret != EOK) {
58 return {};
59 }
60 g_baseFuzzPos += objectSize;
61 return object;
62 }
63
GetStringData()64 std::string GetStringData()
65 {
66 char cstr[STR_LEN] = {0};
67 for (uint32_t i = 0; i < STR_LEN - 1; i++) {
68 cstr[i] = GetData<char>();
69 }
70 return std::string(cstr);
71 }
72
GetAddressData()73 INetAddr GetAddressData()
74 {
75 INetAddr netAddr;
76 netAddr.type_ = GetData<uint8_t>();
77 netAddr.family_ = GetData<uint8_t>();
78 netAddr.prefixlen_ = GetData<uint8_t>();
79 netAddr.address_ = GetStringData();
80 netAddr.netMask_ = GetStringData();
81 netAddr.hostName_ = GetStringData();
82 netAddr.port_ = GetData<uint8_t>();
83 return netAddr;
84 }
85
GetRouteData()86 Route GetRouteData()
87 {
88 Route route;
89 route.iface_ = GetStringData();
90 route.destination_ = GetAddressData();
91 route.gateway_ = GetAddressData();
92 route.mtu_ = GetData<int32_t>();
93 route.isHost_ = GetData<bool>();
94 route.hasGateway_ = GetData<bool>();
95 route.isDefaultRoute_ = GetData<bool>();
96 return route;
97 }
98
99 class VpnEventCallbackTest : public IRemoteStub<IVpnEventCallback> {
100 public:
OnVpnStateChanged(const bool & isConnected)101 void OnVpnStateChanged(const bool &isConnected) override{};
OnVpnMultiUserSetUp()102 void OnVpnMultiUserSetUp() override{};
103 };
104
OnRemoteRequest(INetworkVpnService::MessageCode code,MessageParcel & data)105 int32_t OnRemoteRequest(INetworkVpnService::MessageCode code, MessageParcel &data)
106 {
107 MessageParcel reply;
108 MessageOption option;
109 return Singleton<NetworkVpnService>::GetInstance().OnRemoteRequest(static_cast<uint32_t>(code), data, reply,
110 option);
111 }
112
PrepareFuzzTest(const uint8_t * data,size_t size)113 void PrepareFuzzTest(const uint8_t *data, size_t size)
114 {
115 NetManagerExtAccessToken token;
116 MessageParcel dataParcel;
117 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
118 return;
119 }
120 OnRemoteRequest(INetworkVpnService::MessageCode::CMD_PREPARE, dataParcel);
121 }
122
ProtectFuzzTest(const uint8_t * data,size_t size)123 void ProtectFuzzTest(const uint8_t *data, size_t size)
124 {
125 NetManagerExtAccessToken token;
126 MessageParcel dataParcel;
127 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
128 return;
129 }
130 OnRemoteRequest(INetworkVpnService::MessageCode::CMD_PROTECT, dataParcel);
131 }
132
SetUpVpnFuzzTest(const uint8_t * data,size_t size)133 void SetUpVpnFuzzTest(const uint8_t *data, size_t size)
134 {
135 if (!InitGlobalData(data, size)) {
136 return;
137 }
138
139 NetManagerExtAccessToken token;
140 MessageParcel dataParcel;
141 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
142 return;
143 }
144 sptr<VpnConfig> config = new (std::nothrow) VpnConfig();
145 config->addresses_.emplace_back(GetAddressData());
146 config->routes_.emplace_back(GetRouteData());
147 config->mtu_ = GetData<int32_t>();
148 config->isAcceptIPv4_ = GetData<bool>();
149 config->isAcceptIPv6_ = GetData<bool>();
150 config->isLegacy_ = GetData<bool>();
151 config->isMetered_ = GetData<bool>();
152 config->isBlocking_ = GetData<bool>();
153 config->dnsAddresses_.emplace_back(GetStringData());
154 config->searchDomains_.emplace_back(GetStringData());
155 config->acceptedApplications_.emplace_back(GetStringData());
156 config->acceptedApplications_.emplace_back(GetStringData());
157 if (!config->Marshalling(dataParcel)) {
158 return;
159 }
160 OnRemoteRequest(INetworkVpnService::MessageCode::CMD_START_VPN, dataParcel);
161 }
162
DestroyVpnFuzzTest(const uint8_t * data,size_t size)163 void DestroyVpnFuzzTest(const uint8_t *data, size_t size)
164 {
165 NetManagerExtAccessToken token;
166 MessageParcel dataParcel;
167 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
168 return;
169 }
170 OnRemoteRequest(INetworkVpnService::MessageCode::CMD_STOP_VPN, dataParcel);
171 }
172
RegisterVpnEventFuzzTest(const uint8_t * data,size_t size)173 void RegisterVpnEventFuzzTest(const uint8_t *data, size_t size)
174 {
175 NetManagerExtAccessToken token;
176 MessageParcel dataParcel;
177 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
178 return;
179 }
180
181 sptr<IVpnEventCallback> callback = new (std::nothrow) VpnEventCallbackTest();
182 if (callback == nullptr || !dataParcel.WriteRemoteObject(callback->AsObject().GetRefPtr())) {
183 return;
184 }
185 OnRemoteRequest(INetworkVpnService::MessageCode::CMD_REGISTER_EVENT_CALLBACK, dataParcel);
186 }
187
UnregisterVpnEventFuzzTest(const uint8_t * data,size_t size)188 void UnregisterVpnEventFuzzTest(const uint8_t *data, size_t size)
189 {
190 NetManagerExtAccessToken token;
191 MessageParcel dataParcel;
192 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
193 return;
194 }
195
196 sptr<IVpnEventCallback> callback = new (std::nothrow) VpnEventCallbackTest();
197 if (callback == nullptr || !dataParcel.WriteRemoteObject(callback->AsObject().GetRefPtr())) {
198 return;
199 }
200 OnRemoteRequest(INetworkVpnService::MessageCode::CMD_UNREGISTER_EVENT_CALLBACK, dataParcel);
201 }
202 } // namespace NetManagerStandard
203 } // namespace OHOS
204
205 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)206 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
207 {
208 /* Run your code on data */
209 OHOS::NetManagerStandard::PrepareFuzzTest(data, size);
210 OHOS::NetManagerStandard::ProtectFuzzTest(data, size);
211 OHOS::NetManagerStandard::SetUpVpnFuzzTest(data, size);
212 OHOS::NetManagerStandard::DestroyVpnFuzzTest(data, size);
213 OHOS::NetManagerStandard::RegisterVpnEventFuzzTest(data, size);
214 OHOS::NetManagerStandard::UnregisterVpnEventFuzzTest(data, size);
215 return 0;
216 }