1 /*
2 * Copyright (C) 2023-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "mdns_client_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <securec.h>
21
22 #include "imdns_service.h"
23 #include "iservice_registry.h"
24 #include "message_parcel.h"
25 #include "net_manager_ext_constants.h"
26 #include "refbase.h"
27 #include "system_ability_definition.h"
28 #include "netmgr_ext_log_wrapper.h"
29 #include "mdns_protocol_impl.h"
30 #define private public
31 #include "mdns_client.h"
32 #include "mdns_service.h"
33 #undef private
34
35 namespace OHOS {
36 namespace NetManagerStandard {
37
38 class IRegistrationCallbackTest : public IRemoteStub<IRegistrationCallback> {
39 public:
HandleRegister(const MDnsServiceInfo & serviceInfo,int32_t retCode)40 int32_t HandleRegister(const MDnsServiceInfo &serviceInfo, int32_t retCode) override { return 0; }
HandleUnRegister(const MDnsServiceInfo & serviceInfo,int32_t retCode)41 int32_t HandleUnRegister(const MDnsServiceInfo &serviceInfo, int32_t retCode) override { return 0; }
HandleRegisterResult(const MDnsServiceInfo & serviceInfo,int32_t retCode)42 int32_t HandleRegisterResult(const MDnsServiceInfo &serviceInfo, int32_t retCode) override { return 0; }
43 };
44
45 class IDiscoveryCallbackTest : public IRemoteStub<IDiscoveryCallback> {
46 public:
HandleStartDiscover(const MDnsServiceInfo & serviceInfo,int32_t retCode)47 int32_t HandleStartDiscover(const MDnsServiceInfo &serviceInfo, int32_t retCode) override { return 0; }
HandleStopDiscover(const MDnsServiceInfo & serviceInfo,int32_t retCode)48 int32_t HandleStopDiscover(const MDnsServiceInfo &serviceInfo, int32_t retCode) override { return 0; }
HandleServiceFound(const MDnsServiceInfo & serviceInfo,int32_t retCode)49 int32_t HandleServiceFound(const MDnsServiceInfo &serviceInfo, int32_t retCode) override { return 0; }
HandleServiceLost(const MDnsServiceInfo & serviceInfo,int32_t retCode)50 int32_t HandleServiceLost(const MDnsServiceInfo &serviceInfo, int32_t retCode) override { return 0; }
51 };
52
53 class IResolveCallbackTest : public IRemoteStub<IResolveCallback> {
54 public:
HandleResolveResult(const MDnsServiceInfo & serviceInfo,int32_t retCode)55 int32_t HandleResolveResult(const MDnsServiceInfo &serviceInfo, int32_t retCode) override { return 0; }
56 };
57
58 static const uint8_t *g_baseFuzzData = nullptr;
59 static size_t g_baseFuzzSize = 0;
60 static size_t g_baseFuzzPos;
61 static bool g_isInited = false;
62 static constexpr size_t STR_LEN = 10;
63
InitGlobalData(const uint8_t * data,size_t size)64 bool InitGlobalData(const uint8_t *data, size_t size)
65 {
66 if (data == nullptr || size == 0) {
67 return false;
68 }
69 g_baseFuzzData = data;
70 g_baseFuzzSize = size;
71 g_baseFuzzPos = 0;
72 return true;
73 }
74
GetData()75 template <class T> T GetData()
76 {
77 T object{};
78 size_t objectSize = sizeof(object);
79 if (g_baseFuzzData == nullptr || objectSize > g_baseFuzzSize - g_baseFuzzPos) {
80 return object;
81 }
82 errno_t ret = memcpy_s(&object, objectSize, g_baseFuzzData + g_baseFuzzPos, objectSize);
83 if (ret != EOK) {
84 return {};
85 }
86 g_baseFuzzPos += objectSize;
87 return object;
88 }
89
GetStringFromData(int strlen)90 std::string GetStringFromData(int strlen)
91 {
92 char cstr[strlen];
93 cstr[strlen - 1] = '\0';
94 for (int i = 0; i < strlen - 1; i++) {
95 cstr[i] = GetData<char>();
96 }
97 std::string str(cstr);
98 return str;
99 }
100
WriteInterfaceToken(MessageParcel & data)101 bool WriteInterfaceToken(MessageParcel &data)
102 {
103 return data.WriteInterfaceToken(IMdnsService::GetDescriptor());
104 }
105
GetMessageParcel(const uint8_t * data,size_t size,MessageParcel & dataParcel)106 __attribute__((no_sanitize("cfi"))) bool GetMessageParcel(const uint8_t *data, size_t size, MessageParcel &dataParcel)
107 {
108 if (!InitGlobalData(data, size)) {
109 return false;
110 }
111
112 if (!WriteInterfaceToken(dataParcel)) {
113 return false;
114 }
115
116 MDnsServiceInfo* info = new (std::nothrow) MDnsServiceInfo();
117 info->name = GetStringFromData(STR_LEN);
118 info->type = GetStringFromData(STR_LEN);
119 info->family = GetData<int32_t>();
120 info->addr = GetStringFromData(STR_LEN);
121 info->port = GetData<int32_t>();
122 std::string str = GetStringFromData(STR_LEN);
123 info->txtRecord = std::vector<uint8_t>(str.begin(), str.end());
124 if (!dataParcel.WriteParcelable(info)) {
125 return false;
126 }
127
128 return true;
129 }
130
Init()131 void Init()
132 {
133 if (!g_isInited) {
134 DelayedSingleton<MDnsService>::GetInstance()->Init();
135 g_isInited = true;
136 }
137 }
138
OnRemoteRequest(uint32_t code,MessageParcel & data)139 __attribute__((no_sanitize("cfi"))) int32_t OnRemoteRequest(uint32_t code, MessageParcel &data)
140 {
141 if (!g_isInited) {
142 Init();
143 }
144
145 MessageParcel reply;
146 MessageOption option;
147 return DelayedSingleton<MDnsService>::GetInstance()->OnRemoteRequest(code, data, reply, option);
148 }
149
RegisterServiceFuzzTest(const uint8_t * data,size_t size)150 void RegisterServiceFuzzTest(const uint8_t *data, size_t size)
151 {
152 NETMGR_EXT_LOG_D("RegisterServiceFuzzTest enter");
153 MessageParcel dataParcel;
154 if (!GetMessageParcel(data, size, dataParcel)) {
155 return;
156 }
157
158 sptr<IRegistrationCallbackTest> callback = new (std::nothrow) IRegistrationCallbackTest();
159 if (callback == nullptr) {
160 return;
161 }
162 dataParcel.WriteRemoteObject(callback->AsObject());
163
164 OnRemoteRequest(static_cast<uint32_t>(IMdnsServiceIpcCode::COMMAND_REGISTER_SERVICE), dataParcel);
165 }
166
UnRegisterServiceFuzzTest(const uint8_t * data,size_t size)167 void UnRegisterServiceFuzzTest(const uint8_t *data, size_t size)
168 {
169 NETMGR_EXT_LOG_D("UnRegisterServiceFuzzTest enter");
170 MessageParcel dataParcel;
171 if (!InitGlobalData(data, size)) {
172 return;
173 }
174
175 if (!WriteInterfaceToken(dataParcel)) {
176 return;
177 }
178
179 sptr<IRegistrationCallbackTest> callback = new (std::nothrow) IRegistrationCallbackTest();
180 if (callback == nullptr) {
181 return;
182 }
183 dataParcel.WriteRemoteObject(callback->AsObject());
184
185 OnRemoteRequest(static_cast<uint32_t>(IMdnsServiceIpcCode::COMMAND_UN_REGISTER_SERVICE), dataParcel);
186 }
187
StartDiscoverServiceFuzzTest(const uint8_t * data,size_t size)188 void StartDiscoverServiceFuzzTest(const uint8_t *data, size_t size)
189 {
190 NETMGR_EXT_LOG_D("StartDiscoverServiceFuzzTest enter");
191 MessageParcel dataParcel;
192 if (!InitGlobalData(data, size)) {
193 return;
194 }
195
196 if (!WriteInterfaceToken(dataParcel)) {
197 return;
198 }
199 std::string serviceType = GetStringFromData(STR_LEN);
200 if (!dataParcel.WriteString16(Str8ToStr16(serviceType))) {
201 return;
202 }
203 sptr<IDiscoveryCallbackTest> callback = new (std::nothrow) IDiscoveryCallbackTest();
204 if (callback == nullptr) {
205 return;
206 }
207 dataParcel.WriteRemoteObject(callback->AsObject());
208
209 OnRemoteRequest(static_cast<uint32_t>(IMdnsServiceIpcCode::COMMAND_START_DISCOVER_SERVICE), dataParcel);
210 }
211
StopDiscoverServiceFuzzTest(const uint8_t * data,size_t size)212 void StopDiscoverServiceFuzzTest(const uint8_t *data, size_t size)
213 {
214 NETMGR_EXT_LOG_D("StopDiscoverServiceFuzzTest enter");
215 MessageParcel dataParcel;
216 if (!InitGlobalData(data, size)) {
217 return;
218 }
219
220 if (!WriteInterfaceToken(dataParcel)) {
221 return;
222 }
223 sptr<IDiscoveryCallbackTest> callback = new (std::nothrow) IDiscoveryCallbackTest();
224 if (callback == nullptr) {
225 return;
226 }
227 dataParcel.WriteRemoteObject(callback->AsObject());
228
229 OnRemoteRequest(static_cast<uint32_t>(IMdnsServiceIpcCode::COMMAND_STOP_DISCOVER_SERVICE), dataParcel);
230 }
231
ResolveServiceFuzzTest(const uint8_t * data,size_t size)232 void ResolveServiceFuzzTest(const uint8_t *data, size_t size)
233 {
234 NETMGR_EXT_LOG_D("ResolveServiceFuzzTest enter");
235 MessageParcel dataParcel;
236 if (!GetMessageParcel(data, size, dataParcel)) {
237 return;
238 }
239
240 sptr<IResolveCallbackTest> callback = new (std::nothrow) IResolveCallbackTest();
241 if (callback == nullptr) {
242 return;
243 }
244 dataParcel.WriteRemoteObject(callback->AsObject());
245
246 OnRemoteRequest(static_cast<uint32_t>(IMdnsServiceIpcCode::COMMAND_RESOLVE_SERVICE), dataParcel);
247 }
248
MdnsRegisterServiceFuzzTest(const uint8_t * data,size_t size)249 void MdnsRegisterServiceFuzzTest(const uint8_t *data, size_t size)
250 {
251 if (data == nullptr || size == 0) {
252 return;
253 }
254 MDnsServiceInfo serviceInfo;
255 std::string name(reinterpret_cast<const char *>(data), size);
256 serviceInfo.name = name;
257 serviceInfo.port = static_cast<int32_t>(size % STR_LEN);
258 sptr<IRegistrationCallbackTest> callback = new (std::nothrow) IRegistrationCallbackTest();
259 if (callback == nullptr) {
260 return;
261 }
262 DelayedSingleton<MDnsClient>::GetInstance()->RegisterService(serviceInfo, callback);
263 DelayedSingleton<MDnsClient>::GetInstance()->UnRegisterService(callback);
264 }
265
MdnsStartDiscoverServiceFuzzTest(const uint8_t * data,size_t size)266 void MdnsStartDiscoverServiceFuzzTest(const uint8_t *data, size_t size)
267 {
268 if (data == nullptr || size == 0) {
269 return;
270 }
271 sptr<IDiscoveryCallbackTest> callback = new (std::nothrow) IDiscoveryCallbackTest();
272 if (callback == nullptr) {
273 return;
274 }
275 std::string serviceType(reinterpret_cast<const char *>(data), size);
276 DelayedSingleton<MDnsClient>::GetInstance()->StartDiscoverService(serviceType, callback);
277 DelayedSingleton<MDnsClient>::GetInstance()->StopDiscoverService(callback);
278 }
279
MdnsResolveServiceFuzzTest(const uint8_t * data,size_t size)280 void MdnsResolveServiceFuzzTest(const uint8_t *data, size_t size)
281 {
282 if (data == nullptr || size == 0) {
283 return;
284 }
285 sptr<IResolveCallbackTest> callback = new (std::nothrow) IResolveCallbackTest();
286 if (callback == nullptr) {
287 return;
288 }
289 MDnsServiceInfo serviceInfo;
290 std::string name(reinterpret_cast<const char *>(data), size);
291 serviceInfo.port = static_cast<int32_t>(size % STR_LEN);
292 serviceInfo.name = name;
293 DelayedSingleton<MDnsClient>::GetInstance()->ResolveService(serviceInfo, callback);
294 DelayedSingleton<MDnsClient>::GetInstance()->RestartResume();
295 }
296
ReceivePacketTest(const uint8_t * data,size_t size)297 void ReceivePacketTest(const uint8_t *data, size_t size)
298 {
299 if (data == nullptr) {
300 return;
301 }
302 MessageParcel dataParcel;
303 if (!GetMessageParcel(data, size, dataParcel)) {
304 return;
305 }
306 std::string str = GetStringFromData(STR_LEN);
307 std::vector<uint8_t> copy = std::vector<uint8_t>(str.begin(), str.end());
308 MDnsPayloadParser parser;
309 MDnsMessage msg = parser.FromBytes(copy);
310 }
311 } // namespace NetManagerStandard
312 } // namespace OHOS
313
314 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)315 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
316 {
317 /* Run your code on data */
318 OHOS::NetManagerStandard::RegisterServiceFuzzTest(data, size);
319 OHOS::NetManagerStandard::StartDiscoverServiceFuzzTest(data, size);
320 OHOS::NetManagerStandard::StopDiscoverServiceFuzzTest(data, size);
321 OHOS::NetManagerStandard::ResolveServiceFuzzTest(data, size);
322 OHOS::NetManagerStandard::UnRegisterServiceFuzzTest(data, size);
323 OHOS::NetManagerStandard::MdnsRegisterServiceFuzzTest(data, size);
324 OHOS::NetManagerStandard::MdnsStartDiscoverServiceFuzzTest(data, size);
325 OHOS::NetManagerStandard::MdnsResolveServiceFuzzTest(data, size);
326 OHOS::NetManagerStandard::ReceivePacketTest(data, size);
327 return 0;
328 }
329