1 /*
2 * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "vpnclient_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <securec.h>
21
22 #include "ivpn_event_callback.h"
23 #include "netmanager_ext_test_security.h"
24 #include "networkvpn_service.h"
25 #include "refbase.h"
26
27 namespace OHOS {
28 namespace NetManagerStandard {
29 namespace {
30
31 constexpr size_t STR_LEN = 16;
32
33 size_t g_baseFuzzPos = 0;
34 size_t g_baseFuzzSize = 0;
35 const uint8_t *g_baseFuzzData = nullptr;
36 } // namespace
37
InitGlobalData(const uint8_t * data,size_t size)38 bool InitGlobalData(const uint8_t *data, size_t size)
39 {
40 if (data == nullptr || size == 0) {
41 return false;
42 }
43 g_baseFuzzPos = 0;
44 g_baseFuzzSize = size;
45 g_baseFuzzData = data;
46 return true;
47 }
48
GetData()49 template <class T> T GetData()
50 {
51 T object{};
52 size_t objectSize = sizeof(object);
53 if (g_baseFuzzData == nullptr || objectSize > g_baseFuzzSize - g_baseFuzzPos) {
54 return object;
55 }
56 errno_t ret = memcpy_s(&object, objectSize, g_baseFuzzData + g_baseFuzzPos, objectSize);
57 if (ret != EOK) {
58 return {};
59 }
60 g_baseFuzzPos += objectSize;
61 return object;
62 }
63
GetStringData()64 std::string GetStringData()
65 {
66 char cstr[STR_LEN] = {0};
67 for (uint32_t i = 0; i < STR_LEN - 1; i++) {
68 cstr[i] = GetData<char>();
69 }
70 return std::string(cstr);
71 }
72
GetAddressData()73 INetAddr GetAddressData()
74 {
75 INetAddr netAddr;
76 netAddr.type_ = GetData<uint8_t>();
77 netAddr.family_ = GetData<uint8_t>();
78 netAddr.prefixlen_ = GetData<uint8_t>();
79 netAddr.address_ = GetStringData();
80 netAddr.netMask_ = GetStringData();
81 netAddr.hostName_ = GetStringData();
82 netAddr.port_ = GetData<uint8_t>();
83 return netAddr;
84 }
85
GetRouteData()86 Route GetRouteData()
87 {
88 Route route;
89 route.iface_ = GetStringData();
90 route.destination_ = GetAddressData();
91 route.gateway_ = GetAddressData();
92 route.mtu_ = GetData<int32_t>();
93 route.isHost_ = GetData<bool>();
94 route.hasGateway_ = GetData<bool>();
95 route.isDefaultRoute_ = GetData<bool>();
96 return route;
97 }
98
99 class VpnEventCallbackTest : public IRemoteStub<IVpnEventCallback> {
100 public:
OnVpnStateChanged(bool isConnected)101 int32_t OnVpnStateChanged(bool isConnected) override { return 0; };
OnVpnMultiUserSetUp()102 int32_t OnVpnMultiUserSetUp()override { return 0; };
OnMultiVpnStateChanged(bool isConnected,const std::string & bundleName,const std::string & vpnId)103 int32_t OnMultiVpnStateChanged(bool isConnected, const std::string &bundleName,
104 const std::string &vpnId) override{ return 0; };
105 };
106
OnRemoteRequest(INetworkVpnServiceIpcCode code,MessageParcel & data)107 __attribute__((no_sanitize("cfi"))) int32_t OnRemoteRequest(INetworkVpnServiceIpcCode code,
108 MessageParcel &data)
109 {
110 MessageParcel reply;
111 MessageOption option;
112 return DelayedSingleton<NetworkVpnService>::GetInstance()->OnRemoteRequest(static_cast<uint32_t>(code), data,
113 reply, option);
114 }
115
PrepareFuzzTest(const uint8_t * data,size_t size)116 void PrepareFuzzTest(const uint8_t *data, size_t size)
117 {
118 if (!InitGlobalData(data, size)) {
119 return;
120 }
121 NetManagerExtAccessToken token;
122 MessageParcel dataParcel;
123 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
124 return;
125 }
126 int32_t num = GetData<int32_t>();
127 if (!dataParcel.WriteInt32(num)) {
128 return;
129 }
130 OnRemoteRequest(INetworkVpnServiceIpcCode::COMMAND_PREPARE, dataParcel);
131 }
132
ProtectFuzzTest(const uint8_t * data,size_t size)133 void ProtectFuzzTest(const uint8_t *data, size_t size)
134 {
135 if (!InitGlobalData(data, size)) {
136 return;
137 }
138 NetManagerExtAccessToken token;
139 MessageParcel dataParcel;
140 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
141 return;
142 }
143 int32_t num = GetData<int32_t>();
144 if (!dataParcel.WriteInt32(num)) {
145 return;
146 }
147 OnRemoteRequest(INetworkVpnServiceIpcCode::COMMAND_PROTECT, dataParcel);
148 }
149
SetUpVpnFuzzTest(const uint8_t * data,size_t size)150 void SetUpVpnFuzzTest(const uint8_t *data, size_t size)
151 {
152 if (!InitGlobalData(data, size)) {
153 return;
154 }
155
156 NetManagerExtAccessToken token;
157 MessageParcel dataParcel;
158 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
159 return;
160 }
161 VpnConfig* config = new (std::nothrow) VpnConfig();
162 config->addresses_.emplace_back(GetAddressData());
163 config->routes_.emplace_back(GetRouteData());
164 config->mtu_ = GetData<int32_t>();
165 config->isAcceptIPv4_ = GetData<bool>();
166 config->isAcceptIPv6_ = GetData<bool>();
167 config->isLegacy_ = GetData<bool>();
168 config->isMetered_ = GetData<bool>();
169 config->isBlocking_ = GetData<bool>();
170 config->dnsAddresses_.emplace_back(GetStringData());
171 config->searchDomains_.emplace_back(GetStringData());
172 config->acceptedApplications_.emplace_back(GetStringData());
173 config->acceptedApplications_.emplace_back(GetStringData());
174 if (!config->Marshalling(dataParcel)) {
175 return;
176 }
177 OnRemoteRequest(INetworkVpnServiceIpcCode::COMMAND_SET_UP_VPN, dataParcel);
178 }
179
DestroyVpnFuzzTest(const uint8_t * data,size_t size)180 void DestroyVpnFuzzTest(const uint8_t *data, size_t size)
181 {
182 if (!InitGlobalData(data, size)) {
183 return;
184 }
185 NetManagerExtAccessToken token;
186 MessageParcel dataParcel;
187 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
188 return;
189 }
190 int32_t num = GetData<int32_t>();
191 if (!dataParcel.WriteInt32(num)) {
192 return;
193 }
194 OnRemoteRequest(INetworkVpnServiceIpcCode::COMMAND_DESTROY_VPN, dataParcel);
195 }
196
RegisterVpnEventFuzzTest(const uint8_t * data,size_t size)197 void RegisterVpnEventFuzzTest(const uint8_t *data, size_t size)
198 {
199 if (!InitGlobalData(data, size)) {
200 return;
201 }
202 NetManagerExtAccessToken token;
203 MessageParcel dataParcel;
204 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
205 return;
206 }
207
208 sptr<IVpnEventCallback> callback = new (std::nothrow) VpnEventCallbackTest();
209 if (callback == nullptr || !dataParcel.WriteRemoteObject(callback->AsObject())) {
210 return;
211 }
212 int32_t num = GetData<int32_t>();
213 if (!dataParcel.WriteInt32(num)) {
214 return;
215 }
216 OnRemoteRequest(INetworkVpnServiceIpcCode::COMMAND_REGISTER_VPN_EVENT, dataParcel);
217 }
218
UnregisterVpnEventFuzzTest(const uint8_t * data,size_t size)219 void UnregisterVpnEventFuzzTest(const uint8_t *data, size_t size)
220 {
221 if (!InitGlobalData(data, size)) {
222 return;
223 }
224 NetManagerExtAccessToken token;
225 MessageParcel dataParcel;
226 if (!dataParcel.WriteInterfaceToken(NetworkVpnServiceStub::GetDescriptor())) {
227 return;
228 }
229
230 sptr<IVpnEventCallback> callback = new (std::nothrow) VpnEventCallbackTest();
231 if (callback == nullptr || !dataParcel.WriteRemoteObject(callback->AsObject())) {
232 return;
233 }
234 int32_t num = GetData<int32_t>();
235 if (!dataParcel.WriteInt32(num)) {
236 return;
237 }
238 OnRemoteRequest(INetworkVpnServiceIpcCode::COMMAND_UNREGISTER_VPN_EVENT, dataParcel);
239 }
240 } // namespace NetManagerStandard
241 } // namespace OHOS
242
243 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)244 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
245 {
246 /* Run your code on data */
247 OHOS::NetManagerStandard::PrepareFuzzTest(data, size);
248 OHOS::NetManagerStandard::ProtectFuzzTest(data, size);
249 OHOS::NetManagerStandard::SetUpVpnFuzzTest(data, size);
250 OHOS::NetManagerStandard::DestroyVpnFuzzTest(data, size);
251 OHOS::NetManagerStandard::RegisterVpnEventFuzzTest(data, size);
252 OHOS::NetManagerStandard::UnregisterVpnEventFuzzTest(data, size);
253 return 0;
254 }
255