1 #include <stdint.h>
2 extern "C" {
3 #include "eap_fuzz_Cproxy.h"
4 }
5
6 #include <src/libfuzzer/libfuzzer_macro.h>
7 #include "eap_fuzz.pb.h"
8
9 #define S_MALLOC(var, size) \
10 do { \
11 if ((var = (uint8_t *)malloc(size)) == NULL) { \
12 return; \
13 } \
14 } while(0)
15
write_header(uint8_t * packet,uint16_t data_size,uint8_t type)16 void write_header(uint8_t *packet, uint16_t data_size, uint8_t type)
17 {
18 data_size += EAP_HEADERLEN;
19 //the packet type
20 *(packet)++ = type&0xff;
21 //id
22 *(packet)++ = 0x0;
23 //the length as big endian short
24 *(packet)++ = ((data_size >> 8)&0xff);
25 *(packet)++ = data_size&0xff;
26 }
27
DEFINE_BINARY_PROTO_FUZZER(const eap_fuzz::proto::PacketSet & packets)28 DEFINE_BINARY_PROTO_FUZZER(const eap_fuzz::proto::PacketSet &packets){
29 init();
30
31 for(const eap_fuzz::proto::Packet& packet: packets.packets()){
32 uint8_t *fuzz_packet = NULL;
33 size_t packet_len = 0;
34 std::string data = "";
35 uint8_t packet_type = -1;
36 switch(packet.PacketType_case()){
37 case eap_fuzz::proto::Packet::kEapRequest: {
38 packet_type = EAP_REQUEST;
39 uint8_t eap_request_type = -1;
40 auto eap_request = packet.eap_request();
41 switch(eap_request.EapRequestType_case()){
42 case eap_fuzz::proto::EapRequest::kIdentity: {
43 eap_request_type = EAPT_IDENTITY;
44 data = eap_request.identity().data();
45 S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+1);
46 break;
47 }
48 case eap_fuzz::proto::EapRequest::kNotification: {
49 eap_request_type = EAPT_NOTIFICATION;
50 data = eap_request.notification().data();
51 S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+1);
52 break;
53 }
54 case eap_fuzz::proto::EapRequest::kMd5Chap: {
55 eap_request_type = EAPT_MD5CHAP;
56 data = eap_request.md5chap().data();
57 S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+1);
58 break;
59 }
60 case eap_fuzz::proto::EapRequest::kSrp: {
61 auto request_srp = eap_request.srp();
62 eap_request_type = EAPT_SRP;
63 uint8_t srp_type = -1;
64 switch(request_srp.EspMessage_case()){
65 case eap_fuzz::proto::EaptRequestSRP::kSrpChallenge:{
66 data = request_srp.srp_challenge().data();
67 srp_type = EAPSRP_CHALLENGE;
68 break;
69 }
70 case eap_fuzz::proto::EaptRequestSRP::kSrpValidator:{
71 data = request_srp.srp_validator().data();
72 srp_type = EAPSRP_SVALIDATOR;
73 break;
74 }
75 case eap_fuzz::proto::EaptRequestSRP::kSrpKey:{
76 data = request_srp.srp_key().data();
77 srp_type = EAPSRP_SKEY;
78 break;
79 }
80 case eap_fuzz::proto::EaptRequestSRP::kSrpLwreChallenge:{
81 data = request_srp.srp_lwre_challenge().data();
82 srp_type = EAPSRP_LWRECHALLENGE;
83 break;
84 }
85 case eap_fuzz::proto::EaptRequestSRP::ESPMESSAGE_NOT_SET:{
86 return;
87 }
88
89 }
90 S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+2);
91 *(fuzz_packet+EAP_HEADERLEN+1) = srp_type;
92 packet_len++;
93 break;
94 }
95 case eap_fuzz::proto::EapRequest::EAPREQUESTTYPE_NOT_SET: {
96 return;
97 }
98 }
99 *(fuzz_packet+EAP_HEADERLEN) = eap_request_type;
100 ++packet_len;
101 break;
102 }
103
104 case eap_fuzz::proto::Packet::kEapResponse: {
105 packet_type = EAP_RESPONSE;
106 auto eap_response = packet.eap_response();
107 uint8_t eap_response_type = -1;
108 switch(eap_response.EapResponseType_case()){
109 case eap_fuzz::proto::EapResponse::kIdentity: {
110 eap_response_type = EAPT_IDENTITY;
111 data = eap_response.identity().data();
112 S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+1);
113 break;
114 }
115 case eap_fuzz::proto::EapResponse::kNotification: {
116 eap_response_type = EAPT_NOTIFICATION;
117 data = eap_response.notification().data();
118 S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+1);
119 break;
120 }
121 case eap_fuzz::proto::EapResponse::kMd5Chap: {
122 eap_response_type = EAPT_MD5CHAP;
123 data = eap_response.md5chap().data();
124 S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+1);
125 break;
126 }
127 case eap_fuzz::proto::EapResponse::kNak: {
128 eap_response_type = EAPT_NAK;
129 auto response_nak = eap_response.nak();
130 uint8_t nak_type = -1;
131 switch(response_nak.EaptResponseNAKType_case()){
132 case eap_fuzz::proto::EaptResponseNAK::kSrp:{
133 nak_type = EAPT_SRP;
134 break;
135
136 }
137 case eap_fuzz::proto::EaptResponseNAK::kMd5Chap:{
138 nak_type = EAPT_MD5CHAP;
139 break;
140
141 }
142 case eap_fuzz::proto::EaptResponseNAK::EAPTRESPONSENAKTYPE_NOT_SET:{
143 return;
144 }
145 }
146 S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+2);
147 *(fuzz_packet+EAP_HEADERLEN+1) = nak_type;
148 packet_len++;
149 break;
150 }
151 case eap_fuzz::proto::EapResponse::kSrp: {
152 auto response_srp = eap_response.srp();
153 eap_response_type = EAPT_SRP;
154 uint8_t srp_type = -1;
155 switch(response_srp.EspMessage_case()){
156 case eap_fuzz::proto::EaptResponseSRP::kSrpChallenge:{
157 data = response_srp.srp_challenge().data();
158 srp_type = EAPSRP_LWRECHALLENGE;
159 break;
160 }
161 case eap_fuzz::proto::EaptResponseSRP::kSrpCvalidator:{
162 data = response_srp.srp_cvalidator().data();
163 srp_type = EAPSRP_CVALIDATOR;
164 break;
165 }
166 case eap_fuzz::proto::EaptResponseSRP::kSrpCkey:{
167 data = response_srp.srp_ckey().data();
168 srp_type = EAPSRP_CKEY;
169 break;
170 }
171 case eap_fuzz::proto::EaptResponseSRP::kSrpAck:{
172 data = response_srp.srp_ack().data();
173 srp_type = EAPSRP_ACK;
174 break;
175 }
176 case eap_fuzz::proto::EaptResponseSRP::ESPMESSAGE_NOT_SET:{
177 return;
178 }
179
180 }
181 S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN+2);
182 *(fuzz_packet+EAP_HEADERLEN+1) = srp_type;
183 packet_len++;
184 break;
185 }
186 case eap_fuzz::proto::EapResponse::EAPRESPONSETYPE_NOT_SET: {
187 return;
188 }
189 }
190 *(fuzz_packet+EAP_HEADERLEN) = eap_response_type;
191 ++packet_len;
192 break;
193 }
194 case eap_fuzz::proto::Packet::kEapSuccess: {
195 packet_type = EAP_SUCCESS;
196 data = packet.eap_success().data();
197 S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN);
198 break;
199 }
200 case eap_fuzz::proto::Packet::kEapFailure: {
201 packet_type = EAP_FAILURE;
202 data = packet.eap_failure().data();
203 S_MALLOC(fuzz_packet, data.size()+EAP_HEADERLEN);
204 break;
205 }
206 case eap_fuzz::proto::Packet::PACKETTYPE_NOT_SET: {
207 return;
208 }
209 }
210 write_header(fuzz_packet, data.size()+packet_len, packet_type);
211 memcpy(fuzz_packet+EAP_HEADERLEN+packet_len, data.data(), data.size());
212 proxy_packet(fuzz_packet, data.size()+EAP_HEADERLEN+packet_len);
213 free(fuzz_packet);
214 }
215 }
216