[libfuzzer] Fuzzing different Transport Types for all-clusters-app (p…

…roject-chip#35629) * Fuzzing different Transport Types for all-clusters-app * Adding an enum value for the number of transport types * 1. replacing magic number when fuzzing the number of transport types 2. using different parts of the fuzzed input data for TransportType and for Payload * Restyled by clang-format * avoiding out of bounds access --------- Co-authored-by: Restyled.io <[email protected]>
yyzhong-g · Dec 11, 2024 · 84901d4 · 84901d4
1 parent 4d8de33
commit 84901d4
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 3 deletions.
diff --git a/examples/all-clusters-app/linux/fuzzing-main.cpp b/examples/all-clusters-app/linux/fuzzing-main.cpp
@@ -73,9 +73,20 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t * aData, size_t aSize)
     // For now, just dump the data as a UDP payload into the session manager.
     // But maybe we should try to separately extract a PeerAddress and data from
     // the incoming data?
-    Transport::PeerAddress peerAddr;
+
+    // To avoid out-of-bounds access when acessing aData[1]
+    if (aSize < 2)
+    {
+        return 0;
+    }
+
+    // dumping payload with fuzzed transport types
+    constexpr uint8_t numberOfTypes     = static_cast<int>(Transport::Type::kLast) + 1;
+    Transport::Type fuzzedTransportType = static_cast<Transport::Type>(aData[0] % numberOfTypes);
+    Transport::PeerAddress peerAddr(fuzzedTransportType);
+
     System::PacketBufferHandle buf =
-        System::PacketBufferHandle::NewWithData(aData, aSize, /* aAdditionalSize = */ 0, /* aReservedSize = */ 0);
+        System::PacketBufferHandle::NewWithData(&aData[1], aSize - 1, /* aAdditionalSize = */ 0, /* aReservedSize = */ 0);
     if (buf.IsNull())
     {
         // Too big; we couldn't represent this as a packetbuffer to start with.
@@ -84,8 +95,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t * aData, size_t aSize)
 
     // Ignoring the return value from OnMessageReceived, because we might be
     // passing it all sorts of garbage that will cause it to fail.
-    Server::GetInstance().GetSecureSessionManager().OnMessageReceived(peerAddr, std::move(buf));
 
+    // for TCP we need to have MessageTransportContext
+    if (fuzzedTransportType == Transport::Type::kTcp)
+    {
+        Transport::MessageTransportContext msgContext;
+        Server::GetInstance().GetSecureSessionManager().OnMessageReceived(peerAddr, std::move(buf), &msgContext);
+    }
+    else
+    {
+        Server::GetInstance().GetSecureSessionManager().OnMessageReceived(peerAddr, std::move(buf));
+    }
     // Now process pending events until our sentinel is reached.
     PlatformMgr().ScheduleWork([](intptr_t) { PlatformMgr().StopEventLoopTask(); });
     PlatformMgr().RunEventLoop();

diff --git a/src/transport/raw/PeerAddress.h b/src/transport/raw/PeerAddress.h
@@ -54,6 +54,7 @@ enum class Type : uint8_t
     kBle,
     kTcp,
     kWiFiPAF,
+    kLast = kWiFiPAF, // This is not an actual transport type, it just refers to the last transport type
 };
 
 /**
-Original file line number
+Diff line change
@@ Expand Up / @@ -54,6 +54,7 @@ enum class Type : uint8_t @@
         kBle,
         kTcp,
         kWiFiPAF,
+        kLast = kWiFiPAF, // This is not an actual transport type, it just refers to the last transport type
     };
     /**
@@ Expand Down @@