fuzz/fuzzshark.c

   1 /* fuzzshark.c
   2  *
   3  * Fuzzer variant of Wireshark for oss-fuzz
   4  *
   5  * Wireshark - Network traffic analyzer
   6  * By Gerald Combs <gerald@wireshark.org>
   7  * Copyright 1998 Gerald Combs
   8  *
   9  * SPDX-License-Identifier: GPL-2.0-or-later
  10  */
  11
  12 #include <config.h>
  13 #define WS_LOG_DOMAIN  LOG_DOMAIN_MAIN
  14
  15 #include <stdlib.h>
  16 #include <stdio.h>
  17 #include <string.h>
  18 #include <limits.h>
  19
  20 #include <glib.h>
  21
  22 #include <epan/epan.h>
  23
  24 #include <wsutil/cmdarg_err.h>
  25 #include <ui/failure_message.h>
  26 #include <wsutil/filesystem.h>
  27 #include <wsutil/privileges.h>
  28 #include <wsutil/wslog.h>
  29 #include <wsutil/version_info.h>
  30
  31 #include <wiretap/wtap.h>
  32
  33 #include <epan/color_filters.h>
  34 #include <epan/timestamp.h>
  35 #include <epan/prefs.h>
  36 #include <epan/column.h>
  37 #include <epan/column-info.h>
  38 #include <epan/print.h>
  39 #include <epan/epan_dissect.h>
  40 #include <epan/disabled_protos.h>
  41
  42 #ifdef HAVE_PLUGINS
  43 #include <wsutil/plugins.h>
  44 #endif
  45
  46 #include "FuzzerInterface.h"
  47
  48 #define EPAN_INIT_FAIL 2
  49
  50 static column_info fuzz_cinfo;
  51 static epan_t *fuzz_epan;
  52 static epan_dissect_t *fuzz_edt;
  53
  54 static int
  55 fuzzshark_pref_set(const char *name, const char *value)
  56 {
  57         char pref[4096];
  58         char *errmsg = NULL;
  59
  60         prefs_set_pref_e ret;
  61
  62         snprintf(pref, sizeof(pref), "%s:%s", name, value);
  63
  64         ret = prefs_set_pref(pref, &errmsg);
  65         g_free(errmsg);
  66
  67         return (ret == PREFS_SET_OK);
  68 }
  69
  70 static const nstime_t *
  71 fuzzshark_get_frame_ts(struct packet_provider_data *prov _U_, uint32_t frame_num _U_)
  72 {
  73         static nstime_t empty;
  74
  75         return &empty;
  76 }
  77
  78 static epan_t *
  79 fuzzshark_epan_new(void)
  80 {
  81         static const struct packet_provider_funcs funcs = {
  82                 fuzzshark_get_frame_ts,
  83                 NULL,
  84                 NULL,
  85                 NULL
  86         };
  87
  88         return epan_new(NULL, &funcs);
  89 }
  90
  91 static dissector_handle_t
  92 get_dissector_handle(const char *table, const char *target)
  93 {
  94         dissector_handle_t fuzz_handle = NULL;
  95
  96         if (table != NULL && target != NULL)
  97         {
  98                 /* search for handle, cannot use dissector_table_get_dissector_handle() cause it's using short-name, and I already used filter name in samples ;/ */
  99                 GSList *handle_list = dissector_table_get_dissector_handles(find_dissector_table(table));
 100                 while (handle_list)
 101                 {
 102                         dissector_handle_t handle = (dissector_handle_t) handle_list->data;
 103                         const char *handle_filter_name = proto_get_protocol_filter_name(dissector_handle_get_protocol_index(handle));
 104
 105                         if (!strcmp(handle_filter_name, target))
 106                                 fuzz_handle = handle;
 107                         handle_list = handle_list->next;
 108                 }
 109         }
 110         else if (target != NULL)
 111         {
 112                 fuzz_handle = find_dissector(target);
 113         }
 114
 115         return fuzz_handle;
 116 }
 117
 118 static void
 119 fuzz_prefs_apply(void)
 120 {
 121         /* Turn off fragmentation for some protocols */
 122         fuzzshark_pref_set("ip.defragment", "FALSE");
 123         fuzzshark_pref_set("ipv6.defragment", "FALSE");
 124         fuzzshark_pref_set("wlan.defragment", "FALSE");
 125         fuzzshark_pref_set("tcp.desegment_tcp_streams", "FALSE");
 126
 127         /* Notify all registered modules that have had any of their preferences changed. */
 128         prefs_apply_all();
 129 }
 130
 131 static int
 132 fuzz_init(int argc _U_, char **argv)
 133 {
 134         char                *configuration_init_error;
 135
 136
 137         char                *err_msg = NULL;
 138         e_prefs             *prefs_p;
 139         int                  ret = EXIT_SUCCESS;
 140         size_t               i;
 141
 142         const char *fuzz_target =
 143 #if defined(FUZZ_DISSECTOR_TARGET)
 144                 FUZZ_DISSECTOR_TARGET;
 145 #else
 146                 getenv("FUZZSHARK_TARGET");
 147 #endif
 148
 149         const char *disabled_dissector_list[] =
 150         {
 151 #ifdef FUZZ_DISSECTOR_LIST
 152                 FUZZ_DISSECTOR_LIST ,
 153 #endif
 154                 "snort"
 155         };
 156
 157 #if !defined(FUZZ_DISSECTOR_TABLE) && !defined(FUZZ_DISSECTOR_TARGET)
 158         const char *fuzz_table = getenv("FUZZSHARK_TABLE");
 159
 160         /*
 161          * Set the pogram name.
 162          *
 163          * XXX - yes, this isn't main(), but it still needs to be
 164          * set, as many Wireshark library routines depend on it
 165          * being set.
 166          */
 167         g_set_prgname("oss-fuzzshark");
 168
 169         if (!fuzz_table && !fuzz_target) {
 170                 fprintf(stderr,
 171 "Missing environment variables!\n"
 172 "\n"
 173 "Modes of operation:\n"
 174 "\n"
 175 " 1. Call a dissector directly by its name:\n"
 176 "      FUZZSHARK_TARGET=dns %s input-file\n"
 177 "    Calls dissect_x from register_dissector(NAME, dissect_x, proto_x)\n"
 178 "\n"
 179 " 2. Call a dissector by its filter name in a dissector table:\n"
 180 "      FUZZSHARK_TABLE=ip.proto FUZZSHARK_TARGET=ospf %s input-file\n"
 181 "    The filter name is from proto_register_protocol(., ., FILTER_NAME)\n"
 182 "    Selects dissectors from dissector_add_uint* or dissector_add_for_decode_as.\n"
 183 "\n"
 184 "Either mode runs the selected dissector once and can hopefully reproduce a\n"
 185 "crash. Mode (2) can be used if a dissector (such as 'ospf') is not available\n"
 186 "through (1).\n"
 187 "\n"
 188 "For best results, build dedicated fuzzshark_* targets with:\n"
 189 "    cmake -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++\\\n"
 190 "      -DENABLE_FUZZER=1 -DENABLE_ASAN=1 -DENABLE_UBSAN=1\n"
 191 "    ninja all-fuzzers\n"
 192 "These options enable LibFuzzer which makes fuzzing possible as opposed to\n"
 193 "running dissectors only once with a sample (as is the case with this fuzzshark"
 194 "binary). These fuzzshark_* targets are also used by oss-fuzz.\n",
 195                         argv[0], argv[0]);
 196                 return 1;
 197         }
 198 #endif
 199
 200         dissector_handle_t fuzz_handle = NULL;
 201
 202         /* In oss-fuzz running environment g_get_home_dir() fails:
 203          * (process:1): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (0)
 204          * (process:1): GLib-CRITICAL **: g_once_init_leave: assertion 'result != 0' failed
 205          *
 206          * Avoid GLib-CRITICAL by setting some XDG environment variables.
 207          */
 208         g_setenv("XDG_CACHE_HOME", "/not/existing/directory", 0);  /* g_get_user_cache_dir() */
 209         g_setenv("XDG_CONFIG_HOME", "/not/existing/directory", 0); /* g_get_user_config_dir() */
 210         g_setenv("XDG_DATA_HOME", "/not/existing/directory", 0);   /* g_get_user_data_dir() */
 211
 212         g_setenv("WIRESHARK_DEBUG_WMEM_OVERRIDE", "simple", 0);
 213         g_setenv("G_SLICE", "always-malloc", 0);
 214
 215         cmdarg_err_init(stderr_cmdarg_err, stderr_cmdarg_err_cont);
 216
 217         /* Initialize log handler early so we can have proper logging during startup. */
 218         ws_log_init(vcmdarg_err);
 219
 220         /* Early logging command-line initialization. */
 221         ws_log_parse_args(&argc, argv, vcmdarg_err, LOG_ARGS_NOEXIT);
 222
 223         ws_noisy("Finished log init and parsing command line log arguments");
 224
 225         /*
 226          * Get credential information for later use, and drop privileges
 227          * before doing anything else.
 228          * Let the user know if anything happened.
 229          */
 230         init_process_policies();
 231 #if 0 /* disable setresgid(), it fails with -EINVAL https://github.com/google/oss-fuzz/pull/532#issuecomment-294515463 */
 232         relinquish_special_privs_perm();
 233 #endif
 234
 235         /*
 236          * Attempt to get the pathname of the executable file.
 237          */
 238         configuration_init_error = configuration_init(argv[0]);
 239         if (configuration_init_error != NULL) {
 240                 fprintf(stderr, "fuzzshark: Can't get pathname of oss-fuzzshark program: %s.\n", configuration_init_error);
 241                 g_free(configuration_init_error);
 242         }
 243
 244         /* Initialize the version information. */
 245         ws_init_version_info("OSS Fuzzshark",
 246             epan_gather_compile_info, epan_gather_runtime_info);
 247
 248         init_report_failure_message("fuzzshark");
 249
 250         timestamp_set_type(TS_RELATIVE);
 251         timestamp_set_precision(TS_PREC_AUTO);
 252         timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
 253
 254         /*
 255          * Libwiretap must be initialized before libwireshark is, so that
 256          * dissection-time handlers for file-type-dependent blocks can
 257          * register using the file type/subtype value for the file type.
 258          */
 259         wtap_init(true);
 260
 261         /* Register all dissectors; we must do this before checking for the
 262            "-G" flag, as the "-G" flag dumps information registered by the
 263            dissectors, and we must do it before we read the preferences, in
 264            case any dissectors register preferences. */
 265         if (!epan_init(NULL, NULL, false))
 266         {
 267                 ret = EPAN_INIT_FAIL;
 268                 goto clean_exit;
 269         }
 270
 271         /* Load libwireshark settings from the current profile. */
 272         prefs_p = epan_load_settings();
 273
 274         if (!color_filters_init(&err_msg, NULL))
 275         {
 276                 fprintf(stderr, "%s\n", err_msg);
 277                 g_free(err_msg);
 278         }
 279
 280         for (i = 0; i < G_N_ELEMENTS(disabled_dissector_list); i++)
 281         {
 282                 const char *item = disabled_dissector_list[i];
 283
 284                 /* XXX, need to think how to disallow chains like: IP -> .... -> IP,
 285                  * best would be to disable dissector always, but allow it during initial call. */
 286                 if (fuzz_target == NULL || strcmp(fuzz_target, item))
 287                 {
 288                         fprintf(stderr, "oss-fuzzshark: disabling: %s\n", item);
 289                         proto_disable_proto_by_name(item);
 290                 }
 291         }
 292
 293         fuzz_prefs_apply();
 294
 295         /* Build the column format array */
 296         build_column_format_array(&fuzz_cinfo, prefs_p->num_cols, true);
 297
 298 #if defined(FUZZ_DISSECTOR_TABLE) && defined(FUZZ_DISSECTOR_TARGET)
 299 # define FUZZ_EPAN 1
 300         fprintf(stderr, "oss-fuzzshark: configured for dissector: %s in table: %s\n", fuzz_target, FUZZ_DISSECTOR_TABLE);
 301         fuzz_handle = get_dissector_handle(FUZZ_DISSECTOR_TABLE, fuzz_target);
 302
 303 #elif defined(FUZZ_DISSECTOR_TARGET)
 304 # define FUZZ_EPAN 2
 305         fprintf(stderr, "oss-fuzzshark: configured for dissector: %s\n", fuzz_target);
 306         fuzz_handle = get_dissector_handle(NULL, fuzz_target);
 307
 308 #else
 309 # define FUZZ_EPAN 3
 310         if (fuzz_table) {
 311                 fprintf(stderr, "oss-fuzzshark: requested dissector: %s in table %s\n", fuzz_target, fuzz_table);
 312         } else {
 313                 fprintf(stderr, "oss-fuzzshark: requested dissector: %s\n", fuzz_target);
 314         }
 315         fuzz_handle = get_dissector_handle(fuzz_table, fuzz_target);
 316 #endif
 317
 318 #ifdef FUZZ_EPAN
 319         g_assert(fuzz_handle != NULL && "Requested dissector is not found!");
 320         register_postdissector(fuzz_handle);
 321 #endif
 322
 323         fuzz_epan = fuzzshark_epan_new();
 324         fuzz_edt = epan_dissect_new(fuzz_epan, true, false);
 325
 326         return 0;
 327 clean_exit:
 328         wtap_cleanup();
 329         free_progdirs();
 330         return ret;
 331 }
 332
 333 #ifdef FUZZ_EPAN
 334 int
 335 LLVMFuzzerTestOneInput(const uint8_t *buf, size_t real_len)
 336 {
 337         static uint32_t framenum = 0;
 338         epan_dissect_t *edt = fuzz_edt;
 339
 340         uint32_t len = (uint32_t) real_len;
 341
 342         wtap_rec rec;
 343         frame_data fdlocal;
 344
 345         memset(&rec, 0, sizeof(rec));
 346
 347         rec.rec_type = REC_TYPE_PACKET;
 348         rec.rec_header.packet_header.caplen = len;
 349         rec.rec_header.packet_header.len = len;
 350
 351         /* whdr.pkt_encap = WTAP_ENCAP_ETHERNET; */
 352         rec.rec_header.packet_header.pkt_encap = INT16_MAX;
 353         rec.presence_flags = WTAP_HAS_TS | WTAP_HAS_CAP_LEN; /* most common flags... */
 354
 355         frame_data_init(&fdlocal, ++framenum, &rec, /* offset */ 0, /* cum_bytes */ 0);
 356         /* frame_data_set_before_dissect() not needed */
 357         epan_dissect_run(edt, WTAP_FILE_TYPE_SUBTYPE_UNKNOWN, &rec, buf, &fdlocal, NULL /* &fuzz_cinfo */);
 358         frame_data_destroy(&fdlocal);
 359
 360         epan_dissect_reset(edt);
 361         return 0;
 362 }
 363
 364 #else
 365 # error "Missing fuzz target."
 366 #endif
 367
 368 int
 369 LLVMFuzzerInitialize(int *argc, char ***argv)
 370 {
 371         int ret;
 372
 373         ret = fuzz_init(*argc, *argv);
 374         if (ret != 0)
 375                 exit(ret);
 376
 377         return 0;
 378 }
 379
 380 /*
 381  * Editor modelines  -  https://www.wireshark.org/tools/modelines.html
 382  *
 383  * Local variables:
 384  * c-basic-offset: 8
 385  * tab-width: 8
 386  * indent-tabs-mode: t
 387  * End:
 388  *
 389  * vi: set shiftwidth=8 tabstop=8 noexpandtab:
 390  * :indentSize=8:tabSize=8:noTabs=false:
 391  */