123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108 |
- #include <stdio.h>
- #include <stdint.h>
- #include <stddef.h>
- #include <limits.h>
- #include "blob.h"
- #include "blobmsg.h"
- #define BLOBMSG_TYPE_TROUBLE INT_MAX
- static void fuzz_blobmsg_parse(const uint8_t *data, size_t size)
- {
- enum {
- FOO_MESSAGE,
- FOO_LIST,
- FOO_TESTDATA,
- __FOO_MAX
- };
- static const int blobmsg_type[] = {
- BLOBMSG_TYPE_UNSPEC,
- BLOBMSG_TYPE_ARRAY,
- BLOBMSG_TYPE_TABLE,
- BLOBMSG_TYPE_STRING,
- BLOBMSG_TYPE_INT64,
- BLOBMSG_TYPE_INT32,
- BLOBMSG_TYPE_INT16,
- BLOBMSG_TYPE_INT8,
- BLOBMSG_TYPE_DOUBLE,
- BLOBMSG_TYPE_TROUBLE,
- };
- static const struct blobmsg_policy foo_policy[] = {
- [FOO_MESSAGE] = {
- .name = "message",
- .type = BLOBMSG_TYPE_STRING,
- },
- [FOO_LIST] = {
- .name = "list",
- .type = BLOBMSG_TYPE_ARRAY,
- },
- [FOO_TESTDATA] = {
- .name = "testdata",
- .type = BLOBMSG_TYPE_TABLE,
- },
- };
- struct blob_attr *tb[__FOO_MAX];
- blobmsg_parse(foo_policy, __FOO_MAX, tb, (uint8_t *)data, size);
- blobmsg_parse_array(foo_policy, __FOO_MAX, tb, (uint8_t *)data, size);
- blobmsg_check_attr_len((struct blob_attr *)data, false, size);
- blobmsg_check_attr_len((struct blob_attr *)data, true, size);
- for (size_t i=0; i < ARRAY_SIZE(blobmsg_type); i++) {
- blobmsg_check_array_len((struct blob_attr *)data, blobmsg_type[i], size);
- blobmsg_check_attr_list_len((struct blob_attr *)data, blobmsg_type[i], size);
- }
- }
- static void fuzz_blob_parse(const uint8_t *data, size_t size)
- {
- enum {
- FOO_ATTR_NESTED,
- FOO_ATTR_BINARY,
- FOO_ATTR_STRING,
- FOO_ATTR_INT8,
- FOO_ATTR_INT16,
- FOO_ATTR_INT32,
- FOO_ATTR_INT64,
- FOO_ATTR_DOUBLE,
- __FOO_ATTR_MAX
- };
- static const struct blob_attr_info foo_policy[__FOO_ATTR_MAX] = {
- [FOO_ATTR_NESTED] = { .type = BLOB_ATTR_NESTED },
- [FOO_ATTR_BINARY] = { .type = BLOB_ATTR_BINARY },
- [FOO_ATTR_STRING] = { .type = BLOB_ATTR_STRING },
- [FOO_ATTR_INT8] = { .type = BLOB_ATTR_INT8 },
- [FOO_ATTR_INT16] = { .type = BLOB_ATTR_INT16 },
- [FOO_ATTR_INT32] = { .type = BLOB_ATTR_INT32 },
- [FOO_ATTR_INT64] = { .type = BLOB_ATTR_INT64 },
- [FOO_ATTR_DOUBLE] = { .type = BLOB_ATTR_DOUBLE },
- };
- struct blob_attr *foo[__FOO_ATTR_MAX];
- struct blob_attr *buf = (struct blob_attr *)data;
- blob_parse_untrusted(buf, size, foo, foo_policy, __FOO_ATTR_MAX);
- }
- int LLVMFuzzerTestOneInput(const uint8_t *input, size_t size)
- {
- uint8_t *data;
- data = malloc(size);
- if (!data)
- return -1;
- memcpy(data, input, size);
- fuzz_blob_parse(data, size);
- fuzz_blobmsg_parse(data, size);
- free(data);
- return 0;
- }
|