From a0ed5dafbff58beb9a707ab36c4fe00af8a8a7c7 Mon Sep 17 00:00:00 2001
From: fenner
Date: Thu, 29 Mar 2018 10:13:49 -0400
Subject: [PATCH] Add net-snmp project (#1277)
* Initial infrastructure for net-snmp in the AutoFuzz project
* Add a fuzzer based on what Google sent us Storing this here until we have a more complete design for storing fuzzers in the net-snmp source tree.
* calloc PDU so we can use the standard pdu free, to avoid false leaks
* Only turn on debugging when $NETSNMP_DEBUGGING is set in the environment The debugging is useful to help replicate the problem, but not useful when simply running the fuzzer, so let the user choose it by settng $NETSNMP_DEBUGGING in their environment when running the replication.
* Add agentx_parse_fuzzer
* Build agentx_parse_fuzzer
* Add copyright notice, copy boilerplate from init
* Don't make a copy, just pass the data in directly. (Also, don't use C++-style comment, the regression test in the net-snmp codebase will be C.)
---
 projects/net-snmp/Dockerfile | 26 +++++++++++++
 projects/net-snmp/agentx_parse_fuzzer.c | 47 +++++++++++++++++++++++
 projects/net-snmp/build.sh | 35 +++++++++++++++++
 projects/net-snmp/project.yaml | 7 ++++
 projects/net-snmp/snmp_pdu_parse_fuzzer.c | 44 +++++++++++++++++++++
 5 files changed, 159 insertions(+)
 create mode 100644 projects/net-snmp/Dockerfile
 create mode 100644 projects/net-snmp/agentx_parse_fuzzer.c
 create mode 100755 projects/net-snmp/build.sh
 create mode 100644 projects/net-snmp/project.yaml
 create mode 100644 projects/net-snmp/snmp_pdu_parse_fuzzer.c
diff --git a/projects/net-snmp/Dockerfile b/projects/net-snmp/Dockerfile
new file mode 100644
index 000000000..a5114b421
--- /dev/null
+++ b/projects/net-snmp/Dockerfile
@@ -0,0 +1,26 @@
+# Copyright 2018 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+MAINTAINER fenner@gmail.com
+RUN apt-get update && apt-get install -y make autoconf libtool libssl-dev
+RUN git clone --depth 1 git://git.code.sf.net/p/net-snmp/code net-snmp
+WORKDIR net-snmp
+COPY build.sh $SRC/
+#
+# Until the project moves the fuzzers to the source tree
+COPY snmp_pdu_parse_fuzzer.c $SRC/
+COPY agentx_parse_fuzzer.c $SRC/
diff --git a/projects/net-snmp/agentx_parse_fuzzer.c b/projects/net-snmp/agentx_parse_fuzzer.c
new file mode 100644
index 000000000..436011208
--- /dev/null
+++ b/projects/net-snmp/agentx_parse_fuzzer.c
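Review bot: The `RUN git clone --depth 1 git://git.code.sf.net/p/net-snmp/code net-snmp` line fetches the code under test over the unauthenticated, unencrypted git:// protocol, so nothing on this path verifies that the tree the fuzzers are built and run from is the one SourceForge serves; an on-path party can substitute sources that then execute inside the fuzzing infrastructure. The HTTPS endpoint of the same repository costs nothing to use: `RUN git clone --depth 1 https://git.code.sf.net/p/net-snmp/code net-snmp`. Pinning a commit is not an option for a continuously fuzzed project, so transport authenticity is the only integrity control available at this layer and should not be dropped.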
@@ -0,0 +1,47 @@
+/*
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This fuzzer exercises the agentx PDU parsing code.
+ */
+#include 
+#include 
+/* We build with the agent/mibgroup/agentx dir in an -I */
+#include 
+#include 
+#include 
+#include 
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ if (getenv("NETSNMP_DEBUGGING") != NULL) {
+ /*
+ * Turn on all debugging, to help understand what
+ * bits of the parser are running.
+ */
+ snmp_enable_stderrlog();
+ snmp_set_do_debugging(1);
+ debug_register_tokens("");
+ }
+ return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ netsnmp_pdu *pdu = SNMP_MALLOC_TYPEDEF(netsnmp_pdu);
+ netsnmp_session session;
+
+ session.version = AGENTX_VERSION_1;
+ agentx_parse(&session, pdu, (unsigned char *)data, size);
+ snmp_free_pdu(pdu);
+ return 0;
+}
diff --git a/projects/net-snmp/build.sh b/projects/net-snmp/build.sh
new file mode 100755
index 000000000..c0c0a8f1e
--- /dev/null
+++ b/projects/net-snmp/build.sh
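Review bot: `netsnmp_session session;` in LLVMFuzzerTestOneInput is a stack object of which only `session.version` is assigned before `agentx_parse(&session, ...)`; every other member handed to the parser is indeterminate, so any read of another field inside agentx_parse (I cannot tell from here which ones it touches) is undefined behaviour in the harness and will show up under MSan as a finding that points at the fuzzer rather than at net-snmp. Zero the struct before setting the version, `netsnmp_session session = { 0 };`, or `memset(&session, 0, sizeof session);` if the project prefers that form. The `SNMP_MALLOC_TYPEDEF` result is also used unchecked; an `if (pdu == NULL) return 0;` guard keeps an allocation failure under the fuzzer's malloc limit from being reported as a NULL dereference in the parser.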
@@ -0,0 +1,35 @@
+#!/bin/bash -eu
+# Copyright 2018 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build project
+./configure --with-openssl=/usr --with-defaults --with-logfile="/dev/null" --with-persistent-directory="/dev/null"
+# net-snmp build is not parallel-make safe; do not add -j
+make
+
+# build fuzzers (remember to link statically)
+$CC $CFLAGS -c -Iinclude $SRC/snmp_pdu_parse_fuzzer.c -o $WORK/snmp_pdu_parse_fuzzer.o
+$CXX $CXXFLAGS $WORK/snmp_pdu_parse_fuzzer.o \
+ -lFuzzingEngine snmplib/.libs/libnetsnmp.a \
+ -Wl,-Bstatic -lcrypto -Wl,-Bdynamic -lm \
+ -o $OUT/snmp_pdu_parse_fuzzer
+
+$CC $CFLAGS -c -Iinclude -Iagent/mibgroup/agentx $SRC/agentx_parse_fuzzer.c -o $WORK/agentx_parse_fuzzer.o
+$CXX $CXXFLAGS $WORK/agentx_parse_fuzzer.o \
+ -lFuzzingEngine snmplib/.libs/libnetsnmp.a \
+ agent/.libs/libnetsnmpagent.a \
+ -Wl,-Bstatic -lcrypto -Wl,-Bdynamic -lm \
+ -o $OUT/agentx_parse_fuzzer
diff --git a/projects/net-snmp/project.yaml b/projects/net-snmp/project.yaml
new file mode 100644
index 000000000..53055d7f8
--- /dev/null
+++ b/projects/net-snmp/project.yaml
@@ -0,0 +1,7 @@
+homepage: "http://www.net-snmp.org/"
+primary_contact: "hardaker@users.sourceforge.net"
+auto_ccs:
+ - "rstory@freesnmp.com"
+ - "fenner@gmail.com"
+ - "bvanassche@acm.org"
+ - "magfr@lysator.liu.se"
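Review bot: `-Wl,-Bstatic -lcrypto -Wl,-Bdynamic` on both link lines folds the distribution's libcrypto (the libssl-dev package installed in the Dockerfile, presumably needed by libnetsnmp's SNMPv3 crypto) into each fuzzer as an uninstrumented static archive, so a memory error inside OpenSSL reached through libnetsnmp is invisible to ASan, and an MSan build of this project will report uninitialised reads that originate in that uninstrumented code as false positives. That is a reasonable trade-off for a first harness, but it should be written down where the next maintainer will look, e.g. above the first `$CXX` line: `# libcrypto is the system build with no sanitizer instrumentation; OpenSSL itself is out of reach of these fuzzers`. If MSan coverage is wanted later, OpenSSL has to be built from source with $CFLAGS inside this script instead of taken from /usr.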
diff --git a/projects/net-snmp/snmp_pdu_parse_fuzzer.c b/projects/net-snmp/snmp_pdu_parse_fuzzer.c
new file mode 100644
index 000000000..6d45552db
--- /dev/null
+++ b/projects/net-snmp/snmp_pdu_parse_fuzzer.c
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2018 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This fuzzer exercises the SNMP PDU parsing code, including ASN.1.
+ */
+#include 
+#include 
+#include 
+#include 
+#include 
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ if (getenv("NETSNMP_DEBUGGING") != NULL) {
+ /*
+ * Turn on all debugging, to help understand what
+ * bits of the parser are running.
+ */
+ snmp_enable_stderrlog();
+ snmp_set_do_debugging(1);
+ debug_register_tokens("");
+ }
+ return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ size_t bytes_remaining = size;
+ netsnmp_pdu *pdu = SNMP_MALLOC_TYPEDEF(netsnmp_pdu);
+
+ snmp_pdu_parse(pdu, (unsigned char *)data, &bytes_remaining);
+ snmp_free_pdu(pdu);
+ return 0;
+}
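Review bot: Because the PDU comes from `SNMP_MALLOC_TYPEDEF` (calloc, per the commit message), `pdu->version` is 0, i.e. SNMP_VERSION_1, for every input passed to `snmp_pdu_parse` in LLVMFuzzerTestOneInput; as far as I recall snmp_pdu_parse consults that field to reject the v2c/v3-only PDU types (GETBULK, INFORM, TRAP2, REPORT) under version 1, in which case this harness never reaches those parsing branches — worth confirming against snmp_api.c before relying on the coverage. If that holds, spending the first input byte on the version and feeding the remainder to the parser widens coverage without changing what is fuzzed. Independently of that, the allocation result is used unchecked; an `if (pdu == NULL) return 0;` after the SNMP_MALLOC_TYPEDEF line avoids reporting an allocation failure under the fuzzer's malloc limit as a crash inside the parser.
```c
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (size < 1)
    return 0;
  netsnmp_pdu *pdu = SNMP_MALLOC_TYPEDEF(netsnmp_pdu);
  if (pdu == NULL)
    return 0;
  /* First byte selects the version the parser is told it is decoding. */
  switch (data[0] % 3) {
  case 0:  pdu->version = SNMP_VERSION_1;  break;
  case 1:  pdu->version = SNMP_VERSION_2c; break;
  default: pdu->version = SNMP_VERSION_3;  break;
  }
  size_t bytes_remaining = size - 1;
  snmp_pdu_parse(pdu, (unsigned char *)data + 1, &bytes_remaining);
  /* … unchanged: snmp_free_pdu(pdu); return 0; … */
}
```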