Fix #24 and #26, Revert Makefile in fuzz-tests

assaabloy-ppi · Feb 19, 2018 · 3b53d13 · 3b53d13
1 parent e70e508
commit 3b53d13
Show file tree

Hide file tree

Showing 4 changed files with 99 additions and 44 deletions.
diff --git a/fuzz-tests/Makefile b/fuzz-tests/Makefile
@@ -3,9 +3,9 @@ FLAGS_COMMON = -Wall -Wpedantic -Wextra -Werror -std=c99
 INC_PATHS_GCC = -I../src -I../tests -I../src/external/tweetnacl
 INC_PATHS_AFL = -I../src -I../tests -I../src/external/tweetnacl
 
-GCC_FLAGS = $(INC_PATHS_GCC) $(FLAGS_COMMON) -O0 -g -ggdb
+GCC_FLAGS = $(INC_PATHS_GCC) $(FLAGS_COMMON) -O0 -g -ggdb -fprofile-arcs -ftest-coverage
 AFL_FLAGS = $(INC_PATHS_AFL) -std=c99
-SRC = ../src/salt.c ../src/salti_util.c ../src/salti_handshake.c read_util.c
+SRC = ../src/salt.c ../src/salti_util.c ../src/salti_handshake.c
 
 FUZZ_TARGETS = host_a1m1 client_m2 client_m3 host_m4 client_a2 host_app client_app read_parse
 
@@ -26,25 +26,25 @@ endif
 .PHONY: all
 
 _build/salt.o: ../src/salt.c
-	$(CC) -c $^ $(GCC_FLAGS) -o $@
+	gcc -c $^ $(GCC_FLAGS) -o $@
 
 _build/salti_util.o: ../src/salti_util.c
-	$(CC) -c $^ $(GCC_FLAGS) -o $@
+	gcc -c $^ $(GCC_FLAGS) -o $@
 
 _build/salti_handshake.o: ../src/salti_handshake.c
-	$(CC) -c $^ $(GCC_FLAGS) -o $@
+	gcc -c $^ $(GCC_FLAGS) -o $@
 
 _build/crypt_mock.o: crypt_mock.c
-	$(CC) -c $^ -o $@ $(INC_PATHS_GCC)
+	gcc -c $^ -o $@ $(INC_PATHS_GCC)
 
 _build/test_data_mock.o: test_data_mock.c
-	$(CC) -c $^ $(GCC_FLAGS) -o $@
+	gcc -c $^ $(GCC_FLAGS) -o $@
 
 _build/test_data.o: ../tests/test_data.c
-	$(CC) -c $^ $(GCC_FLAGS) -o $@
+	gcc -c $^ $(GCC_FLAGS) -o $@
 
 _build/tweetnacl.o: ../src/external/tweetnacl/tweetnacl.c
-	$(CC) -c $^ $(GCC_FLAGS) -o $@
+	gcc -c $^ $(GCC_FLAGS) -o $@
 
 $(EXE_FUZZ_TARGETS):
 
@@ -58,7 +58,7 @@ $(EXE_COV):
 %.cmin: $(SRC) $(SRC_FUZZ_TARGETS)
 	mkdir -p _build
 	mkdir -p output
-	$(CC) -DAFL $(SRC) $*.c  $(AFL_FLAGS) -o _build/$*.fuzz
+	afl-gcc -DAFL $(SRC) $*.c  $(AFL_FLAGS) -o _build/$*.fuzz
 	afl-cmin -i input/$* -o input/cmin_$* ./_build/$*.fuzz
 	rm -rf ./input/$*
 	mv ./input/cmin_$* ./input/$*	
@@ -67,21 +67,21 @@ $(EXE_COV):
 %.fuzz:  $(SRC) $(SRC_FUZZ_TARGETS) 
 	mkdir -p _build
 	mkdir -p output
-	AFL_HARDEN=1 $(CC) -DAFL $(SRC) $*.c  $(AFL_FLAGS) -o _build/$*.fuzz
+	AFL_HARDEN=1 afl-gcc -DAFL $(SRC) $*.c  $(AFL_FLAGS) -o _build/$*.fuzz
 	AFL_HARDEN=1 afl-fuzz -i input/$* -o output/$* ./_build/$*.fuzz
 
 # AFL fuzz with ASAN sanitizer
 %.afuzz:  $(SRC) $(SRC_FUZZ_TARGETS) 
 	mkdir -p _build
 	mkdir -p output
-	AFL_USE_ASAN=1 $(CC) -DAFL $(SRC) $*.c  $(AFL_FLAGS) -o _build/$*.fuzz
+	AFL_USE_ASAN=1 afl-gcc -m32 -DAFL $(SRC) $*.c  $(AFL_FLAGS) -o _build/$*.fuzz
 	AFL_USE_ASAN=1 afl-fuzz -m none -i input/$* -o output/$* ./_build/$*.fuzz
 
 # libFuzzer fuzz with ASAN+UBSAN sanitizers
 %.libfuzz: $(SRC)
 	mkdir -p _build
 	mkdir -p output	
-	$(CC) $(GCC_FLAGS) -Wno-unused-parameter -fsanitize=fuzzer,address,undefined  \
+	clang $(GCC_FLAGS) -Wno-unused-parameter -fsanitize=fuzzer,address,undefined  \
 				 $(SRC) $*.c \
 				-lm -o _build/$*.libfuzz
 
@@ -96,8 +96,8 @@ $(EXE_COV):
 %.cov: $(EXE_OBJ)
 	mkdir -p _build
 	mkdir -p ./output/$*/queue
-	$(CC) -c $*.c -DAFL $(GCC_FLAGS) -o _build/$*.o
-	$(CC) -lm $^ _build/$*.o -o _build/$@  --coverage $(GCC_FLAGS)
+	gcc -c $*.c -DAFL $(GCC_FLAGS) -o _build/$*.o
+	gcc -lm $^ _build/$*.o -o _build/$@  -lgcov --coverage $(GCC_FLAGS)
 	cd _build; find ../input/$* -type f -exec bash -c "cat {} | ../_build/$*.cov" \;
 	cd _build; find ../output/$*/queue -type f -exec bash -c "cat {} | ../_build/$*.cov" \;
 	lcov --base-directory . --directory . --capture --output-file _build/coverage.info

diff --git a/fuzz-tests/read_parse.c b/fuzz-tests/read_parse.c
@@ -1,4 +1,5 @@
 #include <string.h>
+#include <stdlib.h>
 #include "libfuzzer.inc"
 
 #include "salt.h"
@@ -7,29 +8,53 @@
 int main(void) {
 
     uint8_t buf[1024];
-    uint8_t cpy[1024];
     salt_msg_t msg;
 
     uint32_t size = read(0, buf, sizeof(buf));
-    salt_err_t ret = salt_read_init(SALT_APP_PKG_MSG_HEADER_VALUE, buf, size, &msg);
+
+    uint8_t *data = malloc(size);
+
+    if (data == NULL) {
+        return 0;
+    }
+
+    uint32_t cpy_used = 0;
+    uint8_t *cpy = malloc(size);
+    if (cpy == NULL) {
+        free(data);
+        return 0;
+    }
+
+    memcpy(data, buf, size);
+
+    salt_err_t ret = salt_read_init(SALT_APP_PKG_MSG_HEADER_VALUE, data, size, &msg);
 
     if (ret != SALT_ERR_NONE) {
+        free(data);
+        free(cpy);
         return 0;
     }
 
     do {
-        memcpy(cpy, msg.read.p_payload, msg.read.message_size);
+        memcpy(&cpy[cpy_used], msg.read.p_payload, msg.read.message_size);
+        cpy_used += msg.read.message_size;
     } while (salt_read_next(&msg) == SALT_SUCCESS);
 
-    ret = salt_read_init(SALT_MULTI_APP_PKG_MSG_HEADER_VALUE, buf, size, &msg);
+    cpy_used = 0;
+    ret = salt_read_init(SALT_MULTI_APP_PKG_MSG_HEADER_VALUE, data, size, &msg);
 
     if (ret != SALT_ERR_NONE) {
+        free(data);
+        free(cpy);
         return 0;
     }
 
     do {
-        memcpy(cpy, msg.read.p_payload, msg.read.message_size);
+        memcpy(&cpy[cpy_used], msg.read.p_payload, msg.read.message_size);
+        cpy_used += msg.read.message_size;
     } while (salt_read_next(&msg) == SALT_SUCCESS);
 
+    free(data);
+    free(cpy);
     return 0;
 }
diff --git a/src/salti_util.c b/src/salti_util.c
@@ -9,6 +9,7 @@
 
 /* C Library includes */
 #include <string.h> /* memcpy, memset */
+#include <stdlib.h> /* labs */
 
 /* Salt library includes */
 #include "salti_util.h"
@@ -505,22 +506,19 @@ uint8_t salt_write_create(salt_msg_t *p_msg)
 
 }
 
-#include <stdio.h>
 bool time_check(uint32_t first, uint32_t now, uint32_t peer_time, uint32_t thresh)
 {
 
-    first   &= 0x7FFFFFFF;
-    now     &= 0x7FFFFFFF;
+    int32_t diff = peer_time - now + first;
 
-    printf("first: %u\r\n", first);
-    printf("now: %u\r\n", now);
-    printf("peer_time: %u\r\n", peer_time);
-    printf("thresh: %u\r\n", thresh);
-
-    printf("now - first: %u\r\n", now - first);
-    printf("peer_time + thresh: %u\r\n", peer_time + thresh);
+    if (INT32_MIN == diff) {
+        diff = INT32_MAX;
+    }
+    else {
+        diff = (diff < 0) ? -diff : diff;
+    }
 
-    if (now - first > peer_time + thresh) {
+    if ((uint32_t) diff > thresh) {
         return false;
     }
 

diff --git a/tests/time_check.c b/tests/time_check.c
@@ -19,10 +19,6 @@ static void dummy(void **state)
 {
     (void) state;
 
-    printf("UINT32_MAX: %d\r\n", INT32_MAX);
-
-    printf("%u\r\n", (uint32_t ) -500);
-
     /*
      * bool time_check(uint32_t first,
      *                 uint32_t now,
@@ -35,20 +31,56 @@ static void dummy(void **state)
     assert_true(time_check(0, 1000, 0, 1000));
     assert_false(time_check(0, 1001, 0, 1000));
 
-    assert_true(time_check(UINT16_MAX, UINT16_MAX, UINT16_MAX, 1000));
-    assert_true(time_check(UINT16_MAX, UINT16_MAX+1000, UINT16_MAX, 1000));
+    assert_true(time_check(UINT16_MAX, UINT16_MAX, 0, 1000));
+    assert_true(time_check(UINT16_MAX, UINT16_MAX+1000, 0, 1000));
     assert_false(time_check(UINT16_MAX, UINT16_MAX+1001, 0, 1000));
 
     assert_true(time_check(5000, 5000, 0, 1000));
-    assert_true(time_check(5000, 5000, 0, 1000));
+    assert_true(time_check(5000, 6000, 0, 1000));
     assert_false(time_check(5000, 6001, 0, 1000));
 
-    /*
-    assert_true(time_check(INT32_MAX, INT32_MAX, 0, 1000));
-    assert_true(time_check(INT32_MAX, INT32_MAX+1000, 0, 1000));
-    assert_false(time_check(INT32_MAX, INT32_MAX+1001, 0, 1000));
-    */
-    assert_true(false);
+    assert_true(time_check(
+        (uint32_t) INT32_MAX,      /* First */
+        (uint32_t) INT32_MAX,      /* Package time now */
+        (uint32_t) 0,              /* Package time peer */
+        (uint32_t) 1000            /* Threshold */
+    ));
+
+    assert_true(time_check(
+        (uint32_t) INT32_MAX,           /* First */
+        (uint32_t) INT32_MAX+1000,      /* Package time now */
+        (uint32_t) 500,                 /* Package time peer */
+        (uint32_t) 1000                 /* Threshold */
+    ));
+
+    assert_false(time_check(
+        (uint32_t) INT32_MAX,      /* First */
+        (uint32_t) INT32_MAX+1001,      /* Package time now */
+        (uint32_t) 0,              /* Package time peer */
+        (uint32_t) 1000            /* Threshold */
+    ));
+
+    assert_true(time_check(
+        (uint32_t) INT32_MAX,           /* First */
+        (uint32_t) INT32_MAX+INT32_MAX,      /* Package time now */
+        (uint32_t) INT32_MAX+500,                 /* Package time peer */
+        (uint32_t) 1000                 /* Threshold */
+    ));
+
+    assert_false(time_check(
+        (uint32_t) INT32_MAX,      /* First */
+        (uint32_t) INT32_MAX+500,      /* Package time now */
+        (uint32_t) 1501,              /* Package time peer */
+        (uint32_t) 1000            /* Threshold */
+    ));
+
+    assert_false(time_check(
+        (uint32_t) 0,      /* First */
+        (uint32_t) (uint32_t) INT32_MIN,      /* Package time now */
+        (uint32_t) 0,              /* Package time peer */
+        (uint32_t) 1000            /* Threshold */
+    ));
+
 }
 
 int main(void)