add fuzzing harnesses

sudden6 · sudden6 · commit 9eb88798a3fd · 2022-01-10T20:57:00.000+01:00
Toxsave harness ported to libFuzzer interface.
New harness for bootstrap phase.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -535,8 +535,23 @@ if (BUILD_MISC_TESTS)
         target_link_libraries(cracker OpenMP::OpenMP_C)
     endif()
   endif()
+endif()
+
+# Enabling this breaks all other tests and no network connections will be possible
+option(BUILD_FUZZ_TESTS "Build fuzzing harnesses" OFF)
+if (BUILD_FUZZ_TESTS)
+    # For coverage tests
+    target_compile_definitions(toxcore_static PUBLIC "FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION")
+
+    # Override network functions
+    add_library(network_adapter testing/fuzzing/network_adapter.c)
 
-  add_executable(afl_toxsave
-    testing/afl_toxsave.c)
-  target_link_modules(afl_toxsave toxcore)
+    # Fuzzes the toxsave API
+    add_executable(toxsave_fuzzer testing/fuzzing/toxsave_harness.cc)
+    target_link_libraries(toxsave_fuzzer toxcore_static network_adapter -fsanitize=fuzzer)
+
+    # Fuzzes the bootstrap process
+    add_executable(bootstrap_fuzzer testing/fuzzing/bootstrap_harness.cc)
+    target_link_libraries(bootstrap_fuzzer toxcore_static network_adapter -fsanitize=fuzzer)
 endif()
+
diff --git a/testing/afl_toxsave.c b/testing/afl_toxsave.c
diff --git a/testing/fuzzing/bootstrap_harness.cc b/testing/fuzzing/bootstrap_harness.cc
@@ -0,0 +1,34 @@
+#include "../../toxcore/tox.h"
+#include "network_adapter.h"
+
+#include <cstring>
+#include <cassert>
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  network_adapter_init(data, size);
+
+  Tox_Err_New error_new;
+  Tox *tox = tox_new(NULL, &error_new);
+
+  assert(tox != nullptr);
+  assert(error_new == TOX_ERR_NEW_OK);
+
+  uint8_t pub_key[TOX_PUBLIC_KEY_SIZE] = {0};
+
+  bool success = tox_bootstrap(tox, "127.0.0.1", 12345, pub_key, nullptr);
+  assert(success);
+
+  /*
+   * The iteration count here is a magic value in the literal sense, too small
+   * and coverage will be bad, too big and fuzzing will not be efficient.
+   * NOTE: This should be fine tuned after gathering some experience.
+   */
+
+  for (uint32_t i = 0; i < 100; ++i) {
+    tox_iterate(tox, nullptr);
+  }
+
+  tox_kill(tox);
+  return 0;  // Non-zero return values are reserved for future use.
+}
diff --git a/testing/fuzzing/toxsave_harness.cc b/testing/fuzzing/toxsave_harness.cc
@@ -0,0 +1,25 @@
+#include "../../toxcore/tox.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  Tox_Err_Options_New error_options;
+
+  struct Tox_Options *tox_options = tox_options_new(&error_options);
+
+  assert(tox_options != nullptr);
+  assert(error_options == TOX_ERR_OPTIONS_NEW_OK);
+
+  // pass test data to Tox
+  tox_options_set_savedata_data(tox_options, data, size);
+  tox_options_set_savedata_type(tox_options, TOX_SAVEDATA_TYPE_TOX_SAVE);
+
+  Tox_Err_New error_new;
+  Tox *tox = tox_new(tox_options, &error_new);
+
+  assert(tox != nullptr);
+  assert(error_new == TOX_ERR_NEW_OK);
+
+  tox_options_free(tox_options);
+
+  tox_kill(tox);
+  return 0;  // Non-zero return values are reserved for future use.
+}
