fuzz: implement targets for PCP and NAT-PMP port mapping requests

darosior · darosior · commit c73b59d47f1e · 2025-02-12T11:39:37.000-05:00
diff --git a/src/test/fuzz/CMakeLists.txt b/src/test/fuzz/CMakeLists.txt
@@ -75,6 +75,7 @@ add_executable(fuzz
   p2p_handshake.cpp
   p2p_headers_presync.cpp
   p2p_transport_serialization.cpp
+  pcp.cpp
   package_eval.cpp
   parse_hd_keypath.cpp
   parse_iso8601.cpp
diff --git a/src/test/fuzz/pcp.cpp b/src/test/fuzz/pcp.cpp
@@ -0,0 +1,80 @@
+// Copyright (c) 2024 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <test/fuzz/util/net.h>
+
+#include <common/pcp.h>
+#include <util/check.h>
+
+using namespace std::literals;
+
+//! Fixed nonce to use in PCP port mapping requests.
+constexpr PCPMappingNonce PCP_NONCE{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc};
+
+//! Number of attempts to request a NAT-PMP or PCP port mapping to the gateway.
+constexpr int NUM_TRIES{5};
+
+//! Timeout for each attempt to request a port mapping.
+constexpr std::chrono::duration TIMEOUT{100ms};
+
+void port_map_target_init()
+{
+    LogInstance().DisableLogging();
+}
+
+FUZZ_TARGET(pcp_request_port_map, .init = port_map_target_init)
+{
+    FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
+
+    // Create a mocked socket between random (and potentially invalid) client and gateway addresses.
+    CreateSock = [&](int domain, int type, int protocol) {
+        if ((domain == AF_INET || domain == AF_INET6) && type == SOCK_DGRAM && protocol == IPPROTO_UDP) {
+            return std::make_unique<FuzzedSock>(fuzzed_data_provider);
+        }
+        return std::unique_ptr<FuzzedSock>();
+    };
+
+    // Perform the port mapping request. The mocked socket will return fuzzer-provided data.
+    const auto gateway_addr{ConsumeNetAddr(fuzzed_data_provider)};
+    const auto local_addr{ConsumeNetAddr(fuzzed_data_provider)};
+    const auto port{fuzzed_data_provider.ConsumeIntegral<uint16_t>()};
+    const auto lifetime{fuzzed_data_provider.ConsumeIntegral<uint32_t>()};
+    const auto res{PCPRequestPortMap(PCP_NONCE, gateway_addr, local_addr, port, lifetime, NUM_TRIES, TIMEOUT)};
+
+    // In case of success the mapping must be consistent with the request.
+    if (const MappingResult* mapping = std::get_if<MappingResult>(&res)) {
+        Assert(mapping);
+        Assert(mapping->internal.GetPort() == port);
+        mapping->ToString();
+    }
+}
+
+FUZZ_TARGET(natpmp_request_port_map, .init = port_map_target_init)
+{
+    FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
+
+    // Create a mocked socket between random (and potentially invalid) client and gateway addresses.
+    CreateSock = [&](int domain, int type, int protocol) {
+        if (domain == AF_INET && type == SOCK_DGRAM && protocol == IPPROTO_UDP) {
+            return std::make_unique<FuzzedSock>(fuzzed_data_provider);
+        }
+        return std::unique_ptr<FuzzedSock>();
+    };
+
+    // Perform the port mapping request. The mocked socket will return fuzzer-provided data.
+    const auto gateway_addr{ConsumeNetAddr(fuzzed_data_provider)};
+    const auto port{fuzzed_data_provider.ConsumeIntegral<uint16_t>()};
+    const auto lifetime{fuzzed_data_provider.ConsumeIntegral<uint32_t>()};
+    const auto res{NATPMPRequestPortMap(gateway_addr, port, lifetime, NUM_TRIES, TIMEOUT)};
+
+    // In case of success the mapping must be consistent with the request.
+    if (const MappingResult* mapping = std::get_if<MappingResult>(&res)) {
+        Assert(mapping);
+        Assert(mapping->internal.GetPort() == port);
+        mapping->ToString();
+    }
+}
