fix: fuzzing issues

Author: bboilot-ledger

src/features/generic_tx_parser/gtp_field.c

@@ -124,6 +124,10 @@ static bool handle_param_constraint(const s_tlv_data *data, s_field_ctx *context
         PRINTF("Error: CONSTRAINT present but VISIBLE is not MUST_BE or IF_NOT_IN!\n");
         return false;
     }
+    if (data->length == 0 || data->value == NULL) {
+        PRINTF("Error: Empty constraint value!\n");
+        return false;
+    }
     // Allocate new constraint node
     s_field_constraint *node = NULL;
     if (mem_buffer_allocate((void **) &node, sizeof(s_field_constraint)) == false) {

src/plugins/erc1155/erc1155_ui.c

@@ -134,6 +134,11 @@ static void set_batch_transfer_ui(ethQueryContractUI_t *msg, erc1155_context_t *
 void handle_query_contract_ui_1155(ethQueryContractUI_t *msg) {
     erc1155_context_t *context = (erc1155_context_t *) msg->pluginContext;
 
+    if (msg->item1 == NULL) {
+        msg->result = ETH_PLUGIN_RESULT_ERROR;
+        return;
+    }
+
     msg->result = ETH_PLUGIN_RESULT_OK;
     switch (context->selectorIndex) {
         case SET_APPROVAL_FOR_ALL:

src/plugins/eth2/eth2_plugin.c

@@ -103,10 +103,7 @@ void eth2_plugin_call(eth_plugin_msg_t message, void *parameters) {
 
                 case 4 + (32 * 5):  // deposit pubkey 1
                 {
-                    // Copy the first 32 bytes.
-                    memcpy(context->deposit_address,
-                           msg->parameter,
-                           sizeof(context->deposit_address));
+                    memcpy(context->deposit_address, msg->parameter, PARAMETER_LENGTH);
                     msg->result = ETH_PLUGIN_RESULT_OK;
                     break;
                 }
@@ -141,7 +138,7 @@ void eth2_plugin_call(eth_plugin_msg_t message, void *parameters) {
 
                 case 4 + (32 * 8):  // withdrawal credentials
                 {
-                    uint8_t tmp[48];
+                    uint8_t tmp[48] = {0};
                     uint32_t withdrawalKeyPath[4];
                     withdrawalKeyPath[0] = WITHDRAWAL_KEY_PATH_1;
                     withdrawalKeyPath[1] = WITHDRAWAL_KEY_PATH_2;

tests/fuzzing/harness/fuzz_eip7702.c

@@ -1,4 +1,6 @@
+#include <setjmp.h>
 #include "fuzz_utils.h"
+#include "mocks.h"
 
 int fuzzEIP7702(const uint8_t *data, size_t size) {
     size_t offset = 0;
@@ -17,11 +19,10 @@ int fuzzEIP7702(const uint8_t *data, size_t size) {
     return 0;
 }
 
-/* Main fuzzing handler called by libfuzzer */
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     init_fuzzing_environment();
+    if (sigsetjmp(fuzz_exit_jump_ctx.jmp_buf, 1)) return 0;
 
-    // Run the harness
     fuzzEIP7702(data, size);
 
     return 0;

tests/fuzzing/harness/fuzz_plugin_swap_calldata.c

@@ -7,11 +7,12 @@
  * - G_swap_crosschain_hash must point to a valid hash for comparison
  */
 
+#include <setjmp.h>
 #include "fuzz_utils.h"
+#include "mocks.h"
 #include "shared_context.h"
 #include "swap_lib_calls.h"
 
-// Forward declaration of the plugin call function
 void swap_with_calldata_plugin_call(eth_plugin_msg_t message, void *parameters);
 
 // Buffer sizes
@@ -110,6 +111,7 @@ static int fuzz_swap_calldata_plugin(const uint8_t *data, size_t size) {
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     init_fuzzing_environment();
+    if (sigsetjmp(fuzz_exit_jump_ctx.jmp_buf, 1)) return 0;
     fuzz_swap_calldata_plugin(data, size);
     return 0;
 }

tests/fuzzing/harness/fuzz_proxy.c

@@ -1,15 +1,16 @@
+#include <setjmp.h>
 #include "fuzz_utils.h"
+#include "mocks.h"
 
 int fuzzProxyInfo(const uint8_t *data, size_t size) {
     if (size < 1) return 0;
     return handle_proxy_info(data[0], 0, size - 1, data + 1);
 }
 
-/* Main fuzzing handler called by libfuzzer */
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     init_fuzzing_environment();
+    if (sigsetjmp(fuzz_exit_jump_ctx.jmp_buf, 1)) return 0;
 
-    // Run the harness
     fuzzProxyInfo(data, size);
 
     return 0;

tests/fuzzing/harness/fuzz_safe.c

@@ -1,4 +1,6 @@
+#include <setjmp.h>
 #include "fuzz_utils.h"
+#include "mocks.h"
 
 #include "safe_descriptor.h"
 
@@ -21,13 +23,12 @@ int fuzzSignerCmd(const uint8_t *data, size_t size) {
     return 0;
 }
 
-/* Main fuzzing handler called by libfuzzer */
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     uint8_t target;
     init_fuzzing_environment();
     SAFE_DESC = NULL;
+    if (sigsetjmp(fuzz_exit_jump_ctx.jmp_buf, 1)) return 0;
 
-    // Determine which harness function to call based on the first byte of data
     if (size < 1) return 0;
     target = data[0];
     data++;

tests/fuzzing/mock/mock.c

@@ -1,15 +1,40 @@
 #include <string.h>
 #include <stdlib.h>
+#include <setjmp.h>
 
 #include "cx_errors.h"
 #include "cx_sha256.h"
 #include "cx_sha3.h"
 #include "buffer.h"
 #include "lcx_ecfp.h"
 #include "mem_alloc.h"
+#include "exceptions.h"
+#include "os_task.h"
 
 #include "bip32_utils.h"
 
+try_context_t fuzz_exit_jump_ctx = {0};
+try_context_t *G_exception_context = &fuzz_exit_jump_ctx;
+
+try_context_t *try_context_get(void) {
+    return G_exception_context;
+}
+
+try_context_t *try_context_set(try_context_t *context) {
+    try_context_t *previous = G_exception_context;
+    G_exception_context = context;
+    return previous;
+}
+
+void __attribute__((noreturn))
+os_sched_exit(bolos_task_status_t exit_code __attribute__((unused))) {
+    longjmp(fuzz_exit_jump_ctx.jmp_buf, 1);
+}
+
+void __attribute__((noreturn)) os_lib_end(void) {
+    longjmp(fuzz_exit_jump_ctx.jmp_buf, 1);
+}
+
 /** MemorySanitizer does not wrap explicit_bzero https://github.com/google/sanitizers/issues/1507
  * which results in false positives when running MemorySanitizer.
  */
@@ -55,7 +80,6 @@ void mem_free(mem_ctx_t ctx, void *ptr) {
     free(ptr);
 }
 
-// APPs expect a specific length
 cx_err_t cx_ecdomain_parameters_length(cx_curve_t cv, size_t *length) {
     (void) cv;
     *length = (size_t) 32;

tests/fuzzing/mock/mocks.h

@@ -0,0 +1,6 @@
+#pragma once
+
+#include <setjmp.h>
+#include "exceptions.h"
+
+extern try_context_t fuzz_exit_jump_ctx;