fuzz: harden ndpi_hex_decode and add targeted parser harnesses (#3163)

Closes #3159

Co-authored-by: jeffhuang <jeff@docker.xydrsucermoubd24xgo33yhsgd.bx.internal.cloudapp.net>

Author: parasol-aser

example/utests.c

@@ -2296,6 +2296,148 @@ static void cryptoUnitTest(void) {
 }
 
 
+static void checkHexDecode(const u_char *encoded, size_t encoded_len,
+			   const u_char *expected, size_t expected_len) {
+  size_t out_len = 0;
+  u_char *decoded;
+
+  decoded = ndpi_hex_decode(encoded, encoded_len, &out_len);
+  assert(decoded != NULL);
+  assert(out_len == expected_len);
+  assert(memcmp(decoded, expected, expected_len) == 0);
+  assert(decoded[out_len] == '\0');
+
+  ndpi_free(decoded);
+}
+
+static void checkTlsBlocksDecode(const u_char *encoded, size_t encoded_len,
+				 const struct ndpi_tls_block *expected_blocks,
+				 u_int8_t expected_num_blocks) {
+  u_int8_t num_blocks = 0;
+  u_int8_t i;
+  struct ndpi_tls_block *decoded;
+
+  decoded = ndpi_decode_tls_blocks(encoded, encoded_len, &num_blocks);
+  assert(decoded != NULL);
+  assert(num_blocks == expected_num_blocks);
+
+  for(i = 0; i < num_blocks; i++) {
+    assert(decoded[i].block_type == expected_blocks[i].block_type);
+    assert(decoded[i].same_pkt == expected_blocks[i].same_pkt);
+    assert(decoded[i].len == expected_blocks[i].len);
+  }
+
+  ndpi_free(decoded);
+}
+
+static void rewriteHexCase(u_char *encoded, size_t encoded_len) {
+  size_t i;
+
+  for(i = 0; i < encoded_len; i++) {
+    if(encoded[i] >= 'a' && encoded[i] <= 'f') {
+      if((i & 0x1) == 0)
+	encoded[i] -= 'a' - 'A';
+    } else if(encoded[i] >= 'A' && encoded[i] <= 'F') {
+      if((i & 0x1) == 1)
+	encoded[i] += 'a' - 'A';
+    }
+  }
+}
+
+static void hexDecodeUnitTest(void) {
+  static const u_char lower_hex[] = { 'a', 'f' };
+  static const u_char upper_hex[] = { 'A', 'F' };
+  static const u_char mixed_hex[] = { '0', '1', 'a', 'B', 'c', 'D' };
+  static const u_char zero_hex[] = { '0', '0', 'f', 'F' };
+  static const u_char invalid_hex[] = { '0', 'g' };
+  static const u_char odd_hex[] = { '0' };
+  static const u_char lower_expected[] = { 0xAF };
+  static const u_char upper_expected[] = { 0xAF };
+  static const u_char mixed_expected[] = { 0x01, 0xAB, 0xCD };
+  static const u_char zero_expected[] = { 0x00, 0xFF };
+  size_t out_len = 123;
+  u_char *decoded;
+
+  checkHexDecode(lower_hex, sizeof(lower_hex), lower_expected, sizeof(lower_expected));
+  checkHexDecode(upper_hex, sizeof(upper_hex), upper_expected, sizeof(upper_expected));
+  checkHexDecode(mixed_hex, sizeof(mixed_hex), mixed_expected, sizeof(mixed_expected));
+  checkHexDecode(zero_hex, sizeof(zero_hex), zero_expected, sizeof(zero_expected));
+
+  decoded = ndpi_hex_decode(invalid_hex, sizeof(invalid_hex), &out_len);
+  assert(decoded == NULL);
+  assert(out_len == 0);
+
+  out_len = 123;
+  decoded = ndpi_hex_decode(odd_hex, sizeof(odd_hex), &out_len);
+  assert(decoded == NULL);
+  assert(out_len == 0);
+
+  out_len = 123;
+  decoded = ndpi_hex_decode((const u_char *)"", 0, &out_len);
+  assert(decoded != NULL);
+  assert(out_len == 0);
+  assert(decoded[0] == '\0');
+  ndpi_free(decoded);
+}
+
+static void tlsBlocksUnitTest(void) {
+  struct ndpi_tls_block expected_blocks[] = {
+    { .block_type = tls_handshake_client_hello, .len = 0x0000, .same_pkt = 1 },
+    { .block_type = tls_application_data, .len = 0xFFFF, .same_pkt = 0 },
+    { .block_type = tls_application_data, .len = 0x00AF, .same_pkt = 1 }
+  };
+  static const u_char truncated_tls_blocks[] = { '0', '0', '0', '1' };
+  static const u_char invalid_tls_blocks[] = { '0', 'g', '0', '0', '0', '0' };
+  static const u_char odd_tls_blocks[] = { '0', '0', '0' };
+  u_int8_t expected_num_blocks = sizeof(expected_blocks) / sizeof(expected_blocks[0]);
+  u_int8_t num_blocks = 0;
+  size_t encoded_len;
+  size_t oversized_encoded_len = (size_t)256 * 6;
+  u_char *encoded;
+  u_char *encoded_no_nul;
+  u_char *oversized_encoded;
+
+  encoded = ndpi_encode_tls_blocks(expected_blocks, expected_num_blocks);
+  assert(encoded != NULL);
+
+  encoded_len = strlen((const char *)encoded);
+  encoded_no_nul = ndpi_malloc(encoded_len);
+  assert(encoded_no_nul != NULL);
+
+  memcpy(encoded_no_nul, encoded, encoded_len);
+
+  checkTlsBlocksDecode(encoded_no_nul, encoded_len, expected_blocks, expected_num_blocks);
+  rewriteHexCase(encoded_no_nul, encoded_len);
+  checkTlsBlocksDecode(encoded_no_nul, encoded_len, expected_blocks, expected_num_blocks);
+  ndpi_free(encoded_no_nul);
+  ndpi_free(encoded);
+
+  num_blocks = expected_num_blocks;
+  assert(ndpi_decode_tls_blocks(truncated_tls_blocks, sizeof(truncated_tls_blocks), &num_blocks) == NULL);
+  assert(num_blocks == 0);
+
+  num_blocks = expected_num_blocks;
+  assert(ndpi_decode_tls_blocks(invalid_tls_blocks, sizeof(invalid_tls_blocks), &num_blocks) == NULL);
+  assert(num_blocks == 0);
+
+  num_blocks = expected_num_blocks;
+  assert(ndpi_decode_tls_blocks(odd_tls_blocks, sizeof(odd_tls_blocks), &num_blocks) == NULL);
+  assert(num_blocks == 0);
+
+  oversized_encoded = ndpi_malloc(oversized_encoded_len);
+  assert(oversized_encoded != NULL);
+  memset(oversized_encoded, '0', oversized_encoded_len);
+
+  num_blocks = expected_num_blocks;
+  assert(ndpi_decode_tls_blocks(oversized_encoded, oversized_encoded_len, &num_blocks) == NULL);
+  assert(num_blocks == 0);
+  ndpi_free(oversized_encoded);
+
+  num_blocks = expected_num_blocks;
+  assert(ndpi_decode_tls_blocks((const u_char *)"", 0, &num_blocks) == NULL);
+  assert(num_blocks == 0);
+}
+
 void run_unit_tests() {
 
   checkRankingUnitTest(false);
@@ -2352,5 +2494,7 @@ void run_unit_tests() {
   bitmap64FuseUnitTest();
   riskUtilsUnitTest();
   cryptoUnitTest();
+  hexDecodeUnitTest();
+  tlsBlocksUnitTest();
 
 }

fuzz/Makefile.am

@@ -1,4 +1,4 @@
-bin_PROGRAMS = fuzz_process_packet fuzz_ndpi_reader fuzz_ndpi_reader_nalloc fuzz_ndpi_reader_alloc_fail fuzz_ndpi_reader_payload_analyzer fuzz_quic_get_crypto_data fuzz_config fuzz_community_id fuzz_serialization fuzz_tls_certificate fuzz_dga fuzz_is_stun_udp fuzz_is_stun_tcp fuzz_match_custom_category
+bin_PROGRAMS = fuzz_process_packet fuzz_ndpi_reader fuzz_ndpi_reader_nalloc fuzz_ndpi_reader_alloc_fail fuzz_ndpi_reader_payload_analyzer fuzz_quic_get_crypto_data fuzz_config fuzz_community_id fuzz_serialization fuzz_tls_certificate fuzz_dga fuzz_is_stun_udp fuzz_is_stun_tcp fuzz_match_custom_category fuzz_tls_client_server_hello fuzz_dns_parse fuzz_http_parse fuzz_ndpi_decode_tls_blocks
 #Alghoritms
 bin_PROGRAMS += fuzz_alg_ranking fuzz_alg_bins fuzz_alg_hll fuzz_alg_hw_rsi_outliers_da fuzz_alg_jitter fuzz_alg_ses_des fuzz_alg_crc32_md5 fuzz_alg_bytestream fuzz_alg_shoco fuzz_alg_memmem fuzz_alg_strnstr fuzz_alg_quick_encryption
 #Data structures
@@ -186,6 +186,21 @@ fuzz_is_stun_tcp_LINK = $(FUZZ_LINK_COMMAND)
 fuzz_match_custom_category_SOURCES = fuzz_match_custom_category.c fuzz_common_code.c
 fuzz_match_custom_category_LINK = $(FUZZ_LINK_COMMAND)
 
+fuzz_tls_client_server_hello_SOURCES = fuzz_tls_client_server_hello.c fuzz_common_code.c
+fuzz_tls_client_server_hello_CFLAGS = $(AM_CFLAGS) -DNDPI_LIB_COMPILATION
+fuzz_tls_client_server_hello_LINK = $(FUZZ_LINK_COMMAND)
+
+fuzz_dns_parse_SOURCES = fuzz_dns_parse.c fuzz_common_code.c
+fuzz_dns_parse_CFLAGS = $(AM_CFLAGS) -DNDPI_LIB_COMPILATION
+fuzz_dns_parse_LINK = $(FUZZ_LINK_COMMAND)
+
+fuzz_http_parse_SOURCES = fuzz_http_parse.c fuzz_common_code.c
+fuzz_http_parse_CFLAGS = $(AM_CFLAGS) -DNDPI_LIB_COMPILATION
+fuzz_http_parse_LINK = $(FUZZ_LINK_COMMAND)
+
+fuzz_ndpi_decode_tls_blocks_SOURCES = fuzz_ndpi_decode_tls_blocks.c
+fuzz_ndpi_decode_tls_blocks_LINK = $(FUZZ_LINK_COMMAND)
+
 fuzz_gcrypt_light_SOURCES = fuzz_gcrypt_light.cpp fuzz_common_code.c
 fuzz_gcrypt_light_LINK = $(FUZZ_LINK_COMMAND)
 

fuzz/fuzz_dns_parse.c

@@ -0,0 +1,98 @@
+/*
+ * fuzz_dns_parse
+ *
+ * What it tests:
+ *   DNS query / answer RR walking in src/lib/protocols/dns.c. Calls
+ *   ndpi_search_dns() directly with a synthesised packet_struct so the
+ *   dissector is reached without depending on ndpi_detection_process_packet()
+ *   and the full flow state machine. Exercises attacker-controlled uint16
+ *   counts (num_queries, num_answers, authority_rrs, additional_rrs) and the
+ *   name-compression pointer loops.
+ *
+ * Expected input format:
+ *   Raw DNS payload (starts with the 12-byte ndpi_dns_packet_header prefix).
+ *   The last byte is consumed as a selector:
+ *     bit 0 -> TCP vs UDP framing
+ *     bit 1 -> MDNS port (5353) vs DNS port (53)
+ */
+
+#include "ndpi_api.h"
+#include "ndpi_private.h"
+#include "fuzz_common_code.h"
+
+#include <arpa/inet.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+static struct ndpi_detection_module_struct *ndpi_struct = NULL;
+static struct ndpi_flow_struct *ndpi_flow = NULL;
+static struct ndpi_iphdr iph;
+static struct ndpi_udphdr udph;
+static struct ndpi_tcphdr tcph;
+
+static char *path = NULL;
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+  (void)argc;
+  path = dirname(strdup(*argv[0])); /* No errors; no free! */
+  return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  struct ndpi_packet_struct *packet;
+  uint8_t selector;
+  int is_tcp, is_mdns;
+  uint16_t port;
+
+  if (ndpi_struct == NULL) {
+    fuzz_init_detection_module(&ndpi_struct, NULL, path);
+    ndpi_flow = ndpi_calloc(1, sizeof(struct ndpi_flow_struct));
+
+    memset(&iph, 0, sizeof(iph));
+    iph.version = 4;
+    iph.ihl = 5;
+    iph.saddr = htonl(0x0A000001);
+    iph.daddr = htonl(0x0A000002);
+  }
+
+  if (size < 1)
+    return 0;
+
+  fuzz_set_alloc_callbacks_and_seed(size);
+
+  selector = data[size - 1];
+  is_tcp  = selector & 0x01;
+  is_mdns = (selector & 0x02) ? 1 : 0;
+  port    = is_mdns ? 5353 : 53;
+
+  packet = &ndpi_struct->packet;
+  packet->payload = data;
+  packet->payload_packet_len = (u_int16_t)size;
+  packet->iph = &iph;
+  packet->iphv6 = NULL;
+
+  if (is_tcp) {
+    memset(&tcph, 0, sizeof(tcph));
+    tcph.source = htons(port);
+    tcph.dest = htons(port);
+    packet->tcp = &tcph;
+    packet->udp = NULL;
+    iph.protocol = 6;
+  } else {
+    memset(&udph, 0, sizeof(udph));
+    udph.source = htons(port);
+    udph.dest = htons(port);
+    packet->udp = &udph;
+    packet->tcp = NULL;
+    iph.protocol = 17;
+  }
+
+  memset(ndpi_flow, 0, sizeof(struct ndpi_flow_struct));
+  ndpi_flow->l4_proto = is_tcp ? IPPROTO_TCP : IPPROTO_UDP;
+
+  ndpi_search_dns(ndpi_struct, ndpi_flow);
+  ndpi_free_flow_data(ndpi_flow);
+
+  return 0;
+}

fuzz/fuzz_http_parse.c

@@ -0,0 +1,74 @@
+/*
+ * fuzz_http_parse
+ *
+ * What it tests:
+ *   HTTP dissector (ndpi_search_http_tcp) in src/lib/protocols/http.c. Calls
+ *   the parser directly with a synthesised packet_struct so the header
+ *   extractors (Host, User-Agent, Content-Type, Referer), chunked/transfer
+ *   handling, URL/URI walking, WebSocket upgrade, and URL-decode helpers are
+ *   reached without relying on the full ndpi_detection_process_packet() flow
+ *   state machine.
+ *
+ * Expected input format:
+ *   Raw TCP payload bytes (e.g. "GET / HTTP/1.1\r\nHost: x\r\n\r\n").
+ */
+
+#include "ndpi_api.h"
+#include "ndpi_private.h"
+#include "fuzz_common_code.h"
+
+#include <arpa/inet.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+static struct ndpi_detection_module_struct *ndpi_struct = NULL;
+static struct ndpi_flow_struct *ndpi_flow = NULL;
+static struct ndpi_iphdr iph;
+static struct ndpi_tcphdr tcph;
+
+static char *path = NULL;
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+  (void)argc;
+  path = dirname(strdup(*argv[0])); /* No errors; no free! */
+  return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  struct ndpi_packet_struct *packet;
+
+  if (ndpi_struct == NULL) {
+    fuzz_init_detection_module(&ndpi_struct, NULL, path);
+    ndpi_flow = ndpi_calloc(1, sizeof(struct ndpi_flow_struct));
+
+    memset(&iph, 0, sizeof(iph));
+    iph.version = 4;
+    iph.ihl = 5;
+    iph.protocol = 6; /* TCP */
+    iph.saddr = htonl(0x0A000001);
+    iph.daddr = htonl(0x0A000002);
+
+    memset(&tcph, 0, sizeof(tcph));
+    tcph.source = htons(80);
+    tcph.dest = htons(80);
+  }
+
+  fuzz_set_alloc_callbacks_and_seed(size);
+
+  packet = &ndpi_struct->packet;
+  packet->payload = data;
+  packet->payload_packet_len = (u_int16_t)size;
+  packet->iph = &iph;
+  packet->iphv6 = NULL;
+  packet->tcp = &tcph;
+  packet->udp = NULL;
+
+  memset(ndpi_flow, 0, sizeof(struct ndpi_flow_struct));
+  ndpi_flow->l4_proto = IPPROTO_TCP;
+
+  ndpi_search_http_tcp(ndpi_struct, ndpi_flow);
+  ndpi_free_flow_data(ndpi_flow);
+
+  return 0;
+}

fuzz/fuzz_ndpi_decode_tls_blocks.c

@@ -0,0 +1,34 @@
+/*
+ * fuzz_ndpi_decode_tls_blocks
+ *
+ * What it tests:
+ *   ndpi_decode_tls_blocks() in src/lib/ndpi_utils.c, which in turn invokes
+ *   ndpi_hex_decode(). The decoder consumes an attacker-controlled byte
+ *   stream, hex-decodes it, then walks it as { block_type, len_hi, len_lo }
+ *   triples. Both the hex decoder and the structural parser are exposed.
+ *
+ * Expected input format:
+ *   Arbitrary bytes (interpreted as hex ASCII by the target). No state, one
+ *   shot per invocation; all memory returned by the target is freed here.
+ */
+
+#include "ndpi_api.h"
+
+#include <stdint.h>
+#include <stdlib.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  u_int8_t num_blocks = 0;
+  struct ndpi_tls_block *blocks;
+
+  if (size > (u_int)UINT32_MAX)
+    return 0;
+
+  blocks = ndpi_decode_tls_blocks((const u_char *)data,
+                                  (u_int)size,
+                                  &num_blocks);
+  if (blocks != NULL)
+    ndpi_free(blocks);
+
+  return 0;
+}