1 /* Fuzz testing for the nanopb core.
2 * Attempts to verify all the properties defined in the security model document.
12 #include <malloc_wrappers.h>
13 #include "alltypes_static.pb.h"
14 #include "alltypes_pointer.pb.h"
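/* Generator state. Set from the command line (or the clock) in main(); every
 * other rand_* helper derives its output from this single word. */
static uint64_t random_seed;

/* Uses xorshift64 here instead of rand() for both speed and
 * reproducibility across platforms.
 *
 * Returns the low 32 bits of the state multiplied by an odd 64-bit constant
 * (the xorshift64* output step); the state itself is advanced in place.
 *
 * The all-zero state is a fixed point of xorshift: from seed 0 every call
 * would return 0 and the fuzzer would never vary its input. A zero seed is
 * easy to get by accident (atol() yields 0 for a non-numeric argument), so
 * the state is moved to a fixed non-zero value first. Using a constant keeps
 * each run reproducible from its printed seed. */
static uint32_t rand_word(void)
{
    if (random_seed == 0)
        random_seed = 0x9E3779B97F4A7C15ULL; /* any non-zero constant works */

    random_seed ^= random_seed >> 12;
    random_seed ^= random_seed << 25;
    random_seed ^= random_seed >> 27;
    return (uint32_t)(random_seed * 2685821657736338717ULL);
}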
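/* Get a random integer in the closed range [min, max], with approximately
 * flat distribution (the modulo bias is accepted for fuzzing purposes).
 *
 * The span is computed in unsigned arithmetic so that a wide range such as
 * rand_int(INT_MIN, INT_MAX) cannot overflow signed int, and a span that
 * wraps to 0 (the full int range) is answered with a raw 32-bit word. An
 * empty range (max < min) is a caller error; instead of dividing by zero it
 * returns min so the caller at least stays within its own bounds. */
static int rand_int(int min, int max)
{
    uint32_t span;

    if (max < min)
        return min;

    span = (uint32_t)max - (uint32_t)min + 1u;
    if (span == 0)
        return (int)rand_word(); /* full range: every 32-bit value is valid */

    return (int)((uint32_t)min + rand_word() % span);
}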
/* Coin flip: true when the low bit of the next random word is set. */
static bool rand_bool()
{
    uint32_t w = rand_word();
    return (w & 1u) != 0;
}
39 /* Get a random byte, with skewed distribution.
40 * Important corner cases like 0xFF, 0x00 and 0xFE occur more
41 * often than other values. */
42 static uint8_t rand_byte()
44 uint32_t w = rand_word();
55 /* Get a random length, with skewed distribution.
56 * Favors the shorter lengths, but always atleast 1. */
57 static size_t rand_len(size_t max)
59 uint32_t w = rand_word();
63 else if (w & 0x400000)
65 else if (w & 0x200000)
75 /* Fills a buffer with random data with skewed distribution. */
76 static void rand_fill(uint8_t *buf, size_t count)
/* Fill with random protobuf-like data.
 *
 * Emits random (tag, payload) pairs into buf until at least min_bytes have
 * been written or the stream (capped at max_bytes) is full. Tags and wire
 * types are valid, so the output is well-formed at the wire level while the
 * payloads are arbitrary; callers use it both as free-standing noise and to
 * corrupt an already-encoded message.
 *
 * buf       - output buffer of at least max_bytes bytes
 * min_bytes - keep emitting fields until this many bytes are written
 * max_bytes - capacity of buf, enforced by pb_ostream_from_buffer
 * min_tag   - lowest field number to emit; numbers up to min_tag + 512 occur
 * Returns the number of bytes actually written.
 *
 * NOTE(review): the `value` declarations of the per-wire-type branches, the
 * loop exit after a failed pb_encode_tag, and the declaration of the `buf`
 * used in the string branch are not visible in this listing. */
static size_t rand_fill_protobuf(uint8_t *buf, size_t min_bytes, size_t max_bytes, int min_tag)
pb_ostream_t stream = pb_ostream_from_buffer(buf, max_bytes);
while(stream.bytes_written < min_bytes)
/* Wire types 0, 1, 2 and 5; 3 and 4 (start/end group) are skipped. */
pb_wire_type_t wt = rand_int(0, 3);
if (wt == 3) wt = 5; /* Gap in values */
/* Once even the tag no longer fits the stream is full; presumably the
 * elided statement leaves the loop here. */
if (!pb_encode_tag(&stream, wt, rand_int(min_tag, min_tag + 512)))
/* Payload return values are deliberately not checked: a payload that does
 * not fit simply leaves a dangling tag at the end of the buffer, which is
 * exactly the kind of truncated input the decoder must survive. */
if (wt == PB_WT_VARINT)
rand_fill((uint8_t*)&value, sizeof(value));
pb_encode_varint(&stream, value);
else if (wt == PB_WT_64BIT)
rand_fill((uint8_t*)&value, sizeof(value));
pb_encode_fixed64(&stream, &value);
else if (wt == PB_WT_32BIT)
rand_fill((uint8_t*)&value, sizeof(value));
pb_encode_fixed32(&stream, &value);
else if (wt == PB_WT_STRING)
/* Length-delimited: the length is bounded by what is still needed to
 * reach min_bytes (and is 0 otherwise, assuming the elided else branch). */
if (min_bytes > stream.bytes_written)
len = rand_len(min_bytes - stream.bytes_written);
pb_encode_varint(&stream, len);
/* NOTE(review): if `buf` here is the output parameter rather than a local
 * scratch buffer, source and destination of this write can overlap —
 * confirm against the elided declarations. */
pb_write(&stream, buf, len);
return stream.bytes_written;
/* Given a buffer of data, mess it up a bit.
 *
 * Applies one of four mutations, chosen uniformly, to buf[0..count):
 * overwrite a substring, swap two bytes, duplicate a substring forward, or
 * splice in protobuf-shaped noise. The buffer may hold raw struct memory
 * (see do_static_encode) or an encoded message, so nothing here assumes a
 * particular layout.
 *
 * Offsets and lengths are narrowed from size_t to int, so count must fit in
 * an int. count must also be at least 2: `count - 2` below is evaluated in
 * size_t and would wrap for a smaller buffer. Both hold for the callers in
 * this file, which pass sizeof(alltypes_static_AllTypes) and BUFSIZE.
 *
 * NOTE(review): the dispatch on m, the braces and the body of the byte-swap
 * case are not visible in this listing. */
static void rand_mess(uint8_t *buf, size_t count)
int m = rand_int(0, 3);
/* Replace random substring: s is in range, and l is at most count - s. */
int s = rand_int(0, count - 1);
int l = rand_len(count - s);
rand_fill(buf + s, l);
/* Swap random bytes (the swap itself is elided here). */
int a = rand_int(0, count - 1);
int b = rand_int(0, count - 1);
/* Duplicate substring: l <= (count - s) / 2 guarantees s + 2*l <= count,
 * so the copy stays in bounds and source/destination do not overlap —
 * which is why memcpy rather than memmove is sufficient. */
int s = rand_int(0, count - 2);
int l = rand_len((count - s) / 2);
memcpy(buf + s + l, buf + s, l);
/* Add random protobuf noise: at least l bytes, never past end of buf. */
int s = rand_int(0, count - 1);
int l = rand_len(count - s);
rand_fill_protobuf(buf + s, l, count - s, 1);
/* Some default data to put in the message */
static const alltypes_static_AllTypes initval = alltypes_static_AllTypes_init_default;

/* Encode a randomly corrupted static AllTypes message into buffer.
 *
 * The message starts from the generated defaults and is then mutated at the
 * raw-memory level (so has_* flags, counts, enum values and string contents
 * can all be nonsensical). The encoder must either produce output that fits
 * or fail cleanly; the two asserts are the properties checked.
 *
 * buffer - output buffer of BUFSIZE bytes
 * msglen - receives the number of bytes written (also on failure)
 * Returns the pb_encode status, assuming the elided tail returns `status`.
 *
 * NOTE(review): the declarations of `stream` and `status` and the return
 * statement are not visible in this listing. */
static bool do_static_encode(uint8_t *buffer, size_t *msglen)
/* Allocate a message and fill it with defaults */
alltypes_static_AllTypes *msg = malloc_with_check(sizeof(alltypes_static_AllTypes));
memcpy(msg, &initval, sizeof(initval));
/* Apply randomness to the data before encoding: each pass continues with
 * probability 7/8, so several mutations are stacked on average. */
while (rand_int(0, 7))
rand_mess((uint8_t*)msg, sizeof(alltypes_static_AllTypes));
stream = pb_ostream_from_buffer(buffer, BUFSIZE);
status = pb_encode(&stream, alltypes_static_AllTypes_fields, msg);
/* Property: whatever the input struct holds, the encoder never writes past
 * the stream and never exceeds the generated maximum message size. */
assert(stream.bytes_written <= BUFSIZE);
assert(stream.bytes_written <= alltypes_static_AllTypes_size);
*msglen = stream.bytes_written;
/* Static message has no dynamically allocated fields, so this is presumably
 * a no-op; kept so the call pattern matches the pointer variant. */
pb_release(alltypes_static_AllTypes_fields, msg);
free_with_check(msg);
/* Append or prepend protobuf noise.
 *
 * With m selecting one of three outcomes (prepend, append, or presumably
 * leave the message alone), well-formed fields are added around the encoded
 * message. Field numbers start at 512, presumably above anything AllTypes
 * defines, so the noise should decode as unknown fields — confirm against
 * the .proto.
 *
 * buffer - BUFSIZE-byte buffer holding *msglen bytes of encoded message
 * msglen - in/out: message length; the elided lines presumably add s to it
 *
 * NOTE(review): max_size is computed in size_t and wraps if *msglen exceeds
 * BUFSIZE - 32. do_static_encode asserts *msglen <= alltypes_static_AllTypes_size,
 * so this is safe only if BUFSIZE leaves at least that much headroom —
 * confirm the BUFSIZE definition. */
static void do_protobuf_noise(uint8_t *buffer, size_t *msglen)
int m = rand_int(0, 2);
size_t max_size = BUFSIZE - 32 - *msglen;
/* Prepend: build the noise in a scratch buffer, shift the message up by s
 * and copy the noise in front. s <= BUFSIZE - *msglen (the stream cap passed
 * to rand_fill_protobuf), so the memmove stays within buffer. */
uint8_t *tmp = malloc_with_check(BUFSIZE);
size_t s = rand_fill_protobuf(tmp, rand_len(max_size), BUFSIZE - *msglen, 512);
memmove(buffer + s, buffer, *msglen);
memcpy(buffer, tmp, s);
free_with_check(tmp);
/* Append: write the noise directly after the message, bounded the same way. */
size_t s = rand_fill_protobuf(buffer + *msglen, rand_len(max_size), BUFSIZE - *msglen, 512);
/* Decode buffer[0..msglen) into a static AllTypes message.
 *
 * The destination is deliberately filled with garbage first, so a decoder
 * that relied on pre-initialised fields (e.g. to bound a string or array)
 * would be caught. With assert_success set, a decode failure is treated as
 * a bug unless it is the documented "string overflow" case.
 *
 * buffer         - input bytes
 * msglen         - number of valid bytes in buffer
 * assert_success - when true, any other failure aborts the run
 * Returns the pb_decode status, assuming the elided tail returns `status`.
 *
 * NOTE(review): the declarations of `stream` and `status`, the body of the
 * failure branch and the return are not visible in this listing. */
static bool do_static_decode(uint8_t *buffer, size_t msglen, bool assert_success)
alltypes_static_AllTypes *msg = malloc_with_check(sizeof(alltypes_static_AllTypes));
rand_fill((uint8_t*)msg, sizeof(alltypes_static_AllTypes));
stream = pb_istream_from_buffer(buffer, msglen);
status = pb_decode(&stream, alltypes_static_AllTypes_fields, msg);
if (!status && assert_success)
/* Anything that was successfully encoded, should be decodeable.
 * One exception: strings without null terminator are encoded up
 * to end of buffer, but refused on decode because the terminator
 * no longer fits in the field.
 * NOTE(review): this assumes stream.errmsg is non-NULL whenever status is
 * false; a failure path that does not set an error message would make the
 * strcmp below dereference NULL — confirm. */
if (strcmp(stream.errmsg, "string overflow") != 0)
free_with_check(msg);
/* Decode buffer[0..msglen) into a pointer-mode AllTypes message.
 *
 * The property under test is resource safety: the allocation counter must
 * be zero before decoding and zero again after pb_release, i.e. neither a
 * successful nor a failed decode may leak a dynamically allocated field.
 *
 * buffer         - input bytes
 * msglen         - number of valid bytes in buffer
 * assert_success - presumably treats a decode failure as fatal (elided)
 * Returns the pb_decode status, assuming the elided tail returns `status`.
 *
 * NOTE(review): the declarations of `stream` and `status`, the handling of
 * assert_success and the return are not visible in this listing. */
static bool do_pointer_decode(uint8_t *buffer, size_t msglen, bool assert_success)
alltypes_pointer_AllTypes *msg;
msg = malloc_with_check(sizeof(alltypes_pointer_AllTypes));
/* Pointer fields must start out NULL for pb_release to be safe. */
memset(msg, 0, sizeof(alltypes_pointer_AllTypes));
stream = pb_istream_from_buffer(buffer, msglen);
/* msg itself was allocated above and is not counted, so get_alloc_count()
 * presumably tracks only the allocator used for pointer fields — confirm
 * in malloc_wrappers.h. */
assert(get_alloc_count() == 0);
status = pb_decode(&stream, alltypes_pointer_AllTypes_fields, msg);
/* Released on both success and failure (assuming no early return in the
 * elided lines); after release nothing may remain allocated. */
pb_release(alltypes_pointer_AllTypes_fields, msg);
assert(get_alloc_count() == 0);
free_with_check(msg);
/* Do a decode -> encode -> decode -> encode roundtrip.
 *
 * Property: once a message has been decoded and re-encoded, a further
 * decode/encode cycle must reproduce the same bytes exactly. The input
 * itself need not be canonical (it may carry unknown fields or noise), so
 * buffer is not compared with buf2; only buf2 and buf3 must agree.
 *
 * buffer - input bytes, msglen of them valid
 *
 * NOTE(review): the declaration of `status` and the asserts on it after
 * each decode/encode step are not visible in this listing; without them a
 * failed decode would silently compare two default-initialised messages. */
static void do_static_roundtrip(uint8_t *buffer, size_t msglen)
uint8_t *buf2 = malloc_with_check(BUFSIZE);
uint8_t *buf3 = malloc_with_check(BUFSIZE);
size_t msglen2, msglen3;
alltypes_static_AllTypes *msg1 = malloc_with_check(sizeof(alltypes_static_AllTypes));
alltypes_static_AllTypes *msg2 = malloc_with_check(sizeof(alltypes_static_AllTypes));
memset(msg1, 0, sizeof(alltypes_static_AllTypes));
memset(msg2, 0, sizeof(alltypes_static_AllTypes));
/* Step 1: decode the original input. */
pb_istream_t stream = pb_istream_from_buffer(buffer, msglen);
status = pb_decode(&stream, alltypes_static_AllTypes_fields, msg1);
/* Step 2: re-encode it; this is the canonical form. */
pb_ostream_t stream = pb_ostream_from_buffer(buf2, BUFSIZE);
status = pb_encode(&stream, alltypes_static_AllTypes_fields, msg1);
msglen2 = stream.bytes_written;
/* Step 3: decode the canonical form. */
pb_istream_t stream = pb_istream_from_buffer(buf2, msglen2);
status = pb_decode(&stream, alltypes_static_AllTypes_fields, msg2);
/* Step 4: encode again and require byte-for-byte equality with step 2. */
pb_ostream_t stream = pb_ostream_from_buffer(buf3, BUFSIZE);
status = pb_encode(&stream, alltypes_static_AllTypes_fields, msg2);
msglen3 = stream.bytes_written;
assert(msglen2 == msglen3);
assert(memcmp(buf2, buf3, msglen2) == 0);
free_with_check(msg1);
free_with_check(msg2);
free_with_check(buf2);
free_with_check(buf3);
/* Do decode -> encode -> decode -> encode roundtrip, pointer-mode variant.
 *
 * Same property as do_static_roundtrip — the second encode must reproduce
 * the first byte for byte — but with dynamically allocated fields, so both
 * messages are released before being freed. The two functions are parallel
 * on purpose; keep them in step when changing one.
 *
 * buffer - input bytes, msglen of them valid
 *
 * NOTE(review): the declaration of `status` and the asserts on it after
 * each step are not visible in this listing. */
static void do_pointer_roundtrip(uint8_t *buffer, size_t msglen)
uint8_t *buf2 = malloc_with_check(BUFSIZE);
uint8_t *buf3 = malloc_with_check(BUFSIZE);
size_t msglen2, msglen3;
alltypes_pointer_AllTypes *msg1 = malloc_with_check(sizeof(alltypes_pointer_AllTypes));
alltypes_pointer_AllTypes *msg2 = malloc_with_check(sizeof(alltypes_pointer_AllTypes));
/* Pointer fields must start out NULL so pb_release can tell allocated from
 * never-set fields. */
memset(msg1, 0, sizeof(alltypes_pointer_AllTypes));
memset(msg2, 0, sizeof(alltypes_pointer_AllTypes));
/* Step 1: decode the original input. */
pb_istream_t stream = pb_istream_from_buffer(buffer, msglen);
status = pb_decode(&stream, alltypes_pointer_AllTypes_fields, msg1);
/* Step 2: re-encode into the canonical form. */
pb_ostream_t stream = pb_ostream_from_buffer(buf2, BUFSIZE);
status = pb_encode(&stream, alltypes_pointer_AllTypes_fields, msg1);
msglen2 = stream.bytes_written;
/* Step 3: decode the canonical form. */
pb_istream_t stream = pb_istream_from_buffer(buf2, msglen2);
status = pb_decode(&stream, alltypes_pointer_AllTypes_fields, msg2);
/* Step 4: encode again and require byte-for-byte equality with step 2. */
pb_ostream_t stream = pb_ostream_from_buffer(buf3, BUFSIZE);
status = pb_encode(&stream, alltypes_pointer_AllTypes_fields, msg2);
msglen3 = stream.bytes_written;
assert(msglen2 == msglen3);
assert(memcmp(buf2, buf3, msglen2) == 0);
/* Release dynamic fields before freeing the containers themselves. */
pb_release(alltypes_pointer_AllTypes_fields, msg1);
pb_release(alltypes_pointer_AllTypes_fields, msg2);
free_with_check(msg1);
free_with_check(msg2);
free_with_check(buf2);
free_with_check(buf3);
/* One fuzzing iteration: a valid-message phase followed by a corruption phase.
 *
 * Phase 1 (only if encoding succeeded): add protobuf noise, then require
 * that both decoders accept the result and that both roundtrips are stable.
 * Phase 2: corrupt the bytes and pick an arbitrary length, then check that
 * the static and pointer decoders agree on whether the input is acceptable
 * (the pointer decode is asserted to succeed exactly when the static one
 * did) and, presumably only on success, that the roundtrips still hold.
 *
 * All properties are checked with assert(); a build with NDEBUG would turn
 * this loop into a no-op, so the fuzzer must be built with asserts enabled.
 *
 * NOTE(review): the declarations of `msglen` and `status` and several
 * conditionals/loops around the calls below are not visible in this
 * listing. */
static void run_iteration()
uint8_t *buffer = malloc_with_check(BUFSIZE);
/* Start from garbage so stale bytes past msglen are never "accidentally"
 * valid. */
rand_fill(buffer, BUFSIZE);
if (do_static_encode(buffer, &msglen))
do_protobuf_noise(buffer, &msglen);
/* Successfully encoded data must decode (modulo the string-overflow case). */
status = do_static_decode(buffer, msglen, true);
do_static_roundtrip(buffer, msglen);
status = do_pointer_decode(buffer, msglen, true);
do_pointer_roundtrip(buffer, msglen);
/* Apply randomness to the encoded data */
rand_mess(buffer, BUFSIZE);
/* Apply randomness to encoded data length: any value up to the full
 * buffer, so stale bytes and previously out-of-range bytes become input. */
msglen = rand_int(0, BUFSIZE);
/* Corrupted input may legitimately fail; the two decoders must just agree. */
status = do_static_decode(buffer, msglen, false);
do_pointer_decode(buffer, msglen, status);
do_static_roundtrip(buffer, msglen);
do_pointer_roundtrip(buffer, msglen);
free_with_check(buffer);
411 int main(int argc, char **argv)
416 random_seed = atol(argv[1]);
420 random_seed = time(NULL);
423 fprintf(stderr, "Random seed: %llu\n", (long long unsigned)random_seed);
425 for (i = 0; i < 10000; i++)