Merge #565
565: Add fuzzing for IEEE802.15.4 frame r=Dirbaio a=thibautvdv Because IEEE802.15.4 uses compression in its frame, fuzzing it is maybe a good idea. Adding this fuzz target showed that some frame methods were panicking. `check_len` now checks if accessors will panic or not. I ran the fuzzer for about 15 minutes and nothing showed up after the changes in `check_len`. Co-authored-by: Thibaut Vandervelden <thvdveld@vub.be>master
bors[bot]
GitHub
commit
e8659d7cca
|
|
@ -34,3 +34,9 @@ name = "dhcp_header"
|
|||
path = "fuzz_targets/dhcp_header.rs"
|
||||
test = false
|
||||
doc = false
|
||||
|
||||
[[bin]]
|
||||
name = "ieee802154_header"
|
||||
path = "fuzz_targets/ieee802154_header.rs"
|
||||
test = false
|
||||
doc = false
|
||||
|
|
|
|||
|
|
@ -0,0 +1,19 @@
|
|||
#![no_main]
|
||||
use libfuzzer_sys::fuzz_target;
|
||||
use smoltcp::wire::{Ieee802154Frame, Ieee802154Repr};
|
||||
|
||||
fuzz_target!(|data: &[u8]| {
|
||||
if let Ok(ref frame) = Ieee802154Frame::new_checked(data) {
|
||||
if let Ok(repr) = Ieee802154Repr::parse(frame) {
|
||||
// The buffer len returns only the lenght required for emitting the header
|
||||
// and does not take into account the length of the payload.
|
||||
let mut buffer = vec![0; repr.buffer_len()];
|
||||
|
||||
// NOTE: unchecked because the checked version checks if the addressing mode field
|
||||
// is valid or not. The addressing mode field is required for calculating the length of
|
||||
// the header, which is used in `check_len`.
|
||||
let mut frame = Ieee802154Frame::new_unchecked(&mut buffer[..]);
|
||||
repr.emit(&mut frame);
|
||||
}
|
||||
};
|
||||
});
|
||||
|
|
@ -251,10 +251,24 @@ impl<T: AsRef<[u8]>> Frame<T> {
|
|||
pub fn check_len(&self) -> Result<()> {
|
||||
// We need at least 3 bytes
|
||||
if self.buffer.as_ref().len() < 3 {
|
||||
Err(Error::Truncated)
|
||||
} else {
|
||||
Ok(())
|
||||
return Err(Error::Truncated);
|
||||
}
|
||||
|
||||
let mut offset = field::ADDRESSING.start + 2;
|
||||
|
||||
// Calculate the size of the addressing field.
|
||||
offset += self.dst_addressing_mode().size();
|
||||
offset += self.src_addressing_mode().size();
|
||||
|
||||
if !self.pan_id_compression() {
|
||||
offset += 2;
|
||||
}
|
||||
|
||||
if offset > self.buffer.as_ref().len() {
|
||||
return Err(Error::Truncated);
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Consumes the frame, returning the underlying buffer.
|
||||
|
|
|
|||
Loading…
Reference in New Issue