Merge #565
565: Add fuzzing for IEEE802.15.4 frame r=Dirbaio a=thibautvdv Because IEEE802.15.4 uses compression in its frame, fuzzing it is maybe a good idea. Adding this fuzz target showed that some frame methods were panicking. `check_len` now checks if accessors will panic or not. I ran the fuzzer for about 15 minutes and nothing showed up after the changes in `check_len`. Co-authored-by: Thibaut Vandervelden <thvdveld@vub.be>master
commit
e8659d7cca
|
@ -34,3 +34,9 @@ name = "dhcp_header"
|
||||||
path = "fuzz_targets/dhcp_header.rs"
|
path = "fuzz_targets/dhcp_header.rs"
|
||||||
test = false
|
test = false
|
||||||
doc = false
|
doc = false
|
||||||
|
|
||||||
|
[[bin]]
|
||||||
|
name = "ieee802154_header"
|
||||||
|
path = "fuzz_targets/ieee802154_header.rs"
|
||||||
|
test = false
|
||||||
|
doc = false
|
||||||
|
|
|
@ -0,0 +1,19 @@
|
||||||
|
#![no_main]
|
||||||
|
use libfuzzer_sys::fuzz_target;
|
||||||
|
use smoltcp::wire::{Ieee802154Frame, Ieee802154Repr};
|
||||||
|
|
||||||
|
fuzz_target!(|data: &[u8]| {
|
||||||
|
if let Ok(ref frame) = Ieee802154Frame::new_checked(data) {
|
||||||
|
if let Ok(repr) = Ieee802154Repr::parse(frame) {
|
||||||
|
// The buffer len returns only the lenght required for emitting the header
|
||||||
|
// and does not take into account the length of the payload.
|
||||||
|
let mut buffer = vec![0; repr.buffer_len()];
|
||||||
|
|
||||||
|
// NOTE: unchecked because the checked version checks if the addressing mode field
|
||||||
|
// is valid or not. The addressing mode field is required for calculating the length of
|
||||||
|
// the header, which is used in `check_len`.
|
||||||
|
let mut frame = Ieee802154Frame::new_unchecked(&mut buffer[..]);
|
||||||
|
repr.emit(&mut frame);
|
||||||
|
}
|
||||||
|
};
|
||||||
|
});
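Review bot: The target only checks that `parse` and `emit` do not panic; nothing after `repr.emit(&mut frame)` verifies that the emitted bytes decode back to the same representation, so an `emit` that writes wrong field values passes silently. If `Ieee802154Repr` implements `PartialEq` and `Debug` (not visible here), I would re-parse the buffer after the emit: `let out = Ieee802154Frame::new_checked(&buffer[..]).unwrap();` followed by `assert_eq!(Ieee802154Repr::parse(&out).unwrap(), repr);`. Frames that pass `new_checked` but fail `Ieee802154Repr::parse` are dropped without touching any accessor, so a panic in an accessor that `parse` does not reach on that path stays uncovered. Calling the frame's getters directly in the outer `if let` would close that gap. Minor: "lenght" in the first comment should read "length".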
|
|
@ -251,10 +251,24 @@ impl<T: AsRef<[u8]>> Frame<T> {
|
||||||
pub fn check_len(&self) -> Result<()> {
|
pub fn check_len(&self) -> Result<()> {
|
||||||
// We need at least 3 bytes
|
// We need at least 3 bytes
|
||||||
if self.buffer.as_ref().len() < 3 {
|
if self.buffer.as_ref().len() < 3 {
|
||||||
Err(Error::Truncated)
|
return Err(Error::Truncated);
|
||||||
} else {
|
|
||||||
Ok(())
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
let mut offset = field::ADDRESSING.start + 2;
|
||||||
|
|
||||||
|
// Calculate the size of the addressing field.
|
||||||
|
offset += self.dst_addressing_mode().size();
|
||||||
|
offset += self.src_addressing_mode().size();
|
||||||
|
|
||||||
|
if !self.pan_id_compression() {
|
||||||
|
offset += 2;
|
||||||
|
}
|
||||||
|
|
||||||
|
if offset > self.buffer.as_ref().len() {
|
||||||
|
return Err(Error::Truncated);
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Consumes the frame, returning the underlying buffer.
|
/// Consumes the frame, returning the underlying buffer.
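Review bot: The new bound in `check_len` starts from `field::ADDRESSING.start + 2`, which counts a destination PAN ID unconditionally, and the `!self.pan_id_compression()` branch adds two more bytes whether or not a source address is present. A frame with no addressing fields, such as an acknowledgement, therefore looks to be rejected as `Error::Truncated` even when it is complete. This fails closed, so it costs valid frames rather than memory safety. If such frames are meant to be accepted, make each PAN ID term depend on its addressing mode, for example `if self.dst_addressing_mode().size() > 0 { offset += 2; }`, and gate the source term the same way. A doc comment such as `/// Ensures the buffer holds the frame control, sequence number and the addressing fields announced by the frame control field.` would also state which accessors are guaranteed not to panic after the check; fields beyond addressing are not covered by it.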
|
||||||
|
|