Support ephemeral addresses on fuzzer
Anilm3 committed Oct 9, 2023
1 parent aa3eae9 commit f039b24
Showing 4 changed files with 25 additions and 11 deletions.
7 changes: 6 additions & 1 deletion fuzzing/src/helpers.cpp
Expand Up @@ -95,7 +95,9 @@ void _print_object(ddwaf_object entry, uint8_t depth)
}

break;

case DDWAF_OBJ_FLOAT:
std::cerr << entry.f64;
break;
case DDWAF_OBJ_SIGNED:
std::cerr << entry.intValue;
break;
Expand All @@ -108,6 +110,9 @@ void _print_object(ddwaf_object entry, uint8_t depth)
case DDWAF_OBJ_BOOL:
std::cerr << std::boolalpha << entry.boolean;
break;
case DDWAF_OBJ_NULL:
std::cerr << "(null)";
break;
case DDWAF_OBJ_INVALID:
std::cerr << "--PW ERROR--";
break;
9 changes: 7 additions & 2 deletions fuzzing/src/interface.cpp
Expand Up @@ -92,15 +92,20 @@ ddwaf_handle init_waf()
return handle;
}

void run_waf(ddwaf_handle handle, ddwaf_object args, size_t timeLeftInUs)
void run_waf(ddwaf_handle handle, ddwaf_object args, bool ephemeral, size_t timeLeftInUs)
{
ddwaf_context context = ddwaf_context_init(handle);
if (context == nullptr) {
__builtin_trap();
}

ddwaf_result res;
auto code = ddwaf_run(context, &args, nullptr, &res, timeLeftInUs);
auto code = DDWAF_OK;
if (ephemeral) {
ddwaf_run(context, nullptr, &args, &res, timeLeftInUs);
} else {
ddwaf_run(context, &args, nullptr, &res, timeLeftInUs);
}

// TODO split input in several ddwaf_object, and call ddwaf_run on the same context

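Review bot: The status returned by `ddwaf_run` is discarded in both branches of the `if (ephemeral)` block, so `code` keeps its `DDWAF_OK` initializer whatever the engine reports. The rest of `run_waf` lies outside the visible hunk, but any later check on `code` would treat an error or a match as a clean run, which can hide the failures a fuzz harness exists to surface. Assign the result in each branch: `code = ddwaf_run(context, nullptr, &args, &res, timeLeftInUs);` and `code = ddwaf_run(context, &args, nullptr, &res, timeLeftInUs);`. If `res` is read after a failing call, value-initializing it with `ddwaf_result res{};` would also avoid reading indeterminate fields.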
2 changes: 1 addition & 1 deletion fuzzing/src/interface.hpp
Expand Up @@ -9,4 +9,4 @@
#include <ddwaf.h>

ddwaf_handle init_waf();
void run_waf(ddwaf_handle handle, ddwaf_object args, size_t timeLeftInUs);
void run_waf(ddwaf_handle handle, ddwaf_object args, bool ephemeral, size_t timeLeftInUs);
18 changes: 11 additions & 7 deletions fuzzing/src/main.cpp
Expand Up @@ -38,20 +38,22 @@ class waf_runner {
while (running_) {
ddwaf_object input;
size_t timeout;
bool ephemeral;
{
std::unique_lock<std::mutex> lock{mtx_};
if (objects_.empty()) {
cv_.wait_for(lock, 100ms);
continue;
}
auto [new_input, new_timeout] = objects_.top();
auto [new_input, new_ephemeral, new_timeout] = objects_.top();
objects_.pop();

input = new_input;
timeout = new_timeout;
ephemeral = new_ephemeral;
}

run_waf(handle_, input, timeout);
run_waf(handle_, input, ephemeral, timeout);
}
});
}
Expand All @@ -70,19 +72,19 @@ class waf_runner {
for (auto &t : threads_) { t.join(); }

while (!objects_.empty()) {
auto [object, timeout] = objects_.top();
auto [object, ephemeral, timeout] = objects_.top();
objects_.pop();

ddwaf_object_free(&object);
}
ddwaf_destroy(handle_);
}

void push(ddwaf_object object, size_t timeout)
void push(ddwaf_object object, bool ephemeral, size_t timeout)
{
{
std::unique_lock<std::mutex> lock{mtx_};
objects_.push({object, timeout});
objects_.push({object, ephemeral, timeout});
}
cv_.notify_one();
}
Expand All @@ -94,7 +96,7 @@ class waf_runner {
std::mutex mtx_;
std::condition_variable cv_;
std::atomic<bool> running_{true};
std::stack<std::pair<ddwaf_object, size_t>> objects_;
std::stack<std::tuple<ddwaf_object, bool, size_t>> objects_;
};

std::unique_ptr<waf_runner> runner{nullptr};
Expand All @@ -120,6 +122,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *bytes, size_t size)
{
size_t timeLeftInUs;
ddwaf_object args = build_object(bytes, size, verbose, fuzzTimeout, &timeLeftInUs);
runner->push(args, timeLeftInUs);

bool ephemeral = size > 0 && (bytes[0] & 0x01) == 0;
runner->push(args, ephemeral, timeLeftInUs);
return 0;
}
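Review bot: In `LLVMFuzzerTestOneInput` the `ephemeral` flag comes from the low bit of `bytes[0]`, yet `build_object` still receives the same buffer starting at byte 0, so the mode selector is not independent of the object being built. If `build_object` also interprets that first byte (its body is not on this page), a given object shape could only ever run in one of the two modes, which narrows the state space the fuzzer can reach. Consider reserving the first byte as the selector and passing the remainder to `build_object` (`bytes + 1, size - 1` when `size > 0`); this changes how existing corpus entries decode. A short comment next to `bool ephemeral = size > 0 && (bytes[0] & 0x01) == 0;` should also record that empty input always runs as persistent data.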
