From 838f89d576bd5b39fe0873b4b8a6ad54dc30033a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fredrik=20=C3=96hrstr=C3=B6m?=
Date: Mon, 9 Aug 2021 11:06:30 +0200
Subject: [PATCH] When fuzzing do not check crcs.
This can make the fuzzer reach more code paths.
---
 Makefile | 8 ++++----
 fuzz_testcases/difvifparser/seed3 | Bin 0 -> 2483 bytes
 src/wmbus.cc | 12 ++++++------
 3 files changed, 10 insertions(+), 10 deletions(-)
 create mode 100644 fuzz_testcases/difvifparser/seed3
diff --git a/Makefile b/Makefile
index 216ea97..9592647 100644
--- a/Makefile
+++ b/Makefile
@@ -88,7 +88,8 @@ endif
 $(info Building $(VERSION))
-CXXFLAGS ?= $(DEBUG_FLAGS) -fPIC -std=c++11 -Wall -Werror=format-security
+FUZZFLAGS ?= -DFUZZING=false
+CXXFLAGS ?= $(DEBUG_FLAGS) $(FUZZFLAGS) -fPIC -std=c++11 -Wall -Werror=format-security
 CXXFLAGS += -I$(BUILD)
 LDFLAGS ?= $(DEBUG_LDFLAGS)
@@ -344,9 +345,8 @@ afl_prepared: AFLplusplus/src/afl-cc.c
 touch afl_prepared
 build_fuzz: afl_prepared
- echo GURKA
- $(MAKE) AFL_HARDEN=1 CXX=$(AFL_HOME)/afl-g++-fast $(BUILD)/fuzz
- $(MAKE) AFL_HARDEN=1 CXX=$(AFL_HOME)/afl-g++-fast $(BUILD)/wmbusmeters
+ $(MAKE) AFL_HARDEN=1 CXX=$(AFL_HOME)/afl-g++-fast FUZZFLAGS=-DFUZZING=true $(BUILD)/fuzz
+ $(MAKE) AFL_HARDEN=1 CXX=$(AFL_HOME)/afl-g++-fast FUZZFLAGS=-DFUZZING=true $(BUILD)/wmbusmeters
 run_fuzz_difvifparser:
 ${AFL_HOME}/afl-fuzz -i fuzz_testcases/difvifparser -o fuzz_findings/ build/fuzz
diff --git a/fuzz_testcases/difvifparser/seed3 b/fuzz_testcases/difvifparser/seed3
new file mode 100644
index 0000000000000000000000000000000000000000..40ebd473cf1fdb956e13ae63c7e33e0d9058630e
GIT binary patch
literal 2483
zcmZP&ko`S4f%xEb)~KrnJOonkfdO|N)B${d28&BZ-7#`PKw;!~b=0RLF9cBAD!&*Q
Se$hG%9@E+a63zc7@f!dx#b~hr
literal 0
HcmV?d00001
diff --git a/src/wmbus.cc b/src/wmbus.cc
index 7f909de..b770f01 100644
--- a/src/wmbus.cc
+++ b/src/wmbus.cc
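Review bot: Putting `$(FUZZFLAGS)` into the `CXXFLAGS ?=` default means it is silently dropped whenever CXXFLAGS comes from the environment or the make command line, and src/wmbus.cc then fails to compile because `FUZZING` is an undeclared identifier in the new `!FUZZING` conditions. Append it through the unconditional line that already exists instead, `CXXFLAGS += $(FUZZFLAGS) -I$(BUILD)`, and leave `CXXFLAGS ?= $(DEBUG_FLAGS) -fPIC -std=c++11 -Wall -Werror=format-security` as it was; a fallback `#ifndef FUZZING` / `#define FUZZING false` / `#endif` near the top of src/wmbus.cc would give the same safety for other build setups. The new variable also deserves a comment saying what it switches off, e.g. `# FUZZFLAGS: -DFUZZING=true makes src/wmbus.cc accept frames with bad DLL/ELL CRCs; only the build_fuzz target should set it.`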
@@ -986,7 +986,7 @@ bool Telegram::parseELL(vector::iterator &pos)
 ell_pl_crc_b[0], ell_pl_crc_b[1], check & 0xff, check >> 8,
 (ell_pl_crc==check?"OK":"ERROR"));
- if (ell_pl_crc != check)
+ if (ell_pl_crc != check && !FUZZING)
 {
 // Ouch, checksum of the payload does not match.
 // A wrong key was probably used for decryption.
@@ -4063,7 +4063,7 @@ bool trimCRCsFrameFormatA(std::vector &payload)
 uint16_t calc_crc = crc16_EN13757(&payload[0], 10);
 uint16_t check_crc = payload[10] << 8 | payload[11];
- if (calc_crc != check_crc)
+ if (calc_crc != check_crc && !FUZZING)
 {
 debug("(wmbus) ff a dll crc first (calculated %04x) did not match (expected %04x) for bytes 0-%zu!\n", calc_crc, check_crc, 10);
 return false;
@@ -4077,7 +4077,7 @@ bool trimCRCsFrameFormatA(std::vector &payload)
 size_t to = pos+16;
 calc_crc = crc16_EN13757(&payload[pos], 16);
 check_crc = payload[to] << 8 | payload[to+1];
- if (calc_crc != check_crc)
+ if (calc_crc != check_crc && !FUZZING)
 {
 debug("(wmbus) ff a dll crc mid (calculated %04x) did not match (expected %04x) for bytes %zu-%zu!\n", calc_crc, check_crc, pos, to-1);
@@ -4093,7 +4093,7 @@ bool trimCRCsFrameFormatA(std::vector &payload)
 size_t blen = (tto-pos);
 calc_crc = crc16_EN13757(&payload[pos], blen);
 check_crc = payload[tto] << 8 | payload[tto+1];
- if (calc_crc != check_crc)
+ if (calc_crc != check_crc && !FUZZING)
 {
 debug("(wmbus) ff a dll crc final (calculated %04x) did not match (expected %04x) for bytes %zu-%zu!\n", calc_crc, check_crc, pos, tto-1);
@@ -4140,7 +4140,7 @@ bool trimCRCsFrameFormatB(std::vector &payload)
 uint16_t calc_crc = crc16_EN13757(&payload[0], crc1_pos);
 uint16_t check_crc = payload[crc1_pos] << 8 | payload[crc1_pos+1];
- if (calc_crc != check_crc)
+ if (calc_crc != check_crc && !FUZZING)
 {
 debug("(wmbus) ff b dll crc (calculated %04x) did not match (expected %04x) for bytes 0-%zu!\n", calc_crc, check_crc, crc1_pos);
 return false;
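Review bot: With `FUZZING` true the `if` at 986 accepts ELL payloads whose CRC fails, and nothing at runtime reveals that a binary was built that way, so a `-DFUZZING=true` build that escapes the fuzzing setup looks like a normal wmbusmeters while validating no frame at all; the four trimCRCsFrameFormatA/B hunks at 4063, 4077, 4093 and 4140 below, and the one at 4154, have the same shape. Folding the flag into the condition also drops the `debug(...)` line on a mismatch, which is exactly the trace you want when triaging a fuzzer finding; keeping the message and gating only the early return, `if (calc_crc != check_crc) { debug(...); if (!FUZZING) return false; }`, preserves it where the body is `debug(...)` followed by `return false;`, and a one-time startup warning that CRC checks are compiled out would make such a build recognisable. Inputs found by the fuzzer will not reproduce on a normal build because the CRC checks reject them first, which is worth a comment next to the `FUZZING` definition. The enclosing functions and, in the 986, 4077, 4093 and 4154 hunks, the bodies of the `if` blocks continue outside the hunks.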
@@ -4154,7 +4154,7 @@ bool trimCRCsFrameFormatB(std::vector &payload)
 calc_crc = crc16_EN13757(&payload[crc1_pos+2], crc2_pos);
 check_crc = payload[crc2_pos] << 8 | payload[crc2_pos+1];
- if (calc_crc != check_crc)
+ if (calc_crc != check_crc && !FUZZING)
 {
 debug("(wmbus) ff b dll crc (calculated %04x) did not match (expected %04x) for bytes %zu-%zu!\n", calc_crc, check_crc, crc1_pos+2, crc2_pos);