author | Antoine Poinsot <darosior@protonmail.com> | 2025-01-15 16:14:30 -0500 |
---|---|---|
committer | Antoine Poinsot <darosior@protonmail.com> | 2025-02-12 11:39:37 -0500 |
commit | c73b59d47f1ec6fff1ad9155181c2285a5ef5cf4 (patch) | |
tree | faceaf3969ace4f2d3bdf7073d6733959385c7cd | |
parent | 1695c8ab5bd3ea2dd0a065bcb8162a973dede7fe (diff) |
fuzz: implement targets for PCP and NAT-PMP port mapping requests
-rw-r--r-- | src/test/fuzz/CMakeLists.txt | 1 | ||||
-rw-r--r-- | src/test/fuzz/pcp.cpp | 80 |
2 files changed, 81 insertions, 0 deletions
diff --git a/src/test/fuzz/CMakeLists.txt b/src/test/fuzz/CMakeLists.txt
index a261d3ecea..e99c6d91f4 100644
--- a/src/test/fuzz/CMakeLists.txt
+++ b/src/test/fuzz/CMakeLists.txt
@@ -75,6 +75,7 @@ add_executable(fuzz
 p2p_handshake.cpp
 p2p_headers_presync.cpp
 p2p_transport_serialization.cpp
+ pcp.cpp
 package_eval.cpp
 parse_hd_keypath.cpp
 parse_iso8601.cpp
diff --git a/src/test/fuzz/pcp.cpp b/src/test/fuzz/pcp.cpp
new file mode 100644
index 0000000000..76fdded188
--- /dev/null
+++ b/src/test/fuzz/pcp.cpp
@@ -0,0 +1,80 @@
+// Copyright (c) 2024 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <test/fuzz/util/net.h>
+
+#include <common/pcp.h>
+#include <util/check.h>
+
+using namespace std::literals;
+
+//! Fixed nonce to use in PCP port mapping requests.
+constexpr PCPMappingNonce PCP_NONCE{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc};
+
+//! Number of attempts to request a NAT-PMP or PCP port mapping to the gateway.
+constexpr int NUM_TRIES{5};
+
+//! Timeout for each attempt to request a port mapping.
+constexpr std::chrono::duration TIMEOUT{100ms};
+
+void port_map_target_init()
+{
+ LogInstance().DisableLogging();
+}
+
+FUZZ_TARGET(pcp_request_port_map, .init = port_map_target_init)
+{
+ FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
+
+ // Create a mocked socket between random (and potentially invalid) client and gateway addresses.
+ CreateSock = [&](int domain, int type, int protocol) {
+ if ((domain == AF_INET || domain == AF_INET6) && type == SOCK_DGRAM && protocol == IPPROTO_UDP) {
+ return std::make_unique<FuzzedSock>(fuzzed_data_provider);
+ }
+ return std::unique_ptr<FuzzedSock>();
+ };
+
+ // Perform the port mapping request. The mocked socket will return fuzzer-provided data.
+ const auto gateway_addr{ConsumeNetAddr(fuzzed_data_provider)};
+ const auto local_addr{ConsumeNetAddr(fuzzed_data_provider)};
+ const auto port{fuzzed_data_provider.ConsumeIntegral<uint16_t>()};
+ const auto lifetime{fuzzed_data_provider.ConsumeIntegral<uint32_t>()};
+ const auto res{PCPRequestPortMap(PCP_NONCE, gateway_addr, local_addr, port, lifetime, NUM_TRIES, TIMEOUT)};
+
+ // In case of success the mapping must be consistent with the request.
+ if (const MappingResult* mapping = std::get_if<MappingResult>(&res)) {
+ Assert(mapping);
+ Assert(mapping->internal.GetPort() == port);
+ mapping->ToString();
+ }
+}
+
+FUZZ_TARGET(natpmp_request_port_map, .init = port_map_target_init)
+{
+ FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
+
+ // Create a mocked socket between random (and potentially invalid) client and gateway addresses.
+ CreateSock = [&](int domain, int type, int protocol) {
+ if (domain == AF_INET && type == SOCK_DGRAM && protocol == IPPROTO_UDP) {
+ return std::make_unique<FuzzedSock>(fuzzed_data_provider);
+ }
+ return std::unique_ptr<FuzzedSock>();
+ };
+
+ // Perform the port mapping request. The mocked socket will return fuzzer-provided data.
+ const auto gateway_addr{ConsumeNetAddr(fuzzed_data_provider)};
+ const auto port{fuzzed_data_provider.ConsumeIntegral<uint16_t>()};
+ const auto lifetime{fuzzed_data_provider.ConsumeIntegral<uint32_t>()};
+ const auto res{NATPMPRequestPortMap(gateway_addr, port, lifetime, NUM_TRIES, TIMEOUT)};
+
+ // In case of success the mapping must be consistent with the request.
+ if (const MappingResult* mapping = std::get_if<MappingResult>(&res)) {
+ Assert(mapping);
+ Assert(mapping->internal.GetPort() == port);
+ mapping->ToString();
+ }
+} |
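Review bot: The `[&]` lambda assigned to the global `CreateSock` in both `pcp_request_port_map` and `natpmp_request_port_map` captures the stack-local `fuzzed_data_provider` by reference, and neither target resets the global before returning, so between iterations `CreateSock` refers to a dead stack object. Each run reassigns it before use, so the targets as written are not affected, but any socket created outside that window would read through the dangling reference, and a crash there would be hard to tell apart from a real finding in the PCP/NAT-PMP parsing. I would save the previous factory with `const auto create_sock_orig{CreateSock};` at the top of each target and restore it with `CreateSock = create_sock_orig;` just before the closing brace. Separately, `Assert(mapping);` inside `if (const MappingResult* mapping = std::get_if<MappingResult>(&res))` cannot fail and could be dropped.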