The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
Macros | Functions | Variables
fuzzer_tmpl.c File Reference

Fuzz the tmpl tokenize -> resolve pipeline. More...

#include <freeradius-devel/fuzzer/common.h>
#include <freeradius-devel/server/base.h>
#include <freeradius-devel/server/tmpl.h>
#include <freeradius-devel/unlang/base.h>
+ Include dependency graph for fuzzer_tmpl.c:

Go to the source code of this file.

Macros

#define MODE_ATTR_STR   4
 
#define MODE_COUNT   5
 
#define MODE_SUBSTR_BACK   3
 
#define MODE_SUBSTR_BARE   0
 
#define MODE_SUBSTR_DOUBLE   1
 
#define MODE_SUBSTR_SINGLE   2
 
#define POISON_END   64
 
#define POISON_START   64
 

Functions

int LLVMFuzzerInitialize (int *argc, char ***argv)
 
int LLVMFuzzerTestOneInput (const uint8_t *buf, size_t len)
 

Variables

static tmpl_res_rules_t tr_rules
 

Detailed Description

Fuzz the tmpl tokenize -> resolve pipeline.

Drives the two public tmpl parsers:

tmpl_afrom_substr() - the general parser, dispatches by quote. Reads from an fr_sbuff_t with explicit length, i.e. the input is NOT required to be NUL-terminated. Network-attacker-reachable via every place a config string or xlat operand is turned into a tmpl.

tmpl_afrom_attr_str() - the attribute-only convenience wrapper. Takes a NUL-terminated C string. Used by callers that already have a flat name (e.g. legacy callers, some unit tests).

The APIs are called based on mode (see below), and then tmpl_resolve() and tmpl_print() are called to fully exercise the tmpl code.

Input layout: byte[0] - mode selector, used mod the number of variants. byte[1..] - the tmpl text. For tmpl_afrom_substr() the bytes are used verbatim and NOT NUL-terminated; for tmpl_afrom_attr_str() they are copied into a separate NUL-terminated scratch buffer first (the function's contract requires that).

Definition in file fuzzer_tmpl.c.

Macro Definition Documentation

◆ MODE_ATTR_STR

#define MODE_ATTR_STR   4

Definition at line 120 of file fuzzer_tmpl.c.

◆ MODE_COUNT

#define MODE_COUNT   5

Definition at line 121 of file fuzzer_tmpl.c.

◆ MODE_SUBSTR_BACK

#define MODE_SUBSTR_BACK   3

Definition at line 119 of file fuzzer_tmpl.c.

◆ MODE_SUBSTR_BARE

#define MODE_SUBSTR_BARE   0

Definition at line 116 of file fuzzer_tmpl.c.

◆ MODE_SUBSTR_DOUBLE

#define MODE_SUBSTR_DOUBLE   1

Definition at line 117 of file fuzzer_tmpl.c.

◆ MODE_SUBSTR_SINGLE

#define MODE_SUBSTR_SINGLE   2

Definition at line 118 of file fuzzer_tmpl.c.

◆ POISON_END

#define POISON_END   64

Definition at line 109 of file fuzzer_tmpl.c.

◆ POISON_START

#define POISON_START   64

Definition at line 108 of file fuzzer_tmpl.c.

Function Documentation

◆ LLVMFuzzerInitialize()

int LLVMFuzzerInitialize ( int *  argc,
char ***  argv 
)

Definition at line 55 of file fuzzer_tmpl.c.

+ Here is the call graph for this function:

◆ LLVMFuzzerTestOneInput()

int LLVMFuzzerTestOneInput ( const uint8_t buf,
size_t  len 
)

Definition at line 123 of file fuzzer_tmpl.c.

+ Here is the call graph for this function:

Variable Documentation

◆ tr_rules

tmpl_res_rules_t tr_rules
static

Definition at line 53 of file fuzzer_tmpl.c.

Generated by   doxygen 1.9.8