Fuzz the xlat tokenize -> resolve -> eval pipeline. More...

#include <freeradius-devel/fuzzer/common.h>
#include <freeradius-devel/server/base.h>
#include <freeradius-devel/server/request.h>
#include <freeradius-devel/server/tmpl.h>
#include <freeradius-devel/unlang/base.h>
#include <freeradius-devel/unlang/xlat.h>

Include dependency graph for fuzzer_xlat.c:

Go to the source code of this file.

Macros
#define	POISON_END 64

#define	POISON_START 64

Functions
int	LLVMFuzzerInitialize (int argc, char **argv)

int	LLVMFuzzerTestOneInput (const uint8_t *buf, size_t len)

Detailed Description

Fuzz the xlat tokenize -> resolve -> eval pipeline.

Drives the three public xlat tokenisers (xlat_tokenize, xlat_tokenize_expression, xlat_tokenize_condition) and, on success, follows through xlat_resolve() and xlat_aeval_compiled() against a synthetic request built from the test dictionary. This exercises:

src/lib/unlang/xlat_tokenize.c src/lib/unlang/xlat_expr.c src/lib/unlang/xlat_eval.c src/lib/unlang/xlat_builtin.c

All of which are at 0% coverage under the existing protocol-decoder fuzzers despite being on the network-attacker-reachable path: xlat expansions interpolate attribute values that originate from RADIUS, DHCP, DNS etc. packets at request time.

Input layout: byte[0] - low 2 bits select the tokeniser variant byte[1..] - the xlat expression text (not NUL-terminated)

Definition in file fuzzer_xlat.c.

Macro Definition Documentation

◆ POISON_END

#define POISON_END 64

Definition at line 82 of file fuzzer_xlat.c.

◆ POISON_START

#define POISON_START 64

Definition at line 81 of file fuzzer_xlat.c.

Function Documentation

◆ LLVMFuzzerInitialize()

int LLVMFuzzerInitialize	(	int *	argc,
		char ***	argv
	)

Definition at line 48 of file fuzzer_xlat.c.

Here is the call graph for this function:

◆ LLVMFuzzerTestOneInput()

int LLVMFuzzerTestOneInput	(	const uint8_t *	buf,
		size_t	len
	)

Definition at line 84 of file fuzzer_xlat.c.