The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
Macros | Functions | Variables
fuzzer_xlat.c File Reference

Fuzz the xlat tokenize -> resolve -> eval pipeline. More...

#include <freeradius-devel/build.h>
#include <freeradius-devel/util/atexit.h>
#include <freeradius-devel/util/dict.h>
#include <freeradius-devel/util/dl.h>
#include <freeradius-devel/util/lsan.h>
#include <freeradius-devel/util/sbuff.h>
#include <freeradius-devel/util/strerror.h>
#include <freeradius-devel/util/syserror.h>
#include <freeradius-devel/util/talloc.h>
#include <freeradius-devel/util/types.h>
#include <freeradius-devel/util/value.h>
#include <freeradius-devel/server/base.h>
#include <freeradius-devel/server/request.h>
#include <freeradius-devel/server/tmpl.h>
#include <freeradius-devel/unlang/base.h>
#include <freeradius-devel/unlang/xlat.h>
+ Include dependency graph for fuzzer_xlat.c:

Go to the source code of this file.

Macros

#define POISON_END   64
 
#define POISON_START   64
 

Functions

int LLVMFuzzerInitialize (int *argc, char ***argv)
 
int LLVMFuzzerTestOneInput (const uint8_t *buf, size_t len)
 

Variables

static fr_dict_tdict_internal = NULL
 
static bool init_done = false
 

Detailed Description

Fuzz the xlat tokenize -> resolve -> eval pipeline.

Drives the three public xlat tokenisers (xlat_tokenize, xlat_tokenize_expression, xlat_tokenize_condition) and, on success, follows through xlat_resolve() and xlat_aeval_compiled() against a synthetic request built from the test dictionary. This exercises:

src/lib/unlang/xlat_tokenize.c src/lib/unlang/xlat_expr.c src/lib/unlang/xlat_eval.c src/lib/unlang/xlat_builtin.c

All of which are at 0% coverage under the existing protocol-decoder fuzzers despite being on the network-attacker-reachable path: xlat expansions interpolate attribute values that originate from RADIUS, DHCP, DNS etc. packets at request time.

Input layout: byte[0] - low 2 bits select the tokeniser variant byte[1..] - the xlat expression text (not NUL-terminated)

Definition in file fuzzer_xlat.c.

Macro Definition Documentation

◆ POISON_END

#define POISON_END   64

Definition at line 133 of file fuzzer_xlat.c.

◆ POISON_START

#define POISON_START   64

Definition at line 132 of file fuzzer_xlat.c.

Function Documentation

◆ LLVMFuzzerInitialize()

int LLVMFuzzerInitialize ( int *  argc,
char ***  argv 
)

Definition at line 61 of file fuzzer_xlat.c.

+ Here is the call graph for this function:

◆ LLVMFuzzerTestOneInput()

int LLVMFuzzerTestOneInput ( const uint8_t buf,
size_t  len 
)

Definition at line 135 of file fuzzer_xlat.c.

+ Here is the call graph for this function:

Variable Documentation

◆ dict_internal

fr_dict_t* dict_internal = NULL
static

Definition at line 59 of file fuzzer_xlat.c.

◆ init_done

bool init_done = false
static

Definition at line 58 of file fuzzer_xlat.c.

Generated by   doxygen 1.9.8