From 7cf97fda154ba837933eb05be5aeecfb69a06641 Mon Sep 17 00:00:00 2001 From: Pieter Wuille Date: Fri, 3 Apr 2020 13:32:34 -0700 Subject: [PATCH] Make asmap Interpreter errors fatal and fuzz test it --- src/test/fuzz/asmap.cpp | 45 ++++++++++++++++++++++++++++++----------- src/util/asmap.cpp | 2 +- 2 files changed, 34 insertions(+), 13 deletions(-) diff --git a/src/test/fuzz/asmap.cpp b/src/test/fuzz/asmap.cpp index 7f3eef79a..ea56277ea 100644 --- a/src/test/fuzz/asmap.cpp +++ b/src/test/fuzz/asmap.cpp @@ -3,26 +3,47 @@ // file COPYING or http://www.opensource.org/licenses/mit-license.php. #include -#include #include #include #include +//! asmap code that consumes nothing +static const std::vector IPV6_PREFIX_ASMAP = {}; + +//! asmap code that consumes the 96 prefix bits of ::ffff:0/96 (IPv4-in-IPv6 map) +static const std::vector IPV4_PREFIX_ASMAP = { + true, true, false, true, true, true, true, true, true, true, false, false, false, false, false, false, false, false, // Match 0x00 + true, true, false, true, true, true, true, true, true, true, false, false, false, false, false, false, false, false, // Match 0x00 + true, true, false, true, true, true, true, true, true, true, false, false, false, false, false, false, false, false, // Match 0x00 + true, true, false, true, true, true, true, true, true, true, false, false, false, false, false, false, false, false, // Match 0x00 + true, true, false, true, true, true, true, true, true, true, false, false, false, false, false, false, false, false, // Match 0x00 + true, true, false, true, true, true, true, true, true, true, false, false, false, false, false, false, false, false, // Match 0x00 + true, true, false, true, true, true, true, true, true, true, false, false, false, false, false, false, false, false, // Match 0x00 + true, true, false, true, true, true, true, true, true, true, false, false, false, false, false, false, false, false, // Match 0x00 + true, true, false, true, true, true, true, true, true, true, false, false, false, false, false, false, false, false, // Match 0x00 + true, true, false, true, true, true, true, true, true, true, false, false, false, false, false, false, false, false, // Match 0x00 + true, true, false, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, // Match 0xFF + true, true, false, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true // Match 0xFF +}; + void test_one_input(const std::vector& buffer) { - FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size()); - const Network network = fuzzed_data_provider.PickValueInArray({NET_IPV4, NET_IPV6}); - if (fuzzed_data_provider.remaining_bytes() < 16) { - return; - } - CNetAddr net_addr; - net_addr.SetRaw(network, fuzzed_data_provider.ConsumeBytes(16).data()); - std::vector asmap; - for (const char cur_byte : fuzzed_data_provider.ConsumeRemainingBytes()) { - for (int bit = 0; bit < 8; ++bit) { - asmap.push_back((cur_byte >> bit) & 1); + // Encoding: [7 bits: asmap size] [1 bit: ipv6?] [3-130 bytes: asmap] [4 or 16 bytes: addr] + if (buffer.size() < 1 + 3 + 4) return; + int asmap_size = 3 + (buffer[0] & 127); + bool ipv6 = buffer[0] & 128; + int addr_size = ipv6 ? 16 : 4; + if (buffer.size() < size_t(1 + asmap_size + addr_size)) return; + std::vector asmap = ipv6 ? IPV6_PREFIX_ASMAP : IPV4_PREFIX_ASMAP; + asmap.reserve(asmap.size() + 8 * asmap_size); + for (int i = 0; i < asmap_size; ++i) { + for (int j = 0; j < 8; ++j) { + asmap.push_back((buffer[1 + i] >> j) & 1); } } + if (!SanityCheckASMap(asmap)) return; + CNetAddr net_addr; + net_addr.SetRaw(ipv6 ? NET_IPV6 : NET_IPV4, buffer.data() + 1 + asmap_size); (void)net_addr.GetMappedAS(asmap); } diff --git a/src/util/asmap.cpp b/src/util/asmap.cpp index 5f3f53c39..f24a382d6 100644 --- a/src/util/asmap.cpp +++ b/src/util/asmap.cpp @@ -116,7 +116,7 @@ uint32_t Interpret(const std::vector &asmap, const std::vector &ip) break; // Instruction straddles EOF } } - // Reached EOF without RETURN, or aborted (see any of the breaks above). + assert(false); // Reached EOF without RETURN, or aborted (see any of the breaks above) - should have been caught by SanityCheckASMap below return 0; // 0 is not a valid ASN }