From 7b496e026b0de7e42945cefc2c0165c8bd807af8 Mon Sep 17 00:00:00 2001
From: katrielc <katrielc@webrtc.org>
Date: Mon, 6 Jun 2016 09:45:25 -0700
Subject: [PATCH] Add fuzzers for SDP and STUN parsing.

The STUN fuzzer is split into two parts: validation and parsing. The
latter should be able to handle invalid packets instead of assuming
the validation deals with them, since an adversary could set a valid
HMAC on an invalid packet.

NOTRY=true

Review-Url: https://codereview.webrtc.org/2044523002
Cr-Commit-Position: refs/heads/master@{#13050}
---
 webrtc/test/fuzzers/BUILD.gn                 | 27 +++++++++++++++++++
 webrtc/test/fuzzers/sdp_parser_fuzzer.cc     | 25 +++++++++++++++++
 webrtc/test/fuzzers/stun_parser_fuzzer.cc    | 28 ++++++++++++++++++++
 webrtc/test/fuzzers/stun_validator_fuzzer.cc | 23 ++++++++++++++++
 4 files changed, 103 insertions(+)
 create mode 100644 webrtc/test/fuzzers/sdp_parser_fuzzer.cc
 create mode 100644 webrtc/test/fuzzers/stun_parser_fuzzer.cc
 create mode 100644 webrtc/test/fuzzers/stun_validator_fuzzer.cc

diff --git a/webrtc/test/fuzzers/BUILD.gn b/webrtc/test/fuzzers/BUILD.gn
index 3e59339299..319427aad5 100644
--- a/webrtc/test/fuzzers/BUILD.gn
+++ b/webrtc/test/fuzzers/BUILD.gn
@@ -84,6 +84,33 @@ webrtc_fuzzer_test("rtp_packet_fuzzer") {
   ]
 }
 
+webrtc_fuzzer_test("sdp_parser_fuzzer") {
+  sources = [
+    "sdp_parser_fuzzer.cc",
+  ]
+  deps = [
+    "//webrtc/api:libjingle_peerconnection",
+  ]
+}
+
+webrtc_fuzzer_test("stun_parser_fuzzer") {
+  sources = [
+    "stun_parser_fuzzer.cc",
+  ]
+  deps = [
+    "//webrtc/p2p:rtc_p2p",
+  ]
+}
+
+webrtc_fuzzer_test("stun_validator_fuzzer") {
+  sources = [
+    "stun_validator_fuzzer.cc",
+  ]
+  deps = [
+    "//webrtc/p2p:rtc_p2p",
+  ]
+}
+
 source_set("audio_decoder_fuzzer") {
   public_configs = [ "../..:common_inherited_config" ]
   sources = [
diff --git a/webrtc/test/fuzzers/sdp_parser_fuzzer.cc b/webrtc/test/fuzzers/sdp_parser_fuzzer.cc
new file mode 100644
index 0000000000..f21c991a3e
--- /dev/null
+++ b/webrtc/test/fuzzers/sdp_parser_fuzzer.cc
@@ -0,0 +1,25 @@
+/*
+ *  Copyright (c) 2016 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "webrtc/api/jsepsessiondescription.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  std::string message(reinterpret_cast<const char*>(data), size);
+  webrtc::SdpParseError error;
+
+  std::unique_ptr<webrtc::SessionDescriptionInterface> sdp(
+      CreateSessionDescription("offer", message, &error));
+}
+
+}  // namespace webrtc
diff --git a/webrtc/test/fuzzers/stun_parser_fuzzer.cc b/webrtc/test/fuzzers/stun_parser_fuzzer.cc
new file mode 100644
index 0000000000..02f10b195c
--- /dev/null
+++ b/webrtc/test/fuzzers/stun_parser_fuzzer.cc
@@ -0,0 +1,28 @@
+/*
+ *  Copyright (c) 2016 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "webrtc/p2p/base/stun.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  const char* message = reinterpret_cast<const char*>(data);
+
+  // Normally we'd check the integrity first, but those checks are
+  // fuzzed separately in stun_validator_fuzzer.cc. We still want to
+  // fuzz this target since the integrity checks could be forged by a
+  // malicious adversary who receives a call.
+  std::unique_ptr<cricket::IceMessage> stun_msg(new cricket::IceMessage());
+  rtc::ByteBufferReader buf(message, size);
+  stun_msg->Read(&buf);
+}
+}  // namespace webrtc
diff --git a/webrtc/test/fuzzers/stun_validator_fuzzer.cc b/webrtc/test/fuzzers/stun_validator_fuzzer.cc
new file mode 100644
index 0000000000..1f919f59dc
--- /dev/null
+++ b/webrtc/test/fuzzers/stun_validator_fuzzer.cc
@@ -0,0 +1,23 @@
+/*
+ *  Copyright (c) 2016 The WebRTC project authors. All Rights Reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "webrtc/p2p/base/stun.h"
+
+namespace webrtc {
+void FuzzOneInput(const uint8_t* data, size_t size) {
+  const char* message = reinterpret_cast<const char*>(data);
+
+  cricket::StunMessage::ValidateFingerprint(message, size);
+  cricket::StunMessage::ValidateMessageIntegrity(message, size, "");
+}
+}  // namespace webrtc