authorArjun <36335769+0x34d@users.noreply.github.com>2023-02-01 11:45:09 -0800
committerGitHub <noreply@github.com>2023-02-01 14:45:09 -0500
commit9be2d80b01d754481bf5cb18ac706fba817d8cd2 (patch)
tree101b50234b541389b54408268d4b7b3f3c6548a2
parentea142163c3ff139006b563545cc00a6cb7bb7dad (diff)
downloadrabbitmq-c-9be2d80b01d754481bf5cb18ac706fba817d8cd2.tar.gz
for initial integration in oss-fuzz (#736)
* support of oss-fuzz Signed-off-by: 0x34d <ajsinghyadav00@gmail.com>
-rw-r--r--CMakeLists.txt26
-rw-r--r--fuzz/CMakeLists.txt10
-rw-r--r--fuzz/README.md30
-rw-r--r--fuzz/fuzz_server.c92
-rw-r--r--fuzz/input/fuzz_server.raw (renamed from fuzz/input/input.raw)bin8 -> 8 bytes
-rw-r--r--fuzz/input/fuzz_table.rawbin0 -> 259 bytes
-rw-r--r--fuzz/input/fuzz_url.rawbin0 -> 34 bytes
7 files changed, 69 insertions, 89 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 7b7590f..f0a0dc4 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -136,8 +136,7 @@ option(BUILD_TOOLS "Build Tools (requires POPT Library)" OFF)
cmake_dependent_option(BUILD_TOOLS_DOCS "Build man pages for tools (requires xmlto)" OFF "BUILD_TOOLS" OFF)
option(BUILD_API_DOCS "Build Doxygen API docs" OFF)
option(RUN_SYSTEM_TESTS "Run system tests (i.e. tests requiring an accessible RabbitMQ server instance on localhost)" OFF)
-option(BUILD_LIBFUZZ "Build LibFuzzer" OFF)
-option(BUILD_AFLFUZZ "Build AFLFuzzer" OFF)
+option(BUILD_OSSFUZZ "Build OSSFUZZ" OFF)
if (NOT BUILD_SHARED_LIBS AND NOT BUILD_STATIC_LIBS)
message(FATAL_ERROR "One or both of BUILD_SHARED_LIBS or BUILD_STATIC_LIBS must be set to ON to build")
@@ -145,25 +144,12 @@ endif()
set(targets_export_name rabbitmq-targets)
-if(BUILD_LIBFUZZ)
- if (NOT CMAKE_C_COMPILER_ID STREQUAL "Clang")
- message(FATAL_ERROR "Need clang for libFuzzer support")
- endif()
+if(BUILD_OSSFUZZ)
if (NOT BUILD_STATIC_LIBS)
- message(FATAL_ERROR "LibFuzzer can only be built against static libraries " "(set BUILD_STATIC_LIBS=ON)")
+ message(FATAL_ERROR "OSS-FUZZ can only be built against static libraries " "(set BUILD_STATIC_LIBS=ON)")
endif ()
-
- SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=fuzzer-no-link,address,undefined")
- SET(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fsanitize=address,undefined")
-endif ()
-
-if(BUILD_AFLFUZZ)
- if (NOT BUILD_STATIC_LIBS)
- message(FATAL_ERROR "AFL-Fuzzer can only be built against static libraries " "(set BUILD_STATIC_LIBS=ON)")
- endif ()
-
- SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address,undefined")
- SET(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fsanitize=address,undefined")
+ SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
+ SET(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS}")
endif ()
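Review bot: The two `SET(...)` lines left at the end of the `if(BUILD_OSSFUZZ)` block assign `CMAKE_C_FLAGS` and `CMAKE_EXE_LINKER_FLAGS` to themselves and so do nothing; they are leftovers from the removed `-fsanitize=...` lines and should be dropped. With the clang `CMAKE_C_COMPILER_ID` check also gone, nothing in this block verifies that a fuzzing engine or sanitizer was actually supplied, so `BUILD_OSSFUZZ=ON` with an empty `LIB_FUZZING_ENGINE` configures cleanly and presumably only fails at link time, since the fuzz targets define `LLVMFuzzerTestOneInput` and no `main`. A cheap guard in place of the no-ops would be `if(NOT LIB_FUZZING_ENGINE)` / `message(FATAL_ERROR "BUILD_OSSFUZZ requires LIB_FUZZING_ENGINE (e.g. -fsanitize=fuzzer)")` / `endif()`.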
add_subdirectory(librabbitmq)
@@ -192,7 +178,7 @@ if(CMAKE_PROJECT_NAME STREQUAL PROJECT_NAME AND BUILD_TESTING)
add_subdirectory(tests)
endif ()
-if(BUILD_LIBFUZZ OR BUILD_AFLFUZZ)
+if(BUILD_OSSFUZZ)
add_subdirectory(fuzz)
endif ()
diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
index 7212758..06d9e78 100644
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -6,15 +6,15 @@ include_directories(
add_definitions(-DHAVE_CONFIG_H)
add_definitions(-DAMQP_STATIC)
-if(BUILD_LIBFUZZ)
+SET(CMAKE_EXE_LINKER_FLAGS "${LIB_FUZZING_ENGINE}")
+
+if(BUILD_OSSFUZZ)
add_executable(fuzz_url fuzz_url.c)
- target_link_libraries(fuzz_url rabbitmq-static -fsanitize=fuzzer)
+ target_link_libraries(fuzz_url rabbitmq-static)
add_executable(fuzz_table fuzz_table.c)
- target_link_libraries(fuzz_table rabbitmq-static -fsanitize=fuzzer)
-endif ()
+ target_link_libraries(fuzz_table rabbitmq-static)
-if(BUILD_AFLFUZZ)
add_executable(fuzz_server fuzz_server.c)
target_link_libraries(fuzz_server rabbitmq-static)
endif ()
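Review bot: `SET(CMAKE_EXE_LINKER_FLAGS "${LIB_FUZZING_ENGINE}")` replaces the linker flags rather than appending to them, so whatever the configure step passed in `-DCMAKE_EXE_LINKER_FLAGS` (the README in this commit passes the sanitizer flags that way) is discarded for all three fuzz targets, and the sanitizer runtime may presumably be missing from the link line while the objects are instrumented. `SET(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${LIB_FUZZING_ENGINE}")` keeps both. The assignment also sits outside the `if(BUILD_OSSFUZZ)` guard; it is harmless today because this directory is only added under that option, but moving it inside makes the intent explicit.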
diff --git a/fuzz/README.md b/fuzz/README.md
index f11e13d..815fa07 100644
--- a/fuzz/README.md
+++ b/fuzz/README.md
@@ -1,15 +1,27 @@
-#### Libfuzzer
-```
-cmake -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug -DBUILD_LIBFUZZ=ON ../
+### OSS-Fuzz in House
-./fuzz/fuzz_url
-./fuzz/fuzz_table
+#### Export Flags
```
-
-#### AFL Fuzzer
+export CC=clang
+export CXX=clang++
+export CFLAGS=-fsanitize=fuzzer-no-link,address
+export LIB_FUZZING_ENGINE=-fsanitize=fuzzer
+export LDFLAGS=-fsanitize=address
```
-cmake -DCMAKE_C_COMPILER=afl-clang-fast -DCMAKE_BUILD_TYPE=Debug -DBUILD_AFLFUZZ=ON ../
-afl-fuzz -i afl_in -o afl_out -- ./fuzz_server 8080 @@
+#### Build cmake Fuzzer
+```
+cmake -DCMAKE_BUILD_TYPE=Debug -DBUILD_OSSFUZZ=ON \
+-DCMAKE_C_COMPILER=$CC -DCMAKE_CXX_COMPILER=$CXX \
+-DCMAKE_C_FLAGS=$CFLAGS -DCMAKE_EXE_LINKER_FLAGS=$CFLAGS \
+-DLIB_FUZZING_ENGINE=$LIB_FUZZING_ENGINE \
+../
+```
+#### Run Fuzzer
+```
+mkdir coverage
+./fuzz/fuzz_url coverage/ ../fuzz/input/
+./fuzz/fuzz_table coverage/ ../fuzz/input/
+./fuzz/fuzz_server coverage/ ../fuzz/input/
```
diff --git a/fuzz/fuzz_server.c b/fuzz/fuzz_server.c
index b5e4b6a..ae72d8e 100644
--- a/fuzz/fuzz_server.c
+++ b/fuzz/fuzz_server.c
@@ -15,30 +15,22 @@
#include <rabbitmq-c/tcp_socket.h>
struct Fuzzer {
+ int socket;
uint16_t port;
- char *file;
+ pthread_t thread;
- FILE *inFile;
uint64_t size;
uint8_t *buffer;
-
- pthread_t thread;
- int socket;
};
typedef struct Fuzzer Fuzzer;
-static uint8_t pre_encoded_table[] = {0x00, 0x00, 0x00, 0xff, 0x07,
- 0x6c, 0x6f, 0x6e, 0x67, 0x73};
+#define PORT 8080
+#define kMinInputLength 9
+#define kMaxInputLength 1024
+
+void client(Fuzzer *fuzzer);
void fuzzinit(Fuzzer *fuzzer) {
- // File
- fuzzer->inFile = fopen(fuzzer->file, "rb");
- fseek(fuzzer->inFile, 0L, SEEK_END);
- fuzzer->size = ftell(fuzzer->inFile);
- fseek(fuzzer->inFile, 0L, SEEK_SET);
- fuzzer->buffer = (uint8_t *)calloc(fuzzer->size, sizeof(char));
- fread(fuzzer->buffer, sizeof(char), fuzzer->size, fuzzer->inFile);
- // Server
struct sockaddr_in server_addr;
fuzzer->socket = socket(AF_INET, SOCK_STREAM, 0);
server_addr.sin_family = AF_INET;
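Review bot: `fuzzinit` now runs once per `LLVMFuzzerTestOneInput` call and always opens a listening socket on the hard-coded `PORT 8080`, so consecutive iterations rebind the same port right after the previous connection was shut down, and any parallel libFuzzer job (`-jobs`/`-workers`) or other process on that port will collide; the `bind`/`listen` part of `fuzzinit` continues outside the hunk, so I cannot see whether `SO_REUSEADDR` is set, but it should be. The `socket()` result is also used unchecked; `if (fuzzer->socket < 0) { perror("socket"); abort(); }` right after the call keeps a failure from being reported as a bogus bug further down. It would help to document the new constants, e.g. `/* 9 bytes: smallest frame the client will try to decode (was the old pre_encoded_table threshold) */` on `kMinInputLength`, since the old fallback table that explained the number was removed.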
@@ -50,7 +42,6 @@ void fuzzinit(Fuzzer *fuzzer) {
}
void *Server(void *args) {
-
Fuzzer *fuzzer = (Fuzzer *)args;
int client;
@@ -61,18 +52,42 @@ void *Server(void *args) {
client = accept(fuzzer->socket, (struct sockaddr *)&clientAddr, &clientSZ);
recv(client, clientData, sizeof(clientData), 0);
+ send(client, fuzzer->buffer, fuzzer->size, 0);
- if (fuzzer->size < 9) {
- send(client, pre_encoded_table, sizeof(pre_encoded_table), 0);
- } else {
- send(client, fuzzer->buffer, fuzzer->size, 0);
- }
-
+ shutdown(client, SHUT_RDWR);
close(client);
pthread_exit(NULL);
}
+void clean(Fuzzer *fuzzer) {
+ shutdown(fuzzer->socket, SHUT_RDWR);
+ close(fuzzer->socket);
+ free(fuzzer);
+}
+
+extern int LLVMFuzzerTestOneInput(const char *data, size_t size) {
+
+ if (size < kMinInputLength || size > kMaxInputLength) {
+ return 0;
+ }
+
+ Fuzzer *fuzzer = (Fuzzer *)malloc(sizeof(Fuzzer));
+ fuzzer->port = PORT;
+
+ fuzzinit(fuzzer);
+
+ pthread_create(&fuzzer->thread, NULL, Server, fuzzer);
+
+ client(fuzzer);
+
+ pthread_join(fuzzer->thread, NULL);
+
+ clean(fuzzer);
+
+ return 0;
+}
+
void client(Fuzzer *fuzzer) {
char const *hostname;
int status;
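Review bot: `fuzzer->buffer` and `fuzzer->size` are never assigned on the new side: the file-reading code that used to fill them in `fuzzinit` was removed and `LLVMFuzzerTestOneInput` only range-checks `size`, so `send(client, fuzzer->buffer, fuzzer->size, 0)` in `Server` reads indeterminate values out of the freshly `malloc`'d struct and the fuzzer input never reaches the AMQP client. Add `fuzzer->buffer = (uint8_t *)data;` and `fuzzer->size = size;` right after `fuzzer->port = PORT;` (the `data` pointer is only borrowed, so `clean` correctly does not free it). `accept()` is likewise unchecked, so a failure feeds `-1` to `recv`/`send`/`shutdown`; `if (client < 0) { close(fuzzer->socket); pthread_exit(NULL); }` would stop that. The canonical entry point takes `const uint8_t *data`; using `const char *` links but differs from libFuzzer's declared prototype. `client`'s body continues outside the hunk.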
@@ -98,36 +113,3 @@ void client(Fuzzer *fuzzer) {
amqp_destroy_connection(conn);
}
-void clean(Fuzzer *fuzzer) {
-
- free(fuzzer->buffer);
- fclose(fuzzer->inFile);
-
- close(fuzzer->socket);
-
- free(fuzzer);
-}
-
-int main(int argc, char *argv[]) {
-
- if (argc < 3) {
- printf("Server-port,Input-file \n");
- return 0;
- }
-
- Fuzzer *fuzzer = (Fuzzer *)malloc(sizeof(Fuzzer));
- fuzzer->port = atoi(argv[1]);
- fuzzer->file = argv[2];
-
- fuzzinit(fuzzer);
-
- pthread_create(&fuzzer->thread, NULL, Server, fuzzer);
-
- client(fuzzer);
-
- pthread_join(fuzzer->thread, NULL);
-
- clean(fuzzer);
-
- return 0;
-}
diff --git a/fuzz/input/input.raw b/fuzz/input/fuzz_server.raw
index 4f2ca96..4f2ca96 100644
--- a/fuzz/input/input.raw
+++ b/fuzz/input/fuzz_server.raw
Binary files differ
diff --git a/fuzz/input/fuzz_table.raw b/fuzz/input/fuzz_table.raw
new file mode 100644
index 0000000..421d520
--- /dev/null
+++ b/fuzz/input/fuzz_table.raw
Binary files differ
diff --git a/fuzz/input/fuzz_url.raw b/fuzz/input/fuzz_url.raw
new file mode 100644
index 0000000..34a284a
--- /dev/null
+++ b/fuzz/input/fuzz_url.raw
Binary files differ