Module: kamailio Branch: master Commit: 7b3eb23703b3b8c42f8a555bee5a293d03477da0 URL: https://github.com/kamailio/kamailio/commit/7b3eb23703b3b8c42f8a555bee5a293d03477da0
Author: Daniel-Constantin Mierla <[email protected]> Committer: Daniel-Constantin Mierla <[email protected]> Date: 2026-03-03T13:45:01+01:00 misc/fuzz: add fuzzing for tcp read headers --- Modified: misc/fuzz/fuzz_parse_msg.c --- Diff: https://github.com/kamailio/kamailio/commit/7b3eb23703b3b8c42f8a555bee5a293d03477da0.diff Patch: https://github.com/kamailio/kamailio/commit/7b3eb23703b3b8c42f8a555bee5a293d03477da0.patch ---
diff --git a/misc/fuzz/fuzz_parse_msg.c b/misc/fuzz/fuzz_parse_msg.c
index 80fe75a226b..7798f62b94b 100644
--- a/misc/fuzz/fuzz_parse_msg.c
+++ b/misc/fuzz/fuzz_parse_msg.c
@@ -12,65 +12,119 @@
 #include "../parser/parse_diversion.h"
 #include "../parser/parse_identityinfo.h"
 #include "../parser/parse_disposition.h"
+#include "../tcp_conn.h"
+#include "../tcp_read.h"
-int LLVMFuzzerInitialize(int *argc, char ***argv) {
- ksr_hname_init_index();
- return 0;
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+ ksr_hname_init_index();
+ return 0;
 }
-int
-LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- sip_msg_t orig_inv = { };
- orig_inv.buf = (char*)data;
- orig_inv.len = size;
+int ksr_fuzz_tcp_read(char *buf, size_t bsize)
+{
+ char *p;
+ size_t rsize;
+ struct tcp_connection c;
+ rd_conn_flags_t read_flags;
+
+ if(bsize >= (1 << 24)) {
+ /* limit the size */
+ return 0;
+ }
+
+ rsize = bsize + 5;
+ p = (char *)malloc(rsize + 1);
+ if(p == NULL) {
+ return -1;
+ }
+ memcpy(p, "MSRP ", 5);
+ memcpy(p + 5, buf, bsize);
+ p[rsize] = '\0';
+
+ memset(&c, 0, sizeof(struct tcp_connection));
+ init_tcp_req(&c.req, p + 5, bsize);
+ c.req.pos += bsize;
+ c.s = -1;
+ c.fd = -1;
+ c.state = S_CONN_OK;
+ c.type = PROTO_TCP;
+ c.rcv.proto = PROTO_TCP;
+ read_flags = 0;
+ tcp_read_headers(&c, &read_flags);
+
+ memset(&c, 0, sizeof(struct tcp_connection));
+ init_tcp_req(&c.req, p, rsize);
+ c.req.pos += rsize;
+ c.s = -1;
+ c.fd = -1;
+ c.state = S_CONN_OK;
+ c.type = PROTO_TCP;
+ c.rcv.proto = PROTO_TCP;
+ read_flags = 0;
+ tcp_read_headers(&c, &read_flags);
+
+ free(p);
+
+ return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ sip_msg_t orig_inv = {};
+
+ ksr_fuzz_tcp_read((char *)data, size);
+
+ orig_inv.buf = (char *)data;
+ orig_inv.len = size;
- if(size >= 4*BUF_SIZE) {
- /* test with larger message than core accepts, but not indefinitely large */
- return 0;
- }
+ if(size >= 4 * BUF_SIZE) {
+ /* test with larger message than core accepts, but not indefinitely large */
+ return 0;
+ }
- if (parse_msg(orig_inv.buf, orig_inv.len, &orig_inv) < 0) {
- goto cleanup;
- }
+ if(parse_msg(orig_inv.buf,
orig_inv.len, &orig_inv) < 0) {
+ goto cleanup;
+ }
- parse_headers(&orig_inv, HDR_EOH_F, 0);
+ parse_headers(&orig_inv, HDR_EOH_F, 0);
- parse_sdp(&orig_inv);
+ parse_sdp(&orig_inv);
- parse_from_header(&orig_inv);
+ parse_from_header(&orig_inv);
- parse_from_uri(&orig_inv);
+ parse_from_uri(&orig_inv);
- parse_to_header(&orig_inv);
+ parse_to_header(&orig_inv);
- parse_to_uri(&orig_inv);
+ parse_to_uri(&orig_inv);
- parse_contact_headers(&orig_inv);
+ parse_contact_headers(&orig_inv);
- parse_refer_to_header(&orig_inv);
+ parse_refer_to_header(&orig_inv);
- parse_pai_header(&orig_inv);
+ parse_pai_header(&orig_inv);
- parse_diversion_header(&orig_inv);
+ parse_diversion_header(&orig_inv);
- parse_privacy(&orig_inv);
+ parse_privacy(&orig_inv);
- parse_content_disposition(&orig_inv);
+ parse_content_disposition(&orig_inv);
- parse_identityinfo_header(&orig_inv);
+ parse_identityinfo_header(&orig_inv);
- parse_record_route_headers(&orig_inv);
+ parse_record_route_headers(&orig_inv);
- parse_route_headers(&orig_inv);
+ parse_route_headers(&orig_inv);
- str uri;
- get_src_uri(&orig_inv, 0, &uri);
+ str uri;
+ get_src_uri(&orig_inv, 0, &uri);
- str ssock;
- get_src_address_socket(&orig_inv, &ssock);
+ str ssock;
+ get_src_address_socket(&orig_inv, &ssock);
 cleanup:
- free_sip_msg(&orig_inv);
+ free_sip_msg(&orig_inv);
- return 0;
+ return 0;
 }
_______________________________________________ Kamailio - Development Mailing List -- [email protected] To unsubscribe send an email to [email protected] Important: keep the mailing list in the recipients, do not reply only to the sender!
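Review bot: In `ksr_fuzz_tcp_read` the first `tcp_read_headers` run is handed `p + 5`, an interior pointer into the allocation that also holds the "MSRP " prefix, so a read of up to five bytes before the start of the request buffer lands in valid heap memory and AddressSanitizer cannot report it. Giving the raw-input run its own allocation of `bsize + 1` bytes (copy, terminate, run, free) and building the prefixed buffer separately would put a redzone directly in front of both buffers. The two setup sequences are identical apart from the buffer and size, so a small static helper taking `(char *buf, size_t size)` would remove the duplication and make that split cheap. The parameter could also be `const char *buf`, since the input is only copied, which drops the need for the `(char *)data` cast at the call in `LLVMFuzzerTestOneInput`. A short comment saying why `c.req.pos` is advanced and `c.s`/`c.fd` are -1 would help; presumably this marks the bytes as already received so no socket read is attempted, which is worth confirming for a zero-length input.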
