1*90e502c7SAndroid Build Coastguard Worker /* By Guido Vranken <[email protected]> --
2*90e502c7SAndroid Build Coastguard Worker * https://guidovranken.wordpress.com/ */
3*90e502c7SAndroid Build Coastguard Worker
4*90e502c7SAndroid Build Coastguard Worker #include <stdio.h>
5*90e502c7SAndroid Build Coastguard Worker #include <string.h>
6*90e502c7SAndroid Build Coastguard Worker #include <stdlib.h>
7*90e502c7SAndroid Build Coastguard Worker #include <stdbool.h>
8*90e502c7SAndroid Build Coastguard Worker #include <limits.h>
9*90e502c7SAndroid Build Coastguard Worker #include "srtp.h"
10*90e502c7SAndroid Build Coastguard Worker #include "srtp_priv.h"
11*90e502c7SAndroid Build Coastguard Worker #include "ekt.h"
12*90e502c7SAndroid Build Coastguard Worker #include "fuzzer.h"
13*90e502c7SAndroid Build Coastguard Worker #include "mt19937.h"
14*90e502c7SAndroid Build Coastguard Worker #include "testmem.h"
15*90e502c7SAndroid Build Coastguard Worker
/* Global variables */

/* Can be enabled with --no_align */
static bool g_no_align = false;

/* Set to true once past the initialization phase. The allocator wrappers
 * below only inject failures / mmap() allocations when this is true. */
static bool g_post_init = false;

/* NOTE(review): not referenced in the visible part of this file;
 * presumably toggled from the command line -- confirm. */
static bool g_write_input = false;

#ifdef FUZZ_32BIT
#include <sys/mman.h>

/* Can be enabled with --no_mmap */
static bool g_no_mmap = false;

/* Keeps current mmap() allocation address (NULL when there is none) */
static void *g_mmap_allocation = NULL;

/* Keeps current mmap() allocation size */
static size_t g_mmap_allocation_size = 0;
#endif
30*90e502c7SAndroid Build Coastguard Worker
31*90e502c7SAndroid Build Coastguard Worker /* Custom allocator functions */
32*90e502c7SAndroid Build Coastguard Worker
/*
 * Core allocator used by the fuzzer.
 *
 * size    - number of bytes requested.
 * do_zero - when true, a successful allocation is zero-filled (calloc-like).
 *
 * Returns a usable pointer, NULL on failure, or -- for size == 0 -- a
 * deliberately invalid pointer in the range [0x01, 0x01 + 1024) that must
 * never be dereferenced (see below).
 *
 * The order of the fuzz_mt19937_get() calls is significant: it keeps the
 * PRNG output stream identical across fuzzer configurations.
 */
static void *fuzz_alloc(const size_t size, const bool do_zero)
{
    void *mem = NULL;
#ifdef FUZZ_32BIT
    bool use_malloc = true;
#endif
    bool do_mmap = false;
    bool mmap_high = true;

    if (size == 0) {
        /* Allocations of size 0 are not illegal, but are a bad practice,
         * since writing just a single byte to this region constitutes
         * undefined behavior per the C spec. glibc will return a small,
         * valid memory region whereas OpenBSD will crash upon writing to it.
         * Intentionally return a pointer to an invalid page to detect
         * unsound code efficiently.
         * fuzz_free is aware of this pointer range and will not attempt
         * to free()/munmap() it.
         */
        const size_t bogus_addr = 0x01 + (fuzz_mt19937_get() % 1024);
        return (void *)bogus_addr;
    }

    /* Don't do mmap()-based allocations during initialization */
    if (g_post_init) {
        /* Even extract these values if --no_mmap is specified.
         * This keeps the PRNG output stream consistent across
         * fuzzer configurations.
         */
        do_mmap = (fuzz_mt19937_get() % 64) == 0;
        if (do_mmap) {
            mmap_high = (fuzz_mt19937_get() % 2) == 0;
        }
    }

#ifdef FUZZ_32BIT
    /* g_mmap_allocation must be NULL because we only support a single
     * concurrent mmap allocation at a time
     */
    if (g_mmap_allocation == NULL && !g_no_mmap && do_mmap) {
        /* Hint addresses near the top and the bottom of the 32 bit
         * address space. */
        void *const mmap_address =
            mmap_high ? (void *)0xFFFF0000 : (void *)0x00010000;

        g_mmap_allocation_size = size;

        mem = mmap(mmap_address, g_mmap_allocation_size,
                   PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

        if (mem == MAP_FAILED) {
            /* That's okay -- just return NULL to the caller */
            mem = NULL;

            /* Reset this for the sake of cleanliness */
            g_mmap_allocation_size = 0;
        }
        /* mem not being MAP_FAILED does not mean that mem is the requested
         * address (mmap_address). That's okay. We're not going to perform
         * a munmap() on it and call malloc() instead. It won't gain us
         * anything.
         */

        g_mmap_allocation = mem;
        use_malloc = false;
    }

    if (use_malloc)
#endif
    {
        mem = malloc(size);
    }

    /* Mimic calloc() if so requested */
    if (mem != NULL && do_zero) {
        memset(mem, 0, size);
    }

    return mem;
}
118*90e502c7SAndroid Build Coastguard Worker
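/* Internal allocations by this fuzzer must on one hand (sometimes)
 * receive memory from mmap(), but on the other hand these requests for
 * memory may not fail. This function first tries fuzz_alloc(), which may
 * fail if it uses mmap(), and if that is the case, memory is allocated
 * via the libc allocator (malloc, calloc).
 *
 * size    - number of bytes requested.
 * do_zero - when true, the returned memory is zero-filled.
 *
 * Never returns NULL: callers in this file dereference the result without
 * checking it, so if the libc fallback fails as well the process is
 * aborted here, at the real point of failure, instead of surfacing later
 * as a NULL dereference that looks like a finding in the code under test.
 *
 * For size == 0 the result is the invalid marker pointer produced by
 * fuzz_alloc(), which is non-NULL and must not be dereferenced.
 */
static void *fuzz_alloc_succeed(const size_t size, const bool do_zero)
{
    void *ret = fuzz_alloc(size, do_zero);

    if (ret == NULL) {
        ret = do_zero ? calloc(1, size) : malloc(size);
        if (ret == NULL) {
            /* Harness is out of memory; this is not a library bug */
            abort();
        }
    }

    return ret;
}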
138*90e502c7SAndroid Build Coastguard Worker
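/*
 * calloc() replacement handed to the library under test.
 *
 * nmemb - number of elements.
 * size  - size of one element in bytes.
 *
 * Returns zero-filled memory from fuzz_alloc(), or NULL when a failure is
 * injected, when nmemb * size does not fit in size_t, or when the
 * underlying allocation fails.
 */
void *fuzz_calloc(const size_t nmemb, const size_t size)
{
    /* We must be past srtp_init() to prevent that function from failing */
    if (g_post_init == true) {
        /* Fail 1 in 64 allocations on average to test whether the library
         * can deal with this properly.
         */
        if ((fuzz_mt19937_get() % 64) == 0) {
            return NULL;
        }
    }

    /* Honor the calloc() contract: a product that wraps around must fail.
     * Otherwise the caller would receive a buffer smaller than it asked
     * for and overrun it. The check is placed after the PRNG draw so the
     * PRNG output stream is unchanged.
     */
    if (size != 0 && nmemb > ((size_t)-1) / size) {
        return NULL;
    }

    return fuzz_alloc(nmemb * size, true);
}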
153*90e502c7SAndroid Build Coastguard Worker
/*
 * Tells whether ptr is one of the special, invalid pointers introduced
 * when code attempted to do size = 0 allocations, i.e. whether its
 * numeric value lies in [0x01, 0x01 + 1024).
 *
 * Returns true for such a marker pointer, false otherwise (NULL included).
 */
static bool fuzz_is_special_pointer(void *ptr)
{
    const size_t addr = (size_t)ptr;

    return addr >= 0x01 && addr < (0x01 + 1024);
}
165*90e502c7SAndroid Build Coastguard Worker
/*
 * free() replacement matching fuzz_alloc().
 *
 * - Marker pointers handed out for size 0 allocations are ignored; they
 *   were never backed by memory.
 * - With FUZZ_32BIT, the single outstanding mmap() allocation is released
 *   with munmap(); a munmap() failure aborts the process.
 * - Everything else goes to free().
 */
void fuzz_free(void *ptr)
{
    if (fuzz_is_special_pointer(ptr)) {
        return;
    }

#ifdef FUZZ_32BIT
    if (g_post_init && ptr != NULL && ptr == g_mmap_allocation) {
        if (munmap(g_mmap_allocation, g_mmap_allocation_size) == -1) {
            /* Shouldn't happen */
            abort();
        }
        /* Allow the next mmap()-based allocation */
        g_mmap_allocation = NULL;
        return;
    }
#endif

    free(ptr);
}
185*90e502c7SAndroid Build Coastguard Worker
/*
 * Adapter that gives srtp_protect() the same signature as the other
 * fuzz_srtp_* wrappers in this file. use_mki and mki are accepted but
 * not forwarded.
 *
 * Returns the status reported by srtp_protect().
 */
static srtp_err_status_t fuzz_srtp_protect(srtp_t srtp_sender,
                                           void *hdr,
                                           int *len,
                                           uint8_t use_mki,
                                           unsigned int mki)
{
    srtp_err_status_t status;

    (void)use_mki;
    (void)mki;

    status = srtp_protect(srtp_sender, hdr, len);
    return status;
}
194*90e502c7SAndroid Build Coastguard Worker
/*
 * Adapter that gives srtp_unprotect() the same signature as the other
 * fuzz_srtp_* wrappers in this file. use_mki and mki are accepted but
 * not forwarded.
 *
 * Returns the status reported by srtp_unprotect().
 */
static srtp_err_status_t fuzz_srtp_unprotect(srtp_t srtp_sender,
                                             void *hdr,
                                             int *len,
                                             uint8_t use_mki,
                                             unsigned int mki)
{
    srtp_err_status_t status;

    (void)use_mki;
    (void)mki;

    status = srtp_unprotect(srtp_sender, hdr, len);
    return status;
}
203*90e502c7SAndroid Build Coastguard Worker
/*
 * Adapter that gives srtp_protect_rtcp() the same signature as the other
 * fuzz_srtp_* wrappers in this file. use_mki and mki are accepted but
 * not forwarded.
 *
 * Returns the status reported by srtp_protect_rtcp().
 */
static srtp_err_status_t fuzz_srtp_protect_rtcp(srtp_t srtp_sender,
                                                void *hdr,
                                                int *len,
                                                uint8_t use_mki,
                                                unsigned int mki)
{
    srtp_err_status_t status;

    (void)use_mki;
    (void)mki;

    status = srtp_protect_rtcp(srtp_sender, hdr, len);
    return status;
}
212*90e502c7SAndroid Build Coastguard Worker
/*
 * Adapter that gives srtp_unprotect_rtcp() the same signature as the other
 * fuzz_srtp_* wrappers in this file. use_mki and mki are accepted but
 * not forwarded.
 *
 * Returns the status reported by srtp_unprotect_rtcp().
 */
static srtp_err_status_t fuzz_srtp_unprotect_rtcp(srtp_t srtp_sender,
                                                  void *hdr,
                                                  int *len,
                                                  uint8_t use_mki,
                                                  unsigned int mki)
{
    srtp_err_status_t status;

    (void)use_mki;
    (void)mki;

    status = srtp_unprotect_rtcp(srtp_sender, hdr, len);
    return status;
}
221*90e502c7SAndroid Build Coastguard Worker
/*
 * Adapter for srtp_protect_mki(); all five arguments are forwarded
 * unchanged.
 *
 * Returns the status reported by srtp_protect_mki().
 */
static srtp_err_status_t fuzz_srtp_protect_mki(srtp_t srtp_sender,
                                               void *hdr,
                                               int *len,
                                               uint8_t use_mki,
                                               unsigned int mki)
{
    srtp_err_status_t status;

    status = srtp_protect_mki(srtp_sender, hdr, len, use_mki, mki);
    return status;
}
230*90e502c7SAndroid Build Coastguard Worker
/*
 * Adapter for srtp_protect_rtcp_mki(); all five arguments are forwarded
 * unchanged.
 *
 * Returns the status reported by srtp_protect_rtcp_mki().
 */
static srtp_err_status_t fuzz_srtp_protect_rtcp_mki(srtp_t srtp_sender,
                                                    void *hdr,
                                                    int *len,
                                                    uint8_t use_mki,
                                                    unsigned int mki)
{
    srtp_err_status_t status;

    status = srtp_protect_rtcp_mki(srtp_sender, hdr, len, use_mki, mki);
    return status;
}
239*90e502c7SAndroid Build Coastguard Worker
/*
 * Adapter for srtp_unprotect_mki(). Only use_mki is forwarded; mki is
 * accepted to keep the common wrapper signature and is not passed on.
 *
 * Returns the status reported by srtp_unprotect_mki().
 */
static srtp_err_status_t fuzz_srtp_unprotect_mki(srtp_t srtp_sender,
                                                 void *hdr,
                                                 int *len,
                                                 uint8_t use_mki,
                                                 unsigned int mki)
{
    srtp_err_status_t status;

    (void)mki;

    status = srtp_unprotect_mki(srtp_sender, hdr, len, use_mki);
    return status;
}
248*90e502c7SAndroid Build Coastguard Worker
/*
 * Adapter for srtp_unprotect_rtcp_mki(). Only use_mki is forwarded; mki is
 * accepted to keep the common wrapper signature and is not passed on.
 *
 * Returns the status reported by srtp_unprotect_rtcp_mki().
 */
static srtp_err_status_t fuzz_srtp_unprotect_rtcp_mki(srtp_t srtp_sender,
                                                      void *hdr,
                                                      int *len,
                                                      uint8_t use_mki,
                                                      unsigned int mki)
{
    srtp_err_status_t status;

    (void)mki;

    status = srtp_unprotect_rtcp_mki(srtp_sender, hdr, len, use_mki);
    return status;
}
257*90e502c7SAndroid Build Coastguard Worker
258*90e502c7SAndroid Build Coastguard Worker /* Get protect length functions */
259*90e502c7SAndroid Build Coastguard Worker
/*
 * Queries the SRTP trailer length for the non-MKI case: use_mki and mki
 * are ignored and 0, 0 is passed to srtp_get_protect_trailer_length().
 *
 * length - receives the trailer length.
 *
 * Returns the status reported by srtp_get_protect_trailer_length().
 */
static srtp_err_status_t fuzz_srtp_get_protect_length(const srtp_t srtp_ctx,
                                                      uint8_t use_mki,
                                                      unsigned int mki,
                                                      uint32_t *length)
{
    srtp_err_status_t status;

    (void)use_mki;
    (void)mki;

    status = srtp_get_protect_trailer_length(srtp_ctx, 0, 0, length);
    return status;
}
267*90e502c7SAndroid Build Coastguard Worker
/*
 * Queries the SRTCP trailer length for the non-MKI case: use_mki and mki
 * are ignored and 0, 0 is passed to srtp_get_protect_rtcp_trailer_length().
 *
 * length - receives the trailer length.
 *
 * Returns the status reported by srtp_get_protect_rtcp_trailer_length().
 */
static srtp_err_status_t fuzz_srtp_get_protect_rtcp_length(
    const srtp_t srtp_ctx,
    uint8_t use_mki,
    unsigned int mki,
    uint32_t *length)
{
    srtp_err_status_t status;

    (void)use_mki;
    (void)mki;

    status = srtp_get_protect_rtcp_trailer_length(srtp_ctx, 0, 0, length);
    return status;
}
276*90e502c7SAndroid Build Coastguard Worker
/*
 * Queries the SRTP trailer length for the MKI case: use_mki and mki are
 * forwarded unchanged to srtp_get_protect_trailer_length().
 *
 * length - receives the trailer length.
 *
 * Returns the status reported by srtp_get_protect_trailer_length().
 */
static srtp_err_status_t fuzz_srtp_get_protect_mki_length(const srtp_t srtp_ctx,
                                                          uint8_t use_mki,
                                                          unsigned int mki,
                                                          uint32_t *length)
{
    srtp_err_status_t status;

    status = srtp_get_protect_trailer_length(srtp_ctx, use_mki, mki, length);
    return status;
}
284*90e502c7SAndroid Build Coastguard Worker
/*
 * Queries the SRTCP trailer length for the MKI case: use_mki and mki are
 * forwarded unchanged to srtp_get_protect_rtcp_trailer_length().
 *
 * length - receives the trailer length.
 *
 * Returns the status reported by srtp_get_protect_rtcp_trailer_length().
 */
static srtp_err_status_t fuzz_srtp_get_protect_rtcp_mki_length(
    const srtp_t srtp_ctx,
    uint8_t use_mki,
    unsigned int mki,
    uint32_t *length)
{
    srtp_err_status_t status;

    status =
        srtp_get_protect_rtcp_trailer_length(srtp_ctx, use_mki, mki, length);
    return status;
}
293*90e502c7SAndroid Build Coastguard Worker
/*
 * Pulls key_size bytes of key material out of the fuzzer input.
 *
 * data, size - cursor into the remaining input and its length; passed to
 *              EXTRACT, which is defined outside this listing and
 *              presumably copies the bytes and advances the cursor --
 *              confirm against its definition.
 * key_size   - number of key bytes wanted.
 *
 * Returns a buffer from fuzz_alloc_succeed() that the caller owns, or
 * NULL when fewer than key_size bytes remain. For key_size == 0 the
 * buffer is the allocator's invalid marker pointer and must not be
 * dereferenced.
 */
static uint8_t *extract_key(const uint8_t **data,
                            size_t *size,
                            const size_t key_size)
{
    uint8_t *key;

    /* Bounds check before anything is read from the input */
    if (key_size > *size) {
        return NULL;
    }

    key = fuzz_alloc_succeed(key_size, false);
    EXTRACT(key, *data, *size, key_size);

    return key;
}
308*90e502c7SAndroid Build Coastguard Worker
/*
 * Reads one master key record from the fuzzer input: a 16 bit MKI id
 * size, followed by key_size key bytes and that many MKI id bytes.
 *
 * data, size - cursor into the remaining input and its length.
 * key_size   - number of key bytes per master key.
 * simulate   - when true, nothing is allocated; the cursor is only moved
 *              past the record and *success reports whether the record
 *              fits into the remaining input.
 * success    - written only when simulate is true; may be NULL otherwise.
 *
 * Returns the newly allocated master key, or NULL in simulate mode and
 * when the input is too short.
 *
 * NOTE(review): EXTRACT_IF is defined outside this listing; it presumably
 * jumps to the `end` label when the input is too short -- confirm. The
 * label must therefore keep its name.
 */
static srtp_master_key_t *extract_master_key(const uint8_t **data,
                                             size_t *size,
                                             const size_t key_size,
                                             bool simulate,
                                             bool *success)
{
    srtp_master_key_t *master_key = NULL;
    uint16_t mki_id_size;

    if (simulate) {
        *success = false;
    }

    EXTRACT_IF(&mki_id_size, *data, *size, sizeof(mki_id_size));

    /* Both variable-length fields must fit into what is left */
    if (*size < key_size + mki_id_size) {
        goto end;
    }

    if (simulate) {
        const size_t consumed = key_size + mki_id_size;

        *data += consumed;
        *size -= consumed;
        *success = true;
        goto end;
    }

    /* Allocation order is kept as is: every fuzz_alloc() call may draw
     * from the PRNG. */
    master_key = fuzz_alloc_succeed(sizeof(*master_key), false);
    master_key->key = fuzz_alloc_succeed(key_size, false);

    /* A zero mki_id_size yields the allocator's invalid marker pointer */
    master_key->mki_id = fuzz_alloc_succeed(mki_id_size, false);

    EXTRACT(master_key->key, *data, *size, key_size);
    EXTRACT(master_key->mki_id, *data, *size, mki_id_size);
    master_key->mki_size = mki_id_size;
end:
    return master_key;
}
346*90e502c7SAndroid Build Coastguard Worker
/*
 * Reads a variable number of master keys from the fuzzer input.
 *
 * Each key is preceded by one flag byte; an even flag value ends the
 * list. The input is walked twice: a dry run counts how many complete
 * keys are available, then the cursor is rewound and the keys are
 * actually extracted.
 *
 * data, size      - cursor into the remaining input and its length.
 * key_size        - number of key bytes per master key.
 * num_master_keys - receives the number of keys counted by the dry run.
 *
 * Returns an array of *num_master_keys pointers owned by the caller. With
 * zero keys the array is the allocator's invalid marker pointer and must
 * not be dereferenced.
 *
 * NOTE(review): the array is allocated without zeroing. If the second
 * pass ever stopped early (break, or EXTRACT_IF presumably jumping to
 * `end`), the remaining slots would be uninitialized. This should be
 * unreachable because the dry run validated the same bytes.
 */
static srtp_master_key_t **extract_master_keys(const uint8_t **data,
                                               size_t *size,
                                               const size_t key_size,
                                               unsigned long *num_master_keys)
{
    const uint8_t *const saved_data = *data;
    const size_t saved_size = *size;
    size_t idx;
    srtp_master_key_t **keys = NULL;

    *num_master_keys = 0;

    /* First pass -- dry run, determine how many keys we want and can
     * extract */
    for (;;) {
        uint8_t flag;
        bool fits;

        if (*size < sizeof(flag)) {
            goto next;
        }
        EXTRACT(&flag, *data, *size, sizeof(flag));

        /* Decide whether to extract another key */
        if ((flag % 2) == 0) {
            break;
        }

        extract_master_key(data, size, key_size, true, &fits);
        if (!fits) {
            break;
        }

        (*num_master_keys)++;
    }

next:
    /* Rewind so the second pass sees exactly the same bytes */
    *data = saved_data;
    *size = saved_size;

    /* Allocate array of pointers */
    keys = fuzz_alloc_succeed(*num_master_keys * sizeof(*keys), false);

    /* Second pass -- perform the actual extractions */
    for (idx = 0; idx < *num_master_keys; idx++) {
        uint8_t flag;

        EXTRACT_IF(&flag, *data, *size, sizeof(flag));

        if ((flag % 2) == 0) {
            break;
        }

        keys[idx] = extract_master_key(data, size, key_size, false, NULL);
        if (keys[idx] == NULL) {
            /* Shouldn't happen */
            abort();
        }
    }

end:
    return keys;
}
413*90e502c7SAndroid Build Coastguard Worker
/*
 * Builds an EKT policy from the fuzzer input: an SPI followed by a
 * 16 byte key, read as one fixed-size record.
 *
 * data, size - cursor into the remaining input and its length.
 *
 * Returns a newly allocated policy owned by the caller, or NULL when the
 * record could not be read.
 *
 * NOTE(review): EXTRACT_IF is defined outside this listing; it presumably
 * jumps to the `end` label when the input is too short -- confirm.
 */
static srtp_ekt_policy_t extract_ekt_policy(const uint8_t **data, size_t *size)
{
    srtp_ekt_policy_t ekt = NULL;
    struct {
        srtp_ekt_spi_t spi;
        uint8_t key[16];
    } params;

    EXTRACT_IF(&params, *data, *size, sizeof(params));

    ekt = fuzz_alloc_succeed(sizeof(struct srtp_ekt_policy_ctx_t), false);

    /* The policy is not zero-filled, so every field is set explicitly */
    ekt->spi = params.spi;

    /* The only supported cipher type */
    ekt->ekt_cipher_type = SRTP_EKT_CIPHER_AES_128_ECB;

    ekt->ekt_key = fuzz_alloc_succeed(sizeof(params.key), false);
    memcpy(ekt->ekt_key, params.key, sizeof(params.key));

    ekt->next_ekt_policy = NULL;

end:
    return ekt;
}
440*90e502c7SAndroid Build Coastguard Worker
/*
 * Build a single srtp_policy_t from the fuzzer input.
 *
 * data/size are the caller's read cursor and remaining byte count; both are
 * advanced past whatever is consumed. Returns the new policy (owned by the
 * caller), or NULL when the input runs out or a nested key extraction fails.
 * EXTRACT_IF is defined outside this listing; it presumably jumps to `end`
 * when fewer than the requested bytes remain -- confirm in fuzzer.h.
 */
static srtp_policy_t *extract_policy(const uint8_t **data, size_t *size)
{
    /* Fixed-size header copied verbatim from the input. The member order and
     * types decide which input bytes land in which field, so they must not
     * be rearranged. */
    struct {
        uint8_t srtp_crypto_policy_func;
        uint64_t window_size;
        uint8_t allow_repeat_tx;
        uint8_t ssrc_type;
        uint32_t ssrc_value;
        uint8_t num_xtn_hdr;
        uint8_t with_ekt;
        srtp_ekt_spi_t ekt_spi;
        uint8_t do_extract_key;
        uint8_t do_extract_master_keys;
    } hdr;
    const size_t n_crypto_policies =
        sizeof(fuzz_srtp_crypto_policies) / sizeof(fuzz_srtp_crypto_policies[0]);
    const size_t n_ssrc_types =
        sizeof(fuzz_ssrc_type_map) / sizeof(fuzz_ssrc_type_map[0]);
    srtp_policy_t *policy = NULL;

    EXTRACT_IF(&hdr, *data, *size, sizeof(hdr));

    /* Fold the attacker-controlled selectors into valid table indices and
     * 0/1 flags before they are used. */
    hdr.srtp_crypto_policy_func %= n_crypto_policies;
    hdr.ssrc_type %= n_ssrc_types;
    hdr.allow_repeat_tx &= 1;
    hdr.with_ekt &= 1;

    /* NOTE(review): the `true` argument presumably requests a zeroed
     * allocation; the cleanup paths below free members that may never have
     * been assigned and rely on them being NULL -- confirm. */
    policy = fuzz_alloc_succeed(sizeof(*policy), true);

    /* The same crypto-policy setter fills both the RTP and RTCP halves. */
    fuzz_srtp_crypto_policies[hdr.srtp_crypto_policy_func].crypto_policy_func(
        &policy->rtp);
    fuzz_srtp_crypto_policies[hdr.srtp_crypto_policy_func].crypto_policy_func(
        &policy->rtcp);

    if (policy->rtp.cipher_key_len > MAX_KEY_LEN) {
        /* Harness invariant broken: stop instead of sizing key buffers from
         * an out-of-range length. */
        abort();
    }

    policy->ssrc.type = fuzz_ssrc_type_map[hdr.ssrc_type].srtp_ssrc_type;
    policy->ssrc.value = hdr.ssrc_value;

    /* An even selector byte means "extract a single master key". */
    if ((hdr.do_extract_key & 1) == 0) {
        policy->key = extract_key(data, size, policy->rtp.cipher_key_len);

        if (policy->key == NULL) {
            fuzz_free(policy);
            return NULL;
        }
    }

    if (hdr.num_xtn_hdr != 0) {
        const size_t xtn_bytes = hdr.num_xtn_hdr * sizeof(int);

        /* Length check comes before the raw EXTRACT copy below. */
        if (*size < xtn_bytes) {
            fuzz_free(policy->key);
            fuzz_free(policy);
            return NULL;
        }
        policy->enc_xtn_hdr = fuzz_alloc_succeed(xtn_bytes, false);
        EXTRACT(policy->enc_xtn_hdr, *data, *size, xtn_bytes);
        policy->enc_xtn_hdr_count = hdr.num_xtn_hdr;
    }

    /* An even selector byte means "extract the master key list". */
    if ((hdr.do_extract_master_keys & 1) == 0) {
        policy->keys = extract_master_keys(
            data, size, policy->rtp.cipher_key_len, &policy->num_master_keys);
        if (policy->keys == NULL) {
            fuzz_free(policy->key);
            fuzz_free(policy->enc_xtn_hdr);
            fuzz_free(policy);
            return NULL;
        }
    }

    /* The EKT policy is optional; a NULL result is stored as-is. */
    if (hdr.with_ekt) {
        policy->ekt = extract_ekt_policy(data, size);
    }

    policy->window_size = hdr.window_size;
    policy->allow_repeat_tx = hdr.allow_repeat_tx;
    policy->next = NULL;

end:
    return policy;
}
/*
 * Build a singly linked chain of policies from the fuzzer input.
 *
 * At least one policy is required: if the first extraction fails the result
 * is NULL. After that, one selector byte per round decides (odd = continue)
 * whether another policy is appended. The chain built so far is returned
 * when the input runs out or a later extraction fails; the caller owns it.
 */
static srtp_policy_t *extract_policies(const uint8_t **data, size_t *size)
{
    srtp_policy_t *head = NULL;
    srtp_policy_t *tail = NULL;

    head = extract_policy(data, size);
    if (head == NULL) {
        return NULL;
    }
    tail = head;

    for (;;) {
        uint8_t more;
        srtp_policy_t *appended;

        /* EXTRACT_IF is defined outside this listing; it presumably jumps
         * to `end` once the input is exhausted. */
        EXTRACT_IF(&more, *data, *size, sizeof(more));

        /* An even selector byte ends the chain. */
        if ((more & 1) == 0) {
            break;
        }

        appended = extract_policy(data, size);
        tail->next = appended;
        if (appended == NULL) {
            break;
        }
        tail = appended;
    }

end:
    return head;
}
/*
 * Read a one-byte count followed by that many uint32_t SSRC values.
 *
 * On success returns a newly allocated array (owned by the caller) and
 * stores the element count in *num_remove_stream. Returns NULL with
 * *num_remove_stream == 0 when the count is zero or the input does not hold
 * the whole array.
 */
static uint32_t *extract_remove_stream_ssrc(const uint8_t **data,
                                            size_t *size,
                                            uint8_t *num_remove_stream)
{
    uint8_t count;
    size_t byte_len;
    uint32_t *ssrcs = NULL;

    /* The out-parameter is defined on every return path. */
    *num_remove_stream = 0;

    /* EXTRACT_IF is defined outside this listing; it presumably jumps to
     * `end` when the input is too short. */
    EXTRACT_IF(&count, *data, *size, sizeof(count));

    if (count != 0) {
        byte_len = count * sizeof(uint32_t);

        /* Only copy when the remaining input covers the full array. */
        if (*size >= byte_len) {
            ssrcs = fuzz_alloc_succeed(byte_len, false);
            EXTRACT(ssrcs, *data, *size, byte_len);

            *num_remove_stream = count;
        }
    }

end:
    return ssrcs;
}
/*
 * Read a one-byte count followed by that many pairs of uint32_t values.
 *
 * On success returns a newly allocated flat array of 2 * count values
 * (owned by the caller) and stores the pair count in *num_set_roc. Returns
 * NULL with *num_set_roc == 0 when the count is zero or the input does not
 * hold all pairs.
 */
static uint32_t *extract_set_roc(const uint8_t **data,
                                 size_t *size,
                                 uint8_t *num_set_roc)
{
    uint8_t pair_count;
    size_t byte_len;
    uint32_t *pairs = NULL;

    /* The out-parameter is defined on every return path. */
    *num_set_roc = 0;

    /* EXTRACT_IF is defined outside this listing; it presumably jumps to
     * `end` when the input is too short. */
    EXTRACT_IF(&pair_count, *data, *size, sizeof(pair_count));

    if (pair_count != 0) {
        /* Each entry is a tuple of two uint32_t values. */
        byte_len = pair_count * sizeof(uint32_t) * 2;

        /* Only copy when the remaining input covers every tuple. */
        if (*size >= byte_len) {
            pairs = fuzz_alloc_succeed(byte_len, false);
            EXTRACT(pairs, *data, *size, byte_len);

            *num_set_roc = pair_count;
        }
    }

end:
    return pairs;
}
/*
 * Release a whole policy chain together with everything each policy owns:
 * the single key, every master key entry (key, MKI id and the entry
 * itself), the master key array, the extension header list and the
 * optional EKT policy with its key. A NULL chain is a no-op.
 */
static void free_policies(srtp_policy_t *curpolicy)
{
    srtp_policy_t *node = curpolicy;
    size_t k;

    while (node != NULL) {
        /* Remember the successor before this node is released. */
        srtp_policy_t *following = node->next;

        fuzz_free(node->key);

        /* NOTE(review): assumes num_master_keys is 0 whenever keys is NULL;
         * otherwise this loop dereferences a NULL array -- confirm against
         * extract_master_keys. */
        for (k = 0; k < node->num_master_keys; k++) {
            fuzz_free(node->keys[k]->key);
            fuzz_free(node->keys[k]->mki_id);
            fuzz_free(node->keys[k]);
        }

        fuzz_free(node->keys);
        fuzz_free(node->enc_xtn_hdr);

        if (node->ekt != NULL) {
            fuzz_free(node->ekt->ekt_key);
            fuzz_free(node->ekt);
        }

        fuzz_free(node);

        node = following;
    }
}
/*
 * Run one fuzzer-selected libsrtp operation on a packet taken from the
 * input, then feed the result to a second fuzzer-selected operation.
 *
 * Returns the buffer holding the latest successful result (the caller frees
 * it), or NULL when no packet could be processed. A NULL return is what
 * ends the caller's loop. EXTRACT_IF is defined outside this listing; it
 * presumably jumps to `end` when the input is too short.
 */
static uint8_t *run_srtp_func(const srtp_t srtp_ctx,
                              const uint8_t **data,
                              size_t *size)
{
    /* Both headers are copied verbatim from the input, so their layout must
     * stay as it is. `stretch` is not read in this function. */
    struct {
        uint16_t size;
        uint8_t srtp_func;
        uint8_t use_mki;
        uint32_t mki;
        uint8_t stretch;
    } first;

    struct {
        uint8_t srtp_func;
        uint8_t use_mki;
        uint32_t mki;
    } second;
    const size_t n_funcs = sizeof(srtp_funcs) / sizeof(srtp_funcs[0]);
    uint8_t *result = NULL;
    uint8_t *buf = NULL, *grown = NULL;
    int len;

    EXTRACT_IF(&first, *data, *size, sizeof(first));
    first.srtp_func %= n_funcs;
    first.use_mki &= 1;

    /* The packet length comes from the input; reject it before any copy. */
    if (*size < first.size) {
        goto end;
    }

    /* Round the length down to a multiple of 4 unless --no_align was
     * given. */
    if (!g_no_align) {
        first.size &= (uint16_t)~3u;
    }

    if (first.size == 0) {
        goto end;
    }

    len = first.size;
    if (srtp_funcs[first.srtp_func].protect == true) {
        /* Deliberately left uninitialised so MemorySanitizer can flag a
         * get_length() that reports success without writing it. */
        uint32_t extra;

        if (srtp_funcs[first.srtp_func].get_length(
                srtp_ctx, first.use_mki, first.mki, &extra) !=
            srtp_err_status_ok) {
            goto end;
        }

        /* Protect operations grow the packet, so reserve the extra room. */
        buf = fuzz_alloc_succeed(len + extra, false);
    } else {
        buf = fuzz_alloc_succeed(len, false);
    }

    EXTRACT(buf, *data, *size, first.size);

    if (srtp_funcs[first.srtp_func].srtp_func(
            srtp_ctx, buf, &len, first.use_mki, first.mki) !=
        srtp_err_status_ok) {
        fuzz_free(buf);
        goto end;
    }

    /* fuzz_testmem is defined elsewhere; presumably it touches every byte
     * so the sanitizers see the whole output. */
    fuzz_testmem(buf, len);

    /* From here on an early exit hands the first result to the caller. */
    result = buf;

    EXTRACT_IF(&second, *data, *size, sizeof(second));
    second.srtp_func %= n_funcs;
    second.use_mki &= 1;

    if (len == 0) {
        goto end;
    }

    if (srtp_funcs[second.srtp_func].protect == true) {
        /* Deliberately left uninitialised, as above. */
        uint32_t extra;

        if (srtp_funcs[second.srtp_func].get_length(
                srtp_ctx, second.use_mki, second.mki, &extra) !=
            srtp_err_status_ok) {
            goto end;
        }

        grown = fuzz_alloc_succeed(len + extra, false);
    } else {
        grown = fuzz_alloc_succeed(len, false);
    }

    /* Move the first result into the new buffer. `result` still points at
     * the released buffer until one of the two assignments below replaces
     * it, so nothing may return in between. */
    memcpy(grown, buf, len);
    fuzz_free(buf);

    if (srtp_funcs[second.srtp_func].srtp_func(
            srtp_ctx, grown, &len, second.use_mki, second.mki) !=
        srtp_err_status_ok) {
        fuzz_free(grown);
        result = NULL;
        goto end;
    }

    fuzz_testmem(grown, len);

    result = grown;

end:
    return result;
}
/*
 * Event callback installed by LLVMFuzzerInitialize.
 *
 * Passes the event record, and the session it points to when there is one,
 * to fuzz_testmem. fuzz_testmem is defined elsewhere; presumably it reads
 * every byte so the sanitizers can flag uninitialised or freed memory.
 */
void fuzz_srtp_event_handler(srtp_event_data_t *data)
{
    fuzz_testmem(data, sizeof(*data));

    if (data->session == NULL) {
        return;
    }

    fuzz_testmem(data->session, sizeof(*data->session));
}
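/*
 * Dump the current fuzzer input to "input.bin" in the working directory so
 * that the input of a crashing run can be recovered (enabled with
 * --write_input). The file is truncated and rewritten on every call.
 *
 * data: input bytes; not read when size is 0.
 * size: number of bytes to write.
 *
 * Any I/O failure aborts the process: a missing or truncated dump would
 * make a later crash impossible to reproduce.
 */
static void fuzz_write_input(const uint8_t *data, size_t size)
{
    FILE *fp = fopen("input.bin", "wb");

    if (fp == NULL) {
        /* Shouldn't happen */
        abort();
    }

    if (size != 0 && fwrite(data, size, 1, fp) != 1) {
        printf("Cannot write\n");
        /* Shouldn't happen */
        abort();
    }

    /* fclose() flushes the stdio buffer, so a write error (for example a
     * full disk) can surface only here. Treat it like a failed fwrite()
     * rather than leaving a silently truncated file behind. */
    if (fclose(fp) != 0) {
        printf("Cannot write\n");
        /* Shouldn't happen */
        abort();
    }
}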
/*
 * libFuzzer start-up hook: initialise libsrtp, process the harness's own
 * "--" options and install the event handler.
 *
 * Recognised options: --no_align, --no_custom_event_handler, --write_input
 * and, in FUZZ_32BIT builds, --no_mmap. Any other argument starting with
 * "--" stops the process. Arguments without that prefix are ignored here.
 * Always returns 0.
 */
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
    char **args = *argv;
    bool use_custom_handler = true;
    int idx;

    if (srtp_init() != srtp_err_status_ok) {
        /* Shouldn't happen */
        abort();
    }

    /* The scan starts at index 0, so the program name is checked too. */
    for (idx = 0; idx < *argc; idx++) {
        const char *arg = args[idx];

        if (strcmp("--no_align", arg) == 0) {
            g_no_align = true;
            continue;
        }
        if (strcmp("--no_custom_event_handler", arg) == 0) {
            use_custom_handler = false;
            continue;
        }
        if (strcmp("--write_input", arg) == 0) {
            g_write_input = true;
            continue;
        }
#ifdef FUZZ_32BIT
        if (strcmp("--no_mmap", arg) == 0) {
            g_no_mmap = true;
            continue;
        }
#endif
        if (strncmp("--", arg, 2) == 0) {
            /* NOTE(review): an unknown option ends the run with exit status
             * 0, so a mistyped flag in a fuzzing job looks like a clean
             * finish. A non-zero status would let automation notice. */
            printf("Invalid argument: %s\n", arg);
            exit(0);
        }
    }

    if (use_custom_handler) {
        if (srtp_install_event_handler(fuzz_srtp_event_handler) !=
            srtp_err_status_ok) {
            /* Shouldn't happen */
            abort();
        }
    }

    /* Fully initialized -- past this point, simulated allocation failures
     * are allowed to occur */
    g_post_init = true;

    return 0;
}
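/*
 * libFuzzer entry point: interpret one input as a scripted libsrtp session.
 *
 * Input layout, consumed front to back: a 32-bit PRNG seed, two policy
 * chains, a list of SSRCs to remove, a list of (SSRC, ROC) tuples, then a
 * sequence of packets for run_srtp_func. data and size are local copies
 * that the extraction helpers advance through their pointers. EXTRACT_IF is
 * defined outside this listing; it presumably jumps to `end` when the input
 * is too short.
 *
 * Always returns 0. Everything allocated during the run is released at
 * `end`, whichever step stopped the run.
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint8_t num_remove_stream;
    uint32_t *remove_stream_ssrc = NULL;
    uint8_t num_set_roc;
    uint32_t *set_roc = NULL;
    srtp_t srtp_ctx = NULL;
    srtp_policy_t *policy_chain = NULL, *policy_chain_2 = NULL;
    uint32_t randseed;
    static bool firstrun = true;

    if (firstrun == true) {
        /* TODO version check etc and send it to MSAN */
    }

#ifdef FUZZ_32BIT
    /* Free the mmap allocation made during the previous iteration, if
     * applicable */
    fuzz_free(g_mmap_allocation);
#endif

    /* Dump the input before it is parsed, so the file exists even if this
     * run crashes. */
    if (g_write_input == true) {
        fuzz_write_input(data, size);
    }

    /* Seed both PRNGs from the input so that a run is reproducible. */
    EXTRACT_IF(&randseed, data, size, sizeof(randseed));
    fuzz_mt19937_init(randseed);
    srand(randseed);

    /* policy_chain is used to initialize the srtp context with */
    if ((policy_chain = extract_policies(&data, &size)) == NULL) {
        goto end;
    }
    /* policy_chain_2 is used as an argument to srtp_update later on */
    if ((policy_chain_2 = extract_policies(&data, &size)) == NULL) {
        goto end;
    }

    /* Create context. policy_chain itself stays allocated until `end`. */
    if (srtp_create(&srtp_ctx, policy_chain) != srtp_err_status_ok) {
        goto end;
    }

    /* Don't check for NULL result -- no extractions is fine */
    remove_stream_ssrc =
        extract_remove_stream_ssrc(&data, &size, &num_remove_stream);

    /* Don't check for NULL result -- no extractions is fine */
    set_roc = extract_set_roc(&data, &size, &num_set_roc);

    {
        uint8_t *ret;
        int i = 0, j = 0;

        /* One packet operation per round, until the input is exhausted or
         * an operation fails. */
        while ((ret = run_srtp_func(srtp_ctx, &data, &size)) != NULL) {
            fuzz_free(ret);

            /* Keep removing streams until the set of SSRCs extracted from the
             * fuzzer input is exhausted */
            if (i < num_remove_stream) {
                if (srtp_remove_stream(srtp_ctx, remove_stream_ssrc[i]) !=
                    srtp_err_status_ok) {
                    goto end;
                }
                i++;
            }

            /* Keep setting and getting ROCs until the set of SSRC/ROC tuples
             * extracted from the fuzzer input is exhausted */
            if (j < num_set_roc * 2) {
                uint32_t roc;
                if (srtp_set_stream_roc(srtp_ctx, set_roc[j], set_roc[j + 1]) !=
                    srtp_err_status_ok) {
                    goto end;
                }
                /* Read the ROC back for the SSRC it was just set on. The
                 * lookup used to pass set_roc[j + 1], the ROC value, as the
                 * SSRC; that would normally miss and stop the run at the
                 * first tuple, cutting off the rest of the input. */
                if (srtp_get_stream_roc(srtp_ctx, set_roc[j], &roc) !=
                    srtp_err_status_ok) {
                    goto end;
                }
                j += 2;
            }

            if (policy_chain_2 != NULL) {
                /* TODO srtp_update(srtp_ctx, policy_chain_2); */

                /* Discard after using once */
                free_policies(policy_chain_2);
                policy_chain_2 = NULL;
            }
        }
    }

end:
    /* Every pointer below is either NULL or still owned by this function. */
    free_policies(policy_chain);
    free_policies(policy_chain_2);
    fuzz_free(remove_stream_ssrc);
    fuzz_free(set_roc);
    if (srtp_ctx != NULL) {
        srtp_dealloc(srtp_ctx);
    }
    /* NOTE(review): this also runs when the seed extraction jumped here
     * before fuzz_mt19937_init(); assumes destroy is safe without a prior
     * init -- confirm in mt19937. */
    fuzz_mt19937_destroy();

    return 0;
}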