diff --git a/libfreerdp/core/test/CMakeLists.txt b/libfreerdp/core/test/CMakeLists.txt index 672924654..9b2e65405 100644 --- a/libfreerdp/core/test/CMakeLists.txt +++ b/libfreerdp/core/test/CMakeLists.txt @@ -10,7 +10,8 @@ set(${MODULE_PREFIX}_TESTS TestSettings.c) set(FUZZERS - TestFuzzFastpath.c + TestFuzzCoreClient.c + TestFuzzCoreServer.c TestFuzzCryptoCertificateDataSetPEM.c ) @@ -35,7 +36,7 @@ add_definitions(-DTESTING_SRC_DIRECTORY="${PROJECT_SOURCE_DIR}") target_link_libraries(${MODULE_NAME} freerdp winpr freerdp-client) include (AddFuzzerTest) -add_fuzzer_test("${FUZZERS}" "freerdp winpr") +add_fuzzer_test("${FUZZERS}" "freerdp-client freerdp winpr") set_target_properties(${MODULE_NAME} PROPERTIES RUNTIME_OUTPUT_DIRECTORY "${TESTING_OUTPUT_DIRECTORY}") diff --git a/libfreerdp/core/test/TestFuzzCoreClient.c b/libfreerdp/core/test/TestFuzzCoreClient.c new file mode 100644 index 000000000..5c6749791 --- /dev/null +++ b/libfreerdp/core/test/TestFuzzCoreClient.c 
@@ -0,0 +1,116 @@
+#include
+
+#include "../fastpath.h"
+#include "../surface.h"
+#include "../window.h"
+#include "../info.h"
+#include "../multitransport.h"
+
+static BOOL test_client(const uint8_t* Data, size_t Size)
+{
+ RDP_CLIENT_ENTRY_POINTS entry = { 0 };
+
+ entry.Version = RDP_CLIENT_INTERFACE_VERSION;
+ entry.Size = sizeof(RDP_CLIENT_ENTRY_POINTS_V1);
+ entry.ContextSize = sizeof(rdpContext);
+
+ rdpContext* context = freerdp_client_context_new(&entry);
+ if (!context)
+ goto fail;
+
+ rdpRdp* rdp = context->rdp;
+ WINPR_ASSERT(rdp);
+
+ wStream sbuffer = { 0 };
+ wStream* s = Stream_StaticConstInit(&sbuffer, Data, Size);
+
+ {
+ rdpFastPath* fastpath = rdp->fastpath;
+ WINPR_ASSERT(fastpath);
+
+ fastpath_recv_updates(fastpath, s);
+ fastpath_recv_inputs(fastpath, s);
+
+ UINT16 length = 0;
+ fastpath_read_header_rdp(fastpath, s, &length);
+ fastpath_decrypt(fastpath, s, &length);
+ }
+
+ {
+ UINT16 length = 0;
+ UINT16 flags = 0;
+ UINT16 channelId = 0;
+ UINT16 tpktLength = 0;
+ UINT16 remainingLength = 0;
+ UINT16 type = 0;
+ UINT16 securityFlags = 0;
+ UINT32 share_id = 0;
+ BYTE compressed_type = 0;
+ BYTE btype = 0;
+ UINT16 compressed_len = 0;
+
+ rdp_recv_callback(rdp->transport, s, rdp);
+ rdp_read_security_header(rdp, s, &flags, &length);
+ rdp_read_header(rdp, s, &length, &channelId);
+ rdp_read_share_control_header(rdp, s, &tpktLength, &remainingLength, &type, &channelId);
+ rdp_read_share_data_header(rdp, s, &length, &btype, &share_id, &compressed_type,
+ &compressed_len);
+ rdp_recv_enhanced_security_redirection_packet(rdp, s);
+ rdp_recv_out_of_sequence_pdu(rdp, s, type, length);
+ rdp_recv_message_channel_pdu(rdp, s, securityFlags);
+ }
+ {
+ rdpUpdate* update = rdp->update;
+ UINT16 channelId = 0;
+ UINT16 length = 0;
+ UINT16 pduSource = 0;
+ UINT16 pduLength = 0;
+ update_recv_order(update, s);
+ update_recv_altsec_window_order(update, s);
+ update_recv_play_sound(update, s);
+ update_recv_pointer(update, s);
+
update_recv_surfcmds(update, s); + rdp_recv_get_active_header(rdp, s, &channelId, &length); + rdp_recv_demand_active(rdp, s, pduSource, length); + rdp_recv_confirm_active(rdp, s, pduLength); + } + { + rdpNla* nla = nla_new(rdp->context, rdp->transport); + nla_recv_pdu(nla, s); + nla_free(nla); + } + { + rdp_recv_heartbeat_packet(rdp, s); + rdp->state = CONNECTION_STATE_SECURE_SETTINGS_EXCHANGE; + rdp_recv_client_info(rdp, s); + rdp_recv_save_session_info(rdp, s); + } + { + freerdp_is_valid_mcs_create_request(Data, Size); + freerdp_is_valid_mcs_create_response(Data, Size); + } + { + multitransport_recv_request(rdp->multitransport, s); + multitransport_recv_response(rdp->multitransport, s); + } + { + autodetect_recv_request_packet(rdp->autodetect, RDP_TRANSPORT_TCP, s); + autodetect_recv_response_packet(rdp->autodetect, RDP_TRANSPORT_TCP, s); + } + { + rdp_recv_deactivate_all(rdp, s); + rdp_recv_server_synchronize_pdu(rdp, s); + rdp_recv_client_synchronize_pdu(rdp, s); + + rdp_recv_data_pdu(rdp, s); + rdp_recv_font_map_pdu(rdp, s); + } +fail: + freerdp_client_context_free(context); +} + +int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) +{ + test_client(Data, Size); + return 0; +} diff --git a/libfreerdp/core/test/TestFuzzFastpath.c b/libfreerdp/core/test/TestFuzzCoreServer.c similarity index 77% rename from libfreerdp/core/test/TestFuzzFastpath.c rename to libfreerdp/core/test/TestFuzzCoreServer.c index 57f5dbd3e..cd469f447 100644 --- a/libfreerdp/core/test/TestFuzzFastpath.c +++ b/libfreerdp/core/test/TestFuzzCoreServer.c @@ -1,11 +1,12 @@ #include + #include "../fastpath.h" #include "../surface.h" #include "../window.h" #include "../info.h" #include "../multitransport.h" -int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) +static BOOL test_server(const uint8_t* Data, size_t Size) { freerdp_peer* client = calloc(1, sizeof(freerdp_peer)); if (!client) 
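Review bot: `test_client` in TestFuzzCoreClient.c is declared `static BOOL` but never returns a value: both the `goto fail` path and the normal path run off the closing brace after `freerdp_client_context_free(context);`, and `test_server` in TestFuzzCoreServer.c (last hunk, after `free(client);`) ends the same way. The caller discards the result today, so this is a `-Wreturn-type` warning rather than a crash, but it becomes undefined behaviour as soon as anyone reads the value; declare both `static void`, or end them with `return TRUE;`. A second point for the client harness: the single `wStream* s` is handed to every parser in turn and never rewound, so presumably only the first few calls see the fuzzer input and the later ones start on an already consumed stream. Re-initialising it before each block with `s = Stream_StaticConstInit(&sbuffer, Data, Size);` would give every parser the whole input and make the coverage of the later blocks meaningful.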
@@ -51,18 +52,6 @@ int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) rdp_read_share_data_header(rdp, s, &length, &btype, &share_id, &compressed_type, &compressed_len); rdp_recv_message_channel_pdu(rdp, s, securityFlags); - - freerdp_settings_set_bool(rdp->settings, FreeRDP_ServerMode, FALSE); - rdp_recv_callback(rdp->transport, s, rdp); - rdp_read_security_header(rdp, s, &flags, &length); - rdp_read_header(rdp, s, &length, &channelId); - rdp_read_share_control_header(rdp, s, &tpktLength, &remainingLength, &type, &channelId); - rdp_read_share_data_header(rdp, s, &length, &btype, &share_id, &compressed_type, - &compressed_len); - rdp_recv_enhanced_security_redirection_packet(rdp, s); - rdp_recv_out_of_sequence_pdu(rdp, s, type, length); - rdp_recv_message_channel_pdu(rdp, s, securityFlags); - freerdp_settings_set_bool(rdp->settings, FreeRDP_ServerMode, TRUE); } { rdpUpdate* update = rdp->update; @@ -106,13 +95,14 @@ int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) rdp_recv_deactivate_all(rdp, s); rdp_recv_server_synchronize_pdu(rdp, s); rdp_recv_client_synchronize_pdu(rdp, s); - - freerdp_settings_set_bool(rdp->settings, FreeRDP_ServerMode, FALSE); - rdp_recv_data_pdu(rdp, s); - rdp_recv_font_map_pdu(rdp, s); } fail: freerdp_peer_context_free(client); free(client); +} + +int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) +{ + test_server(Data, Size); return 0; }