Analyze libfuzzer findings
So I managed to build the Wireshark libFuzzer-style fuzzers like this:
mkdir build-fuzz
cd build-fuzz
cmake -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DENABLE_FUZZER=1 -DENABLE_ASAN=1 -DENABLE_UBSAN=1 ..
ninja all-fuzzers
And to start the actual fuzzing I do:
mkdir corpus-$proto new-corpus-$proto
cp /path/to/$proto-pdu new-corpus-$proto
./run/fuzzshark_tcp_port-$proto new-corpus-$proto corpus-$proto
Is my understanding correct that the corpus files are just the inner-most raw protocol PDUs (i.e. without any PCAP/link-layer/ip/tcp headers), and not complete PCAP files?
At least the files generated in the new-corpus-$proto directory aren't valid PCAP files.
There is samples_to_pcap.c that looks like it's usable for turning corpus files into PCAP files for easier inspection. Is this a correct assessment?
However, I tried to convert some new-corpus-$proto files with samples_to_pcap, and a lot of the time tshark doesn't even apply the $proto dissector because it reports 'TCP segment of a reassembled PDU'.
Another thing that isn't clear to me: how is one supposed to deal with DISSECTOR_ASSERT* failures during fuzzing?
I mean I'm interested in the exact input that triggered the assertion.
However, the fuzzing continues and I'm just seeing the assertion failure messages running by, without an indication of where to find the input that generated an assertion.
Do I have to turn these assertions into crashes?
I tried that (by explicitly calling abort()) and then fuzzing stops and extra crash-... files are written into the current working directory. But again, using samples_to_pcap I only get pcaps where tshark insists on skipping the $proto dissector because of 'TCP segment of a reassembled PDU'.