Analyze libfuzzer findings

asked 2021-11-16 12:32:56 +0000

So I managed to build the wireshark libfuzzer style fuzzers like this:

mkdir build-fuzz
cd build-fuzz
ninja all-fuzzers

And to start the actual fuzzing I do:

mkdir corpus-$proto new-corpus-$proto
cp /path/to/$proto-pdu new-corpus-$proto
./run/fuzzshark_tcp_port-$proto new-corpus-$proto corpus-$proto

Is my understanding correct that the corpus files are just the inner-most raw protocol PDUs (i.e. without any PCAP/link-layer/ip/tcp headers), and not complete PCAP files?

At least the files generated in the new-corpus-$proto directory aren't valid PCAP files.

There is samples_to_pcap.c that looks like it's usable for turning corpus files into PCAP files for easier inspection. Is this a correct assessment?

However, I tried to convert some new-corpus-$proto files with samples_to_pcap and a lot of the time tshark doesn't even apply the $proto dissector because it reports 'TCP segment of a reassembled PDU'.

Another thing that isn't clear to me: How is one supposed to deal with DISSECTOR_ASSERT* failures during fuzzing?

I mean I'm interested in the exact input that triggered the assertion.

However, the fuzzing continues and I;m just seeing the assertion failure messages running by - without an indication where to find the input that generated an assertion.

Do I have to turn these assertions into crashes?

I tried that (by explicitly calling abort()) and then fuzzing stops and then extra crash-... files are written into the current working directory. But again, using samples_to_pcap I only get pcaps where tshark insists on skipping the $proto dissector because of 'TCP segment of a reassembled PDU'.

edit retag flag offensive close merge delete