Diffstat (limited to 'azalea-protocol')
-rw-r--r--azalea-protocol/Cargo.toml2
-rw-r--r--azalea-protocol/fuzz/.gitignore4
-rw-r--r--azalea-protocol/fuzz/Cargo.toml75
-rw-r--r--azalea-protocol/fuzz/README.md10
-rw-r--r--azalea-protocol/fuzz/fuzz_targets/clientbound_config.rs10
-rw-r--r--azalea-protocol/fuzz/fuzz_targets/clientbound_game.rs10
-rw-r--r--azalea-protocol/fuzz/fuzz_targets/clientbound_handshake.rs10
-rw-r--r--azalea-protocol/fuzz/fuzz_targets/clientbound_login.rs10
-rw-r--r--azalea-protocol/fuzz/fuzz_targets/clientbound_status.rs10
-rw-r--r--azalea-protocol/fuzz/fuzz_targets/serverbound_config.rs10
-rw-r--r--azalea-protocol/fuzz/fuzz_targets/serverbound_game.rs10
-rw-r--r--azalea-protocol/fuzz/fuzz_targets/serverbound_handshake.rs10
-rw-r--r--azalea-protocol/fuzz/fuzz_targets/serverbound_login.rs10
-rw-r--r--azalea-protocol/fuzz/fuzz_targets/serverbound_status.rs10
-rw-r--r--azalea-protocol/src/common/tags.rs4
-rw-r--r--azalea-protocol/src/read.rs33
16 files changed, 225 insertions, 3 deletions
diff --git a/azalea-protocol/Cargo.toml b/azalea-protocol/Cargo.toml
index 59991274..c7b0fd57 100644
--- a/azalea-protocol/Cargo.toml
+++ b/azalea-protocol/Cargo.toml
@@ -43,7 +43,7 @@ indexmap.workspace = true
reqwest = { workspace = true, optional = true, features = ["socks"] }
[features]
-default = ["online-mode"]
+default = ["online-mode", "connecting"]
connecting = []
online-mode = ["azalea-auth/online-mode", "dep:reqwest"]
bevy_ecs = ["dep:bevy_ecs", "azalea-entity/bevy_ecs", "azalea-core/bevy_ecs"]
diff --git a/azalea-protocol/fuzz/.gitignore b/azalea-protocol/fuzz/.gitignore
new file mode 100644
index 00000000..1a45eee7
--- /dev/null
+++ b/azalea-protocol/fuzz/.gitignore
@@ -0,0 +1,4 @@
+target
+corpus
+artifacts
+coverage
diff --git a/azalea-protocol/fuzz/Cargo.toml b/azalea-protocol/fuzz/Cargo.toml
new file mode 100644
index 00000000..37e4e606
--- /dev/null
+++ b/azalea-protocol/fuzz/Cargo.toml
@@ -0,0 +1,75 @@
+[package]
+name = "azalea-fuzz"
+version = "0.0.0"
+publish = false
+edition = "2024"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+azalea-protocol = { path = "..", default-features = false }
+
+[[bin]]
+name = "clientbound_config"
+path = "fuzz_targets/clientbound_config.rs"
+test = false
+doc = false
+bench = false
+[[bin]]
+name = "clientbound_game"
+path = "fuzz_targets/clientbound_game.rs"
+test = false
+doc = false
+bench = false
+[[bin]]
+name = "clientbound_handshake"
+path = "fuzz_targets/clientbound_handshake.rs"
+test = false
+doc = false
+bench = false
+[[bin]]
+name = "clientbound_login"
+path = "fuzz_targets/clientbound_login.rs"
+test = false
+doc = false
+bench = false
+[[bin]]
+name = "clientbound_status"
+path = "fuzz_targets/clientbound_status.rs"
+test = false
+doc = false
+bench = false
+
+
+[[bin]]
+name = "serverbound_config"
+path = "fuzz_targets/serverbound_config.rs"
+test = false
+doc = false
+bench = false
+[[bin]]
+name = "serverbound_game"
+path = "fuzz_targets/serverbound_game.rs"
+test = false
+doc = false
+bench = false
+[[bin]]
+name = "serverbound_handshake"
+path = "fuzz_targets/serverbound_handshake.rs"
+test = false
+doc = false
+bench = false
+[[bin]]
+name = "serverbound_login"
+path = "fuzz_targets/serverbound_login.rs"
+test = false
+doc = false
+bench = false
+[[bin]]
+name = "serverbound_status"
+path = "fuzz_targets/serverbound_status.rs"
+test = false
+doc = false
+bench = false
diff --git a/azalea-protocol/fuzz/README.md b/azalea-protocol/fuzz/README.md
new file mode 100644
index 00000000..42ae188c
--- /dev/null
+++ b/azalea-protocol/fuzz/README.md
@@ -0,0 +1,10 @@
+Fuzzing for `azalea-protocol`.
+
+## Usage
+
+```sh
+cargo fuzz run clientbound_game # {clientbound,serverbound}_{config,game,handshake,login,status}
+# optionally, add `-s none` for a speedup at the cost of catching less memory safety issues
+# see https://appsec.guide/docs/fuzzing/rust/cargo-fuzz/#addresssanitizer
+```
+
diff --git a/azalea-protocol/fuzz/fuzz_targets/clientbound_config.rs b/azalea-protocol/fuzz/fuzz_targets/clientbound_config.rs
new file mode 100644
index 00000000..79ffd95b
--- /dev/null
+++ b/azalea-protocol/fuzz/fuzz_targets/clientbound_config.rs
@@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use azalea_protocol::{packets::config::ClientboundConfigPacket, read::deserialize_packet};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = deserialize_packet::<ClientboundConfigPacket>(&mut Cursor::new(data));
+});
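Review bot: The target discards the result with `let _ =`, so only panics, aborts and sanitizer reports count as findings; a packet that decodes successfully into a value that cannot be encoded and decoded again goes unnoticed. On `Ok(packet)` consider serializing the packet and asserting that a second decode succeeds, which turns the same corpus into a round-trip check. The bytes also go straight into `deserialize_packet`, so whatever length framing or decompression sits in front of it in the real read path is presumably not covered and would need its own target. The same applies to the other nine targets (`clientbound_game.rs` through `serverbound_status.rs`), which differ only in the packet type; a short comment at the top of each, such as `// raw packet bytes, no framing; only panics and OOM are findings`, would document that scope.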
diff --git a/azalea-protocol/fuzz/fuzz_targets/clientbound_game.rs b/azalea-protocol/fuzz/fuzz_targets/clientbound_game.rs
new file mode 100644
index 00000000..a253a859
--- /dev/null
+++ b/azalea-protocol/fuzz/fuzz_targets/clientbound_game.rs
@@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use azalea_protocol::{packets::game::ClientboundGamePacket, read::deserialize_packet};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = deserialize_packet::<ClientboundGamePacket>(&mut Cursor::new(data));
+});
diff --git a/azalea-protocol/fuzz/fuzz_targets/clientbound_handshake.rs b/azalea-protocol/fuzz/fuzz_targets/clientbound_handshake.rs
new file mode 100644
index 00000000..84061965
--- /dev/null
+++ b/azalea-protocol/fuzz/fuzz_targets/clientbound_handshake.rs
@@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use azalea_protocol::{packets::handshake::ClientboundHandshakePacket, read::deserialize_packet};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = deserialize_packet::<ClientboundHandshakePacket>(&mut Cursor::new(data));
+});
diff --git a/azalea-protocol/fuzz/fuzz_targets/clientbound_login.rs b/azalea-protocol/fuzz/fuzz_targets/clientbound_login.rs
new file mode 100644
index 00000000..6339fcea
--- /dev/null
+++ b/azalea-protocol/fuzz/fuzz_targets/clientbound_login.rs
@@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use azalea_protocol::{packets::login::ClientboundLoginPacket, read::deserialize_packet};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = deserialize_packet::<ClientboundLoginPacket>(&mut Cursor::new(data));
+});
diff --git a/azalea-protocol/fuzz/fuzz_targets/clientbound_status.rs b/azalea-protocol/fuzz/fuzz_targets/clientbound_status.rs
new file mode 100644
index 00000000..38264f64
--- /dev/null
+++ b/azalea-protocol/fuzz/fuzz_targets/clientbound_status.rs
@@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use azalea_protocol::{packets::status::ClientboundStatusPacket, read::deserialize_packet};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = deserialize_packet::<ClientboundStatusPacket>(&mut Cursor::new(data));
+});
diff --git a/azalea-protocol/fuzz/fuzz_targets/serverbound_config.rs b/azalea-protocol/fuzz/fuzz_targets/serverbound_config.rs
new file mode 100644
index 00000000..d2a13d1d
--- /dev/null
+++ b/azalea-protocol/fuzz/fuzz_targets/serverbound_config.rs
@@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use azalea_protocol::{packets::config::ServerboundConfigPacket, read::deserialize_packet};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = deserialize_packet::<ServerboundConfigPacket>(&mut Cursor::new(data));
+});
diff --git a/azalea-protocol/fuzz/fuzz_targets/serverbound_game.rs b/azalea-protocol/fuzz/fuzz_targets/serverbound_game.rs
new file mode 100644
index 00000000..8891485c
--- /dev/null
+++ b/azalea-protocol/fuzz/fuzz_targets/serverbound_game.rs
@@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use azalea_protocol::{packets::game::ServerboundGamePacket, read::deserialize_packet};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = deserialize_packet::<ServerboundGamePacket>(&mut Cursor::new(data));
+});
diff --git a/azalea-protocol/fuzz/fuzz_targets/serverbound_handshake.rs b/azalea-protocol/fuzz/fuzz_targets/serverbound_handshake.rs
new file mode 100644
index 00000000..be3fca35
--- /dev/null
+++ b/azalea-protocol/fuzz/fuzz_targets/serverbound_handshake.rs
@@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use azalea_protocol::{packets::handshake::ServerboundHandshakePacket, read::deserialize_packet};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = deserialize_packet::<ServerboundHandshakePacket>(&mut Cursor::new(data));
+});
diff --git a/azalea-protocol/fuzz/fuzz_targets/serverbound_login.rs b/azalea-protocol/fuzz/fuzz_targets/serverbound_login.rs
new file mode 100644
index 00000000..e0e4a384
--- /dev/null
+++ b/azalea-protocol/fuzz/fuzz_targets/serverbound_login.rs
@@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use azalea_protocol::{packets::login::ServerboundLoginPacket, read::deserialize_packet};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = deserialize_packet::<ServerboundLoginPacket>(&mut Cursor::new(data));
+});
diff --git a/azalea-protocol/fuzz/fuzz_targets/serverbound_status.rs b/azalea-protocol/fuzz/fuzz_targets/serverbound_status.rs
new file mode 100644
index 00000000..65429b29
--- /dev/null
+++ b/azalea-protocol/fuzz/fuzz_targets/serverbound_status.rs
@@ -0,0 +1,10 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use azalea_protocol::{packets::status::ServerboundStatusPacket, read::deserialize_packet};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = deserialize_packet::<ServerboundStatusPacket>(&mut Cursor::new(data));
+});
diff --git a/azalea-protocol/src/common/tags.rs b/azalea-protocol/src/common/tags.rs
index f22175ee..3f9a2ef2 100644
--- a/azalea-protocol/src/common/tags.rs
+++ b/azalea-protocol/src/common/tags.rs
@@ -19,11 +19,11 @@ pub struct Tags {
impl AzaleaRead for TagMap {
fn azalea_read(buf: &mut Cursor<&[u8]>) -> Result<Self, BufReadError> {
let length = u32::azalea_read_var(buf)? as usize;
- let mut data = IndexMap::with_capacity(length);
+ let mut data = IndexMap::new();
for _ in 0..length {
let tag_type = Identifier::azalea_read(buf)?;
let tags_count = i32::azalea_read_var(buf)? as usize;
- let mut tags_vec = Vec::with_capacity(tags_count);
+ let mut tags_vec = Vec::new();
for _ in 0..tags_count {
let tags = Tags::azalea_read(buf)?;
tags_vec.push(tags);
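Review bot: Replacing `with_capacity(length)` with `new()` removes the allocation sized by the wire value, but it also drops preallocation for well-formed packets; capping the hint keeps both, e.g. `IndexMap::with_capacity(length.min(buf.get_ref().len()))` and likewise for `tags_vec`, assuming every entry consumes at least one byte of input. Separately, `i32::azalea_read_var(buf)? as usize` on the context line turns a negative count into a very large `usize`, so the inner loop ends only when a read fails; rejecting negative counts before the loop would make the bound explicit. Any other reader that sizes a collection from a length taken off the wire would need the same treatment. The body of `azalea_read` continues past the end of this hunk.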
diff --git a/azalea-protocol/src/read.rs b/azalea-protocol/src/read.rs
index d6c8c65a..664e2593 100644
--- a/azalea-protocol/src/read.rs
+++ b/azalea-protocol/src/read.rs
@@ -401,3 +401,36 @@ where
Ok(Some(buf))
}
+
+#[cfg(test)]
+mod tests {
+ use std::io::Cursor;
+
+ use crate::{packets::game::ClientboundGamePacket, read::deserialize_packet};
+
+ #[test]
+ fn fuzzed_1() {
+ // oom: checks for unbounded TagMap
+ let _ = deserialize_packet::<ClientboundGamePacket>(&mut Cursor::new(
+ [132, 1, 255, 255, 255, 255, 255].as_slice(),
+ ));
+ }
+ #[test]
+ fn fuzzed_2() {
+ // oom: also checks for unbounded TagMap
+ let _ = deserialize_packet::<ClientboundGamePacket>(&mut Cursor::new(
+ [132, 1, 75, 0, 255, 255, 255, 255, 24, 0].as_slice(),
+ ));
+ }
+ #[test]
+ fn fuzzed_3() {
+ // panic: integer overflow in HolderSet::azalea_read
+ let _ = deserialize_packet::<ClientboundGamePacket>(&mut Cursor::new(
+ [
+ 94, 44, 157, 38, 61, 37, 37, 37, 37, 37, 37, 65, 128, 128, 1, 1, 255, 252, 128,
+ 128, 128, 128, 128, 128, 128, 40, 0,
+ ]
+ .as_slice(),
+ ));
+ }
+}
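Review bot: Each regression test throws the result away with `let _ =`, so it passes for any outcome short of a panic or abort, and `fuzzed_3` guards an integer-overflow panic that only fires when overflow checks are enabled (the default for debug test builds, not for `--release`). If these truncated inputs are expected to be rejected, asserting it pins the behaviour: `assert!(deserialize_packet::<ClientboundGamePacket>(&mut Cursor::new(bytes.as_slice())).is_err());`. The `HolderSet::azalea_read` change that `fuzzed_3` refers to is not in the visible diff, which is limited to `azalea-protocol`, so confirm that it landed with this commit. Names that say what is covered, such as `tag_map_huge_length_does_not_oom`, would read better than `fuzzed_N`.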