zebra: add fuzzing shim

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>

diff --git a/zebra/main.c b/zebra/main.c
index 038022ceb28649d8a6e1f82f94549824909de1ab..f7a017056f23925bf3ccd1c515b7988df4684234 100644 (file)
--- a/zebra/main.c
+++ b/zebra/main.c
@@ -35,6 +35,8 @@
 #include "libfrr.h"
 #include "routemap.h"
 #include "routing_nb.h"
+#include "fuzz.h"
+#include "frr_pthread.h"
 
 #include "zebra/zebra_router.h"
 #include "zebra/zebra_errors.h"
@@ -59,6 +61,7 @@
 #include "zebra/zebra_srte.h"
 #include "zebra/zebra_srv6.h"
 #include "zebra/zebra_srv6_vty.h"
+#include "zebra/zapi_msg.h"
 
 #define ZEBRA_PTM_SUPPORT
 
@@ -287,16 +290,65 @@ int main(int argc, char **argv)
        bool asic_offload = false;
        bool notify_on_ack = true;
 
+#if defined(HANDLE_NETLINK_FUZZING)
+       char *netlink_fuzzing = NULL;
+#endif /* HANDLE_NETLINK_FUZZING */
+
        graceful_restart = 0;
        vrf_configure_backend(VRF_BACKEND_VRF_LITE);
 
        frr_preinit(&zebra_di, argc, argv);
 
+#ifdef FUZZING
+       zrouter.master = frr_init_fast();
+
+       /* Zebra related initialize. */
+       zebra_router_init();
+       zserv_init();
+       rib_init();
+       zebra_if_init();
+       zebra_debug_init();
+       router_id_cmd_init();
+       zebra_ns_init((const char *)vrf_default_name_configured);
+       zebra_vty_init();
+       access_list_init();
+       prefix_list_init();
+       zebra_mpls_init();
+       zebra_mpls_vty_init();
+       zebra_pw_vty_init();
+       zebra_pbr_init();
+       zrouter.startup_time = monotime(NULL);
+       label_manager_init();
+       zebra_rnh_init();
+       zebra_evpn_init();
+       zebra_error_init();
+       frr_pthread_init();
+
+       struct zserv *zc = zserv_client_create(69);
+
+#ifdef __AFL_HAVE_MANUAL_CONTROL
+       __AFL_INIT();
+#endif /* __AFL_HAVE_MANUAL_CONTROL */
+
+       uint8_t *input;
+       int r = frrfuzz_read_input(&input);
+
+       struct stream *s = stream_new(r + 1);
+       stream_put(s, input, r);
+
+       zserv_handle_commands(zc, s);
+
+       exit(0);
+#endif /* FUZZING */
+
        frr_opt_add(
                "baz:e:o:rK:"
 #ifdef HAVE_NETLINK
                "s:n"
 #endif
+#if defined(HANDLE_NETLINK_FUZZING)
+               "w:"
+#endif /* HANDLE_NETLINK_FUZZING */
                ,
                longopts,
                "  -b, --batch              Runs in batch mode\n"
@@ -312,6 +364,9 @@ int main(int argc, char **argv)
                "  -s, --nl-bufsize         Set netlink receive buffer size\n"
                "      --v6-rr-semantics    Use v6 RR semantics\n"
 #endif /* HAVE_NETLINK */
+#if defined(HANDLE_NETLINK_FUZZING)
+               "  -w <file>                Bypass normal startup and use this file for testing of netlink input\n"
+#endif /* HANDLE_NETLINK_FUZZING */
        );
 
        while (1) {
@@ -380,6 +435,16 @@ int main(int argc, char **argv)
                        asic_offload = true;
                        break;
 #endif /* HAVE_NETLINK */
+#if defined(HANDLE_NETLINK_FUZZING)
+               case 'w':
+                       netlink_fuzzing = optarg;
+                       /* This ensures we are aren't writing any of the
+                        * startup netlink messages that happen when we
+                        * just want to read.
+                        */
+                       netlink_read = true;
+                       break;
+#endif /* HANDLE_NETLINK_FUZZING */
                default:
                        frr_help_exit(1);
                }
@@ -467,6 +532,14 @@ int main(int argc, char **argv)
        /* Error init */
        zebra_error_init();
 
+#if defined(HANDLE_NETLINK_FUZZING)
+       if (netlink_fuzzing) {
+               netlink_read_init(netlink_fuzzing);
+               exit(0);
+       }
+#endif /* HANDLE_NETLINK_FUZZING */
+
+
        frr_run(zrouter.master);
 
        /* Not reached... */

diff --git a/zebra/zapi_msg.c b/zebra/zapi_msg.c
index 85721d7d7052a5f0ddeff04f334bf926d4fa4bc4..d1cd92eb07d33ee8f996c5521aba52d0ff1ad6b9 100644 (file)
--- a/zebra/zapi_msg.c
+++ b/zebra/zapi_msg.c
@@ -3781,7 +3781,6 @@ void zserv_handle_commands(struct zserv *client, struct stream_fifo *fifo)
                        zserv_log_message(NULL, msg, &hdr);
 
                hdr.length -= ZEBRA_HEADER_SIZE;
-
                /* Before checking for a handler function, check for
                 * special messages that are handled in another module;
                 * we'll treat these as opaque.

diff --git a/zebra/zserv.c b/zebra/zserv.c
index abb9c5ca5dc2d5e5184795b0d432885b5691338b..3cc0f5b2b8ca217edc19c996fd121346302a8335 100644 (file)
--- a/zebra/zserv.c
+++ b/zebra/zserv.c
@@ -732,7 +732,7 @@ static int zserv_handle_client_fail(struct thread *thread)
  * sock
  *    client's socket file descriptor
  */
-static struct zserv *zserv_client_create(int sock)
+struct zserv *zserv_client_create(int sock)
 {
        struct zserv *client;
        size_t stream_size =
@@ -785,7 +785,9 @@ static struct zserv *zserv_client_create(int sock)
        hook_call(zserv_client_connect, client);
 
        /* start pthread */
+#ifndef FUZZING
        frr_pthread_run(client->pthread, NULL);
+#endif
 
        return client;
 }

diff --git a/zebra/zserv.h b/zebra/zserv.h
index 203670ac1dd5186f33c376c1424aa62004cbb83c..d19f330dbba011dadcf0167fd7a245c65fdd66da 100644 (file)
--- a/zebra/zserv.h
+++ b/zebra/zserv.h
@@ -391,6 +391,10 @@ extern void zread_client_capabilities(struct zserv *client, struct zmsghdr *hdr,
                                      struct stream *msg,
                                      struct zebra_vrf *zvrf);
 
+#ifdef FUZZING
+struct zserv *zserv_client_create(int sock);
+#endif
+
 #ifdef __cplusplus
 }
 #endif