Add fuzzers for SDP and STUN parsing.

Add fuzzers for SDP and STUN parsing.

The STUN fuzzer is split into two parts: validation and parsing. The
latter should be able to handle invalid packets instead of assuming
the validation deals with them, since an adversary could set a valid
HMAC on an invalid packet.

NOTRY=true

Committed: https://crrev.com/7b496e026b0de7e42945cefc2c0165c8bd807af8
Cr-Commit-Position: refs/heads/master@{#13050}

[katrielc, 2016-06-06 16:12:38]

katrielc@chromium.org changed reviewers:
+ katrielc@chromium.org, pbos@webrtc.org

[katrielc, 2016-06-06 16:14:50]

On 2016/06/06 16:12:39, katrielc wrote:

FWIW I have corpora for both of these, but haven't checked them in until we sort
out how to do that properly for webrtc libfuzzers (in progress).

[pbos-webrtc, 2016-06-06 16:20:43]

https://codereview.webrtc.org/2044523002/diff/1/webrtc/test/fuzzers/sdp_parse...
File webrtc/test/fuzzers/sdp_parser_fuzzer.cc (right):

https://codereview.webrtc.org/2044523002/diff/1/webrtc/test/fuzzers/sdp_parse...
webrtc/test/fuzzers/sdp_parser_fuzzer.cc:21: CreateSessionDescription("offer",
message, &error);
Does this leak a description? unique_ptr?

https://codereview.webrtc.org/2044523002/diff/1/webrtc/test/fuzzers/stun_pars...
File webrtc/test/fuzzers/stun_parser_fuzzer.cc (right):

https://codereview.webrtc.org/2044523002/diff/1/webrtc/test/fuzzers/stun_pars...
webrtc/test/fuzzers/stun_parser_fuzzer.cc:20: // Normally we'd check the
integrity first; that's done elsewhere.
"but integrity is fuzzed separately in stun_validator_fuzzer.cc", or otherwise
motivate why the attack surface is still valid.

https://codereview.webrtc.org/2044523002/diff/1/webrtc/test/fuzzers/stun_vali...
File webrtc/test/fuzzers/stun_validator_fuzzer.cc (right):

https://codereview.webrtc.org/2044523002/diff/1/webrtc/test/fuzzers/stun_vali...
webrtc/test/fuzzers/stun_validator_fuzzer.cc:18: auto message =
reinterpret_cast<const char*>(data);
replace auto with const char* or inline the cast below

[katrielc, 2016-06-06 16:32:21]

https://codereview.webrtc.org/2044523002/diff/1/webrtc/test/fuzzers/sdp_parse...
File webrtc/test/fuzzers/sdp_parser_fuzzer.cc (right):

https://codereview.webrtc.org/2044523002/diff/1/webrtc/test/fuzzers/sdp_parse...
webrtc/test/fuzzers/sdp_parser_fuzzer.cc:21: CreateSessionDescription("offer",
message, &error);
On 2016/06/06 16:20:42, pbos-webrtc wrote:
> Does this leak a description? unique_ptr?

Done.

https://codereview.webrtc.org/2044523002/diff/1/webrtc/test/fuzzers/stun_pars...
File webrtc/test/fuzzers/stun_parser_fuzzer.cc (right):

https://codereview.webrtc.org/2044523002/diff/1/webrtc/test/fuzzers/stun_pars...
webrtc/test/fuzzers/stun_parser_fuzzer.cc:20: // Normally we'd check the
integrity first; that's done elsewhere.
On 2016/06/06 16:20:42, pbos-webrtc wrote:
> "but integrity is fuzzed separately in stun_validator_fuzzer.cc", or otherwise
> motivate why the attack surface is still valid.

Done.

https://codereview.webrtc.org/2044523002/diff/1/webrtc/test/fuzzers/stun_vali...
File webrtc/test/fuzzers/stun_validator_fuzzer.cc (right):

https://codereview.webrtc.org/2044523002/diff/1/webrtc/test/fuzzers/stun_vali...
webrtc/test/fuzzers/stun_validator_fuzzer.cc:18: auto message =
reinterpret_cast<const char*>(data);
On 2016/06/06 16:20:43, pbos-webrtc wrote:
> replace auto with const char* or inline the cast below

Done.

[pbos-webrtc, 2016-06-06 16:37:13]

lgtm

[katrielc, 2016-06-06 16:42:59]

Description was changed from

==========
Add fuzzers for SDP and STUN parsing.

The STUN fuzzer is split into two parts: validation and parsing. The
latter should be able to handle invalid packets instead of assuming
the validation deals with them, since an adversary could set a valid
HMAC on an invalid packet.
==========

to

==========
Add fuzzers for SDP and STUN parsing.

The STUN fuzzer is split into two parts: validation and parsing. The
latter should be able to handle invalid packets instead of assuming
the validation deals with them, since an adversary could set a valid
HMAC on an invalid packet.

NOTRY=trye
==========

[katrielc, 2016-06-06 16:43:00]

katrielc@chromium.org changed reviewers:
- katrielc@chromium.org

[katrielc, 2016-06-06 16:43:16]

Description was changed from

==========
Add fuzzers for SDP and STUN parsing.

The STUN fuzzer is split into two parts: validation and parsing. The
latter should be able to handle invalid packets instead of assuming
the validation deals with them, since an adversary could set a valid
HMAC on an invalid packet.

NOTRY=trye
==========

to

==========
Add fuzzers for SDP and STUN parsing.

The STUN fuzzer is split into two parts: validation and parsing. The
latter should be able to handle invalid packets instead of assuming
the validation deals with them, since an adversary could set a valid
HMAC on an invalid packet.

NOTRY=true
==========

[katrielc1, 2016-06-06 16:43:38]

The CQ bit was checked by katrielc@webrtc.org

[commit-bot: I haz the power, 2016-06-06 16:43:49]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/2044523002/20001

[commit-bot: I haz the power, 2016-06-06 16:45:32]

Description was changed from

==========
Add fuzzers for SDP and STUN parsing.

The STUN fuzzer is split into two parts: validation and parsing. The
latter should be able to handle invalid packets instead of assuming
the validation deals with them, since an adversary could set a valid
HMAC on an invalid packet.

NOTRY=true
==========

to

==========
Add fuzzers for SDP and STUN parsing.

The STUN fuzzer is split into two parts: validation and parsing. The
latter should be able to handle invalid packets instead of assuming
the validation deals with them, since an adversary could set a valid
HMAC on an invalid packet.

NOTRY=true
==========

[commit-bot: I haz the power, 2016-06-06 16:45:33]

Committed patchset #2 (id:20001)

[commit-bot: I haz the power, 2016-06-06 16:45:37]

Description was changed from

==========
Add fuzzers for SDP and STUN parsing.

The STUN fuzzer is split into two parts: validation and parsing. The
latter should be able to handle invalid packets instead of assuming
the validation deals with them, since an adversary could set a valid
HMAC on an invalid packet.

NOTRY=true
==========

to

==========
Add fuzzers for SDP and STUN parsing.

The STUN fuzzer is split into two parts: validation and parsing. The
latter should be able to handle invalid packets instead of assuming
the validation deals with them, since an adversary could set a valid
HMAC on an invalid packet.

NOTRY=true

Committed: https://crrev.com/7b496e026b0de7e42945cefc2c0165c8bd807af8
Cr-Commit-Position: refs/heads/master@{#13050}
==========

[commit-bot: I haz the power, 2016-06-06 16:45:38]

Patchset 2 (id:??) landed as
https://crrev.com/7b496e026b0de7e42945cefc2c0165c8bd807af8
Cr-Commit-Position: refs/heads/master@{#13050}

[aizatsky, 2016-06-09 21:10:19]

aizatsky@chromium.org changed reviewers:
+ aizatsky@chromium.org

[aizatsky, 2016-06-09 21:10:20]

I think this change breaks libfuzzer build:

ERROR at //third_party/webrtc/test/fuzzers/BUILD.gn:92:5: Can't load input file.
    "//webrtc/api:libjingle_peerconnection",
    ^--------------------------------------
Unable to load:
  /usr/local/google/home/aizatsky/src/chrome/src/webrtc/api/BUILD.gn
I also checked in the secondary tree for:
 
/usr/local/google/home/aizatsky/src/chrome/src/build/secondary/webrtc/api/BUILD.gn

[pbos-webrtc, 2016-06-09 21:12:12]

On 2016/06/09 21:10:20, aizatsky wrote:
> I think this change breaks libfuzzer build:
> 
> ERROR at //third_party/webrtc/test/fuzzers/BUILD.gn:92:5: Can't load input
file.
>     "//webrtc/api:libjingle_peerconnection",
>     ^--------------------------------------
> Unable to load:
>   /usr/local/google/home/aizatsky/src/chrome/src/webrtc/api/BUILD.gn
> I also checked in the secondary tree for:
>  
>
/usr/local/google/home/aizatsky/src/chrome/src/build/secondary/webrtc/api/BUILD.gn

Yes, this should have been ../../api and ../../p2p respectively. Will do a CL
and TBR it.

[pbos-webrtc, 2016-06-09 21:17:04]

On 2016/06/09 21:12:12, pbos-webrtc wrote:
> On 2016/06/09 21:10:20, aizatsky wrote:
> > I think this change breaks libfuzzer build:
> > 
> > ERROR at //third_party/webrtc/test/fuzzers/BUILD.gn:92:5: Can't load input
> file.
> >     "//webrtc/api:libjingle_peerconnection",
> >     ^--------------------------------------
> > Unable to load:
> >   /usr/local/google/home/aizatsky/src/chrome/src/webrtc/api/BUILD.gn
> > I also checked in the secondary tree for:
> >  
> >
>
/usr/local/google/home/aizatsky/src/chrome/src/build/secondary/webrtc/api/BUILD.gn
> 
> Yes, this should have been ../../api and ../../p2p respectively. Will do a CL
> and TBR it.

CL here: https://codereview.webrtc.org/2053093002/