summaryrefslogtreecommitdiffstats
path: root/CAN-binder/libs/nanopb/tests/fuzztest
diff options
context:
space:
mode:
authorRomain Forlot <romain.forlot@iot.bzh>2017-05-02 17:51:53 +0200
committerRomain Forlot <romain.forlot@iot.bzh>2017-05-02 17:51:53 +0200
commit3102ec9ce009d0f28355c5b7df9c5bd5013e6e75 (patch)
tree80a1ea19ff06cc9308b236a0d8d6358d21dd0381 /CAN-binder/libs/nanopb/tests/fuzztest
parent12e680a3c97a2750c657a8c561a79706f3689149 (diff)
parent278ffb890e3d8722e4c7d824baaf221a1e375fc4 (diff)
Add 'CAN-binder/libs/nanopb/' from commit '278ffb890e3d8722e4c7d824baaf221a1e375fc4'
git-subtree-dir: CAN-binder/libs/nanopb git-subtree-mainline: 12e680a3c97a2750c657a8c561a79706f3689149 git-subtree-split: 278ffb890e3d8722e4c7d824baaf221a1e375fc4
Diffstat (limited to 'CAN-binder/libs/nanopb/tests/fuzztest')
-rw-r--r--CAN-binder/libs/nanopb/tests/fuzztest/SConscript43
-rw-r--r--CAN-binder/libs/nanopb/tests/fuzztest/alltypes_pointer.options3
-rw-r--r--CAN-binder/libs/nanopb/tests/fuzztest/alltypes_static.options4
-rw-r--r--CAN-binder/libs/nanopb/tests/fuzztest/fuzzstub.c189
-rw-r--r--CAN-binder/libs/nanopb/tests/fuzztest/fuzztest.c432
-rw-r--r--CAN-binder/libs/nanopb/tests/fuzztest/generate_message.c101
-rwxr-xr-xCAN-binder/libs/nanopb/tests/fuzztest/run_radamsa.sh12
-rw-r--r--CAN-binder/libs/nanopb/tests/fuzztest/sample_data/sample1.pbbin0 -> 573 bytes
-rw-r--r--CAN-binder/libs/nanopb/tests/fuzztest/sample_data/sample2.pbbin0 -> 466 bytes
9 files changed, 784 insertions, 0 deletions
diff --git a/CAN-binder/libs/nanopb/tests/fuzztest/SConscript b/CAN-binder/libs/nanopb/tests/fuzztest/SConscript
new file mode 100644
index 0000000..d2fb689
--- /dev/null
+++ b/CAN-binder/libs/nanopb/tests/fuzztest/SConscript
@@ -0,0 +1,43 @@
+# Run a fuzz test to verify robustness against corrupted/malicious data.
+
+Import("env", "malloc_env")
+
+def set_pkgname(src, dst, pkgname):
+ data = open(str(src)).read()
+ placeholder = '// package name placeholder'
+ assert placeholder in data
+ data = data.replace(placeholder, 'package %s;' % pkgname)
+ open(str(dst), 'w').write(data)
+
+# We want both pointer and static versions of the AllTypes message
+# Prefix them with package name.
+env.Command("alltypes_static.proto", "#alltypes/alltypes.proto",
+ lambda target, source, env: set_pkgname(source[0], target[0], 'alltypes_static'))
+env.Command("alltypes_pointer.proto", "#alltypes/alltypes.proto",
+ lambda target, source, env: set_pkgname(source[0], target[0], 'alltypes_pointer'))
+
+p1 = env.NanopbProto(["alltypes_pointer", "alltypes_pointer.options"])
+p2 = env.NanopbProto(["alltypes_static", "alltypes_static.options"])
+fuzz = malloc_env.Program(["fuzztest.c",
+ "alltypes_pointer.pb.c",
+ "alltypes_static.pb.c",
+ "$COMMON/pb_encode_with_malloc.o",
+ "$COMMON/pb_decode_with_malloc.o",
+ "$COMMON/pb_common_with_malloc.o",
+ "$COMMON/malloc_wrappers.o"])
+
+env.RunTest(fuzz)
+
+fuzzstub = malloc_env.Program(["fuzzstub.c",
+ "alltypes_pointer.pb.c",
+ "alltypes_static.pb.c",
+ "$COMMON/pb_encode_with_malloc.o",
+ "$COMMON/pb_decode_with_malloc.o",
+ "$COMMON/pb_common_with_malloc.o",
+ "$COMMON/malloc_wrappers.o"])
+
+generate_message = malloc_env.Program(["generate_message.c",
+ "alltypes_static.pb.c",
+ "$COMMON/pb_encode.o",
+ "$COMMON/pb_common.o"])
+
diff --git a/CAN-binder/libs/nanopb/tests/fuzztest/alltypes_pointer.options b/CAN-binder/libs/nanopb/tests/fuzztest/alltypes_pointer.options
new file mode 100644
index 0000000..7e3ad1e
--- /dev/null
+++ b/CAN-binder/libs/nanopb/tests/fuzztest/alltypes_pointer.options
@@ -0,0 +1,3 @@
+# Generate all fields as pointers.
+* type:FT_POINTER
+*.*fbytes fixed_length:true max_size:4
diff --git a/CAN-binder/libs/nanopb/tests/fuzztest/alltypes_static.options b/CAN-binder/libs/nanopb/tests/fuzztest/alltypes_static.options
new file mode 100644
index 0000000..e197e1d
--- /dev/null
+++ b/CAN-binder/libs/nanopb/tests/fuzztest/alltypes_static.options
@@ -0,0 +1,4 @@
+* max_size:32
+* max_count:8
+*.extensions type:FT_IGNORE
+*.*fbytes fixed_length:true max_size:4
diff --git a/CAN-binder/libs/nanopb/tests/fuzztest/fuzzstub.c b/CAN-binder/libs/nanopb/tests/fuzztest/fuzzstub.c
new file mode 100644
index 0000000..ec9e2af
--- /dev/null
+++ b/CAN-binder/libs/nanopb/tests/fuzztest/fuzzstub.c
@@ -0,0 +1,189 @@
+/* Fuzz testing for the nanopb core.
+ * This can be used with external fuzzers, e.g. radamsa.
+ * It performs most of the same checks as fuzztest, but does not feature data generation.
+ */
+
+#include <pb_decode.h>
+#include <pb_encode.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <time.h>
+#include <malloc_wrappers.h>
+#include "alltypes_static.pb.h"
+#include "alltypes_pointer.pb.h"
+
+#define BUFSIZE 4096
+
+static bool do_static_decode(uint8_t *buffer, size_t msglen, bool assert_success)
+{
+ pb_istream_t stream;
+ bool status;
+
+ alltypes_static_AllTypes *msg = malloc_with_check(sizeof(alltypes_static_AllTypes));
+ stream = pb_istream_from_buffer(buffer, msglen);
+ status = pb_decode(&stream, alltypes_static_AllTypes_fields, msg);
+
+ if (!status && assert_success)
+ {
+ /* Anything that was successfully encoded, should be decodeable.
+ * One exception: strings without null terminator are encoded up
+ * to end of buffer, but refused on decode because the terminator
+ * would not fit. */
+ if (strcmp(stream.errmsg, "string overflow") != 0)
+ assert(status);
+ }
+
+ free_with_check(msg);
+ return status;
+}
+
+static bool do_pointer_decode(uint8_t *buffer, size_t msglen, bool assert_success)
+{
+ pb_istream_t stream;
+ bool status;
+ alltypes_pointer_AllTypes *msg;
+
+ msg = malloc_with_check(sizeof(alltypes_pointer_AllTypes));
+ memset(msg, 0, sizeof(alltypes_pointer_AllTypes));
+ stream = pb_istream_from_buffer(buffer, msglen);
+
+ assert(get_alloc_count() == 0);
+ status = pb_decode(&stream, alltypes_pointer_AllTypes_fields, msg);
+
+ if (assert_success)
+ assert(status);
+
+ pb_release(alltypes_pointer_AllTypes_fields, msg);
+ assert(get_alloc_count() == 0);
+
+ free_with_check(msg);
+
+ return status;
+}
+
+/* Do a decode -> encode -> decode -> encode roundtrip */
+static void do_static_roundtrip(uint8_t *buffer, size_t msglen)
+{
+ bool status;
+ uint8_t *buf2 = malloc_with_check(BUFSIZE);
+ uint8_t *buf3 = malloc_with_check(BUFSIZE);
+ size_t msglen2, msglen3;
+ alltypes_static_AllTypes *msg1 = malloc_with_check(sizeof(alltypes_static_AllTypes));
+ alltypes_static_AllTypes *msg2 = malloc_with_check(sizeof(alltypes_static_AllTypes));
+ memset(msg1, 0, sizeof(alltypes_static_AllTypes));
+ memset(msg2, 0, sizeof(alltypes_static_AllTypes));
+
+ {
+ pb_istream_t stream = pb_istream_from_buffer(buffer, msglen);
+ status = pb_decode(&stream, alltypes_static_AllTypes_fields, msg1);
+ assert(status);
+ }
+
+ {
+ pb_ostream_t stream = pb_ostream_from_buffer(buf2, BUFSIZE);
+ status = pb_encode(&stream, alltypes_static_AllTypes_fields, msg1);
+ assert(status);
+ msglen2 = stream.bytes_written;
+ }
+
+ {
+ pb_istream_t stream = pb_istream_from_buffer(buf2, msglen2);
+ status = pb_decode(&stream, alltypes_static_AllTypes_fields, msg2);
+ assert(status);
+ }
+
+ {
+ pb_ostream_t stream = pb_ostream_from_buffer(buf3, BUFSIZE);
+ status = pb_encode(&stream, alltypes_static_AllTypes_fields, msg2);
+ assert(status);
+ msglen3 = stream.bytes_written;
+ }
+
+ assert(msglen2 == msglen3);
+ assert(memcmp(buf2, buf3, msglen2) == 0);
+
+ free_with_check(msg1);
+ free_with_check(msg2);
+ free_with_check(buf2);
+ free_with_check(buf3);
+}
+
+/* Do decode -> encode -> decode -> encode roundtrip */
+static void do_pointer_roundtrip(uint8_t *buffer, size_t msglen)
+{
+ bool status;
+ uint8_t *buf2 = malloc_with_check(BUFSIZE);
+ uint8_t *buf3 = malloc_with_check(BUFSIZE);
+ size_t msglen2, msglen3;
+ alltypes_pointer_AllTypes *msg1 = malloc_with_check(sizeof(alltypes_pointer_AllTypes));
+ alltypes_pointer_AllTypes *msg2 = malloc_with_check(sizeof(alltypes_pointer_AllTypes));
+ memset(msg1, 0, sizeof(alltypes_pointer_AllTypes));
+ memset(msg2, 0, sizeof(alltypes_pointer_AllTypes));
+
+ {
+ pb_istream_t stream = pb_istream_from_buffer(buffer, msglen);
+ status = pb_decode(&stream, alltypes_pointer_AllTypes_fields, msg1);
+ assert(status);
+ }
+
+ {
+ pb_ostream_t stream = pb_ostream_from_buffer(buf2, BUFSIZE);
+ status = pb_encode(&stream, alltypes_pointer_AllTypes_fields, msg1);
+ assert(status);
+ msglen2 = stream.bytes_written;
+ }
+
+ {
+ pb_istream_t stream = pb_istream_from_buffer(buf2, msglen2);
+ status = pb_decode(&stream, alltypes_pointer_AllTypes_fields, msg2);
+ assert(status);
+ }
+
+ {
+ pb_ostream_t stream = pb_ostream_from_buffer(buf3, BUFSIZE);
+ status = pb_encode(&stream, alltypes_pointer_AllTypes_fields, msg2);
+ assert(status);
+ msglen3 = stream.bytes_written;
+ }
+
+ assert(msglen2 == msglen3);
+ assert(memcmp(buf2, buf3, msglen2) == 0);
+
+ pb_release(alltypes_pointer_AllTypes_fields, msg1);
+ pb_release(alltypes_pointer_AllTypes_fields, msg2);
+ free_with_check(msg1);
+ free_with_check(msg2);
+ free_with_check(buf2);
+ free_with_check(buf3);
+}
+
+static void run_iteration()
+{
+ uint8_t *buffer = malloc_with_check(BUFSIZE);
+ size_t msglen;
+ bool status;
+
+ msglen = fread(buffer, 1, BUFSIZE, stdin);
+
+ status = do_static_decode(buffer, msglen, false);
+
+ if (status)
+ do_static_roundtrip(buffer, msglen);
+
+ status = do_pointer_decode(buffer, msglen, false);
+
+ if (status)
+ do_pointer_roundtrip(buffer, msglen);
+
+ free_with_check(buffer);
+}
+
+int main(int argc, char **argv)
+{
+ run_iteration();
+
+ return 0;
+}
+
diff --git a/CAN-binder/libs/nanopb/tests/fuzztest/fuzztest.c b/CAN-binder/libs/nanopb/tests/fuzztest/fuzztest.c
new file mode 100644
index 0000000..ee851ec
--- /dev/null
+++ b/CAN-binder/libs/nanopb/tests/fuzztest/fuzztest.c
@@ -0,0 +1,432 @@
+/* Fuzz testing for the nanopb core.
+ * Attempts to verify all the properties defined in the security model document.
+ */
+
+#include <pb_decode.h>
+#include <pb_encode.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <time.h>
+#include <malloc_wrappers.h>
+#include "alltypes_static.pb.h"
+#include "alltypes_pointer.pb.h"
+
+static uint64_t random_seed;
+
+/* Uses xorshift64 here instead of rand() for both speed and
+ * reproducibility across platforms. */
+static uint32_t rand_word()
+{
+ random_seed ^= random_seed >> 12;
+ random_seed ^= random_seed << 25;
+ random_seed ^= random_seed >> 27;
+ return random_seed * 2685821657736338717ULL;
+}
+
+/* Get a random integer in range, with approximately flat distribution. */
+static int rand_int(int min, int max)
+{
+ return rand_word() % (max + 1 - min) + min;
+}
+
+static bool rand_bool()
+{
+ return rand_word() & 1;
+}
+
+/* Get a random byte, with skewed distribution.
+ * Important corner cases like 0xFF, 0x00 and 0xFE occur more
+ * often than other values. */
+static uint8_t rand_byte()
+{
+ uint32_t w = rand_word();
+ uint8_t b = w & 0xFF;
+ if (w & 0x100000)
+ b >>= (w >> 8) & 7;
+ if (w & 0x200000)
+ b <<= (w >> 12) & 7;
+ if (w & 0x400000)
+ b ^= 0xFF;
+ return b;
+}
+
+/* Get a random length, with skewed distribution.
+ * Favors the shorter lengths, but always atleast 1. */
+static size_t rand_len(size_t max)
+{
+ uint32_t w = rand_word();
+ size_t s;
+ if (w & 0x800000)
+ w &= 3;
+ else if (w & 0x400000)
+ w &= 15;
+ else if (w & 0x200000)
+ w &= 255;
+
+ s = (w % max);
+ if (s == 0)
+ s = 1;
+
+ return s;
+}
+
+/* Fills a buffer with random data with skewed distribution. */
+static void rand_fill(uint8_t *buf, size_t count)
+{
+ while (count--)
+ *buf++ = rand_byte();
+}
+
+/* Fill with random protobuf-like data */
+static size_t rand_fill_protobuf(uint8_t *buf, size_t min_bytes, size_t max_bytes, int min_tag)
+{
+ pb_ostream_t stream = pb_ostream_from_buffer(buf, max_bytes);
+
+ while(stream.bytes_written < min_bytes)
+ {
+ pb_wire_type_t wt = rand_int(0, 3);
+ if (wt == 3) wt = 5; /* Gap in values */
+
+ if (!pb_encode_tag(&stream, wt, rand_int(min_tag, min_tag + 512)))
+ break;
+
+ if (wt == PB_WT_VARINT)
+ {
+ uint64_t value;
+ rand_fill((uint8_t*)&value, sizeof(value));
+ pb_encode_varint(&stream, value);
+ }
+ else if (wt == PB_WT_64BIT)
+ {
+ uint64_t value;
+ rand_fill((uint8_t*)&value, sizeof(value));
+ pb_encode_fixed64(&stream, &value);
+ }
+ else if (wt == PB_WT_32BIT)
+ {
+ uint32_t value;
+ rand_fill((uint8_t*)&value, sizeof(value));
+ pb_encode_fixed32(&stream, &value);
+ }
+ else if (wt == PB_WT_STRING)
+ {
+ size_t len;
+ uint8_t *buf;
+
+ if (min_bytes > stream.bytes_written)
+ len = rand_len(min_bytes - stream.bytes_written);
+ else
+ len = 0;
+
+ buf = malloc(len);
+ pb_encode_varint(&stream, len);
+ rand_fill(buf, len);
+ pb_write(&stream, buf, len);
+ free(buf);
+ }
+ }
+
+ return stream.bytes_written;
+}
+
+/* Given a buffer of data, mess it up a bit */
+static void rand_mess(uint8_t *buf, size_t count)
+{
+ int m = rand_int(0, 3);
+
+ if (m == 0)
+ {
+ /* Replace random substring */
+ int s = rand_int(0, count - 1);
+ int l = rand_len(count - s);
+ rand_fill(buf + s, l);
+ }
+ else if (m == 1)
+ {
+ /* Swap random bytes */
+ int a = rand_int(0, count - 1);
+ int b = rand_int(0, count - 1);
+ int x = buf[a];
+ buf[a] = buf[b];
+ buf[b] = x;
+ }
+ else if (m == 2)
+ {
+ /* Duplicate substring */
+ int s = rand_int(0, count - 2);
+ int l = rand_len((count - s) / 2);
+ memcpy(buf + s + l, buf + s, l);
+ }
+ else if (m == 3)
+ {
+ /* Add random protobuf noise */
+ int s = rand_int(0, count - 1);
+ int l = rand_len(count - s);
+ rand_fill_protobuf(buf + s, l, count - s, 1);
+ }
+}
+
+/* Some default data to put in the message */
+static const alltypes_static_AllTypes initval = alltypes_static_AllTypes_init_default;
+
+#define BUFSIZE 4096
+
+static bool do_static_encode(uint8_t *buffer, size_t *msglen)
+{
+ pb_ostream_t stream;
+ bool status;
+
+ /* Allocate a message and fill it with defaults */
+ alltypes_static_AllTypes *msg = malloc_with_check(sizeof(alltypes_static_AllTypes));
+ memcpy(msg, &initval, sizeof(initval));
+
+ /* Apply randomness to the data before encoding */
+ while (rand_int(0, 7))
+ rand_mess((uint8_t*)msg, sizeof(alltypes_static_AllTypes));
+
+ stream = pb_ostream_from_buffer(buffer, BUFSIZE);
+ status = pb_encode(&stream, alltypes_static_AllTypes_fields, msg);
+ assert(stream.bytes_written <= BUFSIZE);
+ assert(stream.bytes_written <= alltypes_static_AllTypes_size);
+
+ *msglen = stream.bytes_written;
+ pb_release(alltypes_static_AllTypes_fields, msg);
+ free_with_check(msg);
+
+ return status;
+}
+
+/* Append or prepend protobuf noise */
+static void do_protobuf_noise(uint8_t *buffer, size_t *msglen)
+{
+ int m = rand_int(0, 2);
+ size_t max_size = BUFSIZE - 32 - *msglen;
+ if (m == 1)
+ {
+ /* Prepend */
+ uint8_t *tmp = malloc_with_check(BUFSIZE);
+ size_t s = rand_fill_protobuf(tmp, rand_len(max_size), BUFSIZE - *msglen, 512);
+ memmove(buffer + s, buffer, *msglen);
+ memcpy(buffer, tmp, s);
+ free_with_check(tmp);
+ *msglen += s;
+ }
+ else if (m == 2)
+ {
+ /* Append */
+ size_t s = rand_fill_protobuf(buffer + *msglen, rand_len(max_size), BUFSIZE - *msglen, 512);
+ *msglen += s;
+ }
+}
+
+static bool do_static_decode(uint8_t *buffer, size_t msglen, bool assert_success)
+{
+ pb_istream_t stream;
+ bool status;
+
+ alltypes_static_AllTypes *msg = malloc_with_check(sizeof(alltypes_static_AllTypes));
+ rand_fill((uint8_t*)msg, sizeof(alltypes_static_AllTypes));
+ stream = pb_istream_from_buffer(buffer, msglen);
+ status = pb_decode(&stream, alltypes_static_AllTypes_fields, msg);
+
+ if (!status && assert_success)
+ {
+ /* Anything that was successfully encoded, should be decodeable.
+ * One exception: strings without null terminator are encoded up
+ * to end of buffer, but refused on decode because the terminator
+ * would not fit. */
+ if (strcmp(stream.errmsg, "string overflow") != 0)
+ assert(status);
+ }
+
+ free_with_check(msg);
+ return status;
+}
+
+static bool do_pointer_decode(uint8_t *buffer, size_t msglen, bool assert_success)
+{
+ pb_istream_t stream;
+ bool status;
+ alltypes_pointer_AllTypes *msg;
+
+ msg = malloc_with_check(sizeof(alltypes_pointer_AllTypes));
+ memset(msg, 0, sizeof(alltypes_pointer_AllTypes));
+ stream = pb_istream_from_buffer(buffer, msglen);
+
+ assert(get_alloc_count() == 0);
+ status = pb_decode(&stream, alltypes_pointer_AllTypes_fields, msg);
+
+ if (assert_success)
+ assert(status);
+
+ pb_release(alltypes_pointer_AllTypes_fields, msg);
+ assert(get_alloc_count() == 0);
+
+ free_with_check(msg);
+
+ return status;
+}
+
+/* Do a decode -> encode -> decode -> encode roundtrip */
+static void do_static_roundtrip(uint8_t *buffer, size_t msglen)
+{
+ bool status;
+ uint8_t *buf2 = malloc_with_check(BUFSIZE);
+ uint8_t *buf3 = malloc_with_check(BUFSIZE);
+ size_t msglen2, msglen3;
+ alltypes_static_AllTypes *msg1 = malloc_with_check(sizeof(alltypes_static_AllTypes));
+ alltypes_static_AllTypes *msg2 = malloc_with_check(sizeof(alltypes_static_AllTypes));
+ memset(msg1, 0, sizeof(alltypes_static_AllTypes));
+ memset(msg2, 0, sizeof(alltypes_static_AllTypes));
+
+ {
+ pb_istream_t stream = pb_istream_from_buffer(buffer, msglen);
+ status = pb_decode(&stream, alltypes_static_AllTypes_fields, msg1);
+ assert(status);
+ }
+
+ {
+ pb_ostream_t stream = pb_ostream_from_buffer(buf2, BUFSIZE);
+ status = pb_encode(&stream, alltypes_static_AllTypes_fields, msg1);
+ assert(status);
+ msglen2 = stream.bytes_written;
+ }
+
+ {
+ pb_istream_t stream = pb_istream_from_buffer(buf2, msglen2);
+ status = pb_decode(&stream, alltypes_static_AllTypes_fields, msg2);
+ assert(status);
+ }
+
+ {
+ pb_ostream_t stream = pb_ostream_from_buffer(buf3, BUFSIZE);
+ status = pb_encode(&stream, alltypes_static_AllTypes_fields, msg2);
+ assert(status);
+ msglen3 = stream.bytes_written;
+ }
+
+ assert(msglen2 == msglen3);
+ assert(memcmp(buf2, buf3, msglen2) == 0);
+
+ free_with_check(msg1);
+ free_with_check(msg2);
+ free_with_check(buf2);
+ free_with_check(buf3);
+}
+
+/* Do decode -> encode -> decode -> encode roundtrip */
+static void do_pointer_roundtrip(uint8_t *buffer, size_t msglen)
+{
+ bool status;
+ uint8_t *buf2 = malloc_with_check(BUFSIZE);
+ uint8_t *buf3 = malloc_with_check(BUFSIZE);
+ size_t msglen2, msglen3;
+ alltypes_pointer_AllTypes *msg1 = malloc_with_check(sizeof(alltypes_pointer_AllTypes));
+ alltypes_pointer_AllTypes *msg2 = malloc_with_check(sizeof(alltypes_pointer_AllTypes));
+ memset(msg1, 0, sizeof(alltypes_pointer_AllTypes));
+ memset(msg2, 0, sizeof(alltypes_pointer_AllTypes));
+
+ {
+ pb_istream_t stream = pb_istream_from_buffer(buffer, msglen);
+ status = pb_decode(&stream, alltypes_pointer_AllTypes_fields, msg1);
+ assert(status);
+ }
+
+ {
+ pb_ostream_t stream = pb_ostream_from_buffer(buf2, BUFSIZE);
+ status = pb_encode(&stream, alltypes_pointer_AllTypes_fields, msg1);
+ assert(status);
+ msglen2 = stream.bytes_written;
+ }
+
+ {
+ pb_istream_t stream = pb_istream_from_buffer(buf2, msglen2);
+ status = pb_decode(&stream, alltypes_pointer_AllTypes_fields, msg2);
+ assert(status);
+ }
+
+ {
+ pb_ostream_t stream = pb_ostream_from_buffer(buf3, BUFSIZE);
+ status = pb_encode(&stream, alltypes_pointer_AllTypes_fields, msg2);
+ assert(status);
+ msglen3 = stream.bytes_written;
+ }
+
+ assert(msglen2 == msglen3);
+ assert(memcmp(buf2, buf3, msglen2) == 0);
+
+ pb_release(alltypes_pointer_AllTypes_fields, msg1);
+ pb_release(alltypes_pointer_AllTypes_fields, msg2);
+ free_with_check(msg1);
+ free_with_check(msg2);
+ free_with_check(buf2);
+ free_with_check(buf3);
+}
+
+static void run_iteration()
+{
+ uint8_t *buffer = malloc_with_check(BUFSIZE);
+ size_t msglen;
+ bool status;
+
+ rand_fill(buffer, BUFSIZE);
+
+ if (do_static_encode(buffer, &msglen))
+ {
+ do_protobuf_noise(buffer, &msglen);
+
+ status = do_static_decode(buffer, msglen, true);
+
+ if (status)
+ do_static_roundtrip(buffer, msglen);
+
+ status = do_pointer_decode(buffer, msglen, true);
+
+ if (status)
+ do_pointer_roundtrip(buffer, msglen);
+
+ /* Apply randomness to the encoded data */
+ while (rand_bool())
+ rand_mess(buffer, BUFSIZE);
+
+ /* Apply randomness to encoded data length */
+ if (rand_bool())
+ msglen = rand_int(0, BUFSIZE);
+
+ status = do_static_decode(buffer, msglen, false);
+ do_pointer_decode(buffer, msglen, status);
+
+ if (status)
+ {
+ do_static_roundtrip(buffer, msglen);
+ do_pointer_roundtrip(buffer, msglen);
+ }
+ }
+
+ free_with_check(buffer);
+}
+
+int main(int argc, char **argv)
+{
+ int i;
+ if (argc > 1)
+ {
+ random_seed = atol(argv[1]);
+ }
+ else
+ {
+ random_seed = time(NULL);
+ }
+
+ fprintf(stderr, "Random seed: %llu\n", (long long unsigned)random_seed);
+
+ for (i = 0; i < 10000; i++)
+ {
+ run_iteration();
+ }
+
+ return 0;
+}
+
diff --git a/CAN-binder/libs/nanopb/tests/fuzztest/generate_message.c b/CAN-binder/libs/nanopb/tests/fuzztest/generate_message.c
new file mode 100644
index 0000000..6e49299
--- /dev/null
+++ b/CAN-binder/libs/nanopb/tests/fuzztest/generate_message.c
@@ -0,0 +1,101 @@
+/* Generates a random, valid protobuf message. Useful to seed
+ * external fuzzers such as afl-fuzz.
+ */
+
+#include <pb_encode.h>
+#include <pb_common.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <time.h>
+#include "alltypes_static.pb.h"
+
+static uint64_t random_seed;
+
+/* Uses xorshift64 here instead of rand() for both speed and
+ * reproducibility across platforms. */
+static uint32_t rand_word()
+{
+ random_seed ^= random_seed >> 12;
+ random_seed ^= random_seed << 25;
+ random_seed ^= random_seed >> 27;
+ return random_seed * 2685821657736338717ULL;
+}
+
+/* Fills a buffer with random data. */
+static void rand_fill(uint8_t *buf, size_t count)
+{
+ while (count--)
+ {
+ *buf++ = rand_word() & 0xff;
+ }
+}
+
+/* Check that size/count fields do not exceed their max size.
+ * Otherwise we would have to loop pretty long in generate_message().
+ * Note that there may still be a few encoding errors from submessages.
+ */
+static void limit_sizes(alltypes_static_AllTypes *msg)
+{
+ pb_field_iter_t iter;
+ pb_field_iter_begin(&iter, alltypes_static_AllTypes_fields, msg);
+ while (pb_field_iter_next(&iter))
+ {
+ if (PB_LTYPE(iter.pos->type) == PB_LTYPE_BYTES)
+ {
+ ((pb_bytes_array_t*)iter.pData)->size %= iter.pos->data_size - PB_BYTES_ARRAY_T_ALLOCSIZE(0);
+ }
+
+ if (PB_HTYPE(iter.pos->type) == PB_HTYPE_REPEATED)
+ {
+ *((pb_size_t*)iter.pSize) %= iter.pos->array_size;
+ }
+
+ if (PB_HTYPE(iter.pos->type) == PB_HTYPE_ONEOF)
+ {
+ /* Set the oneof to this message type with 50% chance. */
+ if (rand_word() & 1)
+ {
+ *((pb_size_t*)iter.pSize) = iter.pos->tag;
+ }
+ }
+ }
+}
+
+static void generate_message()
+{
+ alltypes_static_AllTypes msg;
+ uint8_t buf[8192];
+ pb_ostream_t stream = {0};
+
+ do {
+ if (stream.errmsg)
+ fprintf(stderr, "Encoder error: %s\n", stream.errmsg);
+
+ stream = pb_ostream_from_buffer(buf, sizeof(buf));
+ rand_fill((void*)&msg, sizeof(msg));
+ limit_sizes(&msg);
+ } while (!pb_encode(&stream, alltypes_static_AllTypes_fields, &msg));
+
+ fwrite(buf, 1, stream.bytes_written, stdout);
+}
+
+int main(int argc, char **argv)
+{
+ if (argc > 1)
+ {
+ random_seed = atol(argv[1]);
+ }
+ else
+ {
+ random_seed = time(NULL);
+ }
+
+ fprintf(stderr, "Random seed: %llu\n", (long long unsigned)random_seed);
+
+ generate_message();
+
+ return 0;
+}
+
diff --git a/CAN-binder/libs/nanopb/tests/fuzztest/run_radamsa.sh b/CAN-binder/libs/nanopb/tests/fuzztest/run_radamsa.sh
new file mode 100755
index 0000000..52cd40a
--- /dev/null
+++ b/CAN-binder/libs/nanopb/tests/fuzztest/run_radamsa.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+TMP=`tempfile`
+
+echo $TMP
+while true
+do
+ radamsa sample_data/* > $TMP
+ $1 < $TMP
+ test $? -gt 127 && break
+done
+
diff --git a/CAN-binder/libs/nanopb/tests/fuzztest/sample_data/sample1.pb b/CAN-binder/libs/nanopb/tests/fuzztest/sample_data/sample1.pb
new file mode 100644
index 0000000..0752788
--- /dev/null
+++ b/CAN-binder/libs/nanopb/tests/fuzztest/sample_data/sample1.pb
Binary files differ
diff --git a/CAN-binder/libs/nanopb/tests/fuzztest/sample_data/sample2.pb b/CAN-binder/libs/nanopb/tests/fuzztest/sample_data/sample2.pb
new file mode 100644
index 0000000..cc89f91
--- /dev/null
+++ b/CAN-binder/libs/nanopb/tests/fuzztest/sample_data/sample2.pb
Binary files differ