lib/fuzzing: Split up automatically build fuzzers into TYPE_{IN,OUT,STRUCT}

The advise is that a fuzz target should be as small as possible
so we split this up.  Splitting up by function would build too
many fuzzers, but this should help a little.

See for example:
https://github.com/google/fuzzing/blob/master/docs/good-fuzz-target.md#large-apis

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>

diff --git a/buildtools/wafsamba/samba_pidl.py b/buildtools/wafsamba/samba_pidl.py
index b92120edd23fbe8e65381160b48c21df7bab5b13..d7e1247aa20ea6d50129c775b6413adcf279b009 100644 (file)
--- a/buildtools/wafsamba/samba_pidl.py
+++ b/buildtools/wafsamba/samba_pidl.py
@@ -123,7 +123,19 @@ def SAMBA_PIDL_LIST(bld, name, source,
         # the fuzzers rely
         if generate_tables and generate_fuzzers:
             interface = p[0:-4] # strip off the .idl suffix
-            bld.SAMBA_NDR_FUZZ(interface, auto_deps=True)
+            bld.SAMBA_NDR_FUZZ(interface,
+                               auto_deps=True,
+                               fuzz_type="TYPE_STRUCT")
+
+            # Only generate the TYPE_STRUCT fuzzer if this isn't
+            # really DCE/RPC
+            if '--client' in options:
+                bld.SAMBA_NDR_FUZZ(interface,
+                                   auto_deps=True,
+                                   fuzz_type="TYPE_IN")
+                bld.SAMBA_NDR_FUZZ(interface,
+                                   auto_deps=True,
+                                   fuzz_type="TYPE_OUT")
 Build.BuildContext.SAMBA_PIDL_LIST = SAMBA_PIDL_LIST
 
 

diff --git a/lib/fuzzing/fuzz_ndr_X.c b/lib/fuzzing/fuzz_ndr_X.c
index cdc9de50a8c05b25e4c963c66db68bbd421ebd1f..5fc21dcef263b9f87a634cef62eaa3ac16bfb768 100644 (file)
--- a/lib/fuzzing/fuzz_ndr_X.c
+++ b/lib/fuzzing/fuzz_ndr_X.c
@@ -192,6 +192,20 @@ int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) {
        function = SVAL(data, 2);
 
        type = fuzz_packet_flags & 3;
+
+#ifdef FUZZ_TYPE
+       /*
+        * Fuzz targets should have as small an interface as possible.
+        * This allows us to create 3 binaries for most pipes,
+        * TYPE_IN, TYPE_OUT and TYPE_STRUCT
+        *
+        * We keep the header format, and just exit early if it does
+        * not match.
+        */
+       if (type != FUZZ_TYPE) {
+               return 0;
+       }
+#endif
 #endif
 
        switch (type) {

diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build
index 191aa69b6d737f8fd209f55693e14222caa1b501..e77eea88df56a76c4751c2396283e90e37284255 100644 (file)
--- a/lib/fuzzing/wscript_build
+++ b/lib/fuzzing/wscript_build
@@ -59,10 +59,12 @@ def SAMBA_NDR_FUZZ(bld, interface, auto_deps=False,
     fuzz_src = os.path.join(fuzz_reldir, 'fuzz_ndr_X.c')
 
     cflags = "-D FUZZ_PIPE_TABLE=ndr_table_%s" % interface
+    if fuzz_type:
+        name += "_%s" % (fuzz_type)
+        cflags += " -D FUZZ_TYPE=%s " % (fuzz_type)
     if fuzz_type and fuzz_function:
-        name += "_%s_%d" % (fuzz_type, fuzz_function)
-        cflags += " -D FUZZ_TYPE=%s -DFUZZ_FUNCTION=%d" % (fuzz_type,
-                                                           fuzz_function)
+        name += "_%d" % (fuzz_function)
+        cflags += " -D FUZZ_FUNCTION=%d" % (fuzz_function)
 
     fuzz_named_src = os.path.join(fuzz_reldir,
                                   '%s.c' % (name))