1 // Copyright (c) 2020-2021 The Bitcoin Core developers
2 // Distributed under the MIT software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 
5 #include <banman.h>
6 #include <chainparams.h>
7 #include <consensus/consensus.h>
8 #include <net.h>
9 #include <net_processing.h>
10 #include <protocol.h>
11 #include <scheduler.h>
12 #include <script/script.h>
13 #include <streams.h>
14 #include <test/fuzz/FuzzedDataProvider.h>
15 #include <test/fuzz/fuzz.h>
16 #include <test/fuzz/util.h>
17 #include <test/util/mining.h>
18 #include <test/util/net.h>
19 #include <test/util/setup_common.h>
20 #include <test/util/validation.h>
21 #include <txorphanage.h>
22 #include <validationinterface.h>
23 #include <version.h>
24 
25 #include <atomic>
26 #include <cassert>
27 #include <chrono>
28 #include <cstdint>
29 #include <iosfwd>
30 #include <iostream>
31 #include <memory>
32 #include <string>
33 
34 namespace {
35 const TestingSetup* g_setup;
36 } // namespace
37 
GetNumMsgTypes()38 size_t& GetNumMsgTypes()
39 {
40     static size_t g_num_msg_types{0};
41     return g_num_msg_types;
42 }
43 #define FUZZ_TARGET_MSG(msg_type)                                            \
44     struct msg_type##_Count_Before_Main {                                    \
45         msg_type##_Count_Before_Main()                                       \
46         {                                                                    \
47             ++GetNumMsgTypes();                                              \
48         }                                                                    \
49     } const static g_##msg_type##_count_before_main;                         \
50     FUZZ_TARGET_INIT(process_message_##msg_type, initialize_process_message) \
51     {                                                                        \
52         fuzz_target(buffer, #msg_type);                                      \
53     }
54 
initialize_process_message()55 void initialize_process_message()
56 {
57     Assert(GetNumMsgTypes() == getAllNetMessageTypes().size()); // If this fails, add or remove the message type below
58 
59     static const auto testing_setup = MakeNoLogFileContext<const TestingSetup>();
60     g_setup = testing_setup.get();
61     for (int i = 0; i < 2 * COINBASE_MATURITY; i++) {
62         MineBlock(g_setup->m_node, CScript() << OP_TRUE);
63     }
64     SyncWithValidationInterfaceQueue();
65 }
66 
fuzz_target(FuzzBufferType buffer,const std::string & LIMIT_TO_MESSAGE_TYPE)67 void fuzz_target(FuzzBufferType buffer, const std::string& LIMIT_TO_MESSAGE_TYPE)
68 {
69     FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
70 
71     ConnmanTestMsg& connman = *static_cast<ConnmanTestMsg*>(g_setup->m_node.connman.get());
72     TestChainState& chainstate = *static_cast<TestChainState*>(&g_setup->m_node.chainman->ActiveChainstate());
73     SetMockTime(1610000000); // any time to successfully reset ibd
74     chainstate.ResetIbd();
75 
76     const std::string random_message_type{fuzzed_data_provider.ConsumeBytesAsString(CMessageHeader::COMMAND_SIZE).c_str()};
77     if (!LIMIT_TO_MESSAGE_TYPE.empty() && random_message_type != LIMIT_TO_MESSAGE_TYPE) {
78         return;
79     }
80     CNode& p2p_node = *ConsumeNodeAsUniquePtr(fuzzed_data_provider).release();
81 
82     const bool successfully_connected{fuzzed_data_provider.ConsumeBool()};
83     p2p_node.fSuccessfullyConnected = successfully_connected;
84     connman.AddTestNode(p2p_node);
85     g_setup->m_node.peerman->InitializeNode(&p2p_node);
86     FillNode(fuzzed_data_provider, p2p_node, /* init_version */ successfully_connected);
87 
88     const auto mock_time = ConsumeTime(fuzzed_data_provider);
89     SetMockTime(mock_time);
90 
91     // fuzzed_data_provider is fully consumed after this call, don't use it
92     CDataStream random_bytes_data_stream{fuzzed_data_provider.ConsumeRemainingBytes<unsigned char>(), SER_NETWORK, PROTOCOL_VERSION};
93     try {
94         g_setup->m_node.peerman->ProcessMessage(p2p_node, random_message_type, random_bytes_data_stream,
95                                                 GetTime<std::chrono::microseconds>(), std::atomic<bool>{false});
96     } catch (const std::ios_base::failure&) {
97     }
98     {
99         LOCK(p2p_node.cs_sendProcessing);
100         g_setup->m_node.peerman->SendMessages(&p2p_node);
101     }
102     SyncWithValidationInterfaceQueue();
103     g_setup->m_node.connman->StopNodes();
104 }
105 
FUZZ_TARGET_INIT(process_message,initialize_process_message)106 FUZZ_TARGET_INIT(process_message, initialize_process_message) { fuzz_target(buffer, ""); }
107 FUZZ_TARGET_MSG(addr);
108 FUZZ_TARGET_MSG(addrv2);
109 FUZZ_TARGET_MSG(block);
110 FUZZ_TARGET_MSG(blocktxn);
111 FUZZ_TARGET_MSG(cfcheckpt);
112 FUZZ_TARGET_MSG(cfheaders);
113 FUZZ_TARGET_MSG(cfilter);
114 FUZZ_TARGET_MSG(cmpctblock);
115 FUZZ_TARGET_MSG(feefilter);
116 FUZZ_TARGET_MSG(filteradd);
117 FUZZ_TARGET_MSG(filterclear);
118 FUZZ_TARGET_MSG(filterload);
119 FUZZ_TARGET_MSG(getaddr);
120 FUZZ_TARGET_MSG(getblocks);
121 FUZZ_TARGET_MSG(getblocktxn);
122 FUZZ_TARGET_MSG(getcfcheckpt);
123 FUZZ_TARGET_MSG(getcfheaders);
124 FUZZ_TARGET_MSG(getcfilters);
125 FUZZ_TARGET_MSG(getdata);
126 FUZZ_TARGET_MSG(getheaders);
127 FUZZ_TARGET_MSG(headers);
128 FUZZ_TARGET_MSG(inv);
129 FUZZ_TARGET_MSG(mempool);
130 FUZZ_TARGET_MSG(merkleblock);
131 FUZZ_TARGET_MSG(notfound);
132 FUZZ_TARGET_MSG(ping);
133 FUZZ_TARGET_MSG(pong);
134 FUZZ_TARGET_MSG(sendaddrv2);
135 FUZZ_TARGET_MSG(sendcmpct);
136 FUZZ_TARGET_MSG(sendheaders);
137 FUZZ_TARGET_MSG(tx);
138 FUZZ_TARGET_MSG(verack);
139 FUZZ_TARGET_MSG(version);
140 FUZZ_TARGET_MSG(wtxidrelay);
141