fix(svc): rdpdr channel fuzzing harness and associated issues (#408)

.github/workflows/fuzz.yml

@@ -41,7 +41,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        target: [ pdu_decoding, rle_decompression, bitmap_stream, cliprdr_format ]
+        target: [ pdu_decoding, rle_decompression, bitmap_stream, cliprdr_format, channel_processing ]
 
     steps:
       - uses: actions/checkout@v3

Cargo.lock

@@ -1806,6 +1806,7 @@ dependencies = [
  "ironrdp-graphics",
  "ironrdp-pdu",
  "ironrdp-rdpdr",
+ "ironrdp-svc",
 ]
 
 [[package]]

crates/ironrdp-fuzzing/Cargo.toml

@@ -16,4 +16,5 @@ ironrdp-pdu.workspace = true
 ironrdp-cliprdr.workspace = true
 ironrdp-rdpdr.workspace = true
 ironrdp-cliprdr-format.workspace = true
-ironrdp-displaycontrol.workspace = true
+ironrdp-displaycontrol.workspace = true
+ironrdp-svc.workspace = true

crates/ironrdp-fuzzing/src/oracles/mod.rs

@@ -136,3 +136,13 @@ pub fn cliprdr_format(input: &[u8]) {
         let _ = plain_html_to_cf_html(input);
     }
 }
+
+pub fn channel_process(input: &[u8]) {
+    use ironrdp_svc::SvcProcessor;
+
+    let mut rdpdr = ironrdp_rdpdr::Rdpdr::new(Box::new(ironrdp_rdpdr::NoopRdpdrBackend), "Backend".to_owned())
+        .with_smartcard(1)
+        .with_drives(None);
+
+    let _ = rdpdr.process(input);
+}

crates/ironrdp-rdpdr/src/pdu/efs.rs

@@ -1214,12 +1214,13 @@ impl<T: IoCtlCode> DeviceControlRequest<T>
 where
     T::Error: ironrdp_error::Source,
 {
-    fn headerless_size() -> usize {
-        size_of::<u32>() * 3 // OutputBufferLength, InputBufferLength, IoControlCode
-    }
+    const HEADERLESS_SIZE: usize = 4 // OutputBufferLength
+        + 4 // InputBufferLength
+        + 4 // IoControlCode
+        + 20; // Additional 20 bytes for padding
 
     pub fn decode(header: DeviceIoRequest, src: &mut ReadCursor<'_>) -> PduResult<Self> {
-        ensure_size!(ctx: "DeviceControlRequest", in: src, size: Self::headerless_size());
+        ensure_size!(ctx: "DeviceControlRequest", in: src, size: Self::HEADERLESS_SIZE);
         let output_buffer_length = src.read_u32();
         let input_buffer_length = src.read_u32();
         let io_control_code = T::try_from(src.read_u32()).map_err(|e| {

fuzz/Cargo.lock

@@ -321,6 +321,7 @@ dependencies = [
  "ironrdp-graphics",
  "ironrdp-pdu",
  "ironrdp-rdpdr",
+ "ironrdp-svc",
 ]
 
 [[package]]

fuzz/Cargo.toml

@@ -40,3 +40,10 @@ name = "cliprdr_format"
 path = "fuzz_targets/cliprdr_format.rs"
 test = false
 doc = false
+
+[[bin]]
+name = "channel_processing"
+path = "fuzz_targets/channel_processing.rs"
+test = false
+doc = false
+bench = false

fuzz/fuzz_targets/channel_processing.rs

@@ -0,0 +1,7 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+    ironrdp_fuzzing::oracles::channel_process(data);
+});

xtask/src/main.rs

@@ -33,7 +33,13 @@ pub const CARGO: &str = env!("CARGO");
 
 pub const WASM_PACKAGES: &[&str] = &["ironrdp-web"];
 
-pub const FUZZ_TARGETS: &[&str] = &["pdu_decoding", "rle_decompression", "bitmap_stream", "cliprdr_format"];
+pub const FUZZ_TARGETS: &[&str] = &[
+    "pdu_decoding",
+    "rle_decompression",
+    "bitmap_stream",
+    "cliprdr_format",
+    "channel_processing",
+];
 
 fn main() -> anyhow::Result<()> {
     let args = match cli::parse_args() {