fix(svc): rdpdr channel fuzzing harness and associated issues (#408)

2025-07-07 17:45:01 +00:00 · 2024-03-11 11:28:27 +01:00 · 2024-03-11 11:28:27 +01:00 · c4193371bd
commit c4193371bd
parent e92d8c3e17
10 changed files with 41 additions and 7 deletions
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@ -41,7 +41,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        target: [ pdu_decoding, rle_decompression, bitmap_stream, cliprdr_format ]
+        target: [ pdu_decoding, rle_decompression, bitmap_stream, cliprdr_format, channel_processing ]
    steps:
      - uses: actions/checkout@v3
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1806,6 +1806,7 @@ dependencies = [
 "ironrdp-graphics",
 "ironrdp-pdu",
 "ironrdp-rdpdr",
 "ironrdp-svc",
 ]
 [[package]]
--- a/crates/ironrdp-fuzzing/Cargo.toml
+++ b/crates/ironrdp-fuzzing/Cargo.toml
@ -16,4 +16,5 @@ ironrdp-pdu.workspace = true
 ironrdp-cliprdr.workspace = true
 ironrdp-rdpdr.workspace = true
 ironrdp-cliprdr-format.workspace = true
-ironrdp-displaycontrol.workspace = true
+ironrdp-displaycontrol.workspace = true
 ironrdp-svc.workspace = true
--- a/crates/ironrdp-fuzzing/src/oracles/mod.rs
+++ b/crates/ironrdp-fuzzing/src/oracles/mod.rs
@ -136,3 +136,13 @@ pub fn cliprdr_format(input: &[u8]) {
        let _ = plain_html_to_cf_html(input);
    }
 }
 pub fn channel_process(input: &[u8]) {
    use ironrdp_svc::SvcProcessor;
    let mut rdpdr = ironrdp_rdpdr::Rdpdr::new(Box::new(ironrdp_rdpdr::NoopRdpdrBackend), "Backend".to_owned())
        .with_smartcard(1)
        .with_drives(None);
    let _ = rdpdr.process(input);
 }
--- a/crates/ironrdp-rdpdr/src/pdu/efs.rs
+++ b/crates/ironrdp-rdpdr/src/pdu/efs.rs
@ -1214,12 +1214,13 @@ impl<T: IoCtlCode> DeviceControlRequest<T>
 where
    T::Error: ironrdp_error::Source,
 {
-    fn headerless_size() -> usize {
+    const HEADERLESS_SIZE: usize = 4 // OutputBufferLength
-        size_of::<u32>() * 3 // OutputBufferLength, InputBufferLength, IoControlCode
+        + 4 // InputBufferLength
-    }
+        + 4 // IoControlCode
        + 20; // Additional 20 bytes for padding
    pub fn decode(header: DeviceIoRequest, src: &mut ReadCursor<'_>) -> PduResult<Self> {
-        ensure_size!(ctx: "DeviceControlRequest", in: src, size: Self::headerless_size());
+        ensure_size!(ctx: "DeviceControlRequest", in: src, size: Self::HEADERLESS_SIZE);
        let output_buffer_length = src.read_u32();
        let input_buffer_length = src.read_u32();
        let io_control_code = T::try_from(src.read_u32()).map_err(|e| {
--- a/crates/ironrdp-testsuite-core/test_data/fuzz_regression/channel_processing/minimized-from-46dc7754493e2231055dddc1c56c88b4b38e7a6e
+++ b/crates/ironrdp-testsuite-core/test_data/fuzz_regression/channel_processing/minimized-from-46dc7754493e2231055dddc1c56c88b4b38e7a6e
--- a/fuzz/Cargo.lock
+++ b/fuzz/Cargo.lock
@ -321,6 +321,7 @@ dependencies = [
 "ironrdp-graphics",
 "ironrdp-pdu",
 "ironrdp-rdpdr",
 "ironrdp-svc",
 ]
 [[package]]
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@ -40,3 +40,10 @@ name = "cliprdr_format"
 path = "fuzz_targets/cliprdr_format.rs"
 test = false
 doc = false
 [[bin]]
 name = "channel_processing"
 path = "fuzz_targets/channel_processing.rs"
 test = false
 doc = false
 bench = false
--- a/fuzz/fuzz_targets/channel_processing.rs
+++ b/fuzz/fuzz_targets/channel_processing.rs
@ -0,0 +1,7 @@
 #![no_main]
 use libfuzzer_sys::fuzz_target;
 fuzz_target!(|data: &[u8]| {
    ironrdp_fuzzing::oracles::channel_process(data);
 });
--- a/xtask/src/main.rs
+++ b/xtask/src/main.rs
@ -33,7 +33,13 @@ pub const CARGO: &str = env!("CARGO");
 pub const WASM_PACKAGES: &[&str] = &["ironrdp-web"];
-pub const FUZZ_TARGETS: &[&str] = &["pdu_decoding", "rle_decompression", "bitmap_stream", "cliprdr_format"];
+pub const FUZZ_TARGETS: &[&str] = &[
    "pdu_decoding",
    "rle_decompression",
    "bitmap_stream",
    "cliprdr_format",
    "channel_processing",
 ];
 fn main() -> anyhow::Result<()> {
    let args = match cli::parse_args() {