AFL + Libfuzzer harnesses (#455)

* Package fuzzers

* Provide ability to remove main

* Don't build fuzzers by default

apps/fuzz-afl/Makefile

@@ -0,0 +1,79 @@
+#Makefile to build BACnet Application for the GCC port
+
+# tools - only if you need them.
+# Most platforms have this already defined
+# CC = gcc
+
+# Executable file name
+TARGET = fuzz-afl
+
+TARGET_BIN = ${TARGET}$(TARGET_EXT)
+
+# BACNET_PORT, BACNET_PORT_DIR, BACNET_PORT_SRC are defined in common Makefile
+# BACNET_SRC_DIR is defined in common apps Makefile
+BACNET_OBJECT_DIR = $(BACNET_SRC_DIR)/bacnet/basic/object
+SRC = main.c \
+	$(BACNET_OBJECT_DIR)/netport.c \
+	$(BACNET_OBJECT_DIR)/client/device-client.c
+
+PORT_MSTP_SRC = \
+	$(BACNET_PORT_DIR)/rs485.c \
+	$(BACNET_PORT_DIR)/dlmstp.c \
+	$(BACNET_SRC_DIR)/bacnet/datalink/mstp.c \
+	$(BACNET_SRC_DIR)/bacnet/datalink/mstptext.c \
+	$(BACNET_SRC_DIR)/bacnet/datalink/crc.c
+
+PORT_BIP_SRC = \
+	$(BACNET_PORT_DIR)/bip-init.c \
+	$(BACNET_SRC_DIR)/bacnet/datalink/bvlc.c \
+	$(BACNET_SRC_DIR)/bacnet/basic/bbmd/h_bbmd.c
+
+# WARNINGS, DEBUGGING, OPTIMIZATION are defined in common apps Makefile
+# BACNET_DEFINES is defined in common apps Makefile
+# put all the flags together
+INCLUDES = -I$(BACNET_SRC_DIR) -I$(BACNET_PORT_DIR)
+CFLAGS += $(WARNINGS) $(DEBUGGING) $(OPTIMIZATION) $(BACNET_DEFINES) $(INCLUDES)
+LFLAGS += -Wl,$(SYSTEM_LIB)
+ifneq (${BACNET_LIB},)
+LFLAGS += -Wl,$(BACNET_LIB)
+endif
+# GCC dead code removal
+CFLAGS += -ffunction-sections -fdata-sections
+LFLAGS += -Wl,--gc-sections
+
+BACNET_SRC = \
+	$(wildcard $(BACNET_SRC_DIR)/bacnet/*.c) \
+	$(wildcard $(BACNET_SRC_DIR)/bacnet/basic/*.c) \
+	$(wildcard $(BACNET_SRC_DIR)/bacnet/basic/binding/*.c) \
+	$(wildcard $(BACNET_SRC_DIR)/bacnet/basic/service/*.c) \
+	$(wildcard $(BACNET_SRC_DIR)/bacnet/basic/sys/*.c) \
+	$(BACNET_SRC_DIR)/bacnet/basic/npdu/h_routed_npdu.c \
+	$(BACNET_SRC_DIR)/bacnet/basic/npdu/s_router.c \
+	$(BACNET_SRC_DIR)/bacnet/basic/tsm/tsm.c
+
+SRCS = ${SRC} ${BACNET_SRC} ${PORT_MSTP_SRC} ${PORT_BIP_SRC}
+
+OBJS += ${SRCS:.c=.o}
+
+.PHONY: all
+all: Makefile ${TARGET_BIN}
+
+${TARGET_BIN}: ${OBJS}
+	${CC} ${PFLAGS} ${OBJS} ${LFLAGS} -o $@
+	size $@
+	cp $@ ../../bin
+
+.c.o:
+	${CC} -c ${CFLAGS} $*.c -o $@
+
+.PHONY: depend
+depend:
+	rm -f .depend
+	${CC} -MM ${CFLAGS} *.c >> .depend
+
+.PHONY: clean
+clean:
+	rm -f core ${TARGET_BIN} ${OBJS} $(TARGET).map
+
+.PHONY: include
+include: .depend

apps/fuzz-afl/README.md

@@ -0,0 +1,24 @@
+# Getting Started
+
+* Install [AFL](https://github.com/google/AFL), ensure afl-gcc exists on the system:
+
+```
+$ afl-gcc
+afl-cc 2.57b by <lcamtuf@google.com>
+```
+
+* Build via `make fuzz-afl` from repository root
+* Clone a decent [corpus](https://github.com/CrystalPeakSecurity/bacnet-corpus/tree/main)
+* Start AFL and feed it the input/output directories along with target executable
+
+```
+afl-fuzz -i </path/to/corpus/> -o </path/to/output_dir/> -m none ./apps/fuzz-afl/fuzz-afl
+```
+
+Caveats: 
+
+* This builds the target with ASAN (Address Sanitizer). This makes AFL require the `-m none` to not interpret ASAN's behavior as a crash
+* AFL uses a fork/exec model to launch the target. This is nice because each testcase is from a clean state. But this also brings in a lot of overhead. If you need something faster, check out ../fuzz-libfuzzer/
+
+
+

apps/fuzz-afl/main.c

@@ -0,0 +1,126 @@
+/**
+ * @file
+ * @author Steve Karg, Anthony Delorenzo
+ * @date 2020
+ * @brief
+ *
+ * @section LICENSE
+ *
+ * Copyright (C) 2020 Steve Karg <skarg@users.sourceforge.net>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ */
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <time.h>
+#include <assert.h>
+
+#include "bacnet/bacdef.h"
+#include "bacnet/config.h"
+#include "bacnet/bactext.h"
+#include "bacnet/bacerror.h"
+#include "bacnet/iam.h"
+#include "bacnet/arf.h"
+#include "bacnet/npdu.h"
+#include "bacnet/apdu.h"
+#include "bacnet/version.h"
+/* some demo modules we use */
+#include "bacnet/basic/sys/debug.h"
+#include "bacnet/basic/tsm/tsm.h"
+#include "bacnet/basic/binding/address.h"
+#include "bacnet/basic/services.h"
+/* port agnostic file */
+#include "bacport.h"
+/* our datalink layers */
+#include "bacnet/datalink/dlmstp.h"
+#include "bacnet/datalink/bip.h"
+#include "bacnet/datalink/bvlc.h"
+#include "bacnet/basic/bbmd/h_bbmd.h"
+
+// Pull in all of this... 
+#include "../router-mstp/main.c"
+
+static void Init_Service_Handlers()
+{
+
+    apdu_set_unconfirmed_handler(SERVICE_UNCONFIRMED_WHO_IS, handler_who_is_unicast);
+    apdu_set_unconfirmed_handler(SERVICE_UNCONFIRMED_WHO_HAS, handler_who_has);
+    apdu_set_unrecognized_service_handler_handler(handler_unrecognized_service);
+    apdu_set_confirmed_handler(SERVICE_CONFIRMED_READ_PROPERTY, handler_read_property);
+    apdu_set_confirmed_handler(SERVICE_CONFIRMED_READ_PROP_MULTIPLE, handler_read_property_multiple);
+    apdu_set_confirmed_handler(SERVICE_CONFIRMED_WRITE_PROPERTY, handler_write_property);
+    apdu_set_confirmed_handler(SERVICE_CONFIRMED_READ_RANGE, handler_read_range);
+    apdu_set_confirmed_handler(SERVICE_CONFIRMED_REINITIALIZE_DEVICE, handler_reinitialize_device);
+    apdu_set_unconfirmed_handler(SERVICE_UNCONFIRMED_UTC_TIME_SYNCHRONIZATION, handler_timesync_utc);
+    apdu_set_unconfirmed_handler(SERVICE_UNCONFIRMED_TIME_SYNCHRONIZATION, handler_timesync);
+    apdu_set_confirmed_handler(SERVICE_CONFIRMED_SUBSCRIBE_COV, handler_cov_subscribe);
+    apdu_set_unconfirmed_handler(SERVICE_UNCONFIRMED_COV_NOTIFICATION, handler_ucov_notification);
+    apdu_set_confirmed_handler(SERVICE_CONFIRMED_DEVICE_COMMUNICATION_CONTROL, handler_device_communication_control);
+    apdu_set_unconfirmed_handler(SERVICE_UNCONFIRMED_WHO_IS, handler_who_is);
+    apdu_set_unrecognized_service_handler_handler(handler_unrecognized_service);
+    apdu_set_confirmed_handler(SERVICE_CONFIRMED_READ_PROPERTY, handler_read_property);
+    apdu_set_unconfirmed_handler(SERVICE_UNCONFIRMED_I_AM, handler_i_am_add);
+}
+
+
+/*
+ * FIXME: This is a hack to get things linking correctly
+ */
+extern int cov_subscribe(void) {
+    return 0;
+}
+extern int Device_Value_List_Supported(void) {
+    return 0;
+}
+extern int Encode_RR_payload(void) {
+    return 0;
+}
+extern int Device_Objects_RR_Info(void) {
+    return 0;
+}
+extern int Device_Write_Property(void) {
+    return 0;
+}
+extern int Device_Reinitialize(void) {
+    return 0;
+}
+
+
+int main(int argc, char *argv[])
+{
+    BACNET_ADDRESS src = { 0 }; 
+    uint16_t pdu_len = 0;
+
+    Init_Service_Handlers();
+
+    pdu_len = read(0, &BIP_Rx_Buffer[0], sizeof(BIP_Rx_Buffer));
+
+    /* process fuzz input*/
+    if (pdu_len) {
+        my_routing_npdu_handler(BIP_Net, &src, &BIP_Rx_Buffer[0], pdu_len);
+    }
+
+    return 0;
+
+}