lib/fuzzing: Split up automatically build fuzzers into TYPE_{IN,OUT,STRUCT}

The advise is that a fuzz target should be as small as possible
so we split this up.  Splitting up by function would build too
many fuzzers, but this should help a little.

See for example:
https://github.com/google/fuzzing/blob/master/docs/good-fuzz-target.md#large-apis

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>

buildtools/wafsamba/samba_pidl.py

@@ -123,7 +123,19 @@ def SAMBA_PIDL_LIST(bld, name, source,
         # the fuzzers rely
         if generate_tables and generate_fuzzers:
             interface = p[0:-4] # strip off the .idl suffix
-            bld.SAMBA_NDR_FUZZ(interface, auto_deps=True)
+            bld.SAMBA_NDR_FUZZ(interface,
+                               auto_deps=True,
+                               fuzz_type="TYPE_STRUCT")
+
+            # Only generate the TYPE_STRUCT fuzzer if this isn't
+            # really DCE/RPC
+            if '--client' in options:
+                bld.SAMBA_NDR_FUZZ(interface,
+                                   auto_deps=True,
+                                   fuzz_type="TYPE_IN")
+                bld.SAMBA_NDR_FUZZ(interface,
+                                   auto_deps=True,
+                                   fuzz_type="TYPE_OUT")
 Build.BuildContext.SAMBA_PIDL_LIST = SAMBA_PIDL_LIST
 
 

lib/fuzzing/fuzz_ndr_X.c

@@ -192,6 +192,20 @@ int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) {
 	function = SVAL(data, 2);
 
 	type = fuzz_packet_flags & 3;
+
+#ifdef FUZZ_TYPE
+	/*
+	 * Fuzz targets should have as small an interface as possible.
+	 * This allows us to create 3 binaries for most pipes,
+	 * TYPE_IN, TYPE_OUT and TYPE_STRUCT
+	 *
+	 * We keep the header format, and just exit early if it does
+	 * not match.
+	 */
+	if (type != FUZZ_TYPE) {
+		return 0;
+	}
+#endif
 #endif
 
 	switch (type) {

lib/fuzzing/wscript_build

@@ -59,10 +59,12 @@ def SAMBA_NDR_FUZZ(bld, interface, auto_deps=False,
     fuzz_src = os.path.join(fuzz_reldir, 'fuzz_ndr_X.c')
 
     cflags = "-D FUZZ_PIPE_TABLE=ndr_table_%s" % interface
+    if fuzz_type:
+        name += "_%s" % (fuzz_type)
+        cflags += " -D FUZZ_TYPE=%s " % (fuzz_type)
     if fuzz_type and fuzz_function:
-        name += "_%s_%d" % (fuzz_type, fuzz_function)
-        cflags += " -D FUZZ_TYPE=%s -DFUZZ_FUNCTION=%d" % (fuzz_type,
-                                                           fuzz_function)
+        name += "_%d" % (fuzz_function)
+        cflags += " -D FUZZ_FUNCTION=%d" % (fuzz_function)
 
     fuzz_named_src = os.path.join(fuzz_reldir,
                                   '%s.c' % (name))