Try2 increase code coverage

CMakeLists.txt

@@ -94,30 +94,52 @@ IF (CMAKE_SYSTEM_NAME STREQUAL "Linux")
      SET(CMAKE_C_FLAGS "-D_GNU_SOURCE -pthread ${CMAKE_C_FLAGS}")
 ENDIF ()
 
+
 IF (BUILD_FUZZER)
-    MESSAGE(STATUS "************* Making the fuzzer")
+    MESSAGE(STATUS "************* Making the packet fuzzer")
+    SET(FUZZER_EXE "quicly-fuzzer-packet")
+    SET(FUZZER_CC "fuzz/packet.cc")
+
     IF(NOT CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
         MESSAGE(FATAL_ERROR "The fuzzer needs clang as a compiler")
     ENDIF()
-    ADD_EXECUTABLE(quicly-fuzzer-packet fuzz/packet.cc ${PICOTLS_OPENSSL_FILES})
+    ADD_EXECUTABLE(${FUZZER_EXE} ${FUZZER_CC} ${PICOTLS_OPENSSL_FILES} lib/quicly.c)
     SET(CMAKE_EXE_LINKER_FLAGS "${CMAKE_C_FLAGS}")
     IF (OSS_FUZZ)
         # Use https://github.com/google/oss-fuzz compatible options
         SET(LIB_FUZZER FuzzingEngine)
         SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-omit-frame-pointer")
         SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-omit-frame-pointer")
-        TARGET_LINK_LIBRARIES(quicly-fuzzer-packet quicly ${OPENSSL_LIBRARIES} ${CMAKE_DL_LIBS})
+        TARGET_LINK_LIBRARIES(${FUZZER_EXE} quicly ${OPENSSL_LIBRARIES} ${CMAKE_DL_LIBS})
     ELSEIF (USE_CLANG_RT)
         SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-omit-frame-pointer -fsanitize=fuzzer,address,undefined -fsanitize-coverage=edge,indirect-calls")
         SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -fno-omit-frame-pointer -fsanitize=fuzzer,address,undefined -fsanitize-coverage=edge,indirect-calls")
-        TARGET_LINK_LIBRARIES(quicly-fuzzer-packet quicly ${OPENSSL_LIBRARIES} ${CMAKE_DL_LIBS})
+        TARGET_LINK_LIBRARIES(${FUZZER_EXE} quicly ${OPENSSL_LIBRARIES} ${CMAKE_DL_LIBS})
     ELSE()
         SET(LIB_FUZZER "${CMAKE_CURRENT_BINARY_DIR}/libFuzzer.a")
         SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-omit-frame-pointer -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link")
         SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -fno-omit-frame-pointer -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link")
         ADD_CUSTOM_TARGET(libFuzzer ${CMAKE_CURRENT_SOURCE_DIR}/misc/build_libFuzzer.sh WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
-        ADD_DEPENDENCIES(quicly-fuzzer-packet libFuzzer)
-        TARGET_LINK_LIBRARIES(quicly-fuzzer-packet quicly ${OPENSSL_LIBRARIES} ${CMAKE_DL_LIBS} ${LIB_FUZZER})
+        ADD_DEPENDENCIES(${FUZZER_EXE} libFuzzer)
+        TARGET_LINK_LIBRARIES(${FUZZER_EXE} quicly ${OPENSSL_LIBRARIES} ${CMAKE_DL_LIBS} ${LIB_FUZZER})
     ENDIF(OSS_FUZZ)
 ENDIF()
 
+IF (BUILD_FUZZER_ADDRESS_TOKEN)
+    MESSAGE(STATUS "===== Making the adddress token fuzzer")
+    SET(FUZZER_EXE "quicly-fuzzer-address-token")
+    SET(FUZZER_CC "fuzz/address_token.cc")
+
+    IF(NOT CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
+	MESSAGE(FATAL_ERROR "The fuzzer needs clang as a compiler")
+    ENDIF()
+    ADD_EXECUTABLE(${FUZZER_EXE} ${FUZZER_CC} ${PICOTLS_OPENSSL_FILES})
+    SET(CMAKE_EXE_LINKER_FLAGS "${CMAKE_C_FLAGS}")
+    SET(LIB_FUZZER "${CMAKE_CURRENT_BINARY_DIR}/libFuzzer.a")
+        SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-omit-frame-pointer -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link")
+        SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -fno-omit-frame-pointer -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link")
+    ADD_CUSTOM_TARGET(libFuzzer ${CMAKE_CURRENT_SOURCE_DIR}/misc/build_libFuzzer.sh WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
+    ADD_DEPENDENCIES(${FUZZER_EXE} quicly libFuzzer)
+    TARGET_LINK_LIBRARIES(${FUZZER_EXE} quicly ${OPENSSL_LIBRARIES} ${CMAKE_DL_LIBS} ${LIB_FUZZER})
+ENDIF()
+

fuzz/address_token.cc

@@ -0,0 +1,23 @@
+#include <string.h>
+#include <stdio.h>
+#include "picotls.h"
+#include "picotls/openssl.h"
+#include "quicly.h"
+#include "quicly/defaults.h"
+#include "quicly/streambuf.h"
+
+void __sanitizer_cov_trace_pc(void)
+{
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
+{
+
+	static const uint8_t zero_key[PTLS_MAX_SECRET_SIZE] = {0};
+	ptls_buffer_t buf;
+        char b[3];
+	ptls_aead_context_t *enc = ptls_aead_new(&ptls_openssl_aes128gcm, &ptls_openssl_sha256, 1, zero_key, "");
+	ptls_buffer_init(&buf, b, 0);
+
+	quicly_encrypt_address_token(ptls_openssl_random_bytes, enc, &buf, Size, (quicly_address_token_plaintext_t *)Data);	
+}

fuzz/packet.cc

@@ -71,6 +71,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
                     if ((ret = quicly_decode_max_streams_frame(&src, end, &frame)) != 0)
                         return 0;
                 } break;
+	        case QUICLY_FRAME_TYPE_PADDING:
                 case QUICLY_FRAME_TYPE_PING:
                     ret = 0;
                     break;

lib/quicly.c

@@ -4909,7 +4909,10 @@ void quicly_amend_ptls_context(ptls_context_t *ptls)
 int quicly_encrypt_address_token(void (*random_bytes)(void *, size_t), ptls_aead_context_t *aead, ptls_buffer_t *buf,
                                  size_t start_off, const quicly_address_token_plaintext_t *plaintext)
 {
-    int ret;
+    int ret = 0;
+
+    if (start_off < sizeof(quicly_address_token_plaintext_t))
+	goto Exit; 
 
     /* IV */
     if ((ret = ptls_buffer_reserve(buf, aead->algo->iv_size)) != 0)