author | Haibo Huang <hhb@google.com> | 2019-02-25 18:53:35 -0800 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2019-02-25 18:53:35 -0800 |
commit | b7bc4c1a1a355ba5f92bd70520eb2af461324a14 (patch) | |
tree | 0216d428d963507374a444f568ff2b53ae0cf266 /socketfuzzer.c | |
parent | 5faf245112142c13404fb02cb09a96d3b82de342 (diff) | |
parent | a6d17d9d6e427aafa40978de8a3c4dc1380bc36a (diff) | |
download | honggfuzz-b7bc4c1a1a355ba5f92bd70520eb2af461324a14.tar.gz |
Upgrade honggfuzz to 1.8 am: c5fb7d209d am: 37df9eb97eandroid-mainline-10.0.0_r9android-mainline-10.0.0_r7android-mainline-10.0.0_r5android-mainline-10.0.0_r4android-mainline-10.0.0_r10android-10.0.0_r9android-10.0.0_r8android-10.0.0_r7android-10.0.0_r45android-10.0.0_r44android-10.0.0_r43android-10.0.0_r42android-10.0.0_r41android-10.0.0_r40android-10.0.0_r39android-10.0.0_r38android-10.0.0_r37android-10.0.0_r36android-10.0.0_r35android-10.0.0_r34android-10.0.0_r33android-10.0.0_r32android-10.0.0_r31android-10.0.0_r30android-10.0.0_r29android-10.0.0_r28android-10.0.0_r27android-10.0.0_r26android-10.0.0_r25android-10.0.0_r24android-10.0.0_r23android-10.0.0_r22android-10.0.0_r21android-10.0.0_r20android-10.0.0_r19android-10.0.0_r18android-10.0.0_r16android-10.0.0_r15android-10.0.0_r14android-10.0.0_r13android-10.0.0_r12android10-qpr3-s1-releaseandroid10-qpr3-releaseandroid10-qpr2-s4-releaseandroid10-qpr2-s3-releaseandroid10-qpr2-s2-releaseandroid10-qpr2-s1-releaseandroid10-qpr2-releaseandroid10-qpr1-releaseandroid10-qpr1-mainline-releaseandroid10-qpr1-d-releaseandroid10-qpr1-c-s1-releaseandroid10-qpr1-c-releaseandroid10-qpr1-b-s1-releaseandroid10-qpr1-b-releaseandroid10-mainline-media-releaseandroid10-devandroid10-d4-s1-releaseandroid10-d4-releaseandroid10-c2f2-s2-releaseandroid10-c2f2-s1-releaseandroid10-c2f2-release
am: a6d17d9d6e
Change-Id: I275c440913c57f697926db26034f30dc24a88eb7
Diffstat (limited to 'socketfuzzer.c')
-rw-r--r-- | socketfuzzer.c | 165 |
1 files changed, 165 insertions, 0 deletions
diff --git a/socketfuzzer.c b/socketfuzzer.c
new file mode 100644
index 00000000..14a5f246
--- /dev/null
+++ b/socketfuzzer.c
@@ -0,0 +1,165 @@
+#include <errno.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <libgen.h>
+#include <pthread.h>
+#include <signal.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <errno.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/un.h>
+#include <unistd.h>
+
+#include "honggfuzz.h"
+#include "libhfcommon/common.h"
+#include "libhfcommon/files.h"
+#include "libhfcommon/log.h"
+#include "libhfcommon/ns.h"
+#include "libhfcommon/util.h"
+
+#include "socketfuzzer.h"
+
+bool fuzz_waitForExternalInput(run_t* run) {
+ /* tell the external fuzzer to do his thing */
+ if (!fuzz_prepareSocketFuzzer(run)) {
+ LOG_F("fuzz_prepareSocketFuzzer() failed");
+ return false;
+ }
+
+ /* the external fuzzer may inform us of a crash */
+ int result = fuzz_waitforSocketFuzzer(run);
+ if (result == 2) {
+ return false;
+ }
+
+ return true;
+}
+
+bool fuzz_prepareSocketFuzzer(run_t* run) {
+ ssize_t ret;
+
+ // Notify fuzzer that he should send teh things
+ LOG_D("fuzz_prepareSocketFuzzer: SEND Fuzz");
+ ret = send(run->global->socketFuzzer.clientSocket, "Fuzz", 4, 0);
+ if (ret < 0) {
+ LOG_F("fuzz_prepareSocketFuzzer: received: %zu", ret);
+ return false;
+ }
+
+ return true;
+}
+
+/* Return values:
+ 0: error
+ 1: okay
+ 2: target unresponsive
+*/
+int fuzz_waitforSocketFuzzer(run_t* run) {
+ ssize_t ret;
+ char buf[16];
+
+ // Wait until the external fuzzer did his thing
+ bzero(buf, 16);
+ ret = recv(run->global->socketFuzzer.clientSocket, buf, 4, 0);
+ LOG_D("fuzz_waitforSocketFuzzer: RECV: %s", buf);
+
+ // We dont care what we receive, its just to block here
+ if (ret < 0) {
+ LOG_F("fuzz_waitforSocketFuzzer: received: %zu", ret);
+ return 0;
+ }
+
+ if (memcmp(buf, "okay", 4) == 0) {
+ return 1;
+ } else if (memcmp(buf, "bad!", 4) == 0) {
+ return 2;
+ }
+
+ return 0;
+}
+
+bool fuzz_notifySocketFuzzerNewCov(honggfuzz_t* hfuzz) {
+ ssize_t ret;
+
+ // Tell the fuzzer that the thing he sent reached new BB's
+ ret = send(hfuzz->socketFuzzer.clientSocket, "New!", 4, 0);
+ LOG_D("fuzz_notifySocketFuzzer: SEND: New!");
+ if (ret < 0) {
+ LOG_F("fuzz_notifySocketFuzzer: sent: %zu", ret);
+ return false;
+ }
+
+ return true;
+}
+
+bool fuzz_notifySocketFuzzerCrash(run_t* run) {
+ ssize_t ret;
+
+ ret = send(run->global->socketFuzzer.clientSocket, "Cras", 4, 0);
+ LOG_D("fuzz_notifySocketFuzzer: SEND: Crash");
+ if (ret < 0) {
+ LOG_F("fuzz_notifySocketFuzzer: sent: %zu", ret);
+ return false;
+ }
+
+ return true;
+}
+
+bool setupSocketFuzzer(honggfuzz_t* run) {
+ int s, len;
+ socklen_t t;
+ struct sockaddr_un local, remote;
+ char socketPath[512];
+ snprintf(socketPath, sizeof(socketPath), "/tmp/honggfuzz_socket.%i", getpid());
+
+ if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
+ perror("socket");
+ return false;
+ }
+
+ local.sun_family = AF_UNIX;
+ strcpy(local.sun_path, socketPath);
+ unlink(local.sun_path);
+ len = strlen(local.sun_path) + sizeof(local.sun_family);
+ if (bind(s, (struct sockaddr*)&local, len) == -1) {
+ perror("bind");
+ return false;
+ }
+
+ if (listen(s, 5) == -1) {
+ perror("listen");
+ return false;
+ }
+
+ printf("Waiting for SocketFuzzer connection on socket: %s\n", socketPath);
+ t = sizeof(remote);
+ if ((run->socketFuzzer.clientSocket = accept(s, (struct sockaddr*)&remote, &t)) == -1) {
+ perror("accept");
+ return false;
+ }
+
+ run->socketFuzzer.serverSocket = s;
+ printf("A SocketFuzzer client connected. Continuing.\n");
+
+ return true;
+}
+
+void cleanupSocketFuzzer() {
+ char socketPath[512];
+ snprintf(socketPath, sizeof(socketPath), "/tmp/honggfuzz_socket.%i", getpid());
+ unlink(socketPath);
+} |
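Review bot: In setupSocketFuzzer, `strcpy(local.sun_path, socketPath)` copies from a 512-byte buffer into the fixed-size sun_path with no bound, and `local` is never zeroed before bind; copy with `snprintf(local.sun_path, sizeof local.sun_path, "%s", socketPath)` after `memset(&local, 0, sizeof local)` and fail on truncation. The same function leaks the listening socket `s` on every error path after socket(), since the bind, listen and accept failures return without close(s). Separately, the socket lives at a predictable name in shared /tmp, is unlink()ed and re-created with default permissions, and accept() takes the first peer with no check, so any local user who can reach /tmp could connect and drive the fuzzer or squat the path; a user-private directory or an SO_PEERCRED check on the accepted peer would narrow that. The `%zu` in the LOG_F calls of fuzz_prepareSocketFuzzer, fuzz_waitforSocketFuzzer and both notify functions prints a negative ssize_t through an unsigned conversion; `%zd` matches the type.
```c
    /* … unchanged: socketPath snprintf and socket() … */
    memset(&local, 0, sizeof local);
    local.sun_family = AF_UNIX;
    if (snprintf(local.sun_path, sizeof local.sun_path, "%s", socketPath) >= (int)sizeof local.sun_path) {
        fprintf(stderr, "socket path too long: %s\n", socketPath);
        goto fail;
    }
    unlink(local.sun_path);
    len = strlen(local.sun_path) + sizeof(local.sun_family);
    if (bind(s, (struct sockaddr*)&local, len) == -1) {
        perror("bind");
        goto fail;
    }

    if (listen(s, 5) == -1) {
        perror("listen");
        goto fail;
    }

    /* … unchanged: waiting printf and t = sizeof(remote) … */
    if ((run->socketFuzzer.clientSocket = accept(s, (struct sockaddr*)&remote, &t)) == -1) {
        perror("accept");
        goto fail;
    }

    /* … unchanged: serverSocket assignment, connected printf, return true … */
fail:
    close(s);
    unlink(local.sun_path);
    return false;
```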