author | Felix Weinrank <weinrank@fh-muenster.de> | 2020-03-18 00:38:11 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-18 00:38:11 +0100 |
commit | 7b87cd42ea036919a69acf299601469f2aa79b75 (patch) | |
tree | e8d3534cde75ec5f9f08839cb54beaa384dda99f /fuzzer/fuzzer_connect.c | |
parent | 3212d5413a75d4d039e80874dffd2e44f8087ce4 (diff) | |
download | usrsctp-7b87cd42ea036919a69acf299601469f2aa79b75.tar.gz |
Fuzzer (#446)
Diffstat (limited to 'fuzzer/fuzzer_connect.c')
-rw-r--r-- | fuzzer/fuzzer_connect.c | 222 |
1 files changed, 96 insertions, 126 deletions
diff --git a/fuzzer/fuzzer_connect.c b/fuzzer/fuzzer_connect.c index 79505db6..be44941d 100644 --- a/fuzzer/fuzzer_connect.c +++ b/fuzzer/fuzzer_connect.c @@ -39,9 +39,16 @@ //#define FUZZ_VERBOSE #define FUZZ_INTERLEAVING -//#define FUZZ_EXPLICIT_EOR #define FUZZ_STREAM_RESET -#define FUZZ_DISABLE_LINGER + +#define FUZZ_B_INJECT_INIT_ACK (1 << 0) +#define FUZZ_B_INJECT_COOKIE_ACK (1 << 1) +#define FUZZ_B_SEND_DATA (1 << 2) +#define FUZZ_B_SEND_STREAM_RESET (1 << 3) +#define FUZZ_B_INJECT_DATA (1 << 4) +#define FUZZ_B_I_DATA_SUPPORT (1 << 5) +#define FUZZ_B_RESERVED1 (1 << 6) +#define FUZZ_B_RESERVED2 (1 << 7) #define BUFFER_SIZE 4096 #define COMMON_HEADER_SIZE 12 @@ -70,6 +77,7 @@ dump_packet(const void *buffer, size_t bufferlen, int inout) { #endif // FUZZ_VERBOSE } + static int conn_output(void *addr, void *buf, size_t length, uint8_t tos, uint8_t set_df) { @@ -176,7 +184,7 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) SCTP_STREAM_CHANGE_EVENT, SCTP_SEND_FAILED_EVENT }; - int enable; + int optval; int result; struct sctp_initmsg initmsg; #if defined(FUZZ_STREAM_RESET) || defined(FUZZ_INTERLEAVING) 
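Review bot: The new FUZZ_B_* definitions in the first hunk carry no comment saying what they are tested against, so a reader has to find the `data[0] & FUZZ_B_...` checks several hundred lines further down to learn that the first fuzzer input byte is a scenario selector and that `data + 1` becomes the injected packet. I would put `/* Bit flags of data[0], the first fuzzer input byte: they select which steps run; data[1..] is injected as the SCTP packet body. */` above `#define FUZZ_B_INJECT_INIT_ACK`. FUZZ_B_RESERVED1 and FUZZ_B_RESERVED2 are defined but not referenced anywhere in this diff; a short `/* spare */` comment on them would save a reader from hunting for their use. Since the bits form one related set, an anonymous `enum { FUZZ_B_INJECT_INIT_ACK = 1 << 0, ... }` would also make them visible in the debugger, but that is a matter of taste.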
@@ -184,52 +192,41 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) #endif // defined(FUZZ_STREAM_RESET) || defined(FUZZ_INTERLEAVING) // WITH COMMON HEADER! - char fuzz_init_ack[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00\x02\x00\x01\xf8" \ - "\xc7\xa1\xb0\x4d\x00\x1c\x71\xc7\x00\x0a\xff\xff\x03\x91\x94\x1b" \ - "\x80\x00\x00\x04\xc0\x00\x00\x04\x80\x08\x00\x09\xc0\x0f\xc1\x80" \ - "\x82\x00\x00\x00\x80\x02\x00\x24\x61\x6c\x7e\x52\x2a\xdb\xe0\xa2" \ - "\xaa\x78\x25\x1e\x12\xc5\x01\x9e\x4c\x60\x16\xdf\x01\x6d\xa1\xd5" \ - "\xcd\xbe\xa7\x5d\xa2\x73\xf4\x1b\x80\x04\x00\x08\x00\x03\x00\x01" \ - "\x80\x03\x00\x07\x00\x80\xc1\x00\x00\x06\x00\x14\x2a\x02\xc6\xa0" \ - "\x40\x15\x00\x11\x00\x00\x00\x00\x00\x00\x00\x83\x00\x05\x00\x08" \ - "\xd4\xc9\x79\x53\x00\x07\x01\x80\x4b\x41\x4d\x45\x2d\x42\x53\x44" \ - "\x20\x31\x2e\x31\x00\x00\x00\x00\x64\x11\x49\x00\x00\x00\x00\x00" \ - "\xac\xde\x0c\x00\x00\x00\x00\x00\x60\xea\x00\x00\x00\x00\x00\x00" \ - "\x00\x00\x00\x00\xb2\xd4\x38\x45\xc7\xa1\xb0\x4d\xd4\xc9\x79\x52" \ + char fuzz_init_ack[] = "\x13\x89\x13\x88\x49\xa4\xac\xb2\x00\x00\x00\x00\x02\x00\x01\xb4" \ + "\x2b\xe8\x47\x40\x00\x1c\x71\xc7\xff\xff\xff\xff\xed\x69\x58\xec" \ + "\xc0\x06\x00\x08\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04" \ + "\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \ + "\x40\x39\xcf\x32\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6" \ + "\x2f\xb7\x81\x96\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa" \ + "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \ + "\x00\x07\x01\x50\x4b\x41\x4d\x45\x2d\x42\x53\x44\x20\x31\x2e\x31" \ + "\x00\x00\x00\x00\x64\xdb\x63\x00\x00\x00\x00\x00\xc9\x76\x03\x00" \ + "\x00\x00\x00\x00\x60\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \ + "\xb2\xac\xa4\x49\x2b\xe8\x47\x40\xd4\xc9\x79\x52\x00\x00\x00\x00" \ + "\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\xd4\xc9\x79\x53" \ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00" \ - 
"\xd4\xc9\x79\x53\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \ - "\x05\x00\x00\x00\x00\x00\x00\x00\xd9\x05\x13\x89\x01\x01\x00\x00" \ - "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x80\x45\x38\xd4\xb2" \ - "\x00\x1c\x71\xc7\x00\x01\xff\xff\xac\x40\x9b\x94\x80\x00\x00\x04" \ - "\xc0\x00\x00\x04\x80\x08\x00\x09\xc0\x0f\xc1\x80\x82\x00\x00\x00" \ - "\x80\x02\x00\x24\xc8\x24\x46\x8c\x7e\x88\x2e\xb7\x88\x8b\xdd\xa1" \ - "\x55\x8b\xb4\xc0\x26\xe3\x21\xbb\xb0\x66\xfd\xb2\xd4\xde\xf9\x77" \ - "\x4f\xe4\x7c\xbf\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x07" \ - "\x00\x80\xc1\x00\x00\x0c\x00\x08\x00\x05\x00\x06\x00\x06\x00\x14" \ - "\x2a\x02\xc6\xa0\x40\x15\x00\x11\x00\x00\x00\x00\x00\x00\x00\x82" \ - "\x00\x05\x00\x08\xd4\xc9\x79\x52\x02\x00\x01\xf8\xc7\xa1\xb0\x4d" \ - "\x00\x1c\x71\xc7\x00\x01\xff\xff\x03\x91\x94\x1b\x80\x00\x00\x04" \ - "\xc0\x00\x00\x04\x80\x08\x00\x09\xc0\x0f\xc1\x80\x82\x00\x00\x00" \ - "\x80\x02\x00\x24\x61\x6c\x7e\x52\x2a\xdb\xe0\xa2\xaa\x78\x25\x1e" \ - "\x12\xc5\x01\x9e\x4c\x60\x16\xdf\x01\x6d\xa1\xd5\xcd\xbe\xa7\x5d" \ - "\xa2\x73\xf4\x1b\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x07" \ - "\x00\x80\xc1\x00\x00\x06\x00\x14\x2a\x02\xc6\xa0\x40\x15\x00\x11" \ - "\x00\x00\x00\x00\x00\x00\x00\x83\x00\x05\x00\x08\xd4\xc9\x79\x53" \ - "\x64\x30\x8a\xb9\x7c\xe5\x93\x69\x52\xa9\xc8\xd5\xa1\x1b\x7d\xef" \ - "\xea\xfa\x23\x32"; + "\x00\x00\x00\x00\x5a\x76\x13\x89\x01\x00\x00\x00\x00\x00\x00\x00" \ + "\x00\x00\x00\x00\x01\x00\x00\x62\x49\xa4\xac\xb2\x00\x1c\x71\xc7" \ + "\x00\x01\xff\xff\x82\xe6\xc8\x44\x80\x00\x00\x04\xc0\x00\x00\x04" \ + "\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \ + "\xb6\xbb\xb5\x7f\xbb\x4b\x0e\xb5\x42\xf6\x75\x18\x4f\x79\x0f\x24" \ + "\x1c\x44\x0b\xd6\x62\xa9\x84\xe7\x2c\x3c\x7f\xad\x1b\x67\x81\x57" \ + "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \ + "\x00\x0c\x00\x06\x00\x05\x00\x00\x02\x00\x01\xb4\x2b\xe8\x47\x40" \ + 
"\x00\x1c\x71\xc7\x00\x01\xff\xff\xed\x69\x58\xec\xc0\x06\x00\x08" \ + "\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04\x80\x08\x00\x0b" \ + "\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24\x40\x39\xcf\x32" \ + "\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6\x2f\xb7\x81\x96" \ + "\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa\x80\x04\x00\x08" \ + "\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00\x81\xe1\x1e\x81" \ + "\xea\x41\xeb\xf0\x12\xd9\x74\xbe\x13\xfd\x4b\x6c\x5c\xa2\x8f\x00"; // WITH COMMON HEADER! char fuzz_cookie_ack[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00\x0b\x00\x00\x04"; // WITH COMMON HEADER! - char fuzz_abort[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00\x06\x00\x00\x08\x00\x0c\x00\x04"; - - // WITH COMMON HEADER! - char fuzz_i_data[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00" \ - "\x00\x1b\x04\x42\xa3\x58\x90\xe2\xba\x9e\x8c\xfc\x08\x00\x45\x02" \ - "\x04\x34\x00\x00\x40\x00\x40\x84\x9a\x0b\xd4\xc9\x79\x52\xd4\xc9" \ - "\x79\x53\x65\x75\x13\x89\x11\x97\x93\x37\x26\x6c\xb7\x65\x40\x02" \ - "\x04\x14\x96\xff\xad\xc1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \ + char fuzz_i_data[] = "\x13\x89\x13\x88\x07\x01\x6c\xd3\x00\x00\x00\x00\x40\x03" \ + "\x00\xdc\x2d\x2b\x46\xd4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \ "\x00\x27\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ 
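Review bot: The replacement fuzz_init_ack and fuzz_i_data literals are opaque byte blobs whose only annotation is `// WITH COMMON HEADER!`; nothing says what each holds, how long it is, or that its verification tag field is overwritten before injection (the later hunks do `common_header->verification_tag = assoc_vtag;` right before `usrsctp_conninput`). I would extend the comment on each literal along the lines of `// INIT-ACK, 448 bytes including the common header; the vtag in bytes 4..7 is patched to assoc_vtag at injection time`, and the same for fuzz_i_data (232 bytes) and the fuzz_data literal added in the next hunk (228 bytes). The counts are the ones the injection code uses; I tallied 28 lines of 16 bytes for fuzz_init_ack, which agrees with 448. The enclosing LLVMFuzzerTestOneInput starts and ends outside this hunk.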
@@ -242,6 +239,11 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"; + + // WITH COMMON HEADER! + char fuzz_data[] = "\x13\x89\x13\x88\x27\xc4\xbf\xdf\x00\x00\x00\x00\x00\x03" \ + "\x00\xd8\x79\x64\xb7\xc1\x00\x00\x00\x00\x00\x00\x00\x27\x41\x41" \ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ 
@@ -254,47 +256,8 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - 
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \ - "\x41\x41"; + "\x41\x41\x41\x41\x41\x41"; + char fuzz_common_header[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00"; @@ -326,7 +289,6 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) assert(result == 0); memset(&event, 0, sizeof(event)); - event.se_assoc_id = SCTP_ALL_ASSOC; event.se_on = 1; for (i = 0; i < (sizeof(event_types) / sizeof(uint16_t)); i++) { event.se_type = event_types[i]; 
@@ -334,19 +296,13 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) assert(result == 0); } - enable = 1; - result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVRCVINFO, &enable, sizeof(enable)); - assert(result == 0); - - enable = 1; - result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVNXTINFO, &enable, sizeof(enable)); + optval = 1; + result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVRCVINFO, &optval, sizeof(optval)); assert(result == 0); -#if defined(FUZZ_EXPLICIT_EOR) - enable = 1; - result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_EXPLICIT_EOR, &enable, sizeof(enable)); + optval = 1; + result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVNXTINFO, &optval, sizeof(optval)); assert(result == 0); -#endif // defined(FUZZ_EXPLICIT_EOR) #if defined(FUZZ_STREAM_RESET) assoc_val.assoc_id = SCTP_ALL_ASSOC; @@ -359,14 +315,17 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) #if !defined(SCTP_INTERLEAVING_SUPPORTED) #define SCTP_INTERLEAVING_SUPPORTED 0x00001206 #endif // !defined(SCTP_INTERLEAVING_SUPPORTED) - enable = 2; - result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_FRAGMENT_INTERLEAVE, &enable, sizeof(enable)); - assert(result == 0); - memset(&assoc_val, 0, sizeof(assoc_val)); - assoc_val.assoc_value = 1; - result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INTERLEAVING_SUPPORTED, &assoc_val, sizeof(assoc_val)); - assert(result == 0); + if (data[0] & FUZZ_B_I_DATA_SUPPORT) { + optval = 2; + result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_FRAGMENT_INTERLEAVE, &optval, sizeof(optval)); + assert(result == 0); + + memset(&assoc_val, 0, sizeof(assoc_val)); + assoc_val.assoc_value = 1; + result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INTERLEAVING_SUPPORTED, &assoc_val, sizeof(assoc_val)); + assert(result == 0); + } #endif // defined(FUZZ_INTERLEAVING) memset((void *)&bind6, 0, sizeof(struct sockaddr_in6)); 
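Review bot: The new `if (data[0] & FUZZ_B_I_DATA_SUPPORT)` in the second hunk reads the input byte during socket setup, earlier than any of the existing `data[0]` tests, and no length check is visible in any hunk; a fuzzing engine may call the target with an empty input, in which case this is an out-of-bounds read. If LLVMFuzzerTestOneInput already rejects short inputs at its head (outside the diff) this is fine, otherwise `if (data_size < 1) { return (0); }` belongs at function entry — the `malloc(data_size - 1 + COMMON_HEADER_SIZE)` at the end of the last hunk relies on the same guard, since `data_size - 1` wraps for a zero-length input. It would also help to state that dependency with `// data[0] is the scenario byte; data_size >= 1 is checked at entry` next to the new test. The enclosing function starts and ends outside this hunk.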
@@ -380,6 +339,11 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) result = usrsctp_bind(socket_client, (struct sockaddr *)&bind6, sizeof(bind6)); assert(result == 0); + // Disable Nagle. + optval = 1; + result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_NODELAY, &optval, sizeof(optval)); + assert(result == 0); + usrsctp_set_upcall(socket_client, handle_upcall, NULL); memset(&sconn, 0, sizeof(struct sockaddr_conn)); @@ -394,17 +358,17 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) result = usrsctp_connect(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn)); assert(result == 0 || errno == EINPROGRESS); - if (data[0] & (1 << 0)) { + if (data[0] & FUZZ_B_INJECT_INIT_ACK) { fuzzer_printf("Injecting INIT-ACK\n"); common_header = (struct sctp_common_header*) fuzz_init_ack; common_header->verification_tag = assoc_vtag; - dump_packet(fuzz_init_ack, 516, SCTP_DUMP_INBOUND); - usrsctp_conninput((void *)1, fuzz_init_ack, 516, 0); + dump_packet(fuzz_init_ack, 448, SCTP_DUMP_INBOUND); + usrsctp_conninput((void *)1, fuzz_init_ack, 448, 0); } - if (data[0] & (1 << 1)) { + if (data[0] & FUZZ_B_INJECT_COOKIE_ACK) { fuzzer_printf("Injecting COOKIE-ACK\n"); common_header = (struct sctp_common_header*) fuzz_cookie_ack; 
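Review bot: `dump_packet(fuzz_init_ack, 448, SCTP_DUMP_INBOUND);` and `usrsctp_conninput((void *)1, fuzz_init_ack, 448, 0);` in the second hunk repeat a length that must be kept in step with the literal by hand, and this commit itself had to change it from 516. fuzz_init_ack is a char array initialized from a string literal, so `sizeof(fuzz_init_ack) - 1` is exactly the byte count (28 lines of 16 bytes, which matches 448) and cannot go stale; I would write `dump_packet(fuzz_init_ack, sizeof(fuzz_init_ack) - 1, SCTP_DUMP_INBOUND);` and `usrsctp_conninput((void *)1, fuzz_init_ack, sizeof(fuzz_init_ack) - 1, 0);`. The same applies to the 16 for fuzz_cookie_ack at the start of the next hunk and to 232 and 228 for fuzz_i_data and fuzz_data in the @@ -449 hunk. The enclosing function starts and ends outside this hunk.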
@@ -414,32 +378,18 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) usrsctp_conninput((void *)1, fuzz_cookie_ack, 16, 0); } - // Required: INIT-ACK and COOKIE-ACK - if (data[0] & (1 << 0) && - data[0] & (1 << 1) && - data[0] & (1 << 2)) { + if (data[0] & FUZZ_B_INJECT_INIT_ACK && + data[0] & FUZZ_B_INJECT_COOKIE_ACK && + data[0] & FUZZ_B_SEND_DATA) { const char *sendbuffer = "Geologie ist keine richtige Wissenschaft!"; fuzzer_printf("Calling usrsctp_sendv()\n"); usrsctp_sendv(socket_client, sendbuffer, strlen(sendbuffer), NULL, 0, NULL, 0, SCTP_SENDV_NOINFO, 0); } // Required: INIT-ACK and COOKIE-ACK - if (data[0] & (1 << 0) && - data[0] & (1 << 1) && - data[0] & (1 << 3)) { - fuzzer_printf("Injecting I-DATA\n"); - - common_header = (struct sctp_common_header*) fuzz_i_data; - common_header->verification_tag = assoc_vtag; - - dump_packet(fuzz_i_data, 1102, SCTP_DUMP_INBOUND); - usrsctp_conninput((void *)1, fuzz_i_data, 1102, 0); - } - - // Required: INIT-ACK and COOKIE-ACK - if (data[0] & (1 << 0) && - data[0] & (1 << 1) && - data[0] & (1 << 4)) { + if (data[0] & FUZZ_B_INJECT_INIT_ACK && + data[0] & FUZZ_B_INJECT_COOKIE_ACK && + data[0] & FUZZ_B_SEND_STREAM_RESET) { fuzzer_printf("Sending Stream Reset for all streams\n"); struct sctp_reset_streams srs; 
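Review bot: The rewritten send-data condition drops the `// Required: INIT-ACK and COOKIE-ACK` comment that the old code had and that the sibling stream-reset block in this hunk and the injection block in the next hunk still carry, so the three blocks no longer read consistently. I would restore the comment above `if (data[0] & FUZZ_B_INJECT_INIT_ACK &&`. The condition also mixes `&` and `&&` without parentheses; it is correct because `&` binds tighter, but `if ((data[0] & FUZZ_B_INJECT_INIT_ACK) && (data[0] & FUZZ_B_INJECT_COOKIE_ACK) && (data[0] & FUZZ_B_SEND_DATA)) {` silences -Wparentheses-style warnings and removes the need to recall precedence, here and in the two parallel conditions.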
@@ -449,6 +399,26 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) assert(result == 0); } + // Required: INIT-ACK and COOKIE-ACK + if (data[0] & FUZZ_B_INJECT_INIT_ACK && + data[0] & FUZZ_B_INJECT_COOKIE_ACK && + data[0] & FUZZ_B_INJECT_DATA) { + + if (data[0] & FUZZ_B_I_DATA_SUPPORT) { + fuzzer_printf("Injecting I-DATA\n"); + common_header = (struct sctp_common_header*) fuzz_i_data; + common_header->verification_tag = assoc_vtag; + dump_packet(fuzz_i_data, 232, SCTP_DUMP_INBOUND); + usrsctp_conninput((void *)1, fuzz_i_data, 232, 0); + } else { + fuzzer_printf("Injecting DATA\n"); + common_header = (struct sctp_common_header*) fuzz_data; + common_header->verification_tag = assoc_vtag; + dump_packet(fuzz_data, 228, SCTP_DUMP_INBOUND); + usrsctp_conninput((void *)1, fuzz_data, 228, 0); + } + } + fuzz_packet_buffer = malloc(data_size - 1 + COMMON_HEADER_SIZE); memcpy(fuzz_packet_buffer, fuzz_common_header, COMMON_HEADER_SIZE); // common header memcpy(fuzz_packet_buffer + COMMON_HEADER_SIZE, data + 1, data_size - 1); |
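Review bot: The new injection block chooses the I-DATA chunk on `data[0] & FUZZ_B_I_DATA_SUPPORT`, but the setsockopt calls that negotiate interleaving on that same bit (the @@ -359 hunk) are compiled only under `#if defined(FUZZ_INTERLEAVING)`, while this block is unconditional. With FUZZ_INTERLEAVING defined at the top of the file the two agree; if it is ever commented out, I-DATA is injected into an association that never enabled it, which may be a useful negative case but is not stated anywhere. I would either mirror the `#if defined(FUZZ_INTERLEAVING)` guard around the `if (data[0] & FUZZ_B_I_DATA_SUPPORT)` branch, or add `// I-DATA is only negotiated when FUZZ_INTERLEAVING is defined; otherwise this deliberately injects an un-negotiated chunk` so the coupling is explicit. The `+` empty line directly after the opening brace is also unusual for this file and could go. The enclosing function ends outside this hunk.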