authorFelix Weinrank <weinrank@fh-muenster.de>2020-03-18 00:38:11 +0100
committerGitHub <noreply@github.com>2020-03-18 00:38:11 +0100
commit7b87cd42ea036919a69acf299601469f2aa79b75 (patch)
treee8d3534cde75ec5f9f08839cb54beaa384dda99f /fuzzer/fuzzer_connect.c
parent3212d5413a75d4d039e80874dffd2e44f8087ce4 (diff)
Fuzzer (#446)
Diffstat (limited to 'fuzzer/fuzzer_connect.c')
-rw-r--r--fuzzer/fuzzer_connect.c222
1 files changed, 96 insertions, 126 deletions
diff --git a/fuzzer/fuzzer_connect.c b/fuzzer/fuzzer_connect.c
index 79505db6..be44941d 100644
--- a/fuzzer/fuzzer_connect.c
+++ b/fuzzer/fuzzer_connect.c
@@ -39,9 +39,16 @@
//#define FUZZ_VERBOSE
#define FUZZ_INTERLEAVING
-//#define FUZZ_EXPLICIT_EOR
#define FUZZ_STREAM_RESET
-#define FUZZ_DISABLE_LINGER
+
+#define FUZZ_B_INJECT_INIT_ACK (1 << 0)
+#define FUZZ_B_INJECT_COOKIE_ACK (1 << 1)
+#define FUZZ_B_SEND_DATA (1 << 2)
+#define FUZZ_B_SEND_STREAM_RESET (1 << 3)
+#define FUZZ_B_INJECT_DATA (1 << 4)
+#define FUZZ_B_I_DATA_SUPPORT (1 << 5)
+#define FUZZ_B_RESERVED1 (1 << 6)
+#define FUZZ_B_RESERVED2 (1 << 7)
#define BUFFER_SIZE 4096
#define COMMON_HEADER_SIZE 12
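Review bot: The new FUZZ_B_* bit flags are undocumented: nothing in the hunk says which input byte they are tested against, and FUZZ_B_RESERVED1/FUZZ_B_RESERVED2 are defined but not used anywhere in the visible hunks. Later hunks test the flags against `data[0]` and feed `data + 1` onward as the fuzzed packet, so a short comment above the defines would save the reader that lookup: `/* Bit flags of the first input byte (data[0]): each selects a scripted packet or socket option applied before data[1..] is injected as a packet. RESERVED1/2 are currently unused. */`. Since these are related integer constants, an enum would also give them a debugger-visible type instead of bare macros.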
@@ -70,6 +77,7 @@ dump_packet(const void *buffer, size_t bufferlen, int inout) {
#endif // FUZZ_VERBOSE
}
+
static int
conn_output(void *addr, void *buf, size_t length, uint8_t tos, uint8_t set_df)
{
@@ -176,7 +184,7 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
SCTP_STREAM_CHANGE_EVENT,
SCTP_SEND_FAILED_EVENT
};
- int enable;
+ int optval;
int result;
struct sctp_initmsg initmsg;
#if defined(FUZZ_STREAM_RESET) || defined(FUZZ_INTERLEAVING)
@@ -184,52 +192,41 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
#endif // defined(FUZZ_STREAM_RESET) || defined(FUZZ_INTERLEAVING)
// WITH COMMON HEADER!
- char fuzz_init_ack[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00\x02\x00\x01\xf8" \
- "\xc7\xa1\xb0\x4d\x00\x1c\x71\xc7\x00\x0a\xff\xff\x03\x91\x94\x1b" \
- "\x80\x00\x00\x04\xc0\x00\x00\x04\x80\x08\x00\x09\xc0\x0f\xc1\x80" \
- "\x82\x00\x00\x00\x80\x02\x00\x24\x61\x6c\x7e\x52\x2a\xdb\xe0\xa2" \
- "\xaa\x78\x25\x1e\x12\xc5\x01\x9e\x4c\x60\x16\xdf\x01\x6d\xa1\xd5" \
- "\xcd\xbe\xa7\x5d\xa2\x73\xf4\x1b\x80\x04\x00\x08\x00\x03\x00\x01" \
- "\x80\x03\x00\x07\x00\x80\xc1\x00\x00\x06\x00\x14\x2a\x02\xc6\xa0" \
- "\x40\x15\x00\x11\x00\x00\x00\x00\x00\x00\x00\x83\x00\x05\x00\x08" \
- "\xd4\xc9\x79\x53\x00\x07\x01\x80\x4b\x41\x4d\x45\x2d\x42\x53\x44" \
- "\x20\x31\x2e\x31\x00\x00\x00\x00\x64\x11\x49\x00\x00\x00\x00\x00" \
- "\xac\xde\x0c\x00\x00\x00\x00\x00\x60\xea\x00\x00\x00\x00\x00\x00" \
- "\x00\x00\x00\x00\xb2\xd4\x38\x45\xc7\xa1\xb0\x4d\xd4\xc9\x79\x52" \
+ char fuzz_init_ack[] = "\x13\x89\x13\x88\x49\xa4\xac\xb2\x00\x00\x00\x00\x02\x00\x01\xb4" \
+ "\x2b\xe8\x47\x40\x00\x1c\x71\xc7\xff\xff\xff\xff\xed\x69\x58\xec" \
+ "\xc0\x06\x00\x08\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04" \
+ "\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
+ "\x40\x39\xcf\x32\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6" \
+ "\x2f\xb7\x81\x96\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa" \
+ "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
+ "\x00\x07\x01\x50\x4b\x41\x4d\x45\x2d\x42\x53\x44\x20\x31\x2e\x31" \
+ "\x00\x00\x00\x00\x64\xdb\x63\x00\x00\x00\x00\x00\xc9\x76\x03\x00" \
+ "\x00\x00\x00\x00\x60\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
+ "\xb2\xac\xa4\x49\x2b\xe8\x47\x40\xd4\xc9\x79\x52\x00\x00\x00\x00" \
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\xd4\xc9\x79\x53" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00" \
- "\xd4\xc9\x79\x53\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
- "\x05\x00\x00\x00\x00\x00\x00\x00\xd9\x05\x13\x89\x01\x01\x00\x00" \
- "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x80\x45\x38\xd4\xb2" \
- "\x00\x1c\x71\xc7\x00\x01\xff\xff\xac\x40\x9b\x94\x80\x00\x00\x04" \
- "\xc0\x00\x00\x04\x80\x08\x00\x09\xc0\x0f\xc1\x80\x82\x00\x00\x00" \
- "\x80\x02\x00\x24\xc8\x24\x46\x8c\x7e\x88\x2e\xb7\x88\x8b\xdd\xa1" \
- "\x55\x8b\xb4\xc0\x26\xe3\x21\xbb\xb0\x66\xfd\xb2\xd4\xde\xf9\x77" \
- "\x4f\xe4\x7c\xbf\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x07" \
- "\x00\x80\xc1\x00\x00\x0c\x00\x08\x00\x05\x00\x06\x00\x06\x00\x14" \
- "\x2a\x02\xc6\xa0\x40\x15\x00\x11\x00\x00\x00\x00\x00\x00\x00\x82" \
- "\x00\x05\x00\x08\xd4\xc9\x79\x52\x02\x00\x01\xf8\xc7\xa1\xb0\x4d" \
- "\x00\x1c\x71\xc7\x00\x01\xff\xff\x03\x91\x94\x1b\x80\x00\x00\x04" \
- "\xc0\x00\x00\x04\x80\x08\x00\x09\xc0\x0f\xc1\x80\x82\x00\x00\x00" \
- "\x80\x02\x00\x24\x61\x6c\x7e\x52\x2a\xdb\xe0\xa2\xaa\x78\x25\x1e" \
- "\x12\xc5\x01\x9e\x4c\x60\x16\xdf\x01\x6d\xa1\xd5\xcd\xbe\xa7\x5d" \
- "\xa2\x73\xf4\x1b\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x07" \
- "\x00\x80\xc1\x00\x00\x06\x00\x14\x2a\x02\xc6\xa0\x40\x15\x00\x11" \
- "\x00\x00\x00\x00\x00\x00\x00\x83\x00\x05\x00\x08\xd4\xc9\x79\x53" \
- "\x64\x30\x8a\xb9\x7c\xe5\x93\x69\x52\xa9\xc8\xd5\xa1\x1b\x7d\xef" \
- "\xea\xfa\x23\x32";
+ "\x00\x00\x00\x00\x5a\x76\x13\x89\x01\x00\x00\x00\x00\x00\x00\x00" \
+ "\x00\x00\x00\x00\x01\x00\x00\x62\x49\xa4\xac\xb2\x00\x1c\x71\xc7" \
+ "\x00\x01\xff\xff\x82\xe6\xc8\x44\x80\x00\x00\x04\xc0\x00\x00\x04" \
+ "\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
+ "\xb6\xbb\xb5\x7f\xbb\x4b\x0e\xb5\x42\xf6\x75\x18\x4f\x79\x0f\x24" \
+ "\x1c\x44\x0b\xd6\x62\xa9\x84\xe7\x2c\x3c\x7f\xad\x1b\x67\x81\x57" \
+ "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
+ "\x00\x0c\x00\x06\x00\x05\x00\x00\x02\x00\x01\xb4\x2b\xe8\x47\x40" \
+ "\x00\x1c\x71\xc7\x00\x01\xff\xff\xed\x69\x58\xec\xc0\x06\x00\x08" \
+ "\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04\x80\x08\x00\x0b" \
+ "\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24\x40\x39\xcf\x32" \
+ "\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6\x2f\xb7\x81\x96" \
+ "\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa\x80\x04\x00\x08" \
+ "\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00\x81\xe1\x1e\x81" \
+ "\xea\x41\xeb\xf0\x12\xd9\x74\xbe\x13\xfd\x4b\x6c\x5c\xa2\x8f\x00";
// WITH COMMON HEADER!
char fuzz_cookie_ack[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00\x0b\x00\x00\x04";
// WITH COMMON HEADER!
- char fuzz_abort[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00\x06\x00\x00\x08\x00\x0c\x00\x04";
-
- // WITH COMMON HEADER!
- char fuzz_i_data[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00" \
- "\x00\x1b\x04\x42\xa3\x58\x90\xe2\xba\x9e\x8c\xfc\x08\x00\x45\x02" \
- "\x04\x34\x00\x00\x40\x00\x40\x84\x9a\x0b\xd4\xc9\x79\x52\xd4\xc9" \
- "\x79\x53\x65\x75\x13\x89\x11\x97\x93\x37\x26\x6c\xb7\x65\x40\x02" \
- "\x04\x14\x96\xff\xad\xc1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
+ char fuzz_i_data[] = "\x13\x89\x13\x88\x07\x01\x6c\xd3\x00\x00\x00\x00\x40\x03" \
+ "\x00\xdc\x2d\x2b\x46\xd4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x27\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
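Review bot: The replaced fuzz_init_ack and fuzz_i_data byte strings carry no note on how they were captured, so they cannot be regenerated the next time the stack's INIT-ACK parameters or cookie layout change (which is exactly what forced this rewrite). A one-line comment per blob recording the origin would help, e.g. `// INIT-ACK + state cookie captured from a <capture method> run; regenerate when INIT parameters change` with the actual method filled in; the fuzz_data blob added in the following hunk deserves the same. The new fuzz_i_data chunk header starts with type byte 0x40, which is the I-DATA chunk type, and naming that in the comment would make the pairing with FUZZ_B_I_DATA_SUPPORT obvious. These declarations belong to LLVMFuzzerTestOneInput, whose body continues outside the hunk.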
@@ -242,6 +239,11 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
+
+ // WITH COMMON HEADER!
+ char fuzz_data[] = "\x13\x89\x13\x88\x27\xc4\xbf\xdf\x00\x00\x00\x00\x00\x03" \
+ "\x00\xd8\x79\x64\xb7\xc1\x00\x00\x00\x00\x00\x00\x00\x27\x41\x41" \
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
@@ -254,47 +256,8 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
- "\x41\x41";
+ "\x41\x41\x41\x41\x41\x41";
+
char fuzz_common_header[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00";
@@ -326,7 +289,6 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
assert(result == 0);
memset(&event, 0, sizeof(event));
- event.se_assoc_id = SCTP_ALL_ASSOC;
event.se_on = 1;
for (i = 0; i < (sizeof(event_types) / sizeof(uint16_t)); i++) {
event.se_type = event_types[i];
@@ -334,19 +296,13 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
assert(result == 0);
}
- enable = 1;
- result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVRCVINFO, &enable, sizeof(enable));
- assert(result == 0);
-
- enable = 1;
- result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVNXTINFO, &enable, sizeof(enable));
+ optval = 1;
+ result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVRCVINFO, &optval, sizeof(optval));
assert(result == 0);
-#if defined(FUZZ_EXPLICIT_EOR)
- enable = 1;
- result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_EXPLICIT_EOR, &enable, sizeof(enable));
+ optval = 1;
+ result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVNXTINFO, &optval, sizeof(optval));
assert(result == 0);
-#endif // defined(FUZZ_EXPLICIT_EOR)
#if defined(FUZZ_STREAM_RESET)
assoc_val.assoc_id = SCTP_ALL_ASSOC;
@@ -359,14 +315,17 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
#if !defined(SCTP_INTERLEAVING_SUPPORTED)
#define SCTP_INTERLEAVING_SUPPORTED 0x00001206
#endif // !defined(SCTP_INTERLEAVING_SUPPORTED)
- enable = 2;
- result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_FRAGMENT_INTERLEAVE, &enable, sizeof(enable));
- assert(result == 0);
- memset(&assoc_val, 0, sizeof(assoc_val));
- assoc_val.assoc_value = 1;
- result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INTERLEAVING_SUPPORTED, &assoc_val, sizeof(assoc_val));
- assert(result == 0);
+ if (data[0] & FUZZ_B_I_DATA_SUPPORT) {
+ optval = 2;
+ result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_FRAGMENT_INTERLEAVE, &optval, sizeof(optval));
+ assert(result == 0);
+
+ memset(&assoc_val, 0, sizeof(assoc_val));
+ assoc_val.assoc_value = 1;
+ result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INTERLEAVING_SUPPORTED, &assoc_val, sizeof(assoc_val));
+ assert(result == 0);
+ }
#endif // defined(FUZZ_INTERLEAVING)
memset((void *)&bind6, 0, sizeof(struct sockaddr_in6));
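Review bot: The new branch `if (data[0] & FUZZ_B_I_DATA_SUPPORT)` reads `data[0]` before any length check visible in this hunk; if LLVMFuzzerTestOneInput has no earlier `if (data_size < 1) { return 0; }` (its start is outside the hunk), an empty input reads one byte past the buffer, and the later `malloc(data_size - 1 + COMMON_HEADER_SIZE)` wraps. The same `data[0]` read occurs in the later hunks testing FUZZ_B_INJECT_INIT_ACK, FUZZ_B_INJECT_COOKIE_ACK, FUZZ_B_SEND_DATA, FUZZ_B_SEND_STREAM_RESET and FUZZ_B_INJECT_DATA. If the guard does exist, a comment next to this first use, `// data_size >= 1 checked at function entry`, would make that visible to a reader of this block.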
@@ -380,6 +339,11 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
result = usrsctp_bind(socket_client, (struct sockaddr *)&bind6, sizeof(bind6));
assert(result == 0);
+ // Disable Nagle.
+ optval = 1;
+ result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_NODELAY, &optval, sizeof(optval));
+ assert(result == 0);
+
usrsctp_set_upcall(socket_client, handle_upcall, NULL);
memset(&sconn, 0, sizeof(struct sockaddr_conn));
@@ -394,17 +358,17 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
result = usrsctp_connect(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn));
assert(result == 0 || errno == EINPROGRESS);
- if (data[0] & (1 << 0)) {
+ if (data[0] & FUZZ_B_INJECT_INIT_ACK) {
fuzzer_printf("Injecting INIT-ACK\n");
common_header = (struct sctp_common_header*) fuzz_init_ack;
common_header->verification_tag = assoc_vtag;
- dump_packet(fuzz_init_ack, 516, SCTP_DUMP_INBOUND);
- usrsctp_conninput((void *)1, fuzz_init_ack, 516, 0);
+ dump_packet(fuzz_init_ack, 448, SCTP_DUMP_INBOUND);
+ usrsctp_conninput((void *)1, fuzz_init_ack, 448, 0);
}
- if (data[0] & (1 << 1)) {
+ if (data[0] & FUZZ_B_INJECT_COOKIE_ACK) {
fuzzer_printf("Injecting COOKIE-ACK\n");
common_header = (struct sctp_common_header*) fuzz_cookie_ack;
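Review bot: The INIT-ACK length is updated by hand from 516 to 448 in both `dump_packet` and `usrsctp_conninput`, while the array literal it must match was rewritten in a separate hunk; the two can silently diverge, and an over-count reads past the array. Since fuzz_init_ack is a char array in the same function, `sizeof(fuzz_init_ack) - 1` expresses the length without counting (the `- 1` drops the string terminator), e.g. `dump_packet(fuzz_init_ack, sizeof(fuzz_init_ack) - 1, SCTP_DUMP_INBOUND);` and the same for the `usrsctp_conninput` call. The same applies to the 232 and 228 literals for fuzz_i_data and fuzz_data in the last hunk, and to the existing 16 for fuzz_cookie_ack.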
@@ -414,32 +378,18 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
usrsctp_conninput((void *)1, fuzz_cookie_ack, 16, 0);
}
- // Required: INIT-ACK and COOKIE-ACK
- if (data[0] & (1 << 0) &&
- data[0] & (1 << 1) &&
- data[0] & (1 << 2)) {
+ if (data[0] & FUZZ_B_INJECT_INIT_ACK &&
+ data[0] & FUZZ_B_INJECT_COOKIE_ACK &&
+ data[0] & FUZZ_B_SEND_DATA) {
const char *sendbuffer = "Geologie ist keine richtige Wissenschaft!";
fuzzer_printf("Calling usrsctp_sendv()\n");
usrsctp_sendv(socket_client, sendbuffer, strlen(sendbuffer), NULL, 0, NULL, 0, SCTP_SENDV_NOINFO, 0);
}
// Required: INIT-ACK and COOKIE-ACK
- if (data[0] & (1 << 0) &&
- data[0] & (1 << 1) &&
- data[0] & (1 << 3)) {
- fuzzer_printf("Injecting I-DATA\n");
-
- common_header = (struct sctp_common_header*) fuzz_i_data;
- common_header->verification_tag = assoc_vtag;
-
- dump_packet(fuzz_i_data, 1102, SCTP_DUMP_INBOUND);
- usrsctp_conninput((void *)1, fuzz_i_data, 1102, 0);
- }
-
- // Required: INIT-ACK and COOKIE-ACK
- if (data[0] & (1 << 0) &&
- data[0] & (1 << 1) &&
- data[0] & (1 << 4)) {
+ if (data[0] & FUZZ_B_INJECT_INIT_ACK &&
+ data[0] & FUZZ_B_INJECT_COOKIE_ACK &&
+ data[0] & FUZZ_B_SEND_STREAM_RESET) {
fuzzer_printf("Sending Stream Reset for all streams\n");
struct sctp_reset_streams srs;
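Review bot: The `// Required: INIT-ACK and COOKIE-ACK` comment that preceded the FUZZ_B_SEND_DATA block was dropped, while the stream-reset block here and the inject-DATA block in the next hunk keep theirs, so the three sibling blocks are now inconsistently documented. Either restore it above `if (data[0] & FUZZ_B_INJECT_INIT_ACK &&` or state the precondition once ahead of the first block: `// The following blocks need an established association, i.e. both INIT-ACK and COOKIE-ACK injected.`. The return value of usrsctp_sendv is still ignored; if that is intentional for the harness, a `(void)` cast would say so.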
@@ -449,6 +399,26 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
assert(result == 0);
}
+ // Required: INIT-ACK and COOKIE-ACK
+ if (data[0] & FUZZ_B_INJECT_INIT_ACK &&
+ data[0] & FUZZ_B_INJECT_COOKIE_ACK &&
+ data[0] & FUZZ_B_INJECT_DATA) {
+
+ if (data[0] & FUZZ_B_I_DATA_SUPPORT) {
+ fuzzer_printf("Injecting I-DATA\n");
+ common_header = (struct sctp_common_header*) fuzz_i_data;
+ common_header->verification_tag = assoc_vtag;
+ dump_packet(fuzz_i_data, 232, SCTP_DUMP_INBOUND);
+ usrsctp_conninput((void *)1, fuzz_i_data, 232, 0);
+ } else {
+ fuzzer_printf("Injecting DATA\n");
+ common_header = (struct sctp_common_header*) fuzz_data;
+ common_header->verification_tag = assoc_vtag;
+ dump_packet(fuzz_data, 228, SCTP_DUMP_INBOUND);
+ usrsctp_conninput((void *)1, fuzz_data, 228, 0);
+ }
+ }
+
fuzz_packet_buffer = malloc(data_size - 1 + COMMON_HEADER_SIZE);
memcpy(fuzz_packet_buffer, fuzz_common_header, COMMON_HEADER_SIZE); // common header
memcpy(fuzz_packet_buffer + COMMON_HEADER_SIZE, data + 1, data_size - 1);
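Review bot: `fuzz_packet_buffer = malloc(data_size - 1 + COMMON_HEADER_SIZE)` is not checked before the two memcpy calls, so an allocation failure becomes a write through NULL instead of a clean exit; add `if (fuzz_packet_buffer == NULL) { return 0; }` after the malloc, or route through whatever cleanup the rest of the function uses for socket_client (the remainder of the function is outside the hunk, so I cannot tell whether the socket is still open here). The new DATA/I-DATA branch also repeats the injection pattern a fourth time (cast to sctp_common_header, set verification_tag, dump_packet, usrsctp_conninput); a small static helper taking the buffer and its length would shrink this block and keep each length next to its buffer.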