diff options
Diffstat (limited to 'fuzzer/fuzzer_listen.c')
-rw-r--r-- | fuzzer/fuzzer_listen.c | 170 |
1 files changed, 170 insertions, 0 deletions
diff --git a/fuzzer/fuzzer_listen.c b/fuzzer/fuzzer_listen.c new file mode 100644 index 00000000..e6e873c0 --- /dev/null +++ b/fuzzer/fuzzer_listen.c @@ -0,0 +1,170 @@ +/* + * Copyright (C) 2017-2019 Felix Weinrank + * + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <usrsctp.h> +#include "../programs/programs_helper.h" + +#define FUZZ_FAST 1 + +#ifdef FUZZ_VERBOSE +#define fuzzer_printf(...) \ + do { \ + fprintf(stderr, "[P]"); \ + debug_printf_runtime(); \ + fprintf(stderr, __VA_ARGS__); \ + } while (0) +#else +#define fuzzer_printf(...) +#endif + +struct sockaddr_conn sconn; +struct socket *s_l; + +static int +conn_output(void *addr, void *buf, size_t length, uint8_t tos, uint8_t set_df) +{ +#if 0 + char *dump_buf; + if ((dump_buf = usrsctp_dumppacket(buf, length, SCTP_DUMP_OUTBOUND)) != NULL) { + fprintf(stderr, "%s", dump_buf); + usrsctp_freedumpbuffer(dump_buf); + } +#endif + return (0); +} + +static void +handle_upcall(struct socket *sock, void *arg, int flgs) +{ + fuzzer_printf("Listening socket established, implement logic!\n"); + exit(EXIT_FAILURE); +} + +int +init_fuzzer(void) { + static uint8_t initialized = 0; + struct sctp_event event; + uint16_t event_types[] = { + SCTP_ASSOC_CHANGE, + SCTP_PEER_ADDR_CHANGE, + SCTP_SEND_FAILED_EVENT, + SCTP_REMOTE_ERROR, + SCTP_SHUTDOWN_EVENT, + SCTP_ADAPTATION_INDICATION, + SCTP_PARTIAL_DELIVERY_EVENT}; + unsigned long i; + +#if defined(FUZZ_FAST) + if (initialized) { + return 0; + } +#endif + +#ifdef FUZZ_VERBOSE + usrsctp_init(0, conn_output, debug_printf_stack); +#else + usrsctp_init(0, conn_output, NULL); +#endif + + usrsctp_enable_crc32c_offload(); + +#ifdef SCTP_DEBUG + usrsctp_sysctl_set_sctp_debug_on(SCTP_DEBUG_ALL); +#endif + usrsctp_register_address((void *)1); + + if ((s_l = usrsctp_socket(AF_CONN, SOCK_STREAM, IPPROTO_SCTP, NULL, NULL, 0, 0)) == NULL) { + perror("usrsctp_socket"); + exit(EXIT_FAILURE); + } + usrsctp_set_non_blocking(s_l, 1); + + /* Bind the server side. */ + memset(&sconn, 0, sizeof(struct sockaddr_conn)); + sconn.sconn_family = AF_CONN; +#ifdef HAVE_SCONN_LEN + sconn.sconn_len = sizeof(struct sockaddr_conn); +#endif + sconn.sconn_port = htons(5001); + sconn.sconn_addr = (void *)1; + if (usrsctp_bind(s_l, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn)) < 0) { + perror("usrsctp_bind"); + exit(EXIT_FAILURE); + } + + memset(&event, 0, sizeof(event)); + event.se_assoc_id = SCTP_FUTURE_ASSOC; + event.se_on = 1; + for (i = 0; i < sizeof(event_types)/sizeof(uint16_t); i++) { + event.se_type = event_types[i]; + if (usrsctp_setsockopt(s_l, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(event)) < 0) { + perror("setsockopt SCTP_EVENT s_l"); + exit(EXIT_FAILURE); + } + } + + /* Make server side passive... */ + if (usrsctp_listen(s_l, 1) < 0) { + perror("usrsctp_listen"); + exit(EXIT_FAILURE); + } + + usrsctp_set_upcall(s_l, handle_upcall, NULL); + + initialized = 1; + + return (0); +} + +int +LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) +{ + init_fuzzer(); + + if (data_size < 8 || data_size > 65535) { + // Skip too small and too large packets + return (0); + } + usrsctp_conninput((void *)1, data, data_size, 0); + +#if !defined(FUZZ_FAST) + usrsctp_close(s_l); + while (usrsctp_finish() != 0) { + //sleep(1); + } +#endif + + return (0); +} + + |