Date: Sat, 17 Jun 2006 11:01:13 GMT From: Clément Lecigne <clem1@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 99414 for review Message-ID: <200606171101.k5HB1Djp030857@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=99414 Change 99414 by clem1@clem1_ipv6vulns on 2006/06/17 11:00:35 Local fuzzer improvement (setsockopt with IPV6_RTHDR). Affected files ... .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/global/funcs.c#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/include/fuzzer.h#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/include/setsockopt.h#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/rand/rand.c#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/setsockopt/main.c#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/setsockopt/setsockopt.c#2 edit Differences ...
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/global/funcs.c#2 (text+ko) ====
@@ -97,6 +97,11 @@
 fprintf(fd, " returned %d\n", d);
 goto end;
 break;
+ case 'S':
+ s = va_arg(ap, char *);
+ fprintf(fd, " returned %s\n", s);
+ goto end;
+ break;
 default:
 break;
 }
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/include/fuzzer.h#2 (text+ko) ====
@@ -38,6 +38,7 @@
 #include <fcntl.h>
 #include <netinet6/ip6.h>
 #include <sys/queue.h>
+#include <arpa/inet.h>
 #include <netinet6/ip6_fw.h>
 #include <netinet/icmp6.h>
 #define PAYLOAD_SIZE_MAX 104096
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/include/setsockopt.h#2 (text+ko) ====
@@ -62,6 +62,7 @@
 void ssf_mtu(int);
 void ssf_ipsec(int);
 void ssf_mcast(int);
+void ssf_rthdr(int);
 void ssf_others(int);
 void ssf_pr(int);
 void ssf_icmp6(int);
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/rand/rand.c#2 (text+ko) ====
@@ -48,7 +48,7 @@
 char *randipv6(void){
 char *ip, *p;
 int i;
- p = ip = malloc(16);
+ p = ip = malloc(32);
 if(ip == NULL){
 fprintf(stderr, "randipv6(): malloc failled.\n");
 exit(EXIT_FAILURE);
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/setsockopt/main.c#2 (text+ko) ====
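Review bot: The new `'S'` case in funcs.c hands `s` straight to `%s`, and a null pointer there is undefined behaviour in fprintf(), so a fuzzed call that returns NULL could take down the logger instead of being recorded. Guarding the argument is enough: `fprintf(fd, " returned %s\n", s != NULL ? s : "(null)");`. The `break;` after `goto end;` cannot be reached, here as in the `%d` case above it. The enclosing function starts and ends outside the hunk.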
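Review bot: In rand.c, `malloc(32)` swaps one bare number for another, and the hunk does not show what the rest of randipv6() writes into the buffer. Its result is fed to inet_pton(AF_INET6, …) in setsockopt.c, so it holds a textual address, and a fully expanded one needs 40 bytes with its terminator; if the generator can emit that form, 32 is still short and the overflow would corrupt the fuzzer's own heap. Sizing from the standard constant removes the guess: `p = ip = malloc(INET6_ADDRSTRLEN);`. A header comment on randipv6() should also state that the caller owns and must free the returned string, since the new caller in ssf_rthdr() never does.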
@@ -34,6 +34,7 @@
 int sock;
 unsigned int occ = 40; /* nb operation by socket. */
 printf("ssf - setsockopt() ipv6 fuzzer.\n");
+ srand(randseed());
 while(1){
 sock = getsock();
 ssf_main(sock, occ);
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/setsockopt/setsockopt.c#2 (text+ko) ====
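Review bot: The value returned by randseed() goes into srand() without being recorded, so a run that panics the kernel cannot be replayed with the same sequence of setsockopt() calls. Keeping it in a local and writing it out before the loop starts would fix that, e.g. `unsigned int seed = randseed(); printf("seed: %u\n", seed); srand(seed);`, ideally flushed to the same log fuzzlog() writes so it survives a crash. randseed() is defined outside this diff, so its return type is assumed here. An optional command-line seed would complete the replay path.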
@@ -177,6 +177,73 @@
 }
 
 /*
+ * routing extension header setsockopt fuzzer.
+ */
+void ssf_rthdr(int sock){
+ int on = 1;
+ char payload[PAYLOAD_SIZE_MAX];
+ struct in6_addr v6;
+ struct cmsghdr *cmsg = NULL;
+ struct ip6_rthdr *rthdr;
+ int optlen, optname = IPV6_RTHDR, i, ret, segments;
+ unsigned int optval;
+
+ fuzzlog("setsockopt", "ddddd", sock, IPPROTO_IPV6, IPV6_RECVRTHDR, on, sizeof(int));
+ ret = setsockopt(sock, IPPROTO_IPV6, IPV6_RECVRTHDR, &on, sizeof(int));
+ fuzzlog("", "r", ret);
+
+ switch(rand() % 5){
+ case 0:
+ optlen = rand();
+ optval = (unsigned int)randaddr();
+ break;
+ case 1:
+ optlen = rand() % PAYLOAD_SIZE_MAX;
+ randpayload(payload, optlen);
+ optval = (unsigned int)&payload;
+ break;
+ case 2:
+ case 3:
+ segments = rand() % 127;
+ optlen = CMSG_SPACE(inet6_rth_space(IPV6_RTHDR_TYPE_0, segments));
+ cmsg = malloc(optlen);
+ if(cmsg == NULL)
+ return;
+ cmsg->cmsg_len = CMSG_LEN(rand());
+ cmsg->cmsg_level = IPPROTO_IPV6;
+ cmsg->cmsg_type = IPV6_RTHDR;
+ rthdr = (struct ip6_rthdr *)CMSG_DATA(cmsg);
+ rthdr = inet6_rth_init((void *)rthdr, optlen,
+ IPV6_RTHDR_TYPE_0, segments);
+ if(rthdr == NULL)
+ return;
+ for(i = 0; i < segments; i++){
+ inet_pton(AF_INET6, (char *)randipv6(), &v6);
+ inet6_rth_add(rthdr, &v6);
+ }
+ optlen = (rthdr->ip6r_len + 1) << 3;
+ optval = (unsigned int)&rthdr;
+ break;
+ case 4:
+ cmsg = (struct cmsghdr *)payload;
+ cmsg->cmsg_level = IPPROTO_IPV6;
+ cmsg->cmsg_type = IPV6_RTHDR;
+ cmsg->cmsg_len = CMSG_LEN(rand());
+ randpayload(payload + sizeof(struct cmsghdr), rand());
+ optlen = rand();
+ optval = (unsigned int)&payload;
+ break;
+ default:
+ break;
+ }
+
+ fuzzlog("setsockopt", "dddad", sock, IPPROTO_IPV6, optname, optval, optlen);
+ ret = setsockopt(sock, IPPROTO_IPV6, optname, (void *)optval, optlen);
+ fuzzlog("", "r", ret);
+ return;
+}
+
+/*
 * ipsec related options setsockopt fuzzer.
 */
 void ssf_ipsec(int sock){
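Review bot: In cases 2 and 3, `optval = (unsigned int)&rthdr;` stores the address of the local pointer variable rather than the routing header it points to, so setsockopt() is handed stack bytes and the header built with inet6_rth_init()/inet6_rth_add() is never what the kernel parses; `rthdr` itself looks like the intended value. Holding pointers in `unsigned int optval` also truncates them on LP64 targets, so a pointer-sized type is needed (the `a` handler in fuzzlog(), outside this diff, would have to read the same type). In case 4, `randpayload(payload + sizeof(struct cmsghdr), rand())` asks for up to RAND_MAX bytes in a PAYLOAD_SIZE_MAX buffer; if randpayload() writes that many bytes, as its use in case 1 suggests, the fuzzer corrupts its own stack and a resulting crash says nothing about the kernel. `cmsg` and every randipv6() result are never freed, including on the `rthdr == NULL` return, which adds up because main() calls this from a `while(1)` loop.

```c
void *optval;           /* was unsigned int; must hold a full pointer */
void *heap = NULL;      /* allocation to release after the call */
char *addr;
/* … unchanged: other locals, IPV6_RECVRTHDR setup, cases 0 and 1 (casts adjusted to void *) … */
    case 2:
    case 3:
        /* … unchanged: segments, optlen, malloc() and its NULL check … */
        heap = cmsg;
        /* … unchanged: cmsg fields, inet6_rth_init() … */
        if(rthdr == NULL){
            free(heap);
            return;
        }
        for(i = 0; i < segments; i++){
            addr = randipv6();
            if(inet_pton(AF_INET6, addr, &v6) == 1)
                inet6_rth_add(rthdr, &v6);
            free(addr);
        }
        optlen = (rthdr->ip6r_len + 1) << 3;
        optval = rthdr;     /* the header itself, not the address of the local */
        break;
    case 4:
        /* … unchanged: cmsg fields … */
        randpayload(payload + sizeof(struct cmsghdr),
            rand() % (PAYLOAD_SIZE_MAX - sizeof(struct cmsghdr)));
        optlen = rand();
        optval = payload;
        break;
/* … unchanged: default, fuzzlog() before the call … */
ret = setsockopt(sock, IPPROTO_IPV6, optname, optval, optlen);
fuzzlog("", "r", ret);
free(heap);
return;
```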
@@ -351,14 +418,14 @@ break; case 4: optname = IPV6_JOIN_GROUP; - inet_pton(AF_INET6, randmcast(), &im.ipv6mr_multiaddr); + inet_pton(AF_INET6, (char *)randmcast(), &im.ipv6mr_multiaddr); im.ipv6mr_interface = rand(); optval = (unsigned int)&im; optlen = sizeof(struct ipv6_mreq); break; case 5: optname = IPV6_LEAVE_GROUP; - inet_pton(AF_INET6, randmcast(), &im.ipv6mr_multiaddr); + inet_pton(AF_INET6, (char *)randmcast(), &im.ipv6mr_multiaddr); im.ipv6mr_interface = rand(); optval = (unsigned int)&im; optlen = sizeof(struct ipv6_mreq); @@ -626,7 +693,7 @@ if(!sock) sock = getsock(); for(i = 0; i < occ; i++){ /* XXX: adjust rand() range if you add ssf_ function. */ - switch(rand() % 12){ + switch(rand() % 13){ case 0: ssf_ss(sock); break; @@ -660,6 +727,9 @@ case 11: ssf_ipsec(sock); break; + case 12: + ssf_rthdr(sock); + break; default: ssf_ss(sock); break;
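Review bot: The `(char *)` cast added to both `randmcast()` arguments silences a diagnostic instead of removing its cause. rand.c defines `char *randipv6(void)`, yet ssf_rthdr() in this same change casts that result too, which suggests setsockopt.c sees no prototype for these generators; if so, the return value is treated as `int` and the pointer is truncated on LP64 before the cast is applied. Declaring them in a shared header, e.g. `char *randmcast(void);` (return type to be confirmed against rand.c), lets the casts be dropped. The enclosing switch starts and ends outside the hunk.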
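Review bot: The modulus in `switch(rand() % 13)` and the new `case 12:` in the following hunk have to be edited together by hand, which is exactly what the XXX comment warns about; if one is missed, the new fuzzer either never runs or an out-of-range value silently lands on `default`. A handler table removes the coupling: `static void (*const ssf_tbl[])(int) = { ssf_ss, /* … */ ssf_ipsec, ssf_rthdr };` followed by `ssf_tbl[rand() % (sizeof(ssf_tbl) / sizeof(ssf_tbl[0]))](sock);`. Cases 1 to 10 are outside both hunks, so the full list of entries has to come from the file.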