From owner-p4-projects@FreeBSD.ORG Sat Jun 17 11:01:15 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id E50C016A47A; Sat, 17 Jun 2006 11:01:14 +0000 (UTC) X-Original-To: perforce@FreeBSD.org Delivered-To: perforce@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C3DF816A479 for ; Sat, 17 Jun 2006 11:01:14 +0000 (UTC) (envelope-from clem1@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5290743D46 for ; Sat, 17 Jun 2006 11:01:14 +0000 (GMT) (envelope-from clem1@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k5HB1EDx030860 for ; Sat, 17 Jun 2006 11:01:14 GMT (envelope-from clem1@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k5HB1Djp030857 for perforce@freebsd.org; Sat, 17 Jun 2006 11:01:13 GMT (envelope-from clem1@FreeBSD.org) Date: Sat, 17 Jun 2006 11:01:13 GMT Message-Id: <200606171101.k5HB1Djp030857@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to clem1@FreeBSD.org using -f 
From: Clément Lecigne To: Perforce Change Reviews Cc: Subject: PERFORCE change 99414 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 Jun 2006 11:01:15 -0000 http://perforce.freebsd.org/chv.cgi?CH=99414 Change 99414 by clem1@clem1_ipv6vulns on 2006/06/17 11:00:35 Local fuzzer improvement (setsockopt with IPV6_RTHDR). Affected files ... .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/global/funcs.c#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/include/fuzzer.h#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/include/setsockopt.h#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/rand/rand.c#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/setsockopt/main.c#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/setsockopt/setsockopt.c#2 edit Differences ... ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/global/funcs.c#2 (text+ko) ==== @@ -97,6 +97,11 @@ fprintf(fd, " returned %d\n", d); goto end; break; + case 'S': + s = va_arg(ap, char *); + fprintf(fd, " returned %s\n", s); + goto end; + break; default: break; } ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/include/fuzzer.h#2 (text+ko) ==== @@ -38,6 +38,7 @@ #include #include #include +#include #include #include #define PAYLOAD_SIZE_MAX 104096 ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/include/setsockopt.h#2 (text+ko) ==== @@ -62,6 +62,7 @@ void ssf_mtu(int); void ssf_ipsec(int); void ssf_mcast(int); +void ssf_rthdr(int); void ssf_others(int); void ssf_pr(int); void ssf_icmp6(int); ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/rand/rand.c#2 (text+ko) ==== 
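Review bot: The new `'S'` case in funcs.c hands `s` to `%s` without checking it, and passing a null pointer to `%s` is undefined behaviour in C even though some libcs print "(null)". A logging helper used by a fuzzer should not be the thing that faults, so I would write `fprintf(fd, " returned %s\n", s != NULL ? s : "(null)");`. The enclosing function starts and ends outside the hunk, so which callers pass `'S'` is not visible here. The format letter also deserves a line in the function's header comment, next to the existing ones, stating that it consumes a `char *` argument.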
@@ -48,7 +48,7 @@ char *randipv6(void){ char *ip, *p; int i; - p = ip = malloc(16); + p = ip = malloc(32); if(ip == NULL){ fprintf(stderr, "randipv6(): malloc failled.\n"); exit(EXIT_FAILURE); ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/setsockopt/main.c#2 (text+ko) ==== @@ -34,6 +34,7 @@ int sock; unsigned int occ = 40; /* nb operation by socket. */ printf("ssf - setsockopt() ipv6 fuzzer.\n"); + srand(randseed()); while(1){ sock = getsock(); ssf_main(sock, occ); ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/setsockopt/setsockopt.c#2 (text+ko) ==== 
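Review bot: The new size in `p = ip = malloc(32);` is still a bare number, and 32 bytes cannot hold a fully written-out IPv6 address. Eight four-digit groups, seven colons and the terminator need 40 bytes, and `INET6_ADDRSTRLEN` is the constant intended for this buffer. The rest of randipv6() is outside the hunk, so whether it can emit that many characters has to be checked against the body. If it can, this is a heap overflow inside the fuzzer that will surface as harness crashes rather than kernel findings. I would write `p = ip = malloc(INET6_ADDRSTRLEN);` and bound the writes in the body by the same constant.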
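Review bot: In main.c, `srand(randseed());` discards the seed, so a run that triggers a kernel fault cannot be replayed with the same sequence of setsockopt() calls. I would keep the value and record it before the loop starts, e.g. `seed = randseed(); printf("seed: %u\n", seed); srand(seed);`, assuming randseed() returns something that fits an `unsigned int` (its definition is not in this change). Accepting an optional seed on the command line would make replay possible. main() continues outside the hunk.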
@@ -177,6 +177,73 @@ } /* + * routing extension header setsockopt fuzzer. + */ +void ssf_rthdr(int sock){ + int on = 1; + char payload[PAYLOAD_SIZE_MAX]; + struct in6_addr v6; + struct cmsghdr *cmsg = NULL; + struct ip6_rthdr *rthdr; + int optlen, optname = IPV6_RTHDR, i, ret, segments; + unsigned int optval; + + fuzzlog("setsockopt", "ddddd", sock, IPPROTO_IPV6, IPV6_RECVRTHDR, on, sizeof(int)); + ret = setsockopt(sock, IPPROTO_IPV6, IPV6_RECVRTHDR, &on, sizeof(int)); + fuzzlog("", "r", ret); + + switch(rand() % 5){ + case 0: + optlen = rand(); + optval = (unsigned int)randaddr(); + break; + case 1: + optlen = rand() % PAYLOAD_SIZE_MAX; + randpayload(payload, optlen); + optval = (unsigned int)&payload; + break; + case 2: + case 3: + segments = rand() % 127; + optlen = CMSG_SPACE(inet6_rth_space(IPV6_RTHDR_TYPE_0, segments)); + cmsg = malloc(optlen); + if(cmsg == NULL) + return; + cmsg->cmsg_len = CMSG_LEN(rand()); + cmsg->cmsg_level = IPPROTO_IPV6; + cmsg->cmsg_type = IPV6_RTHDR; + rthdr = (struct ip6_rthdr *)CMSG_DATA(cmsg); + rthdr = inet6_rth_init((void *)rthdr, optlen, + IPV6_RTHDR_TYPE_0, segments); + if(rthdr == NULL) + return; + for(i = 0; i < segments; i++){ + inet_pton(AF_INET6, (char *)randipv6(), &v6); + inet6_rth_add(rthdr, &v6); + } + optlen = (rthdr->ip6r_len + 1) << 3; + optval = (unsigned int)&rthdr; + break; + case 4: + cmsg = (struct cmsghdr *)payload; + cmsg->cmsg_level = IPPROTO_IPV6; + cmsg->cmsg_type = IPV6_RTHDR; + cmsg->cmsg_len = CMSG_LEN(rand()); + randpayload(payload + sizeof(struct cmsghdr), rand()); + optlen = rand(); + optval = (unsigned int)&payload; + break; + default: + break; + } + + fuzzlog("setsockopt", "dddad", sock, IPPROTO_IPV6, optname, optval, optlen); + ret = setsockopt(sock, IPPROTO_IPV6, optname, (void *)optval, optlen); + fuzzlog("", "r", ret); + return; +} + +/* * ipsec related options setsockopt fuzzer. */ void ssf_ipsec(int sock){ 
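Review bot: In case 2/3 of ssf_rthdr(), `optval = (unsigned int)&rthdr;` takes the address of the local pointer variable rather than of the header that inet6_rth_init() and inet6_rth_add() just built, so setsockopt() is handed `optlen` bytes of this function's stack and the well-formed routing header is never submitted; it should be `(unsigned int)rthdr`. Case 4 calls `randpayload(payload + sizeof(struct cmsghdr), rand())`; if randpayload() writes as many bytes as its second argument, as the bounded call in case 1 suggests, this overruns the `PAYLOAD_SIZE_MAX` stack buffer and the harness corrupts itself instead of exercising the kernel. Case 2/3 also never frees `cmsg` (including on the early `return` when inet6_rth_init() fails) or the strings randipv6() appears to allocate, which accumulates in a `while(1)` harness. Separately, storing pointers in `unsigned int optval` truncates them on 64-bit targets; that pattern predates this hunk and is better fixed file-wide with a `void *`.

```c
void ssf_rthdr(int sock){
	/* … unchanged: existing locals … */
	void *heap = NULL;	/* malloc'ed cmsg, released after the call */
	char *ip;

	/* … unchanged: IPV6_RECVRTHDR setup, cases 0 and 1 … */
	case 2:
	case 3:
		/* … unchanged: segments, optlen, malloc() and NULL check … */
		heap = cmsg;
		/* … unchanged: cmsg header fields, inet6_rth_init() call … */
		if(rthdr == NULL){
			free(heap);
			return;
		}
		for(i = 0; i < segments; i++){
			ip = randipv6();
			inet_pton(AF_INET6, ip, &v6);
			free(ip);
			inet6_rth_add(rthdr, &v6);
		}
		optlen = (rthdr->ip6r_len + 1) << 3;
		optval = (unsigned int)rthdr;	/* the header, not the pointer's address */
		break;
	case 4:
		/* … unchanged: cmsg header fields … */
		randpayload(payload + sizeof(struct cmsghdr),
		    rand() % (PAYLOAD_SIZE_MAX - sizeof(struct cmsghdr)));
		/* … unchanged: optlen, optval … */
		break;
	/* … unchanged: default, fuzzlog and setsockopt() calls … */
	free(heap);
	return;
```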
@@ -351,14 +418,14 @@ break; case 4: optname = IPV6_JOIN_GROUP; - inet_pton(AF_INET6, randmcast(), &im.ipv6mr_multiaddr); + inet_pton(AF_INET6, (char *)randmcast(), &im.ipv6mr_multiaddr); im.ipv6mr_interface = rand(); optval = (unsigned int)&im; optlen = sizeof(struct ipv6_mreq); break; case 5: optname = IPV6_LEAVE_GROUP; - inet_pton(AF_INET6, randmcast(), &im.ipv6mr_multiaddr); + inet_pton(AF_INET6, (char *)randmcast(), &im.ipv6mr_multiaddr); im.ipv6mr_interface = rand(); optval = (unsigned int)&im; optlen = sizeof(struct ipv6_mreq); @@ -626,7 +693,7 @@ if(!sock) sock = getsock(); for(i = 0; i < occ; i++){ /* XXX: adjust rand() range if you add ssf_ function. */ - switch(rand() % 12){ + switch(rand() % 13){ case 0: ssf_ss(sock); break; @@ -660,6 +727,9 @@ case 11: ssf_ipsec(sock); break; + case 12: + ssf_rthdr(sock); + break; default: ssf_ss(sock); break;
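Review bot: The `(char *)` cast added to both `randmcast()` calls (IPV6_JOIN_GROUP and IPV6_LEAVE_GROUP) looks like it silences a return-type warning rather than fixing its cause. If no prototype for randmcast() is in scope, the call is implicitly declared as returning `int`, and on an LP64 target the pointer is truncated before the cast is applied; this is inferred, since the declaration is not part of the change. Declaring the function with its real return type in include/fuzzer.h, e.g. `char *randmcast(void);`, and dropping the casts would let the compiler check the call. If randmcast() allocates its result the way randipv6() appears to, the string is also leaked on every pass through these cases. The enclosing function starts and ends outside the hunk.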
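Review bot: The dispatcher still depends on `rand() % 13` being kept in step by hand with the number of `case` labels, as its own XXX comment admits, and this change had to touch both the modulus hunk and the `case 12:` hunk to stay consistent. A mismatch is silent: too small a modulus means a new ssf_ function is never selected, too large a modulus skews the distribution toward the `default: ssf_ss(sock)` branch. A table removes the coupling, e.g. `static void (*const ssf_funcs[])(int) = { ssf_ss, /* … */ ssf_ipsec, ssf_rthdr };` followed by `ssf_funcs[rand() % (sizeof(ssf_funcs) / sizeof(ssf_funcs[0]))](sock);`. The loop and the rest of the switch lie outside these hunks.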