From owner-p4-projects@FreeBSD.ORG Mon Jul 3 12:34:34 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id D98ED16A415; Mon, 3 Jul 2006 12:34:33 +0000 (UTC) X-Original-To: perforce@FreeBSD.org Delivered-To: perforce@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B4F2416A407 for ; Mon, 3 Jul 2006 12:34:33 +0000 (UTC) (envelope-from clem1@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6997C43D46 for ; Mon, 3 Jul 2006 12:34:33 +0000 (GMT) (envelope-from clem1@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k63CYXVY079367 for ; Mon, 3 Jul 2006 12:34:33 GMT (envelope-from clem1@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k63CYXJ0079364 for perforce@freebsd.org; Mon, 3 Jul 2006 12:34:33 GMT (envelope-from clem1@FreeBSD.org) Date: Mon, 3 Jul 2006 12:34:33 GMT Message-Id: <200607031234.k63CYXJ0079364@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to clem1@FreeBSD.org using -f 
From: Clément Lecigne To: Perforce Change Reviews Cc: Subject: PERFORCE change 100492 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Jul 2006 12:34:34 -0000 http://perforce.freebsd.org/chv.cgi?CH=100492 Change 100492 by clem1@clem1_ipv6vulns on 2006/07/03 12:34:23 Now we can choose which kind of icmp msg we want. Affected files ... .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/icmpsicng.c#2 edit Differences ... ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/icmpsicng.c#2 (text+ko) ==== @@ -30,7 +30,7 @@ u_short *payload = NULL; u_int payload_s = 0; - struct icmp *icmp = NULL; + struct libnet_icmpv6_hdr *icmp = NULL; /* libnet variables */ char errbuf[LIBNET_ERRBUF_SIZE]; @@ -51,7 +51,7 @@ /* Functionality Variables */ - int src_ip_rand = 0, dst_ip_rand = 0, dst_ok = 0; + int src_ip_rand = 0, dst_ip_rand = 0, dst_ok = 0, what; struct timeval tv, tv2; float sec; unsigned int cx = 0; 
@@ -66,21 +66,51 @@ float FragPct = 30; float BadIPVer = 10; float ICMPCksm = 10; + float TooBig = 5; + float Redir = 5; + float Echo = 1; + float Unreach = 5; + float MLD = 15; + float ND = 15; + float RT = 15; + float NI = 15; - - /* Not crypto strong randomness but we don't really care. And this * * gives us a way to determine the seed while the program is running * * if we need to repeat the results */ seed = getpid(); - while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:V:F:I:vx:")) != EOF) + while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:V:F:I:T:R:E:U:M:O:N:W:vx:")) != EOF) { switch (c) { case 'i': device = optarg; break; + case 'T': + TooBig = atof(optarg); + break; + case 'R': + Redir = atof(optarg); + break; + case 'E': + Echo = atof(optarg); + break; + case 'U': + Unreach = atof(optarg); + break; + case 'M': + MLD = atof(optarg); + break; + case 'O': + RT = atof(optarg); + break; + case 'N': + ND = atof(optarg); + break; + case 'W': + NI = atof(optarg); + break; case 'h': usage(argv[0]); exit(0); @@ -227,14 +257,24 @@ printf("Bad IP Version\t= %.0f%%\t\t", BadIPVer); printf("Frag header\t= %.0f%%\n", FragPct); + printf("TooBig=%.0f%% Redirect=%.0f%% Echo=%.0f%% Router=%.0f%%\n", TooBig, Redir, Echo, RT); + printf("Unreach=%.0f%% MLD=%.0f%% ND=%.0f%% NI=%.0f%%\n", Unreach, MLD, ND, NI); + printf("Bad ICMP Cksm\t= %.0f%%\n", ICMPCksm); /* Drop them down to floats so we can multiply and not overflow */ BadIPVer /= 100; FragPct /= 100; ICMPCksm /= 100; - + TooBig /= 100; + Redir = Redir / 100 + TooBig; + Echo = Echo / 100 + Redir; + Unreach = Unreach / 100 + Echo; + MLD = MLD / 100 + Unreach; + ND = ND / 100 + MLD; + RT = RT / 100 + ND; + NI = NI / 100 + RT; /************* * Main Loop * @@ -245,6 +285,7 @@ for(acx = 0; acx < num_to_send; acx++) { off = eo; + memset(buf + eo, 0x0, IP_MAXPACKET - eo); hl = rand() & 0xff; flow = rand(); 
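Review bot: The eight new percentage options (`case 'T'` through `case 'W'`) are parsed with `atof(optarg)` and never range-checked, so a typo such as `-T abc` silently becomes 0% and `-T -5` or `-T 500` is accepted and fed into the cumulative thresholds computed later without complaint. Replace the `atof` calls with a small helper built on `strtod` that rejects non-numeric input and values outside 0..100, so each case becomes `TooBig = pct_arg(optarg, 'T');`. The same applies to the existing -V/-F/-I percentage options if they are parsed the same way; the getopt loop and the enclosing main body continue outside the hunk.
```c
/* Parse a percentage option; exits on non-numeric input or a value outside 0..100. */
static float pct_arg(const char *arg, char opt)
{
    char *end;
    double v = strtod(arg, &end);
    if (end == arg || *end != '\0' || v < 0 || v > 100) {
        fprintf(stderr, "-%c: expected a percentage 0..100, got '%s'\n", opt, arg);
        exit(1);
    }
    return (float)v;
}
/* … unchanged: getopt loop header … */
case 'T':
    TooBig = pct_arg(optarg, 'T');
    break;
/* … same pattern for 'R', 'E', 'U', 'M', 'O', 'N', 'W' … */
```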
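Review bot: After the cumulative thresholds are built (`Redir = Redir / 100 + TooBig;` down to `NI = NI / 100 + RT;`) nothing checks that `NI`, the final cumulative value, is at most 1.0; when the eight percentages total more than 100 the later message kinds are never selected and the random-type fallback in the main loop silently disappears, which contradicts the percentages just printed. Add a guard directly after the last assignment, e.g. `if (NI > 1.0f) { fprintf(stderr, "ICMP type percentages exceed 100%%\n"); exit(1); }`. A one-line comment above the block, `/* convert to cumulative probabilities in [0,1]; the remainder selects a random type */`, would also make the chained additions self-explanatory. The enclosing main body continues outside the hunk.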
@@ -289,14 +330,113 @@ off += 8; } - icmp = (struct icmp *)(buf + off); + icmp = (struct libnet_icmpv6_hdr *)(buf + off); - icmp->icmp_type = rand() & 0xff; - icmp->icmp_code = rand() & 0xff; - icmp->icmp_cksum = 0; + what = rand(); + if (what <= (RAND_MAX * TooBig)) + { + icmp->icmp_type = 2; + icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff; + icmp->icmp_mtu = rand(); + off += 8; + } + else if (what <= (RAND_MAX * Redir)) + { + icmp->icmp_type = 137; + icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff; + icmp->icmp_unused = (rand() % 2) ? 0 : rand(); + for (c = 0; c < 16; c++) + { + if (c < 8) + icmp->icmp_target1[c] = rand() & 0xff; + else + icmp->icmp_target2[c] = rand() & 0xff; + } + icmp->icmp_dst = randipv6(); + off += 36; + + } + else if (what <= (RAND_MAX * Echo)) + { + icmp->icmp_type = 128 + rand() % 2; + icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff; + icmp->icmp_unused = rand(); /* seq + id */ + off += 8; + } + else if (what <= (RAND_MAX * Unreach)) + { + icmp->icmp_type = 1; + icmp->icmp_code = (rand() % 2) ? rand() % 5 : rand() & 0xff; + icmp->icmp_unused = (rand() % 2) ? 0 : rand(); + off += 8; + } + else if (what <= (RAND_MAX * MLD)) + { + icmp->icmp_type = 130 + rand() % 3; + icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff; + icmp->icmp_maxdelay = rand() & 0xff; + icmp->icmp_reserved2 = (rand() % 2) ? 0 : rand() & 0xffff; + for (c = 0; c < 16; c++) + { + if (c < 8) + icmp->icmp_mcast1[c] = rand() & 0xff; + else + icmp->icmp_mcast2[c] = rand() & 0xff; + } + off += 24; + } + else if (what <= (RAND_MAX * ND)) + { + icmp->icmp_type = 135 + rand() % 2; + icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff; + icmp->icmp_unused = (rand() % 2) ? 0 : rand(); + for (c = 0; c < 16; c++) + { + if (c < 8) + icmp->icmp_target1[c] = rand() & 0xff; + else + icmp->icmp_target2[c] = rand() & 0xff; + } + off += 24; + } + else if (what <= (RAND_MAX * RT)) + { + icmp->icmp_type = 133 + rand() % 2; + icmp->icmp_code = (rand() % 2) ? 
rand() & 0xff : 0; + if (icmp->icmp_type == 133) + { + /* solicitation msg */ + icmp->icmp_unused = (rand() % 2) ? rand() : 0; + off += 8; + } + else + { + /* advertisement msg */ + icmp->icmp_chl = rand() & 0xff; + icmp->icmp_mo = rand() & 0xff; + icmp->icmp_rlf = rand() & 0xffff; + icmp->icmp_rct = rand(); + icmp->icmp_rtt = rand(); + off += 14; + } + } + else if (what <= (RAND_MAX * NI)) + { + icmp->icmp_type = 139 + rand() % 2; + icmp->icmp_code = (rand() % 2) ? rand() & 0xff : rand() % 3; + icmp->icmp_qtype = rand() & 0xffff; + icmp->icmp_flags = rand() & 0xffff; + for (c = 0; c < 8; c++) + icmp->icmp_nonce[c] = rand() & 0xff; + off += 14; + } + else + { + icmp->icmp_type = rand() & 0xff; + icmp->icmp_code = rand() & 0xff; + off += 4; + } - off += 4; - #ifdef LIBNET_BSDISH_OS if ((payload_s - off + 0xe + 40) > payload_s) payload_s = 0; @@ -315,10 +455,9 @@ if (rand() <= (RAND_MAX * ICMPCksm)) - icmp->icmp_cksum = rand() & 0xffff; + icmp->icmp_sum = rand() & 0xffff; else - libnet_do_checksum(l, buf + eo, IPPROTO_ICMP6, payload_s + 4); - + libnet_do_checksum(l, buf + eo, IPPROTO_ICMP6, payload_s + (off - 40 - eo)); if (skip <= acx) { for (cx = 0; cx < repeat; cx++) @@ -355,7 +494,7 @@ - (tv.tv_usec - tv2.tv_usec) / 1000000.0; if ((datapushed / sec) >= max_pushed) usleep(10); /* 10 should give up our timeslice */ - usleep(1000); + usleep(500); } @@ -384,8 +523,11 @@ " [-r seed] [-m ]\n" " [-p ] [-k ] [-x ]\n" "\n" - " Percentage Opts: [-F frags] [-V ]\n" - " [-I ]\n" + " Percentage Opts: [-F frags] [-V Bad IP Version]\n" + " [-I Bad checksum>]\n" + " [-T Toobig] [-R Redirect] [-E Echo]\n" + " [-U Unreach] [-M MLD] [-O Router]\n" + " [-N Neighbor] [-W node info]\n" "\n" " [-v] causes packet info to be printed out -- DEBUGGING\n\n" " ex: -s a:b:c::d -d b:c:d::e -I 100\n"
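Review bot: In the Redirect, MLD and ND branches the 16-iteration loop indexes the second half with `c` itself — `icmp->icmp_target2[c]` and `icmp->icmp_mcast2[c]` for c in 8..15 — so if icmp_target1/icmp_target2 and icmp_mcast1/icmp_mcast2 are two 8-byte halves, as the `c < 8` split suggests, the else branch writes 8 bytes past the second half into whatever follows it in the header struct (the struct is not visible here, so please confirm against the header). The index should be rebased in all three places: `icmp->icmp_target2[c - 8] = rand() & 0xff;` and `icmp->icmp_mcast2[c - 8] = rand() & 0xff;`. The `off` advances also look inconsistent with the fields written: Redirect writes type/code/sum, a 4-byte unused word, a 16-byte target and a 16-byte destination (40 bytes by the RFC 4861 layout) but advances 36, while the Router Advertisement and Node Information branches advance 14 for what the RFC 4861/4620 layouts make 16 bytes of fields, which would skew the checksum length derived from `off` in the next hunk and the payload placement. The enclosing for loop starts before this hunk.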
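Review bot: The new checksum length `payload_s + (off - 40 - eo)` hard-codes the 40-byte IPv6 header; libnet names that constant `LIBNET_IPV6_H`, so `payload_s + (off - LIBNET_IPV6_H - eo)` says what is meant. Note also that when the earlier extension-header path has already added 8 to `off` (the `off += 8; }` context just before the ICMPv6 header is placed appears to be that path), this length counts those bytes as ICMPv6 data, so the "correct" checksum branch covers more than the ICMPv6 message; if that is deliberate fuzzing a comment such as `/* length intentionally includes any extension header bytes */` should say so, otherwise the extension-header length needs subtracting. The enclosing function body continues outside the hunk.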
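Review bot: The new usage line `" [-I Bad checksum>]\n"` keeps a stray `>` from the old angle-bracket placeholder; it should read `" [-I Bad checksum]\n"`. The usage text also does not say that the eight ICMP type percentages are applied cumulatively and must not total more than 100, which the selection logic relies on; a trailing line such as `"      (ICMP type percentages are cumulative and must sum to at most 100)\n"` would document that. The usage function continues outside the hunk.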