Date: Sun, 2 Jul 2006 19:20:38 GMT From: Clément Lecigne <clem1@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 100443 for review Message-ID: <200607021920.k62JKcN9069049@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=100443 Change 100443 by clem1@clem1_ipv6vulns on 2006/07/02 19:20:22 extension headers support for isicng.c Affected files ... .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/isicng.c#2 edit Differences ... ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/isicng.c#2 (text+ko) ==== @@ -37,9 +37,14 @@ struct libnet_in6_addr ip_src, ip_dst; u_int32_t flow; u_int16_t plen; - u_int8_t tc, hl, nh, ver; + u_int8_t tc, hl, nh, ver, *nx, eo; struct libnet_ipv6_frag_hdr *ip6f = NULL; + struct libnet_ipv6_routing_hdr *ip6r = NULL; + struct libnet_ipv6_destopts_hdr *ip6d = NULL; + struct libnet_ipv6_hbhopts_hdr *ip6h = NULL; + struct libnet_ah_hdr *ip6ah = NULL; + struct libnet_esp_hdr *ip6esp = NULL; #ifdef LIBNET_BSDISH_OS char *smac = NULL, *dmac = NULL; @@ -53,14 +58,21 @@ u_long max_pushed = 10240; /* 10MB/sec */ u_long num_to_send = 0xffffffff; /* Send 4billion packets */ u_long skip = 0; /* Skip how many packets */ + u_int off = 0; int printout = 0; /* Debugging */ u_int repeat = 1; /* How many times to send * each packet */ /* Defaults */ float FragPct = 30; + float RthPct = 10; + float DopPct = 10; + float HbhPct = 20; + float EspPct = 10; + float AhPct = 10; float BadIPVer = 10; float IPLength = 20; + int MaxEHdr = 10; /* Not crypto strong randomness but we don't really care. And this * * gives us a way to determine the seed while the program is running * @@ -68,7 +80,7 @@ seed = getpid(); - while((c = getopt(argc, argv, "hd:i:I:s:r:m:k:p:V:F:vx:S:D:")) != EOF) + while((c = getopt(argc, argv, "hd:i:I:s:r:m:k:p:V:F:O:E:M:H:R:A:vx:S:D:")) != EOF) { switch (c) { 
@@ -140,6 +152,24 @@ case 'I': IPLength = atof(optarg); break; + case 'H': + HbhPct = atof(optarg); + break; + case 'O': + DopPct = atof(optarg); + break; + case 'R': + RthPct = atof(optarg); + break; + case 'E': + EspPct = atof(optarg); + break; + case 'A': + AhPct = atof(optarg); + break; + case 'M': + MaxEHdr = atoi(optarg); + break; case 'x': repeat = atoi(optarg); break; @@ -211,6 +241,9 @@ else memcpy(buf + 6, smac, 6); memcpy(buf + 12, "\x86\xdd", 2); + eo = 0xe; +#else /* !BSD */ + eo = 0; /* no ethernet header */ #endif @@ -221,13 +254,23 @@ printf("Bad IP Version\t= %.0f%%\t\t", BadIPVer); printf("Odd IP Header Length\t= %.0f%%\t\t", IPLength); - printf("Frag'd Pcnt\t= %.0f%%\n", FragPct); + printf("Routing hdr\t=%.0f%%\t\t", RthPct); + printf("Destination opts hdr\t=%.0f%%\t\t", DopPct); + printf("Hop by hop hdr\t=%.0f%%\t\t", HbhPct); + printf("Esp hdr\t=%.0f%%\t\t", EspPct); + printf("Ah hdr\t=%.0f%%\t\t", AhPct); + printf("Frag hdr\t= %.0f%%\n", FragPct); /* Drop them down to floats so we can multiply and not overflow */ BadIPVer /= 100; FragPct /= 100; - IPLength /= 100; + RthPct /= 100; + DopPct /= 100; + HbhPct /= 100; + EspPct /= 100; + AhPct /= 100; + IPLength /= 100; @@ -239,6 +282,8 @@ for(acx = 0; acx < num_to_send; acx++) { + off = eo; + hl = rand() & 0xff; nh = rand() & 0xff; flow = rand(); 
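Review bot: The new `case 'M':` stores `atoi(optarg)` in MaxEHdr with no range check, and MaxEHdr is the bound of the loop that later writes extension headers into buf; a negative value silently disables extension headers and a large one is never capped. At minimum keep it non-negative, `MaxEHdr = atoi(optarg); if (MaxEHdr < 0) MaxEHdr = 0;`, and consider capping it against whatever room buf reserves for headers (the allocation is not in this hunk). The -H/-O/-R/-E/-A percentages are taken just as unchecked, but that matches how -F and -V were already parsed, so a strtol-based check would be a separate cleanup. The enclosing switch starts before this hunk.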
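Review bot: The new summary lines in the `@@ -221,13 +254,23 @@` hunk print `\t=%.0f%%` without the space that the kept `Bad IP Version` and `Odd IP Header Length` lines use (`\t= %.0f%%`), so the startup banner is inconsistent. Matching the existing form, e.g. `printf("Routing hdr\t= %.0f%%\t\t", RthPct);`, for the five added printf calls keeps the block aligned.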
@@ -262,47 +307,119 @@ plen = payload_s; /* Build the IP header */ -#ifdef LIBNET_BSDISH_OS - ip6 = (struct libnet_ipv6_hdr *) (buf + 0xe); -#else /* !BSD */ - ip6 = (struct libnet_ipv6_hdr *) buf; -#endif + ip6 = (struct libnet_ipv6_hdr *) (buf + off); + ip6->ip_flags[0] = ver << 4; ip6->ip_flags[1] = ((tc & 0x0F) << 4) | ((flow & 0xF0000) >> 16); ip6->ip_flags[2] = (flow & 0x0FF00 >> 8); ip6->ip_flags[3] = (flow & 0x000FF); ip6->ip_nh = nh; + nx = &ip6->ip_nh; ip6->ip_hl = hl; ip6->ip_len = htons(plen); memcpy(&ip6->ip_src, &ip_src, 16); memcpy(&ip6->ip_dst, &ip_dst, 16); - if (rand() <= (RAND_MAX * FragPct)) - { + off += 40; + + for (c = 0; c < MaxEHdr; c++){ + switch (rand() % 6) + { + case 0: + /* Fragmentation header */ + if (rand() <= (RAND_MAX * FragPct)) + { + ip6f = (struct libnet_ipv6_frag_hdr *)(buf + off); + *nx = 44; + ip6f->ip_nh = rand() & 0xff; + nx = &ip6->ip_nh; + ip6f->ip_reserved = (rand() % 2) ? rand() & 0xff : 0; + ip6f->ip_frag = rand() & 0xffff; + ip6f->ip_id = (rand() % 10) ? rand() : getpid(); + off += 8; + } + break; + case 1: + /* Routing header */ + if (rand() <= (RAND_MAX * RthPct)) + { + ip6r = (struct libnet_ipv6_routing_hdr *)(buf + off); + *nx = 43; + ip6r->ip_nh = rand() & 0xff; + nx = &ip6r->ip_nh; + ip6r->ip_len = rand() & 0xff; + ip6r->ip_rtype = (rand() % 2) ? 
rand() & 0xff : 0; + ip6r->ip_segments = rand() & 0xff; + off += 4; + } + break; + case 2: + /* Destination opts */ + if (rand() <= (RAND_MAX * DopPct)) + { + ip6d = (struct libnet_ipv6_destopts_hdr *)(buf + off); + *nx = 60; + ip6d->ip_nh = rand() & 0xff; + nx = &ip6d->ip_nh; + ip6d->ip_len = rand() & 0xff; + off += 2; + } + break; + case 3: + /* Hop by hop header */ + if (rand() <= (RAND_MAX * HbhPct)) + { + ip6h = (struct libnet_ipv6_hbhopts_hdr *)(buf + off); + *nx = 0; + ip6h->ip_nh = rand() & 0xff; + nx = &ip6h->ip_nh; + ip6h->ip_len = rand() & 0xff; + off += 2; + } + break; + case 4: + /* AH header */ + if (rand() <= (RAND_MAX * AhPct)) + { + ip6ah = (struct libnet_ah_hdr *)(buf + off); + *nx = 51; + ip6ah->ah_nh = rand() & 0xff; + nx = &ip6ah->ah_nh; + ip6ah->ah_len = rand() & 0xff; + ip6ah->ah_res = (rand() % 2) ? 0 : rand() % 0xffff; + ip6ah->ah_spi = rand(); + ip6ah->ah_seq = rand(); + ip6ah->ah_auth = rand(); + off += 16; + } + break; + case 5: + /* ESP header */ + if (rand() <= (RAND_MAX * EspPct)) + { + ip6esp = (struct libnet_esp_hdr *)(buf + off); + *nx = 50; + ip6esp->esp_spi = rand(); + ip6esp->esp_seq = rand(); + ip6esp->esp_iv = rand(); + off += 12; + } + break; + } + } + #ifdef LIBNET_BSDISH_OS - ip6f = (struct libnet_ipv6_frag_hdr *)(buf + 0xe + 0x28); + if ((payload_s - off + 0xe) > payload_s) + payload_s = 0; + else + payload_s -= (off - 0xe); #else /* !BSD */ - ip6f = (struct libnet_ipv6_frag_hdr *)(buf + 0x28); -#endif - ip6->ip_nh = 44; - ip6f->ip_nh = rand() & 0xff; - ip6f->ip_reserved = (rand() % 2) ? rand() & 0xff : 0; - ip6f->ip_frag = rand() & 0xffff; - ip6f->ip_id = (rand() % 10) ? 
rand() : getpid(); -#ifdef LIBNET_BSDISH_OS - payload = (short int *)(buf + 0xe + 0x28 + 0x8); -#else /* !BSD */ - payload = (short int *)(buf + 0x28 + 0x8); -#endif - } + if ((payload_s - off) > payload_s) + payload_s = 0; else - { -#ifdef LIBNET_BSDISH_OS - payload = (short int *)(buf + 0xe + 0x28); -#else /* !BSD */ - payload = (short int *)(buf + 0x28); + payload_s -= off; #endif - } + payload = (short int *)(buf + off); for(cx = 0; cx <= (payload_s >> 1); cx+=1) (u_int16_t) payload[cx] = rand() & 0xffff; @@ -379,8 +496,10 @@ #endif "[-p <pkts to generate>] [-k <skip packets>]\n" " [-x <send packet X times>] [-r <random seed>]\n" - " [-m <max kB/s to generate>]\n" - " Percentage Opts: [-F frags] [-V <Bad IP Version>]\n" + " [-m <max kB/s to generate>] [-M <max ext header>]\n" + " Percentage Opts: [-F <frags>] [-R <routing>] [-H <hopbyhop>]\n" + " [-O <dstopts>] [-E <ipsecesp> [-A <ipsecah> ]\n" + " [-V <Bad IP Version>]\n" " [-I <Random IP Header length>]\n" "notes:\n" " [-v] causes packet info to be printed out -- DEBUGGING\n\n"
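Review bot: In `case 0:` of the new extension-header loop, `nx = &ip6->ip_nh;` points the next-header chain back at the base IPv6 header instead of the fragment header just written, so a later header in the same loop overwrites the 44 stored in ip6->ip_nh while the fragment header's own next-header byte keeps its random value; every other case uses the new header's field, so this should read `nx = &ip6f->ip_nh;`. After `case 5:` nx is deliberately or accidentally left pointing at the previous header, so any header placed after ESP replaces the 50 — if that is not intended fuzz noise, break out of the loop once ESP has been written. Nothing bounds off against the size of buf: with -M user-controlled the loop can advance off by up to 16 bytes per iteration, and the payload loop still writes payload[0] at buf + off even after payload_s has been clamped to 0, so unless buf is allocated with room for MaxEHdr headers (its allocation is outside this hunk) each case needs a check that off plus the header size fits in the buffer before the cast. The enclosing for(acx ...) loop body starts before this hunk.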
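Review bot: The added usage line `" [-O <dstopts>] [-E <ipsecesp> [-A <ipsecah> ]\n"` has unbalanced brackets, which makes -A look like a sub-option of -E; it should read `" [-O <dstopts>] [-E <ipsecesp>] [-A <ipsecah>]\n"`. The usage string continues outside this hunk.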