PERFORCE change 99414 for review
Clément Lecigne
clem1 at FreeBSD.org
Sat Jun 17 11:01:15 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=99414
Change 99414 by clem1 at clem1_ipv6vulns on 2006/06/17 11:00:35
Local fuzzer improvement (setsockopt with IPV6_RTHDR).
Affected files ...
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/global/funcs.c#2 edit
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/include/fuzzer.h#2 edit
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/include/setsockopt.h#2 edit
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/rand/rand.c#2 edit
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/setsockopt/main.c#2 edit
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/setsockopt/setsockopt.c#2 edit
Differences ...
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/global/funcs.c#2 (text+ko) ====
@@ -97,6 +97,11 @@
fprintf(fd, " returned %d\n", d);
goto end;
break;
+ case 'S':
+ s = va_arg(ap, char *);
+ fprintf(fd, " returned %s\n", s);
+ goto end;
+ break;
default:
break;
}
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/include/fuzzer.h#2 (text+ko) ====
@@ -38,6 +38,7 @@
#include <fcntl.h>
#include <netinet6/ip6.h>
#include <sys/queue.h>
+#include <arpa/inet.h>
#include <netinet6/ip6_fw.h>
#include <netinet/icmp6.h>
#define PAYLOAD_SIZE_MAX 104096
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/include/setsockopt.h#2 (text+ko) ====
@@ -62,6 +62,7 @@
void ssf_mtu(int);
void ssf_ipsec(int);
void ssf_mcast(int);
+void ssf_rthdr(int);
void ssf_others(int);
void ssf_pr(int);
void ssf_icmp6(int);
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/rand/rand.c#2 (text+ko) ====
@@ -48,7 +48,7 @@
char *randipv6(void){
char *ip, *p;
int i;
- p = ip = malloc(16);
+ p = ip = malloc(32);
if(ip == NULL){
fprintf(stderr, "randipv6(): malloc failled.\n");
exit(EXIT_FAILURE);
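Review bot: The new size in `malloc(32)` is still a magic number and may remain too small: a fully expanded textual IPv6 address needs 40 bytes including the terminator, and setsockopt.c hands the result to `inet_pton()` as a string. If the rest of randipv6(), which lies outside this hunk, can emit eight four-digit groups, sizing the buffer as `malloc(INET6_ADDRSTRLEN)` would remove the guesswork. The callers visible in this change never free the returned buffer, so a comment stating who owns it would help as well.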
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/setsockopt/main.c#2 (text+ko) ====
@@ -34,6 +34,7 @@
int sock;
unsigned int occ = 40; /* nb operation by socket. */
printf("ssf - setsockopt() ipv6 fuzzer.\n");
+ srand(randseed());
while(1){
sock = getsock();
ssf_main(sock, occ);
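Review bot: The seed passed to `srand()` is not recorded, so a kernel panic or fuzzer crash found during a run cannot be replayed with the same random sequence. Storing and printing it first, e.g. `unsigned int seed = randseed(); printf("seed: %u\n", seed); srand(seed);`, would make runs reproducible. randseed() is defined outside this change, so its return type is assumed here, and main() continues outside the hunk.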
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/local/setsockopt/setsockopt.c#2 (text+ko) ====
@@ -177,6 +177,73 @@
}
/*
+ * routing extension header setsockopt fuzzer.
+ */
+void ssf_rthdr(int sock){
+ int on = 1;
+ char payload[PAYLOAD_SIZE_MAX];
+ struct in6_addr v6;
+ struct cmsghdr *cmsg = NULL;
+ struct ip6_rthdr *rthdr;
+ int optlen, optname = IPV6_RTHDR, i, ret, segments;
+ unsigned int optval;
+
+ fuzzlog("setsockopt", "ddddd", sock, IPPROTO_IPV6, IPV6_RECVRTHDR, on, sizeof(int));
+ ret = setsockopt(sock, IPPROTO_IPV6, IPV6_RECVRTHDR, &on, sizeof(int));
+ fuzzlog("", "r", ret);
+
+ switch(rand() % 5){
+ case 0:
+ optlen = rand();
+ optval = (unsigned int)randaddr();
+ break;
+ case 1:
+ optlen = rand() % PAYLOAD_SIZE_MAX;
+ randpayload(payload, optlen);
+ optval = (unsigned int)&payload;
+ break;
+ case 2:
+ case 3:
+ segments = rand() % 127;
+ optlen = CMSG_SPACE(inet6_rth_space(IPV6_RTHDR_TYPE_0, segments));
+ cmsg = malloc(optlen);
+ if(cmsg == NULL)
+ return;
+ cmsg->cmsg_len = CMSG_LEN(rand());
+ cmsg->cmsg_level = IPPROTO_IPV6;
+ cmsg->cmsg_type = IPV6_RTHDR;
+ rthdr = (struct ip6_rthdr *)CMSG_DATA(cmsg);
+ rthdr = inet6_rth_init((void *)rthdr, optlen,
+ IPV6_RTHDR_TYPE_0, segments);
+ if(rthdr == NULL)
+ return;
+ for(i = 0; i < segments; i++){
+ inet_pton(AF_INET6, (char *)randipv6(), &v6);
+ inet6_rth_add(rthdr, &v6);
+ }
+ optlen = (rthdr->ip6r_len + 1) << 3;
+ optval = (unsigned int)&rthdr;
+ break;
+ case 4:
+ cmsg = (struct cmsghdr *)payload;
+ cmsg->cmsg_level = IPPROTO_IPV6;
+ cmsg->cmsg_type = IPV6_RTHDR;
+ cmsg->cmsg_len = CMSG_LEN(rand());
+ randpayload(payload + sizeof(struct cmsghdr), rand());
+ optlen = rand();
+ optval = (unsigned int)&payload;
+ break;
+ default:
+ break;
+ }
+
+ fuzzlog("setsockopt", "dddad", sock, IPPROTO_IPV6, optname, optval, optlen);
+ ret = setsockopt(sock, IPPROTO_IPV6, optname, (void *)optval, optlen);
+ fuzzlog("", "r", ret);
+ return;
+}
+
+/*
* ipsec related options setsockopt fuzzer.
*/
void ssf_ipsec(int sock){
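Review bot: In case 4 of ssf_rthdr(), `randpayload(payload + sizeof(struct cmsghdr), rand())` is given a length of up to RAND_MAX while `payload` holds only PAYLOAD_SIZE_MAX bytes, so, assuming randpayload() fills the length it is given, the fuzzer overruns its own stack before the option ever reaches the kernel; bound the length as `rand() % (PAYLOAD_SIZE_MAX - sizeof(struct cmsghdr))`. In cases 2 and 3, `optval = (unsigned int)&rthdr;` passes the address of the local pointer rather than the header that was just built, which looks unintended; `optval = (unsigned int)rthdr;` would send the routing header itself. The `cmsg` allocation and every `randipv6()` result are never freed, including on the `rthdr == NULL` return, so a long run leaks steadily. The pointer-to-`unsigned int` casts also truncate addresses on 64-bit targets; carrying the pointer in a `void *` variable avoids that.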
@@ -351,14 +418,14 @@
break;
case 4:
optname = IPV6_JOIN_GROUP;
- inet_pton(AF_INET6, randmcast(), &im.ipv6mr_multiaddr);
+ inet_pton(AF_INET6, (char *)randmcast(), &im.ipv6mr_multiaddr);
im.ipv6mr_interface = rand();
optval = (unsigned int)&im;
optlen = sizeof(struct ipv6_mreq);
break;
case 5:
optname = IPV6_LEAVE_GROUP;
- inet_pton(AF_INET6, randmcast(), &im.ipv6mr_multiaddr);
+ inet_pton(AF_INET6, (char *)randmcast(), &im.ipv6mr_multiaddr);
im.ipv6mr_interface = rand();
optval = (unsigned int)&im;
optlen = sizeof(struct ipv6_mreq);
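Review bot: The added `(char *)` cast on `randmcast()` in both the IPV6_JOIN_GROUP and IPV6_LEAVE_GROUP cases hides a type mismatch rather than fixing it. If the warning came from a missing prototype, the call is still treated as returning int and the pointer can be truncated on 64-bit targets; declaring `char *randmcast(void);` in a shared header would be the durable fix (the definition is not visible here, so that signature is assumed). The `inet_pton()` result is also ignored, so a malformed string leaves `im.ipv6mr_multiaddr` holding whatever it held before. The enclosing function starts and ends outside the hunk.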
@@ -626,7 +693,7 @@
if(!sock) sock = getsock();
for(i = 0; i < occ; i++){
/* XXX: adjust rand() range if you add ssf_ function. */
- switch(rand() % 12){
+ switch(rand() % 13){
case 0:
ssf_ss(sock);
break;
@@ -660,6 +727,9 @@
case 11:
ssf_ipsec(sock);
break;
+ case 12:
+ ssf_rthdr(sock);
+ break;
default:
ssf_ss(sock);
break;