PERFORCE change 100443 for review
Clément Lecigne
clem1 at FreeBSD.org
Sun Jul 2 19:20:39 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=100443
Change 100443 by clem1 at clem1_ipv6vulns on 2006/07/02 19:20:22
extension headers support for isicng.c
Affected files ...
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/isicng.c#2 edit
Differences ...
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/isicng.c#2 (text+ko) ====
@@ -37,9 +37,14 @@
struct libnet_in6_addr ip_src, ip_dst;
u_int32_t flow;
u_int16_t plen;
- u_int8_t tc, hl, nh, ver;
+ u_int8_t tc, hl, nh, ver, *nx, eo;
struct libnet_ipv6_frag_hdr *ip6f = NULL;
+ struct libnet_ipv6_routing_hdr *ip6r = NULL;
+ struct libnet_ipv6_destopts_hdr *ip6d = NULL;
+ struct libnet_ipv6_hbhopts_hdr *ip6h = NULL;
+ struct libnet_ah_hdr *ip6ah = NULL;
+ struct libnet_esp_hdr *ip6esp = NULL;
#ifdef LIBNET_BSDISH_OS
char *smac = NULL, *dmac = NULL;
@@ -53,14 +58,21 @@
u_long max_pushed = 10240; /* 10MB/sec */
u_long num_to_send = 0xffffffff; /* Send 4billion packets */
u_long skip = 0; /* Skip how many packets */
+ u_int off = 0;
int printout = 0; /* Debugging */
u_int repeat = 1; /* How many times to send
* each packet */
/* Defaults */
float FragPct = 30;
+ float RthPct = 10;
+ float DopPct = 10;
+ float HbhPct = 20;
+ float EspPct = 10;
+ float AhPct = 10;
float BadIPVer = 10;
float IPLength = 20;
+ int MaxEHdr = 10;
/* Not crypto strong randomness but we don't really care. And this *
* gives us a way to determine the seed while the program is running *
@@ -68,7 +80,7 @@
seed = getpid();
- while((c = getopt(argc, argv, "hd:i:I:s:r:m:k:p:V:F:vx:S:D:")) != EOF)
+ while((c = getopt(argc, argv, "hd:i:I:s:r:m:k:p:V:F:O:E:M:H:R:A:vx:S:D:")) != EOF)
{
switch (c)
{
@@ -140,6 +152,24 @@
case 'I':
IPLength = atof(optarg);
break;
+ case 'H':
+ HbhPct = atof(optarg);
+ break;
+ case 'O':
+ DopPct = atof(optarg);
+ break;
+ case 'R':
+ RthPct = atof(optarg);
+ break;
+ case 'E':
+ EspPct = atof(optarg);
+ break;
+ case 'A':
+ AhPct = atof(optarg);
+ break;
+ case 'M':
+ MaxEHdr = atoi(optarg);
+ break;
case 'x':
repeat = atoi(optarg);
break;
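Review bot: The `-M` case stores `atoi(optarg)` into MaxEHdr with no range check, so a negative, non-numeric or very large argument is accepted silently. MaxEHdr bounds the loop added later in this change that advances the write offset into `buf`, so it should be clamped at parse time, for example `if (MaxEHdr < 0 || MaxEHdr > EHDR_LIMIT) MaxEHdr = 10;`, where EHDR_LIMIT is a placeholder for a cap derived from buf's size, which is not visible here. The five new percentage options have the same gap: `atof` returns 0 on unparsable input and nothing keeps the value within 0–100. The enclosing switch starts outside the hunk.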
@@ -211,6 +241,9 @@
else
memcpy(buf + 6, smac, 6);
memcpy(buf + 12, "\x86\xdd", 2);
+ eo = 0xe;
+#else /* !BSD */
+ eo = 0; /* no ethernet header */
#endif
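Review bot: `eo = 0xe;` writes the Ethernet header length as a bare literal, and the payload-size adjustment further down in this change still hard-codes `0xe` under its own `#ifdef LIBNET_BSDISH_OS`. Now that `eo` exists, that code could use `payload_s -= (off - eo);` on both platforms and drop the duplicated conditional. A short comment on the declaration, such as `/* eo: link-layer header length preceding the IPv6 header */`, would make the name self-explanatory. The surrounding block begins outside the hunk.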
@@ -221,13 +254,23 @@
printf("Bad IP Version\t= %.0f%%\t\t", BadIPVer);
printf("Odd IP Header Length\t= %.0f%%\t\t", IPLength);
- printf("Frag'd Pcnt\t= %.0f%%\n", FragPct);
+ printf("Routing hdr\t=%.0f%%\t\t", RthPct);
+ printf("Destination opts hdr\t=%.0f%%\t\t", DopPct);
+ printf("Hop by hop hdr\t=%.0f%%\t\t", HbhPct);
+ printf("Esp hdr\t=%.0f%%\t\t", EspPct);
+ printf("Ah hdr\t=%.0f%%\t\t", AhPct);
+ printf("Frag hdr\t= %.0f%%\n", FragPct);
/* Drop them down to floats so we can multiply and not overflow */
BadIPVer /= 100;
FragPct /= 100;
- IPLength /= 100;
+ RthPct /= 100;
+ DopPct /= 100;
+ HbhPct /= 100;
+ EspPct /= 100;
+ AhPct /= 100;
+ IPLength /= 100;
@@ -239,6 +282,8 @@
for(acx = 0; acx < num_to_send; acx++)
{
+ off = eo;
+
hl = rand() & 0xff;
nh = rand() & 0xff;
flow = rand();
@@ -262,47 +307,119 @@
plen = payload_s;
/* Build the IP header */
-#ifdef LIBNET_BSDISH_OS
- ip6 = (struct libnet_ipv6_hdr *) (buf + 0xe);
-#else /* !BSD */
- ip6 = (struct libnet_ipv6_hdr *) buf;
-#endif
+ ip6 = (struct libnet_ipv6_hdr *) (buf + off);
+
ip6->ip_flags[0] = ver << 4;
ip6->ip_flags[1] = ((tc & 0x0F) << 4) | ((flow & 0xF0000) >> 16);
ip6->ip_flags[2] = (flow & 0x0FF00 >> 8);
ip6->ip_flags[3] = (flow & 0x000FF);
ip6->ip_nh = nh;
+ nx = &ip6->ip_nh;
ip6->ip_hl = hl;
ip6->ip_len = htons(plen);
memcpy(&ip6->ip_src, &ip_src, 16);
memcpy(&ip6->ip_dst, &ip_dst, 16);
- if (rand() <= (RAND_MAX * FragPct))
- {
+ off += 40;
+
+ for (c = 0; c < MaxEHdr; c++){
+ switch (rand() % 6)
+ {
+ case 0:
+ /* Fragmentation header */
+ if (rand() <= (RAND_MAX * FragPct))
+ {
+ ip6f = (struct libnet_ipv6_frag_hdr *)(buf + off);
+ *nx = 44;
+ ip6f->ip_nh = rand() & 0xff;
+ nx = &ip6->ip_nh;
+ ip6f->ip_reserved = (rand() % 2) ? rand() & 0xff : 0;
+ ip6f->ip_frag = rand() & 0xffff;
+ ip6f->ip_id = (rand() % 10) ? rand() : getpid();
+ off += 8;
+ }
+ break;
+ case 1:
+ /* Routing header */
+ if (rand() <= (RAND_MAX * RthPct))
+ {
+ ip6r = (struct libnet_ipv6_routing_hdr *)(buf + off);
+ *nx = 43;
+ ip6r->ip_nh = rand() & 0xff;
+ nx = &ip6r->ip_nh;
+ ip6r->ip_len = rand() & 0xff;
+ ip6r->ip_rtype = (rand() % 2) ? rand() & 0xff : 0;
+ ip6r->ip_segments = rand() & 0xff;
+ off += 4;
+ }
+ break;
+ case 2:
+ /* Destination opts */
+ if (rand() <= (RAND_MAX * DopPct))
+ {
+ ip6d = (struct libnet_ipv6_destopts_hdr *)(buf + off);
+ *nx = 60;
+ ip6d->ip_nh = rand() & 0xff;
+ nx = &ip6d->ip_nh;
+ ip6d->ip_len = rand() & 0xff;
+ off += 2;
+ }
+ break;
+ case 3:
+ /* Hop by hop header */
+ if (rand() <= (RAND_MAX * HbhPct))
+ {
+ ip6h = (struct libnet_ipv6_hbhopts_hdr *)(buf + off);
+ *nx = 0;
+ ip6h->ip_nh = rand() & 0xff;
+ nx = &ip6h->ip_nh;
+ ip6h->ip_len = rand() & 0xff;
+ off += 2;
+ }
+ break;
+ case 4:
+ /* AH header */
+ if (rand() <= (RAND_MAX * AhPct))
+ {
+ ip6ah = (struct libnet_ah_hdr *)(buf + off);
+ *nx = 51;
+ ip6ah->ah_nh = rand() & 0xff;
+ nx = &ip6ah->ah_nh;
+ ip6ah->ah_len = rand() & 0xff;
+ ip6ah->ah_res = (rand() % 2) ? 0 : rand() % 0xffff;
+ ip6ah->ah_spi = rand();
+ ip6ah->ah_seq = rand();
+ ip6ah->ah_auth = rand();
+ off += 16;
+ }
+ break;
+ case 5:
+ /* ESP header */
+ if (rand() <= (RAND_MAX * EspPct))
+ {
+ ip6esp = (struct libnet_esp_hdr *)(buf + off);
+ *nx = 50;
+ ip6esp->esp_spi = rand();
+ ip6esp->esp_seq = rand();
+ ip6esp->esp_iv = rand();
+ off += 12;
+ }
+ break;
+ }
+ }
+
#ifdef LIBNET_BSDISH_OS
- ip6f = (struct libnet_ipv6_frag_hdr *)(buf + 0xe + 0x28);
+ if ((payload_s - off + 0xe) > payload_s)
+ payload_s = 0;
+ else
+ payload_s -= (off - 0xe);
#else /* !BSD */
- ip6f = (struct libnet_ipv6_frag_hdr *)(buf + 0x28);
-#endif
- ip6->ip_nh = 44;
- ip6f->ip_nh = rand() & 0xff;
- ip6f->ip_reserved = (rand() % 2) ? rand() & 0xff : 0;
- ip6f->ip_frag = rand() & 0xffff;
- ip6f->ip_id = (rand() % 10) ? rand() : getpid();
-#ifdef LIBNET_BSDISH_OS
- payload = (short int *)(buf + 0xe + 0x28 + 0x8);
-#else /* !BSD */
- payload = (short int *)(buf + 0x28 + 0x8);
-#endif
- }
+ if ((payload_s - off) > payload_s)
+ payload_s = 0;
else
- {
-#ifdef LIBNET_BSDISH_OS
- payload = (short int *)(buf + 0xe + 0x28);
-#else /* !BSD */
- payload = (short int *)(buf + 0x28);
+ payload_s -= off;
#endif
- }
+ payload = (short int *)(buf + off);
for(cx = 0; cx <= (payload_s >> 1); cx+=1)
(u_int16_t) payload[cx] = rand() & 0xffff;
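Review bot: Nothing in the new extension-header loop checks `off` against the size of `buf`: each iteration can advance it by up to 16 bytes and the iteration count comes from the user-supplied MaxEHdr, so the header writes and the payload fill that follows can land past the end of the buffer. A guard at the top of the loop body such as `if (off + 16 > BUF_LEN) break;` would stop that, where BUF_LEN is a placeholder for buf's declared size, which is outside this hunk. Separately, the fragment case sets `nx = &ip6->ip_nh;`, which looks like a copy-paste slip for `nx = &ip6f->ip_nh;`; as written, the next header's type overwrites the base IPv6 header's field instead of the fragment header's. The ESP case leaves `nx` untouched, so the 50 it stores is overwritten by whichever header follows; a comment stating whether that is intended would help. The enclosing function begins and ends outside the hunk.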
@@ -379,8 +496,10 @@
#endif
"[-p <pkts to generate>] [-k <skip packets>]\n"
" [-x <send packet X times>] [-r <random seed>]\n"
- " [-m <max kB/s to generate>]\n"
- " Percentage Opts: [-F frags] [-V <Bad IP Version>]\n"
+ " [-m <max kB/s to generate>] [-M <max ext header>]\n"
+ " Percentage Opts: [-F <frags>] [-R <routing>] [-H <hopbyhop>]\n"
+ " [-O <dstopts>] [-E <ipsecesp> [-A <ipsecah> ]\n"
+ " [-V <Bad IP Version>]\n"
" [-I <Random IP Header length>]\n"
"notes:\n"
" [-v] causes packet info to be printed out -- DEBUGGING\n\n"
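Review bot: The added usage line has an unbalanced bracket: `[-E <ipsecesp> [-A <ipsecah> ]` never closes the `-E` option. It should read `[-O <dstopts>] [-E <ipsecesp>] [-A <ipsecah>]`. The `-M <max ext header>` entry would also be clearer if it said the value is a count of headers per packet. The usage string is part of a call that starts outside the hunk.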