PERFORCE change 100570 for review
Clément Lecigne
clem1 at FreeBSD.org
Tue Jul 4 19:28:00 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=100570
Change 100570 by clem1 at clem1_ipv6vulns on 2006/07/04 19:27:45
Some improvements around icmpsicng.c (mainly for rtadvd and rtsol fuzzing)
Affected files ...
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/ChangeLog#2 edit
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/icmpsicng.c#3 edit
Differences ...
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/ChangeLog#2 (text+ko) ====
@@ -1,8 +1,17 @@
+ISICNG (v0.0.2) 04/07/03, by Clément Lecigne (clem1 at FreeBSD.org)
+
+ o Some new feature added to icmpsicng.c
+ o new parameters related to packet size
+ -z minsize -Z maxsize -K multiple
+ o support of icmp option for neighbor discovery
+ related icmp message.
+ o bug fix around checksum calculation.
+
-ISICNG (v0.1) 06/07/03, by Clément Lecigne (clem1 at FreeBSD.org)
+ISICNG (v0.0.1) 03/07/03, by Clément Lecigne (clem1 at FreeBSD.org)
- - Port of all *sic.c to IPv6
- isicng.c supports IPv6 and extension headers fuzzing.
- tcpsicng.c is used to exercise the `TCPv6 stack'.
- udpsicng.c is used to exercise the `UDPv6 stack'.
- icmpsicng.c is used to exercise the `ICMPv6 stack'.
+ o Port of all *sic.c to IPv6
+ isicng.c supports IPv6 and extension headers fuzzing.
+ tcpsicng.c is used to exercise the `TCPv6 stack'.
+ udpsicng.c is used to exercise the `UDPv6 stack'.
+ icmpsicng.c is used to exercise the `ICMPv6 stack'.
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/icmpsicng.c#3 (text+ko) ====
@@ -26,12 +26,18 @@
main(int argc, char **argv)
{
int c;
+ u_int a;
u_char *buf = NULL;
u_short *payload = NULL;
u_int payload_s = 0;
struct libnet_icmpv6_hdr *icmp = NULL;
+ struct icmp_option_base_header {
+ u_int8_t type;
+ u_int8_t length;
+ } *icmp_opt;
+
/* libnet variables */
char errbuf[LIBNET_ERRBUF_SIZE];
libnet_t *l;
@@ -41,8 +47,8 @@
struct libnet_ipv6_hdr *ip6;
struct libnet_in6_addr ip_src, ip_dst;
u_int32_t flow;
- u_int8_t tc, hl, ver, *nx, eo;
-
+ u_int8_t tc, hl = 0, ver, *nx, eo;
+ u_int32_t maxsize, minsize, multiple;
struct libnet_ipv6_frag_hdr *ip6f = NULL;
#ifdef LIBNET_BSDISH_OS
@@ -74,13 +80,18 @@
float ND = 15;
float RT = 15;
float NI = 15;
+ float IcmpOpt = 0;
+
+ maxsize = 1279;
+ minsize = 128;
+ multiple = 1;
/* Not crypto strong randomness but we don't really care. And this *
* gives us a way to determine the seed while the program is running *
* if we need to repeat the results */
seed = getpid();
- while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:V:F:I:T:R:E:U:M:O:N:W:vx:")) != EOF)
+ while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:H:V:F:I:T:R:E:U:M:O:N:W:P:z:Z:K:vx:")) != EOF)
{
switch (c)
{
@@ -93,6 +104,9 @@
case 'R':
Redir = atof(optarg);
break;
+ case 'P':
+ IcmpOpt = atof(optarg);
+ break;
case 'E':
Echo = atof(optarg);
break;
@@ -111,10 +125,22 @@
case 'W':
NI = atof(optarg);
break;
+ case 'z':
+ minsize = atoi(optarg);
+ break;
+ case 'Z':
+ maxsize = atoi(optarg);
+ break;
+ case 'K':
+ multiple = atoi(optarg);
+ break;
case 'h':
usage(argv[0]);
exit(0);
break;
+ case 'H':
+ hl = atoi(optarg);
+ break;
case 'd':
dst_ok = 1;
if (strncmp(optarg, "rand", sizeof("rand")) == 0)
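Review bot: The new -z/-Z/-K values go straight from atoi() into minsize, maxsize and multiple with no range check, and they feed `rand() % maxsize` and `payload_s % multiple` in the size-selection hunk further down, so `-Z 0` or `-K 0` is a division by zero, and a multiple larger than any reachable size (minsize + maxsize - 1) makes that do/while loop spin forever. Nothing caps minsize + maxsize against the IP_MAXPACKET-sized buf either, so an oversized pair lets the payload fill run past the buffer. After the getopt loop I would add `if (maxsize == 0 || multiple == 0 || minsize + maxsize > IP_MAXPACKET) { usage(argv[0]); exit(1); }`, using strtoul in place of atoi if negative input should be rejected as well. main() starts and ends outside this hunk.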
@@ -242,7 +268,7 @@
if (smac == NULL)
memcpy(buf + 6, libnet_get_hwaddr(l), 6);
else
- memcpy(buf + 6, smac, 6);
+ memcpy(buf + 6, libnet_mac2eth(smac), 6);
memcpy(buf + 12, "\x86\xdd", 2);
eo = 0xe;
#else /* !BSD */
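Review bot: I cannot see the contract of libnet_mac2eth from this hunk; if it can return NULL for an -S string it fails to parse, `memcpy(buf + 6, libnet_mac2eth(smac), 6)` reads through a null pointer. If that is the case, parse once into a local and check it before the copy, e.g. `u_char *mac = libnet_mac2eth(smac); if (mac == NULL) { fprintf(stderr, "bad source mac\n"); exit(1); }`. The surrounding #ifdef block starts and ends outside this hunk.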
@@ -266,7 +292,7 @@
BadIPVer /= 100;
FragPct /= 100;
ICMPCksm /= 100;
-
+ IcmpOpt /= 100;
TooBig /= 100;
Redir = Redir / 100 + TooBig;
Echo = Echo / 100 + Redir;
@@ -287,7 +313,8 @@
off = eo;
memset(buf + eo, 0x0, IP_MAXPACKET - eo);
- hl = rand() & 0xff;
+ if (!hl)
+ hl = rand() & 0xff;
flow = rand();
tc = rand() & 0xff;
@@ -300,7 +327,9 @@
ver = rand() & 0xf;
else ver = 6;
- payload_s = rand() & 0x4ff; /* length of 1279 */
+ do{
+ payload_s = (rand() % maxsize) + minsize; /* length of 1279 */
+ }while (payload_s % multiple);
/* build ipv6 header */
ip6 = (struct libnet_ipv6_hdr *) (buf + off);
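Review bot: The `/* length of 1279 */` comment kept on the new line is stale: `(rand() % maxsize) + minsize` yields minsize .. minsize + maxsize - 1 (128 .. 1406 with the defaults), so -Z is not an upper bound despite its name and the usage text. Either say so in the comment, e.g. `/* minsize <= payload_s < minsize + maxsize, rounded to a multiple */`, or compute `payload_s = minsize + rand() % (maxsize - minsize + 1);` so -Z really is the maximum, which then needs maxsize >= minsize enforced at option parsing. The enclosing loop starts and ends outside this hunk.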
@@ -328,6 +357,7 @@
ip6f->ip_frag = rand() & 0xffff;
ip6f->ip_id = (rand() % 10) ? rand() : getpid();
off += 8;
+ payload_s -= 8;
}
icmp = (struct libnet_icmpv6_hdr *)(buf + off);
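Review bot: `payload_s -= 8;` here, and the matching subtractions added in the following hunks (Too Big, Redirect, Echo, Unreach, MLD, ND, router solicitation/advertisement, node info and the default case), are unsigned subtractions on a u_int32_t with no check that payload_s is still large enough; the old `if ((payload_s - off) > payload_s) payload_s = 0;` guard is deleted in the later payload hunk and nothing replaces it. With the default minsize of 128 the worst case of 8 + 36 bytes fits, but a small -z/-Z pair (a constructed example: `-z 0 -Z 16`) makes payload_s wrap to a huge value and the option and padding loops then write far past buf. Either reject minsize below the largest header total at option parsing, or guard each subtraction, e.g. `payload_s = payload_s > 8 ? payload_s - 8 : 0;`. The enclosing if/else chain starts and ends outside this hunk.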
@@ -339,6 +369,7 @@
icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff;
icmp->icmp_mtu = rand();
off += 8;
+ payload_s -= 8;
}
else if (what <= (RAND_MAX * Redir))
{
@@ -354,6 +385,7 @@
}
icmp->icmp_dst = randipv6();
off += 36;
+ payload_s -= 36;
}
else if (what <= (RAND_MAX * Echo))
@@ -362,6 +394,7 @@
icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff;
icmp->icmp_unused = rand(); /* seq + id */
off += 8;
+ payload_s -= 8;
}
else if (what <= (RAND_MAX * Unreach))
{
@@ -369,6 +402,7 @@
icmp->icmp_code = (rand() % 2) ? rand() % 5 : rand() & 0xff;
icmp->icmp_unused = (rand() % 2) ? 0 : rand();
off += 8;
+ payload_s -= 8;
}
else if (what <= (RAND_MAX * MLD))
{
@@ -384,6 +418,7 @@
icmp->icmp_mcast2[c] = rand() & 0xff;
}
off += 24;
+ payload_s -= 24;
}
else if (what <= (RAND_MAX * ND))
{
@@ -398,6 +433,7 @@
icmp->icmp_target2[c] = rand() & 0xff;
}
off += 24;
+ payload_s -= 24;
}
else if (what <= (RAND_MAX * RT))
{
@@ -408,6 +444,7 @@
/* solicitation msg */
icmp->icmp_unused = (rand() % 2) ? rand() : 0;
off += 8;
+ payload_s -= 8;
}
else
{
@@ -417,7 +454,8 @@
icmp->icmp_rlf = rand() & 0xffff;
icmp->icmp_rct = rand();
icmp->icmp_rtt = rand();
- off += 14;
+ off += 16;
+ payload_s -= 16;
}
}
else if (what <= (RAND_MAX * NI))
@@ -429,30 +467,44 @@
for (c = 0; c < 8; c++)
icmp->icmp_nonce[c] = rand() & 0xff;
off += 14;
+ payload_s -= 14;
}
else
{
icmp->icmp_type = rand() & 0xff;
icmp->icmp_code = rand() & 0xff;
off += 4;
+ payload_s -= 4;
}
-
-#ifdef LIBNET_BSDISH_OS
- if ((payload_s - off + 0xe + 40) > payload_s)
- payload_s = 0;
- else
- payload_s -= (off - 0xe - 40);
-#else /* !BSD */
- if ((payload_s - off) > payload_s)
- payload_s = 0;
- else
- payload_s -= (off - 40);
-#endif
-
- payload = (short int *)(buf + off);
- for(cx = 0; cx <= (payload_s >> 1); cx+=1)
- (u_short) payload[cx] = rand() & 0xffff;
-
+
+ if (rand() <= (RAND_MAX * IcmpOpt))
+ {
+ while (payload_s >= 24)
+ {
+ icmp_opt = (struct icmp_option_base_header *)(buf + off);
+ icmp_opt->type = rand() % 5;
+ icmp_opt->length = (rand() % 2) + 1;
+ off += 2;
+ payload = (short int *)(buf + off);
+ for (a = 0; a < 6; a++)
+ payload[a] = rand() & 0xff;
+ if (icmp_opt->length > 1)
+ {
+ for (; (signed)a < 6 + ((icmp_opt->length - 1) * 8); a++)
+ payload[a] = rand() & 0xff;
+ }
+ off += ((8 * icmp_opt->length) - 2);
+ payload_s -= (8 * icmp_opt->length);
+ }
+ /* padding */
+ payload = (short int *)(buf + off);
+ for (a = 0; a < payload_s; a++)
+ payload[a] = rand() & 0xff;
+ }else{
+ payload = (short int *)(buf + off);
+ for(cx = 0; cx <= (payload_s >> 1); cx+=1)
+ (u_short) payload[cx] = rand() & 0xffff;
+ }
if (rand() <= (RAND_MAX * ICMPCksm))
icmp->icmp_sum = rand() & 0xffff;
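Review bot: `payload` is declared `u_short *` (declarations hunk at the top), so the new option and padding loops that index it with byte counts write twice the intended span: `for (a = 0; a < 6; a++) payload[a] = rand() & 0xff;` covers 12 bytes of an 8-byte option, the length > 1 loop covers 28 bytes of a 16-byte one, and `for (a = 0; a < payload_s; a++)` fills 2 * payload_s bytes from off. The overshoot only stays inside buf because IP_MAXPACKET is far larger than the default sizes, and it is masked by each following write. Index a `u_char *` for the byte-wise loops and collapse the two option-body loops into one sized from the length field, leaving the u_short fill in the else branch as it was. The enclosing loop starts and ends outside this hunk.
```c
    if (rand() <= (RAND_MAX * IcmpOpt))
    {
        u_char *p;
        while (payload_s >= 24)
        {
            icmp_opt = (struct icmp_option_base_header *)(buf + off);
            icmp_opt->type = rand() % 5;
            icmp_opt->length = (rand() % 2) + 1;
            off += 2;
            p = buf + off;
            /* option body is 8 * length bytes minus the 2-byte header */
            for (a = 0; a < (u_int)(8 * icmp_opt->length) - 2; a++)
                p[a] = rand() & 0xff;
            off += ((8 * icmp_opt->length) - 2);
            payload_s -= (8 * icmp_opt->length);
        }
        /* padding, one byte per remaining payload byte */
        p = buf + off;
        for (a = 0; a < payload_s; a++)
            p[a] = rand() & 0xff;
    }else{
        /* … unchanged: u_short fill of the payload … */
    }
```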
@@ -494,7 +546,7 @@
- (tv.tv_usec - tv2.tv_usec) / 1000000.0;
if ((datapushed / sec) >= max_pushed)
usleep(10); /* 10 should give up our timeslice */
- usleep(500);
+ sleep(1);
}
@@ -514,17 +566,19 @@
void usage(u_char *name)
{
fprintf(stderr,
- "usage: %s [-v] [-D] -s <sourceip> -d <destination ip>"
+ "usage: %s [-v] -s <sourceip> -d <destination ip>"
#ifdef LIBNET_BSDISH_OS
- "-i <iface> -D <destination mac>\n [-S <source mac>]"
+ " -i <iface> -D <destination mac>\n [-S <source mac>]"
#else /* !BSD */
"[-i <iface>\n "
#endif
" [-r seed] [-m <max kB/s to generate>]\n"
" [-p <pkts to generate>] [-k <skip packets>] [-x <send packet X times>]\n"
+ " [-z <minsize>] [-Z <maxsize>] [-K <size multiple>]\n"
"\n"
" Percentage Opts: [-F frags] [-V Bad IP Version]\n"
- " [-I Bad checksum>]\n"
+ " [-H hop limit] [-I Bad checksum]\n"
+ " [-P IcmpOpt]\n"
" [-T Toobig] [-R Redirect] [-E Echo]\n"
" [-U Unreach] [-M MLD] [-O Router]\n"
" [-N Neighbor] [-W node info]\n"
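Review bot: `[-H hop limit]` is printed under the "Percentage Opts:" heading although -H takes a fixed hop-limit value (`hl = atoi(optarg)` in the getopt hunk), not a percentage; move it to the first group, e.g. on the line with `[-z <minsize>] [-Z <maxsize>] [-K <size multiple>]`, written as `[-H <hop limit>]`. usage() ends outside this hunk.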