PERFORCE change 100626 for review
Clément Lecigne
clem1 at FreeBSD.org
Wed Jul 5 13:14:04 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=100626
Change 100626 by clem1 at clem1_ipv6vulns on 2006/07/05 13:14:00
Some improvements around icmpsicng and random ipv6 address generation.
Affected files ...
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/ChangeLog#3 edit
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/icmpsicng.c#4 edit
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/isicng.c#4 edit
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/isicng.h#2 edit
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/tcpsicng.c#2 edit
.. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/udpsicng.c#2 edit
Differences ...
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/ChangeLog#3 (text+ko) ====
@@ -1,4 +1,13 @@
-ISICNG (v0.0.2) 04/07/03, by Clément Lecigne (clem1 at FreeBSD.org)
+ISICNG (v0.0.3) 06/07/05, by Clément Lecigne (clem1 at FreeBSD.org)
+
+ o randipv6() improvements
+ o -L number of link local random ipv6 addresses (in percent)
+ o -A number of site local random ipv6 addresses (in percent)
+ o with special icmp6 messages (ie. toobig, unreach) icmpsicng
+ will generate a random ipv6 packet as data... especially for
+ *6_ctlinput() functions fuzzing.
+
+ISICNG (v0.0.2) 06/07/04, by Clément Lecigne (clem1 at FreeBSD.org)
o Some new feature added to icmpsicng.c
o new parameters related to packet size
@@ -8,7 +17,7 @@
o bug fix around checksum calculation.
-ISICNG (v0.0.1) 03/07/03, by Clément Lecigne (clem1 at FreeBSD.org)
+ISICNG (v0.0.1) 06/07/03, by Clément Lecigne (clem1 at FreeBSD.org)
o Port of all *sic.c to IPv6
isicng.c supports IPv6 and extension headers fuzzing.
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/icmpsicng.c#4 (text+ko) ====
@@ -60,6 +60,7 @@
int src_ip_rand = 0, dst_ip_rand = 0, dst_ok = 0, what;
struct timeval tv, tv2;
float sec;
+ unsigned int wwait;
unsigned int cx = 0;
u_long max_pushed = 10240; /* 10MB/sec */
u_long num_to_send = 0xffffffff; /* Send 4billion packets */
@@ -81,23 +82,33 @@
float RT = 15;
float NI = 15;
float IcmpOpt = 0;
+ float Llocal = 10;
+ float Slocal = 5;
maxsize = 1279;
minsize = 128;
multiple = 1;
+ wwait = 500; /* wait microseconds between each write() */
+
/* Not crypto strong randomness but we don't really care. And this *
* gives us a way to determine the seed while the program is running *
* if we need to repeat the results */
seed = getpid();
- while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:H:V:F:I:T:R:E:U:M:O:N:W:P:z:Z:K:vx:")) != EOF)
+ while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:H:V:F:I:T:R:E:U:M:O:N:W:P:z:Z:K:vx:w:L:A:")) != EOF)
{
switch (c)
{
case 'i':
device = optarg;
break;
+ case 'L':
+ Llocal = atof(optarg);
+ break;
+ case 'A':
+ Slocal = atof(optarg);
+ break;
case 'T':
TooBig = atof(optarg);
break;
@@ -134,6 +145,9 @@
case 'K':
multiple = atoi(optarg);
break;
+ case 'w':
+ wwait = atoi(optarg);
+ break;
case 'h':
usage(argv[0]);
exit(0);
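Review bot: `wwait = atoi(optarg);` in the new `case 'w'` stores a signed, unchecked result in an `unsigned int`, so `-w -1` or a non-numeric argument silently becomes a huge or zero delay. The value later goes unchanged to `usleep(wwait)` before each write, and POSIX allows `usleep` to fail with EINVAL for arguments of 1000000 or more. Parsing with `strtoul`, rejecting trailing garbage and bounding the value (for example to 999999) would make the option predictable. The switch statement continues outside this hunk.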
@@ -301,6 +315,8 @@
ND = ND / 100 + MLD;
RT = RT / 100 + ND;
NI = NI / 100 + RT;
+ Llocal /= 100;
+ Slocal = Slocal / 100 + Llocal;
/*************
* Main Loop *
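Review bot: Nothing bounds the two new percentages before `Llocal /= 100;` and `Slocal = Slocal / 100 + Llocal;` turn them into cumulative thresholds. `atof` returns 0 for unparsable text and accepts negatives, and a combination such as `-L 80 -A 50` gives a threshold of 1.3, so every address that is not link-local comes out site-local without any warning. A check ahead of the scaling, e.g. `if (Llocal < 0 || Slocal < 0 || Llocal + Slocal > 100) { usage(argv[0]); exit(EXIT_FAILURE); }`, would catch this. The same two lines are added in isicng.c, tcpsicng.c and udpsicng.c.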
@@ -319,9 +335,9 @@
tc = rand() & 0xff;
if (src_ip_rand == 1)
- ip_src = randipv6();
+ ip_src = randipv6(Llocal, Slocal);
if (dst_ip_rand == 1)
- ip_dst = randipv6();
+ ip_dst = randipv6(Llocal, Slocal);
if (rand() <= (RAND_MAX * BadIPVer))
ver = rand() & 0xf;
@@ -370,6 +386,11 @@
icmp->icmp_mtu = rand();
off += 8;
payload_s -= 8;
+ if(rand() % 5){
+ cx = makepkt(buf + off, ip_dst, ip_src);
+ off += cx;
+ payload_s -= cx;
+ }
}
else if (what <= (RAND_MAX * Redir))
{
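Review bot: The new `makepkt(buf + off, ip_dst, ip_src)` call writes into `buf` without checking that enough room is left. From its definition later in this change, makepkt stores a 40-byte IPv6 header plus up to 20 more bytes, so when `payload_s` is below 60 the write can run past the intended packet and `payload_s -= cx` goes negative (or wraps, if it is unsigned; its declaration is outside the hunk). Guarding the branch, e.g. `if (rand() % 5 && payload_s >= 60) {`, keeps the tool itself memory-safe without changing how many `rand()` calls are consumed. The same unguarded block is added after `off += 36` and after the second `off += 8` further down. The addresses are passed in the opposite order to the prototype, which looks deliberate for an embedded packet but deserves a one-line comment.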
@@ -383,10 +404,14 @@
else
icmp->icmp_target2[c] = rand() & 0xff;
}
- icmp->icmp_dst = randipv6();
+ icmp->icmp_dst = randipv6(Llocal, Slocal);
off += 36;
payload_s -= 36;
-
+ if(rand() % 5){
+ cx = makepkt(buf + off, ip_dst, ip_src);
+ off += cx;
+ payload_s -= cx;
+ }
}
else if (what <= (RAND_MAX * Echo))
{
@@ -403,6 +428,11 @@
icmp->icmp_unused = (rand() % 2) ? 0 : rand();
off += 8;
payload_s -= 8;
+ if(rand() % 5){
+ cx = makepkt(buf + off, ip_dst, ip_src);
+ off += cx;
+ payload_s -= cx;
+ }
}
else if (what <= (RAND_MAX * MLD))
{
@@ -514,6 +544,7 @@
if (skip <= acx) {
for (cx = 0; cx < repeat; cx++)
{
+ usleep(wwait);
#ifdef LIBNET_BSDISH_OS
c = libnet_write_link(l, buf, off + payload_s);
#else /* !BSD */
@@ -546,7 +577,6 @@
- (tv.tv_usec - tv2.tv_usec) / 1000000.0;
if ((datapushed / sec) >= max_pushed)
usleep(10); /* 10 should give up our timeslice */
- sleep(1);
}
@@ -562,7 +592,88 @@
return (0);
}
+u_int32_t makepkt(char *payload, struct libnet_in6_addr ip_src,
+ struct libnet_in6_addr ip_dst)
+{
+ struct libnet_ipv6_hdr *ip6;
+ u_int32_t off = 0;
+
+ ip6 = (struct libnet_ipv6_hdr *)(payload);
+ ip6->ip_flags[0] = 6 << 4;
+ ip6->ip_flags[1] = ((rand() & 0x0F) << 4) | ((rand() & 0xF0000) >> 16);
+ ip6->ip_flags[2] = (rand() & 0x0FF00 >> 8);
+ ip6->ip_flags[3] = (rand() & 0x000FF);
+ ip6->ip_hl = rand() & 0xff;
+ memcpy(&ip6->ip_src, &ip_src, 16);
+ memcpy(&ip6->ip_dst, &ip_dst, 16);
+
+ off += 40;
+
+ switch(rand() % 4)
+ {
+ case 0:
+ {
+ /* tcp header */
+ struct tcphdr *tcp = (struct tcphdr *)(payload + off);
+ ip6->ip_nh = IPPROTO_TCP;
+ ip6->ip_len = LIBNET_TCP_H + rand() % 0xFF;
+
+ tcp->th_off = rand() & 0xf;
+ tcp->th_sport = rand() & 0xffff;
+ tcp->th_dport = rand() & 0xffff;
+ tcp->th_seq = ((rand() & 0xffff) << 8) | (rand() & 0xffff);
+ tcp->th_ack = ((rand() & 0xffff) << 8) | (rand() & 0xffff);
+ tcp->th_x2 = rand() & 0xf; /* 4bit */
+ tcp->th_flags = rand() & 0xff;
+ tcp->th_win = rand() & 0xffff;
+ tcp->th_sum = rand() & 0xffff;
+ tcp->th_urp = rand() & 0xffff;
+
+ off += 20;
+ break;
+ }
+ case 1:
+ {
+ /* udp header */
+ struct udphdr *udp = (struct udphdr *)(payload + off);
+ ip6->ip_nh = IPPROTO_UDP;
+ ip6->ip_len = LIBNET_UDP_H + rand() % 0xff;
+
+ udp->uh_sport = rand() & 0xffff;
+ udp->uh_dport = rand() & 0xffff;
+ udp->uh_ulen = rand() & 0xffff;
+ udp->uh_sum = rand() & 0xffff;
+
+ off += 8;
+ break;
+ }
+ case 2:
+ {
+ /* icmp header */
+ struct libnet_icmpv6_hdr *icmp =
+ (struct libnet_icmpv6_hdr *)(payload + off);
+ ip6->ip_nh = IPPROTO_ICMP6;
+ ip6->ip_len = LIBNET_ICMPV6_H + rand() % 0xff;
+ icmp->icmp_type = rand() & 0xff;
+ icmp->icmp_code = rand() & 0xff;
+ icmp->icmp_sum = rand() & 0xffff;
+ off += 4;
+ break;
+ }
+ case 3:
+ /*
+ * XXX : extension header support
+ */
+ ip6->ip_nh = rand() & 0xff;
+ ip6->ip_len = rand() & 0xffff;
+ break;
+ default:
+ break;
+ }
+ return (off);
+}
+
void usage(u_char *name)
{
fprintf(stderr,
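Review bot: In makepkt, `ip6->ip_flags[2] = (rand() & 0x0FF00 >> 8);` has the parenthesis in the wrong place: `>>` binds tighter than `&`, so it evaluates as `rand() & 0xFF` rather than extracting the second byte. The stored value is still one random byte, but the line reads as something else; `rand() & 0xff` says what it does. The function also has no header comment and takes no length, although it writes between 40 and 60 bytes through `payload`; a comment such as `/* Writes a random IPv6 header plus a TCP/UDP/ICMPv6 stub at payload; caller must guarantee 60 bytes; returns bytes written. */` would state that contract. The `usage` function that follows continues outside the hunk.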
@@ -574,10 +685,11 @@
#endif
" [-r seed] [-m <max kB/s to generate>]\n"
" [-p <pkts to generate>] [-k <skip packets>] [-x <send packet X times>]\n"
- " [-z <minsize>] [-Z <maxsize>] [-K <size multiple>]\n"
+ " [-z <minsize>] [-Z <maxsize>] [-K <size multiple>] [-w <wait time in ms>]\n"
"\n"
" Percentage Opts: [-F frags] [-V Bad IP Version]\n"
" [-H hop limit] [-I Bad checksum]\n"
+ " [-L linklocal addr] [-A sitelocal addr]\n"
" [-P IcmpOpt]\n"
" [-T Toobig] [-R Redirect] [-E Echo]\n"
" [-U Unreach] [-M MLD] [-O Router]\n"
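Review bot: The new usage text `[-w <wait time in ms>]` gives the wrong unit: the value is passed unchanged to `usleep()`, and the initialisation comment in main says microseconds, so the default of 500 is 0.5 ms, not 500 ms. I would change the string to `[-w <wait time in us>]`. The usage string starts and ends outside this hunk.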
@@ -618,7 +730,7 @@
exit(0);
}
-struct libnet_in6_addr randipv6(void)
+struct libnet_in6_addr randipv6(float Llocal, float Slocal)
{
char *ip, *p;
int i;
@@ -629,8 +741,19 @@
exit(EXIT_FAILURE);
}
for(i = 0; i < 8; i++){
+ if (i == 0)
+ {
+ if (rand() <= (RAND_MAX * Llocal))
+ {
+ p += sprintf(p, "fe80:");
+ continue;
+ }else if (rand() <= (RAND_MAX * Slocal)){
+ p += sprintf(p, "fec0:");
+ continue;
+ }
+ }
p += sprintf(p, "%x", rand() % 0xffff);
- if(i != 7) p += sprintf(p, ":");
+ if (i != 7) p += sprintf(p, ":");
}
ip6 = libnet_name2addr6(NULL, ip, 0);
free(ip);
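Review bot: The prefix selection calls `rand()` twice, once in `if (rand() <= (RAND_MAX * Llocal))` and again in the `else if`, while the callers pass `Slocal` as a cumulative threshold (`Slocal / 100 + Llocal`). A cumulative threshold only gives the requested share when both comparisons use the same draw; with the defaults 10 and 5 the site-local share comes out near 13.5% instead of 5%. Drawing once, `int r = rand();` then `if (r <= RAND_MAX * Llocal)` / `else if (r <= RAND_MAX * Slocal)`, fixes it. The identical randipv6 hunks in isicng.c, tcpsicng.c and udpsicng.c need the same change, and since isicng.h already declares the function, a single shared definition would avoid patching four copies. The function begins before and ends after this hunk, so the size of the `ip` buffer that `sprintf` writes into is not visible here.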
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/isicng.c#4 (text+ko) ====
@@ -72,6 +72,8 @@
float AhPct = 10;
float BadIPVer = 10;
float IPLength = 20;
+ float Llocal = 10;
+ float Slocal = 5;
int MaxEHdr = 10;
/* Not crypto strong randomness but we don't really care. And this *
@@ -79,8 +81,7 @@
* if we need to repeat the results */
seed = getpid();
-
- while((c = getopt(argc, argv, "hd:i:I:s:r:m:k:p:V:F:O:E:M:H:R:A:vx:S:D:")) != EOF)
+ while((c = getopt(argc, argv, "hd:i:I:s:r:m:k:p:V:F:O:E:M:H:R:A:vx:S:D:L:Q:")) != EOF)
{
switch (c)
{
@@ -91,6 +92,12 @@
case 'i':
device = optarg;
break;
+ case 'L':
+ Llocal = atof(optarg);
+ break;
+ case 'Q':
+ Slocal = atof(optarg);
+ break;
case 'd':
dst_ok = 1; /* just to pass sanity checks */
if (strncmp(optarg, "rand", sizeof("rand")) == 0)
@@ -271,6 +278,8 @@
EspPct /= 100;
AhPct /= 100;
IPLength /= 100;
+ Llocal /= 100;
+ Slocal = Slocal / 100 + Llocal;
@@ -290,9 +299,9 @@
tc = rand() & 0xff;
if (src_ip_rand == 1)
- ip_src = randipv6();
+ ip_src = randipv6(Llocal, Slocal);
if (dst_ip_rand == 1)
- ip_dst = randipv6();
+ ip_dst = randipv6(Llocal, Slocal);
if (rand() <= (RAND_MAX * BadIPVer))
ver = rand() & 0xffff;
@@ -489,6 +498,7 @@
" [-m <max kB/s to generate>] [-M <max ext header>]\n"
" Percentage Opts: [-F <frags>] [-R <routing>] [-H <hopbyhop>]\n"
" [-O <dstopts>] [-E <ipsecesp> [-A <ipsecah> ]\n"
+ " [-L <linklocal addr>] [-A <sitelocal addr>]\n"
" [-V <Bad IP Version>]\n"
" [-I <Random IP Header length>]\n"
"notes:\n"
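Review bot: The added usage line advertises `[-A <sitelocal addr>]`, but in this file the getopt string gains `L:Q:` and the site-local share is set in `case 'Q'`; `-A` is already listed on the line above for `<ipsecah>`. A user following the help text would change the AH percentage instead of the site-local share. The help text should read `[-L <linklocal addr>] [-Q <sitelocal addr>]`, and the ChangeLog entry, which lists only `-A`, could mention that isicng uses `-Q`. The usage string starts and ends outside this hunk.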
@@ -508,7 +518,7 @@
: (char *) rindex(name, '/') + 1);
}
-struct libnet_in6_addr randipv6(void)
+struct libnet_in6_addr randipv6(float Llocal, float Slocal)
{
char *ip, *p;
int i;
@@ -519,8 +529,19 @@
exit(EXIT_FAILURE);
}
for(i = 0; i < 8; i++){
+ if (i == 0)
+ {
+ if (rand() <= (RAND_MAX * Llocal))
+ {
+ p += sprintf(p, "fe80:");
+ continue;
+ }else if (rand() <= (RAND_MAX * Slocal)){
+ p += sprintf(p, "fec0:");
+ continue;
+ }
+ }
p += sprintf(p, "%x", rand() % 0xffff);
- if(i != 7) p += sprintf(p, ":");
+ if (i != 7) p += sprintf(p, ":");
}
ip6 = libnet_name2addr6(NULL, ip, 0);
free(ip);
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/isicng.h#2 (text+ko) ====
@@ -13,4 +13,5 @@
void usage(u_char *);
void sighandler(int);
-struct libnet_in6_addr randipv6(void);
+struct libnet_in6_addr randipv6(float, float);
+u_int32_t makepkt(char *, struct libnet_in6_addr, struct libnet_in6_addr);
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/tcpsicng.c#2 (text+ko) ====
@@ -71,6 +71,8 @@
float UrgPct = 30;
float TCPOptsPct= 50;
float TCPCksm = 10;
+ float Llocal = 10;
+ float Slocal = 5;
@@ -79,7 +81,7 @@
* if we need to repeat the results */
seed = getpid();
- while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:V:F:u:T:t:vx:")) != EOF)
+ while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:V:F:u:T:t:vx:L:A:")) != EOF)
{
switch (c)
{
@@ -90,6 +92,12 @@
usage(argv[0]);
exit(0);
break;
+ case 'L':
+ Llocal = atof(optarg);
+ break;
+ case 'A':
+ Slocal = atof(optarg);
+ break;
case 'd':
dst_ok = 1;
if ((tmp_port = index(optarg, ',')) != NULL)
@@ -277,6 +285,8 @@
UrgPct /= 100;
TCPOptsPct /= 100;
TCPCksm /= 100;
+ Llocal /= 100;
+ Slocal = Slocal / 100 + Llocal;
@@ -295,9 +305,9 @@
tc = rand() & 0xff;
if (src_ip_rand == 1)
- ip_src = randipv6();
+ ip_src = randipv6(Llocal, Slocal);
if (dst_ip_rand == 1)
- ip_dst = randipv6();
+ ip_dst = randipv6(Llocal, Slocal);
if (rand() <= (RAND_MAX * BadIPVer))
ver = rand() & 0xf;
@@ -452,6 +462,7 @@
" [-p <pkts to generate>] [-k <skip packets>] [-x <send packet X times>]\n"
"\n"
" Percentage Opts: [-F frags] [-V <Bad IP Version>]\n"
+ " [-L <linklocal addr>] [-A <sitelocal addr>]\n"
" [-T <TCP Options>] [-u <urgent data>] [-t <TCP Cksm>]\n"
"\n"
" [-v] causes packet info to be printed out -- DEBUGGING\n\n"
@@ -489,7 +500,7 @@
exit(0);
}
-struct libnet_in6_addr randipv6(void)
+struct libnet_in6_addr randipv6(float Llocal, float Slocal)
{
char *ip, *p;
int i;
@@ -500,8 +511,19 @@
exit(EXIT_FAILURE);
}
for(i = 0; i < 8; i++){
+ if (i == 0)
+ {
+ if (rand() <= (RAND_MAX * Llocal))
+ {
+ p += sprintf(p, "fe80:");
+ continue;
+ }else if (rand() <= (RAND_MAX * Slocal)){
+ p += sprintf(p, "fec0:");
+ continue;
+ }
+ }
p += sprintf(p, "%x", rand() % 0xffff);
- if(i != 7) p += sprintf(p, ":");
+ if (i != 7) p += sprintf(p, ":");
}
ip6 = libnet_name2addr6(NULL, ip, 0);
free(ip);
==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/udpsicng.c#2 (text+ko) ====
@@ -69,6 +69,8 @@
float FragPct = 30;
float BadIPVer = 10;
float UDPCksm = 5;
+ float Llocal = 10;
+ float Slocal = 5;
dst_prt = src_prt = 0;
@@ -77,13 +79,19 @@
* if we need to repeat the results */
seed = getpid();
- while((c = getopt(argc, argv, "hd:s:i:r:m:k:D:S:p:V:F:U:vx:")) != EOF)
+ while((c = getopt(argc, argv, "hd:s:i:r:m:k:D:S:p:V:F:U:A:L:vx:")) != EOF)
{
switch (c)
{
case 'i':
device = optarg;
break;
+ case 'L':
+ Llocal = atof(optarg);
+ break;
+ case 'A':
+ Slocal = atof(optarg);
+ break;
case 'h':
usage(argv[0]);
exit(EXIT_SUCCESS);
@@ -261,6 +269,8 @@
BadIPVer /= 100;
FragPct /= 100;
UDPCksm /= 100;
+ Llocal /= 100;
+ Slocal = Slocal / 100 + Llocal;
/*************
* Main Loop *
@@ -276,9 +286,9 @@
tc = rand() & 0xff;
if (src_ip_rand == 1)
- ip_src = randipv6();
+ ip_src = randipv6(Llocal, Slocal);
if (dst_ip_rand == 1)
- ip_dst = randipv6();
+ ip_dst = randipv6(Llocal, Slocal);
if (rand() <= (RAND_MAX * BadIPVer))
ver = rand() & 0xf;
@@ -416,6 +426,7 @@
" [-p <pkts to generate>] [-k <skip packets>] [-x <send packet X times>]\n"
"\n"
" Percentage Opts: [-F frags] [-V <Bad IP Version>]\n"
+ " [-L linklocal addr] [-A sitelocal addr]\n"
" [-U <UDP Checksum>]\n"
"\n"
" [-v] causes packet info to be printed out -- DEBUGGING\n\n"
@@ -453,7 +464,7 @@
exit(0);
}
-struct libnet_in6_addr randipv6(void)
+struct libnet_in6_addr randipv6(float Llocal, float Slocal)
{
char *ip, *p;
int i;
@@ -464,8 +475,19 @@
exit(EXIT_FAILURE);
}
for(i = 0; i < 8; i++){
+ if (i == 0)
+ {
+ if (rand() <= (RAND_MAX * Llocal))
+ {
+ p += sprintf(p, "fe80:");
+ continue;
+ }else if (rand() <= (RAND_MAX * Slocal)){
+ p += sprintf(p, "fec0:");
+ continue;
+ }
+ }
p += sprintf(p, "%x", rand() % 0xffff);
- if(i != 7) p += sprintf(p, ":");
+ if (i != 7) p += sprintf(p, ":");
}
ip6 = libnet_name2addr6(NULL, ip, 0);
free(ip);