Merge pull request #742 from appneta/Bug_#725_test_suite_bus_error_on…
…_armhf

Bug #725 FORCE_ALIGN on arm
fklassen authored Aug 6, 2022
2 parents 1de1a21 + 1c6ddc7 commit 2ef2c40
Showing 6 changed files with 43 additions and 41 deletions.
2 changes: 1 addition & 1 deletion configure.ac
Expand Up @@ -1717,7 +1717,7 @@ case "$host_os" in
case "$host_cpu" in
# XXX: should also check that they don't do weird things
alpha*|hp*|mips*|sparc*|ia64)
alpha*|arm*|hp*|mips*|sparc*|ia64)
unaligned_cv_fail=yes
;;
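Review bot: The new `arm*` pattern in the `$host_cpu` case forces `unaligned_cv_fail=yes` for 32-bit ARM triplets only; on 64-bit ARM the host CPU is normally reported as `aarch64`, which this glob does not match, so those builds keep the unaligned-access path. If that is intended (AArch64 generally tolerates unaligned ordinary loads, unlike the armhf target #725 was filed against), a one-line comment above the pattern would save the next reader from re-checking, e.g. `# arm* covers 32-bit ARM only; aarch64 is deliberately left on the unaligned path`. The enclosing `case "$host_os"` block starts before this hunk.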
1 change: 1 addition & 0 deletions docs/CHANGELOG
@@ -1,5 +1,6 @@
08/02/2022 Version 4.4.2 Beta 1
- replaying on a loopback interface is broken (#732)
- test suite bus error on armhf (#725)
- format string vulnerability in fix_ipv6_checksums (#723)
- heap-overflow in parse_mpls (#719)
- heap-overflow in get_ipv6_next (#718)
2 changes: 1 addition & 1 deletion src/common/get.c
Expand Up @@ -98,7 +98,7 @@ int parse_mpls(const u_char *pktdata,
uint32_t *l2offset)
{
struct tcpr_mpls_label *mpls_label;
u_char *end_ptr = pktdata + datalen;
const u_char *end_ptr = pktdata + datalen;
u_char first_nibble;
eth_hdr_t *eth_hdr;
bool bos = false;
79 changes: 40 additions & 39 deletions src/tcpedit/fuzzing.c
Expand Up @@ -73,11 +73,11 @@ int
fuzzing(tcpedit_t *tcpedit, struct pcap_pkthdr *pkthdr,
u_char **pktdata)
{
int packet_changed = 0;
int chksum_update_required = 0;
uint32_t r, s;
uint16_t l2proto;
uint8_t l4proto;
u_char *packet, *l3data, *l4data;
u_char *packet, *l3data, *l4data, *end_ptr;
tcpeditdlt_plugin_t *plugin;
int l2len, l4len;
tcpeditdlt_t *ctx;
Expand All @@ -102,6 +102,7 @@ fuzzing(tcpedit_t *tcpedit, struct pcap_pkthdr *pkthdr,
/* initializations */
ctx = tcpedit->dlt_ctx;
packet = *pktdata;
end_ptr = packet + pkthdr->caplen;
plugin = tcpedit->dlt_ctx->encoder;
l2len = plugin->plugin_l2len(ctx, packet, pkthdr->caplen);
l2proto = ntohs(plugin->plugin_proto(ctx, packet, pkthdr->caplen));
Expand All @@ -119,53 +120,53 @@ fuzzing(tcpedit_t *tcpedit, struct pcap_pkthdr *pkthdr,
if (!l3data)
goto done;

l4len = pkthdr->caplen - l2len;
switch (l2proto) {
case (ETHERTYPE_IP):
{
l4data = get_layer4_v4((ipv4_hdr_t*)l3data,
l3data + pkthdr->caplen - l2len);
l4data = get_layer4_v4((ipv4_hdr_t*)(packet + l2len), end_ptr);
if (!l4data)
goto done;

l4len = l4data - packet;
l4proto = ((ipv4_hdr_t *)l3data)->ip_p;
break;
}
case (ETHERTYPE_IP6): {
l4data = get_layer4_v6((ipv6_hdr_t*)l3data,
l3data + pkthdr->caplen - l2len);
l4data = get_layer4_v6((ipv6_hdr_t*)(packet + l2len), end_ptr);
if (!l4data)
goto done;

l4len = l4data - packet;
l4proto = ((ipv6_hdr_t *)l3data)->ip_nh;
break;
}
default:
/* apply fuzzing on unknown packet types */
l4data = l3data;
l4proto = IPPROTO_RAW;
l4len = pkthdr->caplen - l2len;
l4data = packet + l2len;
l4proto = IPPROTO_RAW;

}

/* adjust payload length based on layer 3 protocol */
switch (l4proto) {
case IPPROTO_TCP:
l4len -= sizeof(tcp_hdr_t);
l4data += sizeof(tcp_hdr_t);
break;
case IPPROTO_UDP:
l4len -= sizeof(udp_hdr_t);
l4data += sizeof(udp_hdr_t);
break;
}

if (l4len <= 1)
if (l4len <= 1 || l4data > end_ptr)
goto done;

/* add some additional randomization */
r ^= r >> 16;

s = r % FUZZING_TOTAL_ACTION_NUMBER;

dbgx(3, "packet fuzzed : %d", s);
switch (s) {
case FUZZING_DROP_PACKET:
{
Expand All @@ -174,26 +175,25 @@ fuzzing(tcpedit_t *tcpedit, struct pcap_pkthdr *pkthdr,
/* could not change packet size, so packet left unchanged */
goto done;

packet_changed = 1;
break;
}
case FUZZING_REDUCE_SIZE:
{
/* reduce packet size */
uint32_t new_len = (r % ((l4len) - 1)) + 1;
uint32_t new_len = (r % (l4len - 1)) + 1;
if (fuzz_reduce_packet_size(tcpedit, pkthdr, new_len) < 0)
/* could not change packet size, so packet left unchanged */
goto done;

packet_changed = 1;
chksum_update_required = 1;
break;
}
case FUZZING_CHANGE_START_ZERO:
{
/* fuzz random-size segment at the beginning of the packet with 0x00 */
uint32_t sgt_size = fuzz_get_sgt_size(r, l4len);
memset(l4data, 0x00, sgt_size);
packet_changed = 1;
chksum_update_required = 1;
break;
}
case FUZZING_CHANGE_START_RANDOM:
Expand All @@ -210,7 +210,7 @@ fuzzing(tcpedit_t *tcpedit, struct pcap_pkthdr *pkthdr,
for (i = 0; i < sgt_size; i++)
l4data[i] = l4data[i] ^ (u_char)(r >> 4);

packet_changed = 1;
chksum_update_required = 1;
break;
}
case FUZZING_CHANGE_START_FF:
Expand All @@ -224,67 +224,73 @@ fuzzing(tcpedit_t *tcpedit, struct pcap_pkthdr *pkthdr,
goto done;

memset(l4data, 0xff, sgt_size);
packet_changed = 1;
chksum_update_required = 1;
break;
}
case FUZZING_CHANGE_MID_ZERO:
{
/* fuzz random-size segment inside the packet payload with 0x00 */
if (l4len <= 2)
goto done;

uint32_t offset = ((r >> 16) % (l4len - 1)) + 1;
uint32_t sgt_size = fuzz_get_sgt_size(r, l4len - offset);
if (!sgt_size)
goto done;

memset(l4data + offset, 0x00, sgt_size);
packet_changed = 1;
chksum_update_required = 1;
break;
}
case FUZZING_CHANGE_MID_FF:
{
/* fuzz random-size segment inside the packet payload with 0xff */
if (l4len <= 2)
goto done;

uint32_t offset = ((r >> 16) % (l4len - 1)) + 1;
uint32_t sgt_size = fuzz_get_sgt_size(r, l4len - offset);
if (!sgt_size)
goto done;

memset(l4data + offset, 0xff, sgt_size);
packet_changed = 1;
chksum_update_required = 1;
break;
}
case FUZZING_CHANGE_END_ZERO:
{
/* fuzz random-sized segment at the end of the packet payload with 0x00 */
uint32_t sgt_size = fuzz_get_sgt_size(r, l4len);
if (!sgt_size)
int sgt_size = fuzz_get_sgt_size(r, l4len);
if (!sgt_size || sgt_size > l4len)
goto done;

memset(l4data + l4len - sgt_size, 0x00, sgt_size);
packet_changed = 1;
chksum_update_required = 1;
break;
}
case FUZZING_CHANGE_END_RANDOM:
{
/* fuzz random-sized segment at the end of the packet with random Bytes */
int i;
uint32_t sgt_size = fuzz_get_sgt_size(r, l4len);
if (!sgt_size)
int sgt_size = fuzz_get_sgt_size(r, l4len);
if (!sgt_size || sgt_size > l4len)
goto done;

for (i = (l4len - sgt_size); i < l4len; i++)
l4data[i] = l4data[i] ^ (u_char)(r >> 4);

packet_changed = 1;
chksum_update_required = 1;
break;
}
case FUZZING_CHANGE_END_FF:
{
/* fuzz random-sized segment at the end of the packet with 0xff00 */
uint32_t sgt_size = fuzz_get_sgt_size(r, l4len);
if (!sgt_size)
int sgt_size = fuzz_get_sgt_size(r, l4len);
if (!sgt_size || sgt_size > l4len)
goto done;

memset(l4data + l4len - sgt_size, 0xff, sgt_size);
packet_changed = 1;
chksum_update_required = 1;
break;
}

Expand All @@ -293,27 +299,22 @@ fuzzing(tcpedit_t *tcpedit, struct pcap_pkthdr *pkthdr,
/* fuzz random-size segment inside the packet with random Bytes */
size_t i;
uint32_t offset = ((r >> 16) % (l4len - 1)) + 1;
uint32_t sgt_size = fuzz_get_sgt_size(r, l4len - offset);
if (!sgt_size)
int sgt_size = fuzz_get_sgt_size(r, l4len - offset);
if (!sgt_size || sgt_size > l4len)
goto done;

for (i = offset; i < offset + sgt_size; i++)
l4data[i] = l4data[i] ^ (u_char)(r >> 4);

packet_changed = 1;
chksum_update_required = 1;
break;
}
default:
assert(false);
}

/* in cases where 'l3data' is a working buffer, copy it back to '*pkthdr' */
plugin->plugin_merge_layer3(ctx,
packet,
pkthdr->caplen,
(l2proto == ETHERTYPE_IP) ? l4data : NULL,
(l2proto == ETHERTYPE_IP6) ? l4data : NULL);
dbgx(3, "packet %llu fuzzed : %d", tcpedit->runtime.packetnum, s);

done:
return packet_changed;
return chksum_update_required;
}
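Review bot: The added guard `if (l4len <= 1 || l4data > end_ptr)` bounds only the start of the payload, but in the ETHERTYPE_IP and ETHERTYPE_IP6 arms `l4len = l4data - packet;` is the byte offset of the L4 header from the frame start, not the bytes left before `end_ptr` (the default arm does assign a length, `pkthdr->caplen - l2len`). Every writer below treats l4len as the bytes available at l4data — `memset(l4data + l4len - sgt_size, …)`, `for (i = (l4len - sgt_size); i < l4len; i++)`, `fuzz_reduce_packet_size(…, new_len)` — so on a capture shorter than twice its L2+L3 header length the END_* cases can write past end_ptr, and on a longer one most of the payload is never touched; I am reading the side of that line from the rendered page, so please confirm it is on the new side. Setting `l4len = (int)(end_ptr - l4data);` in both IP arms makes the variable a length everywhere and lets the guard stay as written. In the last hunk the new FUZZING_CHANGE_MID_RANDOM check `sgt_size > l4len` should compare against what the loop actually reaches, `offset + sgt_size > l4len`, since i runs from offset to offset + sgt_size. The fuzzing() body starts above the first hunk and spans all of them.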
Binary file modified test/test.rewrite_l7fuzzing
Binary file not shown.
Binary file modified test/test2.rewrite_l7fuzzing
Binary file not shown.
