/src/hostap/tests/fuzzing/ap-mgmt/ap-mgmt.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * hostapd - Management frame fuzzer |
3 | | * Copyright (c) 2015-2019, Jouni Malinen <j@w1.fi> |
4 | | * |
5 | | * This software may be distributed under the terms of the BSD license. |
6 | | * See README for more details. |
7 | | */ |
8 | | |
9 | | #include "utils/includes.h" |
10 | | |
11 | | #include "utils/common.h" |
12 | | #include "utils/eloop.h" |
13 | | #include "ap/hostapd.h" |
14 | | #include "ap/hw_features.h" |
15 | | #include "ap/ieee802_11.h" |
16 | | #include "ap/sta_info.h" |
17 | | #include "ap/ap_list.h" |
18 | | #include "../fuzzer-common.h" |
19 | | |
20 | | |
21 | | const struct wpa_driver_ops *const wpa_drivers[] = |
22 | | { |
23 | | NULL |
24 | | }; |
25 | | |
26 | | |
27 | | struct arg_ctx { |
28 | | const u8 *data; |
29 | | size_t data_len; |
30 | | struct hostapd_iface iface; |
31 | | struct hostapd_data hapd; |
32 | | struct wpa_driver_ops driver; |
33 | | struct hostapd_config iconf; |
34 | | struct hostapd_bss_config conf; |
35 | | }; |
36 | | |
37 | | |
38 | | static void test_send_mgmt(void *eloop_data, void *user_ctx) |
39 | 2.21k | { |
40 | 2.21k | struct arg_ctx *ctx = eloop_data; |
41 | 2.21k | struct hostapd_frame_info fi; |
42 | 2.21k | const u8 *pos, *end; |
43 | | |
44 | 2.21k | os_memset(&fi, 0, sizeof(fi)); |
45 | | |
46 | 2.21k | pos = ctx->data; |
47 | 2.21k | end = pos + ctx->data_len; |
48 | | |
49 | 2.09M | while (end - pos > 2) { |
50 | 2.09M | u16 flen; |
51 | | |
52 | 2.09M | flen = WPA_GET_BE16(pos); |
53 | 2.09M | pos += 2; |
54 | 2.09M | if (end - pos < flen) |
55 | 60 | break; |
56 | 2.09M | wpa_hexdump(MSG_MSGDUMP, "fuzzer - frame", pos, flen); |
57 | 2.09M | ieee802_11_mgmt(&ctx->hapd, pos, flen, &fi); |
58 | 2.09M | pos += flen; |
59 | 2.09M | } |
60 | | |
61 | 2.21k | eloop_terminate(); |
62 | 2.21k | } |
63 | | |
64 | | |
65 | | static struct hostapd_hw_modes * gen_modes(void) |
66 | 2.21k | { |
67 | 2.21k | struct hostapd_hw_modes *mode; |
68 | 2.21k | struct hostapd_channel_data *chan; |
69 | | |
70 | 2.21k | mode = os_zalloc(sizeof(struct hostapd_hw_modes)); |
71 | 2.21k | if (!mode) |
72 | 0 | return NULL; |
73 | | |
74 | 2.21k | mode->mode = HOSTAPD_MODE_IEEE80211G; |
75 | 2.21k | chan = os_zalloc(sizeof(struct hostapd_channel_data)); |
76 | 2.21k | if (!chan) { |
77 | 0 | os_free(mode); |
78 | 0 | return NULL; |
79 | 0 | } |
80 | 2.21k | chan->chan = 1; |
81 | 2.21k | chan->freq = 2412; |
82 | 2.21k | mode->channels = chan; |
83 | 2.21k | mode->num_channels = 1; |
84 | | |
85 | 2.21k | mode->rates = os_zalloc(sizeof(int)); |
86 | 2.21k | if (!mode->rates) { |
87 | 0 | os_free(chan); |
88 | 0 | os_free(mode); |
89 | 0 | return NULL; |
90 | 0 | } |
91 | 2.21k | mode->rates[0] = 10; |
92 | 2.21k | mode->num_rates = 1; |
93 | | |
94 | 2.21k | return mode; |
95 | 2.21k | } |
96 | | |
97 | | |
98 | | static int init_hapd(struct arg_ctx *ctx) |
99 | 2.21k | { |
100 | 2.21k | struct hostapd_data *hapd = &ctx->hapd; |
101 | 2.21k | struct sta_info *sta; |
102 | 2.21k | struct hostapd_bss_config *bss; |
103 | | |
104 | 2.21k | hapd->driver = &ctx->driver; |
105 | 2.21k | os_memcpy(hapd->own_addr, "\x02\x00\x00\x00\x03\x00", ETH_ALEN); |
106 | 2.21k | hapd->iface = &ctx->iface; |
107 | 2.21k | hapd->iface->conf = hostapd_config_defaults(); |
108 | 2.21k | if (!hapd->iface->conf) |
109 | 0 | return -1; |
110 | 2.21k | hapd->iface->hw_features = gen_modes(); |
111 | 2.21k | hapd->iface->num_hw_features = 1; |
112 | 2.21k | hapd->iface->current_mode = hapd->iface->hw_features; |
113 | 2.21k | hapd->iconf = hapd->iface->conf; |
114 | 2.21k | hapd->iconf->hw_mode = HOSTAPD_MODE_IEEE80211G; |
115 | 2.21k | hapd->iconf->channel = 1; |
116 | 2.21k | bss = hapd->conf = hapd->iconf->bss[0]; |
117 | 2.21k | hostapd_config_defaults_bss(hapd->conf); |
118 | 2.21k | os_memcpy(bss->ssid.ssid, "test", 4); |
119 | 2.21k | bss->ssid.ssid_len = 4; |
120 | 2.21k | bss->ssid.ssid_set = 1; |
121 | | |
122 | 2.21k | sta = ap_sta_add(hapd, (u8 *) "\x02\x00\x00\x00\x00\x00"); |
123 | 2.21k | if (sta) |
124 | 2.21k | sta->flags |= WLAN_STA_ASSOC | WLAN_STA_WMM; |
125 | | |
126 | 2.21k | return 0; |
127 | 2.21k | } |
128 | | |
129 | | |
130 | | int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) |
131 | 2.21k | { |
132 | 2.21k | struct arg_ctx ctx; |
133 | | |
134 | 2.21k | wpa_fuzzer_set_debug_level(); |
135 | | |
136 | 2.21k | if (os_program_init()) |
137 | 0 | return 0; |
138 | | |
139 | 2.21k | if (eloop_init()) { |
140 | 0 | wpa_printf(MSG_ERROR, "Failed to initialize event loop"); |
141 | 0 | return 0; |
142 | 0 | } |
143 | | |
144 | 2.21k | os_memset(&ctx, 0, sizeof(ctx)); |
145 | 2.21k | ctx.data = data; |
146 | 2.21k | ctx.data_len = size; |
147 | | |
148 | 2.21k | if (init_hapd(&ctx)) |
149 | 0 | goto fail; |
150 | | |
151 | 2.21k | eloop_register_timeout(0, 0, test_send_mgmt, &ctx, NULL); |
152 | | |
153 | 2.21k | wpa_printf(MSG_DEBUG, "Starting eloop"); |
154 | 2.21k | eloop_run(); |
155 | 2.21k | wpa_printf(MSG_DEBUG, "eloop done"); |
156 | 2.21k | hostapd_free_stas(&ctx.hapd); |
157 | 2.21k | hostapd_free_hw_features(ctx.hapd.iface->hw_features, |
158 | 2.21k | ctx.hapd.iface->num_hw_features); |
159 | | |
160 | 2.21k | fail: |
161 | 2.21k | hostapd_config_free(ctx.hapd.iconf); |
162 | 2.21k | ap_list_deinit(&ctx.iface); |
163 | 2.21k | eloop_destroy(); |
164 | 2.21k | os_program_deinit(); |
165 | | |
166 | 2.21k | return 0; |
167 | 2.21k | } |