/src/hostap/tests/fuzzing/wnm/wnm.c
Line | Count | Source |
1 | | /* |
2 | | * wpa_supplicant - WNM fuzzer |
3 | | * Copyright (c) 2015-2019, Jouni Malinen <j@w1.fi> |
4 | | * |
5 | | * This software may be distributed under the terms of the BSD license. |
6 | | * See README for more details. |
7 | | */ |
8 | | |
9 | | #include "utils/includes.h" |
10 | | |
11 | | #include "utils/common.h" |
12 | | #include "utils/eloop.h" |
13 | | #include "common/ieee802_11_defs.h" |
14 | | #include "rsn_supp/wpa.h" |
15 | | #include "rsn_supp/wpa_i.h" |
16 | | #include "wpa_supplicant_i.h" |
17 | | #include "bss.h" |
18 | | #include "wnm_sta.h" |
19 | | #include "../../../wpa_supplicant/config.h" |
20 | | #include "../fuzzer-common.h" |
21 | | |
22 | | |
/*
 * Per-input harness state. LLVMFuzzerTestOneInput() zero-fills one of these
 * on its stack for every fuzz input, so nothing is carried over from one
 * input to the next through this structure.
 */
struct arg_ctx {
	/* Raw fuzzer input and its length; the harness does not own or copy
	 * the buffer. */
	const u8 *data;
	size_t data_len;

	/* Supplicant instance handed to ieee802_11_rx_wnm_action() */
	struct wpa_supplicant wpa_s;

	/* Zero-initialized stand-ins that init_wpa() links into wpa_s */
	struct wpa_bss bss;
	struct wpa_driver_ops driver;
	struct wpa_sm wpa;
	struct wpa_config conf;
	struct wpa_ssid ssid;
};
33 | | |
34 | | |
/*
 * eloop timeout callback: deliver the fuzzer input to the WNM Action frame
 * handler as if it were a received management frame, then stop the event
 * loop.
 *
 * eloop_data is the struct arg_ctx registered by LLVMFuzzerTestOneInput();
 * user_ctx is registered as NULL and is not used.
 *
 * No minimum-length check is made here on purpose: data_len can be smaller
 * than struct ieee80211_mgmt (including zero), so the handler has to bound
 * every header and payload read by the length it is given. That bounds
 * checking is what this harness exercises.
 */
static void test_send_wnm(void *eloop_data, void *user_ctx)
{
	struct arg_ctx *fuzz = eloop_data;

	/* Dump the input at MSGDUMP verbosity to help reproduce a finding */
	wpa_hexdump(MSG_MSGDUMP, "fuzzer - WNM", fuzz->data, fuzz->data_len);

	/* Reinterpret the untrusted bytes as a management frame; the cast
	 * itself reads nothing. */
	ieee802_11_rx_wnm_action(&fuzz->wpa_s,
				 (const struct ieee80211_mgmt *) fuzz->data,
				 fuzz->data_len);

	eloop_terminate();
}
47 | | |
48 | | |
/*
 * Prepare the minimal supplicant state used by the WNM handler under test.
 *
 * Marks the station as WPA_COMPLETED with a fixed BSSID and points the
 * current BSS, SSID, driver ops, WPA state machine and configuration at the
 * zeroed members of ctx. NOTE(review): presumably this makes the handler
 * treat the station as associated - confirm against wnm_sta.c.
 *
 * Returns: 0 on success, -1 if wpa_bss_init() fails
 */
static int init_wpa(struct arg_ctx *ctx)
{
	struct wpa_supplicant *wpa_s = &ctx->wpa_s;

	wpa_s->wpa_state = WPA_COMPLETED;
	/* Fixed BSSID; only the first ETH_ALEN bytes of the literal are used */
	os_memcpy(wpa_s->bssid, "\x02\x00\x00\x00\x03\x00", ETH_ALEN);

	wpa_s->current_bss = &ctx->bss;
	wpa_s->current_ssid = &ctx->ssid;
	wpa_s->driver = &ctx->driver;
	wpa_s->wpa = &ctx->wpa;
	wpa_s->conf = &ctx->conf;

	return wpa_bss_init(wpa_s) < 0 ? -1 : 0;
}
63 | | |
64 | | |
/*
 * Tear down the state set up by init_wpa() after an input has been
 * processed: reset the BSS transition management state and flush the BSS
 * table. NOTE(review): presumably this releases whatever the handler
 * allocated while parsing the frame, so that a leak detector reports only
 * real leaks - confirm against wnm_btm_reset() and wpa_bss_flush().
 */
static void deinit_wpa(struct arg_ctx *ctx)
{
	struct wpa_supplicant *wpa_s = &ctx->wpa_s;

	wnm_btm_reset(wpa_s);
	wpa_bss_flush(wpa_s);
}
70 | | |
71 | | |
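/*
 * libFuzzer entry point: process one input as a received WNM Action frame.
 *
 * data/size are the untrusted input. They are stored in a zeroed, per-call
 * struct arg_ctx and delivered to the handler from a zero-delay eloop
 * timeout (test_send_wnm()), so the frame is processed from inside the
 * event loop.
 *
 * Every successful init step is paired with its deinit on all paths, so a
 * setup failure does not leave state behind for later inputs in the same
 * process.
 *
 * Returns: always 0; findings surface as crashes or sanitizer reports
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
	struct arg_ctx ctx;

	wpa_fuzzer_set_debug_level();

	if (os_program_init())
		return 0;

	if (eloop_init()) {
		wpa_printf(MSG_ERROR, "Failed to initialize event loop");
		/* os_program_init() succeeded above; undo it before bailing
		 * out instead of returning with it still initialized. */
		os_program_deinit();
		return 0;
	}

	/* Fresh, zeroed state for every input */
	os_memset(&ctx, 0, sizeof(ctx));
	ctx.data = data;
	ctx.data_len = size;
	if (init_wpa(&ctx))
		goto fail;

	/* Run the loop only if the delivery callback was registered; without
	 * it the input would never reach the handler and nothing would call
	 * eloop_terminate(). */
	if (eloop_register_timeout(0, 0, test_send_wnm, &ctx, NULL) == 0) {
		wpa_printf(MSG_DEBUG, "Starting eloop");
		eloop_run();
		wpa_printf(MSG_DEBUG, "eloop done");
	} else {
		wpa_printf(MSG_ERROR, "Failed to register eloop timeout");
	}
	deinit_wpa(&ctx);

fail:
	eloop_destroy();
	os_program_deinit();

	return 0;
}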