/src/hostap/tests/fuzzing/ap-mgmt/ap-mgmt.c

Source
/*
 * hostapd - Management frame fuzzer
 * Copyright (c) 2015-2019, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "utils/includes.h"

#include "utils/common.h"
#include "utils/eloop.h"
#include "ap/hostapd.h"
#include "ap/hw_features.h"
#include "ap/ieee802_11.h"
#include "ap/sta_info.h"
#include "ap/ap_list.h"
#include "../fuzzer-common.h"


const struct wpa_driver_ops *const wpa_drivers[] =
{
  NULL
};


struct arg_ctx {
  const u8 *data;
  size_t data_len;
  struct hostapd_iface iface;
  struct hostapd_data hapd;
  struct wpa_driver_ops driver;
  struct hostapd_config iconf;
  struct hostapd_bss_config conf;
};


static void test_send_mgmt(void *eloop_data, void *user_ctx)
{
  struct arg_ctx *ctx = eloop_data;
  struct hostapd_frame_info fi;
  const u8 *pos, *end;

  os_memset(&fi, 0, sizeof(fi));

  pos = ctx->data;
  end = pos + ctx->data_len;

  while (end - pos > 2) {
    u16 flen;

    flen = WPA_GET_BE16(pos);
    pos += 2;
    if (end - pos < flen)
      break;
    wpa_hexdump(MSG_MSGDUMP, "fuzzer - frame", pos, flen);
    ieee802_11_mgmt(&ctx->hapd, pos, flen, &fi);
    pos += flen;
  }

  eloop_terminate();
}


static struct hostapd_hw_modes * gen_modes(void)
{
  struct hostapd_hw_modes *mode;
  struct hostapd_channel_data *chan;

  mode = os_zalloc(sizeof(struct hostapd_hw_modes));
  if (!mode)
    return NULL;

  mode->mode = HOSTAPD_MODE_IEEE80211G;
  chan = os_zalloc(sizeof(struct hostapd_channel_data));
  if (!chan) {
    os_free(mode);
    return NULL;
  }
  chan->chan = 1;
  chan->freq = 2412;
  mode->channels = chan;
  mode->num_channels = 1;

  mode->rates = os_zalloc(sizeof(int));
  if (!mode->rates) {
    os_free(chan);
    os_free(mode);
    return NULL;
  }
  mode->rates[0] = 10;
  mode->num_rates = 1;

  return mode;
}


static int init_hapd(struct arg_ctx *ctx)
{
  struct hostapd_data *hapd = &ctx->hapd;
  struct sta_info *sta;
  struct hostapd_bss_config *bss;

  hapd->driver = &ctx->driver;
  os_memcpy(hapd->own_addr, "\x02\x00\x00\x00\x03\x00", ETH_ALEN);
  hapd->iface = &ctx->iface;
  hapd->iface->conf = hostapd_config_defaults();
  if (!hapd->iface->conf)
    return -1;
  hapd->iface->hw_features = gen_modes();
  hapd->iface->num_hw_features = 1;
  hapd->iface->current_mode = hapd->iface->hw_features;
  hapd->iconf = hapd->iface->conf;
  hapd->iconf->hw_mode = HOSTAPD_MODE_IEEE80211G;
  hapd->iconf->channel = 1;
  bss = hapd->conf = hapd->iconf->bss[0];
  hostapd_config_defaults_bss(hapd->conf);
  os_memcpy(bss->ssid.ssid, "test", 4);
  bss->ssid.ssid_len = 4;
  bss->ssid.ssid_set = 1;

  sta = ap_sta_add(hapd, (u8 *) "\x02\x00\x00\x00\x00\x00");
  if (sta)
    sta->flags |= WLAN_STA_ASSOC | WLAN_STA_WMM;

  return 0;
}


int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
  struct arg_ctx ctx;

  wpa_fuzzer_set_debug_level();

  if (os_program_init())
    return 0;

  if (eloop_init()) {
    wpa_printf(MSG_ERROR, "Failed to initialize event loop");
    return 0;
  }

  os_memset(&ctx, 0, sizeof(ctx));
  ctx.data = data;
  ctx.data_len = size;

  if (init_hapd(&ctx))
    goto fail;

  eloop_register_timeout(0, 0, test_send_mgmt, &ctx, NULL);

  wpa_printf(MSG_DEBUG, "Starting eloop");
  eloop_run();
  wpa_printf(MSG_DEBUG, "eloop done");
  hostapd_free_stas(&ctx.hapd);
  hostapd_free_hw_features(ctx.hapd.iface->hw_features,
         ctx.hapd.iface->num_hw_features);

fail:
  hostapd_config_free(ctx.hapd.iconf);
  ap_list_deinit(&ctx.iface);
  eloop_destroy();
  os_program_deinit();

  return 0;
}

Line	Count	Source
1		/*
2		* hostapd - Management frame fuzzer
3		* Copyright (c) 2015-2019, Jouni Malinen <j@w1.fi>
4		*
5		* This software may be distributed under the terms of the BSD license.
6		* See README for more details.
7		*/
8
9		#include "utils/includes.h"
10
11		#include "utils/common.h"
12		#include "utils/eloop.h"
13		#include "ap/hostapd.h"
14		#include "ap/hw_features.h"
15		#include "ap/ieee802_11.h"
16		#include "ap/sta_info.h"
17		#include "ap/ap_list.h"
18		#include "../fuzzer-common.h"
19
20
21		const struct wpa_driver_ops *const wpa_drivers[] =
22		{
23		NULL
24		};
25
26
27		struct arg_ctx {
28		const u8 *data;
29		size_t data_len;
30		struct hostapd_iface iface;
31		struct hostapd_data hapd;
32		struct wpa_driver_ops driver;
33		struct hostapd_config iconf;
34		struct hostapd_bss_config conf;
35		};
36
37
38		static void test_send_mgmt(void eloop_data, void user_ctx)
39	2.37k	{
40	2.37k	struct arg_ctx *ctx = eloop_data;
41	2.37k	struct hostapd_frame_info fi;
42	2.37k	const u8 pos, end;
43
44	2.37k	os_memset(&fi, 0, sizeof(fi));
45
46	2.37k	pos = ctx->data;
47	2.37k	end = pos + ctx->data_len;
48
49	1.53M	while (end - pos > 2) {
50	1.53M	u16 flen;
51
52	1.53M	flen = WPA_GET_BE16(pos);
53	1.53M	pos += 2;
54	1.53M	if (end - pos < flen)
55	83	break;
56	1.53M	wpa_hexdump(MSG_MSGDUMP, "fuzzer - frame", pos, flen);
57	1.53M	ieee802_11_mgmt(&ctx->hapd, pos, flen, &fi);
58	1.53M	pos += flen;
59	1.53M	}
60
61	2.37k	eloop_terminate();
62	2.37k	}
63
64
65		static struct hostapd_hw_modes * gen_modes(void)
66	2.37k	{
67	2.37k	struct hostapd_hw_modes *mode;
68	2.37k	struct hostapd_channel_data *chan;
69
70	2.37k	mode = os_zalloc(sizeof(struct hostapd_hw_modes));
71	2.37k	if (!mode)
72	0	return NULL;
73
74	2.37k	mode->mode = HOSTAPD_MODE_IEEE80211G;
75	2.37k	chan = os_zalloc(sizeof(struct hostapd_channel_data));
76	2.37k	if (!chan) {
77	0	os_free(mode);
78	0	return NULL;
79	0	}
80	2.37k	chan->chan = 1;
81	2.37k	chan->freq = 2412;
82	2.37k	mode->channels = chan;
83	2.37k	mode->num_channels = 1;
84
85	2.37k	mode->rates = os_zalloc(sizeof(int));
86	2.37k	if (!mode->rates) {
87	0	os_free(chan);
88	0	os_free(mode);
89	0	return NULL;
90	0	}
91	2.37k	mode->rates[0] = 10;
92	2.37k	mode->num_rates = 1;
93
94	2.37k	return mode;
95	2.37k	}
96
97
98		static int init_hapd(struct arg_ctx *ctx)
99	2.37k	{
100	2.37k	struct hostapd_data *hapd = &ctx->hapd;
101	2.37k	struct sta_info *sta;
102	2.37k	struct hostapd_bss_config *bss;
103
104	2.37k	hapd->driver = &ctx->driver;
105	2.37k	os_memcpy(hapd->own_addr, "\x02\x00\x00\x00\x03\x00", ETH_ALEN);
106	2.37k	hapd->iface = &ctx->iface;
107	2.37k	hapd->iface->conf = hostapd_config_defaults();
108	2.37k	if (!hapd->iface->conf)
109	0	return -1;
110	2.37k	hapd->iface->hw_features = gen_modes();
111	2.37k	hapd->iface->num_hw_features = 1;
112	2.37k	hapd->iface->current_mode = hapd->iface->hw_features;
113	2.37k	hapd->iconf = hapd->iface->conf;
114	2.37k	hapd->iconf->hw_mode = HOSTAPD_MODE_IEEE80211G;
115	2.37k	hapd->iconf->channel = 1;
116	2.37k	bss = hapd->conf = hapd->iconf->bss[0];
117	2.37k	hostapd_config_defaults_bss(hapd->conf);
118	2.37k	os_memcpy(bss->ssid.ssid, "test", 4);
119	2.37k	bss->ssid.ssid_len = 4;
120	2.37k	bss->ssid.ssid_set = 1;
121
122	2.37k	sta = ap_sta_add(hapd, (u8 *) "\x02\x00\x00\x00\x00\x00");
123	2.37k	if (sta)
124	2.37k	sta->flags \|= WLAN_STA_ASSOC \| WLAN_STA_WMM;
125
126	2.37k	return 0;
127	2.37k	}
128
129
130		int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
131	4.01k	{
132	4.01k	struct arg_ctx ctx;
133
134	4.01k	wpa_fuzzer_set_debug_level();
135
136	4.01k	if (os_program_init())
137	0	return 0;
138
139	4.01k	if (eloop_init()) {
140	0	wpa_printf(MSG_ERROR, "Failed to initialize event loop");
141	0	return 0;
142	0	}
143
144	4.01k	os_memset(&ctx, 0, sizeof(ctx));
145	4.01k	ctx.data = data;
146	4.01k	ctx.data_len = size;
147
148	4.01k	if (init_hapd(&ctx))
149	0	goto fail;
150
151	4.01k	eloop_register_timeout(0, 0, test_send_mgmt, &ctx, NULL);
152
153	4.01k	wpa_printf(MSG_DEBUG, "Starting eloop");
154	4.01k	eloop_run();
155	4.01k	wpa_printf(MSG_DEBUG, "eloop done");
156	4.01k	hostapd_free_stas(&ctx.hapd);
157	4.01k	hostapd_free_hw_features(ctx.hapd.iface->hw_features,
158	4.01k	ctx.hapd.iface->num_hw_features);
159
160	4.01k	fail:
161	4.01k	hostapd_config_free(ctx.hapd.iconf);
162	4.01k	ap_list_deinit(&ctx.iface);
163	4.01k	eloop_destroy();
164	4.01k	os_program_deinit();
165
166	4.01k	return 0;
167	4.01k	}

Coverage Report

Created: 2026-04-29 07:00