Coverage Report

Created: 2022-08-24 06:02

/src/usrsctp/fuzzer/fuzzer_connect.c
Line
Count
Source
1
/*
2
 * Copyright (C) 2017-2020 Felix Weinrank
3
 *
4
 * All rights reserved.
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 * 1. Redistributions of source code must retain the above copyright
10
 *    notice, this list of conditions and the following disclaimer.
11
 * 2. Redistributions in binary form must reproduce the above copyright
12
 *    notice, this list of conditions and the following disclaimer in the
13
 *    documentation and/or other materials provided with the distribution.
14
 * 3. Neither the name of the project nor the names of its contributors
15
 *    may be used to endorse or promote products derived from this software
16
 *    without specific prior written permission.
17
 *
18
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
19
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
22
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28
 * SUCH DAMAGE.
29
 */
30
31
#include <stdio.h>
32
#include <stdlib.h>
33
#include <string.h>
34
#include <stdarg.h>
35
#include <assert.h>
36
#include <usrsctp.h>
37
#include "../programs/programs_helper.h"
38
39
//#define FUZZ_ALWAYS_INITIALIZE
40
41
//#define FUZZ_VERBOSE
42
#define FUZZ_INTERLEAVING
43
#define FUZZ_STREAM_RESET
44
45
81.5k
#define FUZZ_B_INJECT_INIT_ACK        (1 << 0)
46
71.8k
#define FUZZ_B_INJECT_COOKIE_ACK      (1 << 1)
47
4.34k
#define FUZZ_B_SEND_DATA              (1 << 2)
48
4.34k
#define FUZZ_B_SEND_STREAM_RESET      (1 << 3)
49
4.34k
#define FUZZ_B_INJECT_DATA            (1 << 4)
50
37.4k
#define FUZZ_B_I_DATA_SUPPORT         (1 << 5)
51
6.69k
#define FUZZ_B_SEND_DATA_FORCE        (1 << 6)
52
#define FUZZ_B_RESERVED               (1 << 7)
53
54
1.26M
#define BUFFER_SIZE 4096
55
159k
#define COMMON_HEADER_SIZE 12
56
57
static uint32_t assoc_vtag = 0;
58
59
#ifdef FUZZ_VERBOSE
60
#define fuzzer_printf(...) debug_printf(__VA_ARGS__)
61
#else
62
#define fuzzer_printf(...)
63
#endif
64
65
static void
66
dump_packet(const void *buffer, size_t bufferlen, int inout)
67
83.2k
{
68
#ifdef FUZZ_VERBOSE
69
  static char *dump_buf;
70
  if ((dump_buf = usrsctp_dumppacket(buffer, bufferlen, inout)) != NULL) {
71
    fprintf(stderr, "%s", dump_buf);
72
    usrsctp_freedumpbuffer(dump_buf);
73
  }
74
#endif // FUZZ_VERBOSE
75
83.2k
}
76
77
78
static int
79
conn_output(void *addr, void *buf, size_t length, uint8_t tos, uint8_t set_df)
80
54.8k
{
81
54.8k
  struct sctp_init_chunk *init_chunk;
82
54.8k
  const char *init_chunk_first_bytes = "\x13\x88\x13\x89\x00\x00\x00\x00\x00\x00\x00\x00\x01";
83
  // Looking for the outgoing VTAG.
84
  // length >= (COMMON_HEADER_SIZE + 16 (min size of INIT))
85
  // If the common header has no VTAG (all zero), we're assuming it carries an INIT
86
54.8k
  if ((length >= (COMMON_HEADER_SIZE + 16)) && (memcmp(buf, init_chunk_first_bytes, COMMON_HEADER_SIZE) == 0)) {
87
19.3k
    init_chunk = (struct sctp_init_chunk*) ((char *)buf + sizeof(struct sctp_common_header));
88
19.3k
    fuzzer_printf("Found outgoing INIT, extracting VTAG : %u\n", init_chunk->initiate_tag);
89
19.3k
    assoc_vtag = init_chunk->initiate_tag;
90
19.3k
  }
91
92
54.8k
  dump_packet(buf, length, SCTP_DUMP_OUTBOUND);
93
54.8k
  return (0);
94
54.8k
}
95
96
97
static void
98
handle_upcall(struct socket *sock, void *arg, int flgs)
99
15.3k
{
100
15.3k
  fuzzer_printf("handle_upcall()\n");
101
15.3k
  int events = usrsctp_get_events(sock);
102
103
646k
  while (events & SCTP_EVENT_READ) {
104
632k
    struct sctp_recvv_rn rn;
105
632k
    ssize_t n;
106
632k
    struct sockaddr_in addr;
107
632k
    char *buf = calloc(1, BUFFER_SIZE);
108
632k
    int flags = 0;
109
632k
    socklen_t len = (socklen_t)sizeof(struct sockaddr_in);
110
632k
    unsigned int infotype = 0;
111
632k
    socklen_t infolen = sizeof(struct sctp_recvv_rn);
112
632k
    memset(&rn, 0, sizeof(struct sctp_recvv_rn));
113
632k
    n = usrsctp_recvv(sock, buf, BUFFER_SIZE, (struct sockaddr *) &addr, &len, (void *)&rn, &infolen, &infotype, &flags);
114
632k
    fuzzer_printf("usrsctp_recvv() - returned %zd\n", n);
115
116
632k
    if (flags & MSG_NOTIFICATION) {
117
629k
      fuzzer_printf("NOTIFICATION received\n");
118
#ifdef FUZZ_VERBOSE
119
      handle_notification((union sctp_notification *)buf, n);
120
#endif // FUZZ_VERBOSE
121
629k
    } else {
122
3.08k
      fuzzer_printf("DATA received\n");
123
3.08k
    }
124
125
632k
    free(buf);
126
127
632k
    if (n <= 0) {
128
1.82k
      break;
129
1.82k
    }
130
131
630k
    events = usrsctp_get_events(sock);
132
630k
  }
133
15.3k
}
134
135
136
int
137
1
initialize_fuzzer(void) {
138
#ifdef FUZZ_VERBOSE
139
  usrsctp_init(0, conn_output, debug_printf_stack);
140
#else // FUZZ_VERBOSE
141
1
  usrsctp_init(0, conn_output, NULL);
142
1
#endif // FUZZ_VERBOSE
143
144
1
  usrsctp_enable_crc32c_offload();
145
146
#ifdef SCTP_DEBUG
147
  usrsctp_sysctl_set_sctp_debug_on(SCTP_DEBUG_ALL);
148
#endif // SCTP_DEBUG
149
150
1
  usrsctp_register_address((void *)1);
151
1
  usrsctp_sysctl_set_sctp_pktdrop_enable(1);
152
1
  usrsctp_sysctl_set_sctp_nrsack_enable(1);
153
154
1
  fuzzer_printf("usrsctp initialized\n");
155
1
  return (1);
156
1
}
157
158
159
int
160
LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
161
11.6k
{
162
11.6k
  static int initialized;
163
11.6k
  char *fuzz_packet_buffer;
164
11.6k
  struct sockaddr_conn sconn;
165
11.6k
  struct socket *socket_client;
166
11.6k
  struct linger so_linger;
167
11.6k
  struct sctp_event event;
168
11.6k
  unsigned long i;
169
11.6k
  struct sctp_common_header* common_header;
170
11.6k
  uint16_t event_types[] = {
171
11.6k
    SCTP_ASSOC_CHANGE,
172
11.6k
    SCTP_PEER_ADDR_CHANGE,
173
11.6k
    SCTP_REMOTE_ERROR,
174
11.6k
    SCTP_SEND_FAILED,
175
11.6k
    SCTP_SHUTDOWN_EVENT,
176
11.6k
    SCTP_ADAPTATION_INDICATION,
177
11.6k
    SCTP_PARTIAL_DELIVERY_EVENT,
178
11.6k
    SCTP_AUTHENTICATION_EVENT,
179
11.6k
    SCTP_STREAM_RESET_EVENT,
180
11.6k
    SCTP_SENDER_DRY_EVENT,
181
11.6k
    SCTP_ASSOC_RESET_EVENT,
182
11.6k
    SCTP_STREAM_CHANGE_EVENT,
183
11.6k
    SCTP_SEND_FAILED_EVENT
184
11.6k
  };
185
11.6k
  int optval;
186
11.6k
  int result;
187
11.6k
  struct sctp_initmsg initmsg;
188
11.6k
#if defined(FUZZ_STREAM_RESET) || defined(FUZZ_INTERLEAVING)
189
11.6k
  struct sctp_assoc_value assoc_val;
190
11.6k
#endif // defined(FUZZ_STREAM_RESET) || defined(FUZZ_INTERLEAVING)
191
192
  // WITH COMMON HEADER!
193
11.6k
  char fuzz_init_ack[] = "\x13\x89\x13\x88\x49\xa4\xac\xb2\x00\x00\x00\x00\x02\x00\x01\xb4" \
194
11.6k
    "\x2b\xe8\x47\x40\x00\x1c\x71\xc7\xff\xff\xff\xff\xed\x69\x58\xec" \
195
11.6k
    "\xc0\x06\x00\x08\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04" \
196
11.6k
    "\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
197
11.6k
    "\x40\x39\xcf\x32\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6" \
198
11.6k
    "\x2f\xb7\x81\x96\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa" \
199
11.6k
    "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
200
11.6k
    "\x00\x07\x01\x50\x4b\x41\x4d\x45\x2d\x42\x53\x44\x20\x31\x2e\x31" \
201
11.6k
    "\x00\x00\x00\x00\x64\xdb\x63\x00\x00\x00\x00\x00\xc9\x76\x03\x00" \
202
11.6k
    "\x00\x00\x00\x00\x60\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
203
11.6k
    "\xb2\xac\xa4\x49\x2b\xe8\x47\x40\xd4\xc9\x79\x52\x00\x00\x00\x00" \
204
11.6k
    "\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\xd4\xc9\x79\x53" \
205
11.6k
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00" \
206
11.6k
    "\x00\x00\x00\x00\x5a\x76\x13\x89\x01\x00\x00\x00\x00\x00\x00\x00" \
207
11.6k
    "\x00\x00\x00\x00\x01\x00\x00\x62\x49\xa4\xac\xb2\x00\x1c\x71\xc7" \
208
11.6k
    "\x00\x01\xff\xff\x82\xe6\xc8\x44\x80\x00\x00\x04\xc0\x00\x00\x04" \
209
11.6k
    "\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
210
11.6k
    "\xb6\xbb\xb5\x7f\xbb\x4b\x0e\xb5\x42\xf6\x75\x18\x4f\x79\x0f\x24" \
211
11.6k
    "\x1c\x44\x0b\xd6\x62\xa9\x84\xe7\x2c\x3c\x7f\xad\x1b\x67\x81\x57" \
212
11.6k
    "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
213
11.6k
    "\x00\x0c\x00\x06\x00\x05\x00\x00\x02\x00\x01\xb4\x2b\xe8\x47\x40" \
214
11.6k
    "\x00\x1c\x71\xc7\x00\x01\xff\xff\xed\x69\x58\xec\xc0\x06\x00\x08" \
215
11.6k
    "\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04\x80\x08\x00\x0b" \
216
11.6k
    "\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24\x40\x39\xcf\x32" \
217
11.6k
    "\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6\x2f\xb7\x81\x96" \
218
11.6k
    "\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa\x80\x04\x00\x08" \
219
11.6k
    "\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00\x81\xe1\x1e\x81" \
220
11.6k
    "\xea\x41\xeb\xf0\x12\xd9\x74\xbe\x13\xfd\x4b\x6c\x5c\xa2\x8f\x00";
221
222
  // WITH COMMON HEADER!
223
11.6k
  char fuzz_cookie_ack[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00\x0b\x00\x00\x04";
224
225
  // WITH COMMON HEADER!
226
11.6k
  char fuzz_i_data[] = "\x13\x89\x13\x88\x07\x01\x6c\xd3\x00\x00\x00\x00\x40\x03" \
227
11.6k
    "\x00\xdc\x2d\x2b\x46\xd4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
228
11.6k
    "\x00\x27\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
229
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
230
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
231
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
232
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
233
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
234
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
235
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
236
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
237
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
238
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
239
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
240
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
241
242
  // WITH COMMON HEADER!
243
11.6k
  char fuzz_data[] = "\x13\x89\x13\x88\x27\xc4\xbf\xdf\x00\x00\x00\x00\x00\x03" \
244
11.6k
    "\x00\xd8\x79\x64\xb7\xc1\x00\x00\x00\x00\x00\x00\x00\x27\x41\x41" \
245
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
246
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
247
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
248
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
249
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
250
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
251
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
252
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
253
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
254
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
255
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
256
11.6k
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
257
11.6k
    "\x41\x41\x41\x41\x41\x41";
258
259
260
11.6k
  char fuzz_common_header[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00";
261
262
11.6k
  fuzzer_printf("LLVMFuzzerTestOneInput()\n");
263
264
#ifdef FUZZ_ALWAYS_INITIALIZE
265
  initialize_fuzzer();
266
#else
267
11.6k
  if (!initialized) {
268
1
    initialized = initialize_fuzzer();
269
1
  }
270
11.6k
#endif
271
272
11.6k
  if (data_size < 5 || data_size > 65535) {
273
    // Skip too small and too large packets
274
13
    fuzzer_printf("data_size %zu makes no sense, skipping\n", data_size);
275
13
    return (0);
276
13
  }
277
278
11.6k
  socket_client = usrsctp_socket(AF_CONN, SOCK_STREAM, IPPROTO_SCTP, NULL, NULL, 0, 0);
279
11.6k
  FUZZER_ASSERT(socket_client != NULL);
280
281
11.6k
  usrsctp_set_non_blocking(socket_client, 1);
282
283
  // all max!
284
11.6k
  memset(&initmsg, 1, sizeof(struct sctp_initmsg));
285
11.6k
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INITMSG, &initmsg, sizeof(struct sctp_initmsg));
286
11.6k
  FUZZER_ASSERT(result == 0);
287
288
11.6k
  so_linger.l_onoff = 1;
289
11.6k
  so_linger.l_linger = 0;
290
11.6k
  result = usrsctp_setsockopt(socket_client, SOL_SOCKET, SO_LINGER, &so_linger, sizeof(struct linger));
291
11.6k
  FUZZER_ASSERT(result == 0);
292
293
11.6k
  memset(&event, 0, sizeof(event));
294
11.6k
  event.se_on = 1;
295
163k
  for (i = 0; i < (sizeof(event_types) / sizeof(uint16_t)); i++) {
296
151k
    event.se_type = event_types[i];
297
151k
    result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(event));
298
151k
    FUZZER_ASSERT(result == 0);
299
151k
  }
300
301
11.6k
  optval = 1;
302
11.6k
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVRCVINFO, &optval, sizeof(optval));
303
11.6k
  FUZZER_ASSERT(result == 0);
304
305
11.6k
  optval = 1;
306
11.6k
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVNXTINFO, &optval, sizeof(optval));
307
11.6k
  FUZZER_ASSERT(result == 0);
308
309
11.6k
#if defined(FUZZ_STREAM_RESET)
310
11.6k
  assoc_val.assoc_id = SCTP_ALL_ASSOC;
311
11.6k
  assoc_val.assoc_value = SCTP_ENABLE_RESET_STREAM_REQ | SCTP_ENABLE_RESET_ASSOC_REQ | SCTP_ENABLE_CHANGE_ASSOC_REQ;
312
11.6k
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_ENABLE_STREAM_RESET, &assoc_val, sizeof(struct sctp_assoc_value));
313
11.6k
  FUZZER_ASSERT(result == 0);
314
11.6k
#endif // defined(FUZZ_STREAM_RESET)
315
316
11.6k
#if defined(FUZZ_INTERLEAVING)
317
11.6k
#if !defined(SCTP_INTERLEAVING_SUPPORTED)
318
11.6k
#define SCTP_INTERLEAVING_SUPPORTED 0x00001206
319
11.6k
#endif // !defined(SCTP_INTERLEAVING_SUPPORTED)
320
321
11.6k
  if (data[0] & FUZZ_B_I_DATA_SUPPORT) {
322
6.69k
    optval = 2;
323
6.69k
    result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_FRAGMENT_INTERLEAVE, &optval, sizeof(optval));
324
6.69k
    FUZZER_ASSERT(result == 0);
325
326
6.69k
    memset(&assoc_val, 0, sizeof(assoc_val));
327
6.69k
    assoc_val.assoc_value = 1;
328
6.69k
    result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INTERLEAVING_SUPPORTED, &assoc_val, sizeof(assoc_val));
329
6.69k
    FUZZER_ASSERT(result == 0);
330
6.69k
  }
331
11.6k
#endif // defined(FUZZ_INTERLEAVING)
332
333
11.6k
  optval = 1;
334
11.6k
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_REUSE_PORT, &optval, sizeof(optval));
335
11.6k
  FUZZER_ASSERT(result == 0);
336
337
11.6k
  memset(&sconn, 0, sizeof(struct sockaddr_conn));
338
11.6k
  sconn.sconn_family = AF_CONN;
339
#ifdef HAVE_SCONN_LEN
340
  sconn.sconn_len = sizeof(struct sockaddr_conn);
341
#endif // HAVE_SCONN_LEN
342
11.6k
  sconn.sconn_port = htons(5000);
343
11.6k
  sconn.sconn_addr = (void *)1;
344
345
11.6k
  result = usrsctp_bind(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn));
346
11.6k
  FUZZER_ASSERT(result == 0);
347
348
  // Disable Nagle.
349
11.6k
  optval = 1;
350
11.6k
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_NODELAY, &optval, sizeof(optval));
351
11.6k
  FUZZER_ASSERT(result == 0);
352
353
11.6k
  usrsctp_set_upcall(socket_client, handle_upcall, NULL);
354
355
11.6k
  memset(&sconn, 0, sizeof(struct sockaddr_conn));
356
11.6k
  sconn.sconn_family = AF_CONN;
357
#ifdef HAVE_SCONN_LEN
358
  sconn.sconn_len = sizeof(struct sockaddr_conn);
359
#endif // HAVE_SCONN_LEN
360
11.6k
  sconn.sconn_port = htons(5001);
361
11.6k
  sconn.sconn_addr = (void *)1;
362
363
11.6k
  fuzzer_printf("Calling usrsctp_connect()\n");
364
11.6k
  result = usrsctp_connect(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn));
365
11.6k
  FUZZER_ASSERT(result == 0 || errno == EINPROGRESS);
366
367
11.6k
  if (data[0] & FUZZ_B_INJECT_INIT_ACK) {
368
8.40k
    fuzzer_printf("Injecting INIT-ACK\n");
369
370
8.40k
    common_header = (struct sctp_common_header*) fuzz_init_ack;
371
8.40k
    common_header->verification_tag = assoc_vtag;
372
373
8.40k
    dump_packet(fuzz_init_ack, 448, SCTP_DUMP_INBOUND);
374
8.40k
    usrsctp_conninput((void *)1, fuzz_init_ack, 448, 0);
375
8.40k
  }
376
377
11.6k
  if (data[0] & FUZZ_B_INJECT_COOKIE_ACK) {
378
5.85k
    fuzzer_printf("Injecting COOKIE-ACK\n");
379
380
5.85k
    common_header = (struct sctp_common_header*) fuzz_cookie_ack;
381
5.85k
    common_header->verification_tag = assoc_vtag;
382
383
5.85k
    dump_packet(fuzz_cookie_ack, 16, SCTP_DUMP_INBOUND);
384
5.85k
    usrsctp_conninput((void *)1, fuzz_cookie_ack, 16, 0);
385
5.85k
  }
386
387
11.6k
  if (data[0] & FUZZ_B_INJECT_INIT_ACK &&
388
11.6k
    data[0] & FUZZ_B_INJECT_COOKIE_ACK &&
389
11.6k
    data[0] & FUZZ_B_SEND_DATA) {
390
2.69k
    const char *sendbuffer = "Geologie ist keine richtige Wissenschaft!";
391
2.69k
    fuzzer_printf("Calling usrsctp_sendv()\n");
392
2.69k
    usrsctp_sendv(socket_client, sendbuffer, strlen(sendbuffer), NULL, 0, NULL, 0, SCTP_SENDV_NOINFO, 0);
393
2.69k
  }
394
395
  // Required: INIT-ACK and COOKIE-ACK
396
11.6k
  if (data[0] & FUZZ_B_INJECT_INIT_ACK &&
397
11.6k
    data[0] & FUZZ_B_INJECT_COOKIE_ACK &&
398
11.6k
    data[0] & FUZZ_B_SEND_STREAM_RESET) {
399
2.72k
    fuzzer_printf("Sending Stream Reset for all streams\n");
400
401
2.72k
    struct sctp_reset_streams srs;
402
2.72k
    memset(&srs, 0, sizeof(struct sctp_reset_streams));
403
2.72k
    srs.srs_flags = SCTP_STREAM_RESET_INCOMING | SCTP_STREAM_RESET_OUTGOING;
404
2.72k
    result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RESET_STREAMS, &srs, sizeof(struct sctp_reset_streams));
405
2.72k
    FUZZER_ASSERT(result == 0);
406
2.72k
  }
407
408
  // Required: INIT-ACK and COOKIE-ACK
409
11.6k
  if (data[0] & FUZZ_B_INJECT_INIT_ACK &&
410
11.6k
    data[0] & FUZZ_B_INJECT_COOKIE_ACK &&
411
11.6k
    data[0] & FUZZ_B_INJECT_DATA) {
412
413
2.53k
    if (data[0] & FUZZ_B_I_DATA_SUPPORT) {
414
1.50k
      fuzzer_printf("Injecting I-DATA\n");
415
1.50k
      common_header = (struct sctp_common_header*) fuzz_i_data;
416
1.50k
      common_header->verification_tag = assoc_vtag;
417
1.50k
      dump_packet(fuzz_i_data, 232, SCTP_DUMP_INBOUND);
418
1.50k
      usrsctp_conninput((void *)1, fuzz_i_data, 232, 0);
419
1.50k
    } else {
420
1.03k
      fuzzer_printf("Injecting DATA\n");
421
1.03k
      common_header = (struct sctp_common_header*) fuzz_data;
422
1.03k
      common_header->verification_tag = assoc_vtag;
423
1.03k
      dump_packet(fuzz_data, 228, SCTP_DUMP_INBOUND);
424
1.03k
      usrsctp_conninput((void *)1, fuzz_data, 228, 0);
425
1.03k
    }
426
2.53k
  }
427
428
11.6k
  if (data[0] & FUZZ_B_I_DATA_SUPPORT &&
429
11.6k
    data[0] & FUZZ_B_SEND_DATA_FORCE) {
430
4.23k
      const char *sendbuffer = "Geologie ist keine richtige Wissenschaft!";
431
4.23k
      fuzzer_printf("Calling usrsctp_sendv()\n");
432
4.23k
      usrsctp_sendv(socket_client, sendbuffer, strlen(sendbuffer), NULL, 0, NULL, 0, SCTP_SENDV_NOINFO, 0);
433
4.23k
    }
434
  
435
436
11.6k
  fuzz_packet_buffer = malloc(data_size - 1 + COMMON_HEADER_SIZE);
437
11.6k
  memcpy(fuzz_packet_buffer, fuzz_common_header, COMMON_HEADER_SIZE); // common header
438
11.6k
  memcpy(fuzz_packet_buffer + COMMON_HEADER_SIZE, data + 1, data_size - 1);
439
440
11.6k
  common_header = (struct sctp_common_header*) fuzz_packet_buffer;
441
11.6k
  common_header->verification_tag = assoc_vtag;
442
443
11.6k
  fuzzer_printf("Injecting FUZZER-Packet\n");
444
11.6k
  dump_packet(fuzz_packet_buffer, data_size - 1 + COMMON_HEADER_SIZE, SCTP_DUMP_INBOUND);
445
11.6k
  usrsctp_conninput((void *)1, fuzz_packet_buffer, data_size - 1 + COMMON_HEADER_SIZE, 0);
446
447
11.6k
  free(fuzz_packet_buffer);
448
449
11.6k
  fuzzer_printf("Calling usrsctp_close()\n");
450
11.6k
  usrsctp_close(socket_client);
451
452
#ifdef FUZZ_ALWAYS_INITIALIZE
453
  fuzzer_printf("Calling usrsctp_finish()\n");
454
  while (usrsctp_finish() != 0) {}
455
  fuzzer_printf("Done!\n");
456
#endif
457
458
11.6k
  return (0);
459
11.6k
}
460
461
462