/src/usrsctp/fuzzer/fuzzer_connect.c

Source
/*
 * Copyright (C) 2017-2020 Felix Weinrank
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <assert.h>
#include <usrsctp.h>
#include "../programs/programs_helper.h"

//#define FUZZ_ALWAYS_INITIALIZE

//#define FUZZ_VERBOSE
#define FUZZ_INTERLEAVING
#define FUZZ_STREAM_RESET

#define FUZZ_B_INJECT_INIT_ACK        (1 << 0)
#define FUZZ_B_INJECT_COOKIE_ACK      (1 << 1)
#define FUZZ_B_SEND_DATA              (1 << 2)
#define FUZZ_B_SEND_STREAM_RESET      (1 << 3)
#define FUZZ_B_INJECT_DATA            (1 << 4)
#define FUZZ_B_I_DATA_SUPPORT         (1 << 5)
#define FUZZ_B_SEND_DATA_FORCE        (1 << 6)
#define FUZZ_B_RESERVED               (1 << 7)

#define BUFFER_SIZE 4096
#define COMMON_HEADER_SIZE 12

static uint32_t assoc_vtag = 0;

#ifdef FUZZ_VERBOSE
#define fuzzer_printf(...) debug_printf(__VA_ARGS__)
#else
#define fuzzer_printf(...)
#endif

static void
dump_packet(const void *buffer, size_t bufferlen, int inout)
{
#ifdef FUZZ_VERBOSE
  static char *dump_buf;
  if ((dump_buf = usrsctp_dumppacket(buffer, bufferlen, inout)) != NULL) {
    fprintf(stderr, "%s", dump_buf);
    usrsctp_freedumpbuffer(dump_buf);
  }
#endif // FUZZ_VERBOSE
}


static int
conn_output(void *addr, void *buf, size_t length, uint8_t tos, uint8_t set_df)
{
  struct sctp_init_chunk *init_chunk;
  const char *init_chunk_first_bytes = "\x13\x88\x13\x89\x00\x00\x00\x00\x00\x00\x00\x00\x01";
  // Looking for the outgoing VTAG.
  // length >= (COMMON_HEADER_SIZE + 16 (min size of INIT))
  // If the common header has no VTAG (all zero), we're assuming it carries an INIT
  if ((length >= (COMMON_HEADER_SIZE + 16)) && (memcmp(buf, init_chunk_first_bytes, COMMON_HEADER_SIZE) == 0)) {
    init_chunk = (struct sctp_init_chunk*) ((char *)buf + sizeof(struct sctp_common_header));
    fuzzer_printf("Found outgoing INIT, extracting VTAG : %u\n", init_chunk->initiate_tag);
    assoc_vtag = init_chunk->initiate_tag;
  }

  dump_packet(buf, length, SCTP_DUMP_OUTBOUND);
  return (0);
}


static void
handle_upcall(struct socket *sock, void *arg, int flgs)
{
  fuzzer_printf("handle_upcall()\n");
  int events = usrsctp_get_events(sock);

  while (events & SCTP_EVENT_READ) {
    struct sctp_recvv_rn rn;
    ssize_t n;
    struct sockaddr_in addr;
    char *buf = calloc(1, BUFFER_SIZE);
    int flags = 0;
    socklen_t len = (socklen_t)sizeof(struct sockaddr_in);
    unsigned int infotype = 0;
    socklen_t infolen = sizeof(struct sctp_recvv_rn);
    memset(&rn, 0, sizeof(struct sctp_recvv_rn));
    n = usrsctp_recvv(sock, buf, BUFFER_SIZE, (struct sockaddr *) &addr, &len, (void *)&rn, &infolen, &infotype, &flags);
    fuzzer_printf("usrsctp_recvv() - returned %zd\n", n);

    if (flags & MSG_NOTIFICATION) {
      fuzzer_printf("NOTIFICATION received\n");
#ifdef FUZZ_VERBOSE
      handle_notification((union sctp_notification *)buf, n);
#endif // FUZZ_VERBOSE
    } else {
      fuzzer_printf("DATA received\n");
    }

    free(buf);

    if (n <= 0) {
      break;
    }

    events = usrsctp_get_events(sock);
  }
}


int
initialize_fuzzer(void) {
#ifdef FUZZ_VERBOSE
  usrsctp_init(0, conn_output, debug_printf_stack);
#else // FUZZ_VERBOSE
  usrsctp_init(0, conn_output, NULL);
#endif // FUZZ_VERBOSE

  usrsctp_enable_crc32c_offload();

#ifdef SCTP_DEBUG
  usrsctp_sysctl_set_sctp_debug_on(SCTP_DEBUG_ALL);
#endif // SCTP_DEBUG

  usrsctp_register_address((void *)1);
  usrsctp_sysctl_set_sctp_pktdrop_enable(1);
  usrsctp_sysctl_set_sctp_nrsack_enable(1);

  fuzzer_printf("usrsctp initialized\n");
  return (1);
}


int
LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
{
  static int initialized;
  char *fuzz_packet_buffer;
  struct sockaddr_conn sconn;
  struct socket *socket_client;
  struct linger so_linger;
  struct sctp_event event;
  unsigned long i;
  struct sctp_common_header* common_header;
  uint16_t event_types[] = {
    SCTP_ASSOC_CHANGE,
    SCTP_PEER_ADDR_CHANGE,
    SCTP_REMOTE_ERROR,
    SCTP_SEND_FAILED,
    SCTP_SHUTDOWN_EVENT,
    SCTP_ADAPTATION_INDICATION,
    SCTP_PARTIAL_DELIVERY_EVENT,
    SCTP_AUTHENTICATION_EVENT,
    SCTP_STREAM_RESET_EVENT,
    SCTP_SENDER_DRY_EVENT,
    SCTP_ASSOC_RESET_EVENT,
    SCTP_STREAM_CHANGE_EVENT,
    SCTP_SEND_FAILED_EVENT
  };
  int optval;
  int result;
  struct sctp_initmsg initmsg;
#if defined(FUZZ_STREAM_RESET) || defined(FUZZ_INTERLEAVING)
  struct sctp_assoc_value assoc_val;
#endif // defined(FUZZ_STREAM_RESET) || defined(FUZZ_INTERLEAVING)

  // WITH COMMON HEADER!
  char fuzz_init_ack[] = "\x13\x89\x13\x88\x49\xa4\xac\xb2\x00\x00\x00\x00\x02\x00\x01\xb4" \
    "\x2b\xe8\x47\x40\x00\x1c\x71\xc7\xff\xff\xff\xff\xed\x69\x58\xec" \
    "\xc0\x06\x00\x08\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04" \
    "\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
    "\x40\x39\xcf\x32\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6" \
    "\x2f\xb7\x81\x96\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa" \
    "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
    "\x00\x07\x01\x50\x4b\x41\x4d\x45\x2d\x42\x53\x44\x20\x31\x2e\x31" \
    "\x00\x00\x00\x00\x64\xdb\x63\x00\x00\x00\x00\x00\xc9\x76\x03\x00" \
    "\x00\x00\x00\x00\x60\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
    "\xb2\xac\xa4\x49\x2b\xe8\x47\x40\xd4\xc9\x79\x52\x00\x00\x00\x00" \
    "\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\xd4\xc9\x79\x53" \
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00" \
    "\x00\x00\x00\x00\x5a\x76\x13\x89\x01\x00\x00\x00\x00\x00\x00\x00" \
    "\x00\x00\x00\x00\x01\x00\x00\x62\x49\xa4\xac\xb2\x00\x1c\x71\xc7" \
    "\x00\x01\xff\xff\x82\xe6\xc8\x44\x80\x00\x00\x04\xc0\x00\x00\x04" \
    "\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
    "\xb6\xbb\xb5\x7f\xbb\x4b\x0e\xb5\x42\xf6\x75\x18\x4f\x79\x0f\x24" \
    "\x1c\x44\x0b\xd6\x62\xa9\x84\xe7\x2c\x3c\x7f\xad\x1b\x67\x81\x57" \
    "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
    "\x00\x0c\x00\x06\x00\x05\x00\x00\x02\x00\x01\xb4\x2b\xe8\x47\x40" \
    "\x00\x1c\x71\xc7\x00\x01\xff\xff\xed\x69\x58\xec\xc0\x06\x00\x08" \
    "\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04\x80\x08\x00\x0b" \
    "\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24\x40\x39\xcf\x32" \
    "\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6\x2f\xb7\x81\x96" \
    "\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa\x80\x04\x00\x08" \
    "\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00\x81\xe1\x1e\x81" \
    "\xea\x41\xeb\xf0\x12\xd9\x74\xbe\x13\xfd\x4b\x6c\x5c\xa2\x8f\x00";

  // WITH COMMON HEADER!
  char fuzz_cookie_ack[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00\x0b\x00\x00\x04";

  // WITH COMMON HEADER!
  char fuzz_i_data[] = "\x13\x89\x13\x88\x07\x01\x6c\xd3\x00\x00\x00\x00\x40\x03" \
    "\x00\xdc\x2d\x2b\x46\xd4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
    "\x00\x27\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";

  // WITH COMMON HEADER!
  char fuzz_data[] = "\x13\x89\x13\x88\x27\xc4\xbf\xdf\x00\x00\x00\x00\x00\x03" \
    "\x00\xd8\x79\x64\xb7\xc1\x00\x00\x00\x00\x00\x00\x00\x27\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
    "\x41\x41\x41\x41\x41\x41";


  char fuzz_common_header[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00";

  fuzzer_printf("LLVMFuzzerTestOneInput()\n");

#ifdef FUZZ_ALWAYS_INITIALIZE
  initialize_fuzzer();
#else
  if (!initialized) {
    initialized = initialize_fuzzer();
  }
#endif

  if (data_size < 5 || data_size > 65535) {
    // Skip too small and too large packets
    fuzzer_printf("data_size %zu makes no sense, skipping\n", data_size);
    return (0);
  }

  socket_client = usrsctp_socket(AF_CONN, SOCK_STREAM, IPPROTO_SCTP, NULL, NULL, 0, 0);
  FUZZER_ASSERT(socket_client != NULL);

  usrsctp_set_non_blocking(socket_client, 1);

  // all max!
  memset(&initmsg, 1, sizeof(struct sctp_initmsg));
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INITMSG, &initmsg, sizeof(struct sctp_initmsg));
  FUZZER_ASSERT(result == 0);

  so_linger.l_onoff = 1;
  so_linger.l_linger = 0;
  result = usrsctp_setsockopt(socket_client, SOL_SOCKET, SO_LINGER, &so_linger, sizeof(struct linger));
  FUZZER_ASSERT(result == 0);

  memset(&event, 0, sizeof(event));
  event.se_on = 1;
  for (i = 0; i < (sizeof(event_types) / sizeof(uint16_t)); i++) {
    event.se_type = event_types[i];
    result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(event));
    FUZZER_ASSERT(result == 0);
  }

  optval = 1;
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVRCVINFO, &optval, sizeof(optval));
  FUZZER_ASSERT(result == 0);

  optval = 1;
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVNXTINFO, &optval, sizeof(optval));
  FUZZER_ASSERT(result == 0);

#if defined(FUZZ_STREAM_RESET)
  assoc_val.assoc_id = SCTP_ALL_ASSOC;
  assoc_val.assoc_value = SCTP_ENABLE_RESET_STREAM_REQ | SCTP_ENABLE_RESET_ASSOC_REQ | SCTP_ENABLE_CHANGE_ASSOC_REQ;
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_ENABLE_STREAM_RESET, &assoc_val, sizeof(struct sctp_assoc_value));
  FUZZER_ASSERT(result == 0);
#endif // defined(FUZZ_STREAM_RESET)

#if defined(FUZZ_INTERLEAVING)
#if !defined(SCTP_INTERLEAVING_SUPPORTED)
#define SCTP_INTERLEAVING_SUPPORTED 0x00001206
#endif // !defined(SCTP_INTERLEAVING_SUPPORTED)

  if (data[0] & FUZZ_B_I_DATA_SUPPORT) {
    optval = 2;
    result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_FRAGMENT_INTERLEAVE, &optval, sizeof(optval));
    FUZZER_ASSERT(result == 0);

    memset(&assoc_val, 0, sizeof(assoc_val));
    assoc_val.assoc_value = 1;
    result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INTERLEAVING_SUPPORTED, &assoc_val, sizeof(assoc_val));
    FUZZER_ASSERT(result == 0);
  }
#endif // defined(FUZZ_INTERLEAVING)

  optval = 1;
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_REUSE_PORT, &optval, sizeof(optval));
  FUZZER_ASSERT(result == 0);

  memset(&sconn, 0, sizeof(struct sockaddr_conn));
  sconn.sconn_family = AF_CONN;
#ifdef HAVE_SCONN_LEN
  sconn.sconn_len = sizeof(struct sockaddr_conn);
#endif // HAVE_SCONN_LEN
  sconn.sconn_port = htons(5000);
  sconn.sconn_addr = (void *)1;

  result = usrsctp_bind(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn));
  FUZZER_ASSERT(result == 0);

  // Disable Nagle.
  optval = 1;
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_NODELAY, &optval, sizeof(optval));
  FUZZER_ASSERT(result == 0);

  usrsctp_set_upcall(socket_client, handle_upcall, NULL);

  memset(&sconn, 0, sizeof(struct sockaddr_conn));
  sconn.sconn_family = AF_CONN;
#ifdef HAVE_SCONN_LEN
  sconn.sconn_len = sizeof(struct sockaddr_conn);
#endif // HAVE_SCONN_LEN
  sconn.sconn_port = htons(5001);
  sconn.sconn_addr = (void *)1;

  fuzzer_printf("Calling usrsctp_connect()\n");
  result = usrsctp_connect(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn));
  FUZZER_ASSERT(result == 0 || errno == EINPROGRESS);

  if (data[0] & FUZZ_B_INJECT_INIT_ACK) {
    fuzzer_printf("Injecting INIT-ACK\n");

    common_header = (struct sctp_common_header*) fuzz_init_ack;
    common_header->verification_tag = assoc_vtag;

    dump_packet(fuzz_init_ack, 448, SCTP_DUMP_INBOUND);
    usrsctp_conninput((void *)1, fuzz_init_ack, 448, 0);
  }

  if (data[0] & FUZZ_B_INJECT_COOKIE_ACK) {
    fuzzer_printf("Injecting COOKIE-ACK\n");

    common_header = (struct sctp_common_header*) fuzz_cookie_ack;
    common_header->verification_tag = assoc_vtag;

    dump_packet(fuzz_cookie_ack, 16, SCTP_DUMP_INBOUND);
    usrsctp_conninput((void *)1, fuzz_cookie_ack, 16, 0);
  }

  if (data[0] & FUZZ_B_INJECT_INIT_ACK &&
    data[0] & FUZZ_B_INJECT_COOKIE_ACK &&
    data[0] & FUZZ_B_SEND_DATA) {
    const char *sendbuffer = "Geologie ist keine richtige Wissenschaft!";
    fuzzer_printf("Calling usrsctp_sendv()\n");
    usrsctp_sendv(socket_client, sendbuffer, strlen(sendbuffer), NULL, 0, NULL, 0, SCTP_SENDV_NOINFO, 0);
  }

  // Required: INIT-ACK and COOKIE-ACK
  if (data[0] & FUZZ_B_INJECT_INIT_ACK &&
    data[0] & FUZZ_B_INJECT_COOKIE_ACK &&
    data[0] & FUZZ_B_SEND_STREAM_RESET) {
    fuzzer_printf("Sending Stream Reset for all streams\n");

    struct sctp_reset_streams srs;
    memset(&srs, 0, sizeof(struct sctp_reset_streams));
    srs.srs_flags = SCTP_STREAM_RESET_INCOMING | SCTP_STREAM_RESET_OUTGOING;
    result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RESET_STREAMS, &srs, sizeof(struct sctp_reset_streams));
    FUZZER_ASSERT(result == 0);
  }

  // Required: INIT-ACK and COOKIE-ACK
  if (data[0] & FUZZ_B_INJECT_INIT_ACK &&
    data[0] & FUZZ_B_INJECT_COOKIE_ACK &&
    data[0] & FUZZ_B_INJECT_DATA) {

    if (data[0] & FUZZ_B_I_DATA_SUPPORT) {
      fuzzer_printf("Injecting I-DATA\n");
      common_header = (struct sctp_common_header*) fuzz_i_data;
      common_header->verification_tag = assoc_vtag;
      dump_packet(fuzz_i_data, 232, SCTP_DUMP_INBOUND);
      usrsctp_conninput((void *)1, fuzz_i_data, 232, 0);
    } else {
      fuzzer_printf("Injecting DATA\n");
      common_header = (struct sctp_common_header*) fuzz_data;
      common_header->verification_tag = assoc_vtag;
      dump_packet(fuzz_data, 228, SCTP_DUMP_INBOUND);
      usrsctp_conninput((void *)1, fuzz_data, 228, 0);
    }
  }

  if (data[0] & FUZZ_B_I_DATA_SUPPORT &&
    data[0] & FUZZ_B_SEND_DATA_FORCE) {
      const char *sendbuffer = "Geologie ist keine richtige Wissenschaft!";
      fuzzer_printf("Calling usrsctp_sendv()\n");
      usrsctp_sendv(socket_client, sendbuffer, strlen(sendbuffer), NULL, 0, NULL, 0, SCTP_SENDV_NOINFO, 0);
    }
  

  fuzz_packet_buffer = malloc(data_size - 1 + COMMON_HEADER_SIZE);
  memcpy(fuzz_packet_buffer, fuzz_common_header, COMMON_HEADER_SIZE); // common header
  memcpy(fuzz_packet_buffer + COMMON_HEADER_SIZE, data + 1, data_size - 1);

  common_header = (struct sctp_common_header*) fuzz_packet_buffer;
  common_header->verification_tag = assoc_vtag;

  fuzzer_printf("Injecting FUZZER-Packet\n");
  dump_packet(fuzz_packet_buffer, data_size - 1 + COMMON_HEADER_SIZE, SCTP_DUMP_INBOUND);
  usrsctp_conninput((void *)1, fuzz_packet_buffer, data_size - 1 + COMMON_HEADER_SIZE, 0);

  free(fuzz_packet_buffer);

  fuzzer_printf("Calling usrsctp_close()\n");
  usrsctp_close(socket_client);

#ifdef FUZZ_ALWAYS_INITIALIZE
  fuzzer_printf("Calling usrsctp_finish()\n");
  while (usrsctp_finish() != 0) {}
  fuzzer_printf("Done!\n");
#endif

  return (0);
}




Coverage Report

Created: 2025-08-28 06:37

Line	Count	Source
1		/*
2		* Copyright (C) 2017-2020 Felix Weinrank
3		*
4		* All rights reserved.
5		*
6		* Redistribution and use in source and binary forms, with or without
7		* modification, are permitted provided that the following conditions
8		* are met:
9		* 1. Redistributions of source code must retain the above copyright
10		* notice, this list of conditions and the following disclaimer.
11		* 2. Redistributions in binary form must reproduce the above copyright
12		* notice, this list of conditions and the following disclaimer in the
13		* documentation and/or other materials provided with the distribution.
14		* 3. Neither the name of the project nor the names of its contributors
15		* may be used to endorse or promote products derived from this software
16		* without specific prior written permission.
17		*
18		* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
19		* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21		* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
22		* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23		* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24		* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25		* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26		* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27		* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28		* SUCH DAMAGE.
29		*/
30
31		#include <stdio.h>
32		#include <stdlib.h>
33		#include <string.h>
34		#include <stdarg.h>
35		#include <assert.h>
36		#include <usrsctp.h>
37		#include "../programs/programs_helper.h"
38
39		//#define FUZZ_ALWAYS_INITIALIZE
40
41		//#define FUZZ_VERBOSE
42		#define FUZZ_INTERLEAVING
43		#define FUZZ_STREAM_RESET
44
45	69.1k	#define FUZZ_B_INJECT_INIT_ACK (1 << 0)
46	61.1k	#define FUZZ_B_INJECT_COOKIE_ACK (1 << 1)
47	3.29k	#define FUZZ_B_SEND_DATA (1 << 2)
48	3.29k	#define FUZZ_B_SEND_STREAM_RESET (1 << 3)
49	3.29k	#define FUZZ_B_INJECT_DATA (1 << 4)
50	31.3k	#define FUZZ_B_I_DATA_SUPPORT (1 << 5)
51	5.45k	#define FUZZ_B_SEND_DATA_FORCE (1 << 6)
52		#define FUZZ_B_RESERVED (1 << 7)
53
54	1.00M	#define BUFFER_SIZE 4096
55	146k	#define COMMON_HEADER_SIZE 12
56
57		static uint32_t assoc_vtag = 0;
58
59		#ifdef FUZZ_VERBOSE
60		#define fuzzer_printf(...) debug_printf(__VA_ARGS__)
61		#else
62		#define fuzzer_printf(...)
63		#endif
64
65		static void
66		dump_packet(const void *buffer, size_t bufferlen, int inout)
67	75.8k	{
68		#ifdef FUZZ_VERBOSE
69		static char *dump_buf;
70		if ((dump_buf = usrsctp_dumppacket(buffer, bufferlen, inout)) != NULL) {
71		fprintf(stderr, "%s", dump_buf);
72		usrsctp_freedumpbuffer(dump_buf);
73		}
74		#endif // FUZZ_VERBOSE
75	75.8k	}
76
77
78		static int
79		conn_output(void addr, void buf, size_t length, uint8_t tos, uint8_t set_df)
80	52.5k	{
81	52.5k	struct sctp_init_chunk *init_chunk;
82	52.5k	const char *init_chunk_first_bytes = "\x13\x88\x13\x89\x00\x00\x00\x00\x00\x00\x00\x00\x01";
83		// Looking for the outgoing VTAG.
84		// length >= (COMMON_HEADER_SIZE + 16 (min size of INIT))
85		// If the common header has no VTAG (all zero), we're assuming it carries an INIT
86	52.5k	if ((length >= (COMMON_HEADER_SIZE + 16)) && (memcmp(buf, init_chunk_first_bytes, COMMON_HEADER_SIZE) == 0)) {
87	24.0k	init_chunk = (struct sctp_init_chunk) ((char )buf + sizeof(struct sctp_common_header));
88	24.0k	fuzzer_printf("Found outgoing INIT, extracting VTAG : %u\n", init_chunk->initiate_tag);
89	24.0k	assoc_vtag = init_chunk->initiate_tag;
90	24.0k	}
91
92	52.5k	dump_packet(buf, length, SCTP_DUMP_OUTBOUND);
93	52.5k	return (0);
94	52.5k	}
95
96
97		static void
98		handle_upcall(struct socket sock, void arg, int flgs)
99	12.1k	{
100	12.1k	fuzzer_printf("handle_upcall()\n");
101	12.1k	int events = usrsctp_get_events(sock);
102
103	514k	while (events & SCTP_EVENT_READ) {
104	504k	struct sctp_recvv_rn rn;
105	504k	ssize_t n;
106	504k	struct sockaddr_in addr;
107	504k	char *buf = calloc(1, BUFFER_SIZE);
108	504k	int flags = 0;
109	504k	socklen_t len = (socklen_t)sizeof(struct sockaddr_in);
110	504k	unsigned int infotype = 0;
111	504k	socklen_t infolen = sizeof(struct sctp_recvv_rn);
112	504k	memset(&rn, 0, sizeof(struct sctp_recvv_rn));
113	504k	n = usrsctp_recvv(sock, buf, BUFFER_SIZE, (struct sockaddr ) &addr, &len, (void )&rn, &infolen, &infotype, &flags);
114	504k	fuzzer_printf("usrsctp_recvv() - returned %zd\n", n);
115
116	504k	if (flags & MSG_NOTIFICATION) {
117	501k	fuzzer_printf("NOTIFICATION received\n");
118		#ifdef FUZZ_VERBOSE
119		handle_notification((union sctp_notification *)buf, n);
120		#endif // FUZZ_VERBOSE
121	501k	} else {
122	2.64k	fuzzer_printf("DATA received\n");
123	2.64k	}
124
125	504k	free(buf);
126
127	504k	if (n <= 0) {
128	1.57k	break;
129	1.57k	}
130
131	502k	events = usrsctp_get_events(sock);
132	502k	}
133	12.1k	}
134
135
136		int
137	1	initialize_fuzzer(void) {
138		#ifdef FUZZ_VERBOSE
139		usrsctp_init(0, conn_output, debug_printf_stack);
140		#else // FUZZ_VERBOSE
141	1	usrsctp_init(0, conn_output, NULL);
142	1	#endif // FUZZ_VERBOSE
143
144	1	usrsctp_enable_crc32c_offload();
145
146		#ifdef SCTP_DEBUG
147		usrsctp_sysctl_set_sctp_debug_on(SCTP_DEBUG_ALL);
148		#endif // SCTP_DEBUG
149
150	1	usrsctp_register_address((void *)1);
151	1	usrsctp_sysctl_set_sctp_pktdrop_enable(1);
152	1	usrsctp_sysctl_set_sctp_nrsack_enable(1);
153
154	1	fuzzer_printf("usrsctp initialized\n");
155	1	return (1);
156	1	}
157
158
159		int
160		LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
161	9.88k	{
162	9.88k	static int initialized;
163	9.88k	char *fuzz_packet_buffer;
164	9.88k	struct sockaddr_conn sconn;
165	9.88k	struct socket *socket_client;
166	9.88k	struct linger so_linger;
167	9.88k	struct sctp_event event;
168	9.88k	unsigned long i;
169	9.88k	struct sctp_common_header* common_header;
170	9.88k	uint16_t event_types[] = {
171	9.88k	SCTP_ASSOC_CHANGE,
172	9.88k	SCTP_PEER_ADDR_CHANGE,
173	9.88k	SCTP_REMOTE_ERROR,
174	9.88k	SCTP_SEND_FAILED,
175	9.88k	SCTP_SHUTDOWN_EVENT,
176	9.88k	SCTP_ADAPTATION_INDICATION,
177	9.88k	SCTP_PARTIAL_DELIVERY_EVENT,
178	9.88k	SCTP_AUTHENTICATION_EVENT,
179	9.88k	SCTP_STREAM_RESET_EVENT,
180	9.88k	SCTP_SENDER_DRY_EVENT,
181	9.88k	SCTP_ASSOC_RESET_EVENT,
182	9.88k	SCTP_STREAM_CHANGE_EVENT,
183	9.88k	SCTP_SEND_FAILED_EVENT
184	9.88k	};
185	9.88k	int optval;
186	9.88k	int result;
187	9.88k	struct sctp_initmsg initmsg;
188	9.88k	#if defined(FUZZ_STREAM_RESET) \|\| defined(FUZZ_INTERLEAVING)
189	9.88k	struct sctp_assoc_value assoc_val;
190	9.88k	#endif // defined(FUZZ_STREAM_RESET) \|\| defined(FUZZ_INTERLEAVING)
191
192		// WITH COMMON HEADER!
193	9.88k	char fuzz_init_ack[] = "\x13\x89\x13\x88\x49\xa4\xac\xb2\x00\x00\x00\x00\x02\x00\x01\xb4" \
194	9.88k	"\x2b\xe8\x47\x40\x00\x1c\x71\xc7\xff\xff\xff\xff\xed\x69\x58\xec" \
195	9.88k	"\xc0\x06\x00\x08\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04" \
196	9.88k	"\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
197	9.88k	"\x40\x39\xcf\x32\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6" \
198	9.88k	"\x2f\xb7\x81\x96\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa" \
199	9.88k	"\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
200	9.88k	"\x00\x07\x01\x50\x4b\x41\x4d\x45\x2d\x42\x53\x44\x20\x31\x2e\x31" \
201	9.88k	"\x00\x00\x00\x00\x64\xdb\x63\x00\x00\x00\x00\x00\xc9\x76\x03\x00" \
202	9.88k	"\x00\x00\x00\x00\x60\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
203	9.88k	"\xb2\xac\xa4\x49\x2b\xe8\x47\x40\xd4\xc9\x79\x52\x00\x00\x00\x00" \
204	9.88k	"\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\xd4\xc9\x79\x53" \
205	9.88k	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00" \
206	9.88k	"\x00\x00\x00\x00\x5a\x76\x13\x89\x01\x00\x00\x00\x00\x00\x00\x00" \
207	9.88k	"\x00\x00\x00\x00\x01\x00\x00\x62\x49\xa4\xac\xb2\x00\x1c\x71\xc7" \
208	9.88k	"\x00\x01\xff\xff\x82\xe6\xc8\x44\x80\x00\x00\x04\xc0\x00\x00\x04" \
209	9.88k	"\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
210	9.88k	"\xb6\xbb\xb5\x7f\xbb\x4b\x0e\xb5\x42\xf6\x75\x18\x4f\x79\x0f\x24" \
211	9.88k	"\x1c\x44\x0b\xd6\x62\xa9\x84\xe7\x2c\x3c\x7f\xad\x1b\x67\x81\x57" \
212	9.88k	"\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
213	9.88k	"\x00\x0c\x00\x06\x00\x05\x00\x00\x02\x00\x01\xb4\x2b\xe8\x47\x40" \
214	9.88k	"\x00\x1c\x71\xc7\x00\x01\xff\xff\xed\x69\x58\xec\xc0\x06\x00\x08" \
215	9.88k	"\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04\x80\x08\x00\x0b" \
216	9.88k	"\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24\x40\x39\xcf\x32" \
217	9.88k	"\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6\x2f\xb7\x81\x96" \
218	9.88k	"\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa\x80\x04\x00\x08" \
219	9.88k	"\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00\x81\xe1\x1e\x81" \
220	9.88k	"\xea\x41\xeb\xf0\x12\xd9\x74\xbe\x13\xfd\x4b\x6c\x5c\xa2\x8f\x00";
221
222		// WITH COMMON HEADER!
223	9.88k	char fuzz_cookie_ack[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00\x0b\x00\x00\x04";
224
225		// WITH COMMON HEADER!
226	9.88k	char fuzz_i_data[] = "\x13\x89\x13\x88\x07\x01\x6c\xd3\x00\x00\x00\x00\x40\x03" \
227	9.88k	"\x00\xdc\x2d\x2b\x46\xd4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
228	9.88k	"\x00\x27\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
229	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
230	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
231	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
232	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
233	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
234	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
235	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
236	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
237	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
238	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
239	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
240	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
241
242		// WITH COMMON HEADER!
243	9.88k	char fuzz_data[] = "\x13\x89\x13\x88\x27\xc4\xbf\xdf\x00\x00\x00\x00\x00\x03" \
244	9.88k	"\x00\xd8\x79\x64\xb7\xc1\x00\x00\x00\x00\x00\x00\x00\x27\x41\x41" \
245	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
246	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
247	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
248	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
249	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
250	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
251	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
252	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
253	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
254	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
255	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
256	9.88k	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
257	9.88k	"\x41\x41\x41\x41\x41\x41";
258
259
260	9.88k	char fuzz_common_header[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00";
261
262	9.88k	fuzzer_printf("LLVMFuzzerTestOneInput()\n");
263
264		#ifdef FUZZ_ALWAYS_INITIALIZE
265		initialize_fuzzer();
266		#else
267	9.88k	if (!initialized) {
268	1	initialized = initialize_fuzzer();
269	1	}
270	9.88k	#endif
271
272	9.88k	if (data_size < 5 \|\| data_size > 65535) {
273		// Skip too small and too large packets
274	7	fuzzer_printf("data_size %zu makes no sense, skipping\n", data_size);
275	7	return (0);
276	7	}
277
278	9.87k	socket_client = usrsctp_socket(AF_CONN, SOCK_STREAM, IPPROTO_SCTP, NULL, NULL, 0, 0);
279	9.87k	FUZZER_ASSERT(socket_client != NULL);
280
281	9.87k	usrsctp_set_non_blocking(socket_client, 1);
282
283		// all max!
284	9.87k	memset(&initmsg, 1, sizeof(struct sctp_initmsg));
285	9.87k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INITMSG, &initmsg, sizeof(struct sctp_initmsg));
286	9.87k	FUZZER_ASSERT(result == 0);
287
288	9.87k	so_linger.l_onoff = 1;
289	9.87k	so_linger.l_linger = 0;
290	9.87k	result = usrsctp_setsockopt(socket_client, SOL_SOCKET, SO_LINGER, &so_linger, sizeof(struct linger));
291	9.87k	FUZZER_ASSERT(result == 0);
292
293	9.87k	memset(&event, 0, sizeof(event));
294	9.87k	event.se_on = 1;
295	138k	for (i = 0; i < (sizeof(event_types) / sizeof(uint16_t)); i++) {
296	128k	event.se_type = event_types[i];
297	128k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(event));
298	128k	FUZZER_ASSERT(result == 0);
299	128k	}
300
301	9.87k	optval = 1;
302	9.87k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVRCVINFO, &optval, sizeof(optval));
303	9.87k	FUZZER_ASSERT(result == 0);
304
305	9.87k	optval = 1;
306	9.87k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVNXTINFO, &optval, sizeof(optval));
307	9.87k	FUZZER_ASSERT(result == 0);
308
309	9.87k	#if defined(FUZZ_STREAM_RESET)
310	9.87k	assoc_val.assoc_id = SCTP_ALL_ASSOC;
311	9.87k	assoc_val.assoc_value = SCTP_ENABLE_RESET_STREAM_REQ \| SCTP_ENABLE_RESET_ASSOC_REQ \| SCTP_ENABLE_CHANGE_ASSOC_REQ;
312	9.87k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_ENABLE_STREAM_RESET, &assoc_val, sizeof(struct sctp_assoc_value));
313	9.87k	FUZZER_ASSERT(result == 0);
314	9.87k	#endif // defined(FUZZ_STREAM_RESET)
315
316	9.87k	#if defined(FUZZ_INTERLEAVING)
317	9.87k	#if !defined(SCTP_INTERLEAVING_SUPPORTED)
318	9.87k	#define SCTP_INTERLEAVING_SUPPORTED 0x00001206
319	9.87k	#endif // !defined(SCTP_INTERLEAVING_SUPPORTED)
320
321	9.87k	if (data[0] & FUZZ_B_I_DATA_SUPPORT) {
322	5.45k	optval = 2;
323	5.45k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_FRAGMENT_INTERLEAVE, &optval, sizeof(optval));
324	5.45k	FUZZER_ASSERT(result == 0);
325
326	5.45k	memset(&assoc_val, 0, sizeof(assoc_val));
327	5.45k	assoc_val.assoc_value = 1;
328	5.45k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INTERLEAVING_SUPPORTED, &assoc_val, sizeof(assoc_val));
329	5.45k	FUZZER_ASSERT(result == 0);
330	5.45k	}
331	9.87k	#endif // defined(FUZZ_INTERLEAVING)
332
333	9.87k	optval = 1;
334	9.87k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_REUSE_PORT, &optval, sizeof(optval));
335	9.87k	FUZZER_ASSERT(result == 0);
336
337	9.87k	memset(&sconn, 0, sizeof(struct sockaddr_conn));
338	9.87k	sconn.sconn_family = AF_CONN;
339		#ifdef HAVE_SCONN_LEN
340		sconn.sconn_len = sizeof(struct sockaddr_conn);
341		#endif // HAVE_SCONN_LEN
342	9.87k	sconn.sconn_port = htons(5000);
343	9.87k	sconn.sconn_addr = (void *)1;
344
345	9.87k	result = usrsctp_bind(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn));
346	9.87k	FUZZER_ASSERT(result == 0);
347
348		// Disable Nagle.
349	9.87k	optval = 1;
350	9.87k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_NODELAY, &optval, sizeof(optval));
351	9.87k	FUZZER_ASSERT(result == 0);
352
353	9.87k	usrsctp_set_upcall(socket_client, handle_upcall, NULL);
354
355	9.87k	memset(&sconn, 0, sizeof(struct sockaddr_conn));
356	9.87k	sconn.sconn_family = AF_CONN;
357		#ifdef HAVE_SCONN_LEN
358		sconn.sconn_len = sizeof(struct sockaddr_conn);
359		#endif // HAVE_SCONN_LEN
360	9.87k	sconn.sconn_port = htons(5001);
361	9.87k	sconn.sconn_addr = (void *)1;
362
363	9.87k	fuzzer_printf("Calling usrsctp_connect()\n");
364	9.87k	result = usrsctp_connect(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn));
365	9.87k	FUZZER_ASSERT(result == 0 \|\| errno == EINPROGRESS);
366
367	9.87k	if (data[0] & FUZZ_B_INJECT_INIT_ACK) {
368	7.22k	fuzzer_printf("Injecting INIT-ACK\n");
369
370	7.22k	common_header = (struct sctp_common_header*) fuzz_init_ack;
371	7.22k	common_header->verification_tag = assoc_vtag;
372
373	7.22k	dump_packet(fuzz_init_ack, 448, SCTP_DUMP_INBOUND);
374	7.22k	usrsctp_conninput((void *)1, fuzz_init_ack, 448, 0);
375	7.22k	}
376
377	9.87k	if (data[0] & FUZZ_B_INJECT_COOKIE_ACK) {
378	4.52k	fuzzer_printf("Injecting COOKIE-ACK\n");
379
380	4.52k	common_header = (struct sctp_common_header*) fuzz_cookie_ack;
381	4.52k	common_header->verification_tag = assoc_vtag;
382
383	4.52k	dump_packet(fuzz_cookie_ack, 16, SCTP_DUMP_INBOUND);
384	4.52k	usrsctp_conninput((void *)1, fuzz_cookie_ack, 16, 0);
385	4.52k	}
386
387	9.87k	if (data[0] & FUZZ_B_INJECT_INIT_ACK &&
388	9.87k	data[0] & FUZZ_B_INJECT_COOKIE_ACK &&
389	9.87k	data[0] & FUZZ_B_SEND_DATA) {
390	2.11k	const char *sendbuffer = "Geologie ist keine richtige Wissenschaft!";
391	2.11k	fuzzer_printf("Calling usrsctp_sendv()\n");
392	2.11k	usrsctp_sendv(socket_client, sendbuffer, strlen(sendbuffer), NULL, 0, NULL, 0, SCTP_SENDV_NOINFO, 0);
393	2.11k	}
394
395		// Required: INIT-ACK and COOKIE-ACK
396	9.87k	if (data[0] & FUZZ_B_INJECT_INIT_ACK &&
397	9.87k	data[0] & FUZZ_B_INJECT_COOKIE_ACK &&
398	9.87k	data[0] & FUZZ_B_SEND_STREAM_RESET) {
399	2.19k	fuzzer_printf("Sending Stream Reset for all streams\n");
400
401	2.19k	struct sctp_reset_streams srs;
402	2.19k	memset(&srs, 0, sizeof(struct sctp_reset_streams));
403	2.19k	srs.srs_flags = SCTP_STREAM_RESET_INCOMING \| SCTP_STREAM_RESET_OUTGOING;
404	2.19k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RESET_STREAMS, &srs, sizeof(struct sctp_reset_streams));
405	2.19k	FUZZER_ASSERT(result == 0);
406	2.19k	}
407
408		// Required: INIT-ACK and COOKIE-ACK
409	9.87k	if (data[0] & FUZZ_B_INJECT_INIT_ACK &&
410	9.87k	data[0] & FUZZ_B_INJECT_COOKIE_ACK &&
411	9.87k	data[0] & FUZZ_B_INJECT_DATA) {
412
413	1.74k	if (data[0] & FUZZ_B_I_DATA_SUPPORT) {
414	780	fuzzer_printf("Injecting I-DATA\n");
415	780	common_header = (struct sctp_common_header*) fuzz_i_data;
416	780	common_header->verification_tag = assoc_vtag;
417	780	dump_packet(fuzz_i_data, 232, SCTP_DUMP_INBOUND);
418	780	usrsctp_conninput((void *)1, fuzz_i_data, 232, 0);
419	961	} else {
420	961	fuzzer_printf("Injecting DATA\n");
421	961	common_header = (struct sctp_common_header*) fuzz_data;
422	961	common_header->verification_tag = assoc_vtag;
423	961	dump_packet(fuzz_data, 228, SCTP_DUMP_INBOUND);
424	961	usrsctp_conninput((void *)1, fuzz_data, 228, 0);
425	961	}
426	1.74k	}
427
428	9.87k	if (data[0] & FUZZ_B_I_DATA_SUPPORT &&
429	9.87k	data[0] & FUZZ_B_SEND_DATA_FORCE) {
430	4.04k	const char *sendbuffer = "Geologie ist keine richtige Wissenschaft!";
431	4.04k	fuzzer_printf("Calling usrsctp_sendv()\n");
432	4.04k	usrsctp_sendv(socket_client, sendbuffer, strlen(sendbuffer), NULL, 0, NULL, 0, SCTP_SENDV_NOINFO, 0);
433	4.04k	}
434
435
436	9.87k	fuzz_packet_buffer = malloc(data_size - 1 + COMMON_HEADER_SIZE);
437	9.87k	memcpy(fuzz_packet_buffer, fuzz_common_header, COMMON_HEADER_SIZE); // common header
438	9.87k	memcpy(fuzz_packet_buffer + COMMON_HEADER_SIZE, data + 1, data_size - 1);
439
440	9.87k	common_header = (struct sctp_common_header*) fuzz_packet_buffer;
441	9.87k	common_header->verification_tag = assoc_vtag;
442
443	9.87k	fuzzer_printf("Injecting FUZZER-Packet\n");
444	9.87k	dump_packet(fuzz_packet_buffer, data_size - 1 + COMMON_HEADER_SIZE, SCTP_DUMP_INBOUND);
445	9.87k	usrsctp_conninput((void *)1, fuzz_packet_buffer, data_size - 1 + COMMON_HEADER_SIZE, 0);
446
447	9.87k	free(fuzz_packet_buffer);
448
449	9.87k	fuzzer_printf("Calling usrsctp_close()\n");
450	9.87k	usrsctp_close(socket_client);
451
452		#ifdef FUZZ_ALWAYS_INITIALIZE
453		fuzzer_printf("Calling usrsctp_finish()\n");
454		while (usrsctp_finish() != 0) {}
455		fuzzer_printf("Done!\n");
456		#endif
457
458	9.87k	return (0);
459	9.87k	}
460
461
462