/src/usrsctp/fuzzer/fuzzer_fragment.c

Source (jump to first uncovered line)
/*-
 * Copyright (c) 2020 Yuquan Wang
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <usrsctp.h>
#include "../programs/programs_helper.h"
#define FUZZ_B_RESERVED1          (1 << 0)
#define SACK_FLAG                 (1 << 1)
#define FUZZ_B_RESERVED3            (1 << 2)
#define FUZZ_B_RESERVED4            (1 << 3)
#define NR_SACK_FLAG                (1 << 4)
#define FUZZ_B_RESERVED5            (1 << 5)
#define I_DATA_FLAG                 (1 << 6)
#define FUZZ_B_RESERVED6            (1 << 7)

#define fuzzer_printf(...)
#define BUFFER_SIZE 4096
#define COMMON_HEADER_SIZE 12
#define SCTP_INTERLEAVING_SUPPORTED 0x00001206
#define SEND_DATA_SIZE 4096
static uint32_t assoc_vtag = 0;

static void
handle_upcall(struct socket *sock, void *arg, int flgs)
{
  fuzzer_printf("handle_upcall()\n");
  int events = usrsctp_get_events(sock);

  while (events & SCTP_EVENT_READ) {
    struct sctp_recvv_rn rn;
    ssize_t n;
    struct sockaddr_in addr;
    char *buf = calloc(1, BUFFER_SIZE);
    int flags = 0;
    socklen_t len = (socklen_t)sizeof(struct sockaddr_in);
    unsigned int infotype = 0;
    socklen_t infolen = sizeof(struct sctp_recvv_rn);
    memset(&rn, 0, sizeof(struct sctp_recvv_rn));
    n = usrsctp_recvv(sock, buf, BUFFER_SIZE, (struct sockaddr *) &addr, &len, (void *)&rn, &infolen, &infotype, &flags);
    fuzzer_printf("usrsctp_recvv() - returned %zd\n", n);

    if (flags & MSG_NOTIFICATION) {
      fuzzer_printf("NOTIFICATION received\n");
#ifdef FUZZ_VERBOSE
      handle_notification((union sctp_notification *)buf, n);
#endif // FUZZ_VERBOSE
    } else {
      fuzzer_printf("DATA received\n");
    }

    free(buf);

    if (n <= 0) {
      break;
    }

    events = usrsctp_get_events(sock);
  }
}


static int
conn_output(void *addr, void *buf, size_t length, uint8_t tos, uint8_t set_df)
{
  struct sctp_init_chunk *init_chunk;
  const char *init_chunk_first_bytes = "\x13\x88\x13\x89\x00\x00\x00\x00\x00\x00\x00\x00\x01";
  // Looking for the outgoing VTAG.
  // length >= (COMMON_HEADER_SIZE + 16 (min size of INIT))
  // If the common header has no VTAG (all zero), we're assuming it carries an INIT
  if ((length >= (COMMON_HEADER_SIZE + 16)) && (memcmp(buf, init_chunk_first_bytes, COMMON_HEADER_SIZE) == 0)) {
    init_chunk = (struct sctp_init_chunk*) ((char *)buf + sizeof(struct sctp_common_header));
    fuzzer_printf("Found outgoing INIT, extracting VTAG : %u\n", init_chunk->initiate_tag);
    assoc_vtag = init_chunk->initiate_tag;
  }

  return (0);
}


int
initialize_fuzzer(void) {
  usrsctp_init(0, conn_output, NULL);

  usrsctp_enable_crc32c_offload();

#ifdef SCTP_DEBUG
  usrsctp_sysctl_set_sctp_debug_on(SCTP_DEBUG_ALL);
#endif // SCTP_DEBUG

  usrsctp_register_address((void *)1);
  usrsctp_sysctl_set_sctp_pktdrop_enable(1);
  usrsctp_sysctl_set_sctp_nrsack_enable(1);
  fuzzer_printf("usrsctp initialized\n");

  return (1);
}

int
LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
{
  static int initialized;
  char *fuzz_packet_buffer;
  size_t fuzz_data_count;
  struct socket *socket_client;
  struct linger so_linger;
  struct sctp_initmsg initmsg;
  struct sctp_event event;
  struct sockaddr_conn sconn;
  struct sctp_common_header* common_header;
  struct sctp_assoc_value assoc_val;
  int result;
  int optval;
  unsigned long i;
  char* send_data_buffer;
  uint16_t event_types[] = {
    SCTP_ASSOC_CHANGE,
    SCTP_PEER_ADDR_CHANGE,
    SCTP_REMOTE_ERROR,
    SCTP_SEND_FAILED,
    SCTP_SHUTDOWN_EVENT,
    SCTP_ADAPTATION_INDICATION,
    SCTP_PARTIAL_DELIVERY_EVENT,
    SCTP_AUTHENTICATION_EVENT,
    SCTP_STREAM_RESET_EVENT,
    SCTP_SENDER_DRY_EVENT,
    SCTP_ASSOC_RESET_EVENT,
    SCTP_STREAM_CHANGE_EVENT,
    SCTP_SEND_FAILED_EVENT
  };
  char fuzz_init_ack[] = "\x13\x89\x13\x88\x49\xa4\xac\xb2\x00\x00\x00\x00\x02\x00\x01\xb4" \
    "\x2b\xe8\x47\x40\x00\x1c\x71\xc7\xff\xff\xff\xff\xed\x69\x58\xec" \
    "\xc0\x06\x00\x08\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04" \
    "\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
    "\x40\x39\xcf\x32\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6" \
    "\x2f\xb7\x81\x96\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa" \
    "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
    "\x00\x07\x01\x50\x4b\x41\x4d\x45\x2d\x42\x53\x44\x20\x31\x2e\x31" \
    "\x00\x00\x00\x00\x64\xdb\x63\x00\x00\x00\x00\x00\xc9\x76\x03\x00" \
    "\x00\x00\x00\x00\x60\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
    "\xb2\xac\xa4\x49\x2b\xe8\x47\x40\xd4\xc9\x79\x52\x00\x00\x00\x00" \
    "\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\xd4\xc9\x79\x53" \
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00" \
    "\x00\x00\x00\x00\x5a\x76\x13\x89\x01\x00\x00\x00\x00\x00\x00\x00" \
    "\x00\x00\x00\x00\x01\x00\x00\x62\x49\xa4\xac\xb2\x00\x1c\x71\xc7" \
    "\x00\x01\xff\xff\x82\xe6\xc8\x44\x80\x00\x00\x04\xc0\x00\x00\x04" \
    "\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
    "\xb6\xbb\xb5\x7f\xbb\x4b\x0e\xb5\x42\xf6\x75\x18\x4f\x79\x0f\x24" \
    "\x1c\x44\x0b\xd6\x62\xa9\x84\xe7\x2c\x3c\x7f\xad\x1b\x67\x81\x57" \
    "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
    "\x00\x0c\x00\x06\x00\x05\x00\x00\x02\x00\x01\xb4\x2b\xe8\x47\x40" \
    "\x00\x1c\x71\xc7\x00\x01\xff\xff\xed\x69\x58\xec\xc0\x06\x00\x08" \
    "\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04\x80\x08\x00\x0b" \
    "\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24\x40\x39\xcf\x32" \
    "\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6\x2f\xb7\x81\x96" \
    "\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa\x80\x04\x00\x08" \
    "\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00\x81\xe1\x1e\x81" \
    "\xea\x41\xeb\xf0\x12\xd9\x74\xbe\x13\xfd\x4b\x6c\x5c\xa2\x8f\x00";
  char fuzz_init_ack_nrsack_support[] = "\x13\x89\x13\x88\x49\xa4\xac\xb2\x00\x00\x00\x00\x02\x00\x01\xb4" \
    "\x2b\xe8\x47\x40\x00\x1c\x71\xc7\xff\xff\xff\xff\xed\x69\x58\xec" \
    "\xc0\x06\x00\x08\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04" \
    "\x80\x08\x00\x0b\xc0\x10\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
    "\x40\x39\xcf\x32\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6" \
    "\x2f\xb7\x81\x96\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa" \
    "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
    "\x00\x07\x01\x50\x4b\x41\x4d\x45\x2d\x42\x53\x44\x20\x31\x2e\x31" \
    "\x00\x00\x00\x00\x64\xdb\x63\x00\x00\x00\x00\x00\xc9\x76\x03\x00" \
    "\x00\x00\x00\x00\x60\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
    "\xb2\xac\xa4\x49\x2b\xe8\x47\x40\xd4\xc9\x79\x52\x00\x00\x00\x00" \
    "\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\xd4\xc9\x79\x53" \
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00" \
    "\x00\x00\x00\x00\x5a\x76\x13\x89\x01\x00\x00\x00\x00\x00\x00\x00" \
    "\x00\x00\x00\x00\x01\x00\x00\x62\x49\xa4\xac\xb2\x00\x1c\x71\xc7" \
    "\x00\x01\xff\xff\x82\xe6\xc8\x44\x80\x00\x00\x04\xc0\x00\x00\x04" \
    "\x80\x08\x00\x0b\xc0\x10\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
    "\xb6\xbb\xb5\x7f\xbb\x4b\x0e\xb5\x42\xf6\x75\x18\x4f\x79\x0f\x24" \
    "\x1c\x44\x0b\xd6\x62\xa9\x84\xe7\x2c\x3c\x7f\xad\x1b\x67\x81\x57" \
    "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
    "\x00\x0c\x00\x06\x00\x05\x00\x00\x02\x00\x01\xb4\x2b\xe8\x47\x40" \
    "\x00\x1c\x71\xc7\x00\x01\xff\xff\xed\x69\x58\xec\xc0\x06\x00\x08" \
    "\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04\x80\x08\x00\x0b" \
    "\xc0\x10\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24\x40\x39\xcf\x32" \
    "\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6\x2f\xb7\x81\x96" \
    "\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa\x80\x04\x00\x08" \
    "\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00\x81\xe1\x1e\x81" \
    "\xea\x41\xeb\xf0\x12\xd9\x74\xbe\x13\xfd\x4b\x6c\x5c\xa2\x8f\x00";
  char fuzz_cookie_ack[] = "\x13\x89\x13\x88\xb7\x0d\x32\x66\x00\x00\x00\x00\x0b\x00\x00\x04";

  char data_common_headr[] = "\x13\x89\x13\x88\xb7\x0d\x32\x66\x00\x00\x00\x00";

  if (!initialized) {
    initialized = initialize_fuzzer();
  }

  if (data_size < 10) {
    // Skip too small packets
    fuzzer_printf("data_size %zu makes no sense, skipping\n", data_size);
    return (0);
  }

  socket_client = usrsctp_socket(AF_CONN, SOCK_STREAM, IPPROTO_SCTP, NULL, NULL, 0, 0);
  FUZZER_ASSERT(socket_client != NULL);

  usrsctp_set_non_blocking(socket_client, 1);

  memset(&initmsg, 1, sizeof(struct sctp_initmsg));
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INITMSG, &initmsg, sizeof(struct sctp_initmsg));
  FUZZER_ASSERT(result == 0);

  so_linger.l_onoff = 1;
  so_linger.l_linger = 0;
  result = usrsctp_setsockopt(socket_client, SOL_SOCKET, SO_LINGER, &so_linger, sizeof(struct linger));
  FUZZER_ASSERT(result == 0);

  memset(&event, 0, sizeof(event));
  event.se_on = 1;
  for (i = 0; i < (sizeof(event_types) / sizeof(uint16_t)); i++) {
    event.se_type = event_types[i];
    result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(event));
  }

  optval = 1;
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVRCVINFO, &optval, sizeof(optval));
  FUZZER_ASSERT(result == 0);

  optval = 1;
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVNXTINFO, &optval, sizeof(optval));
  FUZZER_ASSERT(result == 0);

  if (data[0] & I_DATA_FLAG) {
    // set the program supporting I-DATA
    optval = 2;
    result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_FRAGMENT_INTERLEAVE, &optval, sizeof(optval));
    FUZZER_ASSERT(result == 0);

    memset(&assoc_val, 0, sizeof(assoc_val));
    assoc_val.assoc_value = 1;
    result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INTERLEAVING_SUPPORTED, &assoc_val, sizeof(assoc_val));
    FUZZER_ASSERT(result == 0);
  }

  optval = 1;
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_REUSE_PORT, &optval, sizeof(optval));
  FUZZER_ASSERT(result == 0);

  memset(&sconn, 0, sizeof(struct sockaddr_conn));
  sconn.sconn_family = AF_CONN;
#ifdef HAVE_SCONN_LEN
  sconn.sconn_len = sizeof(struct sockaddr_conn);
#endif // HAVE_SCONN_LEN
  sconn.sconn_port = htons(5000);
  sconn.sconn_addr = (void *)1;

  result = usrsctp_bind(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn));
  FUZZER_ASSERT(result == 0);

  optval = 1;
  result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_NODELAY, &optval, sizeof(optval));
  FUZZER_ASSERT(result == 0);

  usrsctp_set_upcall(socket_client, handle_upcall, NULL);

  memset(&sconn, 0, sizeof(struct sockaddr_conn));
  sconn.sconn_family = AF_CONN;
#ifdef HAVE_SCONN_LEN
  sconn.sconn_len = sizeof(struct sockaddr_conn);
#endif // HAVE_SCONN_LEN
  sconn.sconn_port = htons(5001);
  sconn.sconn_addr = (void *)1;

  result = usrsctp_connect(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn));
  FUZZER_ASSERT(result == 0 || errno == EINPROGRESS);

  if (data[0] & NR_SACK_FLAG) {
    common_header = (struct sctp_common_header*) fuzz_init_ack_nrsack_support;
    common_header->verification_tag = assoc_vtag;
    usrsctp_conninput((void *)1, fuzz_init_ack_nrsack_support, 448, 0);
  } else {
    common_header = (struct sctp_common_header*) fuzz_init_ack;
    common_header->verification_tag = assoc_vtag;
    usrsctp_conninput((void *)1, fuzz_init_ack, 448, 0);
  }


  common_header = (struct sctp_common_header*) fuzz_cookie_ack;
  common_header->verification_tag = assoc_vtag;
  usrsctp_conninput((void *)1, fuzz_cookie_ack, 16, 0);

  fuzz_data_count = 0;
  while (fuzz_data_count+4 < data_size) {
    size_t data_chunk_size = (data[fuzz_data_count+2]<<8) + data[fuzz_data_count+3];
    if (data_chunk_size == 0) {
      break;
    }
    if (fuzz_data_count + data_chunk_size > data_size) {
      data_chunk_size = data_size - fuzz_data_count;
    }
    if (data[fuzz_data_count] & NR_SACK_FLAG ||
        data[fuzz_data_count] & SACK_FLAG) {
      send_data_buffer = malloc(SEND_DATA_SIZE);
      FUZZER_ASSERT(send_data_buffer != NULL );
      memset(send_data_buffer, 1, SEND_DATA_SIZE);
      fuzzer_printf("Calling usrsctp_sendv()\n");
      usrsctp_sendv(socket_client, send_data_buffer, SEND_DATA_SIZE, NULL, 0, NULL, 0, SCTP_SENDV_NOINFO, 0);
      free(send_data_buffer);
    }
    fuzz_packet_buffer = malloc(data_chunk_size + COMMON_HEADER_SIZE);
    memcpy(fuzz_packet_buffer, data_common_headr, COMMON_HEADER_SIZE); // common header
    memcpy(fuzz_packet_buffer + COMMON_HEADER_SIZE, data+fuzz_data_count, data_chunk_size);
    usrsctp_conninput((void *)1, fuzz_packet_buffer, data_chunk_size + COMMON_HEADER_SIZE, 0);
    free(fuzz_packet_buffer);
    fuzz_data_count += data_chunk_size;
  }

  usrsctp_close(socket_client);

  return (0);
}

Coverage Report

Created: 2022-08-24 06:02

Line	Count	Source (jump to first uncovered line)
1		/*-
2		* Copyright (c) 2020 Yuquan Wang
3		*
4		* All rights reserved.
5		*
6		* Redistribution and use in source and binary forms, with or without
7		* modification, are permitted provided that the following conditions
8		* are met:
9		* 1. Redistributions of source code must retain the above copyright
10		* notice, this list of conditions and the following disclaimer.
11		* 2. Redistributions in binary form must reproduce the above copyright
12		* notice, this list of conditions and the following disclaimer in the
13		* documentation and/or other materials provided with the distribution.
14		*
15		* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16		* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18		* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19		* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20		* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21		* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22		* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23		* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24		* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25		* SUCH DAMAGE.
26		*/
27
28		#include <stdio.h>
29		#include <stdlib.h>
30		#include <string.h>
31		#include <stdarg.h>
32		#include <usrsctp.h>
33		#include "../programs/programs_helper.h"
34		#define FUZZ_B_RESERVED1 (1 << 0)
35	13.0M	#define SACK_FLAG (1 << 1)
36		#define FUZZ_B_RESERVED3 (1 << 2)
37		#define FUZZ_B_RESERVED4 (1 << 3)
38	26.3M	#define NR_SACK_FLAG (1 << 4)
39		#define FUZZ_B_RESERVED5 (1 << 5)
40	1.73k	#define I_DATA_FLAG (1 << 6)
41		#define FUZZ_B_RESERVED6 (1 << 7)
42
43		#define fuzzer_printf(...)
44	6.92k	#define BUFFER_SIZE 4096
45	52.7M	#define COMMON_HEADER_SIZE 12
46	186	#define SCTP_INTERLEAVING_SUPPORTED 0x00001206
47	39.4M	#define SEND_DATA_SIZE 4096
48		static uint32_t assoc_vtag = 0;
49
50		static void
51		handle_upcall(struct socket sock, void arg, int flgs)
52	18.4k	{
53	18.4k	fuzzer_printf("handle_upcall()\n");
54	18.4k	int events = usrsctp_get_events(sock);
55
56	21.9k	while (events & SCTP_EVENT_READ) {
57	3.46k	struct sctp_recvv_rn rn;
58	3.46k	ssize_t n;
59	3.46k	struct sockaddr_in addr;
60	3.46k	char *buf = calloc(1, BUFFER_SIZE);
61	3.46k	int flags = 0;
62	3.46k	socklen_t len = (socklen_t)sizeof(struct sockaddr_in);
63	3.46k	unsigned int infotype = 0;
64	3.46k	socklen_t infolen = sizeof(struct sctp_recvv_rn);
65	3.46k	memset(&rn, 0, sizeof(struct sctp_recvv_rn));
66	3.46k	n = usrsctp_recvv(sock, buf, BUFFER_SIZE, (struct sockaddr ) &addr, &len, (void )&rn, &infolen, &infotype, &flags);
67	3.46k	fuzzer_printf("usrsctp_recvv() - returned %zd\n", n);
68
69	3.46k	if (flags & MSG_NOTIFICATION) {
70	3.46k	fuzzer_printf("NOTIFICATION received\n");
71		#ifdef FUZZ_VERBOSE
72		handle_notification((union sctp_notification *)buf, n);
73		#endif // FUZZ_VERBOSE
74	3.46k	} else {
75	0	fuzzer_printf("DATA received\n");
76	0	}
77
78	3.46k	free(buf);
79
80	3.46k	if (n <= 0) {
81	0	break;
82	0	}
83
84	3.46k	events = usrsctp_get_events(sock);
85	3.46k	}
86	18.4k	}
87
88
89		static int
90		conn_output(void addr, void buf, size_t length, uint8_t tos, uint8_t set_df)
91	18.1k	{
92	18.1k	struct sctp_init_chunk *init_chunk;
93	18.1k	const char *init_chunk_first_bytes = "\x13\x88\x13\x89\x00\x00\x00\x00\x00\x00\x00\x00\x01";
94		// Looking for the outgoing VTAG.
95		// length >= (COMMON_HEADER_SIZE + 16 (min size of INIT))
96		// If the common header has no VTAG (all zero), we're assuming it carries an INIT
97	18.1k	if ((length >= (COMMON_HEADER_SIZE + 16)) && (memcmp(buf, init_chunk_first_bytes, COMMON_HEADER_SIZE) == 0)) {
98	1.73k	init_chunk = (struct sctp_init_chunk) ((char )buf + sizeof(struct sctp_common_header));
99	1.73k	fuzzer_printf("Found outgoing INIT, extracting VTAG : %u\n", init_chunk->initiate_tag);
100	1.73k	assoc_vtag = init_chunk->initiate_tag;
101	1.73k	}
102
103	18.1k	return (0);
104	18.1k	}
105
106
107		int
108	2	initialize_fuzzer(void) {
109	2	usrsctp_init(0, conn_output, NULL);
110
111	2	usrsctp_enable_crc32c_offload();
112
113		#ifdef SCTP_DEBUG
114		usrsctp_sysctl_set_sctp_debug_on(SCTP_DEBUG_ALL);
115		#endif // SCTP_DEBUG
116
117	2	usrsctp_register_address((void *)1);
118	2	usrsctp_sysctl_set_sctp_pktdrop_enable(1);
119	2	usrsctp_sysctl_set_sctp_nrsack_enable(1);
120	2	fuzzer_printf("usrsctp initialized\n");
121
122	2	return (1);
123	2	}
124
125		int
126		LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
127	1.73k	{
128	1.73k	static int initialized;
129	1.73k	char *fuzz_packet_buffer;
130	1.73k	size_t fuzz_data_count;
131	1.73k	struct socket *socket_client;
132	1.73k	struct linger so_linger;
133	1.73k	struct sctp_initmsg initmsg;
134	1.73k	struct sctp_event event;
135	1.73k	struct sockaddr_conn sconn;
136	1.73k	struct sctp_common_header* common_header;
137	1.73k	struct sctp_assoc_value assoc_val;
138	1.73k	int result;
139	1.73k	int optval;
140	1.73k	unsigned long i;
141	1.73k	char* send_data_buffer;
142	1.73k	uint16_t event_types[] = {
143	1.73k	SCTP_ASSOC_CHANGE,
144	1.73k	SCTP_PEER_ADDR_CHANGE,
145	1.73k	SCTP_REMOTE_ERROR,
146	1.73k	SCTP_SEND_FAILED,
147	1.73k	SCTP_SHUTDOWN_EVENT,
148	1.73k	SCTP_ADAPTATION_INDICATION,
149	1.73k	SCTP_PARTIAL_DELIVERY_EVENT,
150	1.73k	SCTP_AUTHENTICATION_EVENT,
151	1.73k	SCTP_STREAM_RESET_EVENT,
152	1.73k	SCTP_SENDER_DRY_EVENT,
153	1.73k	SCTP_ASSOC_RESET_EVENT,
154	1.73k	SCTP_STREAM_CHANGE_EVENT,
155	1.73k	SCTP_SEND_FAILED_EVENT
156	1.73k	};
157	1.73k	char fuzz_init_ack[] = "\x13\x89\x13\x88\x49\xa4\xac\xb2\x00\x00\x00\x00\x02\x00\x01\xb4" \
158	1.73k	"\x2b\xe8\x47\x40\x00\x1c\x71\xc7\xff\xff\xff\xff\xed\x69\x58\xec" \
159	1.73k	"\xc0\x06\x00\x08\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04" \
160	1.73k	"\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
161	1.73k	"\x40\x39\xcf\x32\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6" \
162	1.73k	"\x2f\xb7\x81\x96\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa" \
163	1.73k	"\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
164	1.73k	"\x00\x07\x01\x50\x4b\x41\x4d\x45\x2d\x42\x53\x44\x20\x31\x2e\x31" \
165	1.73k	"\x00\x00\x00\x00\x64\xdb\x63\x00\x00\x00\x00\x00\xc9\x76\x03\x00" \
166	1.73k	"\x00\x00\x00\x00\x60\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
167	1.73k	"\xb2\xac\xa4\x49\x2b\xe8\x47\x40\xd4\xc9\x79\x52\x00\x00\x00\x00" \
168	1.73k	"\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\xd4\xc9\x79\x53" \
169	1.73k	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00" \
170	1.73k	"\x00\x00\x00\x00\x5a\x76\x13\x89\x01\x00\x00\x00\x00\x00\x00\x00" \
171	1.73k	"\x00\x00\x00\x00\x01\x00\x00\x62\x49\xa4\xac\xb2\x00\x1c\x71\xc7" \
172	1.73k	"\x00\x01\xff\xff\x82\xe6\xc8\x44\x80\x00\x00\x04\xc0\x00\x00\x04" \
173	1.73k	"\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
174	1.73k	"\xb6\xbb\xb5\x7f\xbb\x4b\x0e\xb5\x42\xf6\x75\x18\x4f\x79\x0f\x24" \
175	1.73k	"\x1c\x44\x0b\xd6\x62\xa9\x84\xe7\x2c\x3c\x7f\xad\x1b\x67\x81\x57" \
176	1.73k	"\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
177	1.73k	"\x00\x0c\x00\x06\x00\x05\x00\x00\x02\x00\x01\xb4\x2b\xe8\x47\x40" \
178	1.73k	"\x00\x1c\x71\xc7\x00\x01\xff\xff\xed\x69\x58\xec\xc0\x06\x00\x08" \
179	1.73k	"\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04\x80\x08\x00\x0b" \
180	1.73k	"\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24\x40\x39\xcf\x32" \
181	1.73k	"\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6\x2f\xb7\x81\x96" \
182	1.73k	"\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa\x80\x04\x00\x08" \
183	1.73k	"\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00\x81\xe1\x1e\x81" \
184	1.73k	"\xea\x41\xeb\xf0\x12\xd9\x74\xbe\x13\xfd\x4b\x6c\x5c\xa2\x8f\x00";
185	1.73k	char fuzz_init_ack_nrsack_support[] = "\x13\x89\x13\x88\x49\xa4\xac\xb2\x00\x00\x00\x00\x02\x00\x01\xb4" \
186	1.73k	"\x2b\xe8\x47\x40\x00\x1c\x71\xc7\xff\xff\xff\xff\xed\x69\x58\xec" \
187	1.73k	"\xc0\x06\x00\x08\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04" \
188	1.73k	"\x80\x08\x00\x0b\xc0\x10\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
189	1.73k	"\x40\x39\xcf\x32\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6" \
190	1.73k	"\x2f\xb7\x81\x96\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa" \
191	1.73k	"\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
192	1.73k	"\x00\x07\x01\x50\x4b\x41\x4d\x45\x2d\x42\x53\x44\x20\x31\x2e\x31" \
193	1.73k	"\x00\x00\x00\x00\x64\xdb\x63\x00\x00\x00\x00\x00\xc9\x76\x03\x00" \
194	1.73k	"\x00\x00\x00\x00\x60\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
195	1.73k	"\xb2\xac\xa4\x49\x2b\xe8\x47\x40\xd4\xc9\x79\x52\x00\x00\x00\x00" \
196	1.73k	"\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\xd4\xc9\x79\x53" \
197	1.73k	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00" \
198	1.73k	"\x00\x00\x00\x00\x5a\x76\x13\x89\x01\x00\x00\x00\x00\x00\x00\x00" \
199	1.73k	"\x00\x00\x00\x00\x01\x00\x00\x62\x49\xa4\xac\xb2\x00\x1c\x71\xc7" \
200	1.73k	"\x00\x01\xff\xff\x82\xe6\xc8\x44\x80\x00\x00\x04\xc0\x00\x00\x04" \
201	1.73k	"\x80\x08\x00\x0b\xc0\x10\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
202	1.73k	"\xb6\xbb\xb5\x7f\xbb\x4b\x0e\xb5\x42\xf6\x75\x18\x4f\x79\x0f\x24" \
203	1.73k	"\x1c\x44\x0b\xd6\x62\xa9\x84\xe7\x2c\x3c\x7f\xad\x1b\x67\x81\x57" \
204	1.73k	"\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
205	1.73k	"\x00\x0c\x00\x06\x00\x05\x00\x00\x02\x00\x01\xb4\x2b\xe8\x47\x40" \
206	1.73k	"\x00\x1c\x71\xc7\x00\x01\xff\xff\xed\x69\x58\xec\xc0\x06\x00\x08" \
207	1.73k	"\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04\x80\x08\x00\x0b" \
208	1.73k	"\xc0\x10\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24\x40\x39\xcf\x32" \
209	1.73k	"\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6\x2f\xb7\x81\x96" \
210	1.73k	"\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa\x80\x04\x00\x08" \
211	1.73k	"\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00\x81\xe1\x1e\x81" \
212	1.73k	"\xea\x41\xeb\xf0\x12\xd9\x74\xbe\x13\xfd\x4b\x6c\x5c\xa2\x8f\x00";
213	1.73k	char fuzz_cookie_ack[] = "\x13\x89\x13\x88\xb7\x0d\x32\x66\x00\x00\x00\x00\x0b\x00\x00\x04";
214
215	1.73k	char data_common_headr[] = "\x13\x89\x13\x88\xb7\x0d\x32\x66\x00\x00\x00\x00";
216
217	1.73k	if (!initialized) {
218	1	initialized = initialize_fuzzer();
219	1	}
220
221	1.73k	if (data_size < 10) {
222		// Skip too small packets
223	7	fuzzer_printf("data_size %zu makes no sense, skipping\n", data_size);
224	7	return (0);
225	7	}
226
227	1.73k	socket_client = usrsctp_socket(AF_CONN, SOCK_STREAM, IPPROTO_SCTP, NULL, NULL, 0, 0);
228	1.73k	FUZZER_ASSERT(socket_client != NULL);
229
230	1.73k	usrsctp_set_non_blocking(socket_client, 1);
231
232	1.73k	memset(&initmsg, 1, sizeof(struct sctp_initmsg));
233	1.73k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INITMSG, &initmsg, sizeof(struct sctp_initmsg));
234	1.73k	FUZZER_ASSERT(result == 0);
235
236	1.73k	so_linger.l_onoff = 1;
237	1.73k	so_linger.l_linger = 0;
238	1.73k	result = usrsctp_setsockopt(socket_client, SOL_SOCKET, SO_LINGER, &so_linger, sizeof(struct linger));
239	1.73k	FUZZER_ASSERT(result == 0);
240
241	1.73k	memset(&event, 0, sizeof(event));
242	1.73k	event.se_on = 1;
243	24.2k	for (i = 0; i < (sizeof(event_types) / sizeof(uint16_t)); i++) {
244	22.5k	event.se_type = event_types[i];
245	22.5k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(event));
246	22.5k	}
247
248	1.73k	optval = 1;
249	1.73k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVRCVINFO, &optval, sizeof(optval));
250	1.73k	FUZZER_ASSERT(result == 0);
251
252	1.73k	optval = 1;
253	1.73k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVNXTINFO, &optval, sizeof(optval));
254	1.73k	FUZZER_ASSERT(result == 0);
255
256	1.73k	if (data[0] & I_DATA_FLAG) {
257		// set the program supporting I-DATA
258	186	optval = 2;
259	186	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_FRAGMENT_INTERLEAVE, &optval, sizeof(optval));
260	186	FUZZER_ASSERT(result == 0);
261
262	186	memset(&assoc_val, 0, sizeof(assoc_val));
263	186	assoc_val.assoc_value = 1;
264	186	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INTERLEAVING_SUPPORTED, &assoc_val, sizeof(assoc_val));
265	186	FUZZER_ASSERT(result == 0);
266	186	}
267
268	1.73k	optval = 1;
269	1.73k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_REUSE_PORT, &optval, sizeof(optval));
270	1.73k	FUZZER_ASSERT(result == 0);
271
272	1.73k	memset(&sconn, 0, sizeof(struct sockaddr_conn));
273	1.73k	sconn.sconn_family = AF_CONN;
274		#ifdef HAVE_SCONN_LEN
275		sconn.sconn_len = sizeof(struct sockaddr_conn);
276		#endif // HAVE_SCONN_LEN
277	1.73k	sconn.sconn_port = htons(5000);
278	1.73k	sconn.sconn_addr = (void *)1;
279
280	1.73k	result = usrsctp_bind(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn));
281	1.73k	FUZZER_ASSERT(result == 0);
282
283	1.73k	optval = 1;
284	1.73k	result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_NODELAY, &optval, sizeof(optval));
285	1.73k	FUZZER_ASSERT(result == 0);
286
287	1.73k	usrsctp_set_upcall(socket_client, handle_upcall, NULL);
288
289	1.73k	memset(&sconn, 0, sizeof(struct sockaddr_conn));
290	1.73k	sconn.sconn_family = AF_CONN;
291		#ifdef HAVE_SCONN_LEN
292		sconn.sconn_len = sizeof(struct sockaddr_conn);
293		#endif // HAVE_SCONN_LEN
294	1.73k	sconn.sconn_port = htons(5001);
295	1.73k	sconn.sconn_addr = (void *)1;
296
297	1.73k	result = usrsctp_connect(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn));
298	1.73k	FUZZER_ASSERT(result == 0 \|\| errno == EINPROGRESS);
299
300	1.73k	if (data[0] & NR_SACK_FLAG) {
301	113	common_header = (struct sctp_common_header*) fuzz_init_ack_nrsack_support;
302	113	common_header->verification_tag = assoc_vtag;
303	113	usrsctp_conninput((void *)1, fuzz_init_ack_nrsack_support, 448, 0);
304	1.61k	} else {
305	1.61k	common_header = (struct sctp_common_header*) fuzz_init_ack;
306	1.61k	common_header->verification_tag = assoc_vtag;
307	1.61k	usrsctp_conninput((void *)1, fuzz_init_ack, 448, 0);
308	1.61k	}
309
310
311	1.73k	common_header = (struct sctp_common_header*) fuzz_cookie_ack;
312	1.73k	common_header->verification_tag = assoc_vtag;
313	1.73k	usrsctp_conninput((void *)1, fuzz_cookie_ack, 16, 0);
314
315	1.73k	fuzz_data_count = 0;
316	13.1M	while (fuzz_data_count+4 < data_size) {
317	13.1M	size_t data_chunk_size = (data[fuzz_data_count+2]<<8) + data[fuzz_data_count+3];
318	13.1M	if (data_chunk_size == 0) {
319	37	break;
320	37	}
321	13.1M	if (fuzz_data_count + data_chunk_size > data_size) {
322	706	data_chunk_size = data_size - fuzz_data_count;
323	706	}
324	13.1M	if (data[fuzz_data_count] & NR_SACK_FLAG \|\|
325	13.1M	data[fuzz_data_count] & SACK_FLAG) {
326	13.1M	send_data_buffer = malloc(SEND_DATA_SIZE);
327	13.1M	FUZZER_ASSERT(send_data_buffer != NULL );
328	13.1M	memset(send_data_buffer, 1, SEND_DATA_SIZE);
329	13.1M	fuzzer_printf("Calling usrsctp_sendv()\n");
330	13.1M	usrsctp_sendv(socket_client, send_data_buffer, SEND_DATA_SIZE, NULL, 0, NULL, 0, SCTP_SENDV_NOINFO, 0);
331	13.1M	free(send_data_buffer);
332	13.1M	}
333	13.1M	fuzz_packet_buffer = malloc(data_chunk_size + COMMON_HEADER_SIZE);
334	13.1M	memcpy(fuzz_packet_buffer, data_common_headr, COMMON_HEADER_SIZE); // common header
335	13.1M	memcpy(fuzz_packet_buffer + COMMON_HEADER_SIZE, data+fuzz_data_count, data_chunk_size);
336	13.1M	usrsctp_conninput((void *)1, fuzz_packet_buffer, data_chunk_size + COMMON_HEADER_SIZE, 0);
337	13.1M	free(fuzz_packet_buffer);
338	13.1M	fuzz_data_count += data_chunk_size;
339	13.1M	}
340
341	1.73k	usrsctp_close(socket_client);
342
343	1.73k	return (0);
344	1.73k	}