/src/usrsctp/fuzzer/fuzzer_fragment.c
Line | Count | Source (jump to first uncovered line) |
1 | | /*- |
2 | | * Copyright (c) 2020 Yuquan Wang |
3 | | * |
4 | | * All rights reserved. |
5 | | * |
6 | | * Redistribution and use in source and binary forms, with or without |
7 | | * modification, are permitted provided that the following conditions |
8 | | * are met: |
9 | | * 1. Redistributions of source code must retain the above copyright |
10 | | * notice, this list of conditions and the following disclaimer. |
11 | | * 2. Redistributions in binary form must reproduce the above copyright |
12 | | * notice, this list of conditions and the following disclaimer in the |
13 | | * documentation and/or other materials provided with the distribution. |
14 | | * |
15 | | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
16 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
17 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
18 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
19 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
20 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
21 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
22 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
23 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
24 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
25 | | * SUCH DAMAGE. |
26 | | */ |
27 | | |
28 | | #include <stdio.h> |
29 | | #include <stdlib.h> |
30 | | #include <string.h> |
31 | | #include <stdarg.h> |
32 | | #include <usrsctp.h> |
33 | | #include "../programs/programs_helper.h" |
34 | | #define FUZZ_B_RESERVED1 (1 << 0) |
35 | 13.0M | #define SACK_FLAG (1 << 1) |
36 | | #define FUZZ_B_RESERVED3 (1 << 2) |
37 | | #define FUZZ_B_RESERVED4 (1 << 3) |
38 | 26.3M | #define NR_SACK_FLAG (1 << 4) |
39 | | #define FUZZ_B_RESERVED5 (1 << 5) |
40 | 1.73k | #define I_DATA_FLAG (1 << 6) |
41 | | #define FUZZ_B_RESERVED6 (1 << 7) |
42 | | |
43 | | #define fuzzer_printf(...) |
44 | 6.92k | #define BUFFER_SIZE 4096 |
45 | 52.7M | #define COMMON_HEADER_SIZE 12 |
46 | 186 | #define SCTP_INTERLEAVING_SUPPORTED 0x00001206 |
47 | 39.4M | #define SEND_DATA_SIZE 4096 |
48 | | static uint32_t assoc_vtag = 0; |
49 | | |
50 | | static void |
51 | | handle_upcall(struct socket *sock, void *arg, int flgs) |
52 | 18.4k | { |
53 | 18.4k | fuzzer_printf("handle_upcall()\n"); |
54 | 18.4k | int events = usrsctp_get_events(sock); |
55 | | |
56 | 21.9k | while (events & SCTP_EVENT_READ) { |
57 | 3.46k | struct sctp_recvv_rn rn; |
58 | 3.46k | ssize_t n; |
59 | 3.46k | struct sockaddr_in addr; |
60 | 3.46k | char *buf = calloc(1, BUFFER_SIZE); |
61 | 3.46k | int flags = 0; |
62 | 3.46k | socklen_t len = (socklen_t)sizeof(struct sockaddr_in); |
63 | 3.46k | unsigned int infotype = 0; |
64 | 3.46k | socklen_t infolen = sizeof(struct sctp_recvv_rn); |
65 | 3.46k | memset(&rn, 0, sizeof(struct sctp_recvv_rn)); |
66 | 3.46k | n = usrsctp_recvv(sock, buf, BUFFER_SIZE, (struct sockaddr *) &addr, &len, (void *)&rn, &infolen, &infotype, &flags); |
67 | 3.46k | fuzzer_printf("usrsctp_recvv() - returned %zd\n", n); |
68 | | |
69 | 3.46k | if (flags & MSG_NOTIFICATION) { |
70 | 3.46k | fuzzer_printf("NOTIFICATION received\n"); |
71 | | #ifdef FUZZ_VERBOSE |
72 | | handle_notification((union sctp_notification *)buf, n); |
73 | | #endif // FUZZ_VERBOSE |
74 | 3.46k | } else { |
75 | 0 | fuzzer_printf("DATA received\n"); |
76 | 0 | } |
77 | | |
78 | 3.46k | free(buf); |
79 | | |
80 | 3.46k | if (n <= 0) { |
81 | 0 | break; |
82 | 0 | } |
83 | | |
84 | 3.46k | events = usrsctp_get_events(sock); |
85 | 3.46k | } |
86 | 18.4k | } |
87 | | |
88 | | |
89 | | static int |
90 | | conn_output(void *addr, void *buf, size_t length, uint8_t tos, uint8_t set_df) |
91 | 18.1k | { |
92 | 18.1k | struct sctp_init_chunk *init_chunk; |
93 | 18.1k | const char *init_chunk_first_bytes = "\x13\x88\x13\x89\x00\x00\x00\x00\x00\x00\x00\x00\x01"; |
94 | | // Looking for the outgoing VTAG. |
95 | | // length >= (COMMON_HEADER_SIZE + 16 (min size of INIT)) |
96 | | // If the common header has no VTAG (all zero), we're assuming it carries an INIT |
97 | 18.1k | if ((length >= (COMMON_HEADER_SIZE + 16)) && (memcmp(buf, init_chunk_first_bytes, COMMON_HEADER_SIZE) == 0)) { |
98 | 1.73k | init_chunk = (struct sctp_init_chunk*) ((char *)buf + sizeof(struct sctp_common_header)); |
99 | 1.73k | fuzzer_printf("Found outgoing INIT, extracting VTAG : %u\n", init_chunk->initiate_tag); |
100 | 1.73k | assoc_vtag = init_chunk->initiate_tag; |
101 | 1.73k | } |
102 | | |
103 | 18.1k | return (0); |
104 | 18.1k | } |
105 | | |
106 | | |
107 | | int |
108 | 2 | initialize_fuzzer(void) { |
109 | 2 | usrsctp_init(0, conn_output, NULL); |
110 | | |
111 | 2 | usrsctp_enable_crc32c_offload(); |
112 | | |
113 | | #ifdef SCTP_DEBUG |
114 | | usrsctp_sysctl_set_sctp_debug_on(SCTP_DEBUG_ALL); |
115 | | #endif // SCTP_DEBUG |
116 | | |
117 | 2 | usrsctp_register_address((void *)1); |
118 | 2 | usrsctp_sysctl_set_sctp_pktdrop_enable(1); |
119 | 2 | usrsctp_sysctl_set_sctp_nrsack_enable(1); |
120 | 2 | fuzzer_printf("usrsctp initialized\n"); |
121 | | |
122 | 2 | return (1); |
123 | 2 | } |
124 | | |
125 | | int |
126 | | LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) |
127 | 1.73k | { |
128 | 1.73k | static int initialized; |
129 | 1.73k | char *fuzz_packet_buffer; |
130 | 1.73k | size_t fuzz_data_count; |
131 | 1.73k | struct socket *socket_client; |
132 | 1.73k | struct linger so_linger; |
133 | 1.73k | struct sctp_initmsg initmsg; |
134 | 1.73k | struct sctp_event event; |
135 | 1.73k | struct sockaddr_conn sconn; |
136 | 1.73k | struct sctp_common_header* common_header; |
137 | 1.73k | struct sctp_assoc_value assoc_val; |
138 | 1.73k | int result; |
139 | 1.73k | int optval; |
140 | 1.73k | unsigned long i; |
141 | 1.73k | char* send_data_buffer; |
142 | 1.73k | uint16_t event_types[] = { |
143 | 1.73k | SCTP_ASSOC_CHANGE, |
144 | 1.73k | SCTP_PEER_ADDR_CHANGE, |
145 | 1.73k | SCTP_REMOTE_ERROR, |
146 | 1.73k | SCTP_SEND_FAILED, |
147 | 1.73k | SCTP_SHUTDOWN_EVENT, |
148 | 1.73k | SCTP_ADAPTATION_INDICATION, |
149 | 1.73k | SCTP_PARTIAL_DELIVERY_EVENT, |
150 | 1.73k | SCTP_AUTHENTICATION_EVENT, |
151 | 1.73k | SCTP_STREAM_RESET_EVENT, |
152 | 1.73k | SCTP_SENDER_DRY_EVENT, |
153 | 1.73k | SCTP_ASSOC_RESET_EVENT, |
154 | 1.73k | SCTP_STREAM_CHANGE_EVENT, |
155 | 1.73k | SCTP_SEND_FAILED_EVENT |
156 | 1.73k | }; |
157 | 1.73k | char fuzz_init_ack[] = "\x13\x89\x13\x88\x49\xa4\xac\xb2\x00\x00\x00\x00\x02\x00\x01\xb4" \ |
158 | 1.73k | "\x2b\xe8\x47\x40\x00\x1c\x71\xc7\xff\xff\xff\xff\xed\x69\x58\xec" \ |
159 | 1.73k | "\xc0\x06\x00\x08\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04" \ |
160 | 1.73k | "\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \ |
161 | 1.73k | "\x40\x39\xcf\x32\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6" \ |
162 | 1.73k | "\x2f\xb7\x81\x96\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa" \ |
163 | 1.73k | "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \ |
164 | 1.73k | "\x00\x07\x01\x50\x4b\x41\x4d\x45\x2d\x42\x53\x44\x20\x31\x2e\x31" \ |
165 | 1.73k | "\x00\x00\x00\x00\x64\xdb\x63\x00\x00\x00\x00\x00\xc9\x76\x03\x00" \ |
166 | 1.73k | "\x00\x00\x00\x00\x60\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \ |
167 | 1.73k | "\xb2\xac\xa4\x49\x2b\xe8\x47\x40\xd4\xc9\x79\x52\x00\x00\x00\x00" \ |
168 | 1.73k | "\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\xd4\xc9\x79\x53" \ |
169 | 1.73k | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00" \ |
170 | 1.73k | "\x00\x00\x00\x00\x5a\x76\x13\x89\x01\x00\x00\x00\x00\x00\x00\x00" \ |
171 | 1.73k | "\x00\x00\x00\x00\x01\x00\x00\x62\x49\xa4\xac\xb2\x00\x1c\x71\xc7" \ |
172 | 1.73k | "\x00\x01\xff\xff\x82\xe6\xc8\x44\x80\x00\x00\x04\xc0\x00\x00\x04" \ |
173 | 1.73k | "\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \ |
174 | 1.73k | "\xb6\xbb\xb5\x7f\xbb\x4b\x0e\xb5\x42\xf6\x75\x18\x4f\x79\x0f\x24" \ |
175 | 1.73k | "\x1c\x44\x0b\xd6\x62\xa9\x84\xe7\x2c\x3c\x7f\xad\x1b\x67\x81\x57" \ |
176 | 1.73k | "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \ |
177 | 1.73k | "\x00\x0c\x00\x06\x00\x05\x00\x00\x02\x00\x01\xb4\x2b\xe8\x47\x40" \ |
178 | 1.73k | "\x00\x1c\x71\xc7\x00\x01\xff\xff\xed\x69\x58\xec\xc0\x06\x00\x08" \ |
179 | 1.73k | "\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04\x80\x08\x00\x0b" \ |
180 | 1.73k | "\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24\x40\x39\xcf\x32" \ |
181 | 1.73k | "\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6\x2f\xb7\x81\x96" \ |
182 | 1.73k | "\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa\x80\x04\x00\x08" \ |
183 | 1.73k | "\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00\x81\xe1\x1e\x81" \ |
184 | 1.73k | "\xea\x41\xeb\xf0\x12\xd9\x74\xbe\x13\xfd\x4b\x6c\x5c\xa2\x8f\x00"; |
185 | 1.73k | char fuzz_init_ack_nrsack_support[] = "\x13\x89\x13\x88\x49\xa4\xac\xb2\x00\x00\x00\x00\x02\x00\x01\xb4" \ |
186 | 1.73k | "\x2b\xe8\x47\x40\x00\x1c\x71\xc7\xff\xff\xff\xff\xed\x69\x58\xec" \ |
187 | 1.73k | "\xc0\x06\x00\x08\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04" \ |
188 | 1.73k | "\x80\x08\x00\x0b\xc0\x10\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \ |
189 | 1.73k | "\x40\x39\xcf\x32\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6" \ |
190 | 1.73k | "\x2f\xb7\x81\x96\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa" \ |
191 | 1.73k | "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \ |
192 | 1.73k | "\x00\x07\x01\x50\x4b\x41\x4d\x45\x2d\x42\x53\x44\x20\x31\x2e\x31" \ |
193 | 1.73k | "\x00\x00\x00\x00\x64\xdb\x63\x00\x00\x00\x00\x00\xc9\x76\x03\x00" \ |
194 | 1.73k | "\x00\x00\x00\x00\x60\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \ |
195 | 1.73k | "\xb2\xac\xa4\x49\x2b\xe8\x47\x40\xd4\xc9\x79\x52\x00\x00\x00\x00" \ |
196 | 1.73k | "\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\xd4\xc9\x79\x53" \ |
197 | 1.73k | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00" \ |
198 | 1.73k | "\x00\x00\x00\x00\x5a\x76\x13\x89\x01\x00\x00\x00\x00\x00\x00\x00" \ |
199 | 1.73k | "\x00\x00\x00\x00\x01\x00\x00\x62\x49\xa4\xac\xb2\x00\x1c\x71\xc7" \ |
200 | 1.73k | "\x00\x01\xff\xff\x82\xe6\xc8\x44\x80\x00\x00\x04\xc0\x00\x00\x04" \ |
201 | 1.73k | "\x80\x08\x00\x0b\xc0\x10\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \ |
202 | 1.73k | "\xb6\xbb\xb5\x7f\xbb\x4b\x0e\xb5\x42\xf6\x75\x18\x4f\x79\x0f\x24" \ |
203 | 1.73k | "\x1c\x44\x0b\xd6\x62\xa9\x84\xe7\x2c\x3c\x7f\xad\x1b\x67\x81\x57" \ |
204 | 1.73k | "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \ |
205 | 1.73k | "\x00\x0c\x00\x06\x00\x05\x00\x00\x02\x00\x01\xb4\x2b\xe8\x47\x40" \ |
206 | 1.73k | "\x00\x1c\x71\xc7\x00\x01\xff\xff\xed\x69\x58\xec\xc0\x06\x00\x08" \ |
207 | 1.73k | "\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04\x80\x08\x00\x0b" \ |
208 | 1.73k | "\xc0\x10\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24\x40\x39\xcf\x32" \ |
209 | 1.73k | "\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6\x2f\xb7\x81\x96" \ |
210 | 1.73k | "\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa\x80\x04\x00\x08" \ |
211 | 1.73k | "\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00\x81\xe1\x1e\x81" \ |
212 | 1.73k | "\xea\x41\xeb\xf0\x12\xd9\x74\xbe\x13\xfd\x4b\x6c\x5c\xa2\x8f\x00"; |
213 | 1.73k | char fuzz_cookie_ack[] = "\x13\x89\x13\x88\xb7\x0d\x32\x66\x00\x00\x00\x00\x0b\x00\x00\x04"; |
214 | | |
215 | 1.73k | char data_common_headr[] = "\x13\x89\x13\x88\xb7\x0d\x32\x66\x00\x00\x00\x00"; |
216 | | |
217 | 1.73k | if (!initialized) { |
218 | 1 | initialized = initialize_fuzzer(); |
219 | 1 | } |
220 | | |
221 | 1.73k | if (data_size < 10) { |
222 | | // Skip too small packets |
223 | 7 | fuzzer_printf("data_size %zu makes no sense, skipping\n", data_size); |
224 | 7 | return (0); |
225 | 7 | } |
226 | | |
227 | 1.73k | socket_client = usrsctp_socket(AF_CONN, SOCK_STREAM, IPPROTO_SCTP, NULL, NULL, 0, 0); |
228 | 1.73k | FUZZER_ASSERT(socket_client != NULL); |
229 | | |
230 | 1.73k | usrsctp_set_non_blocking(socket_client, 1); |
231 | | |
232 | 1.73k | memset(&initmsg, 1, sizeof(struct sctp_initmsg)); |
233 | 1.73k | result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INITMSG, &initmsg, sizeof(struct sctp_initmsg)); |
234 | 1.73k | FUZZER_ASSERT(result == 0); |
235 | | |
236 | 1.73k | so_linger.l_onoff = 1; |
237 | 1.73k | so_linger.l_linger = 0; |
238 | 1.73k | result = usrsctp_setsockopt(socket_client, SOL_SOCKET, SO_LINGER, &so_linger, sizeof(struct linger)); |
239 | 1.73k | FUZZER_ASSERT(result == 0); |
240 | | |
241 | 1.73k | memset(&event, 0, sizeof(event)); |
242 | 1.73k | event.se_on = 1; |
243 | 24.2k | for (i = 0; i < (sizeof(event_types) / sizeof(uint16_t)); i++) { |
244 | 22.5k | event.se_type = event_types[i]; |
245 | 22.5k | result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(event)); |
246 | 22.5k | } |
247 | | |
248 | 1.73k | optval = 1; |
249 | 1.73k | result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVRCVINFO, &optval, sizeof(optval)); |
250 | 1.73k | FUZZER_ASSERT(result == 0); |
251 | | |
252 | 1.73k | optval = 1; |
253 | 1.73k | result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVNXTINFO, &optval, sizeof(optval)); |
254 | 1.73k | FUZZER_ASSERT(result == 0); |
255 | | |
256 | 1.73k | if (data[0] & I_DATA_FLAG) { |
257 | | // set the program supporting I-DATA |
258 | 186 | optval = 2; |
259 | 186 | result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_FRAGMENT_INTERLEAVE, &optval, sizeof(optval)); |
260 | 186 | FUZZER_ASSERT(result == 0); |
261 | | |
262 | 186 | memset(&assoc_val, 0, sizeof(assoc_val)); |
263 | 186 | assoc_val.assoc_value = 1; |
264 | 186 | result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INTERLEAVING_SUPPORTED, &assoc_val, sizeof(assoc_val)); |
265 | 186 | FUZZER_ASSERT(result == 0); |
266 | 186 | } |
267 | | |
268 | 1.73k | optval = 1; |
269 | 1.73k | result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_REUSE_PORT, &optval, sizeof(optval)); |
270 | 1.73k | FUZZER_ASSERT(result == 0); |
271 | | |
272 | 1.73k | memset(&sconn, 0, sizeof(struct sockaddr_conn)); |
273 | 1.73k | sconn.sconn_family = AF_CONN; |
274 | | #ifdef HAVE_SCONN_LEN |
275 | | sconn.sconn_len = sizeof(struct sockaddr_conn); |
276 | | #endif // HAVE_SCONN_LEN |
277 | 1.73k | sconn.sconn_port = htons(5000); |
278 | 1.73k | sconn.sconn_addr = (void *)1; |
279 | | |
280 | 1.73k | result = usrsctp_bind(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn)); |
281 | 1.73k | FUZZER_ASSERT(result == 0); |
282 | | |
283 | 1.73k | optval = 1; |
284 | 1.73k | result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_NODELAY, &optval, sizeof(optval)); |
285 | 1.73k | FUZZER_ASSERT(result == 0); |
286 | | |
287 | 1.73k | usrsctp_set_upcall(socket_client, handle_upcall, NULL); |
288 | | |
289 | 1.73k | memset(&sconn, 0, sizeof(struct sockaddr_conn)); |
290 | 1.73k | sconn.sconn_family = AF_CONN; |
291 | | #ifdef HAVE_SCONN_LEN |
292 | | sconn.sconn_len = sizeof(struct sockaddr_conn); |
293 | | #endif // HAVE_SCONN_LEN |
294 | 1.73k | sconn.sconn_port = htons(5001); |
295 | 1.73k | sconn.sconn_addr = (void *)1; |
296 | | |
297 | 1.73k | result = usrsctp_connect(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn)); |
298 | 1.73k | FUZZER_ASSERT(result == 0 || errno == EINPROGRESS); |
299 | | |
300 | 1.73k | if (data[0] & NR_SACK_FLAG) { |
301 | 113 | common_header = (struct sctp_common_header*) fuzz_init_ack_nrsack_support; |
302 | 113 | common_header->verification_tag = assoc_vtag; |
303 | 113 | usrsctp_conninput((void *)1, fuzz_init_ack_nrsack_support, 448, 0); |
304 | 1.61k | } else { |
305 | 1.61k | common_header = (struct sctp_common_header*) fuzz_init_ack; |
306 | 1.61k | common_header->verification_tag = assoc_vtag; |
307 | 1.61k | usrsctp_conninput((void *)1, fuzz_init_ack, 448, 0); |
308 | 1.61k | } |
309 | | |
310 | | |
311 | 1.73k | common_header = (struct sctp_common_header*) fuzz_cookie_ack; |
312 | 1.73k | common_header->verification_tag = assoc_vtag; |
313 | 1.73k | usrsctp_conninput((void *)1, fuzz_cookie_ack, 16, 0); |
314 | | |
315 | 1.73k | fuzz_data_count = 0; |
316 | 13.1M | while (fuzz_data_count+4 < data_size) { |
317 | 13.1M | size_t data_chunk_size = (data[fuzz_data_count+2]<<8) + data[fuzz_data_count+3]; |
318 | 13.1M | if (data_chunk_size == 0) { |
319 | 37 | break; |
320 | 37 | } |
321 | 13.1M | if (fuzz_data_count + data_chunk_size > data_size) { |
322 | 706 | data_chunk_size = data_size - fuzz_data_count; |
323 | 706 | } |
324 | 13.1M | if (data[fuzz_data_count] & NR_SACK_FLAG || |
325 | 13.1M | data[fuzz_data_count] & SACK_FLAG) { |
326 | 13.1M | send_data_buffer = malloc(SEND_DATA_SIZE); |
327 | 13.1M | FUZZER_ASSERT(send_data_buffer != NULL ); |
328 | 13.1M | memset(send_data_buffer, 1, SEND_DATA_SIZE); |
329 | 13.1M | fuzzer_printf("Calling usrsctp_sendv()\n"); |
330 | 13.1M | usrsctp_sendv(socket_client, send_data_buffer, SEND_DATA_SIZE, NULL, 0, NULL, 0, SCTP_SENDV_NOINFO, 0); |
331 | 13.1M | free(send_data_buffer); |
332 | 13.1M | } |
333 | 13.1M | fuzz_packet_buffer = malloc(data_chunk_size + COMMON_HEADER_SIZE); |
334 | 13.1M | memcpy(fuzz_packet_buffer, data_common_headr, COMMON_HEADER_SIZE); // common header |
335 | 13.1M | memcpy(fuzz_packet_buffer + COMMON_HEADER_SIZE, data+fuzz_data_count, data_chunk_size); |
336 | 13.1M | usrsctp_conninput((void *)1, fuzz_packet_buffer, data_chunk_size + COMMON_HEADER_SIZE, 0); |
337 | 13.1M | free(fuzz_packet_buffer); |
338 | 13.1M | fuzz_data_count += data_chunk_size; |
339 | 13.1M | } |
340 | | |
341 | 1.73k | usrsctp_close(socket_client); |
342 | | |
343 | 1.73k | return (0); |
344 | 1.73k | } |