DhcpFuzzer: Added AFL test for dhcpserver with sample packets

2018-05-14 15:03:37 +02:00 · 2018-05-14 15:03:37 +02:00 · 3a6d256d3e
parent adc3315677
commit 3a6d256d3e
11 changed files with 184 additions and 0 deletions
--- a/components/lwip/test_afl_host/Makefile
+++ b/components/lwip/test_afl_host/Makefile
@ -0,0 +1,36 @@
+COMPONENTS_DIR=../..
+CFLAGS=-std=gnu99 -Og -ggdb -ffunction-sections -fdata-sections -nostdlib -Wall -Werror=all -Wno-error=unused-function -Wno-error=unused-variable -Wno-error=deprecated-declarations -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-address   -Wno-unused-variable -DESP_PLATFORM -D IDF_VER=\"v3.1-dev-961-ga2556229-dirty\" -MMD -MP   -DWITH_POSIX \
+-DIRAM_ATTR='' -D__ESP_ATTR_H__
+INC_DIRS=-I . -I $(COMPONENTS_DIR)/lwip/include/lwip -I $(COMPONENTS_DIR)/lwip/include/lwip/port -I $(COMPONENTS_DIR)/lwip/include/lwip/posix -I $(COMPONENTS_DIR)/lwip/apps/ping -I $(COMPONENTS_DIR)/app_trace/include -I $(COMPONENTS_DIR)/app_update/include -I $(COMPONENTS_DIR)/bootloader_support/include -I $(COMPONENTS_DIR)/bt/include -I $(COMPONENTS_DIR)/coap/port/include -I $(COMPONENTS_DIR)/coap/port/include/coap -I $(COMPONENTS_DIR)/coap/libcoap/include -I \ $(COMPONENTS_DIR)/coap/libcoap/include/coap -I $(COMPONENTS_DIR)/console -I $(COMPONENTS_DIR)/cxx/include -I $(COMPONENTS_DIR)/driver/include -I $(COMPONENTS_DIR)/esp-tls -I $(COMPONENTS_DIR)/esp32/include -I $(COMPONENTS_DIR)/esp_adc_cal/include -I $(COMPONENTS_DIR)/ethernet/include -I $(COMPONENTS_DIR)/expat/port/include -I $(COMPONENTS_DIR)/expat/include/expat -I $(COMPONENTS_DIR)/fatfs/src -I $(COMPONENTS_DIR)/freertos/include -I $(COMPONENTS_DIR)/heap/include -I \ $(COMPONENTS_DIR)/idf_test/include -I $(COMPONENTS_DIR)/jsmn/include -I $(COMPONENTS_DIR)/json/cJSON -I $(COMPONENTS_DIR)/libsodium/libsodium/src/libsodium/include -I $(COMPONENTS_DIR)/libsodium/port_include -I $(COMPONENTS_DIR)/log/include -I /home/david/esp/esp-idf/examples/wifi/simple_wifi/main/include -I $(COMPONENTS_DIR)/mbedtls/port/include -I $(COMPONENTS_DIR)/mbedtls/include -I $(COMPONENTS_DIR)/mdns/include -I $(COMPONENTS_DIR)/micro-ecc/micro-ecc -I \ $(COMPONENTS_DIR)/newlib/platform_include -I $(COMPONENTS_DIR)/newlib/include -I $(COMPONENTS_DIR)/nghttp/port/include -I $(COMPONENTS_DIR)/nghttp/nghttp2/lib/includes -I $(COMPONENTS_DIR)/nvs_flash/include -I $(COMPONENTS_DIR)/openssl/include -I $(COMPONENTS_DIR)/pthread/include -I $(COMPONENTS_DIR)/sdmmc/include -I $(COMPONENTS_DIR)/smartconfig/include -I $(COMPONENTS_DIR)/soc/esp32/include -I $(COMPONENTS_DIR)/soc/include -I $(COMPONENTS_DIR)/spi_flash/include -I \ $(COMPONENTS_DIR)/spiffs/include -I $(COMPONENTS_DIR)/tcpip_adapter/include -I $(COMPONENTS_DIR)/ulp/include -I $(COMPONENTS_DIR)/vfs/include -I $(COMPONENTS_DIR)/wear_levelling/include -I $(COMPONENTS_DIR)/wpa_supplicant/include -I $(COMPONENTS_DIR)/wpa_supplicant/port/include -I $(COMPONENTS_DIR)/esp32/include -I $(COMPONENTS_DIR)/xtensa-debug-module/include
+TEST_NAME=test
+FUZZ=afl-fuzz
+LD=$(CC)
+DHCPSERVER_C_DEPENDENCY_INJECTION=-include dhcpserver_di.h
+
+ifeq ($(MODE),sim)
+    CC=gcc
+    CFLAGS+=-DSIM
+    TEST_NAME=test_sim
+else
+    CC=afl-clang-fast
+endif
+
+CFLAGS+=$(INC_DIRS)
+OBJECTS=dhcpserver.o test.o network_mock.o
+
+all: $(TEST_NAME)
+
+dhcpserver.o: ../apps/dhcpserver.c
+	@echo "[CC] $<"
+	$(CC) $(CFLAGS) $(DHCPSERVER_C_DEPENDENCY_INJECTION) -c $< -o $@
+
+%.o: %.c
+	@echo "[CC] $<"
+	@$(CC) $(CFLAGS) -c $< -o $@
+
+$(TEST_NAME): $(OBJECTS)
+	@echo "[LD] $@"
+	@$(LD)  $(OBJECTS) -o $@ $(LDLIBS)
+
+fuzz: $(TEST_NAME)
+	@$(FUZZ) -i "in" -o "out" -- ./$(TEST_NAME)
--- a/components/lwip/test_afl_host/dhcpserver_di.h
+++ b/components/lwip/test_afl_host/dhcpserver_di.h
@ -0,0 +1,21 @@
+/*
+ * dhcpserver dependecy injection -- preincluded to inject interface test functions into static variables
+ * 
+ */
+#include "lwip/pbuf.h"
+#include "lwip/udp.h"
+#include "tcpip_adapter.h"
+
+static void handle_dhcp(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port);
+
+void (*dhcp_test_static_handle_hdcp)(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port) = NULL;
+
+void dhcp_test_init_di()
+{
+    dhcp_test_static_handle_hdcp = handle_dhcp;
+}
+
+void dhcp_test_handle_dhcp(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port)
+{
+    dhcp_test_static_handle_hdcp(arg, pcb, p, addr, port);
+}
--- a/components/lwip/test_afl_host/in/data0.bin
+++ b/components/lwip/test_afl_host/in/data0.bin
--- a/components/lwip/test_afl_host/in/data1.bin
+++ b/components/lwip/test_afl_host/in/data1.bin
--- a/components/lwip/test_afl_host/in/data2.bin
+++ b/components/lwip/test_afl_host/in/data2.bin
--- a/components/lwip/test_afl_host/in/data3.bin
+++ b/components/lwip/test_afl_host/in/data3.bin
--- a/components/lwip/test_afl_host/in/data4.bin
+++ b/components/lwip/test_afl_host/in/data4.bin
--- a/components/lwip/test_afl_host/in/data5.bin
+++ b/components/lwip/test_afl_host/in/data5.bin
--- a/components/lwip/test_afl_host/in/data6.bin
+++ b/components/lwip/test_afl_host/in/data6.bin
--- a/components/lwip/test_afl_host/network_mock.c
+++ b/components/lwip/test_afl_host/network_mock.c
@ -0,0 +1,74 @@
+#include <stdio.h>
+#include "lwip/opt.h"
+#include "lwip/def.h"
+#include "lwip/pbuf.h"
+#include "lwip/udp.h"
+#include "tcpip_adapter.h"
+#include <string.h>
+
+u16_t lwip_htons(u16_t n)
+{
+    return 0;
+}
+
+u32_t lwip_htonl(u32_t n)
+{
+    return 0;
+}
+
+esp_err_t tcpip_adapter_get_ip_info(tcpip_adapter_if_t tcpip_if, tcpip_adapter_ip_info_t *ip_info)
+{
+ return ESP_OK;
+}
+
+struct pbuf * pbuf_alloc(pbuf_layer layer, u16_t length, pbuf_type type)
+{
+    struct pbuf * p;
+    p = (struct pbuf *)malloc(MEMP_PBUF_POOL);
+    p->tot_len = length;
+    p->next = NULL;
+    p->type = PBUF_POOL;
+    p->len = length;
+    p->payload = malloc(length);
+    return p;
+}
+
+u8_t pbuf_free(struct pbuf *p)
+{
+    if (p) {
+        if (p->payload) {
+            free(p->payload);
+            p->payload = NULL;
+        }
+        free (p);
+        p = NULL;
+    }
+    return 1;
+}
+
+err_t udp_sendto(struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *dst_ip, u16_t dst_port)
+{
+    return ESP_OK;
+}
+
+void udp_remove(struct udp_pcb *pcb)
+{
+}
+
+struct udp_pcb *udp_new(void)
+{
+    return NULL;
+}
+
+err_t udp_bind(struct udp_pcb *pcb, const ip_addr_t *ipaddr, u16_t port)
+{
+    return ESP_OK;
+}
+
+void udp_recv(struct udp_pcb *pcb, udp_recv_fn recv, void *recv_arg)
+{
+}
+
+void udp_disconnect(struct udp_pcb *pcb)
+{
+}
--- a/components/lwip/test_afl_host/test.c
+++ b/components/lwip/test_afl_host/test.c
@ -0,0 +1,53 @@
+#include <stdio.h>
+#include "lwip/pbuf.h"
+#include "lwip/udp.h"
+#include "tcpip_adapter.h"
+#include <string.h>
+
+const ip_addr_t ip_addr_any;
+ip4_addr_t server_ip;
+struct netif mynetif;
+
+// Dependency injected static function to pass the packet into parser
+void dhcp_test_handle_dhcp(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port);
+void dhcp_test_init_di();
+
+// Starting the test
+int main()
+{
+    uint8_t *buf;
+    struct pbuf *p;
+    FILE *file;
+    size_t len = 1460;
+
+    dhcp_test_init_di();
+
+    p = pbuf_alloc(PBUF_RAW, len, PBUF_POOL);
+    buf = p->payload;
+
+    IP4_ADDR(&server_ip, 192,168,4,1);
+    dhcps_start(&mynetif, server_ip);
+
+#ifdef SIM
+    memset(buf, 0, 1460);
+
+    file = fopen("in/data1.bin", "r");
+    if (file) {
+    len = fread(buf, 1, 1460, file);
+    }
+    fclose(file);
+    int i;
+    for (i=0; i<1; i++) {
+#else
+    while (__AFL_LOOP(1000)) {
+        memset(buf, 0, 1460);
+        size_t len = read(0, buf, 1460);
+#endif
+        p->len = len;
+        p->tot_len = len;
+        p->next = NULL;
+
+        dhcp_test_handle_dhcp(NULL, NULL, p, &ip_addr_any, 0);
+    }
+    return 0;
+}