From 3a6d256d3e81d7057ec6c9bd86f14d007df9e8eb Mon Sep 17 00:00:00 2001 From: David Cermak Date: Mon, 14 May 2018 15:03:37 +0200 Subject: [PATCH 1/3] DhcpFuzzer: Added AFL test for dhcpserver with sample packets --- components/lwip/test_afl_host/Makefile | 36 +++++++++ components/lwip/test_afl_host/dhcpserver_di.h | 21 +++++ components/lwip/test_afl_host/in/data0.bin | Bin 0 -> 300 bytes components/lwip/test_afl_host/in/data1.bin | Bin 0 -> 300 bytes components/lwip/test_afl_host/in/data2.bin | Bin 0 -> 300 bytes components/lwip/test_afl_host/in/data3.bin | Bin 0 -> 305 bytes components/lwip/test_afl_host/in/data4.bin | Bin 0 -> 300 bytes components/lwip/test_afl_host/in/data5.bin | Bin 0 -> 311 bytes components/lwip/test_afl_host/in/data6.bin | Bin 0 -> 316 bytes components/lwip/test_afl_host/network_mock.c | 74 ++++++++++++++++++ components/lwip/test_afl_host/test.c | 53 +++++++++++++ 11 files changed, 184 insertions(+) create mode 100644 components/lwip/test_afl_host/Makefile create mode 100644 components/lwip/test_afl_host/dhcpserver_di.h create mode 100644 components/lwip/test_afl_host/in/data0.bin create mode 100644 components/lwip/test_afl_host/in/data1.bin create mode 100644 components/lwip/test_afl_host/in/data2.bin create mode 100644 components/lwip/test_afl_host/in/data3.bin create mode 100644 components/lwip/test_afl_host/in/data4.bin create mode 100644 components/lwip/test_afl_host/in/data5.bin create mode 100644 components/lwip/test_afl_host/in/data6.bin create mode 100644 components/lwip/test_afl_host/network_mock.c create mode 100644 components/lwip/test_afl_host/test.c diff --git a/components/lwip/test_afl_host/Makefile b/components/lwip/test_afl_host/Makefile new file mode 100644 index 000000000..1762fc6fa --- /dev/null +++ b/components/lwip/test_afl_host/Makefile @@ -0,0 +1,36 @@ +COMPONENTS_DIR=../.. +CFLAGS=-std=gnu99 -Og -ggdb -ffunction-sections -fdata-sections -nostdlib -Wall -Werror=all -Wno-error=unused-function -Wno-error=unused-variable -Wno-error=deprecated-declarations -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-address -Wno-unused-variable -DESP_PLATFORM -D IDF_VER=\"v3.1-dev-961-ga2556229-dirty\" -MMD -MP -DWITH_POSIX \ +-DIRAM_ATTR='' -D__ESP_ATTR_H__ +INC_DIRS=-I . -I $(COMPONENTS_DIR)/lwip/include/lwip -I $(COMPONENTS_DIR)/lwip/include/lwip/port -I $(COMPONENTS_DIR)/lwip/include/lwip/posix -I $(COMPONENTS_DIR)/lwip/apps/ping -I $(COMPONENTS_DIR)/app_trace/include -I $(COMPONENTS_DIR)/app_update/include -I $(COMPONENTS_DIR)/bootloader_support/include -I $(COMPONENTS_DIR)/bt/include -I $(COMPONENTS_DIR)/coap/port/include -I $(COMPONENTS_DIR)/coap/port/include/coap -I $(COMPONENTS_DIR)/coap/libcoap/include -I \ $(COMPONENTS_DIR)/coap/libcoap/include/coap -I $(COMPONENTS_DIR)/console -I $(COMPONENTS_DIR)/cxx/include -I $(COMPONENTS_DIR)/driver/include -I $(COMPONENTS_DIR)/esp-tls -I $(COMPONENTS_DIR)/esp32/include -I $(COMPONENTS_DIR)/esp_adc_cal/include -I $(COMPONENTS_DIR)/ethernet/include -I $(COMPONENTS_DIR)/expat/port/include -I $(COMPONENTS_DIR)/expat/include/expat -I $(COMPONENTS_DIR)/fatfs/src -I $(COMPONENTS_DIR)/freertos/include -I $(COMPONENTS_DIR)/heap/include -I \ $(COMPONENTS_DIR)/idf_test/include -I $(COMPONENTS_DIR)/jsmn/include -I $(COMPONENTS_DIR)/json/cJSON -I $(COMPONENTS_DIR)/libsodium/libsodium/src/libsodium/include -I $(COMPONENTS_DIR)/libsodium/port_include -I $(COMPONENTS_DIR)/log/include -I /home/david/esp/esp-idf/examples/wifi/simple_wifi/main/include -I $(COMPONENTS_DIR)/mbedtls/port/include -I $(COMPONENTS_DIR)/mbedtls/include -I $(COMPONENTS_DIR)/mdns/include -I $(COMPONENTS_DIR)/micro-ecc/micro-ecc -I \ $(COMPONENTS_DIR)/newlib/platform_include -I $(COMPONENTS_DIR)/newlib/include -I $(COMPONENTS_DIR)/nghttp/port/include -I $(COMPONENTS_DIR)/nghttp/nghttp2/lib/includes -I $(COMPONENTS_DIR)/nvs_flash/include -I $(COMPONENTS_DIR)/openssl/include -I $(COMPONENTS_DIR)/pthread/include -I $(COMPONENTS_DIR)/sdmmc/include -I $(COMPONENTS_DIR)/smartconfig/include -I $(COMPONENTS_DIR)/soc/esp32/include -I $(COMPONENTS_DIR)/soc/include -I $(COMPONENTS_DIR)/spi_flash/include -I \ $(COMPONENTS_DIR)/spiffs/include -I $(COMPONENTS_DIR)/tcpip_adapter/include -I $(COMPONENTS_DIR)/ulp/include -I $(COMPONENTS_DIR)/vfs/include -I $(COMPONENTS_DIR)/wear_levelling/include -I $(COMPONENTS_DIR)/wpa_supplicant/include -I $(COMPONENTS_DIR)/wpa_supplicant/port/include -I $(COMPONENTS_DIR)/esp32/include -I $(COMPONENTS_DIR)/xtensa-debug-module/include +TEST_NAME=test +FUZZ=afl-fuzz +LD=$(CC) +DHCPSERVER_C_DEPENDENCY_INJECTION=-include dhcpserver_di.h + +ifeq ($(MODE),sim) + CC=gcc + CFLAGS+=-DSIM + TEST_NAME=test_sim +else + CC=afl-clang-fast +endif + +CFLAGS+=$(INC_DIRS) +OBJECTS=dhcpserver.o test.o network_mock.o + +all: $(TEST_NAME) + +dhcpserver.o: ../apps/dhcpserver.c + @echo "[CC] $<" + $(CC) $(CFLAGS) $(DHCPSERVER_C_DEPENDENCY_INJECTION) -c $< -o $@ + +%.o: %.c + @echo "[CC] $<" + @$(CC) $(CFLAGS) -c $< -o $@ + +$(TEST_NAME): $(OBJECTS) + @echo "[LD] $@" + @$(LD) $(OBJECTS) -o $@ $(LDLIBS) + +fuzz: $(TEST_NAME) + @$(FUZZ) -i "in" -o "out" -- ./$(TEST_NAME) diff --git a/components/lwip/test_afl_host/dhcpserver_di.h b/components/lwip/test_afl_host/dhcpserver_di.h new file mode 100644 index 000000000..4e5224eea --- /dev/null +++ b/components/lwip/test_afl_host/dhcpserver_di.h @@ -0,0 +1,21 @@ +/* + * dhcpserver dependecy injection -- preincluded to inject interface test functions into static variables + * + */ +#include "lwip/pbuf.h" +#include "lwip/udp.h" +#include "tcpip_adapter.h" + +static void handle_dhcp(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port); + +void (*dhcp_test_static_handle_hdcp)(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port) = NULL; + +void dhcp_test_init_di() +{ + dhcp_test_static_handle_hdcp = handle_dhcp; +} + +void dhcp_test_handle_dhcp(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port) +{ + dhcp_test_static_handle_hdcp(arg, pcb, p, addr, port); +} diff --git a/components/lwip/test_afl_host/in/data0.bin b/components/lwip/test_afl_host/in/data0.bin new file mode 100644 index 0000000000000000000000000000000000000000..2875ab855fc74a11fa5aa714f774dee80f6f2e52 GIT binary patch literal 300 zcmZQ%WMi=AxmLvh1P4~IFo9?o=(zrksdE{OH}vV`rr=~#Ms_n6php>bI8qYJGE;N| Joc|N+GXSYq4ekH{ literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in/data1.bin b/components/lwip/test_afl_host/in/data1.bin new file mode 100644 index 0000000000000000000000000000000000000000..17c8877f8f27245440561427a5eabe62cdae5446 GIT binary patch literal 300 zcmZQ%WMlBHo$khf1$12h#?-kCi^LEWN^S~HHf3ZqVmYvag^7nFC9y0sMK{3NoR?9C TiJ70RoJU7rs#5DePTv6lQ)mvI literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in/data2.bin b/components/lwip/test_afl_host/in/data2.bin new file mode 100644 index 0000000000000000000000000000000000000000..b1c32b9bdeb8cbaf3963cc1fc17a299eb10e15ad GIT binary patch literal 300 zcmZQ%WMlBHo$khf1$12h#?-kCi^LEWN^S~HHf3ZsV>z&bh0zE^GVySvB$j2S=mt2O W^D@dXG4r#P^XTYHRcigm;zt00{18R} literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in/data3.bin b/components/lwip/test_afl_host/in/data3.bin new file mode 100644 index 0000000000000000000000000000000000000000..6c6a7ae2d9da5e536fd24677cdde1f4e7e519596 GIT binary patch literal 305 zcmZQ%WMgPra_$ZT7Lan=*+n!Oi^LEWN^S~HHf3ZsVmYvaF~yRJ^^OfsN=9-)a*D30 uo~fQ0k3?c#N>P4hif)>@g<-0NMQU=QvAMa0X|g#dqargKzl^b!^?v|hwHLhr literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in/data4.bin b/components/lwip/test_afl_host/in/data4.bin new file mode 100644 index 0000000000000000000000000000000000000000..6d10ed9bd7996be4928f575f7592e9d96d662dc7 GIT binary patch literal 300 zcmZQ%WMg>g%qhu$1*F_|b`g!nA~8gTlAD5)O&J+2nON`G@T6oU7bK_Xn(CSAnej*@ p=A{(nXQt?;nOhj9T3DneCmNfZTbL%Bb22J2v+>IqTUq~S000{)6gB_= literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in/data5.bin b/components/lwip/test_afl_host/in/data5.bin new file mode 100644 index 0000000000000000000000000000000000000000..51f77595fb40ec25a156cdd01cf30cfe40cea8cc GIT binary patch literal 311 zcmZQ%WMg>g%qhu$1*F_|b`g!nA~8gTlAD5)O&OVuSPraUVKxJijFwEScWii4GLj3D yQ*=%BO!droBogydit;m4bkoc&3{x#EQj-&n&CM-Llg&996`9%iWsI$?{{sLQ8W)5B literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in/data6.bin b/components/lwip/test_afl_host/in/data6.bin new file mode 100644 index 0000000000000000000000000000000000000000..636fb4101427df688b1167edff5a87906262ad0b GIT binary patch literal 316 zcmZQ%WMj}gUB!S6yb-9@TKyZF%+M4|ZVFB|Wn{KxXN367h~>Zv78WxQ$!N*MddEf} yF)yVkKQl!)B_p{&*IdtlhtEARC$XYZ*U?zl$iUFtoQsi}jbBQ}*veY_KLY?XKpMON literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/network_mock.c b/components/lwip/test_afl_host/network_mock.c new file mode 100644 index 000000000..be624cee1 --- /dev/null +++ b/components/lwip/test_afl_host/network_mock.c @@ -0,0 +1,74 @@ +#include +#include "lwip/opt.h" +#include "lwip/def.h" +#include "lwip/pbuf.h" +#include "lwip/udp.h" +#include "tcpip_adapter.h" +#include + +u16_t lwip_htons(u16_t n) +{ + return 0; +} + +u32_t lwip_htonl(u32_t n) +{ + return 0; +} + +esp_err_t tcpip_adapter_get_ip_info(tcpip_adapter_if_t tcpip_if, tcpip_adapter_ip_info_t *ip_info) +{ + return ESP_OK; +} + +struct pbuf * pbuf_alloc(pbuf_layer layer, u16_t length, pbuf_type type) +{ + struct pbuf * p; + p = (struct pbuf *)malloc(MEMP_PBUF_POOL); + p->tot_len = length; + p->next = NULL; + p->type = PBUF_POOL; + p->len = length; + p->payload = malloc(length); + return p; +} + +u8_t pbuf_free(struct pbuf *p) +{ + if (p) { + if (p->payload) { + free(p->payload); + p->payload = NULL; + } + free (p); + p = NULL; + } + return 1; +} + +err_t udp_sendto(struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *dst_ip, u16_t dst_port) +{ + return ESP_OK; +} + +void udp_remove(struct udp_pcb *pcb) +{ +} + +struct udp_pcb *udp_new(void) +{ + return NULL; +} + +err_t udp_bind(struct udp_pcb *pcb, const ip_addr_t *ipaddr, u16_t port) +{ + return ESP_OK; +} + +void udp_recv(struct udp_pcb *pcb, udp_recv_fn recv, void *recv_arg) +{ +} + +void udp_disconnect(struct udp_pcb *pcb) +{ +} diff --git a/components/lwip/test_afl_host/test.c b/components/lwip/test_afl_host/test.c new file mode 100644 index 000000000..821e56f57 --- /dev/null +++ b/components/lwip/test_afl_host/test.c @@ -0,0 +1,53 @@ +#include +#include "lwip/pbuf.h" +#include "lwip/udp.h" +#include "tcpip_adapter.h" +#include + +const ip_addr_t ip_addr_any; +ip4_addr_t server_ip; +struct netif mynetif; + +// Dependency injected static function to pass the packet into parser +void dhcp_test_handle_dhcp(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port); +void dhcp_test_init_di(); + +// Starting the test +int main() +{ + uint8_t *buf; + struct pbuf *p; + FILE *file; + size_t len = 1460; + + dhcp_test_init_di(); + + p = pbuf_alloc(PBUF_RAW, len, PBUF_POOL); + buf = p->payload; + + IP4_ADDR(&server_ip, 192,168,4,1); + dhcps_start(&mynetif, server_ip); + +#ifdef SIM + memset(buf, 0, 1460); + + file = fopen("in/data1.bin", "r"); + if (file) { + len = fread(buf, 1, 1460, file); + } + fclose(file); + int i; + for (i=0; i<1; i++) { +#else + while (__AFL_LOOP(1000)) { + memset(buf, 0, 1460); + size_t len = read(0, buf, 1460); +#endif + p->len = len; + p->tot_len = len; + p->next = NULL; + + dhcp_test_handle_dhcp(NULL, NULL, p, &ip_addr_any, 0); + } + return 0; +} From 5ecf717e40ae1f067821c9779b0c7f8144b066f4 Mon Sep 17 00:00:00 2001 From: David Cermak Date: Tue, 15 May 2018 15:49:10 +0200 Subject: [PATCH 2/3] DhcpFuzzer: dhcp client addded --- components/lwip/test_afl_host/Makefile | 27 ++- components/lwip/test_afl_host/dhcp_di.h | 32 +++ components/lwip/test_afl_host/dhcpserver_di.h | 1 + .../lwip/test_afl_host/in_client/data0.bin | Bin 0 -> 548 bytes .../lwip/test_afl_host/in_client/data1.bin | Bin 0 -> 548 bytes .../lwip/test_afl_host/in_client/data2.bin | Bin 0 -> 548 bytes .../lwip/test_afl_host/in_client/data3.bin | Bin 0 -> 548 bytes .../lwip/test_afl_host/in_client/data4.bin | Bin 0 -> 548 bytes .../lwip/test_afl_host/in_client/data5.bin | Bin 0 -> 548 bytes .../lwip/test_afl_host/in_client/data6.bin | Bin 0 -> 548 bytes .../lwip/test_afl_host/in_client/data7.bin | Bin 0 -> 548 bytes .../lwip/test_afl_host/in_client/data8.bin | Bin 0 -> 548 bytes .../test_afl_host/{in => in_server}/data0.bin | Bin .../test_afl_host/{in => in_server}/data1.bin | Bin .../test_afl_host/{in => in_server}/data2.bin | Bin .../test_afl_host/{in => in_server}/data3.bin | Bin .../test_afl_host/{in => in_server}/data4.bin | Bin .../test_afl_host/{in => in_server}/data5.bin | Bin .../test_afl_host/{in => in_server}/data6.bin | Bin components/lwip/test_afl_host/network_mock.c | 70 +++++- components/lwip/test_afl_host/no_warn_host.h | 5 + components/lwip/test_afl_host/sdkconfig.h | 220 ++++++++++++++++++ components/lwip/test_afl_host/test_client.c | 84 +++++++ .../test_afl_host/{test.c => test_server.c} | 29 ++- 24 files changed, 449 insertions(+), 19 deletions(-) create mode 100644 components/lwip/test_afl_host/dhcp_di.h create mode 100644 components/lwip/test_afl_host/in_client/data0.bin create mode 100644 components/lwip/test_afl_host/in_client/data1.bin create mode 100644 components/lwip/test_afl_host/in_client/data2.bin create mode 100644 components/lwip/test_afl_host/in_client/data3.bin create mode 100644 components/lwip/test_afl_host/in_client/data4.bin create mode 100644 components/lwip/test_afl_host/in_client/data5.bin create mode 100644 components/lwip/test_afl_host/in_client/data6.bin create mode 100644 components/lwip/test_afl_host/in_client/data7.bin create mode 100644 components/lwip/test_afl_host/in_client/data8.bin rename components/lwip/test_afl_host/{in => in_server}/data0.bin (100%) rename components/lwip/test_afl_host/{in => in_server}/data1.bin (100%) rename components/lwip/test_afl_host/{in => in_server}/data2.bin (100%) rename components/lwip/test_afl_host/{in => in_server}/data3.bin (100%) rename components/lwip/test_afl_host/{in => in_server}/data4.bin (100%) rename components/lwip/test_afl_host/{in => in_server}/data5.bin (100%) rename components/lwip/test_afl_host/{in => in_server}/data6.bin (100%) create mode 100644 components/lwip/test_afl_host/no_warn_host.h create mode 100644 components/lwip/test_afl_host/sdkconfig.h create mode 100644 components/lwip/test_afl_host/test_client.c rename components/lwip/test_afl_host/{test.c => test_server.c} (70%) diff --git a/components/lwip/test_afl_host/Makefile b/components/lwip/test_afl_host/Makefile index 1762fc6fa..a3da02e11 100644 --- a/components/lwip/test_afl_host/Makefile +++ b/components/lwip/test_afl_host/Makefile @@ -1,28 +1,39 @@ COMPONENTS_DIR=../.. -CFLAGS=-std=gnu99 -Og -ggdb -ffunction-sections -fdata-sections -nostdlib -Wall -Werror=all -Wno-error=unused-function -Wno-error=unused-variable -Wno-error=deprecated-declarations -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-address -Wno-unused-variable -DESP_PLATFORM -D IDF_VER=\"v3.1-dev-961-ga2556229-dirty\" -MMD -MP -DWITH_POSIX \ --DIRAM_ATTR='' -D__ESP_ATTR_H__ +CFLAGS=-std=gnu99 -Og -ggdb -ffunction-sections -fdata-sections -nostdlib -Wall -Werror=all -Wno-int-to-pointer-cast -Wno-error=unused-function -Wno-error=unused-variable -Wno-error=deprecated-declarations -Wextra \ +-Wno-unused-parameter -Wno-sign-compare -Wno-address -Wno-unused-variable -DESP_PLATFORM -D IDF_VER=\"v3.1\" -MMD -MP -DWITH_POSIX INC_DIRS=-I . -I $(COMPONENTS_DIR)/lwip/include/lwip -I $(COMPONENTS_DIR)/lwip/include/lwip/port -I $(COMPONENTS_DIR)/lwip/include/lwip/posix -I $(COMPONENTS_DIR)/lwip/apps/ping -I $(COMPONENTS_DIR)/app_trace/include -I $(COMPONENTS_DIR)/app_update/include -I $(COMPONENTS_DIR)/bootloader_support/include -I $(COMPONENTS_DIR)/bt/include -I $(COMPONENTS_DIR)/coap/port/include -I $(COMPONENTS_DIR)/coap/port/include/coap -I $(COMPONENTS_DIR)/coap/libcoap/include -I \ $(COMPONENTS_DIR)/coap/libcoap/include/coap -I $(COMPONENTS_DIR)/console -I $(COMPONENTS_DIR)/cxx/include -I $(COMPONENTS_DIR)/driver/include -I $(COMPONENTS_DIR)/esp-tls -I $(COMPONENTS_DIR)/esp32/include -I $(COMPONENTS_DIR)/esp_adc_cal/include -I $(COMPONENTS_DIR)/ethernet/include -I $(COMPONENTS_DIR)/expat/port/include -I $(COMPONENTS_DIR)/expat/include/expat -I $(COMPONENTS_DIR)/fatfs/src -I $(COMPONENTS_DIR)/freertos/include -I $(COMPONENTS_DIR)/heap/include -I \ $(COMPONENTS_DIR)/idf_test/include -I $(COMPONENTS_DIR)/jsmn/include -I $(COMPONENTS_DIR)/json/cJSON -I $(COMPONENTS_DIR)/libsodium/libsodium/src/libsodium/include -I $(COMPONENTS_DIR)/libsodium/port_include -I $(COMPONENTS_DIR)/log/include -I /home/david/esp/esp-idf/examples/wifi/simple_wifi/main/include -I $(COMPONENTS_DIR)/mbedtls/port/include -I $(COMPONENTS_DIR)/mbedtls/include -I $(COMPONENTS_DIR)/mdns/include -I $(COMPONENTS_DIR)/micro-ecc/micro-ecc -I \ $(COMPONENTS_DIR)/newlib/platform_include -I $(COMPONENTS_DIR)/newlib/include -I $(COMPONENTS_DIR)/nghttp/port/include -I $(COMPONENTS_DIR)/nghttp/nghttp2/lib/includes -I $(COMPONENTS_DIR)/nvs_flash/include -I $(COMPONENTS_DIR)/openssl/include -I $(COMPONENTS_DIR)/pthread/include -I $(COMPONENTS_DIR)/sdmmc/include -I $(COMPONENTS_DIR)/smartconfig/include -I $(COMPONENTS_DIR)/soc/esp32/include -I $(COMPONENTS_DIR)/soc/include -I $(COMPONENTS_DIR)/spi_flash/include -I \ $(COMPONENTS_DIR)/spiffs/include -I $(COMPONENTS_DIR)/tcpip_adapter/include -I $(COMPONENTS_DIR)/ulp/include -I $(COMPONENTS_DIR)/vfs/include -I $(COMPONENTS_DIR)/wear_levelling/include -I $(COMPONENTS_DIR)/wpa_supplicant/include -I $(COMPONENTS_DIR)/wpa_supplicant/port/include -I $(COMPONENTS_DIR)/esp32/include -I $(COMPONENTS_DIR)/xtensa-debug-module/include TEST_NAME=test FUZZ=afl-fuzz LD=$(CC) -DHCPSERVER_C_DEPENDENCY_INJECTION=-include dhcpserver_di.h +ifeq ($(MODE),client) + DHCP_C_DEPENDENCY_INJECTION=-include dhcp_di.h + OBJECTS=dhcp.o network_mock.o test_client.o + SAMPLE_PACKETS=in_client +else + DHCP_C_DEPENDENCY_INJECTION=-include dhcpserver_di.h + OBJECTS=dhcpserver.o test_server.o network_mock.o + SAMPLE_PACKETS=in_server +endif -ifeq ($(MODE),sim) +ifeq ($(INSTR),off) CC=gcc - CFLAGS+=-DSIM + CFLAGS+=-DINSTR_IS_OFF TEST_NAME=test_sim else CC=afl-clang-fast endif CFLAGS+=$(INC_DIRS) -OBJECTS=dhcpserver.o test.o network_mock.o all: $(TEST_NAME) +dhcp.o: ../core/ipv4/dhcp.c + @echo "[CC] $<" + @$(CC) $(CFLAGS) $(DHCP_C_DEPENDENCY_INJECTION) -c $< -o $@ + dhcpserver.o: ../apps/dhcpserver.c @echo "[CC] $<" - $(CC) $(CFLAGS) $(DHCPSERVER_C_DEPENDENCY_INJECTION) -c $< -o $@ + @$(CC) $(CFLAGS) $(DHCP_C_DEPENDENCY_INJECTION) -c $< -o $@ %.o: %.c @echo "[CC] $<" @@ -33,4 +44,4 @@ $(TEST_NAME): $(OBJECTS) @$(LD) $(OBJECTS) -o $@ $(LDLIBS) fuzz: $(TEST_NAME) - @$(FUZZ) -i "in" -o "out" -- ./$(TEST_NAME) + @$(FUZZ) -t 500 -i "$(SAMPLE_PACKETS)" -o "out" -- ./$(TEST_NAME) diff --git a/components/lwip/test_afl_host/dhcp_di.h b/components/lwip/test_afl_host/dhcp_di.h new file mode 100644 index 000000000..5e7d9606f --- /dev/null +++ b/components/lwip/test_afl_host/dhcp_di.h @@ -0,0 +1,32 @@ +#include "no_warn_host.h" +#include "lwip/opt.h" +#include "lwip/stats.h" +#include "lwip/mem.h" +#include "lwip/udp.h" +#include "lwip/ip_addr.h" +#include "lwip/netif.h" +#include "lwip/def.h" +#include "lwip/dhcp.h" +#include "lwip/autoip.h" +#include "lwip/dns.h" +#include "netif/etharp.h" + +void __assert_func(const char *file, int line, const char *func, const char *expr) +{ + printf("Assert failed in %s, %s:%d (%s)", func, file, line, expr); + abort(); +} + +static void dhcp_recv(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port); + +void (*dhcp_test_static_dhcp_recv)(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port) = NULL; + +void dhcp_test_init_di() +{ + dhcp_test_static_dhcp_recv = dhcp_recv; +} + +void dhcp_test_dhcp_recv(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port) +{ + dhcp_test_static_dhcp_recv(arg, pcb, p, addr, port); +} diff --git a/components/lwip/test_afl_host/dhcpserver_di.h b/components/lwip/test_afl_host/dhcpserver_di.h index 4e5224eea..4b38aa5a4 100644 --- a/components/lwip/test_afl_host/dhcpserver_di.h +++ b/components/lwip/test_afl_host/dhcpserver_di.h @@ -2,6 +2,7 @@ * dhcpserver dependecy injection -- preincluded to inject interface test functions into static variables * */ +#include "no_warn_host.h" #include "lwip/pbuf.h" #include "lwip/udp.h" #include "tcpip_adapter.h" diff --git a/components/lwip/test_afl_host/in_client/data0.bin b/components/lwip/test_afl_host/in_client/data0.bin new file mode 100644 index 0000000000000000000000000000000000000000..afd14b5305cca31b377f2baa35e859cf0cb35a88 GIT binary patch literal 548 zcmZQ#WMlBHo$kiK(7*r!2Uf5!ff+!eg%qhvh(7*r!2Uf5!gBd^~<+ihnXf%vB^y%cL;AB%qCPtS3|Nk=>voJ8o pD44MTJg%qhvh(7*r!2Uf5!gBd^~<+ihnXf%vB^y%cL;AB%qRz{Zp|Nk=>voJ8o pD44MTJc4LVERAwJx_rT0FeF^$p8QV literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in_client/data6.bin b/components/lwip/test_afl_host/in_client/data6.bin new file mode 100644 index 0000000000000000000000000000000000000000..65695216c9c01db080a91148cd3e56df0bc4c6b2 GIT binary patch literal 548 zcmZQ#WMj}gUB$q_&;Y~?3c4LVERAwJx_rT0F;yz%m4rY literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in_client/data7.bin b/components/lwip/test_afl_host/in_client/data7.bin new file mode 100644 index 0000000000000000000000000000000000000000..6e26d917cc6777b845409aa2e5e3ff24077fe854 GIT binary patch literal 548 zcmZQ#WMf#XEt${2(7*r!2Uf7Kf*C-f +#include "no_warn_host.h" #include "lwip/opt.h" #include "lwip/def.h" #include "lwip/pbuf.h" #include "lwip/udp.h" #include "tcpip_adapter.h" #include +#include + +const ip_addr_t ip_addr_any; +const ip_addr_t ip_addr_broadcast; +struct ip_globals ip_data; +struct netif *netif_list; + u16_t lwip_htons(u16_t n) { @@ -53,11 +60,15 @@ err_t udp_sendto(struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *dst_ip, u void udp_remove(struct udp_pcb *pcb) { + if (pcb == NULL) + { + free(pcb); + } } struct udp_pcb *udp_new(void) { - return NULL; + return malloc(sizeof(struct udp_pcb)); } err_t udp_bind(struct udp_pcb *pcb, const ip_addr_t *ipaddr, u16_t port) @@ -72,3 +83,58 @@ void udp_recv(struct udp_pcb *pcb, udp_recv_fn recv, void *recv_arg) void udp_disconnect(struct udp_pcb *pcb) { } + +void dns_setserver(u8_t numdns, const ip_addr_t *dnsserver) +{ +} + +uint32_t esp_random(void) +{ + return 0; +} + +err_t etharp_query(struct netif *netif, const ip4_addr_t *ipaddr, struct pbuf *q) +{ + return ESP_OK; +} + +u32_t lwip_ntohl(u32_t x) +{ + return 0; +} + +void netif_set_addr(struct netif *netif, const ip4_addr_t *ipaddr, const ip4_addr_t *netmask, + const ip4_addr_t *gw) +{ +} + +void pbuf_realloc(struct pbuf *p, u16_t size) +{ + if (p != NULL) + { + uint8_t *buf = malloc(size); + free(p->payload); + p->payload = buf; + p->len = size; + p->tot_len = size; + } +} + +u16_t pbuf_copy_partial(struct pbuf *p, void *dataptr, u16_t len, u16_t offset) +{ + return 0; +} +err_t udp_connect(struct udp_pcb *pcb, const ip_addr_t *ipaddr, u16_t port) +{ + return ESP_OK; +} + +err_t udp_sendto_if(struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *dst_ip, u16_t dst_port, struct netif *netif) +{ + return ESP_OK; +} + +err_t udp_sendto_if_src(struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *dst_ip, u16_t dst_port, struct netif *netif, const ip_addr_t *src_ip) +{ + return ESP_OK; +} \ No newline at end of file diff --git a/components/lwip/test_afl_host/no_warn_host.h b/components/lwip/test_afl_host/no_warn_host.h new file mode 100644 index 000000000..37ab01ebe --- /dev/null +++ b/components/lwip/test_afl_host/no_warn_host.h @@ -0,0 +1,5 @@ +// Note: these undefs and defines are used to suppress warnings and errors when compiling esp32 idf on host gcc/clang +#undef __nonnull +#define __warning__ deprecated +#define IRAM_ATTR +#define __ESP_ATTR_H__ diff --git a/components/lwip/test_afl_host/sdkconfig.h b/components/lwip/test_afl_host/sdkconfig.h new file mode 100644 index 000000000..6f14a269a --- /dev/null +++ b/components/lwip/test_afl_host/sdkconfig.h @@ -0,0 +1,220 @@ +/* + * + * Automatically generated file; DO NOT EDIT. + * Espressif IoT Development Framework Configuration + * + */ +#define CONFIG_ESP32_PHY_MAX_TX_POWER 20 +#define CONFIG_TRACEMEM_RESERVE_DRAM 0x0 +#define CONFIG_FREERTOS_MAX_TASK_NAME_LEN 16 +#define CONFIG_FATFS_LFN_NONE 1 +#define CONFIG_TCP_RECVMBOX_SIZE 6 +#define CONFIG_FATFS_CODEPAGE_437 1 +#define CONFIG_LWIP_ETHARP_TRUST_IP_MAC 1 +#define CONFIG_TCP_WND_DEFAULT 5744 +#define CONFIG_SPIFFS_USE_MAGIC_LENGTH 1 +#define CONFIG_IPC_TASK_STACK_SIZE 1024 +#define CONFIG_FATFS_PER_FILE_CACHE 1 +#define CONFIG_ESPTOOLPY_FLASHFREQ "40m" +#define CONFIG_MBEDTLS_KEY_EXCHANGE_RSA 1 +#define CONFIG_UDP_RECVMBOX_SIZE 6 +#define CONFIG_FREERTOS_QUEUE_REGISTRY_SIZE 0 +#define CONFIG_MBEDTLS_AES_C 1 +#define CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED 1 +#define CONFIG_MBEDTLS_GCM_C 1 +#define CONFIG_ESPTOOLPY_FLASHSIZE "2MB" +#define CONFIG_HEAP_POISONING_DISABLED 1 +#define CONFIG_SPIFFS_CACHE_WR 1 +#define CONFIG_BROWNOUT_DET_LVL_SEL_0 1 +#define CONFIG_ESP32_WIFI_DYNAMIC_TX_BUFFER 1 +#define CONFIG_SPIFFS_CACHE 1 +#define CONFIG_INT_WDT 1 +#define CONFIG_MBEDTLS_SSL_PROTO_TLS1 1 +#define CONFIG_MBEDTLS_ECDSA_C 1 +#define CONFIG_ESPTOOLPY_FLASHFREQ_40M 1 +#define CONFIG_LOG_BOOTLOADER_LEVEL_INFO 1 +#define CONFIG_ESPTOOLPY_FLASHSIZE_2MB 1 +#define CONFIG_BTDM_CONTROLLER_PINNED_TO_CORE 0 +#define CONFIG_FREERTOS_THREAD_LOCAL_STORAGE_POINTERS 1 +#define CONFIG_MBEDTLS_ECDH_C 1 +#define CONFIG_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE 1 +#define CONFIG_ESP32_WIFI_STATIC_RX_BUFFER_NUM 10 +#define CONFIG_MBEDTLS_SSL_ALPN 1 +#define CONFIG_MBEDTLS_PEM_WRITE_C 1 +#define CONFIG_LOG_DEFAULT_LEVEL_INFO 1 +#define CONFIG_BT_RESERVE_DRAM 0x0 +#define CONFIG_FATFS_FS_LOCK 0 +#define CONFIG_IP_LOST_TIMER_INTERVAL 120 +#define CONFIG_SPIFFS_META_LENGTH 4 +#define CONFIG_ESP32_PANIC_PRINT_REBOOT 1 +#define CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED 1 +#define CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED 1 +#define CONFIG_CONSOLE_UART_BAUDRATE 115200 +#define CONFIG_LWIP_MAX_SOCKETS 10 +#define CONFIG_LWIP_NETIF_LOOPBACK 1 +#define CONFIG_ESP_WIFI_MODE_AP 1 +#define CONFIG_EMAC_TASK_PRIORITY 20 +#define CONFIG_TIMER_TASK_STACK_DEPTH 2048 +#define CONFIG_TCP_MSS 1436 +#define CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED 1 +#define CONFIG_FATFS_CODEPAGE 437 +#define CONFIG_ESP32_DEFAULT_CPU_FREQ_160 1 +#define CONFIG_ULP_COPROC_RESERVE_MEM 0 +#define CONFIG_LWIP_MAX_UDP_PCBS 16 +#define CONFIG_ESPTOOLPY_BAUD 115200 +#define CONFIG_INT_WDT_CHECK_CPU1 1 +#define CONFIG_ADC_CAL_LUT_ENABLE 1 +#define CONFIG_FLASHMODE_DIO 1 +#define CONFIG_ESPTOOLPY_AFTER_RESET 1 +#define CONFIG_OPTIMIZATION_ASSERTIONS_ENABLED 1 +#define CONFIG_LWIP_DHCPS_MAX_STATION_NUM 8 +#define CONFIG_TOOLPREFIX "xtensa-esp32-elf-" +#define CONFIG_MBEDTLS_ECP_C 1 +#define CONFIG_FREERTOS_IDLE_TASK_STACKSIZE 1024 +#define CONFIG_MBEDTLS_RC4_DISABLED 1 +#define CONFIG_CONSOLE_UART_NUM 0 +#define CONFIG_ESP32_APPTRACE_LOCK_ENABLE 1 +#define CONFIG_ESP32_RTC_CLOCK_SOURCE_INTERNAL_RC 1 +#define CONFIG_ESPTOOLPY_BAUD_115200B 1 +#define CONFIG_TCP_OVERSIZE_MSS 1 +#define CONFIG_FOUR_UNIVERSAL_MAC_ADDRESS 1 +#define CONFIG_CONSOLE_UART_DEFAULT 1 +#define CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN 16384 +#define CONFIG_NUMBER_OF_UNIVERSAL_MAC_ADDRESS 4 +#define CONFIG_ESPTOOLPY_FLASHSIZE_DETECT 1 +#define CONFIG_TIMER_TASK_STACK_SIZE 3584 +#define CONFIG_ESP32_ENABLE_COREDUMP_TO_NONE 1 +#define CONFIG_MBEDTLS_X509_CRL_PARSE_C 1 +#define CONFIG_LWIP_DHCPS_LEASE_UNIT 60 +#define CONFIG_SPIFFS_USE_MAGIC 1 +#define CONFIG_TCPIP_TASK_STACK_SIZE 2048 +#define CONFIG_TASK_WDT 1 +#define CONFIG_MAIN_TASK_STACK_SIZE 3584 +#define CONFIG_SPIFFS_PAGE_CHECK 1 +#define CONFIG_LWIP_MAX_ACTIVE_TCP 16 +#define CONFIG_TASK_WDT_TIMEOUT_S 5 +#define CONFIG_INT_WDT_TIMEOUT_MS 300 +#define CONFIG_ESP32_RTC_XTAL_BOOTSTRAP_CYCLES 100 +#define CONFIG_ESPTOOLPY_FLASHMODE "dio" +#define CONFIG_NEWLIB_STDIN_LINE_ENDING_CR 1 +#define CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA 1 +#define CONFIG_ESPTOOLPY_BEFORE "default_reset" +#define CONFIG_ADC2_DISABLE_DAC 1 +#define CONFIG_LOG_DEFAULT_LEVEL 3 +#define CONFIG_FREERTOS_ASSERT_ON_UNTESTED_FUNCTION 1 +#define CONFIG_TIMER_QUEUE_LENGTH 10 +#define CONFIG_MAKE_WARN_UNDEFINED_VARIABLES 1 +#define CONFIG_FATFS_TIMEOUT_MS 10000 +#define CONFIG_ESP32_WIFI_DYNAMIC_RX_BUFFER_NUM 32 +#define CONFIG_MAX_STA_CONN 4 +#define CONFIG_MBEDTLS_CCM_C 1 +#define CONFIG_ESP32_PHY_MAX_WIFI_TX_POWER 20 +#define CONFIG_ESP32_RTC_CLK_CAL_CYCLES 1024 +#define CONFIG_ESP32_WIFI_TX_BA_WIN 6 +#define CONFIG_ESP32_WIFI_NVS_ENABLED 1 +#define CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED 1 +#define CONFIG_LIBSODIUM_USE_MBEDTLS_SHA 1 +#define CONFIG_DMA_RX_BUF_NUM 10 +#define CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED 1 +#define CONFIG_TCP_SYNMAXRTX 6 +#define CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA 1 +#define CONFIG_ESP_WIFI_SSID "myssid" +#define CONFIG_PYTHON "python" +#define CONFIG_MBEDTLS_ECP_NIST_OPTIM 1 +#define CONFIG_ESP32_TIME_SYSCALL_USE_RTC_FRC1 1 +#define CONFIG_ESPTOOLPY_COMPRESSED 1 +#define CONFIG_PARTITION_TABLE_FILENAME "partitions_singleapp.csv" +#define CONFIG_TCP_SND_BUF_DEFAULT 5744 +#define CONFIG_LWIP_DHCP_MAX_NTP_SERVERS 1 +#define CONFIG_TCP_MSL 60000 +#define CONFIG_MBEDTLS_SSL_PROTO_TLS1_1 1 +#define CONFIG_LWIP_SO_REUSE_RXTOALL 1 +#define CONFIG_PARTITION_TABLE_SINGLE_APP 1 +#define CONFIG_ESP32_WIFI_RX_BA_WIN 6 +#define CONFIG_MBEDTLS_X509_CSR_PARSE_C 1 +#define CONFIG_SPIFFS_USE_MTIME 1 +#define CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA 1 +#define CONFIG_LWIP_DHCP_DOES_ARP_CHECK 1 +#define CONFIG_SYSTEM_EVENT_TASK_STACK_SIZE 2304 +#define CONFIG_BOOTLOADER_VDDSDIO_BOOST_1_9V 1 +#define CONFIG_ESP32_DEEP_SLEEP_WAKEUP_DELAY 2000 +#define CONFIG_BROWNOUT_DET_LVL 0 +#define CONFIG_MBEDTLS_PEM_PARSE_C 1 +#define CONFIG_SPIFFS_GC_MAX_RUNS 10 +#define CONFIG_ESP_WIFI_PASSWORD "mypassword" +#define CONFIG_ESP32_APPTRACE_DEST_NONE 1 +#define CONFIG_PARTITION_TABLE_CUSTOM_APP_BIN_OFFSET 0x10000 +#define CONFIG_MBEDTLS_SSL_PROTO_TLS1_2 1 +#define CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA 1 +#define CONFIG_ESP32_WIFI_DYNAMIC_TX_BUFFER_NUM 32 +#define CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED 1 +#define CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED 1 +#define CONFIG_TASK_WDT_CHECK_IDLE_TASK_CPU1 1 +#define CONFIG_ESP32_DEFAULT_CPU_FREQ_MHZ 160 +#define CONFIG_MBEDTLS_HARDWARE_AES 1 +#define CONFIG_FREERTOS_HZ 100 +#define CONFIG_LOG_COLORS 1 +#define CONFIG_ESP32_PHY_CALIBRATION_AND_DATA_STORAGE 1 +#define CONFIG_STACK_CHECK_NONE 1 +#define CONFIG_ADC_CAL_EFUSE_TP_ENABLE 1 +#define CONFIG_FREERTOS_ASSERT_FAIL_ABORT 1 +#define CONFIG_BROWNOUT_DET 1 +#define CONFIG_ESP32_XTAL_FREQ 40 +#define CONFIG_MONITOR_BAUD_115200B 1 +#define CONFIG_LOG_BOOTLOADER_LEVEL 3 +#define CONFIG_MBEDTLS_TLS_ENABLED 1 +#define CONFIG_LWIP_MAX_RAW_PCBS 16 +#define CONFIG_MBEDTLS_SSL_SESSION_TICKETS 1 +#define CONFIG_SPIFFS_MAX_PARTITIONS 3 +#define CONFIG_ESP_ERR_TO_NAME_LOOKUP 1 +#define CONFIG_MBEDTLS_SSL_RENEGOTIATION 1 +#define CONFIG_ESPTOOLPY_BEFORE_RESET 1 +#define CONFIG_ESPTOOLPY_BAUD_OTHER_VAL 115200 +#define CONFIG_SPIFFS_OBJ_NAME_LEN 32 +#define CONFIG_ESP32_PTHREAD_TASK_PRIO_DEFAULT 5 +#define CONFIG_PARTITION_TABLE_MD5 1 +#define CONFIG_TCPIP_RECVMBOX_SIZE 32 +#define CONFIG_TCP_MAXRTX 12 +#define CONFIG_ESPTOOLPY_AFTER "hard_reset" +#define CONFIG_LWIP_SO_REUSE 1 +#define CONFIG_ESP32_XTAL_FREQ_40 1 +#define CONFIG_DMA_TX_BUF_NUM 10 +#define CONFIG_LWIP_MAX_LISTENING_TCP 16 +#define CONFIG_FREERTOS_INTERRUPT_BACKTRACE 1 +#define CONFIG_WL_SECTOR_SIZE 4096 +#define CONFIG_ESP32_DEBUG_OCDAWARE 1 +#define CONFIG_TIMER_TASK_PRIORITY 1 +#define CONFIG_MBEDTLS_TLS_CLIENT 1 +#define CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED 1 +#define CONFIG_MONITOR_BAUD 115200 +#define CONFIG_FREERTOS_CORETIMER_0 1 +#define CONFIG_PARTITION_TABLE_CUSTOM_FILENAME "partitions.csv" +#define CONFIG_MBEDTLS_HAVE_TIME 1 +#define CONFIG_FREERTOS_CHECK_STACKOVERFLOW_CANARY 1 +#define CONFIG_TCP_QUEUE_OOSEQ 1 +#define CONFIG_ADC_CAL_EFUSE_VREF_ENABLE 1 +#define CONFIG_MBEDTLS_TLS_SERVER 1 +#define CONFIG_MBEDTLS_TLS_SERVER_AND_CLIENT 1 +#define CONFIG_FREERTOS_ISR_STACKSIZE 1536 +#define CONFIG_OPENSSL_ASSERT_DO_NOTHING 1 +#define CONFIG_WL_SECTOR_SIZE_4096 1 +#define CONFIG_OPTIMIZATION_LEVEL_DEBUG 1 +#define CONFIG_ESP32_WIFI_AMPDU_TX_ENABLED 1 +#define CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED 1 +#define CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED 1 +#define CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA 1 +#define CONFIG_SYSTEM_EVENT_QUEUE_SIZE 32 +#define CONFIG_ESP32_WIFI_TX_BUFFER_TYPE 1 +#define CONFIG_ESP32_WIFI_AMPDU_RX_ENABLED 1 +#define CONFIG_LWIP_LOOPBACK_MAX_PBUFS 8 +#define CONFIG_APP_OFFSET 0x10000 +#define CONFIG_SPI_FLASH_ROM_DRIVER_PATCH 1 +#define CONFIG_SPIFFS_PAGE_SIZE 256 +#define CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED 1 +#define CONFIG_TASK_WDT_CHECK_IDLE_TASK_CPU0 1 +#define CONFIG_ESP32_PTHREAD_TASK_STACK_SIZE_DEFAULT 3072 +#define CONFIG_MONITOR_BAUD_OTHER_VAL 115200 +#define CONFIG_NEWLIB_STDOUT_LINE_ENDING_CRLF 1 +#define CONFIG_ESPTOOLPY_PORT "/dev/ttyUSB0" +#define CONFIG_SPI_FLASH_WRITING_DANGEROUS_REGIONS_ABORTS 1 +#define CONFIG_ESP_WIFI_IS_SOFTAP 1 diff --git a/components/lwip/test_afl_host/test_client.c b/components/lwip/test_afl_host/test_client.c new file mode 100644 index 000000000..fee5d01b1 --- /dev/null +++ b/components/lwip/test_afl_host/test_client.c @@ -0,0 +1,84 @@ +#include "no_warn_host.h" +#include "lwip/opt.h" +#include "lwip/stats.h" +#include "lwip/mem.h" +#include "lwip/udp.h" +#include "lwip/ip_addr.h" +#include "lwip/netif.h" +#include "lwip/def.h" +#include "lwip/dhcp.h" +#include "lwip/autoip.h" +#include "lwip/dns.h" +#include "netif/etharp.h" +#include + +const ip_addr_t ip_addr_any; +const ip_addr_t ip_addr_broadcast; +struct ip_globals ip_data; +struct netif *netif_list; +struct netif mynetif; +ip4_addr_t server_ip; + +// +// Dependency injected test functions +void dhcp_test_dhcp_recv(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port); +void dhcp_test_init_di(); + +// +// Test starts here +// +int main(int argc, char** argv) +{ + uint8_t *buf; + struct pbuf *p; + FILE *file; + size_t len = 1460; + + dhcp_test_init_di(); + + mynetif.flags = NETIF_FLAG_UP | NETIF_FLAG_ETHARP; + mynetif.mtu = 576; + + + IP4_ADDR(&server_ip, 192,168,4,1); + dhcp_start(&mynetif); + + ip_data.current_input_netif = &mynetif; + ip_data.current_netif = &mynetif; + +#ifdef INSTR_IS_OFF + p = pbuf_alloc(PBUF_RAW, len, PBUF_POOL); + buf = p->payload; + memset(buf, 0, 1460); + if (argc != 2) + { + printf("Non-instrumentation mode: please supply a file name created by AFL to reproduce crash\n"); + return 1; + } + // + // Note: parameter1 is a file (mangled packet) which caused the crash + file = fopen(argv[1], "r"); + if (file) { + len = fread(buf, 1, 1460, file); + } + fclose(file); + int i; + for (i=0; i<1; i++) { +#else + while (__AFL_LOOP(1000)) { + p = pbuf_alloc(PBUF_RAW, len, PBUF_POOL); + buf = p->payload; + memset(buf, 0, 1460); + size_t len = read(0, buf, 1460); +#endif + p->len = len; + p->tot_len = len; + p->next = NULL; + + dhcp_test_dhcp_recv(NULL, NULL, p, &ip_addr_any, 0); + } + + + + return 0; +} diff --git a/components/lwip/test_afl_host/test.c b/components/lwip/test_afl_host/test_server.c similarity index 70% rename from components/lwip/test_afl_host/test.c rename to components/lwip/test_afl_host/test_server.c index 821e56f57..4ed3792bf 100644 --- a/components/lwip/test_afl_host/test.c +++ b/components/lwip/test_afl_host/test_server.c @@ -1,8 +1,9 @@ -#include +#include "no_warn_host.h" #include "lwip/pbuf.h" #include "lwip/udp.h" #include "tcpip_adapter.h" #include +#include const ip_addr_t ip_addr_any; ip4_addr_t server_ip; @@ -12,8 +13,10 @@ struct netif mynetif; void dhcp_test_handle_dhcp(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port); void dhcp_test_init_di(); -// Starting the test -int main() +// +// Test starts here +// +int main(int argc, char** argv) { uint8_t *buf; struct pbuf *p; @@ -22,24 +25,32 @@ int main() dhcp_test_init_di(); - p = pbuf_alloc(PBUF_RAW, len, PBUF_POOL); - buf = p->payload; - IP4_ADDR(&server_ip, 192,168,4,1); dhcps_start(&mynetif, server_ip); -#ifdef SIM +#ifdef INSTR_IS_OFF + p = pbuf_alloc(PBUF_RAW, len, PBUF_POOL); + buf = p->payload; memset(buf, 0, 1460); - - file = fopen("in/data1.bin", "r"); + if (argc != 2) + { + printf("Non-instrumentation mode: please supply a file name created by AFL to reproduce crash\n"); + return 1; + } + // + // Note: parameter1 is a file (mangled packet) which caused the crash + file = fopen(argv[1], "r"); if (file) { len = fread(buf, 1, 1460, file); } fclose(file); + int i; for (i=0; i<1; i++) { #else while (__AFL_LOOP(1000)) { + p = pbuf_alloc(PBUF_RAW, len, PBUF_POOL); + buf = p->payload; memset(buf, 0, 1460); size_t len = read(0, buf, 1460); #endif From bb25d0a348c6bc5431f7c5af1c36b4cb24ced819 Mon Sep 17 00:00:00 2001 From: David Cermak Date: Fri, 18 May 2018 15:54:08 +0200 Subject: [PATCH 3/3] DnsFuzzer: Added fuzzer test for exercising lwip/dns receiving DNS responses --- components/lwip/test_afl_host/Makefile | 31 +++-- components/lwip/test_afl_host/dns_di.h | 59 ++++++++++ .../{in_client => in_dhcp_client}/data0.bin | Bin .../{in_client => in_dhcp_client}/data1.bin | Bin .../{in_client => in_dhcp_client}/data2.bin | Bin .../{in_client => in_dhcp_client}/data3.bin | Bin .../{in_client => in_dhcp_client}/data4.bin | Bin .../{in_client => in_dhcp_client}/data5.bin | Bin .../{in_client => in_dhcp_client}/data6.bin | Bin .../{in_client => in_dhcp_client}/data7.bin | Bin .../{in_client => in_dhcp_client}/data8.bin | Bin .../{in_server => in_dhcp_server}/data0.bin | Bin .../{in_server => in_dhcp_server}/data1.bin | Bin .../{in_server => in_dhcp_server}/data2.bin | Bin .../{in_server => in_dhcp_server}/data3.bin | Bin .../{in_server => in_dhcp_server}/data4.bin | Bin .../{in_server => in_dhcp_server}/data5.bin | Bin .../{in_server => in_dhcp_server}/data6.bin | Bin components/lwip/test_afl_host/in_dns/out0.bin | Bin 0 -> 77 bytes .../lwip/test_afl_host/in_dns/out10.bin | Bin 0 -> 53 bytes .../lwip/test_afl_host/in_dns/out28.bin | Bin 0 -> 53 bytes .../lwip/test_afl_host/in_dns/out29.bin | Bin 0 -> 135 bytes .../lwip/test_afl_host/in_dns/out30.bin | Bin 0 -> 301 bytes .../lwip/test_afl_host/in_dns/out31.bin | Bin 0 -> 113 bytes .../lwip/test_afl_host/in_dns/out32.bin | Bin 0 -> 117 bytes .../lwip/test_afl_host/in_dns/out33.bin | Bin 0 -> 360 bytes .../lwip/test_afl_host/in_dns/out34.bin | Bin 0 -> 57 bytes .../lwip/test_afl_host/in_dns/out35.bin | Bin 0 -> 85 bytes .../lwip/test_afl_host/in_dns/out36.bin | Bin 0 -> 300 bytes .../lwip/test_afl_host/in_dns/out37.bin | Bin 0 -> 312 bytes .../lwip/test_afl_host/in_dns/out38.bin | Bin 0 -> 164 bytes components/lwip/test_afl_host/network_mock.c | 109 +++++++++++++++++- .../{test_client.c => test_dhcp_client.c} | 0 .../{test_server.c => test_dhcp_server.c} | 0 components/lwip/test_afl_host/test_dns.c | 79 +++++++++++++ 35 files changed, 262 insertions(+), 16 deletions(-) create mode 100644 components/lwip/test_afl_host/dns_di.h rename components/lwip/test_afl_host/{in_client => in_dhcp_client}/data0.bin (100%) rename components/lwip/test_afl_host/{in_client => in_dhcp_client}/data1.bin (100%) rename components/lwip/test_afl_host/{in_client => in_dhcp_client}/data2.bin (100%) rename components/lwip/test_afl_host/{in_client => in_dhcp_client}/data3.bin (100%) rename components/lwip/test_afl_host/{in_client => in_dhcp_client}/data4.bin (100%) rename components/lwip/test_afl_host/{in_client => in_dhcp_client}/data5.bin (100%) rename components/lwip/test_afl_host/{in_client => in_dhcp_client}/data6.bin (100%) rename components/lwip/test_afl_host/{in_client => in_dhcp_client}/data7.bin (100%) rename components/lwip/test_afl_host/{in_client => in_dhcp_client}/data8.bin (100%) rename components/lwip/test_afl_host/{in_server => in_dhcp_server}/data0.bin (100%) rename components/lwip/test_afl_host/{in_server => in_dhcp_server}/data1.bin (100%) rename components/lwip/test_afl_host/{in_server => in_dhcp_server}/data2.bin (100%) rename components/lwip/test_afl_host/{in_server => in_dhcp_server}/data3.bin (100%) rename components/lwip/test_afl_host/{in_server => in_dhcp_server}/data4.bin (100%) rename components/lwip/test_afl_host/{in_server => in_dhcp_server}/data5.bin (100%) rename components/lwip/test_afl_host/{in_server => in_dhcp_server}/data6.bin (100%) create mode 100644 components/lwip/test_afl_host/in_dns/out0.bin create mode 100644 components/lwip/test_afl_host/in_dns/out10.bin create mode 100644 components/lwip/test_afl_host/in_dns/out28.bin create mode 100644 components/lwip/test_afl_host/in_dns/out29.bin create mode 100644 components/lwip/test_afl_host/in_dns/out30.bin create mode 100644 components/lwip/test_afl_host/in_dns/out31.bin create mode 100644 components/lwip/test_afl_host/in_dns/out32.bin create mode 100644 components/lwip/test_afl_host/in_dns/out33.bin create mode 100644 components/lwip/test_afl_host/in_dns/out34.bin create mode 100644 components/lwip/test_afl_host/in_dns/out35.bin create mode 100644 components/lwip/test_afl_host/in_dns/out36.bin create mode 100644 components/lwip/test_afl_host/in_dns/out37.bin create mode 100644 components/lwip/test_afl_host/in_dns/out38.bin rename components/lwip/test_afl_host/{test_client.c => test_dhcp_client.c} (100%) rename components/lwip/test_afl_host/{test_server.c => test_dhcp_server.c} (100%) create mode 100644 components/lwip/test_afl_host/test_dns.c diff --git a/components/lwip/test_afl_host/Makefile b/components/lwip/test_afl_host/Makefile index a3da02e11..d20537977 100644 --- a/components/lwip/test_afl_host/Makefile +++ b/components/lwip/test_afl_host/Makefile @@ -5,14 +5,21 @@ INC_DIRS=-I . -I $(COMPONENTS_DIR)/lwip/include/lwip -I $(COMPONENTS_DIR)/lwip/i TEST_NAME=test FUZZ=afl-fuzz LD=$(CC) -ifeq ($(MODE),client) - DHCP_C_DEPENDENCY_INJECTION=-include dhcp_di.h - OBJECTS=dhcp.o network_mock.o test_client.o - SAMPLE_PACKETS=in_client -else - DHCP_C_DEPENDENCY_INJECTION=-include dhcpserver_di.h - OBJECTS=dhcpserver.o test_server.o network_mock.o - SAMPLE_PACKETS=in_server +ifeq ($(MODE),dhcp_client) + DEPENDENCY_INJECTION=-include dhcp_di.h + OBJECTS=dhcp.o network_mock.o test_dhcp_client.o + SAMPLE_PACKETS=in_dhcp_client +else ifeq ($(MODE),dhcp_server) + DEPENDENCY_INJECTION=-include dhcpserver_di.h + OBJECTS=dhcpserver.o test_dhcp_server.o network_mock.o + SAMPLE_PACKETS=in_dhcp_server +else ifeq ($(MODE),dns) + CFLAGS+=-DNOT_MOCK_DNS + DEPENDENCY_INJECTION=-include dns_di.h + OBJECTS=dns.o test_dns.o network_mock.o + SAMPLE_PACKETS=in_dns +else + $(error Please specify MODE: dhcp_server, dhcp_client, dns) endif ifeq ($(INSTR),off) @@ -27,13 +34,17 @@ CFLAGS+=$(INC_DIRS) all: $(TEST_NAME) +dns.o: ../core/dns.c + @echo "[CC] $<" + @$(CC) $(CFLAGS) $(DEPENDENCY_INJECTION) -c $< -o $@ + dhcp.o: ../core/ipv4/dhcp.c @echo "[CC] $<" - @$(CC) $(CFLAGS) $(DHCP_C_DEPENDENCY_INJECTION) -c $< -o $@ + @$(CC) $(CFLAGS) $(DEPENDENCY_INJECTION) -c $< -o $@ dhcpserver.o: ../apps/dhcpserver.c @echo "[CC] $<" - @$(CC) $(CFLAGS) $(DHCP_C_DEPENDENCY_INJECTION) -c $< -o $@ + @$(CC) $(CFLAGS) $(DEPENDENCY_INJECTION) -c $< -o $@ %.o: %.c @echo "[CC] $<" diff --git a/components/lwip/test_afl_host/dns_di.h b/components/lwip/test_afl_host/dns_di.h new file mode 100644 index 000000000..4cb0b715c --- /dev/null +++ b/components/lwip/test_afl_host/dns_di.h @@ -0,0 +1,59 @@ +/* + * dns.c dependecy injection -- preincluded to inject interface test functions into static variables + * + */ +#include "no_warn_host.h" + +#include "lwip/opt.h" +#include "lwip/udp.h" +#include "lwip/mem.h" +#include "lwip/memp.h" +#include "lwip/dns.h" +#include "lwip/ip_addr.h" + +#define ipaddr_aton(cp, addr) ip4addr_aton(cp, addr) + +extern uint32_t g_random_numbers[8]; +extern uint32_t g_random_numbers_cnt; + +void __assert_func(const char *file, int line, const char *func, const char *expr) +{ + printf("Assert failed in %s, %s:%d (%s)", func, file, line, expr); + abort(); +} + +int ip4addr_aton(const char *cp, ip4_addr_t *addr) +{ + return 0; +} + +static err_t dns_enqueue(const char *name, size_t hostnamelen, dns_found_callback found, void *callback_arg, u8_t dns_addrtype); +static void dns_recv(void *s, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port); + +void (*dns_test_static_dns_recv)(void *s, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port) = NULL; +err_t (*dns_test_static_dns_enqueue)(const char *name, size_t hostnamelen, dns_found_callback found, void *callback_arg, u8_t dns_addrtype) = NULL; + + +void dns_test_init_di() +{ + dns_test_static_dns_recv = dns_recv; + dns_test_static_dns_enqueue = dns_enqueue; +} + +err_t dns_test_dns_enqueue(const char *name, size_t hostnamelen, dns_found_callback found, void *callback_arg, u8_t dns_addrtype) +{ + return dns_test_static_dns_enqueue(name, hostnamelen, found, callback_arg, dns_addrtype); +} + +void dns_test_dns_recv(void *s, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port) +{ + dns_test_static_dns_recv(s, pcb, p, addr, port); +} + +void dns_test_inject_port_and_txid(int port, int txid) +{ + // inject random numbers + g_random_numbers[0] = port; //for port + g_random_numbers[1] = txid; //for txid + g_random_numbers_cnt = 0; // let's start with the port +} \ No newline at end of file diff --git a/components/lwip/test_afl_host/in_client/data0.bin b/components/lwip/test_afl_host/in_dhcp_client/data0.bin similarity index 100% rename from components/lwip/test_afl_host/in_client/data0.bin rename to components/lwip/test_afl_host/in_dhcp_client/data0.bin diff --git a/components/lwip/test_afl_host/in_client/data1.bin b/components/lwip/test_afl_host/in_dhcp_client/data1.bin similarity index 100% rename from components/lwip/test_afl_host/in_client/data1.bin rename to components/lwip/test_afl_host/in_dhcp_client/data1.bin diff --git a/components/lwip/test_afl_host/in_client/data2.bin b/components/lwip/test_afl_host/in_dhcp_client/data2.bin similarity index 100% rename from components/lwip/test_afl_host/in_client/data2.bin rename to components/lwip/test_afl_host/in_dhcp_client/data2.bin diff --git a/components/lwip/test_afl_host/in_client/data3.bin b/components/lwip/test_afl_host/in_dhcp_client/data3.bin similarity index 100% rename from components/lwip/test_afl_host/in_client/data3.bin rename to components/lwip/test_afl_host/in_dhcp_client/data3.bin diff --git a/components/lwip/test_afl_host/in_client/data4.bin b/components/lwip/test_afl_host/in_dhcp_client/data4.bin similarity index 100% rename from components/lwip/test_afl_host/in_client/data4.bin rename to components/lwip/test_afl_host/in_dhcp_client/data4.bin diff --git a/components/lwip/test_afl_host/in_client/data5.bin b/components/lwip/test_afl_host/in_dhcp_client/data5.bin similarity index 100% rename from components/lwip/test_afl_host/in_client/data5.bin rename to components/lwip/test_afl_host/in_dhcp_client/data5.bin diff --git a/components/lwip/test_afl_host/in_client/data6.bin b/components/lwip/test_afl_host/in_dhcp_client/data6.bin similarity index 100% rename from components/lwip/test_afl_host/in_client/data6.bin rename to components/lwip/test_afl_host/in_dhcp_client/data6.bin diff --git a/components/lwip/test_afl_host/in_client/data7.bin b/components/lwip/test_afl_host/in_dhcp_client/data7.bin similarity index 100% rename from components/lwip/test_afl_host/in_client/data7.bin rename to components/lwip/test_afl_host/in_dhcp_client/data7.bin diff --git a/components/lwip/test_afl_host/in_client/data8.bin b/components/lwip/test_afl_host/in_dhcp_client/data8.bin similarity index 100% rename from components/lwip/test_afl_host/in_client/data8.bin rename to components/lwip/test_afl_host/in_dhcp_client/data8.bin diff --git a/components/lwip/test_afl_host/in_server/data0.bin b/components/lwip/test_afl_host/in_dhcp_server/data0.bin similarity index 100% rename from components/lwip/test_afl_host/in_server/data0.bin rename to components/lwip/test_afl_host/in_dhcp_server/data0.bin diff --git a/components/lwip/test_afl_host/in_server/data1.bin b/components/lwip/test_afl_host/in_dhcp_server/data1.bin similarity index 100% rename from components/lwip/test_afl_host/in_server/data1.bin rename to components/lwip/test_afl_host/in_dhcp_server/data1.bin diff --git a/components/lwip/test_afl_host/in_server/data2.bin b/components/lwip/test_afl_host/in_dhcp_server/data2.bin similarity index 100% rename from components/lwip/test_afl_host/in_server/data2.bin rename to components/lwip/test_afl_host/in_dhcp_server/data2.bin diff --git a/components/lwip/test_afl_host/in_server/data3.bin b/components/lwip/test_afl_host/in_dhcp_server/data3.bin similarity index 100% rename from components/lwip/test_afl_host/in_server/data3.bin rename to components/lwip/test_afl_host/in_dhcp_server/data3.bin diff --git a/components/lwip/test_afl_host/in_server/data4.bin b/components/lwip/test_afl_host/in_dhcp_server/data4.bin similarity index 100% rename from components/lwip/test_afl_host/in_server/data4.bin rename to components/lwip/test_afl_host/in_dhcp_server/data4.bin diff --git a/components/lwip/test_afl_host/in_server/data5.bin b/components/lwip/test_afl_host/in_dhcp_server/data5.bin similarity index 100% rename from components/lwip/test_afl_host/in_server/data5.bin rename to components/lwip/test_afl_host/in_dhcp_server/data5.bin diff --git a/components/lwip/test_afl_host/in_server/data6.bin b/components/lwip/test_afl_host/in_dhcp_server/data6.bin similarity index 100% rename from components/lwip/test_afl_host/in_server/data6.bin rename to components/lwip/test_afl_host/in_dhcp_server/data6.bin diff --git a/components/lwip/test_afl_host/in_dns/out0.bin b/components/lwip/test_afl_host/in_dns/out0.bin new file mode 100644 index 0000000000000000000000000000000000000000..8a68ce66350feb3cb04cd9edc6602d281d7bf717 GIT binary patch literal 77 zcmezNscBmr8 WoCBf<3_-FC3`{}{ENgCxp9264x)VnL literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in_dns/out10.bin b/components/lwip/test_afl_host/in_dns/out10.bin new file mode 100644 index 0000000000000000000000000000000000000000..e9f8c73fcbd2a911a8677624f6ba4303c5db1cdf GIT binary patch literal 53 zcmYf9Xl!6$1VSKSOV2FHNlfBQEiNcZEiTSXV@l3r07)L;fhb|T#=vqpUUw1zTWk!p literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in_dns/out28.bin b/components/lwip/test_afl_host/in_dns/out28.bin new file mode 100644 index 0000000000000000000000000000000000000000..92ed4c510b1b63a38cbf20bf85188ef261530906 GIT binary patch literal 53 zcmdm_+t|Rs2!ueumY!LXlbFPrT3k?+T3no&#+01L0Fpew15v^h!N77kUUw1zRpAUP literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in_dns/out29.bin b/components/lwip/test_afl_host/in_dns/out29.bin new file mode 100644 index 0000000000000000000000000000000000000000..40dc982a03372303489b1d769cfc07bd671e0233 GIT binary patch literal 135 zcmccA)7Zek$iT_~1Y9MVxv9FjiOKoJtce8$IjPLa`MC^0S;hlAKoyJ(4BV0oq8wmV q`Nb8C>FkM#1v#0y=?7#F7=e@l&A7(EBKX(jFB-oVm2Za5{|f-t)*)g5 literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in_dns/out30.bin b/components/lwip/test_afl_host/in_dns/out30.bin new file mode 100644 index 0000000000000000000000000000000000000000..d7eff8b989a174190e8ad9bd6c238f3e2e844c5e GIT binary patch literal 301 zcmY$dYHVO&WZ+<6VPIe>$jnRUOwLFwDoILBEMd+|Enxu4F&^LnkwE4i1{NcMtLi9x z!Q*#P`JeWq@P+R%pz?!NQ28NcD13oO8m6Y1R0n>F7SNFAjzIrtZQg)WX73T zUYr7C8yPbt=QEXNGaxAvW&=uC8koY=m{=Z=Mv@i-NgEo$r43D)lk;Dd;WMBYcrko`9_>{b2-QpCM_|lXDMgv9zWS_TaIoH_Z)i8&eh#U%`EdHG5CDV0F=Wr;bNDL|7!iueQ=7+5wi Ka9TBhGynkWQ5i=7 literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in_dns/out33.bin b/components/lwip/test_afl_host/in_dns/out33.bin new file mode 100644 index 0000000000000000000000000000000000000000..dc5b666c7d4bec296dfd366ba6dd4d15e38337d2 GIT binary patch literal 360 zcmYe_(AdDh$iT_K!oa{%l$n>!nUSBIom!b#P{5p*TEYO7V?4mazzU=pSdKCni4>P4 zrev1pmK7xH8kw0|8X6c_SaOyY>!v0am*^TYr{*MaCgvtq<>w`q7c(d4=Q12H0GR4eG>WWLE6`7OwNr9*9hkono-{lAgN_CwO&A-OBJ<6bcI-aj z%D@D&pG}8BoIS5t*U-?=k`w5-6fm1PzbKsnNr@y_iMgdQOo_1(Q*u62X*RMVVK$&% aBV$vT8Y9aCu}Efsr7ew3VA7^W2c!Wy{!@AY literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in_dns/out34.bin b/components/lwip/test_afl_host/in_dns/out34.bin new file mode 100644 index 0000000000000000000000000000000000000000..55e9f0c3d8c0753d43c8e0a81f9acebb9afd5eea GIT binary patch literal 57 zcmeYiXl!6$1VSL-%1taONiE9FFD~IsEiNcZEiTSXV@l3r04X@Y15w5l!N77kUUw1z Dj+G6D literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in_dns/out35.bin b/components/lwip/test_afl_host/in_dns/out35.bin new file mode 100644 index 0000000000000000000000000000000000000000..8d7c652e0abbea48110c41e3d9cb43c432191e02 GIT binary patch literal 85 zcmcbs+t|Rs$iTz^1RRM~=4K{FmZnT)`E0qxsmXaM%z3FL3_y9t13V0@K$?LemqCyv jx!A~vxx65mwag$nCGUXz0TYlC1_pK)29_Deg%4F%WZ+<6VPIfREXZUpPEF5E%`0Kb%x3_KGaldpkqitBwhSz0Q#W~|@K116 zq41|Hw?N@fJ===H-?jEQ3V+J?%c%SiGgQ9+(gOkvOi=s9+4G8Z4GoQrITOo^Q$TEE z=KP{`1|%htU?pY-W-uiN7EHV9rY| GVE_Ozr#yK8 literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in_dns/out37.bin b/components/lwip/test_afl_host/in_dns/out37.bin new file mode 100644 index 0000000000000000000000000000000000000000..9c06a7b29259c34a1ae85cb22042c77e184a5701 GIT binary patch literal 312 zcmaFu+1S9q$iTtC!oa{&U|^}6oS#>cm|RlKl$OewSWu9Ys+*Em%$%26!T?mpcz_2) zGB7aoF|Y{!n9PU9UxCIqLgSmE@rBX&rfB>QG``RQNd_jM{Y*zMGDx!L73&(Bnj3K@ zmKOuvsB2)tl$_60n$3WuNQ@0AVPs(rQ)6t(oSdJFtU?&1!ra6HrozbbfEtnk;$T}0 PjZ9$jhDOZ!Md=Ixa3@J? literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/in_dns/out38.bin b/components/lwip/test_afl_host/in_dns/out38.bin new file mode 100644 index 0000000000000000000000000000000000000000..31bf8c2da53e77c3412444de1050f4ee22c1e5bb GIT binary patch literal 164 zcmZQ-YHVO&WMF0h0^YLX?oNV&=Tm5(c0`#sfSI ztU#K9g_A)~uspH6Sht`kKSehwu~OH-#FDuzvj9~idwFJFN`86q0gVH;5S>gG46>Ly cIg)eoOH&dH3V;gBK^8GE02Q)m1aCVB0JRG)i~s-t literal 0 HcmV?d00001 diff --git a/components/lwip/test_afl_host/network_mock.c b/components/lwip/test_afl_host/network_mock.c index 9e9ae4829..cf35fdb63 100644 --- a/components/lwip/test_afl_host/network_mock.c +++ b/components/lwip/test_afl_host/network_mock.c @@ -9,23 +9,84 @@ const ip_addr_t ip_addr_any; const ip_addr_t ip_addr_broadcast; +const ip_addr_t ip_addr_any_type; struct ip_globals ip_data; struct netif *netif_list; +struct udp_pcb mock_pcb; +uint32_t g_random_numbers[8] = {0}; +uint32_t g_random_numbers_cnt = 0; +struct pbuf* pbuf_skip(struct pbuf* in, u16_t in_offset, u16_t* out_offset) +{ + u16_t offset_left = in_offset; + struct pbuf* q = in; + + /* get the correct pbuf */ + while ((q != NULL) && (q->len <= offset_left)) { + offset_left -= q->len; + q = q->next; + } + if (out_offset != NULL) { + *out_offset = offset_left; + } + return q; +} + +void pbuf_put_at(struct pbuf* p, u16_t offset, u8_t data) +{ + u16_t q_idx; + struct pbuf* q = pbuf_skip(p, offset, &q_idx); + + /* write requested data if pbuf is OK */ + if ((q != NULL) && (q->len > q_idx)) { + ((u8_t*)q->payload)[q_idx] = data; + } +} + +u8_t pbuf_get_at(struct pbuf* p, u16_t offset) +{ + u16_t q_idx; + struct pbuf* q = pbuf_skip(p, offset, &q_idx); + + /* return requested data if pbuf is OK */ + if ((q != NULL) && (q->len > q_idx)) { + return ((u8_t*)q->payload)[q_idx]; + } + return 0; +} + +err_t pbuf_take(struct pbuf *buf, const void *dataptr, u16_t len) +{ + return ERR_OK; +} + +err_t pbuf_take_at(struct pbuf *buf, const void *dataptr, u16_t len, u16_t offset) +{ + return ERR_OK; +} + +struct udp_pcb * udp_new_ip_type(u8_t type) +{ + return &mock_pcb; +} + u16_t lwip_htons(u16_t n) { - return 0; + return ((n & 0xff) << 8) | ((n & 0xff00) >> 8); } u32_t lwip_htonl(u32_t n) { - return 0; +return ((n & 0xff) << 24) | + ((n & 0xff00) << 8) | + ((n & 0xff0000UL) >> 8) | + ((n & 0xff000000UL) >> 24); } esp_err_t tcpip_adapter_get_ip_info(tcpip_adapter_if_t tcpip_if, tcpip_adapter_ip_info_t *ip_info) { - return ESP_OK; + return ESP_OK; } struct pbuf * pbuf_alloc(pbuf_layer layer, u16_t length, pbuf_type type) @@ -84,13 +145,16 @@ void udp_disconnect(struct udp_pcb *pcb) { } +#ifndef NOT_MOCK_DNS void dns_setserver(u8_t numdns, const ip_addr_t *dnsserver) { } +#endif uint32_t esp_random(void) { - return 0; + // Preparation for injecting favorable random numbers + return g_random_numbers[g_random_numbers_cnt++ % 8]; } err_t etharp_query(struct netif *netif, const ip4_addr_t *ipaddr, struct pbuf *q) @@ -100,7 +164,7 @@ err_t etharp_query(struct netif *netif, const ip4_addr_t *ipaddr, struct pbuf *q u32_t lwip_ntohl(u32_t x) { - return 0; + return lwip_htonl(x); } void netif_set_addr(struct netif *netif, const ip4_addr_t *ipaddr, const ip4_addr_t *netmask, @@ -120,10 +184,43 @@ void pbuf_realloc(struct pbuf *p, u16_t size) } } -u16_t pbuf_copy_partial(struct pbuf *p, void *dataptr, u16_t len, u16_t offset) +u16_t pbuf_copy_partial(struct pbuf *buf, void *dataptr, u16_t len, u16_t offset) { + struct pbuf *p; + u16_t left; + u16_t buf_copy_len; + u16_t copied_total = 0; + + LWIP_ERROR("pbuf_copy_partial: invalid buf", (buf != NULL), return 0;); + LWIP_ERROR("pbuf_copy_partial: invalid dataptr", (dataptr != NULL), return 0;); + + left = 0; + + if ((buf == NULL) || (dataptr == NULL)) { return 0; + } + + /* Note some systems use byte copy if dataptr or one of the pbuf payload pointers are unaligned. */ + for (p = buf; len != 0 && p != NULL; p = p->next) { + if ((offset != 0) && (offset >= p->len)) { + /* don't copy from this buffer -> on to the next */ + offset -= p->len; + } else { + /* copy from this buffer. maybe only partially. */ + buf_copy_len = p->len - offset; + if (buf_copy_len > len) + buf_copy_len = len; + /* copy the necessary parts of the buffer */ + MEMCPY(&((char*)dataptr)[left], &((char*)p->payload)[offset], buf_copy_len); + copied_total += buf_copy_len; + left += buf_copy_len; + len -= buf_copy_len; + offset = 0; + } + } + return copied_total; } + err_t udp_connect(struct udp_pcb *pcb, const ip_addr_t *ipaddr, u16_t port) { return ESP_OK; diff --git a/components/lwip/test_afl_host/test_client.c b/components/lwip/test_afl_host/test_dhcp_client.c similarity index 100% rename from components/lwip/test_afl_host/test_client.c rename to components/lwip/test_afl_host/test_dhcp_client.c diff --git a/components/lwip/test_afl_host/test_server.c b/components/lwip/test_afl_host/test_dhcp_server.c similarity index 100% rename from components/lwip/test_afl_host/test_server.c rename to components/lwip/test_afl_host/test_dhcp_server.c diff --git a/components/lwip/test_afl_host/test_dns.c b/components/lwip/test_afl_host/test_dns.c new file mode 100644 index 000000000..131a8b3ed --- /dev/null +++ b/components/lwip/test_afl_host/test_dns.c @@ -0,0 +1,79 @@ +#include "no_warn_host.h" + +#include "lwip/opt.h" +#include "lwip/udp.h" +#include "lwip/mem.h" +#include "lwip/memp.h" +#include "lwip/dns.h" +#include "lwip/ip_addr.h" + +#include + +const ip_addr_t ip_addr_any; +const ip_addr_t ip_addr_broadcast; +struct ip_globals ip_data; +struct netif *netif_list; +struct netif mynetif; +ip4_addr_t server_ip; + +// +// Dependency injected test functions +void dns_test_dns_recv(void *s, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port); +void dns_test_inject_port_and_txid(int port, int txid); + +void dns_test_init_di(); +err_t dns_test_dns_enqueue(const char *name, size_t hostnamelen, dns_found_callback found, void *callback_arg, u8_t dns_addrtype); + +// +// Test starts here +// +int main(int argc, char** argv) +{ + uint8_t *buf; + struct pbuf *p; + FILE *file; + size_t len = 1460; + + dns_test_init_di(); + +#ifdef INSTR_IS_OFF + p = pbuf_alloc(PBUF_RAW, len, PBUF_POOL); + buf = p->payload; + memset(buf, 0, 1460); + if (argc != 2) + { + printf("Non-instrumentation mode: please supply a file name created by AFL to reproduce crash\n"); + return 1; + } + // + // Note: parameter1 is a file (mangled packet) which caused the crash + file = fopen(argv[1], "r"); + if (file) { + len = fread(buf, 1, 1460, file); + } + fclose(file); + int i; + for (i=0; i<1; i++) { +#else + while (__AFL_LOOP(1000)) { + p = pbuf_alloc(PBUF_RAW, len, PBUF_POOL); + buf = p->payload; + memset(buf, 0, 1460); + size_t len = read(0, buf, 1460); +#endif + p->len = len; + p->tot_len = len; + p->next = NULL; + + // Pretend that the response is from our pending querries + dns_test_inject_port_and_txid(1024, (buf[0]<<8) + buf[1]); + dns_test_dns_enqueue("test", 4, NULL, NULL, 0); + + // Process the packet + dns_test_dns_recv(NULL, NULL, p, &ip_addr_any, 0); + } + + + + return 0; +}