fuzzing.c 7.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314
  1. #include <assert.h>
  2. #include <stdint.h>
  3. #include <stdlib.h>
  4. #include <string.h>
  5. #include "defines.h"
  6. #include "fuzzing.h"
  7. #include "common/utils.h"
  8. #include "tcpedit/tcpedit.h"
  9. static unsigned int fuzz_seed;
  10. static unsigned int fuzz_factor;
  11. static unsigned int fuzz_running;
  12. void
  13. fuzzing_init(uint32_t _fuzz_seed, uint32_t _fuzz_factor)
  14. {
  15. assert(_fuzz_factor);
  16. fuzz_seed = _fuzz_seed;
  17. fuzz_factor = _fuzz_factor;
  18. fuzz_running = 1;
  19. }
  20. #define SGT_MAX_SIZE 16
  21. static inline int
  22. fuzz_get_sgt_size(uint32_t r, uint32_t caplen)
  23. {
  24. if (0 == caplen)
  25. return 0;
  26. if (caplen <= SGT_MAX_SIZE)
  27. /* packet too small, fuzzing only one byte */
  28. return 1;
  29. /* return random value between 1 and SGT_MAX_SIZE */
  30. return (1 + (r % (SGT_MAX_SIZE - 1)));
  31. }
  32. static inline int
  33. fuzz_reduce_packet_size(tcpedit_t *tcpedit, struct pcap_pkthdr *pkthdr,
  34. uint32_t new_len)
  35. {
  36. if (pkthdr->len < pkthdr->caplen) {
  37. tcpedit_seterr(tcpedit, "Packet length %u smaller than capture length %u",
  38. pkthdr->len, pkthdr->caplen);
  39. return -1;
  40. }
  41. if (new_len > pkthdr->caplen) {
  42. tcpedit_seterr(tcpedit, "Cannot fuzz packet of capture length %u to length %u",
  43. pkthdr->caplen, new_len);
  44. return -1;
  45. }
  46. if (new_len == pkthdr->caplen) {
  47. return 0;
  48. }
  49. pkthdr->len = new_len;
  50. pkthdr->caplen = pkthdr->len;
  51. /* do not fix lengths in ip/tcp/udp layers.
  52. * fixlen option already does so, and can be called with fuzzing option. */
  53. return 1;
  54. }
  55. int
  56. fuzzing(tcpedit_t *tcpedit, struct pcap_pkthdr *pkthdr,
  57. u_char **pktdata)
  58. {
  59. int packet_changed = 0;
  60. uint32_t r, s;
  61. uint16_t l2proto;
  62. uint8_t l4proto;
  63. u_char *packet, *l3data, *l4data;
  64. tcpeditdlt_plugin_t *plugin;
  65. int caplen, l2len, l4len;
  66. tcpeditdlt_t *ctx;
  67. assert(tcpedit);
  68. assert(pkthdr);
  69. assert(*pktdata);
  70. if (!fuzz_running)
  71. goto done;
  72. assert(fuzz_factor);
  73. /*
  74. * Determine if this is one of the packets that is going to be altered.
  75. * No fuzzing for the other 7 out of 8 packets
  76. */
  77. r = tcpr_random(&fuzz_seed);
  78. if ((r % fuzz_factor) != 0)
  79. goto done;
  80. /* initializations */
  81. ctx = tcpedit->dlt_ctx;
  82. packet = *pktdata;
  83. caplen = pkthdr->caplen;
  84. plugin = tcpedit->dlt_ctx->encoder;
  85. l2len = plugin->plugin_l2len(ctx, packet, caplen);
  86. l2proto = ntohs(ctx->proto);
  87. if (l2len == -1 || caplen < l2len)
  88. goto done;
  89. /*
  90. * Get a pointer to the network layer
  91. *
  92. * Note that this pointer may be in a working buffer and not on directly
  93. * to '*pktdata'. All alterations are done in this buffer, which later
  94. * will be copied back to '*pktdata', if necessary
  95. */
  96. l3data = plugin->plugin_get_layer3(ctx, packet, caplen);
  97. if (!l3data)
  98. goto done;
  99. l4len = caplen - l2len;
  100. switch (l2proto) {
  101. case (ETHERTYPE_IP):
  102. {
  103. l4data = get_layer4_v4((ipv4_hdr_t*)l3data, caplen - l2len);
  104. if (!l4data)
  105. goto done;
  106. l4proto = ((ipv4_hdr_t *)l3data)->ip_p;
  107. break;
  108. }
  109. case (ETHERTYPE_IP6): {
  110. l4data = get_layer4_v6((ipv6_hdr_t*)l3data, caplen - l2len);
  111. if (!l4data)
  112. goto done;
  113. l4proto = ((ipv6_hdr_t *)l3data)->ip_nh;
  114. break;
  115. }
  116. default:
  117. /* apply fuzzing on unknown packet types */
  118. l4data = l3data;
  119. l4proto = IPPROTO_RAW;
  120. }
  121. /* adjust payload length based on layer 3 protocol */
  122. switch (l4proto) {
  123. case IPPROTO_TCP:
  124. l4len -= sizeof(tcp_hdr_t);
  125. break;
  126. case IPPROTO_UDP:
  127. l4len -= sizeof(udp_hdr_t);
  128. break;
  129. }
  130. if (l4len <= 1)
  131. goto done;
  132. /* add some additional randomization */
  133. r ^= r >> 16;
  134. s = r % FUZZING_TOTAL_ACTION_NUMBER;
  135. dbgx(3, "packet fuzzed : %d", s);
  136. switch (s) {
  137. case FUZZING_DROP_PACKET:
  138. {
  139. /* simulate dropping the packet */
  140. if (fuzz_reduce_packet_size(tcpedit, pkthdr, 0) < 0)
  141. /* could not change packet size, so packet left unchanged */
  142. goto done;
  143. packet_changed = 1;
  144. break;
  145. }
  146. case FUZZING_REDUCE_SIZE:
  147. {
  148. /* reduce packet size */
  149. uint32_t new_len = (r % ((l4len) - 1)) + 1;
  150. if (fuzz_reduce_packet_size(tcpedit, pkthdr, new_len) < 0)
  151. /* could not change packet size, so packet left unchanged */
  152. goto done;
  153. packet_changed = 1;
  154. break;
  155. }
  156. case FUZZING_CHANGE_START_ZERO:
  157. {
  158. /* fuzz random-size segment at the beginning of the packet with 0x00 */
  159. uint32_t sgt_size = fuzz_get_sgt_size(r, l4len);
  160. memset(l4data, 0x00, sgt_size);
  161. packet_changed = 1;
  162. break;
  163. }
  164. case FUZZING_CHANGE_START_RANDOM:
  165. {
  166. /*
  167. * fuzz random-size segment at the beginning of the packet payload
  168. * with random bytes
  169. */
  170. size_t i;
  171. uint32_t sgt_size = fuzz_get_sgt_size(r, l4len);
  172. if (!sgt_size)
  173. goto done;
  174. for (i = 0; i < sgt_size; i++)
  175. l4data[i] = l4data[i] ^ (u_char)(r >> 4);
  176. packet_changed = 1;
  177. break;
  178. }
  179. case FUZZING_CHANGE_START_FF:
  180. {
  181. /*
  182. * fuzz random-size segment at the beginning of the packet
  183. * payload with 0xff
  184. */
  185. uint32_t sgt_size = fuzz_get_sgt_size(r, l4len);
  186. if (!sgt_size)
  187. goto done;
  188. memset(l4data, 0xff, sgt_size);
  189. packet_changed = 1;
  190. break;
  191. }
  192. case FUZZING_CHANGE_MID_ZERO:
  193. {
  194. /* fuzz random-size segment inside the packet payload with 0x00 */
  195. uint32_t offset = ((r >> 16) % (l4len - 1)) + 1;
  196. uint32_t sgt_size = fuzz_get_sgt_size(r, l4len - offset);
  197. if (!sgt_size)
  198. goto done;
  199. memset(l4data + offset, 0x00, sgt_size);
  200. packet_changed = 1;
  201. break;
  202. }
  203. case FUZZING_CHANGE_MID_FF:
  204. {
  205. /* fuzz random-size segment inside the packet payload with 0xff */
  206. uint32_t offset = ((r >> 16) % (l4len - 1)) + 1;
  207. uint32_t sgt_size = fuzz_get_sgt_size(r, l4len - offset);
  208. if (!sgt_size)
  209. goto done;
  210. memset(l4data + offset, 0xff, sgt_size);
  211. packet_changed = 1;
  212. break;
  213. }
  214. case FUZZING_CHANGE_END_ZERO:
  215. {
  216. /* fuzz random-sized segment at the end of the packet payload with 0x00 */
  217. uint32_t sgt_size = fuzz_get_sgt_size(r, l4len);
  218. if (!sgt_size)
  219. goto done;
  220. memset(l4data + l4len - sgt_size, 0x00, sgt_size);
  221. packet_changed = 1;
  222. break;
  223. }
  224. case FUZZING_CHANGE_END_RANDOM:
  225. {
  226. /* fuzz random-sized segment at the end of the packet with random Bytes */
  227. int i;
  228. uint32_t sgt_size = fuzz_get_sgt_size(r, l4len);
  229. if (!sgt_size)
  230. goto done;
  231. for (i = (l4len - sgt_size); i < l4len; i++)
  232. l4data[i] = l4data[i] ^ (u_char)(r >> 4);
  233. packet_changed = 1;
  234. break;
  235. }
  236. case FUZZING_CHANGE_END_FF:
  237. {
  238. /* fuzz random-sized segment at the end of the packet with 0xff00 */
  239. uint32_t sgt_size = fuzz_get_sgt_size(r, l4len);
  240. if (!sgt_size)
  241. goto done;
  242. memset(l4data + l4len - sgt_size, 0xff, sgt_size);
  243. packet_changed = 1;
  244. break;
  245. }
  246. case FUZZING_CHANGE_MID_RANDOM:
  247. {
  248. /* fuzz random-size segment inside the packet with random Bytes */
  249. size_t i;
  250. uint32_t offset = ((r >> 16) % (l4len - 1)) + 1;
  251. uint32_t sgt_size = fuzz_get_sgt_size(r, l4len - offset);
  252. if (!sgt_size)
  253. goto done;
  254. for (i = offset; i < offset + sgt_size; i++)
  255. l4data[i] = l4data[i] ^ (u_char)(r >> 4);
  256. packet_changed = 1;
  257. break;
  258. }
  259. default:
  260. assert(false);
  261. }
  262. /* in cases where 'l3data' is a working buffer, copy it back to '*pkthdr' */
  263. plugin->plugin_merge_layer3(ctx, packet, caplen, l3data);
  264. done:
  265. return packet_changed;
  266. }