Fuzzer integration (#356)

* Cleanup of merge error

* Refactor fuzzing options

* merge upcall with unconnected

* Update CMAKE files

* sync

* disable prints, enable features

* move setsockopt call

* checkout master

* revert compiler options

* Revert compiler options

* Do not dump packets to file by default

* add sanitizer blacklist entries

* update black list, rename programs

* revert experimental changes

* add mutex timeout

* sync

* sync

* sync

* sync

* sync

* cleanup

* compile fix for gcc

* fuzzer sync

* sync

* sync

* sync

* sync

* sync

* sync

* sync

* sync

* sync

* Rever temporary fix

* compilefix

* improve directory handling

* be more verbose (#312)

* Improve and of ICMP messages on Windows.

When an ICMP message is received on Windows 10 for a UDP socket,
WSAECONNRESET is reported as an error. In this case, just read
again.

Thanks to nxrighthere for reporting the issue and helping to
nail it down.

This fixes #309.

* Fix broken links, Make URLs' protocols consistent (#315)

Two Links missed leading `http(s)://` and were broken.
All links to `tools.ietf.org` now consistently use https.

* Backport https://svnweb.freebsd.org/base?view=revision&revision=340783

* Improve input validation for the IPPROTO_SCTP level socket options
SCTP_CONNECT_X and SCTP_CONNECT_X_DELAYED.

* Allow sending on demand SCTP HEARTBEATS only in the ESTABLISHED state.

* Fix cross-build linux->mingw (#320)

* sync

* sync

* sync

* sync

* sync

* cmake cleanup

* sync

* sync

* sync

* sync

* revert changes

* Sync

* sync

* bugfix

* bugfix

* sync

* sync

* sync

* sync

* sync

* sync

* sync

* sync

* sync

* sync

* sync

* sync

* sync

* sync

* sync

* Improve RNG for fuzzing

* sync

* fuzzer_connected

* Sync

* sync

* sync

* sync

* sync

* Sync

* sync

* chain.sh removed

* sync

* sync

CMakeLists.txt

@@ -77,6 +77,12 @@ option(sctp_sanitizer_address "Compile with address sanitizer" 0)
 
 option(sctp_sanitizer_memory "Compile with memory sanitizer" 0)
 
+option(sctp_build_fuzzer "Compile in clang fuzzing mode" 0)
+if (sctp_build_fuzzer)
+	add_definitions(-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=fuzzer-no-link")
+endif ()
+
 if (sctp_sanitizer_address AND sctp_sanitizer_memory)
 	message(FATAL_ERROR "Can not compile with both sanitizer options")
 endif ()
@@ -212,12 +218,17 @@ if (CMAKE_C_COMPILER_ID MATCHES "Clang" OR CMAKE_C_COMPILER_ID MATCHES "AppleCla
 	endif ()
 
 	if (sctp_sanitizer_address)
-		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fno-omit-frame-pointer -g")
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address,undefined,signed-integer-overflow -fno-sanitize-recover=all -fsanitize-address-use-after-scope ")
 	endif ()
 
 	if (sctp_sanitizer_memory)
-		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=memory -fno-omit-frame-pointer -g -fsanitize-memory-track-origins")
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=memory -fsanitize-memory-track-origins -fPIE")
+	endif ()
+
+	if (sctp_sanitizer_address OR sctp_sanitizer_memory)
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-omit-frame-pointer -fsanitize-coverage=edge,indirect-calls,trace-cmp,trace-div,trace-gep")
 	endif ()
+
 endif ()
 
 # SETTINGS FOR VISUAL STUDIO COMPILER
@@ -258,3 +269,7 @@ add_subdirectory(usrsctplib)
 if (sctp_build_programs)
 	add_subdirectory(programs)
 endif ()
+
+if (sctp_build_fuzzer)
+	add_subdirectory(fuzzer)
+endif ()

fuzzer/CMakeLists.txt

@@ -0,0 +1,93 @@
+#
+# Copyright (C) 2015-2019 Felix Weinrank
+#
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. Neither the name of the project nor the names of its contributors
+#    may be used to endorse or promote products derived from this software
+#    without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+
+#project(usrsctp-fuzzer C)
+
+#################################################
+# INCLUDE MODULES
+#################################################
+
+include(CheckIncludeFile)
+
+
+#################################################
+# CHECK INCLUDES
+#################################################
+
+include_directories(${CMAKE_SOURCE_DIR}/usrsctplib)
+
+
+#################################################
+# OS DEPENDENT
+#################################################
+
+if (CMAKE_SYSTEM_NAME MATCHES "Linux")
+	add_definitions(-D_GNU_SOURCE)
+endif ()
+
+if (CMAKE_SYSTEM_NAME MATCHES "Darwin")
+	add_definitions(-D__APPLE_USE_RFC_2292)
+endif ()
+
+#################################################
+# COMPILER FLAGS
+#################################################
+
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-gnu-zero-variadic-macro-arguments")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=fuzzer")
+
+
+#################################################
+# PROGRAMS
+#################################################
+
+# if in fuzzing mode, only build the fuzzer
+configure_file(crashtest.py crashtest.py COPYONLY)
+configure_file(fuzzer_unconnected.sh fuzzer_unconnected.sh COPYONLY)
+configure_file(fuzzer_connected.sh fuzzer_connected.sh COPYONLY)
+
+list(APPEND check_programs
+	fuzzer_unconnected.c
+	fuzzer_connected.c
+)
+
+foreach (source_file ${check_programs})
+	get_filename_component(source_file_we ${source_file} NAME_WE)
+	add_executable(
+		${source_file_we}
+		${source_file}
+	)
+
+	target_link_libraries(
+		${source_file_we}
+		usrsctp-static
+	)
+endforeach ()
+

fuzzer/crashtest.py

@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+import glob
+import subprocess
+import os
+
+reportdir = "reports/"
+fuzzer = "./fuzzer_connected"
+
+class bcolors:
+	HEADER = '\033[95m'
+	OKBLUE = '\033[94m'
+	OKGREEN = '\033[92m'
+	WARNING = '\033[93m'
+	FAIL = '\033[91m'
+	ENDC = '\033[0m'
+	BOLD = '\033[1m'
+	UNDERLINE = '\033[4m'
+
+
+print("Testing crashfiles")
+
+FNULL = open(os.devnull, "w")
+crashfiles = []
+crashfiles.extend(glob.glob("crash-*"))
+crashfiles.extend(glob.glob("timeout-*"))
+
+if not os.path.exists(reportdir):
+	os.makedirs(reportdir)
+
+num_files = len(crashfiles)
+filecounter = 1
+for filename in crashfiles:
+	filename_report = '{}{}{}'.format(reportdir, filename, '.report')
+	reportfile = open(filename_report, "w")
+	fuzzer_retval = subprocess.call([fuzzer, "-timeout=6", filename], stdout=reportfile, stderr=reportfile)
+	if fuzzer_retval == 0:
+		print(bcolors.FAIL, "[", filecounter, "/", num_files, "]", filename,"- not reproducable", bcolors.ENDC)
+		reportfile.close()
+		os.remove(filename_report)
+	else:
+		print(bcolors.OKGREEN, "[", filecounter, "/", num_files, "]", filename, "- reproducable", bcolors.ENDC)
+		reportfile.write("\n>> HEXDUMP <<\n\n")
+		reportfile.flush()
+		subprocess.call(["hexdump", "-Cv", filename], stdout=reportfile)
+
+	filecounter = filecounter + 1