From 04d617c9c194666747d0294526a388db053edaa7 Mon Sep 17 00:00:00 2001 From: Felix Weinrank Date: Sun, 25 Aug 2019 17:56:12 +0200 Subject: [PATCH] Fuzzer integration (#356) * Cleanup of merge error * Refactor fuzzing options * merge upcall with unconnected * Update CMAKE files * sync * disable prints, enable features * move setsockopt call * checkout master * revert compiler options * Revert compiler options * Do not dump packets to file by default * add sanitizer blacklist entries * update black list, rename programs * revert experimental changes * add mutex timeout * sync * sync * sync * sync * sync * cleanup * compile fix for gcc * fuzzer sync * sync * sync * sync * sync * sync * sync * sync * sync * sync * Rever temporary fix * compilefix * improve directory handling * be more verbose (#312) * Improve and of ICMP messages on Windows. When an ICMP message is received on Windows 10 for a UDP socket, WSAECONNRESET is reported as an error. In this case, just read again. Thanks to nxrighthere for reporting the issue and helping to nail it down. This fixes #309. * Fix broken links, Make URLs' protocols consistent (#315) Two Links missed leading `http(s)://` and were broken. All links to `tools.ietf.org` now consistently use https. * Backport https://svnweb.freebsd.org/base?view=revision&revision=340783 * Improve input validation for the IPPROTO_SCTP level socket options SCTP_CONNECT_X and SCTP_CONNECT_X_DELAYED. * Allow sending on demand SCTP HEARTBEATS only in the ESTABLISHED state. * Fix cross-build linux->mingw (#320) * sync * sync * sync * sync * sync * cmake cleanup * sync * sync * sync * sync * revert changes * Sync * sync * bugfix * bugfix * sync * sync * sync * sync * sync * sync * sync * sync * sync * sync * sync * sync * sync * sync * sync * Improve RNG for fuzzing * sync * fuzzer_connected * Sync * sync * sync * sync * sync * Sync * sync * chain.sh removed * sync * sync --- CMakeLists.txt | 19 ++- fuzzer/CMakeLists.txt | 93 +++++++++++ fuzzer/CORPUS_CONNECTED/tsctp-000000 | Bin 0 -> 128 bytes fuzzer/CORPUS_CONNECTED/tsctp-000001 | Bin 0 -> 504 bytes fuzzer/CORPUS_CONNECTED/tsctp-000002 | Bin 0 -> 384 bytes fuzzer/CORPUS_CONNECTED/tsctp-000003 | Bin 0 -> 14 bytes fuzzer/CORPUS_CONNECTED/tsctp-000004 | Bin 0 -> 44 bytes fuzzer/CORPUS_CONNECTED/tsctp-000005 | Bin 0 -> 1040 bytes fuzzer/CORPUS_CONNECTED/tsctp-000006 | Bin 0 -> 1040 bytes fuzzer/CORPUS_CONNECTED/tsctp-000007 | Bin 0 -> 1040 bytes fuzzer/CORPUS_CONNECTED/tsctp-000008 | Bin 0 -> 1040 bytes fuzzer/CORPUS_CONNECTED/tsctp-000009 | Bin 0 -> 1040 bytes fuzzer/CORPUS_CONNECTED/tsctp-000010 | Bin 0 -> 44 bytes fuzzer/CORPUS_CONNECTED/tsctp-000011 | Bin 0 -> 44 bytes fuzzer/CORPUS_CONNECTED/tsctp-000012 | Bin 0 -> 44 bytes fuzzer/CORPUS_CONNECTED/tsctp-000013 | Bin 0 -> 16 bytes fuzzer/CORPUS_CONNECTED/tsctp-000014 | Bin 0 -> 1040 bytes fuzzer/CORPUS_CONNECTED/tsctp-000015 | Bin 0 -> 1040 bytes fuzzer/CORPUS_CONNECTED/tsctp-000016 | Bin 0 -> 16 bytes fuzzer/CORPUS_CONNECTED/tsctp-000017 | Bin 0 -> 1040 bytes fuzzer/CORPUS_CONNECTED/tsctp-000018 | Bin 0 -> 1040 bytes fuzzer/CORPUS_CONNECTED/tsctp-000019 | Bin 0 -> 1040 bytes fuzzer/CORPUS_CONNECTED/tsctp-000020 | Bin 0 -> 16 bytes fuzzer/CORPUS_CONNECTED/tsctp-000021 | Bin 0 -> 16 bytes fuzzer/CORPUS_CONNECTED/tsctp-000022 | Bin 0 -> 16 bytes fuzzer/CORPUS_CONNECTED/tsctp-000023 | Bin 0 -> 16 bytes fuzzer/CORPUS_CONNECTED/tsctp-000024 | Bin 0 -> 16 bytes fuzzer/CORPUS_CONNECTED/tsctp-000025 | Bin 0 -> 16 bytes fuzzer/CORPUS_CONNECTED/tsctp-000026 | Bin 0 -> 8 bytes fuzzer/CORPUS_CONNECTED/tsctp-000027 | Bin 0 -> 14 bytes fuzzer/CORPUS_CONNECTED/tsctp-000028 | Bin 0 -> 4 bytes fuzzer/crashtest.py | 46 ++++++ fuzzer/fuzzer_connected.c | 236 +++++++++++++++++++++++++++ fuzzer/fuzzer_connected.sh | 5 + fuzzer/fuzzer_unconnected.c | 148 +++++++++++++++++ fuzzer/fuzzer_unconnected.sh | 5 + fuzzer/text2pcap.sh | 1 + programs/CMakeLists.txt | 2 +- programs/programs_helper.c | 2 +- usrsctplib/CMakeLists.txt | 9 +- usrsctplib/netinet/sctp_usrreq.c | 8 + usrsctplib/user_environment.c | 9 + 42 files changed, 577 insertions(+), 6 deletions(-) create mode 100644 fuzzer/CMakeLists.txt create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000000 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000001 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000002 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000003 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000004 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000005 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000006 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000007 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000008 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000009 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000010 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000011 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000012 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000013 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000014 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000015 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000016 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000017 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000018 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000019 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000020 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000021 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000022 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000023 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000024 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000025 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000026 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000027 create mode 100644 fuzzer/CORPUS_CONNECTED/tsctp-000028 create mode 100755 fuzzer/crashtest.py create mode 100644 fuzzer/fuzzer_connected.c create mode 100755 fuzzer/fuzzer_connected.sh create mode 100644 fuzzer/fuzzer_unconnected.c create mode 100755 fuzzer/fuzzer_unconnected.sh create mode 100644 fuzzer/text2pcap.sh diff --git a/CMakeLists.txt b/CMakeLists.txt index b381c1369..dfc2fb6ef 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -77,6 +77,12 @@ option(sctp_sanitizer_address "Compile with address sanitizer" 0) option(sctp_sanitizer_memory "Compile with memory sanitizer" 0) +option(sctp_build_fuzzer "Compile in clang fuzzing mode" 0) +if (sctp_build_fuzzer) + add_definitions(-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=fuzzer-no-link") +endif () + if (sctp_sanitizer_address AND sctp_sanitizer_memory) message(FATAL_ERROR "Can not compile with both sanitizer options") endif () @@ -212,12 +218,17 @@ if (CMAKE_C_COMPILER_ID MATCHES "Clang" OR CMAKE_C_COMPILER_ID MATCHES "AppleCla endif () if (sctp_sanitizer_address) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fno-omit-frame-pointer -g") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address,undefined,signed-integer-overflow -fno-sanitize-recover=all -fsanitize-address-use-after-scope ") endif () if (sctp_sanitizer_memory) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=memory -fno-omit-frame-pointer -g -fsanitize-memory-track-origins") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=memory -fsanitize-memory-track-origins -fPIE") + endif () + + if (sctp_sanitizer_address OR sctp_sanitizer_memory) + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-omit-frame-pointer -fsanitize-coverage=edge,indirect-calls,trace-cmp,trace-div,trace-gep") endif () + endif () # SETTINGS FOR VISUAL STUDIO COMPILER @@ -258,3 +269,7 @@ add_subdirectory(usrsctplib) if (sctp_build_programs) add_subdirectory(programs) endif () + +if (sctp_build_fuzzer) + add_subdirectory(fuzzer) +endif () diff --git a/fuzzer/CMakeLists.txt b/fuzzer/CMakeLists.txt new file mode 100644 index 000000000..c2b342732 --- /dev/null +++ b/fuzzer/CMakeLists.txt @@ -0,0 +1,93 @@ +# +# Copyright (C) 2015-2019 Felix Weinrank +# +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# 3. Neither the name of the project nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# + +#project(usrsctp-fuzzer C) + +################################################# +# INCLUDE MODULES +################################################# + +include(CheckIncludeFile) + + +################################################# +# CHECK INCLUDES +################################################# + +include_directories(${CMAKE_SOURCE_DIR}/usrsctplib) + + +################################################# +# OS DEPENDENT +################################################# + +if (CMAKE_SYSTEM_NAME MATCHES "Linux") + add_definitions(-D_GNU_SOURCE) +endif () + +if (CMAKE_SYSTEM_NAME MATCHES "Darwin") + add_definitions(-D__APPLE_USE_RFC_2292) +endif () + +################################################# +# COMPILER FLAGS +################################################# + +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-gnu-zero-variadic-macro-arguments") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=fuzzer") + + +################################################# +# PROGRAMS +################################################# + +# if in fuzzing mode, only build the fuzzer +configure_file(crashtest.py crashtest.py COPYONLY) +configure_file(fuzzer_unconnected.sh fuzzer_unconnected.sh COPYONLY) +configure_file(fuzzer_connected.sh fuzzer_connected.sh COPYONLY) + +list(APPEND check_programs + fuzzer_unconnected.c + fuzzer_connected.c +) + +foreach (source_file ${check_programs}) + get_filename_component(source_file_we ${source_file} NAME_WE) + add_executable( + ${source_file_we} + ${source_file} + ) + + target_link_libraries( + ${source_file_we} + usrsctp-static + ) +endforeach () + diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000000 b/fuzzer/CORPUS_CONNECTED/tsctp-000000 new file mode 100644 index 0000000000000000000000000000000000000000..5f4b76f2b35c2c61cc732228dacf0825a8edfffe GIT binary patch literal 128 zcmZQ%U}!K?G5pUUQ+S+#@&A8Slcnn$7#LU%0C58c1Lpz$gAGj#Kt)UpDidP%97x#T z*mp%lA)0OCPu5LhkEfrr`LKFd*^d9Z`fs%wSQt1Mm>C!wm>Jj_4gxjt0Qsy8Y(OZY Y#dK_egD8U_P!t53f#MujPF4m306DNEZ~y=R literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000001 b/fuzzer/CORPUS_CONNECTED/tsctp-000001 new file mode 100644 index 0000000000000000000000000000000000000000..f3f91d478c7d126d10b02943469e774a4ddce298 GIT binary patch literal 504 zcmZQ#VEn=CSvZ|RrtmleUBuJP>GPU}fOAa22ShPExW^8r6JCKSF!A3| z#SG+5px$7FC26 z3HuxSu81f^vrYWTx=HNu^m8^JR_`j?@n2W}trmt~d4PUr1^O7%&&^Oj2Qv*&SigPB X_N?&t<+$aYC;4)=S}s5EOsoR{!On$r literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000002 b/fuzzer/CORPUS_CONNECTED/tsctp-000002 new file mode 100644 index 0000000000000000000000000000000000000000..869584a95285828c038a82ec75592e42f949bced GIT binary patch literal 384 zcmd;LU~KSq^mWyB3U*O2)H7rNg1losAd2C^J$5ji@Crn5?s)6dy_SiP%k$A4Y@w^|J>3>*y1Ku<6; zur(Y6YT^O%SsB=XP(+LA*a8Pp20@@G2s8u5IY91aVqp9M@&nBNUAbAfOQd$?6D` literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000005 b/fuzzer/CORPUS_CONNECTED/tsctp-000005 new file mode 100644 index 0000000000000000000000000000000000000000..7663ed143b8858703f0f6b714872c5eea0a01136 GIT binary patch literal 1040 dcmZQzW)V;|S-PG90@NKx!DtAKhQNpo0RUp{1^WO1 literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000006 b/fuzzer/CORPUS_CONNECTED/tsctp-000006 new file mode 100644 index 0000000000000000000000000000000000000000..68612f5066b01ab4c1b38781935c3cda97d128fe GIT binary patch literal 1040 gcmZQzW)V;|S-OFNfq@Z-)g4E{Xb6mkz=#b20BZXM{Qv*} literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000007 b/fuzzer/CORPUS_CONNECTED/tsctp-000007 new file mode 100644 index 0000000000000000000000000000000000000000..a2575142a68a7bdea3d168e286ddb3dd3fe2780c GIT binary patch literal 1040 gcmZQzW)V;|S-O#dfq@B#)g4E{Xb6mkz=#b20CNci{{R30 literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000008 b/fuzzer/CORPUS_CONNECTED/tsctp-000008 new file mode 100644 index 0000000000000000000000000000000000000000..9bab1d94e8467f2bc3cb7bae57fd971f522c9d64 GIT binary patch literal 1040 gcmZQzW)V;|S-OdVfq@x_)g4E{Xb6mkz=#b20DBh(0RR91 literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000009 b/fuzzer/CORPUS_CONNECTED/tsctp-000009 new file mode 100644 index 0000000000000000000000000000000000000000..5c66cd4b3415bc79abf32ccd9310f4576eceaaee GIT binary patch literal 1040 gcmZQzW)V;|S-P2lfq?~x)g4E{Xb6mkz=#b20D~n40{{R3 literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000010 b/fuzzer/CORPUS_CONNECTED/tsctp-000010 new file mode 100644 index 0000000000000000000000000000000000000000..f1a5f41406b0015e9d5c01d5ae7c2c905d1d4b67 GIT binary patch literal 44 vcmZQ!V9;S;WYEYv=ELyd9y^2K?)z=~c2tUAbAfOQd$`%Ne literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000013 b/fuzzer/CORPUS_CONNECTED/tsctp-000013 new file mode 100644 index 0000000000000000000000000000000000000000..4f80bf75196a1af5db4c8348d6007615461d9977 GIT binary patch literal 16 WcmZQ(U=UC>S-PG)g4E{Xb6mkz=#b20IRD84FCWD literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000015 b/fuzzer/CORPUS_CONNECTED/tsctp-000015 new file mode 100644 index 0000000000000000000000000000000000000000..b6c31ae8975cf4d6fc2ae58eb0ffd59c607f6dfb GIT binary patch literal 1040 gcmZSJW)V;|S-O>hfq@N()g4E{Xb6mkz=#b20JFIU4*&oF literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000016 b/fuzzer/CORPUS_CONNECTED/tsctp-000016 new file mode 100644 index 0000000000000000000000000000000000000000..509437a11be9ca568bea75c30a27ba80bcdfb0bf GIT binary patch literal 16 WcmZQ(U=UC>S-O!yCg(T<5C8xe;sX)@ literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000017 b/fuzzer/CORPUS_CONNECTED/tsctp-000017 new file mode 100644 index 0000000000000000000000000000000000000000..c7674e229edfe7f0673531cf7341dca3aec4ff13 GIT binary patch literal 1040 gcmZSJW)V;|S-OpZfq@-})g4E{Xb6mkz=#b20K3Nq5dZ)H literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000018 b/fuzzer/CORPUS_CONNECTED/tsctp-000018 new file mode 100644 index 0000000000000000000000000000000000000000..482769e55db8037f959333894b382f4d4aa2b0e2 GIT binary patch literal 1040 gcmZSJW)V;|S-PEpfq?^v)g4E{Xb6mkz=#b20K?S=6951J literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000019 b/fuzzer/CORPUS_CONNECTED/tsctp-000019 new file mode 100644 index 0000000000000000000000000000000000000000..622af61b41b0c195613df6fd0766c637619d7d7c GIT binary patch literal 1040 gcmZSJW)V;|S-OLPfq@f<)g4E{Xb6mkz=#b20L$YB6#xJL literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000020 b/fuzzer/CORPUS_CONNECTED/tsctp-000020 new file mode 100644 index 0000000000000000000000000000000000000000..7074c9f3018f9434929e5e4a747bfbed8971bc50 GIT binary patch literal 16 WcmZQ(U=UC>S-P1)Cg(T<5C8xe^aB(C literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000021 b/fuzzer/CORPUS_CONNECTED/tsctp-000021 new file mode 100644 index 0000000000000000000000000000000000000000..1b2990f546dc556e6d61793b17a7f715bd86216b GIT binary patch literal 16 WcmZQ(U=UC>S-OQmCg(T<5C8xe{R0&M literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000022 b/fuzzer/CORPUS_CONNECTED/tsctp-000022 new file mode 100644 index 0000000000000000000000000000000000000000..2ccb150ada1005492748778cd5ed050b1910bfab GIT binary patch literal 16 WcmZQ(U=UC>S-O=$Cg(T<5C8xf1_KrV literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000023 b/fuzzer/CORPUS_CONNECTED/tsctp-000023 new file mode 100644 index 0000000000000000000000000000000000000000..dd56535fabd32c9a5253ee3a3962e5b0d2e684be GIT binary patch literal 16 WcmZQ(U=UC>S-OouCg(T<5C8xf4+9qf literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000024 b/fuzzer/CORPUS_CONNECTED/tsctp-000024 new file mode 100644 index 0000000000000000000000000000000000000000..9108b6c9a9e4d01def7f2c1c8ce1ab4776d8eae5 GIT binary patch literal 16 WcmZQ(U=UC>S-PD;Cg(T<5C8xf7y}pp literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000025 b/fuzzer/CORPUS_CONNECTED/tsctp-000025 new file mode 100644 index 0000000000000000000000000000000000000000..6ee1c5b4f0d4ce21d0d08d4e2256fa9644889230 GIT binary patch literal 16 WcmZQ(U=UC>S-OKkCg(T<5C8xfAp;oz literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000026 b/fuzzer/CORPUS_CONNECTED/tsctp-000026 new file mode 100644 index 0000000000000000000000000000000000000000..503dd8e5f11972ed96fa44a7f2f8c01d0c2ea808 GIT binary patch literal 8 PcmZQ)VBk0&>+Asl1!)1l literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000027 b/fuzzer/CORPUS_CONNECTED/tsctp-000027 new file mode 100644 index 0000000000000000000000000000000000000000..bd689bc93c35931ae38a544ad1dc02e935f0d03d GIT binary patch literal 14 Ncmd;JU|?Z@0{{T301W^D literal 0 HcmV?d00001 diff --git a/fuzzer/CORPUS_CONNECTED/tsctp-000028 b/fuzzer/CORPUS_CONNECTED/tsctp-000028 new file mode 100644 index 0000000000000000000000000000000000000000..d1e11efca0b43934dc1555e35064abfbab965c81 GIT binary patch literal 4 Lcmd;MU|<0N06+i} literal 0 HcmV?d00001 diff --git a/fuzzer/crashtest.py b/fuzzer/crashtest.py new file mode 100755 index 000000000..d9c3fe655 --- /dev/null +++ b/fuzzer/crashtest.py @@ -0,0 +1,46 @@ +#!/usr/bin/env python3 +import glob +import subprocess +import os + +reportdir = "reports/" +fuzzer = "./fuzzer_connected" + +class bcolors: + HEADER = '\033[95m' + OKBLUE = '\033[94m' + OKGREEN = '\033[92m' + WARNING = '\033[93m' + FAIL = '\033[91m' + ENDC = '\033[0m' + BOLD = '\033[1m' + UNDERLINE = '\033[4m' + + +print("Testing crashfiles") + +FNULL = open(os.devnull, "w") +crashfiles = [] +crashfiles.extend(glob.glob("crash-*")) +crashfiles.extend(glob.glob("timeout-*")) + +if not os.path.exists(reportdir): + os.makedirs(reportdir) + +num_files = len(crashfiles) +filecounter = 1 +for filename in crashfiles: + filename_report = '{}{}{}'.format(reportdir, filename, '.report') + reportfile = open(filename_report, "w") + fuzzer_retval = subprocess.call([fuzzer, "-timeout=6", filename], stdout=reportfile, stderr=reportfile) + if fuzzer_retval == 0: + print(bcolors.FAIL, "[", filecounter, "/", num_files, "]", filename,"- not reproducable", bcolors.ENDC) + reportfile.close() + os.remove(filename_report) + else: + print(bcolors.OKGREEN, "[", filecounter, "/", num_files, "]", filename, "- reproducable", bcolors.ENDC) + reportfile.write("\n>> HEXDUMP <<\n\n") + reportfile.flush() + subprocess.call(["hexdump", "-Cv", filename], stdout=reportfile) + + filecounter = filecounter + 1 diff --git a/fuzzer/fuzzer_connected.c b/fuzzer/fuzzer_connected.c new file mode 100644 index 000000000..ab049835c --- /dev/null +++ b/fuzzer/fuzzer_connected.c @@ -0,0 +1,236 @@ +/* + * Copyright (C) 2017-2019 Felix Weinrank + * + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include +#include +#include +#include +#include +#include + +//#define FUZZ_VERBOSE + +static const char *init_ack = "\x13\x89\xe7\xd0\xef\x38\x12\x25\x00\x00\x00\x00\x02\x00\x01\x4c" \ +"\x20\x0f\x67\x0d\x00\x02\x00\x00\x00\x04\x00\x04\xbd\xf0\x8d\x18" \ +"\xc0\x00\x00\x04\x80\x08\x00\x09\xc0\x0f\xc1\x80\x82\x00\x00\x00" \ +"\x80\x02\x00\x24\xfd\x30\xc7\x17\x34\x27\x17\x1c\xa2\xc6\x78\x20" \ +"\x62\xc3\xa1\x3f\xb6\x86\x92\x42\xc5\x0b\xb6\x36\xd7\xf6\xf4\x19" \ +"\xee\xd3\xc9\x1e\x80\x04\x00\x06\x00\x01\x00\x00\x80\x03\x00\x06" \ +"\x80\xc1\x00\x00\x00\x07\x00\xf4\x4b\x41\x4d\x45\x2d\x42\x53\x44" \ +"\x20\x31\x2e\x31\x00\x00\x00\x00\x25\xfa\x5e\x5d\x00\x00\x00\x00" \ +"\xe6\xc3\x0a\x00\x00\x00\x00\x00\x60\xea\x00\x00\x54\x6f\x2d\xff" \ +"\xd1\x7f\x68\x2a\x00\x00\x00\x01\x20\x0f\x67\x0d\x80\x3b\x00\x00" \ +"\xc0\x60\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00" \ +"\x80\x3b\x00\x00\xc0\x60\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \ +"\x04\x00\x00\x00\x00\x00\x00\x00\x13\x88\x13\x88\x00\x00\x01\x00" \ +"\x01\x01\x01\x00\x00\x00\x00\x00\x01\x00\x00\x14\x01\x00\x00\x00" \ +"\x00\x00\x20\x00\x00\x08\x00\x08\x00\x00\x00\x01\x02\x00\x01\x4c" \ +"\x20\x0f\x67\x0d\x00\x02\x00\x00\x00\x04\x00\x04\xbd\xf0\x8d\x18" \ +"\xc0\x00\x00\x04\x80\x08\x00\x09\xc0\x0f\xc1\x80\x82\x00\x00\x00" \ +"\x80\x02\x00\x24\xfd\x30\xc7\x17\x34\x27\x17\x1c\xa2\xc6\x78\x20" \ +"\x62\xc3\xa1\x3f\xb6\x86\x92\x42\xc5\x0b\xb6\x36\xd7\xf6\xf4\x19" \ +"\xee\xd3\xc9\x1e\x80\x04\x00\x06\x00\x01\x00\x00\x80\x03\x00\x06" \ +"\x80\xc1\x00\x00\x41\xc3\xed\x62\x2c\x1c\x3c\x03\x41\x6d\x17\xc8" \ +"\xd8\x64\xff\xe2\x25\xd6\x81\x9e"; + +static const char *cookie_ack = "\x13\x89\xe7\xd0\xef\x38\x12\x25\x00\x00\x00\x00\x0b\x00\x00\x04"; +static const char *common_header = "\x13\x89\xe7\xd0\xef\x38\x12\x25\x00\x00\x00\x00"; + +#ifdef FUZZ_VERBOSE +static char *dump_buf; +void +debug_printf(const char *format, ...) +{ + static struct timeval time_main; + + va_list ap; + struct timeval time_now; + struct timeval time_delta; + + if (time_main.tv_sec == 0 && time_main.tv_usec == 0) { + gettimeofday(&time_main, NULL); + } + + gettimeofday(&time_now, NULL); + timersub(&time_now, &time_main, &time_delta); + + fprintf(stderr, "[%u.%03u] ", (unsigned int) time_delta.tv_sec, (unsigned int) time_delta.tv_usec / 1000); + + va_start(ap, format); + vprintf(format, ap); + va_end(ap); +} +#else +void +debug_printf(const char *format, ...) +{ +} +#endif + + +static int +conn_output(void *addr, void *buf, size_t length, uint8_t tos, uint8_t set_df) +{ +#ifdef FUZZ_VERBOSE + if ((dump_buf = usrsctp_dumppacket(buf, length, SCTP_DUMP_OUTBOUND)) != NULL) { + fprintf(stderr, "%s", dump_buf); + usrsctp_freedumpbuffer(dump_buf); + } +#endif + return (0); +} + + +static void +handle_upcall(struct socket *sock, void *arg, int flgs) +{ + debug_printf("handle_upcall() called - implement logic!\n"); +} + + +int +initialize_fuzzer(void) { +#ifdef FUZZ_VERBOSE + usrsctp_init(0, conn_output, debug_printf); +#else + usrsctp_init(0, conn_output, NULL); +#endif + usrsctp_enable_crc32c_offload(); + /* set up a connected UDP socket */ +#ifdef SCTP_DEBUG + usrsctp_sysctl_set_sctp_debug_on(SCTP_DEBUG_ALL); +#endif + usrsctp_register_address((void *)1); + debug_printf("usrsctp initialized\n"); + return 1; +} + + +int +LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) +{ + static int initialized; + char *pktbuf; + struct sockaddr_conn sconn; + struct socket *socket_client; + struct linger so_linger; + struct sctp_event event; + unsigned long i; + uint16_t event_types[] = { + SCTP_ASSOC_CHANGE, + SCTP_PEER_ADDR_CHANGE, + SCTP_SEND_FAILED_EVENT, + SCTP_REMOTE_ERROR, + SCTP_SHUTDOWN_EVENT, + SCTP_ADAPTATION_INDICATION, + SCTP_PARTIAL_DELIVERY_EVENT + }; + + if (!initialized) { + initialized = initialize_fuzzer(); + } + + if ((socket_client = usrsctp_socket(AF_CONN, SOCK_STREAM, IPPROTO_SCTP, NULL, NULL, 0, 0)) == NULL) { + perror("usrsctp_socket"); + exit(EXIT_FAILURE); + } + + usrsctp_set_non_blocking(socket_client, 1); + + so_linger.l_onoff = 1; + so_linger.l_linger = 0; + if (usrsctp_setsockopt(socket_client, SOL_SOCKET, SO_LINGER, &so_linger, sizeof(struct linger)) < 0) { + perror("usrsctp_setsockopt 1"); + exit(EXIT_FAILURE); + } + + memset(&event, 0, sizeof(event)); + event.se_assoc_id = SCTP_FUTURE_ASSOC; + event.se_on = 1; + for (i = 0; i < sizeof(event_types)/sizeof(uint16_t); i++) { + event.se_type = event_types[i]; + if (usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(event)) < 0) { + perror("setsockopt SCTP_EVENT socket_client"); + exit(EXIT_FAILURE); + } + } + + usrsctp_set_upcall(socket_client, handle_upcall, NULL); + + memset(&sconn, 0, sizeof(struct sockaddr_conn)); + sconn.sconn_family = AF_CONN; +#ifdef HAVE_SCONN_LEN + sconn.sconn_len = sizeof(struct sockaddr_conn); +#endif + sconn.sconn_port = htons(5001); + sconn.sconn_addr = (void *)1; + if (usrsctp_connect(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn)) < 0) { + if (errno != EINPROGRESS) { + perror("usrsctp_connect"); + exit(EXIT_FAILURE); + } + } + +#ifdef FUZZ_VERBOSE + if ((dump_buf = usrsctp_dumppacket(init_ack, 344, SCTP_DUMP_INBOUND)) != NULL) { + fprintf(stderr, "%s", dump_buf); + usrsctp_freedumpbuffer(dump_buf); + } +#endif + usrsctp_conninput((void *)1, init_ack, 344, 0); + +#ifdef FUZZ_VERBOSE + if ((dump_buf = usrsctp_dumppacket(cookie_ack, 16, SCTP_DUMP_INBOUND)) != NULL) { + fprintf(stderr, "%s", dump_buf); + usrsctp_freedumpbuffer(dump_buf); + } +#endif + usrsctp_conninput((void *)1, cookie_ack, 16, 0); + + // concat common header and fuzzer input + pktbuf = malloc(data_size + 12); + memcpy(pktbuf, common_header, 12); + memcpy(pktbuf + 12, data, data_size); + +#ifdef FUZZ_VERBOSE + debug_printf(">>>> INJECTING\n"); + if ((dump_buf = usrsctp_dumppacket(pktbuf, data_size + 12, SCTP_DUMP_INBOUND)) != NULL) { + fprintf(stderr, "%s", dump_buf); + usrsctp_freedumpbuffer(dump_buf); + } +#endif + usrsctp_conninput((void *)1, pktbuf, data_size + 12, 0); + + usrsctp_close(socket_client); + free(pktbuf); + return (0); +} + + diff --git a/fuzzer/fuzzer_connected.sh b/fuzzer/fuzzer_connected.sh new file mode 100755 index 000000000..b591bb970 --- /dev/null +++ b/fuzzer/fuzzer_connected.sh @@ -0,0 +1,5 @@ +#!/bin/bash +export ASAN_OPTIONS=abort_on_error=1:disable_core=0:unmap_shadow_on_exit=1:disable_coredump=0 +ulimit -c unlimited +mkdir -p CORPUS_CONNECTED +./fuzzer_connected -jobs=32 -timeout=10 -max_len=4086 CORPUS_CONNECTED diff --git a/fuzzer/fuzzer_unconnected.c b/fuzzer/fuzzer_unconnected.c new file mode 100644 index 000000000..2cc353f1c --- /dev/null +++ b/fuzzer/fuzzer_unconnected.c @@ -0,0 +1,148 @@ +/* + * Copyright (C) 2017-2019 Felix Weinrank + * + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include +#include +#include +#include + +#define FUZZ_FAST 1 + +struct sockaddr_conn sconn; +struct socket *s_l; + +static int +conn_output(void *addr, void *buf, size_t length, uint8_t tos, uint8_t set_df) +{ +#if 0 + char *dump_buf; + if ((dump_buf = usrsctp_dumppacket(buf, length, SCTP_DUMP_OUTBOUND)) != NULL) { + fprintf(stderr, "%s", dump_buf); + usrsctp_freedumpbuffer(dump_buf); + } +#endif + return (0); +} + +static void +handle_upcall(struct socket *sock, void *arg, int flgs) +{ + fprintf(stderr, "Listening socket established, implement logic!\n"); + exit(EXIT_FAILURE); +} + +int +init_fuzzer(void) { + static uint8_t initialized = 0; + struct sctp_event event; + uint16_t event_types[] = { + SCTP_ASSOC_CHANGE, + SCTP_PEER_ADDR_CHANGE, + SCTP_SEND_FAILED_EVENT, + SCTP_REMOTE_ERROR, + SCTP_SHUTDOWN_EVENT, + SCTP_ADAPTATION_INDICATION, + SCTP_PARTIAL_DELIVERY_EVENT}; + unsigned long i; + +#if defined(FUZZ_FAST) + if (initialized) { + return 0; + } +#endif + + usrsctp_init(0, conn_output, NULL); + usrsctp_enable_crc32c_offload(); + /* set up a connected UDP socket */ +#ifdef SCTP_DEBUG + usrsctp_sysctl_set_sctp_debug_on(SCTP_DEBUG_ALL); +#endif + usrsctp_register_address((void *)1); + + if ((s_l = usrsctp_socket(AF_CONN, SOCK_STREAM, IPPROTO_SCTP, NULL, NULL, 0, 0)) == NULL) { + perror("usrsctp_socket"); + exit(EXIT_FAILURE); + } + usrsctp_set_non_blocking(s_l, 1); + + /* Bind the server side. */ + memset(&sconn, 0, sizeof(struct sockaddr_conn)); + sconn.sconn_family = AF_CONN; +#ifdef HAVE_SCONN_LEN + sconn.sconn_len = sizeof(struct sockaddr_conn); +#endif + sconn.sconn_port = htons(5001); + sconn.sconn_addr = (void *)1; + if (usrsctp_bind(s_l, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn)) < 0) { + perror("usrsctp_bind"); + exit(EXIT_FAILURE); + } + + memset(&event, 0, sizeof(event)); + event.se_assoc_id = SCTP_FUTURE_ASSOC; + event.se_on = 1; + for (i = 0; i < sizeof(event_types)/sizeof(uint16_t); i++) { + event.se_type = event_types[i]; + if (usrsctp_setsockopt(s_l, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(event)) < 0) { + perror("setsockopt SCTP_EVENT s_l"); + exit(EXIT_FAILURE); + } + } + + /* Make server side passive... */ + if (usrsctp_listen(s_l, 1) < 0) { + perror("usrsctp_listen"); + exit(EXIT_FAILURE); + } + + usrsctp_set_upcall(s_l, handle_upcall, NULL); + + initialized = 1; + + return (0); +} + +int +LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) +{ + init_fuzzer(); + usrsctp_conninput((void *)1, data, data_size, 0); + +#if !defined(FUZZ_FAST) + usrsctp_close(s_l); + while (usrsctp_finish() != 0) { + //sleep(1); + } +#endif + + return (0); +} + + diff --git a/fuzzer/fuzzer_unconnected.sh b/fuzzer/fuzzer_unconnected.sh new file mode 100755 index 000000000..d9efd5250 --- /dev/null +++ b/fuzzer/fuzzer_unconnected.sh @@ -0,0 +1,5 @@ +#!/bin/bash +export ASAN_OPTIONS=abort_on_error=1:disable_core=0:unmap_shadow_on_exit=1:disable_coredump=0 +ulimit -c unlimited +mkdir -p CORPUS_UNCONNECTED +./fuzzer_unconnected -jobs=32 -timeout=10 -max_len=4086 CORPUS_UNCONNECTED diff --git a/fuzzer/text2pcap.sh b/fuzzer/text2pcap.sh new file mode 100644 index 000000000..0c46c3be6 --- /dev/null +++ b/fuzzer/text2pcap.sh @@ -0,0 +1 @@ +text2pcap -n -l 248 -D -t "%H:%M:%S." fuzzer.log fuzzer.pcapng diff --git a/programs/CMakeLists.txt b/programs/CMakeLists.txt index 45c772b87..d9b89d823 100644 --- a/programs/CMakeLists.txt +++ b/programs/CMakeLists.txt @@ -65,7 +65,7 @@ if (MSYS OR MINGW) if (CMAKE_C_COMPILER_ID MATCHES "GNU") message(STATUS "MSYS / MINGW + GCC") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-format") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-format") endif () endif () diff --git a/programs/programs_helper.c b/programs/programs_helper.c index 0325a816e..0119f3053 100644 --- a/programs/programs_helper.c +++ b/programs/programs_helper.c @@ -47,7 +47,7 @@ debug_printf(const char *format, ...) gettimeofday(&time_now, NULL); timersub(&time_now, &time_main, &time_delta); - printf("[%u.%03u] ", (unsigned int) time_delta.tv_sec, (unsigned int) time_delta.tv_usec / 1000); + fprintf(stderr, "[%u.%03u] ", (unsigned int) time_delta.tv_sec, (unsigned int) time_delta.tv_usec / 1000); va_start(ap, format); vprintf(format, ap); diff --git a/usrsctplib/CMakeLists.txt b/usrsctplib/CMakeLists.txt index 3194e253d..2d95610a3 100644 --- a/usrsctplib/CMakeLists.txt +++ b/usrsctplib/CMakeLists.txt @@ -59,13 +59,13 @@ endif () if (CMAKE_SYSTEM_NAME MATCHES "FreeBSD") add_definitions(-U__FreeBSD__) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-address-of-packed-member") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-address-of-packed-member") endif () if (CMAKE_SYSTEM_NAME MATCHES "Darwin") add_definitions(-U__APPLE__) add_definitions(-D__APPLE_USE_RFC_2292) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-address-of-packed-member -Wno-deprecated-declarations") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-address-of-packed-member -Wno-deprecated-declarations") endif () if (CMAKE_SYSTEM_NAME MATCHES "DragonFly") @@ -80,6 +80,11 @@ if (CMAKE_SYSTEM_NAME MATCHES "OpenBSD") add_definitions(-U__OpenBSD__) endif () +################################################# +# MISC +################################################# + + ################################################# # LIBRARY FILES diff --git a/usrsctplib/netinet/sctp_usrreq.c b/usrsctplib/netinet/sctp_usrreq.c index 5ff7a2a8a..dd5929dc7 100755 --- a/usrsctplib/netinet/sctp_usrreq.c +++ b/usrsctplib/netinet/sctp_usrreq.c @@ -92,11 +92,19 @@ sctp_init(void) sctp_init_sysctls(); #if defined(__Userspace__) #if defined(__Userspace_os_Windows) || defined(__Userspace_os_NaCl) +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + srand(0); +#else srand((unsigned int)time(NULL)); +#endif +#else +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + srandom(0); #else srandom(getpid()); /* so inp->sctp_ep.random_numbers are truly random... */ #endif #endif +#endif #if defined(__Panda__) sctp_sendspace = SB_MAX; sctp_recvspace = SB_MAX; diff --git a/usrsctplib/user_environment.c b/usrsctplib/user_environment.c index 767c4ba4d..cb77a220e 100755 --- a/usrsctplib/user_environment.c +++ b/usrsctplib/user_environment.c @@ -64,6 +64,14 @@ userland_mutex_t atomic_mtx; * provide _some_ kind of randomness. This should only be used * inside other RNG's, like arc4random(9). */ +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +static int +read_random_phony(void *buf, int count) +{ + memset(buf, 'A', count); + return (count); +} +#else #if defined(__Userspace_os_FreeBSD) || defined(__Userspace_os_Darwin) static int read_random_phony(void *buf, int count) @@ -92,6 +100,7 @@ read_random_phony(void *buf, int count) return (count); } #endif +#endif static int (*read_func)(void *, int) = read_random_phony;