1 /*
2 * Copyright (c) 2001-2003 Swedish Institute of Computer Science.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without modification,
6 * are permitted provided that the following conditions are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright notice,
9 * this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
13 * 3. The name of the author may not be used to endorse or promote products
14 * derived from this software without specific prior written permission.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
17 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
18 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
19 * SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
20 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
21 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
22 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
23 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
24 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
25 * OF SUCH DAMAGE.
26 *
27 * This file is part of the lwIP TCP/IP stack.
28 *
29 * Author: Erik Ekman <erik@kryo.se>
30 * Simon Goldschmidt <goldsimon@gmx.de>
31 *
32 */
33
34 #include "fuzz_common.h"
35
36 #include "lwip/altcp_tcp.h"
37 #include "lwip/dns.h"
38 #include "lwip/init.h"
39 #include "lwip/netif.h"
40 #include "lwip/sys.h"
41 #include "lwip/timeouts.h"
42 #include "lwip/udp.h"
43 #include "netif/etharp.h"
44 #if LWIP_IPV6
45 #include "lwip/ethip6.h"
46 #include "lwip/nd6.h"
47 #endif
48
49 #include "lwip/apps/httpd.h"
50 #include "lwip/apps/snmp.h"
51 #include "lwip/apps/lwiperf.h"
52 #include "lwip/apps/mdns.h"
53
54 #include <string.h>
55 #include <stdio.h>
56
57 static u8_t pktbuf[200000];
58 static const u8_t *remfuzz_ptr; /* remaining fuzz pointer */
59 static size_t remfuzz_len; /* remaining fuzz length */
60
61 #ifndef FUZZ_DEBUG
62 #define FUZZ_DEBUG LWIP_DBG_OFF
63 #endif
64
65 #ifdef LWIP_FUZZ_SYS_NOW
66 /* This offset should be added to the time 'sys_now()' returns */
67 u32_t sys_now_offset;
68 #endif
69
70 /** Set this to 1 and define FUZZ_DUMP_PCAP_FILE to dump tx and rx packets into
71 * a pcap file. At the same time, packet info is written via LWIP_DEBUGF so
72 * packets can be matched to other events for debugging them.
73 */
74 #ifndef FUZZ_DUMP_PCAP
75 #define FUZZ_DUMP_PCAP 0
76 #endif
77
78 #if FUZZ_DUMP_PCAP
79 const u8_t pcap_file_header[24] = {
80 0xd4, 0xc3, 0xb2, 0xa1, 0x02, 0x00, 0x04, 0x00,
81 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
82 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00
83 };
84
85 static FILE* fpcap;
86 static u32_t pcap_packet;
87
pcap_dump_init(void)88 static void pcap_dump_init(void)
89 {
90 fpcap = fopen(FUZZ_DUMP_PCAP_FILE, "wb");
91 if (fpcap != NULL) {
92 /* write header */
93 fwrite(pcap_file_header, 1, sizeof(pcap_file_header), fpcap);
94 }
95 }
96
97 /* This function might have to be called from LWIP_PLATFORM_ASSERT()
98 * in order to produce correct pcap results on crash.
99 * Define this global so that for a test, we can call this from anywhere...
100 */
101 void pcap_dump_stop(void);
pcap_dump_stop(void)102 void pcap_dump_stop(void)
103 {
104 if (fpcap != NULL) {
105 fclose(fpcap);
106 fpcap = NULL;
107 }
108 }
109
pcap_dump_packet(struct pbuf * p,int is_tx)110 static void pcap_dump_packet(struct pbuf *p, int is_tx)
111 {
112 if (fpcap != NULL) {
113 struct pbuf *q;
114 u32_t data;
115 pcap_packet++;
116 if (is_tx) {
117 LWIP_DEBUGF(FUZZ_DEBUG, ("> %d fuzz: netif: send %u bytes\n", pcap_packet, p->tot_len));
118 } else {
119 LWIP_DEBUGF(FUZZ_DEBUG, ("< %d fuzz: RX packet of %u bytes\n", pcap_packet, p->tot_len));
120 if (pcap_packet == 50 || pcap_packet == 33 || pcap_packet == 29) {
121 pcap_packet++;
122 pcap_packet--;
123 }
124 }
125 /* write packet header */
126 fwrite(&pcap_packet, 1, sizeof(pcap_packet), fpcap);
127 data = 0;
128 fwrite(&data, 1, sizeof(data), fpcap);
129 data = p->tot_len;
130 fwrite(&data, 1, sizeof(data), fpcap);
131 fwrite(&data, 1, sizeof(data), fpcap);
132 /* write packet data */
133 for(q = p; q != NULL; q = q->next) {
134 fwrite(q->payload, 1, q->len, fpcap);
135 }
136 }
137 }
138
pcap_dump_rx_packet(struct pbuf * p)139 static void pcap_dump_rx_packet(struct pbuf *p)
140 {
141 pcap_dump_packet(p, 0);
142 }
143
pcap_dump_tx_packet(struct pbuf * p)144 static void pcap_dump_tx_packet(struct pbuf *p)
145 {
146 pcap_dump_packet(p, 1);
147 }
148 #else /* FUZZ_DUMP_PCAP */
149 #define pcap_dump_rx_packet(p)
150 #define pcap_dump_tx_packet(p)
151 #define pcap_dump_init()
152 #define pcap_dump_stop()
153 #endif /* FUZZ_DUMP_PCAP */
154
155 /* no-op send function */
lwip_tx_func(struct netif * netif,struct pbuf * p)156 static err_t lwip_tx_func(struct netif *netif, struct pbuf *p)
157 {
158 pcap_dump_tx_packet(p);
159 LWIP_UNUSED_ARG(netif);
160 LWIP_UNUSED_ARG(p);
161 return ERR_OK;
162 }
163
testif_init(struct netif * netif)164 static err_t testif_init(struct netif *netif)
165 {
166 netif->name[0] = 'f';
167 netif->name[1] = 'z';
168 netif->output = etharp_output;
169 netif->linkoutput = lwip_tx_func;
170 netif->mtu = 1500;
171 netif->hwaddr_len = 6;
172 netif->flags = NETIF_FLAG_BROADCAST | NETIF_FLAG_ETHARP | NETIF_FLAG_IGMP;
173
174 netif->hwaddr[0] = 0x00;
175 netif->hwaddr[1] = 0x23;
176 netif->hwaddr[2] = 0xC1;
177 netif->hwaddr[3] = 0xDE;
178 netif->hwaddr[4] = 0xD0;
179 netif->hwaddr[5] = 0x0D;
180
181 #if LWIP_IPV6
182 netif->output_ip6 = ethip6_output;
183 netif_create_ip6_linklocal_address(netif, 1);
184 netif->flags |= NETIF_FLAG_MLD6;
185 #endif
186
187 return ERR_OK;
188 }
189
input_pkt(struct netif * netif,const u8_t * data,size_t len)190 static void input_pkt(struct netif *netif, const u8_t *data, size_t len)
191 {
192 struct pbuf *p, *q;
193 err_t err;
194
195 if (len > 0xFFFF) {
196 printf("pkt too big (%#zX bytes)\n", len);
197 return;
198 }
199
200 p = pbuf_alloc(PBUF_RAW, (u16_t)len, PBUF_POOL);
201 LWIP_ASSERT("alloc failed", p);
202 for(q = p; q != NULL; q = q->next) {
203 MEMCPY(q->payload, data, q->len);
204 data += q->len;
205 }
206 remfuzz_ptr += len;
207 remfuzz_len -= len;
208 pcap_dump_rx_packet(p);
209 err = netif->input(p, netif);
210 if (err != ERR_OK) {
211 pbuf_free(p);
212 }
213 }
214
input_pkts(enum lwip_fuzz_type type,struct netif * netif,const u8_t * data,size_t len)215 static void input_pkts(enum lwip_fuzz_type type, struct netif *netif, const u8_t *data, size_t len)
216 {
217 size_t packet_nr = 0;
218 remfuzz_ptr = data;
219 remfuzz_len = len;
220
221 if (type == LWIP_FUZZ_SINGLE) {
222 input_pkt(netif, data, len);
223 } else {
224 const u16_t max_packet_size = 1514;
225 const size_t minlen = sizeof(u16_t) + (type == LWIP_FUZZ_MULTIPACKET_TIME ? sizeof(u32_t) : 0);
226
227 while (remfuzz_len > minlen) {
228 u16_t frame_len;
229 #ifdef LWIP_FUZZ_SYS_NOW
230 u32_t external_delay = 0;
231 #endif
232 packet_nr++;
233 if (type == LWIP_FUZZ_MULTIPACKET_TIME) {
234 #ifdef LWIP_FUZZ_SYS_NOW
235 /* Extract external delay time from fuzz pool */
236 memcpy(&external_delay, remfuzz_ptr, sizeof(u32_t));
237 external_delay = ntohl(external_delay);
238 #endif
239 remfuzz_ptr += sizeof(u32_t);
240 remfuzz_len -= sizeof(u32_t);
241 }
242 memcpy(&frame_len, remfuzz_ptr, sizeof(u16_t));
243 remfuzz_ptr += sizeof(u16_t);
244 remfuzz_len -= sizeof(u16_t);
245 frame_len = ntohs(frame_len) & 0x7FF;
246 frame_len = LWIP_MIN(frame_len, max_packet_size);
247 if (frame_len > remfuzz_len) {
248 frame_len = (u16_t)remfuzz_len;
249 }
250 if (frame_len != 0) {
251 if (type == LWIP_FUZZ_MULTIPACKET_TIME) {
252 #ifdef LWIP_FUZZ_SYS_NOW
253 /* Update total external delay time, and check timeouts */
254 sys_now_offset += external_delay;
255 LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: sys_now_offset += %u -> %u\n", external_delay, sys_now_offset));
256 #endif
257 sys_check_timeouts();
258 }
259 input_pkt(netif, remfuzz_ptr, frame_len);
260 /* Check timeouts again */
261 sys_check_timeouts();
262 }
263 }
264 }
265 }
266
267 #if LWIP_TCP
268 static struct altcp_pcb *tcp_client_pcb; /* a pcb for the TCP client */
269 static struct altcp_pcb *tcp_server_pcb; /* a pcb for the TCP server */
270 static u16_t tcp_remote_port; /* a TCP port number of the destination */
271 static u16_t tcp_local_port; /* a TCP port number of the local server */
272
273 /**
274 * tcp_app_fuzz_input
275 * Input fuzz with a write function for TCP.
276 */
277 static void
tcp_app_fuzz_input(struct altcp_pcb * pcb)278 tcp_app_fuzz_input(struct altcp_pcb *pcb)
279 {
280 if (remfuzz_len > sizeof(u16_t)) {
281 /*
282 * (max IP packet size) - ((minimum IP header size) + (minimum TCP header size))
283 * = 65535 - (20 + 20)
284 * = 65495
285 */
286 const u16_t max_data_size = 65495;
287 u16_t data_len;
288
289 memcpy(&data_len, remfuzz_ptr, sizeof(u16_t));
290 remfuzz_ptr += sizeof(u16_t);
291 remfuzz_len -= sizeof(u16_t);
292 data_len = ntohs(data_len);
293 data_len = LWIP_MIN(data_len, max_data_size);
294 if (data_len > remfuzz_len) {
295 data_len = (u16_t)remfuzz_len;
296 }
297
298 if (data_len != 0) {
299 LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: tcp: write %u bytes\n", data_len));
300 altcp_write(pcb, remfuzz_ptr, data_len, TCP_WRITE_FLAG_COPY);
301 altcp_output(pcb);
302 } else {
303 LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: tcp: close\n"));
304 altcp_close(pcb);
305 }
306
307 remfuzz_ptr += data_len;
308 remfuzz_len -= data_len;
309 }
310 }
311
312 /**
313 * tcp_client_connected
314 * A connected callback function (for the TCP client)
315 */
316 static err_t
tcp_client_connected(void * arg,struct altcp_pcb * pcb,err_t err)317 tcp_client_connected(void *arg, struct altcp_pcb *pcb, err_t err)
318 {
319 LWIP_UNUSED_ARG(arg);
320 LWIP_UNUSED_ARG(err);
321
322 LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: tcp: tcp_client_connected\n"));
323 tcp_app_fuzz_input(pcb);
324
325 return ERR_OK;
326 }
327
328 /**
329 * tcp_client_recv
330 * A recv callback function (for the TCP client)
331 */
332 static err_t
tcp_client_recv(void * arg,struct altcp_pcb * pcb,struct pbuf * p,err_t err)333 tcp_client_recv(void *arg, struct altcp_pcb *pcb, struct pbuf *p, err_t err)
334 {
335 LWIP_UNUSED_ARG(arg);
336 LWIP_UNUSED_ARG(err);
337
338 if (p == NULL) {
339 altcp_close(pcb);
340 } else {
341 altcp_recved(pcb, p->tot_len);
342 LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: tcp: tcp_client_recv: %d\n", p->tot_len));
343 tcp_app_fuzz_input(pcb);
344 pbuf_free(p);
345 }
346
347 return ERR_OK;
348 }
349
350 /**
351 * tcp_client_sent
352 * A sent callback function (for the TCP client)
353 */
354 static err_t
tcp_client_sent(void * arg,struct altcp_pcb * pcb,u16_t len)355 tcp_client_sent(void *arg, struct altcp_pcb *pcb, u16_t len)
356 {
357 LWIP_UNUSED_ARG(arg);
358 LWIP_UNUSED_ARG(pcb);
359 LWIP_UNUSED_ARG(len);
360 return ERR_OK;
361 }
362
363 /**
364 * tcp_client_poll
365 * A poll callback function (for the TCP client)
366 */
367 static err_t
tcp_client_poll(void * arg,struct altcp_pcb * pcb)368 tcp_client_poll(void *arg, struct altcp_pcb *pcb)
369 {
370 LWIP_UNUSED_ARG(arg);
371 LWIP_UNUSED_ARG(pcb);
372 return ERR_OK;
373 }
374
375 /**
376 * tcp_client_err
377 * An err callback function (for the TCP client)
378 */
379 static void
tcp_client_err(void * arg,err_t err)380 tcp_client_err(void *arg, err_t err)
381 {
382 LWIP_UNUSED_ARG(arg);
383 LWIP_UNUSED_ARG(err);
384 }
385
386 /**
387 * tcp_server_recv
388 * A recv callback function (for the TCP server)
389 */
390 static err_t
tcp_server_recv(void * arg,struct altcp_pcb * pcb,struct pbuf * p,err_t err)391 tcp_server_recv(void *arg, struct altcp_pcb *pcb, struct pbuf *p, err_t err)
392 {
393 LWIP_UNUSED_ARG(arg);
394 LWIP_UNUSED_ARG(err);
395
396 if (p == NULL) {
397 altcp_close(pcb);
398 } else {
399 altcp_recved(pcb, p->tot_len);
400 LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: tcp: tcp_server_recv: %d\n", p->tot_len));
401 tcp_app_fuzz_input(pcb);
402 pbuf_free(p);
403 }
404
405 return ERR_OK;
406 }
407
408 /**
409 * tcp_server_sent
410 * A sent callback function (for the TCP server)
411 */
412 static err_t
tcp_server_sent(void * arg,struct altcp_pcb * pcb,u16_t len)413 tcp_server_sent(void *arg, struct altcp_pcb *pcb, u16_t len)
414 {
415 LWIP_UNUSED_ARG(arg);
416 LWIP_UNUSED_ARG(pcb);
417 LWIP_UNUSED_ARG(len);
418 return ERR_OK;
419 }
420
421 /**
422 * tcp_server_poll
423 * A poll callback function (for the TCP server)
424 */
425 static err_t
tcp_server_poll(void * arg,struct altcp_pcb * pcb)426 tcp_server_poll(void *arg, struct altcp_pcb *pcb)
427 {
428 LWIP_UNUSED_ARG(arg);
429 LWIP_UNUSED_ARG(pcb);
430 return ERR_OK;
431 }
432
433 /**
434 * tcp_server_err
435 * An err callbuck function (for the TCP server)
436 */
437 static void
tcp_server_err(void * arg,err_t err)438 tcp_server_err(void *arg, err_t err)
439 {
440 LWIP_UNUSED_ARG(arg);
441 LWIP_UNUSED_ARG(err);
442 }
443
444 /**
445 * tcp_server_accept
446 * An accept callbuck function (for the TCP server)
447 */
448 static err_t
tcp_server_accept(void * arg,struct altcp_pcb * pcb,err_t err)449 tcp_server_accept(void *arg, struct altcp_pcb *pcb, err_t err)
450 {
451 LWIP_UNUSED_ARG(arg);
452 LWIP_UNUSED_ARG(err);
453
454 if ((err != ERR_OK) || (pcb == NULL)) {
455 return ERR_VAL;
456 }
457 LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: accept from remote\n"));
458
459 altcp_setprio(pcb, TCP_PRIO_MIN);
460
461 altcp_recv(pcb, tcp_server_recv);
462 altcp_err(pcb, tcp_server_err);
463 altcp_poll(pcb, tcp_server_poll, 10);
464 altcp_sent(pcb, tcp_server_sent);
465
466 return ERR_OK;
467 }
468 #endif /* LWIP_TCP */
469
470 #if LWIP_UDP
471 static struct udp_pcb *udp_client_pcb; /* a pcb for the UDP client */
472 static struct udp_pcb *udp_server_pcb; /* a pcb for the UDP server */
473 static u16_t udp_remote_port; /* a UDP port number of the destination */
474 static u16_t udp_local_port; /* a UDP port number of the local server*/
475
476 /**
477 * udp_app_fuzz_input
478 * Input fuzz with write functions for UDP.
479 */
480 static void
udp_app_fuzz_input(struct udp_pcb * pcb,const ip_addr_t * addr,u16_t port)481 udp_app_fuzz_input(struct udp_pcb *pcb, const ip_addr_t *addr, u16_t port)
482 {
483 if (remfuzz_len > sizeof(u16_t)) {
484 /*
485 * (max IP packet size) - ((minimum IP header size) - (minimum UDP header size))
486 * = 65535 - (20 + 8)
487 * = 65507
488 */
489 const u16_t max_data_size = 65507;
490 u16_t data_len;
491
492 memcpy(&data_len, remfuzz_ptr, sizeof(u16_t));
493 remfuzz_ptr += sizeof(u16_t);
494 remfuzz_len -= sizeof(u16_t);
495 data_len = ntohs(data_len);
496 data_len = LWIP_MIN(data_len, max_data_size);
497 if (data_len > remfuzz_len) {
498 data_len = (u16_t)remfuzz_len;
499 }
500
501 LWIP_DEBUGF(FUZZ_DEBUG, ("fuzz: udp: send %u bytes\n", data_len));
502 if (data_len != 0) {
503 struct pbuf *p, *q;
504
505 p = pbuf_alloc(PBUF_RAW, (u16_t)data_len, PBUF_POOL);
506 LWIP_ASSERT("alloc failed", p);
507
508 for (q = p; q != NULL; q = q->next) {
509 MEMCPY(q->payload, remfuzz_ptr, q->len);
510 remfuzz_ptr += q->len;
511 }
512 remfuzz_len -= data_len;
513
514 /*
515 * Trying input from ...
516 *
517 * client:
518 * The pcb has information about the destination.
519 * We use udp_send().
520 *
521 * server:
522 * The pcb does NOT have information about the destination.
523 * We use udp_sendto().
524 */
525 if (addr == NULL) {
526 udp_send(pcb, p);
527 } else {
528 udp_sendto(pcb, p, addr, port);
529 }
530 pbuf_free(p);
531 }
532 }
533 }
534
535 /**
536 * udp_client_recv
537 * A recv callback function (for the UDP client)
538 */
539 static void
udp_client_recv(void * arg,struct udp_pcb * pcb,struct pbuf * p,const ip_addr_t * addr,u16_t port)540 udp_client_recv(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port)
541 {
542 LWIP_UNUSED_ARG(arg);
543 LWIP_UNUSED_ARG(p);
544 LWIP_UNUSED_ARG(addr);
545 LWIP_UNUSED_ARG(port);
546
547 if (p == NULL) {
548 udp_disconnect(pcb);
549 } else {
550 /*
551 * We call the function with 2nd argument set to NULL
552 * to input fuzz from udp_send.
553 */
554 udp_app_fuzz_input(pcb, NULL, port);
555 pbuf_free(p);
556 }
557 }
558
559 /**
560 * udp_server_recv
561 * A recv callback functyion (for the UDP server)
562 */
563 static void
udp_server_recv(void * arg,struct udp_pcb * pcb,struct pbuf * p,const ip_addr_t * addr,u16_t port)564 udp_server_recv(void *arg, struct udp_pcb *pcb, struct pbuf *p, const ip_addr_t *addr, u16_t port)
565 {
566 LWIP_UNUSED_ARG(arg);
567 LWIP_UNUSED_ARG(p);
568 LWIP_UNUSED_ARG(addr);
569 LWIP_UNUSED_ARG(port);
570
571 if (p != NULL) {
572 udp_app_fuzz_input(pcb, addr, port);
573 pbuf_free(p);
574 }
575 }
576 #endif /* LWIP_UDP */
577
lwip_fuzztest(int argc,char ** argv,enum lwip_fuzz_type type,u32_t test_apps)578 int lwip_fuzztest(int argc, char** argv, enum lwip_fuzz_type type, u32_t test_apps)
579 {
580 struct netif net_test;
581 ip4_addr_t addr;
582 ip4_addr_t netmask;
583 ip4_addr_t gw;
584 size_t len;
585 err_t err;
586 ip_addr_t remote_addr; /* a IPv4 addr of the destination */
587 struct eth_addr remote_mac = ETH_ADDR(0x28, 0x00, 0x00, 0x22, 0x2b, 0x38); /* a MAC addr of the destination */
588
589 pcap_dump_init();
590 lwip_init();
591
592 IP4_ADDR(&addr, 172, 30, 115, 84);
593 IP4_ADDR(&netmask, 255, 255, 255, 0);
594 IP4_ADDR(&gw, 172, 30, 115, 1);
595
596 netif_add(&net_test, &addr, &netmask, &gw, &net_test, testif_init, ethernet_input);
597 netif_set_up(&net_test);
598 netif_set_link_up(&net_test);
599
600 if (test_apps & LWIP_FUZZ_STATICARP) {
601 /* Add the ARP entry */
602 IP_ADDR4(&remote_addr, 172, 30, 115, 37);
603 etharp_add_static_entry(&(remote_addr.u_addr.ip4), &remote_mac);
604 }
605
606 #if LWIP_IPV6
607 nd6_tmr(); /* tick nd to join multicast groups */
608 #endif
609 dns_setserver(0, &net_test.gw);
610
611 if (test_apps & LWIP_FUZZ_DEFAULT) {
612 /* initialize apps */
613 httpd_init();
614 lwiperf_start_tcp_server_default(NULL, NULL);
615 mdns_resp_init();
616 mdns_resp_add_netif(&net_test, "hostname");
617 snmp_init();
618 }
619 if (test_apps & LWIP_FUZZ_TCP_CLIENT) {
620 tcp_client_pcb = altcp_tcp_new_ip_type(IPADDR_TYPE_ANY);
621 LWIP_ASSERT("Error: altcp_new() failed", tcp_client_pcb != NULL);
622 tcp_remote_port = 80;
623 err = altcp_connect(tcp_client_pcb, &remote_addr, tcp_remote_port, tcp_client_connected);
624 LWIP_ASSERT("Error: altcp_connect() failed", err == ERR_OK);
625 altcp_recv(tcp_client_pcb, tcp_client_recv);
626 altcp_err(tcp_client_pcb, tcp_client_err);
627 altcp_poll(tcp_client_pcb, tcp_client_poll, 10);
628 altcp_sent(tcp_client_pcb, tcp_client_sent);
629 }
630 if (test_apps & LWIP_FUZZ_TCP_SERVER) {
631 tcp_server_pcb = altcp_tcp_new_ip_type(IPADDR_TYPE_ANY);
632 LWIP_ASSERT("Error: altcp_new() failed", tcp_server_pcb != NULL);
633 altcp_setprio(tcp_server_pcb, TCP_PRIO_MIN);
634 tcp_local_port = 80;
635 err = altcp_bind(tcp_server_pcb, IP_ANY_TYPE, tcp_local_port);
636 LWIP_ASSERT("Error: altcp_bind() failed", err == ERR_OK);
637 tcp_server_pcb = altcp_listen(tcp_server_pcb);
638 LWIP_ASSERT("Error: altcp_listen() failed", err == ERR_OK);
639 altcp_accept(tcp_server_pcb, tcp_server_accept);
640 }
641 if (test_apps & LWIP_FUZZ_UDP_CLIENT) {
642 udp_client_pcb = udp_new();
643 udp_new_ip_type(IPADDR_TYPE_ANY);
644 udp_recv(udp_client_pcb, udp_client_recv, NULL);
645 udp_remote_port = 161;
646 udp_connect(udp_client_pcb, &remote_addr, udp_remote_port);
647 }
648 if (test_apps & LWIP_FUZZ_UDP_SERVER) {
649 udp_server_pcb = udp_new();
650 udp_new_ip_type(IPADDR_TYPE_ANY);
651 udp_local_port = 161;
652 udp_bind(udp_server_pcb, IP_ANY_TYPE, udp_local_port);
653 udp_recv(udp_server_pcb, udp_server_recv, NULL);
654 }
655
656 if(argc > 1) {
657 FILE* f;
658 const char* filename;
659 printf("reading input from file... ");
660 fflush(stdout);
661 filename = argv[1];
662 LWIP_ASSERT("invalid filename", filename != NULL);
663 f = fopen(filename, "rb");
664 LWIP_ASSERT("open failed", f != NULL);
665 len = fread(pktbuf, 1, sizeof(pktbuf), f);
666 fclose(f);
667 printf("testing file: \"%s\"...\r\n", filename);
668 } else {
669 len = fread(pktbuf, 1, sizeof(pktbuf), stdin);
670 }
671 input_pkts(type, &net_test, pktbuf, len);
672
673 pcap_dump_stop();
674 return 0;
675 }
676
677 #ifdef LWIP_RAND_FOR_FUZZ
lwip_fuzz_rand(void)678 u32_t lwip_fuzz_rand(void)
679 {
680 #ifdef LWIP_RAND_FOR_FUZZ_SIMULATE_GLIBC
681 /* this is what glibc rand() returns (first 20 numbers) */
682 static u32_t rand_nrs[] = {0x6b8b4567, 0x327b23c6, 0x643c9869, 0x66334873, 0x74b0dc51,
683 0x19495cff, 0x2ae8944a, 0x625558ec, 0x238e1f29, 0x46e87ccd,
684 0x3d1b58ba, 0x507ed7ab, 0x2eb141f2, 0x41b71efb, 0x79e2a9e3,
685 0x7545e146, 0x515f007c, 0x5bd062c2, 0x12200854, 0x4db127f8};
686 static unsigned idx = 0;
687 u32_t ret = rand_nrs[idx];
688 idx++;
689 if (idx >= sizeof(rand_nrs)/sizeof((rand_nrs)[0])) {
690 idx = 0;
691 }
692 return ret;
693 #else
694 /* a simple LCG, unsafe but should give the same result for every execution (best for fuzzing) */
695 u32_t result;
696 static s32_t state[1] = {0xdeadbeef};
697 uint64_t val = state[0] & 0xffffffff;
698 val = ((val * 1103515245) + 12345) & 0x7fffffff;
699 state[0] = (s32_t)val;
700 result = (u32_t)val;
701 return result;
702 #endif
703 }
704 #endif
705