1 /*
2 * Copyright (C) 2017-2019 Felix Weinrank
3 *
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of the project nor the names of its contributors
15 * may be used to endorse or promote products derived from this software
16 * without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 */
30
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <string.h>
34 #include <stdarg.h>
35 #include <assert.h>
36 #include <usrsctp.h>
37 #include <openssl/sha.h>
38 #include "../programs/programs_helper.h"
39
40 //#define FUZZ_VERBOSE
41 #define FUZZ_INTERLEAVING
42 #define FUZZ_STREAM_RESET
43
44 #define FUZZ_B_INJECT_INIT_ACK (1 << 0)
45 #define FUZZ_B_INJECT_COOKIE_ACK (1 << 1)
46 #define FUZZ_B_SEND_DATA (1 << 2)
47 #define FUZZ_B_SEND_STREAM_RESET (1 << 3)
48 #define FUZZ_B_INJECT_DATA (1 << 4)
49 #define FUZZ_B_I_DATA_SUPPORT (1 << 5)
50 #define FUZZ_B_RESERVED1 (1 << 6)
51 #define FUZZ_B_RESERVED2 (1 << 7)
52
53 #define BUFFER_SIZE 4096
54 #define COMMON_HEADER_SIZE 12
55
56 static uint32_t assoc_vtag = 0;
57
58 #ifdef FUZZ_VERBOSE
59 #define fuzzer_printf(...) \
60 do { \
61 fprintf(stderr, "[P]"); \
62 debug_printf_runtime(); \
63 fprintf(stderr, __VA_ARGS__); \
64 } while (0)
65 #else
66 #define fuzzer_printf(...)
67 #endif
68
69 static void
dump_packet(const void * buffer,size_t bufferlen,int inout)70 dump_packet(const void *buffer, size_t bufferlen, int inout) {
71 (void) buffer;
72 (void) bufferlen;
73 (void) inout;
74 #ifdef FUZZ_VERBOSE
75 static char *dump_buf;
76 if ((dump_buf = usrsctp_dumppacket(buffer, bufferlen, inout)) != NULL) {
77 fprintf(stderr, "%s", dump_buf);
78 usrsctp_freedumpbuffer(dump_buf);
79 }
80 #endif // FUZZ_VERBOSE
81 }
82
83
84 static int
conn_output(void * addr,void * buf,size_t length,uint8_t tos,uint8_t set_df)85 conn_output(void *addr, void *buf, size_t length, uint8_t tos, uint8_t set_df)
86 {
87 (void) addr;
88 (void) tos;
89 (void) set_df;
90 struct sctp_init_chunk *init_chunk;
91 const char *init_chunk_first_bytes = "\x13\x88\x13\x89\x00\x00\x00\x00\x00\x00\x00\x00\x01";
92 // Looking for the outgoing VTAG.
93 // length >= (COMMON_HEADER_SIZE + 16 (min size of INIT))
94 // If the common header has no VTAG (all zero), we're assuming it carries an INIT
95 if ((length >= (COMMON_HEADER_SIZE + 16)) && (memcmp(buf, init_chunk_first_bytes, COMMON_HEADER_SIZE) == 0)) {
96 init_chunk = (struct sctp_init_chunk*) ((char *)buf + sizeof(struct sctp_common_header));
97 fuzzer_printf("Found outgoing INIT, extracting VTAG : %u\n", init_chunk->initiate_tag);
98 assoc_vtag = init_chunk->initiate_tag;
99 }
100
101 dump_packet(buf, length, SCTP_DUMP_OUTBOUND);
102 return (0);
103 }
104
105
106 static void
handle_upcall(struct socket * sock,void * arg,int flgs)107 handle_upcall(struct socket *sock, void *arg, int flgs)
108 {
109 (void) arg;
110 (void) flgs;
111 fuzzer_printf("handle_upcall()\n");
112 int events = usrsctp_get_events(sock);
113
114 while (events & SCTP_EVENT_READ) {
115 struct sctp_recvv_rn rn;
116 ssize_t n;
117 struct sockaddr_in addr;
118 char *buf = calloc(1, BUFFER_SIZE);
119 int flags = 0;
120 socklen_t len = (socklen_t)sizeof(struct sockaddr_in);
121 unsigned int infotype = 0;
122 socklen_t infolen = sizeof(struct sctp_recvv_rn);
123 memset(&rn, 0, sizeof(struct sctp_recvv_rn));
124 n = usrsctp_recvv(sock, buf, BUFFER_SIZE, (struct sockaddr *) &addr, &len, (void *)&rn, &infolen, &infotype, &flags);
125 fuzzer_printf("usrsctp_recvv() - returned %zd\n", n);
126
127 if (flags & MSG_NOTIFICATION) {
128 fuzzer_printf("NOTIFICATION received\n");
129 #ifdef FUZZ_VERBOSE
130 handle_notification((union sctp_notification *)buf, n);
131 #endif // FUZZ_VERBOSE
132 } else {
133 fuzzer_printf("DATA received\n");
134 }
135
136 free(buf);
137
138 if (n <= 0) {
139 break;
140 }
141
142 events = usrsctp_get_events(sock);
143 }
144 }
145
146
147 int
initialize_fuzzer(void)148 initialize_fuzzer(void) {
149 #ifdef FUZZ_VERBOSE
150 usrsctp_init(0, conn_output, debug_printf_stack);
151 #else // FUZZ_VERBOSE
152 usrsctp_init(0, conn_output, NULL);
153 #endif // FUZZ_VERBOSE
154
155 usrsctp_enable_crc32c_offload();
156
157 #ifdef SCTP_DEBUG
158 usrsctp_sysctl_set_sctp_debug_on(SCTP_DEBUG_ALL);
159 #endif // SCTP_DEBUG
160
161 usrsctp_register_address((void *)1);
162
163 fuzzer_printf("usrsctp initialized\n");
164 return (1);
165 }
166
167
168 int
LLVMFuzzerTestOneInput(const uint8_t * data,size_t data_size)169 LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size)
170 {
171 static int initialized;
172 char *fuzz_packet_buffer;
173 struct sockaddr_in6 bind6;
174 struct sockaddr_conn sconn;
175 struct socket *socket_client;
176 struct linger so_linger;
177 struct sctp_event event;
178 unsigned long i;
179 struct sctp_common_header* common_header;
180 uint16_t event_types[] = {
181 SCTP_ASSOC_CHANGE,
182 SCTP_PEER_ADDR_CHANGE,
183 SCTP_REMOTE_ERROR,
184 SCTP_SEND_FAILED,
185 SCTP_SHUTDOWN_EVENT,
186 SCTP_ADAPTATION_INDICATION,
187 SCTP_PARTIAL_DELIVERY_EVENT,
188 SCTP_AUTHENTICATION_EVENT,
189 SCTP_STREAM_RESET_EVENT,
190 SCTP_SENDER_DRY_EVENT,
191 SCTP_ASSOC_RESET_EVENT,
192 SCTP_STREAM_CHANGE_EVENT,
193 SCTP_SEND_FAILED_EVENT
194 };
195 int optval;
196 int result;
197 struct sctp_initmsg initmsg;
198 #if defined(FUZZ_STREAM_RESET) || defined(FUZZ_INTERLEAVING)
199 struct sctp_assoc_value assoc_val;
200 #endif // defined(FUZZ_STREAM_RESET) || defined(FUZZ_INTERLEAVING)
201
202 // WITH COMMON HEADER!
203 char fuzz_init_ack[] = "\x13\x89\x13\x88\x49\xa4\xac\xb2\x00\x00\x00\x00\x02\x00\x01\xb4" \
204 "\x2b\xe8\x47\x40\x00\x1c\x71\xc7\xff\xff\xff\xff\xed\x69\x58\xec" \
205 "\xc0\x06\x00\x08\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04" \
206 "\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
207 "\x40\x39\xcf\x32\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6" \
208 "\x2f\xb7\x81\x96\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa" \
209 "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
210 "\x00\x07\x01\x50\x4b\x41\x4d\x45\x2d\x42\x53\x44\x20\x31\x2e\x31" \
211 "\x00\x00\x00\x00\x64\xdb\x63\x00\x00\x00\x00\x00\xc9\x76\x03\x00" \
212 "\x00\x00\x00\x00\x60\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
213 "\xb2\xac\xa4\x49\x2b\xe8\x47\x40\xd4\xc9\x79\x52\x00\x00\x00\x00" \
214 "\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\xd4\xc9\x79\x53" \
215 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00" \
216 "\x00\x00\x00\x00\x5a\x76\x13\x89\x01\x00\x00\x00\x00\x00\x00\x00" \
217 "\x00\x00\x00\x00\x01\x00\x00\x62\x49\xa4\xac\xb2\x00\x1c\x71\xc7" \
218 "\x00\x01\xff\xff\x82\xe6\xc8\x44\x80\x00\x00\x04\xc0\x00\x00\x04" \
219 "\x80\x08\x00\x0b\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24" \
220 "\xb6\xbb\xb5\x7f\xbb\x4b\x0e\xb5\x42\xf6\x75\x18\x4f\x79\x0f\x24" \
221 "\x1c\x44\x0b\xd6\x62\xa9\x84\xe7\x2c\x3c\x7f\xad\x1b\x67\x81\x57" \
222 "\x80\x04\x00\x08\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00" \
223 "\x00\x0c\x00\x06\x00\x05\x00\x00\x02\x00\x01\xb4\x2b\xe8\x47\x40" \
224 "\x00\x1c\x71\xc7\x00\x01\xff\xff\xed\x69\x58\xec\xc0\x06\x00\x08" \
225 "\x00\x00\x07\xc4\x80\x00\x00\x04\xc0\x00\x00\x04\x80\x08\x00\x0b" \
226 "\xc0\xc2\x0f\xc1\x80\x82\x40\x00\x80\x02\x00\x24\x40\x39\xcf\x32" \
227 "\xd6\x60\xcf\xfa\x3f\x2f\xa9\x52\xed\x2b\xf2\xe6\x2f\xb7\x81\x96" \
228 "\xf8\xda\xe9\xa0\x62\x01\x79\xe1\x0d\x5f\x38\xaa\x80\x04\x00\x08" \
229 "\x00\x03\x00\x01\x80\x03\x00\x06\x80\xc1\x00\x00\x81\xe1\x1e\x81" \
230 "\xea\x41\xeb\xf0\x12\xd9\x74\xbe\x13\xfd\x4b\x6c\x5c\xa2\x8f\x00";
231
232 // WITH COMMON HEADER!
233 char fuzz_cookie_ack[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00\x0b\x00\x00\x04";
234
235 // WITH COMMON HEADER!
236 char fuzz_i_data[] = "\x13\x89\x13\x88\x07\x01\x6c\xd3\x00\x00\x00\x00\x40\x03" \
237 "\x00\xdc\x2d\x2b\x46\xd4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
238 "\x00\x27\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
239 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
240 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
241 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
242 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
243 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
244 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
245 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
246 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
247 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
248 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
249 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
250 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
251
252 // WITH COMMON HEADER!
253 char fuzz_data[] = "\x13\x89\x13\x88\x27\xc4\xbf\xdf\x00\x00\x00\x00\x00\x03" \
254 "\x00\xd8\x79\x64\xb7\xc1\x00\x00\x00\x00\x00\x00\x00\x27\x41\x41" \
255 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
256 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
257 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
258 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
259 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
260 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
261 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
262 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
263 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
264 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
265 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
266 "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" \
267 "\x41\x41\x41\x41\x41\x41";
268
269
270 char fuzz_common_header[] = "\x13\x89\x13\x88\x54\xc2\x7c\x46\x00\x00\x00\x00";
271
272 fuzzer_printf("LLVMFuzzerTestOneInput()\n");
273
274 if (!initialized) {
275 initialized = initialize_fuzzer();
276 }
277
278 if (data_size < 5 || data_size > 65535) {
279 // Skip too small and too large packets
280 fuzzer_printf("data_size %zu makes no sense, skipping\n", data_size);
281 return (0);
282 }
283
284 socket_client = usrsctp_socket(AF_CONN, SOCK_STREAM, IPPROTO_SCTP, NULL, NULL, 0, 0);
285 assert(socket_client != NULL);
286
287 usrsctp_set_non_blocking(socket_client, 1);
288
289 // all max!
290 memset(&initmsg, 1, sizeof(struct sctp_initmsg));
291 result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INITMSG, &initmsg, sizeof(struct sctp_initmsg));
292 assert(result == 0);
293
294 so_linger.l_onoff = 1;
295 so_linger.l_linger = 0;
296 result = usrsctp_setsockopt(socket_client, SOL_SOCKET, SO_LINGER, &so_linger, sizeof(struct linger));
297 assert(result == 0);
298
299 memset(&event, 0, sizeof(event));
300 event.se_on = 1;
301 for (i = 0; i < (sizeof(event_types) / sizeof(uint16_t)); i++) {
302 event.se_type = event_types[i];
303 result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(event));
304 assert(result == 0);
305 }
306
307 optval = 1;
308 result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVRCVINFO, &optval, sizeof(optval));
309 assert(result == 0);
310
311 optval = 1;
312 result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RECVNXTINFO, &optval, sizeof(optval));
313 assert(result == 0);
314
315 #if defined(FUZZ_STREAM_RESET)
316 assoc_val.assoc_id = SCTP_ALL_ASSOC;
317 assoc_val.assoc_value = SCTP_ENABLE_RESET_STREAM_REQ | SCTP_ENABLE_RESET_ASSOC_REQ | SCTP_ENABLE_CHANGE_ASSOC_REQ;
318 result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_ENABLE_STREAM_RESET, &assoc_val, sizeof(struct sctp_assoc_value));
319 assert(result == 0);
320 #endif // defined(FUZZ_STREAM_RESET)
321
322 #if defined(FUZZ_INTERLEAVING)
323 #if !defined(SCTP_INTERLEAVING_SUPPORTED)
324 #define SCTP_INTERLEAVING_SUPPORTED 0x00001206
325 #endif // !defined(SCTP_INTERLEAVING_SUPPORTED)
326
327 if (data[0] & FUZZ_B_I_DATA_SUPPORT) {
328 optval = 2;
329 result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_FRAGMENT_INTERLEAVE, &optval, sizeof(optval));
330 assert(result == 0);
331
332 memset(&assoc_val, 0, sizeof(assoc_val));
333 assoc_val.assoc_value = 1;
334 result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_INTERLEAVING_SUPPORTED, &assoc_val, sizeof(assoc_val));
335 assert(result == 0);
336 }
337 #endif // defined(FUZZ_INTERLEAVING)
338
339 memset((void *)&bind6, 0, sizeof(struct sockaddr_in6));
340 #ifdef HAVE_SIN_LEN
341 bind6.sin6_len = sizeof(struct sockaddr_in6);
342 #endif // HAVE_SIN_LEN
343 bind6.sin6_family = AF_INET6;
344 bind6.sin6_port = htons(5000);
345 bind6.sin6_addr = in6addr_any;
346
347 result = usrsctp_bind(socket_client, (struct sockaddr *)&bind6, sizeof(bind6));
348 assert(result == 0);
349
350 // Disable Nagle.
351 optval = 1;
352 result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_NODELAY, &optval, sizeof(optval));
353 assert(result == 0);
354
355 usrsctp_set_upcall(socket_client, handle_upcall, NULL);
356
357 memset(&sconn, 0, sizeof(struct sockaddr_conn));
358 sconn.sconn_family = AF_CONN;
359 #ifdef HAVE_SCONN_LEN
360 sconn.sconn_len = sizeof(struct sockaddr_conn);
361 #endif // HAVE_SCONN_LEN
362 sconn.sconn_port = htons(5001);
363 sconn.sconn_addr = (void *)1;
364
365 fuzzer_printf("Calling usrsctp_connect()\n");
366 result = usrsctp_connect(socket_client, (struct sockaddr *)&sconn, sizeof(struct sockaddr_conn));
367 assert(result == 0 || errno == EINPROGRESS);
368
369 if (data[0] & FUZZ_B_INJECT_INIT_ACK) {
370 fuzzer_printf("Injecting INIT-ACK\n");
371
372 common_header = (struct sctp_common_header*) fuzz_init_ack;
373 common_header->verification_tag = assoc_vtag;
374
375 dump_packet(fuzz_init_ack, 448, SCTP_DUMP_INBOUND);
376 usrsctp_conninput((void *)1, fuzz_init_ack, 448, 0);
377 }
378
379 if (data[0] & FUZZ_B_INJECT_COOKIE_ACK) {
380 fuzzer_printf("Injecting COOKIE-ACK\n");
381
382 common_header = (struct sctp_common_header*) fuzz_cookie_ack;
383 common_header->verification_tag = assoc_vtag;
384
385 dump_packet(fuzz_cookie_ack, 16, SCTP_DUMP_INBOUND);
386 usrsctp_conninput((void *)1, fuzz_cookie_ack, 16, 0);
387 }
388
389 if (data[0] & FUZZ_B_INJECT_INIT_ACK &&
390 data[0] & FUZZ_B_INJECT_COOKIE_ACK &&
391 data[0] & FUZZ_B_SEND_DATA) {
392 const char *sendbuffer = "Geologie ist keine richtige Wissenschaft!";
393 fuzzer_printf("Calling usrsctp_sendv()\n");
394 usrsctp_sendv(socket_client, sendbuffer, strlen(sendbuffer), NULL, 0, NULL, 0, SCTP_SENDV_NOINFO, 0);
395 }
396
397 // Required: INIT-ACK and COOKIE-ACK
398 if (data[0] & FUZZ_B_INJECT_INIT_ACK &&
399 data[0] & FUZZ_B_INJECT_COOKIE_ACK &&
400 data[0] & FUZZ_B_SEND_STREAM_RESET) {
401 fuzzer_printf("Sending Stream Reset for all streams\n");
402
403 struct sctp_reset_streams srs;
404 memset(&srs, 0, sizeof(struct sctp_reset_streams));
405 srs.srs_flags = SCTP_STREAM_RESET_INCOMING | SCTP_STREAM_RESET_OUTGOING;
406 result = usrsctp_setsockopt(socket_client, IPPROTO_SCTP, SCTP_RESET_STREAMS, &srs, sizeof(struct sctp_reset_streams));
407 assert(result == 0);
408 }
409
410 // Required: INIT-ACK and COOKIE-ACK
411 if (data[0] & FUZZ_B_INJECT_INIT_ACK &&
412 data[0] & FUZZ_B_INJECT_COOKIE_ACK &&
413 data[0] & FUZZ_B_INJECT_DATA) {
414
415 if (data[0] & FUZZ_B_I_DATA_SUPPORT) {
416 fuzzer_printf("Injecting I-DATA\n");
417 common_header = (struct sctp_common_header*) fuzz_i_data;
418 common_header->verification_tag = assoc_vtag;
419 dump_packet(fuzz_i_data, 232, SCTP_DUMP_INBOUND);
420 usrsctp_conninput((void *)1, fuzz_i_data, 232, 0);
421 } else {
422 fuzzer_printf("Injecting DATA\n");
423 common_header = (struct sctp_common_header*) fuzz_data;
424 common_header->verification_tag = assoc_vtag;
425 dump_packet(fuzz_data, 228, SCTP_DUMP_INBOUND);
426 usrsctp_conninput((void *)1, fuzz_data, 228, 0);
427 }
428 }
429
430 fuzz_packet_buffer = malloc(data_size - 1 + COMMON_HEADER_SIZE);
431 memcpy(fuzz_packet_buffer, fuzz_common_header, COMMON_HEADER_SIZE); // common header
432 memcpy(fuzz_packet_buffer + COMMON_HEADER_SIZE, data + 1, data_size - 1);
433
434 common_header = (struct sctp_common_header*) fuzz_packet_buffer;
435 common_header->verification_tag = assoc_vtag;
436
437 fuzzer_printf("Injecting FUZZER-Packet\n");
438 dump_packet(fuzz_packet_buffer, data_size - 1 + COMMON_HEADER_SIZE, SCTP_DUMP_INBOUND);
439 usrsctp_conninput((void *)1, fuzz_packet_buffer, data_size - 1 + COMMON_HEADER_SIZE, 0);
440
441 free(fuzz_packet_buffer);
442
443 fuzzer_printf("Calling usrsctp_close()\n");
444 usrsctp_close(socket_client);
445 #if 0
446 fuzzer_printf("Calling usrsctp_finish()\n");
447 while (usrsctp_finish() != 0) {
448 }
449 fuzzer_printf("Done!\n");
450 #endif
451
452 return (0);
453 }
454
455