fuzz.c revision f89adb2c2a52b505501c3eaa2aec9fd4df6bd60a
/*
* Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
#include "config.h"
#ifdef ENABLE_AFL
#include <isc/condition.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <pthread.h>
#ifndef __AFL_LOOP
/*
 * NOTE(review): the directive this guard wraps is absent from this listing
 * (presumably a build-time fallback or error for compilers that do not
 * provide __AFL_LOOP, which fuzz_main_resolver() below relies on).  Confirm
 * against the full file.
 */
#endif
/*
* We are using pthreads directly because we might be using it with unthreaded
* version of BIND, where all thread functions are mocks. Since AFL for now only
* works on Linux it's not a problem.
*/
/*
 * Synchronisation state shared between the fuzz threads and named.  The
 * condition variable and mutex are only declared here; the calls that
 * initialise and use them are not in this listing.
 */
static pthread_cond_t cond;
static pthread_mutex_t mutex;
/*
 * Flag the fuzz threads spin on (`while (!ready)`) before sending the next
 * packet; presumably raised once named has consumed the current one.
 * NOTE(review): as shown, `ready` is read across threads with no visible
 * lock or atomic qualifier.  The wait is presumably guarded by `mutex`/`cond`
 * in the full file — confirm, since an unsynchronised cross-thread read of a
 * plain flag is a data race.
 */
static isc_boolean_t ready;
/*
 * Thread body for the UDP "client" fuzzing mode: delivers fuzzer-supplied
 * packets to the running named instance, one per iteration.
 *
 * NOTE(review): this listing is lossy.  The statements that locate the ':'
 * in the -A argument (so that `host`/`port` point somewhere before
 * `*port = 0`), the declaration of `length`, the read of the packet into
 * `buf`, the creation of `sockfd`, the send itself, and the body of the
 * final `while (!ready)` wait are all absent.  As shown the function does
 * not compile; the comments below describe only the visible skeleton.
 *
 * arg: pthread start-routine argument; not referenced in the visible body.
 * Returns NULL on every path.
 */
static void *
fuzz_main_client(void *arg) {
char *host;
char *port;
struct sockaddr_in servaddr;
int sockfd;
int loop;
void *buf;
/*
 * Parse named -A argument in the "address:port" syntax. Due to
 * the syntax used, this only supports IPv4 addresses.
 */
/* Split in place: presumably `port` sits on the ':'; terminate the
 * address there and step past it to the port text. */
*port = 0;
++port;
/* Wait for named to start. */
/* Polls the run flag every 10 ms rather than blocking on it. */
while (!ns_g_run_done) {
usleep(10000);
}
/* Upper bound on fuzz iterations handled by this thread. */
loop = 100000;
while (loop--) {
/* No input this round: back off for one second and retry. */
if (length <= 0) {
usleep(1000000);
continue;
}
/*
 * Oversized input is dropped.  When AFL_CMIN is set (presumably by
 * afl-cmin) the thread exits instead of retrying.
 * NOTE(review): this 4096 bound must agree with the allocation of
 * `buf`, which is not shown here — confirm in the full file.
 */
if (length > 4096) {
if (getenv("AFL_CMIN")) {
return (NULL);
}
continue;
}
/* unclog */
/*
 * Wait for named to report the packet consumed (presumably a
 * cond-wait on `cond`/`mutex`; the loop body is missing in this
 * listing, which is why the next line is a syntax error as shown).
 */
while (!ready)
}
return (NULL);
}
/*
 * Thread body for the "resolver" fuzzing mode.  From the visible pieces it
 * appears to play the upstream server named resolves against: it sends
 * `respacket` as a query and returns the fuzzer-supplied bytes as the
 * response, bouncing any extra questions named asks in the meantime.
 *
 * NOTE(review): this listing is lossy.  The declarations of `sport`,
 * `rhost`, `rport`, `length`, `sent`, `recvaddr` and the packet buffer,
 * the socket setup, the actual send/recv calls, the condition that
 * separates "reply" from "additional question" inside the for(;;) loop,
 * and the body of the `while (!ready)` wait are all absent.  As shown the
 * function does not compile; comments below cover the visible skeleton.
 *
 * arg: pthread start-routine argument; not referenced in the visible body.
 * Returns NULL on every path.
 */
static void *
fuzz_main_resolver(void *arg) {
/* Query for A? aaaaaaaaaa.example. */
/*
 * Canned DNS message: QID 0, RD (and AD) flags set, QDCOUNT 1, one
 * question for aaaaaaaaaa.example. type A class IN.  It contains NUL
 * bytes, so its length must be taken with sizeof, never strlen.
 */
char respacket[] =
"\0\0\1 \0\1\0\0\0\0\0\0\naaaaaaaaaa\7example\0\0\1\0\1";
int sockfd;
int listenfd;
int loop;
/*
 * Parse named -A argument in the "laddress:sport:raddress:rport"
 * syntax. Due to the syntax used, this only supports IPv4 addresses.
 */
/* Split the four fields in place; presumably each pointer already sits
 * on its ':' (the searches that position them are not shown). */
*sport = 0;
sport++;
*rhost = 0;
rhost++;
*rport = 0;
rport++;
/* Wait for named to start */
/* Polls the run flag every 10 ms rather than blocking on it. */
while (!ns_g_run_done) {
usleep(10000);
}
/* Tail of a checked socket-address call (presumably binding `listenfd`
 * to laddress:sport); its head is missing from this listing. */
sizeof(struct sockaddr_in)) == 0);
/* Upper bound on fuzz iterations handled by this thread. */
loop = 100000;
while (loop--) {
/* No input this round: back off for one second and retry. */
if (length <= 0) {
usleep(1000000);
continue;
}
/*
 * Oversized input is dropped.  When AFL_CMIN is set (presumably by
 * afl-cmin) the thread exits instead of retrying.
 * NOTE(review): the 4096 bound must agree with the response buffer's
 * allocation, which is not shown here.
 */
if (length > 4096) {
if (getenv("AFL_CMIN")) {
return (NULL);
}
continue;
}
/*
 * Short input is padded up to 16 bytes, presumably so the header
 * edits below always have a full 12-byte DNS header to work on.
 * NOTE(review): confirm the bytes between the received length and 16
 * are initialised; otherwise stale buffer contents are sent as part of
 * the response.
 */
if (length < 16) {
length = 16;
}
/* Randomize query ID. */
/* flush */
/* Abort named if the query could not be sent; `sent` is set off-listing. */
RUNTIME_CHECK(sent > 0);
/* Copy QID and set QR so that response is always processed. */
/* We might get additional questions here (e.g. for CNAME). */
/*
 * Receive loop.  NOTE(review): as shown the `break` is unconditional,
 * which would make the bounce code after it unreachable — the test
 * that tells the reply apart from an extra question is missing here.
 */
for (;;) {
int rv;
int max;
/* `rv` is presumably the recv result; a failed receive aborts named. */
RUNTIME_CHECK(rv > 0);
/* It's the reply, we're done. */
break;
}
/*
 * We've got additional question (eg. cname chain)
 * We are bouncing it - setting QR flag and NOERROR
 * rcode and sending it back.
 */
/* Tail of the bounce send (presumably sendto() back to `recvaddr`). */
sizeof(recvaddr));
}
/*
 * Wait for named to report the response consumed (presumably a
 * cond-wait on `cond`/`mutex`; the loop body is missing in this
 * listing, which is why the next line is a syntax error as shown).
 */
while (!ready)
}
/*
 * It's here just for the signature, that's how AFL detects if it's
 * a 'persistent mode' binary.
 */
/* Evaluated once as a plain statement, not as a loop condition; the
 * result is discarded. */
__AFL_LOOP(0);
return (NULL);
}
/*
 * Thread body for the TCP-based fuzzing modes (TCP client, HTTP and rndc,
 * selected by ns_g_fuzz_type): connects to named over TCP and writes the
 * fuzzer-supplied bytes, one packet per iteration.
 *
 * NOTE(review): this listing is lossy.  The ':' search that positions
 * `port`, the declaration of `length`, the read into `buf`, the writing of
 * the two-byte length prefix, the socket creation, the setsockopt() and
 * connect() calls whose tails survive below, the send, and the body of the
 * `while (!ready)` wait are all absent.  As shown the function does not
 * compile; the comments below cover the visible skeleton only.
 *
 * arg: pthread start-routine argument; not referenced in the visible body.
 * Returns NULL on every path.
 */
static void *
fuzz_main_tcp(void *arg) {
char *host;
char *port;
struct sockaddr_in servaddr;
int sockfd;
char *buf;
int loop;
/*
 * Parse named -A argument in the "address:port" syntax. Due to
 * the syntax used, this only supports IPv4 addresses.
 */
/* Split in place: presumably `port` sits on the ':'; terminate the
 * address there and step past it to the port text. */
*port = 0;
++port;
/* Wait for named to start */
/* Polls the run flag every 10 ms rather than blocking on it. */
while (!ns_g_run_done) {
usleep(10000);
}
/* Upper bound on fuzz iterations handled by this thread. */
loop = 100000;
while (loop--) {
if (ns_g_fuzz_type == ns_fuzz_tcpclient) {
/*
 * To fuzz TCP client we have to put length at
 * the start of packet.
 */
/* Account for the two-byte DNS-over-TCP length prefix; the bytes
 * themselves are written in lines not present in this listing. */
length += 2;
} else {
/* Body for the other TCP modes is missing from this listing. */
}
/* No input this round: back off for one second and retry. */
if (length <= 0) {
usleep(1000000);
continue;
}
if (ns_g_fuzz_type == ns_fuzz_http) {
/*
 * This guarantees that the request will be processed.
 */
/* The HTTP-specific adjustment itself is not shown here. */
}
int yes = 1;
int r;
/* Tail of a checked setsockopt() on the new socket; the option being
 * enabled is not in this listing. */
&yes, sizeof(int)) == 0);
/*
 * Retry the connect (presumably assigned to `r`; the call is not shown)
 * until it succeeds.  NOTE(review): no delay or retry cap is visible,
 * so a peer that never accepts turns this into a hot loop — confirm
 * the full file backs off between attempts.
 */
do {
sizeof(servaddr));
} while (r != 0);
/* unclog */
/*
 * Wait for named to report the packet consumed (presumably a
 * cond-wait on `cond`/`mutex`; the loop body is missing in this
 * listing, which is why the next line is a syntax error as shown).
 */
while (!ready)
}
return (NULL);
}
#endif /* ENABLE_AFL */
/*
 * Called by named once it has dealt with a fuzz packet.  When AFL_CMIN is
 * set in the environment (presumably by afl-cmin) the notification is
 * skipped.  Compiles to a no-op unless ENABLE_AFL is defined.
 *
 * NOTE(review): in this listing the body ends after the AFL_CMIN check; the
 * step that signals the fuzz thread waiting on `ready` is not shown.
 */
void
named_fuzz_notify(void) {
#ifdef ENABLE_AFL
	const char *cmin = getenv("AFL_CMIN");
	if (cmin != NULL) {
		return;
	}
#endif /* ENABLE_AFL */
}
/*
 * Selects the fuzz thread entry point matching ns_g_fuzz_type.  Only does
 * anything when compiled with ENABLE_AFL; otherwise a no-op.
 *
 * NOTE(review): lossy listing — the declaration of `fn`, the assignments
 * implied by the bare `break`s for ns_fuzz_client and ns_fuzz_resolver, the
 * statement after `default:` (a label must precede a statement, so as shown
 * this does not compile), and whatever consumes `fn` afterwards (presumably
 * a pthread_create()) are not present, and the braces do not balance.
 * Confirm against the full file before reading anything into the
 * unassigned cases.
 */
void
named_fuzz_setup(void) {
#ifdef ENABLE_AFL
switch (ns_g_fuzz_type) {
case ns_fuzz_client:
/* Handler assignment for this mode is missing from this listing. */
break;
/* All TCP-based modes share fuzz_main_tcp(), which branches on
 * ns_g_fuzz_type itself. */
case ns_fuzz_http:
case ns_fuzz_tcpclient:
case ns_fuzz_rndc:
fn = fuzz_main_tcp;
break;
case ns_fuzz_resolver:
/* Handler assignment for this mode is missing from this listing. */
break;
default:
/* The statement for the default arm is not in this listing. */
}
}
#endif /* ENABLE_AFL */
}