dobinedf9f8d2018-01-21 13:57:02 +01001#include <errno.h>
2#include <fcntl.h>
3#include <inttypes.h>
4#include <libgen.h>
5#include <pthread.h>
6#include <signal.h>
7#include <stddef.h>
8#include <stdint.h>
9#include <stdio.h>
10#include <stdlib.h>
11#include <string.h>
12#include <sys/mman.h>
13#include <sys/param.h>
14#include <sys/stat.h>
15#include <sys/time.h>
16#include <sys/types.h>
17#include <time.h>
18#include <unistd.h>
19
20#include <errno.h>
21#include <string.h>
22#include <sys/types.h>
23#include <sys/socket.h>
24#include <sys/un.h>
25#include <unistd.h>
26
27#include "honggfuzz.h"
28#include "libhfcommon/common.h"
29#include "libhfcommon/files.h"
30#include "libhfcommon/log.h"
31#include "libhfcommon/ns.h"
32#include "libhfcommon/util.h"
33
34#include "socketfuzzer.h"
35
36
/*
 * Run one iteration driven by the external (socket) fuzzer.
 *
 * Asks the external fuzzer for an input, then blocks until it reports back.
 *
 * Returns false when the request could not be sent or when the external
 * fuzzer reports the target as unresponsive (fuzz_waitforSocketFuzzer() == 2);
 * true for every other report, including the error report (0).
 */
bool fuzz_waitForExternalInput(run_t* run) {
    /* ask the external fuzzer to produce the next input */
    if (!fuzz_prepareSocketFuzzer(run)) {
        LOG_F("fuzz_prepareSocketFuzzer() failed");
        return false;
    }

    /* block until the external fuzzer reports; 2 means "target unresponsive" */
    const int verdict = fuzz_waitforSocketFuzzer(run);
    return verdict != 2;
}
52
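/*
 * Ask the external fuzzer to produce the next input.
 *
 * The socket protocol uses fixed 4-byte messages; this sends "Fuzz" on the
 * client socket accepted in setupSocketFuzzer().
 *
 * Returns true only when all 4 bytes were written; a failed or short send()
 * is logged and reported as false.
 */
bool fuzz_prepareSocketFuzzer(run_t* run)
{
    static const char msg[] = "Fuzz";
    const size_t msgLen = sizeof(msg) - 1; /* 4: the fixed protocol message size */

    LOG_D("fuzz_prepareSocketFuzzer: SEND Fuzz");
    ssize_t ret = send(run->global->socketFuzzerData.clientSocket, msg, msgLen, 0);
    if (ret < 0) {
        int err = errno; /* save before the logging macro can clobber it */
        /* %zd: ret is signed (ssize_t); %zu would print -1 as a huge unsigned value */
        LOG_F("fuzz_prepareSocketFuzzer: send failed: %zd (%s)", ret, strerror(err));
        return false;
    }
    if ((size_t)ret != msgLen) {
        /* a partial write would desynchronise the 4-byte protocol with the peer */
        LOG_F("fuzz_prepareSocketFuzzer: short send: %zd of %zu bytes", ret, msgLen);
        return false;
    }

    return true;
}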
67
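/*
 * Block until the external fuzzer reports the outcome of the input it sent.
 *
 * Reads exactly one 4-byte protocol message from the client socket. A stream
 * socket may deliver it in pieces, so the read is repeated until all 4 bytes
 * arrived.
 *
 * Return values:
 *   0: error (recv() failed, the peer closed the connection, or an unknown message)
 *   1: okay  ("okay")
 *   2: target unresponsive ("bad!")
 */
int fuzz_waitforSocketFuzzer(run_t* run)
{
    enum { MSG_LEN = 4 };
    char buf[MSG_LEN + 1] = {0}; /* +1 keeps buf a C string for the log line below */
    size_t got = 0;

    while (got < MSG_LEN) {
        ssize_t ret = recv(run->global->socketFuzzerData.clientSocket, buf + got, MSG_LEN - got, 0);
        if (ret < 0) {
            if (errno == EINTR) {
                continue; /* interrupted by a signal: just retry */
            }
            int err = errno; /* save before the logging macro can clobber it */
            /* %zd: ret is signed (ssize_t); %zu would print -1 as a huge unsigned value */
            LOG_F("fuzz_waitforSocketFuzzer: recv failed: %zd (%s)", ret, strerror(err));
            return 0;
        }
        if (ret == 0) {
            /* orderly shutdown by the external fuzzer: nothing more will arrive */
            LOG_D("fuzz_waitforSocketFuzzer: peer closed the connection");
            return 0;
        }
        got += (size_t)ret;
    }
    LOG_D("fuzz_waitforSocketFuzzer: RECV: %s", buf);

    if (memcmp(buf, "okay", MSG_LEN) == 0) {
        return 1;
    }
    if (memcmp(buf, "bad!", MSG_LEN) == 0) {
        return 2;
    }

    /* anything else is a protocol violation by the peer; report it as an error */
    return 0;
}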
97
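/*
 * Tell the external fuzzer that the input it sent reached new basic blocks.
 *
 * Sends the 4-byte protocol message "New!" on the client socket.
 *
 * Returns true only when all 4 bytes were written; a failed or short send()
 * is logged and reported as false.
 */
bool fuzz_notifySocketFuzzerNewCov(honggfuzz_t *hfuzz)
{
    static const char msg[] = "New!";
    const size_t msgLen = sizeof(msg) - 1; /* 4: the fixed protocol message size */

    LOG_D("fuzz_notifySocketFuzzer: SEND: New!");
    ssize_t ret = send(hfuzz->socketFuzzerData.clientSocket, msg, msgLen, 0);
    if (ret < 0) {
        int err = errno; /* save before the logging macro can clobber it */
        /* %zd: ret is signed (ssize_t); %zu would print -1 as a huge unsigned value */
        LOG_F("fuzz_notifySocketFuzzerNewCov: send failed: %zd (%s)", ret, strerror(err));
        return false;
    }
    if ((size_t)ret != msgLen) {
        /* a partial write would desynchronise the 4-byte protocol with the peer */
        LOG_F("fuzz_notifySocketFuzzerNewCov: short send: %zd of %zu bytes", ret, msgLen);
        return false;
    }

    return true;
}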
112
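/*
 * Tell the external fuzzer that the input it sent crashed the target.
 *
 * All protocol messages are 4 bytes, so the token on the wire is "Cras"
 * (the log line spells it out as "Crash").
 *
 * Returns true only when all 4 bytes were written; a failed or short send()
 * is logged and reported as false.
 */
bool fuzz_notifySocketFuzzerCrash(run_t* run)
{
    static const char msg[] = "Cras";
    const size_t msgLen = sizeof(msg) - 1; /* 4: the fixed protocol message size */

    ssize_t ret = send(run->global->socketFuzzerData.clientSocket, msg, msgLen, 0);
    LOG_D("fuzz_notifySocketFuzzer: SEND: Crash");
    if (ret < 0) {
        int err = errno; /* save before the logging macro can clobber it */
        /* %zd: ret is signed (ssize_t); %zu would print -1 as a huge unsigned value */
        LOG_F("fuzz_notifySocketFuzzerCrash: send failed: %zd (%s)", ret, strerror(err));
        return false;
    }
    if ((size_t)ret != msgLen) {
        /* a partial write would desynchronise the 4-byte protocol with the peer */
        LOG_F("fuzz_notifySocketFuzzerCrash: short send: %zd of %zu bytes", ret, msgLen);
        return false;
    }

    return true;
}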
126
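/*
 * Create the unix-domain listening socket the external fuzzer connects to and
 * block until one client has connected.
 *
 * On success stores the listening socket in run->socketFuzzerData.serverSocket
 * and the accepted connection in run->socketFuzzerData.clientSocket and returns
 * true. On failure the cause is reported with perror(), the listening socket
 * (if it was already created) is closed, and false is returned.
 */
bool setupSocketFuzzer(honggfuzz_t *run) {
    /*
     * Fixed, well-known path so the client needs no extra configuration.
     * It lives in a world-writable directory and is not per-process, so two
     * instances on one host clash on it, and any local user can pre-create
     * the path or connect to the socket: treat whatever the peer sends as
     * untrusted input. A per-pid suffix (e.g. "/tmp/honggfuzz_socket.%i" with
     * getpid()) would avoid the clash but changes what the client must open.
     */
    static const char socketPath[] = "/tmp/honggfuzz_socket";
    struct sockaddr_un local = { .sun_family = AF_UNIX };
    struct sockaddr_un remote;
    socklen_t remoteLen = sizeof(remote);

    /* bounded copy into sun_path (108 bytes on Linux); refuse rather than truncate */
    int n = snprintf(local.sun_path, sizeof(local.sun_path), "%s", socketPath);
    if (n < 0 || (size_t)n >= sizeof(local.sun_path)) {
        fprintf(stderr, "socket path too long: %s\n", socketPath);
        return false;
    }

    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s == -1) {
        perror("socket");
        return false;
    }

    /* remove a stale entry from a previous run; bind() fails on an existing path */
    unlink(local.sun_path);
    /* zero-initialised struct + sizeof is the portable address length for AF_UNIX */
    if (bind(s, (struct sockaddr *)&local, sizeof(local)) == -1) {
        perror("bind");
        goto fail;
    }

    if (listen(s, 5) == -1) {
        perror("listen");
        goto fail;
    }

    printf("Waiting for SocketFuzzer connection on socket: %s\n", socketPath);
    int client = accept(s, (struct sockaddr *)&remote, &remoteLen);
    if (client == -1) {
        perror("accept");
        goto fail;
    }

    run->socketFuzzerData.clientSocket = client;
    run->socketFuzzerData.serverSocket = s;
    printf("A SocketFuzzer client connected. Continuing.\n");

    return true;

fail:
    /* the listening socket is not stored anywhere yet, so it must be closed here */
    close(s);
    return false;
}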
166
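/*
 * Remove the unix-socket path created by setupSocketFuzzer().
 *
 * Only the filesystem entry is removed; the open descriptors are not closed
 * here, as this function has no access to the honggfuzz_t holding them.
 * A missing path is not an error (nothing was set up, or it is already gone);
 * any other unlink() failure is reported with perror() but not fatal.
 */
void cleanupSocketFuzzer(void) {
    /* must match the path used in setupSocketFuzzer() */
    static const char socketPath[] = "/tmp/honggfuzz_socket";

    if (unlink(socketPath) == -1 && errno != ENOENT) {
        perror("unlink");
    }
}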
172}