Blame - socketfuzzer.c - platform/external/honggfuzz

blob: 431967852f7a902e94ff8dfb95657a6ecbe9047c [file] [log] [blame]

dobin	edf9f8d	2018-01-21 13:57:02 +0100	[diff] [blame]	1	#include <errno.h>
				2	#include <fcntl.h>
				3	#include <inttypes.h>
				4	#include <libgen.h>
				5	#include <pthread.h>
				6	#include <signal.h>
				7	#include <stddef.h>
				8	#include <stdint.h>
				9	#include <stdio.h>
				10	#include <stdlib.h>
				11	#include <string.h>
				12	#include <sys/mman.h>
				13	#include <sys/param.h>
				14	#include <sys/stat.h>
				15	#include <sys/time.h>
				16	#include <sys/types.h>
				17	#include <time.h>
				18	#include <unistd.h>
				19
				20	#include <errno.h>
				21	#include <string.h>
				22	#include <sys/types.h>
				23	#include <sys/socket.h>
				24	#include <sys/un.h>
				25	#include <unistd.h>
				26
				27	#include "honggfuzz.h"
				28	#include "libhfcommon/common.h"
				29	#include "libhfcommon/files.h"
				30	#include "libhfcommon/log.h"
				31	#include "libhfcommon/ns.h"
				32	#include "libhfcommon/util.h"
				33
				34	#include "socketfuzzer.h"
				35
				36
				37	bool fuzz_waitForExternalInput(run_t* run) {
				38	/* tell the external fuzzer to do his thing */
				39	if (!fuzz_prepareSocketFuzzer(run)) {
				40	LOG_F("fuzz_prepareSocketFuzzer() failed");
				41	return false;
				42	}
				43
				44	/* the external fuzzer may inform us of a crash */
				45	int result = fuzz_waitforSocketFuzzer(run);
				46	if (result == 2) {
				47	return false;
				48	}
				49
				50	return true;
				51	}
				52
				53	bool fuzz_prepareSocketFuzzer(run_t* run)
				54	{
				55	ssize_t ret;
				56
				57	// Notify fuzzer that he should send teh things
				58	LOG_D("fuzz_prepareSocketFuzzer: SEND Fuzz");
				59	ret = send(run->global->socketFuzzerData.clientSocket, "Fuzz", 4, 0);
				60	if(ret < 0) {
Robert Swiecki	f3ecc0e	2018-01-21 15:42:22 +0100	[diff] [blame^]	61	LOG_F("fuzz_prepareSocketFuzzer: received: %zu", ret);
dobin	edf9f8d	2018-01-21 13:57:02 +0100	[diff] [blame]	62	return false;
				63	}
				64
				65	return true;
				66	}
				67
				68	/* Return values:
				69	0: error
				70	1: okay
				71	2: target unresponsive
				72	*/
				73	int fuzz_waitforSocketFuzzer(run_t* run)
				74	{
				75	ssize_t ret;
				76	char buf[16];
				77
				78	// Wait until the external fuzzer did his thing
				79	bzero(buf, 16);
				80	ret = recv(run->global->socketFuzzerData.clientSocket, buf, 4, 0);
				81	LOG_D("fuzz_waitforSocketFuzzer: RECV: %s", buf);
				82
				83	// We dont care what we receive, its just to block here
				84	if(ret < 0) {
Robert Swiecki	f3ecc0e	2018-01-21 15:42:22 +0100	[diff] [blame^]	85	LOG_F("fuzz_waitforSocketFuzzer: received: %zu", ret);
dobin	edf9f8d	2018-01-21 13:57:02 +0100	[diff] [blame]	86	return 0;
				87	}
				88
				89	if(memcmp(buf, "okay", 4) == 0) {
				90	return 1;
				91	} else if(memcmp(buf, "bad!", 4) == 0) {
				92	return 2;
				93	}
				94
				95	return 0;
				96	}
				97
				98	bool fuzz_notifySocketFuzzerNewCov(honggfuzz_t *hfuzz)
				99	{
				100	ssize_t ret;
				101
				102	// Tell the fuzzer that the thing he sent reached new BB's
				103	ret = send(hfuzz->socketFuzzerData.clientSocket, "New!", 4, 0);
				104	LOG_D("fuzz_notifySocketFuzzer: SEND: New!");
				105	if(ret < 0) {
Robert Swiecki	f3ecc0e	2018-01-21 15:42:22 +0100	[diff] [blame^]	106	LOG_F("fuzz_notifySocketFuzzer: sent: %zu", ret);
dobin	edf9f8d	2018-01-21 13:57:02 +0100	[diff] [blame]	107	return false;
				108	}
				109
				110	return true;
				111	}
				112
				113	bool fuzz_notifySocketFuzzerCrash(run_t* run)
				114	{
				115	ssize_t ret;
				116
				117	ret = send(run->global->socketFuzzerData.clientSocket, "Cras", 4, 0);
				118	LOG_D("fuzz_notifySocketFuzzer: SEND: Crash");
				119	if(ret < 0) {
Robert Swiecki	f3ecc0e	2018-01-21 15:42:22 +0100	[diff] [blame^]	120	LOG_F("fuzz_notifySocketFuzzer: sent: %zu", ret);
dobin	edf9f8d	2018-01-21 13:57:02 +0100	[diff] [blame]	121	return false;
				122	}
				123
				124	return true;
				125	}
				126
				127	bool setupSocketFuzzer(honggfuzz_t *run) {
				128	int s, len;
				129	socklen_t t;
				130	struct sockaddr_un local, remote;
				131	char socketPath[512];
				132	//snprintf(socketPath, sizeof(socketPath), "/tmp/honggfuzz_socket.%i", getpid());
				133	snprintf(socketPath, sizeof(socketPath), "/tmp/honggfuzz_socket");
				134
				135	if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
				136	perror("socket");
				137	return false;
				138	}
				139
				140	local.sun_family = AF_UNIX;
				141	strcpy(local.sun_path, socketPath);
				142	unlink(local.sun_path);
				143	len = strlen(local.sun_path) + sizeof(local.sun_family);
				144	if (bind(s, (struct sockaddr *)&local, len) == -1) {
				145	perror("bind");
				146	return false;
				147	}
				148
				149	if (listen(s, 5) == -1) {
				150	perror("listen");
				151	return false;
				152	}
				153
				154	printf("Waiting for SocketFuzzer connection on socket: %s\n", socketPath);
				155	t = sizeof(remote);
				156	if ((run->socketFuzzerData.clientSocket = accept(s, (struct sockaddr *)&remote, &t)) == -1) {
				157	perror("accept");
				158	return false;
				159	}
				160
				161	run->socketFuzzerData.serverSocket = s;
				162	printf("A SocketFuzzer client connected. Continuing.\n");
				163
				164	return true;
				165	}
				166
				167	void cleanupSocketFuzzer() {
				168	char socketPath[512];
				169	//snprintf(socketPath, sizeof(socketPath), "/tmp/honggfuzz_socket.%i", getpid());
				170	snprintf(socketPath, sizeof(socketPath), "/tmp/honggfuzz_socket");
				171	unlink(socketPath);
				172	}