Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / honggfuzz / refs/tags/rel/11/fp3/8901.4.A.0017.3 / . / socketfuzzer.c
blob: 29783582f78930f3c886ed577fa54776db87d830 [file] [log] [blame]
Robert Swieckic6e51b12019-05-22 16:02:57 +0200[diff] [blame]1#include "socketfuzzer.h"
2
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]3#include <errno.h>
4#include <fcntl.h>
5#include <inttypes.h>
6#include <libgen.h>
7#include <pthread.h>
8#include <signal.h>
9#include <stddef.h>
10#include <stdint.h>
11#include <stdio.h>
12#include <stdlib.h>
13#include <string.h>
14#include <sys/mman.h>
15#include <sys/param.h>
Robert Swieckic6e51b12019-05-22 16:02:57 +0200[diff] [blame]16#include <sys/socket.h>
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]17#include <sys/stat.h>
18#include <sys/time.h>
19#include <sys/types.h>
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]20#include <sys/un.h>
Robert Swieckic6e51b12019-05-22 16:02:57 +0200[diff] [blame]21#include <time.h>
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]22#include <unistd.h>
23
24#include "honggfuzz.h"
25#include "libhfcommon/common.h"
26#include "libhfcommon/files.h"
27#include "libhfcommon/log.h"
28#include "libhfcommon/ns.h"
29#include "libhfcommon/util.h"
30
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]31bool fuzz_waitForExternalInput(run_t* run) {
32 /* tell the external fuzzer to do his thing */
33 if (!fuzz_prepareSocketFuzzer(run)) {
34 LOG_F("fuzz_prepareSocketFuzzer() failed");
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]35 }
36
37 /* the external fuzzer may inform us of a crash */
38 int result = fuzz_waitforSocketFuzzer(run);
39 if (result == 2) {
40 return false;
41 }
42
43 return true;
44}
45
Robert Swiecki56276192018-01-21 15:43:02 +0100[diff] [blame]46bool fuzz_prepareSocketFuzzer(run_t* run) {
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]47 // Notify fuzzer that he should send teh things
48 LOG_D("fuzz_prepareSocketFuzzer: SEND Fuzz");
Robert Swiecki251ee7c2019-04-17 21:56:22 +0200[diff] [blame]49 return files_sendToSocket(
50 run->global->socketFuzzer.clientSocket, (uint8_t*)"Fuzz", strlen("Fuzz"));
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]51}
52
53/* Return values:
54 0: error
55 1: okay
56 2: target unresponsive
57*/
Robert Swiecki56276192018-01-21 15:43:02 +0100[diff] [blame]58int fuzz_waitforSocketFuzzer(run_t* run) {
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]59 ssize_t ret;
Robert Swiecki251ee7c2019-04-17 21:56:22 +0200[diff] [blame]60 uint8_t buf[16];
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]61
62 // Wait until the external fuzzer did his thing
63 bzero(buf, 16);
Robert Swiecki251ee7c2019-04-17 21:56:22 +0200[diff] [blame]64 ret = files_readFromFd(run->global->socketFuzzer.clientSocket, buf, 4);
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]65 LOG_D("fuzz_waitforSocketFuzzer: RECV: %s", buf);
66
67 // We dont care what we receive, its just to block here
Robert Swiecki56276192018-01-21 15:43:02 +0100[diff] [blame]68 if (ret < 0) {
Robert Swieckif3ecc0e2018-01-21 15:42:22 +0100[diff] [blame]69 LOG_F("fuzz_waitforSocketFuzzer: received: %zu", ret);
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]70 }
71
Robert Swiecki56276192018-01-21 15:43:02 +0100[diff] [blame]72 if (memcmp(buf, "okay", 4) == 0) {
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]73 return 1;
Robert Swiecki56276192018-01-21 15:43:02 +0100[diff] [blame]74 } else if (memcmp(buf, "bad!", 4) == 0) {
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]75 return 2;
76 }
77
78 return 0;
79}
80
Robert Swiecki56276192018-01-21 15:43:02 +0100[diff] [blame]81bool fuzz_notifySocketFuzzerNewCov(honggfuzz_t* hfuzz) {
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]82 // Tell the fuzzer that the thing he sent reached new BB's
Robert Swiecki251ee7c2019-04-17 21:56:22 +0200[diff] [blame]83 bool ret = files_sendToSocket(hfuzz->socketFuzzer.clientSocket, (uint8_t*)"New!", 4);
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]84 LOG_D("fuzz_notifySocketFuzzer: SEND: New!");
Robert Swiecki251ee7c2019-04-17 21:56:22 +0200[diff] [blame]85 if (!ret) {
86 LOG_F("fuzz_notifySocketFuzzer");
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]87 }
88
89 return true;
90}
91
Robert Swiecki56276192018-01-21 15:43:02 +0100[diff] [blame]92bool fuzz_notifySocketFuzzerCrash(run_t* run) {
Robert Swiecki251ee7c2019-04-17 21:56:22 +0200[diff] [blame]93 bool ret = files_sendToSocket(run->global->socketFuzzer.clientSocket, (uint8_t*)"Cras", 4);
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]94 LOG_D("fuzz_notifySocketFuzzer: SEND: Crash");
Robert Swiecki251ee7c2019-04-17 21:56:22 +0200[diff] [blame]95 if (!ret) {
96 LOG_F("fuzz_notifySocketFuzzer");
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]97 }
98
99 return true;
100}
101
Robert Swiecki56276192018-01-21 15:43:02 +0100[diff] [blame]102bool setupSocketFuzzer(honggfuzz_t* run) {
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]103 int s, len;
104 socklen_t t;
105 struct sockaddr_un local, remote;
106 char socketPath[512];
dobin040a98e2018-04-14 15:55:23 +0200[diff] [blame]107 snprintf(socketPath, sizeof(socketPath), "/tmp/honggfuzz_socket.%i", getpid());
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]108
109 if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
110 perror("socket");
111 return false;
112 }
113
114 local.sun_family = AF_UNIX;
115 strcpy(local.sun_path, socketPath);
116 unlink(local.sun_path);
117 len = strlen(local.sun_path) + sizeof(local.sun_family);
Robert Swiecki56276192018-01-21 15:43:02 +0100[diff] [blame]118 if (bind(s, (struct sockaddr*)&local, len) == -1) {
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]119 perror("bind");
120 return false;
121 }
122
123 if (listen(s, 5) == -1) {
124 perror("listen");
125 return false;
126 }
127
128 printf("Waiting for SocketFuzzer connection on socket: %s\n", socketPath);
129 t = sizeof(remote);
Robert Swiecki251ee7c2019-04-17 21:56:22 +0200[diff] [blame]130 if ((run->socketFuzzer.clientSocket =
131 TEMP_FAILURE_RETRY(accept(s, (struct sockaddr*)&remote, &t))) == -1) {
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]132 perror("accept");
133 return false;
134 }
135
Robert Swiecki5e26bd92018-03-02 12:09:34 +0100[diff] [blame]136 run->socketFuzzer.serverSocket = s;
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]137 printf("A SocketFuzzer client connected. Continuing.\n");
138
139 return true;
140}
141
142void cleanupSocketFuzzer() {
143 char socketPath[512];
dobin040a98e2018-04-14 15:55:23 +0200[diff] [blame]144 snprintf(socketPath, sizeof(socketPath), "/tmp/honggfuzz_socket.%i", getpid());
dobinedf9f8d2018-01-21 13:57:02 +0100[diff] [blame]145 unlink(socketPath);
146}