Date: Mon, 3 Jul 2006 12:34:33 GMT From: Clément Lecigne <clem1@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 100492 for review Message-ID: <200607031234.k63CYXJ0079364@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=100492 Change 100492 by clem1@clem1_ipv6vulns on 2006/07/03 12:34:23 Now we can choose which kind of icmp msg we want. Affected files ... .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/icmpsicng.c#2 edit Differences ... ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/icmpsicng.c#2 (text+ko) ==== @@ -30,7 +30,7 @@ u_short *payload = NULL; u_int payload_s = 0; - struct icmp *icmp = NULL; + struct libnet_icmpv6_hdr *icmp = NULL; /* libnet variables */ char errbuf[LIBNET_ERRBUF_SIZE]; @@ -51,7 +51,7 @@ /* Functionality Variables */ - int src_ip_rand = 0, dst_ip_rand = 0, dst_ok = 0; + int src_ip_rand = 0, dst_ip_rand = 0, dst_ok = 0, what; struct timeval tv, tv2; float sec; unsigned int cx = 0; @@ -66,21 +66,51 @@ float FragPct = 30; float BadIPVer = 10; float ICMPCksm = 10; + float TooBig = 5; + float Redir = 5; + float Echo = 1; + float Unreach = 5; + float MLD = 15; + float ND = 15; + float RT = 15; + float NI = 15; - - /* Not crypto strong randomness but we don't really care. And this * * gives us a way to determine the seed while the program is running * * if we need to repeat the results */ seed = getpid(); - while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:V:F:I:vx:")) != EOF) + while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:V:F:I:T:R:E:U:M:O:N:W:vx:")) != EOF) { switch (c) { case 'i': device = optarg; break; + case 'T': + TooBig = atof(optarg); + break; + case 'R': + Redir = atof(optarg); + break; + case 'E': + Echo = atof(optarg); + break; + case 'U': + Unreach = atof(optarg); + break; + case 'M': + MLD = atof(optarg); + break; + case 'O': + RT = atof(optarg); + break; + case 'N': + ND = atof(optarg); + break; + case 'W': + NI = atof(optarg); + break; case 'h': usage(argv[0]); exit(0); 
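Review bot: The eight new percentage options (`case 'T':` through `case 'W':` in the option `switch`) are parsed with `atof(optarg)`, which returns 0 for non-numeric input and accepts negative or above-100 values without any error. These values later become selection thresholds, so a typo on the command line silently changes the message mix instead of being reported. Parsing with `strtod` and rejecting anything outside 0–100, for example `v = strtod(optarg, &end); if (end == optarg || *end != '\0' || v < 0 || v > 100) { usage(argv[0]); exit(1); }`, would surface bad input, and a small static helper shared by all eight cases would keep the switch short. The enclosing function starts and ends outside the hunk.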
@@ -227,14 +257,24 @@ printf("Bad IP Version\t= %.0f%%\t\t", BadIPVer); printf("Frag header\t= %.0f%%\n", FragPct); + printf("TooBig=%.0f%% Redirect=%.0f%% Echo=%.0f%% Router=%.0f%%\n", TooBig, Redir, Echo, RT); + printf("Unreach=%.0f%% MLD=%.0f%% ND=%.0f%% NI=%.0f%%\n", Unreach, MLD, ND, NI); + printf("Bad ICMP Cksm\t= %.0f%%\n", ICMPCksm); /* Drop them down to floats so we can multiply and not overflow */ BadIPVer /= 100; FragPct /= 100; ICMPCksm /= 100; - + TooBig /= 100; + Redir = Redir / 100 + TooBig; + Echo = Echo / 100 + Redir; + Unreach = Unreach / 100 + Echo; + MLD = MLD / 100 + Unreach; + ND = ND / 100 + MLD; + RT = RT / 100 + ND; + NI = NI / 100 + RT; /************* * Main Loop * @@ -245,6 +285,7 @@ for(acx = 0; acx < num_to_send; acx++) { off = eo; + memset(buf + eo, 0x0, IP_MAXPACKET - eo); hl = rand() & 0xff; flow = rand(); 
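Review bot: The cumulative thresholds built from `TooBig /= 100;` through `NI = NI / 100 + RT;` are never checked against 1.0, so when the eight percentages add up to more than 100 the later message classes and the final fully random fallback can no longer be selected, and nothing tells the user. A check after the last assignment, such as `if (NI > 1.0) { fprintf(stderr, "ICMPv6 type percentages exceed 100%%\n"); exit(1); }`, would make that explicit. A one-line comment that each variable now holds a running sum rather than its own share would also help, for example `/* From here on each value is a cumulative threshold, not a per-type share */`, because the names no longer describe their contents after this block. The enclosing function starts and ends outside the hunk.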
@@ -289,14 +330,113 @@ off += 8; } - icmp = (struct icmp *)(buf + off); + icmp = (struct libnet_icmpv6_hdr *)(buf + off); - icmp->icmp_type = rand() & 0xff; - icmp->icmp_code = rand() & 0xff; - icmp->icmp_cksum = 0; + what = rand(); + if (what <= (RAND_MAX * TooBig)) + { + icmp->icmp_type = 2; + icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff; + icmp->icmp_mtu = rand(); + off += 8; + } + else if (what <= (RAND_MAX * Redir)) + { + icmp->icmp_type = 137; + icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff; + icmp->icmp_unused = (rand() % 2) ? 0 : rand(); + for (c = 0; c < 16; c++) + { + if (c < 8) + icmp->icmp_target1[c] = rand() & 0xff; + else + icmp->icmp_target2[c] = rand() & 0xff; + } + icmp->icmp_dst = randipv6(); + off += 36; + + } + else if (what <= (RAND_MAX * Echo)) + { + icmp->icmp_type = 128 + rand() % 2; + icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff; + icmp->icmp_unused = rand(); /* seq + id */ + off += 8; + } + else if (what <= (RAND_MAX * Unreach)) + { + icmp->icmp_type = 1; + icmp->icmp_code = (rand() % 2) ? rand() % 5 : rand() & 0xff; + icmp->icmp_unused = (rand() % 2) ? 0 : rand(); + off += 8; + } + else if (what <= (RAND_MAX * MLD)) + { + icmp->icmp_type = 130 + rand() % 3; + icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff; + icmp->icmp_maxdelay = rand() & 0xff; + icmp->icmp_reserved2 = (rand() % 2) ? 0 : rand() & 0xffff; + for (c = 0; c < 16; c++) + { + if (c < 8) + icmp->icmp_mcast1[c] = rand() & 0xff; + else + icmp->icmp_mcast2[c] = rand() & 0xff; + } + off += 24; + } + else if (what <= (RAND_MAX * ND)) + { + icmp->icmp_type = 135 + rand() % 2; + icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff; + icmp->icmp_unused = (rand() % 2) ? 0 : rand(); + for (c = 0; c < 16; c++) + { + if (c < 8) + icmp->icmp_target1[c] = rand() & 0xff; + else + icmp->icmp_target2[c] = rand() & 0xff; + } + off += 24; + } + else if (what <= (RAND_MAX * RT)) + { + icmp->icmp_type = 133 + rand() % 2; + icmp->icmp_code = (rand() % 2) ? 
rand() & 0xff : 0; + if (icmp->icmp_type == 133) + { + /* solicitation msg */ + icmp->icmp_unused = (rand() % 2) ? rand() : 0; + off += 8; + } + else + { + /* advertisement msg */ + icmp->icmp_chl = rand() & 0xff; + icmp->icmp_mo = rand() & 0xff; + icmp->icmp_rlf = rand() & 0xffff; + icmp->icmp_rct = rand(); + icmp->icmp_rtt = rand(); + off += 14; + } + } + else if (what <= (RAND_MAX * NI)) + { + icmp->icmp_type = 139 + rand() % 2; + icmp->icmp_code = (rand() % 2) ? rand() & 0xff : rand() % 3; + icmp->icmp_qtype = rand() & 0xffff; + icmp->icmp_flags = rand() & 0xffff; + for (c = 0; c < 8; c++) + icmp->icmp_nonce[c] = rand() & 0xff; + off += 14; + } + else + { + icmp->icmp_type = rand() & 0xff; + icmp->icmp_code = rand() & 0xff; + off += 4; + } - off += 4; - #ifdef LIBNET_BSDISH_OS if ((payload_s - off + 0xe + 40) > payload_s) payload_s = 0; @@ -315,10 +455,9 @@ if (rand() <= (RAND_MAX * ICMPCksm)) - icmp->icmp_cksum = rand() & 0xffff; + icmp->icmp_sum = rand() & 0xffff; else - libnet_do_checksum(l, buf + eo, IPPROTO_ICMP6, payload_s + 4); - + libnet_do_checksum(l, buf + eo, IPPROTO_ICMP6, payload_s + (off - 40 - eo)); if (skip <= acx) { for (cx = 0; cx < repeat; cx++) @@ -355,7 +494,7 @@ - (tv.tv_usec - tv2.tv_usec) / 1000000.0; if ((datapushed / sec) >= max_pushed) usleep(10); /* 10 should give up our timeslice */ - usleep(1000); + usleep(500); } @@ -384,8 +523,11 @@ " [-r seed] [-m <max kB/s to generate>]\n" " [-p <pkts to generate>] [-k <skip packets>] [-x <send packet X times>]\n" "\n" - " Percentage Opts: [-F frags] [-V <Bad IP Version>]\n" - " [-I <Bad ICMP checksum>]\n" + " Percentage Opts: [-F frags] [-V Bad IP Version]\n" + " [-I Bad checksum>]\n" + " [-T Toobig] [-R Redirect] [-E Echo]\n" + " [-U Unreach] [-M MLD] [-O Router]\n" + " [-N Neighbor] [-W node info]\n" "\n" " [-v] causes packet info to be printed out -- DEBUGGING\n\n" " ex: -s a:b:c::d -d b:c:d::e -I 100\n"
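Review bot: In the Redirect, MLD and Neighbor Discovery branches the second half of the address is written as `icmp->icmp_target2[c]` or `icmp->icmp_mcast2[c]` while `c` runs from 8 to 15. The definition of `struct libnet_icmpv6_hdr` is not part of this change, but if the `...1`/`...2` members are the two 8-byte halves of one address, as the `c < 8` split suggests, these stores land past the end of the second member and its own bytes are never filled; the index should be rebased, `icmp->icmp_target2[c - 8] = rand() & 0xff;` and `icmp->icmp_mcast2[c - 8] = rand() & 0xff;`. Separately, the `off += 14` used for router advertisements and node information is worth checking against the fields written in those branches, since the masks there suggest 12 bytes after the 4-byte type/code/checksum header. The enclosing function starts and ends outside the hunk.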
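Review bot: The new length argument `payload_s + (off - 40 - eo)` hard-codes the IPv6 header size and treats every byte between that header and `off` as ICMPv6 header. The context at the top of the previous hunk shows an `off += 8` ahead of the `icmp` pointer assignment; if that is the fragment-header path, those 8 bytes are counted in the checksum length as well, and whether `libnet_do_checksum` compensates is not visible here. Saving the ICMP start once, `icmp_off = off;` right before `icmp = (struct libnet_icmpv6_hdr *)(buf + off);`, and passing `payload_s + (off - icmp_off)` removes both the magic number and the dependence on which extension headers were emitted. The enclosing function starts and ends outside the hunk.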
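Review bot: The rewritten usage line `" [-I Bad checksum>]\n"` keeps a stray `>` from the old `<Bad ICMP checksum>` form and should read `[-I Bad checksum]`. The heading says these are percentage options, but not that the eight message-class values are accumulated into one selection range, which is what a user needs to know to combine them; an extra usage line such as `" (message-class percentages should total at most 100)\n"` would cover it.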