[server] add --test mode to enable broader fuzzing coverage

2014-05-05 23:51:21 -04:00 · 2014-05-05 23:51:21 -04:00 · 0c544f2690
commit 0c544f2690
parent 64a4642c47
6 changed files with 50 additions and 4 deletions
--- a/5
+++ b/5
@ -2,6 +2,11 @@ fwknop-2.6.3 (05//2014):
    - [server] Bug fix to handle SPA packets over HTTP by making sure to honor
      the ENABLE_SPA_OVER_HTTP fwknopd.conf variable and to properly account
      for SPA packet lengths when delivered via HTTP.
+    - [server] Add --test mode to instruct fwknopd to acquire and process
+      SPA packets, but not manipulate firewall rules or execute commands that
+      are provided by SPA clients. This option is mostly useful for the fuzzing
+      tests in the test suite to ensure broad code coverage under adverse
+      conditions.

 fwknop-2.6.2 (04/28/2014):
    - [libfko] fix double free bug in SPA parser discovered with the new
--- a/doc/fwknopd.man.asciidoc
+++ b/doc/fwknopd.man.asciidoc
@ -157,6 +157,12 @@ COMMAND-LINE OPTIONS
 *--syslog-enable*::
    Allow messages to be sent to syslog even if the foreground mode is set.

+*-t, --test*::
+    Run *fwknopd* in test mode. This instructs *fwknopd* to acquire and process
+    SPA packets, but not manipulate firewall rules or execute commands that are
+    provided by SPA clients. This option is mostly useful for the fuzzing tests
+    in the test suite to ensure broad code coverage under adverse conditions.
+
 *-v, --verbose*::
    Run *fwknopd* in verbose mode. This can option can be specified
    multiple times to increase the verbosity of the output to the system
--- a/server/cmd_opts.h
+++ b/server/cmd_opts.h
@ -132,7 +132,7 @@ enum {

 /* Our getopt_long options string.
 */
-#define GETOPTS_OPTION_STRING "a:c:C:d:Dfhi:Kl:O:p:P:RSvV"
+#define GETOPTS_OPTION_STRING "a:c:C:d:Dfhi:Kl:O:p:P:RStvV"

 /* Our program command-line options...
 */
@ -165,6 +165,7 @@ static struct option cmd_opts[] =
    {"pid-file",             1, NULL, 'p'},
    {"restart",              0, NULL, 'R'},
    {"status",               0, NULL, 'S'},
+    {"test",                 0, NULL, 't'},
    {"verbose",              0, NULL, 'v'},
    {"version",              0, NULL, 'V'},
    {0, 0, 0, 0}
--- a/server/config_init.c
+++ b/server/config_init.c
@ -953,6 +953,9 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
            case 'S':
                opts->status = 1;
                break;
+            case 't':
+                opts->test = 1;
+                break;
            /* Verbosity level */
            case 'v':
                opts->verbose++;
--- a/server/fwknopd.8.in
+++ b/server/fwknopd.8.in
@ -2,12 +2,12 @@
 .\"     Title: fwknopd
 .\"    Author: [see the "AUTHORS" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 05/04/2014
+.\"      Date: 05/08/2014
 .\"    Manual: Fwknop Server
 .\"    Source: Fwknop Server
 .\"  Language: English
 .\"
-.TH "FWKNOPD" "8" "05/04/2014" "Fwknop Server" "Fwknop Server"
+.TH "FWKNOPD" "8" "05/08/2014" "Fwknop Server" "Fwknop Server"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@ -232,6 +232,15 @@ processes that may or not be running\&. If there is an existing fwknopd process
 Allow messages to be sent to syslog even if the foreground mode is set\&.
 .RE
 .PP
+\fB\-t, \-\-test\fR
+.RS 4
+Run
+\fBfwknopd\fR
+in test mode\&. This instructs
+\fBfwknopd\fR
+to acquire and process SPA packets, but not manipulate firewall rules or execute commands that are provided by SPA clients\&. This option is mostly useful for the fuzzing tests in the test suite to ensure broad code coverage under adverse conditions\&.
+.RE
+.PP
 \fB\-v, \-\-verbose\fR
 .RS 4
 Run
--- a/server/incoming_spa.c
+++ b/server/incoming_spa.c
@ -831,6 +831,15 @@ incoming_spa(fko_srv_options_t *opts)
                acc = acc->next;
                continue;
            }
+            else if(opts->test)
+            {
+                log_msg(LOG_WARNING,
+                    "[%s] (stanza #%d) --test mode enabled, skipping command execution.",
+                    spadat.pkt_source_ip, stanza_num
+                );
+                acc = acc->next;
+                continue;
+            }
            else
            {
                log_msg(LOG_INFO,
@ -905,7 +914,20 @@ incoming_spa(fko_srv_options_t *opts)
         * access stanza loop (first valid access stanza stops us looking
         * for others).
        */
-        process_spa_request(opts, acc, &spadat);
+        if(opts->test)  /* no firewall changes in --test mode */
+        {
+            log_msg(LOG_WARNING,
+                "[%s] (stanza #%d) --test mode enabled, skipping firewall manipulation.",
+                spadat.pkt_source_ip, stanza_num
+            );
+            acc = acc->next;
+            continue;
+        }
+        else
+        {
+            process_spa_request(opts, acc, &spadat);
+        }
+
        if(ctx != NULL)
        {
            if(fko_destroy(ctx) == FKO_ERROR_ZERO_OUT_DATA)