From 136d017afb5c7021251db2be741d30cc1e13ed91 Mon Sep 17 00:00:00 2001
From: Michael Rash
Date: Thu, 14 May 2015 17:51:25 -0700
Subject: [PATCH] [client] ensure no dns, http, or other network comms in AFL fuzzing mode
---
 client/config_init.c | 6 ------
 client/http_resolve_host.c | 30 ++++++++++++++++++++++++++++++
 client/spa_comm.c | 19 +++++++++++++++++++
 3 files changed, 49 insertions(+), 6 deletions(-)

diff --git a/client/config_init.c b/client/config_init.c
index 96fb5fc9..cdb233d0 100644
--- a/client/config_init.c
+++ b/client/config_init.c
@@ -1869,12 +1869,6 @@ validate_options(fko_cli_options_t *options)
 snprintf(options->http_user_agent, HTTP_MAX_USER_AGENT_LEN, "%s%s", "Fwknop/", MY_VERSION);
 
-#if AFL_FUZZING
- /* Don't issue IP resolution requests in AFL fuzzing mode
- */
- options->resolve_ip_http_https = 0;
-#endif
-
 if(options->http_proxy[0] != 0x0 && options->spa_proto != FKO_PROTO_HTTP)
 {
 log_msg(LOG_VERBOSITY_ERROR,
diff --git a/client/http_resolve_host.c b/client/http_resolve_host.c
index ae4ef690..0e509f13 100644
--- a/client/http_resolve_host.c
+++ b/client/http_resolve_host.c
@@ -45,6 +45,10 @@
 #include
 #endif
 
+#if AFL_FUZZING
+ #define AFL_SET_RESOLVE_HOST "192.168.12.123" /* force to non-routable IP */
+#endif
+
 struct url {
 char port[MAX_PORT_STR_LEN+1];
@@ -95,6 +99,19 @@ try_url(struct url *url, fko_cli_options_t *options)
 hints.ai_socktype = SOCK_STREAM;
 hints.ai_protocol = IPPROTO_TCP;
 
+#if AFL_FUZZING
+ /* Make sure to not generate any resolution requests when compiled
+ * for AFL fuzzing cycles
+ */
+ strlcpy(options->allow_ip_str, AFL_SET_RESOLVE_HOST,
+ sizeof(options->allow_ip_str));
+ log_msg(LOG_VERBOSITY_INFO,
+ "\n[+] AFL fuzzing cycle, force IP resolution to: %s",
+ options->allow_ip_str);
+
+ return(1);
+#endif
+
 error = getaddrinfo(url->host, url->port, &hints, &result);
 if (error != 0)
 {
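Review bot: The comment on `AFL_SET_RESOLVE_HOST` calls 192.168.12.123 non-routable, but 192.168.0.0/16 is RFC 1918 private space: it is routed on any LAN and may well be a real host. The value is only copied into `options->allow_ip_str` by the two guarded blocks further down in this file, so presumably it never goes on the wire in an AFL build, but the comment should say what the address actually is, e.g. `#define AFL_SET_RESOLVE_HOST "192.168.12.123" /* RFC 1918 private address; only recorded as the "resolved" IP, never contacted */`. If a value that can never name a real host is wanted, the RFC 5737 documentation range (192.0.2.0/24) is the conventional choice.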
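Review bot: The AFL block added to try_url is pasted verbatim again in resolve_ip_https (hunk @@ -381), and in both places it sits after the function has already done its setup (the addrinfo hints here, the assembled wget command line there), so everything after `#endif` is unreachable in AFL builds while still being compiled and maintained. A single file-scope helper under `#if AFL_FUZZING`, called as the first statement of each function, keeps the two copies from drifting and makes the no-network guarantee visible at function entry. `return(1)` is presumably the success value try_url's callers expect, so the helper keeps it; try_url's body continues outside the hunk.
```c
#if AFL_FUZZING
/* AFL builds must never resolve or contact anything: report
 * AFL_SET_RESOLVE_HOST as the "resolved" address and succeed. */
static int
afl_force_resolve(fko_cli_options_t *options)
{
    strlcpy(options->allow_ip_str, AFL_SET_RESOLVE_HOST,
            sizeof(options->allow_ip_str));
    log_msg(LOG_VERBOSITY_INFO,
            "\n[+] AFL fuzzing cycle, force IP resolution to: %s",
            options->allow_ip_str);
    return 1;
}
#endif

/* … unchanged: struct url and the other helpers … */

try_url(struct url *url, fko_cli_options_t *options)
{
#if AFL_FUZZING
    return afl_force_resolve(options);
#endif
    /* … unchanged: hints setup, getaddrinfo, HTTP exchange … */
```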
@@ -381,6 +398,19 @@ resolve_ip_https(fko_cli_options_t *options)
 strlcat(wget_ssl_cmd, WGET_RESOLVE_URL_SSL, sizeof(wget_ssl_cmd));
 }
 
+#if AFL_FUZZING
+ /* Make sure to not generate any resolution requests when compiled
+ * for AFL fuzzing cycles
+ */
+ strlcpy(options->allow_ip_str, AFL_SET_RESOLVE_HOST,
+ sizeof(options->allow_ip_str));
+ log_msg(LOG_VERBOSITY_INFO,
+ "\n[+] AFL fuzzing cycle, force IP resolution to: %s",
+ options->allow_ip_str);
+
+ return(1);
+#endif
+
 #if HAVE_EXECVPE
 if(strtoargv(wget_ssl_cmd, wget_argv, &wget_argc, options) != 1)
 {
diff --git a/client/spa_comm.c b/client/spa_comm.c
index 20a9b196..3b27f918 100644
--- a/client/spa_comm.c
+++ b/client/spa_comm.c
@@ -119,6 +119,14 @@ send_spa_packet_tcp_or_udp(const char *spa_data, const int sd_len,
 snprintf(port_str, MAX_PORT_STR_LEN+1, "%d", options->spa_dst_port);
 
+#if AFL_FUZZING
+ /* Make sure to never send SPA packets under AFL fuzzing cycles
+ */
+ log_msg(LOG_VERBOSITY_NORMAL,
+ "AFL fuzzing enabled, SPA packet not actually sent.");
+ return res;
+#endif
+
 error = getaddrinfo(options->spa_server_str, port_str, &hints, &result);
 if (error != 0)
@@ -590,6 +598,9 @@ send_spa_packet_http(const char *spa_data, const int sd_len,
 return 0;
 }
 
+ /* In AFL fuzzing mode, the following function will not send
+ * the SPA packet.
+ */
 return send_spa_packet_tcp_or_udp(http_buf, strlen(http_buf), options);
 }
@@ -684,6 +695,14 @@ send_spa_packet(fko_ctx_t ctx, fko_cli_options_t *options)
 * the ip address
 */
 hints.ai_family = AF_INET;
+#if AFL_FUZZING
+ /* Make sure to never send SPA packets under AFL fuzzing cycles
+ */
+ log_msg(LOG_VERBOSITY_NORMAL,
+ "AFL fuzzing enabled, SPA packet not actually sent.");
+ return res;
+#endif
+
 if (resolve_dest_adr(options->spa_server_str, &hints, ip_str, sizeof(ip_str)) != 0)
 {
 log_msg(LOG_VERBOSITY_ERROR, "[*] Unable to resolve %s as an ip address",
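Review bot: `return res;` in the new AFL block of send_spa_packet_tcp_or_udp hands back whatever `res` was initialised to above the hunk, which is not visible here; if that is 0 or -1, send_spa_packet_http (which returns this value straight through in the @@ -590 hunk) and any caller that compares the result against the bytes-sent count will treat every AFL run as a failed send. If the normal path returns the number of bytes written, `return sd_len;` is the faithful stand-in; otherwise assign `res` the documented success value on the line before the return and say so in the comment. The same `return res;` appears in the AFL block of send_spa_packet (hunk @@ -684) and needs the same treatment. Both function bodies continue outside their hunks.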