diff options
Diffstat (limited to '')
| -rwxr-xr-x | tools/fuzz-test.sh | 317 |
1 files changed, 317 insertions, 0 deletions
diff --git a/tools/fuzz-test.sh b/tools/fuzz-test.sh new file mode 100755 index 0000000..b63f647 --- /dev/null +++ b/tools/fuzz-test.sh @@ -0,0 +1,317 @@ +#!/bin/bash +# +# Fuzz-testing script for TShark +# +# This script uses Editcap to add random errors ("fuzz") to a set of +# capture files specified on the command line. It runs TShark on +# each fuzzed file and checks for errors. The files are processed +# repeatedly until an error is found. +# +# Copyright 2013 Gerald Combs <gerald@wireshark.org> +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# SPDX-License-Identifier: GPL-2.0-or-later + +TEST_TYPE="fuzz" +# shellcheck source=tools/test-common.sh +. "$( dirname "$0" )"/test-common.sh || exit 1 + +# Sanity check to make sure we can find our plugins. Zero or less disables. +MIN_PLUGINS=0 + +# Did we catch a signal or time out? +DONE=false + +# Currently running children +RUNNER_PIDS= + +# Perform a two-pass analysis on the capture file? +TWO_PASS= + +# Specific config profile ? +CONFIG_PROFILE= + +# Run under valgrind ? +VALGRIND=0 + +# Abort on UTF-8 encoding errors +CHECK_UTF_8="--log-fatal-domains=UTF-8 " + +# Run under AddressSanitizer ? +ASAN=$CONFIGURED_WITH_ASAN + +# Don't skip any byte from being changed +CHANGE_OFFSET=0 + +# The maximum permitted amount of memory leaked. Eventually this should be +# worked down to zero, but right now that would fail on every single capture. +# Only has effect when running under valgrind. +MAX_LEAK=$(( 1024 * 100 )) + +# Our maximum run time. +RUN_START_SECONDS=$SECONDS +RUN_MAX_SECONDS=$(( RUN_START_SECONDS + 86400 )) + +# To do: add options for file names and limits +while getopts "2b:C:d:e:agp:P:o:t:U" OPTCHAR ; do + case $OPTCHAR in + a) ASAN=1 ;; + 2) TWO_PASS="-2 " ;; + b) WIRESHARK_BIN_DIR=$OPTARG ;; + C) CONFIG_PROFILE="-C $OPTARG " ;; + d) TMP_DIR=$OPTARG ;; + e) ERR_PROB=$OPTARG ;; + g) VALGRIND=1 ;; + p) MAX_PASSES=$OPTARG ;; + P) MIN_PLUGINS=$OPTARG ;; + o) CHANGE_OFFSET=$OPTARG ;; + t) RUN_MAX_SECONDS=$(( RUN_START_SECONDS + OPTARG )) ;; + U) CHECK_UTF_8= ;; # disable + *) printf "Unknown option %s\n" "$OPTCHAR" + esac +done +shift $((OPTIND - 1)) + +### usually you won't have to change anything below this line ### + +ws_bind_exec_paths +ws_check_exec "$TSHARK" "$EDITCAP" "$CAPINFOS" "$DATE" "$TMP_DIR" + +COMMON_ARGS="${CONFIG_PROFILE}${TWO_PASS}${CHECK_UTF_8}" +KEEP= +PACKET_RANGE= +if [ $VALGRIND -eq 1 ]; then + RUNNER=$( dirname "$0" )"/valgrind-wireshark.sh" + COMMON_ARGS="-b $WIRESHARK_BIN_DIR $COMMON_ARGS" + declare -a RUNNER_ARGS=("" "-T") + # Valgrind requires more resources, so permit 1.5x memory and 3x time + # (1.5x time is too small for a few large captures in the menagerie) + MAX_CPU_TIME=$(( 3 * MAX_CPU_TIME )) + MAX_VMEM=$(( 3 * MAX_VMEM / 2 )) + # Valgrind is slow. Trim captures to the first 10k packets so that + # we don't time out. + KEEP=-r + PACKET_RANGE=1-10000 +else + # Not using valgrind, use regular tshark. + # TShark arguments (you won't have to change these) + # n Disable network object name resolution + # V Print a view of the details of the packet rather than a one-line summary of the packet + # x Cause TShark to print a hex and ASCII dump of the packet data after printing the summary or details + # r Read packet data from the following infile + RUNNER="$TSHARK" + declare -a RUNNER_ARGS=("-nVxr" "-nr") + # Running with a read filter but without generating the tree exposes some + # "More than 100000 items in tree" bugs. + # Not sure if we want to add even more cycles to the fuzz bot's work load... + #declare -a RUNNER_ARGS=("${CONFIG_PROFILE}${TWO_PASS}-nVxr" "${CONFIG_PROFILE}${TWO_PASS}-nr" "-Yframe ${CONFIG_PROFILE}${TWO_PASS}-nr") +fi + + +# Make sure we have a valid test set +FOUND=0 +for CF in "$@" ; do + if [ "$OSTYPE" == "cygwin" ] ; then + CF=$( cygpath --windows "$CF" ) + fi + "$CAPINFOS" "$CF" > /dev/null 2>&1 && FOUND=1 + if [ $FOUND -eq 1 ] ; then break ; fi +done + +if [ $FOUND -eq 0 ] ; then + cat <<FIN +Error: No valid capture files found. + +Usage: $( basename "$0" ) [-2] [-b bin_dir] [-C config_profile] [-d work_dir] [-e error probability] [-o changes offset] [-g] [-a] [-p passes] capture file 1 [capture file 2]... +FIN + exit 1 +fi + +PLUGIN_COUNT=$( $TSHARK -G plugins | grep -c dissector ) +if [ "$MIN_PLUGINS" -gt 0 ] && [ "$PLUGIN_COUNT" -lt "$MIN_PLUGINS" ] ; then + echo "Warning: Found fewer plugins than expected ($PLUGIN_COUNT vs $MIN_PLUGINS)." + exit 1 +fi + +if [ $ASAN -ne 0 ]; then + echo -n "ASan enabled. Virtual memory limit is " + ulimit -v +else + echo "ASan disabled. Virtual memory limit is $MAX_VMEM" +fi + +HOWMANY="forever" +if [ "$MAX_PASSES" -gt 0 ]; then + HOWMANY="$MAX_PASSES passes" +fi +echo -n "Running $RUNNER $COMMON_ARGS with args: " +printf "\"%s\"\n" "${RUNNER_ARGS[@]}" +echo "($HOWMANY)" +echo "" + +# Clean up on <ctrl>C, etc +trap_all() { + printf '\n\nCaught signal. Exiting.\n' + rm -f "$TMP_DIR/$TMP_FILE" "$TMP_DIR/$ERR_FILE"* + exit 0 +} + +trap_abrt() { + for RUNNER_PID in $RUNNER_PIDS ; do + kill -ABRT "$RUNNER_PID" + done + trap_all +} + +trap trap_all HUP INT TERM +trap trap_abrt ABRT + +# Iterate over our capture files. +PASS=0 +while { [ $PASS -lt "$MAX_PASSES" ] || [ "$MAX_PASSES" -lt 1 ]; } && ! $DONE ; do + PASS=$(( PASS+1 )) + echo "Pass $PASS:" + RUN=0 + + for CF in "$@" ; do + if $DONE; then + break # We caught a signal or timed out + fi + RUN=$(( RUN + 1 )) + if [ $(( RUN % 50 )) -eq 0 ] ; then + echo " [Pass $PASS]" + fi + if [ "$OSTYPE" == "cygwin" ] ; then + CF=$( cygpath --windows "$CF" ) + fi + + "$CAPINFOS" "$CF" > /dev/null 2> "$TMP_DIR/$ERR_FILE" + RETVAL=$? + if [ $RETVAL -eq 1 ] || [ $RETVAL -eq 2 ] ; then + echo "Not a valid capture file" + rm -f "$TMP_DIR/$ERR_FILE" + continue + elif [ $RETVAL -ne 0 ] && ! $DONE ; then + # Some other error + ws_exit_error + fi + + # Choose a random subset of large captures. + KEEP= + PACKET_RANGE= + CF_PACKETS=$( "$CAPINFOS" -T -r -c "$CF" | cut -f2 ) + if [[ CF_PACKETS -gt $MAX_FUZZ_PACKETS ]] ; then + START_PACKET=$(( CF_PACKETS - MAX_FUZZ_PACKETS )) + START_PACKET=$( shuf --input-range=1-$START_PACKET --head-count=1 ) + END_PACKET=$(( START_PACKET + MAX_FUZZ_PACKETS )) + KEEP=-r + PACKET_RANGE="$START_PACKET-$END_PACKET" + printf " Fuzzing packets %d-%d of %d\n" "$START_PACKET" "$END_PACKET" "$CF_PACKETS" + fi + + DISSECTOR_BUG=0 + VG_ERR_CNT=0 + + printf " %s: " "$( basename "$CF" )" + # shellcheck disable=SC2086 + "$EDITCAP" -E "$ERR_PROB" -o "$CHANGE_OFFSET" $KEEP "$CF" "$TMP_DIR/$TMP_FILE" $PACKET_RANGE > /dev/null 2>&1 + RETVAL=$? + if [ $RETVAL -ne 0 ] ; then + # shellcheck disable=SC2086 + "$EDITCAP" -E "$ERR_PROB" -o "$CHANGE_OFFSET" $KEEP -T ether "$CF" "$TMP_DIR/$TMP_FILE" $PACKET_RANGE \ + > /dev/null 2>&1 + RETVAL=$? + if [ $RETVAL -ne 0 ] ; then + echo "Invalid format for editcap" + continue + fi + fi + + FILE_START_SECONDS=$SECONDS + RUNNER_PIDS= + RUNNER_ERR_FILES= + for ARGS in "${RUNNER_ARGS[@]}" ; do + if $DONE; then + break # We caught a signal + fi + echo -n "($ARGS) " + + # Run in a child process with limits. + ( + # Set some limits to the child processes, e.g. stop it if + # it's running longer than MAX_CPU_TIME seconds. (ulimit + # is not supported well on cygwin - it shows some warnings - + # and the features we use may not all be supported on some + # UN*X platforms.) + ulimit -S -t "$MAX_CPU_TIME" -s "$MAX_STACK" + + # Allow core files to be generated + ulimit -c unlimited + + # Don't enable ulimit -v when using ASAN. See + # https://github.com/google/sanitizers/wiki/AddressSanitizer#ulimit--v + if [ $ASAN -eq 0 ]; then + ulimit -S -v "$MAX_VMEM" + fi + + # shellcheck disable=SC2016 + SUBSHELL_PID=$($SHELL -c 'echo $PPID') + + printf 'Command and args: %s %s %s\n' "$RUNNER" "$COMMON_ARGS" "$ARGS" > "$TMP_DIR/$ERR_FILE.$SUBSHELL_PID" + # shellcheck disable=SC2086 + "$RUNNER" $COMMON_ARGS $ARGS "$TMP_DIR/$TMP_FILE" \ + > /dev/null 2>> "$TMP_DIR/$ERR_FILE.$SUBSHELL_PID" + ) & + RUNNER_PID=$! + RUNNER_PIDS="$RUNNER_PIDS $RUNNER_PID" + RUNNER_ERR_FILES="$RUNNER_ERR_FILES $TMP_DIR/$ERR_FILE.$RUNNER_PID" + + if [ $SECONDS -ge $RUN_MAX_SECONDS ] ; then + printf "\nStopping after %d seconds.\n" $(( SECONDS - RUN_START_SECONDS )) + DONE=true + fi + done + + for RUNNER_PID in $RUNNER_PIDS ; do + wait "$RUNNER_PID" + RUNNER_RETVAL=$? + mv "$TMP_DIR/$ERR_FILE.$RUNNER_PID" "$TMP_DIR/$ERR_FILE" + + # Uncomment the next two lines to enable dissector bug + # checking. + #grep -i "dissector bug" $TMP_DIR/$ERR_FILE \ + # > /dev/null 2>&1 && DISSECTOR_BUG=1 + + if [ $VALGRIND -eq 1 ] && ! $DONE; then + VG_ERR_CNT=$( grep "ERROR SUMMARY:" "$TMP_DIR/$ERR_FILE" | cut -f4 -d' ' ) + VG_DEF_LEAKED=$( grep "definitely lost:" "$TMP_DIR/$ERR_FILE" | cut -f7 -d' ' | tr -d , ) + VG_IND_LEAKED=$( grep "indirectly lost:" "$TMP_DIR/$ERR_FILE" | cut -f7 -d' ' | tr -d , ) + VG_TOTAL_LEAKED=$(( VG_DEF_LEAKED + VG_IND_LEAKED )) + if [ $RUNNER_RETVAL -ne 0 ] ; then + echo "General Valgrind failure." + VG_ERR_CNT=1 + elif [ "$VG_TOTAL_LEAKED" -gt "$MAX_LEAK" ] ; then + echo "Definitely + indirectly ($VG_DEF_LEAKED + $VG_IND_LEAKED) exceeds max ($MAX_LEAK)." + echo "Definitely + indirectly ($VG_DEF_LEAKED + $VG_IND_LEAKED) exceeds max ($MAX_LEAK)." >> "$TMP_DIR/$ERR_FILE" + VG_ERR_CNT=1 + fi + if grep -q "Valgrind cannot continue" "$TMP_DIR/$ERR_FILE" ; then + echo "Valgrind unable to continue." + VG_ERR_CNT=-1 + fi + fi + + if ! $DONE && { [ $RUNNER_RETVAL -ne 0 ] || [ $DISSECTOR_BUG -ne 0 ] || [ $VG_ERR_CNT -ne 0 ]; } ; then + # shellcheck disable=SC2086 + rm -f $RUNNER_ERR_FILES + ws_exit_error + fi + done + + printf " OK (%s seconds)\\n" $(( SECONDS - FILE_START_SECONDS )) + rm -f "$TMP_DIR/$TMP_FILE" "$TMP_DIR/$ERR_FILE" + done +done |