#!/bin/bash # # Fuzz-testing script for TShark # # This script uses Editcap to add random errors ("fuzz") to a set of # capture files specified on the command line. It runs TShark on # each fuzzed file and checks for errors. The files are processed # repeatedly until an error is found. # # Copyright 2013 Gerald Combs # # Wireshark - Network traffic analyzer # By Gerald Combs # Copyright 1998 Gerald Combs # # SPDX-License-Identifier: GPL-2.0-or-later TEST_TYPE="fuzz" # shellcheck source=tools/test-common.sh . "$( dirname "$0" )"/test-common.sh || exit 1 # Sanity check to make sure we can find our plugins. Zero or less disables. MIN_PLUGINS=0 # Did we catch a signal or time out? DONE=false # Currently running children RUNNER_PIDS= # Perform a two-pass analysis on the capture file? TWO_PASS= # Specific config profile ? CONFIG_PROFILE= # Run under valgrind ? VALGRIND=0 # Abort on UTF-8 encoding errors CHECK_UTF_8="--log-fatal-domains=UTF-8 " # Run under AddressSanitizer ? ASAN=$CONFIGURED_WITH_ASAN # Don't skip any byte from being changed CHANGE_OFFSET=0 # The maximum permitted amount of memory leaked. Eventually this should be # worked down to zero, but right now that would fail on every single capture. # Only has effect when running under valgrind. MAX_LEAK=$(( 1024 * 100 )) # Our maximum run time. RUN_START_SECONDS=$SECONDS RUN_MAX_SECONDS=$(( RUN_START_SECONDS + 86400 )) # To do: add options for file names and limits while getopts "2b:C:d:e:agp:P:o:t:U" OPTCHAR ; do case $OPTCHAR in a) ASAN=1 ;; 2) TWO_PASS="-2 " ;; b) WIRESHARK_BIN_DIR=$OPTARG ;; C) CONFIG_PROFILE="-C $OPTARG " ;; d) TMP_DIR=$OPTARG ;; e) ERR_PROB=$OPTARG ;; g) VALGRIND=1 ;; p) MAX_PASSES=$OPTARG ;; P) MIN_PLUGINS=$OPTARG ;; o) CHANGE_OFFSET=$OPTARG ;; t) RUN_MAX_SECONDS=$(( RUN_START_SECONDS + OPTARG )) ;; U) CHECK_UTF_8= ;; # disable *) printf "Unknown option %s\n" "$OPTCHAR" esac done shift $((OPTIND - 1)) ### usually you won't have to change anything below this line ### ws_bind_exec_paths ws_check_exec "$TSHARK" "$EDITCAP" "$CAPINFOS" "$DATE" "$TMP_DIR" COMMON_ARGS="${CONFIG_PROFILE}${TWO_PASS}${CHECK_UTF_8}" KEEP= PACKET_RANGE= if [ $VALGRIND -eq 1 ]; then RUNNER=$( dirname "$0" )"/valgrind-wireshark.sh" COMMON_ARGS="-b $WIRESHARK_BIN_DIR $COMMON_ARGS" declare -a RUNNER_ARGS=("" "-T") # Valgrind requires more resources, so permit 1.5x memory and 3x time # (1.5x time is too small for a few large captures in the menagerie) MAX_CPU_TIME=$(( 3 * MAX_CPU_TIME )) MAX_VMEM=$(( 3 * MAX_VMEM / 2 )) # Valgrind is slow. Trim captures to the first 10k packets so that # we don't time out. KEEP=-r PACKET_RANGE=1-10000 else # Not using valgrind, use regular tshark. # TShark arguments (you won't have to change these) # n Disable network object name resolution # V Print a view of the details of the packet rather than a one-line summary of the packet # x Cause TShark to print a hex and ASCII dump of the packet data after printing the summary or details # r Read packet data from the following infile RUNNER="$TSHARK" declare -a RUNNER_ARGS=("-nVxr" "-nr") # Running with a read filter but without generating the tree exposes some # "More than 100000 items in tree" bugs. # Not sure if we want to add even more cycles to the fuzz bot's work load... #declare -a RUNNER_ARGS=("${CONFIG_PROFILE}${TWO_PASS}-nVxr" "${CONFIG_PROFILE}${TWO_PASS}-nr" "-Yframe ${CONFIG_PROFILE}${TWO_PASS}-nr") fi # Make sure we have a valid test set FOUND=0 for CF in "$@" ; do if [ "$OSTYPE" == "cygwin" ] ; then CF=$( cygpath --windows "$CF" ) fi "$CAPINFOS" "$CF" > /dev/null 2>&1 && FOUND=1 if [ $FOUND -eq 1 ] ; then break ; fi done if [ $FOUND -eq 0 ] ; then cat <C, etc trap_all() { printf '\n\nCaught signal. Exiting.\n' rm -f "$TMP_DIR/$TMP_FILE" "$TMP_DIR/$ERR_FILE"* exit 0 } trap_abrt() { for RUNNER_PID in $RUNNER_PIDS ; do kill -ABRT "$RUNNER_PID" done trap_all } trap trap_all HUP INT TERM trap trap_abrt ABRT # Iterate over our capture files. PASS=0 while { [ $PASS -lt "$MAX_PASSES" ] || [ "$MAX_PASSES" -lt 1 ]; } && ! $DONE ; do PASS=$(( PASS+1 )) echo "Pass $PASS:" RUN=0 for CF in "$@" ; do if $DONE; then break # We caught a signal or timed out fi RUN=$(( RUN + 1 )) if [ $(( RUN % 50 )) -eq 0 ] ; then echo " [Pass $PASS]" fi if [ "$OSTYPE" == "cygwin" ] ; then CF=$( cygpath --windows "$CF" ) fi "$CAPINFOS" "$CF" > /dev/null 2> "$TMP_DIR/$ERR_FILE" RETVAL=$? if [ $RETVAL -eq 1 ] || [ $RETVAL -eq 2 ] ; then echo "Not a valid capture file" rm -f "$TMP_DIR/$ERR_FILE" continue elif [ $RETVAL -ne 0 ] && ! $DONE ; then # Some other error ws_exit_error fi # Choose a random subset of large captures. KEEP= PACKET_RANGE= CF_PACKETS=$( "$CAPINFOS" -T -r -c "$CF" | cut -f2 ) if [[ CF_PACKETS -gt $MAX_FUZZ_PACKETS ]] ; then START_PACKET=$(( CF_PACKETS - MAX_FUZZ_PACKETS )) START_PACKET=$( shuf --input-range=1-$START_PACKET --head-count=1 ) END_PACKET=$(( START_PACKET + MAX_FUZZ_PACKETS )) KEEP=-r PACKET_RANGE="$START_PACKET-$END_PACKET" printf " Fuzzing packets %d-%d of %d\n" "$START_PACKET" "$END_PACKET" "$CF_PACKETS" fi DISSECTOR_BUG=0 VG_ERR_CNT=0 printf " %s: " "$( basename "$CF" )" # shellcheck disable=SC2086 "$EDITCAP" -E "$ERR_PROB" -o "$CHANGE_OFFSET" $KEEP "$CF" "$TMP_DIR/$TMP_FILE" $PACKET_RANGE > /dev/null 2>&1 RETVAL=$? if [ $RETVAL -ne 0 ] ; then # shellcheck disable=SC2086 "$EDITCAP" -E "$ERR_PROB" -o "$CHANGE_OFFSET" $KEEP -T ether "$CF" "$TMP_DIR/$TMP_FILE" $PACKET_RANGE \ > /dev/null 2>&1 RETVAL=$? if [ $RETVAL -ne 0 ] ; then echo "Invalid format for editcap" continue fi fi FILE_START_SECONDS=$SECONDS RUNNER_PIDS= RUNNER_ERR_FILES= for ARGS in "${RUNNER_ARGS[@]}" ; do if $DONE; then break # We caught a signal fi echo -n "($ARGS) " # Run in a child process with limits. ( # Set some limits to the child processes, e.g. stop it if # it's running longer than MAX_CPU_TIME seconds. (ulimit # is not supported well on cygwin - it shows some warnings - # and the features we use may not all be supported on some # UN*X platforms.) ulimit -S -t "$MAX_CPU_TIME" -s "$MAX_STACK" # Allow core files to be generated ulimit -c unlimited # Don't enable ulimit -v when using ASAN. See # https://github.com/google/sanitizers/wiki/AddressSanitizer#ulimit--v if [ $ASAN -eq 0 ]; then ulimit -S -v "$MAX_VMEM" fi # shellcheck disable=SC2016 SUBSHELL_PID=$($SHELL -c 'echo $PPID') printf 'Command and args: %s %s %s\n' "$RUNNER" "$COMMON_ARGS" "$ARGS" > "$TMP_DIR/$ERR_FILE.$SUBSHELL_PID" # shellcheck disable=SC2086 "$RUNNER" $COMMON_ARGS $ARGS "$TMP_DIR/$TMP_FILE" \ > /dev/null 2>> "$TMP_DIR/$ERR_FILE.$SUBSHELL_PID" ) & RUNNER_PID=$! RUNNER_PIDS="$RUNNER_PIDS $RUNNER_PID" RUNNER_ERR_FILES="$RUNNER_ERR_FILES $TMP_DIR/$ERR_FILE.$RUNNER_PID" if [ $SECONDS -ge $RUN_MAX_SECONDS ] ; then printf "\nStopping after %d seconds.\n" $(( SECONDS - RUN_START_SECONDS )) DONE=true fi done for RUNNER_PID in $RUNNER_PIDS ; do wait "$RUNNER_PID" RUNNER_RETVAL=$? mv "$TMP_DIR/$ERR_FILE.$RUNNER_PID" "$TMP_DIR/$ERR_FILE" # Uncomment the next two lines to enable dissector bug # checking. #grep -i "dissector bug" $TMP_DIR/$ERR_FILE \ # > /dev/null 2>&1 && DISSECTOR_BUG=1 if [ $VALGRIND -eq 1 ] && ! $DONE; then VG_ERR_CNT=$( grep "ERROR SUMMARY:" "$TMP_DIR/$ERR_FILE" | cut -f4 -d' ' ) VG_DEF_LEAKED=$( grep "definitely lost:" "$TMP_DIR/$ERR_FILE" | cut -f7 -d' ' | tr -d , ) VG_IND_LEAKED=$( grep "indirectly lost:" "$TMP_DIR/$ERR_FILE" | cut -f7 -d' ' | tr -d , ) VG_TOTAL_LEAKED=$(( VG_DEF_LEAKED + VG_IND_LEAKED )) if [ $RUNNER_RETVAL -ne 0 ] ; then echo "General Valgrind failure." VG_ERR_CNT=1 elif [ "$VG_TOTAL_LEAKED" -gt "$MAX_LEAK" ] ; then echo "Definitely + indirectly ($VG_DEF_LEAKED + $VG_IND_LEAKED) exceeds max ($MAX_LEAK)." echo "Definitely + indirectly ($VG_DEF_LEAKED + $VG_IND_LEAKED) exceeds max ($MAX_LEAK)." >> "$TMP_DIR/$ERR_FILE" VG_ERR_CNT=1 fi if grep -q "Valgrind cannot continue" "$TMP_DIR/$ERR_FILE" ; then echo "Valgrind unable to continue." VG_ERR_CNT=-1 fi fi if ! $DONE && { [ $RUNNER_RETVAL -ne 0 ] || [ $DISSECTOR_BUG -ne 0 ] || [ "$VG_ERR_CNT" -ne 0 ]; } ; then # shellcheck disable=SC2086 rm -f $RUNNER_ERR_FILES ws_exit_error fi done printf " OK (%s seconds)\\n" $(( SECONDS - FILE_START_SECONDS )) rm -f "$TMP_DIR/$TMP_FILE" "$TMP_DIR/$ERR_FILE" done done