1
/* vim: et ts=2 sw=2 tw=80: */
3
* This file is part of the Nice GLib ICE library.
5
* (C) 2010, 2014 Collabora Ltd.
6
* Contact: Philip Withnall
8
* The contents of this file are subject to the Mozilla Public License Version
9
* 1.1 (the "License"); you may not use this file except in compliance with
10
* the License. You may obtain a copy of the License at
11
* http://www.mozilla.org/MPL/
13
* Software distributed under the License is distributed on an "AS IS" basis,
14
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
15
* for the specific language governing rights and limitations under the
18
* The Original Code is the Nice GLib ICE library.
20
* The Initial Developers of the Original Code are Collabora Ltd and Nokia
21
* Corporation. All Rights Reserved.
24
* Philip Withnall, Collabora Ltd.
25
* Youness Alaoui, Collabora Ltd.
27
* Alternatively, the contents of this file may be used under the terms of the
28
* the GNU Lesser General Public License Version 2.1 (the "LGPL"), in which
29
* case the provisions of LGPL are applicable instead of those above. If you
30
* wish to allow use of your version of this file only under the terms of the
31
* LGPL and not to allow others to use your version of this file under the
32
* MPL, indicate your decision by deleting the provisions above and replace
33
* them with the notice and other provisions required by the LGPL. If you do
34
* not delete the provisions above, a recipient may use your version of this
35
* file under either the MPL or the LGPL.
49
#include "pseudotcp.h"
53
* A fuzzing test for the pseudotcp socket. This connects two sockets in a
54
* loopback arrangement, with the packet output from one being fed to the other,
55
* and vice-versa. Fuzzing happens on the packet interface between the two,
56
* mutating the packets slightly and seeing what happens.
58
* The input data to the left-most socket is read from a file. The output data
59
* from the loopback is written to another file, although this probably isn’t
60
* very useful. If no files are provided, a small amount of dummy data is sent
61
* through the sockets instead. This almost certainly won’t catch any bugs, and
62
* is just present to allow this test to be run as part of `make check` so it
65
* A good command to generate an input file is:
66
* dd if=/dev/urandom of=rand count=10000 ibs=1024
68
* None of the data is validated, and the test results are effectively the 1-bit
69
* value of ‘did it crash?’. In particular, the output file is not validated,
70
* and the TCP packets emitted by both sockets are not checked for validity.
72
* It is suggested that this test is run under GDB and Valgrind. Any crashes or
73
* errors which are detected can be reproduced by providing the same input file
74
* and seed (using the --seed option). The seed is printed out at the beginning
79
PseudoTcpSocket *left;
80
PseudoTcpSocket *right;
81
GMainLoop *main_loop = NULL;
89
guint right_clock = 0;
90
gboolean left_closed = FALSE;
91
gboolean right_closed = FALSE;
92
gboolean reading_done = FALSE;
94
/* Number of bytes of payload each socket has received so far. */
95
guint32 left_stream_pos = 0;
96
guint32 right_stream_pos = 0;
98
/* Configuration options. */
100
guint32 fuzz_start_pos = 1; /* bytes into stream payload; after the SYN-ACKs */
101
guint n_changes_lambda = 2; /* lambda parameter for a Poisson distribution
102
* controlling the number of mutations made to each
107
adjust_clock (PseudoTcpSocket *sock);
111
write_to_sock (PseudoTcpSocket *sock)
119
len = fread (buf, 1, sizeof(buf), in);
121
g_debug ("Done reading data from file");
122
g_assert (feof (in));
124
pseudo_tcp_socket_close (sock, FALSE);
127
wlen = pseudo_tcp_socket_send (sock, buf, len);
128
g_debug ("Sending %" G_GSIZE_FORMAT " bytes : %d", len, wlen);
131
if (wlen < (gint) len) {
132
g_debug ("seeking %ld from %lu", wlen - len, ftell (in));
133
fseek (in, wlen - len, SEEK_CUR);
134
g_assert (!feof (in));
135
g_debug ("Socket queue full after %d bytes written", total);
144
opened (PseudoTcpSocket *sock, gpointer data)
146
g_debug ("Socket %p Opened", sock);
149
write_to_sock (sock);
151
pseudo_tcp_socket_send (sock, "abcdefghijklmnopqrstuvwxyz", 26);
153
pseudo_tcp_socket_close (sock, FALSE);
159
readable (PseudoTcpSocket *sock, gpointer data)
163
g_debug ("Socket %p Readable", sock);
166
len = pseudo_tcp_socket_recv (sock, buf, sizeof(buf));
169
g_debug ("Read %d bytes", len);
171
if (fwrite (buf, len, 1, out) == 0)
172
g_debug ("Error writing to output file");
176
g_assert (total_wrote <= total_read);
177
g_debug ("Written %d bytes, need %d bytes", total_wrote, total_read);
178
if (total_wrote == total_read && feof (in)) {
179
g_assert (reading_done);
180
pseudo_tcp_socket_close (sock, FALSE);
184
pseudo_tcp_socket_close (sock, FALSE);
190
pseudo_tcp_socket_get_error (sock) != EWOULDBLOCK) {
191
g_printerr ("Error reading from socket: error code %d.\n",
192
pseudo_tcp_socket_get_error (sock));
195
g_main_loop_quit (main_loop);
201
writable (PseudoTcpSocket *sock, gpointer data)
203
g_debug ("Socket %p Writable", sock);
204
if (in && sock == left)
205
write_to_sock (sock);
209
closed (PseudoTcpSocket *sock, guint32 err, gpointer data)
211
/* Don’t treat this as an error, since we’re throwing rubbish into the
212
* socket and can hardly expect it to complete successfully. */
213
g_debug ("Socket %p Closed : %d", sock, err);
215
g_main_loop_quit (main_loop);
219
PseudoTcpSocket *sock;
226
* random_int_poisson:
227
* @lambda: Lambda parameter for the distribution function, which must be
230
* Generate a random variable from a Poisson distribution with parameter
231
* @lambda. This consumes one %gdouble’s worth of randomness from the global
234
* This is implemented using the inverse transform of the Poisson CDF, and is
235
* guaranteed to return in time linearly proportional to @lambda.
237
* Returns: Poisson-distributed pseudo-random variable
240
random_int_poisson (guint lambda)
246
g_return_val_if_fail (lambda > 0, 0);
249
* Reference: http://www.cs.bgu.ac.il/~mps042/invtransnote.htm,
250
* §Simulating a Poisson random variable.
252
U = g_rand_double (prng); /* step 1 */
254
p = exp (0.0 - (gdouble) lambda);
257
while (U >= F) { /* step 3 */
258
p = (lambda * p) / (i + 1);
260
i += 1; /* step 4 and 5 */
267
fuzz_packet (guint8 *buf, guint32 len, guint32 stream_pos)
271
#define TCP_HEADER_LENGTH 32 /* bytes; or thereabouts (include some options) */
273
/* Do we want to fuzz this packet? */
274
if (stream_pos < fuzz_start_pos) {
278
/* Get fuzzing. Only bother fuzzing the header; fuzzing the payload is
279
* pointless. Weight the number of changes towards having only a few changes,
280
* since that makes them less likely to be summarily rejected. */
281
n_changes = random_int_poisson (n_changes_lambda);
282
g_debug ("Making %u changes for bytes at stream position %u:",
283
n_changes, stream_pos);
285
for (i = 0; i < n_changes; i++) {
286
guint32 pos = g_rand_int_range (prng, 0, MIN (len, TCP_HEADER_LENGTH));
287
g_debug (" • Changing byte %u.", stream_pos + pos);
288
buf[pos] = g_rand_int_range (prng, 0, G_MAXUINT8 + 1);
295
notify_packet (gpointer user_data)
297
struct notify_data *data = (struct notify_data*) user_data;
299
/* Fuzz the packet. */
300
data->len = fuzz_packet (data->buffer, data->len, data->stream_pos);
302
pseudo_tcp_socket_notify_packet (data->sock,
303
(gchar *) data->buffer, data->len);
304
adjust_clock (data->sock);
310
static PseudoTcpWriteResult
311
write_packet (PseudoTcpSocket *sock, const gchar *buffer, guint32 len,
314
struct notify_data *data;
315
PseudoTcpState state;
316
g_object_get (sock, "state", &state, NULL);
318
data = g_malloc (sizeof(struct notify_data) + len);
320
g_debug ("Socket %p(%d) Writing : %d bytes", sock, state, len);
322
memcpy (data->buffer, buffer, len);
326
data->stream_pos = left_stream_pos;
327
left_stream_pos += len;
330
data->stream_pos = right_stream_pos;
331
right_stream_pos += len;
335
g_idle_add (notify_packet, data);
341
static gboolean notify_clock (gpointer data)
343
PseudoTcpSocket *sock = (PseudoTcpSocket *)data;
344
//g_debug ("Socket %p: Notifying clock", sock);
345
pseudo_tcp_socket_notify_clock (sock);
350
static void adjust_clock (PseudoTcpSocket *sock)
354
if (pseudo_tcp_socket_get_next_clock (sock, &timeout)) {
355
timeout -= g_get_monotonic_time () / 1000;
356
g_debug ("Socket %p: Adjusting clock to %ld ms", sock, timeout);
359
g_source_remove (left_clock);
360
left_clock = g_timeout_add (timeout, notify_clock, sock);
362
if (right_clock != 0)
363
g_source_remove (right_clock);
364
right_clock = g_timeout_add (timeout, notify_clock, sock);
367
g_debug ("Socket %p should be destroyed, it's done", sock);
372
if (left_closed && right_closed)
373
g_main_loop_quit (main_loop);
377
static GOptionEntry entries[] = {
378
{ "seed", 's', 0, G_OPTION_ARG_INT64, &seed, "PRNG seed", "N" },
379
{ "fuzz-start-position", 'p', 0, G_OPTION_ARG_INT, &fuzz_start_pos,
380
"Number of bytes into the stream to start fuzzing after", "B" },
381
{ "fuzz-n-changes-lambda", 'l', 0, G_OPTION_ARG_INT, &n_changes_lambda,
382
"Lambda value for the Poisson distribution controlling the number of "
383
"changes made to each packet", "λ" },
387
int main (int argc, char *argv[])
389
PseudoTcpCallbacks cbs = {
390
NULL, opened, readable, writable, closed, write_packet
392
GOptionContext *context;
393
GError *error = NULL;
395
setlocale (LC_ALL, "");
399
context = g_option_context_new ("— fuzz-test the pseudotcp socket");
400
g_option_context_add_main_entries (context, entries, NULL);
402
if (!g_option_context_parse (context, &argc, &argv, &error)) {
403
g_printerr ("Option parsing failed: %s\n", error->message);
407
if (n_changes_lambda == 0) {
408
g_printerr ("Option parsing failed: %s\n",
409
"Lambda values must be positive.");
413
g_option_context_free (context);
415
/* Tweak the configuration. */
417
seed = g_get_real_time ();
420
/* Open the input and output files */
422
in = fopen (argv[1], "r");
423
out = fopen (argv[2], "w");
426
/* Set up the main loop and sockets. */
427
main_loop = g_main_loop_new (NULL, FALSE);
429
g_print ("Using seed: %" G_GINT64_FORMAT ", start position: %u, λ: %u\n",
430
seed, fuzz_start_pos, n_changes_lambda);
431
prng = g_rand_new_with_seed (seed);
433
pseudo_tcp_set_debug_level (PSEUDO_TCP_DEBUG_VERBOSE);
435
left = pseudo_tcp_socket_new (0, &cbs);
436
right = pseudo_tcp_socket_new (0, &cbs);
437
g_debug ("Left: %p. Right: %p", left, right);
439
pseudo_tcp_socket_notify_mtu (left, 1496);
440
pseudo_tcp_socket_notify_mtu (right, 1496);
442
pseudo_tcp_socket_connect (left);
444
adjust_clock (right);
446
/* Run the main loop. */
447
g_main_loop_run (main_loop);
448
g_main_loop_unref (main_loop);
450
g_object_unref (left);
451
g_object_unref (right);
463
g_printerr ("\n%s\n", g_option_context_get_help (context, TRUE, NULL));
464
g_option_context_free (context);