author | Patrick Wildt <patrick@cvs.openbsd.org> | 2018-03-22 21:11:50 +0000 |
---|---|---|
committer | Patrick Wildt <patrick@cvs.openbsd.org> | 2018-03-22 21:11:50 +0000 |
commit | 3fa93884da29a2aedca978ed4cabd5eeda87d232 (patch) | |
tree | ab2b4bb262e889f13bb57221cf993a033155604d /regress | |
parent | 9aa48c48827b8bdb2dd70cf6da7d59652f34dd0c (diff) |
The iked(8) fuzzer did not fuzz encrypted payloads. With that changed
the regression test uncovered code paths in the TS and CP payload parser
that can trigger access to invalid memory locations. This changes the
TS and CP payload parsing to add additional length checks.
With hshoexer@ and markus@; OK sthen@
Diffstat (limited to 'regress')
-rw-r--r-- | regress/sbin/iked/parser/test_parser_fuzz.c | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/regress/sbin/iked/parser/test_parser_fuzz.c b/regress/sbin/iked/parser/test_parser_fuzz.c
index 52c3729c6eb..3d0d86c6263 100644
--- a/regress/sbin/iked/parser/test_parser_fuzz.c
+++ b/regress/sbin/iked/parser/test_parser_fuzz.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_parser_fuzz.c,v 1.1 2017/05/29 20:59:28 markus Exp $ */
+/* $OpenBSD: test_parser_fuzz.c,v 1.2 2018/03/22 21:11:49 patrick Exp $ */
 /*
 * Fuzz tests for payload parsing
 *
@@ -229,16 +229,25 @@ u_int8_t sk_pld[] = {
 u_int8_t cp_pld[] = {
 0x2f, 0x00, 0x00, 0x0c,
- 0x01, 0x00, 0x00, 0x00,
- 0x00, 0x01, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, /* REQUEST */
+ 0x00, 0x01, 0x00, 0x00, /* INTERNAL_IP4_ADDRESS */
 0x2f, 0x00, 0x00, 0x10,
- 0x02, 0x00, 0x00, 0x00,
- 0x00, 0x01, 0x00, 0x04,
- 0xaa, 0xbb, 0xcc, 0xdd,
+ 0x02, 0x00, 0x00, 0x00, /* REPLY */
+ 0x00, 0x01, 0x00, 0x04, /* INTERNAL_IP4_ADDRESS */
+ 0xaa, 0xbb, 0xcc, 0xdd, /* 170.187.204.221 */
 0x2f, 0x00, 0x00, 0x08,
- 0x03, 0x00, 0x00, 0x00,
+ 0x03, 0x00, 0x00, 0x00, /* SET (empty) */
+ 0x2f, 0x00, 0x00, 0x24,
+ 0x02, 0x00, 0x00, 0x00, /* REPLY */
+ 0x00, 0x01, 0x00, 0x04, /* INTERNAL_IP4_ADDRESS */
+ 0xaa, 0xaa, 0xaa, 0xaa, /* 170.170.170.170 */
+ 0x00, 0x02, 0x00, 0x04, /* INTERNAL_IP4_NETMASK */
+ 0xbb, 0xbb, 0xbb, 0xbb, /* 187.187.187.187 */
+ 0x00, 0x03, 0x00, 0x04, /* INTERNAL_IP4_DNS */
+ 0xcc, 0xcc, 0xcc, 0xcc, /* 204.204.204.204 */
+ 0x00, 0x08, 0x00, 0x00, /* INTERNAL_IP6_ADDRESS */
 0x00, 0x00, 0x00, 0x08,
- 0x04, 0x00, 0x00, 0x00,
+ 0x04, 0x00, 0x00, 0x00, /* ACK (empty) */
 };
 u_int8_t eap_pld[] = {
@@ -383,6 +392,7 @@ prepare_message(struct iked_message *msg, struct ibuf *data)
 msg->msg_sa = &sa;
 msg->msg_data = data;
+ msg->msg_e = 1;
 }
 static void |
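Review bot: Every block in the updated cp_pld seed is well-formed: the new entry declares 0x24 and carries exactly 36 bytes, and each attribute length matches the value that follows. A regression in the CP length checks described in the commit message would therefore only be caught if mutation happens to reach a malformed state. Consider adding one fixed vector whose attribute length field is larger than the bytes remaining in the payload, so the added checks are exercised deterministically on every run. The zero-length `INTERNAL_IP6_ADDRESS` inside a REPLY looks deliberate; a comment such as `/* INTERNAL_IP6_ADDRESS, zero length on purpose */` would keep a later cleanup from "fixing" it.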
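Review bot: `msg->msg_e = 1;` is set unconditionally in prepare_message, so every fuzz case now runs with the message marked as encrypted. If the parser branches on msg_e (it is not visible in this regress-only diff), the cleartext path is no longer covered by this harness. A one-line comment would record the intent, e.g. `/* mark as encrypted so payload parsers reachable only inside SK are fuzzed */`, and it may be worth running the payload table once with msg_e = 0 and once with 1. prepare_message begins above the hunk, so the other fields it initialises cannot be checked here.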