
Fix divide by zero in fuzzing #570

Conversation

amajoke
Contributor

@amajoke amajoke commented Dec 15, 2019

Some fuzzer mutations divide by zero when l4len equals 1.

Note that the patch affects the fuzzer's ability to fuzz packets where l4len equals 1.

Tested on:
OS: Ubuntu 18.04 x64

./tcprewrite --version
tcprewrite version: 4.3.2 (build git:v4.3.2-5-g11507365)
Copyright 2013-2018 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
The entire Tcpreplay Suite is licensed under the GPLv3
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.8.1
64 bit packet counters: enabled
Verbose printing via tcpdump: enabled
Fragroute engine: disabled

Minimized test case attached: FPE-6a2-06c-a94.zip

To reproduce, extract the .zip and run:

: ./tcprewrite --verbose --fuzz-seed=2 --fuzz-factor=2 -i ./FPE-6a2-06c-a94 -o /dev/null
reading from file -, link-type EN10MB (Ethernet)
21:33:38.1113852818 IP 204.178.31.8 > 192.168.1.33: [|tcp]
AddressSanitizer:DEADLYSIGNAL
=================================================================
==16839==ERROR: AddressSanitizer: FPE on unknown address 0x0000004df6a2 (pc 0x0000004df6a2 bp 0x631000000817 sp 0x7ffe24ee0740 T0)
    #0 0x4df6a2 in fuzzing /tcpreplay/src/tcpedit/fuzzing.c:244:38
    #1 0x4c806c in tcpedit_packet /tcpreplay/src/tcpedit/tcpedit.c:273:18
    #2 0x4c6a94 in rewrite_packets /tcpreplay/src/tcprewrite.c:291:22
    #3 0x4c5a22 in main /tcpreplay/src/tcprewrite.c:130:9
    #4 0x7fbf61913b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41be59 in _start (/tcpreplay/src/tcprewrite+0x41be59)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tcpreplay/src/tcpedit/fuzzing.c:244:38 in fuzzing
==16839==ABORTING

I used AddressSanitizer for a better stack trace, but the divide by zero reproduces even without it.
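The failure class reported above (a mutation that reduces a random value modulo a payload length that can be zero, raising SIGFPE on x86), modelled in an added C example. This is not tcpreplay's fuzzing.c and does not reproduce its exact arithmetic; `pick_mutation_offset`, `mutate_l4`, the `l4len < 2` guard and the toy PRNG are all assumptions chosen to illustrate the bug and the kind of guard the PR describes, under which packets with l4len equal to 1 are simply not mutated by this rule.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a fuzzer mutation (NOT tcpreplay's fuzzing.c):
 * pick a random byte inside the L4 payload, skipping the first byte, by
 * reducing a random value modulo (l4len - 1). When l4len == 1 the divisor
 * is 0 and the integer division traps (the FPE AddressSanitizer reports). */

/* Tiny deterministic PRNG so the example runs offline and reproducibly. */
static uint32_t next_rand(uint32_t *state) {
    *state = *state * 1103515245u + 12345u;
    return *state;
}

/* Guarded offset selection. Returns true and stores an offset in
 * [1, l4len - 1] when a mutation is possible; returns false (no mutation)
 * when l4len leaves nothing to choose from. Without the guard, l4len == 1
 * makes the divisor (l4len - 1) zero. */
bool pick_mutation_offset(uint32_t l4len, uint32_t *rng, uint32_t *offset) {
    if (l4len < 2) {
        return false;                     /* l4len - 1 == 0: refuse */
    }
    *offset = 1 + next_rand(rng) % (l4len - 1);
    return true;
}

/* Apply the mutation: flip one bit in the chosen byte.
 * Returns the number of bytes mutated (0 or 1). */
size_t mutate_l4(uint8_t *l4, uint32_t l4len, uint32_t seed) {
    uint32_t rng = seed, off;
    if (!pick_mutation_offset(l4len, &rng, &off))
        return 0;
    l4[off] ^= (uint8_t)(1u << (next_rand(&rng) % 8));
    return 1;
}

/* Self-check: 1 when a valid offset in [1, l4len - 1] was chosen,
 * 0 when the guard declined to mutate, -1 if the pick was out of range. */
int check_offset(uint32_t l4len, uint32_t seed) {
    uint32_t rng = seed, off;
    if (!pick_mutation_offset(l4len, &rng, &off))
        return 0;
    return (off >= 1 && off < l4len) ? 1 : -1;
}

/* Mutate a constructed all-zero payload of l4len bytes and return how
 * many bytes differ afterwards (constructed input, not a captured packet). */
size_t mutate_constructed(uint32_t l4len, uint32_t seed) {
    uint8_t buf[64] = {0};
    if (l4len > sizeof buf)
        return 0;
    (void)mutate_l4(buf, l4len, seed);
    size_t changed = 0;
    for (uint32_t i = 0; i < l4len; i++)
        changed += (buf[i] != 0);
    return changed;
}

int main(void) {
    /* l4len == 1 is the case from the report: the guard yields no mutation
     * instead of a SIGFPE; a 20-byte payload gets exactly one byte changed. */
    printf("l4len=1  mutated bytes: %zu\n", mutate_constructed(1, 2));
    printf("l4len=20 mutated bytes: %zu\n", mutate_constructed(20, 2));
    return 0;
}
```

The seed values mirror the `--fuzz-seed=2` used in the reproduction command only to make the point that the trap depends on the packet's l4len, not on the seed: any seed divides by zero once the divisor is zero, so the guard must be on the length, not on the random value.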

Some fuzzer mutations do divide by zero when l4len equals to 1
@fklassen fklassen self-assigned this Jun 3, 2020
@fklassen fklassen added this to In progress in 4.3.3 via automation Jun 3, 2020
@fklassen fklassen changed the base branch from master to Bug_#570_divide_by_zero_fuzzing June 3, 2020 19:40
@fklassen fklassen merged commit acd97e8 into appneta:Bug_#570_divide_by_zero_fuzzing Jun 3, 2020
4.3.3 automation moved this from In progress to Done Jun 3, 2020
fklassen added a commit that referenced this pull request Jun 3, 2020
fklassen added a commit that referenced this pull request Jun 3, 2020