3 # Fuzz-testing script for TShark
5 # This script uses Editcap to add random errors ("fuzz") to a set of
6 # capture files specified on the command line. It runs TShark on
7 # each fuzzed file and checks for errors. The files are processed
8 # repeatedly until an error is found.
10 # Copyright 2013 Gerald Combs <gerald@wireshark.org>
12 # Wireshark - Network traffic analyzer
13 # By Gerald Combs <gerald@wireshark.org>
14 # Copyright 1998 Gerald Combs
16 # SPDX-License-Identifier: GPL-2.0-or-later
19 # shellcheck source=tools/test-common.sh
20 . "$( dirname "$0" )"/test-common.sh || exit 1
22 # Sanity check to make sure we can find our plugins. Zero or less disables.
25 # Did we catch a signal?
28 # Currently running children
31 # Perform a two pass analysis on the capture file?
34 # Specific config profile ?
37 # Run under valgrind ?
40 # Run under AddressSanitizer ?
41 ASAN=$CONFIGURED_WITH_ASAN
43 # Don't skip any byte from being changed
46 # The maximum permitted amount of memory leaked. Eventually this should be
47 # worked down to zero, but right now that would fail on every single capture.
48 # Only has effect when running under valgrind.
49 MAX_LEAK=$(( 1024 * 100 ))
51 # To do: add options for file names and limits
52 while getopts "2b:C:d:e:agp:P:o:" OPTCHAR ; do
56 b) WIRESHARK_BIN_DIR=$OPTARG ;;
57 C) CONFIG_PROFILE="-C $OPTARG " ;;
59 e) ERR_PROB=$OPTARG ;;
61 p) MAX_PASSES=$OPTARG ;;
62 P) MIN_PLUGINS=$OPTARG ;;
63 o) CHANGE_OFFSET=$OPTARG ;;
64 *) printf "Unknown option %s" "$OPTCHAR"
69 ### usually you won't have to change anything below this line ###
72 ws_check_exec "$TSHARK" "$EDITCAP" "$CAPINFOS" "$DATE" "$TMP_DIR"
74 COMMON_ARGS="${CONFIG_PROFILE}${TWO_PASS}"
77 if [ $VALGRIND -eq 1 ]; then
78 RUNNER=$( dirname "$0" )"/valgrind-wireshark.sh"
79 COMMON_ARGS="-b $WIRESHARK_BIN_DIR $COMMON_ARGS"
80 declare -a RUNNER_ARGS=("" "-T")
81 # Valgrind requires more resources, so permit 1.5x memory and 3x time
82 # (1.5x time is too small for a few large captures in the menagerie)
83 MAX_CPU_TIME=$(( 3 * MAX_CPU_TIME ))
84 MAX_VMEM=$(( 3 * MAX_VMEM / 2 ))
85 # Valgrind is slow. Trim captures to the first 10k packets so that
90 # Not using valgrind, use regular tshark.
91 # TShark arguments (you won't have to change these)
92 # n Disable network object name resolution
93 # V Print a view of the details of the packet rather than a one-line summary of the packet
94 # x Cause TShark to print a hex and ASCII dump of the packet data after printing the summary or details
95 # r Read packet data from the following infile
97 declare -a RUNNER_ARGS=("-nVxr" "-nr")
98 # Running with a read filter but without generating the tree exposes some
99 # "More than 100000 items in tree" bugs.
100 # Not sure if we want to add even more cycles to the fuzz bot's work load...
101 #declare -a RUNNER_ARGS=("${CONFIG_PROFILE}${TWO_PASS}-nVxr" "${CONFIG_PROFILE}${TWO_PASS}-nr" "-Yframe ${CONFIG_PROFILE}${TWO_PASS}-nr")
105 # Make sure we have a valid test set
108 if [ "$OSTYPE" == "cygwin" ] ; then
109 CF=$( cygpath --windows "$CF" )
111 "$CAPINFOS" "$CF" > /dev/null 2>&1 && FOUND=1
112 if [ $FOUND -eq 1 ] ; then break ; fi
115 if [ $FOUND -eq 0 ] ; then
117 Error: No valid capture files found.
119 Usage: $( basename "$0" ) [-2] [-b bin_dir] [-C config_profile] [-d work_dir] [-e error probability] [-o changes offset] [-g] [-a] [-p passes] capture file 1 [capture file 2]...
124 PLUGIN_COUNT=$( $TSHARK -G plugins | grep -c dissector )
125 if [ "$MIN_PLUGINS" -gt 0 ] && [ "$PLUGIN_COUNT" -lt "$MIN_PLUGINS" ] ; then
126 echo "Warning: Found fewer plugins than expected ($PLUGIN_COUNT vs $MIN_PLUGINS)."
130 if [ $ASAN -ne 0 ]; then
131 echo -n "ASan enabled. Virtual memory limit is "
134 echo "ASan disabled. Virtual memory limit is $MAX_VMEM"
138 if [ "$MAX_PASSES" -gt 0 ]; then
139 HOWMANY="$MAX_PASSES passes"
141 echo -n "Running $RUNNER $COMMON_ARGS with args: "
142 printf "\"%s\" " "${RUNNER_ARGS[@]}"
146 # Clean up on <ctrl>C, etc
153 for RUNNER_PID in $RUNNER_PIDS ; do
154 kill -ABRT $RUNNER_PID
159 trap trap_all HUP INT TERM
162 # Iterate over our capture files.
164 while { [ $PASS -lt "$MAX_PASSES" ] || [ "$MAX_PASSES" -lt 1 ]; } && [ $DONE -ne 1 ] ; do
166 echo "Starting pass $PASS:"
170 if [ $DONE -eq 1 ]; then
171 break # We caught a signal
174 if [ $(( RUN % 50 )) -eq 0 ] ; then
177 if [ "$OSTYPE" == "cygwin" ] ; then
178 CF=$( cygpath --windows "$CF" )
182 "$CAPINFOS" "$CF" > /dev/null 2> "$TMP_DIR/$ERR_FILE"
184 if [ $RETVAL -eq 1 ] || [ $RETVAL -eq 2 ] ; then
185 echo "Not a valid capture file"
186 rm -f "$TMP_DIR/$ERR_FILE"
188 elif [ $RETVAL -ne 0 ] && [ $DONE -ne 1 ] ; then
196 "$EDITCAP" -E "$ERR_PROB" -o "$CHANGE_OFFSET" $KEEP "$CF" "$TMP_DIR/$TMP_FILE" $PACKET_RANGE > /dev/null 2>&1
198 if [ $RETVAL -ne 0 ] ; then
199 "$EDITCAP" -E "$ERR_PROB" -o "$CHANGE_OFFSET" $KEEP -T ether "$CF" "$TMP_DIR/$TMP_FILE" $PACKET_RANGE \
202 if [ $RETVAL -ne 0 ] ; then
203 echo "Invalid format for editcap"
210 for ARGS in "${RUNNER_ARGS[@]}" ; do
211 if [ $DONE -eq 1 ]; then
212 break # We caught a signal
216 # Run in a child process with limits.
218 # Set some limits to the child processes, e.g. stop it if
219 # it's running longer than MAX_CPU_TIME seconds. (ulimit
220 # is not supported well on cygwin - it shows some warnings -
221 # and the features we use may not all be supported on some
223 ulimit -S -t "$MAX_CPU_TIME" -s "$MAX_STACK"
225 # Allow core files to be generated
228 # Don't enable ulimit -v when using ASAN. See
229 # https://github.com/google/sanitizers/wiki/AddressSanitizer#ulimit--v
230 if [ $ASAN -eq 0 ]; then
231 ulimit -S -v "$MAX_VMEM"
234 # shellcheck disable=SC2016
235 SUBSHELL_PID=$($SHELL -c 'echo $PPID')
237 printf 'Command and args: %s %s %s\n' "$RUNNER" "$COMMON_ARGS" "$ARGS" > "$TMP_DIR/$ERR_FILE.$SUBSHELL_PID"
238 # shellcheck disable=SC2086
239 "$RUNNER" $COMMON_ARGS $ARGS "$TMP_DIR/$TMP_FILE" \
240 > /dev/null 2>> "$TMP_DIR/$ERR_FILE.$SUBSHELL_PID"
243 RUNNER_PIDS="$RUNNER_PIDS $RUNNER_PID"
244 RUNNER_ERR_FILES="$RUNNER_ERR_FILES $TMP_DIR/$ERR_FILE.$RUNNER_PID"
247 for RUNNER_PID in $RUNNER_PIDS ; do
250 mv "$TMP_DIR/$ERR_FILE.$RUNNER_PID" "$TMP_DIR/$ERR_FILE"
252 # Uncomment the next two lines to enable dissector bug
254 #grep -i "dissector bug" $TMP_DIR/$ERR_FILE \
255 # > /dev/null 2>&1 && DISSECTOR_BUG=1
257 if [ $VALGRIND -eq 1 ] && [ $DONE -ne 1 ]; then
258 VG_ERR_CNT=$( grep "ERROR SUMMARY:" "$TMP_DIR/$ERR_FILE" | cut -f4 -d' ' )
259 VG_DEF_LEAKED=$( grep "definitely lost:" "$TMP_DIR/$ERR_FILE" | cut -f7 -d' ' | tr -d , )
260 VG_IND_LEAKED=$( grep "indirectly lost:" "$TMP_DIR/$ERR_FILE" | cut -f7 -d' ' | tr -d , )
261 VG_TOTAL_LEAKED=$(( VG_DEF_LEAKED + VG_IND_LEAKED ))
262 if [ $RUNNER_RETVAL -ne 0 ] ; then
263 echo "General Valgrind failure."
265 elif [ "$VG_TOTAL_LEAKED" -gt "$MAX_LEAK" ] ; then
266 echo "Definitely + indirectly ($VG_DEF_LEAKED + $VG_IND_LEAKED) exceeds max ($MAX_LEAK)."
267 echo "Definitely + indirectly ($VG_DEF_LEAKED + $VG_IND_LEAKED) exceeds max ($MAX_LEAK)." >> "$TMP_DIR/$ERR_FILE"
270 if grep -q "Valgrind cannot continue" "$TMP_DIR/$ERR_FILE" ; then
271 echo "Valgrind unable to continue."
276 if [ $DONE -ne 1 ] && { [ $RUNNER_RETVAL -ne 0 ] || [ $DISSECTOR_BUG -ne 0 ] || [ $VG_ERR_CNT -ne 0 ]; } ; then
277 # shellcheck disable=SC2086
278 rm -f $RUNNER_ERR_FILES
284 rm -f "$TMP_DIR/$TMP_FILE" "$TMP_DIR/$ERR_FILE"