5 # Fuzz-testing script for TShark
7 # This script uses Editcap to add random errors ("fuzz") to a set of
8 # capture files specified on the command line. It runs TShark on
9 # each fuzzed file and checks for errors. The files are processed
10 # repeatedly until an error is found.
13 . `dirname $0`/test-common.sh || exit 1
15 # Directory containing binaries. Default current directory.
18 # Sanity check to make sure we can find our plugins. Zero or less disables.
21 # Did we catch a signal?
24 # Perform a two pass analysis on the capture file?
27 # Specific config profile ?
30 # Run under valgrind ?
34 # To do: add options for file names and limits
35 while getopts ":2b:C:d:e:gp:P:" OPTCHAR ; do
39 C) CONFIG_PROFILE="-C $OPTARG " ;;
41 e) ERR_PROB=$OPTARG ;;
43 p) MAX_PASSES=$OPTARG ;;
44 P) MIN_PLUGINS=$OPTARG ;;
47 shift $(($OPTIND - 1))
49 ### usually you won't have to change anything below this line ###
51 if [ $VALGRIND -eq 1 ]; then
52 RUNNER="$BIN_DIR/tools/valgrind-wireshark.sh"
53 declare -a RUNNER_ARGS=("${CONFIG_PROFILE}${TWO_PASS}-T" "${CONFIG_PROFILE}${TWO_PASS} ")
55 # Not using valgrind, use regular tshark.
56 # TShark arguments (you won't have to change these)
57 # n Disable network object name resolution
58 # V Print a view of the details of the packet rather than a one-line summary of the packet
59 # x Cause TShark to print a hex and ASCII dump of the packet data after printing the summary or details
60 # r Read packet data from the following infile
62 declare -a RUNNER_ARGS=("${CONFIG_PROFILE}${TWO_PASS}-nVxr" "${CONFIG_PROFILE}${TWO_PASS}-nr")
63 # Running with a read filter but without generating the tree exposes some
64 # "More than 100000 items in tree" bugs.
65 # Not sure if we want to add even more cycles to the fuzz bot's work load...
66 #declare -a RUNNER_ARGS=("${CONFIG_PROFILE}${TWO_PASS}-nVxr" "${CONFIG_PROFILE}${TWO_PASS}-nr" "-Yframe ${CONFIG_PROFILE}${TWO_PASS}-nr")
71 for i in "$TSHARK" "$EDITCAP" "$CAPINFOS" "$DATE" "$TMP_DIR" ; do
73 echo "Couldn't find $i"
77 if [ $NOTFOUND -eq 1 ]; then
81 # Make sure we have a valid test set
84 if [ "$OSTYPE" == "cygwin" ] ; then
85 CF=`cygpath --windows "$CF"`
87 "$CAPINFOS" "$CF" > /dev/null 2>&1 && FOUND=1
88 if [ $FOUND -eq 1 ] ; then break ; fi
91 if [ $FOUND -eq 0 ] ; then
93 Error: No valid capture files found.
95 Usage: `basename $0` [-2] [-b bin_dir] [-C config_profile] [-d work_dir] [-e error probability] [-g] [-p passes] capture file 1 [capture file 2]...
100 PLUGIN_COUNT=`$TSHARK -G plugins | grep dissector | wc -l`
101 if [ $MIN_PLUGINS -gt 0 -a $PLUGIN_COUNT -lt $MIN_PLUGINS ] ; then
102 echo "Warning: Found fewer plugins than expected ($PLUGIN_COUNT vs $MIN_PLUGINS)."
107 if [ $MAX_PASSES -gt 0 ]; then
108 HOWMANY="$MAX_PASSES passes"
110 echo -n "Running $RUNNER with args: "
111 printf "\"%s\" " "${RUNNER_ARGS[@]}"
115 # Clean up on <ctrl>C, etc
116 trap "DONE=1; echo 'Caught signal'" HUP INT TERM
119 # Iterate over our capture files.
121 while [ \( $PASS -lt $MAX_PASSES -o $MAX_PASSES -lt 1 \) -a $DONE -ne 1 ] ; do
123 echo "Starting pass $PASS:"
127 if [ $DONE -eq 1 ]; then
128 break # We caught a signal
131 if [ $(( $RUN % 50 )) -eq 0 ] ; then
134 if [ "$OSTYPE" == "cygwin" ] ; then
135 CF=`cygpath --windows "$CF"`
139 "$CAPINFOS" "$CF" > /dev/null 2> $TMP_DIR/$ERR_FILE
141 if [ $RETVAL -eq 1 ] ; then
142 echo "Not a valid capture file"
143 rm -f $TMP_DIR/$ERR_FILE
145 elif [ $RETVAL -ne 0 -a $DONE -ne 1 ] ; then
153 "$EDITCAP" -E $ERR_PROB "$CF" $TMP_DIR/$TMP_FILE > /dev/null 2>&1
154 if [ $? -ne 0 ] ; then
155 "$EDITCAP" -E $ERR_PROB -T ether "$CF" $TMP_DIR/$TMP_FILE \
157 if [ $? -ne 0 ] ; then
158 echo "Invalid format for editcap"
163 for ARGS in "${RUNNER_ARGS[@]}" ; do
165 echo -e "Command and args: $RUNNER $ARGS\n" > $TMP_DIR/$ERR_FILE
167 # Run in a child process with limits, e.g. stop it if it's running
168 # longer then MAX_CPU_TIME seconds. (ulimit may not be supported
169 # well on some platforms, particularly cygwin.)
171 ulimit -S -t $MAX_CPU_TIME -v $MAX_VMEM -s $MAX_STACK
174 "$RUNNER" $ARGS $TMP_DIR/$TMP_FILE \
175 > /dev/null 2>> $TMP_DIR/$ERR_FILE
178 if [ $RETVAL -ne 0 ] ; then break ; fi
181 # Uncomment the next two lines to enable dissector bug
183 #grep -i "dissector bug" $TMP_DIR/$ERR_FILE \
184 # > /dev/null 2>&1 && DISSECTOR_BUG=1
186 if [ $VALGRIND -eq 1 ]; then
187 VG_ERR_CNT="`grep "ERROR SUMMARY:" $TMP_DIR/$ERR_FILE | cut -f4 -d' '`"
188 if grep -q "Valgrind cannot continue" $TMP_DIR/$ERR_FILE; then
193 if [ \( $RETVAL -ne 0 -o $DISSECTOR_BUG -ne 0 -o $VG_ERR_CNT -ne 0 \) \
194 -a $DONE -ne 1 ] ; then
200 rm -f $TMP_DIR/$TMP_FILE $TMP_DIR/$ERR_FILE