#!/bin/bash
#
-# $Id$
-
# Fuzz-testing script for TShark
#
# This script uses Editcap to add random errors ("fuzz") to a set of
# capture files specified on the command line. It runs TShark on
# each fuzzed file and checks for errors. The files are processed
# repeatedly until an error is found.
+#
+# Copyright 2013 Gerald Combs <gerald@wireshark.org>
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
-# This needs to point to a 'date' that supports %s.
-DATE=/bin/date
-BASE_NAME=fuzz-`$DATE +%Y-%m-%d`-$$
+TEST_TYPE="fuzz"
+# shellcheck source=tools/test-common.sh
+. "$( dirname "$0" )"/test-common.sh || exit 1
-# Directory containing binaries. Default current directory.
-BIN_DIR=.
+# Sanity check to make sure we can find our plugins. Zero or less disables.
+MIN_PLUGINS=0
-# Temporary file directory and names.
-# (had problems with this on cygwin, tried TMP_DIR=./ which worked)
-TMP_DIR=/tmp
-if [ "$OSTYPE" == "cygwin" ] ; then
- TMP_DIR=`cygpath --windows "$TMP_DIR"`
-fi
-TMP_FILE=$BASE_NAME.pcap
-ERR_FILE=$BASE_NAME.err
+# Did we catch a signal?
+DONE=0
-# Loop this many times (< 1 loops forever)
-MAX_PASSES=0
+# Currently running children
+RUNNER_PIDS=
# Perform a two pass analysis on the capture file?
TWO_PASS=
# Specific config profile ?
CONFIG_PROFILE=
-# These may be set to your liking
-# Stop the child process if it's running longer than x seconds
-MAX_CPU_TIME=900
-# Stop the child process if it's using more than y * 1024 bytes
-MAX_VMEM=500000
-# Stop the child process if its stack is larger than than z * 1024 bytes
-# Windows XP: 2033
-# Windows 7: 2034
-# OS X 10.6: 8192
-# Linux 2.6.24: 8192
-# Solaris 10: 8192
-MAX_STACK=2033
-# Insert z times an error into the capture file (0.02 seems to be a good value to find errors)
-ERR_PROB=0.02
-# Trigger an abort if a dissector finds a bug.
-# Uncomment to enable
-# Note that if ABORT is enabled there will be no info
-# output to stderr about the DISSECTOR_BUG.
-# (There'll just be a core-dump).
-###export WIRESHARK_ABORT_ON_DISSECTOR_BUG="True"
+# Run under valgrind ?
+VALGRIND=0
+
+# Run under AddressSanitizer ?
+ASAN=$CONFIGURED_WITH_ASAN
+
+# Don't skip any byte from being changed
+CHANGE_OFFSET=0
+# The maximum permitted amount of memory leaked. Eventually this should be
+# worked down to zero, but right now that would fail on every single capture.
+# Only has effect when running under valgrind.
+MAX_LEAK=$(( 1024 * 100 ))
# To do: add options for file names and limits
-while getopts ":b:d:e:C:Pp:" OPTCHAR ; do
+while getopts "2b:C:d:e:agp:P:o:" OPTCHAR ; do
case $OPTCHAR in
- b) BIN_DIR=$OPTARG ;;
+ a) ASAN=1 ;;
+ 2) TWO_PASS="-2 " ;;
+ b) WIRESHARK_BIN_DIR=$OPTARG ;;
C) CONFIG_PROFILE="-C $OPTARG " ;;
d) TMP_DIR=$OPTARG ;;
e) ERR_PROB=$OPTARG ;;
+ g) VALGRIND=1 ;;
p) MAX_PASSES=$OPTARG ;;
- P) TWO_PASS="-P " ;;
+ P) MIN_PLUGINS=$OPTARG ;;
+ o) CHANGE_OFFSET=$OPTARG ;;
+ *) printf "Unknown option %s" "$OPTCHAR"
esac
done
-shift $(($OPTIND - 1))
-
-# Tweak the following to your liking. Editcap must support "-E".
-TSHARK="$BIN_DIR/tshark"
-EDITCAP="$BIN_DIR/editcap"
-CAPINFOS="$BIN_DIR/capinfos"
-
-if [ "$BIN_DIR" = "." ]; then
- export WIRESHARK_RUN_FROM_BUILD_DIRECTORY=1
-fi
-
-# set some limits to the child processes, e.g. stop it if it's running longer then MAX_CPU_TIME seconds
-# (ulimit is not supported well on cygwin and probably other platforms, e.g. cygwin shows some warnings)
-ulimit -S -t $MAX_CPU_TIME -v $MAX_VMEM -s $MAX_STACK
-ulimit -c unlimited
+shift $((OPTIND - 1))
### usually you won't have to change anything below this line ###
-# TShark arguments (you won't have to change these)
-# n Disable network object name resolution
-# V Print a view of the details of the packet rather than a one-line summary of the packet
-# x Cause TShark to print a hex and ASCII dump of the packet data after printing the summary or details
-# r Read packet data from the following infile
-TSHARK_ARGS="${CONFIG_PROFILE}${TWO_PASS}-nVxr"
-
-NOTFOUND=0
-for i in "$TSHARK" "$EDITCAP" "$CAPINFOS" "$DATE" "$TMP_DIR" ; do
- if [ ! -x $i ]; then
- echo "Couldn't find $i"
- NOTFOUND=1
- fi
-done
-if [ $NOTFOUND -eq 1 ]; then
- exit 1
+ws_bind_exec_paths
+ws_check_exec "$TSHARK" "$EDITCAP" "$CAPINFOS" "$DATE" "$TMP_DIR"
+
+COMMON_ARGS="${CONFIG_PROFILE}${TWO_PASS}"
+KEEP=
+PACKET_RANGE=
+if [ $VALGRIND -eq 1 ]; then
+ RUNNER=$( dirname "$0" )"/valgrind-wireshark.sh"
+ COMMON_ARGS="-b $WIRESHARK_BIN_DIR $COMMON_ARGS"
+ declare -a RUNNER_ARGS=("" "-T")
+ # Valgrind requires more resources, so permit 1.5x memory and 3x time
+ # (1.5x time is too small for a few large captures in the menagerie)
+ MAX_CPU_TIME=$(( 3 * MAX_CPU_TIME ))
+ MAX_VMEM=$(( 3 * MAX_VMEM / 2 ))
+ # Valgrind is slow. Trim captures to the first 10k packets so that
+ # we don't time out.
+ KEEP=-r
+ PACKET_RANGE=1-10000
+else
+ # Not using valgrind, use regular tshark.
+ # TShark arguments (you won't have to change these)
+ # n Disable network object name resolution
+ # V Print a view of the details of the packet rather than a one-line summary of the packet
+ # x Cause TShark to print a hex and ASCII dump of the packet data after printing the summary or details
+ # r Read packet data from the following infile
+ RUNNER="$TSHARK"
+ declare -a RUNNER_ARGS=("-nVxr" "-nr")
+ # Running with a read filter but without generating the tree exposes some
+ # "More than 100000 items in tree" bugs.
+ # Not sure if we want to add even more cycles to the fuzz bot's work load...
+ #declare -a RUNNER_ARGS=("${CONFIG_PROFILE}${TWO_PASS}-nVxr" "${CONFIG_PROFILE}${TWO_PASS}-nr" "-Yframe ${CONFIG_PROFILE}${TWO_PASS}-nr")
fi
+
# Make sure we have a valid test set
FOUND=0
for CF in "$@" ; do
if [ "$OSTYPE" == "cygwin" ] ; then
- CF=`cygpath --windows "$CF"`
+ CF=$( cygpath --windows "$CF" )
fi
"$CAPINFOS" "$CF" > /dev/null 2>&1 && FOUND=1
if [ $FOUND -eq 1 ] ; then break ; fi
cat <<FIN
Error: No valid capture files found.
-Usage: `basename $0` [-b bin_dir] [-C config_profile] [-p passes] [-d work_dir] [-P ] [-e error probability] capture file 1 [capture file 2]...
+Usage: $( basename "$0" ) [-2] [-b bin_dir] [-C config_profile] [-d work_dir] [-e error probability] [-o changes offset] [-g] [-a] [-p passes] capture file 1 [capture file 2]...
FIN
exit 1
fi
+PLUGIN_COUNT=$( $TSHARK -G plugins | grep -c dissector )
+if [ "$MIN_PLUGINS" -gt 0 ] && [ "$PLUGIN_COUNT" -lt "$MIN_PLUGINS" ] ; then
+ echo "Warning: Found fewer plugins than expected ($PLUGIN_COUNT vs $MIN_PLUGINS)."
+ exit 1
+fi
+
+if [ $ASAN -ne 0 ]; then
+ echo -n "ASan enabled. Virtual memory limit is "
+ ulimit -v
+else
+ echo "ASan disabled. Virtual memory limit is $MAX_VMEM"
+fi
+
HOWMANY="forever"
-if [ $MAX_PASSES -gt 0 ]; then
- HOWMANY="$MAX_PASSES passes"
+if [ "$MAX_PASSES" -gt 0 ]; then
+ HOWMANY="$MAX_PASSES passes"
fi
-echo "Running $TSHARK with args: $TSHARK_ARGS ($HOWMANY)"
+echo -n "Running $RUNNER $COMMON_ARGS with args: "
+printf "\"%s\" " "${RUNNER_ARGS[@]}"
+echo "($HOWMANY)"
echo ""
# Clean up on <ctrl>C, etc
-trap "rm -f $TMP_DIR/$TMP_FILE $TMP_DIR/$ERR_FILE; echo ""; exit 0" HUP INT TERM
-
-
-##############################################################################
-### Set up environment variables for fuzz testing ###
-##############################################################################
-# Initialize (ep_ and se_) allocated memory to 0xBADDCAFE and freed memory
-# to 0xDEADBEEF
-export WIRESHARK_DEBUG_SCRUB_MEMORY=
-# Use canaries in se_ allocations (off by default due to the memory usage)
-export WIRESHARK_DEBUG_SE_USE_CANARY=
-# Verify that ep_ and se_ allocated memory is not passed to certain routines
-# which need the memory to be persistent.
-export WIRESHARK_EP_VERIFY_POINTERS=
-export WIRESHARK_SE_VERIFY_POINTERS=
-
-# Turn on GLib memory debugging (since 2.13)
-export G_SLICE=debug-blocks
-# Cause glibc (Linux) to abort() if some memory errors are found
-export MALLOC_CHECK_=3
-# Cause FreeBSD (and other BSDs) to abort() on allocator warnings and
-# initialize allocated memory (to 0xa5) and freed memory (to 0x5a). see:
-# http://www.freebsd.org/cgi/man.cgi?query=malloc&apropos=0&sektion=0&manpath=FreeBSD+8.2-RELEASE&format=html
-export MALLOC_OPTIONS=AJ
-
-# MacOS options; see http://developer.apple.com/library/mac/releasenotes/DeveloperTools/RN-MallocOptions/_index.html
-# Initialize allocated memory to 0xAA and freed memory to 0x55
-export MallocPreScribble=1
-export MallocScribble=1
-# Add guard pages before and after large allocations
-export MallocGuardEdges=1
-# Call abort() if heap corruption is detected. Heap is checked every 1000
-# allocations (may need to be tuned!)
-export MallocCheckHeapStart=1000
-export MallocCheckHeapEach=1000
-export MallocCheckHeapAbort=1
-# Call abort() if an illegal free() call is made
-export MallocBadFreeAbort=1
+trap_all() {
+ DONE=1
+ echo 'Caught signal'
+}
+
+trap_abrt() {
+ for RUNNER_PID in $RUNNER_PIDS ; do
+ kill -ABRT $RUNNER_PID
+ done
+ trap_all
+}
+trap trap_all HUP INT TERM
+trap trap_abrt ABRT
# Iterate over our capture files.
PASS=0
-while [ $PASS -lt $MAX_PASSES -o $MAX_PASSES -lt 1 ] ; do
- PASS=`expr $PASS + 1`
+while { [ $PASS -lt "$MAX_PASSES" ] || [ "$MAX_PASSES" -lt 1 ]; } && [ $DONE -ne 1 ] ; do
+ PASS=$(( PASS+1 ))
echo "Starting pass $PASS:"
RUN=0
for CF in "$@" ; do
- RUN=$(( $RUN + 1 ))
- if [ $(( $RUN % 50 )) -eq 0 ] ; then
+ if [ $DONE -eq 1 ]; then
+ break # We caught a signal
+ fi
+ RUN=$(( RUN + 1 ))
+ if [ $(( RUN % 50 )) -eq 0 ] ; then
echo " [Pass $PASS]"
fi
if [ "$OSTYPE" == "cygwin" ] ; then
- CF=`cygpath --windows "$CF"`
+ CF=$( cygpath --windows "$CF" )
+ fi
+ echo -n " $CF: "
+
+ "$CAPINFOS" "$CF" > /dev/null 2> "$TMP_DIR/$ERR_FILE"
+ RETVAL=$?
+ if [ $RETVAL -eq 1 ] || [ $RETVAL -eq 2 ] ; then
+ echo "Not a valid capture file"
+ rm -f "$TMP_DIR/$ERR_FILE"
+ continue
+ elif [ $RETVAL -ne 0 ] && [ $DONE -ne 1 ] ; then
+ # Some other error
+ ws_exit_error
+ fi
+
+ DISSECTOR_BUG=0
+ VG_ERR_CNT=0
+
+ "$EDITCAP" -E "$ERR_PROB" -o "$CHANGE_OFFSET" $KEEP "$CF" "$TMP_DIR/$TMP_FILE" $PACKET_RANGE > /dev/null 2>&1
+ RETVAL=$?
+ if [ $RETVAL -ne 0 ] ; then
+ "$EDITCAP" -E "$ERR_PROB" -o "$CHANGE_OFFSET" $KEEP -T ether "$CF" "$TMP_DIR/$TMP_FILE" $PACKET_RANGE \
+ > /dev/null 2>&1
+ RETVAL=$?
+ if [ $RETVAL -ne 0 ] ; then
+ echo "Invalid format for editcap"
+ continue
+ fi
fi
- echo -n " $CF: "
-
- "$CAPINFOS" "$CF" > /dev/null 2> $TMP_DIR/$ERR_FILE
- RETVAL=$?
- if [ $RETVAL -eq 1 ] ; then
- echo "Not a valid capture file"
- rm -f $TMP_DIR/$ERR_FILE
- continue
- elif [ $RETVAL -ne 0 ] ; then
- # Some other error
- echo ""
- echo " ERROR"
- echo -e "Processing failed. Capture info follows:\n"
- echo " Input file: $CF"
- echo -e "stderr follows:\n"
- cat $TMP_DIR/$ERR_FILE
- exit 1
- fi
-
- DISSECTOR_BUG=0
-
- "$EDITCAP" -E $ERR_PROB "$CF" $TMP_DIR/$TMP_FILE > /dev/null 2>&1
- if [ $? -ne 0 ] ; then
- "$EDITCAP" -E $ERR_PROB -T ether "$CF" $TMP_DIR/$TMP_FILE \
- > /dev/null 2>&1
- if [ $? -ne 0 ] ; then
- echo "Invalid format for editcap"
- continue
- fi
- fi
-
- "$TSHARK" $TSHARK_ARGS $TMP_DIR/$TMP_FILE \
- > /dev/null 2>> $TMP_DIR/$ERR_FILE
- RETVAL=$?
- # Uncomment the next two lines to enable dissector bug
- # checking.
- #grep -i "dissector bug" $TMP_DIR/$ERR_FILE \
- # > /dev/null 2>&1 && DISSECTOR_BUG=1
- if [ $RETVAL -ne 0 -o $DISSECTOR_BUG -ne 0 ] ; then
- echo ""
- echo " ERROR"
- echo -e "Processing failed. Capture info follows:\n"
- echo " Output file: $TMP_DIR/$TMP_FILE"
- echo -e "stderr follows:\n"
- cat $TMP_DIR/$ERR_FILE
- exit 1
- fi
- echo " OK"
- rm -f $TMP_DIR/$TMP_FILE $TMP_DIR/$ERR_FILE
+
+ RUNNER_PIDS=
+ RUNNER_ERR_FILES=
+ for ARGS in "${RUNNER_ARGS[@]}" ; do
+ if [ $DONE -eq 1 ]; then
+ break # We caught a signal
+ fi
+ echo -n "($ARGS) "
+
+ # Run in a child process with limits.
+ (
+ # Set some limits to the child processes, e.g. stop it if
+ # it's running longer than MAX_CPU_TIME seconds. (ulimit
+ # is not supported well on cygwin - it shows some warnings -
+ # and the features we use may not all be supported on some
+ # UN*X platforms.)
+ ulimit -S -t "$MAX_CPU_TIME" -s "$MAX_STACK"
+
+ # Allow core files to be generated
+ ulimit -c unlimited
+
+ # Don't enable ulimit -v when using ASAN. See
+ # https://github.com/google/sanitizers/wiki/AddressSanitizer#ulimit--v
+ if [ $ASAN -eq 0 ]; then
+ ulimit -S -v "$MAX_VMEM"
+ fi
+
+ # shellcheck disable=SC2016
+ SUBSHELL_PID=$($SHELL -c 'echo $PPID')
+
+ printf 'Command and args: %s %s %s\n' "$RUNNER" "$COMMON_ARGS" "$ARGS" > "$TMP_DIR/$ERR_FILE.$SUBSHELL_PID"
+ # shellcheck disable=SC2086
+ "$RUNNER" $COMMON_ARGS $ARGS "$TMP_DIR/$TMP_FILE" \
+ > /dev/null 2>> "$TMP_DIR/$ERR_FILE.$SUBSHELL_PID"
+ ) &
+ RUNNER_PID=$!
+ RUNNER_PIDS="$RUNNER_PIDS $RUNNER_PID"
+ RUNNER_ERR_FILES="$RUNNER_ERR_FILES $TMP_DIR/$ERR_FILE.$RUNNER_PID"
+ done
+
+ for RUNNER_PID in $RUNNER_PIDS ; do
+ wait "$RUNNER_PID"
+ RUNNER_RETVAL=$?
+ mv "$TMP_DIR/$ERR_FILE.$RUNNER_PID" "$TMP_DIR/$ERR_FILE"
+
+ # Uncomment the next two lines to enable dissector bug
+ # checking.
+ #grep -i "dissector bug" $TMP_DIR/$ERR_FILE \
+ # > /dev/null 2>&1 && DISSECTOR_BUG=1
+
+ if [ $VALGRIND -eq 1 ] && [ $DONE -ne 1 ]; then
+ VG_ERR_CNT=$( grep "ERROR SUMMARY:" "$TMP_DIR/$ERR_FILE" | cut -f4 -d' ' )
+ VG_DEF_LEAKED=$( grep "definitely lost:" "$TMP_DIR/$ERR_FILE" | cut -f7 -d' ' | tr -d , )
+ VG_IND_LEAKED=$( grep "indirectly lost:" "$TMP_DIR/$ERR_FILE" | cut -f7 -d' ' | tr -d , )
+ VG_TOTAL_LEAKED=$(( VG_DEF_LEAKED + VG_IND_LEAKED ))
+ if [ $RUNNER_RETVAL -ne 0 ] ; then
+ echo "General Valgrind failure."
+ VG_ERR_CNT=1
+ elif [ "$VG_TOTAL_LEAKED" -gt "$MAX_LEAK" ] ; then
+ echo "Definitely + indirectly ($VG_DEF_LEAKED + $VG_IND_LEAKED) exceeds max ($MAX_LEAK)."
+ echo "Definitely + indirectly ($VG_DEF_LEAKED + $VG_IND_LEAKED) exceeds max ($MAX_LEAK)." >> "$TMP_DIR/$ERR_FILE"
+ VG_ERR_CNT=1
+ fi
+ if grep -q "Valgrind cannot continue" "$TMP_DIR/$ERR_FILE" ; then
+ echo "Valgrind unable to continue."
+ VG_ERR_CNT=-1
+ fi
+ fi
+
+ if [ $DONE -ne 1 ] && { [ $RUNNER_RETVAL -ne 0 ] || [ $DISSECTOR_BUG -ne 0 ] || [ $VG_ERR_CNT -ne 0 ]; } ; then
+ # shellcheck disable=SC2086
+ rm -f $RUNNER_ERR_FILES
+ ws_exit_error
+ fi
+ done
+
+ echo " OK"
+ rm -f "$TMP_DIR/$TMP_FILE" "$TMP_DIR/$ERR_FILE"
done
done
-