From 7d3f18d72c3c883112ee927fc402c0eaed09ff65 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Wed, 16 Nov 2016 18:17:08 +0200 Subject: [PATCH] tests: Allow multiple management frames to be used with ap-mgmt-fuzzer The optional "-m " command line option can now be used to specify a data file that can include multiple management frames with each one prefixed with a 16-bit big endian length field. This allows a single fuzzer run to be used to go through multi-frame exchanges. The multi.dat file shows an example of this with Probe Request frame, Authentication frame, Association Request frame, and an Action frame. Signed-off-by: Jouni Malinen --- tests/ap-mgmt-fuzzer/ap-mgmt-fuzzer.c | 83 +++++++++++++++++++++++--- tests/ap-mgmt-fuzzer/multi.dat | Bin 0 -> 246 bytes 2 files changed, 76 insertions(+), 7 deletions(-) create mode 100644 tests/ap-mgmt-fuzzer/multi.dat diff --git a/tests/ap-mgmt-fuzzer/ap-mgmt-fuzzer.c b/tests/ap-mgmt-fuzzer/ap-mgmt-fuzzer.c index dd061448e..2adb332e7 100644 --- a/tests/ap-mgmt-fuzzer/ap-mgmt-fuzzer.c +++ b/tests/ap-mgmt-fuzzer/ap-mgmt-fuzzer.c @@ -11,6 +11,7 @@ #include "utils/common.h" #include "utils/eloop.h" #include "ap/hostapd.h" +#include "ap/hw_features.h" #include "ap/ieee802_11.h" #include "ap/sta_info.h" @@ -28,6 +29,7 @@ struct arg_ctx { struct wpa_driver_ops driver; struct hostapd_config iconf; struct hostapd_bss_config conf; + int multi_frame; }; 
@@ -46,10 +48,28 @@ static void test_send_mgmt(void *eloop_data, void *user_ctx) goto out; } - wpa_hexdump(MSG_MSGDUMP, "fuzzer - WNM", data, len); - os_memset(&fi, 0, sizeof(fi)); - ieee802_11_mgmt(&ctx->hapd, (u8 *) data, len, &fi); + if (ctx->multi_frame) { + u8 *pos, *end; + + pos = (u8 *) data; + end = pos + len; + + while (end - pos > 2) { + u16 flen; + + flen = WPA_GET_BE16(pos); + pos += 2; + if (end - pos < flen) + break; + wpa_hexdump(MSG_MSGDUMP, "fuzzer - frame", pos, flen); + ieee802_11_mgmt(&ctx->hapd, pos, flen, &fi); + pos += flen; + } + } else { + wpa_hexdump(MSG_MSGDUMP, "fuzzer - WNM", data, len); + ieee802_11_mgmt(&ctx->hapd, (u8 *) data, len, &fi); + } out: os_free(data); 
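Review bot: As rendered, the `os_memset(&fi, 0, sizeof(fi));` line carries a `-` marker and nothing in the new code re-zeroes `fi` before either `ieee802_11_mgmt()` call, so the handler would receive an uninitialized `struct hostapd_frame_info`; if that marker is real rather than an artifact of the collapsed rendering, keep `os_memset(&fi, 0, sizeof(fi));` immediately ahead of `if (ctx->multi_frame) {`. A record whose 16-bit length exceeds the remaining input is dropped by the bare `break`, which is correct but silent; a `wpa_printf(MSG_DEBUG, "fuzzer - truncated frame record (%u of %d bytes)", flen, (int) (end - pos));` before the `break` would tell a corpus author why a multi-frame file stopped early. The framing is documented only in the commit message, so a short comment above the loop is worth adding, e.g. `/* -m input: sequence of records, each a 16-bit big-endian length followed by that many bytes of management frame */`. The loop also skips a trailing record with fewer than three bytes left, which is fine since a two-byte length header with no payload is meaningless.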
@@ -57,20 +77,62 @@ out: } +static struct hostapd_hw_modes * gen_modes(void) +{ + struct hostapd_hw_modes *mode; + struct hostapd_channel_data *chan; + + mode = os_zalloc(sizeof(struct hostapd_hw_modes)); + if (!mode) + return NULL; + + mode->mode = HOSTAPD_MODE_IEEE80211G; + chan = os_zalloc(sizeof(struct hostapd_channel_data)); + if (!chan) { + os_free(mode); + return NULL; + } + chan->chan = 1; + chan->freq = 2412; + mode->channels = chan; + mode->num_channels = 1; + + mode->rates = os_zalloc(sizeof(int)); + if (!mode->rates) { + os_free(chan); + os_free(mode); + return NULL; + } + mode->rates[0] = 10; + mode->num_rates = 1; + + return mode; +} + + static int init_hapd(struct arg_ctx *ctx) { struct hostapd_data *hapd = &ctx->hapd; struct sta_info *sta; + struct hostapd_bss_config *bss; hapd->driver = &ctx->driver; os_memcpy(hapd->own_addr, "\x02\x00\x00\x00\x03\x00", ETH_ALEN); hapd->iface = &ctx->iface; - hapd->iface->conf = hostapd_config_defaults();; + hapd->iface->conf = hostapd_config_defaults(); if (!hapd->iface->conf) return -1; + hapd->iface->hw_features = gen_modes(); + hapd->iface->num_hw_features = 1; + hapd->iface->current_mode = hapd->iface->hw_features; hapd->iconf = hapd->iface->conf; - hapd->conf = hapd->iconf->bss[0]; + hapd->iconf->hw_mode = HOSTAPD_MODE_IEEE80211G; + hapd->iconf->channel = 1; + bss = hapd->conf = hapd->iconf->bss[0]; hostapd_config_defaults_bss(hapd->conf); + os_memcpy(bss->ssid.ssid, "test", 4); + bss->ssid.ssid_len = 4; + bss->ssid.ssid_set = 1; sta = ap_sta_add(hapd, (u8 *) "\x02\x00\x00\x00\x00\x00"); if (sta) @@ -86,7 +148,7 @@ int main(int argc, char *argv[]) int ret = -1; if (argc < 2) { - printf("usage: %s \n", argv[0]); + printf("usage: %s [-m] \n", argv[0]); return -1; } 
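Review bot: In init_hapd the return value of `gen_modes()` is stored but never checked: `num_hw_features` is set to 1 and `current_mode` to the (possibly NULL) array regardless, so an allocation failure leaves the interface claiming one mode with a NULL `hw_features` pointer, which any later mode or channel lookup would dereference. Insert `if (!hapd->iface->hw_features) return -1;` directly after the `gen_modes()` assignment, before `num_hw_features` and `current_mode` are set, matching how the `hostapd_config_defaults()` result is checked a few lines above. In gen_modes the constant `mode->rates[0] = 10;` deserves a comment; it presumably is 1 Mbps in the 100 kb/s units hostapd's rate tables use, but that should be confirmed before writing it down. init_hapd's body continues past the end of this hunk.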
@@ -102,7 +164,12 @@ int main(int argc, char *argv[]) } os_memset(&ctx, 0, sizeof(ctx)); - ctx.fname = argv[1]; + if (argc >= 3 && os_strcmp(argv[1], "-m") == 0) { + ctx.multi_frame = 1; + ctx.fname = argv[2]; + } else { + ctx.fname = argv[1]; + } if (init_hapd(&ctx)) goto fail; @@ -112,6 +179,8 @@ int main(int argc, char *argv[]) eloop_run(); wpa_printf(MSG_DEBUG, "eloop done"); hostapd_free_stas(&ctx.hapd); + hostapd_free_hw_features(ctx.hapd.iface->hw_features, + ctx.hapd.iface->num_hw_features); ret = 0; fail: diff --git a/tests/ap-mgmt-fuzzer/multi.dat b/tests/ap-mgmt-fuzzer/multi.dat new file mode 100644 index 0000000000000000000000000000000000000000..29d074e0c4142b61e5bdd36d34bfd0393772d89e GIT binary patch literal 246 zcmZPwc3@y&_zwn5Ko*P*Vli?sv2cs=2uY|Iu^4zHPi&}NdNy2l7#?97=wYK zo`Z#fiwP*;z#zAQ!HN-N95VyNPzYN9C<4}y%z#y1fkBalm4Sh!B(=B%-Ev(i8{9T? bfo*mG+RS*Dogv^86UZ8=3s@})06GEyltUk) literal 0 HcmV?d00001
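Review bot: The new option parsing requires `argc >= 3` to recognize `-m`, so invoking the tool as `ap-mgmt-fuzzer -m` with no file falls through to the `else` branch and tries to open a file literally named `-m`. Add an explicit usage error for that case, e.g. `} else if (os_strcmp(argv[1], "-m") == 0) { printf("usage: %s [-m] <file>\n", argv[0]); return -1; }` mirroring the `argc < 2` check earlier in main (use `goto fail` instead if cleanup is already needed at that point; the code between the two checks is outside this hunk).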
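Review bot: `hostapd_free_hw_features()` is added only on the success path before `ret = 0;`, so if anything between `init_hapd()` and `eloop_run()` fails after `gen_modes()` has allocated the mode, channel and rate buffers, they leak on the `fail:` path; in a fuzzer built with ASan/LSan that turns into noise in exactly the tool meant to surface memory bugs. Since `ctx` is zeroed with `os_memset()` before `init_hapd()`, the call could move below the `fail:` label so it runs on both paths, assuming `hostapd_free_hw_features()` tolerates a NULL array with a count of 0, which should be confirmed against its definition. The same consideration applies to the pre-existing `hostapd_free_stas()` call next to it.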