From e30c7d5269389115788e9f5f8ef242d4f108388e Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 1 Jun 2019 15:46:18 +0300
Subject: [PATCH] tests: New style fuzzing tool for AP Management frame processing

This is a newer version of tests/ap-mgmt-fuzzer tool.

Signed-off-by: Jouni Malinen
---
 tests/fuzzing/ap-mgmt/Makefile | 34 ++++
 tests/fuzzing/ap-mgmt/ap-mgmt.c | 167 ++++++++++++++++++
 .../fuzzing/ap-mgmt/corpus/multi-sae-ffc.dat | Bin 0 -> 506 bytes
 tests/fuzzing/ap-mgmt/corpus/multi-sae.dat | Bin 0 -> 346 bytes
 tests/fuzzing/ap-mgmt/corpus/multi.dat | Bin 0 -> 246 bytes
 5 files changed, 201 insertions(+)
 create mode 100644 tests/fuzzing/ap-mgmt/Makefile
 create mode 100644 tests/fuzzing/ap-mgmt/ap-mgmt.c
 create mode 100644 tests/fuzzing/ap-mgmt/corpus/multi-sae-ffc.dat
 create mode 100644 tests/fuzzing/ap-mgmt/corpus/multi-sae.dat
 create mode 100644 tests/fuzzing/ap-mgmt/corpus/multi.dat

diff --git a/tests/fuzzing/ap-mgmt/Makefile b/tests/fuzzing/ap-mgmt/Makefile
new file mode 100644
index 000000000..830ea013c
--- /dev/null
+++ b/tests/fuzzing/ap-mgmt/Makefile
@@ -0,0 +1,34 @@
+all: ap-mgmt
+include ../rules.include
+
+CFLAGS += -DCONFIG_WNM
+CFLAGS += -DCONFIG_INTERWORKING
+CFLAGS += -DCONFIG_GAS
+CFLAGS += -DCONFIG_HS20
+CFLAGS += -DIEEE8021X_EAPOL
+CFLAGS += -DNEED_AP_MLME
+CFLAGS += -DCONFIG_AIRTIME_POLICY
+
+LIBS += $(SRC)/common/libcommon.a
+LIBS += $(SRC)/crypto/libcrypto.a
+LIBS += $(SRC)/tls/libtls.a
+LIBS += $(SRC)/wps/libwps.a
+LIBS += $(SRC)/eap_server/libeap_server.a
+LIBS += $(SRC)/eap_common/libeap_common.a
+LIBS += $(SRC)/l2_packet/libl2_packet.a
+LIBS += $(SRC)/ap/libap.a
+LIBS += $(SRC)/eapol_auth/libeapol_auth.a
+LIBS += $(SRC)/radius/libradius.a
+LIBS += $(SRC)/utils/libutils.a
+
+ELIBS += $(SRC)/crypto/libcrypto.a
+ELIBS += $(SRC)/tls/libtls.a
+
+ap-mgmt: ap-mgmt.o $(OBJS) $(LIBS)
+ $(LDO) $(LDFLAGS) -o $@ $^ $(LIBS) $(ELIBS)
+
+clean:
+ $(MAKE) -C $(SRC) clean
+ rm -f ap-mgmt-fuzzer *~ *.o *.d ../*~ ../*.o ../*.d
+
+-include $(OBJS:%.o=%.d)
diff --git a/tests/fuzzing/ap-mgmt/ap-mgmt.c b/tests/fuzzing/ap-mgmt/ap-mgmt.c
new file mode 100644
index 000000000..d49ac5f08
--- /dev/null
+++ b/tests/fuzzing/ap-mgmt/ap-mgmt.c
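Review bot: The clean target removes `ap-mgmt-fuzzer`, which is the old tool's name, while the binary this Makefile actually builds is `ap-mgmt`, so `make clean` leaves the built fuzzer behind. Change the rm line to `rm -f ap-mgmt *~ *.o *.d ../*~ ../*.o ../*.d` so the clean target matches the link target a few lines above it.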
@@ -0,0 +1,167 @@
+/*
+ * hostapd - Management frame fuzzer
+ * Copyright (c) 2015-2019, Jouni Malinen
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "utils/eloop.h"
+#include "ap/hostapd.h"
+#include "ap/hw_features.h"
+#include "ap/ieee802_11.h"
+#include "ap/sta_info.h"
+#include "ap/ap_list.h"
+#include "../fuzzer-common.h"
+
+
+const struct wpa_driver_ops *const wpa_drivers[] =
+{
+ NULL
+};
+
+
+struct arg_ctx {
+ const u8 *data;
+ size_t data_len;
+ struct hostapd_iface iface;
+ struct hostapd_data hapd;
+ struct wpa_driver_ops driver;
+ struct hostapd_config iconf;
+ struct hostapd_bss_config conf;
+};
+
+
+static void test_send_mgmt(void *eloop_data, void *user_ctx)
+{
+ struct arg_ctx *ctx = eloop_data;
+ struct hostapd_frame_info fi;
+ const u8 *pos, *end;
+
+ os_memset(&fi, 0, sizeof(fi));
+
+ pos = ctx->data;
+ end = pos + ctx->data_len;
+
+ while (end - pos > 2) {
+ u16 flen;
+
+ flen = WPA_GET_BE16(pos);
+ pos += 2;
+ if (end - pos < flen)
+ break;
+ wpa_hexdump(MSG_MSGDUMP, "fuzzer - frame", pos, flen);
+ ieee802_11_mgmt(&ctx->hapd, pos, flen, &fi);
+ pos += flen;
+ }
+
+ eloop_terminate();
+}
+
+
+static struct hostapd_hw_modes * gen_modes(void)
+{
+ struct hostapd_hw_modes *mode;
+ struct hostapd_channel_data *chan;
+
+ mode = os_zalloc(sizeof(struct hostapd_hw_modes));
+ if (!mode)
+ return NULL;
+
+ mode->mode = HOSTAPD_MODE_IEEE80211G;
+ chan = os_zalloc(sizeof(struct hostapd_channel_data));
+ if (!chan) {
+ os_free(mode);
+ return NULL;
+ }
+ chan->chan = 1;
+ chan->freq = 2412;
+ mode->channels = chan;
+ mode->num_channels = 1;
+
+ mode->rates = os_zalloc(sizeof(int));
+ if (!mode->rates) {
+ os_free(chan);
+ os_free(mode);
+ return NULL;
+ }
+ mode->rates[0] = 10;
+ mode->num_rates = 1;
+
+ return mode;
+}
+
+
+static int init_hapd(struct arg_ctx *ctx)
+{
+ struct hostapd_data *hapd = &ctx->hapd;
+ struct sta_info *sta;
+ struct hostapd_bss_config *bss;
+
+ hapd->driver = &ctx->driver;
+ os_memcpy(hapd->own_addr, "\x02\x00\x00\x00\x03\x00", ETH_ALEN);
+ hapd->iface = &ctx->iface;
+ hapd->iface->conf = hostapd_config_defaults();
+ if (!hapd->iface->conf)
+ return -1;
+ hapd->iface->hw_features = gen_modes();
+ hapd->iface->num_hw_features = 1;
+ hapd->iface->current_mode = hapd->iface->hw_features;
+ hapd->iconf = hapd->iface->conf;
+ hapd->iconf->hw_mode = HOSTAPD_MODE_IEEE80211G;
+ hapd->iconf->channel = 1;
+ bss = hapd->conf = hapd->iconf->bss[0];
+ hostapd_config_defaults_bss(hapd->conf);
+ os_memcpy(bss->ssid.ssid, "test", 4);
+ bss->ssid.ssid_len = 4;
+ bss->ssid.ssid_set = 1;
+
+ sta = ap_sta_add(hapd, (u8 *) "\x02\x00\x00\x00\x00\x00");
+ if (sta)
+ sta->flags |= WLAN_STA_ASSOC | WLAN_STA_WMM;
+
+ return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ struct arg_ctx ctx;
+
+ wpa_fuzzer_set_debug_level();
+
+ if (os_program_init())
+ return 0;
+
+ if (eloop_init()) {
+ wpa_printf(MSG_ERROR, "Failed to initialize event loop");
+ return 0;
+ }
+
+ os_memset(&ctx, 0, sizeof(ctx));
+ ctx.data = data;
+ ctx.data_len = size;
+
+ if (init_hapd(&ctx))
+ goto fail;
+
+ eloop_register_timeout(0, 0, test_send_mgmt, &ctx, NULL);
+
+ wpa_printf(MSG_DEBUG, "Starting eloop");
+ eloop_run();
+ wpa_printf(MSG_DEBUG, "eloop done");
+ hostapd_free_stas(&ctx.hapd);
+ hostapd_free_hw_features(ctx.hapd.iface->hw_features,
+ ctx.hapd.iface->num_hw_features);
+
+fail:
+ hostapd_config_free(ctx.hapd.iconf);
+ ap_list_deinit(&ctx.iface);
+ eloop_destroy();
+ os_program_deinit();
+
+ return 0;
+}
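Review bot: In init_hapd the return value of gen_modes() is stored without a check, so on an allocation failure hapd->iface->current_mode is left NULL while num_hw_features is still set to 1, and any management-frame handler that reads current_mode would presumably dereference a null pointer during the fuzz run. The hostapd_config_defaults() failure a few lines earlier is checked, so this one should be handled the same way; returning -1 there reaches the existing `fail:` label in LLVMFuzzerTestOneInput, which frees the config and tears down the loop, and nothing else has been allocated at that point. Suggested: `hapd->iface->hw_features = gen_modes();` / `if (!hapd->iface->hw_features)` / `return -1;`.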
diff --git a/tests/fuzzing/ap-mgmt/corpus/multi-sae-ffc.dat b/tests/fuzzing/ap-mgmt/corpus/multi-sae-ffc.dat new file mode 100644 index 0000000000000000000000000000000000000000..8c0059d5f32263267dc47fccafef1603cd408a7b GIT binary patch literal 506 zcmZQn*uY@L$i%?Fz{~(58Nehng8-1v2;_-@#pp%2oN-%j!~WiV?yJ0OW8O^b3E4ZN_BDB zmRoxq*W{+&tB83oWhkuLtvyXQi(v`_)-X0;Fl1q6VBjc8EiTb5PE2LwU}E7G;}Mcj zF=8?BNXRh|0mcCT8WtpygMmR;>YK3i|Nn?60YwuO)N`>gcrh_LFgP$UT8jn-1_g%{ cmz0*3S5#J2*VNY4H#9cgWoHQZ!~~3603$DT=Kufz literal 0 HcmV?d00001 diff --git a/tests/fuzzing/ap-mgmt/corpus/multi-sae.dat b/tests/fuzzing/ap-mgmt/corpus/multi-sae.dat new file mode 100644 index 0000000000000000000000000000000000000000..31a0d091dba9adea6542dfafa3b8803296144c70 GIT binary patch literal 346 zcmZQ**uY@L$i%?Fz{~(58Nehng8-1v2;>Pf%$qfJ_NTimN|!8}^K#Sr_imqV7$i() zR5?4(^6t6Ho@=w>kH+6f(w=xZ>C44G)7;#B>v!>gKlAKV#EzF)ljYc%6mFeZ@`7FE zWBNgpIVT_fyxX+=c(vx0>7CoGi?*EbG?3C@aKP>Y1-Og;R&&UId6AyaoT%mK@b1p# zgO#hTgm+pbANzjFRoG$YI)*6>Sp8tYV93JCz`#+GT3n)AoS4eU!NkHX#v>%5V#H$L zk&t5`0`wvO8WtpygMmR;>YK3i|Nr2y0282KfP#8176vaSMh6B521aYqz`&s3km8ck avhs?`s_L5By84F3rn~G60iT$FVFv)+;bO`F literal 0 HcmV?d00001 diff --git a/tests/fuzzing/ap-mgmt/corpus/multi.dat b/tests/fuzzing/ap-mgmt/corpus/multi.dat new file mode 100644 index 0000000000000000000000000000000000000000..29d074e0c4142b61e5bdd36d34bfd0393772d89e GIT binary patch literal 246 zcmZPwc3@y&_zwn5Ko*P*Vli?sv2cs=2uY|Iu^4zHPi&}NdNy2l7#?97=wYK zo`Z#fiwP*;z#zAQ!HN-N95VyNPzYN9C<4}y%z#y1fkBalm4Sh!B(=B%-Ev(i8{9T? bfo*mG+RS*Dogv^86UZ8=3s@})06GEyltUk) literal 0 HcmV?d00001