authorThomas Habets <habets@google.com>2016-11-23 13:50:14 +0000
committerThomas Habets <habets@google.com>2016-11-23 13:50:37 +0000
commit0ca1d6002d51abfcfd3eb9b09d607392acb21b59 (patch)
tree317d0c12b7d92319de462a6ea17a5b60ac63aadf
parentccc88a3007613da3c255717adc180c484206046f (diff)
downloadarping-0ca1d6002d51abfcfd3eb9b09d607392acb21b59.tar.gz
Add fuzzing code
-rw-r--r--HACKING.md8
-rw-r--r--fuzz/pingip/normal.databin0 -> 60 bytes
-rw-r--r--src/Makefile.am8
-rw-r--r--src/fuzz_pingip.c73
-rw-r--r--src/fuzz_pingmac.c56
5 files changed, 143 insertions, 2 deletions
diff --git a/HACKING.md b/HACKING.md
index 0dbc86c..055b8dc 100644
--- a/HACKING.md
+++ b/HACKING.md
@@ -12,3 +12,11 @@
9. Upload to http://www.habets.pp.se/synscan/files/
10. Update webpage.
11. Send email to synscan-announce@googlegroups.com
+
+## Fuzzing
+
+```shell
+CC=/path/to/afl-gcc ./configure
+make
+/path/to/afl-fuzz -i fuzz/pingip/ -o fuzz/out/ ./src/fuzz_pingip
+```
diff --git a/fuzz/pingip/normal.data b/fuzz/pingip/normal.data
new file mode 100644
index 0000000..e4f1251
--- /dev/null
+++ b/fuzz/pingip/normal.data
Binary files differ
diff --git a/src/Makefile.am b/src/Makefile.am
index e8d722f..b901655 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -3,11 +3,15 @@
include $(top_srcdir)/Makefile.am.common
sbin_PROGRAMS = arping
-arping_SOURCES = arping.c arping_main.c unix.c
+noinst_PROGRAMS = fuzz_pingip
+arping_SOURCES = arping.c arping_main.c unix.c
arping_LDADD = $(LIBOBJS)
+fuzz_pingip_SOURCES = arping.c fuzz_pingip.c unix.c mock_libpcap.c mock_libnet.c
+fuzz_pingip_LDADD = $(LIBOBJS)
+
TESTS=arping_test
check_PROGRAMS=arping_test
-arping_test_SOURCES=arping.c arping_test.c unix.c mock_libpcap.c mock_libnet.c
+arping_test_SOURCES=arping.c arping_test.c unix.c mock_libpcap.c mock_libnet.c.
arping_test_LDADD=$(LIBOBJS) -lcheck -lpthread
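Review bot: The changed line `arping_test_SOURCES=arping.c arping_test.c unix.c mock_libpcap.c mock_libnet.c.` ends in a stray period, so automake will look for a source named `mock_libnet.c.` and `make check` will fail; it should read `arping_test_SOURCES=arping.c arping_test.c unix.c mock_libpcap.c mock_libnet.c`. The commit also adds src/fuzz_pingmac.c but registers only fuzz_pingip in `noinst_PROGRAMS`, so the second harness is never built; add it there with `fuzz_pingmac_SOURCES` and `fuzz_pingmac_LDADD` lines following the fuzz_pingip pattern. Building the fuzz target against mock_libpcap.c and mock_libnet.c rather than the real libraries presumably keeps the harness off the network and deterministic; a one-line comment saying so above `fuzz_pingip_SOURCES` would save the next reader the question.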
diff --git a/src/fuzz_pingip.c b/src/fuzz_pingip.c
new file mode 100644
index 0000000..a59955b
--- /dev/null
+++ b/src/fuzz_pingip.c
@@ -0,0 +1,73 @@
+/* arping/src/fuzz_pingip.c
+ *
+ * Copyright (C) 2016 Thomas Habets <thomas@habets.se>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include<errno.h>
+#include<string.h>
+#include<stdio.h>
+#include<stdlib.h>
+#include<unistd.h>
+#include<inttypes.h>
+
+#include<pcap.h>
+
+#include"arping.h"
+
+int
+main()
+{
+ const size_t maxpacket = 1500;
+ char* const packet = calloc(1, maxpacket);
+ size_t packet_size = 0;
+
+ // Read packet.
+ {
+ char* p = packet;
+ size_t size = maxpacket;
+ while (size > 0) {
+ const ssize_t n = read(STDIN_FILENO, p, size);
+ if (n == 0) {
+ break;
+ }
+ if (n < 0) {
+ fprintf(stderr, "read(): %s\n", strerror(errno));
+ return 1;
+ }
+ size -= n;
+ p += n;
+ }
+ packet_size = p - packet;
+ }
+
+ struct pcap_pkthdr pkthdr;
+ pkthdr.ts.tv_sec = time(NULL);
+ pkthdr.ts.tv_usec = 0;
+ pkthdr.len = packet_size;
+ pkthdr.caplen = packet_size;
+
+ dstip = htonl(0x12345678);
+ pingip_recv(NULL, &pkthdr, packet);
+
+ free(packet);
+ return 0;
+}
+/* ---- Emacs Variables ----
+ * Local Variables:
+ * c-basic-offset: 8
+ * indent-tabs-mode: nil
+ * End:
+ */
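Review bot: The result of `char* const packet = calloc(1, maxpacket);` is never checked, so an allocation failure becomes a write through NULL in the read loop and a NULL packet handed to pingip_recv; add `if (!packet) { perror("calloc"); return 1; }` before the loop. The body also calls `time(NULL)` and `htonl()` without including `<time.h>` or `<arpa/inet.h>`; it likely compiles via headers pulled in transitively by pcap.h or arping.h, but a harness meant to be built with a different compiler (afl-gcc per HACKING.md) should include them explicitly. `main()` should be `int main(void)` to match the rest of the file's prototype style. Both points apply equally to the identical body in the src/fuzz_pingmac.c hunk below.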
diff --git a/src/fuzz_pingmac.c b/src/fuzz_pingmac.c
new file mode 100644
index 0000000..f595e28
--- /dev/null
+++ b/src/fuzz_pingmac.c
@@ -0,0 +1,56 @@
+#include<errno.h>
+#include<string.h>
+#include<stdio.h>
+#include<stdlib.h>
+#include<unistd.h>
+#include<inttypes.h>
+
+#include<pcap.h>
+
+#include"arping.h"
+
+int
+main()
+{
+ const size_t maxpacket = 1500;
+ char* const packet = calloc(1, maxpacket);
+ size_t packet_size = 0;
+
+ // Read packet.
+ {
+ char* p = packet;
+ size_t size = maxpacket;
+ while (size > 0) {
+ const ssize_t n = read(STDIN_FILENO, p, size);
+ if (n == 0) {
+ break;
+ }
+ if (n < 0) {
+ fprintf(stderr, "read(): %s\n", strerror(errno));
+ return 1;
+ }
+ size -= n;
+ p += n;
+ }
+ packet_size = p - packet;
+ }
+
+ struct pcap_pkthdr pkthdr;
+ pkthdr.ts.tv_sec = time(NULL);
+ pkthdr.ts.tv_usec = 0;
+ pkthdr.len = packet_size;
+ pkthdr.caplen = packet_size;
+
+ verbose = 9;
+ dstip = htonl(0x12345678);
+ pingip_recv(NULL, &pkthdr, packet);
+
+ free(packet);
+ return 0;
+}
+/* ---- Emacs Variables ----
+ * Local Variables:
+ * c-basic-offset: 8
+ * indent-tabs-mode: nil
+ * End:
+ */
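Review bot: This harness calls the same entry point as fuzz_pingip.c, `pingip_recv(NULL, &pkthdr, packet);`, so apart from `verbose = 9;` the two files are identical and the MAC-ping receive path the file name suggests is not exercised; if the intent is to cover that handler, this call should target it instead. The file also lacks the GPL header that fuzz_pingip.c carries, and since src/Makefile.am does not list it, nothing builds it. A short purpose comment at the top, such as `/* Fuzz harness: feeds one raw packet from stdin to the receive callback with dstip pinned to a fixed value. */`, would make the intent explicit for whoever wires it into the build.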