
Exceptions while making tests

Open Nassz opened this issue 8 years ago • 8 comments

Some of the requests were successfully sent, but most of them failed:

loaded scenario ./ro-client.scn
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "./ro-client.scn", line 44, in run
    m.send(f)
  File "/root/diafuzzer/Diameter.py", line 153, in send
    f.send(data)
error: [Errno 32] Broken pipe

generated 81 scenarios of fuzzing
absent: <class 'socket.error'>
present 64 times: <class 'socket.error'>
absent: <class 'socket.error'>
present 64 times: <class 'socket.error'>
absent: <class 'socket.error'>
present 64 times: <class 'socket.error'>
absent: <class 'socket.error'>
present 64 times: <class 'socket.error'>
absent: <class 'socket.error'>
present 64 times: <class 'socket.error'>
absent: <class 'socket.error'>
present 64 times: <class 'socket.error'>
absent: <class 'socket.error'>
present 64 times: <class 'socket.error'>
absent: <class 'socket.error'>
present 64 times: <class 'socket.error'>
Origin-Host empty value: <class 'socket.error'>
Origin-Host Generic overflow with 3 bytes: <type 'exceptions.IndexError'>
Origin-Host Generic overflow with 192 bytes: <type 'exceptions.IndexError'>
Origin-Host Generic overflow with 8256 bytes: <type 'exceptions.IndexError'>
Origin-Host Generic overflow with format specifier '%n': <type 'exceptions.IndexError'>
Origin-Host Generic overflow with format specifier '%-1$n': <type 'exceptions.IndexError'>
Origin-Host Generic overflow with format specifier '%4096$n': <type 'exceptions.IndexError'>
Origin-Realm empty value: <class 'socket.error'>
Origin-Realm Generic overflow with 3 bytes: <class 'socket.error'>
Origin-Realm Generic overflow with 192 bytes: <class 'socket.error'>
Origin-Realm Generic overflow with 8256 bytes: <class 'Diameter.IncompleteBuffer'>
Origin-Realm Generic overflow with format specifier '%n': <class 'socket.error'>
Origin-Realm Generic overflow with format specifier '%-1$n': <class 'socket.error'>
Origin-Realm Generic overflow with format specifier '%4096$n': <class 'Diameter.IncompleteBuffer'>
Vendor-Id empty value: <class 'socket.error'>
Vendor-Id Generic overflow with 3 bytes: <class 'socket.error'>
Vendor-Id Generic overflow with 192 bytes: <class 'socket.error'>
Vendor-Id Generic overflow with 8256 bytes: <class 'socket.error'>
Vendor-Id Generic overflow with format specifier '%n': <class 'socket.error'>
Vendor-Id Generic overflow with format specifier '%-1$n': <class 'socket.error'>
Vendor-Id Generic overflow with format specifier '%4096$n': <class 'socket.error'>
Origin-State-Id empty value: <class 'socket.error'>
Origin-State-Id Generic overflow with 3 bytes: <class 'socket.error'>
Origin-State-Id Generic overflow with 192 bytes: <class 'socket.error'>
Origin-State-Id Generic overflow with 8256 bytes: <class 'socket.error'>
Origin-State-Id Generic overflow with format specifier '%n': <class 'socket.error'>
Origin-State-Id Generic overflow with format specifier '%-1$n': <class 'socket.error'>
Origin-State-Id Generic overflow with format specifier '%4096$n': <class 'socket.error'>
Supported-Vendor-Id empty value: <class 'socket.error'>
Supported-Vendor-Id Generic overflow with 3 bytes: <class 'socket.error'>
Supported-Vendor-Id Generic overflow with 192 bytes: <class 'socket.error'>
Supported-Vendor-Id Generic overflow with 8256 bytes: <class 'socket.error'>
Supported-Vendor-Id Generic overflow with format specifier '%n': <class 'socket.error'>
Supported-Vendor-Id Generic overflow with format specifier '%-1$n': <class 'socket.error'>
Supported-Vendor-Id Generic overflow with format specifier '%4096$n': <class 'socket.error'>
Auth-Application-Id empty value: <class 'socket.error'>
Auth-Application-Id Generic overflow with 3 bytes: <class 'socket.error'>
Auth-Application-Id Generic overflow with 192 bytes: <class 'socket.error'>
Auth-Application-Id Generic overflow with 8256 bytes: <class 'socket.error'>
Auth-Application-Id Generic overflow with format specifier '%n': <class 'socket.error'>
Auth-Application-Id Generic overflow with format specifier '%-1$n': <class 'socket.error'>
Auth-Application-Id Generic overflow with format specifier '%4096$n': <class 'socket.error'>
Host-IP-Address empty value: <class 'socket.error'>
Host-IP-Address Generic overflow with 3 bytes: <class 'socket.error'>
Host-IP-Address Generic overflow with 192 bytes: <class 'socket.error'>
Host-IP-Address Generic overflow with 8256 bytes: <class 'socket.error'>
Host-IP-Address Generic overflow with format specifier '%n': <class 'socket.error'>
Host-IP-Address Generic overflow with format specifier '%-1$n': <class 'socket.error'>
Host-IP-Address Generic overflow with format specifier '%4096$n': <class 'socket.error'>
Product-Name UTF8String continuations: <class 'socket.error'>
Product-Name UTF8String continuations: <class 'socket.error'>
Product-Name UTF8String continuations: <class 'socket.error'>
Product-Name UTF8String lonely start: <class 'socket.error'>
Product-Name UTF8String impossible bytes: <class 'socket.error'>
Product-Name UTF8String impossible bytes: <class 'socket.error'>
Product-Name UTF8String overlong: <class 'socket.error'>
Product-Name UTF8String non-characters in 16bits: <class 'socket.error'>
Product-Name UTF8String non-characters in 16bits: <class 'socket.error'>
Product-Name empty value: <class 'socket.error'>
Product-Name Generic overflow with 3 bytes: <class 'socket.error'>
Product-Name Generic overflow with 192 bytes: <class 'socket.error'>
Traceback (most recent call last):
  File "./fuzz.py", line 420, in <module>
    (exc_info, msgs) = fuzz_handler(scenario, f, fuzz)
  File "./fuzz.py", line 364, in fuzz_handler
    m = dm.Msg.decode(b)
  File "/root/diafuzzer/Diameter.py", line 184, in decode
    data = read_exactly(f, length)
  File "/root/diafuzzer/Diameter.py", line 43, in read_exactly
    if len(b) != n: raise IncompleteBuffer()
Diameter.IncompleteBuffer

Nassz avatar Mar 13 '17 14:03 Nassz

Thank you for your feedback. A few questions in order to better understand those errors:

  • SCTP or TCP? Even though the Python code references AF_INET and SOCK_STREAM sockets, tests have only been performed using SCTP. You can use withsctp to transparently switch to SCTP instead of TCP sockets.
  • Are you able to fuzz again and capture a network trace of the fuzzing session? The vast majority of inner exceptions are socket.error. This can be associated with the remote peer tearing down the connection.

gte-itnsec avatar Mar 13 '17 19:03 gte-itnsec

Thank you for your prompt reply.

  • I use only a TCP connection from my Debian testing machine.

This can be associated with the remote peer tearing down the connection.

  • At first I had the same thought, but actually some requests have reached the Diameter server.

Nassz avatar Mar 13 '17 19:03 Nassz

Using TCP will raise some troubles at various levels. Handlers in fuzz.py and unit.py do not expect to receive a partial Diameter message: they do not implement the wait-for-more-bytes-then-retry logic. The function Diameter.Msg.decode shall raise a Diameter.IncompleteBuffer in this case.

README has been updated to add a few sentences regarding SCTP and TCP. TCP is to be supported at a later time.

gte-itnsec avatar Mar 13 '17 20:03 gte-itnsec
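The partial-message problem described in the comment above can be handled with a small stream framer that uses the 24-bit Message Length field of the Diameter header (RFC 6733) and keeps leftover bytes until a whole message has arrived, instead of raising on a short read. This is an added example written for this thread, not code from diafuzzer: it is Python 3, and the message builder, the ValueError on malformed headers and the sample hop-by-hop/end-to-end identifiers are constructed for the demo.

```python
import struct

DIAMETER_HEADER_LEN = 20  # RFC 6733: the fixed Diameter header is 20 bytes


class StreamFramer:
    """Reassemble Diameter messages from a TCP byte stream.

    SCTP delivers one whole message per chunk, so a read-exactly-n decoder
    works. TCP may split a message across segments or pack several into one;
    a decoder that insists on n bytes then fails (IncompleteBuffer above).
    This framer keeps leftover bytes and only returns complete messages.
    """

    def __init__(self):
        self._buf = b""

    def feed(self, data):
        """Append bytes read from the socket; return the complete messages."""
        self._buf += data
        msgs = []
        while len(self._buf) >= DIAMETER_HEADER_LEN:
            version = self._buf[0]
            length = int.from_bytes(self._buf[1:4], "big")  # 24-bit Message Length
            # Length covers header + AVPs and is 4-byte aligned; anything else
            # is not Diameter, and waiting for it would block the reader forever.
            if version != 1 or length < DIAMETER_HEADER_LEN or length % 4:
                raise ValueError("malformed Diameter header: version=%d length=%d"
                                 % (version, length))
            if len(self._buf) < length:
                break  # partial message: keep it buffered and wait for more bytes
            msgs.append(self._buf[:length])
            self._buf = self._buf[length:]
        return msgs

    def pending(self):
        return len(self._buf)  # bytes buffered that do not yet form a message


def build_message(command_code, app_id, payload):
    """Constructed minimal Diameter message for the demo (header + opaque AVP area)."""
    body = payload + b"\x00" * (-len(payload) % 4)  # AVP area padded to 4 bytes
    length = DIAMETER_HEADER_LEN + len(body)
    header = bytes([1]) + length.to_bytes(3, "big")            # version, length
    header += bytes([0x80]) + command_code.to_bytes(3, "big")  # R flag, command code
    header += struct.pack("!III", app_id, 0x1234, 0x5678)      # app id, hop-by-hop, end-to-end
    return header + body
```

A handler built on this framer would call feed() with whatever recv() returns and decode only the messages it hands back, which removes the IncompleteBuffer failure mode over TCP.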

So I should install withsctp first, and afterwards the command will look like this? withsctp ./fuzz.py ip:port

Nassz avatar Mar 13 '17 21:03 Nassz

You are right: prepend withsctp to the command line you run.

On Debian and derivatives, this binary is provided by the lksctp-tools package.

gte-itnsec avatar Mar 14 '17 05:03 gte-itnsec

Thank you for your valuable effort. When do you plan to implement TCP support?

Nassz avatar Mar 14 '17 07:03 Nassz

Any news about TCP?

Nassz avatar Apr 28 '17 06:04 Nassz

I see that some modifications were made, any news about TCP implementation?

Nassz avatar Jul 24 '17 15:07 Nassz