1 /* @generated by `generate-fortify-tests.lua "socket"` */
2
3 #define _FORTIFY_SOURCE 2
4 #define TMPFILE_SIZE (1024 * 32)
5
6 #include <sys/param.h>
7 #include <sys/random.h>
8 #include <sys/resource.h>
9 #include <sys/select.h>
10 #include <sys/socket.h>
11 #include <sys/time.h>
12 #include <sys/uio.h>
13 #include <sys/wait.h>
14 #include <dirent.h>
15 #include <errno.h>
16 #include <fcntl.h>
17 #include <limits.h>
18 #include <poll.h>
19 #include <signal.h>
20 #include <stdio.h>
21 #include <stdlib.h>
22 #include <string.h>
23 #include <strings.h>
24 #include <sysexits.h>
25 #include <unistd.h>
26 #include <wchar.h>
27 #include <atf-c.h>
28
29 static FILE * __unused
new_fp(size_t __len)30 new_fp(size_t __len)
31 {
32 static char fpbuf[LINE_MAX];
33 FILE *fp;
34
35 ATF_REQUIRE(__len <= sizeof(fpbuf));
36
37 memset(fpbuf, 'A', sizeof(fpbuf) - 1);
38 fpbuf[sizeof(fpbuf) - 1] = '\0';
39
40 fp = fmemopen(fpbuf, sizeof(fpbuf), "rb");
41 ATF_REQUIRE(fp != NULL);
42
43 return (fp);
44 }
45
46 /*
47 * Create a new symlink to use for readlink(2) style tests, we'll just use a
48 * random target name to have something interesting to look at.
49 */
50 static const char * __unused
new_symlink(size_t __len)51 new_symlink(size_t __len)
52 {
53 static const char linkname[] = "link";
54 char target[MAXNAMLEN];
55 int error;
56
57 ATF_REQUIRE(__len <= sizeof(target));
58
59 arc4random_buf(target, sizeof(target));
60
61 error = unlink(linkname);
62 ATF_REQUIRE(error == 0 || errno == ENOENT);
63
64 error = symlink(target, linkname);
65 ATF_REQUIRE(error == 0);
66
67 return (linkname);
68 }
69
70 /*
71 * For our purposes, first descriptor will be the reader; we'll send both
72 * raw data and a control message over it so that the result can be used for
73 * any of our recv*() tests.
74 */
75 static void __unused
new_socket(int sock[2])76 new_socket(int sock[2])
77 {
78 unsigned char ctrl[CMSG_SPACE(sizeof(int))] = { 0 };
79 static char sockbuf[256];
80 ssize_t rv;
81 size_t total = 0;
82 struct msghdr hdr = { 0 };
83 struct cmsghdr *cmsg;
84 int error, fd;
85
86 error = socketpair(AF_UNIX, SOCK_STREAM, 0, sock);
87 ATF_REQUIRE(error == 0);
88
89 while (total != sizeof(sockbuf)) {
90 rv = send(sock[1], &sockbuf[total], sizeof(sockbuf) - total, 0);
91
92 ATF_REQUIRE_MSG(rv > 0,
93 "expected bytes sent, got %zd with %zu left (size %zu, total %zu)",
94 rv, sizeof(sockbuf) - total, sizeof(sockbuf), total);
95 ATF_REQUIRE_MSG(total + (size_t)rv <= sizeof(sockbuf),
96 "%zd exceeds total %zu", rv, sizeof(sockbuf));
97 total += rv;
98 }
99
100 hdr.msg_control = ctrl;
101 hdr.msg_controllen = sizeof(ctrl);
102
103 cmsg = CMSG_FIRSTHDR(&hdr);
104 cmsg->cmsg_level = SOL_SOCKET;
105 cmsg->cmsg_type = SCM_RIGHTS;
106 cmsg->cmsg_len = CMSG_LEN(sizeof(fd));
107 fd = STDIN_FILENO;
108 memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd));
109
110 error = sendmsg(sock[1], &hdr, 0);
111 ATF_REQUIRE(error != -1);
112 }
113
114 /*
115 * Constructs a tmpfile that we can use for testing read(2) and friends.
116 */
117 static int __unused
new_tmpfile(void)118 new_tmpfile(void)
119 {
120 char buf[1024];
121 ssize_t rv;
122 size_t written;
123 int fd;
124
125 fd = open("tmpfile", O_RDWR | O_CREAT | O_TRUNC, 0644);
126 ATF_REQUIRE(fd >= 0);
127
128 written = 0;
129 while (written < TMPFILE_SIZE) {
130 rv = write(fd, buf, sizeof(buf));
131 ATF_REQUIRE(rv > 0);
132
133 written += rv;
134 }
135
136 ATF_REQUIRE_EQ(0, lseek(fd, 0, SEEK_SET));
137 return (fd);
138 }
139
140 static void
disable_coredumps(void)141 disable_coredumps(void)
142 {
143 struct rlimit rl = { 0 };
144
145 if (setrlimit(RLIMIT_CORE, &rl) == -1)
146 _exit(EX_OSERR);
147 }
148
149 /*
150 * Replaces stdin with a file that we can actually read from, for tests where
151 * we want a FILE * or fd that we can get data from.
152 */
153 static void __unused
replace_stdin(void)154 replace_stdin(void)
155 {
156 int fd;
157
158 fd = new_tmpfile();
159
160 (void)dup2(fd, STDIN_FILENO);
161 if (fd != STDIN_FILENO)
162 close(fd);
163 }
164
165 ATF_TC_WITHOUT_HEAD(getpeername_before_end);
ATF_TC_BODY(getpeername_before_end,tc)166 ATF_TC_BODY(getpeername_before_end, tc)
167 {
168 #define BUF &__stack.__buf
169 struct {
170 uint8_t padding_l;
171 struct sockaddr __buf;
172 uint8_t padding_r;
173 } __stack;
174 const size_t __bufsz __unused = sizeof(__stack.__buf);
175 const size_t __len = sizeof(struct sockaddr) - 1;
176 const size_t __idx __unused = __len - 1;
177 int sock[2] = { -1, -1 };
178 socklen_t socklen;
179 new_socket(sock);
180 socklen = __len;
181
182 getpeername(sock[0], &__stack.__buf, &socklen);
183 #undef BUF
184
185 }
186
187 ATF_TC_WITHOUT_HEAD(getpeername_end);
ATF_TC_BODY(getpeername_end,tc)188 ATF_TC_BODY(getpeername_end, tc)
189 {
190 #define BUF &__stack.__buf
191 struct {
192 uint8_t padding_l;
193 struct sockaddr __buf;
194 uint8_t padding_r;
195 } __stack;
196 const size_t __bufsz __unused = sizeof(__stack.__buf);
197 const size_t __len = sizeof(struct sockaddr);
198 const size_t __idx __unused = __len - 1;
199 int sock[2] = { -1, -1 };
200 socklen_t socklen;
201 new_socket(sock);
202 socklen = __len;
203
204 getpeername(sock[0], &__stack.__buf, &socklen);
205 #undef BUF
206
207 }
208
209 ATF_TC_WITHOUT_HEAD(getpeername_heap_before_end);
ATF_TC_BODY(getpeername_heap_before_end,tc)210 ATF_TC_BODY(getpeername_heap_before_end, tc)
211 {
212 #define BUF __stack.__buf
213 struct {
214 uint8_t padding_l;
215 struct sockaddr * __buf;
216 uint8_t padding_r;
217 } __stack;
218 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
219 const size_t __len = sizeof(struct sockaddr) - 1;
220 const size_t __idx __unused = __len - 1;
221 int sock[2] = { -1, -1 };
222 socklen_t socklen;
223 __stack.__buf = malloc(__bufsz);
224 new_socket(sock);
225 socklen = __len;
226
227 getpeername(sock[0], __stack.__buf, &socklen);
228 #undef BUF
229
230 }
231
232 ATF_TC_WITHOUT_HEAD(getpeername_heap_end);
ATF_TC_BODY(getpeername_heap_end,tc)233 ATF_TC_BODY(getpeername_heap_end, tc)
234 {
235 #define BUF __stack.__buf
236 struct {
237 uint8_t padding_l;
238 struct sockaddr * __buf;
239 uint8_t padding_r;
240 } __stack;
241 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
242 const size_t __len = sizeof(struct sockaddr);
243 const size_t __idx __unused = __len - 1;
244 int sock[2] = { -1, -1 };
245 socklen_t socklen;
246 __stack.__buf = malloc(__bufsz);
247 new_socket(sock);
248 socklen = __len;
249
250 getpeername(sock[0], __stack.__buf, &socklen);
251 #undef BUF
252
253 }
254
255 ATF_TC_WITHOUT_HEAD(getpeername_heap_after_end);
ATF_TC_BODY(getpeername_heap_after_end,tc)256 ATF_TC_BODY(getpeername_heap_after_end, tc)
257 {
258 #define BUF __stack.__buf
259 struct {
260 uint8_t padding_l;
261 struct sockaddr * __buf;
262 uint8_t padding_r;
263 } __stack;
264 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
265 const size_t __len = sizeof(struct sockaddr) + 1;
266 const size_t __idx __unused = __len - 1;
267 pid_t __child;
268 int __status;
269 int sock[2] = { -1, -1 };
270 socklen_t socklen;
271 __child = fork();
272 ATF_REQUIRE(__child >= 0);
273 if (__child > 0)
274 goto monitor;
275
276 /* Child */
277 disable_coredumps();
278 __stack.__buf = malloc(__bufsz);
279 new_socket(sock);
280 socklen = __len;
281
282 getpeername(sock[0], __stack.__buf, &socklen);
283 _exit(EX_SOFTWARE); /* Should have aborted. */
284
285 monitor:
286 while (waitpid(__child, &__status, 0) != __child) {
287 ATF_REQUIRE_EQ(EINTR, errno);
288 }
289
290 if (!WIFSIGNALED(__status)) {
291 switch (WEXITSTATUS(__status)) {
292 case EX_SOFTWARE:
293 atf_tc_fail("FORTIFY_SOURCE failed to abort");
294 break;
295 case EX_OSERR:
296 atf_tc_fail("setrlimit(2) failed");
297 break;
298 default:
299 atf_tc_fail("child exited with status %d",
300 WEXITSTATUS(__status));
301 }
302 } else {
303 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
304 }
305 #undef BUF
306
307 }
308
309 ATF_TC_WITHOUT_HEAD(getsockname_before_end);
ATF_TC_BODY(getsockname_before_end,tc)310 ATF_TC_BODY(getsockname_before_end, tc)
311 {
312 #define BUF &__stack.__buf
313 struct {
314 uint8_t padding_l;
315 struct sockaddr __buf;
316 uint8_t padding_r;
317 } __stack;
318 const size_t __bufsz __unused = sizeof(__stack.__buf);
319 const size_t __len = sizeof(struct sockaddr) - 1;
320 const size_t __idx __unused = __len - 1;
321 int sock[2] = { -1, -1 };
322 socklen_t socklen;
323 new_socket(sock);
324 socklen = __len;
325
326 getsockname(sock[0], &__stack.__buf, &socklen);
327 #undef BUF
328
329 }
330
331 ATF_TC_WITHOUT_HEAD(getsockname_end);
ATF_TC_BODY(getsockname_end,tc)332 ATF_TC_BODY(getsockname_end, tc)
333 {
334 #define BUF &__stack.__buf
335 struct {
336 uint8_t padding_l;
337 struct sockaddr __buf;
338 uint8_t padding_r;
339 } __stack;
340 const size_t __bufsz __unused = sizeof(__stack.__buf);
341 const size_t __len = sizeof(struct sockaddr);
342 const size_t __idx __unused = __len - 1;
343 int sock[2] = { -1, -1 };
344 socklen_t socklen;
345 new_socket(sock);
346 socklen = __len;
347
348 getsockname(sock[0], &__stack.__buf, &socklen);
349 #undef BUF
350
351 }
352
353 ATF_TC_WITHOUT_HEAD(getsockname_heap_before_end);
ATF_TC_BODY(getsockname_heap_before_end,tc)354 ATF_TC_BODY(getsockname_heap_before_end, tc)
355 {
356 #define BUF __stack.__buf
357 struct {
358 uint8_t padding_l;
359 struct sockaddr * __buf;
360 uint8_t padding_r;
361 } __stack;
362 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
363 const size_t __len = sizeof(struct sockaddr) - 1;
364 const size_t __idx __unused = __len - 1;
365 int sock[2] = { -1, -1 };
366 socklen_t socklen;
367 __stack.__buf = malloc(__bufsz);
368 new_socket(sock);
369 socklen = __len;
370
371 getsockname(sock[0], __stack.__buf, &socklen);
372 #undef BUF
373
374 }
375
376 ATF_TC_WITHOUT_HEAD(getsockname_heap_end);
ATF_TC_BODY(getsockname_heap_end,tc)377 ATF_TC_BODY(getsockname_heap_end, tc)
378 {
379 #define BUF __stack.__buf
380 struct {
381 uint8_t padding_l;
382 struct sockaddr * __buf;
383 uint8_t padding_r;
384 } __stack;
385 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
386 const size_t __len = sizeof(struct sockaddr);
387 const size_t __idx __unused = __len - 1;
388 int sock[2] = { -1, -1 };
389 socklen_t socklen;
390 __stack.__buf = malloc(__bufsz);
391 new_socket(sock);
392 socklen = __len;
393
394 getsockname(sock[0], __stack.__buf, &socklen);
395 #undef BUF
396
397 }
398
399 ATF_TC_WITHOUT_HEAD(getsockname_heap_after_end);
ATF_TC_BODY(getsockname_heap_after_end,tc)400 ATF_TC_BODY(getsockname_heap_after_end, tc)
401 {
402 #define BUF __stack.__buf
403 struct {
404 uint8_t padding_l;
405 struct sockaddr * __buf;
406 uint8_t padding_r;
407 } __stack;
408 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
409 const size_t __len = sizeof(struct sockaddr) + 1;
410 const size_t __idx __unused = __len - 1;
411 pid_t __child;
412 int __status;
413 int sock[2] = { -1, -1 };
414 socklen_t socklen;
415 __child = fork();
416 ATF_REQUIRE(__child >= 0);
417 if (__child > 0)
418 goto monitor;
419
420 /* Child */
421 disable_coredumps();
422 __stack.__buf = malloc(__bufsz);
423 new_socket(sock);
424 socklen = __len;
425
426 getsockname(sock[0], __stack.__buf, &socklen);
427 _exit(EX_SOFTWARE); /* Should have aborted. */
428
429 monitor:
430 while (waitpid(__child, &__status, 0) != __child) {
431 ATF_REQUIRE_EQ(EINTR, errno);
432 }
433
434 if (!WIFSIGNALED(__status)) {
435 switch (WEXITSTATUS(__status)) {
436 case EX_SOFTWARE:
437 atf_tc_fail("FORTIFY_SOURCE failed to abort");
438 break;
439 case EX_OSERR:
440 atf_tc_fail("setrlimit(2) failed");
441 break;
442 default:
443 atf_tc_fail("child exited with status %d",
444 WEXITSTATUS(__status));
445 }
446 } else {
447 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
448 }
449 #undef BUF
450
451 }
452
453 ATF_TC_WITHOUT_HEAD(recv_before_end);
ATF_TC_BODY(recv_before_end,tc)454 ATF_TC_BODY(recv_before_end, tc)
455 {
456 #define BUF &__stack.__buf
457 struct {
458 uint8_t padding_l;
459 unsigned char __buf[42];
460 uint8_t padding_r;
461 } __stack;
462 const size_t __bufsz __unused = sizeof(__stack.__buf);
463 const size_t __len = 42 - 1;
464 const size_t __idx __unused = __len - 1;
465 int sock[2] = { -1, -1 };
466
467 new_socket(sock);
468
469 recv(sock[0], __stack.__buf, __len, 0);
470 #undef BUF
471
472 }
473
474 ATF_TC_WITHOUT_HEAD(recv_end);
ATF_TC_BODY(recv_end,tc)475 ATF_TC_BODY(recv_end, tc)
476 {
477 #define BUF &__stack.__buf
478 struct {
479 uint8_t padding_l;
480 unsigned char __buf[42];
481 uint8_t padding_r;
482 } __stack;
483 const size_t __bufsz __unused = sizeof(__stack.__buf);
484 const size_t __len = 42;
485 const size_t __idx __unused = __len - 1;
486 int sock[2] = { -1, -1 };
487
488 new_socket(sock);
489
490 recv(sock[0], __stack.__buf, __len, 0);
491 #undef BUF
492
493 }
494
495 ATF_TC_WITHOUT_HEAD(recv_heap_before_end);
ATF_TC_BODY(recv_heap_before_end,tc)496 ATF_TC_BODY(recv_heap_before_end, tc)
497 {
498 #define BUF __stack.__buf
499 struct {
500 uint8_t padding_l;
501 unsigned char * __buf;
502 uint8_t padding_r;
503 } __stack;
504 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
505 const size_t __len = 42 - 1;
506 const size_t __idx __unused = __len - 1;
507 int sock[2] = { -1, -1 };
508
509 __stack.__buf = malloc(__bufsz);
510 new_socket(sock);
511
512 recv(sock[0], __stack.__buf, __len, 0);
513 #undef BUF
514
515 }
516
517 ATF_TC_WITHOUT_HEAD(recv_heap_end);
ATF_TC_BODY(recv_heap_end,tc)518 ATF_TC_BODY(recv_heap_end, tc)
519 {
520 #define BUF __stack.__buf
521 struct {
522 uint8_t padding_l;
523 unsigned char * __buf;
524 uint8_t padding_r;
525 } __stack;
526 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
527 const size_t __len = 42;
528 const size_t __idx __unused = __len - 1;
529 int sock[2] = { -1, -1 };
530
531 __stack.__buf = malloc(__bufsz);
532 new_socket(sock);
533
534 recv(sock[0], __stack.__buf, __len, 0);
535 #undef BUF
536
537 }
538
539 ATF_TC_WITHOUT_HEAD(recv_heap_after_end);
ATF_TC_BODY(recv_heap_after_end,tc)540 ATF_TC_BODY(recv_heap_after_end, tc)
541 {
542 #define BUF __stack.__buf
543 struct {
544 uint8_t padding_l;
545 unsigned char * __buf;
546 uint8_t padding_r;
547 } __stack;
548 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
549 const size_t __len = 42 + 1;
550 const size_t __idx __unused = __len - 1;
551 pid_t __child;
552 int __status;
553 int sock[2] = { -1, -1 };
554
555 __child = fork();
556 ATF_REQUIRE(__child >= 0);
557 if (__child > 0)
558 goto monitor;
559
560 /* Child */
561 disable_coredumps();
562 __stack.__buf = malloc(__bufsz);
563 new_socket(sock);
564
565 recv(sock[0], __stack.__buf, __len, 0);
566 _exit(EX_SOFTWARE); /* Should have aborted. */
567
568 monitor:
569 while (waitpid(__child, &__status, 0) != __child) {
570 ATF_REQUIRE_EQ(EINTR, errno);
571 }
572
573 if (!WIFSIGNALED(__status)) {
574 switch (WEXITSTATUS(__status)) {
575 case EX_SOFTWARE:
576 atf_tc_fail("FORTIFY_SOURCE failed to abort");
577 break;
578 case EX_OSERR:
579 atf_tc_fail("setrlimit(2) failed");
580 break;
581 default:
582 atf_tc_fail("child exited with status %d",
583 WEXITSTATUS(__status));
584 }
585 } else {
586 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
587 }
588 #undef BUF
589
590 }
591
592 ATF_TC_WITHOUT_HEAD(recvfrom_before_end);
ATF_TC_BODY(recvfrom_before_end,tc)593 ATF_TC_BODY(recvfrom_before_end, tc)
594 {
595 #define BUF &__stack.__buf
596 struct {
597 uint8_t padding_l;
598 unsigned char __buf[42];
599 uint8_t padding_r;
600 } __stack;
601 const size_t __bufsz __unused = sizeof(__stack.__buf);
602 const size_t __len = 42 - 1;
603 const size_t __idx __unused = __len - 1;
604 int sock[2] = { -1, -1 };
605
606 new_socket(sock);
607
608 recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL);
609 #undef BUF
610
611 }
612
613 ATF_TC_WITHOUT_HEAD(recvfrom_end);
ATF_TC_BODY(recvfrom_end,tc)614 ATF_TC_BODY(recvfrom_end, tc)
615 {
616 #define BUF &__stack.__buf
617 struct {
618 uint8_t padding_l;
619 unsigned char __buf[42];
620 uint8_t padding_r;
621 } __stack;
622 const size_t __bufsz __unused = sizeof(__stack.__buf);
623 const size_t __len = 42;
624 const size_t __idx __unused = __len - 1;
625 int sock[2] = { -1, -1 };
626
627 new_socket(sock);
628
629 recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL);
630 #undef BUF
631
632 }
633
634 ATF_TC_WITHOUT_HEAD(recvfrom_heap_before_end);
ATF_TC_BODY(recvfrom_heap_before_end,tc)635 ATF_TC_BODY(recvfrom_heap_before_end, tc)
636 {
637 #define BUF __stack.__buf
638 struct {
639 uint8_t padding_l;
640 unsigned char * __buf;
641 uint8_t padding_r;
642 } __stack;
643 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
644 const size_t __len = 42 - 1;
645 const size_t __idx __unused = __len - 1;
646 int sock[2] = { -1, -1 };
647
648 __stack.__buf = malloc(__bufsz);
649 new_socket(sock);
650
651 recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL);
652 #undef BUF
653
654 }
655
656 ATF_TC_WITHOUT_HEAD(recvfrom_heap_end);
ATF_TC_BODY(recvfrom_heap_end,tc)657 ATF_TC_BODY(recvfrom_heap_end, tc)
658 {
659 #define BUF __stack.__buf
660 struct {
661 uint8_t padding_l;
662 unsigned char * __buf;
663 uint8_t padding_r;
664 } __stack;
665 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
666 const size_t __len = 42;
667 const size_t __idx __unused = __len - 1;
668 int sock[2] = { -1, -1 };
669
670 __stack.__buf = malloc(__bufsz);
671 new_socket(sock);
672
673 recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL);
674 #undef BUF
675
676 }
677
678 ATF_TC_WITHOUT_HEAD(recvfrom_heap_after_end);
ATF_TC_BODY(recvfrom_heap_after_end,tc)679 ATF_TC_BODY(recvfrom_heap_after_end, tc)
680 {
681 #define BUF __stack.__buf
682 struct {
683 uint8_t padding_l;
684 unsigned char * __buf;
685 uint8_t padding_r;
686 } __stack;
687 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
688 const size_t __len = 42 + 1;
689 const size_t __idx __unused = __len - 1;
690 pid_t __child;
691 int __status;
692 int sock[2] = { -1, -1 };
693
694 __child = fork();
695 ATF_REQUIRE(__child >= 0);
696 if (__child > 0)
697 goto monitor;
698
699 /* Child */
700 disable_coredumps();
701 __stack.__buf = malloc(__bufsz);
702 new_socket(sock);
703
704 recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL);
705 _exit(EX_SOFTWARE); /* Should have aborted. */
706
707 monitor:
708 while (waitpid(__child, &__status, 0) != __child) {
709 ATF_REQUIRE_EQ(EINTR, errno);
710 }
711
712 if (!WIFSIGNALED(__status)) {
713 switch (WEXITSTATUS(__status)) {
714 case EX_SOFTWARE:
715 atf_tc_fail("FORTIFY_SOURCE failed to abort");
716 break;
717 case EX_OSERR:
718 atf_tc_fail("setrlimit(2) failed");
719 break;
720 default:
721 atf_tc_fail("child exited with status %d",
722 WEXITSTATUS(__status));
723 }
724 } else {
725 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
726 }
727 #undef BUF
728
729 }
730
731 ATF_TC_WITHOUT_HEAD(recvfrom_sockaddr_before_end);
ATF_TC_BODY(recvfrom_sockaddr_before_end,tc)732 ATF_TC_BODY(recvfrom_sockaddr_before_end, tc)
733 {
734 #define BUF &__stack.__buf
735 struct {
736 uint8_t padding_l;
737 struct sockaddr __buf;
738 uint8_t padding_r;
739 } __stack;
740 const size_t __bufsz __unused = sizeof(__stack.__buf);
741 const size_t __len = sizeof(struct sockaddr) - 1;
742 const size_t __idx __unused = __len - 1;
743 int sock[2] = { -1, -1 };
744 char data[16];
745 socklen_t socklen;
746
747 new_socket(sock);
748 socklen = __len;
749
750 recvfrom(sock[0], data, sizeof(data), 0, &__stack.__buf, &socklen);
751 #undef BUF
752
753 }
754
755 ATF_TC_WITHOUT_HEAD(recvfrom_sockaddr_end);
ATF_TC_BODY(recvfrom_sockaddr_end,tc)756 ATF_TC_BODY(recvfrom_sockaddr_end, tc)
757 {
758 #define BUF &__stack.__buf
759 struct {
760 uint8_t padding_l;
761 struct sockaddr __buf;
762 uint8_t padding_r;
763 } __stack;
764 const size_t __bufsz __unused = sizeof(__stack.__buf);
765 const size_t __len = sizeof(struct sockaddr);
766 const size_t __idx __unused = __len - 1;
767 int sock[2] = { -1, -1 };
768 char data[16];
769 socklen_t socklen;
770
771 new_socket(sock);
772 socklen = __len;
773
774 recvfrom(sock[0], data, sizeof(data), 0, &__stack.__buf, &socklen);
775 #undef BUF
776
777 }
778
779 ATF_TC_WITHOUT_HEAD(recvfrom_sockaddr_heap_before_end);
ATF_TC_BODY(recvfrom_sockaddr_heap_before_end,tc)780 ATF_TC_BODY(recvfrom_sockaddr_heap_before_end, tc)
781 {
782 #define BUF __stack.__buf
783 struct {
784 uint8_t padding_l;
785 struct sockaddr * __buf;
786 uint8_t padding_r;
787 } __stack;
788 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
789 const size_t __len = sizeof(struct sockaddr) - 1;
790 const size_t __idx __unused = __len - 1;
791 int sock[2] = { -1, -1 };
792 char data[16];
793 socklen_t socklen;
794
795 __stack.__buf = malloc(__bufsz);
796 new_socket(sock);
797 socklen = __len;
798
799 recvfrom(sock[0], data, sizeof(data), 0, __stack.__buf, &socklen);
800 #undef BUF
801
802 }
803
804 ATF_TC_WITHOUT_HEAD(recvfrom_sockaddr_heap_end);
ATF_TC_BODY(recvfrom_sockaddr_heap_end,tc)805 ATF_TC_BODY(recvfrom_sockaddr_heap_end, tc)
806 {
807 #define BUF __stack.__buf
808 struct {
809 uint8_t padding_l;
810 struct sockaddr * __buf;
811 uint8_t padding_r;
812 } __stack;
813 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
814 const size_t __len = sizeof(struct sockaddr);
815 const size_t __idx __unused = __len - 1;
816 int sock[2] = { -1, -1 };
817 char data[16];
818 socklen_t socklen;
819
820 __stack.__buf = malloc(__bufsz);
821 new_socket(sock);
822 socklen = __len;
823
824 recvfrom(sock[0], data, sizeof(data), 0, __stack.__buf, &socklen);
825 #undef BUF
826
827 }
828
829 ATF_TC_WITHOUT_HEAD(recvfrom_sockaddr_heap_after_end);
ATF_TC_BODY(recvfrom_sockaddr_heap_after_end,tc)830 ATF_TC_BODY(recvfrom_sockaddr_heap_after_end, tc)
831 {
832 #define BUF __stack.__buf
833 struct {
834 uint8_t padding_l;
835 struct sockaddr * __buf;
836 uint8_t padding_r;
837 } __stack;
838 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
839 const size_t __len = sizeof(struct sockaddr) + 1;
840 const size_t __idx __unused = __len - 1;
841 pid_t __child;
842 int __status;
843 int sock[2] = { -1, -1 };
844 char data[16];
845 socklen_t socklen;
846
847 __child = fork();
848 ATF_REQUIRE(__child >= 0);
849 if (__child > 0)
850 goto monitor;
851
852 /* Child */
853 disable_coredumps();
854 __stack.__buf = malloc(__bufsz);
855 new_socket(sock);
856 socklen = __len;
857
858 recvfrom(sock[0], data, sizeof(data), 0, __stack.__buf, &socklen);
859 _exit(EX_SOFTWARE); /* Should have aborted. */
860
861 monitor:
862 while (waitpid(__child, &__status, 0) != __child) {
863 ATF_REQUIRE_EQ(EINTR, errno);
864 }
865
866 if (!WIFSIGNALED(__status)) {
867 switch (WEXITSTATUS(__status)) {
868 case EX_SOFTWARE:
869 atf_tc_fail("FORTIFY_SOURCE failed to abort");
870 break;
871 case EX_OSERR:
872 atf_tc_fail("setrlimit(2) failed");
873 break;
874 default:
875 atf_tc_fail("child exited with status %d",
876 WEXITSTATUS(__status));
877 }
878 } else {
879 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
880 }
881 #undef BUF
882
883 }
884
885 ATF_TC_WITHOUT_HEAD(recvmsg_msg_name_before_end);
ATF_TC_BODY(recvmsg_msg_name_before_end,tc)886 ATF_TC_BODY(recvmsg_msg_name_before_end, tc)
887 {
888 #define BUF &__stack.__buf
889 struct {
890 uint8_t padding_l;
891 struct sockaddr __buf;
892 uint8_t padding_r;
893 } __stack;
894 const size_t __bufsz __unused = sizeof(__stack.__buf);
895 const size_t __len = sizeof(struct sockaddr) - 1;
896 const size_t __idx __unused = __len - 1;
897 int sock[2] = { -1, -1 };
898 struct msghdr msg;
899
900 memset(&msg, 0, sizeof(msg));
901 msg.msg_name = BUF;
902 msg.msg_namelen = __len;
903
904 recvmsg(sock[0], &msg, 0);
905 #undef BUF
906
907 }
908
909 ATF_TC_WITHOUT_HEAD(recvmsg_msg_name_end);
ATF_TC_BODY(recvmsg_msg_name_end,tc)910 ATF_TC_BODY(recvmsg_msg_name_end, tc)
911 {
912 #define BUF &__stack.__buf
913 struct {
914 uint8_t padding_l;
915 struct sockaddr __buf;
916 uint8_t padding_r;
917 } __stack;
918 const size_t __bufsz __unused = sizeof(__stack.__buf);
919 const size_t __len = sizeof(struct sockaddr);
920 const size_t __idx __unused = __len - 1;
921 int sock[2] = { -1, -1 };
922 struct msghdr msg;
923
924 memset(&msg, 0, sizeof(msg));
925 msg.msg_name = BUF;
926 msg.msg_namelen = __len;
927
928 recvmsg(sock[0], &msg, 0);
929 #undef BUF
930
931 }
932
933 ATF_TC_WITHOUT_HEAD(recvmsg_msg_name_heap_before_end);
ATF_TC_BODY(recvmsg_msg_name_heap_before_end,tc)934 ATF_TC_BODY(recvmsg_msg_name_heap_before_end, tc)
935 {
936 #define BUF __stack.__buf
937 struct {
938 uint8_t padding_l;
939 struct sockaddr * __buf;
940 uint8_t padding_r;
941 } __stack;
942 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
943 const size_t __len = sizeof(struct sockaddr) - 1;
944 const size_t __idx __unused = __len - 1;
945 int sock[2] = { -1, -1 };
946 struct msghdr msg;
947
948 __stack.__buf = malloc(__bufsz);
949 memset(&msg, 0, sizeof(msg));
950 msg.msg_name = BUF;
951 msg.msg_namelen = __len;
952
953 recvmsg(sock[0], &msg, 0);
954 #undef BUF
955
956 }
957
958 ATF_TC_WITHOUT_HEAD(recvmsg_msg_name_heap_end);
ATF_TC_BODY(recvmsg_msg_name_heap_end,tc)959 ATF_TC_BODY(recvmsg_msg_name_heap_end, tc)
960 {
961 #define BUF __stack.__buf
962 struct {
963 uint8_t padding_l;
964 struct sockaddr * __buf;
965 uint8_t padding_r;
966 } __stack;
967 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
968 const size_t __len = sizeof(struct sockaddr);
969 const size_t __idx __unused = __len - 1;
970 int sock[2] = { -1, -1 };
971 struct msghdr msg;
972
973 __stack.__buf = malloc(__bufsz);
974 memset(&msg, 0, sizeof(msg));
975 msg.msg_name = BUF;
976 msg.msg_namelen = __len;
977
978 recvmsg(sock[0], &msg, 0);
979 #undef BUF
980
981 }
982
983 ATF_TC_WITHOUT_HEAD(recvmsg_msg_name_heap_after_end);
ATF_TC_BODY(recvmsg_msg_name_heap_after_end,tc)984 ATF_TC_BODY(recvmsg_msg_name_heap_after_end, tc)
985 {
986 #define BUF __stack.__buf
987 struct {
988 uint8_t padding_l;
989 struct sockaddr * __buf;
990 uint8_t padding_r;
991 } __stack;
992 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
993 const size_t __len = sizeof(struct sockaddr) + 1;
994 const size_t __idx __unused = __len - 1;
995 pid_t __child;
996 int __status;
997 int sock[2] = { -1, -1 };
998 struct msghdr msg;
999
1000 __child = fork();
1001 ATF_REQUIRE(__child >= 0);
1002 if (__child > 0)
1003 goto monitor;
1004
1005 /* Child */
1006 disable_coredumps();
1007 __stack.__buf = malloc(__bufsz);
1008 memset(&msg, 0, sizeof(msg));
1009 msg.msg_name = BUF;
1010 msg.msg_namelen = __len;
1011
1012 recvmsg(sock[0], &msg, 0);
1013 _exit(EX_SOFTWARE); /* Should have aborted. */
1014
1015 monitor:
1016 while (waitpid(__child, &__status, 0) != __child) {
1017 ATF_REQUIRE_EQ(EINTR, errno);
1018 }
1019
1020 if (!WIFSIGNALED(__status)) {
1021 switch (WEXITSTATUS(__status)) {
1022 case EX_SOFTWARE:
1023 atf_tc_fail("FORTIFY_SOURCE failed to abort");
1024 break;
1025 case EX_OSERR:
1026 atf_tc_fail("setrlimit(2) failed");
1027 break;
1028 default:
1029 atf_tc_fail("child exited with status %d",
1030 WEXITSTATUS(__status));
1031 }
1032 } else {
1033 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1034 }
1035 #undef BUF
1036
1037 }
1038
1039 ATF_TC_WITHOUT_HEAD(recvmsg_msg_iov_before_end);
ATF_TC_BODY(recvmsg_msg_iov_before_end,tc)1040 ATF_TC_BODY(recvmsg_msg_iov_before_end, tc)
1041 {
1042 #define BUF &__stack.__buf
1043 struct {
1044 uint8_t padding_l;
1045 unsigned char __buf[42];
1046 uint8_t padding_r;
1047 } __stack;
1048 const size_t __bufsz __unused = sizeof(__stack.__buf);
1049 const size_t __len = 42 - 1;
1050 const size_t __idx __unused = __len - 1;
1051 int sock[2] = { -1, -1 };
1052 struct msghdr msg;
1053 struct iovec iov[2];
1054
1055 memset(&msg, 0, sizeof(msg));
1056 memset(&iov[0], 0, sizeof(iov));
1057
1058 /*
1059 * We position the buffer second just so that we can confirm that the
1060 * fortification bits are traversing the iovec correctly.
1061 */
1062 iov[1].iov_base = BUF;
1063 iov[1].iov_len = __len;
1064
1065 msg.msg_iov = &iov[0];
1066 msg.msg_iovlen = nitems(iov);
1067
1068 recvmsg(sock[0], &msg, 0);
1069 #undef BUF
1070
1071 }
1072
1073 ATF_TC_WITHOUT_HEAD(recvmsg_msg_iov_end);
ATF_TC_BODY(recvmsg_msg_iov_end,tc)1074 ATF_TC_BODY(recvmsg_msg_iov_end, tc)
1075 {
1076 #define BUF &__stack.__buf
1077 struct {
1078 uint8_t padding_l;
1079 unsigned char __buf[42];
1080 uint8_t padding_r;
1081 } __stack;
1082 const size_t __bufsz __unused = sizeof(__stack.__buf);
1083 const size_t __len = 42;
1084 const size_t __idx __unused = __len - 1;
1085 int sock[2] = { -1, -1 };
1086 struct msghdr msg;
1087 struct iovec iov[2];
1088
1089 memset(&msg, 0, sizeof(msg));
1090 memset(&iov[0], 0, sizeof(iov));
1091
1092 /*
1093 * We position the buffer second just so that we can confirm that the
1094 * fortification bits are traversing the iovec correctly.
1095 */
1096 iov[1].iov_base = BUF;
1097 iov[1].iov_len = __len;
1098
1099 msg.msg_iov = &iov[0];
1100 msg.msg_iovlen = nitems(iov);
1101
1102 recvmsg(sock[0], &msg, 0);
1103 #undef BUF
1104
1105 }
1106
1107 ATF_TC_WITHOUT_HEAD(recvmsg_msg_iov_heap_before_end);
ATF_TC_BODY(recvmsg_msg_iov_heap_before_end,tc)1108 ATF_TC_BODY(recvmsg_msg_iov_heap_before_end, tc)
1109 {
1110 #define BUF __stack.__buf
1111 struct {
1112 uint8_t padding_l;
1113 unsigned char * __buf;
1114 uint8_t padding_r;
1115 } __stack;
1116 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1117 const size_t __len = 42 - 1;
1118 const size_t __idx __unused = __len - 1;
1119 int sock[2] = { -1, -1 };
1120 struct msghdr msg;
1121 struct iovec iov[2];
1122
1123 __stack.__buf = malloc(__bufsz);
1124 memset(&msg, 0, sizeof(msg));
1125 memset(&iov[0], 0, sizeof(iov));
1126
1127 /*
1128 * We position the buffer second just so that we can confirm that the
1129 * fortification bits are traversing the iovec correctly.
1130 */
1131 iov[1].iov_base = BUF;
1132 iov[1].iov_len = __len;
1133
1134 msg.msg_iov = &iov[0];
1135 msg.msg_iovlen = nitems(iov);
1136
1137 recvmsg(sock[0], &msg, 0);
1138 #undef BUF
1139
1140 }
1141
1142 ATF_TC_WITHOUT_HEAD(recvmsg_msg_iov_heap_end);
ATF_TC_BODY(recvmsg_msg_iov_heap_end,tc)1143 ATF_TC_BODY(recvmsg_msg_iov_heap_end, tc)
1144 {
1145 #define BUF __stack.__buf
1146 struct {
1147 uint8_t padding_l;
1148 unsigned char * __buf;
1149 uint8_t padding_r;
1150 } __stack;
1151 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1152 const size_t __len = 42;
1153 const size_t __idx __unused = __len - 1;
1154 int sock[2] = { -1, -1 };
1155 struct msghdr msg;
1156 struct iovec iov[2];
1157
1158 __stack.__buf = malloc(__bufsz);
1159 memset(&msg, 0, sizeof(msg));
1160 memset(&iov[0], 0, sizeof(iov));
1161
1162 /*
1163 * We position the buffer second just so that we can confirm that the
1164 * fortification bits are traversing the iovec correctly.
1165 */
1166 iov[1].iov_base = BUF;
1167 iov[1].iov_len = __len;
1168
1169 msg.msg_iov = &iov[0];
1170 msg.msg_iovlen = nitems(iov);
1171
1172 recvmsg(sock[0], &msg, 0);
1173 #undef BUF
1174
1175 }
1176
1177 ATF_TC_WITHOUT_HEAD(recvmsg_msg_iov_heap_after_end);
ATF_TC_BODY(recvmsg_msg_iov_heap_after_end,tc)1178 ATF_TC_BODY(recvmsg_msg_iov_heap_after_end, tc)
1179 {
1180 #define BUF __stack.__buf
1181 struct {
1182 uint8_t padding_l;
1183 unsigned char * __buf;
1184 uint8_t padding_r;
1185 } __stack;
1186 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1187 const size_t __len = 42 + 1;
1188 const size_t __idx __unused = __len - 1;
1189 pid_t __child;
1190 int __status;
1191 int sock[2] = { -1, -1 };
1192 struct msghdr msg;
1193 struct iovec iov[2];
1194
1195 __child = fork();
1196 ATF_REQUIRE(__child >= 0);
1197 if (__child > 0)
1198 goto monitor;
1199
1200 /* Child */
1201 disable_coredumps();
1202 __stack.__buf = malloc(__bufsz);
1203 memset(&msg, 0, sizeof(msg));
1204 memset(&iov[0], 0, sizeof(iov));
1205
1206 /*
1207 * We position the buffer second just so that we can confirm that the
1208 * fortification bits are traversing the iovec correctly.
1209 */
1210 iov[1].iov_base = BUF;
1211 iov[1].iov_len = __len;
1212
1213 msg.msg_iov = &iov[0];
1214 msg.msg_iovlen = nitems(iov);
1215
1216 recvmsg(sock[0], &msg, 0);
1217 _exit(EX_SOFTWARE); /* Should have aborted. */
1218
1219 monitor:
1220 while (waitpid(__child, &__status, 0) != __child) {
1221 ATF_REQUIRE_EQ(EINTR, errno);
1222 }
1223
1224 if (!WIFSIGNALED(__status)) {
1225 switch (WEXITSTATUS(__status)) {
1226 case EX_SOFTWARE:
1227 atf_tc_fail("FORTIFY_SOURCE failed to abort");
1228 break;
1229 case EX_OSERR:
1230 atf_tc_fail("setrlimit(2) failed");
1231 break;
1232 default:
1233 atf_tc_fail("child exited with status %d",
1234 WEXITSTATUS(__status));
1235 }
1236 } else {
1237 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1238 }
1239 #undef BUF
1240
1241 }
1242
1243 ATF_TC_WITHOUT_HEAD(recvmsg_msg_control_before_end);
ATF_TC_BODY(recvmsg_msg_control_before_end,tc)1244 ATF_TC_BODY(recvmsg_msg_control_before_end, tc)
1245 {
1246 #define BUF &__stack.__buf
1247 struct {
1248 uint8_t padding_l;
1249 unsigned char __buf[CMSG_SPACE(sizeof(int))];
1250 uint8_t padding_r;
1251 } __stack;
1252 const size_t __bufsz __unused = sizeof(__stack.__buf);
1253 const size_t __len = CMSG_SPACE(sizeof(int)) - 1;
1254 const size_t __idx __unused = __len - 1;
1255 int sock[2] = { -1, -1 };
1256 struct msghdr msg;
1257
1258 memset(&msg, 0, sizeof(msg));
1259
1260 msg.msg_control = BUF;
1261 msg.msg_controllen = __len;
1262
1263 recvmsg(sock[0], &msg, 0);
1264 #undef BUF
1265
1266 }
1267
1268 ATF_TC_WITHOUT_HEAD(recvmsg_msg_control_end);
ATF_TC_BODY(recvmsg_msg_control_end,tc)1269 ATF_TC_BODY(recvmsg_msg_control_end, tc)
1270 {
1271 #define BUF &__stack.__buf
1272 struct {
1273 uint8_t padding_l;
1274 unsigned char __buf[CMSG_SPACE(sizeof(int))];
1275 uint8_t padding_r;
1276 } __stack;
1277 const size_t __bufsz __unused = sizeof(__stack.__buf);
1278 const size_t __len = CMSG_SPACE(sizeof(int));
1279 const size_t __idx __unused = __len - 1;
1280 int sock[2] = { -1, -1 };
1281 struct msghdr msg;
1282
1283 memset(&msg, 0, sizeof(msg));
1284
1285 msg.msg_control = BUF;
1286 msg.msg_controllen = __len;
1287
1288 recvmsg(sock[0], &msg, 0);
1289 #undef BUF
1290
1291 }
1292
1293 ATF_TC_WITHOUT_HEAD(recvmsg_msg_control_heap_before_end);
ATF_TC_BODY(recvmsg_msg_control_heap_before_end,tc)1294 ATF_TC_BODY(recvmsg_msg_control_heap_before_end, tc)
1295 {
1296 #define BUF __stack.__buf
1297 struct {
1298 uint8_t padding_l;
1299 unsigned char * __buf;
1300 uint8_t padding_r;
1301 } __stack;
1302 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (CMSG_SPACE(sizeof(int)));
1303 const size_t __len = CMSG_SPACE(sizeof(int)) - 1;
1304 const size_t __idx __unused = __len - 1;
1305 int sock[2] = { -1, -1 };
1306 struct msghdr msg;
1307
1308 __stack.__buf = malloc(__bufsz);
1309 memset(&msg, 0, sizeof(msg));
1310
1311 msg.msg_control = BUF;
1312 msg.msg_controllen = __len;
1313
1314 recvmsg(sock[0], &msg, 0);
1315 #undef BUF
1316
1317 }
1318
1319 ATF_TC_WITHOUT_HEAD(recvmsg_msg_control_heap_end);
ATF_TC_BODY(recvmsg_msg_control_heap_end,tc)1320 ATF_TC_BODY(recvmsg_msg_control_heap_end, tc)
1321 {
1322 #define BUF __stack.__buf
1323 struct {
1324 uint8_t padding_l;
1325 unsigned char * __buf;
1326 uint8_t padding_r;
1327 } __stack;
1328 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (CMSG_SPACE(sizeof(int)));
1329 const size_t __len = CMSG_SPACE(sizeof(int));
1330 const size_t __idx __unused = __len - 1;
1331 int sock[2] = { -1, -1 };
1332 struct msghdr msg;
1333
1334 __stack.__buf = malloc(__bufsz);
1335 memset(&msg, 0, sizeof(msg));
1336
1337 msg.msg_control = BUF;
1338 msg.msg_controllen = __len;
1339
1340 recvmsg(sock[0], &msg, 0);
1341 #undef BUF
1342
1343 }
1344
1345 ATF_TC_WITHOUT_HEAD(recvmsg_msg_control_heap_after_end);
ATF_TC_BODY(recvmsg_msg_control_heap_after_end,tc)1346 ATF_TC_BODY(recvmsg_msg_control_heap_after_end, tc)
1347 {
1348 #define BUF __stack.__buf
1349 struct {
1350 uint8_t padding_l;
1351 unsigned char * __buf;
1352 uint8_t padding_r;
1353 } __stack;
1354 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (CMSG_SPACE(sizeof(int)));
1355 const size_t __len = CMSG_SPACE(sizeof(int)) + 1;
1356 const size_t __idx __unused = __len - 1;
1357 pid_t __child;
1358 int __status;
1359 int sock[2] = { -1, -1 };
1360 struct msghdr msg;
1361
1362 __child = fork();
1363 ATF_REQUIRE(__child >= 0);
1364 if (__child > 0)
1365 goto monitor;
1366
1367 /* Child */
1368 disable_coredumps();
1369 __stack.__buf = malloc(__bufsz);
1370 memset(&msg, 0, sizeof(msg));
1371
1372 msg.msg_control = BUF;
1373 msg.msg_controllen = __len;
1374
1375 recvmsg(sock[0], &msg, 0);
1376 _exit(EX_SOFTWARE); /* Should have aborted. */
1377
1378 monitor:
1379 while (waitpid(__child, &__status, 0) != __child) {
1380 ATF_REQUIRE_EQ(EINTR, errno);
1381 }
1382
1383 if (!WIFSIGNALED(__status)) {
1384 switch (WEXITSTATUS(__status)) {
1385 case EX_SOFTWARE:
1386 atf_tc_fail("FORTIFY_SOURCE failed to abort");
1387 break;
1388 case EX_OSERR:
1389 atf_tc_fail("setrlimit(2) failed");
1390 break;
1391 default:
1392 atf_tc_fail("child exited with status %d",
1393 WEXITSTATUS(__status));
1394 }
1395 } else {
1396 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1397 }
1398 #undef BUF
1399
1400 }
1401
1402 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_before_end);
ATF_TC_BODY(recvmmsg_msgvec_before_end,tc)1403 ATF_TC_BODY(recvmmsg_msgvec_before_end, tc)
1404 {
1405 #define BUF &__stack.__buf
1406 struct {
1407 uint8_t padding_l;
1408 struct mmsghdr __buf[2];
1409 uint8_t padding_r;
1410 } __stack;
1411 const size_t __bufsz __unused = sizeof(__stack.__buf);
1412 const size_t __len = 2 - 1;
1413 const size_t __idx __unused = __len - 1;
1414 int sock[2] = { -1, -1 };
1415
1416 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1417 #undef BUF
1418
1419 }
1420
1421 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_end);
ATF_TC_BODY(recvmmsg_msgvec_end,tc)1422 ATF_TC_BODY(recvmmsg_msgvec_end, tc)
1423 {
1424 #define BUF &__stack.__buf
1425 struct {
1426 uint8_t padding_l;
1427 struct mmsghdr __buf[2];
1428 uint8_t padding_r;
1429 } __stack;
1430 const size_t __bufsz __unused = sizeof(__stack.__buf);
1431 const size_t __len = 2;
1432 const size_t __idx __unused = __len - 1;
1433 int sock[2] = { -1, -1 };
1434
1435 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1436 #undef BUF
1437
1438 }
1439
1440 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_after_end);
ATF_TC_BODY(recvmmsg_msgvec_after_end,tc)1441 ATF_TC_BODY(recvmmsg_msgvec_after_end, tc)
1442 {
1443 #define BUF &__stack.__buf
1444 struct {
1445 uint8_t padding_l;
1446 struct mmsghdr __buf[2];
1447 uint8_t padding_r;
1448 } __stack;
1449 const size_t __bufsz __unused = sizeof(__stack.__buf);
1450 const size_t __len = 2 + 1;
1451 const size_t __idx __unused = __len - 1;
1452 pid_t __child;
1453 int __status;
1454 int sock[2] = { -1, -1 };
1455
1456 __child = fork();
1457 ATF_REQUIRE(__child >= 0);
1458 if (__child > 0)
1459 goto monitor;
1460
1461 /* Child */
1462 disable_coredumps();
1463 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1464 _exit(EX_SOFTWARE); /* Should have aborted. */
1465
1466 monitor:
1467 while (waitpid(__child, &__status, 0) != __child) {
1468 ATF_REQUIRE_EQ(EINTR, errno);
1469 }
1470
1471 if (!WIFSIGNALED(__status)) {
1472 switch (WEXITSTATUS(__status)) {
1473 case EX_SOFTWARE:
1474 atf_tc_fail("FORTIFY_SOURCE failed to abort");
1475 break;
1476 case EX_OSERR:
1477 atf_tc_fail("setrlimit(2) failed");
1478 break;
1479 default:
1480 atf_tc_fail("child exited with status %d",
1481 WEXITSTATUS(__status));
1482 }
1483 } else {
1484 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1485 }
1486 #undef BUF
1487
1488 }
1489
1490 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_heap_before_end);
ATF_TC_BODY(recvmmsg_msgvec_heap_before_end,tc)1491 ATF_TC_BODY(recvmmsg_msgvec_heap_before_end, tc)
1492 {
1493 #define BUF __stack.__buf
1494 struct {
1495 uint8_t padding_l;
1496 struct mmsghdr * __buf;
1497 uint8_t padding_r;
1498 } __stack;
1499 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (2);
1500 const size_t __len = 2 - 1;
1501 const size_t __idx __unused = __len - 1;
1502 int sock[2] = { -1, -1 };
1503
1504 __stack.__buf = malloc(__bufsz);
1505
1506 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1507 #undef BUF
1508
1509 }
1510
1511 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_heap_end);
ATF_TC_BODY(recvmmsg_msgvec_heap_end,tc)1512 ATF_TC_BODY(recvmmsg_msgvec_heap_end, tc)
1513 {
1514 #define BUF __stack.__buf
1515 struct {
1516 uint8_t padding_l;
1517 struct mmsghdr * __buf;
1518 uint8_t padding_r;
1519 } __stack;
1520 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (2);
1521 const size_t __len = 2;
1522 const size_t __idx __unused = __len - 1;
1523 int sock[2] = { -1, -1 };
1524
1525 __stack.__buf = malloc(__bufsz);
1526
1527 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1528 #undef BUF
1529
1530 }
1531
1532 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_heap_after_end);
ATF_TC_BODY(recvmmsg_msgvec_heap_after_end,tc)1533 ATF_TC_BODY(recvmmsg_msgvec_heap_after_end, tc)
1534 {
1535 #define BUF __stack.__buf
1536 struct {
1537 uint8_t padding_l;
1538 struct mmsghdr * __buf;
1539 uint8_t padding_r;
1540 } __stack;
1541 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (2);
1542 const size_t __len = 2 + 1;
1543 const size_t __idx __unused = __len - 1;
1544 pid_t __child;
1545 int __status;
1546 int sock[2] = { -1, -1 };
1547
1548 __child = fork();
1549 ATF_REQUIRE(__child >= 0);
1550 if (__child > 0)
1551 goto monitor;
1552
1553 /* Child */
1554 disable_coredumps();
1555 __stack.__buf = malloc(__bufsz);
1556
1557 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1558 _exit(EX_SOFTWARE); /* Should have aborted. */
1559
1560 monitor:
1561 while (waitpid(__child, &__status, 0) != __child) {
1562 ATF_REQUIRE_EQ(EINTR, errno);
1563 }
1564
1565 if (!WIFSIGNALED(__status)) {
1566 switch (WEXITSTATUS(__status)) {
1567 case EX_SOFTWARE:
1568 atf_tc_fail("FORTIFY_SOURCE failed to abort");
1569 break;
1570 case EX_OSERR:
1571 atf_tc_fail("setrlimit(2) failed");
1572 break;
1573 default:
1574 atf_tc_fail("child exited with status %d",
1575 WEXITSTATUS(__status));
1576 }
1577 } else {
1578 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1579 }
1580 #undef BUF
1581
1582 }
1583
1584 ATF_TC_WITHOUT_HEAD(recvmmsg_msghdr_before_end);
ATF_TC_BODY(recvmmsg_msghdr_before_end,tc)1585 ATF_TC_BODY(recvmmsg_msghdr_before_end, tc)
1586 {
1587 #define BUF &__stack.__buf
1588 struct {
1589 uint8_t padding_l;
1590 unsigned char __buf[42];
1591 uint8_t padding_r;
1592 } __stack;
1593 const size_t __bufsz __unused = sizeof(__stack.__buf);
1594 const size_t __len = 42 - 1;
1595 const size_t __idx __unused = __len - 1;
1596 int sock[2] = { -1, -1 };
1597 struct mmsghdr msgvec[2];
1598
1599 memset(&msgvec[0], 0, sizeof(msgvec));
1600
1601 /*
1602 * Same as above, make sure fortification isn't ignoring n > 1 elements
1603 * of the msgvec.
1604 */
1605 msgvec[1].msg_hdr.msg_control = BUF;
1606 msgvec[1].msg_hdr.msg_controllen = __len;
1607
1608 recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL);
1609 #undef BUF
1610
1611 }
1612
1613 ATF_TC_WITHOUT_HEAD(recvmmsg_msghdr_end);
ATF_TC_BODY(recvmmsg_msghdr_end,tc)1614 ATF_TC_BODY(recvmmsg_msghdr_end, tc)
1615 {
1616 #define BUF &__stack.__buf
1617 struct {
1618 uint8_t padding_l;
1619 unsigned char __buf[42];
1620 uint8_t padding_r;
1621 } __stack;
1622 const size_t __bufsz __unused = sizeof(__stack.__buf);
1623 const size_t __len = 42;
1624 const size_t __idx __unused = __len - 1;
1625 int sock[2] = { -1, -1 };
1626 struct mmsghdr msgvec[2];
1627
1628 memset(&msgvec[0], 0, sizeof(msgvec));
1629
1630 /*
1631 * Same as above, make sure fortification isn't ignoring n > 1 elements
1632 * of the msgvec.
1633 */
1634 msgvec[1].msg_hdr.msg_control = BUF;
1635 msgvec[1].msg_hdr.msg_controllen = __len;
1636
1637 recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL);
1638 #undef BUF
1639
1640 }
1641
1642 ATF_TC_WITHOUT_HEAD(recvmmsg_msghdr_heap_before_end);
ATF_TC_BODY(recvmmsg_msghdr_heap_before_end,tc)1643 ATF_TC_BODY(recvmmsg_msghdr_heap_before_end, tc)
1644 {
1645 #define BUF __stack.__buf
1646 struct {
1647 uint8_t padding_l;
1648 unsigned char * __buf;
1649 uint8_t padding_r;
1650 } __stack;
1651 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1652 const size_t __len = 42 - 1;
1653 const size_t __idx __unused = __len - 1;
1654 int sock[2] = { -1, -1 };
1655 struct mmsghdr msgvec[2];
1656
1657 __stack.__buf = malloc(__bufsz);
1658 memset(&msgvec[0], 0, sizeof(msgvec));
1659
1660 /*
1661 * Same as above, make sure fortification isn't ignoring n > 1 elements
1662 * of the msgvec.
1663 */
1664 msgvec[1].msg_hdr.msg_control = BUF;
1665 msgvec[1].msg_hdr.msg_controllen = __len;
1666
1667 recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL);
1668 #undef BUF
1669
1670 }
1671
1672 ATF_TC_WITHOUT_HEAD(recvmmsg_msghdr_heap_end);
ATF_TC_BODY(recvmmsg_msghdr_heap_end,tc)1673 ATF_TC_BODY(recvmmsg_msghdr_heap_end, tc)
1674 {
1675 #define BUF __stack.__buf
1676 struct {
1677 uint8_t padding_l;
1678 unsigned char * __buf;
1679 uint8_t padding_r;
1680 } __stack;
1681 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1682 const size_t __len = 42;
1683 const size_t __idx __unused = __len - 1;
1684 int sock[2] = { -1, -1 };
1685 struct mmsghdr msgvec[2];
1686
1687 __stack.__buf = malloc(__bufsz);
1688 memset(&msgvec[0], 0, sizeof(msgvec));
1689
1690 /*
1691 * Same as above, make sure fortification isn't ignoring n > 1 elements
1692 * of the msgvec.
1693 */
1694 msgvec[1].msg_hdr.msg_control = BUF;
1695 msgvec[1].msg_hdr.msg_controllen = __len;
1696
1697 recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL);
1698 #undef BUF
1699
1700 }
1701
1702 ATF_TC_WITHOUT_HEAD(recvmmsg_msghdr_heap_after_end);
ATF_TC_BODY(recvmmsg_msghdr_heap_after_end,tc)1703 ATF_TC_BODY(recvmmsg_msghdr_heap_after_end, tc)
1704 {
1705 #define BUF __stack.__buf
1706 struct {
1707 uint8_t padding_l;
1708 unsigned char * __buf;
1709 uint8_t padding_r;
1710 } __stack;
1711 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1712 const size_t __len = 42 + 1;
1713 const size_t __idx __unused = __len - 1;
1714 pid_t __child;
1715 int __status;
1716 int sock[2] = { -1, -1 };
1717 struct mmsghdr msgvec[2];
1718
1719 __child = fork();
1720 ATF_REQUIRE(__child >= 0);
1721 if (__child > 0)
1722 goto monitor;
1723
1724 /* Child */
1725 disable_coredumps();
1726 __stack.__buf = malloc(__bufsz);
1727 memset(&msgvec[0], 0, sizeof(msgvec));
1728
1729 /*
1730 * Same as above, make sure fortification isn't ignoring n > 1 elements
1731 * of the msgvec.
1732 */
1733 msgvec[1].msg_hdr.msg_control = BUF;
1734 msgvec[1].msg_hdr.msg_controllen = __len;
1735
1736 recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL);
1737 _exit(EX_SOFTWARE); /* Should have aborted. */
1738
1739 monitor:
1740 while (waitpid(__child, &__status, 0) != __child) {
1741 ATF_REQUIRE_EQ(EINTR, errno);
1742 }
1743
1744 if (!WIFSIGNALED(__status)) {
1745 switch (WEXITSTATUS(__status)) {
1746 case EX_SOFTWARE:
1747 atf_tc_fail("FORTIFY_SOURCE failed to abort");
1748 break;
1749 case EX_OSERR:
1750 atf_tc_fail("setrlimit(2) failed");
1751 break;
1752 default:
1753 atf_tc_fail("child exited with status %d",
1754 WEXITSTATUS(__status));
1755 }
1756 } else {
1757 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1758 }
1759 #undef BUF
1760
1761 }
1762
ATF_TP_ADD_TCS(tp)1763 ATF_TP_ADD_TCS(tp)
1764 {
1765 ATF_TP_ADD_TC(tp, getpeername_before_end);
1766 ATF_TP_ADD_TC(tp, getpeername_end);
1767 ATF_TP_ADD_TC(tp, getpeername_heap_before_end);
1768 ATF_TP_ADD_TC(tp, getpeername_heap_end);
1769 ATF_TP_ADD_TC(tp, getpeername_heap_after_end);
1770 ATF_TP_ADD_TC(tp, getsockname_before_end);
1771 ATF_TP_ADD_TC(tp, getsockname_end);
1772 ATF_TP_ADD_TC(tp, getsockname_heap_before_end);
1773 ATF_TP_ADD_TC(tp, getsockname_heap_end);
1774 ATF_TP_ADD_TC(tp, getsockname_heap_after_end);
1775 ATF_TP_ADD_TC(tp, recv_before_end);
1776 ATF_TP_ADD_TC(tp, recv_end);
1777 ATF_TP_ADD_TC(tp, recv_heap_before_end);
1778 ATF_TP_ADD_TC(tp, recv_heap_end);
1779 ATF_TP_ADD_TC(tp, recv_heap_after_end);
1780 ATF_TP_ADD_TC(tp, recvfrom_before_end);
1781 ATF_TP_ADD_TC(tp, recvfrom_end);
1782 ATF_TP_ADD_TC(tp, recvfrom_heap_before_end);
1783 ATF_TP_ADD_TC(tp, recvfrom_heap_end);
1784 ATF_TP_ADD_TC(tp, recvfrom_heap_after_end);
1785 ATF_TP_ADD_TC(tp, recvfrom_sockaddr_before_end);
1786 ATF_TP_ADD_TC(tp, recvfrom_sockaddr_end);
1787 ATF_TP_ADD_TC(tp, recvfrom_sockaddr_heap_before_end);
1788 ATF_TP_ADD_TC(tp, recvfrom_sockaddr_heap_end);
1789 ATF_TP_ADD_TC(tp, recvfrom_sockaddr_heap_after_end);
1790 ATF_TP_ADD_TC(tp, recvmsg_msg_name_before_end);
1791 ATF_TP_ADD_TC(tp, recvmsg_msg_name_end);
1792 ATF_TP_ADD_TC(tp, recvmsg_msg_name_heap_before_end);
1793 ATF_TP_ADD_TC(tp, recvmsg_msg_name_heap_end);
1794 ATF_TP_ADD_TC(tp, recvmsg_msg_name_heap_after_end);
1795 ATF_TP_ADD_TC(tp, recvmsg_msg_iov_before_end);
1796 ATF_TP_ADD_TC(tp, recvmsg_msg_iov_end);
1797 ATF_TP_ADD_TC(tp, recvmsg_msg_iov_heap_before_end);
1798 ATF_TP_ADD_TC(tp, recvmsg_msg_iov_heap_end);
1799 ATF_TP_ADD_TC(tp, recvmsg_msg_iov_heap_after_end);
1800 ATF_TP_ADD_TC(tp, recvmsg_msg_control_before_end);
1801 ATF_TP_ADD_TC(tp, recvmsg_msg_control_end);
1802 ATF_TP_ADD_TC(tp, recvmsg_msg_control_heap_before_end);
1803 ATF_TP_ADD_TC(tp, recvmsg_msg_control_heap_end);
1804 ATF_TP_ADD_TC(tp, recvmsg_msg_control_heap_after_end);
1805 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_before_end);
1806 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_end);
1807 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_after_end);
1808 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_heap_before_end);
1809 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_heap_end);
1810 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_heap_after_end);
1811 ATF_TP_ADD_TC(tp, recvmmsg_msghdr_before_end);
1812 ATF_TP_ADD_TC(tp, recvmmsg_msghdr_end);
1813 ATF_TP_ADD_TC(tp, recvmmsg_msghdr_heap_before_end);
1814 ATF_TP_ADD_TC(tp, recvmmsg_msghdr_heap_end);
1815 ATF_TP_ADD_TC(tp, recvmmsg_msghdr_heap_after_end);
1816 return (atf_no_error());
1817 }
1818