xref: /freebsd/lib/libc/tests/secure/fortify_socket_test.c (revision 1f155d48f878495d31592c59cab82f975c210ad8)
1 /* @generated by `generate-fortify-tests.lua "socket"` */
2 
3 #define	_FORTIFY_SOURCE	2
4 #define	TMPFILE_SIZE	(1024 * 32)
5 
6 #include <sys/param.h>
7 #include <sys/random.h>
8 #include <sys/resource.h>
9 #include <sys/select.h>
10 #include <sys/socket.h>
11 #include <sys/time.h>
12 #include <sys/uio.h>
13 #include <sys/wait.h>
14 #include <dirent.h>
15 #include <errno.h>
16 #include <fcntl.h>
17 #include <limits.h>
18 #include <poll.h>
19 #include <signal.h>
20 #include <stdio.h>
21 #include <stdlib.h>
22 #include <string.h>
23 #include <strings.h>
24 #include <sysexits.h>
25 #include <unistd.h>
26 #include <wchar.h>
27 #include <atf-c.h>
28 
29 static FILE * __unused
new_fp(size_t __len)30 new_fp(size_t __len)
31 {
32 	static char fpbuf[LINE_MAX];
33 	FILE *fp;
34 
35 	ATF_REQUIRE(__len <= sizeof(fpbuf));
36 
37 	memset(fpbuf, 'A', sizeof(fpbuf) - 1);
38 	fpbuf[sizeof(fpbuf) - 1] = '\0';
39 
40 	fp = fmemopen(fpbuf, sizeof(fpbuf), "rb");
41 	ATF_REQUIRE(fp != NULL);
42 
43 	return (fp);
44 }
45 
46 /*
47  * Create a new symlink to use for readlink(2) style tests, we'll just use a
48  * random target name to have something interesting to look at.
49  */
50 static const char * __unused
new_symlink(size_t __len)51 new_symlink(size_t __len)
52 {
53 	static const char linkname[] = "link";
54 	char target[MAXNAMLEN];
55 	int error;
56 
57 	ATF_REQUIRE(__len <= sizeof(target));
58 
59 	arc4random_buf(target, sizeof(target));
60 
61 	error = unlink(linkname);
62 	ATF_REQUIRE(error == 0 || errno == ENOENT);
63 
64 	error = symlink(target, linkname);
65 	ATF_REQUIRE(error == 0);
66 
67 	return (linkname);
68 }
69 
70 /*
71  * For our purposes, first descriptor will be the reader; we'll send both
72  * raw data and a control message over it so that the result can be used for
73  * any of our recv*() tests.
74  */
75 static void __unused
new_socket(int sock[2])76 new_socket(int sock[2])
77 {
78 	unsigned char ctrl[CMSG_SPACE(sizeof(int))] = { 0 };
79 	static char sockbuf[256];
80 	ssize_t rv;
81 	size_t total = 0;
82 	struct msghdr hdr = { 0 };
83 	struct cmsghdr *cmsg;
84 	int error, fd;
85 
86 	error = socketpair(AF_UNIX, SOCK_STREAM, 0, sock);
87 	ATF_REQUIRE(error == 0);
88 
89 	while (total != sizeof(sockbuf)) {
90 		rv = send(sock[1], &sockbuf[total], sizeof(sockbuf) - total, 0);
91 
92 		ATF_REQUIRE_MSG(rv > 0,
93 		    "expected bytes sent, got %zd with %zu left (size %zu, total %zu)",
94 		    rv, sizeof(sockbuf) - total, sizeof(sockbuf), total);
95 		ATF_REQUIRE_MSG(total + (size_t)rv <= sizeof(sockbuf),
96 		    "%zd exceeds total %zu", rv, sizeof(sockbuf));
97 		total += rv;
98 	}
99 
100 	hdr.msg_control = ctrl;
101 	hdr.msg_controllen = sizeof(ctrl);
102 
103 	cmsg = CMSG_FIRSTHDR(&hdr);
104 	cmsg->cmsg_level = SOL_SOCKET;
105 	cmsg->cmsg_type = SCM_RIGHTS;
106 	cmsg->cmsg_len = CMSG_LEN(sizeof(fd));
107 	fd = STDIN_FILENO;
108 	memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd));
109 
110 	error = sendmsg(sock[1], &hdr, 0);
111 	ATF_REQUIRE(error != -1);
112 }
113 
114 /*
115  * Constructs a tmpfile that we can use for testing read(2) and friends.
116  */
117 static int __unused
new_tmpfile(void)118 new_tmpfile(void)
119 {
120 	char buf[1024];
121 	ssize_t rv;
122 	size_t written;
123 	int fd;
124 
125 	fd = open("tmpfile", O_RDWR | O_CREAT | O_TRUNC, 0644);
126 	ATF_REQUIRE(fd >= 0);
127 
128 	written = 0;
129 	while (written < TMPFILE_SIZE) {
130 		rv = write(fd, buf, sizeof(buf));
131 		ATF_REQUIRE(rv > 0);
132 
133 		written += rv;
134 	}
135 
136 	ATF_REQUIRE_EQ(0, lseek(fd, 0, SEEK_SET));
137 	return (fd);
138 }
139 
140 static void
disable_coredumps(void)141 disable_coredumps(void)
142 {
143 	struct rlimit rl = { 0 };
144 
145 	if (setrlimit(RLIMIT_CORE, &rl) == -1)
146 		_exit(EX_OSERR);
147 }
148 
149 /*
150  * Replaces stdin with a file that we can actually read from, for tests where
151  * we want a FILE * or fd that we can get data from.
152  */
153 static void __unused
replace_stdin(void)154 replace_stdin(void)
155 {
156 	int fd;
157 
158 	fd = new_tmpfile();
159 
160 	(void)dup2(fd, STDIN_FILENO);
161 	if (fd != STDIN_FILENO)
162 		close(fd);
163 }
164 
165 ATF_TC_WITHOUT_HEAD(getpeername_before_end);
ATF_TC_BODY(getpeername_before_end,tc)166 ATF_TC_BODY(getpeername_before_end, tc)
167 {
168 #define BUF &__stack.__buf
169 	struct {
170 		uint8_t padding_l;
171 		struct sockaddr __buf;
172 		uint8_t padding_r;
173 	} __stack;
174 	const size_t __bufsz __unused = sizeof(__stack.__buf);
175 	const size_t __len = sizeof(struct sockaddr) - 1;
176 	const size_t __idx __unused = __len - 1;
177 	int sock[2] = { -1, -1 };
178 	socklen_t socklen;
179 	new_socket(sock);
180 	socklen = __len;
181 
182 	getpeername(sock[0], &__stack.__buf, &socklen);
183 #undef BUF
184 
185 }
186 
187 ATF_TC_WITHOUT_HEAD(getpeername_end);
ATF_TC_BODY(getpeername_end,tc)188 ATF_TC_BODY(getpeername_end, tc)
189 {
190 #define BUF &__stack.__buf
191 	struct {
192 		uint8_t padding_l;
193 		struct sockaddr __buf;
194 		uint8_t padding_r;
195 	} __stack;
196 	const size_t __bufsz __unused = sizeof(__stack.__buf);
197 	const size_t __len = sizeof(struct sockaddr);
198 	const size_t __idx __unused = __len - 1;
199 	int sock[2] = { -1, -1 };
200 	socklen_t socklen;
201 	new_socket(sock);
202 	socklen = __len;
203 
204 	getpeername(sock[0], &__stack.__buf, &socklen);
205 #undef BUF
206 
207 }
208 
209 ATF_TC_WITHOUT_HEAD(getpeername_heap_before_end);
ATF_TC_BODY(getpeername_heap_before_end,tc)210 ATF_TC_BODY(getpeername_heap_before_end, tc)
211 {
212 #define BUF __stack.__buf
213 	struct {
214 		uint8_t padding_l;
215 		struct sockaddr * __buf;
216 		uint8_t padding_r;
217 	} __stack;
218 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
219 	const size_t __len = sizeof(struct sockaddr) - 1;
220 	const size_t __idx __unused = __len - 1;
221 	int sock[2] = { -1, -1 };
222 	socklen_t socklen;
223 	__stack.__buf = malloc(__bufsz);
224 	new_socket(sock);
225 	socklen = __len;
226 
227 	getpeername(sock[0], __stack.__buf, &socklen);
228 #undef BUF
229 
230 }
231 
232 ATF_TC_WITHOUT_HEAD(getpeername_heap_end);
ATF_TC_BODY(getpeername_heap_end,tc)233 ATF_TC_BODY(getpeername_heap_end, tc)
234 {
235 #define BUF __stack.__buf
236 	struct {
237 		uint8_t padding_l;
238 		struct sockaddr * __buf;
239 		uint8_t padding_r;
240 	} __stack;
241 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
242 	const size_t __len = sizeof(struct sockaddr);
243 	const size_t __idx __unused = __len - 1;
244 	int sock[2] = { -1, -1 };
245 	socklen_t socklen;
246 	__stack.__buf = malloc(__bufsz);
247 	new_socket(sock);
248 	socklen = __len;
249 
250 	getpeername(sock[0], __stack.__buf, &socklen);
251 #undef BUF
252 
253 }
254 
255 ATF_TC_WITHOUT_HEAD(getpeername_heap_after_end);
ATF_TC_BODY(getpeername_heap_after_end,tc)256 ATF_TC_BODY(getpeername_heap_after_end, tc)
257 {
258 #define BUF __stack.__buf
259 	struct {
260 		uint8_t padding_l;
261 		struct sockaddr * __buf;
262 		uint8_t padding_r;
263 	} __stack;
264 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
265 	const size_t __len = sizeof(struct sockaddr) + 1;
266 	const size_t __idx __unused = __len - 1;
267 	pid_t __child;
268 	int __status;
269 	int sock[2] = { -1, -1 };
270 	socklen_t socklen;
271 	__child = fork();
272 	ATF_REQUIRE(__child >= 0);
273 	if (__child > 0)
274 		goto monitor;
275 
276 	/* Child */
277 	disable_coredumps();
278 	__stack.__buf = malloc(__bufsz);
279 	new_socket(sock);
280 	socklen = __len;
281 
282 	getpeername(sock[0], __stack.__buf, &socklen);
283 	_exit(EX_SOFTWARE);	/* Should have aborted. */
284 
285 monitor:
286 	while (waitpid(__child, &__status, 0) != __child) {
287 		ATF_REQUIRE_EQ(EINTR, errno);
288 	}
289 
290 	if (!WIFSIGNALED(__status)) {
291 		switch (WEXITSTATUS(__status)) {
292 		case EX_SOFTWARE:
293 			atf_tc_fail("FORTIFY_SOURCE failed to abort");
294 			break;
295 		case EX_OSERR:
296 			atf_tc_fail("setrlimit(2) failed");
297 			break;
298 		default:
299 			atf_tc_fail("child exited with status %d",
300 			    WEXITSTATUS(__status));
301 		}
302 	} else {
303 		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
304 	}
305 #undef BUF
306 
307 }
308 
309 ATF_TC_WITHOUT_HEAD(getsockname_before_end);
ATF_TC_BODY(getsockname_before_end,tc)310 ATF_TC_BODY(getsockname_before_end, tc)
311 {
312 #define BUF &__stack.__buf
313 	struct {
314 		uint8_t padding_l;
315 		struct sockaddr __buf;
316 		uint8_t padding_r;
317 	} __stack;
318 	const size_t __bufsz __unused = sizeof(__stack.__buf);
319 	const size_t __len = sizeof(struct sockaddr) - 1;
320 	const size_t __idx __unused = __len - 1;
321 	int sock[2] = { -1, -1 };
322 	socklen_t socklen;
323 	new_socket(sock);
324 	socklen = __len;
325 
326 	getsockname(sock[0], &__stack.__buf, &socklen);
327 #undef BUF
328 
329 }
330 
331 ATF_TC_WITHOUT_HEAD(getsockname_end);
ATF_TC_BODY(getsockname_end,tc)332 ATF_TC_BODY(getsockname_end, tc)
333 {
334 #define BUF &__stack.__buf
335 	struct {
336 		uint8_t padding_l;
337 		struct sockaddr __buf;
338 		uint8_t padding_r;
339 	} __stack;
340 	const size_t __bufsz __unused = sizeof(__stack.__buf);
341 	const size_t __len = sizeof(struct sockaddr);
342 	const size_t __idx __unused = __len - 1;
343 	int sock[2] = { -1, -1 };
344 	socklen_t socklen;
345 	new_socket(sock);
346 	socklen = __len;
347 
348 	getsockname(sock[0], &__stack.__buf, &socklen);
349 #undef BUF
350 
351 }
352 
353 ATF_TC_WITHOUT_HEAD(getsockname_heap_before_end);
ATF_TC_BODY(getsockname_heap_before_end,tc)354 ATF_TC_BODY(getsockname_heap_before_end, tc)
355 {
356 #define BUF __stack.__buf
357 	struct {
358 		uint8_t padding_l;
359 		struct sockaddr * __buf;
360 		uint8_t padding_r;
361 	} __stack;
362 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
363 	const size_t __len = sizeof(struct sockaddr) - 1;
364 	const size_t __idx __unused = __len - 1;
365 	int sock[2] = { -1, -1 };
366 	socklen_t socklen;
367 	__stack.__buf = malloc(__bufsz);
368 	new_socket(sock);
369 	socklen = __len;
370 
371 	getsockname(sock[0], __stack.__buf, &socklen);
372 #undef BUF
373 
374 }
375 
376 ATF_TC_WITHOUT_HEAD(getsockname_heap_end);
ATF_TC_BODY(getsockname_heap_end,tc)377 ATF_TC_BODY(getsockname_heap_end, tc)
378 {
379 #define BUF __stack.__buf
380 	struct {
381 		uint8_t padding_l;
382 		struct sockaddr * __buf;
383 		uint8_t padding_r;
384 	} __stack;
385 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
386 	const size_t __len = sizeof(struct sockaddr);
387 	const size_t __idx __unused = __len - 1;
388 	int sock[2] = { -1, -1 };
389 	socklen_t socklen;
390 	__stack.__buf = malloc(__bufsz);
391 	new_socket(sock);
392 	socklen = __len;
393 
394 	getsockname(sock[0], __stack.__buf, &socklen);
395 #undef BUF
396 
397 }
398 
399 ATF_TC_WITHOUT_HEAD(getsockname_heap_after_end);
ATF_TC_BODY(getsockname_heap_after_end,tc)400 ATF_TC_BODY(getsockname_heap_after_end, tc)
401 {
402 #define BUF __stack.__buf
403 	struct {
404 		uint8_t padding_l;
405 		struct sockaddr * __buf;
406 		uint8_t padding_r;
407 	} __stack;
408 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
409 	const size_t __len = sizeof(struct sockaddr) + 1;
410 	const size_t __idx __unused = __len - 1;
411 	pid_t __child;
412 	int __status;
413 	int sock[2] = { -1, -1 };
414 	socklen_t socklen;
415 	__child = fork();
416 	ATF_REQUIRE(__child >= 0);
417 	if (__child > 0)
418 		goto monitor;
419 
420 	/* Child */
421 	disable_coredumps();
422 	__stack.__buf = malloc(__bufsz);
423 	new_socket(sock);
424 	socklen = __len;
425 
426 	getsockname(sock[0], __stack.__buf, &socklen);
427 	_exit(EX_SOFTWARE);	/* Should have aborted. */
428 
429 monitor:
430 	while (waitpid(__child, &__status, 0) != __child) {
431 		ATF_REQUIRE_EQ(EINTR, errno);
432 	}
433 
434 	if (!WIFSIGNALED(__status)) {
435 		switch (WEXITSTATUS(__status)) {
436 		case EX_SOFTWARE:
437 			atf_tc_fail("FORTIFY_SOURCE failed to abort");
438 			break;
439 		case EX_OSERR:
440 			atf_tc_fail("setrlimit(2) failed");
441 			break;
442 		default:
443 			atf_tc_fail("child exited with status %d",
444 			    WEXITSTATUS(__status));
445 		}
446 	} else {
447 		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
448 	}
449 #undef BUF
450 
451 }
452 
453 ATF_TC_WITHOUT_HEAD(recv_before_end);
ATF_TC_BODY(recv_before_end,tc)454 ATF_TC_BODY(recv_before_end, tc)
455 {
456 #define BUF &__stack.__buf
457 	struct {
458 		uint8_t padding_l;
459 		unsigned char __buf[42];
460 		uint8_t padding_r;
461 	} __stack;
462 	const size_t __bufsz __unused = sizeof(__stack.__buf);
463 	const size_t __len = 42 - 1;
464 	const size_t __idx __unused = __len - 1;
465 	int sock[2] = { -1, -1 };
466 
467 	new_socket(sock);
468 
469 	recv(sock[0], __stack.__buf, __len, 0);
470 #undef BUF
471 
472 }
473 
474 ATF_TC_WITHOUT_HEAD(recv_end);
ATF_TC_BODY(recv_end,tc)475 ATF_TC_BODY(recv_end, tc)
476 {
477 #define BUF &__stack.__buf
478 	struct {
479 		uint8_t padding_l;
480 		unsigned char __buf[42];
481 		uint8_t padding_r;
482 	} __stack;
483 	const size_t __bufsz __unused = sizeof(__stack.__buf);
484 	const size_t __len = 42;
485 	const size_t __idx __unused = __len - 1;
486 	int sock[2] = { -1, -1 };
487 
488 	new_socket(sock);
489 
490 	recv(sock[0], __stack.__buf, __len, 0);
491 #undef BUF
492 
493 }
494 
495 ATF_TC_WITHOUT_HEAD(recv_heap_before_end);
ATF_TC_BODY(recv_heap_before_end,tc)496 ATF_TC_BODY(recv_heap_before_end, tc)
497 {
498 #define BUF __stack.__buf
499 	struct {
500 		uint8_t padding_l;
501 		unsigned char * __buf;
502 		uint8_t padding_r;
503 	} __stack;
504 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
505 	const size_t __len = 42 - 1;
506 	const size_t __idx __unused = __len - 1;
507 	int sock[2] = { -1, -1 };
508 
509 	__stack.__buf = malloc(__bufsz);
510 	new_socket(sock);
511 
512 	recv(sock[0], __stack.__buf, __len, 0);
513 #undef BUF
514 
515 }
516 
517 ATF_TC_WITHOUT_HEAD(recv_heap_end);
ATF_TC_BODY(recv_heap_end,tc)518 ATF_TC_BODY(recv_heap_end, tc)
519 {
520 #define BUF __stack.__buf
521 	struct {
522 		uint8_t padding_l;
523 		unsigned char * __buf;
524 		uint8_t padding_r;
525 	} __stack;
526 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
527 	const size_t __len = 42;
528 	const size_t __idx __unused = __len - 1;
529 	int sock[2] = { -1, -1 };
530 
531 	__stack.__buf = malloc(__bufsz);
532 	new_socket(sock);
533 
534 	recv(sock[0], __stack.__buf, __len, 0);
535 #undef BUF
536 
537 }
538 
539 ATF_TC_WITHOUT_HEAD(recv_heap_after_end);
ATF_TC_BODY(recv_heap_after_end,tc)540 ATF_TC_BODY(recv_heap_after_end, tc)
541 {
542 #define BUF __stack.__buf
543 	struct {
544 		uint8_t padding_l;
545 		unsigned char * __buf;
546 		uint8_t padding_r;
547 	} __stack;
548 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
549 	const size_t __len = 42 + 1;
550 	const size_t __idx __unused = __len - 1;
551 	pid_t __child;
552 	int __status;
553 	int sock[2] = { -1, -1 };
554 
555 	__child = fork();
556 	ATF_REQUIRE(__child >= 0);
557 	if (__child > 0)
558 		goto monitor;
559 
560 	/* Child */
561 	disable_coredumps();
562 	__stack.__buf = malloc(__bufsz);
563 	new_socket(sock);
564 
565 	recv(sock[0], __stack.__buf, __len, 0);
566 	_exit(EX_SOFTWARE);	/* Should have aborted. */
567 
568 monitor:
569 	while (waitpid(__child, &__status, 0) != __child) {
570 		ATF_REQUIRE_EQ(EINTR, errno);
571 	}
572 
573 	if (!WIFSIGNALED(__status)) {
574 		switch (WEXITSTATUS(__status)) {
575 		case EX_SOFTWARE:
576 			atf_tc_fail("FORTIFY_SOURCE failed to abort");
577 			break;
578 		case EX_OSERR:
579 			atf_tc_fail("setrlimit(2) failed");
580 			break;
581 		default:
582 			atf_tc_fail("child exited with status %d",
583 			    WEXITSTATUS(__status));
584 		}
585 	} else {
586 		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
587 	}
588 #undef BUF
589 
590 }
591 
592 ATF_TC_WITHOUT_HEAD(recvfrom_before_end);
ATF_TC_BODY(recvfrom_before_end,tc)593 ATF_TC_BODY(recvfrom_before_end, tc)
594 {
595 #define BUF &__stack.__buf
596 	struct {
597 		uint8_t padding_l;
598 		unsigned char __buf[42];
599 		uint8_t padding_r;
600 	} __stack;
601 	const size_t __bufsz __unused = sizeof(__stack.__buf);
602 	const size_t __len = 42 - 1;
603 	const size_t __idx __unused = __len - 1;
604 	int sock[2] = { -1, -1 };
605 
606 	new_socket(sock);
607 
608 	recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL);
609 #undef BUF
610 
611 }
612 
613 ATF_TC_WITHOUT_HEAD(recvfrom_end);
ATF_TC_BODY(recvfrom_end,tc)614 ATF_TC_BODY(recvfrom_end, tc)
615 {
616 #define BUF &__stack.__buf
617 	struct {
618 		uint8_t padding_l;
619 		unsigned char __buf[42];
620 		uint8_t padding_r;
621 	} __stack;
622 	const size_t __bufsz __unused = sizeof(__stack.__buf);
623 	const size_t __len = 42;
624 	const size_t __idx __unused = __len - 1;
625 	int sock[2] = { -1, -1 };
626 
627 	new_socket(sock);
628 
629 	recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL);
630 #undef BUF
631 
632 }
633 
634 ATF_TC_WITHOUT_HEAD(recvfrom_heap_before_end);
ATF_TC_BODY(recvfrom_heap_before_end,tc)635 ATF_TC_BODY(recvfrom_heap_before_end, tc)
636 {
637 #define BUF __stack.__buf
638 	struct {
639 		uint8_t padding_l;
640 		unsigned char * __buf;
641 		uint8_t padding_r;
642 	} __stack;
643 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
644 	const size_t __len = 42 - 1;
645 	const size_t __idx __unused = __len - 1;
646 	int sock[2] = { -1, -1 };
647 
648 	__stack.__buf = malloc(__bufsz);
649 	new_socket(sock);
650 
651 	recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL);
652 #undef BUF
653 
654 }
655 
656 ATF_TC_WITHOUT_HEAD(recvfrom_heap_end);
ATF_TC_BODY(recvfrom_heap_end,tc)657 ATF_TC_BODY(recvfrom_heap_end, tc)
658 {
659 #define BUF __stack.__buf
660 	struct {
661 		uint8_t padding_l;
662 		unsigned char * __buf;
663 		uint8_t padding_r;
664 	} __stack;
665 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
666 	const size_t __len = 42;
667 	const size_t __idx __unused = __len - 1;
668 	int sock[2] = { -1, -1 };
669 
670 	__stack.__buf = malloc(__bufsz);
671 	new_socket(sock);
672 
673 	recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL);
674 #undef BUF
675 
676 }
677 
678 ATF_TC_WITHOUT_HEAD(recvfrom_heap_after_end);
ATF_TC_BODY(recvfrom_heap_after_end,tc)679 ATF_TC_BODY(recvfrom_heap_after_end, tc)
680 {
681 #define BUF __stack.__buf
682 	struct {
683 		uint8_t padding_l;
684 		unsigned char * __buf;
685 		uint8_t padding_r;
686 	} __stack;
687 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
688 	const size_t __len = 42 + 1;
689 	const size_t __idx __unused = __len - 1;
690 	pid_t __child;
691 	int __status;
692 	int sock[2] = { -1, -1 };
693 
694 	__child = fork();
695 	ATF_REQUIRE(__child >= 0);
696 	if (__child > 0)
697 		goto monitor;
698 
699 	/* Child */
700 	disable_coredumps();
701 	__stack.__buf = malloc(__bufsz);
702 	new_socket(sock);
703 
704 	recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL);
705 	_exit(EX_SOFTWARE);	/* Should have aborted. */
706 
707 monitor:
708 	while (waitpid(__child, &__status, 0) != __child) {
709 		ATF_REQUIRE_EQ(EINTR, errno);
710 	}
711 
712 	if (!WIFSIGNALED(__status)) {
713 		switch (WEXITSTATUS(__status)) {
714 		case EX_SOFTWARE:
715 			atf_tc_fail("FORTIFY_SOURCE failed to abort");
716 			break;
717 		case EX_OSERR:
718 			atf_tc_fail("setrlimit(2) failed");
719 			break;
720 		default:
721 			atf_tc_fail("child exited with status %d",
722 			    WEXITSTATUS(__status));
723 		}
724 	} else {
725 		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
726 	}
727 #undef BUF
728 
729 }
730 
731 ATF_TC_WITHOUT_HEAD(recvfrom_sockaddr_before_end);
ATF_TC_BODY(recvfrom_sockaddr_before_end,tc)732 ATF_TC_BODY(recvfrom_sockaddr_before_end, tc)
733 {
734 #define BUF &__stack.__buf
735 	struct {
736 		uint8_t padding_l;
737 		struct sockaddr __buf;
738 		uint8_t padding_r;
739 	} __stack;
740 	const size_t __bufsz __unused = sizeof(__stack.__buf);
741 	const size_t __len = sizeof(struct sockaddr) - 1;
742 	const size_t __idx __unused = __len - 1;
743 	int sock[2] = { -1, -1 };
744 	char data[16];
745 	socklen_t socklen;
746 
747 	new_socket(sock);
748 	socklen = __len;
749 
750 	recvfrom(sock[0], data, sizeof(data), 0, &__stack.__buf, &socklen);
751 #undef BUF
752 
753 }
754 
755 ATF_TC_WITHOUT_HEAD(recvfrom_sockaddr_end);
ATF_TC_BODY(recvfrom_sockaddr_end,tc)756 ATF_TC_BODY(recvfrom_sockaddr_end, tc)
757 {
758 #define BUF &__stack.__buf
759 	struct {
760 		uint8_t padding_l;
761 		struct sockaddr __buf;
762 		uint8_t padding_r;
763 	} __stack;
764 	const size_t __bufsz __unused = sizeof(__stack.__buf);
765 	const size_t __len = sizeof(struct sockaddr);
766 	const size_t __idx __unused = __len - 1;
767 	int sock[2] = { -1, -1 };
768 	char data[16];
769 	socklen_t socklen;
770 
771 	new_socket(sock);
772 	socklen = __len;
773 
774 	recvfrom(sock[0], data, sizeof(data), 0, &__stack.__buf, &socklen);
775 #undef BUF
776 
777 }
778 
779 ATF_TC_WITHOUT_HEAD(recvfrom_sockaddr_heap_before_end);
ATF_TC_BODY(recvfrom_sockaddr_heap_before_end,tc)780 ATF_TC_BODY(recvfrom_sockaddr_heap_before_end, tc)
781 {
782 #define BUF __stack.__buf
783 	struct {
784 		uint8_t padding_l;
785 		struct sockaddr * __buf;
786 		uint8_t padding_r;
787 	} __stack;
788 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
789 	const size_t __len = sizeof(struct sockaddr) - 1;
790 	const size_t __idx __unused = __len - 1;
791 	int sock[2] = { -1, -1 };
792 	char data[16];
793 	socklen_t socklen;
794 
795 	__stack.__buf = malloc(__bufsz);
796 	new_socket(sock);
797 	socklen = __len;
798 
799 	recvfrom(sock[0], data, sizeof(data), 0, __stack.__buf, &socklen);
800 #undef BUF
801 
802 }
803 
804 ATF_TC_WITHOUT_HEAD(recvfrom_sockaddr_heap_end);
ATF_TC_BODY(recvfrom_sockaddr_heap_end,tc)805 ATF_TC_BODY(recvfrom_sockaddr_heap_end, tc)
806 {
807 #define BUF __stack.__buf
808 	struct {
809 		uint8_t padding_l;
810 		struct sockaddr * __buf;
811 		uint8_t padding_r;
812 	} __stack;
813 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
814 	const size_t __len = sizeof(struct sockaddr);
815 	const size_t __idx __unused = __len - 1;
816 	int sock[2] = { -1, -1 };
817 	char data[16];
818 	socklen_t socklen;
819 
820 	__stack.__buf = malloc(__bufsz);
821 	new_socket(sock);
822 	socklen = __len;
823 
824 	recvfrom(sock[0], data, sizeof(data), 0, __stack.__buf, &socklen);
825 #undef BUF
826 
827 }
828 
829 ATF_TC_WITHOUT_HEAD(recvfrom_sockaddr_heap_after_end);
ATF_TC_BODY(recvfrom_sockaddr_heap_after_end,tc)830 ATF_TC_BODY(recvfrom_sockaddr_heap_after_end, tc)
831 {
832 #define BUF __stack.__buf
833 	struct {
834 		uint8_t padding_l;
835 		struct sockaddr * __buf;
836 		uint8_t padding_r;
837 	} __stack;
838 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
839 	const size_t __len = sizeof(struct sockaddr) + 1;
840 	const size_t __idx __unused = __len - 1;
841 	pid_t __child;
842 	int __status;
843 	int sock[2] = { -1, -1 };
844 	char data[16];
845 	socklen_t socklen;
846 
847 	__child = fork();
848 	ATF_REQUIRE(__child >= 0);
849 	if (__child > 0)
850 		goto monitor;
851 
852 	/* Child */
853 	disable_coredumps();
854 	__stack.__buf = malloc(__bufsz);
855 	new_socket(sock);
856 	socklen = __len;
857 
858 	recvfrom(sock[0], data, sizeof(data), 0, __stack.__buf, &socklen);
859 	_exit(EX_SOFTWARE);	/* Should have aborted. */
860 
861 monitor:
862 	while (waitpid(__child, &__status, 0) != __child) {
863 		ATF_REQUIRE_EQ(EINTR, errno);
864 	}
865 
866 	if (!WIFSIGNALED(__status)) {
867 		switch (WEXITSTATUS(__status)) {
868 		case EX_SOFTWARE:
869 			atf_tc_fail("FORTIFY_SOURCE failed to abort");
870 			break;
871 		case EX_OSERR:
872 			atf_tc_fail("setrlimit(2) failed");
873 			break;
874 		default:
875 			atf_tc_fail("child exited with status %d",
876 			    WEXITSTATUS(__status));
877 		}
878 	} else {
879 		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
880 	}
881 #undef BUF
882 
883 }
884 
885 ATF_TC_WITHOUT_HEAD(recvmsg_msg_name_before_end);
ATF_TC_BODY(recvmsg_msg_name_before_end,tc)886 ATF_TC_BODY(recvmsg_msg_name_before_end, tc)
887 {
888 #define BUF &__stack.__buf
889 	struct {
890 		uint8_t padding_l;
891 		struct sockaddr __buf;
892 		uint8_t padding_r;
893 	} __stack;
894 	const size_t __bufsz __unused = sizeof(__stack.__buf);
895 	const size_t __len = sizeof(struct sockaddr) - 1;
896 	const size_t __idx __unused = __len - 1;
897 	int sock[2] = { -1, -1 };
898 	struct msghdr msg;
899 
900 	memset(&msg, 0, sizeof(msg));
901 	msg.msg_name = BUF;
902 	msg.msg_namelen = __len;
903 
904 	recvmsg(sock[0], &msg, 0);
905 #undef BUF
906 
907 }
908 
909 ATF_TC_WITHOUT_HEAD(recvmsg_msg_name_end);
ATF_TC_BODY(recvmsg_msg_name_end,tc)910 ATF_TC_BODY(recvmsg_msg_name_end, tc)
911 {
912 #define BUF &__stack.__buf
913 	struct {
914 		uint8_t padding_l;
915 		struct sockaddr __buf;
916 		uint8_t padding_r;
917 	} __stack;
918 	const size_t __bufsz __unused = sizeof(__stack.__buf);
919 	const size_t __len = sizeof(struct sockaddr);
920 	const size_t __idx __unused = __len - 1;
921 	int sock[2] = { -1, -1 };
922 	struct msghdr msg;
923 
924 	memset(&msg, 0, sizeof(msg));
925 	msg.msg_name = BUF;
926 	msg.msg_namelen = __len;
927 
928 	recvmsg(sock[0], &msg, 0);
929 #undef BUF
930 
931 }
932 
933 ATF_TC_WITHOUT_HEAD(recvmsg_msg_name_heap_before_end);
ATF_TC_BODY(recvmsg_msg_name_heap_before_end,tc)934 ATF_TC_BODY(recvmsg_msg_name_heap_before_end, tc)
935 {
936 #define BUF __stack.__buf
937 	struct {
938 		uint8_t padding_l;
939 		struct sockaddr * __buf;
940 		uint8_t padding_r;
941 	} __stack;
942 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
943 	const size_t __len = sizeof(struct sockaddr) - 1;
944 	const size_t __idx __unused = __len - 1;
945 	int sock[2] = { -1, -1 };
946 	struct msghdr msg;
947 
948 	__stack.__buf = malloc(__bufsz);
949 	memset(&msg, 0, sizeof(msg));
950 	msg.msg_name = BUF;
951 	msg.msg_namelen = __len;
952 
953 	recvmsg(sock[0], &msg, 0);
954 #undef BUF
955 
956 }
957 
958 ATF_TC_WITHOUT_HEAD(recvmsg_msg_name_heap_end);
ATF_TC_BODY(recvmsg_msg_name_heap_end,tc)959 ATF_TC_BODY(recvmsg_msg_name_heap_end, tc)
960 {
961 #define BUF __stack.__buf
962 	struct {
963 		uint8_t padding_l;
964 		struct sockaddr * __buf;
965 		uint8_t padding_r;
966 	} __stack;
967 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
968 	const size_t __len = sizeof(struct sockaddr);
969 	const size_t __idx __unused = __len - 1;
970 	int sock[2] = { -1, -1 };
971 	struct msghdr msg;
972 
973 	__stack.__buf = malloc(__bufsz);
974 	memset(&msg, 0, sizeof(msg));
975 	msg.msg_name = BUF;
976 	msg.msg_namelen = __len;
977 
978 	recvmsg(sock[0], &msg, 0);
979 #undef BUF
980 
981 }
982 
983 ATF_TC_WITHOUT_HEAD(recvmsg_msg_name_heap_after_end);
ATF_TC_BODY(recvmsg_msg_name_heap_after_end,tc)984 ATF_TC_BODY(recvmsg_msg_name_heap_after_end, tc)
985 {
986 #define BUF __stack.__buf
987 	struct {
988 		uint8_t padding_l;
989 		struct sockaddr * __buf;
990 		uint8_t padding_r;
991 	} __stack;
992 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
993 	const size_t __len = sizeof(struct sockaddr) + 1;
994 	const size_t __idx __unused = __len - 1;
995 	pid_t __child;
996 	int __status;
997 	int sock[2] = { -1, -1 };
998 	struct msghdr msg;
999 
1000 	__child = fork();
1001 	ATF_REQUIRE(__child >= 0);
1002 	if (__child > 0)
1003 		goto monitor;
1004 
1005 	/* Child */
1006 	disable_coredumps();
1007 	__stack.__buf = malloc(__bufsz);
1008 	memset(&msg, 0, sizeof(msg));
1009 	msg.msg_name = BUF;
1010 	msg.msg_namelen = __len;
1011 
1012 	recvmsg(sock[0], &msg, 0);
1013 	_exit(EX_SOFTWARE);	/* Should have aborted. */
1014 
1015 monitor:
1016 	while (waitpid(__child, &__status, 0) != __child) {
1017 		ATF_REQUIRE_EQ(EINTR, errno);
1018 	}
1019 
1020 	if (!WIFSIGNALED(__status)) {
1021 		switch (WEXITSTATUS(__status)) {
1022 		case EX_SOFTWARE:
1023 			atf_tc_fail("FORTIFY_SOURCE failed to abort");
1024 			break;
1025 		case EX_OSERR:
1026 			atf_tc_fail("setrlimit(2) failed");
1027 			break;
1028 		default:
1029 			atf_tc_fail("child exited with status %d",
1030 			    WEXITSTATUS(__status));
1031 		}
1032 	} else {
1033 		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1034 	}
1035 #undef BUF
1036 
1037 }
1038 
1039 ATF_TC_WITHOUT_HEAD(recvmsg_msg_iov_before_end);
ATF_TC_BODY(recvmsg_msg_iov_before_end,tc)1040 ATF_TC_BODY(recvmsg_msg_iov_before_end, tc)
1041 {
1042 #define BUF &__stack.__buf
1043 	struct {
1044 		uint8_t padding_l;
1045 		unsigned char __buf[42];
1046 		uint8_t padding_r;
1047 	} __stack;
1048 	const size_t __bufsz __unused = sizeof(__stack.__buf);
1049 	const size_t __len = 42 - 1;
1050 	const size_t __idx __unused = __len - 1;
1051 	int sock[2] = { -1, -1 };
1052 	struct msghdr msg;
1053 	struct iovec iov[2];
1054 
1055 	memset(&msg, 0, sizeof(msg));
1056 	memset(&iov[0], 0, sizeof(iov));
1057 
1058 	/*
1059 	 * We position the buffer second just so that we can confirm that the
1060 	 * fortification bits are traversing the iovec correctly.
1061 	 */
1062 	iov[1].iov_base = BUF;
1063 	iov[1].iov_len = __len;
1064 
1065 	msg.msg_iov = &iov[0];
1066 	msg.msg_iovlen = nitems(iov);
1067 
1068 	recvmsg(sock[0], &msg, 0);
1069 #undef BUF
1070 
1071 }
1072 
1073 ATF_TC_WITHOUT_HEAD(recvmsg_msg_iov_end);
ATF_TC_BODY(recvmsg_msg_iov_end,tc)1074 ATF_TC_BODY(recvmsg_msg_iov_end, tc)
1075 {
1076 #define BUF &__stack.__buf
1077 	struct {
1078 		uint8_t padding_l;
1079 		unsigned char __buf[42];
1080 		uint8_t padding_r;
1081 	} __stack;
1082 	const size_t __bufsz __unused = sizeof(__stack.__buf);
1083 	const size_t __len = 42;
1084 	const size_t __idx __unused = __len - 1;
1085 	int sock[2] = { -1, -1 };
1086 	struct msghdr msg;
1087 	struct iovec iov[2];
1088 
1089 	memset(&msg, 0, sizeof(msg));
1090 	memset(&iov[0], 0, sizeof(iov));
1091 
1092 	/*
1093 	 * We position the buffer second just so that we can confirm that the
1094 	 * fortification bits are traversing the iovec correctly.
1095 	 */
1096 	iov[1].iov_base = BUF;
1097 	iov[1].iov_len = __len;
1098 
1099 	msg.msg_iov = &iov[0];
1100 	msg.msg_iovlen = nitems(iov);
1101 
1102 	recvmsg(sock[0], &msg, 0);
1103 #undef BUF
1104 
1105 }
1106 
1107 ATF_TC_WITHOUT_HEAD(recvmsg_msg_iov_heap_before_end);
ATF_TC_BODY(recvmsg_msg_iov_heap_before_end,tc)1108 ATF_TC_BODY(recvmsg_msg_iov_heap_before_end, tc)
1109 {
1110 #define BUF __stack.__buf
1111 	struct {
1112 		uint8_t padding_l;
1113 		unsigned char * __buf;
1114 		uint8_t padding_r;
1115 	} __stack;
1116 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1117 	const size_t __len = 42 - 1;
1118 	const size_t __idx __unused = __len - 1;
1119 	int sock[2] = { -1, -1 };
1120 	struct msghdr msg;
1121 	struct iovec iov[2];
1122 
1123 	__stack.__buf = malloc(__bufsz);
1124 	memset(&msg, 0, sizeof(msg));
1125 	memset(&iov[0], 0, sizeof(iov));
1126 
1127 	/*
1128 	 * We position the buffer second just so that we can confirm that the
1129 	 * fortification bits are traversing the iovec correctly.
1130 	 */
1131 	iov[1].iov_base = BUF;
1132 	iov[1].iov_len = __len;
1133 
1134 	msg.msg_iov = &iov[0];
1135 	msg.msg_iovlen = nitems(iov);
1136 
1137 	recvmsg(sock[0], &msg, 0);
1138 #undef BUF
1139 
1140 }
1141 
1142 ATF_TC_WITHOUT_HEAD(recvmsg_msg_iov_heap_end);
ATF_TC_BODY(recvmsg_msg_iov_heap_end,tc)1143 ATF_TC_BODY(recvmsg_msg_iov_heap_end, tc)
1144 {
1145 #define BUF __stack.__buf
1146 	struct {
1147 		uint8_t padding_l;
1148 		unsigned char * __buf;
1149 		uint8_t padding_r;
1150 	} __stack;
1151 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1152 	const size_t __len = 42;
1153 	const size_t __idx __unused = __len - 1;
1154 	int sock[2] = { -1, -1 };
1155 	struct msghdr msg;
1156 	struct iovec iov[2];
1157 
1158 	__stack.__buf = malloc(__bufsz);
1159 	memset(&msg, 0, sizeof(msg));
1160 	memset(&iov[0], 0, sizeof(iov));
1161 
1162 	/*
1163 	 * We position the buffer second just so that we can confirm that the
1164 	 * fortification bits are traversing the iovec correctly.
1165 	 */
1166 	iov[1].iov_base = BUF;
1167 	iov[1].iov_len = __len;
1168 
1169 	msg.msg_iov = &iov[0];
1170 	msg.msg_iovlen = nitems(iov);
1171 
1172 	recvmsg(sock[0], &msg, 0);
1173 #undef BUF
1174 
1175 }
1176 
1177 ATF_TC_WITHOUT_HEAD(recvmsg_msg_iov_heap_after_end);
ATF_TC_BODY(recvmsg_msg_iov_heap_after_end,tc)1178 ATF_TC_BODY(recvmsg_msg_iov_heap_after_end, tc)
1179 {
1180 #define BUF __stack.__buf
1181 	struct {
1182 		uint8_t padding_l;
1183 		unsigned char * __buf;
1184 		uint8_t padding_r;
1185 	} __stack;
1186 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1187 	const size_t __len = 42 + 1;
1188 	const size_t __idx __unused = __len - 1;
1189 	pid_t __child;
1190 	int __status;
1191 	int sock[2] = { -1, -1 };
1192 	struct msghdr msg;
1193 	struct iovec iov[2];
1194 
1195 	__child = fork();
1196 	ATF_REQUIRE(__child >= 0);
1197 	if (__child > 0)
1198 		goto monitor;
1199 
1200 	/* Child */
1201 	disable_coredumps();
1202 	__stack.__buf = malloc(__bufsz);
1203 	memset(&msg, 0, sizeof(msg));
1204 	memset(&iov[0], 0, sizeof(iov));
1205 
1206 	/*
1207 	 * We position the buffer second just so that we can confirm that the
1208 	 * fortification bits are traversing the iovec correctly.
1209 	 */
1210 	iov[1].iov_base = BUF;
1211 	iov[1].iov_len = __len;
1212 
1213 	msg.msg_iov = &iov[0];
1214 	msg.msg_iovlen = nitems(iov);
1215 
1216 	recvmsg(sock[0], &msg, 0);
1217 	_exit(EX_SOFTWARE);	/* Should have aborted. */
1218 
1219 monitor:
1220 	while (waitpid(__child, &__status, 0) != __child) {
1221 		ATF_REQUIRE_EQ(EINTR, errno);
1222 	}
1223 
1224 	if (!WIFSIGNALED(__status)) {
1225 		switch (WEXITSTATUS(__status)) {
1226 		case EX_SOFTWARE:
1227 			atf_tc_fail("FORTIFY_SOURCE failed to abort");
1228 			break;
1229 		case EX_OSERR:
1230 			atf_tc_fail("setrlimit(2) failed");
1231 			break;
1232 		default:
1233 			atf_tc_fail("child exited with status %d",
1234 			    WEXITSTATUS(__status));
1235 		}
1236 	} else {
1237 		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1238 	}
1239 #undef BUF
1240 
1241 }
1242 
1243 ATF_TC_WITHOUT_HEAD(recvmsg_msg_control_before_end);
ATF_TC_BODY(recvmsg_msg_control_before_end,tc)1244 ATF_TC_BODY(recvmsg_msg_control_before_end, tc)
1245 {
1246 #define BUF &__stack.__buf
1247 	struct {
1248 		uint8_t padding_l;
1249 		unsigned char __buf[CMSG_SPACE(sizeof(int))];
1250 		uint8_t padding_r;
1251 	} __stack;
1252 	const size_t __bufsz __unused = sizeof(__stack.__buf);
1253 	const size_t __len = CMSG_SPACE(sizeof(int)) - 1;
1254 	const size_t __idx __unused = __len - 1;
1255 	int sock[2] = { -1, -1 };
1256 	struct msghdr msg;
1257 
1258 	memset(&msg, 0, sizeof(msg));
1259 
1260 	msg.msg_control = BUF;
1261 	msg.msg_controllen = __len;
1262 
1263 	recvmsg(sock[0], &msg, 0);
1264 #undef BUF
1265 
1266 }
1267 
1268 ATF_TC_WITHOUT_HEAD(recvmsg_msg_control_end);
ATF_TC_BODY(recvmsg_msg_control_end,tc)1269 ATF_TC_BODY(recvmsg_msg_control_end, tc)
1270 {
1271 #define BUF &__stack.__buf
1272 	struct {
1273 		uint8_t padding_l;
1274 		unsigned char __buf[CMSG_SPACE(sizeof(int))];
1275 		uint8_t padding_r;
1276 	} __stack;
1277 	const size_t __bufsz __unused = sizeof(__stack.__buf);
1278 	const size_t __len = CMSG_SPACE(sizeof(int));
1279 	const size_t __idx __unused = __len - 1;
1280 	int sock[2] = { -1, -1 };
1281 	struct msghdr msg;
1282 
1283 	memset(&msg, 0, sizeof(msg));
1284 
1285 	msg.msg_control = BUF;
1286 	msg.msg_controllen = __len;
1287 
1288 	recvmsg(sock[0], &msg, 0);
1289 #undef BUF
1290 
1291 }
1292 
1293 ATF_TC_WITHOUT_HEAD(recvmsg_msg_control_heap_before_end);
ATF_TC_BODY(recvmsg_msg_control_heap_before_end,tc)1294 ATF_TC_BODY(recvmsg_msg_control_heap_before_end, tc)
1295 {
1296 #define BUF __stack.__buf
1297 	struct {
1298 		uint8_t padding_l;
1299 		unsigned char * __buf;
1300 		uint8_t padding_r;
1301 	} __stack;
1302 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (CMSG_SPACE(sizeof(int)));
1303 	const size_t __len = CMSG_SPACE(sizeof(int)) - 1;
1304 	const size_t __idx __unused = __len - 1;
1305 	int sock[2] = { -1, -1 };
1306 	struct msghdr msg;
1307 
1308 	__stack.__buf = malloc(__bufsz);
1309 	memset(&msg, 0, sizeof(msg));
1310 
1311 	msg.msg_control = BUF;
1312 	msg.msg_controllen = __len;
1313 
1314 	recvmsg(sock[0], &msg, 0);
1315 #undef BUF
1316 
1317 }
1318 
1319 ATF_TC_WITHOUT_HEAD(recvmsg_msg_control_heap_end);
ATF_TC_BODY(recvmsg_msg_control_heap_end,tc)1320 ATF_TC_BODY(recvmsg_msg_control_heap_end, tc)
1321 {
1322 #define BUF __stack.__buf
1323 	struct {
1324 		uint8_t padding_l;
1325 		unsigned char * __buf;
1326 		uint8_t padding_r;
1327 	} __stack;
1328 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (CMSG_SPACE(sizeof(int)));
1329 	const size_t __len = CMSG_SPACE(sizeof(int));
1330 	const size_t __idx __unused = __len - 1;
1331 	int sock[2] = { -1, -1 };
1332 	struct msghdr msg;
1333 
1334 	__stack.__buf = malloc(__bufsz);
1335 	memset(&msg, 0, sizeof(msg));
1336 
1337 	msg.msg_control = BUF;
1338 	msg.msg_controllen = __len;
1339 
1340 	recvmsg(sock[0], &msg, 0);
1341 #undef BUF
1342 
1343 }
1344 
1345 ATF_TC_WITHOUT_HEAD(recvmsg_msg_control_heap_after_end);
ATF_TC_BODY(recvmsg_msg_control_heap_after_end,tc)1346 ATF_TC_BODY(recvmsg_msg_control_heap_after_end, tc)
1347 {
1348 #define BUF __stack.__buf
1349 	struct {
1350 		uint8_t padding_l;
1351 		unsigned char * __buf;
1352 		uint8_t padding_r;
1353 	} __stack;
1354 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (CMSG_SPACE(sizeof(int)));
1355 	const size_t __len = CMSG_SPACE(sizeof(int)) + 1;
1356 	const size_t __idx __unused = __len - 1;
1357 	pid_t __child;
1358 	int __status;
1359 	int sock[2] = { -1, -1 };
1360 	struct msghdr msg;
1361 
1362 	__child = fork();
1363 	ATF_REQUIRE(__child >= 0);
1364 	if (__child > 0)
1365 		goto monitor;
1366 
1367 	/* Child */
1368 	disable_coredumps();
1369 	__stack.__buf = malloc(__bufsz);
1370 	memset(&msg, 0, sizeof(msg));
1371 
1372 	msg.msg_control = BUF;
1373 	msg.msg_controllen = __len;
1374 
1375 	recvmsg(sock[0], &msg, 0);
1376 	_exit(EX_SOFTWARE);	/* Should have aborted. */
1377 
1378 monitor:
1379 	while (waitpid(__child, &__status, 0) != __child) {
1380 		ATF_REQUIRE_EQ(EINTR, errno);
1381 	}
1382 
1383 	if (!WIFSIGNALED(__status)) {
1384 		switch (WEXITSTATUS(__status)) {
1385 		case EX_SOFTWARE:
1386 			atf_tc_fail("FORTIFY_SOURCE failed to abort");
1387 			break;
1388 		case EX_OSERR:
1389 			atf_tc_fail("setrlimit(2) failed");
1390 			break;
1391 		default:
1392 			atf_tc_fail("child exited with status %d",
1393 			    WEXITSTATUS(__status));
1394 		}
1395 	} else {
1396 		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1397 	}
1398 #undef BUF
1399 
1400 }
1401 
1402 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_before_end);
ATF_TC_BODY(recvmmsg_msgvec_before_end,tc)1403 ATF_TC_BODY(recvmmsg_msgvec_before_end, tc)
1404 {
1405 #define BUF &__stack.__buf
1406 	struct {
1407 		uint8_t padding_l;
1408 		struct mmsghdr __buf[2];
1409 		uint8_t padding_r;
1410 	} __stack;
1411 	const size_t __bufsz __unused = sizeof(__stack.__buf);
1412 	const size_t __len = 2 - 1;
1413 	const size_t __idx __unused = __len - 1;
1414 	int sock[2] = { -1, -1 };
1415 
1416 	recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1417 #undef BUF
1418 
1419 }
1420 
1421 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_end);
ATF_TC_BODY(recvmmsg_msgvec_end,tc)1422 ATF_TC_BODY(recvmmsg_msgvec_end, tc)
1423 {
1424 #define BUF &__stack.__buf
1425 	struct {
1426 		uint8_t padding_l;
1427 		struct mmsghdr __buf[2];
1428 		uint8_t padding_r;
1429 	} __stack;
1430 	const size_t __bufsz __unused = sizeof(__stack.__buf);
1431 	const size_t __len = 2;
1432 	const size_t __idx __unused = __len - 1;
1433 	int sock[2] = { -1, -1 };
1434 
1435 	recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1436 #undef BUF
1437 
1438 }
1439 
1440 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_after_end);
ATF_TC_BODY(recvmmsg_msgvec_after_end,tc)1441 ATF_TC_BODY(recvmmsg_msgvec_after_end, tc)
1442 {
1443 #define BUF &__stack.__buf
1444 	struct {
1445 		uint8_t padding_l;
1446 		struct mmsghdr __buf[2];
1447 		uint8_t padding_r;
1448 	} __stack;
1449 	const size_t __bufsz __unused = sizeof(__stack.__buf);
1450 	const size_t __len = 2 + 1;
1451 	const size_t __idx __unused = __len - 1;
1452 	pid_t __child;
1453 	int __status;
1454 	int sock[2] = { -1, -1 };
1455 
1456 	__child = fork();
1457 	ATF_REQUIRE(__child >= 0);
1458 	if (__child > 0)
1459 		goto monitor;
1460 
1461 	/* Child */
1462 	disable_coredumps();
1463 	recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1464 	_exit(EX_SOFTWARE);	/* Should have aborted. */
1465 
1466 monitor:
1467 	while (waitpid(__child, &__status, 0) != __child) {
1468 		ATF_REQUIRE_EQ(EINTR, errno);
1469 	}
1470 
1471 	if (!WIFSIGNALED(__status)) {
1472 		switch (WEXITSTATUS(__status)) {
1473 		case EX_SOFTWARE:
1474 			atf_tc_fail("FORTIFY_SOURCE failed to abort");
1475 			break;
1476 		case EX_OSERR:
1477 			atf_tc_fail("setrlimit(2) failed");
1478 			break;
1479 		default:
1480 			atf_tc_fail("child exited with status %d",
1481 			    WEXITSTATUS(__status));
1482 		}
1483 	} else {
1484 		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1485 	}
1486 #undef BUF
1487 
1488 }
1489 
1490 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_heap_before_end);
ATF_TC_BODY(recvmmsg_msgvec_heap_before_end,tc)1491 ATF_TC_BODY(recvmmsg_msgvec_heap_before_end, tc)
1492 {
1493 #define BUF __stack.__buf
1494 	struct {
1495 		uint8_t padding_l;
1496 		struct mmsghdr * __buf;
1497 		uint8_t padding_r;
1498 	} __stack;
1499 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (2);
1500 	const size_t __len = 2 - 1;
1501 	const size_t __idx __unused = __len - 1;
1502 	int sock[2] = { -1, -1 };
1503 
1504 	__stack.__buf = malloc(__bufsz);
1505 
1506 	recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1507 #undef BUF
1508 
1509 }
1510 
1511 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_heap_end);
ATF_TC_BODY(recvmmsg_msgvec_heap_end,tc)1512 ATF_TC_BODY(recvmmsg_msgvec_heap_end, tc)
1513 {
1514 #define BUF __stack.__buf
1515 	struct {
1516 		uint8_t padding_l;
1517 		struct mmsghdr * __buf;
1518 		uint8_t padding_r;
1519 	} __stack;
1520 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (2);
1521 	const size_t __len = 2;
1522 	const size_t __idx __unused = __len - 1;
1523 	int sock[2] = { -1, -1 };
1524 
1525 	__stack.__buf = malloc(__bufsz);
1526 
1527 	recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1528 #undef BUF
1529 
1530 }
1531 
1532 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_heap_after_end);
ATF_TC_BODY(recvmmsg_msgvec_heap_after_end,tc)1533 ATF_TC_BODY(recvmmsg_msgvec_heap_after_end, tc)
1534 {
1535 #define BUF __stack.__buf
1536 	struct {
1537 		uint8_t padding_l;
1538 		struct mmsghdr * __buf;
1539 		uint8_t padding_r;
1540 	} __stack;
1541 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (2);
1542 	const size_t __len = 2 + 1;
1543 	const size_t __idx __unused = __len - 1;
1544 	pid_t __child;
1545 	int __status;
1546 	int sock[2] = { -1, -1 };
1547 
1548 	__child = fork();
1549 	ATF_REQUIRE(__child >= 0);
1550 	if (__child > 0)
1551 		goto monitor;
1552 
1553 	/* Child */
1554 	disable_coredumps();
1555 	__stack.__buf = malloc(__bufsz);
1556 
1557 	recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1558 	_exit(EX_SOFTWARE);	/* Should have aborted. */
1559 
1560 monitor:
1561 	while (waitpid(__child, &__status, 0) != __child) {
1562 		ATF_REQUIRE_EQ(EINTR, errno);
1563 	}
1564 
1565 	if (!WIFSIGNALED(__status)) {
1566 		switch (WEXITSTATUS(__status)) {
1567 		case EX_SOFTWARE:
1568 			atf_tc_fail("FORTIFY_SOURCE failed to abort");
1569 			break;
1570 		case EX_OSERR:
1571 			atf_tc_fail("setrlimit(2) failed");
1572 			break;
1573 		default:
1574 			atf_tc_fail("child exited with status %d",
1575 			    WEXITSTATUS(__status));
1576 		}
1577 	} else {
1578 		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1579 	}
1580 #undef BUF
1581 
1582 }
1583 
1584 ATF_TC_WITHOUT_HEAD(recvmmsg_msghdr_before_end);
ATF_TC_BODY(recvmmsg_msghdr_before_end,tc)1585 ATF_TC_BODY(recvmmsg_msghdr_before_end, tc)
1586 {
1587 #define BUF &__stack.__buf
1588 	struct {
1589 		uint8_t padding_l;
1590 		unsigned char __buf[42];
1591 		uint8_t padding_r;
1592 	} __stack;
1593 	const size_t __bufsz __unused = sizeof(__stack.__buf);
1594 	const size_t __len = 42 - 1;
1595 	const size_t __idx __unused = __len - 1;
1596 	int sock[2] = { -1, -1 };
1597 	struct mmsghdr msgvec[2];
1598 
1599 	memset(&msgvec[0], 0, sizeof(msgvec));
1600 
1601 	/*
1602 	 * Same as above, make sure fortification isn't ignoring n > 1 elements
1603 	 * of the msgvec.
1604 	 */
1605 	msgvec[1].msg_hdr.msg_control = BUF;
1606 	msgvec[1].msg_hdr.msg_controllen = __len;
1607 
1608 	recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL);
1609 #undef BUF
1610 
1611 }
1612 
1613 ATF_TC_WITHOUT_HEAD(recvmmsg_msghdr_end);
ATF_TC_BODY(recvmmsg_msghdr_end,tc)1614 ATF_TC_BODY(recvmmsg_msghdr_end, tc)
1615 {
1616 #define BUF &__stack.__buf
1617 	struct {
1618 		uint8_t padding_l;
1619 		unsigned char __buf[42];
1620 		uint8_t padding_r;
1621 	} __stack;
1622 	const size_t __bufsz __unused = sizeof(__stack.__buf);
1623 	const size_t __len = 42;
1624 	const size_t __idx __unused = __len - 1;
1625 	int sock[2] = { -1, -1 };
1626 	struct mmsghdr msgvec[2];
1627 
1628 	memset(&msgvec[0], 0, sizeof(msgvec));
1629 
1630 	/*
1631 	 * Same as above, make sure fortification isn't ignoring n > 1 elements
1632 	 * of the msgvec.
1633 	 */
1634 	msgvec[1].msg_hdr.msg_control = BUF;
1635 	msgvec[1].msg_hdr.msg_controllen = __len;
1636 
1637 	recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL);
1638 #undef BUF
1639 
1640 }
1641 
1642 ATF_TC_WITHOUT_HEAD(recvmmsg_msghdr_heap_before_end);
ATF_TC_BODY(recvmmsg_msghdr_heap_before_end,tc)1643 ATF_TC_BODY(recvmmsg_msghdr_heap_before_end, tc)
1644 {
1645 #define BUF __stack.__buf
1646 	struct {
1647 		uint8_t padding_l;
1648 		unsigned char * __buf;
1649 		uint8_t padding_r;
1650 	} __stack;
1651 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1652 	const size_t __len = 42 - 1;
1653 	const size_t __idx __unused = __len - 1;
1654 	int sock[2] = { -1, -1 };
1655 	struct mmsghdr msgvec[2];
1656 
1657 	__stack.__buf = malloc(__bufsz);
1658 	memset(&msgvec[0], 0, sizeof(msgvec));
1659 
1660 	/*
1661 	 * Same as above, make sure fortification isn't ignoring n > 1 elements
1662 	 * of the msgvec.
1663 	 */
1664 	msgvec[1].msg_hdr.msg_control = BUF;
1665 	msgvec[1].msg_hdr.msg_controllen = __len;
1666 
1667 	recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL);
1668 #undef BUF
1669 
1670 }
1671 
1672 ATF_TC_WITHOUT_HEAD(recvmmsg_msghdr_heap_end);
ATF_TC_BODY(recvmmsg_msghdr_heap_end,tc)1673 ATF_TC_BODY(recvmmsg_msghdr_heap_end, tc)
1674 {
1675 #define BUF __stack.__buf
1676 	struct {
1677 		uint8_t padding_l;
1678 		unsigned char * __buf;
1679 		uint8_t padding_r;
1680 	} __stack;
1681 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1682 	const size_t __len = 42;
1683 	const size_t __idx __unused = __len - 1;
1684 	int sock[2] = { -1, -1 };
1685 	struct mmsghdr msgvec[2];
1686 
1687 	__stack.__buf = malloc(__bufsz);
1688 	memset(&msgvec[0], 0, sizeof(msgvec));
1689 
1690 	/*
1691 	 * Same as above, make sure fortification isn't ignoring n > 1 elements
1692 	 * of the msgvec.
1693 	 */
1694 	msgvec[1].msg_hdr.msg_control = BUF;
1695 	msgvec[1].msg_hdr.msg_controllen = __len;
1696 
1697 	recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL);
1698 #undef BUF
1699 
1700 }
1701 
1702 ATF_TC_WITHOUT_HEAD(recvmmsg_msghdr_heap_after_end);
ATF_TC_BODY(recvmmsg_msghdr_heap_after_end,tc)1703 ATF_TC_BODY(recvmmsg_msghdr_heap_after_end, tc)
1704 {
1705 #define BUF __stack.__buf
1706 	struct {
1707 		uint8_t padding_l;
1708 		unsigned char * __buf;
1709 		uint8_t padding_r;
1710 	} __stack;
1711 	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1712 	const size_t __len = 42 + 1;
1713 	const size_t __idx __unused = __len - 1;
1714 	pid_t __child;
1715 	int __status;
1716 	int sock[2] = { -1, -1 };
1717 	struct mmsghdr msgvec[2];
1718 
1719 	__child = fork();
1720 	ATF_REQUIRE(__child >= 0);
1721 	if (__child > 0)
1722 		goto monitor;
1723 
1724 	/* Child */
1725 	disable_coredumps();
1726 	__stack.__buf = malloc(__bufsz);
1727 	memset(&msgvec[0], 0, sizeof(msgvec));
1728 
1729 	/*
1730 	 * Same as above, make sure fortification isn't ignoring n > 1 elements
1731 	 * of the msgvec.
1732 	 */
1733 	msgvec[1].msg_hdr.msg_control = BUF;
1734 	msgvec[1].msg_hdr.msg_controllen = __len;
1735 
1736 	recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL);
1737 	_exit(EX_SOFTWARE);	/* Should have aborted. */
1738 
1739 monitor:
1740 	while (waitpid(__child, &__status, 0) != __child) {
1741 		ATF_REQUIRE_EQ(EINTR, errno);
1742 	}
1743 
1744 	if (!WIFSIGNALED(__status)) {
1745 		switch (WEXITSTATUS(__status)) {
1746 		case EX_SOFTWARE:
1747 			atf_tc_fail("FORTIFY_SOURCE failed to abort");
1748 			break;
1749 		case EX_OSERR:
1750 			atf_tc_fail("setrlimit(2) failed");
1751 			break;
1752 		default:
1753 			atf_tc_fail("child exited with status %d",
1754 			    WEXITSTATUS(__status));
1755 		}
1756 	} else {
1757 		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1758 	}
1759 #undef BUF
1760 
1761 }
1762 
ATF_TP_ADD_TCS(tp)1763 ATF_TP_ADD_TCS(tp)
1764 {
1765 	ATF_TP_ADD_TC(tp, getpeername_before_end);
1766 	ATF_TP_ADD_TC(tp, getpeername_end);
1767 	ATF_TP_ADD_TC(tp, getpeername_heap_before_end);
1768 	ATF_TP_ADD_TC(tp, getpeername_heap_end);
1769 	ATF_TP_ADD_TC(tp, getpeername_heap_after_end);
1770 	ATF_TP_ADD_TC(tp, getsockname_before_end);
1771 	ATF_TP_ADD_TC(tp, getsockname_end);
1772 	ATF_TP_ADD_TC(tp, getsockname_heap_before_end);
1773 	ATF_TP_ADD_TC(tp, getsockname_heap_end);
1774 	ATF_TP_ADD_TC(tp, getsockname_heap_after_end);
1775 	ATF_TP_ADD_TC(tp, recv_before_end);
1776 	ATF_TP_ADD_TC(tp, recv_end);
1777 	ATF_TP_ADD_TC(tp, recv_heap_before_end);
1778 	ATF_TP_ADD_TC(tp, recv_heap_end);
1779 	ATF_TP_ADD_TC(tp, recv_heap_after_end);
1780 	ATF_TP_ADD_TC(tp, recvfrom_before_end);
1781 	ATF_TP_ADD_TC(tp, recvfrom_end);
1782 	ATF_TP_ADD_TC(tp, recvfrom_heap_before_end);
1783 	ATF_TP_ADD_TC(tp, recvfrom_heap_end);
1784 	ATF_TP_ADD_TC(tp, recvfrom_heap_after_end);
1785 	ATF_TP_ADD_TC(tp, recvfrom_sockaddr_before_end);
1786 	ATF_TP_ADD_TC(tp, recvfrom_sockaddr_end);
1787 	ATF_TP_ADD_TC(tp, recvfrom_sockaddr_heap_before_end);
1788 	ATF_TP_ADD_TC(tp, recvfrom_sockaddr_heap_end);
1789 	ATF_TP_ADD_TC(tp, recvfrom_sockaddr_heap_after_end);
1790 	ATF_TP_ADD_TC(tp, recvmsg_msg_name_before_end);
1791 	ATF_TP_ADD_TC(tp, recvmsg_msg_name_end);
1792 	ATF_TP_ADD_TC(tp, recvmsg_msg_name_heap_before_end);
1793 	ATF_TP_ADD_TC(tp, recvmsg_msg_name_heap_end);
1794 	ATF_TP_ADD_TC(tp, recvmsg_msg_name_heap_after_end);
1795 	ATF_TP_ADD_TC(tp, recvmsg_msg_iov_before_end);
1796 	ATF_TP_ADD_TC(tp, recvmsg_msg_iov_end);
1797 	ATF_TP_ADD_TC(tp, recvmsg_msg_iov_heap_before_end);
1798 	ATF_TP_ADD_TC(tp, recvmsg_msg_iov_heap_end);
1799 	ATF_TP_ADD_TC(tp, recvmsg_msg_iov_heap_after_end);
1800 	ATF_TP_ADD_TC(tp, recvmsg_msg_control_before_end);
1801 	ATF_TP_ADD_TC(tp, recvmsg_msg_control_end);
1802 	ATF_TP_ADD_TC(tp, recvmsg_msg_control_heap_before_end);
1803 	ATF_TP_ADD_TC(tp, recvmsg_msg_control_heap_end);
1804 	ATF_TP_ADD_TC(tp, recvmsg_msg_control_heap_after_end);
1805 	ATF_TP_ADD_TC(tp, recvmmsg_msgvec_before_end);
1806 	ATF_TP_ADD_TC(tp, recvmmsg_msgvec_end);
1807 	ATF_TP_ADD_TC(tp, recvmmsg_msgvec_after_end);
1808 	ATF_TP_ADD_TC(tp, recvmmsg_msgvec_heap_before_end);
1809 	ATF_TP_ADD_TC(tp, recvmmsg_msgvec_heap_end);
1810 	ATF_TP_ADD_TC(tp, recvmmsg_msgvec_heap_after_end);
1811 	ATF_TP_ADD_TC(tp, recvmmsg_msghdr_before_end);
1812 	ATF_TP_ADD_TC(tp, recvmmsg_msghdr_end);
1813 	ATF_TP_ADD_TC(tp, recvmmsg_msghdr_heap_before_end);
1814 	ATF_TP_ADD_TC(tp, recvmmsg_msghdr_heap_end);
1815 	ATF_TP_ADD_TC(tp, recvmmsg_msghdr_heap_after_end);
1816 	return (atf_no_error());
1817 }
1818