1 /* @generated by `generate-fortify-tests.lua "socket"` */ 2 3 #define _FORTIFY_SOURCE 2 4 #define TMPFILE_SIZE (1024 * 32) 5 6 #include <sys/param.h> 7 #include <sys/random.h> 8 #include <sys/resource.h> 9 #include <sys/select.h> 10 #include <sys/socket.h> 11 #include <sys/time.h> 12 #include <sys/uio.h> 13 #include <sys/wait.h> 14 #include <dirent.h> 15 #include <errno.h> 16 #include <fcntl.h> 17 #include <limits.h> 18 #include <poll.h> 19 #include <signal.h> 20 #include <stdio.h> 21 #include <stdlib.h> 22 #include <string.h> 23 #include <strings.h> 24 #include <sysexits.h> 25 #include <unistd.h> 26 #include <wchar.h> 27 #include <atf-c.h> 28 29 static FILE * __unused 30 new_fp(size_t __len) 31 { 32 static char fpbuf[LINE_MAX]; 33 FILE *fp; 34 35 ATF_REQUIRE(__len <= sizeof(fpbuf)); 36 37 memset(fpbuf, 'A', sizeof(fpbuf) - 1); 38 fpbuf[sizeof(fpbuf) - 1] = '\0'; 39 40 fp = fmemopen(fpbuf, sizeof(fpbuf), "rb"); 41 ATF_REQUIRE(fp != NULL); 42 43 return (fp); 44 } 45 46 /* 47 * Create a new symlink to use for readlink(2) style tests, we'll just use a 48 * random target name to have something interesting to look at. 49 */ 50 static const char * __unused 51 new_symlink(size_t __len) 52 { 53 static const char linkname[] = "link"; 54 char target[MAXNAMLEN]; 55 int error; 56 57 ATF_REQUIRE(__len <= sizeof(target)); 58 59 arc4random_buf(target, sizeof(target)); 60 61 error = unlink(linkname); 62 ATF_REQUIRE(error == 0 || errno == ENOENT); 63 64 error = symlink(target, linkname); 65 ATF_REQUIRE(error == 0); 66 67 return (linkname); 68 } 69 70 /* 71 * For our purposes, first descriptor will be the reader; we'll send both 72 * raw data and a control message over it so that the result can be used for 73 * any of our recv*() tests. 74 */ 75 static void __unused 76 new_socket(int sock[2]) 77 { 78 unsigned char ctrl[CMSG_SPACE(sizeof(int))] = { 0 }; 79 static char sockbuf[256]; 80 ssize_t rv; 81 size_t total = 0; 82 struct msghdr hdr = { 0 }; 83 struct cmsghdr *cmsg; 84 int error, fd; 85 86 error = socketpair(AF_UNIX, SOCK_STREAM, 0, sock); 87 ATF_REQUIRE(error == 0); 88 89 while (total != sizeof(sockbuf)) { 90 rv = send(sock[1], &sockbuf[total], sizeof(sockbuf) - total, 0); 91 92 ATF_REQUIRE_MSG(rv > 0, 93 "expected bytes sent, got %zd with %zu left (size %zu, total %zu)", 94 rv, sizeof(sockbuf) - total, sizeof(sockbuf), total); 95 ATF_REQUIRE_MSG(total + (size_t)rv <= sizeof(sockbuf), 96 "%zd exceeds total %zu", rv, sizeof(sockbuf)); 97 total += rv; 98 } 99 100 hdr.msg_control = ctrl; 101 hdr.msg_controllen = sizeof(ctrl); 102 103 cmsg = CMSG_FIRSTHDR(&hdr); 104 cmsg->cmsg_level = SOL_SOCKET; 105 cmsg->cmsg_type = SCM_RIGHTS; 106 cmsg->cmsg_len = CMSG_LEN(sizeof(fd)); 107 fd = STDIN_FILENO; 108 memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd)); 109 110 error = sendmsg(sock[1], &hdr, 0); 111 ATF_REQUIRE(error != -1); 112 } 113 114 /* 115 * Constructs a tmpfile that we can use for testing read(2) and friends. 116 */ 117 static int __unused 118 new_tmpfile(void) 119 { 120 char buf[1024]; 121 ssize_t rv; 122 size_t written; 123 int fd; 124 125 fd = open("tmpfile", O_RDWR | O_CREAT | O_TRUNC, 0644); 126 ATF_REQUIRE(fd >= 0); 127 128 written = 0; 129 while (written < TMPFILE_SIZE) { 130 rv = write(fd, buf, sizeof(buf)); 131 ATF_REQUIRE(rv > 0); 132 133 written += rv; 134 } 135 136 ATF_REQUIRE_EQ(0, lseek(fd, 0, SEEK_SET)); 137 return (fd); 138 } 139 140 static void 141 disable_coredumps(void) 142 { 143 struct rlimit rl = { 0 }; 144 145 if (setrlimit(RLIMIT_CORE, &rl) == -1) 146 _exit(EX_OSERR); 147 } 148 149 /* 150 * Replaces stdin with a file that we can actually read from, for tests where 151 * we want a FILE * or fd that we can get data from. 152 */ 153 static void __unused 154 replace_stdin(void) 155 { 156 int fd; 157 158 fd = new_tmpfile(); 159 160 (void)dup2(fd, STDIN_FILENO); 161 if (fd != STDIN_FILENO) 162 close(fd); 163 } 164 165 ATF_TC_WITHOUT_HEAD(getpeername_before_end); 166 ATF_TC_BODY(getpeername_before_end, tc) 167 { 168 #define BUF &__stack.__buf 169 struct { 170 uint8_t padding_l; 171 struct sockaddr __buf; 172 uint8_t padding_r; 173 } __stack; 174 const size_t __bufsz __unused = sizeof(__stack.__buf); 175 const size_t __len = sizeof(struct sockaddr) - 1; 176 const size_t __idx __unused = __len - 1; 177 int sock[2] = { -1, -1 }; 178 socklen_t socklen; 179 new_socket(sock); 180 socklen = __len; 181 182 getpeername(sock[0], &__stack.__buf, &socklen); 183 #undef BUF 184 185 } 186 187 ATF_TC_WITHOUT_HEAD(getpeername_end); 188 ATF_TC_BODY(getpeername_end, tc) 189 { 190 #define BUF &__stack.__buf 191 struct { 192 uint8_t padding_l; 193 struct sockaddr __buf; 194 uint8_t padding_r; 195 } __stack; 196 const size_t __bufsz __unused = sizeof(__stack.__buf); 197 const size_t __len = sizeof(struct sockaddr); 198 const size_t __idx __unused = __len - 1; 199 int sock[2] = { -1, -1 }; 200 socklen_t socklen; 201 new_socket(sock); 202 socklen = __len; 203 204 getpeername(sock[0], &__stack.__buf, &socklen); 205 #undef BUF 206 207 } 208 209 ATF_TC_WITHOUT_HEAD(getpeername_heap_before_end); 210 ATF_TC_BODY(getpeername_heap_before_end, tc) 211 { 212 #define BUF __stack.__buf 213 struct { 214 uint8_t padding_l; 215 struct sockaddr * __buf; 216 uint8_t padding_r; 217 } __stack; 218 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 219 const size_t __len = sizeof(struct sockaddr) - 1; 220 const size_t __idx __unused = __len - 1; 221 int sock[2] = { -1, -1 }; 222 socklen_t socklen; 223 __stack.__buf = malloc(__bufsz); 224 new_socket(sock); 225 socklen = __len; 226 227 getpeername(sock[0], __stack.__buf, &socklen); 228 #undef BUF 229 230 } 231 232 ATF_TC_WITHOUT_HEAD(getpeername_heap_end); 233 ATF_TC_BODY(getpeername_heap_end, tc) 234 { 235 #define BUF __stack.__buf 236 struct { 237 uint8_t padding_l; 238 struct sockaddr * __buf; 239 uint8_t padding_r; 240 } __stack; 241 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 242 const size_t __len = sizeof(struct sockaddr); 243 const size_t __idx __unused = __len - 1; 244 int sock[2] = { -1, -1 }; 245 socklen_t socklen; 246 __stack.__buf = malloc(__bufsz); 247 new_socket(sock); 248 socklen = __len; 249 250 getpeername(sock[0], __stack.__buf, &socklen); 251 #undef BUF 252 253 } 254 255 ATF_TC_WITHOUT_HEAD(getpeername_heap_after_end); 256 ATF_TC_BODY(getpeername_heap_after_end, tc) 257 { 258 #define BUF __stack.__buf 259 struct { 260 uint8_t padding_l; 261 struct sockaddr * __buf; 262 uint8_t padding_r; 263 } __stack; 264 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 265 const size_t __len = sizeof(struct sockaddr) + 1; 266 const size_t __idx __unused = __len - 1; 267 pid_t __child; 268 int __status; 269 int sock[2] = { -1, -1 }; 270 socklen_t socklen; 271 __child = fork(); 272 ATF_REQUIRE(__child >= 0); 273 if (__child > 0) 274 goto monitor; 275 276 /* Child */ 277 disable_coredumps(); 278 __stack.__buf = malloc(__bufsz); 279 new_socket(sock); 280 socklen = __len; 281 282 getpeername(sock[0], __stack.__buf, &socklen); 283 _exit(EX_SOFTWARE); /* Should have aborted. */ 284 285 monitor: 286 while (waitpid(__child, &__status, 0) != __child) { 287 ATF_REQUIRE_EQ(EINTR, errno); 288 } 289 290 if (!WIFSIGNALED(__status)) { 291 switch (WEXITSTATUS(__status)) { 292 case EX_SOFTWARE: 293 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 294 break; 295 case EX_OSERR: 296 atf_tc_fail("setrlimit(2) failed"); 297 break; 298 default: 299 atf_tc_fail("child exited with status %d", 300 WEXITSTATUS(__status)); 301 } 302 } else { 303 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 304 } 305 #undef BUF 306 307 } 308 309 ATF_TC_WITHOUT_HEAD(getsockname_before_end); 310 ATF_TC_BODY(getsockname_before_end, tc) 311 { 312 #define BUF &__stack.__buf 313 struct { 314 uint8_t padding_l; 315 struct sockaddr __buf; 316 uint8_t padding_r; 317 } __stack; 318 const size_t __bufsz __unused = sizeof(__stack.__buf); 319 const size_t __len = sizeof(struct sockaddr) - 1; 320 const size_t __idx __unused = __len - 1; 321 int sock[2] = { -1, -1 }; 322 socklen_t socklen; 323 new_socket(sock); 324 socklen = __len; 325 326 getsockname(sock[0], &__stack.__buf, &socklen); 327 #undef BUF 328 329 } 330 331 ATF_TC_WITHOUT_HEAD(getsockname_end); 332 ATF_TC_BODY(getsockname_end, tc) 333 { 334 #define BUF &__stack.__buf 335 struct { 336 uint8_t padding_l; 337 struct sockaddr __buf; 338 uint8_t padding_r; 339 } __stack; 340 const size_t __bufsz __unused = sizeof(__stack.__buf); 341 const size_t __len = sizeof(struct sockaddr); 342 const size_t __idx __unused = __len - 1; 343 int sock[2] = { -1, -1 }; 344 socklen_t socklen; 345 new_socket(sock); 346 socklen = __len; 347 348 getsockname(sock[0], &__stack.__buf, &socklen); 349 #undef BUF 350 351 } 352 353 ATF_TC_WITHOUT_HEAD(getsockname_heap_before_end); 354 ATF_TC_BODY(getsockname_heap_before_end, tc) 355 { 356 #define BUF __stack.__buf 357 struct { 358 uint8_t padding_l; 359 struct sockaddr * __buf; 360 uint8_t padding_r; 361 } __stack; 362 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 363 const size_t __len = sizeof(struct sockaddr) - 1; 364 const size_t __idx __unused = __len - 1; 365 int sock[2] = { -1, -1 }; 366 socklen_t socklen; 367 __stack.__buf = malloc(__bufsz); 368 new_socket(sock); 369 socklen = __len; 370 371 getsockname(sock[0], __stack.__buf, &socklen); 372 #undef BUF 373 374 } 375 376 ATF_TC_WITHOUT_HEAD(getsockname_heap_end); 377 ATF_TC_BODY(getsockname_heap_end, tc) 378 { 379 #define BUF __stack.__buf 380 struct { 381 uint8_t padding_l; 382 struct sockaddr * __buf; 383 uint8_t padding_r; 384 } __stack; 385 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 386 const size_t __len = sizeof(struct sockaddr); 387 const size_t __idx __unused = __len - 1; 388 int sock[2] = { -1, -1 }; 389 socklen_t socklen; 390 __stack.__buf = malloc(__bufsz); 391 new_socket(sock); 392 socklen = __len; 393 394 getsockname(sock[0], __stack.__buf, &socklen); 395 #undef BUF 396 397 } 398 399 ATF_TC_WITHOUT_HEAD(getsockname_heap_after_end); 400 ATF_TC_BODY(getsockname_heap_after_end, tc) 401 { 402 #define BUF __stack.__buf 403 struct { 404 uint8_t padding_l; 405 struct sockaddr * __buf; 406 uint8_t padding_r; 407 } __stack; 408 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 409 const size_t __len = sizeof(struct sockaddr) + 1; 410 const size_t __idx __unused = __len - 1; 411 pid_t __child; 412 int __status; 413 int sock[2] = { -1, -1 }; 414 socklen_t socklen; 415 __child = fork(); 416 ATF_REQUIRE(__child >= 0); 417 if (__child > 0) 418 goto monitor; 419 420 /* Child */ 421 disable_coredumps(); 422 __stack.__buf = malloc(__bufsz); 423 new_socket(sock); 424 socklen = __len; 425 426 getsockname(sock[0], __stack.__buf, &socklen); 427 _exit(EX_SOFTWARE); /* Should have aborted. */ 428 429 monitor: 430 while (waitpid(__child, &__status, 0) != __child) { 431 ATF_REQUIRE_EQ(EINTR, errno); 432 } 433 434 if (!WIFSIGNALED(__status)) { 435 switch (WEXITSTATUS(__status)) { 436 case EX_SOFTWARE: 437 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 438 break; 439 case EX_OSERR: 440 atf_tc_fail("setrlimit(2) failed"); 441 break; 442 default: 443 atf_tc_fail("child exited with status %d", 444 WEXITSTATUS(__status)); 445 } 446 } else { 447 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 448 } 449 #undef BUF 450 451 } 452 453 ATF_TC_WITHOUT_HEAD(recv_before_end); 454 ATF_TC_BODY(recv_before_end, tc) 455 { 456 #define BUF &__stack.__buf 457 struct { 458 uint8_t padding_l; 459 unsigned char __buf[42]; 460 uint8_t padding_r; 461 } __stack; 462 const size_t __bufsz __unused = sizeof(__stack.__buf); 463 const size_t __len = 42 - 1; 464 const size_t __idx __unused = __len - 1; 465 int sock[2] = { -1, -1 }; 466 467 new_socket(sock); 468 469 recv(sock[0], __stack.__buf, __len, 0); 470 #undef BUF 471 472 } 473 474 ATF_TC_WITHOUT_HEAD(recv_end); 475 ATF_TC_BODY(recv_end, tc) 476 { 477 #define BUF &__stack.__buf 478 struct { 479 uint8_t padding_l; 480 unsigned char __buf[42]; 481 uint8_t padding_r; 482 } __stack; 483 const size_t __bufsz __unused = sizeof(__stack.__buf); 484 const size_t __len = 42; 485 const size_t __idx __unused = __len - 1; 486 int sock[2] = { -1, -1 }; 487 488 new_socket(sock); 489 490 recv(sock[0], __stack.__buf, __len, 0); 491 #undef BUF 492 493 } 494 495 ATF_TC_WITHOUT_HEAD(recv_heap_before_end); 496 ATF_TC_BODY(recv_heap_before_end, tc) 497 { 498 #define BUF __stack.__buf 499 struct { 500 uint8_t padding_l; 501 unsigned char * __buf; 502 uint8_t padding_r; 503 } __stack; 504 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 505 const size_t __len = 42 - 1; 506 const size_t __idx __unused = __len - 1; 507 int sock[2] = { -1, -1 }; 508 509 __stack.__buf = malloc(__bufsz); 510 new_socket(sock); 511 512 recv(sock[0], __stack.__buf, __len, 0); 513 #undef BUF 514 515 } 516 517 ATF_TC_WITHOUT_HEAD(recv_heap_end); 518 ATF_TC_BODY(recv_heap_end, tc) 519 { 520 #define BUF __stack.__buf 521 struct { 522 uint8_t padding_l; 523 unsigned char * __buf; 524 uint8_t padding_r; 525 } __stack; 526 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 527 const size_t __len = 42; 528 const size_t __idx __unused = __len - 1; 529 int sock[2] = { -1, -1 }; 530 531 __stack.__buf = malloc(__bufsz); 532 new_socket(sock); 533 534 recv(sock[0], __stack.__buf, __len, 0); 535 #undef BUF 536 537 } 538 539 ATF_TC_WITHOUT_HEAD(recv_heap_after_end); 540 ATF_TC_BODY(recv_heap_after_end, tc) 541 { 542 #define BUF __stack.__buf 543 struct { 544 uint8_t padding_l; 545 unsigned char * __buf; 546 uint8_t padding_r; 547 } __stack; 548 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 549 const size_t __len = 42 + 1; 550 const size_t __idx __unused = __len - 1; 551 pid_t __child; 552 int __status; 553 int sock[2] = { -1, -1 }; 554 555 __child = fork(); 556 ATF_REQUIRE(__child >= 0); 557 if (__child > 0) 558 goto monitor; 559 560 /* Child */ 561 disable_coredumps(); 562 __stack.__buf = malloc(__bufsz); 563 new_socket(sock); 564 565 recv(sock[0], __stack.__buf, __len, 0); 566 _exit(EX_SOFTWARE); /* Should have aborted. */ 567 568 monitor: 569 while (waitpid(__child, &__status, 0) != __child) { 570 ATF_REQUIRE_EQ(EINTR, errno); 571 } 572 573 if (!WIFSIGNALED(__status)) { 574 switch (WEXITSTATUS(__status)) { 575 case EX_SOFTWARE: 576 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 577 break; 578 case EX_OSERR: 579 atf_tc_fail("setrlimit(2) failed"); 580 break; 581 default: 582 atf_tc_fail("child exited with status %d", 583 WEXITSTATUS(__status)); 584 } 585 } else { 586 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 587 } 588 #undef BUF 589 590 } 591 592 ATF_TC_WITHOUT_HEAD(recvfrom_before_end); 593 ATF_TC_BODY(recvfrom_before_end, tc) 594 { 595 #define BUF &__stack.__buf 596 struct { 597 uint8_t padding_l; 598 unsigned char __buf[42]; 599 uint8_t padding_r; 600 } __stack; 601 const size_t __bufsz __unused = sizeof(__stack.__buf); 602 const size_t __len = 42 - 1; 603 const size_t __idx __unused = __len - 1; 604 int sock[2] = { -1, -1 }; 605 606 new_socket(sock); 607 608 recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL); 609 #undef BUF 610 611 } 612 613 ATF_TC_WITHOUT_HEAD(recvfrom_end); 614 ATF_TC_BODY(recvfrom_end, tc) 615 { 616 #define BUF &__stack.__buf 617 struct { 618 uint8_t padding_l; 619 unsigned char __buf[42]; 620 uint8_t padding_r; 621 } __stack; 622 const size_t __bufsz __unused = sizeof(__stack.__buf); 623 const size_t __len = 42; 624 const size_t __idx __unused = __len - 1; 625 int sock[2] = { -1, -1 }; 626 627 new_socket(sock); 628 629 recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL); 630 #undef BUF 631 632 } 633 634 ATF_TC_WITHOUT_HEAD(recvfrom_heap_before_end); 635 ATF_TC_BODY(recvfrom_heap_before_end, tc) 636 { 637 #define BUF __stack.__buf 638 struct { 639 uint8_t padding_l; 640 unsigned char * __buf; 641 uint8_t padding_r; 642 } __stack; 643 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 644 const size_t __len = 42 - 1; 645 const size_t __idx __unused = __len - 1; 646 int sock[2] = { -1, -1 }; 647 648 __stack.__buf = malloc(__bufsz); 649 new_socket(sock); 650 651 recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL); 652 #undef BUF 653 654 } 655 656 ATF_TC_WITHOUT_HEAD(recvfrom_heap_end); 657 ATF_TC_BODY(recvfrom_heap_end, tc) 658 { 659 #define BUF __stack.__buf 660 struct { 661 uint8_t padding_l; 662 unsigned char * __buf; 663 uint8_t padding_r; 664 } __stack; 665 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 666 const size_t __len = 42; 667 const size_t __idx __unused = __len - 1; 668 int sock[2] = { -1, -1 }; 669 670 __stack.__buf = malloc(__bufsz); 671 new_socket(sock); 672 673 recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL); 674 #undef BUF 675 676 } 677 678 ATF_TC_WITHOUT_HEAD(recvfrom_heap_after_end); 679 ATF_TC_BODY(recvfrom_heap_after_end, tc) 680 { 681 #define BUF __stack.__buf 682 struct { 683 uint8_t padding_l; 684 unsigned char * __buf; 685 uint8_t padding_r; 686 } __stack; 687 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 688 const size_t __len = 42 + 1; 689 const size_t __idx __unused = __len - 1; 690 pid_t __child; 691 int __status; 692 int sock[2] = { -1, -1 }; 693 694 __child = fork(); 695 ATF_REQUIRE(__child >= 0); 696 if (__child > 0) 697 goto monitor; 698 699 /* Child */ 700 disable_coredumps(); 701 __stack.__buf = malloc(__bufsz); 702 new_socket(sock); 703 704 recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL); 705 _exit(EX_SOFTWARE); /* Should have aborted. */ 706 707 monitor: 708 while (waitpid(__child, &__status, 0) != __child) { 709 ATF_REQUIRE_EQ(EINTR, errno); 710 } 711 712 if (!WIFSIGNALED(__status)) { 713 switch (WEXITSTATUS(__status)) { 714 case EX_SOFTWARE: 715 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 716 break; 717 case EX_OSERR: 718 atf_tc_fail("setrlimit(2) failed"); 719 break; 720 default: 721 atf_tc_fail("child exited with status %d", 722 WEXITSTATUS(__status)); 723 } 724 } else { 725 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 726 } 727 #undef BUF 728 729 } 730 731 ATF_TC_WITHOUT_HEAD(recvfrom_sockaddr_before_end); 732 ATF_TC_BODY(recvfrom_sockaddr_before_end, tc) 733 { 734 #define BUF &__stack.__buf 735 struct { 736 uint8_t padding_l; 737 struct sockaddr __buf; 738 uint8_t padding_r; 739 } __stack; 740 const size_t __bufsz __unused = sizeof(__stack.__buf); 741 const size_t __len = sizeof(struct sockaddr) - 1; 742 const size_t __idx __unused = __len - 1; 743 int sock[2] = { -1, -1 }; 744 char data[16]; 745 socklen_t socklen; 746 747 new_socket(sock); 748 socklen = __len; 749 750 recvfrom(sock[0], data, sizeof(data), 0, &__stack.__buf, &socklen); 751 #undef BUF 752 753 } 754 755 ATF_TC_WITHOUT_HEAD(recvfrom_sockaddr_end); 756 ATF_TC_BODY(recvfrom_sockaddr_end, tc) 757 { 758 #define BUF &__stack.__buf 759 struct { 760 uint8_t padding_l; 761 struct sockaddr __buf; 762 uint8_t padding_r; 763 } __stack; 764 const size_t __bufsz __unused = sizeof(__stack.__buf); 765 const size_t __len = sizeof(struct sockaddr); 766 const size_t __idx __unused = __len - 1; 767 int sock[2] = { -1, -1 }; 768 char data[16]; 769 socklen_t socklen; 770 771 new_socket(sock); 772 socklen = __len; 773 774 recvfrom(sock[0], data, sizeof(data), 0, &__stack.__buf, &socklen); 775 #undef BUF 776 777 } 778 779 ATF_TC_WITHOUT_HEAD(recvfrom_sockaddr_heap_before_end); 780 ATF_TC_BODY(recvfrom_sockaddr_heap_before_end, tc) 781 { 782 #define BUF __stack.__buf 783 struct { 784 uint8_t padding_l; 785 struct sockaddr * __buf; 786 uint8_t padding_r; 787 } __stack; 788 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 789 const size_t __len = sizeof(struct sockaddr) - 1; 790 const size_t __idx __unused = __len - 1; 791 int sock[2] = { -1, -1 }; 792 char data[16]; 793 socklen_t socklen; 794 795 __stack.__buf = malloc(__bufsz); 796 new_socket(sock); 797 socklen = __len; 798 799 recvfrom(sock[0], data, sizeof(data), 0, __stack.__buf, &socklen); 800 #undef BUF 801 802 } 803 804 ATF_TC_WITHOUT_HEAD(recvfrom_sockaddr_heap_end); 805 ATF_TC_BODY(recvfrom_sockaddr_heap_end, tc) 806 { 807 #define BUF __stack.__buf 808 struct { 809 uint8_t padding_l; 810 struct sockaddr * __buf; 811 uint8_t padding_r; 812 } __stack; 813 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 814 const size_t __len = sizeof(struct sockaddr); 815 const size_t __idx __unused = __len - 1; 816 int sock[2] = { -1, -1 }; 817 char data[16]; 818 socklen_t socklen; 819 820 __stack.__buf = malloc(__bufsz); 821 new_socket(sock); 822 socklen = __len; 823 824 recvfrom(sock[0], data, sizeof(data), 0, __stack.__buf, &socklen); 825 #undef BUF 826 827 } 828 829 ATF_TC_WITHOUT_HEAD(recvfrom_sockaddr_heap_after_end); 830 ATF_TC_BODY(recvfrom_sockaddr_heap_after_end, tc) 831 { 832 #define BUF __stack.__buf 833 struct { 834 uint8_t padding_l; 835 struct sockaddr * __buf; 836 uint8_t padding_r; 837 } __stack; 838 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 839 const size_t __len = sizeof(struct sockaddr) + 1; 840 const size_t __idx __unused = __len - 1; 841 pid_t __child; 842 int __status; 843 int sock[2] = { -1, -1 }; 844 char data[16]; 845 socklen_t socklen; 846 847 __child = fork(); 848 ATF_REQUIRE(__child >= 0); 849 if (__child > 0) 850 goto monitor; 851 852 /* Child */ 853 disable_coredumps(); 854 __stack.__buf = malloc(__bufsz); 855 new_socket(sock); 856 socklen = __len; 857 858 recvfrom(sock[0], data, sizeof(data), 0, __stack.__buf, &socklen); 859 _exit(EX_SOFTWARE); /* Should have aborted. */ 860 861 monitor: 862 while (waitpid(__child, &__status, 0) != __child) { 863 ATF_REQUIRE_EQ(EINTR, errno); 864 } 865 866 if (!WIFSIGNALED(__status)) { 867 switch (WEXITSTATUS(__status)) { 868 case EX_SOFTWARE: 869 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 870 break; 871 case EX_OSERR: 872 atf_tc_fail("setrlimit(2) failed"); 873 break; 874 default: 875 atf_tc_fail("child exited with status %d", 876 WEXITSTATUS(__status)); 877 } 878 } else { 879 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 880 } 881 #undef BUF 882 883 } 884 885 ATF_TC_WITHOUT_HEAD(recvmsg_msg_name_before_end); 886 ATF_TC_BODY(recvmsg_msg_name_before_end, tc) 887 { 888 #define BUF &__stack.__buf 889 struct { 890 uint8_t padding_l; 891 struct sockaddr __buf; 892 uint8_t padding_r; 893 } __stack; 894 const size_t __bufsz __unused = sizeof(__stack.__buf); 895 const size_t __len = sizeof(struct sockaddr) - 1; 896 const size_t __idx __unused = __len - 1; 897 int sock[2] = { -1, -1 }; 898 struct msghdr msg; 899 900 memset(&msg, 0, sizeof(msg)); 901 msg.msg_name = BUF; 902 msg.msg_namelen = __len; 903 904 recvmsg(sock[0], &msg, 0); 905 #undef BUF 906 907 } 908 909 ATF_TC_WITHOUT_HEAD(recvmsg_msg_name_end); 910 ATF_TC_BODY(recvmsg_msg_name_end, tc) 911 { 912 #define BUF &__stack.__buf 913 struct { 914 uint8_t padding_l; 915 struct sockaddr __buf; 916 uint8_t padding_r; 917 } __stack; 918 const size_t __bufsz __unused = sizeof(__stack.__buf); 919 const size_t __len = sizeof(struct sockaddr); 920 const size_t __idx __unused = __len - 1; 921 int sock[2] = { -1, -1 }; 922 struct msghdr msg; 923 924 memset(&msg, 0, sizeof(msg)); 925 msg.msg_name = BUF; 926 msg.msg_namelen = __len; 927 928 recvmsg(sock[0], &msg, 0); 929 #undef BUF 930 931 } 932 933 ATF_TC_WITHOUT_HEAD(recvmsg_msg_name_heap_before_end); 934 ATF_TC_BODY(recvmsg_msg_name_heap_before_end, tc) 935 { 936 #define BUF __stack.__buf 937 struct { 938 uint8_t padding_l; 939 struct sockaddr * __buf; 940 uint8_t padding_r; 941 } __stack; 942 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 943 const size_t __len = sizeof(struct sockaddr) - 1; 944 const size_t __idx __unused = __len - 1; 945 int sock[2] = { -1, -1 }; 946 struct msghdr msg; 947 948 __stack.__buf = malloc(__bufsz); 949 memset(&msg, 0, sizeof(msg)); 950 msg.msg_name = BUF; 951 msg.msg_namelen = __len; 952 953 recvmsg(sock[0], &msg, 0); 954 #undef BUF 955 956 } 957 958 ATF_TC_WITHOUT_HEAD(recvmsg_msg_name_heap_end); 959 ATF_TC_BODY(recvmsg_msg_name_heap_end, tc) 960 { 961 #define BUF __stack.__buf 962 struct { 963 uint8_t padding_l; 964 struct sockaddr * __buf; 965 uint8_t padding_r; 966 } __stack; 967 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 968 const size_t __len = sizeof(struct sockaddr); 969 const size_t __idx __unused = __len - 1; 970 int sock[2] = { -1, -1 }; 971 struct msghdr msg; 972 973 __stack.__buf = malloc(__bufsz); 974 memset(&msg, 0, sizeof(msg)); 975 msg.msg_name = BUF; 976 msg.msg_namelen = __len; 977 978 recvmsg(sock[0], &msg, 0); 979 #undef BUF 980 981 } 982 983 ATF_TC_WITHOUT_HEAD(recvmsg_msg_name_heap_after_end); 984 ATF_TC_BODY(recvmsg_msg_name_heap_after_end, tc) 985 { 986 #define BUF __stack.__buf 987 struct { 988 uint8_t padding_l; 989 struct sockaddr * __buf; 990 uint8_t padding_r; 991 } __stack; 992 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 993 const size_t __len = sizeof(struct sockaddr) + 1; 994 const size_t __idx __unused = __len - 1; 995 pid_t __child; 996 int __status; 997 int sock[2] = { -1, -1 }; 998 struct msghdr msg; 999 1000 __child = fork(); 1001 ATF_REQUIRE(__child >= 0); 1002 if (__child > 0) 1003 goto monitor; 1004 1005 /* Child */ 1006 disable_coredumps(); 1007 __stack.__buf = malloc(__bufsz); 1008 memset(&msg, 0, sizeof(msg)); 1009 msg.msg_name = BUF; 1010 msg.msg_namelen = __len; 1011 1012 recvmsg(sock[0], &msg, 0); 1013 _exit(EX_SOFTWARE); /* Should have aborted. */ 1014 1015 monitor: 1016 while (waitpid(__child, &__status, 0) != __child) { 1017 ATF_REQUIRE_EQ(EINTR, errno); 1018 } 1019 1020 if (!WIFSIGNALED(__status)) { 1021 switch (WEXITSTATUS(__status)) { 1022 case EX_SOFTWARE: 1023 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1024 break; 1025 case EX_OSERR: 1026 atf_tc_fail("setrlimit(2) failed"); 1027 break; 1028 default: 1029 atf_tc_fail("child exited with status %d", 1030 WEXITSTATUS(__status)); 1031 } 1032 } else { 1033 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1034 } 1035 #undef BUF 1036 1037 } 1038 1039 ATF_TC_WITHOUT_HEAD(recvmsg_msg_iov_before_end); 1040 ATF_TC_BODY(recvmsg_msg_iov_before_end, tc) 1041 { 1042 #define BUF &__stack.__buf 1043 struct { 1044 uint8_t padding_l; 1045 unsigned char __buf[42]; 1046 uint8_t padding_r; 1047 } __stack; 1048 const size_t __bufsz __unused = sizeof(__stack.__buf); 1049 const size_t __len = 42 - 1; 1050 const size_t __idx __unused = __len - 1; 1051 int sock[2] = { -1, -1 }; 1052 struct msghdr msg; 1053 struct iovec iov[2]; 1054 1055 memset(&msg, 0, sizeof(msg)); 1056 memset(&iov[0], 0, sizeof(iov)); 1057 1058 /* 1059 * We position the buffer second just so that we can confirm that the 1060 * fortification bits are traversing the iovec correctly. 1061 */ 1062 iov[1].iov_base = BUF; 1063 iov[1].iov_len = __len; 1064 1065 msg.msg_iov = &iov[0]; 1066 msg.msg_iovlen = nitems(iov); 1067 1068 recvmsg(sock[0], &msg, 0); 1069 #undef BUF 1070 1071 } 1072 1073 ATF_TC_WITHOUT_HEAD(recvmsg_msg_iov_end); 1074 ATF_TC_BODY(recvmsg_msg_iov_end, tc) 1075 { 1076 #define BUF &__stack.__buf 1077 struct { 1078 uint8_t padding_l; 1079 unsigned char __buf[42]; 1080 uint8_t padding_r; 1081 } __stack; 1082 const size_t __bufsz __unused = sizeof(__stack.__buf); 1083 const size_t __len = 42; 1084 const size_t __idx __unused = __len - 1; 1085 int sock[2] = { -1, -1 }; 1086 struct msghdr msg; 1087 struct iovec iov[2]; 1088 1089 memset(&msg, 0, sizeof(msg)); 1090 memset(&iov[0], 0, sizeof(iov)); 1091 1092 /* 1093 * We position the buffer second just so that we can confirm that the 1094 * fortification bits are traversing the iovec correctly. 1095 */ 1096 iov[1].iov_base = BUF; 1097 iov[1].iov_len = __len; 1098 1099 msg.msg_iov = &iov[0]; 1100 msg.msg_iovlen = nitems(iov); 1101 1102 recvmsg(sock[0], &msg, 0); 1103 #undef BUF 1104 1105 } 1106 1107 ATF_TC_WITHOUT_HEAD(recvmsg_msg_iov_heap_before_end); 1108 ATF_TC_BODY(recvmsg_msg_iov_heap_before_end, tc) 1109 { 1110 #define BUF __stack.__buf 1111 struct { 1112 uint8_t padding_l; 1113 unsigned char * __buf; 1114 uint8_t padding_r; 1115 } __stack; 1116 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1117 const size_t __len = 42 - 1; 1118 const size_t __idx __unused = __len - 1; 1119 int sock[2] = { -1, -1 }; 1120 struct msghdr msg; 1121 struct iovec iov[2]; 1122 1123 __stack.__buf = malloc(__bufsz); 1124 memset(&msg, 0, sizeof(msg)); 1125 memset(&iov[0], 0, sizeof(iov)); 1126 1127 /* 1128 * We position the buffer second just so that we can confirm that the 1129 * fortification bits are traversing the iovec correctly. 1130 */ 1131 iov[1].iov_base = BUF; 1132 iov[1].iov_len = __len; 1133 1134 msg.msg_iov = &iov[0]; 1135 msg.msg_iovlen = nitems(iov); 1136 1137 recvmsg(sock[0], &msg, 0); 1138 #undef BUF 1139 1140 } 1141 1142 ATF_TC_WITHOUT_HEAD(recvmsg_msg_iov_heap_end); 1143 ATF_TC_BODY(recvmsg_msg_iov_heap_end, tc) 1144 { 1145 #define BUF __stack.__buf 1146 struct { 1147 uint8_t padding_l; 1148 unsigned char * __buf; 1149 uint8_t padding_r; 1150 } __stack; 1151 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1152 const size_t __len = 42; 1153 const size_t __idx __unused = __len - 1; 1154 int sock[2] = { -1, -1 }; 1155 struct msghdr msg; 1156 struct iovec iov[2]; 1157 1158 __stack.__buf = malloc(__bufsz); 1159 memset(&msg, 0, sizeof(msg)); 1160 memset(&iov[0], 0, sizeof(iov)); 1161 1162 /* 1163 * We position the buffer second just so that we can confirm that the 1164 * fortification bits are traversing the iovec correctly. 1165 */ 1166 iov[1].iov_base = BUF; 1167 iov[1].iov_len = __len; 1168 1169 msg.msg_iov = &iov[0]; 1170 msg.msg_iovlen = nitems(iov); 1171 1172 recvmsg(sock[0], &msg, 0); 1173 #undef BUF 1174 1175 } 1176 1177 ATF_TC_WITHOUT_HEAD(recvmsg_msg_iov_heap_after_end); 1178 ATF_TC_BODY(recvmsg_msg_iov_heap_after_end, tc) 1179 { 1180 #define BUF __stack.__buf 1181 struct { 1182 uint8_t padding_l; 1183 unsigned char * __buf; 1184 uint8_t padding_r; 1185 } __stack; 1186 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1187 const size_t __len = 42 + 1; 1188 const size_t __idx __unused = __len - 1; 1189 pid_t __child; 1190 int __status; 1191 int sock[2] = { -1, -1 }; 1192 struct msghdr msg; 1193 struct iovec iov[2]; 1194 1195 __child = fork(); 1196 ATF_REQUIRE(__child >= 0); 1197 if (__child > 0) 1198 goto monitor; 1199 1200 /* Child */ 1201 disable_coredumps(); 1202 __stack.__buf = malloc(__bufsz); 1203 memset(&msg, 0, sizeof(msg)); 1204 memset(&iov[0], 0, sizeof(iov)); 1205 1206 /* 1207 * We position the buffer second just so that we can confirm that the 1208 * fortification bits are traversing the iovec correctly. 1209 */ 1210 iov[1].iov_base = BUF; 1211 iov[1].iov_len = __len; 1212 1213 msg.msg_iov = &iov[0]; 1214 msg.msg_iovlen = nitems(iov); 1215 1216 recvmsg(sock[0], &msg, 0); 1217 _exit(EX_SOFTWARE); /* Should have aborted. */ 1218 1219 monitor: 1220 while (waitpid(__child, &__status, 0) != __child) { 1221 ATF_REQUIRE_EQ(EINTR, errno); 1222 } 1223 1224 if (!WIFSIGNALED(__status)) { 1225 switch (WEXITSTATUS(__status)) { 1226 case EX_SOFTWARE: 1227 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1228 break; 1229 case EX_OSERR: 1230 atf_tc_fail("setrlimit(2) failed"); 1231 break; 1232 default: 1233 atf_tc_fail("child exited with status %d", 1234 WEXITSTATUS(__status)); 1235 } 1236 } else { 1237 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1238 } 1239 #undef BUF 1240 1241 } 1242 1243 ATF_TC_WITHOUT_HEAD(recvmsg_msg_control_before_end); 1244 ATF_TC_BODY(recvmsg_msg_control_before_end, tc) 1245 { 1246 #define BUF &__stack.__buf 1247 struct { 1248 uint8_t padding_l; 1249 unsigned char __buf[CMSG_SPACE(sizeof(int))]; 1250 uint8_t padding_r; 1251 } __stack; 1252 const size_t __bufsz __unused = sizeof(__stack.__buf); 1253 const size_t __len = CMSG_SPACE(sizeof(int)) - 1; 1254 const size_t __idx __unused = __len - 1; 1255 int sock[2] = { -1, -1 }; 1256 struct msghdr msg; 1257 1258 memset(&msg, 0, sizeof(msg)); 1259 1260 msg.msg_control = BUF; 1261 msg.msg_controllen = __len; 1262 1263 recvmsg(sock[0], &msg, 0); 1264 #undef BUF 1265 1266 } 1267 1268 ATF_TC_WITHOUT_HEAD(recvmsg_msg_control_end); 1269 ATF_TC_BODY(recvmsg_msg_control_end, tc) 1270 { 1271 #define BUF &__stack.__buf 1272 struct { 1273 uint8_t padding_l; 1274 unsigned char __buf[CMSG_SPACE(sizeof(int))]; 1275 uint8_t padding_r; 1276 } __stack; 1277 const size_t __bufsz __unused = sizeof(__stack.__buf); 1278 const size_t __len = CMSG_SPACE(sizeof(int)); 1279 const size_t __idx __unused = __len - 1; 1280 int sock[2] = { -1, -1 }; 1281 struct msghdr msg; 1282 1283 memset(&msg, 0, sizeof(msg)); 1284 1285 msg.msg_control = BUF; 1286 msg.msg_controllen = __len; 1287 1288 recvmsg(sock[0], &msg, 0); 1289 #undef BUF 1290 1291 } 1292 1293 ATF_TC_WITHOUT_HEAD(recvmsg_msg_control_heap_before_end); 1294 ATF_TC_BODY(recvmsg_msg_control_heap_before_end, tc) 1295 { 1296 #define BUF __stack.__buf 1297 struct { 1298 uint8_t padding_l; 1299 unsigned char * __buf; 1300 uint8_t padding_r; 1301 } __stack; 1302 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (CMSG_SPACE(sizeof(int))); 1303 const size_t __len = CMSG_SPACE(sizeof(int)) - 1; 1304 const size_t __idx __unused = __len - 1; 1305 int sock[2] = { -1, -1 }; 1306 struct msghdr msg; 1307 1308 __stack.__buf = malloc(__bufsz); 1309 memset(&msg, 0, sizeof(msg)); 1310 1311 msg.msg_control = BUF; 1312 msg.msg_controllen = __len; 1313 1314 recvmsg(sock[0], &msg, 0); 1315 #undef BUF 1316 1317 } 1318 1319 ATF_TC_WITHOUT_HEAD(recvmsg_msg_control_heap_end); 1320 ATF_TC_BODY(recvmsg_msg_control_heap_end, tc) 1321 { 1322 #define BUF __stack.__buf 1323 struct { 1324 uint8_t padding_l; 1325 unsigned char * __buf; 1326 uint8_t padding_r; 1327 } __stack; 1328 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (CMSG_SPACE(sizeof(int))); 1329 const size_t __len = CMSG_SPACE(sizeof(int)); 1330 const size_t __idx __unused = __len - 1; 1331 int sock[2] = { -1, -1 }; 1332 struct msghdr msg; 1333 1334 __stack.__buf = malloc(__bufsz); 1335 memset(&msg, 0, sizeof(msg)); 1336 1337 msg.msg_control = BUF; 1338 msg.msg_controllen = __len; 1339 1340 recvmsg(sock[0], &msg, 0); 1341 #undef BUF 1342 1343 } 1344 1345 ATF_TC_WITHOUT_HEAD(recvmsg_msg_control_heap_after_end); 1346 ATF_TC_BODY(recvmsg_msg_control_heap_after_end, tc) 1347 { 1348 #define BUF __stack.__buf 1349 struct { 1350 uint8_t padding_l; 1351 unsigned char * __buf; 1352 uint8_t padding_r; 1353 } __stack; 1354 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (CMSG_SPACE(sizeof(int))); 1355 const size_t __len = CMSG_SPACE(sizeof(int)) + 1; 1356 const size_t __idx __unused = __len - 1; 1357 pid_t __child; 1358 int __status; 1359 int sock[2] = { -1, -1 }; 1360 struct msghdr msg; 1361 1362 __child = fork(); 1363 ATF_REQUIRE(__child >= 0); 1364 if (__child > 0) 1365 goto monitor; 1366 1367 /* Child */ 1368 disable_coredumps(); 1369 __stack.__buf = malloc(__bufsz); 1370 memset(&msg, 0, sizeof(msg)); 1371 1372 msg.msg_control = BUF; 1373 msg.msg_controllen = __len; 1374 1375 recvmsg(sock[0], &msg, 0); 1376 _exit(EX_SOFTWARE); /* Should have aborted. */ 1377 1378 monitor: 1379 while (waitpid(__child, &__status, 0) != __child) { 1380 ATF_REQUIRE_EQ(EINTR, errno); 1381 } 1382 1383 if (!WIFSIGNALED(__status)) { 1384 switch (WEXITSTATUS(__status)) { 1385 case EX_SOFTWARE: 1386 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1387 break; 1388 case EX_OSERR: 1389 atf_tc_fail("setrlimit(2) failed"); 1390 break; 1391 default: 1392 atf_tc_fail("child exited with status %d", 1393 WEXITSTATUS(__status)); 1394 } 1395 } else { 1396 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1397 } 1398 #undef BUF 1399 1400 } 1401 1402 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_before_end); 1403 ATF_TC_BODY(recvmmsg_msgvec_before_end, tc) 1404 { 1405 #define BUF &__stack.__buf 1406 struct { 1407 uint8_t padding_l; 1408 struct mmsghdr __buf[2]; 1409 uint8_t padding_r; 1410 } __stack; 1411 const size_t __bufsz __unused = sizeof(__stack.__buf); 1412 const size_t __len = 2 - 1; 1413 const size_t __idx __unused = __len - 1; 1414 int sock[2] = { -1, -1 }; 1415 1416 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL); 1417 #undef BUF 1418 1419 } 1420 1421 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_end); 1422 ATF_TC_BODY(recvmmsg_msgvec_end, tc) 1423 { 1424 #define BUF &__stack.__buf 1425 struct { 1426 uint8_t padding_l; 1427 struct mmsghdr __buf[2]; 1428 uint8_t padding_r; 1429 } __stack; 1430 const size_t __bufsz __unused = sizeof(__stack.__buf); 1431 const size_t __len = 2; 1432 const size_t __idx __unused = __len - 1; 1433 int sock[2] = { -1, -1 }; 1434 1435 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL); 1436 #undef BUF 1437 1438 } 1439 1440 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_after_end); 1441 ATF_TC_BODY(recvmmsg_msgvec_after_end, tc) 1442 { 1443 #define BUF &__stack.__buf 1444 struct { 1445 uint8_t padding_l; 1446 struct mmsghdr __buf[2]; 1447 uint8_t padding_r; 1448 } __stack; 1449 const size_t __bufsz __unused = sizeof(__stack.__buf); 1450 const size_t __len = 2 + 1; 1451 const size_t __idx __unused = __len - 1; 1452 pid_t __child; 1453 int __status; 1454 int sock[2] = { -1, -1 }; 1455 1456 __child = fork(); 1457 ATF_REQUIRE(__child >= 0); 1458 if (__child > 0) 1459 goto monitor; 1460 1461 /* Child */ 1462 disable_coredumps(); 1463 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL); 1464 _exit(EX_SOFTWARE); /* Should have aborted. */ 1465 1466 monitor: 1467 while (waitpid(__child, &__status, 0) != __child) { 1468 ATF_REQUIRE_EQ(EINTR, errno); 1469 } 1470 1471 if (!WIFSIGNALED(__status)) { 1472 switch (WEXITSTATUS(__status)) { 1473 case EX_SOFTWARE: 1474 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1475 break; 1476 case EX_OSERR: 1477 atf_tc_fail("setrlimit(2) failed"); 1478 break; 1479 default: 1480 atf_tc_fail("child exited with status %d", 1481 WEXITSTATUS(__status)); 1482 } 1483 } else { 1484 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1485 } 1486 #undef BUF 1487 1488 } 1489 1490 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_heap_before_end); 1491 ATF_TC_BODY(recvmmsg_msgvec_heap_before_end, tc) 1492 { 1493 #define BUF __stack.__buf 1494 struct { 1495 uint8_t padding_l; 1496 struct mmsghdr * __buf; 1497 uint8_t padding_r; 1498 } __stack; 1499 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (2); 1500 const size_t __len = 2 - 1; 1501 const size_t __idx __unused = __len - 1; 1502 int sock[2] = { -1, -1 }; 1503 1504 __stack.__buf = malloc(__bufsz); 1505 1506 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL); 1507 #undef BUF 1508 1509 } 1510 1511 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_heap_end); 1512 ATF_TC_BODY(recvmmsg_msgvec_heap_end, tc) 1513 { 1514 #define BUF __stack.__buf 1515 struct { 1516 uint8_t padding_l; 1517 struct mmsghdr * __buf; 1518 uint8_t padding_r; 1519 } __stack; 1520 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (2); 1521 const size_t __len = 2; 1522 const size_t __idx __unused = __len - 1; 1523 int sock[2] = { -1, -1 }; 1524 1525 __stack.__buf = malloc(__bufsz); 1526 1527 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL); 1528 #undef BUF 1529 1530 } 1531 1532 ATF_TC_WITHOUT_HEAD(recvmmsg_msgvec_heap_after_end); 1533 ATF_TC_BODY(recvmmsg_msgvec_heap_after_end, tc) 1534 { 1535 #define BUF __stack.__buf 1536 struct { 1537 uint8_t padding_l; 1538 struct mmsghdr * __buf; 1539 uint8_t padding_r; 1540 } __stack; 1541 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (2); 1542 const size_t __len = 2 + 1; 1543 const size_t __idx __unused = __len - 1; 1544 pid_t __child; 1545 int __status; 1546 int sock[2] = { -1, -1 }; 1547 1548 __child = fork(); 1549 ATF_REQUIRE(__child >= 0); 1550 if (__child > 0) 1551 goto monitor; 1552 1553 /* Child */ 1554 disable_coredumps(); 1555 __stack.__buf = malloc(__bufsz); 1556 1557 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL); 1558 _exit(EX_SOFTWARE); /* Should have aborted. */ 1559 1560 monitor: 1561 while (waitpid(__child, &__status, 0) != __child) { 1562 ATF_REQUIRE_EQ(EINTR, errno); 1563 } 1564 1565 if (!WIFSIGNALED(__status)) { 1566 switch (WEXITSTATUS(__status)) { 1567 case EX_SOFTWARE: 1568 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1569 break; 1570 case EX_OSERR: 1571 atf_tc_fail("setrlimit(2) failed"); 1572 break; 1573 default: 1574 atf_tc_fail("child exited with status %d", 1575 WEXITSTATUS(__status)); 1576 } 1577 } else { 1578 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1579 } 1580 #undef BUF 1581 1582 } 1583 1584 ATF_TC_WITHOUT_HEAD(recvmmsg_msghdr_before_end); 1585 ATF_TC_BODY(recvmmsg_msghdr_before_end, tc) 1586 { 1587 #define BUF &__stack.__buf 1588 struct { 1589 uint8_t padding_l; 1590 unsigned char __buf[42]; 1591 uint8_t padding_r; 1592 } __stack; 1593 const size_t __bufsz __unused = sizeof(__stack.__buf); 1594 const size_t __len = 42 - 1; 1595 const size_t __idx __unused = __len - 1; 1596 int sock[2] = { -1, -1 }; 1597 struct mmsghdr msgvec[2]; 1598 1599 memset(&msgvec[0], 0, sizeof(msgvec)); 1600 1601 /* 1602 * Same as above, make sure fortification isn't ignoring n > 1 elements 1603 * of the msgvec. 1604 */ 1605 msgvec[1].msg_hdr.msg_control = BUF; 1606 msgvec[1].msg_hdr.msg_controllen = __len; 1607 1608 recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL); 1609 #undef BUF 1610 1611 } 1612 1613 ATF_TC_WITHOUT_HEAD(recvmmsg_msghdr_end); 1614 ATF_TC_BODY(recvmmsg_msghdr_end, tc) 1615 { 1616 #define BUF &__stack.__buf 1617 struct { 1618 uint8_t padding_l; 1619 unsigned char __buf[42]; 1620 uint8_t padding_r; 1621 } __stack; 1622 const size_t __bufsz __unused = sizeof(__stack.__buf); 1623 const size_t __len = 42; 1624 const size_t __idx __unused = __len - 1; 1625 int sock[2] = { -1, -1 }; 1626 struct mmsghdr msgvec[2]; 1627 1628 memset(&msgvec[0], 0, sizeof(msgvec)); 1629 1630 /* 1631 * Same as above, make sure fortification isn't ignoring n > 1 elements 1632 * of the msgvec. 1633 */ 1634 msgvec[1].msg_hdr.msg_control = BUF; 1635 msgvec[1].msg_hdr.msg_controllen = __len; 1636 1637 recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL); 1638 #undef BUF 1639 1640 } 1641 1642 ATF_TC_WITHOUT_HEAD(recvmmsg_msghdr_heap_before_end); 1643 ATF_TC_BODY(recvmmsg_msghdr_heap_before_end, tc) 1644 { 1645 #define BUF __stack.__buf 1646 struct { 1647 uint8_t padding_l; 1648 unsigned char * __buf; 1649 uint8_t padding_r; 1650 } __stack; 1651 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1652 const size_t __len = 42 - 1; 1653 const size_t __idx __unused = __len - 1; 1654 int sock[2] = { -1, -1 }; 1655 struct mmsghdr msgvec[2]; 1656 1657 __stack.__buf = malloc(__bufsz); 1658 memset(&msgvec[0], 0, sizeof(msgvec)); 1659 1660 /* 1661 * Same as above, make sure fortification isn't ignoring n > 1 elements 1662 * of the msgvec. 1663 */ 1664 msgvec[1].msg_hdr.msg_control = BUF; 1665 msgvec[1].msg_hdr.msg_controllen = __len; 1666 1667 recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL); 1668 #undef BUF 1669 1670 } 1671 1672 ATF_TC_WITHOUT_HEAD(recvmmsg_msghdr_heap_end); 1673 ATF_TC_BODY(recvmmsg_msghdr_heap_end, tc) 1674 { 1675 #define BUF __stack.__buf 1676 struct { 1677 uint8_t padding_l; 1678 unsigned char * __buf; 1679 uint8_t padding_r; 1680 } __stack; 1681 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1682 const size_t __len = 42; 1683 const size_t __idx __unused = __len - 1; 1684 int sock[2] = { -1, -1 }; 1685 struct mmsghdr msgvec[2]; 1686 1687 __stack.__buf = malloc(__bufsz); 1688 memset(&msgvec[0], 0, sizeof(msgvec)); 1689 1690 /* 1691 * Same as above, make sure fortification isn't ignoring n > 1 elements 1692 * of the msgvec. 1693 */ 1694 msgvec[1].msg_hdr.msg_control = BUF; 1695 msgvec[1].msg_hdr.msg_controllen = __len; 1696 1697 recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL); 1698 #undef BUF 1699 1700 } 1701 1702 ATF_TC_WITHOUT_HEAD(recvmmsg_msghdr_heap_after_end); 1703 ATF_TC_BODY(recvmmsg_msghdr_heap_after_end, tc) 1704 { 1705 #define BUF __stack.__buf 1706 struct { 1707 uint8_t padding_l; 1708 unsigned char * __buf; 1709 uint8_t padding_r; 1710 } __stack; 1711 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1712 const size_t __len = 42 + 1; 1713 const size_t __idx __unused = __len - 1; 1714 pid_t __child; 1715 int __status; 1716 int sock[2] = { -1, -1 }; 1717 struct mmsghdr msgvec[2]; 1718 1719 __child = fork(); 1720 ATF_REQUIRE(__child >= 0); 1721 if (__child > 0) 1722 goto monitor; 1723 1724 /* Child */ 1725 disable_coredumps(); 1726 __stack.__buf = malloc(__bufsz); 1727 memset(&msgvec[0], 0, sizeof(msgvec)); 1728 1729 /* 1730 * Same as above, make sure fortification isn't ignoring n > 1 elements 1731 * of the msgvec. 1732 */ 1733 msgvec[1].msg_hdr.msg_control = BUF; 1734 msgvec[1].msg_hdr.msg_controllen = __len; 1735 1736 recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL); 1737 _exit(EX_SOFTWARE); /* Should have aborted. */ 1738 1739 monitor: 1740 while (waitpid(__child, &__status, 0) != __child) { 1741 ATF_REQUIRE_EQ(EINTR, errno); 1742 } 1743 1744 if (!WIFSIGNALED(__status)) { 1745 switch (WEXITSTATUS(__status)) { 1746 case EX_SOFTWARE: 1747 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1748 break; 1749 case EX_OSERR: 1750 atf_tc_fail("setrlimit(2) failed"); 1751 break; 1752 default: 1753 atf_tc_fail("child exited with status %d", 1754 WEXITSTATUS(__status)); 1755 } 1756 } else { 1757 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1758 } 1759 #undef BUF 1760 1761 } 1762 1763 ATF_TP_ADD_TCS(tp) 1764 { 1765 ATF_TP_ADD_TC(tp, getpeername_before_end); 1766 ATF_TP_ADD_TC(tp, getpeername_end); 1767 ATF_TP_ADD_TC(tp, getpeername_heap_before_end); 1768 ATF_TP_ADD_TC(tp, getpeername_heap_end); 1769 ATF_TP_ADD_TC(tp, getpeername_heap_after_end); 1770 ATF_TP_ADD_TC(tp, getsockname_before_end); 1771 ATF_TP_ADD_TC(tp, getsockname_end); 1772 ATF_TP_ADD_TC(tp, getsockname_heap_before_end); 1773 ATF_TP_ADD_TC(tp, getsockname_heap_end); 1774 ATF_TP_ADD_TC(tp, getsockname_heap_after_end); 1775 ATF_TP_ADD_TC(tp, recv_before_end); 1776 ATF_TP_ADD_TC(tp, recv_end); 1777 ATF_TP_ADD_TC(tp, recv_heap_before_end); 1778 ATF_TP_ADD_TC(tp, recv_heap_end); 1779 ATF_TP_ADD_TC(tp, recv_heap_after_end); 1780 ATF_TP_ADD_TC(tp, recvfrom_before_end); 1781 ATF_TP_ADD_TC(tp, recvfrom_end); 1782 ATF_TP_ADD_TC(tp, recvfrom_heap_before_end); 1783 ATF_TP_ADD_TC(tp, recvfrom_heap_end); 1784 ATF_TP_ADD_TC(tp, recvfrom_heap_after_end); 1785 ATF_TP_ADD_TC(tp, recvfrom_sockaddr_before_end); 1786 ATF_TP_ADD_TC(tp, recvfrom_sockaddr_end); 1787 ATF_TP_ADD_TC(tp, recvfrom_sockaddr_heap_before_end); 1788 ATF_TP_ADD_TC(tp, recvfrom_sockaddr_heap_end); 1789 ATF_TP_ADD_TC(tp, recvfrom_sockaddr_heap_after_end); 1790 ATF_TP_ADD_TC(tp, recvmsg_msg_name_before_end); 1791 ATF_TP_ADD_TC(tp, recvmsg_msg_name_end); 1792 ATF_TP_ADD_TC(tp, recvmsg_msg_name_heap_before_end); 1793 ATF_TP_ADD_TC(tp, recvmsg_msg_name_heap_end); 1794 ATF_TP_ADD_TC(tp, recvmsg_msg_name_heap_after_end); 1795 ATF_TP_ADD_TC(tp, recvmsg_msg_iov_before_end); 1796 ATF_TP_ADD_TC(tp, recvmsg_msg_iov_end); 1797 ATF_TP_ADD_TC(tp, recvmsg_msg_iov_heap_before_end); 1798 ATF_TP_ADD_TC(tp, recvmsg_msg_iov_heap_end); 1799 ATF_TP_ADD_TC(tp, recvmsg_msg_iov_heap_after_end); 1800 ATF_TP_ADD_TC(tp, recvmsg_msg_control_before_end); 1801 ATF_TP_ADD_TC(tp, recvmsg_msg_control_end); 1802 ATF_TP_ADD_TC(tp, recvmsg_msg_control_heap_before_end); 1803 ATF_TP_ADD_TC(tp, recvmsg_msg_control_heap_end); 1804 ATF_TP_ADD_TC(tp, recvmsg_msg_control_heap_after_end); 1805 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_before_end); 1806 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_end); 1807 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_after_end); 1808 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_heap_before_end); 1809 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_heap_end); 1810 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_heap_after_end); 1811 ATF_TP_ADD_TC(tp, recvmmsg_msghdr_before_end); 1812 ATF_TP_ADD_TC(tp, recvmmsg_msghdr_end); 1813 ATF_TP_ADD_TC(tp, recvmmsg_msghdr_heap_before_end); 1814 ATF_TP_ADD_TC(tp, recvmmsg_msghdr_heap_end); 1815 ATF_TP_ADD_TC(tp, recvmmsg_msghdr_heap_after_end); 1816 return (atf_no_error()); 1817 } 1818