S1AP: HACK: initial fuzzing test case for S1AP_SetupReq
Change-Id: Ib6c8d87a1118a99075d3f2a498f3af4bdc65e6ec
This commit is contained in:
parent
06ca64dcf7
commit
03f24fa207
|
@ -1,3 +1,5 @@
|
|||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
|
@ -13,6 +15,7 @@ TTCN_Module S1AP__EncDec("S1AP_EncDec", __DATE__, __TIME__);
|
|||
|
||||
OCTETSTRING enc__S1AP__PDU(const S1AP__PDU__Descriptions::S1AP__PDU &pdu)
|
||||
{
|
||||
static unsigned long count = 0;
|
||||
uint8_t *aper_buf;
|
||||
int aper_buf_len;
|
||||
TTCN_Buffer TTCN_buf;
|
||||
|
@ -27,6 +30,18 @@ OCTETSTRING enc__S1AP__PDU(const S1AP__PDU__Descriptions::S1AP__PDU &pdu)
|
|||
TTCN_error("fftranscode failed.");
|
||||
}
|
||||
|
||||
/* Observed srsEPC segfaults with:
|
||||
* idx=1 && mask=0x1d
|
||||
* idx=5 && mask=any */
|
||||
if (count++ % 2 == 0) {
|
||||
int idx = rand() % aper_buf_len;
|
||||
uint8_t mask = (uint8_t) rand();
|
||||
|
||||
/* TUWAT! Mangle a random byte. */
|
||||
printf("=== TUWAT: mangling octet %d with mask 0x%02x\n", idx, mask);
|
||||
aper_buf[idx] ^= mask;
|
||||
}
|
||||
|
||||
/* make octetstring from output buffer */
|
||||
OCTETSTRING ret_val(aper_buf_len, aper_buf);
|
||||
|
||||
|
@ -62,3 +77,9 @@ S1AP__PDU__Descriptions::S1AP__PDU dec__S1AP__PDU(const OCTETSTRING &stream)
|
|||
}
|
||||
|
||||
}
|
||||
|
||||
static __attribute__((constructor)) void on_dso_load(void)
|
||||
{
|
||||
/* Use a static seed for reproduceable results */
|
||||
srand(10000);
|
||||
}
|
||||
|
|
|
@ -25,6 +25,37 @@ import from S1AP_PDU_Descriptions all;
|
|||
* 9.1.8 Management Messages
|
||||
*********************************************************************************/
|
||||
|
||||
/* 9.1.8.4 S1 SETUP REQUEST */
|
||||
template (value) S1AP_PDU
|
||||
ts_S1AP_SetupReq_fuzz(template (value) Global_ENB_ID p_global_ENB_ID,
|
||||
template (value) SupportedTAs p_supportedTAs,
|
||||
template (value) PagingDRX p_pagingDRXs,
|
||||
template (value) integer id := S1AP_Constants.id_SupportedTAs) := {
|
||||
initiatingMessage := {
|
||||
procedureCode := id_S1Setup,
|
||||
criticality := reject,
|
||||
value_ := {
|
||||
S1SetupRequest := {
|
||||
protocolIEs := {
|
||||
{
|
||||
id := S1AP_Constants.id_Global_ENB_ID,
|
||||
criticality := reject,
|
||||
value_ := { Global_ENB_ID := p_global_ENB_ID }
|
||||
}, {
|
||||
id := S1AP_Constants.id_SupportedTAs,
|
||||
criticality := reject,
|
||||
value_ := {SupportedTAs := p_supportedTAs}
|
||||
}, {
|
||||
id := S1AP_Constants.id_pagingDRX,
|
||||
criticality := ignore,
|
||||
value_ := {PagingDRX := p_pagingDRXs}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* 9.1.8.4 S1 SETUP REQUEST */
|
||||
template (value) S1AP_PDU
|
||||
ts_S1AP_SetupReq(template (value) Global_ENB_ID p_global_ENB_ID,
|
||||
|
|
|
@ -308,7 +308,8 @@ friend function f_init_handler(ConnHdlrPars pars, float t_guard := 30.0) runs on
|
|||
friend function f_s1ap_setup(integer idx := 0, template Cause cause := omit) runs on MTC_CT {
|
||||
var template (present) Cause exp_cause;
|
||||
var boolean exp_fail := false;
|
||||
timer T := 5.0;
|
||||
timer T := 2.0;
|
||||
|
||||
if (not istemplatekind(cause, "omit")) {
|
||||
exp_fail := true;
|
||||
exp_cause := cause;
|
||||
|
@ -323,12 +324,15 @@ friend function f_s1ap_setup(integer idx := 0, template Cause cause := omit) run
|
|||
}
|
||||
[not exp_fail] S1AP_UNIT[idx].receive(tr_S1AP_SetupResp) {
|
||||
setverdict(pass);
|
||||
mtc.stop;
|
||||
}
|
||||
[] S1AP_UNIT[idx].receive {
|
||||
setverdict(fail, "Received unexpected S1AP");
|
||||
mtc.stop;
|
||||
}
|
||||
[] T.timeout {
|
||||
setverdict(fail, "Timeout waiting for S1AP Setup result");
|
||||
mtc.stop;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -561,11 +565,52 @@ testcase TC_s1ap_attach() runs on MTC_CT {
|
|||
vc_conn.done;
|
||||
}
|
||||
|
||||
friend function f_s1ap_setup_fuzz(integer idx := 0, integer id) runs on MTC_CT {
|
||||
var boolean exp_fail := false;
|
||||
timer T := 0.5;
|
||||
|
||||
S1AP_UNIT[idx].send(ts_S1AP_SetupReq_fuzz(g_enb_pars[idx].global_enb_id,
|
||||
g_enb_pars[idx].supported_tas, v32, id));
|
||||
T.start;
|
||||
alt {
|
||||
[] S1AP_UNIT[idx].receive(tr_S1AP_SetupFail) {
|
||||
setverdict(pass);
|
||||
}
|
||||
[] S1AP_UNIT[idx].receive {
|
||||
setverdict(fail, "Received unexpected S1AP");
|
||||
mtc.stop;
|
||||
}
|
||||
[] T.timeout {
|
||||
setverdict(fail, "Timeout waiting for S1AP Setup result");
|
||||
log("Attempt #", id);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* S1 Setup Request fuzzing */
|
||||
testcase TC_s1ap_setup_fuzz() runs on MTC_CT {
|
||||
var charstring id := testcasename();
|
||||
var integer i;
|
||||
|
||||
f_init_s1ap(id, 1);
|
||||
g_enb_pars[0].global_enb_id.pLMNidentity := '62F224'O;
|
||||
|
||||
for (i := 0; i < 10000; i := i + 1) {
|
||||
f_s1ap_setup_fuzz(0, i);
|
||||
f_s1ap_setup(0, { misc := unknown_PLMN });
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
control {
|
||||
execute( TC_s1ap_setup_wrong_plmn() );
|
||||
execute( TC_s1ap_setup_wrong_tac() );
|
||||
execute( TC_s1ap_setup() );
|
||||
execute( TC_s1ap_attach() );
|
||||
|
||||
/* Fuzzing tests */
|
||||
execute( TC_s1ap_setup_fuzz() );
|
||||
}
|
||||
|
||||
|
||||
|
|
Loading…
Reference in New Issue