CoCalc -- fortify_socket

GitHub Repository: freebsd/freebsd-src
Path: blob/main/lib/libc/tests/secure/fortify_socket_test.c
³⁹⁵⁵³ views
1
/* @generated by `generate-fortify-tests.lua "socket"` */
2

3
#define	_FORTIFY_SOURCE	2
4
#define	TMPFILE_SIZE	(1024 * 32)
5

6
#include <sys/param.h>
7
#include <sys/jail.h>
8
#include <sys/random.h>
9
#include <sys/resource.h>
10
#include <sys/select.h>
11
#include <sys/socket.h>
12
#include <sys/time.h>
13
#include <sys/uio.h>
14
#include <sys/wait.h>
15
#include <dirent.h>
16
#include <errno.h>
17
#include <fcntl.h>
18
#include <limits.h>
19
#include <poll.h>
20
#include <signal.h>
21
#include <stdio.h>
22
#include <stdlib.h>
23
#include <string.h>
24
#include <strings.h>
25
#include <sysexits.h>
26
#include <unistd.h>
27
#include <wchar.h>
28
#include <atf-c.h>
29

30
static FILE * __unused
31
new_fp(size_t __len)
32
{
33
	static char fpbuf[LINE_MAX];
34
	FILE *fp;
35

36
	ATF_REQUIRE(__len <= sizeof(fpbuf));
37

38
	memset(fpbuf, 'A', sizeof(fpbuf) - 1);
39
	fpbuf[sizeof(fpbuf) - 1] = '\0';
40

41
	fp = fmemopen(fpbuf, sizeof(fpbuf), "rb");
42
	ATF_REQUIRE(fp != NULL);
43

44
	return (fp);
45
}
46

47
/*
48
 * Create a new symlink to use for readlink(2) style tests, we'll just use a
49
 * random target name to have something interesting to look at.
50
 */
51
static const char * __unused
52
new_symlink(size_t __len)
53
{
54
	static const char linkname[] = "link";
55
	char target[MAXNAMLEN];
56
	int error;
57

58
	ATF_REQUIRE(__len <= sizeof(target));
59

60
	arc4random_buf(target, sizeof(target));
61

62
	error = unlink(linkname);
63
	ATF_REQUIRE(error == 0 || errno == ENOENT);
64

65
	error = symlink(target, linkname);
66
	ATF_REQUIRE(error == 0);
67

68
	return (linkname);
69
}
70

71
/*
72
 * For our purposes, first descriptor will be the reader; we'll send both
73
 * raw data and a control message over it so that the result can be used for
74
 * any of our recv*() tests.
75
 */
76
static void __unused
77
new_socket(int sock[2])
78
{
79
	unsigned char ctrl[CMSG_SPACE(sizeof(int))] = { 0 };
80
	static char sockbuf[256];
81
	ssize_t rv;
82
	size_t total = 0;
83
	struct msghdr hdr = { 0 };
84
	struct cmsghdr *cmsg;
85
	int error, fd;
86

87
	error = socketpair(AF_UNIX, SOCK_STREAM, 0, sock);
88
	ATF_REQUIRE(error == 0);
89

90
	while (total != sizeof(sockbuf)) {
91
		rv = send(sock[1], &sockbuf[total], sizeof(sockbuf) - total, 0);
92

93
		ATF_REQUIRE_MSG(rv > 0,
94
		    "expected bytes sent, got %zd with %zu left (size %zu, total %zu)",
95
		    rv, sizeof(sockbuf) - total, sizeof(sockbuf), total);
96
		ATF_REQUIRE_MSG(total + (size_t)rv <= sizeof(sockbuf),
97
		    "%zd exceeds total %zu", rv, sizeof(sockbuf));
98
		total += rv;
99
	}
100

101
	hdr.msg_control = ctrl;
102
	hdr.msg_controllen = sizeof(ctrl);
103

104
	cmsg = CMSG_FIRSTHDR(&hdr);
105
	cmsg->cmsg_level = SOL_SOCKET;
106
	cmsg->cmsg_type = SCM_RIGHTS;
107
	cmsg->cmsg_len = CMSG_LEN(sizeof(fd));
108
	fd = STDIN_FILENO;
109
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd));
110

111
	error = sendmsg(sock[1], &hdr, 0);
112
	ATF_REQUIRE(error != -1);
113
}
114

115
/*
116
 * Constructs a tmpfile that we can use for testing read(2) and friends.
117
 */
118
static int __unused
119
new_tmpfile(void)
120
{
121
	char buf[1024];
122
	ssize_t rv;
123
	size_t written;
124
	int fd;
125

126
	fd = open("tmpfile", O_RDWR | O_CREAT | O_TRUNC, 0644);
127
	ATF_REQUIRE(fd >= 0);
128

129
	written = 0;
130
	while (written < TMPFILE_SIZE) {
131
		rv = write(fd, buf, sizeof(buf));
132
		ATF_REQUIRE(rv > 0);
133

134
		written += rv;
135
	}
136

137
	ATF_REQUIRE_EQ(0, lseek(fd, 0, SEEK_SET));
138
	return (fd);
139
}
140

141
static void
142
disable_coredumps(void)
143
{
144
	struct rlimit rl = { 0 };
145

146
	if (setrlimit(RLIMIT_CORE, &rl) == -1)
147
		_exit(EX_OSERR);
148
}
149

150
/*
151
 * Replaces stdin with a file that we can actually read from, for tests where
152
 * we want a FILE * or fd that we can get data from.
153
 */
154
static void __unused
155
replace_stdin(void)
156
{
157
	int fd;
158

159
	fd = new_tmpfile();
160

161
	(void)dup2(fd, STDIN_FILENO);
162
	if (fd != STDIN_FILENO)
163
		close(fd);
164
}
165

166
ATF_TC(getpeername_before_end);
167
ATF_TC_HEAD(getpeername_before_end, tc)
168
{
169
}
170
ATF_TC_BODY(getpeername_before_end, tc)
171
{
172
#define BUF &__stack.__buf
173
	struct {
174
		uint8_t padding_l;
175
		struct sockaddr __buf;
176
		uint8_t padding_r;
177
	} __stack;
178
	const size_t __bufsz __unused = sizeof(__stack.__buf);
179
	const size_t __len = sizeof(struct sockaddr) - 1;
180
	const size_t __idx __unused = __len - 1;
181
	int sock[2] = { -1, -1 };
182
	socklen_t socklen;
183
	new_socket(sock);
184
	socklen = __len;
185

186
	getpeername(sock[0], &__stack.__buf, &socklen);
187
#undef BUF
188

189
}
190

191
ATF_TC(getpeername_end);
192
ATF_TC_HEAD(getpeername_end, tc)
193
{
194
}
195
ATF_TC_BODY(getpeername_end, tc)
196
{
197
#define BUF &__stack.__buf
198
	struct {
199
		uint8_t padding_l;
200
		struct sockaddr __buf;
201
		uint8_t padding_r;
202
	} __stack;
203
	const size_t __bufsz __unused = sizeof(__stack.__buf);
204
	const size_t __len = sizeof(struct sockaddr);
205
	const size_t __idx __unused = __len - 1;
206
	int sock[2] = { -1, -1 };
207
	socklen_t socklen;
208
	new_socket(sock);
209
	socklen = __len;
210

211
	getpeername(sock[0], &__stack.__buf, &socklen);
212
#undef BUF
213

214
}
215

216
ATF_TC(getpeername_heap_before_end);
217
ATF_TC_HEAD(getpeername_heap_before_end, tc)
218
{
219
}
220
ATF_TC_BODY(getpeername_heap_before_end, tc)
221
{
222
#define BUF __stack.__buf
223
	struct {
224
		uint8_t padding_l;
225
		struct sockaddr * __buf;
226
		uint8_t padding_r;
227
	} __stack;
228
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
229
	const size_t __len = sizeof(struct sockaddr) - 1;
230
	const size_t __idx __unused = __len - 1;
231
	int sock[2] = { -1, -1 };
232
	socklen_t socklen;
233
	__stack.__buf = malloc(__bufsz);
234
	new_socket(sock);
235
	socklen = __len;
236

237
	getpeername(sock[0], __stack.__buf, &socklen);
238
#undef BUF
239

240
}
241

242
ATF_TC(getpeername_heap_end);
243
ATF_TC_HEAD(getpeername_heap_end, tc)
244
{
245
}
246
ATF_TC_BODY(getpeername_heap_end, tc)
247
{
248
#define BUF __stack.__buf
249
	struct {
250
		uint8_t padding_l;
251
		struct sockaddr * __buf;
252
		uint8_t padding_r;
253
	} __stack;
254
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
255
	const size_t __len = sizeof(struct sockaddr);
256
	const size_t __idx __unused = __len - 1;
257
	int sock[2] = { -1, -1 };
258
	socklen_t socklen;
259
	__stack.__buf = malloc(__bufsz);
260
	new_socket(sock);
261
	socklen = __len;
262

263
	getpeername(sock[0], __stack.__buf, &socklen);
264
#undef BUF
265

266
}
267

268
ATF_TC(getpeername_heap_after_end);
269
ATF_TC_HEAD(getpeername_heap_after_end, tc)
270
{
271
}
272
ATF_TC_BODY(getpeername_heap_after_end, tc)
273
{
274
#define BUF __stack.__buf
275
	struct {
276
		uint8_t padding_l;
277
		struct sockaddr * __buf;
278
		uint8_t padding_r;
279
	} __stack;
280
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
281
	const size_t __len = sizeof(struct sockaddr) + 1;
282
	const size_t __idx __unused = __len - 1;
283
	pid_t __child;
284
	int __status;
285
	int sock[2] = { -1, -1 };
286
	socklen_t socklen;
287
	__child = fork();
288
	ATF_REQUIRE(__child >= 0);
289
	if (__child > 0)
290
		goto monitor;
291

292
	/* Child */
293
	disable_coredumps();
294
	__stack.__buf = malloc(__bufsz);
295
	new_socket(sock);
296
	socklen = __len;
297

298
	getpeername(sock[0], __stack.__buf, &socklen);
299
	_exit(EX_SOFTWARE);	/* Should have aborted. */
300

301
monitor:
302
	while (waitpid(__child, &__status, 0) != __child) {
303
		ATF_REQUIRE_EQ(EINTR, errno);
304
	}
305

306
	if (!WIFSIGNALED(__status)) {
307
		switch (WEXITSTATUS(__status)) {
308
		case EX_SOFTWARE:
309
			atf_tc_fail("FORTIFY_SOURCE failed to abort");
310
			break;
311
		case EX_OSERR:
312
			atf_tc_fail("setrlimit(2) failed");
313
			break;
314
		default:
315
			atf_tc_fail("child exited with status %d",
316
			    WEXITSTATUS(__status));
317
		}
318
	} else {
319
		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
320
	}
321
#undef BUF
322

323
}
324

325
ATF_TC(getsockname_before_end);
326
ATF_TC_HEAD(getsockname_before_end, tc)
327
{
328
}
329
ATF_TC_BODY(getsockname_before_end, tc)
330
{
331
#define BUF &__stack.__buf
332
	struct {
333
		uint8_t padding_l;
334
		struct sockaddr __buf;
335
		uint8_t padding_r;
336
	} __stack;
337
	const size_t __bufsz __unused = sizeof(__stack.__buf);
338
	const size_t __len = sizeof(struct sockaddr) - 1;
339
	const size_t __idx __unused = __len - 1;
340
	int sock[2] = { -1, -1 };
341
	socklen_t socklen;
342
	new_socket(sock);
343
	socklen = __len;
344

345
	getsockname(sock[0], &__stack.__buf, &socklen);
346
#undef BUF
347

348
}
349

350
ATF_TC(getsockname_end);
351
ATF_TC_HEAD(getsockname_end, tc)
352
{
353
}
354
ATF_TC_BODY(getsockname_end, tc)
355
{
356
#define BUF &__stack.__buf
357
	struct {
358
		uint8_t padding_l;
359
		struct sockaddr __buf;
360
		uint8_t padding_r;
361
	} __stack;
362
	const size_t __bufsz __unused = sizeof(__stack.__buf);
363
	const size_t __len = sizeof(struct sockaddr);
364
	const size_t __idx __unused = __len - 1;
365
	int sock[2] = { -1, -1 };
366
	socklen_t socklen;
367
	new_socket(sock);
368
	socklen = __len;
369

370
	getsockname(sock[0], &__stack.__buf, &socklen);
371
#undef BUF
372

373
}
374

375
ATF_TC(getsockname_heap_before_end);
376
ATF_TC_HEAD(getsockname_heap_before_end, tc)
377
{
378
}
379
ATF_TC_BODY(getsockname_heap_before_end, tc)
380
{
381
#define BUF __stack.__buf
382
	struct {
383
		uint8_t padding_l;
384
		struct sockaddr * __buf;
385
		uint8_t padding_r;
386
	} __stack;
387
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
388
	const size_t __len = sizeof(struct sockaddr) - 1;
389
	const size_t __idx __unused = __len - 1;
390
	int sock[2] = { -1, -1 };
391
	socklen_t socklen;
392
	__stack.__buf = malloc(__bufsz);
393
	new_socket(sock);
394
	socklen = __len;
395

396
	getsockname(sock[0], __stack.__buf, &socklen);
397
#undef BUF
398

399
}
400

401
ATF_TC(getsockname_heap_end);
402
ATF_TC_HEAD(getsockname_heap_end, tc)
403
{
404
}
405
ATF_TC_BODY(getsockname_heap_end, tc)
406
{
407
#define BUF __stack.__buf
408
	struct {
409
		uint8_t padding_l;
410
		struct sockaddr * __buf;
411
		uint8_t padding_r;
412
	} __stack;
413
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
414
	const size_t __len = sizeof(struct sockaddr);
415
	const size_t __idx __unused = __len - 1;
416
	int sock[2] = { -1, -1 };
417
	socklen_t socklen;
418
	__stack.__buf = malloc(__bufsz);
419
	new_socket(sock);
420
	socklen = __len;
421

422
	getsockname(sock[0], __stack.__buf, &socklen);
423
#undef BUF
424

425
}
426

427
ATF_TC(getsockname_heap_after_end);
428
ATF_TC_HEAD(getsockname_heap_after_end, tc)
429
{
430
}
431
ATF_TC_BODY(getsockname_heap_after_end, tc)
432
{
433
#define BUF __stack.__buf
434
	struct {
435
		uint8_t padding_l;
436
		struct sockaddr * __buf;
437
		uint8_t padding_r;
438
	} __stack;
439
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
440
	const size_t __len = sizeof(struct sockaddr) + 1;
441
	const size_t __idx __unused = __len - 1;
442
	pid_t __child;
443
	int __status;
444
	int sock[2] = { -1, -1 };
445
	socklen_t socklen;
446
	__child = fork();
447
	ATF_REQUIRE(__child >= 0);
448
	if (__child > 0)
449
		goto monitor;
450

451
	/* Child */
452
	disable_coredumps();
453
	__stack.__buf = malloc(__bufsz);
454
	new_socket(sock);
455
	socklen = __len;
456

457
	getsockname(sock[0], __stack.__buf, &socklen);
458
	_exit(EX_SOFTWARE);	/* Should have aborted. */
459

460
monitor:
461
	while (waitpid(__child, &__status, 0) != __child) {
462
		ATF_REQUIRE_EQ(EINTR, errno);
463
	}
464

465
	if (!WIFSIGNALED(__status)) {
466
		switch (WEXITSTATUS(__status)) {
467
		case EX_SOFTWARE:
468
			atf_tc_fail("FORTIFY_SOURCE failed to abort");
469
			break;
470
		case EX_OSERR:
471
			atf_tc_fail("setrlimit(2) failed");
472
			break;
473
		default:
474
			atf_tc_fail("child exited with status %d",
475
			    WEXITSTATUS(__status));
476
		}
477
	} else {
478
		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
479
	}
480
#undef BUF
481

482
}
483

484
ATF_TC(recv_before_end);
485
ATF_TC_HEAD(recv_before_end, tc)
486
{
487
}
488
ATF_TC_BODY(recv_before_end, tc)
489
{
490
#define BUF &__stack.__buf
491
	struct {
492
		uint8_t padding_l;
493
		unsigned char __buf[42];
494
		uint8_t padding_r;
495
	} __stack;
496
	const size_t __bufsz __unused = sizeof(__stack.__buf);
497
	const size_t __len = 42 - 1;
498
	const size_t __idx __unused = __len - 1;
499
	int sock[2] = { -1, -1 };
500

501
	new_socket(sock);
502

503
	recv(sock[0], __stack.__buf, __len, 0);
504
#undef BUF
505

506
}
507

508
ATF_TC(recv_end);
509
ATF_TC_HEAD(recv_end, tc)
510
{
511
}
512
ATF_TC_BODY(recv_end, tc)
513
{
514
#define BUF &__stack.__buf
515
	struct {
516
		uint8_t padding_l;
517
		unsigned char __buf[42];
518
		uint8_t padding_r;
519
	} __stack;
520
	const size_t __bufsz __unused = sizeof(__stack.__buf);
521
	const size_t __len = 42;
522
	const size_t __idx __unused = __len - 1;
523
	int sock[2] = { -1, -1 };
524

525
	new_socket(sock);
526

527
	recv(sock[0], __stack.__buf, __len, 0);
528
#undef BUF
529

530
}
531

532
ATF_TC(recv_heap_before_end);
533
ATF_TC_HEAD(recv_heap_before_end, tc)
534
{
535
}
536
ATF_TC_BODY(recv_heap_before_end, tc)
537
{
538
#define BUF __stack.__buf
539
	struct {
540
		uint8_t padding_l;
541
		unsigned char * __buf;
542
		uint8_t padding_r;
543
	} __stack;
544
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
545
	const size_t __len = 42 - 1;
546
	const size_t __idx __unused = __len - 1;
547
	int sock[2] = { -1, -1 };
548

549
	__stack.__buf = malloc(__bufsz);
550
	new_socket(sock);
551

552
	recv(sock[0], __stack.__buf, __len, 0);
553
#undef BUF
554

555
}
556

557
ATF_TC(recv_heap_end);
558
ATF_TC_HEAD(recv_heap_end, tc)
559
{
560
}
561
ATF_TC_BODY(recv_heap_end, tc)
562
{
563
#define BUF __stack.__buf
564
	struct {
565
		uint8_t padding_l;
566
		unsigned char * __buf;
567
		uint8_t padding_r;
568
	} __stack;
569
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
570
	const size_t __len = 42;
571
	const size_t __idx __unused = __len - 1;
572
	int sock[2] = { -1, -1 };
573

574
	__stack.__buf = malloc(__bufsz);
575
	new_socket(sock);
576

577
	recv(sock[0], __stack.__buf, __len, 0);
578
#undef BUF
579

580
}
581

582
ATF_TC(recv_heap_after_end);
583
ATF_TC_HEAD(recv_heap_after_end, tc)
584
{
585
}
586
ATF_TC_BODY(recv_heap_after_end, tc)
587
{
588
#define BUF __stack.__buf
589
	struct {
590
		uint8_t padding_l;
591
		unsigned char * __buf;
592
		uint8_t padding_r;
593
	} __stack;
594
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
595
	const size_t __len = 42 + 1;
596
	const size_t __idx __unused = __len - 1;
597
	pid_t __child;
598
	int __status;
599
	int sock[2] = { -1, -1 };
600

601
	__child = fork();
602
	ATF_REQUIRE(__child >= 0);
603
	if (__child > 0)
604
		goto monitor;
605

606
	/* Child */
607
	disable_coredumps();
608
	__stack.__buf = malloc(__bufsz);
609
	new_socket(sock);
610

611
	recv(sock[0], __stack.__buf, __len, 0);
612
	_exit(EX_SOFTWARE);	/* Should have aborted. */
613

614
monitor:
615
	while (waitpid(__child, &__status, 0) != __child) {
616
		ATF_REQUIRE_EQ(EINTR, errno);
617
	}
618

619
	if (!WIFSIGNALED(__status)) {
620
		switch (WEXITSTATUS(__status)) {
621
		case EX_SOFTWARE:
622
			atf_tc_fail("FORTIFY_SOURCE failed to abort");
623
			break;
624
		case EX_OSERR:
625
			atf_tc_fail("setrlimit(2) failed");
626
			break;
627
		default:
628
			atf_tc_fail("child exited with status %d",
629
			    WEXITSTATUS(__status));
630
		}
631
	} else {
632
		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
633
	}
634
#undef BUF
635

636
}
637

638
ATF_TC(recvfrom_before_end);
639
ATF_TC_HEAD(recvfrom_before_end, tc)
640
{
641
}
642
ATF_TC_BODY(recvfrom_before_end, tc)
643
{
644
#define BUF &__stack.__buf
645
	struct {
646
		uint8_t padding_l;
647
		unsigned char __buf[42];
648
		uint8_t padding_r;
649
	} __stack;
650
	const size_t __bufsz __unused = sizeof(__stack.__buf);
651
	const size_t __len = 42 - 1;
652
	const size_t __idx __unused = __len - 1;
653
	int sock[2] = { -1, -1 };
654

655
	new_socket(sock);
656

657
	recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL);
658
#undef BUF
659

660
}
661

662
ATF_TC(recvfrom_end);
663
ATF_TC_HEAD(recvfrom_end, tc)
664
{
665
}
666
ATF_TC_BODY(recvfrom_end, tc)
667
{
668
#define BUF &__stack.__buf
669
	struct {
670
		uint8_t padding_l;
671
		unsigned char __buf[42];
672
		uint8_t padding_r;
673
	} __stack;
674
	const size_t __bufsz __unused = sizeof(__stack.__buf);
675
	const size_t __len = 42;
676
	const size_t __idx __unused = __len - 1;
677
	int sock[2] = { -1, -1 };
678

679
	new_socket(sock);
680

681
	recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL);
682
#undef BUF
683

684
}
685

686
ATF_TC(recvfrom_heap_before_end);
687
ATF_TC_HEAD(recvfrom_heap_before_end, tc)
688
{
689
}
690
ATF_TC_BODY(recvfrom_heap_before_end, tc)
691
{
692
#define BUF __stack.__buf
693
	struct {
694
		uint8_t padding_l;
695
		unsigned char * __buf;
696
		uint8_t padding_r;
697
	} __stack;
698
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
699
	const size_t __len = 42 - 1;
700
	const size_t __idx __unused = __len - 1;
701
	int sock[2] = { -1, -1 };
702

703
	__stack.__buf = malloc(__bufsz);
704
	new_socket(sock);
705

706
	recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL);
707
#undef BUF
708

709
}
710

711
ATF_TC(recvfrom_heap_end);
712
ATF_TC_HEAD(recvfrom_heap_end, tc)
713
{
714
}
715
ATF_TC_BODY(recvfrom_heap_end, tc)
716
{
717
#define BUF __stack.__buf
718
	struct {
719
		uint8_t padding_l;
720
		unsigned char * __buf;
721
		uint8_t padding_r;
722
	} __stack;
723
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
724
	const size_t __len = 42;
725
	const size_t __idx __unused = __len - 1;
726
	int sock[2] = { -1, -1 };
727

728
	__stack.__buf = malloc(__bufsz);
729
	new_socket(sock);
730

731
	recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL);
732
#undef BUF
733

734
}
735

736
ATF_TC(recvfrom_heap_after_end);
737
ATF_TC_HEAD(recvfrom_heap_after_end, tc)
738
{
739
}
740
ATF_TC_BODY(recvfrom_heap_after_end, tc)
741
{
742
#define BUF __stack.__buf
743
	struct {
744
		uint8_t padding_l;
745
		unsigned char * __buf;
746
		uint8_t padding_r;
747
	} __stack;
748
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
749
	const size_t __len = 42 + 1;
750
	const size_t __idx __unused = __len - 1;
751
	pid_t __child;
752
	int __status;
753
	int sock[2] = { -1, -1 };
754

755
	__child = fork();
756
	ATF_REQUIRE(__child >= 0);
757
	if (__child > 0)
758
		goto monitor;
759

760
	/* Child */
761
	disable_coredumps();
762
	__stack.__buf = malloc(__bufsz);
763
	new_socket(sock);
764

765
	recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL);
766
	_exit(EX_SOFTWARE);	/* Should have aborted. */
767

768
monitor:
769
	while (waitpid(__child, &__status, 0) != __child) {
770
		ATF_REQUIRE_EQ(EINTR, errno);
771
	}
772

773
	if (!WIFSIGNALED(__status)) {
774
		switch (WEXITSTATUS(__status)) {
775
		case EX_SOFTWARE:
776
			atf_tc_fail("FORTIFY_SOURCE failed to abort");
777
			break;
778
		case EX_OSERR:
779
			atf_tc_fail("setrlimit(2) failed");
780
			break;
781
		default:
782
			atf_tc_fail("child exited with status %d",
783
			    WEXITSTATUS(__status));
784
		}
785
	} else {
786
		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
787
	}
788
#undef BUF
789

790
}
791

792
ATF_TC(recvfrom_sockaddr_before_end);
793
ATF_TC_HEAD(recvfrom_sockaddr_before_end, tc)
794
{
795
}
796
ATF_TC_BODY(recvfrom_sockaddr_before_end, tc)
797
{
798
#define BUF &__stack.__buf
799
	struct {
800
		uint8_t padding_l;
801
		struct sockaddr __buf;
802
		uint8_t padding_r;
803
	} __stack;
804
	const size_t __bufsz __unused = sizeof(__stack.__buf);
805
	const size_t __len = sizeof(struct sockaddr) - 1;
806
	const size_t __idx __unused = __len - 1;
807
	int sock[2] = { -1, -1 };
808
	char data[16];
809
	socklen_t socklen;
810

811
	new_socket(sock);
812
	socklen = __len;
813

814
	recvfrom(sock[0], data, sizeof(data), 0, &__stack.__buf, &socklen);
815
#undef BUF
816

817
}
818

819
ATF_TC(recvfrom_sockaddr_end);
820
ATF_TC_HEAD(recvfrom_sockaddr_end, tc)
821
{
822
}
823
ATF_TC_BODY(recvfrom_sockaddr_end, tc)
824
{
825
#define BUF &__stack.__buf
826
	struct {
827
		uint8_t padding_l;
828
		struct sockaddr __buf;
829
		uint8_t padding_r;
830
	} __stack;
831
	const size_t __bufsz __unused = sizeof(__stack.__buf);
832
	const size_t __len = sizeof(struct sockaddr);
833
	const size_t __idx __unused = __len - 1;
834
	int sock[2] = { -1, -1 };
835
	char data[16];
836
	socklen_t socklen;
837

838
	new_socket(sock);
839
	socklen = __len;
840

841
	recvfrom(sock[0], data, sizeof(data), 0, &__stack.__buf, &socklen);
842
#undef BUF
843

844
}
845

846
ATF_TC(recvfrom_sockaddr_heap_before_end);
847
ATF_TC_HEAD(recvfrom_sockaddr_heap_before_end, tc)
848
{
849
}
850
ATF_TC_BODY(recvfrom_sockaddr_heap_before_end, tc)
851
{
852
#define BUF __stack.__buf
853
	struct {
854
		uint8_t padding_l;
855
		struct sockaddr * __buf;
856
		uint8_t padding_r;
857
	} __stack;
858
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
859
	const size_t __len = sizeof(struct sockaddr) - 1;
860
	const size_t __idx __unused = __len - 1;
861
	int sock[2] = { -1, -1 };
862
	char data[16];
863
	socklen_t socklen;
864

865
	__stack.__buf = malloc(__bufsz);
866
	new_socket(sock);
867
	socklen = __len;
868

869
	recvfrom(sock[0], data, sizeof(data), 0, __stack.__buf, &socklen);
870
#undef BUF
871

872
}
873

874
ATF_TC(recvfrom_sockaddr_heap_end);
875
ATF_TC_HEAD(recvfrom_sockaddr_heap_end, tc)
876
{
877
}
878
ATF_TC_BODY(recvfrom_sockaddr_heap_end, tc)
879
{
880
#define BUF __stack.__buf
881
	struct {
882
		uint8_t padding_l;
883
		struct sockaddr * __buf;
884
		uint8_t padding_r;
885
	} __stack;
886
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
887
	const size_t __len = sizeof(struct sockaddr);
888
	const size_t __idx __unused = __len - 1;
889
	int sock[2] = { -1, -1 };
890
	char data[16];
891
	socklen_t socklen;
892

893
	__stack.__buf = malloc(__bufsz);
894
	new_socket(sock);
895
	socklen = __len;
896

897
	recvfrom(sock[0], data, sizeof(data), 0, __stack.__buf, &socklen);
898
#undef BUF
899

900
}
901

902
ATF_TC(recvfrom_sockaddr_heap_after_end);
903
ATF_TC_HEAD(recvfrom_sockaddr_heap_after_end, tc)
904
{
905
}
906
ATF_TC_BODY(recvfrom_sockaddr_heap_after_end, tc)
907
{
908
#define BUF __stack.__buf
909
	struct {
910
		uint8_t padding_l;
911
		struct sockaddr * __buf;
912
		uint8_t padding_r;
913
	} __stack;
914
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
915
	const size_t __len = sizeof(struct sockaddr) + 1;
916
	const size_t __idx __unused = __len - 1;
917
	pid_t __child;
918
	int __status;
919
	int sock[2] = { -1, -1 };
920
	char data[16];
921
	socklen_t socklen;
922

923
	__child = fork();
924
	ATF_REQUIRE(__child >= 0);
925
	if (__child > 0)
926
		goto monitor;
927

928
	/* Child */
929
	disable_coredumps();
930
	__stack.__buf = malloc(__bufsz);
931
	new_socket(sock);
932
	socklen = __len;
933

934
	recvfrom(sock[0], data, sizeof(data), 0, __stack.__buf, &socklen);
935
	_exit(EX_SOFTWARE);	/* Should have aborted. */
936

937
monitor:
938
	while (waitpid(__child, &__status, 0) != __child) {
939
		ATF_REQUIRE_EQ(EINTR, errno);
940
	}
941

942
	if (!WIFSIGNALED(__status)) {
943
		switch (WEXITSTATUS(__status)) {
944
		case EX_SOFTWARE:
945
			atf_tc_fail("FORTIFY_SOURCE failed to abort");
946
			break;
947
		case EX_OSERR:
948
			atf_tc_fail("setrlimit(2) failed");
949
			break;
950
		default:
951
			atf_tc_fail("child exited with status %d",
952
			    WEXITSTATUS(__status));
953
		}
954
	} else {
955
		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
956
	}
957
#undef BUF
958

959
}
960

961
ATF_TC(recvmsg_msg_name_before_end);
962
ATF_TC_HEAD(recvmsg_msg_name_before_end, tc)
963
{
964
}
965
ATF_TC_BODY(recvmsg_msg_name_before_end, tc)
966
{
967
#define BUF &__stack.__buf
968
	struct {
969
		uint8_t padding_l;
970
		struct sockaddr __buf;
971
		uint8_t padding_r;
972
	} __stack;
973
	const size_t __bufsz __unused = sizeof(__stack.__buf);
974
	const size_t __len = sizeof(struct sockaddr) - 1;
975
	const size_t __idx __unused = __len - 1;
976
	int sock[2] = { -1, -1 };
977
	struct msghdr msg;
978

979
	memset(&msg, 0, sizeof(msg));
980
	msg.msg_name = BUF;
981
	msg.msg_namelen = __len;
982

983
	recvmsg(sock[0], &msg, 0);
984
#undef BUF
985

986
}
987

988
ATF_TC(recvmsg_msg_name_end);
989
ATF_TC_HEAD(recvmsg_msg_name_end, tc)
990
{
991
}
992
ATF_TC_BODY(recvmsg_msg_name_end, tc)
993
{
994
#define BUF &__stack.__buf
995
	struct {
996
		uint8_t padding_l;
997
		struct sockaddr __buf;
998
		uint8_t padding_r;
999
	} __stack;
1000
	const size_t __bufsz __unused = sizeof(__stack.__buf);
1001
	const size_t __len = sizeof(struct sockaddr);
1002
	const size_t __idx __unused = __len - 1;
1003
	int sock[2] = { -1, -1 };
1004
	struct msghdr msg;
1005

1006
	memset(&msg, 0, sizeof(msg));
1007
	msg.msg_name = BUF;
1008
	msg.msg_namelen = __len;
1009

1010
	recvmsg(sock[0], &msg, 0);
1011
#undef BUF
1012

1013
}
1014

1015
ATF_TC(recvmsg_msg_name_heap_before_end);
1016
ATF_TC_HEAD(recvmsg_msg_name_heap_before_end, tc)
1017
{
1018
}
1019
ATF_TC_BODY(recvmsg_msg_name_heap_before_end, tc)
1020
{
1021
#define BUF __stack.__buf
1022
	struct {
1023
		uint8_t padding_l;
1024
		struct sockaddr * __buf;
1025
		uint8_t padding_r;
1026
	} __stack;
1027
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
1028
	const size_t __len = sizeof(struct sockaddr) - 1;
1029
	const size_t __idx __unused = __len - 1;
1030
	int sock[2] = { -1, -1 };
1031
	struct msghdr msg;
1032

1033
	__stack.__buf = malloc(__bufsz);
1034
	memset(&msg, 0, sizeof(msg));
1035
	msg.msg_name = BUF;
1036
	msg.msg_namelen = __len;
1037

1038
	recvmsg(sock[0], &msg, 0);
1039
#undef BUF
1040

1041
}
1042

1043
ATF_TC(recvmsg_msg_name_heap_end);
1044
ATF_TC_HEAD(recvmsg_msg_name_heap_end, tc)
1045
{
1046
}
1047
ATF_TC_BODY(recvmsg_msg_name_heap_end, tc)
1048
{
1049
#define BUF __stack.__buf
1050
	struct {
1051
		uint8_t padding_l;
1052
		struct sockaddr * __buf;
1053
		uint8_t padding_r;
1054
	} __stack;
1055
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
1056
	const size_t __len = sizeof(struct sockaddr);
1057
	const size_t __idx __unused = __len - 1;
1058
	int sock[2] = { -1, -1 };
1059
	struct msghdr msg;
1060

1061
	__stack.__buf = malloc(__bufsz);
1062
	memset(&msg, 0, sizeof(msg));
1063
	msg.msg_name = BUF;
1064
	msg.msg_namelen = __len;
1065

1066
	recvmsg(sock[0], &msg, 0);
1067
#undef BUF
1068

1069
}
1070

1071
ATF_TC(recvmsg_msg_name_heap_after_end);
1072
ATF_TC_HEAD(recvmsg_msg_name_heap_after_end, tc)
1073
{
1074
}
1075
ATF_TC_BODY(recvmsg_msg_name_heap_after_end, tc)
1076
{
1077
#define BUF __stack.__buf
1078
	struct {
1079
		uint8_t padding_l;
1080
		struct sockaddr * __buf;
1081
		uint8_t padding_r;
1082
	} __stack;
1083
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1);
1084
	const size_t __len = sizeof(struct sockaddr) + 1;
1085
	const size_t __idx __unused = __len - 1;
1086
	pid_t __child;
1087
	int __status;
1088
	int sock[2] = { -1, -1 };
1089
	struct msghdr msg;
1090

1091
	__child = fork();
1092
	ATF_REQUIRE(__child >= 0);
1093
	if (__child > 0)
1094
		goto monitor;
1095

1096
	/* Child */
1097
	disable_coredumps();
1098
	__stack.__buf = malloc(__bufsz);
1099
	memset(&msg, 0, sizeof(msg));
1100
	msg.msg_name = BUF;
1101
	msg.msg_namelen = __len;
1102

1103
	recvmsg(sock[0], &msg, 0);
1104
	_exit(EX_SOFTWARE);	/* Should have aborted. */
1105

1106
monitor:
1107
	while (waitpid(__child, &__status, 0) != __child) {
1108
		ATF_REQUIRE_EQ(EINTR, errno);
1109
	}
1110

1111
	if (!WIFSIGNALED(__status)) {
1112
		switch (WEXITSTATUS(__status)) {
1113
		case EX_SOFTWARE:
1114
			atf_tc_fail("FORTIFY_SOURCE failed to abort");
1115
			break;
1116
		case EX_OSERR:
1117
			atf_tc_fail("setrlimit(2) failed");
1118
			break;
1119
		default:
1120
			atf_tc_fail("child exited with status %d",
1121
			    WEXITSTATUS(__status));
1122
		}
1123
	} else {
1124
		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1125
	}
1126
#undef BUF
1127

1128
}
1129

1130
ATF_TC(recvmsg_msg_iov_before_end);
1131
ATF_TC_HEAD(recvmsg_msg_iov_before_end, tc)
1132
{
1133
}
1134
ATF_TC_BODY(recvmsg_msg_iov_before_end, tc)
1135
{
1136
#define BUF &__stack.__buf
1137
	struct {
1138
		uint8_t padding_l;
1139
		unsigned char __buf[42];
1140
		uint8_t padding_r;
1141
	} __stack;
1142
	const size_t __bufsz __unused = sizeof(__stack.__buf);
1143
	const size_t __len = 42 - 1;
1144
	const size_t __idx __unused = __len - 1;
1145
	int sock[2] = { -1, -1 };
1146
	struct msghdr msg;
1147
	struct iovec iov[2];
1148

1149
	memset(&msg, 0, sizeof(msg));
1150
	memset(&iov[0], 0, sizeof(iov));
1151

1152
	/*
1153
	 * We position the buffer second just so that we can confirm that the
1154
	 * fortification bits are traversing the iovec correctly.
1155
	 */
1156
	iov[1].iov_base = BUF;
1157
	iov[1].iov_len = __len;
1158

1159
	msg.msg_iov = &iov[0];
1160
	msg.msg_iovlen = nitems(iov);
1161

1162
	recvmsg(sock[0], &msg, 0);
1163
#undef BUF
1164

1165
}
1166

1167
ATF_TC(recvmsg_msg_iov_end);
1168
ATF_TC_HEAD(recvmsg_msg_iov_end, tc)
1169
{
1170
}
1171
ATF_TC_BODY(recvmsg_msg_iov_end, tc)
1172
{
1173
#define BUF &__stack.__buf
1174
	struct {
1175
		uint8_t padding_l;
1176
		unsigned char __buf[42];
1177
		uint8_t padding_r;
1178
	} __stack;
1179
	const size_t __bufsz __unused = sizeof(__stack.__buf);
1180
	const size_t __len = 42;
1181
	const size_t __idx __unused = __len - 1;
1182
	int sock[2] = { -1, -1 };
1183
	struct msghdr msg;
1184
	struct iovec iov[2];
1185

1186
	memset(&msg, 0, sizeof(msg));
1187
	memset(&iov[0], 0, sizeof(iov));
1188

1189
	/*
1190
	 * We position the buffer second just so that we can confirm that the
1191
	 * fortification bits are traversing the iovec correctly.
1192
	 */
1193
	iov[1].iov_base = BUF;
1194
	iov[1].iov_len = __len;
1195

1196
	msg.msg_iov = &iov[0];
1197
	msg.msg_iovlen = nitems(iov);
1198

1199
	recvmsg(sock[0], &msg, 0);
1200
#undef BUF
1201

1202
}
1203

1204
ATF_TC(recvmsg_msg_iov_heap_before_end);
1205
ATF_TC_HEAD(recvmsg_msg_iov_heap_before_end, tc)
1206
{
1207
}
1208
ATF_TC_BODY(recvmsg_msg_iov_heap_before_end, tc)
1209
{
1210
#define BUF __stack.__buf
1211
	struct {
1212
		uint8_t padding_l;
1213
		unsigned char * __buf;
1214
		uint8_t padding_r;
1215
	} __stack;
1216
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1217
	const size_t __len = 42 - 1;
1218
	const size_t __idx __unused = __len - 1;
1219
	int sock[2] = { -1, -1 };
1220
	struct msghdr msg;
1221
	struct iovec iov[2];
1222

1223
	__stack.__buf = malloc(__bufsz);
1224
	memset(&msg, 0, sizeof(msg));
1225
	memset(&iov[0], 0, sizeof(iov));
1226

1227
	/*
1228
	 * We position the buffer second just so that we can confirm that the
1229
	 * fortification bits are traversing the iovec correctly.
1230
	 */
1231
	iov[1].iov_base = BUF;
1232
	iov[1].iov_len = __len;
1233

1234
	msg.msg_iov = &iov[0];
1235
	msg.msg_iovlen = nitems(iov);
1236

1237
	recvmsg(sock[0], &msg, 0);
1238
#undef BUF
1239

1240
}
1241

1242
ATF_TC(recvmsg_msg_iov_heap_end);
1243
ATF_TC_HEAD(recvmsg_msg_iov_heap_end, tc)
1244
{
1245
}
1246
ATF_TC_BODY(recvmsg_msg_iov_heap_end, tc)
1247
{
1248
#define BUF __stack.__buf
1249
	struct {
1250
		uint8_t padding_l;
1251
		unsigned char * __buf;
1252
		uint8_t padding_r;
1253
	} __stack;
1254
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1255
	const size_t __len = 42;
1256
	const size_t __idx __unused = __len - 1;
1257
	int sock[2] = { -1, -1 };
1258
	struct msghdr msg;
1259
	struct iovec iov[2];
1260

1261
	__stack.__buf = malloc(__bufsz);
1262
	memset(&msg, 0, sizeof(msg));
1263
	memset(&iov[0], 0, sizeof(iov));
1264

1265
	/*
1266
	 * We position the buffer second just so that we can confirm that the
1267
	 * fortification bits are traversing the iovec correctly.
1268
	 */
1269
	iov[1].iov_base = BUF;
1270
	iov[1].iov_len = __len;
1271

1272
	msg.msg_iov = &iov[0];
1273
	msg.msg_iovlen = nitems(iov);
1274

1275
	recvmsg(sock[0], &msg, 0);
1276
#undef BUF
1277

1278
}
1279

1280
ATF_TC(recvmsg_msg_iov_heap_after_end);
1281
ATF_TC_HEAD(recvmsg_msg_iov_heap_after_end, tc)
1282
{
1283
}
1284
ATF_TC_BODY(recvmsg_msg_iov_heap_after_end, tc)
1285
{
1286
#define BUF __stack.__buf
1287
	struct {
1288
		uint8_t padding_l;
1289
		unsigned char * __buf;
1290
		uint8_t padding_r;
1291
	} __stack;
1292
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1293
	const size_t __len = 42 + 1;
1294
	const size_t __idx __unused = __len - 1;
1295
	pid_t __child;
1296
	int __status;
1297
	int sock[2] = { -1, -1 };
1298
	struct msghdr msg;
1299
	struct iovec iov[2];
1300

1301
	__child = fork();
1302
	ATF_REQUIRE(__child >= 0);
1303
	if (__child > 0)
1304
		goto monitor;
1305

1306
	/* Child */
1307
	disable_coredumps();
1308
	__stack.__buf = malloc(__bufsz);
1309
	memset(&msg, 0, sizeof(msg));
1310
	memset(&iov[0], 0, sizeof(iov));
1311

1312
	/*
1313
	 * We position the buffer second just so that we can confirm that the
1314
	 * fortification bits are traversing the iovec correctly.
1315
	 */
1316
	iov[1].iov_base = BUF;
1317
	iov[1].iov_len = __len;
1318

1319
	msg.msg_iov = &iov[0];
1320
	msg.msg_iovlen = nitems(iov);
1321

1322
	recvmsg(sock[0], &msg, 0);
1323
	_exit(EX_SOFTWARE);	/* Should have aborted. */
1324

1325
monitor:
1326
	while (waitpid(__child, &__status, 0) != __child) {
1327
		ATF_REQUIRE_EQ(EINTR, errno);
1328
	}
1329

1330
	if (!WIFSIGNALED(__status)) {
1331
		switch (WEXITSTATUS(__status)) {
1332
		case EX_SOFTWARE:
1333
			atf_tc_fail("FORTIFY_SOURCE failed to abort");
1334
			break;
1335
		case EX_OSERR:
1336
			atf_tc_fail("setrlimit(2) failed");
1337
			break;
1338
		default:
1339
			atf_tc_fail("child exited with status %d",
1340
			    WEXITSTATUS(__status));
1341
		}
1342
	} else {
1343
		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1344
	}
1345
#undef BUF
1346

1347
}
1348

1349
ATF_TC(recvmsg_msg_control_before_end);
1350
ATF_TC_HEAD(recvmsg_msg_control_before_end, tc)
1351
{
1352
}
1353
ATF_TC_BODY(recvmsg_msg_control_before_end, tc)
1354
{
1355
#define BUF &__stack.__buf
1356
	struct {
1357
		uint8_t padding_l;
1358
		unsigned char __buf[CMSG_SPACE(sizeof(int))];
1359
		uint8_t padding_r;
1360
	} __stack;
1361
	const size_t __bufsz __unused = sizeof(__stack.__buf);
1362
	const size_t __len = CMSG_SPACE(sizeof(int)) - 1;
1363
	const size_t __idx __unused = __len - 1;
1364
	int sock[2] = { -1, -1 };
1365
	struct msghdr msg;
1366

1367
	memset(&msg, 0, sizeof(msg));
1368

1369
	msg.msg_control = BUF;
1370
	msg.msg_controllen = __len;
1371

1372
	recvmsg(sock[0], &msg, 0);
1373
#undef BUF
1374

1375
}
1376

1377
ATF_TC(recvmsg_msg_control_end);
1378
ATF_TC_HEAD(recvmsg_msg_control_end, tc)
1379
{
1380
}
1381
ATF_TC_BODY(recvmsg_msg_control_end, tc)
1382
{
1383
#define BUF &__stack.__buf
1384
	struct {
1385
		uint8_t padding_l;
1386
		unsigned char __buf[CMSG_SPACE(sizeof(int))];
1387
		uint8_t padding_r;
1388
	} __stack;
1389
	const size_t __bufsz __unused = sizeof(__stack.__buf);
1390
	const size_t __len = CMSG_SPACE(sizeof(int));
1391
	const size_t __idx __unused = __len - 1;
1392
	int sock[2] = { -1, -1 };
1393
	struct msghdr msg;
1394

1395
	memset(&msg, 0, sizeof(msg));
1396

1397
	msg.msg_control = BUF;
1398
	msg.msg_controllen = __len;
1399

1400
	recvmsg(sock[0], &msg, 0);
1401
#undef BUF
1402

1403
}
1404

1405
ATF_TC(recvmsg_msg_control_heap_before_end);
1406
ATF_TC_HEAD(recvmsg_msg_control_heap_before_end, tc)
1407
{
1408
}
1409
ATF_TC_BODY(recvmsg_msg_control_heap_before_end, tc)
1410
{
1411
#define BUF __stack.__buf
1412
	struct {
1413
		uint8_t padding_l;
1414
		unsigned char * __buf;
1415
		uint8_t padding_r;
1416
	} __stack;
1417
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (CMSG_SPACE(sizeof(int)));
1418
	const size_t __len = CMSG_SPACE(sizeof(int)) - 1;
1419
	const size_t __idx __unused = __len - 1;
1420
	int sock[2] = { -1, -1 };
1421
	struct msghdr msg;
1422

1423
	__stack.__buf = malloc(__bufsz);
1424
	memset(&msg, 0, sizeof(msg));
1425

1426
	msg.msg_control = BUF;
1427
	msg.msg_controllen = __len;
1428

1429
	recvmsg(sock[0], &msg, 0);
1430
#undef BUF
1431

1432
}
1433

1434
ATF_TC(recvmsg_msg_control_heap_end);
1435
ATF_TC_HEAD(recvmsg_msg_control_heap_end, tc)
1436
{
1437
}
1438
ATF_TC_BODY(recvmsg_msg_control_heap_end, tc)
1439
{
1440
#define BUF __stack.__buf
1441
	struct {
1442
		uint8_t padding_l;
1443
		unsigned char * __buf;
1444
		uint8_t padding_r;
1445
	} __stack;
1446
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (CMSG_SPACE(sizeof(int)));
1447
	const size_t __len = CMSG_SPACE(sizeof(int));
1448
	const size_t __idx __unused = __len - 1;
1449
	int sock[2] = { -1, -1 };
1450
	struct msghdr msg;
1451

1452
	__stack.__buf = malloc(__bufsz);
1453
	memset(&msg, 0, sizeof(msg));
1454

1455
	msg.msg_control = BUF;
1456
	msg.msg_controllen = __len;
1457

1458
	recvmsg(sock[0], &msg, 0);
1459
#undef BUF
1460

1461
}
1462

1463
ATF_TC(recvmsg_msg_control_heap_after_end);
1464
ATF_TC_HEAD(recvmsg_msg_control_heap_after_end, tc)
1465
{
1466
}
1467
ATF_TC_BODY(recvmsg_msg_control_heap_after_end, tc)
1468
{
1469
#define BUF __stack.__buf
1470
	struct {
1471
		uint8_t padding_l;
1472
		unsigned char * __buf;
1473
		uint8_t padding_r;
1474
	} __stack;
1475
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (CMSG_SPACE(sizeof(int)));
1476
	const size_t __len = CMSG_SPACE(sizeof(int)) + 1;
1477
	const size_t __idx __unused = __len - 1;
1478
	pid_t __child;
1479
	int __status;
1480
	int sock[2] = { -1, -1 };
1481
	struct msghdr msg;
1482

1483
	__child = fork();
1484
	ATF_REQUIRE(__child >= 0);
1485
	if (__child > 0)
1486
		goto monitor;
1487

1488
	/* Child */
1489
	disable_coredumps();
1490
	__stack.__buf = malloc(__bufsz);
1491
	memset(&msg, 0, sizeof(msg));
1492

1493
	msg.msg_control = BUF;
1494
	msg.msg_controllen = __len;
1495

1496
	recvmsg(sock[0], &msg, 0);
1497
	_exit(EX_SOFTWARE);	/* Should have aborted. */
1498

1499
monitor:
1500
	while (waitpid(__child, &__status, 0) != __child) {
1501
		ATF_REQUIRE_EQ(EINTR, errno);
1502
	}
1503

1504
	if (!WIFSIGNALED(__status)) {
1505
		switch (WEXITSTATUS(__status)) {
1506
		case EX_SOFTWARE:
1507
			atf_tc_fail("FORTIFY_SOURCE failed to abort");
1508
			break;
1509
		case EX_OSERR:
1510
			atf_tc_fail("setrlimit(2) failed");
1511
			break;
1512
		default:
1513
			atf_tc_fail("child exited with status %d",
1514
			    WEXITSTATUS(__status));
1515
		}
1516
	} else {
1517
		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1518
	}
1519
#undef BUF
1520

1521
}
1522

1523
ATF_TC(recvmmsg_msgvec_before_end);
1524
ATF_TC_HEAD(recvmmsg_msgvec_before_end, tc)
1525
{
1526
}
1527
ATF_TC_BODY(recvmmsg_msgvec_before_end, tc)
1528
{
1529
#define BUF &__stack.__buf
1530
	struct {
1531
		uint8_t padding_l;
1532
		struct mmsghdr __buf[2];
1533
		uint8_t padding_r;
1534
	} __stack;
1535
	const size_t __bufsz __unused = sizeof(__stack.__buf);
1536
	const size_t __len = 2 - 1;
1537
	const size_t __idx __unused = __len - 1;
1538
	int sock[2] = { -1, -1 };
1539

1540
	recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1541
#undef BUF
1542

1543
}
1544

1545
ATF_TC(recvmmsg_msgvec_end);
1546
ATF_TC_HEAD(recvmmsg_msgvec_end, tc)
1547
{
1548
}
1549
ATF_TC_BODY(recvmmsg_msgvec_end, tc)
1550
{
1551
#define BUF &__stack.__buf
1552
	struct {
1553
		uint8_t padding_l;
1554
		struct mmsghdr __buf[2];
1555
		uint8_t padding_r;
1556
	} __stack;
1557
	const size_t __bufsz __unused = sizeof(__stack.__buf);
1558
	const size_t __len = 2;
1559
	const size_t __idx __unused = __len - 1;
1560
	int sock[2] = { -1, -1 };
1561

1562
	recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1563
#undef BUF
1564

1565
}
1566

1567
ATF_TC(recvmmsg_msgvec_after_end);
1568
ATF_TC_HEAD(recvmmsg_msgvec_after_end, tc)
1569
{
1570
}
1571
ATF_TC_BODY(recvmmsg_msgvec_after_end, tc)
1572
{
1573
#define BUF &__stack.__buf
1574
	struct {
1575
		uint8_t padding_l;
1576
		struct mmsghdr __buf[2];
1577
		uint8_t padding_r;
1578
	} __stack;
1579
	const size_t __bufsz __unused = sizeof(__stack.__buf);
1580
	const size_t __len = 2 + 1;
1581
	const size_t __idx __unused = __len - 1;
1582
	pid_t __child;
1583
	int __status;
1584
	int sock[2] = { -1, -1 };
1585

1586
	__child = fork();
1587
	ATF_REQUIRE(__child >= 0);
1588
	if (__child > 0)
1589
		goto monitor;
1590

1591
	/* Child */
1592
	disable_coredumps();
1593
	recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1594
	_exit(EX_SOFTWARE);	/* Should have aborted. */
1595

1596
monitor:
1597
	while (waitpid(__child, &__status, 0) != __child) {
1598
		ATF_REQUIRE_EQ(EINTR, errno);
1599
	}
1600

1601
	if (!WIFSIGNALED(__status)) {
1602
		switch (WEXITSTATUS(__status)) {
1603
		case EX_SOFTWARE:
1604
			atf_tc_fail("FORTIFY_SOURCE failed to abort");
1605
			break;
1606
		case EX_OSERR:
1607
			atf_tc_fail("setrlimit(2) failed");
1608
			break;
1609
		default:
1610
			atf_tc_fail("child exited with status %d",
1611
			    WEXITSTATUS(__status));
1612
		}
1613
	} else {
1614
		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1615
	}
1616
#undef BUF
1617

1618
}
1619

1620
ATF_TC(recvmmsg_msgvec_heap_before_end);
1621
ATF_TC_HEAD(recvmmsg_msgvec_heap_before_end, tc)
1622
{
1623
}
1624
ATF_TC_BODY(recvmmsg_msgvec_heap_before_end, tc)
1625
{
1626
#define BUF __stack.__buf
1627
	struct {
1628
		uint8_t padding_l;
1629
		struct mmsghdr * __buf;
1630
		uint8_t padding_r;
1631
	} __stack;
1632
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (2);
1633
	const size_t __len = 2 - 1;
1634
	const size_t __idx __unused = __len - 1;
1635
	int sock[2] = { -1, -1 };
1636

1637
	__stack.__buf = malloc(__bufsz);
1638

1639
	recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1640
#undef BUF
1641

1642
}
1643

1644
ATF_TC(recvmmsg_msgvec_heap_end);
1645
ATF_TC_HEAD(recvmmsg_msgvec_heap_end, tc)
1646
{
1647
}
1648
ATF_TC_BODY(recvmmsg_msgvec_heap_end, tc)
1649
{
1650
#define BUF __stack.__buf
1651
	struct {
1652
		uint8_t padding_l;
1653
		struct mmsghdr * __buf;
1654
		uint8_t padding_r;
1655
	} __stack;
1656
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (2);
1657
	const size_t __len = 2;
1658
	const size_t __idx __unused = __len - 1;
1659
	int sock[2] = { -1, -1 };
1660

1661
	__stack.__buf = malloc(__bufsz);
1662

1663
	recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1664
#undef BUF
1665

1666
}
1667

1668
ATF_TC(recvmmsg_msgvec_heap_after_end);
1669
ATF_TC_HEAD(recvmmsg_msgvec_heap_after_end, tc)
1670
{
1671
}
1672
ATF_TC_BODY(recvmmsg_msgvec_heap_after_end, tc)
1673
{
1674
#define BUF __stack.__buf
1675
	struct {
1676
		uint8_t padding_l;
1677
		struct mmsghdr * __buf;
1678
		uint8_t padding_r;
1679
	} __stack;
1680
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (2);
1681
	const size_t __len = 2 + 1;
1682
	const size_t __idx __unused = __len - 1;
1683
	pid_t __child;
1684
	int __status;
1685
	int sock[2] = { -1, -1 };
1686

1687
	__child = fork();
1688
	ATF_REQUIRE(__child >= 0);
1689
	if (__child > 0)
1690
		goto monitor;
1691

1692
	/* Child */
1693
	disable_coredumps();
1694
	__stack.__buf = malloc(__bufsz);
1695

1696
	recvmmsg(sock[0], __stack.__buf, __len, 0, NULL);
1697
	_exit(EX_SOFTWARE);	/* Should have aborted. */
1698

1699
monitor:
1700
	while (waitpid(__child, &__status, 0) != __child) {
1701
		ATF_REQUIRE_EQ(EINTR, errno);
1702
	}
1703

1704
	if (!WIFSIGNALED(__status)) {
1705
		switch (WEXITSTATUS(__status)) {
1706
		case EX_SOFTWARE:
1707
			atf_tc_fail("FORTIFY_SOURCE failed to abort");
1708
			break;
1709
		case EX_OSERR:
1710
			atf_tc_fail("setrlimit(2) failed");
1711
			break;
1712
		default:
1713
			atf_tc_fail("child exited with status %d",
1714
			    WEXITSTATUS(__status));
1715
		}
1716
	} else {
1717
		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1718
	}
1719
#undef BUF
1720

1721
}
1722

1723
ATF_TC(recvmmsg_msghdr_before_end);
1724
ATF_TC_HEAD(recvmmsg_msghdr_before_end, tc)
1725
{
1726
}
1727
ATF_TC_BODY(recvmmsg_msghdr_before_end, tc)
1728
{
1729
#define BUF &__stack.__buf
1730
	struct {
1731
		uint8_t padding_l;
1732
		unsigned char __buf[42];
1733
		uint8_t padding_r;
1734
	} __stack;
1735
	const size_t __bufsz __unused = sizeof(__stack.__buf);
1736
	const size_t __len = 42 - 1;
1737
	const size_t __idx __unused = __len - 1;
1738
	int sock[2] = { -1, -1 };
1739
	struct mmsghdr msgvec[2];
1740

1741
	memset(&msgvec[0], 0, sizeof(msgvec));
1742

1743
	/*
1744
	 * Same as above, make sure fortification isn't ignoring n > 1 elements
1745
	 * of the msgvec.
1746
	 */
1747
	msgvec[1].msg_hdr.msg_control = BUF;
1748
	msgvec[1].msg_hdr.msg_controllen = __len;
1749

1750
	recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL);
1751
#undef BUF
1752

1753
}
1754

1755
ATF_TC(recvmmsg_msghdr_end);
1756
ATF_TC_HEAD(recvmmsg_msghdr_end, tc)
1757
{
1758
}
1759
ATF_TC_BODY(recvmmsg_msghdr_end, tc)
1760
{
1761
#define BUF &__stack.__buf
1762
	struct {
1763
		uint8_t padding_l;
1764
		unsigned char __buf[42];
1765
		uint8_t padding_r;
1766
	} __stack;
1767
	const size_t __bufsz __unused = sizeof(__stack.__buf);
1768
	const size_t __len = 42;
1769
	const size_t __idx __unused = __len - 1;
1770
	int sock[2] = { -1, -1 };
1771
	struct mmsghdr msgvec[2];
1772

1773
	memset(&msgvec[0], 0, sizeof(msgvec));
1774

1775
	/*
1776
	 * Same as above, make sure fortification isn't ignoring n > 1 elements
1777
	 * of the msgvec.
1778
	 */
1779
	msgvec[1].msg_hdr.msg_control = BUF;
1780
	msgvec[1].msg_hdr.msg_controllen = __len;
1781

1782
	recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL);
1783
#undef BUF
1784

1785
}
1786

1787
ATF_TC(recvmmsg_msghdr_heap_before_end);
1788
ATF_TC_HEAD(recvmmsg_msghdr_heap_before_end, tc)
1789
{
1790
}
1791
ATF_TC_BODY(recvmmsg_msghdr_heap_before_end, tc)
1792
{
1793
#define BUF __stack.__buf
1794
	struct {
1795
		uint8_t padding_l;
1796
		unsigned char * __buf;
1797
		uint8_t padding_r;
1798
	} __stack;
1799
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1800
	const size_t __len = 42 - 1;
1801
	const size_t __idx __unused = __len - 1;
1802
	int sock[2] = { -1, -1 };
1803
	struct mmsghdr msgvec[2];
1804

1805
	__stack.__buf = malloc(__bufsz);
1806
	memset(&msgvec[0], 0, sizeof(msgvec));
1807

1808
	/*
1809
	 * Same as above, make sure fortification isn't ignoring n > 1 elements
1810
	 * of the msgvec.
1811
	 */
1812
	msgvec[1].msg_hdr.msg_control = BUF;
1813
	msgvec[1].msg_hdr.msg_controllen = __len;
1814

1815
	recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL);
1816
#undef BUF
1817

1818
}
1819

1820
ATF_TC(recvmmsg_msghdr_heap_end);
1821
ATF_TC_HEAD(recvmmsg_msghdr_heap_end, tc)
1822
{
1823
}
1824
ATF_TC_BODY(recvmmsg_msghdr_heap_end, tc)
1825
{
1826
#define BUF __stack.__buf
1827
	struct {
1828
		uint8_t padding_l;
1829
		unsigned char * __buf;
1830
		uint8_t padding_r;
1831
	} __stack;
1832
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1833
	const size_t __len = 42;
1834
	const size_t __idx __unused = __len - 1;
1835
	int sock[2] = { -1, -1 };
1836
	struct mmsghdr msgvec[2];
1837

1838
	__stack.__buf = malloc(__bufsz);
1839
	memset(&msgvec[0], 0, sizeof(msgvec));
1840

1841
	/*
1842
	 * Same as above, make sure fortification isn't ignoring n > 1 elements
1843
	 * of the msgvec.
1844
	 */
1845
	msgvec[1].msg_hdr.msg_control = BUF;
1846
	msgvec[1].msg_hdr.msg_controllen = __len;
1847

1848
	recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL);
1849
#undef BUF
1850

1851
}
1852

1853
ATF_TC(recvmmsg_msghdr_heap_after_end);
1854
ATF_TC_HEAD(recvmmsg_msghdr_heap_after_end, tc)
1855
{
1856
}
1857
ATF_TC_BODY(recvmmsg_msghdr_heap_after_end, tc)
1858
{
1859
#define BUF __stack.__buf
1860
	struct {
1861
		uint8_t padding_l;
1862
		unsigned char * __buf;
1863
		uint8_t padding_r;
1864
	} __stack;
1865
	const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42);
1866
	const size_t __len = 42 + 1;
1867
	const size_t __idx __unused = __len - 1;
1868
	pid_t __child;
1869
	int __status;
1870
	int sock[2] = { -1, -1 };
1871
	struct mmsghdr msgvec[2];
1872

1873
	__child = fork();
1874
	ATF_REQUIRE(__child >= 0);
1875
	if (__child > 0)
1876
		goto monitor;
1877

1878
	/* Child */
1879
	disable_coredumps();
1880
	__stack.__buf = malloc(__bufsz);
1881
	memset(&msgvec[0], 0, sizeof(msgvec));
1882

1883
	/*
1884
	 * Same as above, make sure fortification isn't ignoring n > 1 elements
1885
	 * of the msgvec.
1886
	 */
1887
	msgvec[1].msg_hdr.msg_control = BUF;
1888
	msgvec[1].msg_hdr.msg_controllen = __len;
1889

1890
	recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL);
1891
	_exit(EX_SOFTWARE);	/* Should have aborted. */
1892

1893
monitor:
1894
	while (waitpid(__child, &__status, 0) != __child) {
1895
		ATF_REQUIRE_EQ(EINTR, errno);
1896
	}
1897

1898
	if (!WIFSIGNALED(__status)) {
1899
		switch (WEXITSTATUS(__status)) {
1900
		case EX_SOFTWARE:
1901
			atf_tc_fail("FORTIFY_SOURCE failed to abort");
1902
			break;
1903
		case EX_OSERR:
1904
			atf_tc_fail("setrlimit(2) failed");
1905
			break;
1906
		default:
1907
			atf_tc_fail("child exited with status %d",
1908
			    WEXITSTATUS(__status));
1909
		}
1910
	} else {
1911
		ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status));
1912
	}
1913
#undef BUF
1914

1915
}
1916

1917
ATF_TP_ADD_TCS(tp)
1918
{
1919
	ATF_TP_ADD_TC(tp, getpeername_before_end);
1920
	ATF_TP_ADD_TC(tp, getpeername_end);
1921
	ATF_TP_ADD_TC(tp, getpeername_heap_before_end);
1922
	ATF_TP_ADD_TC(tp, getpeername_heap_end);
1923
	ATF_TP_ADD_TC(tp, getpeername_heap_after_end);
1924
	ATF_TP_ADD_TC(tp, getsockname_before_end);
1925
	ATF_TP_ADD_TC(tp, getsockname_end);
1926
	ATF_TP_ADD_TC(tp, getsockname_heap_before_end);
1927
	ATF_TP_ADD_TC(tp, getsockname_heap_end);
1928
	ATF_TP_ADD_TC(tp, getsockname_heap_after_end);
1929
	ATF_TP_ADD_TC(tp, recv_before_end);
1930
	ATF_TP_ADD_TC(tp, recv_end);
1931
	ATF_TP_ADD_TC(tp, recv_heap_before_end);
1932
	ATF_TP_ADD_TC(tp, recv_heap_end);
1933
	ATF_TP_ADD_TC(tp, recv_heap_after_end);
1934
	ATF_TP_ADD_TC(tp, recvfrom_before_end);
1935
	ATF_TP_ADD_TC(tp, recvfrom_end);
1936
	ATF_TP_ADD_TC(tp, recvfrom_heap_before_end);
1937
	ATF_TP_ADD_TC(tp, recvfrom_heap_end);
1938
	ATF_TP_ADD_TC(tp, recvfrom_heap_after_end);
1939
	ATF_TP_ADD_TC(tp, recvfrom_sockaddr_before_end);
1940
	ATF_TP_ADD_TC(tp, recvfrom_sockaddr_end);
1941
	ATF_TP_ADD_TC(tp, recvfrom_sockaddr_heap_before_end);
1942
	ATF_TP_ADD_TC(tp, recvfrom_sockaddr_heap_end);
1943
	ATF_TP_ADD_TC(tp, recvfrom_sockaddr_heap_after_end);
1944
	ATF_TP_ADD_TC(tp, recvmsg_msg_name_before_end);
1945
	ATF_TP_ADD_TC(tp, recvmsg_msg_name_end);
1946
	ATF_TP_ADD_TC(tp, recvmsg_msg_name_heap_before_end);
1947
	ATF_TP_ADD_TC(tp, recvmsg_msg_name_heap_end);
1948
	ATF_TP_ADD_TC(tp, recvmsg_msg_name_heap_after_end);
1949
	ATF_TP_ADD_TC(tp, recvmsg_msg_iov_before_end);
1950
	ATF_TP_ADD_TC(tp, recvmsg_msg_iov_end);
1951
	ATF_TP_ADD_TC(tp, recvmsg_msg_iov_heap_before_end);
1952
	ATF_TP_ADD_TC(tp, recvmsg_msg_iov_heap_end);
1953
	ATF_TP_ADD_TC(tp, recvmsg_msg_iov_heap_after_end);
1954
	ATF_TP_ADD_TC(tp, recvmsg_msg_control_before_end);
1955
	ATF_TP_ADD_TC(tp, recvmsg_msg_control_end);
1956
	ATF_TP_ADD_TC(tp, recvmsg_msg_control_heap_before_end);
1957
	ATF_TP_ADD_TC(tp, recvmsg_msg_control_heap_end);
1958
	ATF_TP_ADD_TC(tp, recvmsg_msg_control_heap_after_end);
1959
	ATF_TP_ADD_TC(tp, recvmmsg_msgvec_before_end);
1960
	ATF_TP_ADD_TC(tp, recvmmsg_msgvec_end);
1961
	ATF_TP_ADD_TC(tp, recvmmsg_msgvec_after_end);
1962
	ATF_TP_ADD_TC(tp, recvmmsg_msgvec_heap_before_end);
1963
	ATF_TP_ADD_TC(tp, recvmmsg_msgvec_heap_end);
1964
	ATF_TP_ADD_TC(tp, recvmmsg_msgvec_heap_after_end);
1965
	ATF_TP_ADD_TC(tp, recvmmsg_msghdr_before_end);
1966
	ATF_TP_ADD_TC(tp, recvmmsg_msghdr_end);
1967
	ATF_TP_ADD_TC(tp, recvmmsg_msghdr_heap_before_end);
1968
	ATF_TP_ADD_TC(tp, recvmmsg_msghdr_heap_end);
1969
	ATF_TP_ADD_TC(tp, recvmmsg_msghdr_heap_after_end);
1970
	return (atf_no_error());
1971
}
1972

1973
Product

Resources

Company
