frr-cli-fuzzer 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 378f404d19c9beb961473414202aa8f24e5faad8
+  data.tar.gz: 5a5aff0028114fc40add71aba2a389e555c3c0e1
+SHA512:
+  metadata.gz: 55459c77035f9d77cbe35218e20c9594bb53bb8424885329e2c89f394ca72dc105f5085c26b136255a4926120a847764dabc94e044848b30d689f75788db9c14
+  data.tar.gz: 513b03ec3aa21574310abd7663d5c2d9536d6254df5ef3c616febdb1b86b624a28664634ccfae9a7a45f474c3e80a02e7812ee07168d22cabfbd0a4d5a786f21

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in frr-cli-fuzzer.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Renato Westphal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,28 @@
+# FrrCliFuzzer
+
+## Installation
+
+After checking out the repo, run `bin/setup` to install the dependencies (currently, only the _ffi_ gem).
+
+## Usage
+
+Edit _config.yml_ as desired. Run the CLI fuzzer using the following command:
+```sh
+./bin/frr-cli-fuzzer config.yml
+```
+
+Once the tests complete, the results are displayed in the standard output like this:
+```
+Results:
+- Non-filtered commands: 465
+- Whitelist filtered commands: 0
+- Blacklist filtered commands: 20
+- Tested commands: 465
+- Segfaults detected: 6
+```
+
+More details about which commands caused which segmentation faults are available in the _output.txt_ file.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/rwestphal/frr-cli-fuzzer.

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+task :default => :spec

data/bin/frr-cli-fuzzer

@@ -0,0 +1,45 @@
+#!/usr/bin/env ruby
+$VERBOSE = true
+
+require 'yaml'
+require_relative '../lib/frr-cli-fuzzer.rb'
+
+# Signal handler.
+trap('INT') do
+  FrrCliFuzzer.print_results
+  exit(0)
+end
+
+# Parse command-line options.
+if ARGV.size != 1
+  puts "Usage: #{File.basename(__FILE__)} config.yml"
+  exit(1)
+end
+config_file = ARGV[0]
+
+# Read configuration file.
+begin
+  config = YAML.load_file(config_file)
+rescue SystemCallError, Psych::SyntaxError, ArgumentError => e
+  warn e.message
+  warn e.backtrace
+  exit(1)
+end
+
+FrrCliFuzzer::LibC.prctl(FrrCliFuzzer::LibC::PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0)
+
+# Start fuzzer and print the results when we're done.
+FrrCliFuzzer.init(iterations: config.dig('fuzzer', 'iterations'),
+                  random_order: config.dig('fuzzer', 'random-order'),
+                  runstatedir: config.dig('fuzzer', 'runstatedir'),
+                  frr_build_parameters: config['frr-build-parameters'],
+                  daemons: config['daemons'],
+                  configs: config['configs'],
+                  nodes: config['nodes'],
+                  regexps: config['regexps'],
+                  whitelist: config['whitelist'],
+                  blacklist: config['blacklist'])
+FrrCliFuzzer.gen_configs
+FrrCliFuzzer.start_daemons
+FrrCliFuzzer.test_fuzzing
+FrrCliFuzzer.print_results

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/config.yml

@@ -0,0 +1,215 @@
+---
+
+fuzzer:
+  iterations: 0
+  random-order: true
+  runstatedir: "/tmp/frr-cli-fuzzer"
+
+frr-build-parameters:
+  # FRR's sysconfdir (--sysconfdir).
+  sysconfdir: "/etc/frr"
+
+  # FRR's localstatedir (--localstatedir).
+  localstatedir: "/var/run/frr"
+
+  # FRR's user (--enable-user).
+  user: "frr"
+
+  # FRR's group (--enable-group).
+  group: "frr"
+
+daemons:
+  - zebra
+  #- bgpd
+  - ospfd
+  - ospf6d
+  - isisd
+  - fabricd
+  - ripd
+  - ripngd
+  - eigrpd
+  - pimd
+  - ldpd
+  - nhrpd
+  - babeld
+  #- bfdd
+  - pbrd
+  - staticd
+  - sharpd
+
+regexps:
+  A.B.C.D/M: "1.1.1.1/32"
+  A.B.C.D: "1.1.1.1"
+  X:X::X:X/M: "2001:db8::1/128"
+  X:X::X:X: "2001:db8::1"
+  INTERFACE: "eth99"
+  IFNAME: "eth99"
+  AA:BB:CC...: "1:1:1 2:2:2"
+  AA:BB:CC: "1:1:1"
+  AA:NN...: "1:1 2:2"
+  AA:NN: "1:1"
+  ASN:nn_or_IP-address:nn: "1:1"
+  ASN:NN_OR_IP-ADDRESS:NN: "1:1"
+  RTLIST...: "1:1 2:2"
+  YY:YY:YY:YY:YY:YY: "11:11:11:11:11:11"
+  MAC: "11:11:11:11:11:11"
+  M:A:C: "11:11:11:11:11:11"
+  M:A:C/M: "11:11:11:11:11:11/48"
+  HH:MM:SS: "10:10:10"
+  MONTH: "January"
+  BANDWIDTH: "1000"
+  PERCENTAGE: "50"
+
+whitelist:
+  #- ^show (ip|ipv6)
+  #- redistribute
+
+blacklist:
+  - output file
+  - ^write
+  - ^copy
+  - ^list
+  - ^find
+  - ^exit
+  - ^quit
+  - ^end
+  - ^(no )?(ip|ipv6) route
+  - ^show (ip|ipv6) (route|fib)
+  - ^no router bgp
+  - ^no neighbor (A.B.C.D|X:X::X:X|WORD)$
+  - ^no neighbor (A.B.C.D|X:X::X:X|WORD) remote-as
+  #- ospf
+  #- ^(no )?debug
+
+nodes:
+  #- ""
+  - -c "configure terminal"
+  - -c "configure terminal" -c "interface eth99"
+  - -c "configure terminal" -c "interface eth99" -c "link-params"
+  - -c "configure terminal" -c "route-map RMAP permit 1"
+  #- -c "configure terminal" -c "router bgp 1"
+  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv4 unicast"
+  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv4 multicast"
+  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv4 vpn"
+  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv4 labeled-unicast"
+  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv4 flowspec"
+  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv6 unicast"
+  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv6 multicast"
+  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv6 vpn"
+  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv6 labeled-unicast"
+  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv6 flowspec"
+  #- -c "configure terminal" -c "router bgp 1" -c "address-family l2vpn evpn"
+  #- -c "configure terminal" -c "router bgp 1" -c "vnc defaults"
+  #- -c "configure terminal" -c "router bgp 1" -c "vnc nve-group NAME"
+  #- -c "configure terminal" -c "router bgp 1" -c "vnc l2-group NAME"
+  #- -c "configure terminal" -c "router bgp 1" -c "vrf-policy NAME"
+  - -c "configure terminal" -c "key chain WORD"
+  - -c "configure terminal" -c "key chain WORD" -c "key 255"
+  - -c "configure terminal" -c "router babel"
+  - -c "configure terminal" -c "router ospf"
+  - -c "configure terminal" -c "router ospf6"
+  - -c "configure terminal" -c "router isis 1"
+  - -c "configure terminal" -c "router openfabric 1"
+  - -c "configure terminal" -c "router rip"
+  - -c "configure terminal" -c "router ripng"
+  - -c "configure terminal" -c "router eigrp 1"
+  - -c "configure terminal" -c "mpls ldp"
+  - -c "configure terminal" -c "mpls ldp" -c "address-family ipv4"
+  - -c "configure terminal" -c "mpls ldp" -c "address-family ipv4" -c "interface eth99"
+  - -c "configure terminal" -c "mpls ldp" -c "address-family ipv6"
+  - -c "configure terminal" -c "mpls ldp" -c "address-family ipv6" -c "interface eth99"
+  - -c "configure terminal" -c "l2vpn WORD type vpls"
+  - -c "configure terminal" -c "l2vpn WORD type vpls" -c "member pseudowire mpw0"
+  - -c "configure terminal" -c "line vty"
+  - -c "configure terminal" -c "logical-router 1 ns /var/run/netns/ns1"
+  - -c "configure terminal" -c "vrf RED"
+  - -c "configure terminal" -c "nexthop-group NHGROUP"
+  - -c "configure terminal" -c "pbr-map WORD seq 100"
+  #- -c "configure terminal" -c "bfd"
+  #- -c "configure terminal" -c "bfd" -c "peer 1.1.1.1"
+
+configs:
+  all: |
+    hostname %(daemon)
+    log file %(runstatedir)/%(daemon).log
+    log commands
+    !
+    debug northbound
+    !
+  zebra: |
+    route-map WORD permit 10
+    vrf WORD
+    !
+  bgpd: |
+    route-map WORD permit 10
+    ip prefix-list WORD permit any
+    access-list WORD permit any
+    !
+    router bgp 1
+     neighbor 1.1.1.1 remote-as 1
+     neighbor 2001:db8::1 remote-as 1
+     neighbor WORD peer-group
+     neighbor WORD remote-as 1
+     !
+     address-family ipv6 unicast
+      neighbor 1.1.1.1 activate
+      neighbor 2001:db8::1 activate
+      neighbor WORD activate
+     exit-address-family
+     !
+    !
+    router bgp 2 view VIEWVRFNAME
+    !
+  ospfd: |
+    route-map WORD permit 10
+    !
+    router ospf
+    !
+  ospf6d: |
+    route-map WORD permit 10
+    !
+    router ospf6
+    !
+  isisd: |
+    route-map WORD permit 10
+    !
+  fabricd: |
+    route-map WORD permit 10
+    !
+  ripd: |
+    route-map WORD permit 10
+    ip prefix-list WORD permit any
+    access-list WORD permit any
+    !
+    !key chain WORD
+    ! key 2147483647
+    !
+    router rip
+     distribute-list WORD in eth99
+    !
+  ripngd: |
+    route-map WORD permit 10
+    ipv6 prefix-list WORD permit any
+    ipv6 access-list WORD permit any
+    !
+    router ripng
+     distribute-list WORD in eth99
+    !
+  eigrpd: |
+    route-map WORD permit 10
+    !
+  pimd: |
+    route-map WORD permit 10
+    vrf WORD
+    !
+  ldpd: |
+  nhrpd: |
+  babeld: |
+  bfdd: |
+  pbrd: |
+  staticd: |
+    vrf WORD
+    !
+  sharpd: |
+    route-map WORD permit 10
+    !

data/frr-cli-fuzzer.gemspec

@@ -0,0 +1,23 @@
+# coding: utf-8
+$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+require 'frr-cli-fuzzer/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "frr-cli-fuzzer"
+  spec.version       = FrrCliFuzzer::VERSION
+  spec.authors       = ["Renato Westphal"]
+  spec.email         = ["renato@opensourcerouting.org"]
+
+  spec.summary       = %q{FRR CLI fuzzer.}
+  spec.homepage      = "https://github.com/rwestphal/frr-cli-fuzzer"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "bin"
+  spec.executables   = "frr-cli-fuzzer"
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.11"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_dependency "ffi"
+end

data/lib/frr-cli-fuzzer/libc.rb

@@ -0,0 +1,29 @@
+require 'ffi'
+
+module FrrCliFuzzer
+  # Bindings for a few libc's functions.
+  class LibC
+    extend FFI::Library
+    ffi_lib 'c'
+
+    attach_function :unshare, [:int], :int
+    attach_function :mount, [:string, :string, :string, :ulong, :pointer], :int
+    attach_function :prctl, [:int, :long, :long, :long, :long], :int
+
+    # include/uapi/linux/sched.h
+    CLONE_NEWNS  = 0x00020000
+    CLONE_NEWPID = 0x20000000
+    CLONE_NEWNET = 0x40000000
+
+    # include/uapi/linux/fs.h
+    MS_NOSUID    = (1 << 1)
+    MS_NODEV     = (1 << 2)
+    MS_NOEXEC    = (1 << 3)
+    MS_REC       = (1 << 14)
+    MS_PRIVATE   = (1 << 18)
+
+    # include/uapi/linux/prctl.h
+    PR_SET_PDEATHSIG       = 1
+    PR_SET_CHILD_SUBREAPER = 36
+  end
+end

data/lib/frr-cli-fuzzer/linux_namespace.rb

@@ -0,0 +1,69 @@
+module FrrCliFuzzer
+  class LinuxNamespace
+    attr_accessor :pid
+
+    # Create a child process running on a separate network and mount namespace.
+    def fork_and_unshare
+      begin
+        io_in, io_out = IO.pipe
+
+        pid = Kernel.fork do
+          unshare(LibC::CLONE_NEWNS | LibC::CLONE_NEWPID | LibC::CLONE_NEWNET)
+
+          # Fork again to use the new PID namespace.
+          # Need to supress a warning that is irrelevant for us.
+          warn_level = $VERBOSE
+          $VERBOSE = nil
+          pid = Kernel.fork do
+            # HACK: kill when parent dies.
+            trap(:SIGUSR1) do
+              LibC.prctl(LibC::PR_SET_PDEATHSIG, 15, 0, 0, 0)
+              trap(:SIGUSR1, :IGNORE)
+            end
+            LibC.prctl(LibC::PR_SET_PDEATHSIG, 10, 0, 0, 0)
+
+            mount_propagation(LibC::MS_REC | LibC::MS_PRIVATE)
+            mount_proc
+            yield
+          end
+          $VERBOSE = warn_level
+          io_out.puts "#{pid}"
+          exit(0)
+        end
+
+        @pid = io_in.gets.to_i
+        Process.waitpid(pid)
+      rescue SystemCallError => e
+        $stderr.puts "System call error:: #{e.message}"
+        $stderr.puts e.backtrace
+        exit(1)
+      end
+    end
+
+    # Set the mount propagation of the process.
+    def mount_propagation(flags)
+      mount('none', '/', nil, flags, nil)
+    end
+
+    # Mount the proc filesystem (useful after creating a new PID namespace).
+    def mount_proc
+      mount('none', '/proc', nil, LibC::MS_REC | LibC::MS_PRIVATE, nil)
+      mount('proc', '/proc', 'proc',
+            LibC::MS_NOSUID | LibC::MS_NOEXEC | LibC::MS_NODEV, nil)
+    end
+
+    # Wrapper for mount(2).
+    def mount(source, target, fs_type, flags, data)
+      if LibC.mount(source, target, fs_type, flags, data) < 0
+        raise SystemCallError.new('mount failed', FFI::LastError.error)
+      end
+    end
+
+    # Wrapper for unshare(2).
+    def unshare(flags)
+      if LibC.unshare(flags) < 0
+        raise SystemCallError.new('unshare failed', FFI::LastError.error)
+      end
+    end
+  end
+end

data/lib/frr-cli-fuzzer/version.rb

@@ -0,0 +1,3 @@
+module FrrCliFuzzer
+  VERSION = "0.1.0"
+end

data/lib/frr-cli-fuzzer.rb

@@ -0,0 +1,275 @@
+require 'fileutils'
+require 'scanf'
+require_relative 'frr-cli-fuzzer/libc'
+require_relative 'frr-cli-fuzzer/linux_namespace'
+require_relative 'frr-cli-fuzzer/version'
+
+module FrrCliFuzzer
+  DFLT_ITERATIONS = 1
+  DFLT_RUNSTATEDIR = '/tmp/frr-cli-fuzzer'
+  DFLT_FRR_SYSCONFDIR = '/etc/frr'
+  DFLT_FRR_LOCALSTATE_DIR = '/var/run/frr'
+  DFLT_FRR_USER = 'frr'
+  DFLT_FRR_GROUP = 'frr'
+
+  class << self
+    def init(iterations: nil,
+             random_order: nil,
+             runstatedir: nil,
+             frr_build_parameters: nil,
+             daemons: nil,
+             configs: nil,
+             nodes: nil,
+             regexps: nil,
+             whitelist: nil,
+             blacklist: nil)
+      # Load configuration and default values if necessary.
+      @iterations = iterations || DFLT_ITERATIONS
+      @random_order = random_order || false
+      @runstatedir = runstatedir || DFLT_RUNSTATEDIR
+      @frr = frr_build_parameters || []
+      @frr['sysconfdir'] ||= DFLT_FRR_SYSCONFDIR
+      @frr['localstatedir'] ||= DFLT_FRR_LOCALSTATE_DIR
+      @frr['user'] ||= DFLT_FRR_USER
+      @frr['group'] ||= DFLT_FRR_GROUP
+      @daemons = daemons || []
+      @configs = configs || []
+      @nodes = nodes || []
+      @regexps = regexps || []
+      @whitelist = whitelist || []
+      @blacklist = blacklist || []
+
+      # Initialize counters.
+      @counters = {}
+      @counters['non-filtered-cmds'] = 0
+      @counters['filtered-blacklist'] = 0
+      @counters['filtered-whitelist'] = 0
+      @counters['tested-cmds'] = 0
+      @counters['segfaults'] = 0
+      @segfaults = {}
+
+      # Security check to prevent accidental deletion of data.
+      unless @runstatedir.include?('frr-cli-fuzzer')
+        abort("The runstatedir configuration parameter must contain "\
+              "'frr-cli-fuzzer' somewhere in the path.")
+      end
+      FileUtils.rm_rf(@runstatedir)
+      FileUtils.mkdir_p(@runstatedir)
+      FileUtils.chown_R(@frr['user'], @frr['group'], @runstatedir)
+
+      # Create a new process on a new pid, mount and network namespace.
+      @ns = LinuxNamespace.new
+      @ns.fork_and_unshare do
+        # This is the init process of this fuzzer. We need to reap the zombies.
+        trap(:CHLD) { Process.wait }
+        trap(:INT, :IGNORE)
+        sleep
+      end
+
+      # Bind mount FRR directories.
+      mount(@frr['sysconfdir'], @frr['user'], @frr['group'])
+      mount(@frr['localstatedir'], @frr['user'], @frr['group'])
+    end
+
+    # nsenter(1) is a standard tool from the util-linux package. It can be used
+    # to run a program with namespaces of other processes.
+    def nsenter
+      "nsenter -t #{@ns.pid} --mount --pid --net"
+    end
+
+    # Bind mount a path under the configured runstatedir.
+    def mount(path, user, group)
+      source = "#{@runstatedir}/#{path}"
+      FileUtils.mkdir_p(path)
+      FileUtils.mkdir_p(source)
+      FileUtils.chown_R(user, group, source)
+      system("#{nsenter} mount --bind #{source} #{path}")
+    end
+
+    # Save configuration in the file system.
+    def save_config(daemon, config)
+      path = "#{@runstatedir}/#{@frr['sysconfdir']}/#{daemon}.conf"
+      File.open(path, 'w') { |file| file.write(config) }
+    end
+
+    # Generate FRR configuration file.
+    def gen_config(daemon)
+      config = @configs['all'] || ''
+      config += @configs[daemon] || ''
+
+      # Replace variables.
+      config.gsub!('%(daemon)', daemon)
+      config.gsub!('%(runstatedir)', @runstatedir)
+
+      save_config(daemon, config)
+    end
+
+    # Generate FRR configuration files.
+    def gen_configs
+      save_config('vtysh', '')
+      @daemons.each do |daemon|
+        gen_config(daemon)
+      end
+    end
+
+    # Start a FRR daemon.
+    def start_daemon(daemon)
+      # Remove old pid file if it exists.
+      FileUtils.rm_f("#{@runstatedir}/#{@frr['localstatedir']}/#{daemon}.pid")
+
+      # Spawn new process.
+      pid = Process.spawn("#{nsenter} #{daemon} -d --log=stdout "\
+                          ">> #{@runstatedir}/#{daemon}.stdout "\
+                          "2>> #{@runstatedir}/#{daemon}.stderr")
+      Process.detach(pid)
+    end
+
+    # Start all FRR daemons.
+    def start_daemons
+      @daemons.each do |daemon|
+        start_daemon(daemon)
+      end
+    end
+
+    # Check if a FRR daemon is still alive.
+    def daemon_alive?(daemon)
+      `#{nsenter} ps aux | grep #{daemon} | grep -E -v "defunct|grep"` != ''
+    end
+
+    # Check if a command should be white-list filtered.
+    def filter_whitelist(command)
+      return false if @whitelist.empty?
+
+      @whitelist.each do |regexp|
+        return false if command =~ /#{regexp}/
+      end
+      true
+    end
+
+    # Check if a command should be black-list filtered.
+    def filter_blacklist(command)
+      @blacklist.each do |regexp|
+        return true if command =~ /#{regexp}/
+      end
+      false
+    end
+
+    # Prepare command to be used by the CLI fuzzing tester.
+    def prepare_command(command)
+      new_command = ''
+
+      command.split.each do |word|
+        # Custom regexps.
+        @regexps.each_pair do |input, option|
+          word.sub!(input, option)
+        end
+
+        # Handle intervals.
+        if word =~ /(\d+\-\d+)/
+          interval = word.scanf('(%d-%d)')
+          new_command << interval[1].to_s
+        else
+          new_command << word
+        end
+
+        # Append whitespace after each word.
+        new_command << ' '
+      end
+
+      new_command.rstrip
+    end
+
+    # Obtain array of the commands we want to test.
+    def prepare_commmands
+      commands = []
+
+      @nodes.each do |hierarchy|
+        permutations = `#{nsenter} vtysh #{hierarchy} -c \"list permutations\"`
+        permutations.each_line do |command|
+          command = command.strip
+
+          # Check whitelist and blacklist.
+          if filter_whitelist(command)
+            puts "filtering (whitelist): #{command}"
+            @counters['filtered-whitelist'] += 1
+            next
+          end
+          if filter_blacklist(command)
+            puts "filtering (blacklist): #{command}"
+            @counters['filtered-blacklist'] += 1
+            next
+          end
+
+          @counters['non-filtered-cmds'] += 1
+
+          commands.push("vtysh #{hierarchy} -c \"#{prepare_command(command)}\"")
+        end
+      end
+      puts "non-filtered commands: #{@counters['non-filtered-cmds']}"
+
+      commands
+    end
+
+    # Send command to all running FRR daemons.
+    def send_command(command)
+      puts "testing: #{command}"
+
+      vtysh_log = "#{@runstatedir}/vtysh.txt"
+      File.open(vtysh_log, 'a') { |f| f.puts command }
+      system("#{nsenter} #{command} >> #{vtysh_log} 2>&1")
+    end
+
+    # Print the results of the fuzzing tests.
+    def print_results
+      puts "\nresults:"
+      puts "- non-filtered commands: #{@counters['non-filtered-cmds']}"
+      puts "- whitelist filtered commands: #{@counters['filtered-whitelist']}"
+      puts "- blacklist filtered commands: #{@counters['filtered-blacklist']}"
+      puts "- tested commands: #{@counters['tested-cmds']}"
+      puts "- segfaults detected: #{@counters['segfaults']}"
+      @segfaults.each_pair do |msg, count|
+        puts "    (x#{count}) #{msg}"
+      end
+    end
+
+    # Log a segfault to both the standard output and to the fuzzer output file.
+    def log_segfault(daemon, command)
+      msg = "#{daemon} aborted: #{command}"
+      puts msg
+      File.open("#{@runstatedir}/output.txt", 'a') { |f| f.puts msg }
+
+      @counters['segfaults'] += 1
+      @segfaults[msg] = @segfaults[msg].to_i + 1
+    end
+
+    # Start fuzzing tests.
+    def test_fuzzing
+      iteration = 0
+      commands = prepare_commmands
+      return if commands.empty?
+
+      loop do
+        iteration += 1
+        puts "\nfuzz iteration: ##{iteration}"
+        commands.shuffle! if @random_order
+
+        # Iterate over all commands.
+        commands.each do |command|
+          @counters['tested-cmds'] += 1
+          send_command(command)
+
+          # Check if all daemons are still alive.
+          @daemons.each do |daemon|
+            next if daemon_alive?(daemon)
+
+            log_segfault(daemon, command)
+            start_daemon(daemon)
+          end
+        end
+
+        # Check if this is the last iteration.
+        break if @iterations > 0 && iteration == @iterations
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,100 @@
+--- !ruby/object:Gem::Specification
+name: frr-cli-fuzzer
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Renato Westphal
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-10-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.11'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: ffi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- renato@opensourcerouting.org
+executables:
+- frr-cli-fuzzer
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/frr-cli-fuzzer
+- bin/setup
+- config.yml
+- frr-cli-fuzzer.gemspec
+- lib/frr-cli-fuzzer.rb
+- lib/frr-cli-fuzzer/libc.rb
+- lib/frr-cli-fuzzer/linux_namespace.rb
+- lib/frr-cli-fuzzer/version.rb
+homepage: https://github.com/rwestphal/frr-cli-fuzzer
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.2.1
+signing_key: 
+specification_version: 4
+summary: FRR CLI fuzzer.
+test_files: []