- SIGABRT in case of Host_Error calls (these would normally "safely"
exit the dedicated server, so remote exploits calling this are
interesting).
- SIGXCPU in case NetConn_ServerFrame is hit again after the injected
packet (shouldn't ever happen - just in case, as it also would
indicate a remote exploitable problem as remaining sockets in the list
were skipped then).
- Facility "net_dump" to dump all incoming network packets to files.
Makes it easy to choose an "interesting" one.
- Facility "net_inject" to replace a specific packet by the content of a
file. Includes a flag net_inject_index, which causes the engine to
exit successfully after the injected packet was processed.
Note that successful injection requires the following engine flags:
-nosound +sys_usenoclockbutbenchmark 1 +cl_maxfps 30 +sv_random_seed 0
to remove any nondeterministic influence (including external timing
sources).
- After injecting, the loop is executed that crashes in Xonotic bug
report https://gitlab.com/xonotic/darkplaces/issues/24 - this helps to figure
out said bug report.
- afl-fuzz instrumentation (and thus afl-fuzz's fork server) is started
only just before injection. This keeps afl-fuzz runs fast (about
70/sec), skipping the otherwise unavoidable loading time of 20
seconds.
- Disable vid_glx's signal handler, so afl-fuzz will actually see
crashes as crashes (and as fast as possible - in my testing crashes
were sometimes misdetected as hangs, as the signal handler, which tries
a clean exit, will acquire mutexes held during the crash).
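The harness pattern the items above describe (abort on a fatal engine error, a SIGXCPU guard against a second server frame, file-based packet replacement, and a deferred afl-fuzz fork server started only after the slow startup), as an added example that is not DarkPlaces code; host_error and server_frame are hypothetical stand-ins for Host_Error and NetConn_ServerFrame, and the 2-byte length-prefixed packet format is constructed for illustration.

```c
/* Added example (not DarkPlaces code): a minimal harness sketch of the
 * pattern the commit message describes. host_error and server_frame are
 * hypothetical stand-ins, not engine functions. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for Host_Error: abort instead of a "clean" exit so afl-fuzz
 * records the condition as a SIGABRT crash rather than a normal exit. */
static void host_error(const char *msg) {
    fprintf(stderr, "Host_Error: %s\n", msg);
    abort();
}

/* Toy parser (constructed format): 2-byte big-endian payload length, then
 * the payload. Returns the payload length, or reaches host_error if malformed. */
int handle_packet(const unsigned char *pkt, size_t len) {
    if (len < 2) host_error("short packet");
    size_t claimed = ((size_t)pkt[0] << 8) | pkt[1];
    if (claimed > len - 2) host_error("length field exceeds packet");
    return (int)claimed;
}

/* Stand-in for NetConn_ServerFrame with the SIGXCPU guard: a second frame
 * after the injected packet means later sockets were skipped, so fail loudly. */
int server_frame(const unsigned char *pkt, size_t len) {
    static int injected_seen = 0;
    if (injected_seen) raise(SIGXCPU);
    injected_seen = 1;
    return handle_packet(pkt, len);
}

int main(int argc, char **argv) {
    if (argc < 2) return 2;
    /* ... deterministic but slow startup (map loading etc.) goes here ... */
#ifdef __AFL_HAVE_MANUAL_CONTROL
    __AFL_INIT();   /* deferred fork server: start forking only after the load */
#endif
    /* Replace the "incoming" packet with a file captured by a net_dump-style facility. */
    unsigned char pkt[1400];
    FILE *f = fopen(argv[1], "rb");
    if (!f) return 2;
    size_t n = fread(pkt, 1, sizeof pkt, f);
    fclose(f);
    server_frame(pkt, n);
    return 0;   /* net_inject_index semantics: exit successfully once processed */
}
```

Built with afl-clang-fast, `__AFL_HAVE_MANUAL_CONTROL` is defined and the fork server starts at `__AFL_INIT()`; with a plain compiler the program just processes one packet file and exits.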