int validate(char *buf, int N) {
int i;
for (i=0; i<N; i++) {
if (buf[i]==0) {
klee_merge();
return 0;
}
}
klee_merge();
return 1;
}
long
find_value (char *start, long int length)
{
while (length != 0L)
{
if (isdigit (*start))
return atol (start);
klee_merge();
length--;
start++;
}
klee_merge();
return 0l;
}
long atol(register const char *nptr)
{
long total = 0;
int minus = 0;
while (isspace(*nptr)) nptr++;
if (*nptr == '+') nptr++;
else if (*nptr == '-') {
minus = 1;
nptr++;
}
klee_merge();
while (isdigit(*nptr)) {
total *= 10;
total += (*nptr++ - '0');
}
klee_merge();
return minus ? -total : total;
}
int main() {
char arg_buf[N];
unsigned char buffer_buf[100];
klee_make_symbolic(arg_buf, sizeof(arg_buf), "arg");
arg_buf[N-1] = '\0';
char *arg = arg_buf;
unsigned char *buffer = buffer_buf;
int i, ac;
while (*arg) {
if (*arg == '\\') {
arg++;
i = ac = 0;
if (*arg >= '0' && *arg <= '7') {
do {
ac = (ac << 3) + *arg++ - '0';
i++;
} while (i < 4 && *arg >= '0' && *arg <= '7');
*buffer++ = ac;
} else if (*arg != '\0')
*buffer++ = *arg++;
} else if (*arg == '[') {
arg++;
i = *arg++;
if (*arg++ != '-') {
*buffer++ = '[';
arg -= 2;
continue;
}
ac = *arg++;
while (i <= ac) *buffer++ = i++;
arg++; /* Skip ']' */
} else
*buffer++ = *arg++;
klee_merge();
}
}
int bpf_validate(struct bpf_insn *f, int len)
{
int i;
int from;
struct bpf_insn *p;
if (len < 1 || len > BPF_MAXINSNS)
return 0;
i = 0;
p = &f[i];
switch (BPF_CLASS(p->code)) {
/*
* Check that memory operations use valid addresses.
*/
case BPF_LD:
case BPF_LDX:
switch (BPF_MODE(p->code)) {
case BPF_IMM:
break;
case BPF_ABS:
case BPF_IND:
case BPF_MSH:
/*
* More strict check with actual packet length
* is done runtime.
*/
if (p->k >= bpf_maxbufsize)
return 0;
break;
case BPF_MEM:
if (p->k >= BPF_MEMWORDS)
return 0;
break;
case BPF_LEN:
break;
default:
return 0;
}
break;
case BPF_ST:
case BPF_STX:
if (p->k >= BPF_MEMWORDS)
return 0;
break;
case BPF_ALU:
switch (BPF_OP(p->code)) {
case BPF_ADD:
case BPF_SUB:
case BPF_OR:
case BPF_AND:
case BPF_LSH:
case BPF_RSH:
case BPF_NEG:
break;
case BPF_DIV:
/*
* Check for constant division by 0.
*/
if (BPF_RVAL(p->code) == BPF_K && p->k == 0)
return 0;
break;
default:
return 0;
}
break;
case BPF_JMP:
/*
* Check that jumps are forward, and within
* the code block.
*/
from = i + 1;
switch (BPF_OP(p->code)) {
case BPF_JA:
if (from + p->k < from || from + p->k >= len)
return 0;
break;
case BPF_JEQ:
case BPF_JGT:
case BPF_JGE:
case BPF_JSET:
if (from + p->jt >= len || from + p->jf >= len)
return 0;
break;
default:
return 0;
}
break;
case BPF_RET:
break;
case BPF_MISC:
break;
default:
return 0;
}
klee_merge();
i = 1;
p = &f[i];
switch (BPF_CLASS(p->code)) {
/*
* Check that memory operations use valid addresses.
*/
case BPF_LD:
case BPF_LDX:
switch (BPF_MODE(p->code)) {
case BPF_IMM:
break;
case BPF_ABS:
case BPF_IND:
case BPF_MSH:
/*
* More strict check with actual packet length
* is done runtime.
*/
if (p->k >= bpf_maxbufsize)
return 0;
break;
case BPF_MEM:
if (p->k >= BPF_MEMWORDS)
return 0;
break;
case BPF_LEN:
break;
default:
return 0;
}
break;
case BPF_ST:
case BPF_STX:
if (p->k >= BPF_MEMWORDS)
return 0;
break;
case BPF_ALU:
switch (BPF_OP(p->code)) {
case BPF_ADD:
case BPF_SUB:
case BPF_OR:
case BPF_AND:
case BPF_LSH:
case BPF_RSH:
case BPF_NEG:
break;
case BPF_DIV:
/*
* Check for constant division by 0.
*/
if (BPF_RVAL(p->code) == BPF_K && p->k == 0)
return 0;
break;
default:
return 0;
}
break;
case BPF_JMP:
/*
* Check that jumps are forward, and within
* the code block.
*/
from = i + 1;
switch (BPF_OP(p->code)) {
case BPF_JA:
if (from + p->k < from || from + p->k >= len)
return 0;
break;
case BPF_JEQ:
case BPF_JGT:
case BPF_JGE:
case BPF_JSET:
if (from + p->jt >= len || from + p->jf >= len)
return 0;
break;
default:
return 0;
}
break;
case BPF_RET:
break;
case BPF_MISC:
break;
default:
return 0;
}
klee_merge();
i = 2;
p = &f[i];
switch (BPF_CLASS(p->code)) {
/*
* Check that memory operations use valid addresses.
*/
case BPF_LD:
case BPF_LDX:
switch (BPF_MODE(p->code)) {
case BPF_IMM:
break;
case BPF_ABS:
case BPF_IND:
case BPF_MSH:
/*
* More strict check with actual packet length
* is done runtime.
*/
if (p->k >= bpf_maxbufsize)
return 0;
break;
case BPF_MEM:
if (p->k >= BPF_MEMWORDS)
return 0;
break;
case BPF_LEN:
break;
default:
return 0;
}
break;
case BPF_ST:
case BPF_STX:
if (p->k >= BPF_MEMWORDS)
return 0;
break;
case BPF_ALU:
switch (BPF_OP(p->code)) {
case BPF_ADD:
case BPF_SUB:
case BPF_OR:
case BPF_AND:
case BPF_LSH:
case BPF_RSH:
case BPF_NEG:
break;
case BPF_DIV:
/*
* Check for constant division by 0.
*/
if (BPF_RVAL(p->code) == BPF_K && p->k == 0)
return 0;
break;
default:
return 0;
}
break;
case BPF_JMP:
/*
* Check that jumps are forward, and within
* the code block.
*/
from = i + 1;
switch (BPF_OP(p->code)) {
case BPF_JA:
if (from + p->k < from || from + p->k >= len)
return 0;
break;
case BPF_JEQ:
case BPF_JGT:
case BPF_JGE:
case BPF_JSET:
if (from + p->jt >= len || from + p->jf >= len)
return 0;
break;
default:
return 0;
}
break;
case BPF_RET:
break;
case BPF_MISC:
break;
default:
return 0;
}
klee_merge();
return BPF_CLASS(f[len - 1].code) == BPF_RET;
}
int
main ()
{
struct keyfield keyfield[SIZE];
char start1[SIZE];
long int length1=SIZE;
long int pos1=0;
char start2[SIZE];
long int length2=SIZE;
long int pos2=0;
klee_make_symbolic(keyfield, sizeof(keyfield), "*keyfield");
klee_make_symbolic(start1, sizeof(start1), "*start1");
klee_make_symbolic(start2, sizeof(start2), "*start2");
int char_order[256];
int i;
for (i = 1; i < 256; i++)
char_order[i] = i;
for (i = '0'; i <= '9'; i++)
char_order[i] += 512;
for (i = 'a'; i <= 'z'; i++)
{
char_order[i] = 512 + i;
char_order[i + 'A' - 'a'] = 512 + i;
}
if (keyfield->positional)
{
if (pos1 > pos2)
return 1;
else
return -1;
klee_merge();
}
if (keyfield->numeric)
{
long value = find_value (start1, length1) - find_value (start2, length2);
if (value > 0)
return 1;
if (value < 0)
return -1;
return 0;
}
else
{
char *p1 = start1;
char *p2 = start2;
char *e1 = start1 + length1;
char *e2 = start2 + length2;
while (1)
{
int c1, c2;
if (p1 == e1)
c1 = 0;
else
c1 = *p1++;
klee_merge();
if (p2 == e2)
c2 = 0;
else
c2 = *p2++;
klee_merge();
if (char_order[c1] != char_order[c2])
return char_order[c1] - char_order[c2];
if (!c1)
break;
}
/* Strings are equal except possibly for case. */
p1 = start1;
p2 = start2;
while (1)
{
int c1, c2;
if (p1 == e1)
c1 = 0;
else
c1 = *p1++;
klee_merge();
if (p2 == e2)
c2 = 0;
else
c2 = *p2++;
klee_merge();
if (c1 != c2)
/* Reverse sign here so upper case comes out last. */
return c2 - c1;
if (!c1)
break;
}
return 0;
}
}