Help with ipv4 and udp descriptions


Julia Keadey

Oct 28, 2025, 11:46:24 AM
to syzkaller
Hello,

I'm running into a few small issues with some descriptions I'm trying to get working.

First, none of the length fields seem to be populating correctly. The actual test program is getting 0 instead of the actual `len[parent, int16]` that I'm looking for. (I can tell this by looking at the packets I'm sending, since I'm doing network fuzzing. The descriptions I'm using are included below... both `ihl` and `length` are affected.) The program I'm running is essentially just `syz_send_aaa$udp4(&AUTO, AUTO)`. The descriptions below are basically exact copies of the ones in `vnet.txt`, but refactored somewhat to hard-code a few values.

```
# aaa.txt

...

# (this is a pseudo syscall that *basically* sends a packet)
syz_send_aaa$udp4(packet ptr[in, aaa[aaa_ipv4_packet_t[const[IPPROTO_UDP, int8], aaa_udp_packet]]], packet_len len[packet])

type aaa[ENCAP] {
# this field seems to be fine so I omitted the description
  aaah aaahdr
  encap ENCAP
}

...

type aaa_ipv4_header[PROTO] {
# BROKEN: this length does not work, always 0
ihl bytesize4[parent, int8:4]
version const[4, int8:4]
ecn int8:2
dscp int8:6
# this length does work for whatever reason...
total_len len[aaa_ipv4_packet_t, int16be]
id int16be[100:104]
frag_off int16be[0:0]
ttl const[255, int8]
protocol PROTO
csum csum[parent, inet, int16be]
src_ip const[CLIENT_ADDR, int32be]
dst_ip const[SERVER_ADDR, int32be]
options ipv4_options
} [packed]

type aaa_ipv4_packet_t[PROTO, PAYLOAD] {
header aaa_ipv4_header[PROTO]
payload PAYLOAD
} [packed]

aaa_udp_packet {
src_port const[CLIENT_PORT, int16be]
dst_port const[SERVER_PORT, int16be]
# BROKEN: this length does not work, always 0
length len[parent, int16be]
# TODO: change this so it can use csum with a different struct name
csum const[0, int16be]
payload aaa_udp_payload
} [packed]

aaa_udp_payload [
opaque array[int8]
] [varlen]
...
```


Second, when I call `syz_init_net_socket$aaa(AUTO, AUTO, AUTO)`, I get `syz_init_net_socket(0xffffffffffffff, 0x2, 0x11)`. Why? How? What? Specifying `syz_init_net_socket$aaa(0x2, 0x2, 0x11)` seems to make no difference.

```
# aaa.txt
...
resource sock_aaa[sock]
syz_init_net_socket$aaa(domain const[AF_INET], type const[SOCK_DGRAM], proto const[IPPROTO_UDP]) sock_aaa
...
```

```
# aaa.txt.const
...
AF_INET = amd64:2
IPPROTO_UDP = amd64:17
SOCK_DGRAM = amd64:2
...
```

Any help here would be appreciated. I'm not really sure how to tell *how* or *why* syzkaller picks certain arguments, so any general debugging advice there would also be useful.

Thanks so much,
Julia!
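An added example, not part of the post or of syzkaller itself: a small Python checker for the "look at the packets I'm sending" step. It parses a raw IPv4+UDP packet laid out as in the `aaa_ipv4_header` / `aaa_udp_packet` descriptions above and reports which of the fields the description is supposed to fill in (`ihl`, `total_len`, the inet `csum`, UDP `length`) disagree with the byte layout. The packet builder, addresses and ports are constructed sample data; the IPv4 header length is passed in explicitly because a zero `ihl` cannot be trusted to locate the UDP header.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, what `csum[parent, inet, int16be]` should produce."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def check_ipv4_udp(pkt: bytes, ipv4_hdr_len: int = 20) -> dict:
    """Return {field: (observed, expected)} for each field the description fills in.
    ipv4_hdr_len is an explicit input (assumed 20 = no options) since ihl may be 0."""
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F        # version is the high nibble on the wire
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ip_csum = struct.unpack("!H", pkt[10:12])[0]
    udp = pkt[ipv4_hdr_len:]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    hdr_zeroed = pkt[:10] + b"\x00\x00" + pkt[12:ipv4_hdr_len]  # csum field zeroed for recompute
    return {
        "version": (version, 4),
        "ihl": (ihl, ipv4_hdr_len // 4),              # bytesize4[parent]: header bytes / 4
        "total_len": (total_len, len(pkt)),           # len[aaa_ipv4_packet_t]: header + payload
        "ip_csum": (ip_csum, inet_checksum(hdr_zeroed)),
        "udp_length": (udp_len, len(udp)),            # len[parent]: UDP header + payload
    }

def broken_fields(pkt: bytes, ipv4_hdr_len: int = 20) -> list:
    """Names of the fields whose observed value differs from the expected one."""
    return sorted(f for f, (got, want) in check_ipv4_udp(pkt, ipv4_hdr_len).items() if got != want)

def build_sample(ihl: int, udp_length: int, payload: bytes = b"fuzz") -> bytes:
    """Constructed sample: IPv4 (no options) + UDP with the two length fields set as given,
    so the checker can be exercised on a packet shaped like the one in the post."""
    udp = struct.pack("!HHHH", 40000, 53, udp_length, 0) + payload   # csum const[0] as in the post
    total = 20 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 100, 0, 255, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))      # sample src/dst addresses
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]     # csum over header with csum=0
    return ip + udp

if __name__ == "__main__":
    print("packet with ihl=0, udp length=0 ->", broken_fields(build_sample(0, 0)))
    print("correctly filled packet          ->", broken_fields(build_sample(5, 12)))
```

Run it against bytes captured from the fuzzer (e.g. the payload of a pcap frame) instead of `build_sample` to see exactly which description fields came out wrong.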