Added experiment 5

experiment5/IE/fuzzSSID.c

@@ -0,0 +1,134 @@
+/*
+Fuzzes SSID Information element
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <math.h>
+#include "../frameDefinitions.h"
+
+//Indecates whether the ssidFuzzer is running
+int ssidRunningState = 0;
+
+//Number of fuzzing states
+const int ssidStates =  1;
+//Steps of fuzzers for each fuzzing state
+const int ssidSteps[] =   {256};
+
+//Current state and step of the ssidFuzzer
+int fuzzState;
+int fuzzStep;
+
+void ssidPrintCurrentState()
+{
+    switch (fuzzState)
+    {
+        case 0: 
+        {
+            printf("\e[33mFuzzing SSID IE\e[39m\n");
+            printf("SSID name counter\n");
+            break;
+        }
+        case 1:
+        {
+            printf("\e[33mDone with SSID IE\e[39m\n");
+            break;
+        }
+    }
+}
+
+//Updates ssidFuzzer
+//Status 0 indicates start
+//Status 1 indicates increaseStep
+//Status 2 indicates stop
+//Returns -1 if done with fuzzing
+int ssidFuzzUpdate(int status)
+{
+    switch (status)
+    {
+        case 0: //start fuzzer
+        {
+            ssidRunningState    = 1;
+            fuzzState       = 0;
+            fuzzStep        = 0;
+            ssidPrintCurrentState();
+            break;
+        }
+        case 1: //update fuzzer
+        {
+            if (ssidRunningState == 1) //sanity check
+            {
+                //increase steps until all steps are done
+                if (fuzzStep < ssidSteps[fuzzState]-1)
+                    fuzzStep = fuzzStep + 1;
+                //then increase state and notify
+                else
+                {
+                    fuzzStep = 0;
+                    fuzzState = fuzzState + 1;
+                    ssidPrintCurrentState();
+                }
+                //when all states are done, stop
+                if (fuzzState == ssidStates)
+                {
+                    ssidRunningState = 0;
+                    return -1;
+                }
+            }
+            break;
+        }
+        case 2: //stop fuzzer
+        {
+            ssidRunningState = 0;
+            break;
+        }
+    }
+    return 0;
+}
+
+//Returns an SSID information element
+infoElem ssidFuzz()
+{
+    infoElem ssid;
+
+    //What to return when not fuzzed
+    //We do not return an SSID, because of the experiment
+    if (ssidRunningState == 0)
+    {
+        ssid.id = 0;
+        ssid.len = 4;
+        ssid.len_data = -1;
+        ssid.data = "\x46\x55\x5a\x5a";
+    }
+    else
+    {
+        switch (fuzzState)
+        {
+            case 0: //SSID incorrect length with data
+            {
+                int i;
+                if (fuzzStep == 0)
+                    i = 1;
+                else
+                    i = floor(log10(abs(fuzzStep))) + 1;
+
+                //printf("SSID := %d\n", fuzzStep);
+
+                ssid.id = 0;
+                ssid.len = i;
+                ssid.len_data = i;
+
+                u_char *buffer = malloc(32);
+                sprintf(buffer,"%d", fuzzStep);
+
+                ssid.data = buffer;
+                break;
+            }
+        }
+
+    }
+    
+
+    return ssid;
+}

experiment5/IE/fuzzSSID.h

@@ -0,0 +1,10 @@
+#ifndef FUZZSSID_H_
+#define FUZZSSID_H_
+
+#include "../frameDefinitions.h"
+
+int ssidFuzzUpdate(int status);
+
+infoElem ssidFuzz();
+
+#endif

experiment5/Makefile

@@ -0,0 +1,9 @@
+default: all
+
+all: Cfuzz
+
+Cfuzz:
+	gcc -o cfuzz -IIE *.c IE/*.c -lpcap -lm
+
+clean:
+	rm -f cfuzz

experiment5/cfuzz.c

@@ -0,0 +1,381 @@
+/*
+This is the main file. It handles sending, receiving, but also monitoring of frames.
+*/
+#include <stdio.h>
+#include <pcap.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <sys/time.h>
+#include "cfuzz.h"
+#include "frameCreator.h"
+#include "frameDefinitions.h"
+#include "fuzzer.h"
+
+#define DEBUG (0)
+#define SUTTIMEOUTMS (30000) //30s
+
+//Used for timing
+struct timeval tm1;
+struct timeval longtm;
+
+//Number of acked frames in current step
+int ackedFrames             = 0;
+
+//Copied from Wireshark
+u_char radioTapHeader[36]   =   "\x00\x00\x24\x00\x2f\x40\x00\xa0\x20\x08\x00\x00\x00\x00\x00\x00" \
+                                "\x9d\x5c\xa0\x15\x01\x00\x00\x00\x10\x02\x6c\x09\xa0\x00\xa7\x00" \
+                                "\x00\x00\xa7\x00";
+
+//Mac address of Atheros Wi-Fi dongle
+//Dongle will only ACK frames to its own MAC address
+u_char myMAC[6]            =  "\x00\x0a\xeb\x2d\x72\x55";
+
+//Mac address of SUT
+//Is needed to ignore frames from other devices
+
+//Comment out the SUT
+u_char sutMAC[6]            =  "\x12\x42\x2a\x7e\xd4\xe8"; //Orange Pi Zero
+//u_char sutMAC[6]            =  "\xcc\xfa\x00\xc9\xfc\xad"; //LG Optimus G
+
+
+//Returns filter for libpcap
+//we want to use as many filters here as possible, since libpcap is closer to the hardware than this user-level program
+//we only want to receive Probe requests, Authentication frames and Association requests, all to only our own MAC address or broadcast address in case of Probe requests
+//furthermore, all frames except ACK frames (have no send address) should be sent from the SUT MAC address
+//also, it is important not to compile and set the filter between each pcap_next. Otherwise ACK frames will be missed
+//when changing the filterString, the strncpy() locations should also be changed!
+const char *getFilterString()
+{
+    //xx:xx:xx:xx:xx:xx will become myMAC, yy:yy:yy:yy:yy:yy will become sutMAC
+    static char filterString[] = "(wlan subtype probe-req and (wlan addr1 xx:xx:xx:xx:xx:xx or wlan addr1 ff:ff:ff:ff:ff:ff) and wlan addr2 yy:yy:yy:yy:yy:yy)" \
+    " or ( wlan addr1 xx:xx:xx:xx:xx:xx and wlan addr2 yy:yy:yy:yy:yy:yy and ( wlan subtype auth or wlan subtype assoc-req))" \
+    " or ( wlan addr1 xx:xx:xx:xx:xx:xx and wlan subtype ack)";
+
+    //convert myMAC and sutMAC to strings
+    char myMacStr[18];
+    char sutMacStr[18];
+
+    snprintf(myMacStr, sizeof(myMacStr), "%02x:%02x:%02x:%02x:%02x:%02x",
+             myMAC[0], myMAC[1], myMAC[2], myMAC[3], myMAC[4], myMAC[5]);
+
+    snprintf(sutMacStr, sizeof(sutMacStr), "%02x:%02x:%02x:%02x:%02x:%02x",
+             sutMAC[0], sutMAC[1], sutMAC[2], sutMAC[3], sutMAC[4], sutMAC[5]);
+
+    //replace placeholder MACs in filterString with correct MACstring (hardcoded positions!)
+    strncpy(filterString+40, myMacStr,17);
+    strncpy(filterString+106, sutMacStr,17);
+    strncpy(filterString+141, myMacStr,17);
+    strncpy(filterString+174, sutMacStr,17);
+    strncpy(filterString+260, myMacStr,17);
+
+    return filterString;
+}
+
+//Starts timer by setting current (starting) time to tm1
+void startTimer()
+{
+    gettimeofday(&tm1, NULL);
+}
+
+//Stops timer by setting current (ending) time to tm2
+//Then compares difference in time and returns it in milliseconds
+unsigned long long stopTimer()
+{
+    struct timeval tm2;
+    gettimeofday(&tm2, NULL);
+
+    unsigned long long t = 1000 * (tm2.tv_sec - tm1.tv_sec) + (tm2.tv_usec - tm1.tv_usec) / 1000;
+    return t;
+}
+
+//Starts timer by setting current (starting) time to longtm
+//Longtimer is used to determine if it was more than X seconds since the SUT sent out frames
+void startLongTimer()
+{
+    gettimeofday(&longtm, NULL);
+}
+
+//Stops timer by setting current (ending) time to longtm2
+//Then compares difference in time and returns it in milliseconds
+unsigned long long stopLongTimer()
+{
+    struct timeval longtm2;
+    gettimeofday(&longtm2, NULL);
+
+    unsigned long long t = 1000 * (longtm2.tv_sec - longtm.tv_sec) + (longtm2.tv_usec - longtm.tv_usec) / 1000;
+    return t;
+}
+
+//Returns source address pointer location in packet
+u_char *getSourceAddrOfPacket(const u_char *packet)
+{
+    //get header length
+    u_char headerLength;
+    headerLength = packet[2];
+
+    //calculate offset to address
+    const u_char *addr;
+    int offset = headerLength;
+    offset = offset + 10;
+
+    //get pointer to address
+    addr = packet + offset;
+
+    return (u_char*) addr;
+}
+
+//Returns Version, Type and Subtype (one byte)
+u_char getFrameTypeOfPacket(const u_char *packet)
+{
+    //get header length
+    u_char headerLength;
+    headerLength = packet[2];
+
+    //calculate offset to frame type
+    const u_char *frameType;
+    int offset = headerLength;
+    offset = offset + 0;
+
+    //get pointer to frameType
+    frameType = packet + offset;
+
+    return *frameType;
+}
+
+//Sends packet using pcap. Returns status
+int sendPacket(pcap_t *pcap_h, u_char *packet, int size)
+{
+    int sendStatus = pcap_sendpacket(pcap_h, packet, size);
+
+    //when frame failed to send
+    if (sendStatus == 1)
+    {
+        printf("Failed to send frame:\n");
+        //print failed frame
+        int printCounter = 0;
+        for(int i = 0; i < size; i++)
+        {
+            printf("%02X ", packet[i]);
+            printCounter = printCounter + 1;
+            if (printCounter == 16)
+            {
+                printCounter = 0;
+                printf("\n");
+            }
+        }
+        printf("\n");
+    }
+    
+    return sendStatus;
+}
+
+int main(int argc, char *argv[])
+{
+    pcap_t  *pcap_h;
+    struct  bpf_program fp;
+    struct  pcap_pkthdr header;
+    char    *dev;
+    char    errbuf[PCAP_ERRBUF_SIZE];
+
+    //check argument number
+    if(argc != 2)
+    {
+        printf("Usage: %s device\n", argv[0]);
+        exit(EXIT_FAILURE);
+    }
+
+    dev = argv[1];
+
+    //initialize libpcap
+    if((pcap_h = pcap_create(dev, errbuf)) == NULL)
+    {
+         printf("pcap_create() failed: %s\n", errbuf);
+         exit(EXIT_FAILURE);
+    }
+
+    if(pcap_can_set_rfmon(pcap_h) == 0)
+    {
+        printf("Monitor mode can not be set.\n");
+        exit(EXIT_FAILURE);
+    }
+
+    if(pcap_set_rfmon(pcap_h, 1) != 0)
+    {
+        printf("Failed to set monitor mode.\n");
+        exit(EXIT_FAILURE);
+    }
+
+    if(pcap_activate(pcap_h) != 0)
+    {
+        printf("pcap_activate() failed\n");
+        exit(EXIT_FAILURE);
+    }
+
+    //compile filter for incoming packets
+    if(pcap_compile(pcap_h, &fp, getFilterString() , 0, PCAP_NETMASK_UNKNOWN) == -1)
+    {
+        printf("failed pcap_compile() with error: %s\n", pcap_geterr(pcap_h));
+        exit(EXIT_FAILURE);
+    }
+
+    //apply filter
+    if(pcap_setfilter(pcap_h, &fp) == -1)
+    {
+        printf("failed pcap_setfilter() with error: %s\n", pcap_geterr(pcap_h));
+        exit(EXIT_FAILURE);
+    }
+
+    //free memory allocated by pcap_compile()
+    pcap_freecode(&fp);
+
+    //flag to indicate if we have to listen for ACK verification
+    int waitForACK = 0;
+
+    //counter for continuous ACK fail
+    int noACKcounter = 0;
+
+    //start long timer
+    startLongTimer();
+
+    increaseFuzzer();
+
+    //infinite listen-respond loop
+    while (1)
+    {
+        //receive packet
+        const u_char *packet = pcap_next(pcap_h, &header);
+
+        unsigned long long LongtimeSincePrevPacket = stopLongTimer();
+
+        if (LongtimeSincePrevPacket > SUTTIMEOUTMS)
+        {
+            printf("\e[31mIt took %llu ms to receive any frame from the SUT. Possible crash?\e[39m\n", LongtimeSincePrevPacket);
+        }
+
+        startLongTimer();
+
+        unsigned long long timeSincePrevPacket = stopTimer();
+
+        u_char frameType = getFrameTypeOfPacket(packet);
+
+        u_char* sourceAddr;
+
+
+        if (frameType != 0xd4) //ACK frames have no source address
+            sourceAddr = getSourceAddrOfPacket(packet);
+
+        //if we had to wait for an ACK, verify if current frame is an ACK
+        if (waitForACK != 0)
+        {
+            if (stopTimer() <= 10)
+            {
+                if (frameType == 0xd4)
+                {
+                    if (DEBUG)
+                    {
+                        switch (waitForACK)
+                        {
+                            case 1:
+                            {
+                                printf("Association response ACKed\n");
+                                break;
+                            }
+                            case 2:
+                            {
+                                printf("Authentication frame ACKed\n");
+                                break;
+                            }
+                            case 3:
+                            {
+                                printf("Probe response ACKed\n");
+                                break;
+                            }
+                            default:
+                            {
+                                printf("Frame ACKed\n");
+                                break;
+                            }
+                        }
+                    }
+                    ackedFrames = ackedFrames + 1;  //the frame is acked, so increase counter
+                    waitForACK = 0;                 //we should stop waiting for ack and move on
+                    noACKcounter = 0;               //reset counter
+
+                    increaseFuzzer();               //fuzz next thing
+                    if (DEBUG)
+                    {
+                        printf("Frame ACKed\n");
+                    }
+                    
+                }
+                else //received other frame. Ignore and keep listening
+                {
+                    if (DEBUG)
+                    {
+                        printf("Got other frame. Will be ignored\n");   
+                    }
+                }    
+            }
+            else //waited more than 10 ms for ack. failed
+            {
+                noACKcounter = noACKcounter + 1;
+                if (noACKcounter == 10)
+                {
+                    printf("\e[31mFrame not ACKed after 10 retries, moving on\e[39m\n");
+                    noACKcounter = 0;
+                    increaseFuzzer();
+                }
+                if (DEBUG)
+                {
+                    printf("Not sure if frame was ACKed\n");
+                }
+                waitForACK = 0;
+            }
+        }
+        else //Process frame depending on type
+        {
+            switch(frameType)
+            {
+                case 0x40:
+                {
+                    int packetSize;
+                    u_char *packet = createProbeResponse(sourceAddr, &packetSize, radioTapHeader, myMAC);
+                    sendPacket(pcap_h, packet, packetSize);
+                    free(packet);      //free allocated memory
+                    waitForACK = 3;
+                    startTimer();
+                    break;
+                } 
+                case 0xb0:
+                {
+                    //int packetSize;
+                    //u_char *packet = createAuthResponse(sourceAddr, &packetSize, radioTapHeader, myMAC);
+                    //sendPacket(pcap_h, packet, packetSize);
+                    //free(packet);      //free allocated memory
+                    //waitForACK = 2;
+                    //startTimer();
+                    break;
+                }
+                case 0x00:
+                {
+                    //int packetSize;
+                    //u_char *packet = createAssResponse(sourceAddr, &packetSize, radioTapHeader, myMAC);
+                    //sendPacket(pcap_h, packet, packetSize);
+                    //free(packet);      //free allocated memory
+                    //waitForACK = 1;
+                    //startTimer();
+                    break;
+                }
+                case 0xd4:
+                {
+                    break;
+                }
+                default: break;
+            }
+        }
+        
+    }
+
+    return 0;
+}

experiment5/cfuzz.h

@@ -0,0 +1,8 @@
+#ifndef CFUZZ_H_
+#define CFUZZ_H_
+
+
+
+
+
+#endif

experiment5/frameCreator.c

@@ -0,0 +1,150 @@
+/*
+Creates frames.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include "frameCreator.h"
+#include "fuzzer.h"
+#include "frameDefinitions.h"
+#include "fuzzSSID.h"
+
+//Creates Probe response frame
+u_char *createProbeResponse(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC)
+{
+    #define numberOfProbeInfoElems (3)   //number of information elements
+
+    //definition of all info elements 
+    infoElem ssid = ssidFuzz();
+
+    infoElem suppRates = {
+        1,         //id
+        7,         //len
+        7,         //real length of data
+        "\x96\x18\x24\x30\x48\x60\x6c" //data
+    };
+
+    infoElem dsParam = {
+        3,         //id
+        1,         //len
+        1,         //real length of data
+        "\x01" //data
+    };
+
+    //create array of information elements
+    infoElem taggedParams[numberOfProbeInfoElems] = {ssid, suppRates, dsParam};
+
+    //length of all info elements, including id and len field
+    int len_taggedParams = 0;
+    for(int i = 0; i < numberOfProbeInfoElems; i++)
+    {
+        if (taggedParams[i].len_data != -1) //do not include when len_data == -1
+        {
+            //+2 to include id and len field size
+            len_taggedParams = len_taggedParams + taggedParams[i].len_data+2; 
+        }
+    }
+
+    //fill in struct
+    probeResponse probeResp = { 
+        36, radioTapHeader,                //RadioTap hdr
+        1, "\x50",                         //Type
+        1, "\x00",                         //Flags
+        2, "\x3a\x01",                     //Duration
+        6, dstAddress,                     //DST addr
+        6, myMAC,                          //Source addr
+        6, myMAC,                          //BSS addr
+        2, "\x00\x00",                     //Seq nr         (overwritten by firmware)
+        8, "\x00\x00\x00\x00\x00\x00\x00\x00", //Timestamp  (overwritten by firmware)
+        2, "\x64\x00",                     //Beacon interval
+        2, "\x01\x00",                     //Capab info
+        
+        len_taggedParams,
+        taggedParams,                      //Information elements
+
+        4, "\x00\x00\x00\x00"              //FSC            (overwritten by firmware)
+    };
+
+    //calculate size of final packet
+    *packetSize = probeResp.len_radioTapHdr 
+                + probeResp.len_type
+                + probeResp.len_flags
+                + probeResp.len_duration
+                + probeResp.len_destAddr
+                + probeResp.len_sourceAddr
+                + probeResp.len_bssAddr
+                + probeResp.len_seqNr
+                + probeResp.len_timeStamp
+                + probeResp.len_beaconInterval
+                + probeResp.len_capabInfo
+                + probeResp.len_taggedParams
+                + probeResp.len_fsc;
+    
+    //define packet
+    u_char *probeRespPacket = malloc(*packetSize);
+    if(!probeRespPacket)
+    {
+        printf("Memory allocation error!\n");
+        exit(-1);
+    }
+
+    //copy all struct fields into packet
+    int copyOffset = 0;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.radioTapHdr, probeResp.len_radioTapHdr);
+    copyOffset = copyOffset + probeResp.len_radioTapHdr;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.type, probeResp.len_type);
+    copyOffset = copyOffset + probeResp.len_type;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.flags, probeResp.len_flags);
+    copyOffset = copyOffset + probeResp.len_flags;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.duration, probeResp.len_duration);
+    copyOffset = copyOffset + probeResp.len_duration;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.destAddr, probeResp.len_destAddr);
+    copyOffset = copyOffset + probeResp.len_destAddr;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.sourceAddr, probeResp.len_sourceAddr);
+    copyOffset = copyOffset + probeResp.len_sourceAddr;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.bssAddr, probeResp.len_bssAddr);
+    copyOffset = copyOffset + probeResp.len_bssAddr;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.seqNr, probeResp.len_seqNr);
+    copyOffset = copyOffset + probeResp.len_seqNr;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.timeStamp, probeResp.len_timeStamp);
+    copyOffset = copyOffset + probeResp.len_timeStamp;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.beaconInterval, probeResp.len_beaconInterval);
+    copyOffset = copyOffset + probeResp.len_beaconInterval;
+
+    memcpy(probeRespPacket + copyOffset, probeResp.capabInfo, probeResp.len_capabInfo);
+    copyOffset = copyOffset + probeResp.len_capabInfo;
+
+    //copy all information elements
+    for(int i = 0; i < numberOfProbeInfoElems; i++)
+    {
+        if (taggedParams[i].len_data != -1)  //if id == -1, we do not want to include the information element
+        {
+            memcpy(probeRespPacket + copyOffset, &taggedParams[i].id, 1);
+            copyOffset = copyOffset + 1;
+
+            memcpy(probeRespPacket + copyOffset, &taggedParams[i].len, 1);
+            copyOffset = copyOffset + 1;
+
+            memcpy(probeRespPacket + copyOffset, taggedParams[i].data, taggedParams[i].len_data);
+            copyOffset = copyOffset + taggedParams[i].len_data;
+        }
+    }
+        
+
+    memcpy(probeRespPacket + copyOffset, probeResp.fsc, probeResp.len_fsc);
+    copyOffset = copyOffset + probeResp.len_fsc;
+
+    //return packet
+    return probeRespPacket;    
+}

experiment5/frameCreator.h

@@ -0,0 +1,8 @@
+#ifndef FRAMECREATOR_H_
+#define FRAMECREATOR_H_
+
+//Creates Probe response frame
+u_char *createProbeResponse(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC);
+
+
+#endif

experiment5/frameDefinitions.h

@@ -0,0 +1,61 @@
+/*
+Defines structs for frame types.
+*/
+#ifndef FRAMEDEFINITIONS_H_
+#define FRAMEDEFINITIONS_H_
+
+//the int len_* fields are only used for copying the data to a packet,
+//so no fuzzing on those fields! Fuzzing should only be done on u_char datatypes
+
+//Information element
+typedef struct {
+    u_char id;
+    u_char len;
+    int len_data;
+    u_char *data;
+} infoElem;
+
+//Probe response frame
+typedef struct {
+    int len_radioTapHdr; 	//usually 32 bytes
+    u_char *radioTapHdr;
+
+    int len_type;			//1 byte
+    u_char *type; 			//Protocol version, type and subtype
+
+    int len_flags;			//1 byte
+    u_char *flags;			//to DS, from DS, more Frag, Retry, Pwr Mgt, more Data, WEP, Order
+
+    int len_duration;		//2 bytes
+    u_char *duration;
+
+    int len_destAddr;		//6 bytes
+    u_char *destAddr;
+
+    int len_sourceAddr;		//6 bytes
+    u_char *sourceAddr;
+
+    int len_bssAddr;		//6 bytes
+    u_char *bssAddr;
+
+    int len_seqNr;			//2 bytes 
+    u_char *seqNr;
+
+    int len_timeStamp; 		//8 bytes 
+    u_char *timeStamp;
+
+    int len_beaconInterval;	//2 bytes 
+    u_char *beaconInterval;
+
+    int len_capabInfo;		//2 bytes 
+    u_char *capabInfo;
+
+    int len_taggedParams; 	//variable size
+    infoElem *taggedParams; 
+
+    int len_fsc;			//4 bytes 
+    u_char *fsc;
+
+} probeResponse;
+
+#endif

experiment5/fuzzer.c

@@ -0,0 +1,65 @@
+/*
+Manages what to fuzz when.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include "frameDefinitions.h"
+#include "fuzzSSID.h"
+
+//Number of subfuzzers
+#define SUBFUZZERS (1)
+
+//CHANGE WHEN NEW SUBFUZZER
+//Array of pointers to subfuzzers update functions
+int (*p[SUBFUZZERS]) (int i) = {ssidFuzzUpdate};
+
+//State of sub-fuzzer
+//-1 = Done
+//0  = In progress
+int subFuzzState = -1;
+
+//Current sub-fuzzer
+//Starts with -1 to prevent skipping the first sub-fuzzer
+int subFuzzerIdx = -1;
+
+//Flag to indicate if the done with all subfuzzers notification has been sent
+int notifyDone = 0;
+
+int frameCounter = 0;
+
+//Controls state of fuzzer, and therefore what to fuzz next
+void increaseFuzzer()
+{
+    frameCounter = frameCounter + 1;
+    //while we still have sub-fuzzers to go
+    if (subFuzzerIdx < SUBFUZZERS)
+    {
+        if (subFuzzState == -1)
+        {
+            subFuzzerIdx = subFuzzerIdx + 1;
+            if (subFuzzerIdx < SUBFUZZERS)
+            {
+                subFuzzState = (*p[subFuzzerIdx]) (0);
+            }
+        }
+        else
+        {
+            subFuzzState = (*p[subFuzzerIdx]) (1);
+        }
+    }
+    //Done with all sub-fuzzers
+    else
+    {
+        //Only do first time
+        if (notifyDone == 0)
+        {
+            notifyDone = 1;
+            printf("Done with all subfuzzers\n");
+            printf("Sent %d different frames in total\n", frameCounter);
+            //Optional exit
+            exit(1);
+        }
+    }
+}

experiment5/fuzzer.h

@@ -0,0 +1,6 @@
+#ifndef FUZZER_H_
+#define FUZZER_H_
+
+void increaseFuzzer();
+
+#endif