1 /* 2 * FreeRTOS memory safety proofs with CBMC. 3 * Copyright (C) 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved. 4 * 5 * Permission is hereby granted, free of charge, to any person 6 * obtaining a copy of this software and associated documentation 7 * files (the "Software"), to deal in the Software without 8 * restriction, including without limitation the rights to use, copy, 9 * modify, merge, publish, distribute, sublicense, and/or sell copies 10 * of the Software, and to permit persons to whom the Software is 11 * furnished to do so, subject to the following conditions: 12 * 13 * The above copyright notice and this permission notice shall be 14 * included in all copies or substantial portions of the Software. 15 * 16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 17 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 18 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 19 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 20 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 21 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 23 * SOFTWARE. 24 * 25 * http://aws.amazon.com/freertos 26 * http://www.FreeRTOS.org 27 */ 28 29 /* FreeRTOS includes. */ 30 #include "FreeRTOS.h" 31 #include "queue.h" 32 33 /* FreeRTOS+TCP includes. */ 34 #include "FreeRTOS_IP.h" 35 #include "FreeRTOS_IP_Private.h" 36 #include "FreeRTOS_TCP_IP.h" 37 #include "FreeRTOS_ND.h" 38 39 /* CBMC includes. */ 40 #include "../../utility/memory_assignments.c" 41 #include "cbmc.h" 42 43 extern NDCacheRow_t xNDCache[ ipconfigND_CACHE_ENTRIES ]; 44 45 /* The checksum generation is stubbed out since the actual checksum 46 * does not matter. The stub will return an indeterminate value each time. */ usGenerateProtocolChecksum(const uint8_t * const pucEthernetBuffer,size_t uxBufferLength,BaseType_t xOutgoingPacket)47uint16_t usGenerateProtocolChecksum( const uint8_t * const pucEthernetBuffer, 48 size_t uxBufferLength, 49 BaseType_t xOutgoingPacket ) 50 { 51 uint16_t usReturn; 52 53 __CPROVER_assert( pucEthernetBuffer != NULL, "The ethernet buffer cannot be NULL" ); 54 __CPROVER_assert( __CPROVER_r_ok( pucEthernetBuffer, uxBufferLength ), "pucEthernetBuffer should be readable." ); 55 56 /* Return an indeterminate value. */ 57 return usReturn; 58 } 59 60 /* This function has been tested separately. Therefore, we assume that the implementation is correct. */ vReturnEthernetFrame(NetworkBufferDescriptor_t * pxNetworkBuffer,BaseType_t xReleaseAfterSend)61void vReturnEthernetFrame( NetworkBufferDescriptor_t * pxNetworkBuffer, 62 BaseType_t xReleaseAfterSend ) 63 { 64 __CPROVER_assert( pxNetworkBuffer != NULL, "The network buffer descriptor cannot be NULL." ); 65 } 66 67 /* This function has been tested separately. Therefore, we assume that the implementation is correct. */ vReceiveNA(const NetworkBufferDescriptor_t * pxNetworkBuffer)68void vReceiveNA( const NetworkBufferDescriptor_t * pxNetworkBuffer ) 69 { 70 __CPROVER_assert( pxNetworkBuffer != NULL, "The network buffer descriptor cannot be NULL." ); 71 } 72 73 /* This function has been tested separately. Therefore, we assume that the implementation is correct. */ xSendEventStructToIPTask(const IPStackEvent_t * pxEvent,TickType_t uxTimeout)74BaseType_t xSendEventStructToIPTask( const IPStackEvent_t * pxEvent, 75 TickType_t uxTimeout ) 76 { 77 BaseType_t xReturn; 78 79 __CPROVER_assume( xReturn == pdPASS || xReturn == pdFAIL ); 80 81 return xReturn; 82 } 83 84 /* This is an output function implemented by a third party and 85 * need not be tested with this proof. */ NetworkInterfaceOutputFunction_Stub(struct xNetworkInterface * pxDescriptor,NetworkBufferDescriptor_t * const pxNetworkBuffer,BaseType_t xReleaseAfterSend)86BaseType_t NetworkInterfaceOutputFunction_Stub( struct xNetworkInterface * pxDescriptor, 87 NetworkBufferDescriptor_t * const pxNetworkBuffer, 88 BaseType_t xReleaseAfterSend ) 89 { 90 __CPROVER_assert( pxDescriptor != NULL, "The network interface cannot be NULL." ); 91 __CPROVER_assert( pxNetworkBuffer != NULL, "The network buffer descriptor cannot be NULL." ); 92 __CPROVER_assert( pxNetworkBuffer->pucEthernetBuffer != NULL, "The Ethernet buffer cannot be NULL." ); 93 return 0; 94 } 95 96 /* Abstraction of this functions creates and return an endpoint, real endpoint doesn't matter in this test. */ FreeRTOS_FindEndPointOnIP_IPv6(const IPv6_Address_t * pxIPAddress)97NetworkEndPoint_t * FreeRTOS_FindEndPointOnIP_IPv6( const IPv6_Address_t * pxIPAddress ) 98 { 99 NetworkEndPoint_t * pxEndPoints = NULL; 100 101 __CPROVER_assert( pxIPAddress != NULL, "The pxIPAddress cannot be NULL." ); 102 103 pxEndPoints = ( NetworkEndPoint_t * ) safeMalloc( sizeof( NetworkEndPoint_t ) ); 104 105 if( ensure_memory_is_valid( pxEndPoints, sizeof( NetworkEndPoint_t ) ) ) 106 { 107 /* Interface init. */ 108 pxEndPoints->pxNetworkInterface = ( NetworkInterface_t * ) safeMalloc( sizeof( NetworkInterface_t ) ); 109 __CPROVER_assume( pxEndPoints->pxNetworkInterface != NULL ); 110 111 pxEndPoints->pxNext = NULL; 112 pxEndPoints->pxNetworkInterface->pfOutput = NetworkInterfaceOutputFunction_Stub; 113 } 114 115 return pxEndPoints; 116 } 117 harness()118void harness() 119 { 120 NetworkBufferDescriptor_t * pxNetworkBuffer = ensure_FreeRTOS_NetworkBuffer_is_allocated(); 121 uint32_t ulLen; 122 uint16_t usEthernetBufferSize; 123 NetworkBufferDescriptor_t xLocalBuffer; 124 125 /* The code does not expect pxNetworkBuffer to be NULL. */ 126 __CPROVER_assume( pxNetworkBuffer != NULL ); 127 128 __CPROVER_assume( ( ulLen >= sizeof( ICMPPacket_IPv6_t ) ) && ( ulLen < ipconfigNETWORK_MTU ) ); 129 130 pxNetworkBuffer->xDataLength = ulLen; 131 pxNetworkBuffer->pucEthernetBuffer = safeMalloc( ulLen ); 132 __CPROVER_assume( pxNetworkBuffer->pucEthernetBuffer != NULL ); 133 134 /* Add an end point to the network buffer present. Its assumed that the 135 * network interface layer correctly assigns the end point to the generated buffer. */ 136 pxNetworkBuffer->pxEndPoint = ( NetworkEndPoint_t * ) safeMalloc( sizeof( NetworkEndPoint_t ) ); 137 138 /* This assumption is made because the function is validating IPv6 related functionality 139 * which is validated only when bIPv6 is set*/ 140 __CPROVER_assume( ( pxNetworkBuffer->pxEndPoint != NULL ) && ( pxNetworkBuffer->pxEndPoint->bits.bIPv6 == pdTRUE_UNSIGNED ) ); 141 142 /* Non deterministically determine whether the pxARPWaitingNetworkBuffer will 143 * point to some valid data or will it be NULL. */ 144 if( nondet_bool() ) 145 { 146 /* The packet must at least be as big as an IPv6 Packet. The size is not 147 * checked in the function as the pointer is stored by the IP-task itself 148 * and therefore it will always be of the required size. */ 149 __CPROVER_assume( usEthernetBufferSize >= sizeof( IPPacket_IPv6_t ) ); 150 151 /* Add matching data length to the network buffer descriptor. */ 152 __CPROVER_assume( xLocalBuffer.xDataLength == usEthernetBufferSize ); 153 154 xLocalBuffer.pucEthernetBuffer = safeMalloc( usEthernetBufferSize ); 155 156 /* Since this pointer is maintained by the IP-task, either the pointer 157 * pxARPWaitingNetworkBuffer will be NULL or xLocalBuffer.pucEthernetBuffer 158 * will be non-NULL. */ 159 __CPROVER_assume( xLocalBuffer.pucEthernetBuffer != NULL ); 160 161 pxARPWaitingNetworkBuffer = &xLocalBuffer; 162 } 163 else 164 { 165 pxARPWaitingNetworkBuffer = NULL; 166 } 167 168 prvProcessICMPMessage_IPv6( pxNetworkBuffer ); 169 } 170
xref:
/FreeRTOS-Plus-TCP-v4.0.0/test/cbmc/proofs/ND/prvProcessICMPMessage_IPv6/ProcessICMPMessage_IPv6_harness.c
(revision 2d3f4daa567ffe71aeda2e0f6d0bc02850db0627)