Add CBMC proof for DHCPProcess IPv4 (#918)

* renaming DHCPProcess to DHCPProcessEndPoint

* adding CBMC proof for DHCP process v4

* fix DHCP issues

* fix issues and improve coverage

* fix formatting

* removing unsused code

* removing copyright from *.json files

* adding changes as per revieew comments

Author: tony-josi-aws

source/FreeRTOS_DHCP.c

@@ -222,7 +222,7 @@
             /* No need to initialise 'pucUDPPayload', it just looks nicer. */
             uint8_t * pucUDPPayload = NULL;
             const DHCPMessage_IPv4_t * pxDHCPMessage;
-            BaseType_t lBytes;
+            int32_t lBytes;
 
             while( xDHCPv4Socket != NULL )
             {
@@ -232,7 +232,7 @@
                 /* Peek the next UDP message. */
                 lBytes = FreeRTOS_recvfrom( xDHCPv4Socket, &( pucUDPPayload ), 0, xRecvFlags, NULL, NULL );
 
-                if( lBytes <= 0 )
+                if( lBytes < ( ( int32_t ) sizeof( DHCPMessage_IPv4_t ) ) )
                 {
                     if( ( lBytes < 0 ) && ( lBytes != -pdFREERTOS_ERRNO_EAGAIN ) )
                     {

test/cbmc/proofs/DHCP/DHCPProcess/DHCPProcess_harness.c

@@ -51,20 +51,24 @@ extern DHCPData_t xDHCPData;
 extern Socket_t xDHCPv4Socket;
 void prvCreateDHCPSocket( NetworkEndPoint_t * pxEndPoint );
 
-/* Static member defined in freertos_api.c */
-#ifdef CBMC_GETNETWORKBUFFER_FAILURE_BOUND
-    extern uint32_t GetNetworkBuffer_failure_count;
-#endif
+uint32_t uxSocketCloseCnt = 0;
 
+DHCPMessage_IPv4_t xDHCPMessage;
 
 
+void __CPROVER_file_local_FreeRTOS_DHCP_c_prvCloseDHCPSocket( const NetworkEndPoint_t * pxEndPoint );
+
 /****************************************************************
-* The signature of the function under test.
+* vDHCPProcessEndPoint() is proved separately
 ****************************************************************/
 
 void __CPROVER_file_local_FreeRTOS_DHCP_c_vDHCPProcessEndPoint( BaseType_t xReset,
                                                                 BaseType_t xDoCheck,
-                                                                NetworkEndPoint_t * pxEndPoint );
+                                                                NetworkEndPoint_t * pxEndPoint )
+{
+    __CPROVER_assert( pxEndPoint != NULL,
+                      "FreeRTOS precondition: pxEndPoint != NULL" );
+}
 
 /****************************************************************
 * Abstract prvProcessDHCPReplies proved memory safe in ProcessDHCPReplies.
@@ -111,25 +115,55 @@ BaseType_t vSocketBind( FreeRTOS_Socket_t * pxSocket,
 NetworkBufferDescriptor_t * pxGetNetworkBufferWithDescriptor( size_t xRequestedSizeBytes,
                                                               TickType_t xBlockTimeTicks )
 {
-    NetworkBufferDescriptor_t * pxNetworkBuffer = ( NetworkBufferDescriptor_t * ) malloc( sizeof( NetworkBufferDescriptor_t ) );
+    NetworkBufferDescriptor_t * pxNetworkBuffer = ( NetworkBufferDescriptor_t * ) safeMalloc( sizeof( NetworkBufferDescriptor_t ) );
 
     __CPROVER_assume( pxNetworkBuffer != NULL );
     __CPROVER_assume( xRequestedSizeBytes > ( dhcpFIRST_OPTION_BYTE_OFFSET + sizeof( MACAddress_t ) + ipIP_TYPE_OFFSET ) );
 
-    pxNetworkBuffer->pucEthernetBuffer = ( ( uint8_t * ) malloc( xRequestedSizeBytes + ( ipIP_TYPE_OFFSET ) ) ) + ipIP_TYPE_OFFSET;
+    pxNetworkBuffer->pucEthernetBuffer = ( ( uint8_t * ) safeMalloc( xRequestedSizeBytes + ( ipIP_TYPE_OFFSET ) ) );
     __CPROVER_assume( pxNetworkBuffer->pucEthernetBuffer != NULL );
 
+    /* Increment with expected buffer padding */
+    pxNetworkBuffer->pucEthernetBuffer += ipIP_TYPE_OFFSET;
+
     pxNetworkBuffer->xDataLength = xRequestedSizeBytes;
     return pxNetworkBuffer;
 }
 
+/* FreeRTOS_ReleaseUDPPayloadBuffer is mocked here and the memory
+ * is not freed as the buffer allocated by the FreeRTOS_recvfrom is static
+ * memory */
 void FreeRTOS_ReleaseUDPPayloadBuffer( void * pvBuffer )
 {
     __CPROVER_assert( pvBuffer != NULL,
                       "FreeRTOS precondition: pvBuffer != NULL" );
+}
 
-    /* Free buffer after adjusting offsets. */
-    free( ( ( ( uint8_t * ) pvBuffer ) - ( ipUDP_PAYLOAD_OFFSET_IPv4 + ipIP_TYPE_OFFSET ) ) );
+/* For the DHCP process loop to be fully covered, we expect FreeRTOS_recvfrom
+ * to fail after few iterations. This is because vDHCPProcessEndPoint is proved
+ * separately and is stubbed out for this proof, which ideally is supposed to close
+ * the socket and end the loop. */
+int32_t FreeRTOS_recvfrom( Socket_t xSocket,
+                           void * pvBuffer,
+                           size_t uxBufferLength,
+                           BaseType_t xFlags,
+                           struct freertos_sockaddr * pxSourceAddress,
+                           socklen_t * pxSourceAddressLength )
+
+{
+    static uint32_t recvRespCnt = 0;
+    int32_t retVal = -1;
+
+    __CPROVER_assert( pvBuffer != NULL,
+                      "FreeRTOS precondition: pvBuffer != NULL" );
+
+    if( ++recvRespCnt < ( FR_RECV_FROM_SUCCESS_COUNT - 1 ) )
+    {
+        *( ( void ** ) pvBuffer ) = ( void * ) &xDHCPMessage;
+        retVal = sizeof( xDHCPMessage );
+    }
+
+    return retVal;
 }
 
 /****************************************************************
@@ -139,18 +173,18 @@ void FreeRTOS_ReleaseUDPPayloadBuffer( void * pvBuffer )
 void harness()
 {
     BaseType_t xReset;
-    BaseType_t xDoCheck;
+    eDHCPState_t eExpectedState;
 
-    pxNetworkEndPoints = ( NetworkEndPoint_t * ) malloc( sizeof( NetworkEndPoint_t ) );
+    pxNetworkEndPoints = ( NetworkEndPoint_t * ) safeMalloc( sizeof( NetworkEndPoint_t ) );
     __CPROVER_assume( pxNetworkEndPoints != NULL );
 
     /* Interface init. */
-    pxNetworkEndPoints->pxNetworkInterface = ( NetworkInterface_t * ) malloc( sizeof( NetworkInterface_t ) );
+    pxNetworkEndPoints->pxNetworkInterface = ( NetworkInterface_t * ) safeMalloc( sizeof( NetworkInterface_t ) );
     __CPROVER_assume( pxNetworkEndPoints->pxNetworkInterface != NULL );
 
     if( nondet_bool() )
     {
-        pxNetworkEndPoints->pxNext = ( NetworkEndPoint_t * ) malloc( sizeof( NetworkEndPoint_t ) );
+        pxNetworkEndPoints->pxNext = ( NetworkEndPoint_t * ) safeMalloc( sizeof( NetworkEndPoint_t ) );
         __CPROVER_assume( pxNetworkEndPoints->pxNext != NULL );
         pxNetworkEndPoints->pxNext->pxNext = NULL;
         pxNetworkEndPoints->pxNext->pxNetworkInterface = pxNetworkEndPoints->pxNetworkInterface;
@@ -160,33 +194,17 @@ void harness()
         pxNetworkEndPoints->pxNext = NULL;
     }
 
-    NetworkEndPoint_t * pxNetworkEndPoint_Temp = ( NetworkEndPoint_t * ) malloc( sizeof( NetworkEndPoint_t ) );
-    __CPROVER_assume( pxNetworkEndPoint_Temp != NULL );
-    pxNetworkEndPoint_Temp->pxNext = NULL;
-
-    /****************************************************************
-    * Initialize the counter used to bound the number of times
-    * GetNetworkBufferWithDescriptor can fail.
-    ****************************************************************/
-
-    #ifdef CBMC_GETNETWORKBUFFER_FAILURE_BOUND
-        GetNetworkBuffer_failure_count = 0;
-    #endif
-
-    /****************************************************************
-    * Assume a valid socket in most states of the DHCP state machine.
-    *
-    * The socket is created in the eWaitingSendFirstDiscover state.
-    * xReset==True resets the state to eWaitingSendFirstDiscover.
-    ****************************************************************/
-
-    if( !( ( pxNetworkEndPoint_Temp->xDHCPData.eDHCPState == eInitialWait ) ||
+    if( !( ( pxNetworkEndPoints->xDHCPData.eDHCPState == eInitialWait ) ||
            ( xReset != pdFALSE ) ) )
     {
-        prvCreateDHCPSocket( pxNetworkEndPoint_Temp );
+        prvCreateDHCPSocket( pxNetworkEndPoints );
     }
 
-    xDHCPv4Socket = FreeRTOS_socket( FREERTOS_AF_INET, FREERTOS_SOCK_DGRAM, FREERTOS_IPPROTO_UDP );
+    /* Assume vDHCPProcess is only called on IPv4 endpoints which is
+     * validated before the call to vDHCPProcess */
+    __CPROVER_assume( pxNetworkEndPoints->bits.bIPv6 == 0 );
+
+    vDHCPProcess( xReset, pxNetworkEndPoints );
 
-    __CPROVER_file_local_FreeRTOS_DHCP_c_vDHCPProcessEndPoint( xReset, xDoCheck, pxNetworkEndPoint_Temp );
+    __CPROVER_file_local_FreeRTOS_DHCP_c_prvCloseDHCPSocket( pxNetworkEndPoints );
 }

test/cbmc/proofs/DHCP/DHCPProcess/Makefile.json

@@ -1,31 +1,3 @@
-#
-# FreeRTOS memory safety proofs with CBMC.
-# Copyright (C) 2022 Amazon.com, Inc. or its affiliates.  All Rights Reserved.
-#
-# Permission is hereby granted, free of charge, to any person
-# obtaining a copy of this software and associated documentation
-# files (the "Software"), to deal in the Software without
-# restriction, including without limitation the rights to use, copy,
-# modify, merge, publish, distribute, sublicense, and/or sell copies
-# of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be
-# included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
-# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
-# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-# SOFTWARE.
-#
-# http://aws.amazon.com/freertos
-# http://www.FreeRTOS.org
-#
-
 {
   "ENTRY": "DHCPProcess",
 
@@ -36,10 +8,10 @@
   # The number of times GetNetworkBufferWithDescriptor can be allowed to fail
   # (plus 1).
   "FAILURE_BOUND": 2,
+  "LOOP_UNWIND_COUNT": 4,
 
   "CBMCFLAGS": [
-    "--unwind 4",
-    "--unwindset strlen.0:11,memcmp.0:7",
+    "--unwind {LOOP_UNWIND_COUNT}",
     "--nondet-static --flush"
   ],
   "OPT":
@@ -50,13 +22,13 @@
   [
     "$(ENTRY)_harness.goto",
     "$(FREERTOS_PLUS_TCP)/test/cbmc/stubs/cbmc.goto",
-    "$(FREERTOS_PLUS_TCP)/test/cbmc/stubs/freertos_api.goto",
     "$(FREERTOS_PLUS_TCP)/source/FreeRTOS_DHCP.goto",
     "$(FREERTOS_PLUS_TCP)/source/FreeRTOS_IP.goto",
     "$(FREERTOS_PLUS_TCP)/source/FreeRTOS_ARP.goto"
   ],
   "DEF":
   [
+    "FR_RECV_FROM_SUCCESS_COUNT={LOOP_UNWIND_COUNT}",
     "BUFFER_SIZE={BUFFER_SIZE}",
     "ipconfigDHCP_REGISTER_HOSTNAME=1",
     "CBMC_REQUIRE_NETWORKBUFFER_ETHERNETBUFFER_NONNULL=1",