annotate fuzz/fuzz-sshpacketmutator.c @ 1760:2406a9987810

Add first try at fuzzing custom mutator
author Matt Johnston <matt@ucc.asn.au>
date Sun, 25 Oct 2020 22:52:36 +0800
parents
children b688c884dad7
1 #include "fuzz.h"
3 size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);
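/* Split a fuzzer input into individual length-prefixed packets.
 *
 * inp              Input buffer. Its position is advanced as data is consumed.
 * out_packets      Receives one newly allocated buffer per packet, each
 *                  holding the length field followed by the packet bytes.
 *                  The caller releases them with buf_free().
 * num_out_packets  In: capacity of out_packets. Out: number of entries filled.
 *
 * An optional leading version banner is skipped. Length fields that cannot
 * be a real packet are treated as noise and parsing resyncs one byte later.
 */
static void fuzz_get_packets(buffer *inp, buffer **out_packets, unsigned int *num_out_packets) {
	/* Skip any existing banner. Format is
	  SSH-protoversion-softwareversion SP comments CR LF
	  so we look for SSH-2. then a subsequent LF */
	unsigned char *version = memmem(inp->data, inp->len, "SSH-2.", strlen("SSH-2."));
	if (version) {
		buf_incrpos(inp, version - inp->data);
		unsigned char *newline = memchr(&inp->data[inp->pos], '\n', inp->len - inp->pos);
		if (newline) {
			/* +1 consumes the LF itself, so packet parsing starts on the
			   first byte after the banner rather than on the LF.
			   newline lies inside [pos, len), so the new position is
			   at most inp->len. */
			buf_incrpos(inp, newline - &inp->data[inp->pos] + 1);
		} else {
			/* Give up on any version string */
			buf_setpos(inp, 0);
		}
	}

	const unsigned int max_out_packets = *num_out_packets;
	*num_out_packets = 0;
	while (1) {
		if (inp->pos + 4 > inp->len) {
			/* End of input: not enough bytes left for a length field */
			break;
		}

		if (*num_out_packets >= max_out_packets) {
			/* End of output: the caller's array is full */
			break;
		}

		/* Read packet */
		unsigned int packet_len = buf_getint(inp);
		/* new_packet below is RECV_MAX_PACKET_LEN bytes and must hold the
		   length field as well as the packet body, so anything larger than
		   RECV_MAX_PACKET_LEN - 4 cannot be stored. The original test was
		   inverted (<=): it rejected every plausible length and let
		   oversized ones through to the copy.
		   Assumes buf_getint/buf_putint move 4 bytes, matching the
		   4-byte check above - confirm against the buffer helpers. */
		if (packet_len > RECV_MAX_PACKET_LEN - 4) {
			/* Bad length, try skipping a single byte */
			buf_decrpos(inp, 3);
			continue;
		}
		/* A truncated final packet is kept, clamped to the bytes present */
		packet_len = MIN(packet_len, inp->len - inp->pos);

		/* Copy to output buffer */
		buffer *new_packet = buf_new(RECV_MAX_PACKET_LEN);
		buf_putint(new_packet, packet_len);
		buf_putbytes(new_packet, buf_getptr(inp, packet_len), packet_len);
		buf_incrpos(inp, packet_len);

		out_packets[*num_out_packets] = new_packet;
		(*num_out_packets)++;
	}

}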
/* Run libFuzzer's built-in mutator over the body of one packet buffer,
 * in place, then rewrite the length field and the buffer length to match
 * the mutated size. Buffers shorter than the 5-byte header are left alone.
 *
 * NOTE(review): the length field is set to the mutated size, while the
 * buffer keeps 5 header bytes in front of it; fuzz_get_packets() in this
 * file frames packets as "length field + that many bytes". Confirm the
 * one-byte difference is intended.
 */
void buf_llvm_mutate(buffer *buf) {
	/* packet_length and padding_length stay untouched */
	const unsigned int hdr_len = 5;
	size_t capacity;
	size_t mutated_len;

	if (buf->len >= hdr_len) {
		buf_setpos(buf, hdr_len);
		/* The mutator may grow the data up to the end of the allocation */
		capacity = buf->size - buf->pos;
		mutated_len = LLVMFuzzerMutate(buf_getwriteptr(buf, capacity),
			buf->len - buf->pos, capacity);
		/* Rewind to overwrite the length field at the start */
		buf_setpos(buf, 0);
		buf_putint(buf, mutated_len);
		buf_setlen(buf, hdr_len + mutated_len);
	}
}
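/* Version banner the mutator places at the start of its output */
static const char* FIXED_VERSION = "SSH-2.0-dbfuzz\r\n";
/* Maximum number of packets parsed out of one input. This is an enum
 * constant rather than a const object because it sizes an array that is
 * declared with an initialiser; in C a const size_t is not an integer
 * constant expression, so the array would be a VLA, which may not be
 * initialised (accepted only as a compiler extension). */
enum { MAX_FUZZ_PACKETS = 500 };
/* XXX This might need tuning */
static const size_t MAX_OUT_SIZE = 50000;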
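/* libFuzzer custom-mutator hook that mutates at packet granularity.
 *
 * Data     Input bytes; overwritten with the mutated result.
 * Size     Number of valid bytes in Data on entry.
 * MaxSize  Capacity of Data; the result never exceeds it.
 * Seed     Seed for this call's private random state.
 *
 * Returns the number of bytes written to Data.
 *
 * The input is split into packets, then an output stream is built from a
 * fixed version banner followed by the packets, with random insertions,
 * drops and per-packet mutations. 1% of calls, and inputs with no
 * parseable packet, fall back to libFuzzer's plain byte mutator.
 */
size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
		size_t MaxSize, unsigned int Seed) {
	/* unsigned to match num_packets and avoid a signed/unsigned compare */
	unsigned int i;
	unsigned short randstate[3] = {0,0,0};
	memcpy(randstate, &Seed, sizeof(Seed));

	/* 1% chance straight llvm mutate */
	if (nrand48(randstate) % 100 == 0) {
		return LLVMFuzzerMutate(Data, Size, MaxSize);
	}

	/* Wrap the input without copying so the buffer helpers can parse it */
	buffer inp_buf = {.data = Data, .size = Size, .len = Size, .pos = 0};
	buffer *inp = &inp_buf;

	/* Parse packets */
	buffer* packets[MAX_FUZZ_PACKETS] = {0};
	unsigned int num_packets = MAX_FUZZ_PACKETS;
	fuzz_get_packets(inp, packets, &num_packets);

	if (num_packets == 0) {
		// gotta do something
		const size_t seeded = MIN(strlen(FIXED_VERSION), MaxSize);
		memcpy(Data, FIXED_VERSION, seeded);
		/* Tell the mutator about the banner bytes just written. Passing
		   the old Size dropped part or all of the banner whenever the
		   input was shorter than it. seeded never exceeds MaxSize. */
		if (Size < seeded) {
			Size = seeded;
		}
		return LLVMFuzzerMutate(Data, Size, MaxSize);
	}

	/* Start output */
	buffer *oup = buf_new(MAX_OUT_SIZE);
	/* Put a new banner to output */
	buf_putbytes(oup, FIXED_VERSION, strlen(FIXED_VERSION));

	/* Iterate output. The extra pass (i == num_packets) allows an
	   insertion after the last original packet. */
	for (i = 0; i <= num_packets; i++) {
		// These are pointers to output
		buffer *out_packetA = NULL, *out_packetB = NULL;
		// These need to be freed
		buffer *alloc_packetA = NULL, *alloc_packetB = NULL;

		/* Slot A, an extra packet inserted before packet i: 5% chance each
		   of a verbatim or a mutated copy of a random packet.
		   (An unused random draw from the original was removed here.) */
		const int optA = nrand48(randstate) % 20;
		if (optA == 0) {
			/* Copy another */
			out_packetA = packets[nrand48(randstate) % num_packets];
		}
		if (optA == 1) {
			/* Mutate another */
			alloc_packetA = buf_new(RECV_MAX_PACKET_LEN);
			buffer *from = packets[nrand48(randstate) % num_packets];
			buf_putbytes(alloc_packetA, from->data, from->len);
			out_packetA = alloc_packetA;
			buf_llvm_mutate(out_packetA);
		}

		/* Slot B, the original packet i: 10% chance each of mutate or
		   drop, otherwise copied unchanged. The original only copied when
		   optB == 0, so 8 of 10 packets were dropped without that being
		   the stated intent. */
		if (i < num_packets) {
			int optB = nrand48(randstate) % 10;
			if (optB == 1) {
				/* Drop it */
			} else if (optB == 2) {
				/* Mutate it: packet i itself, not a random one as the
				   original did (copied from the "Mutate another" case) */
				alloc_packetB = buf_new(RECV_MAX_PACKET_LEN);
				buffer *from = packets[i];
				buf_putbytes(alloc_packetB, from->data, from->len);
				out_packetB = alloc_packetB;
				buf_llvm_mutate(out_packetB);
			} else {
				/* Copy as-is */
				out_packetB = packets[i];
			}
		}

		/* Append only what still fits; anything that does not is skipped */
		if (out_packetA && oup->len + out_packetA->len <= oup->size) {
			buf_putbytes(oup, out_packetA->data, out_packetA->len);
		}
		if (out_packetB && oup->len + out_packetB->len <= oup->size) {
			buf_putbytes(oup, out_packetB->data, out_packetB->len);
		}
		if (alloc_packetA) {
			buf_free(alloc_packetA);
			alloc_packetA = NULL;
		}
		if (alloc_packetB) {
			buf_free(alloc_packetB);
			alloc_packetB = NULL;
		}
	}

	/* The parsed packets are owned by this function */
	for (i = 0; i < num_packets; i++) {
		buf_free(packets[i]);
	}

	/* Never write more than libFuzzer allows into Data */
	size_t ret_len = MIN(MaxSize, oup->len);
	memcpy(Data, oup->data, ret_len);
	buf_free(oup);
	return ret_len;
}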