Mercurial > dropbear
comparison fuzz/fuzz-sshpacketmutator.c @ 1766:b14e0a19bcbe
crossover works
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Mon, 26 Oct 2020 23:06:41 +0800 |
| parents | b688c884dad7 |
| children | 3e1e1f82eba6 |
comparison
equal
deleted
inserted
replaced
| 1765:b688c884dad7 | 1766:b14e0a19bcbe |
|---|---|
| 199 memcpy(Data, oup->data, ret_len); | 199 memcpy(Data, oup->data, ret_len); |
| 200 // printhex("mutator done", Data, ret_len); | 200 // printhex("mutator done", Data, ret_len); |
| 201 return ret_len; | 201 return ret_len; |
| 202 } | 202 } |
| 203 | 203 |
| 204 | 204 size_t LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1, |
| 205 const uint8_t *Data2, size_t Size2, | |
| 206 uint8_t *Out, size_t MaxOutSize, | |
| 207 unsigned int Seed) { | |
| 208 unsigned short randstate[3] = {0,0,0}; | |
| 209 memcpy(randstate, &Seed, sizeof(Seed)); | |
| 210 | |
| 211 unsigned int i; | |
| 212 buffer inp_buf1 = {.data = (void*)Data1, .size = Size1, .len = Size1, .pos = 0}; | |
| 213 buffer *inp1 = &inp_buf1; | |
| 214 buffer inp_buf2 = {.data = (void*)Data2, .size = Size2, .len = Size2, .pos = 0}; | |
| 215 buffer *inp2 = &inp_buf2; | |
| 216 | |
| 217 buffer* packets1[MAX_FUZZ_PACKETS]; | |
| 218 unsigned int num_packets1 = MAX_FUZZ_PACKETS; | |
| 219 fuzz_get_packets(inp1, packets1, &num_packets1); | |
| 220 buffer* packets2[MAX_FUZZ_PACKETS]; | |
| 221 unsigned int num_packets2 = MAX_FUZZ_PACKETS; | |
| 222 fuzz_get_packets(inp2, packets2, &num_packets2); | |
| 223 | |
| 224 buffer *oup = buf_new(MAX_OUT_SIZE); | |
| 225 /* Put a new banner to output */ | |
| 226 buf_putbytes(oup, FIXED_VERSION, strlen(FIXED_VERSION)); | |
| 227 | |
| 228 for (i = 0; i < num_packets1+1; i++) { | |
| 229 if (num_packets2 > 0 && nrand48(randstate) % 10 == 0) { | |
| 230 /* 10% chance of taking another packet at each position */ | |
| 231 int other = nrand48(randstate) % num_packets2; | |
| 232 buffer *otherp = packets2[other]; | |
| 233 if (oup->len + otherp->len <= oup->size) { | |
| 234 buf_putbytes(oup, otherp->data, otherp->len); | |
| 235 } | |
| 236 } | |
| 237 if (i < num_packets1) { | |
| 238 buffer *thisp = packets1[i]; | |
| 239 if (oup->len + thisp->len <= oup->size) { | |
| 240 buf_putbytes(oup, thisp->data, thisp->len); | |
| 241 } | |
| 242 } | |
| 243 } | |
| 244 | |
| 245 for (i = 0; i < num_packets1; i++) { | |
| 246 buf_free(packets1[i]); | |
| 247 } | |
| 248 for (i = 0; i < num_packets2; i++) { | |
| 249 buf_free(packets2[i]); | |
| 250 } | |
| 251 | |
| 252 size_t ret_len = MIN(MaxOutSize, oup->len); | |
| 253 memcpy(Out, oup->data, ret_len); | |
| 254 buf_free(oup); | |
| 255 return ret_len; | |
| 256 } | |
| 257 |