Chiebot-Mirror
/
c-ares
mirror of https://github.com/c-ares/c-ares.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

test: fuzzer mode for AFL's persistent mode

Browse Source 
When fuzzing with AFL, if the LLVM-based instrumentation is
used (via the afl-clang-fast wrapper), then it is possible to
have a single execution of the fuzzer program iterate multiple
times over the fuzzing entrypoint (similar to libFuzzer's normal
mode of execution) with different data.  This is much (e.g. 10x)
faster.

Add code to support this, by checking whether __AFL_LOOP is
defined at compile-time.

Also, shift the code to effectively be C rather than C++.
pull/62/head
David Drysdale 9 years ago
parent 9556ddf7af
commit 5a1ae0bc7a
1 changed files with 31 additions and 14 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 43
      test/ares-fuzz.cc

43
test/ares-fuzz.cc
Unescape View File

@ -1,36 +1,53 @@
// General driver to allow command-line fuzzer (i.e. afl) to /*
// fuzz the libfuzzer entrypoint. * General driver to allow command-line fuzzer (i.e. afl) to
* exercise the libFuzzer entrypoint.
*/
#include <sys/types.h> #include <sys/types.h>
#include <fcntl.h> #include <fcntl.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h> #include <unistd.h>
#include <iostream> static const int kMaxAflInputSize = 1 << 20;
static unsigned char afl_buffer[kMaxAflInputSize];
#include <vector> #ifdef __AFL_LOOP
/* If we are built with afl-clang-fast, use persistent mode */
#define KEEP_FUZZING(count) __AFL_LOOP(1000)
#else
/* If we are built with afl-clang, execute each input once */
#define KEEP_FUZZING(count) ((count) < 1)
#endif
/* In ares-test-fuzz.cc: */
extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data,
unsigned long size); unsigned long size);
static void ProcessFile(int fd) { static void ProcessFile(int fd) {
std::vector<unsigned char> input; ssize_t count = read(fd, afl_buffer, kMaxAflInputSize);
while (true) { /*
unsigned char buffer[1024]; * Make a copy of the data so that it's not part of a larger
int len = read(fd, buffer, sizeof(buffer)); * buffer (where buffer overflows would go unnoticed).
if (len <= 0) break; */
input.insert(input.end(), buffer, buffer + len); unsigned char *copied_data = (unsigned char *)malloc(count);
} LLVMFuzzerTestOneInput(copied_data, count);
LLVMFuzzerTestOneInput(input.data(), input.size()); free(copied_data);
} }
int main(int argc, char *argv[]) { int main(int argc, char *argv[]) {
if (argc == 1) { if (argc == 1) {
int count = 0;
while (KEEP_FUZZING(count)) {
ProcessFile(fileno(stdin)); ProcessFile(fileno(stdin));
count++;
}
} else { } else {
for (int ii = 1; ii < argc; ++ii) { for (int ii = 1; ii < argc; ++ii) {
int fd = open(argv[ii], O_RDONLY); int fd = open(argv[ii], O_RDONLY);
if (fd < 0) { if (fd < 0) {
std::cerr << "Failed to open '" << argv[ii] << "'" << std::endl; fprintf(stderr, "Failed to open '%s'\n", argv[ii]);
continue; continue;
} }
ProcessFile(fd); ProcessFile(fd);

Write Preview
Loading…
Cancel
Save