Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 02:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Adjust minor fuzzing documentation

Browse source
This commit is contained in:
Jon Siwek 2020-04-27 15:46:28 -07:00
parent 91eff92335
commit 0623539d80
2 changed files with 31 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

30
src/fuzzers/FuzzBuffer.h
View file

@ -4,19 +4,47 @@
namespace zeek { namespace zeek {
struct FuzzBuffer { /**
* This structure helps chunk/simulate protocol conversions from arbitrary
* input strings (like those produced by fuzzing engines). A fuzzing engine
* passes in some input string, and we chunk it into originator/responder
* messages according to any PKT_MAGIC delimiting bytestrings found in that
* input (originator vs. responder is determined by inspecting low-bit of
* the byte immediately following PKT_MAGIC and then the remaining bytes up
* to the next PKT_MAGIC delimiter are considered to be the next buffer to
* send along to an analyzers Deliver method.
*/
class FuzzBuffer {
static constexpr int PKT_MAGIC_LEN = 4; static constexpr int PKT_MAGIC_LEN = 4;
static constexpr unsigned char PKT_MAGIC[PKT_MAGIC_LEN + 1] = "\1PKT"; static constexpr unsigned char PKT_MAGIC[PKT_MAGIC_LEN + 1] = "\1PKT";
/**
* Initialize fuzz buffer.
* @param data pointer to start of fuzzing buffer produced by fuzz engine.
* @param size size of the fuzzing buffer pointed to by *data*.
*/
FuzzBuffer(const unsigned char* data, size_t size) FuzzBuffer(const unsigned char* data, size_t size)
: begin(data), end(data + size) : begin(data), end(data + size)
{ } { }
/**
* @return whether the fuzz buffer object is valid -- has enough bytes
* to Deliver to an analyzer and starts with a *PKT_MAGIC* bytestring.
*/
bool Valid() const; bool Valid() const;
/**
* Finds the next chunk of data to pass along to an analyzer.
* @param chunk the data chunk to return
* @param len the size of the chunk returned in *chunk*
* @param is_orig whether returned chunk is from originator or responder
* @return a value less than zero if a chunk could not be extracted
*/
int Next(const unsigned char** chunk, size_t* len, bool* is_orig); int Next(const unsigned char** chunk, size_t* len, bool* is_orig);
private:
const unsigned char* begin; const unsigned char* begin;
const unsigned char* end; const unsigned char* end;
}; };

5
src/fuzzers/README
View file

@ -13,7 +13,7 @@ First configure and build for fuzzing (with libFuzzer) and code coverage::
$ LIB_FUZZING_ENGINE="" CC=clang CXX=clang++ \ $ LIB_FUZZING_ENGINE="" CC=clang CXX=clang++ \
CFLAGS="-fprofile-instr-generate -fcoverage-mapping" \ CFLAGS="-fprofile-instr-generate -fcoverage-mapping" \
CXXFLAGS="-fprofile-instr-generate -fcoverage-mapping" \ CXXFLAGS="-fprofile-instr-generate -fcoverage-mapping" \
./configure --build-type=RelWithDebInfo --build-dir=./build-fuzz-cov \ ./configure --build-type=debug --build-dir=./build-fuzz-cov \
--sanitizers=fuzzer-no-link --enable-fuzzers --sanitizers=fuzzer-no-link --enable-fuzzers
$ cd build-fuzz-cov && make -j $(nproc) $ cd build-fuzz-cov && make -j $(nproc)
@ -65,8 +65,7 @@ standalone mode, they'll process all input files provided as arguments
First configure and build:: First configure and build::
$ CC=clang CXX=clang++ \ $ ./configure --build-type=debug --build-dir=./build-fuzz-check \
./configure --build-type=debug --build-dir=./build-fuzz-check \
--sanitizers=address --enable-fuzzers --sanitizers=address --enable-fuzzers
$ cd build-fuzz-check && make -j $(nproc) $ cd build-fuzz-check && make -j $(nproc)