diff --git a/src/fuzzers/FuzzBuffer.cc b/src/fuzzers/FuzzBuffer.cc
index ebae1a1db1..0eb166c786 100644
--- a/src/fuzzers/FuzzBuffer.cc
+++ b/src/fuzzers/FuzzBuffer.cc
@@ -6,7 +6,7 @@
 #include "FuzzBuffer.h"
-bool zeek::detail::FuzzBuffer::Valid() const
+bool zeek::detail::FuzzBuffer::Valid(int chunk_count_limit) const
 {
 if ( end - begin < PKT_MAGIC_LEN + 2 )
 return false;
@@ -14,9 +14,31 @@ bool zeek::detail::FuzzBuffer::Valid() const
 if ( memcmp(begin, PKT_MAGIC, PKT_MAGIC_LEN) != 0)
 return false;
+ if ( ChunkCount() > chunk_count_limit )
+ return false;
+
 return true;
 }
+int zeek::detail::FuzzBuffer::ChunkCount() const
+ {
+ auto pos = begin;
+ int chunks = 0;
+
+ while ( pos < end )
+ {
+ pos = (const unsigned char*)memmem(pos, end - pos,
+ PKT_MAGIC, PKT_MAGIC_LEN);
+ if ( ! pos )
+ break;
+
+ pos += PKT_MAGIC_LEN + 1;
+ chunks++;
+ }
+
+ return chunks;
+ }
+
 std::optional zeek::detail::FuzzBuffer::Next()
 {
 if ( begin == end )
diff --git a/src/fuzzers/FuzzBuffer.h b/src/fuzzers/FuzzBuffer.h
index 1b9cdb58a3..1959e6f18b 100644
--- a/src/fuzzers/FuzzBuffer.h
+++ b/src/fuzzers/FuzzBuffer.h
@@ -27,6 +27,7 @@ public:
 static constexpr int PKT_MAGIC_LEN = 4;
 static constexpr unsigned char PKT_MAGIC[PKT_MAGIC_LEN + 1] = "\1PKT";
+ static constexpr int MAX_CHUNK_COUNT = 64;
 /**
 * Initialize fuzz buffer.
@@ -39,9 +40,16 @@ public:
 /**
 * @return whether the fuzz buffer object is valid -- has enough bytes
- * to Deliver to an analyzer and starts with a *PKT_MAGIC* bytestring.
+ * to Deliver to an analyzer, starts with a *PKT_MAGIC* bytestring, and
+ * contains less than the limiting number of chunk.
+ * .
 */
- bool Valid() const;
+ bool Valid(int chunk_count_limit = MAX_CHUNK_COUNT) const;
+
+ /**
+ * @return the number of chunks in the fuzz buffer object
+ */
+ int ChunkCount() const;
 /**
 * @return the next chunk to deliver, if one could be extracted
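Review bot: In the new ChunkCount(), `pos += PKT_MAGIC_LEN + 1` can move `pos` past `end` when a magic occurrence sits in the final PKT_MAGIC_LEN bytes of the buffer, forming a pointer beyond one-past-the-end before the `while ( pos < end )` test stops the loop; counting first and guarding the advance, `chunks++; if ( end - pos < PKT_MAGIC_LEN + 1 ) break; pos += PKT_MAGIC_LEN + 1;`, keeps the arithmetic in range and gives the same count. The `(const unsigned char*)` cast on the memmem result should be `static_cast<const unsigned char*>(...)`, which is sufficient for a `void*` and matches the file's otherwise C++ style. memmem is a glibc/BSD extension rather than standard C or C++, so whether this is portable depends on what the harness already assumes — the includes are outside the hunk. The Valid() body this hunk extends starts outside the hunk.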
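Review bot: `MAX_CHUNK_COUNT = 64` is added without a comment saying what it bounds or why 64 was chosen, unlike the neighbouring PKT_MAGIC constants whose meaning is self-evident. A one-line doc comment such as `/** Default upper bound on the chunks Valid() accepts in one fuzz input; inputs with more are rejected. */` would let a reader change the value knowingly; the reason for the specific value (presumably keeping a single input from driving an unbounded number of deliveries) is not stated on the page and should be confirmed with the author.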
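Review bot: The new Valid() doc says the buffer "contains less than the limiting number of chunk", but the implementation in FuzzBuffer.cc rejects only when `ChunkCount() > chunk_count_limit`, so a buffer with exactly `chunk_count_limit` chunks is accepted; the comment also leaves a stray `* .` line. Replacing the two added lines with `* contains at most chunk_count_limit chunks (MAX_CHUNK_COUNT by default).` and dropping the `* .` line makes the comment match the code. The ChunkCount() doc could likewise state that it counts occurrences of PKT_MAGIC, since that is what the implementation does, rather than an abstract "number of chunks".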