1 /*
2 american fuzzy lop++ - sample argv fuzzing wrapper
3 ------------------------------------------------
4
5 Originally written by Michal Zalewski
6
7 Copyright 2015 Google Inc. All rights reserved.
8
9 Licensed under the Apache License, Version 2.0 (the "License");
10 you may not use this file except in compliance with the License.
11 You may obtain a copy of the License at:
12
13 http://www.apache.org/licenses/LICENSE-2.0
14
15 This file shows a simple way to fuzz command-line parameters with stock
16 afl-fuzz. To use, add:
17
18 #include "/path/to/argv-fuzz-inl.h"
19
20 ...to the file containing main(), ideally placing it after all the
21 standard includes. Next, put AFL_INIT_ARGV(); near the very beginning of
22 main().
23
24 This will cause the program to read NUL-delimited input from stdin and
put it in argv[]. Two consecutive NULs terminate the array. Empty
params are encoded as a lone 0x02. As a consequence, a parameter that
consists solely of the byte 0x02 cannot be expressed, but that shouldn't
matter in practice.
28
29 If you would like to always preserve argv[0], use this instead:
30 AFL_INIT_SET0("prog_name");
31
To enable persistent fuzzing, use the AFL_INIT_ARGV_PERSISTENT macro with
buf as its argument, or use AFL_INIT_SET0_PERSISTENT("prog_name", buf)
to preserve argv[0]. buf is a pointer to the buffer holding the input data
of the test case currently being processed, defined as:
unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF;
Note that the persistent variants are not given a length: they walk buf
until two consecutive NULs are found, so the buffer must be terminated
that way or the walk will run past its end.
37 */
38
39 #ifndef _HAVE_ARGV_FUZZ_INL
40 #define _HAVE_ARGV_FUZZ_INL
41
42 #include <stdlib.h>
43 #include <unistd.h>
44
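/* Replace main()'s argc/argv with parameters parsed from stdin. argv[0]
   becomes the first NUL-delimited field of the input. */
#define AFL_INIT_ARGV() \
  do { \
    argv = afl_init_argv(&argc); \
  } while (0)

/* Like AFL_INIT_ARGV(), but force argv[0] to _p. When the input yields no
   parameters at all, argc is bumped to 1 and argv[1] is cleared so the
   array stays NULL-terminated (argv is a static array and may otherwise
   still hold an entry from an earlier call). */
#define AFL_INIT_SET0(_p) \
  do { \
    argv = afl_init_argv(&argc); \
    argv[0] = (_p); \
    if (!argc) { \
      argc = 1; \
      argv[1] = NULL; \
    } \
  } while (0)

/* Persistent-mode variant of AFL_INIT_ARGV(): parameters are parsed from
   persistent_buff (the current test case) instead of stdin. */
#define AFL_INIT_ARGV_PERSISTENT(persistent_buff) \
  do { \
    argv = afl_init_argv_persistent(&argc, persistent_buff); \
  } while (0)

/* Persistent-mode variant of AFL_INIT_SET0(). The argv array is reused
   across iterations, so argv[1] must be cleared when argc is forced to 1;
   otherwise it would point at a stale entry from a previous test case. */
#define AFL_INIT_SET0_PERSISTENT(_p, persistent_buff) \
  do { \
    argv = afl_init_argv_persistent(&argc, persistent_buff); \
    argv[0] = (_p); \
    if (!argc) { \
      argc = 1; \
      argv[1] = NULL; \
    } \
  } while (0)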
76
/* Upper bounds for the parsed command line: total bytes of input buffered
   from stdin (including the two terminating NULs appended by the parser)
   and the number of argv slots available. */
#define MAX_CMDLINE_LEN 100000
#define MAX_CMDLINE_PAR 50000
79
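/* Read a NUL-delimited parameter list from stdin and build an argv array
   from it.

   argc receives the number of parameters found. Returns a static,
   NULL-terminated array of pointers into a static input buffer; both are
   overwritten by the next call. Exits the process when no input could be
   read at all. */
static char **afl_init_argv(int *argc) {

  static char  in_buf[MAX_CMDLINE_LEN];
  static char *ret[MAX_CMDLINE_PAR];

  char  *ptr = in_buf;
  int    rc = 0;
  size_t num = 0;

  /* Slurp the whole test case from stdin. A single read() may return fewer
     bytes than requested (e.g. when stdin is a pipe), so keep reading until
     EOF, an error, or the buffer is full. Two bytes are held back for the
     double-NUL terminator appended below. */
  while (num < MAX_CMDLINE_LEN - 2) {

    ssize_t got = read(0, in_buf + num, MAX_CMDLINE_LEN - 2 - num);
    if (got <= 0) break;   /* EOF or error: use what has been read so far */
    num += (size_t)got;

  }

  /* No input at all (or a failed first read): nothing to build argv from. */
  if (num < 1) { _exit(1); }

  in_buf[num] = '\0';
  in_buf[num + 1] = '\0';

  /* Split on NULs. The loop ends at an empty field (two consecutive NULs),
     or one slot short of the array's end so that ret[rc] can still be set. */
  while (*ptr && rc < MAX_CMDLINE_PAR - 1) {

    ret[rc] = ptr;
    /* A lone 0x02 encodes an empty parameter: point at its terminator. */
    if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++;
    rc++;

    while (*ptr)
      ptr++;
    ptr++;

  }

  /* Keep argv[argc] == NULL, as programs that walk argv up to NULL expect. */
  ret[rc] = NULL;

  *argc = rc;

  return ret;

}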
110
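/* Build an argv array from a NUL-delimited parameter list already held in
   memory (persistent mode).

   persistent_buff must end with two consecutive NULs: no length is passed,
   so the walk only stops at an empty field. NOTE(review): if the fuzzer's
   shared test-case buffer is not guaranteed to be NUL-padded past the
   current input, this reads beyond the test case - confirm against the
   caller's setup.

   argc receives the number of parameters found. Returns a static,
   NULL-terminated array of pointers into persistent_buff; the array is
   reused by every call. */
static char **afl_init_argv_persistent(int *argc,
                                       unsigned char *persistent_buff) {

  static char *ret[MAX_CMDLINE_PAR];

  unsigned char *ptr = persistent_buff;
  int            rc = 0;

  /* Stop one slot short of the array's end so ret[rc] can still be set. */
  while (*ptr && rc < MAX_CMDLINE_PAR - 1) {

    ret[rc] = (char *)ptr;
    /* A lone 0x02 encodes an empty parameter: point at its terminator. */
    if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++;
    rc++;

    while (*ptr)
      ptr++;
    ptr++;

  }

  /* ret is shared across persistent iterations; without this a shorter
     test case would leave argv[argc] pointing at a stale entry from the
     previous one instead of NULL. */
  ret[rc] = NULL;

  *argc = rc;

  return ret;

}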
136
137 #undef MAX_CMDLINE_LEN
138 #undef MAX_CMDLINE_PAR
139
140 #endif /* !_HAVE_ARGV_FUZZ_INL */
141
142