From 683e2c13f8f63012e87b2572f1cd228c8fad0c53 Mon Sep 17 00:00:00 2001
From: Aaron Conole <aconole@redhat.com>
Date: Fri, 17 Feb 2017 16:27:01 -0500
Subject: [PATCH] sfuzz: cleanup snprintfs
This was weird code... maybe it's old enough that I can rewrite a good chunk
of this, but for now, it works and isn't worth changing.
Signed-off-by: Aaron Conole <aconole@redhat.com>
---
sfuzz.c | 103 ++++++++++++++++++++++++++--------------------------------------
1 file changed, 41 insertions(+), 62 deletions(-)
diff --git a/sfuzz.c b/sfuzz.c
index c8978c9..4e8b1ad 100644
--- a/sfuzz.c
+++ b/sfuzz.c
@@ -848,20 +848,24 @@ int in_array_execute_fuzz(option_block *opts)
{
unsigned int ilen = reqsize;
array_t *current_array = opts->arrays[tsze];
+ char sizeval[80] = {0};
+ char sizerepl[sizeof(current_array->array_name) + 2] = {0};
+ char ssizerepl[sizeof(current_array->array_name) + 1] = {0};
+
+ snprintf(sizerepl, sizeof(sizerepl), "%%%%%s",
+ current_array->array_name);
+ snprintf(ssizerepl, sizeof(sizerepl), "%%%s",
+ current_array->array_name);
if(!current_array->value_array[current_array->value_ctr].bin)
{
size_t bsizeval = strlen
(current_array->value_array
[current_array->value_ctr].sym_val);
- char sizeval[80] = {0};
- char sizerepl[80] = {0};
- char ssizerepl[80] = {0};
+
snprintf(sizeval, 80, "%zu", bsizeval);
- snprintf(sizerepl, 80, "%%%%%s", current_array->array_name);
- snprintf(ssizerepl, 80, "%%%s", current_array->array_name);
- ilen = smemrepl(req, reqsize, opts->mseql + 16384, sizerepl, (char *)
- &bsizeval, sizeof bsizeval);
+ ilen = smemrepl(req, reqsize, opts->mseql + 16384, sizerepl,
+ (char *) &bsizeval, sizeof bsizeval);
ilen = smemrepl(req, ilen, opts->mseql + 16384, ssizerepl, sizeval,
strlen(sizeval));
ilen = smemrepl(req, ilen, opts->mseql + 16384, current_array->array_name,
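Review bot: The bound passed for `ssizerepl` is `sizeof(sizerepl)`, the size of the neighbouring buffer that is one byte larger, so the second hoisted call should read `snprintf(ssizerepl, sizeof(ssizerepl), "%%%s", current_array->array_name);`. With a NUL-terminated `array_name` the formatted string fits `ssizerepl` exactly and the wrong bound is latent; if the name is not terminated inside its array the call can write one byte past `ssizerepl`. The new declarations also rely on `array_name` being a fixed-size char array, since `sizeof(current_array->array_name)` would be the pointer size if it were a pointer — worth confirming against the struct. Because the three buffers are now at block scope, the bin branch in the next hunk shares them, so this one call is the only place the name patterns are built. in_array_execute_fuzz starts and ends outside the hunk.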
@@ -874,14 +878,8 @@ int in_array_execute_fuzz(option_block *opts)
{
char *blit = current_array->value_array[current_array->value_ctr].sym_val;
size_t blit_len = current_array->value_array[current_array->value_ctr].is_len;
- char sizeval[80] = {0};
- char sizerepl[80] = {0};
- char ssizerepl[80] = {0};
-
- snprintf(sizeval, 80, "%zu", blit_len);
- snprintf(ssizerepl, 80, "%%%s", current_array->array_name);
- snprintf(sizerepl, 80, "%%%%%s", current_array->array_name);
+ snprintf(sizeval, 80, "%zu", blit_len);
ilen = smemrepl(req, reqsize, opts->mseql + 16384, sizerepl, (char *)
&blit_len, sizeof blit_len);
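Review bot: The re-added `snprintf(sizeval, 80, "%zu", blit_len);` keeps a literal 80 as the bound even though the hoisted declarations in the first hunk moved to `sizeof`; `snprintf(sizeval, sizeof sizeval, "%zu", blit_len);` ties the bound to the buffer it writes, and the matching call left as context in the first hunk has the same shape. This branch no longer declares `sizerepl` and `ssizerepl`, so it now depends on the block-scope buffers from the first hunk; the `ssizerepl` bound there is `sizeof(sizerepl)`, and correcting it covers both branches. The enclosing function starts and ends outside the hunk.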
@@ -898,54 +896,39 @@ int in_array_execute_fuzz(option_block *opts)
/*loaded a request.*/
p = memmem(req, reqsize, "FUZZ", 4);
- if(!p)
- {
- if(fuzz(opts, req, reqsize) < 0)
- {
- goto done;
- }
- memcpy(preq, req, reqsize);
- preqsize = reqsize;
- }
- else /* we have to FUZZ for reals*/
- {
- /*do the literals*/
- if(opts->no_literal_fuzz == 0)
- {
- for(tsze = 0; tsze < opts->num_litr; ++tsze)
- {
+ if (!p) {
+ if (fuzz(opts, req, reqsize) < 0) {
+ goto done;
+ }
+ memcpy(preq, req, reqsize);
+ preqsize = reqsize;
+ } else {
+ /* we have to FUZZ for real. do the literals. */
+ if (opts->no_literal_fuzz == 0) {
+ for (tsze = 0; tsze < opts->num_litr; ++tsze) {
char litr_is_bin = 0;
i = 0;
-
+
/*first, do the literals, which are filled in as-is*/
strcpy(req2, req);
- c = *(
- (opts->litr[tsze]) +
- strspn(opts->litr[tsze], " "));
+ c = *((opts->litr[tsze]) +
+ strspn(opts->litr[tsze], " "));
- b = *(1+
- (opts->litr[tsze]) +
- strspn(opts->litr[tsze], " "));
+ b = *(1 + (opts->litr[tsze]) +
+ strspn(opts->litr[tsze], " "));
- f = *(2 +
- (opts->litr[tsze])+
- strspn(opts->litr[tsze], " "));
+ f = *(2 + (opts->litr[tsze])+
+ strspn(opts->litr[tsze], " "));
- if((c == '0') ||
- (c == '\\'))
- {
- if((b == 'x') &&
- ((f >= '0') &&
- (f <= '9')))
- litr_is_bin = 1;
+ if ((c == '0') || (c == '\\')) {
+ if (b == 'x' && f >= '0' && f <= '9')
+ litr_is_bin = 1;
}
- if(c == 'x')
- if((f >= '0') && (f <= '9'))
- litr_is_bin = 1;
+ if (c == 'x' && ((f >= '0') && (f <= '9')))
+ litr_is_bin = 1;
- if(!litr_is_bin)
- {
+ if (!litr_is_bin) {
size_t bsizeval = strlen(opts->litr[tsze]);
char sizeval[80] = {0};
snprintf(sizeval, 80, "%zu", bsizeval);
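Review bot: The rewritten `c`/`b`/`f` reads at the top of the literal loop still dereference offsets +1 and +2 unconditionally, so a literal that is empty or one character long after its leading spaces is read past its terminator before the classification runs. Guarding each later read on the earlier one, `b = c ? *(1 + (opts->litr[tsze]) + strspn(opts->litr[tsze], " ")) : '\0';` and `f = b ? *(2 + (opts->litr[tsze]) + strspn(opts->litr[tsze], " ")) : '\0';`, keeps the bin/non-bin result identical for every well-formed entry. Whether such short entries can reach this loop depends on how `opts->litr` is populated, which is outside the hunk. The `strspn` is also evaluated three times per literal now that the lines are compacted; one local holding the skipped pointer would make the three reads easier to check. in_array_execute_fuzz starts and ends outside the hunk.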
@@ -955,9 +938,7 @@ int in_array_execute_fuzz(option_block *opts)
strlen(sizeval));
i = smemrepl(req2, i, opts->mseql + 16384, "FUZZ", opts->litr[tsze],
strlen(opts->litr[tsze]));
- }
- else
- {
+ } else {
char *blit = malloc(8192);
int blit_len = 0;
char sizeval[80] = {0};
@@ -978,21 +959,19 @@ int in_array_execute_fuzz(option_block *opts)
free( blit );
}
- if(opts->send_initial_nonfuzz_again)
+ if (opts->send_initial_nonfuzz_again)
if(fuzz(opts, preq, preqsize) < 0)
goto done;
- if(fuzz(opts, req2, i)<0)
+ if (fuzz(opts, req2, i)<0)
goto done;
}
}
-
- if(opts->no_sequence_fuzz == 0)
- {
+
+ if(opts->no_sequence_fuzz == 0) {
/*do the sequences*/
char *sequence_hold = NULL;
- for(tsze = 0; tsze < opts->num_seq; ++tsze)
- {
+ for (tsze = 0; tsze < opts->num_seq; ++tsze) {
size_t bsizeval = 0;
char sizeval[80] = {0};
char seq_buf[5] = {0};
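Review bot: The brace style in this hunk drifts from the rest of the commit: `if(opts->no_sequence_fuzz == 0) {` keeps the no-space `if(` form, and the `send_initial_nonfuzz_again` check becomes an unbraced nested `if` whose `goto done;` body is also unbraced, the shape the earlier hunks remove. Writing it as `if (opts->send_initial_nonfuzz_again) {` / `if (fuzz(opts, preq, preqsize) < 0) {` / `goto done;` with the two closing braces, and `if (opts->no_sequence_fuzz == 0) {`, matches the `if (!p) {` form adopted above and removes the dangling-else hazard should an `else` be added later. Behaviour is unchanged either way. in_array_execute_fuzz starts and ends outside the hunk.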
--
2.9.3