Improve fuzzing_harness

This enables the faster "clang-fast" compiler as well as better resting server state between runs.
stephane · Sep 24, 2017 · 0d5e6b1 · 0d5e6b1
1 parent 6cc13d9
commit 0d5e6b1
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 44 deletions.
diff --git a/tests/README.fuzzing.md b/tests/README.fuzzing.md
@@ -47,4 +47,5 @@ AFL has a tool to minimise the number of seeds by removing duplicate or "uninter
 ```
 
 # Notes
-* AFL does not like to be on the PATH during configure/make
+* AFL does not like to be on the PATH during configure/make
+* Try with ```afl-clang-fast``` and ```afl-clang-fast++``` compilers for speed up
diff --git a/tests/fuzzing_harness.c b/tests/fuzzing_harness.c
@@ -19,63 +19,73 @@
 
 #include <modbus.h>
 
+#define MAX_FUZZ_INPUT_SIZE 5120
+
 int main(int argc, char * argv [])
 {
-    int s = -1;
+    // general
+    int e;
+
+    // server
+    int socket_of_server = -1;
     modbus_t *ctx;
-    modbus_mapping_t *mb_mapping;
+    modbus_mapping_t *mb_mapping = NULL;
 
-    // fuzz
+    // fuzz and client
     size_t insize;
-    #define FUZZ_BUFF_SIZE 5120
-    char buf[FUZZ_BUFF_SIZE];
-    int sockfd = 0;
+    char buf[MAX_FUZZ_INPUT_SIZE];
+    int socket_to_server;
     struct sockaddr_in serv_addr;
     socklen_t sizeof_serv_addr = sizeof(serv_addr);
-    // fuzz
 
+    // init server
     ctx = modbus_new_tcp("127.0.0.1", 0);
-    /* modbus_set_debug(ctx, TRUE); */
-
-    mb_mapping = modbus_mapping_new(500, 500, 500, 500);
-    if (mb_mapping == NULL) {
-        fprintf(stderr, "Failed to allocate the mapping: %s\n",
-                modbus_strerror(errno));
-        modbus_free(ctx);
-        return -1;
-    }
-
-    s = modbus_tcp_listen(ctx, 1);
-    if (s < 0) {
-        error(1, 1, "\nError : Failed to start server\n");
+    socket_of_server = modbus_tcp_listen(ctx, 1);
+    if (socket_of_server < 0) {
+        error(-1, 1, "Failed to start server: %s", modbus_strerror(errno));
     }
 
-    int getsockname_result = getsockname(s, &serv_addr, &sizeof_serv_addr);
+    // get the port of the server
+    int getsockname_result = getsockname(socket_of_server, &serv_addr, &sizeof_serv_addr);
     if ( getsockname_result < 0 ) {
-        error(1, getsockname_result, "Failed to get server port number");
+        error(-1, getsockname_result, "Failed to get server port number");
     }
 
-    for (;;) {
+    #ifdef __AFL_LOOP
+    while (__AFL_LOOP(1000)) {
+    #else
+    do {
+    #endif
         uint8_t query[MODBUS_TCP_MAX_ADU_LENGTH];
         int rc;
 
-        // fuzz
-        memset(buf, 0, FUZZ_BUFF_SIZE);
+        // Reset state from last fuzz
+        modbus_mapping_free(mb_mapping);
+        mb_mapping = modbus_mapping_new(500, 500, 500, 500);
+        if (mb_mapping == NULL) {
+            error(-1, -1, "Failed to allocate the mapping: %s", modbus_strerror(errno));
+        }
+
+        // Read fizzing data to send to server
+        memset(buf, 0, sizeof(buf));
         insize = fread(buf, 1, sizeof(buf), stdin);
-        //if ( !feof(0) ) {
-        //    error(1, 1, "ERROR not all read");
-        //}
-        sockfd = socket(AF_INET, SOCK_STREAM, 0);
-        if (sockfd < 0) {
-            error(1, 1, "ERROR opening socket");
+        // TODO: Confirm whole test case was read
+
+        // Connect to server
+        socket_to_server = socket(AF_INET, SOCK_STREAM, 0);
+        if (socket_to_server < 0) {
+            error(1, socket_to_server, "ERROR opening socket");
         }
-        if( connect(sockfd, (struct sockaddr *) &serv_addr, sizeof_serv_addr) < 0) {
-            error(1, 1, "\nError : Connect Failed\n");
+        e = connect(socket_to_server, (struct sockaddr *) &serv_addr, sizeof_serv_addr);
+        if(e < 0) {
+            error(1, e, "\nError : Connect to server Failed\n");
         } 
-        modbus_tcp_accept(ctx, &s);
-        sendto(sockfd, buf, insize, 0, NULL, -1);
-        // fuzz
 
+        // Send fuzzing data to server
+        sendto(socket_to_server, buf, insize, 0, NULL, -1);
+
+        // Run a general ModBus server logic
+        modbus_tcp_accept(ctx, &socket_of_server);
         rc = modbus_receive(ctx, query);
         if (rc > 0) {
             /* rc is the query size */
@@ -85,15 +95,27 @@ int main(int argc, char * argv [])
             break;
         }
 
-        // fuzz
-        break;
-        // fuzz
-    }
+        // Read response from server and close connection
+        e = read(socket_to_server, buf, sizeof(buf));
+        if (e < 0) {
+            error(1, e, "Failed to read response from server");
+        }
+        e = close(socket_to_server);
+        if (e < 0) {
+            error(1, e, "Failed to close socket to server");
+        }
 
-    printf("Quit the loop: %s\n", modbus_strerror(errno));
+    #ifdef __AFL_LOOP
+    }
+    #else
+    } while (0);
+    #endif
 
-    if (s != -1) {
-        close(s);
+    if (socket_of_server >= 0) {
+        close(socket_of_server);
+    }
+    if (socket_to_server >= 0) {
+        close(socket_to_server);
     }
     modbus_mapping_free(mb_mapping);
     modbus_close(ctx);