Bug 1385203 - Rework fragmentation for fuzzer, r=ttaubert NSS_TLS13_DRAFT19_BRANCH
authorMartin Thomson <martin.thomson@gmail.com>
Thu, 10 Aug 2017 14:02:40 +1000
branchNSS_TLS13_DRAFT19_BRANCH
changeset 13525 b5d2871052447cb738b89055c8079bb2be9ef16a
parent 13524 e8f0e4ee2c8ca0e381ee9a79ac59d2e4d1c64df4
child 13532 0f34fb88edaab713e44977f5c33ff69a742c8da2
push id2318
push usermartin.thomson@gmail.com
push dateThu, 10 Aug 2017 10:19:48 +0000
reviewersttaubert
bugs1385203
Bug 1385203 - Rework fragmentation for fuzzer, r=ttaubert
fuzz/tls_mutators.cc
--- a/fuzz/tls_mutators.cc
+++ b/fuzz/tls_mutators.cc
@@ -36,17 +36,19 @@ class Record {
     memmove(dest + size_, other->data(), other->size() + other->remaining());
     // Insert the record.
     memcpy(dest, buf, size_);
   }
 
   void truncate(size_t length) {
     assert(length >= 5 + gExtraHeaderBytes);
     uint8_t *dest = const_cast<uint8_t *>(data_);
-    (void)ssl_EncodeUintX(length - 5 - gExtraHeaderBytes, 2, &dest[3]);
+    size_t l = length - (5 + gExtraHeaderBytes);
+    dest[3] = (l >> 8) & 0xff;
+    dest[4] = l & 0xff;
     memmove(dest + length, data_ + size_, remaining_);
   }
 
   void drop() {
     uint8_t *dest = const_cast<uint8_t *>(data_);
     memmove(dest, data_ + size_, remaining_);
   }
 
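Review bot: The big-endian 16-bit length write at `dest[3]`/`dest[4]` is now open-coded here and again twice in the FragmentRecord hunk below (`rdata[3]`/`rdata[4]` and `second_record[3]`/`second_record[4]`); a small file-local helper such as `static void WriteLength16(uint8_t *dest, size_t len) { dest[0] = (len >> 8) & 0xff; dest[1] = len & 0xff; }`, called as `WriteLength16(&dest[3], l)`, would keep the three sites in step. It would also be the natural home for `assert(len <= 0xffff);`, since the `& 0xff` masks otherwise silently drop any bits of `l` that do not fit the record header's two-byte length field, and the existing assert on the line above only bounds `length` from below. The enclosing Record class begins outside this hunk.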
@@ -219,38 +221,42 @@ size_t FragmentRecord(uint8_t *data, siz
 
   // Find TLS records in the corpus.
   const auto records = ParseRecords(data, size);
   if (records.empty()) {
     return 0;
   }
 
   // Pick a record to fragment at random.
-  std::uniform_int_distribution<size_t> dist(0, records.size() - 1);
-  auto &rec = records.at(dist(rng));
+  std::uniform_int_distribution<size_t> rand_record(0, records.size() - 1);
+  auto &rec = records.at(rand_record(rng));
   uint8_t *rdata = const_cast<uint8_t *>(rec->data());
   size_t length = rec->size();
   size_t content_length = length - 5;
 
   if (content_length < 2) {
     return 0;
   }
 
   // Assign a new length to the first fragment.
-  size_t new_length = content_length / 2;
-  uint8_t *content = ssl_EncodeUintX(new_length, 2, &rdata[3]);
+  std::uniform_int_distribution<size_t> rand_size(1, content_length - 1);
+  size_t first_length = rand_size(rng);
+  size_t second_length = content_length - first_length;
+  rdata[3] = (first_length >> 8) & 0xff;
+  rdata[4] = first_length & 0xff;
+  uint8_t *second_record = rdata + 5 + first_length;
 
-  // Make room for one more header.
-  memmove(content + new_length + 5, content + new_length,
-          rec->remaining() + content_length - new_length);
+  // Make room for the header of the second record.
+  memmove(second_record + 5, second_record,
+          rec->remaining() + content_length - first_length);
 
   // Write second header.
-  memcpy(content + new_length, rdata, 3);
-  (void)ssl_EncodeUintX(content_length - new_length, 2,
-                        &content[new_length + 3]);
+  memcpy(second_record, rdata, 3);
+  second_record[3] = (second_length >> 8) & 0xff;
+  second_record[4] = second_length & 0xff;
 
   return size + 5;
 }
 
 // Cross-over function that merges and shuffles two transcripts.
 size_t CrossOver(const uint8_t *data1, size_t size1, const uint8_t *data2,
                  size_t size2, uint8_t *out, size_t max_out_size,
                  unsigned int seed) {