3e38862837
* forkserver: Add an API to setup the shared memory region for edge coverage This is inspired from and meant to be similar to afl-cc's instrumentation. Remove ! return type from __afl_start_forkserver as it returns in several cases. * Add example fuzzer using LibAFL's forkserver The fuzzer is instrumented with libafl_cc as well. Co-authored-by: ergrelet <ergrelet@users.noreply.github.com>
37 lines
858 B
C
37 lines
858 B
C
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
// The following line is needed for shared memory testcase fuzzing
|
|
__AFL_FUZZ_INIT();
|
|
|
|
void vuln(char *buf) {
|
|
if (strcmp(buf, "vuln") == 0) { abort(); }
|
|
}
|
|
|
|
int main(int argc, char **argv) {
|
|
// Start the forkserver at this point (i.e., forks will happen here)
|
|
__AFL_INIT();
|
|
|
|
// The following five lines are for normal fuzzing.
|
|
/*
|
|
FILE *file = stdin;
|
|
if (argc > 1) { file = fopen(argv[1], "rb"); }
|
|
char buf[16];
|
|
char *p = fgets(buf, 16, file);
|
|
buf[15] = 0;
|
|
*/
|
|
|
|
// The following line is also needed for shared memory testcase fuzzing
|
|
unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; // must be after __AFL_INIT
|
|
|
|
// printf("input: %s\n", buf);
|
|
if (buf[0] == 'b') {
|
|
if (buf[1] == 'a') {
|
|
if (buf[2] == 'd') { abort(); }
|
|
}
|
|
}
|
|
vuln((char *)buf);
|
|
|
|
return 0;
|
|
} |