fuzzy.c

/* Returns true if the byte should be randomized based on a probability calculated with the fuzz-factor f.
 *
 * f is a value between 0 and 100, where 100 means the byte is guaranteed to be randomized.
 * The value will change every clock tick (based on the f we supply), but will remain constant during
 * the creation of a single packet so that entire packets may be fuzzed with the same f. This is used in
 * favour of a constant value in order to test the largest possible range in a single session.
 */
static bool fuzz_this_byte(unsigned short f)
{
    return random_int_range(101) <= f;
}

/* Fuzzes a group packet and adds num_extra random bytes to the end.
 *
 * Fuzzing will begin after the hash id (offset of HASH_ID_BYTES) as all packets will fail the initial
 * integrity check otherwise, which would give us no better code coverage than level 1.
 *
 * Returns length of fuzzed packet or 0 if packet is too small to be fuzzed.
 */
static uint32_t fuzz_gc_packet(uint8_t *packet, uint32_t length, uint32_t num_extra, size_t max_size)
{
    if (length <= HASH_ID_BYTES)
        return 0;

    unsigned short f = unix_time() % 101;
    uint32_t i, real_len = length;

    for (i = HASH_ID_BYTES; i < length; ++i) {
        if (fuzz_this_byte(f))
            packet[i] = rand();
    }

    /* occasionally truncate a few bytes to test boundaries */
    if (random_int_range(10) == 0)
        return length - 1 - random_int_range(3);

    for (i = length; i < num_extra && i < max_size; ++i) {
        packet[i] = rand();
        ++real_len;
    }

    return real_len;
}