Last active Sep 12, 2015
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* random_int_range(), unix_time() and HASH_ID_BYTES are not defined in this snippet;
 * they are expected to come from the surrounding code base. */

/* Returns true if the byte should be randomized based on a probability calculated with the fuzz-factor f.
 * f is a value between 0 and 100, where 100 means the byte is guaranteed to be randomized.
 * The value will change every clock tick (based on the f we supply), but will remain constant during
 * the creation of a single packet so that entire packets may be fuzzed with the same f. This is used in
 * favour of a constant value in order to test the largest possible range in a single session.
 */
static bool fuzz_this_byte(unsigned short f)
{
    return random_int_range(101) <= f;
}

/* Fuzzes a group packet and adds num_extra random bytes to the end.
 * Fuzzing will begin after the hash id (offset of HASH_ID_BYTES) as all packets will fail the initial
 * integrity check otherwise, which would give us no better code coverage than level 1.
 * Returns length of fuzzed packet or 0 if packet is too small to be fuzzed.
 */
static uint32_t fuzz_gc_packet(uint8_t *packet, uint32_t length, uint32_t num_extra, size_t max_size)
{
    if (length <= HASH_ID_BYTES)
        return 0;

    unsigned short f = unix_time() % 101;
    uint32_t i, real_len = length;

    for (i = HASH_ID_BYTES; i < length; ++i) {
        if (fuzz_this_byte(f))
            packet[i] = rand();
    }

    /* occasionally truncate a few bytes to test boundaries */
    if (random_int_range(10) == 0)
        return length - 1 - random_int_range(3);

    /* append up to num_extra random bytes, never writing past max_size */
    for (i = 0; i < num_extra && real_len < max_size; ++i)
        packet[real_len++] = rand();

    return real_len;
}
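
An added example, not part of the gist: the same mutation policy with the random source and the fuzz-factor passed in explicitly, so a packet that triggered a failure in the receiver can be regenerated from its seed. `fuzz_packet_seeded`, `prng_next`, `replay_check` and `HDR_BYTES` (standing in for `HASH_ID_BYTES`) are hypothetical names, and the xorshift32 generator is a swapped-in replacement for `rand()` and `random_int_range()`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_BYTES 4 /* assumed stand-in for the gist's HASH_ID_BYTES */

/* xorshift32: small seedable PRNG so a run can be replayed from its seed (seed != 0). */
static uint32_t prng_next(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Same policy as fuzz_gc_packet, with seed and fuzz-factor f (0..100) as inputs.
 * Returns the new length, or 0 for a too-short packet, len > max_size or seed 0. */
static uint32_t fuzz_packet_seeded(uint8_t *pkt, uint32_t len, uint32_t num_extra,
                                   size_t max_size, unsigned f, uint32_t seed)
{
    if (len <= HDR_BYTES || len > max_size || seed == 0)
        return 0;
    uint32_t st = seed, i, out = len;
    for (i = HDR_BYTES; i < len; ++i)      /* header stays intact */
        if (prng_next(&st) % 101 <= f)
            pkt[i] = (uint8_t)prng_next(&st);
    if (prng_next(&st) % 10 == 0)          /* occasional truncation */
        return len - 1 - prng_next(&st) % 3;
    for (i = 0; i < num_extra && out < max_size; ++i)
        pkt[out++] = (uint8_t)prng_next(&st);
    return out;
}

/* Constructed check: same seed gives the same packet, header bytes are untouched. */
static int replay_check(uint32_t seed, unsigned f)
{
    uint8_t a[32], b[32];
    memset(a, 0xAA, sizeof a);
    memset(b, 0xAA, sizeof b);
    uint32_t la = fuzz_packet_seeded(a, 16, 8, sizeof a, f, seed);
    uint32_t lb = fuzz_packet_seeded(b, 16, 8, sizeof b, f, seed);
    return la == lb && la <= sizeof a && memcmp(a, b, sizeof a) == 0
           && a[0] == 0xAA && a[HDR_BYTES - 1] == 0xAA;
}

int main(void)
{
    printf("replay ok: %d\n", replay_check(0x1234u, 50));
    return 0;
}
```

Logging the seed and f next to each sent packet is enough to rebuild that packet later.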