Example #1
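/**
 * Fault-injection hook for the transmit path: given a buffer of fixed length,
 * randomly pick a way to corrupt the data (or not), log the header fields
 * before and after, dump the buffer and pass it to __AJ_TX().
 *
 * One of 32 cases is drawn with rand(). Cases 0-7 mutate the packet in place;
 * every other value leaves it untouched. All mutations are kept inside
 * [buf, buf + len): a harness that scribbles past its own buffer produces
 * crashes that are then misattributed to the code under test.
 *
 * NOTE(review): rand() is not seeded in this block. To replay a failing run
 * the seed must be fixed and recorded wherever srand() is called - confirm.
 * NOTE(review): the third argument of RandFuzzing() is presumably a mutation
 * rate; confirm against its definition.
 *
 * @param buf  Packet to (possibly) corrupt in place and then transmit.
 * @param len  Number of valid bytes in buf.
 */
void FuzzBuffer(uint8_t* buf, uint32_t len)
{
    size_t offset;
    size_t room;
    size_t span;

    uint8_t test = rand() % 32;
    PacketStart* ps = (PacketStart*)buf;
    PacketHeader* ph = (PacketHeader*)buf;
    uint16_t packetLen;

    /*
     * A buffer shorter than the fixed header cannot be parsed, and
     * "len - sizeof(PacketStart)" below would wrap to a huge unsigned value.
     * Send such a buffer through unmodified instead of reading or fuzzing
     * beyond it.
     */
    if (len < sizeof(PacketStart)) {
        AJ_DebugDumpSerialTX("FuzzBuffer", buf, len);
        __AJ_TX(buf, len);
        return;
    }

    /*
     * NOTE(review): ph->tag is read through PacketHeader, whose layout is not
     * visible here; confirm tag[0..3] lies within the first len bytes.
     */
    packetLen = (ps->len[0] << 8) | ps->len[1];
    AJ_AlwaysPrintf(("FuzzBuffer: Before case %i Tag:%c%c%c%c Ack:%i Seq:%i Type:%X Len:%i\n"
                     , test, ph->tag[0], ph->tag[1], ph->tag[2], ph->tag[3],
                     ps->ack, ps->seq, ps->type, packetLen));

    switch (test) {
    case 0:
    case 1:
        /*
         * Protect fixed header from fuzzing
         */
        offset = sizeof(PacketStart);
        RandFuzzing(buf + offset, len - offset, 5);
        break;

    case 2:
        /*
         * fuzz the payload; the length comes from the packet itself, so cap it
         * at the bytes that actually follow the header in this buffer
         */
        offset = sizeof(PacketStart);
        room = len - offset;
        span = (packetLen < room) ? packetLen : room;
        RandFuzzing(buf + offset, span, 10);
        break;

    case 3:
        /*
         * change the sequence number
         */
        ps->seq = rand() % 16;
        break;

    case 4:
        /*
         * change the ack number
         */
        ps->ack = rand() % 16;
        break;

    case 5:
        /*
         * change the type field of the packet
         */
        ps->type = rand() % 16;
        break;

    case 6:
        /*
         * change the length field of the packet; only the field is altered,
         * the number of bytes transmitted stays len
         */
        ps->len[0] = rand() % 256;
        ps->len[1] = rand() % 256;
        break;

    case 7:
        /*
         * Fuzz the entire message
         */
        RandFuzzing(buf, len, 1 + (rand() % 10));
        break;

//    case 8: // not ready yet.
//        /*
//         * Protect Negotiate packet header from fuzzing
//         */
//        offset = sizeof(PacketNegotiate);
//        RandFuzzing(buf + offset, len - offset, 5);
//        break;


    default:
        /*
         * don't fuzz anything
         */
        break;
    }

    /*
     * Re-read the length field so the "After" line reports what is really
     * about to be sent; cases 6 and 7 can both have changed it.
     */
    packetLen = (ps->len[0] << 8) | ps->len[1];
    AJ_AlwaysPrintf(("FuzzBuffer: After  case %i Tag:%c%c%c%c Ack:%i Seq:%i Type:%X Len:%i\n"
                     , test, ph->tag[0], ph->tag[1], ph->tag[2], ph->tag[3],
                     ps->ack, ps->seq, ps->type, packetLen));

    AJ_DebugDumpSerialTX("FuzzBuffer", buf, len);
    __AJ_TX(buf, len);
}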
Example #2
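/**
 * Dump a buffer for debugging and write it to the g_fdRead descriptor.
 *
 * write() may accept fewer bytes than requested, so the call is repeated
 * until the whole buffer has been handed over or a write makes no progress.
 *
 * @param buffer  Bytes to transmit.
 * @param len     Number of bytes in buffer.
 * @return AJ_OK in every case, as in the original implementation.
 */
AJ_Status AJ_UART_Tx(uint8_t* buffer, uint16_t len)
{
    uint16_t sent = 0;

    AJ_DebugDumpSerialTX("AJ_UART_Tx", buffer, len);
    while (sent < len) {
        long n = (long)write(g_fdRead, buffer + sent, len - sent);
        if (n <= 0) {
            /*
             * NOTE(review): a failed or stalled write is still reported as
             * AJ_OK, so callers cannot tell that a frame was dropped or
             * truncated. Return the project's write-error status here once
             * callers are confirmed to handle it.
             */
            break;
        }
        sent = (uint16_t)(sent + n);
    }
    return AJ_OK;
}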