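/**
 * Given a buffer of fixed length, randomly pick a way to corrupt the data
 * (or not), log the header fields before and after, then pass the buffer
 * on to __AJ_TX.
 *
 * One of 32 cases is drawn with rand(); cases 0-7 mutate the buffer and all
 * other values leave it untouched.
 *
 * Every mutation is kept inside buf[0..len). The packet length field is read
 * from the buffer itself, so it is never trusted as a write length without
 * being clamped to the space that actually follows the fixed header. A
 * buffer shorter than PacketStart is passed through without fuzzing.
 *
 * @param buf  Buffer holding the outgoing packet; modified in place.
 * @param len  Number of valid bytes in buf.
 */
void FuzzBuffer(uint8_t* buf, uint32_t len)
{
    const size_t offset = sizeof(PacketStart);
    uint8_t test;
    PacketStart* ps;
    PacketHeader* ph;
    uint16_t packetLen;
    uint16_t payloadLen;

    if (len < offset) {
        /*
         * Too short to hold the fixed header: reading the header fields or
         * computing len - offset would run past the buffer, so do not fuzz.
         */
        AJ_AlwaysPrintf(("FuzzBuffer: buffer too short to fuzz (%u bytes)\n", (unsigned)len));
        AJ_DebugDumpSerialTX("FuzzBuffer", buf, len);
        __AJ_TX(buf, len);
        return;
    }

    test = rand() % 32;
    ps = (PacketStart*)buf;
    ph = (PacketHeader*)buf;
    packetLen = (ps->len[0] << 8) | ps->len[1];

    /*
     * NOTE(review): reading ph->tag assumes len also covers the tag bytes of
     * PacketHeader; the struct layout is not visible here - confirm.
     */
    AJ_AlwaysPrintf(("FuzzBuffer: Before  case %i Tag:%c%c%c%c  Ack:%i Seq:%i Type:%X Len:%i\n",
                     test, ph->tag[0], ph->tag[1], ph->tag[2], ph->tag[3],
                     ps->ack, ps->seq, ps->type, packetLen));

    switch (test) {
    case 0:
    case 1:
        /*
         * Protect fixed header from fuzzing
         */
        RandFuzzing(buf + offset, len - offset, 5);
        break;

    case 2:
        /*
         * fuzz the payload; the length field comes from the packet, so clamp
         * it to the bytes that really follow the fixed header
         */
        payloadLen = packetLen;
        if ((size_t)payloadLen > len - offset) {
            payloadLen = (uint16_t)(len - offset);
        }
        RandFuzzing(buf + offset, payloadLen, 10);
        break;

    case 3:
        /*
         * change the sequence number
         */
        ps->seq = rand() % 16;
        break;

    case 4:
        /*
         * change the ack number
         */
        ps->ack = rand() % 16;
        break;

    case 5:
        /*
         * change the type field of the packet
         */
        ps->type = rand() % 16;
        break;

    case 6:
        /*
         * change the length field of the packet; packetLen is refreshed only
         * so the "After" log line shows the new value
         */
        ps->len[0] = rand() % 256;
        ps->len[1] = rand() % 256;
        packetLen = (ps->len[0] << 8) | ps->len[1];
        break;

    case 7:
        /*
         * Fuzz the entire message
         */
        RandFuzzing(buf, len, 1 + (rand() % 10));
        break;

    // case 8: // not ready yet.
    //     /*
    //      * Protect Negotiate packet header from fuzzing
    //      */
    //     offset = sizeof(PacketNegotiate);
    //     RandFuzzing(buf + offset, len - offset, 5);
    //     break;

    default:
        /*
         * don't fuzz anything
         */
        break;
    }

    AJ_AlwaysPrintf(("FuzzBuffer: After case %i Tag:%c%c%c%c  Ack:%i Seq:%i Type:%X Len:%i\n",
                     test, ph->tag[0], ph->tag[1], ph->tag[2], ph->tag[3],
                     ps->ack, ps->seq, ps->type, packetLen));
    AJ_DebugDumpSerialTX("FuzzBuffer", buf, len);
    __AJ_TX(buf, len);
}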
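/**
 * Dump the outgoing bytes for debugging and write them to g_fdRead.
 *
 * write() may accept fewer bytes than requested, so the call is repeated
 * until the whole buffer has been handed over. A failed or zero-length write
 * is reported to the caller instead of being silently dropped.
 *
 * @param buffer  Bytes to send.
 * @param len     Number of bytes in buffer.
 * @return AJ_OK once all len bytes were written, AJ_ERR_WRITE otherwise.
 */
AJ_Status AJ_UART_Tx(uint8_t* buffer, uint16_t len)
{
    size_t sent = 0;
    ssize_t n;

    AJ_DebugDumpSerialTX("AJ_UART_Tx", buffer, len);

    while (sent < len) {
        n = write(g_fdRead, buffer + sent, len - sent);
        if (n <= 0) {
            /* n == 0 for a non-empty request would otherwise loop forever */
            return AJ_ERR_WRITE;
        }
        sent += (size_t)n;
    }
    return AJ_OK;
}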