static void initialize_ants(gcp_t *problem) {/*{{{*/
int i;
ant = malloc_(sizeof(gcp_solution_t) * problem->nants);
for (i = 0; i < problem->nants; i++) {
ant[i] = malloc_(sizeof(gcp_solution_t));
//ant[i]->nodes_color = malloc_(sizeof(int) * problem->ncolors);
//ant[i]->color = malloc_(sizeof(int) * problem->size);
}
}/*}}}*/
fs_node_t *install_initrd(u32 location)
{
initrd_header = (initrd_header_t *)location;
file_headers = (initrd_file_header_t *) (location+sizeof(initrd_header_t));
initrd_root = (fs_node_t*)malloc_(sizeof(fs_node_t));
strcpy(initrd_root->name, "initrd");
initrd_root->flags = FS_DIRECTORY;
initrd_root->readdir = &initrd_readdir;
initrd_root->finddir = &initrd_finddir;
initrd_dev = (fs_node_t*)malloc_(sizeof(fs_node_t));
strcpy(initrd_dev->name, "dev");
initrd_dev->flags = FS_DIRECTORY;
initrd_dev->readdir = &initrd_readdir;
initrd_dev->finddir = &initrd_finddir;
root_nodes = (fs_node_t*)malloc_(sizeof(fs_node_t) * initrd_header->nfiles);
nroot_nodes = initrd_header->nfiles;
int i;
for (i = 0; i < (int)initrd_header->nfiles; i++)
{
file_headers[i].offset += location;
strcpy(root_nodes[i].name, (char*)&file_headers[i].name);
root_nodes[i].mask = root_nodes[i].uid = root_nodes[i].gid = 0;
root_nodes[i].length = file_headers[i].length;
root_nodes[i].inode = i;
root_nodes[i].flags = FS_FILE;
root_nodes[i].read = &initrd_read;
root_nodes[i].write = 0;
root_nodes[i].readdir = 0;
root_nodes[i].finddir = 0;
root_nodes[i].open = 0;
root_nodes[i].close = 0;
root_nodes[i].impl = 0;
}
return initrd_root;
}
static void initialize_data(gcp_t *problem) {/*{{{*/
int i;
pheromone = malloc_(sizeof(double) * problem->size);
for (i = 0; i < problem->size; i++) {
pheromone[i] = malloc(sizeof(double) * problem->size);
}
best_ant = malloc_(sizeof(gcp_solution_t));
initialize_pheromone(problem);
initialize_ants(problem);
}/*}}}*/
static double* calculate_probbs(int v, int size, int color, int *degree, /*{{{*/
int **adj, int* color_of, double alpha, double beta) {
int i, j, size_color, neighbors;
double sum, trail, totalsum;
static double *probb = NULL;
if (!probb) {
probb = malloc_(sizeof(double) * size+1);
}
totalsum = 0;
for (i = 0; i < size; i++) {
probb[i] = 0;
if ((degree[i] != OUT) && (i!=v) && (!adj[i][v])) {
size_color = 0;
sum = 0;
neighbors = 0;
for (j = 0; j < size; j++) {
if (color_of[j] == color) {
sum += pheromone[j][i];
size_color++;
}
if ((degree[j] != OUT) && adj[j][v] && adj[j][i]) {
neighbors++;
}
}
if (size_color == 0) trail = 1;
else trail = sum/size_color;
probb[i] = pow(trail, alpha) * pow(neighbors, beta);
totalsum += probb[i];
}
}
probb[i] = totalsum;
///////////////////////////////////////////
/*
if (totalsum == 0) {
for (i = 0; i < size; i++) {
if ((degree[i] != OUT) && (i!=v) && (!adj[i][v])) {
probb[i] = 1;
totalsum++;
}
}
probb[i] = totalsum;
}
*/
return probb;
}/*}}}*/
/* ----------------------------------------------------------------------- */
void *kalloc (size_t size)
{
void *addr = malloc_(size);
assert_msg(addr != NULL, "The kernel run out of memory.");
// kSYS.objMemory_ += size;
memset(addr, 0, size);
return addr;
}
static void create_game(int fd, char* nick)
{
struct game * g = malloc_(sizeof(struct game));
g->players_number = 1;
g->players_conn[0] = fd;
g->players_nick[0] = nick;
g->status = GAME_STATUS_OPEN;
games = g_list_append(games, g);
open_players = g_list_remove(open_players, GINT_TO_POINTER(fd));
calculate_list_games();
}
/*---------------------------------------------------------------------------*
* NAME: push_hash
* DESC: add a hash in the linked list hash structure
*---------------------------------------------------------------------------*/
void push_hash(config *conf, unsigned int id, unsigned int type) {
struct struct_hash *hash;
struct struct_hash *prev = NULL;
/* dummy hash values equal to zero for the hash computation */
unsigned int dummy_int = 0x00000000;
/* debug */
debug(1, "<-----------------------[enter]\n");
/* go to the last hash */
for(hash = conf->hash;hash;hash = hash->next) {
debug(3, "current struct hash of block[%d]\n", hash->id);
prev = hash; /* save the preview */
}
debug(3," add hash structure\n");
/* create a hash entry in the linked list */
hash = malloc_(sizeof(struct struct_hash));
/* update the previous block's field next */
if (prev)
prev->next = hash;
/* fill the other fields */
hash->id = id; /* used next to find the struct_block */
hash->block = NULL; /* init the struct_block pointer */
hash->offset = conf->buf_fuzz_size; /* current size of the buffer */
hash->next = NULL; /* init the next pointer */
hash->type = type; /* put the correct hash type */
/* update if it's the first hash */
if (!conf->hash)
conf->hash = hash;
/* add the correct number of byte in the fuzz buffer */
switch(type) {
case HF_BLOCK_CRC32_B : /* big-endian 32 bits */
push_data(conf, (unsigned char *) &dummy_int, sizeof(int));
break;
case HF_BLOCK_CRC32_L : /* little-endian 32 bits */
push_data(conf, (unsigned char *) &dummy_int, sizeof(int));
break;
default: /* should never happen */
break;
}
/* debug */
debug(1, "<-----------------------[quit]\n");
}
void* malloc(size_t size)
{
if (!size) return ZERO_SIZE_POINTER;
void* ret=malloc_(size);
if (!ret) abort();
memset(ret, 0, size);
if (ignore==0)
{
ignore++;
cb.malloc(ret, size);
ignore--;
}
return ret;
}
/*!
*************************************************************************************
* \brief
* NALU_t *GeneratePic_parameter_set_NALU ();
*
* \note
* Uses the global variables through FillParameterSetStructures()
*
* \return
* A NALU containing the Picture Parameter Set
*
*************************************************************************************
*/
NALU_t *GeneratePic_parameter_set_NALU(pic_parameter_set_rbsp_t *active_pps)
{
NALU_t *n = AllocNALU(64000);
t_sint32 RBSPlen = 0;
byte *rbsp = (byte*)NULL;
void * vfm_memory_ctxt = my_vfm_memory_ctxt;
/*byte rbsp[MAXRBSPSIZE]; */
rbsp = (byte *)malloc_(MAXRBSPSIZE * sizeof(char));
// rbsp = (byte *)alloca(MAXRBSPSIZE * sizeof(char));
RBSPlen = GeneratePic_parameter_set_rbsp (active_pps, (char *)rbsp);
RBSPtoNALU ((char *)rbsp, n, RBSPlen, NALU_TYPE_PPS, NALU_PRIORITY_HIGHEST, 0, 1);
n->startcodeprefix_len = 4;
free(rbsp);
return n;
}
char * load_initrd_app(char *name, char **argv, char **env)
{
int argc = 0;
while (argv[argc]) { ++argc; }
struct dirent* node = 0;
for (size_t i = 0; (node = readdir_fs(fs_root_initrd, i)) != 0; ++i)
{
fs_node_t * fsnode = finddir_fs(fs_root_initrd, node->name);
if ((fsnode->flags & 0x7) == FS_DIRECTORY)
{
}
else
{
char * argv_[] = {
name,
NULL,
NULL,
NULL
};
int argc_ = 0;
while (argv_[argc_]) {
argc_++;
}
printk("\nSearching!\n");
char* buf = malloc_( fsnode->length);
printk("%d\n",fsnode->length);
u32 sz = read_fs(fsnode, 0, fsnode->length, buf);
printk("Size: %d bytes\t Name: %s\n", fsnode->length, node->name);
if(strcmp(node->name, name) == 0)
{
return buf;
elf_exec__(buf, sz, name,argc,argv);
memset(buf,0,400000);
}
}
}
return 0;
}
/*---------------------------------------------------------------------------*
* NAME: main
* DESC: Main Entry Point
*---------------------------------------------------------------------------*/
int main(int argc, char **argv) {
config *conf;
unsigned int first_arg;
/* create the configuration structure */
conf = malloc_(sizeof(config));
/* init the configuration structure */
init_configuration(conf);
/* parse the arguments */
first_arg = parsing_args(argc, argv, conf);
conf->xml_filename = argv[first_arg];
/* copy the name of the .ad file */
conf->output_name = argv[first_arg+1];
/* basic check */
if ((conf->output_name == NULL) || (conf->xml_filename == NULL)) {
usage(argv, conf);
}
/* open the output_name file */
output_desc = fopen(conf->output_name, "w");
if (!output_desc) {
error_("cannot write the file: \"%s\": ", conf->output_name);
perror("");
error_("QUITTING!\n");
free(conf);
exit(-1);
}
/* xml parsing of the file */
xml_parsing(conf);
/* free the configuration structure */
free(conf);
return 0;
}
/*---------------------------------------------------------------------------*
* NAME: main
* DESC: Main Entry Point
*---------------------------------------------------------------------------*/
int main(int argc, char **argv) {
config *conf;
unsigned int first_arg;
/* create the configuration structure */
conf = malloc_(sizeof(config));
/* create the adc structure */
conf->adc = malloc_(sizeof(struct struct_adc));
/* initialize the configuration structure */
init_configuration(conf);
/* parse the arguments */
first_arg = parsing_args(argc, argv, conf);
/* check if selected mode is well defined (dirty) */
if (
/* client mode -> port AND host */
((conf->mode == 0) && ((conf->port == 0) ||
(conf->host == NULL)))
||
/* server mode -> port */
((conf->mode == 1) && (conf->port == 0))
||
/* no file.ad defined */
(argv[first_arg] == NULL)
||
/* debugger and file */
((conf->type == 2) && (conf->dbg_mode))
||
/* fuzz udp or tcp or file */
((conf->fuzz_file_dir != NULL) && ((conf->host != NULL) ||
(conf->port != 0) ||
(conf->type != 2)))
) {
usage(argv, conf);
}
/* verbose messages */
/* autodafe's debugger */
if (conf->dbg_mode) {
verbose_("[*] Autodafe's debugger mode activated.\n");
}
/* file mode */
if (conf->type == 2) {
verbose_("[*] mode *file* - all fuzzed files will be in %s\n", conf->fuzz_file_dir);
}
/* network mode */
else {
if (conf->mode) {
if (!conf->type) /* tcp */
verbose_("[*] mode *server* - listening on port: %d (tcp)\n", conf->port);
else /* udp */
verbose_("[*] mode *server* - listening on port: %d (udp)\n", conf->port);
}
else {
if (!conf->type) /* tcp */
verbose_("[*] mode *client* - connection to %s on port: %d (tcp)\n", conf->host, conf->port);
else /* udp */
verbose_("[*] mode *client* - connection to %s on port: %d (udp)\n", conf->host, conf->port);
}
}
/* read the file */
if(read_adc_file(conf, argv[first_arg])) goto fuzzer_end;
/* ignore the SIGPIPE signal (ie. "Connection closed by foreign host") */
signal(SIGPIPE, sigpipe_handler);
/* start the connection with the debugger */
if (conf->dbg_mode)
if (dbg_connection(conf)) goto fuzzer_end;
/* start the fuzz engine */
fuzz_engine(conf);
if (conf->buf_fuzz) free(conf->buf_fuzz); /* free the fuzz buffer (in case of error) */
fuzzer_end:
if (conf->adc->buffer) free(conf->adc->buffer); /* free the memory-copy of adc file */
if (conf->adc) free(conf->adc); /* free the adc structure */
if (conf) free(conf); /* free the configuration structure */
return 0;
}
/*---------------------------------------------------------------------------*
* NAME: fuzz_core
* DESC: the heart of the fuzzing function.
*
* id is the id of the fuzz
* filename is the file used to fuzz
* weight is the default weight of the fuzz
*
* RETURN 0 -> don't fuzz.
* RETURN struct struct_fuzz *fuzz of the fuzzed value
*---------------------------------------------------------------------------*/
struct struct_fuzz *fuzz_core(config *conf, unsigned int id, unsigned char *filename, unsigned int weight) {
struct struct_fuzz *fuzz;
struct struct_fuzz *prev = NULL;
struct struct_source *source;
FILE *file;
unsigned char *file_content;
/* debug */
debug(1, "<-----------------------[enter]\n");
/* check if there is a fuzz structure for this id */
debug(3, "value of conf->fuzz: %p\n", conf->fuzz);
for (fuzz=conf->fuzz;fuzz;fuzz=fuzz->next) {
prev = fuzz;
if (fuzz->id == id) break;
}
/* there is no entry, we add a new one */
if (!fuzz) {
debug(2, "Adding a new fuzz entry\n");
/* malloc_ */
fuzz = malloc_(sizeof(struct struct_fuzz));
/* init the structure */
fuzz->next = NULL;
fuzz->source = NULL;
fuzz->id = id;
fuzz->current = 0;
fuzz->weight = weight;
/* update previous entry */
if (prev) prev->next = fuzz;
/* update if it's the first entry */
if (!conf->fuzz) conf->fuzz = fuzz;
/* init total + parse the source files */
fuzz->total = fill_source(fuzz, filename);
/* bad (memory leak, but who cares?) */
if (fuzz->total == -1) {
exit(-31339);
}
}
/* there is an entry */
else {
debug(2, "fuzz[%d] found\n", fuzz->id);
/* we are currently fuzzing this structure */
if (conf->fuzz_current == fuzz->id) {
/* check if we use the debugger mode, if yes, check if we
don't use the bruteforce mode, if yes, check if the
weight is > 0, if not fuzz->current = fuzz->total i.e.
we don't fuzz this entry */
if ((conf->dbg_mode) && (!conf->bruteforce) && (fuzz->weight <= 0)) {
fuzz->current = fuzz->total;
verbose_("[!] this fuzz is *NOT* relevant, we don't fuzz id: %d\n", fuzz->id);
}
/* there is something to fuzz */
if (fuzz->current < fuzz->total) {
debug(1, "fuzzing: %d/%d\n", fuzz->current+1, fuzz->total);
/* open the file pointed by fuzz->source->filename where id == fuzz->current */
for (source = fuzz->source; source; source = source->next) {
debug(3, "source: %p source->id: %d fuzz->current: %d\n", source, source->id, fuzz->current);
if (source->id == fuzz->current) {
break;
}
}
debug(3,"we catch the source->id: %d and fuzz->current: %d\n", source->id, fuzz->current);
debug(3,"try to open the file: \"%s\"\n", source->filename);
/* open the file */
file = fopen(source->filename, "r");
/* should never happen */
if (!file) {
error_(" ??? cannot read another time this file: \"%s\" ???: ", source->filename);
perror("");
error_("QUITTING!\n");
exit(-31337);
}
/* allocate buffer */
file_content = malloc_(source->size);
/* copy the content of the file in the buffer */
if (fread(file_content, source->size, 1, file) <= 0) {
error_(" ??? cannot read the content of this file: \"%s\" ???: ", source->filename);
perror("");
error_("QUITTING!\n");
exit(-31338);
}
/* close the file */
fclose(file);
/* copy the content in the fuzz buffer */
push_data(conf, file_content, source->size);
/* free file_content */
free(file_content);
/* update the fuzzer counter */
fuzz->current++;
/* debug */
debug(1, "<-----------------------[quit]\n");
return fuzz;
}
/* we can fuzz the next structure */
conf->fuzz_current++;
debug(2, "we have fuzzed all the data for this function...\n");
return 0;
}
}
/* debug */
debug(1, "<-----------------------[quit]\n");
/* we are not currently fuzzing this structure */
return 0;
}
static void ant_rlf(gcp_solution_t *sol, gcp_t *problem) {/*{{{*/
int i, j;
int colornumber = 0; /* number of colors used */
int colored = 0; /* number of colored vertex */
int v, new_v; /* vertex to be colored */
int nn; /* keep number of non-neighbors of v */
double *probb; /* probabilities for choosing a vertex */
/*{{{*/
static int *degree = NULL;
static int **adj = NULL;
static int *ctr = NULL;
if (!ctr) {
degree = malloc_(sizeof(int) * problem->size);
adj = malloc_(sizeof(int*) * problem->size);
}
for (i = 0; i < problem->size; i++) {
degree[i] = problem->degree[i];
if (!ctr) {
adj[i] = malloc(sizeof(int) * problem->size);
}
for (j = 0; j < problem->size; j++) {
adj[i][j] = problem->adj[i][j];
// adj[j][i] = problem->adj[j][i];
}
}
ctr = degree;
/*}}}*/
while (colored < problem->size) {
v = first_vertex(degree, problem->size);
sol->color[v] = colornumber;
sol->nodes_color[colornumber]++;
colored++;
nn = problem->size - degree[v] - 1;
for (i = 0; i < problem->size; i++) {
if (!adj[v][i] && (degree[i] == OUT)) {
nn--;
}
}
while (nn > 0) {
/* choose new_v, non neighbor of v that is not OUT with probability p */
/*
probb = calculate_probbs(v, problem->size, colornumber, degree,
adj, sol->color, problem->alpha, problem->beta);
new_v = choose_vertex(probb, problem->size);
*/
new_v = 0;
while (v==new_v || (degree[new_v]==OUT) || adj[new_v][v]) new_v++;
for (i = new_v; i < problem->size; i++) {
if ((i != v) && !adj[v][i] && (degree[i] != OUT) && (degree[i] > degree[new_v]))
new_v = i;
}
sol->color[new_v] = colornumber;
sol->nodes_color[colornumber]++;
colored++;
contract(v, new_v, degree, adj, problem->size, &nn);
nn--;
}
remove_(v, degree, adj, problem->size);
colornumber++;
}
sol->spent_time = current_usertime_secs();
sol->ncolors = colornumber;
}/*}}}*/
/*---------------------------------------------------------------------------*
* NAME: push_length
* DESC: add a length in the linked list length structure
*---------------------------------------------------------------------------*/
void push_length(config *conf, unsigned int id, unsigned int type) {
struct struct_length *length;
struct struct_length *prev = NULL;
/* dummy length values */
unsigned int dummy_int = 0xffffffff;
unsigned short dummy_short = 0xffff;
unsigned char dummy_char = 0xff;
/* debug */
debug(1, "<-----------------------[enter]\n");
debug(3," entering push_length\n");
/* go to the last length */
for(length = conf->length;length;length = length->next) {
debug(3, "current struct length of block[%d]\n", length->id);
prev = length; /* save the preview */
}
debug(3," add length structure\n");
/* create a length entry in the linked list */
length = malloc_(sizeof(struct struct_length));
/* update the previous block's field next */
if (prev)
prev->next = length;
/* fill the other fields */
length->id = id; /* used next to find the struct_block */
length->block = NULL; /* init the struct_block pointer */
length->offset = conf->buf_fuzz_size; /* current size of the buffer */
length->next = NULL; /* init the next pointer */
length->type = type; /* put the correct length type */
/* update if it's the first length */
if (!conf->length)
conf->length = length;
/* add the correct number of byte in the fuzz buffer */
switch(type) {
case HF_BLOCK_SIZE_B_32 : /* big-endian 32bits */
push_data(conf, (unsigned char *) &dummy_int, sizeof(int));
break;
case HF_BLOCK_SIZE_L_32 : /* little-endian 32bits */
push_data(conf, (unsigned char *) &dummy_int, sizeof(int));
break;
case HF_BLOCK_SIZE_B_16 : /* big-endian 16bits */
push_data(conf, (unsigned char *) &dummy_short, sizeof(short));
break;
case HF_BLOCK_SIZE_L_16 : /* little-endian 16bits */
push_data(conf, (unsigned char *) &dummy_short, sizeof(short));
break;
case HF_BLOCK_SIZE_8 : /* 8bits */
push_data(conf, &dummy_char, sizeof(char));
break;
case HF_BLOCK_SIZE_S_16 : /* string in hexadecimal */
/* don't add bytes in buffer now. See after */
break;
case HF_BLOCK_SIZE_S_10 : /* string in decimal */
/* don't add bytes in buffer now. See after */
break;
default: /* should never happen */
break;
}
/* debug */
debug(1, "<-----------------------[quit]\n");
}
void * memdup(void *src, size_t size)
{
void * r = malloc_(size);
memcpy(r, src, size);
return r;
}
int
read_llb(h2fmi_read_boot_page_t read_page, int offset, int size, unsigned char *buf)
{
int rv = 0;
int page = div(offset, LLB_PAGE_SIZE); /*offset / LLB_PAGE_SIZE*/
int start = offset - page * LLB_PAGE_SIZE; /*offset % LLB_PAGE_SIZE*/
#if 0
unsigned char *tmp = malloc_(4096);
if (!tmp) {
return -1;
}
for (page += 2; size > 0; page++) {
int chunk = size;
if (chunk > LLB_PAGE_SIZE - start) {
chunk = LLB_PAGE_SIZE - start;
}
rv = read_page(0, page, tmp);
if (rv) {
break;
}
memcpy(buf, tmp + start, chunk);
start = 0;
buf += chunk;
size -= chunk;
}
#else /* XXX more efficient, but should be used ONLY if read_page reads exactly LLB_PAGE_SIZE bytes */
unsigned char *tmp = NULL;
page += 2;
if (start) {
int chunk = LLB_PAGE_SIZE - start;
if (!(tmp = malloc_(LLB_PAGE_SIZE))) return -1;
rv = read_page(0, page, tmp);
if (rv) {
goto err;
}
memcpy(buf, tmp + start, chunk);
buf += chunk;
size -= chunk;
page++;
}
for (; size >= LLB_PAGE_SIZE; page++) {
rv = read_page(0, page, buf);
if (rv) {
goto err;
}
buf += LLB_PAGE_SIZE;
size -= LLB_PAGE_SIZE;
}
if (size) {
if (!tmp && !(tmp = malloc_(LLB_PAGE_SIZE))) return -1;
rv = read_page(0, page, tmp);
if (rv == 0) {
memcpy(buf, tmp, size);
}
}
err:
#endif
free_(tmp);
return rv;
}
