On 03/28/2017 02:52 PM, Shaleen wrote: > Hey! I'm a student taking part in the GSoC 2017 > and I'd like to work on the fuzzing framework for wget2 > > I see there are around 461 WGETAPI's defined in wget.h, which API's do you > think should be fuzz tested?
We leave this to you :-) Whatever looks the most promising to find flaws. As a suggestion, take a look into the test code coverage and start with something that is hardly (or not) covered by our tests. That is 'make check-coverage' and then view lcov/index.html with your browser. Keep in mind that we want (parts of) the fuzzer output being transferred into our test suite to test corner cases. Part of your work will be to create these tests as well. For your proposal, select a bunch of functions that seem most relevant to you (e.g. complex code that works with arbitrary external input and is used in Wget2, e.g. xml.c (xml and html parsing), the css parsing, the HTTP parsing. Make a plan about how you want to deal with your findings (and be prepared to find many flaws !). Maybe you would like to dive into the process of CVE reports. Regards, Tim
signature.asc
Description: OpenPGP digital signature
