---
 fuzzing/libnbd-fuzz-wrapper.c | 43 +++++++++++++++++++++++++++------
 fuzzing/libnbd-libfuzzer-test.c | 4 +++
 2 files changed, 40 insertions(+), 7 deletions(-)
diff --git a/fuzzing/libnbd-fuzz-wrapper.c b/fuzzing/libnbd-fuzz-wrapper.c
index 338adc0..fbff095 100644
--- a/fuzzing/libnbd-fuzz-wrapper.c
+++ b/fuzzing/libnbd-fuzz-wrapper.c
@@ -17,10 +17,25 @@
  */
 /* This is a wrapper allowing libnbd to be tested using common fuzzers
- * such as afl. It takes the fuzzer test case as a filename on the
- * command line. This is fed to the libnbd socket. Any output to the
- * socket from libnbd is sent to /dev/null. This is basically the
- * same way we fuzz nbdkit, but in reverse (see nbdkit.git/fuzzing).
+ * such as AFL++. It takes the fuzzer test case as a filename on the
+ * command line.
+ *
+ * It uses fuzzed-data-provider.h to parse the input allowing a choice
+ * of APIs to be called in any order under control of the fuzzer. The
+ * test cases therefore do not correspond very closely to raw NBD
+ * protocol.
+ *
+ * The fuzzer input is parsed as a series of commands, directing this
+ * program to execute different libnbd APIs. When the input is
+ * exhausted we stop the test. Each command is structured as:
+ *
+ *   <enum of API to call>
+ *   <offset>
+ *   <flags>
+ *   <data buffer> (includes implicit length)
+ *
+ * The data buffer field is only used by nbd_aio_pwrite. For other
+ * APIs only the length is used and the content is ignored.
  */
 #include <config.h>
@@ -146,10 +161,20 @@ extent64_callback (void *user_data,
   return 0;
 }
+enum call_type {
+  PREAD,
+  PWRITE,
+  FLUSH,
+  TRIM,
+  ZERO,
+  CACHE,
+  PREAD_STRUCTURED,
+  BLOCK_STATUS,
+  BLOCK_STATUS_64,
+  CALL_TYPE_MAX_PLUS_1 /* must be last entry */
+};
+
 /* This is the client (parent process) running libnbd. */
-static char buf[512];
-static char prbuf[65536];
-
 static void
 client (int sock)
 {
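Review bot: The new header comment presents every command as `<enum> <offset> <flags> <data buffer>`, but the enum added later in this patch includes calls such as `FLUSH` that take neither an offset nor a length, and the comment only states that the buffer content is ignored for non-pwrite APIs. It does not say whether fields an API does not use are still consumed from the input, which is what someone hand-crafting or minimising a corpus entry needs to know to keep the command stream aligned. One sentence after "For other APIs only the length is used" would settle it, along the lines of `All four fields are always consumed, even when the API ignores them, so that subsequent commands stay aligned in the input.` — provided that is what the parser actually does, which this hunk does not show.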
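Review bot: The values of `enum call_type` are decoded straight from fuzzer input, so the enumerator order is effectively the corpus file format, and inserting an entry anywhere other than directly before `CALL_TYPE_MAX_PLUS_1` silently changes the meaning of every existing test case; the comment `/* must be last entry */` does not convey that. I would widen it to `/* Values are read from fuzzer input, so the order is part of the corpus format: append new entries before this sentinel, never reorder. */`. Wherever the parsed value is switched on (outside this hunk), it should be reduced or rejected so that only values below `CALL_TYPE_MAX_PLUS_1` are dispatched, and the `switch` should keep a `default:` so an out-of-range byte cannot select an undefined call. Separately, `buf` and `prbuf` are deleted here while the context lines of the @@ -180 hunk still pass `buf, sizeof buf` to `nbd_aio_pread`; that hunk is cut off in this message, so the replacement presumably follows in the part not shown, but it is worth confirming the file still compiles.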
@@ -180,6 +205,10 @@ client (int sock)
   length = nbd_get_size (nbd);
+  /* Main loop: Consume fuzzer data to decide which calls we will make. */
+ while (more_fuzzed_data + + /* Test common asynchronous I/O calls. */
   nbd_aio_pread (nbd, buf, sizeof buf, 0, NBD_NULL_COMPLETION, 0);
   nbd_aio_pwrite (nbd, buf, sizeof buf, 0, NBD_NULL_COMPLETION, 0);
diff --git a/fuzzing/libnbd-libfuzzer-test.c b/fuzzing/libnbd-libfuzzer-test.c
index 1721b74..cf6c1cf 100644
--- a/fuzzing/libnbd-libfuzzer-test.c
+++ b/fuzzing/libnbd-libfuzzer-test.c
@@ -22,6 +22,10 @@
  *
  * - This case is mostly unmaintained. The maintainers use AFL++ for
  *   fuzzing (see libnbd-fuzz-wrapper.c).
+ *
+ * - This test needs to be updated to use the new method of reading
+ *   input via the fuzzed data provider (see again
+ *   libnbd-fuzz-wrapper.c).
  */
 #include <config.h>
--
2.43.1
_______________________________________________
Libguestfs mailing list -- guestfs@lists.libguestfs.org
To unsubscribe send an email to guestfs-le...@lists.libguestfs.org