-rw-r--r--custom_mutators/examples/custom_send.c56
-rw-r--r--docs/custom_mutators.md1
-rw-r--r--include/afl-fuzz.h2
-rw-r--r--src/afl-fuzz-mutators.c58
-rw-r--r--src/afl-fuzz-python.c16
5 files changed, 117 insertions, 16 deletions
diff --git a/custom_mutators/examples/custom_send.c b/custom_mutators/examples/custom_send.c
new file mode 100644
index 00000000..ffea927e
--- /dev/null
+++ b/custom_mutators/examples/custom_send.c
@@ -0,0 +1,56 @@
+// cc -O3 -fPIC -shared -g -o custom_send.so -I../../include custom_send.c
+// cd ../..
+// afl-cc -o test-instr test-instr.c
+// afl-fuzz -i in -o out -- ./test-instr -f /tmp/foo
+
+#include "custom_mutator_helpers.h"
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+typedef struct my_mutator {
+
+  afl_t *afl;
+
+} my_mutator_t;
+
+my_mutator_t *afl_custom_init(afl_t *afl, unsigned int seed) {
+
+  my_mutator_t *data = calloc(1, sizeof(my_mutator_t));
+  if (!data) {
+
+    perror("afl_custom_init alloc");
+    return NULL;
+
+  }
+
+  data->afl = afl;
+
+  return data;
+
+}
+
+void afl_custom_fuzz_send(my_mutator_t *data, uint8_t *buf, size_t buf_size) {
+
+  int fd = open("/tmp/foo", O_CREAT | O_NOFOLLOW | O_TRUNC | O_RDWR, 0644);
+
+  if (fd >= 0) {
+
+    (void)write(fd, buf, buf_size);
+    close(fd);
+
+  }
+
+  return;
+
+}
+
+void afl_custom_deinit(my_mutator_t *data) {
+
+  free(data);
+
+}
+
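Review bot: The `write()` result on the line `(void)write(fd, buf, buf_size);` is discarded, so a short write or an error leaves the target reading a truncated or empty `/tmp/foo` with nothing in the fuzzer output to say so. Because the path is fixed and sits in a world-writable directory, `open()` without `O_EXCL` also reuses and truncates any file that already exists there; `O_NOFOLLOW` only refuses a symlink as the last path component, and the example does not mention that a per-user or per-run path would be the safer choice for real use. For an example meant to be copied, looping until `buf_size` bytes are written and reporting failures via `perror` keeps what reaches the target consistent with what the mutator produced. `data` and `seed` are unused, and the `afl` pointer stored in `afl_custom_init` is never read.
```c
void afl_custom_fuzz_send(my_mutator_t *data, uint8_t *buf, size_t buf_size) {

  int fd = open("/tmp/foo", O_CREAT | O_NOFOLLOW | O_TRUNC | O_RDWR, 0644);
  if (fd < 0) {

    perror("afl_custom_fuzz_send open");
    return;

  }

  /* write() may return fewer bytes than requested; keep going until done */
  size_t done = 0;
  while (done < buf_size) {

    ssize_t n = write(fd, buf + done, buf_size - done);
    if (n <= 0) {

      perror("afl_custom_fuzz_send write");
      break;

    }

    done += (size_t)n;

  }

  close(fd);

}
```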
diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md
index ecc004e2..4ffeda7a 100644
--- a/docs/custom_mutators.md
+++ b/docs/custom_mutators.md
@@ -177,6 +177,7 @@ def deinit():  # optional for Python
     This method can be used if you want to send data to the target yourself,
     e.g. via IPC. This replaces some usage of utils/afl_proxy but requires
     that you start the target with afl-fuzz.
+    Example: [custom_mutators/examples/custom_send.c](custom_mutators/examples/custom_send.c)
 
 - `queue_new_entry` (optional):
 
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 76d7f3f9..88646db3 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -333,6 +333,7 @@ enum {
   /* 11 */ PY_FUNC_QUEUE_NEW_ENTRY,
   /* 12 */ PY_FUNC_INTROSPECTION,
   /* 13 */ PY_FUNC_DESCRIBE,
+  /* 14 */ PY_FUNC_FUZZ_SEND,
   PY_FUNC_COUNT
 
 };
@@ -1035,6 +1036,7 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *, char *);
 void                   finalize_py_module(void *);
 
 u32         fuzz_count_py(void *, const u8 *, size_t);
+void        fuzz_send_py(void *, const u8 *, size_t);
 size_t      post_process_py(void *, u8 *, size_t, u8 **);
 s32         init_trim_py(void *, u8 *, size_t);
 s32         post_trim_py(void *, u8);
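Review bot: `fuzz_send_py` is declared `void`, so a failure of the Python call has no way to reach the caller; that matters because the `afl-fuzz-python.c` hunk on this page drops the `PyErr_Print()`/`FATAL` path and only handles the non-NULL result, leaving a NULL return — and the Python exception it signals — unreported and still pending for the next Python API call. Either keep the error handling inside `fuzz_send_py` (`else { PyErr_Print(); FATAL("Call failed"); }`, or at least `else { PyErr_Print(); }` if a failed send is meant to be non-fatal) or give the prototype a status return like `fuzz_count_py` above it so afl-fuzz can react. A short comment on the declaration stating whether a failed send aborts or is ignored would document the chosen contract.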
diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c
index f3d0bc96..ef30b993 100644
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@@ -211,8 +211,16 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
 
       WARNF("Symbol 'afl_custom_mutator' not found.");
 
+    } else {
+
+      OKF("Found 'afl_custom_mutator'.");
+
     }
 
+  } else {
+
+    OKF("Found 'afl_custom_mutator'.");
+
   }
 
   /* "afl_custom_introspection", optional */
@@ -222,6 +230,10 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
 
     ACTF("optional symbol 'afl_custom_introspection' not found.");
 
+  } else {
+
+    OKF("Found 'afl_custom_introspection'.");
+
   }
 
 #endif
@@ -232,6 +244,10 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
 
     ACTF("optional symbol 'afl_custom_fuzz_count' not found.");
 
+  } else {
+
+    OKF("Found 'afl_custom_fuzz_count'.");
+
   }
 
   /* "afl_custom_deinit", optional for backward compatibility */
@@ -248,6 +264,10 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
 
     ACTF("optional symbol 'afl_custom_post_process' not found.");
 
+  } else {
+
+    OKF("Found 'afl_custom_post_process'.");
+
   }
 
   u8 notrim = 0;
@@ -258,6 +278,10 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
     notrim = 1;
     ACTF("optional symbol 'afl_custom_init_trim' not found.");
 
+  } else {
+
+    OKF("Found 'afl_custom_init_trim'.");
+
   }
 
   /* "afl_custom_trim", optional */
@@ -267,6 +291,10 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
     notrim = 1;
     ACTF("optional symbol 'afl_custom_trim' not found.");
 
+  } else {
+
+    OKF("Found 'afl_custom_trim'.");
+
   }
 
   /* "afl_custom_post_trim", optional */
@@ -276,6 +304,10 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
     notrim = 1;
     ACTF("optional symbol 'afl_custom_post_trim' not found.");
 
+  } else {
+
+    OKF("Found 'afl_custom_post_trim'.");
+
   }
 
   if (notrim) {
@@ -295,6 +327,10 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
 
     ACTF("optional symbol 'afl_custom_havoc_mutation' not found.");
 
+  } else {
+
+    OKF("Found 'afl_custom_havoc_mutation'.");
+
   }
 
   /* "afl_custom_havoc_mutation", optional */
@@ -304,6 +340,10 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
 
     ACTF("optional symbol 'afl_custom_havoc_mutation_probability' not found.");
 
+  } else {
+
+    OKF("Found 'afl_custom_havoc_mutation_probability'.");
+
   }
 
   /* "afl_custom_queue_get", optional */
@@ -312,6 +352,10 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
 
     ACTF("optional symbol 'afl_custom_queue_get' not found.");
 
+  } else {
+
+    OKF("Found 'afl_custom_queue_get'.");
+
   }
 
   /* "afl_custom_fuzz_send", optional */
@@ -320,6 +364,10 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
 
     ACTF("optional symbol 'afl_custom_fuzz_send' not found.");
 
+  } else {
+
+    OKF("Found 'afl_custom_fuzz_send'.");
+
   }
 
   /* "afl_custom_queue_new_entry", optional */
@@ -328,13 +376,21 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
 
     ACTF("optional symbol 'afl_custom_queue_new_entry' not found");
 
+  } else {
+
+    OKF("Found 'afl_custom_queue_new_entry'.");
+
   }
 
   /* "afl_custom_describe", optional */
   mutator->afl_custom_describe = dlsym(dh, "afl_custom_describe");
   if (!mutator->afl_custom_describe) {
 
-    ACTF("Symbol 'afl_custom_describe' not found.");
+    ACTF("optional symbol 'afl_custom_describe' not found.");
+
+  } else {
+
+    OKF("Found 'afl_custom_describe'.");
 
   }
 
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c
index 54b05978..d8aed8c6 100644
--- a/src/afl-fuzz-python.c
+++ b/src/afl-fuzz-python.c
@@ -920,21 +920,7 @@ void fuzz_send_py(void *py_mutator, const u8 *buf, size_t buf_size) {
       ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_FUZZ_SEND], py_args);
   Py_DECREF(py_args);
 
-  if (py_value != NULL) {
-
-  #if PY_MAJOR_VERSION >= 3
-    u32 retcnt = (u32)PyLong_AsLong(py_value);
-  #else
-    u32 retcnt = PyInt_AsLong(py_value);
-  #endif
-    Py_DECREF(py_value);
-
-  } else {
-
-    PyErr_Print();
-    FATAL("Call failed");
-
-  }
+  if (py_value != NULL) { Py_DECREF(py_value); }
 
 }