-rw-r--r-- | docs/env_variables.md | 4 | ||||
-rw-r--r-- | include/envs.h | 2 | ||||
-rw-r--r-- | src/afl-fuzz-state.c | 14 | ||||
-rw-r--r-- | src/afl-fuzz.c | 43 |
4 files changed, 34 insertions, 29 deletions
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 2a8fbcb7..f7ad4ff9 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -400,6 +400,10 @@ checks or alter some of the more exotic semantics of the tool:
 This makes the "own finds" counter in the UI more accurate. Beyond counter aesthetics, not much else should change.
 
+ - Setting `AFL_INPUT_LEN_MIN` and `AFL_INPUT_LEN_MAX` are an alternative to
+ the afl-fuzz -g/-G command line option to control the minimum/maximum
+ of fuzzing input generated.
+
 - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes on timeout. Unless you implement your own targets or instrumentation, you likely don't have to set it. By default, on timeout and on exit, `SIGKILL`
diff --git a/include/envs.h b/include/envs.h
index 3bacc380..538ea3a8 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -98,6 +98,8 @@ static char *afl_environment_variables[] = {
 "AFL_IGNORE_PROBLEMS",
 "AFL_IGNORE_UNKNOWN_ENVS",
 "AFL_IMPORT_FIRST",
+ "AFL_INPUT_LEN_MIN",
+ "AFL_INPUT_LEN_MAX",
 "AFL_INST_LIBS",
 "AFL_INST_RATIO",
 "AFL_KILL_SIGNAL",
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index 24bd28dd..115e62de 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -482,6 +482,20 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
 afl->afl_env.afl_target_env =
 (u8 *)get_afl_env(afl_environment_variables[i]);
 
+ } else if (!strncmp(env, "AFL_INPUT_LEN_MIN",
+
+ afl_environment_variable_len)) {
+
+ afl->min_length = atoi(
+ (u8 *)get_afl_env(afl_environment_variables[i]));
+
+ } else if (!strncmp(env, "AFL_INPUT_LEN_MAX",
+
+ afl_environment_variable_len)) {
+
+ afl->max_length = atoi(
+ (u8 *)get_afl_env(afl_environment_variables[i]));
+
 }
 
 } else {
 
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 6ca9be33..ffa991ae 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
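Review bot: The new AFL_INPUT_LEN_MIN/AFL_INPUT_LEN_MAX branches in read_afl_environment() store the atoi() result straight into afl->min_length and afl->max_length with no range check, so an unparsable or negative value silently becomes 0 or wraps and a minimum larger than the maximum is accepted; the -g/-G cases in the src/afl-fuzz.c main() hunk (cut off at the end of this page) have the same gap and additionally drop the `min_length < 1 || max_length > MAX_FILE || min_length > max_length` check the old -y option performed. Since either bound can arrive from the environment or the command line in either order, the check belongs once after both sources are parsed rather than in each branch: `if (afl->min_length < 1 || afl->max_length > MAX_FILE || afl->min_length > afl->max_length) { FATAL("Illegal min/max length values"); }`. Parsing with strtoul() and rejecting a non-empty remainder in endptr would also refuse garbage input instead of reading it as 0; presumably the mutation buffers are sized against MAX_FILE, so an unchecked max_length above it is the value most worth refusing. read_afl_environment() begins and ends outside this hunk.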
@@ -155,9 +155,9 @@ static void usage(u8 *argv0, int more_help) {
 "\n"
 "Mutator settings:\n"
- " -y [min-]max - set minimum and maximum length of generated fuzzing "
- "input.\n"
- " default: 1-%lu\n"
+ " -g minlength - set min length of generated fuzz input (default: 1)\n"
+ " -G minlength - set max length of generated fuzz input (default: " "%lu)\n"
 " -D - enable deterministic fuzzing (once per queue entry)\n"
 " -L minutes - use MOpt(imize) mode and set the time limit for "
 "entering the\n"
@@ -256,6 +256,7 @@ static void usage(u8 *argv0, int more_help) {
 "AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars\n"
 "AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected during a run\n"
 "AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n"
+ "AFL_INPUT_LEN_MIN/AFL_INPUT_LEN_MAX: like -g/-G set min/max fuzz length produced\n"
 "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n"
 "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n"
 " the target was compiled for\n"
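Review bot: The new -G help line in usage() labels its argument `minlength` although the option sets the maximum length, so the help text contradicts the -g line directly above it. It should read `"  -G maxlength  - set max length of generated fuzz input (default: "` followed by the existing `"%lu)\n"` literal. The AFL_INPUT_LEN_MIN/AFL_INPUT_LEN_MAX line added in the second hunk on this line is consistent with the docs change and needs no edit.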
@@ -530,37 +531,21 @@ int main(int argc, char **argv_orig, char **envp) {
 afl->shmem_testcase_mode = 1; // we always try to perform shmem fuzzing
 
- while ((opt = getopt(
- argc, argv,
- "+Ab:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNOo:p:RQs:S:t:T:UV:WXx:Yy:Z")) >
- 0) {
+ while (
+ (opt = getopt(
+ argc, argv,
+ "+Ab:B:c:CdDe:E:hi:I:f:F:g:G:l:L:m:M:nNOo:p:RQs:S:t:T:UV:WXx:YZ")) >
+ 0) {
 
 switch (opt) {
 
- case 'y': {
-
- u8 *sep;
- if (!(sep = strchr(optarg, '-')) && !(sep = strchr(optarg, ':'))) {
-
- afl->max_length = atoi(optarg);
-
- } else {
-
- afl->min_length = atoi(optarg);
- afl->max_length = atoi(sep + 1);
-
- }
-
- if (afl->min_length < 1 || afl->max_length > MAX_FILE ||
- afl->min_length > afl->max_length) {
-
- FATAL("Illegal min/max length values: %s", optarg);
-
- }
-
+ case 'g':
+ afl->min_length = atoi(optarg);
 break;
- }
+ case 'G':
+ afl->max_length = atoi(optarg);
+ break;
 
 case 'Z':
 afl->old_seed_selection = 1; |