fuzz: Simplify TCP checksum code
diff --git a/fuzzing/helper.h b/fuzzing/helper.h
index efcbd3f..5a571a2 100644
--- a/fuzzing/helper.h
+++ b/fuzzing/helper.h
@@ -1,3 +1,6 @@
+#ifndef _HELPER_H
+#define _HELPER_H
+
#ifdef _WIN32
/* as defined in sdkddkver.h */
#ifndef _WIN32_WINNT
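Review bot: `_HELPER_H` is a reserved identifier — names that begin with an underscore followed by an uppercase letter belong to the implementation (C11 §7.1.3), so the new include guard can collide with a macro from a system header; the `_WIN32_WINNT` checked on the next lines is an example of that namespace. A project-scoped guard avoids it: `#ifndef SLIRP_FUZZ_HELPER_H` / `#define SLIRP_FUZZ_HELPER_H`, with the closing comment in the second hunk updated to match.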
@@ -10,4 +13,8 @@
#include <stdint.h>
#include <netinet/in.h>
+#define PSEUDO_IP_SIZE (4*2 + 4)
+
uint16_t compute_checksum(uint8_t *Data, size_t Size);
+
+#endif /* _HELPER_H */
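Review bot: `PSEUDO_IP_SIZE (4*2 + 4)` encodes the TCP pseudo-header layout without saying so, and the users in the three .c files still write the protocol and length bytes at hard-coded offsets 9..11, so a reader needs the 4+4+1+1+2 layout in their head to check them. A comment above the define would tie the constant to those offsets: `/* IPv4 pseudo-header appended for the TCP checksum: src addr (4) + dst addr (4) + zero (1) + protocol (1) + TCP length (2) */`. Naming the two address bytes separately (the `4*2` term) would also let the memcpy callers drop their own literal.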
diff --git a/fuzzing/slirp_fuzz_tcp.c b/fuzzing/slirp_fuzz_tcp.c
index 50e480e..461d430 100644
--- a/fuzzing/slirp_fuzz_tcp.c
+++ b/fuzzing/slirp_fuzz_tcp.c
@@ -14,7 +14,7 @@
extern size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
size_t MaxSize, unsigned int Seed)
{
- size_t i, current_size = Size;
+ size_t current_size = Size;
uint8_t *Data_ptr = Data;
uint8_t *ip_data;
uint32_t ipsource;
@@ -69,7 +69,7 @@
// Allocate a bit more than needed, this is useful for
// checksum calculation.
- uint8_t Data_to_mutate[MaxSize + 12];
+ uint8_t Data_to_mutate[MaxSize + PSEUDO_IP_SIZE];
uint8_t ip_hl = (ip_data[0] & 0xF);
uint8_t ip_hl_in_bytes = ip_hl * 4; /* ip header length */
@@ -93,7 +93,7 @@
// Copy interesting data to the `Data_to_mutate` array
// here we want to fuzz everything in the tcp packet
- memset(Data_to_mutate, 0, MaxSize + 12);
+ memset(Data_to_mutate, 0, MaxSize + PSEUDO_IP_SIZE);
memcpy(Data_to_mutate, start_of_tcp, tcp_size);
// Call to libfuzzer's mutation function.
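Review bot: `memset(Data_to_mutate, 0, MaxSize + PSEUDO_IP_SIZE)` repeats the size expression from the array's declaration; `sizeof` is evaluated at run time for a VLA, so `memset(Data_to_mutate, 0, sizeof Data_to_mutate);` keeps the two in step if the declaration changes again. The same line appears in slirp_fuzz_tcp_data.c and slirp_fuzz_tcp_header.c. The enclosing LLVMFuzzerCustomMutator starts and ends outside the hunk.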
@@ -113,12 +113,7 @@
// Copy the source and destination IP addresses, the tcp length and
// protocol number at the end of the `Data_to_mutate` array to calculate
// the new checksum.
- for (i = 0; i < 4; i++) {
- *(Data_to_mutate + tcp_size + i) = *(ip_data + 12 + i);
- }
- for (i = 0; i < 4; i++) {
- *(Data_to_mutate + tcp_size + 4 + i) = *(ip_data + 16 + i);
- }
+ memcpy(Data_to_mutate + tcp_size, ip_data + 12, 4*2);
*(Data_to_mutate + tcp_size + 9) = IPPROTO_TCP;
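Review bot: The new `memcpy` still hard-codes the pseudo-header layout — the `12` source offset, the `4*2` length, and the `+ 9` protocol slot on the following line — even though the commit just introduced `PSEUDO_IP_SIZE` for the total, so a reader has to know the IPv4 header to see that `ip_data + 12` is the source/destination address pair. A comment on the call would make that explicit: `/* IPv4 src+dst addresses (header bytes 12..19) form the first 8 bytes of the TCP pseudo-header */`, or better, named offsets next to `PSEUDO_IP_SIZE` in helper.h. The copy reads header bytes 12..19, which presumes an IP header of at least 20 bytes; whether `ip_hl` is validated before this point is not visible in the hunk. The same lines appear in slirp_fuzz_tcp_data.c and slirp_fuzz_tcp_header.c; the function continues outside the hunk.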
@@ -126,7 +121,7 @@
*(Data_to_mutate + tcp_size + 11) = (uint8_t)(tcp_size % 256);
uint16_t new_checksum =
- compute_checksum(Data_to_mutate, tcp_size + 12);
+ compute_checksum(Data_to_mutate, tcp_size + PSEUDO_IP_SIZE);
*(uint16_t *)(Data_to_mutate + 16) = htons(new_checksum);
// Copy the mutated data back to the `Data` array
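Review bot: `*(uint16_t *)(Data_to_mutate + 16) = htons(new_checksum);`, the line right after the changed call, stores through a `uint16_t *` into a `uint8_t` array, which violates strict aliasing and may be a misaligned store, since a `uint8_t` VLA is only guaranteed byte alignment; the commit touches the neighbouring line but leaves this. The portable form is two lines: `uint16_t csum_be = htons(new_checksum); memcpy(Data_to_mutate + 16, &csum_be, sizeof csum_be);`. The `16` is the TCP checksum field offset and deserves the same naming treatment `PSEUDO_IP_SIZE` received. The same store exists in slirp_fuzz_tcp_data.c and slirp_fuzz_tcp_header.c; the function continues beyond the hunk.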
diff --git a/fuzzing/slirp_fuzz_tcp_data.c b/fuzzing/slirp_fuzz_tcp_data.c
index 7d8bdc0..03d56da 100644
--- a/fuzzing/slirp_fuzz_tcp_data.c
+++ b/fuzzing/slirp_fuzz_tcp_data.c
@@ -14,7 +14,7 @@
extern size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
size_t MaxSize, unsigned int Seed)
{
- size_t i, current_size = Size;
+ size_t current_size = Size;
uint8_t *Data_ptr = Data;
uint8_t *ip_data;
uint32_t ipsource;
@@ -69,7 +69,7 @@
// Allocate a bit more than needed, this is useful for
// checksum calculation.
- uint8_t Data_to_mutate[MaxSize + 12];
+ uint8_t Data_to_mutate[MaxSize + PSEUDO_IP_SIZE];
uint8_t ip_hl = (ip_data[0] & 0xF);
uint8_t ip_hl_in_bytes = ip_hl * 4; /* ip header length */
@@ -96,7 +96,7 @@
// Copy interesting data to the `Data_to_mutate` array
// here we want to fuzz everything in the tcp packet
- memset(Data_to_mutate, 0, MaxSize + 12);
+ memset(Data_to_mutate, 0, MaxSize + PSEUDO_IP_SIZE);
memcpy(Data_to_mutate, start_of_tcp, tcp_size);
// Call to libfuzzer's mutation function.
@@ -116,12 +116,7 @@
// Copy the source and destination IP addresses, the tcp length and
// protocol number at the end of the `Data_to_mutate` array to calculate
// the new checksum.
- for (i = 0; i < 4; i++) {
- *(Data_to_mutate + tcp_size + i) = *(ip_data + 12 + i);
- }
- for (i = 0; i < 4; i++) {
- *(Data_to_mutate + tcp_size + 4 + i) = *(ip_data + 16 + i);
- }
+ memcpy(Data_to_mutate + tcp_size, ip_data + 12, 4*2);
*(Data_to_mutate + tcp_size + 9) = IPPROTO_TCP;
@@ -129,7 +124,7 @@
*(Data_to_mutate + tcp_size + 11) = (uint8_t)(tcp_size % 256);
uint16_t new_checksum =
- compute_checksum(Data_to_mutate, tcp_size + 12);
+ compute_checksum(Data_to_mutate, tcp_size + PSEUDO_IP_SIZE);
*(uint16_t *)(Data_to_mutate + 16) = htons(new_checksum);
// Copy the mutated data back to the `Data` array
diff --git a/fuzzing/slirp_fuzz_tcp_header.c b/fuzzing/slirp_fuzz_tcp_header.c
index 109e463..7fc7b4e 100644
--- a/fuzzing/slirp_fuzz_tcp_header.c
+++ b/fuzzing/slirp_fuzz_tcp_header.c
@@ -14,7 +14,7 @@
extern size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
size_t MaxSize, unsigned int Seed)
{
- size_t i, current_size = Size;
+ size_t current_size = Size;
uint8_t *Data_ptr = Data;
uint8_t *ip_data;
uint32_t ipsource;
@@ -69,7 +69,7 @@
// Allocate a bit more than needed, this is useful for
// checksum calculation.
- uint8_t Data_to_mutate[MaxSize + 12];
+ uint8_t Data_to_mutate[MaxSize + PSEUDO_IP_SIZE];
uint8_t ip_hl = (ip_data[0] & 0xF);
uint8_t ip_hl_in_bytes = ip_hl * 4; /* ip header length */
@@ -95,7 +95,7 @@
// Copy interesting data to the `Data_to_mutate` array
// here we want to fuzz everything in the tcp packet
- memset(Data_to_mutate, 0, MaxSize + 12);
+ memset(Data_to_mutate, 0, MaxSize + PSEUDO_IP_SIZE);
memcpy(Data_to_mutate, start_of_tcp, tcp_size);
// Call to libfuzzer's mutation function.
@@ -115,12 +115,7 @@
// Copy the source and destination IP addresses, the tcp length and
// protocol number at the end of the `Data_to_mutate` array to calculate
// the new checksum.
- for (i = 0; i < 4; i++) {
- *(Data_to_mutate + tcp_size + i) = *(ip_data + 12 + i);
- }
- for (i = 0; i < 4; i++) {
- *(Data_to_mutate + tcp_size + 4 + i) = *(ip_data + 16 + i);
- }
+ memcpy(Data_to_mutate + tcp_size, ip_data + 12, 4*2);
*(Data_to_mutate + tcp_size + 9) = IPPROTO_TCP;
@@ -128,7 +123,7 @@
*(Data_to_mutate + tcp_size + 11) = (uint8_t)(tcp_size % 256);
uint16_t new_checksum =
- compute_checksum(Data_to_mutate, tcp_size + 12);
+ compute_checksum(Data_to_mutate, tcp_size + PSEUDO_IP_SIZE);
*(uint16_t *)(Data_to_mutate + 16) = htons(new_checksum);
// Copy the mutated data back to the `Data` array