diff --git a/include/config.h b/include/config.h
index c791431b..d00f1709 100644
--- a/include/config.h
+++ b/include/config.h
@@ -339,6 +339,10 @@
 #define AVG_SMOOTHING 16
+/* Max length of sync id (the id after -M and -S) */
+
+#define SYNC_ID_MAX_LEN 50
+
 /* Sync interval (every n havoc cycles): */
 #define SYNC_INTERVAL 8
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index f0bebc3c..d6dee352 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -2791,9 +2791,9 @@ void fix_up_sync(afl_state_t *afl) {
 }
- if (strlen(afl->sync_id) > 50) {
+ if (strlen(afl->sync_id) > SYNC_ID_MAX_LEN) {
- FATAL("sync_id max length is 50 characters");
+ FATAL("sync_id max length is %d characters", SYNC_ID_MAX_LEN);
 }
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 091753c7..4c789670 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -701,15 +701,25 @@ abort_calibration:
 bool is_known_case(afl_state_t *afl, u8 *name, void *mem, u32 len) {
- int sync_id_pos;
- u32 id, src_id;
- if (sscanf(name, "id:%06u,sync:%n%*[^,],src:%06u", &id, &sync_id_pos, &src_id) != 2) return false;
+ static char coming_from_me_str[16 + SYNC_ID_MAX_LEN];
+ static int coming_from_me_len = 0;
+ if (!coming_from_me_len) {
- if (strncmp(name + sync_id_pos, afl->sync_id, strlen(afl->sync_id)) != 0) return false;
- if (name[sync_id_pos + strlen(afl->sync_id)] != ',') return false;
+ snprintf(coming_from_me_str, sizeof(coming_from_me_str), ",sync:%s,src:", afl->sync_id);
+ coming_from_me_len = strlen(coming_from_me_str);
+
+ }
+
+ // 9 = strlen("id:000000"), 6 = strlen("000000")
+ if (strlen(name) < 9 + coming_from_me_len + 6) return false;
+ char *p = name + 9;
+ while ('0' <= *p && *p <= '9') p++;
+
+ if (strncmp(p, coming_from_me_str, coming_from_me_len) != 0) return false;
+
+ int src_id = atoi(p + coming_from_me_len);
 if (src_id < 0 || src_id >= afl->queued_items) return false;
 struct queue_entry *q = afl->queue_buf[src_id];
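Review bot: `int src_id = atoi(p + coming_from_me_len);` in the afl-fuzz-run.c hunk accepts an empty or non-numeric src field — `atoi` returns 0 for anything that is not a digit run, which then passes the range check on the following line and resolves to `queue_buf[0]`, and `atoi` is undefined on overflow — whereas the replaced `%06u` conversion rejected such names; parsing with `strtol` and an end-pointer check restores the old strictness (rewrite below). The static `coming_from_me_str` is filled from the first `afl->sync_id` this function ever sees and never refreshed, which is presumably fine while one process owns one state, but deserves a comment such as `/* cached once: assumes afl->sync_id is fixed for the process lifetime */`. The new matching also no longer verifies the leading `id:` — `p = name + 9` just skips nine bytes — which I take to be acceptable for queue file names but is a relaxation over the old sscanf format worth noting next to the `// 9 = strlen("id:000000")` comment. is_known_case continues past the end of the hunk.
```c
  // … unchanged: cached coming_from_me_str setup, prefix skip and strncmp …
  char *end = NULL;
  long v = strtol(p + coming_from_me_len, &end, 10);
  if (end == p + coming_from_me_len || v < 0 || v >= (long)afl->queued_items) return false;
  int src_id = (int)v;
  // … unchanged: queue_buf lookup …
```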