microsoft · Knight-Ops · Aug 30, 2019 · Sep 6, 2019 · Sep 7, 2019 · Sep 7, 2019
diff --git a/examples/example_fuzzer/Cargo.toml b/examples/example_fuzzer/Cargo.toml
@@ -7,3 +7,5 @@ edition = "2018"
 [dependencies]
 lain = { version = "0.2", path = "../../lain" }
 ctrlc = "3.1"
+env_logger = "0.6.2"
+log = "0.4"
diff --git a/examples/example_fuzzer/src/main.rs b/examples/example_fuzzer/src/main.rs
@@ -1,7 +1,6 @@
 #![feature(specialization)]
 
-extern crate lain;
-extern crate ctrlc;
+use env_logger;
 
 use lain::prelude::*;
 use lain::rand::Rng;
@@ -25,7 +24,7 @@ struct FuzzerThreadContext {
 #[derive(Default)]
 struct GlobalContext {
     // unused, but you could put an iteration
-    // counter per operation here or whatever you'd like
+// counter per operation here or whatever you'd like
 }
 
 #[derive(Debug, Default, Clone, NewFuzzed, Mutatable, VariableSizeObject, BinarySerialize)]
@@ -60,6 +59,9 @@ impl Default for PacketType {
 }
 
 fn main() {
+    // env_logger::builder()
+    //     .filter_level(log::LevelFilter::Info)
+    //     .init();
     let mut driver = FuzzerDriver::<GlobalContext>::new(THREAD_COUNT);
 
     driver.set_global_context(Default::default());
@@ -69,7 +71,8 @@ fn main() {
 
     ctrlc::set_handler(move || {
         ctrlc_driver.signal_exit();
-    }).expect("couldn't set CTRL-C handler");
+    })
+    .expect("couldn't set CTRL-C handler");
 
     start_fuzzer(driver.clone(), fuzzer_routine);
 
@@ -78,7 +81,11 @@ fn main() {
     println!("Finished in {} iterations", driver.num_iterations());
 }
 
-fn fuzzer_routine<R: Rng>(mutator: &mut Mutator<R>, thread_context: &mut FuzzerThreadContext, _global_context: Option<Arc<RwLock<GlobalContext>>>) -> Result<(), ()> {
+fn fuzzer_routine<R: Rng>(
+    mutator: &mut Mutator<R>,
+    thread_context: &mut FuzzerThreadContext,
+    _global_context: Option<Arc<RwLock<GlobalContext>>>,
+) -> Result<(), ()> {
     // TODO: we have overhead here of re-estabilishing the connection every time
     let mut stream = TcpStream::connect("127.0.0.1:8080").expect("server isn't running. possible crash?");
 

diff --git a/lain/src/mutatable.rs b/lain/src/mutatable.rs
@@ -164,7 +164,7 @@ fn shrink_vec<T, R: Rng>(vec: &mut Vec<T>, mutator: &mut Mutator<R>) {
         VecResizeCount::Quarter => vec.len() / 4,
         VecResizeCount::Half => vec.len() / 2,
         VecResizeCount::ThreeQuarters => vec.len() - (vec.len() / 4),
-        VecResizeCount::FixedBytes => mutator.gen_range(1, 9),
+        VecResizeCount::FixedBytes => min(mutator.gen_range(1, 9), vec.len()),
         VecResizeCount::AllBytes => vec.len(),
     };
 

diff --git a/lain/src/mutator.rs b/lain/src/mutator.rs
@@ -2,6 +2,7 @@ use rand::seq::SliceRandom;
 use rand::Rng;
 
 use crate::rand::distributions::uniform::{SampleBorrow, SampleUniform};
+use crate::rand;
 use crate::traits::*;
 use crate::types::*;
 use num::{Bounded, NumCast};
@@ -118,6 +119,10 @@ impl<R: Rng> Mutator<R> {
         self.corpus_state = state;
     }
 
+    pub fn set_total_fields(&mut self, count: usize) {
+        self.corpus_state.target_total_fields += count;
+    }
+
     /// Generates a random choice of the given type
     pub fn gen<T: 'static>(&mut self) -> T
     where
@@ -143,7 +148,7 @@ impl<R: Rng> Mutator<R> {
     {
         // info!("{:?}", self.mode());
         // info!("num is: {}", mn);
-        // info!("{}, {}, {}, {}", self.corpus_state.fields_fuzzed, self.corpus_state.targeted_field_idx, self.corpus_state.target_total_fields, self.corpus_state.target_total_passes);
+        // info!("Fields Fuzzed: {}, Targeted Field Index:  {}, Target Total Fields: {}, Total Passe: {}", self.corpus_state.fields_fuzzed, self.corpus_state.targeted_field_idx, self.corpus_state.target_total_fields, self.corpus_state.target_total_passes);
         self.corpus_state.fields_fuzzed += 1;
 
         if self.mode() != MutatorMode::Havoc && self.corpus_state.finished_iteration
@@ -224,6 +229,7 @@ impl<R: Rng> Mutator<R> {
             }
             MutatorMode::Havoc => {
                 // stay in havoc mode since we've exhausted all other states
+                self.corpus_state.targeted_field_idx = rand::thread_rng().gen_range(0, self.corpus_state.target_total_fields + 1);
             }
         }
 

diff --git a/lain_derive/src/mutations.rs b/lain_derive/src/mutations.rs
@@ -344,6 +344,8 @@ fn new_fuzzed_struct (
         let mut uninit_struct = std::mem::MaybeUninit::<#cont_ident>::uninit();
         let uninit_struct_ptr = uninit_struct.as_mut_ptr();
 
+        mutator.set_total_fields(#len - 1);
+
         if Self::is_variable_size() {
             // this makes for ugly code generation, but better perf
             for i in sample(&mut mutator.rng, #len, #len).iter() {