From 2c22eb644cdf65a4d9dcbe12fd5eb9a593d2181f Mon Sep 17 00:00:00 2001
From: Marten Seemann <martenseemann@gmail.com>
Date: Fri, 16 Aug 2019 13:06:55 +0700
Subject: [PATCH] fuzz the header parsing

---
 codecov.yml                    |   1 +
 fuzzing/header/corpus/header-0 | Bin 0 -> 223 bytes
 fuzzing/header/corpus/header-1 | Bin 0 -> 936 bytes
 fuzzing/header/corpus/header-2 | Bin 0 -> 416 bytes
 fuzzing/header/corpus/header-3 | Bin 0 -> 689 bytes
 fuzzing/header/corpus/header-4 | Bin 0 -> 56 bytes
 fuzzing/header/corpus/header-5 | Bin 0 -> 780 bytes
 fuzzing/header/corpus/header-6 |   2 +
 fuzzing/header/corpus/header-7 | Bin 0 -> 1026 bytes
 fuzzing/header/corpus/header-8 | Bin 0 -> 1027 bytes
 fuzzing/header/corpus/header-9 |   1 +
 fuzzing/header/corpus/vnp-0    | Bin 0 -> 46 bytes
 fuzzing/header/corpus/vnp-1    | Bin 0 -> 27 bytes
 fuzzing/header/corpus/vnp-2    | Bin 0 -> 434 bytes
 fuzzing/header/corpus/vnp-3    | Bin 0 -> 95 bytes
 fuzzing/header/corpus/vnp-4    | Bin 0 -> 42 bytes
 fuzzing/header/fuzz.go         |  64 ++++++++++++
 fuzzing/header/main.go         | 181 +++++++++++++++++++++++++++++++++
 18 files changed, 249 insertions(+)
 create mode 100644 fuzzing/header/corpus/header-0
 create mode 100644 fuzzing/header/corpus/header-1
 create mode 100644 fuzzing/header/corpus/header-2
 create mode 100644 fuzzing/header/corpus/header-3
 create mode 100644 fuzzing/header/corpus/header-4
 create mode 100644 fuzzing/header/corpus/header-5
 create mode 100644 fuzzing/header/corpus/header-6
 create mode 100644 fuzzing/header/corpus/header-7
 create mode 100644 fuzzing/header/corpus/header-8
 create mode 100644 fuzzing/header/corpus/header-9
 create mode 100644 fuzzing/header/corpus/vnp-0
 create mode 100644 fuzzing/header/corpus/vnp-1
 create mode 100644 fuzzing/header/corpus/vnp-2
 create mode 100644 fuzzing/header/corpus/vnp-3
 create mode 100644 fuzzing/header/corpus/vnp-4
 create mode 100644 fuzzing/header/fuzz.go
 create mode 100644 fuzzing/header/main.go

diff --git a/codecov.yml b/codecov.yml
index e3384e33e..c1fa03934 100644
--- a/codecov.yml
+++ b/codecov.yml
@@ -11,6 +11,7 @@ coverage:
     - internal/utils/packetinterval_linkedlist.go
     - internal/utils/linkedlist/linkedlist.go
     - quictrace/
+    - fuzzing/
   status:
     project:
       default:
diff --git a/fuzzing/header/corpus/header-0 b/fuzzing/header/corpus/header-0
new file mode 100644
index 0000000000000000000000000000000000000000..9bf45bc0d7a0ecc39c4e7fa385f8e2dd756df998
GIT binary patch
literal 223
jcmX?pFwouqKZk@?W0lia*VD{uN0%@-9M@jJFgySNmDvhk

literal 0
HcmV?d00001

diff --git a/fuzzing/header/corpus/header-1 b/fuzzing/header/corpus/header-1
new file mode 100644
index 0000000000000000000000000000000000000000..f553487eedb500fc6313cef8c0b8243fbb993d64
GIT binary patch
literal 936
ncmZ2=Akf|aKgY3+XPZCu+IurFI8S-bFbYOPU^D~<RR{n8-g61(

literal 0
HcmV?d00001

diff --git a/fuzzing/header/corpus/header-2 b/fuzzing/header/corpus/header-2
new file mode 100644
index 0000000000000000000000000000000000000000..178c6b6ced208b1234a10b341d1efc8b6ff03419
GIT binary patch
literal 416
zcmXRp80hZ*UszH<ChoWud)gCrL)}~xFV&gbH*oR3(LH{XIfp?mNb-n7eDM5RFTS)Z
e*QzIdQV98QX=VM^&%!e69b**|7)Al@LI40*r5tYn

literal 0
HcmV?d00001

diff --git a/fuzzing/header/corpus/header-3 b/fuzzing/header/corpus/header-3
new file mode 100644
index 0000000000000000000000000000000000000000..b544ea2a123dff4960defd810b044e87d9fb70e0
GIT binary patch
literal 689
qcmccgAkf|aKi5Rd<}ZEgCpS<1&f2dY)IP~+dOX7@7!85J7XkpiT@4`s

literal 0
HcmV?d00001

diff --git a/fuzzing/header/corpus/header-4 b/fuzzing/header/corpus/header-4
new file mode 100644
index 0000000000000000000000000000000000000000..9a5db557937e999524527548fb4be026beb6e039
GIT binary patch
literal 56
icmdn-DA3*iKaW?L&-Sw!i>f?wS+_7KxVc<nAOHa1i3*DV

literal 0
HcmV?d00001

diff --git a/fuzzing/header/corpus/header-5 b/fuzzing/header/corpus/header-5
new file mode 100644
index 0000000000000000000000000000000000000000..d13e69ab687ee19614f367cb1f46102eddb06217
GIT binary patch
literal 780
scmeCZ5a{mzpHtW6)}{Z4W>y7rBm{0hZ1t;pt<#5YhEXsY0wX8{0DMOd-2eap

literal 0
HcmV?d00001

diff --git a/fuzzing/header/corpus/header-6 b/fuzzing/header/corpus/header-6
new file mode 100644
index 000000000..aa8d1dca1
--- /dev/null
+++ b/fuzzing/header/corpus/header-6
@@ -0,0 +1,2 @@
+ÉðQGOÿ	aF­'jaeÙñý&�aïT*l
+Þ÷~Øfò	»¡E!U‘sÓG x
\ No newline at end of file
diff --git a/fuzzing/header/corpus/header-7 b/fuzzing/header/corpus/header-7
new file mode 100644
index 0000000000000000000000000000000000000000..cd11f832ca513b34cc45a5b5f5431613d41caef9
GIT binary patch
literal 1026
zcmV+d1pWKu@KHxk{|Wwv2Py;_^mV5Q9<|Vz7X+xI0Bh+;4!c_Ik(30iuJNd{=mFjE
zz$^#DG|xBXh}<WH8j!`6loa=vYCQX1JSlgd428Y~V@)2URlGDLdg!xNph@s|=*Ha^
zS`}cv<?~bgEJv^NAhscT6&tsU{Px><K>@L1?b!oZkgI!xbt@e};Y|`*xP0wcMCq5@
z9^1Nwz4LM0HmDWWJb*W8S0W|LQ2P#<->1~&nZj|`3fQ>~t$n0P7NFFxv1bW#<3Q0g
z(lfrwmKi;q)gP4|f@g#|P3LI*DQyD+BB=sXGQKQ@<EA0aI0HQl6p{7WiZPR<x4_bR
zsNGV&Htxk}fxm{9NpngmrzJ#3p~^egd&QR;SR@R;dBp~#lKSw})=Ar=A>tI4bzKjp
zX%@)I#`o4<Ac9NV!b%^tGv!lssVw5?4onT`HLIh%cgj1&jTny_k1m%>mmCoccTV26
z8Xk5H{OK<JaV}``tFf!ZlD)Q!UKP-1_EL9Y0z&SC15P4CQFs2z@XmFcX4ZMa>jq?G
z+#((E4_oe*$&j>xeP4YTfo^vqlAturgtkUDv=xd^LCwWL-1J3xke@g5ANc8|?83v*
zZb$$L_wzI@9oR%;vJ}uH)hAa<WYv9)q&Mm#$94lKmFb)aLUd(rqDj9Y=>EDNt11-u
z&F5O=_b~!Rdc0mmbD|5}d!MEb^xE@dYl1f}Oupu81FX9mXO-y5l*e~+7?4I_c#JXb
zLtO}6ayCoSNW6sV2kqqj8c`#!1(Ued;U?w&h3<VrYsK#oB=n#eG3h-bNq^li)GG}<
zBLZpvvZzO*tIWqfnqNTvZ^w68F$)gOK_ZqAx4P|q+-EajOqCPK`<d@w979^oW);-R
zMZ{4eX)Jxg=f?rC1Ty&Oi4KyxQc{XBo7wX0;lYU_ppty$tr_Sgj^HAs0do#IG~9*&
z!Y^#2)BbAc!CXJL_9S_M3Z3MsCyd_De=j3_2xUP_KiGYdgDpp=7sYD%Ejj)}D{H6a
z9YGDluDl#Cyq;ey^M-o+!EN_#b}{#qJn3vw6y0OG+3aN`n)U6R7(<{>PkEa@Ale4I
zsNeby)n0ytX-AJCTvn&W8%LbXxy+g5ldEg4)I=WZw52}|a5F=ul-oOB|5AE;tn^s?
zvB|f`{Y|rF>=_0s>}5rtA8lgJFItKobcmR%N6xT%&iw8=uc1s`jP5Rfh}r>w1uV4N
zhw^`V^WIHH#3b|d9PilOD{UW&y2Fdx96Mx9Y-@nvtIyUL;;!MDVX0qWUXv!>#$vsZ
wX+sM_BWl|_H%bLtxjew0(GDHeENJDBU5&ZYpd6|-N1BdkW9gC+@qWt*9gl(ncK`qY

literal 0
HcmV?d00001

diff --git a/fuzzing/header/corpus/header-8 b/fuzzing/header/corpus/header-8
new file mode 100644
index 0000000000000000000000000000000000000000..fc5983eddc96401262c92f7270f2599e53f2f592
GIT binary patch
literal 1027
zcmV+e1pNC`@KHxk{{RTFB?q2_J1^S`0<v4(y=x87f)T9+4+LoPIFVP8C2+4*zG+wM
zD`urdPLlMx45aOM?wa4dt8(d<>b{StgW&c$f&s<(9(ePdXf$mqXg={Oa7E0tBFe;Q
z?<0#=jRkAr2)TshxfjS3vWf_BrUvkr#rxSRLDoHZkfCAJb__VA^#uz#uF)GS59_D8
z&eNMGR`yNIJSyeH&d0%fkV!n?S5o=A;5o+dTmmvyW1rH~Tv^BLtP<ndY6+8<cP-h&
z1JOzj@HUqFHoA3p+cJxQzJo4*j(y%|i^w^N-6}ZD_~6R+uj@v=-NtPm-r%FmPXfIs
za*}Y8|8j@DCNTS%wX%X6uu`W2$RA)j&bjOxsm4mb@#^?eG@nw_X%c4+I+>1arID4~
z;m7VxD#<U=jCYw!=(i37)0Mg+cASP@mqTNFQx;%nfY;&);rMw86c<=!BBcQ9Lm1R?
z*)+^InR578)L0?xEuDVEmIxOo#!8{~tvO~;)8hG0(g*W{@^VbqECOrf&{#@?Iz+mF
z7g7}TFZB7S4|Cy&mzO#gS-HJo#AyVnyM|#=B7co{VNjqXwG``qTUhTcv;?&!xxEGs
z&q5^{rcJnXRF-3~`!Cyj_zg84AoI)GNkHyZE3=uR7p}$6;U*C6qG!U~p>p@?cz^=T
zhO)o!WwYIf35Ti>C8n|VzHBR5nRN_q&$>`><0Bzqtevk+n3yzD>6g2twKKP)tY*tw
zTbQ$(V{5VW&_U;l{xBwr6f(^&dTSvVtSoyiGBw;ytdcFEYNlNnx3hC8hyw(|Qi1P*
zibq$Zk@uKrP)`}5wpwDkiBJV+S*EF6I|p}bA_c*GyYsD}tZq($hZcSn8EdzSwd;)z
zC!r}%FoIHk(8E(r9WW9KZ=8>}?FfjXbl5Ie_mvX(P+5TGC}2+MLQU0JVF;ZcF=B}^
zG~*X_fqz)-6t>qo&^~N2X4XFDJ8py`zP6;G?E*WHjTsvpxytoBfSTN(ZELMuW!fif
zTjwATt;VNRtdrmcN9p_Oz_tTfLF)0x9L}MXS)a#4jFRqT`pD0V{10s8GK8jqP3iro
z^Rq@xF&TxHgc2AAMs(972HC<WHT`Nz8PB_a%9}^q5M2bn#D3_XNSe?FwT}SLu>M|+
z(U@r(8j3~0kW~f^AIT<sv(!Gkt%2yk?uzZqjn<jTebnF0)ZdEk1;$+eMbjGX-$HJz
z({f!k#q+CF%dk_4U&C=}MWlPz<UI?B8!aY6?4vz0*jLYGJ8KCeb1mo^TV)c21~7y7
xPa?6aH9H1*X>50W@P72ZLFL)JI*T@cERb{Jp3U>oApJwbzApI}I2v=g<%j&K1b+Yk

literal 0
HcmV?d00001

diff --git a/fuzzing/header/corpus/header-9 b/fuzzing/header/corpus/header-9
new file mode 100644
index 000000000..dfaa9ab8f
--- /dev/null
+++ b/fuzzing/header/corpus/header-9
@@ -0,0 +1 @@
+E@ð1tQí£�ÿ‡
\ No newline at end of file
diff --git a/fuzzing/header/corpus/vnp-0 b/fuzzing/header/corpus/vnp-0
new file mode 100644
index 0000000000000000000000000000000000000000..a34a522c62b87b6c08c2f9f2c07e0469f1b4a30c
GIT binary patch
literal 46
zcmY$o!T<yue8*hpT9(ch;|jg(t#VZMjNOWqr>8Q-cjb87Dqnwper5PGv8bq7zW{(w
B6NUf)

literal 0
HcmV?d00001

diff --git a/fuzzing/header/corpus/vnp-1 b/fuzzing/header/corpus/vnp-1
new file mode 100644
index 0000000000000000000000000000000000000000..472eb346084eda8a13408c617b022b0e152aa4f0
GIT binary patch
literal 27
icmeBs%K!vi3@eVVW@DapTxTKc#GLQ^T&q^issaFj0SZq5

literal 0
HcmV?d00001

diff --git a/fuzzing/header/corpus/vnp-2 b/fuzzing/header/corpus/vnp-2
new file mode 100644
index 0000000000000000000000000000000000000000..c829a42174f203d4e81e8d69f9ba2d286a5c1d5b
GIT binary patch
literal 434
zcmV;j0Zsm(^8f$<00a6OI1_{%%m9`4V^S~ClT7mik~3|NcZFYSNA7?nJxP|5IAo26
zRQy%uun=~Na`*hTOik$@!ik@96&_~{;l9t(k>i&NWZuElP_sj$VJ;bN8c~Rh-W}kA
zZSJJO=xl3KrV9*>huKxJ-uPX?oOg`0e|)b+m{ZGh&)yFdJrOq3Q~yg`ApCG4f9Gf&
zYuw8p8+0SQRV@Vw8aHh9yI8x*Vo_!%8K*tW;X?;@(lP3`JVHejLrNwn6aO+Mn!80f
z+`5XIN<^!lNZW#Qeb#fi*9XBcq>S<a_+%5;U*e~7gR7-`!vqVPsNIgPyg=9&F?9aO
zmT^!#Z~@C(R?DvnX-2-tG5W@DSKh2tpDIEHh;IWGNijx6+l5HyV&*5h;Ma}&TcEs4
zWVF9kz(xpqjQ|4iH)guj(a;r<dt)B2c6K)VxXaNJBGM{p>5FXuKP$Zn>6kQJD*04u
zals|7xS^z8VkPDKfZdgN?IfyC0W)P~{K4<R4nv~il@C*7M-_d{qSH>GXKtWczE-r0
c1?wkuI|Y^rpY9hSO5jjQ{jD?SV3cw7@LQ76WB>pF

literal 0
HcmV?d00001

diff --git a/fuzzing/header/corpus/vnp-3 b/fuzzing/header/corpus/vnp-3
new file mode 100644
index 0000000000000000000000000000000000000000..e89bd6e9c314cf68d1fb71ce1c1e2c746eb46f5e
GIT binary patch
literal 95
zcmV-l0HFU7`v3p{00RzCvjA-01mO~<^LB13u^bHi`V<NZ8XB9fVu$;BD<71b_y!ft
zlu_##P<Ro4#ws`CqSqk{WrECo^mFQVtTVdF@k1#)6GG(4;%39HOd4VDo2}3jc^or&
BDn<YR

literal 0
HcmV?d00001

diff --git a/fuzzing/header/corpus/vnp-4 b/fuzzing/header/corpus/vnp-4
new file mode 100644
index 0000000000000000000000000000000000000000..339076bff0be27471dfdd2d0f480cd5bce7ef62c
GIT binary patch
literal 42
wcmb<;&j12kJ9!hQ)v`W&6Qs1PxV63P@cQEmx%Z@LzFt3_DP~vft*BF80AvOdumAu6

literal 0
HcmV?d00001

diff --git a/fuzzing/header/fuzz.go b/fuzzing/header/fuzz.go
new file mode 100644
index 000000000..7ce2d63c8
--- /dev/null
+++ b/fuzzing/header/fuzz.go
@@ -0,0 +1,64 @@
+// +build gofuzz
+
+package header
+
+import (
+	"bytes"
+	"fmt"
+
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+	"github.com/lucas-clemente/quic-go/internal/wire"
+)
+
+const version = protocol.VersionTLS
+
+func Fuzz(data []byte) int {
+	if len(data) < 1 {
+		return 0
+	}
+	connIDLen := int(data[0] % 21)
+	data = data[1:]
+
+	isVNP := wire.IsVersionNegotiationPacket(data)
+	connID, err := wire.ParseConnectionID(data, connIDLen)
+	if err != nil {
+		return 0
+	}
+	hdr, _, _, err := wire.ParsePacket(data, connIDLen)
+	if err != nil {
+		return 0
+	}
+	if !hdr.DestConnectionID.Equal(connID) {
+		panic(fmt.Sprintf("Expected connection IDs to match: %s vs %s", hdr.DestConnectionID, connID))
+	}
+
+	var extHdr *wire.ExtendedHeader
+	// Parse the extended header, if this is not a Retry packet.
+	if hdr.Type == protocol.PacketTypeRetry {
+		extHdr = &wire.ExtendedHeader{Header: *hdr}
+	} else {
+		var err error
+		extHdr, err = hdr.ParseExtended(bytes.NewReader(data), version)
+		if err != nil {
+			return 0
+		}
+	}
+	b := &bytes.Buffer{}
+	if err := extHdr.Write(b, version); err != nil {
+		// We are able to parse packets with connection IDs longer than 20 bytes,
+		// but in QUIC version 1, we don't write headers with longer connection IDs.
+		if hdr.DestConnectionID.Len() <= protocol.MaxConnIDLen &&
+			hdr.SrcConnectionID.Len() <= protocol.MaxConnIDLen &&
+			hdr.OrigDestConnectionID.Len() <= protocol.MaxConnIDLen {
+			panic(err)
+		}
+		return 0
+	}
+	// GetLength is not implemented for Retry and Version Negotiation.
+	if !isVNP && hdr.Type != protocol.PacketTypeRetry {
+		if expLen := extHdr.GetLength(version); expLen != protocol.ByteCount(b.Len()) {
+			panic(fmt.Sprintf("inconsistent header length: %#v. Expected %d, got %d", extHdr, expLen, b.Len()))
+		}
+	}
+	return 0
+}
diff --git a/fuzzing/header/main.go b/fuzzing/header/main.go
new file mode 100644
index 000000000..41af5a000
--- /dev/null
+++ b/fuzzing/header/main.go
@@ -0,0 +1,181 @@
+// +build !gofuzz
+
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"math/rand"
+	"os"
+
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+	"github.com/lucas-clemente/quic-go/internal/wire"
+)
+
+const version = protocol.VersionTLS
+
+func getRandomData(l int) []byte {
+	b := make([]byte, l)
+	rand.Read(b)
+	return b
+}
+
+func getVNP(src, dest protocol.ConnectionID, numVersions int) []byte {
+	versions := make([]protocol.VersionNumber, numVersions)
+	for i := 0; i < numVersions; i++ {
+		versions[i] = protocol.VersionNumber(rand.Uint32())
+	}
+	data, err := wire.ComposeVersionNegotiation(src, dest, versions)
+	if err != nil {
+		panic(err)
+	}
+	return data
+}
+
+func main() {
+	rand.Seed(1337)
+
+	headers := []wire.Header{
+		wire.Header{ // Initial without token
+			IsLongHeader:     true,
+			SrcConnectionID:  protocol.ConnectionID(getRandomData(3)),
+			DestConnectionID: protocol.ConnectionID(getRandomData(8)),
+			Type:             protocol.PacketTypeInitial,
+			Length:           protocol.ByteCount(rand.Intn(1000)),
+			Version:          version,
+		},
+		wire.Header{ // Initial without token, with zero-length src conn id
+			IsLongHeader:     true,
+			DestConnectionID: protocol.ConnectionID(getRandomData(8)),
+			Type:             protocol.PacketTypeInitial,
+			Length:           protocol.ByteCount(rand.Intn(1000)),
+			Version:          version,
+		},
+		wire.Header{ // Initial with Token
+			IsLongHeader:     true,
+			SrcConnectionID:  protocol.ConnectionID(getRandomData(10)),
+			DestConnectionID: protocol.ConnectionID(getRandomData(19)),
+			Type:             protocol.PacketTypeInitial,
+			Length:           protocol.ByteCount(rand.Intn(1000)),
+			Version:          version,
+			Token:            getRandomData(25),
+		},
+		wire.Header{ // Handshake packet
+			IsLongHeader:     true,
+			SrcConnectionID:  protocol.ConnectionID(getRandomData(5)),
+			DestConnectionID: protocol.ConnectionID(getRandomData(10)),
+			Type:             protocol.PacketTypeHandshake,
+			Length:           protocol.ByteCount(rand.Intn(1000)),
+			Version:          version,
+		},
+		wire.Header{ // Handshake packet, with zero-length src conn id
+			IsLongHeader:     true,
+			DestConnectionID: protocol.ConnectionID(getRandomData(12)),
+			Type:             protocol.PacketTypeHandshake,
+			Length:           protocol.ByteCount(rand.Intn(1000)),
+			Version:          version,
+		},
+		wire.Header{ // 0-RTT packet
+			IsLongHeader:     true,
+			SrcConnectionID:  protocol.ConnectionID(getRandomData(8)),
+			DestConnectionID: protocol.ConnectionID(getRandomData(9)),
+			Type:             protocol.PacketType0RTT,
+			Length:           protocol.ByteCount(rand.Intn(1000)),
+			Version:          version,
+		},
+		wire.Header{ // Retry Packet
+			IsLongHeader:         true,
+			SrcConnectionID:      protocol.ConnectionID(getRandomData(8)),
+			DestConnectionID:     protocol.ConnectionID(getRandomData(9)),
+			OrigDestConnectionID: protocol.ConnectionID(getRandomData(10)),
+			Type:                 protocol.PacketTypeRetry,
+			Token:                getRandomData(10),
+			Version:              version,
+		},
+		wire.Header{ // Retry Packet, with empty orig dest conn id
+			IsLongHeader:     true,
+			SrcConnectionID:  protocol.ConnectionID(getRandomData(8)),
+			DestConnectionID: protocol.ConnectionID(getRandomData(9)),
+			Type:             protocol.PacketTypeRetry,
+			Token:            getRandomData(1000),
+			Version:          version,
+		},
+		wire.Header{ // Retry Packet, with zero-length dest conn id
+			IsLongHeader:         true,
+			SrcConnectionID:      protocol.ConnectionID(getRandomData(8)),
+			OrigDestConnectionID: protocol.ConnectionID(getRandomData(10)),
+			Type:                 protocol.PacketTypeRetry,
+			Token:                getRandomData(1000),
+			Version:              version,
+		},
+		wire.Header{ // Short-Header
+			DestConnectionID: protocol.ConnectionID(getRandomData(8)),
+		},
+	}
+
+	for i, h := range headers {
+		extHdr := &wire.ExtendedHeader{
+			Header:          h,
+			PacketNumberLen: protocol.PacketNumberLen(rand.Intn(4) + 1),
+			PacketNumber:    protocol.PacketNumber(rand.Uint64()),
+		}
+		b := &bytes.Buffer{}
+		if err := extHdr.Write(b, version); err != nil {
+			panic(err)
+		}
+		if h.Length > 0 {
+			b.Write(make([]byte, h.Length))
+		}
+
+		if err := writeCorpusFile(fmt.Sprintf("header-%d", i), b.Bytes()); err != nil {
+			panic(err)
+		}
+	}
+
+	vnps := [][]byte{
+		getVNP(
+			protocol.ConnectionID(getRandomData(8)),
+			protocol.ConnectionID(getRandomData(10)),
+			4,
+		),
+		getVNP(
+			protocol.ConnectionID(getRandomData(10)),
+			protocol.ConnectionID(getRandomData(5)),
+			0,
+		),
+		getVNP(
+			protocol.ConnectionID(getRandomData(3)),
+			protocol.ConnectionID(getRandomData(19)),
+			100,
+		),
+		getVNP(
+			protocol.ConnectionID(getRandomData(3)),
+			nil,
+			20,
+		),
+		getVNP(
+			nil,
+			protocol.ConnectionID(getRandomData(10)),
+			5,
+		),
+	}
+
+	for i, vnp := range vnps {
+		if err := writeCorpusFile(fmt.Sprintf("vnp-%d", i), vnp); err != nil {
+			panic(err)
+		}
+	}
+
+}
+
+func writeCorpusFile(name string, data []byte) error {
+	file, err := os.Create("corpus/" + name)
+	if err != nil {
+		return err
+	}
+	data = append(getRandomData(1), data...)
+	if _, err := file.Write(data); err != nil {
+		return err
+	}
+	return file.Close()
+}