From a1c4daa212e217c2c8584fad5af2b8cb486f7bff Mon Sep 17 00:00:00 2001 
From: Marten Seemann Date: Tue, 25 Aug 2020 13:16:03 +0700 Subject: [PATCH] use fuzzing helper functions to generate transport parameter seed corpus --- .../internal/helper/{export.go => helper.go} | 8 ++++ .../helper/{export_test.go => helper_test.go} | 12 ++++++ fuzzing/transportparameters/cmd/corpus.go | 35 ++++++++---------- fuzzing/transportparameters/corpus/tp0 | Bin 180 -> 0 bytes fuzzing/transportparameters/corpus/tp1 | Bin 217 -> 0 bytes fuzzing/transportparameters/corpus/tp10 | Bin 69 -> 0 bytes fuzzing/transportparameters/corpus/tp11 | Bin 82 -> 0 bytes fuzzing/transportparameters/corpus/tp12 | Bin 152 -> 0 bytes fuzzing/transportparameters/corpus/tp13 | Bin 98 -> 0 bytes fuzzing/transportparameters/corpus/tp14 | Bin 54 -> 0 bytes fuzzing/transportparameters/corpus/tp15 | Bin 93 -> 0 bytes fuzzing/transportparameters/corpus/tp16 | Bin 127 -> 0 bytes fuzzing/transportparameters/corpus/tp17 | Bin 78 -> 0 bytes fuzzing/transportparameters/corpus/tp18 | Bin 73 -> 0 bytes fuzzing/transportparameters/corpus/tp19 | Bin 94 -> 0 bytes fuzzing/transportparameters/corpus/tp2 | Bin 77 -> 0 bytes fuzzing/transportparameters/corpus/tp3 | Bin 204 -> 0 bytes fuzzing/transportparameters/corpus/tp4 | Bin 82 -> 0 bytes fuzzing/transportparameters/corpus/tp5 | Bin 136 -> 0 bytes fuzzing/transportparameters/corpus/tp6 | Bin 76 -> 0 bytes fuzzing/transportparameters/corpus/tp7 | Bin 82 -> 0 bytes fuzzing/transportparameters/corpus/tp8 | Bin 111 -> 0 bytes fuzzing/transportparameters/corpus/tp9 | Bin 174 -> 0 bytes fuzzing/transportparameters/fuzz.go | 20 ++++++---- 24 files changed, 48 insertions(+), 27 deletions(-) rename fuzzing/internal/helper/{export.go => helper.go} (83%) rename fuzzing/internal/helper/{export_test.go => helper_test.go} (82%) delete mode 100644 fuzzing/transportparameters/corpus/tp0 delete mode 100644 fuzzing/transportparameters/corpus/tp1 delete mode 100644 fuzzing/transportparameters/corpus/tp10 delete mode 100644 
fuzzing/transportparameters/corpus/tp11 delete mode 100644 fuzzing/transportparameters/corpus/tp12 delete mode 100644 fuzzing/transportparameters/corpus/tp13 delete mode 100644 fuzzing/transportparameters/corpus/tp14 delete mode 100644 fuzzing/transportparameters/corpus/tp15 delete mode 100644 fuzzing/transportparameters/corpus/tp16 delete mode 100644 fuzzing/transportparameters/corpus/tp17 delete mode 100644 fuzzing/transportparameters/corpus/tp18 delete mode 100644 fuzzing/transportparameters/corpus/tp19 delete mode 100644 fuzzing/transportparameters/corpus/tp2 delete mode 100644 fuzzing/transportparameters/corpus/tp3 delete mode 100644 fuzzing/transportparameters/corpus/tp4 delete mode 100644 fuzzing/transportparameters/corpus/tp5 delete mode 100644 fuzzing/transportparameters/corpus/tp6 delete mode 100644 fuzzing/transportparameters/corpus/tp7 delete mode 100644 fuzzing/transportparameters/corpus/tp8 delete mode 100644 fuzzing/transportparameters/corpus/tp9 diff --git a/fuzzing/internal/helper/export.go b/fuzzing/internal/helper/helper.go similarity index 83% rename from fuzzing/internal/helper/export.go rename to fuzzing/internal/helper/helper.go index db55fb9d..1513c3fa 100644 --- a/fuzzing/internal/helper/export.go +++ b/fuzzing/internal/helper/helper.go @@ -8,6 +8,14 @@ import ( "path/filepath" ) +// NthBit gets the n-th bit of a byte (counting starts at 0). +func NthBit(val uint8, n int) bool { + if n < 0 || n > 7 { + panic("invalid value for n") + } + return val>>n&0x1 == 1 +} + // WriteCorpusFile writes data to a corpus file in directory path. // The filename is calculated from the SHA1 sum of the file contents. func WriteCorpusFile(path string, data []byte) error { diff --git a/fuzzing/internal/helper/export_test.go b/fuzzing/internal/helper/helper_test.go similarity index 82% rename from fuzzing/internal/helper/export_test.go rename to fuzzing/internal/helper/helper_test.go index 3f6adc48..6bee7d91 100644 --- a/fuzzing/internal/helper/export_test.go 
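Review bot: The doc comment on `NthBit` does not say that the function panics when n is outside 0–7, which matters in a fuzzing helper because a panic here is reported as a crash of the target. Add a second comment line such as `// It panics if n is not in the range 0 to 7.` The callers visible in this patch pass only the constants 0 and 1, so this is documentation for future callers rather than a defect today.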
+++ b/fuzzing/internal/helper/helper_test.go @@ -57,4 +57,16 @@ var _ = Describe("exporting", func() { Expect(WriteCorpusFile(subdir, []byte("lorem ipsum"))).To(Succeed()) Expect(subdir).To(BeADirectory()) }) + + It("gets the nth bit of a byte", func() { + const val = 0b10010001 + Expect(NthBit(val, 0)).To(BeTrue()) + Expect(NthBit(val, 1)).To(BeFalse()) + Expect(NthBit(val, 2)).To(BeFalse()) + Expect(NthBit(val, 3)).To(BeFalse()) + Expect(NthBit(val, 4)).To(BeTrue()) + Expect(NthBit(val, 5)).To(BeFalse()) + Expect(NthBit(val, 6)).To(BeFalse()) + Expect(NthBit(val, 7)).To(BeTrue()) + }) }) diff --git a/fuzzing/transportparameters/cmd/corpus.go b/fuzzing/transportparameters/cmd/corpus.go index c9105aef..8c88a6a8 100644 --- a/fuzzing/transportparameters/cmd/corpus.go +++ b/fuzzing/transportparameters/cmd/corpus.go @@ -1,14 +1,15 @@ package main import ( - "fmt" + "bytes" "log" "math" "math/rand" "net" - "os" "time" + "github.com/lucas-clemente/quic-go/fuzzing/internal/helper" + "github.com/lucas-clemente/quic-go/fuzzing/transportparameters" "github.com/lucas-clemente/quic-go/internal/protocol" "github.com/lucas-clemente/quic-go/internal/wire" @@ -26,8 +27,7 @@ func getRandomValue() uint64 { } func main() { - rand.Seed(1337) - for i := 0; i < 20; i++ { + for i := 0; i < 30; i++ { tp := &wire.TransportParameters{ InitialMaxStreamDataBidiLocal: protocol.ByteCount(getRandomValue()), InitialMaxStreamDataBidiRemote: protocol.ByteCount(getRandomValue()), 
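Review bot: With `rand.Seed(1337)` removed from `main`, the seed corpus depends on the default seeding of math/rand, which is fixed in Go releases before 1.20 and random from 1.20 on. If nothing outside this hunk seeds the generator, newer toolchains will emit a different set of inputs on every `go generate`. Since the helper's `WriteCorpusFile` names files by content hash (and `WriteCorpusFileWithPrefix` presumably does the same), repeated runs would keep adding files. Either keep an explicit seed or state the intent in `main` with a comment such as `// intentionally unseeded: every run produces a fresh seed corpus`. The body of `main` continues outside the hunk.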
@@ -69,24 +69,21 @@ func main() { StatelessResetToken: token, } } - pers := protocol.PerspectiveServer + + var data []byte if rand.Int()%2 == 0 { - pers = protocol.PerspectiveClient + pers := protocol.PerspectiveServer + if rand.Int()%2 == 0 { + pers = protocol.PerspectiveClient + } + data = tp.Marshal(pers) + } else { + b := &bytes.Buffer{} + tp.MarshalForSessionTicket(b) + data = b.Bytes() } - if err := writeCorpusFile(fmt.Sprintf("tp%d", i), tp.Marshal(pers)); err != nil { + if err := helper.WriteCorpusFileWithPrefix("corpus", data, transportparameters.PrefixLen); err != nil { log.Fatal(err) } } } - -func writeCorpusFile(name string, data []byte) error { - file, err := os.Create("corpus/" + name) - if err != nil { - return err - } - data = append(getRandomData(2), data...) - if _, err := file.Write(data); err != nil { - return err - } - return file.Close() -} diff --git a/fuzzing/transportparameters/corpus/tp0 b/fuzzing/transportparameters/corpus/tp0 deleted file mode 100644 index d3c244484ee2e42b3fe48e669f3fc2fdb020d666..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 180 zcmV;l089U%)JDV#71lg}4Xu5oNfreJx_rD}1_=7>4NE_b@`MKg4+I3cnHtdu2ZAf~eXwA0)0RRI6MXU=5zyJgM{7Y(u3IP)U6bZYbMIlv@a|Y7{M<93} zwa}Os1PwRn=)SMF8>CgdG$eXK0kLB3*#lURt3VwNdxLc=9^1Nwz4LM0HmJ{PJo{ce iDR-X?g}wx1O&$&b1`hxb4ydm2sIuq*-SEIH2g5Wek4DJ= diff --git a/fuzzing/transportparameters/corpus/tp1 b/fuzzing/transportparameters/corpus/tp1 deleted file mode 100644 index be6b122fa3f369984fb152fb322ad2fd081fe9f6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 217 zcmV;~04D!FnnBGC?tMc7Y5%gQN206D#{~%Ql^@ldJsFk;0$LRZ1f~_U$^-&`9S8vn z2?VBY-jq?G+#((E4_oe*$&j>xeP4YLCm4ZlcOu0=-1J3xke@g5ANc8|?83v* TZb$$L_wzI@9oR%;vJ}uH&RJfG 
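Review bot: The control prefix written in front of each seed cannot match the encoding chosen here, because `helper.WriteCorpusFileWithPrefix("corpus", data, transportparameters.PrefixLen)` receives only the payload and a length, not the session-ticket/perspective choice made just above. `Fuzz` in fuzz.go dispatches on bit 0 (session ticket) and bit 1 (perspective) of the first byte, so a seed produced by `MarshalForSessionTicket` can be routed to `fuzzTransportParameters` and the reverse. Such seeds are rejected early and add little coverage. Building the prefix byte in `main` and writing through `helper.WriteCorpusFile` keeps generator and harness in step. The sketch below assumes a one-byte prefix and that the perspective given to `Unmarshal` is the one used for `Marshal`, which should be confirmed against the wire package. The body of `main` starts outside the hunk.

```go
var data []byte
prefix := byte(0) // bit 0: session ticket; bit 1: server perspective (must mirror Fuzz)
if rand.Int()%2 == 0 {
	// … unchanged: choose pers …
	if pers == protocol.PerspectiveServer {
		prefix |= 1 << 1
	}
	data = tp.Marshal(pers)
} else {
	prefix |= 1 << 0
	// … unchanged: MarshalForSessionTicket into data …
}
if err := helper.WriteCorpusFile("corpus", append([]byte{prefix}, data...)); err != nil {
```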
diff --git a/fuzzing/transportparameters/corpus/tp10 b/fuzzing/transportparameters/corpus/tp10 deleted file mode 100644 index 9a8d202b9bcd64fb06f9d412522995d11cc31fcd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 69 zcmV-L0J{IhtVpy1Qb+{|`(fAPqytxT1_;#k*US755&s7Si`3`}1O$<2S~Lg(V&NL zH7&jx009920|G^?3jqKM0SycQ4gy&L4;#W$!z9kPi%T>*x*OTDTDF=%(7MvH_t!*B E_$Blrp#T5? diff --git a/fuzzing/transportparameters/corpus/tp14 b/fuzzing/transportparameters/corpus/tp14 deleted file mode 100644 index a9693444bc27ef0d90e309aaf53a2c942c7f9e8b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 54 zcmZoV<($CS#>!Oh!N$nV&eGhtubqXd?j;9PfiNedJR>6mGn4BYZbk+!CWlTQ20oT< J9gD^M3;<=23uXWS diff --git a/fuzzing/transportparameters/corpus/tp15 b/fuzzing/transportparameters/corpus/tp15 deleted file mode 100644 index e4da18fc49e1e4a94d4dbd61b9a03b107006ed3f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 93 zcmV-j0HXh1I6>?WnbCB56Ux(k)5Rm3H?Wfh1fA6A%?1HI2LUJq0U8JbbhZfunv#!N z0RlqC0|G^?3jqKM0SN*Sm8n$F)RVEWkR*PbCfIwO00sf03A~`g4g{`w)&36vWcVU& diff --git a/fuzzing/transportparameters/corpus/tp16 b/fuzzing/transportparameters/corpus/tp16 deleted file mode 100644 index 164fa983816c60f00f53447123afd62c0a466a01..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 127 zcmV-_0D%9tyg?HTvEXt&+4vcAeB~xo1qi^4!`X^c2WbWf)b^sho6Xf42LU|<1c?Jd z-3SQbM$eL$0X<3y1iL3<`~e8S00DQKLw!^O0!6F~0zwxG0RRjD4gnz#B_}gnuDvQW hM*7BBB`~vM3-PKi0@;9$lgeB?{{$rLRGeXe^n62sFev~4 diff --git a/fuzzing/transportparameters/corpus/tp17 b/fuzzing/transportparameters/corpus/tp17 deleted file mode 100644 index 8a9a11649cbbe8905e69222796de5e85d4bbbaf9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 78 zcmY$q=VHlp)RvW{-91c;jVbCpJ4=g5c{U4^M+*m|04Gbs(lZf^90wSfyz+`S)H5@= huHgpq7!%F1y3@Fr947KG@NqnU{Y&%8mUEBz830sj7wZ53 
diff --git a/fuzzing/transportparameters/corpus/tp18 b/fuzzing/transportparameters/corpus/tp18 deleted file mode 100644 index ec202f0a3ad769da21512251511c09686a023eb7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 73 zcmV-P0Ji`9Wk(?ksaZH#PCF?#JXv)G1f{s??FIoA2Lfve1OiHE2n3n?*yjlZy_oOp%~2LT=g2;?RdPZ(Hj_Xq(W2>}=Z z0zmKs0!6F~0RRdDK++5V4g`=@YB~=YGVKf;bPx# diff --git a/fuzzing/transportparameters/corpus/tp2 b/fuzzing/transportparameters/corpus/tp2 deleted file mode 100644 index 0966dc257c58820f6b0d47a2e4b5d88b6c362897..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 77 zcmV-T0J8tiFH71ATvn&W8%3WVZDIuiO|1q9>hGER$rF`K2LfBj1PI2G4vFaaG6e_% jW#b6~Wqkn%zyJaEdD6J`0|G^?3jqKM0UHhibh{4#k9!*& diff --git a/fuzzing/transportparameters/corpus/tp3 b/fuzzing/transportparameters/corpus/tp3 deleted file mode 100644 index d93ffcefc822903765943a85046094bc2c2ccf93..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 204 zcmV;-05ktm(?^{SlK*lWsm4mb@#^?eG@k_l7zP4sMh66n8gdE*0$C>r2=d)qvI5&L zI|&4sz~v_a0z$6Yrg zkEny-_Bw(A#rYn1^PFfjZ7OI!@eMeitd~l4y6{{AGFD^0gD!uLecoq_$jmqoIf>mW z-r%FmPXfIsa*}XX&d0%fkV!n?S5o=A;5o()2=qmzW-IGgY7Yx4a775Ygygvw$P^F* GvWf_ZwpWh; diff --git a/fuzzing/transportparameters/corpus/tp4 b/fuzzing/transportparameters/corpus/tp4 deleted file mode 100644 index 6802692adbdf957a4eaa05bdaa7768056276a4a9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 82 zcmV-Y0ImP5Za|j{f$wV~1;Ko~^R1u-0)7Mr0#Qr{0XhT%L_Y`wl(PlU2?V@!yK0|G^?3jqKM0SyiUaNG|KfF-7}_P%T@S($YVZdTG73;+NC 
diff --git a/fuzzing/transportparameters/corpus/tp5 b/fuzzing/transportparameters/corpus/tp5 deleted file mode 100644 index 1091419e802ed26140f4375787bfb9ff5de4d6a6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 136 zcmV;30C)e08%rPr)ZdEk1qk^mp(hTF>$L_1o!NDs2LTxb0z_E|1fsNf&It(m;FGLW zr^c-T2*3aX0GE|jP6Gl(tP27}7zzSFY777X01g2f4<=55hiXb0&%1xhn@8IaT?D_x qe(0Y_n$QNdj{wiG{$7pIm}wds5D~nsf#|^QitWse)|ttD)Zfj88aUkm diff --git a/fuzzing/transportparameters/corpus/tp6 b/fuzzing/transportparameters/corpus/tp6 deleted file mode 100644 index 1b087fb9c3d185cd76afb0e83aef58149c879fce..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 76 zcmV-S0JHyD97NOu=@C~22-zCwEpsCYYX$_i4<@Sz2;#ii-T2=P<7LGPd(Y!3hs83$CsFmgB^s0W!Q R2CJ>*sTaqYG=h(4L--w4@W`KeSTjowLlf)zi`yW zy=&3&*4-5Yk~g0jRy#Ukn5v=pWUcn;SfPoXxNw4R91R9oj#w4RkueVn4g|5O{<9Am caNQH9F$BPZMOxTl9_*dElL00ElFtOoN$Gz?IsgCw diff --git a/fuzzing/transportparameters/fuzz.go b/fuzzing/transportparameters/fuzz.go index 18b20eea..0b352953 100644 --- a/fuzzing/transportparameters/fuzz.go +++ b/fuzzing/transportparameters/fuzz.go 
@@ -4,28 +4,32 @@ import ( "bytes" "fmt" + "github.com/lucas-clemente/quic-go/fuzzing/internal/helper" "github.com/lucas-clemente/quic-go/internal/protocol" "github.com/lucas-clemente/quic-go/internal/wire" ) +// PrefixLen is the number of bytes used for configuration +const PrefixLen = 1 + +// Fuzz fuzzes the QUIC transport parameters. //go:generate go run ./cmd/corpus.go func Fuzz(data []byte) int { - if len(data) <= 1 { + if len(data) <= PrefixLen { return 0 } - if data[0]%2 == 0 { - return fuzzTransportParametersForSessionTicket(data[1:]) + if helper.NthBit(data[0], 0) { + return fuzzTransportParametersForSessionTicket(data[PrefixLen:]) } - return fuzzTransportParameters(data[1:]) + return fuzzTransportParameters(data[PrefixLen:], helper.NthBit(data[0], 1)) } -func fuzzTransportParameters(data []byte) int { - perspective := protocol.PerspectiveServer - if data[0]%2 == 1 { +func fuzzTransportParameters(data []byte, isServer bool) int { + perspective := protocol.PerspectiveClient + if isServer { perspective = protocol.PerspectiveServer } - data = data[1:] tp := &wire.TransportParameters{} if err := tp.Unmarshal(data, perspective); err != nil {
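Review bot: The layout of the control byte is only implicit in the body of `Fuzz`: bit 0 selects the session-ticket decoder, bit 1 selects the server perspective, and bits 2–7 are ignored. Nothing on `PrefixLen` says so, although corpus generators have to build a matching prefix. Expand the comment to something like `// PrefixLen is the number of leading control bytes. Bit 0 of the first byte selects the session-ticket decoder, bit 1 the server perspective.` It would also help to note on `fuzzTransportParameters` that `isServer` is the perspective handed to `Unmarshal`. That function continues past the end of the hunk.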