From 2ea634cd6169d2e4fe10aa9683b25e3dae43e6b3 Mon Sep 17 00:00:00 2001 From: Tim Taubert Date: Sun, 17 Sep 2017 20:12:15 +0200 Subject: [PATCH] Bug 1400513 - u2f-hid-rs: fuzzers should use a deterministic cmd byte r=jcj --- .../3031b026f0eb80bc03d05be97b3cef550913a3d4 | Bin 0 -> 6 bytes .../3e28ec02ceb803efa105dc82fcfc9cb4014d7ced | Bin 64 -> 0 bytes .../60c1a897bef5145eb977461d13f789e1ddfa4a69 | Bin 512 -> 0 bytes .../7dc504e4505d6b4d3465aeb7bdf59702676a54cd | Bin 0 -> 142 bytes .../7f960b178bcf3adf082da7c632b4e1366ba22274 | Bin 512 -> 0 bytes .../a05810d808f44249ae8ecfeadc59e5d8f7e55fb8 | Bin 0 -> 267 bytes .../a22d2b1daa9483abc026fa2f75290aa51be59ca9 | Bin 226 -> 0 bytes .../62b74bc0ad2433f77a007b95eaf964ea719d21e2 | Bin 512 -> 0 bytes .../afcb12f9dddb1ed0bb06d6372e91b2707cd764d1 | Bin 0 -> 4 bytes fuzz/fuzz_targets/u2f_read.rs | 11 ++++++----- fuzz/fuzz_targets/u2f_read_write.rs | 13 +++++++------ 11 files changed, 13 insertions(+), 11 deletions(-) create mode 100644 fuzz/corpus/u2f_read/3031b026f0eb80bc03d05be97b3cef550913a3d4 delete mode 100644 fuzz/corpus/u2f_read/3e28ec02ceb803efa105dc82fcfc9cb4014d7ced delete mode 100644 fuzz/corpus/u2f_read/60c1a897bef5145eb977461d13f789e1ddfa4a69 create mode 100644 fuzz/corpus/u2f_read/7dc504e4505d6b4d3465aeb7bdf59702676a54cd delete mode 100644 fuzz/corpus/u2f_read/7f960b178bcf3adf082da7c632b4e1366ba22274 create mode 100644 fuzz/corpus/u2f_read/a05810d808f44249ae8ecfeadc59e5d8f7e55fb8 delete mode 100644 fuzz/corpus/u2f_read/a22d2b1daa9483abc026fa2f75290aa51be59ca9 delete mode 100644 fuzz/corpus/u2f_read_write/62b74bc0ad2433f77a007b95eaf964ea719d21e2 create mode 100644 fuzz/corpus/u2f_read_write/afcb12f9dddb1ed0bb06d6372e91b2707cd764d1 
diff --git a/fuzz/corpus/u2f_read/3031b026f0eb80bc03d05be97b3cef550913a3d4 b/fuzz/corpus/u2f_read/3031b026f0eb80bc03d05be97b3cef550913a3d4 new file mode 100644 index 0000000000000000000000000000000000000000..2dc3dd5fafa699e50ec3d593b12456fa7d148cf3 GIT binary patch literal 6 NcmZShumAu5e*g=&1S|jm literal 0 HcmV?d00001 diff --git a/fuzz/corpus/u2f_read/3e28ec02ceb803efa105dc82fcfc9cb4014d7ced b/fuzz/corpus/u2f_read/3e28ec02ceb803efa105dc82fcfc9cb4014d7ced deleted file mode 100644 index cfaf37c1a656f666fa294abe13638d0cd1e21feb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 64 jcmezW|Ns9s2EnX-k~?lQ&YQ`g&#;M!g^7)kfk*%VAU6q+ diff --git a/fuzz/corpus/u2f_read/60c1a897bef5145eb977461d13f789e1ddfa4a69 b/fuzz/corpus/u2f_read/60c1a897bef5145eb977461d13f789e1ddfa4a69 deleted file mode 100644 index 3655d50ce7e463cb5785cd3bb0bee699f572fdb7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 512 zcmZQzKmz}Ppp8K=YoFwf+l=#OGUzjGVq#%pV? osG`L1xIln`eEleP5NQndU?e?YQS1hBn9xN)4nh}0;^R~g06q6g+5i9m diff --git a/fuzz/corpus/u2f_read/7dc504e4505d6b4d3465aeb7bdf59702676a54cd b/fuzz/corpus/u2f_read/7dc504e4505d6b4d3465aeb7bdf59702676a54cd new file mode 100644 index 0000000000000000000000000000000000000000..0e9857320f51396c16d6385403b4c57755b85947 GIT binary patch literal 142 pcmezW9|9N<;5&i|XCaAgfD1A}_5MeQAXwH2CIfbbe8?&wYybnm8qfd$ literal 0 HcmV?d00001 diff --git a/fuzz/corpus/u2f_read/7f960b178bcf3adf082da7c632b4e1366ba22274 b/fuzz/corpus/u2f_read/7f960b178bcf3adf082da7c632b4e1366ba22274 deleted file mode 100644 index cc0fd3ff81cfa5a77ad67ddfd9cb3b296686408c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 512 zcmezW9|9O~0S;^uT-XFj5#s^@QZ#_nHlS)i(~n{zOb$jP>4aJhr63YW%8-~ynyAG@ Yu@$$WU`Jqc2~a;yUASd%YGGgi0PFz?=>Px# 
diff --git a/fuzz/corpus/u2f_read/a05810d808f44249ae8ecfeadc59e5d8f7e55fb8 b/fuzz/corpus/u2f_read/a05810d808f44249ae8ecfeadc59e5d8f7e55fb8 new file mode 100644 index 0000000000000000000000000000000000000000..e1208a43bfe1e5302dac9815826ff8169c788434 GIT binary patch literal 267 ucmezW9|#x*5}?}u9g9{gVFLhi>Kf1h literal 0 HcmV?d00001 diff --git a/fuzz/corpus/u2f_read/a22d2b1daa9483abc026fa2f75290aa51be59ca9 b/fuzz/corpus/u2f_read/a22d2b1daa9483abc026fa2f75290aa51be59ca9 deleted file mode 100644 index 57883a2b45edc9aaaefe2f1431d92b74b19a3a5e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 226 ocmezW|NnmmVgXPs0$|mIkjBQsss${FO*KLcyFQpac3HS60Nf5#tN;K2 diff --git a/fuzz/corpus/u2f_read_write/62b74bc0ad2433f77a007b95eaf964ea719d21e2 b/fuzz/corpus/u2f_read_write/62b74bc0ad2433f77a007b95eaf964ea719d21e2 deleted file mode 100644 index e1f9493e6dc1681e137e3e5be835c51187566fb6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 512 zcmZS3XV}cp%n{0<&#PVHBM1c(vBu$XE{YKlx1&b}iW2-B0D?gzlmGw# diff --git a/fuzz/corpus/u2f_read_write/afcb12f9dddb1ed0bb06d6372e91b2707cd764d1 b/fuzz/corpus/u2f_read_write/afcb12f9dddb1ed0bb06d6372e91b2707cd764d1 new file mode 100644 index 0000000000000000000000000000000000000000..d94081595e21020444d0b7a23ee3268c7b170b8e GIT binary patch literal 4 LcmZS3XJ7yT0FeMN literal 0 HcmV?d00001 diff --git a/fuzz/fuzz_targets/u2f_read.rs b/fuzz/fuzz_targets/u2f_read.rs index 8953962..e290caa 100644 --- a/fuzz/fuzz_targets/u2f_read.rs +++ b/fuzz/fuzz_targets/u2f_read.rs @@ -4,10 +4,8 @@ #![no_main] #[macro_use] extern crate libfuzzer_sys; -extern crate rand; extern crate u2fhid; -use rand::{thread_rng, Rng}; use std::{cmp, io}; use u2fhid::{CID_BROADCAST, HID_RPT_SIZE}; 
@@ -59,7 +57,10 @@ impl<'a> U2FDevice for TestDevice<'a> {
 }
 fuzz_target!(|data: &[u8]| {
- let mut dev = TestDevice::new(data);
- let cmd = thread_rng().gen::();
- let _ = sendrecv(&mut dev, cmd, data);
+ if data.len() > 0 {
+ let cmd = data[0];
+ let data = &data[1..];
+ let mut dev = TestDevice::new(data);
+ let _ = sendrecv(&mut dev, cmd, data);
+ }
 });
diff --git a/fuzz/fuzz_targets/u2f_read_write.rs b/fuzz/fuzz_targets/u2f_read_write.rs
index 86a802e..4de97f7 100644
--- a/fuzz/fuzz_targets/u2f_read_write.rs
+++ b/fuzz/fuzz_targets/u2f_read_write.rs
@@ -4,10 +4,8 @@
 #![no_main]
 #[macro_use]
 extern crate libfuzzer_sys;
-extern crate rand;
 extern crate u2fhid;
-use rand::{thread_rng, Rng};
 use std::{cmp, io};
 use u2fhid::{CID_BROADCAST, HID_RPT_SIZE};
@@ -60,8 +58,11 @@ impl U2FDevice for TestDevice {
 }
 fuzz_target!(|data: &[u8]| {
- let mut dev = TestDevice::new();
- let cmd = thread_rng().gen::();
- let res = sendrecv(&mut dev, cmd, data);
- assert_eq!(data, &res.unwrap()[..]);
+ if data.len() > 0 {
+ let cmd = data[0];
+ let data = &data[1..];
+ let mut dev = TestDevice::new();
+ let res = sendrecv(&mut dev, cmd, data);
+ assert_eq!(data, &res.unwrap()[..]);
+ }
 });
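Review bot: The new body of the u2f_read.rs `fuzz_target!` splits the input with a length test followed by two index operations (`data.len() > 0`, `data[0]`, `&data[1..]`), where `if let Some((&cmd, data)) = data.split_first() {` expresses the same layout in one line and leaves no indexing for a reader to check against the guard. The same three lines appear in the u2f_read_write.rs `fuzz_target!` hunk and could be changed the same way. A short comment above the split, for example `// byte 0 selects the command; the remaining bytes are the payload`, would also record the input format for anyone adding seeds under fuzz/corpus, since this commit changes how every corpus file is interpreted.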
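Review bot: `res.unwrap()` inside the `assert_eq!` of the u2f_read_write.rs target turns any `Err` from `sendrecv` into a panic that libFuzzer records as a crash, which in triage looks the same as a real round-trip mismatch. With `cmd` now taken from the input, any command byte or payload length that `sendrecv` rejects becomes a reproducible finding; `sendrecv` and `TestDevice` are defined outside this hunk, so whether such inputs exist cannot be confirmed from here. If errors are legitimate for some inputs, `if let Ok(out) = res { assert_eq!(data, &out[..]); }` keeps the round-trip check without reporting them; if they are not, `res.expect("sendrecv returned Err")` at least labels the failure in the crash log.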