From a7fceda68bb62fe3d9060fcf52e33b2f64a2acf9 Mon Sep 17 00:00:00 2001
From: dergoegge <n.goeggi@gmail.com>
Date: Fri, 31 May 2024 12:49:13 +0100
Subject: [fuzz] Make peeking through FuzzedSock::Recv fuzzer friendly

FuzzedSock only supports peeking at one byte at a time, which is not
fuzzer friendly when trying to receive long data.

Fix this by supporting peek data of arbitrary length instead of only one
byte.
---
 src/test/fuzz/util/net.cpp | 14 +++++++++-----
 src/test/fuzz/util/net.h   |  2 +-
 2 files changed, 10 insertions(+), 6 deletions(-)

(limited to 'src')

diff --git a/src/test/fuzz/util/net.cpp b/src/test/fuzz/util/net.cpp
index 167795e423..cbf549276c 100644
--- a/src/test/fuzz/util/net.cpp
+++ b/src/test/fuzz/util/net.cpp
@@ -193,16 +193,16 @@ ssize_t FuzzedSock::Recv(void* buf, size_t len, int flags) const
     bool pad_to_len_bytes{m_fuzzed_data_provider.ConsumeBool()};
     if (m_peek_data.has_value()) {
         // `MSG_PEEK` was used in the preceding `Recv()` call, return `m_peek_data`.
-        random_bytes.assign({m_peek_data.value()});
+        random_bytes = m_peek_data.value();
         if ((flags & MSG_PEEK) == 0) {
             m_peek_data.reset();
         }
         pad_to_len_bytes = false;
     } else if ((flags & MSG_PEEK) != 0) {
         // New call with `MSG_PEEK`.
-        random_bytes = m_fuzzed_data_provider.ConsumeBytes<uint8_t>(1);
+        random_bytes = ConsumeRandomLengthByteVector(m_fuzzed_data_provider, len);
         if (!random_bytes.empty()) {
-            m_peek_data = random_bytes[0];
+            m_peek_data = random_bytes;
             pad_to_len_bytes = false;
         }
     } else {
@@ -215,7 +215,11 @@ ssize_t FuzzedSock::Recv(void* buf, size_t len, int flags) const
         }
         return r;
     }
-    std::memcpy(buf, random_bytes.data(), random_bytes.size());
+    // `random_bytes` might exceed the size of `buf` if e.g. Recv is called with
+    // len=N and MSG_PEEK first and afterwards called with len=M (M < N) and
+    // without MSG_PEEK.
+    size_t recv_len{std::min(random_bytes.size(), len)};
+    std::memcpy(buf, random_bytes.data(), recv_len);
     if (pad_to_len_bytes) {
         if (len > random_bytes.size()) {
             std::memset((char*)buf + random_bytes.size(), 0, len - random_bytes.size());
@@ -225,7 +229,7 @@ ssize_t FuzzedSock::Recv(void* buf, size_t len, int flags) const
     if (m_fuzzed_data_provider.ConsumeBool() && std::getenv("FUZZED_SOCKET_FAKE_LATENCY") != nullptr) {
         std::this_thread::sleep_for(std::chrono::milliseconds{2});
     }
-    return random_bytes.size();
+    return recv_len;
 }
 
 int FuzzedSock::Connect(const sockaddr*, socklen_t) const
diff --git a/src/test/fuzz/util/net.h b/src/test/fuzz/util/net.h
index a6c9e23f2e..ed02680676 100644
--- a/src/test/fuzz/util/net.h
+++ b/src/test/fuzz/util/net.h
@@ -43,7 +43,7 @@ class FuzzedSock : public Sock
      * If `MSG_PEEK` is used, then our `Recv()` returns some random data as usual, but on the next
      * `Recv()` call we must return the same data, thus we remember it here.
      */
-    mutable std::optional<uint8_t> m_peek_data;
+    mutable std::optional<std::vector<uint8_t>> m_peek_data;
 
     /**
      * Whether to pretend that the socket is select(2)-able. This is randomly set in the
-- 
cgit v1.2.3