winafl icon indicating copy to clipboard operation
winafl copied to clipboard

Published 20 hours ago verified publisher icon googleprojectzero

network mode: custom_net_fuzzer.dll sendto() failed with error code 10040

Open hihijskim opened this issue 2 years ago • 2 comments

Hello Winafl team, I'm currently testing network mode with testing binary test_netmode.exe which is provided by winafl. It seems like it is working but I faced an error during testing. It stops after 16-18 mins after start with ASSERT FAILURE in winafl.c. But the error occurs inside the custom_net_fuzzer.dll with error code 10040 (WSAEMSGSIZE). What should I do to solve the problem?

The program has executed with following commands which is written inside the source code(test_netmode.cpp) afl-fuzz.exe -l custom_net_fuzzer.dll -i C:\host\in -o C:\host\test_netmode -D C:\dynamorio\DynamoRIO-Windows-8.0.18803\bin32 -t 20000+ -- -target_module test_netmode.exe -target_method ?recv_func@@YAXH@Z -coverage_module test_netmode.exe -fuzz_iterations 5000 -nargs 1 -- test_netmode.exe

The message and screen shot follows below.

[-] PROGRAM ABORT : sendto() failed with error code : 10040
         Location :  send_data_udp(), C:\host\winafl\custom_net_fuzzer.c:104

image

Thank you very much.

hihijskim avatar Mar 29 '22 01:03 hihijskim

It seems you are hitting WSAEMSGSIZE. From the message description

Message too long.
A message sent on a datagram socket was larger than the internal message buffer or some other network limit, or the buffer used to receive a datagram was smaller than the datagram itself

You can try adding the following line at https://github.com/googleprojectzero/winafl/blob/b291220d5f5fcd7c98e62927fbf104d911710fdf/custom_net_fuzzer.c#L84 ?

if(buf_len > 65507) buf_len = 65507;

ifratric avatar Mar 29 '22 10:03 ifratric

Thank you @ifratric

Since the buf_len is const, I have added the line in dll_run.(https://github.com/googleprojectzero/winafl/blob/b291220d5f5fcd7c98e62927fbf104d911710fdf/custom_net_fuzzer.c#L110)

...
CUSTOM_SERVER_API int APIENTRY dll_run(char *data, long size, int fuzz_iterations) {
    if (size > 65507) size = 65507;

    if (is_TCP)
        send_data_tcp(data, size, fuzz_iterations);
    else
        send_data_udp(data, size, fuzz_iterations);
    return 1;
}
...

After the patch, it seems like the winafl runs stable for about an hour and seems the problem is fixed.

Thank you very much.

hihijskim avatar Mar 30 '22 02:03 hihijskim