[thirdparty/xfsprogs-dev.git] / db / fuzz.c

// SPDX-License-Identifier: GPL-2.0
/*
 * Copyright (c) 2000-2002,2005 Silicon Graphics, Inc.
 * All Rights Reserved.
 */

#include "libxfs.h"
#include <ctype.h>
#include <time.h>
#include "bit.h"
#include "block.h"
#include "command.h"
#include "type.h"
#include "faddr.h"
#include "fprint.h"
#include "field.h"
#include "flist.h"
#include "io.h"
#include "init.h"
#include "output.h"
#include "print.h"
#include "write.h"
#include "malloc.h"
#include "fuzz.h"

static int	fuzz_f(int argc, char **argv);
static void     fuzz_help(void);

static const cmdinfo_t	fuzz_cmd =
	{ "fuzz", NULL, fuzz_f, 0, -1, 0, N_("[-c] [-d] field fuzzcmd..."),
	  N_("fuzz values on disk"), fuzz_help };

void
fuzz_init(void)
{
	if (!expert_mode)
		return;

	add_command(&fuzz_cmd);
	srand48(clock());
}

static void
fuzz_help(void)
{
	dbprintf(_(
"\n"
" The 'fuzz' command fuzzes fields in any on-disk data structure.  For\n"
" block fuzzing, see the 'blocktrash' or 'write' commands."
"\n"
" Examples:\n"
"  Struct mode: 'fuzz core.uid zeroes'    - set an inode uid field to 0.\n"
"               'fuzz crc ones'           - set a crc filed to all ones.\n"
"               'fuzz bno[11] firstbit'   - set the high bit of a block array.\n"
"               'fuzz keys[5].startblock add'    - increase a btree key value.\n"
"               'fuzz uuid random'        - randomize the superblock uuid.\n"
"\n"
" Type 'fuzz' by itself for a list of specific commands.\n\n"
" Specifying the -c option will allow writes of invalid (corrupt) data with\n"
" an invalid CRC. Specifying the -d option will allow writes of invalid data,\n"
" but still recalculate the CRC so we are forced to check and detect the\n"
" invalid data appropriately.\n\n"
));

}

static int
fuzz_f(
	int		argc,
	char		**argv)
{
	pfunc_t	pf;
	extern char *progname;
	int c;
	bool corrupt = false;	/* Allow write of bad data w/ invalid CRC */
	bool invalid_data = false; /* Allow write of bad data w/ valid CRC */
	struct xfs_buf_ops local_ops;
	const struct xfs_buf_ops *stashed_ops = NULL;

	if (x.flags & LIBXFS_ISREADONLY) {
		dbprintf(_("%s started in read only mode, fuzzing disabled\n"),
			progname);
		return 0;
	}

	if (cur_typ == NULL) {
		dbprintf(_("no current type\n"));
		return 0;
	}

	pf = cur_typ->pfunc;
	if (pf == NULL) {
		dbprintf(_("no handler function for type %s, fuzz unsupported.\n"),
			 cur_typ->name);
		return 0;
	}

	while ((c = getopt(argc, argv, "cd")) != EOF) {
		switch (c) {
		case 'c':
			corrupt = true;
			break;
		case 'd':
			invalid_data = true;
			break;
		default:
			dbprintf(_("bad option for fuzz command\n"));
			return 0;
		}
	}

	if (corrupt && invalid_data) {
		dbprintf(_("Cannot specify both -c and -d options\n"));
		return 0;
	}

	if (invalid_data &&
	    iocur_top->typ->crc_off == TYP_F_NO_CRC_OFF &&
	    xfs_has_crc(mp)) {
		dbprintf(_("Cannot recalculate CRCs on this type of object\n"));
		return 0;
	}

	argc -= optind;
	argv += optind;

	/*
	 * If the buffer has no verifier or we are using standard verifier
	 * paths, then just fuzz it and return
	 */
	if (!iocur_top->bp->b_ops ||
	    !(corrupt || invalid_data)) {
		(*pf)(DB_FUZZ, cur_typ->fields, argc, argv);
		return 0;
	}


	/* Temporarily remove write verifier to write bad data */
	stashed_ops = iocur_top->bp->b_ops;
	local_ops.verify_read = stashed_ops->verify_read;
	iocur_top->bp->b_ops = &local_ops;

	if (!xfs_has_crc(mp)) {
		local_ops.verify_write = xfs_dummy_verify;
	} else if (corrupt) {
		local_ops.verify_write = xfs_dummy_verify;
		dbprintf(_("Allowing fuzz of corrupted data and bad CRC\n"));
	} else if (iocur_top->typ->crc_off == TYP_F_CRC_FUNC) {
		local_ops.verify_write = iocur_top->typ->set_crc;
		dbprintf(_("Allowing fuzz of corrupted data with good CRC\n"));
	} else { /* invalid data */
		local_ops.verify_write = xfs_verify_recalc_crc;
		dbprintf(_("Allowing fuzz of corrupted data with good CRC\n"));
	}

	(*pf)(DB_FUZZ, cur_typ->fields, argc, argv);

	iocur_top->bp->b_ops = stashed_ops;

	return 0;
}

/* Write zeroes to the field */
static bool
fuzz_zeroes(
	void		*buf,
	int		bitoff,
	int		nbits)
{
	char		*out = buf;
	int		bit;

	if (bitoff % NBBY || nbits % NBBY) {
		for (bit = 0; bit < nbits; bit++)
			setbit_l(out, bit + bitoff, 0);
	} else
		memset(out + byteize(bitoff), 0, byteize(nbits));
	return true;
}

/* Write ones to the field */
static bool
fuzz_ones(
	void		*buf,
	int		bitoff,
	int		nbits)
{
	char		*out = buf;
	int		bit;

	if (bitoff % NBBY || nbits % NBBY) {
		for (bit = 0; bit < nbits; bit++)
			setbit_l(out, bit + bitoff, 1);
	} else
		memset(out + byteize(bitoff), 0xFF, byteize(nbits));
	return true;
}

/* Flip the high bit in the (presumably big-endian) field */
static bool
fuzz_firstbit(
	void		*buf,
	int		bitoff,
	int		nbits)
{
	setbit_l((char *)buf, bitoff, !getbit_l((char *)buf, bitoff));
	return true;
}

/* Flip the low bit in the (presumably big-endian) field */
static bool
fuzz_lastbit(
	void		*buf,
	int		bitoff,
	int		nbits)
{
	setbit_l((char *)buf, bitoff + nbits - 1,
			!getbit_l((char *)buf, bitoff + nbits - 1));
	return true;
}

/* Flip the middle bit in the (presumably big-endian) field */
static bool
fuzz_middlebit(
	void		*buf,
	int		bitoff,
	int		nbits)
{
	setbit_l((char *)buf, bitoff + nbits / 2,
			!getbit_l((char *)buf, bitoff + nbits / 2));
	return true;
}

/* Format and shift a number into a buffer for setbitval. */
static char *
format_number(
	uint64_t	val,
	__be64		*out,
	int		bit_length)
{
	int		offset;
	char		*rbuf = (char *)out;

	/*
	 * If the length of the field is not a multiple of a byte, push
	 * the bits up in the field, so the most signicant field bit is
	 * the most significant bit in the byte:
	 *
	 * before:
	 * val  |----|----|----|----|----|--MM|mmmm|llll|
	 * after
	 * val  |----|----|----|----|----|MMmm|mmll|ll00|
	 */
	offset = bit_length % NBBY;
	if (offset)
		val <<= (NBBY - offset);

	/*
	 * convert to big endian and copy into the array
	 * rbuf |----|----|----|----|----|MMmm|mmll|ll00|
	 */
	*out = cpu_to_be64(val);

	/*
	 * Align the array to point to the field in the array.
	 *  rbuf  = |MMmm|mmll|ll00|
	 */
	offset = sizeof(__be64) - 1 - ((bit_length - 1) / sizeof(__be64));
	return rbuf + offset;
}

/* Increase the value by some small prime number. */
static bool
fuzz_add(
	void		*buf,
	int		bitoff,
	int		nbits)
{
	uint64_t	val;
	__be64		out;
	char		*b;

	if (nbits > 64)
		return false;

	val = getbitval(buf, bitoff, nbits, BVUNSIGNED);
	val += (nbits > 8 ? 2017 : 137);
	b = format_number(val, &out, nbits);
	setbitval(buf, bitoff, nbits, b);

	return true;
}

/* Decrease the value by some small prime number. */
static bool
fuzz_sub(
	void		*buf,
	int		bitoff,
	int		nbits)
{
	uint64_t	val;
	__be64		out;
	char		*b;

	if (nbits > 64)
		return false;

	val = getbitval(buf, bitoff, nbits, BVUNSIGNED);
	val -= (nbits > 8 ? 2017 : 137);
	b = format_number(val, &out, nbits);
	setbitval(buf, bitoff, nbits, b);

	return true;
}

/* Randomize the field. */
static bool
fuzz_random(
	void		*buf,
	int		bitoff,
	int		nbits)
{
	int		i, bytes;
	char		*b, *rbuf;

	bytes = byteize_up(nbits);
	rbuf = b = malloc(bytes);
	if (!b) {
		perror("fuzz_random");
		return false;
	}

	for (i = 0; i < bytes; i++)
		*b++ = (char)lrand48();

	setbitval(buf, bitoff, nbits, rbuf);
	free(rbuf);

	return true;
}

struct fuzzcmd {
	const char	*verb;
	bool		(*fn)(void *buf, int bitoff, int nbits);
};

/* Keep these verbs in sync with enum fuzzcmds. */
static struct fuzzcmd fuzzverbs[] = {
	{"zeroes",		fuzz_zeroes},
	{"ones",		fuzz_ones},
	{"firstbit",		fuzz_firstbit},
	{"middlebit",		fuzz_middlebit},
	{"lastbit",		fuzz_lastbit},
	{"add",			fuzz_add},
	{"sub",			fuzz_sub},
	{"random",		fuzz_random},
	{NULL,			NULL},
};

/* ARGSUSED */
void
fuzz_struct(
	const field_t	*fields,
	int		argc,
	char		**argv)
{
	const ftattr_t	*fa;
	flist_t		*fl;
	flist_t		*sfl;
	int		bit_length;
	struct fuzzcmd	*fc;
	bool		success;
	int		parentoffset;

	if (argc != 2) {
		dbprintf(_("Usage: fuzz fieldname fuzzcmd\n"));
		dbprintf("Fuzz commands: %s", fuzzverbs->verb);
		for (fc = fuzzverbs + 1; fc->verb != NULL; fc++)
			dbprintf(", %s", fc->verb);
		dbprintf(".\n");
		return;
	}

	fl = flist_scan(argv[0]);
	if (!fl) {
		dbprintf(_("unable to parse '%s'.\n"), argv[0]);
		return;
	}

	/* Find our fuzz verb */
	for (fc = fuzzverbs; fc->verb != NULL; fc++)
		if (!strcmp(fc->verb, argv[1]))
			break;
	if (fc->fn == NULL) {
		dbprintf(_("Unknown fuzz command '%s'.\n"), argv[1]);
		goto out_free;
	}

	/* if we're a root field type, go down 1 layer to get field list */
	if (fields->name[0] == '\0') {
		fa = &ftattrtab[fields->ftyp];
		ASSERT(fa->ftyp == fields->ftyp);
		fields = fa->subfld;
	}

	/* run down the field list and set offsets into the data */
	if (!flist_parse(fields, fl, iocur_top->data, 0)) {
		dbprintf(_("parsing error\n"));
		goto out_free;
	}

	sfl = fl;
	parentoffset = 0;
	while (sfl->child) {
		parentoffset = sfl->offset;
		sfl = sfl->child;
	}

	/*
	 * For structures, fsize * fcount tells us the size of the region we are
	 * modifying, which is usually a single structure member and is pointed
	 * to by the last child in the list.
	 *
	 * However, if the base structure is an array and we have a direct index
	 * into the array (e.g. write bno[5]) then we are returned a single
	 * flist object with the offset pointing directly at the location we
	 * need to modify. The length of the object we are modifying is then
	 * determined by the size of the individual array entry (fsize) and the
	 * indexes defined in the object, not the overall size of the array
	 * (which is what fcount returns).
	 */
	bit_length = fsize(sfl->fld, iocur_top->data, parentoffset, 0);
	if (sfl->fld->flags & FLD_ARRAY)
		bit_length *= sfl->high - sfl->low + 1;
	else
		bit_length *= fcount(sfl->fld, iocur_top->data, parentoffset);

	/* Fuzz the value */
	success = fc->fn(iocur_top->data, sfl->offset, bit_length);
	if (!success) {
		dbprintf(_("unable to fuzz field '%s'\n"), argv[0]);
		goto out_free;
	}

	/* Write the fuzzed value back */
	write_cur();

	flist_print(fl);
	print_flist(fl);
out_free:
	flist_free(fl);
}
Commit	Line	Data
959ef981	1	// SPDX-License-Identifier: GPL-2.0
984af2e1 DW	2	/*
	3	* Copyright (c) 2000-2002,2005 Silicon Graphics, Inc.
	4	* All Rights Reserved.
984af2e1 DW	5	*/
	6
	7	#include "libxfs.h"
	8	#include <ctype.h>
	9	#include <time.h>
	10	#include "bit.h"
	11	#include "block.h"
	12	#include "command.h"
	13	#include "type.h"
	14	#include "faddr.h"
	15	#include "fprint.h"
	16	#include "field.h"
	17	#include "flist.h"
	18	#include "io.h"
	19	#include "init.h"
	20	#include "output.h"
	21	#include "print.h"
	22	#include "write.h"
	23	#include "malloc.h"
4a87b332	24	#include "fuzz.h"
984af2e1 DW	25
	26	static int fuzz_f(int argc, char **argv);
	27	static void fuzz_help(void);
	28
	29	static const cmdinfo_t fuzz_cmd =
	30	{ "fuzz", NULL, fuzz_f, 0, -1, 0, N_("[-c] [-d] field fuzzcmd..."),
	31	N_("fuzz values on disk"), fuzz_help };
	32
	33	void
	34	fuzz_init(void)
	35	{
	36	if (!expert_mode)
	37	return;
	38
	39	add_command(&fuzz_cmd);
	40	srand48(clock());
	41	}
	42
	43	static void
	44	fuzz_help(void)
	45	{
	46	dbprintf(_(
	47	"\n"
	48	" The 'fuzz' command fuzzes fields in any on-disk data structure. For\n"
	49	" block fuzzing, see the 'blocktrash' or 'write' commands."
	50	"\n"
	51	" Examples:\n"
	52	" Struct mode: 'fuzz core.uid zeroes' - set an inode uid field to 0.\n"
	53	" 'fuzz crc ones' - set a crc filed to all ones.\n"
	54	" 'fuzz bno[11] firstbit' - set the high bit of a block array.\n"
	55	" 'fuzz keys[5].startblock add' - increase a btree key value.\n"
	56	" 'fuzz uuid random' - randomize the superblock uuid.\n"
	57	"\n"
	58	" Type 'fuzz' by itself for a list of specific commands.\n\n"
	59	" Specifying the -c option will allow writes of invalid (corrupt) data with\n"
	60	" an invalid CRC. Specifying the -d option will allow writes of invalid data,\n"
	61	" but still recalculate the CRC so we are forced to check and detect the\n"
	62	" invalid data appropriately.\n\n"
	63	));
	64
	65	}
	66
	67	static int
	68	fuzz_f(
	69	int argc,
	70	char **argv)
	71	{
	72	pfunc_t pf;
	73	extern char *progname;
	74	int c;
	75	bool corrupt = false; /* Allow write of bad data w/ invalid CRC */
	76	bool invalid_data = false; /* Allow write of bad data w/ valid CRC */
	77	struct xfs_buf_ops local_ops;
	78	const struct xfs_buf_ops *stashed_ops = NULL;
	79
23d88955	80	if (x.flags & LIBXFS_ISREADONLY) {
984af2e1 DW	81	dbprintf(_("%s started in read only mode, fuzzing disabled\n"),
	82	progname);
	83	return 0;
	84	}
	85
	86	if (cur_typ == NULL) {
	87	dbprintf(_("no current type\n"));
	88	return 0;
	89	}
	90
	91	pf = cur_typ->pfunc;
	92	if (pf == NULL) {
	93	dbprintf(_("no handler function for type %s, fuzz unsupported.\n"),
	94	cur_typ->name);
	95	return 0;
	96	}
	97
	98	while ((c = getopt(argc, argv, "cd")) != EOF) {
	99	switch (c) {
	100	case 'c':
	101	corrupt = true;
	102	break;
	103	case 'd':
	104	invalid_data = true;
	105	break;
	106	default:
	107	dbprintf(_("bad option for fuzz command\n"));
	108	return 0;
	109	}
	110	}
	111
	112	if (corrupt && invalid_data) {
	113	dbprintf(_("Cannot specify both -c and -d options\n"));
	114	return 0;
	115	}
	116
ef209a96 DW	117	if (invalid_data &&
ef209a96 DW	118	iocur_top->typ->crc_off == TYP_F_NO_CRC_OFF &&
2660e653	119	xfs_has_crc(mp)) {
984af2e1 DW	120	dbprintf(_("Cannot recalculate CRCs on this type of object\n"));
	121	return 0;
	122	}
	123
	124	argc -= optind;
	125	argv += optind;
	126
	127	/*
	128	* If the buffer has no verifier or we are using standard verifier
	129	* paths, then just fuzz it and return
	130	*/
	131	if (!iocur_top->bp->b_ops \|\|
	132	!(corrupt \|\| invalid_data)) {
	133	(*pf)(DB_FUZZ, cur_typ->fields, argc, argv);
	134	return 0;
	135	}
	136
	137
	138	/* Temporarily remove write verifier to write bad data */
	139	stashed_ops = iocur_top->bp->b_ops;
	140	local_ops.verify_read = stashed_ops->verify_read;
	141	iocur_top->bp->b_ops = &local_ops;
	142
2660e653	143	if (!xfs_has_crc(mp)) {
ef209a96 DW	144	local_ops.verify_write = xfs_dummy_verify;
ef209a96 DW	145	} else if (corrupt) {
984af2e1 DW	146	local_ops.verify_write = xfs_dummy_verify;
984af2e1 DW	147	dbprintf(_("Allowing fuzz of corrupted data and bad CRC\n"));
984af2e1 DW	148	} else if (iocur_top->typ->crc_off == TYP_F_CRC_FUNC) {
	149	local_ops.verify_write = iocur_top->typ->set_crc;
	150	dbprintf(_("Allowing fuzz of corrupted data with good CRC\n"));
	151	} else { /* invalid data */
	152	local_ops.verify_write = xfs_verify_recalc_crc;
	153	dbprintf(_("Allowing fuzz of corrupted data with good CRC\n"));
	154	}
	155
	156	(*pf)(DB_FUZZ, cur_typ->fields, argc, argv);
	157
	158	iocur_top->bp->b_ops = stashed_ops;
	159
	160	return 0;
	161	}
	162
	163	/* Write zeroes to the field */
	164	static bool
	165	fuzz_zeroes(
	166	void *buf,
	167	int bitoff,
	168	int nbits)
	169	{
	170	char *out = buf;
	171	int bit;
	172
	173	if (bitoff % NBBY \|\| nbits % NBBY) {
	174	for (bit = 0; bit < nbits; bit++)
	175	setbit_l(out, bit + bitoff, 0);
	176	} else
	177	memset(out + byteize(bitoff), 0, byteize(nbits));
	178	return true;
	179	}
	180
	181	/* Write ones to the field */
	182	static bool
	183	fuzz_ones(
	184	void *buf,
	185	int bitoff,
	186	int nbits)
	187	{
	188	char *out = buf;
	189	int bit;
	190
	191	if (bitoff % NBBY \|\| nbits % NBBY) {
	192	for (bit = 0; bit < nbits; bit++)
	193	setbit_l(out, bit + bitoff, 1);
	194	} else
	195	memset(out + byteize(bitoff), 0xFF, byteize(nbits));
	196	return true;
	197	}
	198
	199	/* Flip the high bit in the (presumably big-endian) field */
	200	static bool
	201	fuzz_firstbit(
	202	void *buf,
	203	int bitoff,
	204	int nbits)
	205	{
	206	setbit_l((char )buf, bitoff, !getbit_l((char )buf, bitoff));
	207	return true;
	208	}
	209
	210	/* Flip the low bit in the (presumably big-endian) field */
	211	static bool
212	fuzz_lastbit(
213	void *buf,
214	int bitoff,
215	int nbits)
216	{
217	setbit_l((char *)buf, bitoff + nbits - 1,
592c1015	218	!getbit_l((char *)buf, bitoff + nbits - 1));
984af2e1 DW	219	return true;
	220	}
	221
	222	/* Flip the middle bit in the (presumably big-endian) field */
	223	static bool
	224	fuzz_middlebit(
	225	void *buf,
	226	int bitoff,
	227	int nbits)
	228	{
	229	setbit_l((char *)buf, bitoff + nbits / 2,
592c1015	230	!getbit_l((char *)buf, bitoff + nbits / 2));
984af2e1 DW	231	return true;
	232	}
	233
	234	/* Format and shift a number into a buffer for setbitval. */
	235	static char *
	236	format_number(
	237	uint64_t val,
	238	__be64 *out,
	239	int bit_length)
	240	{
	241	int offset;
	242	char rbuf = (char )out;
	243
	244	/*
	245	* If the length of the field is not a multiple of a byte, push
	246	* the bits up in the field, so the most signicant field bit is
	247	* the most significant bit in the byte:
	248	*
	249	* before:
	250	* val \|----\|----\|----\|----\|----\|--MM\|mmmm\|llll\|
	251	* after
	252	* val \|----\|----\|----\|----\|----\|MMmm\|mmll\|ll00\|
	253	*/
	254	offset = bit_length % NBBY;
	255	if (offset)
	256	val <<= (NBBY - offset);
	257
	258	/*
	259	* convert to big endian and copy into the array
	260	* rbuf \|----\|----\|----\|----\|----\|MMmm\|mmll\|ll00\|
	261	*/
	262	*out = cpu_to_be64(val);
	263
	264	/*
	265	* Align the array to point to the field in the array.
	266	* rbuf = \|MMmm\|mmll\|ll00\|
	267	*/
	268	offset = sizeof(__be64) - 1 - ((bit_length - 1) / sizeof(__be64));
	269	return rbuf + offset;
	270	}
	271
	272	/* Increase the value by some small prime number. */
	273	static bool
	274	fuzz_add(
	275	void *buf,
	276	int bitoff,
	277	int nbits)
	278	{
	279	uint64_t val;
	280	__be64 out;
	281	char *b;
	282
	283	if (nbits > 64)
	284	return false;
	285
	286	val = getbitval(buf, bitoff, nbits, BVUNSIGNED);
	287	val += (nbits > 8 ? 2017 : 137);
	288	b = format_number(val, &out, nbits);
	289	setbitval(buf, bitoff, nbits, b);
	290
	291	return true;
	292	}
	293
	294	/* Decrease the value by some small prime number. */
295	static bool
296	fuzz_sub(
297	void *buf,
298	int bitoff,
299	int nbits)
300	{
301	uint64_t val;
302	__be64 out;
303	char *b;
304
305	if (nbits > 64)
306	return false;
307
308	val = getbitval(buf, bitoff, nbits, BVUNSIGNED);
309	val -= (nbits > 8 ? 2017 : 137);
310	b = format_number(val, &out, nbits);
311	setbitval(buf, bitoff, nbits, b);
312
313	return true;
314	}
315
316	/* Randomize the field. */
317	static bool
318	fuzz_random(
319	void *buf,
320	int bitoff,
321	int nbits)
322	{
323	int i, bytes;
324	char b, rbuf;
325
326	bytes = byteize_up(nbits);
327	rbuf = b = malloc(bytes);
328	if (!b) {
329	perror("fuzz_random");
330	return false;
331	}
332
333	for (i = 0; i < bytes; i++)
334	*b++ = (char)lrand48();
335
336	setbitval(buf, bitoff, nbits, rbuf);
337	free(rbuf);
338
339	return true;
340	}
341
342	struct fuzzcmd {
343	const char *verb;
344	bool (fn)(void buf, int bitoff, int nbits);
345	};
346
347	/* Keep these verbs in sync with enum fuzzcmds. */
348	static struct fuzzcmd fuzzverbs[] = {
349	{"zeroes", fuzz_zeroes},
350	{"ones", fuzz_ones},
351	{"firstbit", fuzz_firstbit},
352	{"middlebit", fuzz_middlebit},
353	{"lastbit", fuzz_lastbit},
354	{"add", fuzz_add},
355	{"sub", fuzz_sub},
356	{"random", fuzz_random},
357	{NULL, NULL},
358	};
359
360	/* ARGSUSED */
361	void
362	fuzz_struct(
363	const field_t *fields,
364	int argc,
365	char **argv)
366	{
367	const ftattr_t *fa;
368	flist_t *fl;
369	flist_t *sfl;
370	int bit_length;
371	struct fuzzcmd *fc;
372	bool success;
373	int parentoffset;
374
375	if (argc != 2) {
376	dbprintf(_("Usage: fuzz fieldname fuzzcmd\n"));
377	dbprintf("Fuzz commands: %s", fuzzverbs->verb);
378	for (fc = fuzzverbs + 1; fc->verb != NULL; fc++)
379	dbprintf(", %s", fc->verb);
380	dbprintf(".\n");
381	return;
382	}
383
384	fl = flist_scan(argv[0]);
385	if (!fl) {
386	dbprintf(_("unable to parse '%s'.\n"), argv[0]);
387	return;
388	}
389
390	/* Find our fuzz verb */
391	for (fc = fuzzverbs; fc->verb != NULL; fc++)
392	if (!strcmp(fc->verb, argv[1]))
393	break;
394	if (fc->fn == NULL) {
395	dbprintf(_("Unknown fuzz command '%s'.\n"), argv[1]);
6a07c22c	396	goto out_free;
984af2e1 DW	397	}
	398
	399	/* if we're a root field type, go down 1 layer to get field list */
	400	if (fields->name[0] == '\0') {
	401	fa = &ftattrtab[fields->ftyp];
	402	ASSERT(fa->ftyp == fields->ftyp);
	403	fields = fa->subfld;
	404	}
	405
	406	/* run down the field list and set offsets into the data */
	407	if (!flist_parse(fields, fl, iocur_top->data, 0)) {
984af2e1	408	dbprintf(_("parsing error\n"));
6a07c22c	409	goto out_free;
984af2e1 DW	410	}
	411
	412	sfl = fl;
	413	parentoffset = 0;
	414	while (sfl->child) {
	415	parentoffset = sfl->offset;
	416	sfl = sfl->child;
	417	}
	418
	419	/*
	420	* For structures, fsize * fcount tells us the size of the region we are
	421	* modifying, which is usually a single structure member and is pointed
	422	* to by the last child in the list.
	423	*
	424	* However, if the base structure is an array and we have a direct index
	425	* into the array (e.g. write bno[5]) then we are returned a single
	426	* flist object with the offset pointing directly at the location we
	427	* need to modify. The length of the object we are modifying is then
	428	* determined by the size of the individual array entry (fsize) and the
	429	* indexes defined in the object, not the overall size of the array
	430	* (which is what fcount returns).
	431	*/
	432	bit_length = fsize(sfl->fld, iocur_top->data, parentoffset, 0);
	433	if (sfl->fld->flags & FLD_ARRAY)
	434	bit_length *= sfl->high - sfl->low + 1;
	435	else
	436	bit_length *= fcount(sfl->fld, iocur_top->data, parentoffset);
	437
	438	/* Fuzz the value */
	439	success = fc->fn(iocur_top->data, sfl->offset, bit_length);
	440	if (!success) {
	441	dbprintf(_("unable to fuzz field '%s'\n"), argv[0]);
6a07c22c	442	goto out_free;
984af2e1 DW	443	}
	444
	445	/* Write the fuzzed value back */
	446	write_cur();
	447
	448	flist_print(fl);
	449	print_flist(fl);
6a07c22c	450	out_free:
984af2e1 DW	451	flist_free(fl);
984af2e1 DW	452	}