On 2/10/20 9:11 AM, Johannes Berg wrote:
> On Sun, 2020-02-09 at 17:58 +0100, Markus Theil wrote:
>> this
>> series fixes several bugs found while fuzzing the scan code of iw.
> Nice, can you describe the setup you used for this?
>
> johannes
>

I used clang with its sanitizers (-fsanitize=address,fuzzer,undefined). A file named fuzz_scan.c is used to call print_ies() with random input. Some beacon frame TLVs were used as seed corpus for libFuzzer. I can also post my small patches doing this, but the current integration into the Makefile can be called "ad-hoc" at best :).

Markus

fuzz_scan.c:

#include "iw.h"

/* libFuzzer entry point: hand the raw input to iw's IE printer.
 * The third argument (print unknown IEs) is toggled by input parity
 * so both code paths get exercised. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
	print_ies((unsigned char *)data, size, size % 2, PRINT_SCAN);
	return 0;
}
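As an added example (not iw's code and not Markus's harness), here is the shape of the bug class such a setup finds, together with a harness of the same form: a bounds-checked walker over 802.11 information elements (the ID/length/body TLVs carried in beacon frames), with the libFuzzer entry point calling it. walk_ies() is a hypothetical stand-in for print_ies(); the sample IE byte strings are constructed for this example, and the LIBFUZZER_BUILD macro is an assumption used only to drop the stand-alone main() when libFuzzer supplies its own.

```c
/* Added example, not part of iw. Build for fuzzing with:
 *   clang -g -O1 -fsanitize=address,fuzzer,undefined -DLIBFUZZER_BUILD \
 *         fuzz_ies.c -o fuzz_ies && ./fuzz_ies corpus/
 * Build stand-alone with plain `cc fuzz_ies.c`. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Walk the IE list in data[0..len). Each IE is: 1 byte ID, 1 byte length,
 * then `length` bytes of body. Returns the number of well-formed IEs, or -1
 * if a header is cut off or a length byte claims more bytes than remain
 * (the over-read an unchecked parser would perform). */
int walk_ies(const uint8_t *data, size_t len)
{
	size_t pos = 0;
	int count = 0;

	while (pos < len) {
		/* A header needs two bytes: ID and length. */
		if (len - pos < 2)
			return -1;
		uint8_t ielen = data[pos + 1];
		/* The body must fit in what is left after the header. */
		if (ielen > len - pos - 2)
			return -1;
		pos += 2 + ielen;
		count++;
	}
	return count;
}

/* libFuzzer entry point, same form as Markus's fuzz_scan.c.
 * ASan/UBSan report any out-of-bounds access walk_ies() would make. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
	walk_ies(data, size);
	return 0;
}

/* Constructed sample: SSID "iw" (ID 0, len 2) then Supported Rates
 * (ID 1, len 3). This is the kind of beacon TLV usable as a seed. */
static const uint8_t good_ies[] = {
	0x00, 0x02, 'i', 'w',
	0x01, 0x03, 0x82, 0x84, 0x8b,
};

/* Constructed truncated sample: SSID claims 8 bytes, only 2 follow. */
static const uint8_t bad_ies[] = { 0x00, 0x08, 'i', 'w' };

#ifndef LIBFUZZER_BUILD
int main(void)
{
	printf("good_ies: %d IEs\n", walk_ies(good_ies, sizeof good_ies));
	printf("bad_ies:  %d (truncated)\n", walk_ies(bad_ies, sizeof bad_ies));
	return 0;
}
#endif
```

The harness deliberately contains no input validation of its own: the walker under test must reject truncated input itself, and any byte string libFuzzer produces is a legitimate frame payload as far as the parser is concerned. Writing the two sample arrays to files in the corpus directory gives libFuzzer the seed it needs to reach past the header checks quickly.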