I am trying to familiarize myself with the usage of afl++. I wrote a simple program that should crash due to buffer overflow if argv[1] is too long.
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[4];          /* 4-byte stack buffer */
    if (argc == 2)
    {
        strcpy(buffer, argv[1]);   /* unbounded copy: overflows when argv[1] is longer than 3 characters */
    }
    return 0;
}
I would expect the crash to be found by afl++ soon, but after running for quite some time, maybe around 2 hours, I don't see any crashes being logged yet.
The command line I used was
afl-fuzz -i afl_inputs -o afl_outputs -- ./target_application
The program was compiled with
CC=afl-clang-fast++ AFL_HARDEN=1 make
Interestingly, when I was troubleshooting this issue, I put some ASCII characters in my input file, such as just the character "Z", and modified the command line as follows:
afl-fuzz -i afl_inputs -o afl_outputs -- ./target_application @@
With that, afl++ terminates immediately, stating that one of the test cases caused a crash.
Furthermore, I tried to run the application itself with that input file:
./target_application ./afl_inputs/input.txt
and
./target_application < ./afl_inputs/z.txt
but it does not crash in either scenario.
Questions
- What am I doing wrong?
- Since afl++ fuzzes stdin, can I assume that argv[1] should be populated with random values if I did not specify "@@"? Although it does seem like my assumption is wrong.
- Does "@@" mean it will read from my input files and place what it read into the command line (from what I read in the documentation, that seems to be the case)?
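A harness in the shape the stdin/@@ questions above point at, as an added example that is not the asker's program: it reads the whole fuzzer input (stdin, or the file AFL substitutes for @@) and hands it to the function under test as if it were argv[1], so the fuzzer's bytes actually reach the strcpy. The names read_input, would_overflow, target and BUF_CAP are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUF_CAP 4 /* same 4-byte stack buffer as in the post */
/* Bounds check the post's program lacks: 1 if copying arg plus its
   terminating NUL into a BUF_CAP-byte buffer would overflow it. */
int would_overflow(const char *arg)
{
    return strlen(arg) + 1 > BUF_CAP;
}
/* Read the whole fuzzer input into a NUL-terminated heap buffer. f is
   stdin when afl-fuzz runs the target without @@, or the file whose
   path AFL substitutes for @@ when one is given. */
char *read_input(FILE *f, size_t *len_out)
{
    size_t cap = 4096, len = 0, n;
    char *buf = malloc(cap + 1);
    if (!buf) return NULL;
    while ((n = fread(buf + len, 1, cap - len, f)) > 0) {
        len += n;
        if (len == cap) { /* grow, keeping room for the NUL */
            char *tmp = realloc(buf, (cap *= 2) + 1);
            if (!tmp) { free(buf); return NULL; }
            buf = tmp;
        }
    }
    buf[len] = '\0';
    *len_out = len;
    return buf;
}
/* Function under test: the post's body with the input passed in as a
   parameter instead of argv[1]. The unbounded strcpy is kept on purpose;
   AFL_HARDEN or ASan is what turns the overflow into a reported crash. */
static void target(const char *arg)
{
    char buffer[BUF_CAP];
    strcpy(buffer, arg);
    (void)buffer;
}
int main(int argc, char **argv)
{
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : stdin;
    size_t len;
    char *data = f ? read_input(f, &len) : NULL;
    if (!data) return 1;
    if (would_overflow(data)) fprintf(stderr, "input exceeds %d bytes\n", BUF_CAP);
    target(data);
    free(data);
    return 0;
}
```

Built with afl-clang-fast and run either as `afl-fuzz -i afl_inputs -o afl_outputs -- ./harness` (stdin) or with `@@` appended (file path), the same bytes reach target() either way; a seed of a single "Z" fits the buffer, so crashes only appear once the fuzzer grows the input past 3 bytes.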