[forkserver_libafl_cc] Adjust test fuzzer

rchildre3 · rchildre3 · commit be1251672d71 · 2026-05-14T22:09:46.000-04:00
* Remove 1 second per testcase timeout.  The crashes are taking longer
  and are erroneously treated as a timeout
* Add a max input length parameter akin to AFL++'s afl-fuzz CLI args so
  that the mutations are more likely to find the objective (crash)
  * Set the default test to length 10 as the two potential crashes can
    be found mutating the first 3 or 4 bytes
diff --git a/fuzzers/forkserver/forkserver_libafl_cc/Justfile b/fuzzers/forkserver/forkserver_libafl_cc/Justfile
@@ -56,7 +56,7 @@ run: fuzzer
 [macos]
 test: fuzzer
     #!/bin/bash
-    timeout 30s {{ FORKSERVER }} ./{{ FUZZER_NAME }} ./corpus/ -t 1000 | tee fuzz_stdout.log || true
+    timeout 30s {{ FORKSERVER }} -G 10 ./{{ FUZZER_NAME }} ./corpus/ | tee fuzz_stdout.log || true
     if grep -qa "objectives: 1" fuzz_stdout.log; then
         echo "Fuzzer is working"
     else
diff --git a/fuzzers/forkserver/forkserver_libafl_cc/src/main.rs b/fuzzers/forkserver/forkserver_libafl_cc/src/main.rs
@@ -5,7 +5,10 @@ use clap::Parser;
 use libafl::{
     corpus::{Corpus, InMemoryCorpus, OnDiskCorpus},
     events::SimpleEventManager,
-    executors::{forkserver::ForkserverExecutor, HasObservers, StdChildArgs},
+    executors::{
+        forkserver::{ForkserverExecutor, MAX_INPUT_SIZE_DEFAULT},
+        HasObservers, StdChildArgs,
+    },
     feedback_and_fast, feedback_or,
     feedbacks::{CrashFeedback, MaxMapFeedback, TimeFeedback},
     fuzzer::{Fuzzer, StdFuzzer},
@@ -42,6 +45,14 @@ struct Opt {
     )]
     executable: String,
 
+    #[arg(
+        help = "set max length of generated fuzz input",
+        short = 'G',
+        long = "maxlen",
+        default_value_t = MAX_INPUT_SIZE_DEFAULT
+    )]
+    max_input_len: usize,
+
     #[arg(
         help = "The directory to read initial inputs from ('seeds')",
         name = "INPUT_DIR",
@@ -180,6 +191,7 @@ pub fn main() {
         .parse_afl_cmdline(args)
         .coverage_map_size(MAP_SIZE)
         .timeout(Duration::from_millis(opt.timeout))
+        .max_input_size(opt.max_input_len)
         .kill_signal(opt.signal)
         .build(tuple_list!(time_observer, edges_observer))
         .unwrap();
