annotate fuzz/fuzz-sshpacketmutator.c @ 1874:1c9215154d4a

Handle /proc/.../maps being reordered. We now search for the first r-xp line in the file.
author Matt Johnston <matt@ucc.asn.au>
date Thu, 03 Feb 2022 22:13:06 +0800
parents 8179eabe16c9
children
/* A mutator/crossover for SSH protocol streams.
Attempts to mutate each SSH packet individually, keeping
lengths intact.
It will prepend a SSH-2.0-dbfuzz\r\n version string.

Linking this file to a binary will make libfuzzer pick up the custom mutator.

Care is taken to avoid memory allocation which would otherwise
slow exec/s substantially */

#include "fuzz.h"
#include "dbutil.h"

/* libFuzzer's built-in mutator, resolved at link time; declared here
   because there is no header for it */
size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);

/* Banner written at the start of every output stream, and of the
   made-up stream emitted when the input holds no usable packets */
static const char* FIXED_VERSION = "SSH-2.0-dbfuzz\r\n";
/* Stand-in packet used when there is nothing usable to emit:
   packet_length 0x10, padding_length 6, SSH_MSG_IGNORE (2) carrying a
   zero-length string, then 6 padding bytes.
   NOTE(review): only 12 bytes follow the length field, so under the
   "packet_length doesn't include itself" convention used in
   buf_llvm_mutate the 0x10 looks 4 too large -- confirm it is intended. */
static const char* FIXED_IGNORE_MSG =
"\x00\x00\x00\x10\x06\x02\x00\x00\x00\x00\x11\x22\x33\x44\x55\x66";
/* Byte count of FIXED_IGNORE_MSG; it starts with NUL bytes so strlen()
   cannot be used */
static const unsigned int FIXED_IGNORE_MSG_LEN = 16;
/* Capacity of the packets1/packets2 arrays, and therefore the most
   packets that are split out of one input */
#define MAX_FUZZ_PACKETS 500
/* XXX This might need tuning */
/* Size of the persistent output buffer 'oup' */
static const size_t MAX_OUT_SIZE = 50000;

/* Splits packets from an input stream buffer "inp".
   The initial SSH version identifier is discarded.
   If packets are not recognised it will increment until an uint32 of valid
   packet length is found. */

/* out_packets an array of num_out_packets*buffer, each of size RECV_MAX_PACKET_LEN.
   On entry *num_out_packets is the capacity of that array; on return it is
   the number of packets actually written into it. */
static void fuzz_get_packets(buffer *inp, buffer **out_packets, unsigned int *num_out_packets) {
	/* Skip any existing banner. Format is
	   SSH-protoversion-softwareversion SP comments CR LF
	   so we look for SSH-2. then a subsequent LF */
	static const char banner_prefix[] = "SSH-2.";
	unsigned char *banner = memmem(inp->data, inp->len, banner_prefix, strlen(banner_prefix));
	if (banner) {
		buf_incrpos(inp, banner - inp->data);
		unsigned char *eol = memchr(&inp->data[inp->pos], '\n', inp->len - inp->pos);
		if (!eol) {
			/* Give up on any version string */
			buf_setpos(inp, 0);
		} else {
			buf_incrpos(inp, eol - &inp->data[inp->pos] + 1);
		}
	}

	const unsigned int capacity = *num_out_packets;
	unsigned int count = 0;
	/* Stop at end of input (no room left for a length field) or when the
	   output array is full */
	while (inp->pos + 4 <= inp->len && count < capacity) {
		/* Read packet */
		unsigned int packet_len = buf_getint(inp);
		if (packet_len > RECV_MAX_PACKET_LEN-4) {
			/* Bad length, try skipping a single byte: buf_getint moved
			   forward by 4, so step back 3 */
			buf_decrpos(inp, 3);
			continue;
		}
		/* Clamp a packet that claims more than the input holds */
		packet_len = MIN(packet_len, inp->len - inp->pos);

		/* Check the packet length makes sense */
		if (packet_len >= MIN_PACKET_LEN-4) {
			/* Copy to output buffer. We're reusing buffers */
			buffer *dst = out_packets[count];
			count++;
			buf_setlen(dst, 0);
			// packet_len doesn't include itself
			buf_putint(dst, packet_len);
			buf_putbytes(dst, buf_getptr(inp, packet_len), packet_len);
		}
		/* Packets that were too short are skipped rather than copied */
		buf_incrpos(inp, packet_len);
	}
	*num_out_packets = count;
}

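/* Mutate a packet buffer in-place.
   buf holds one packet (4 byte packet_length, 1 byte padding_length, then
   payload and padding). Everything after the 5 byte header is handed to
   libfuzzer's generic mutator, the result is rounded down to a cipher block
   and the header is regenerated so packet_length matches the bytes kept.
   Returns DROPBEAR_SUCCESS when buf now holds the mutated packet.
   Returns DROPBEAR_FAILURE if it's too short; buf is then replaced with
   FIXED_IGNORE_MSG. */
static int buf_llvm_mutate(buffer *buf) {
	int ret;
	/* Position it after packet_length and padding_length */
	const unsigned int offset = 5;
	buf_setpos(buf, 0);
	buf_incrwritepos(buf, offset);
	/* Mutate in place, bounded by the remaining capacity of buf */
	size_t max_size = buf->size - buf->pos;
	size_t new_size = LLVMFuzzerMutate(buf_getwriteptr(buf, max_size),
		buf->len - buf->pos, max_size);
	size_t new_total = new_size + 1 + 4;
	// Round down to a block size
	new_total = new_total - (new_total % dropbear_nocipher.blocksize);

	/* 16 is the smallest packet accepted here; the parser in
	   fuzz_get_packets uses MIN_PACKET_LEN for the same purpose */
	if (new_total >= 16) {
		buf_setlen(buf, new_total);
		// Fix up the length fields
		buf_setpos(buf, 0);
		// packet_length doesn't include itself, does include padding_length byte.
		// Derive it from the rounded total so the header agrees with the bytes
		// actually kept; new_size+1 would overstate it by whatever the
		// rounding above dropped, and the next packet in the stream would
		// then be consumed as part of this one.
		buf_putint(buf, (unsigned int)(new_total - 4));
		// always just put minimum padding length = 4
		buf_putbyte(buf, 4);
		ret = DROPBEAR_SUCCESS;
	} else {
		// instead put a fake packet
		buf_setlen(buf, 0);
		buf_putbytes(buf, FIXED_IGNORE_MSG, FIXED_IGNORE_MSG_LEN);
		ret = DROPBEAR_FAILURE;
	}
	return ret;
}

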
/* Persistent buffers to avoid constant allocations */
/* Output stream assembled by LLVMFuzzerCustomMutator, MAX_OUT_SIZE bytes */
static buffer *oup;
/* Scratch buffers that receive a mutated copy of a packet,
   RECV_MAX_PACKET_LEN bytes each */
static buffer *alloc_packetA;
static buffer *alloc_packetB;
/* Arrays of pre-split input packets; every slot is a RECV_MAX_PACKET_LEN
   buffer allocated once in alloc_static_buffers */
static buffer* packets1[MAX_FUZZ_PACKETS];
static buffer* packets2[MAX_FUZZ_PACKETS];

/* Allocate buffers once at startup.
   'constructor' here so it runs before dbmalloc's interceptor.
   Fills oup, alloc_packetA, alloc_packetB and every slot of
   packets1/packets2; nothing here is ever freed. */
static void alloc_static_buffers(void) __attribute__((constructor));
static void alloc_static_buffers(void) {
	oup = buf_new(MAX_OUT_SIZE);
	alloc_packetA = buf_new(RECV_MAX_PACKET_LEN);
	alloc_packetB = buf_new(RECV_MAX_PACKET_LEN);

	/* One full-size packet buffer per slot, packets1 first and then packets2 */
	for (int idx = 0; idx < MAX_FUZZ_PACKETS; idx++) {
		packets1[idx] = buf_new(RECV_MAX_PACKET_LEN);
	}
	for (int idx = 0; idx < MAX_FUZZ_PACKETS; idx++) {
		packets2[idx] = buf_new(RECV_MAX_PACKET_LEN);
	}
}

141 size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
142 size_t MaxSize, unsigned int Seed) {
143
144 buf_setlen(alloc_packetA, 0);
145 buf_setlen(alloc_packetB, 0);
146 buf_setlen(oup, 0);
147
148 unsigned int i;
149 size_t ret_len;
150 unsigned short randstate[3] = {0,0,0};
151 memcpy(randstate, &Seed, sizeof(Seed));
152
153 // printhex("mutator input", Data, Size);
154
155 /* 0.1% chance straight llvm mutate */
156 // if (nrand48(randstate) % 1000 == 0) {
157 // ret_len = LLVMFuzzerMutate(Data, Size, MaxSize);
158 // // printhex("mutator straight llvm", Data, ret_len);
159 // return ret_len;
160 // }
161
162 buffer inp_buf = {.data = Data, .size = Size, .len = Size, .pos = 0};
163 buffer *inp = &inp_buf;
164
165 /* Parse packets */
166 unsigned int num_packets = MAX_FUZZ_PACKETS;
167 buffer **packets = packets1;
168 fuzz_get_packets(inp, packets, &num_packets);
169
170 if (num_packets == 0) {
171 // Make up a packet, writing direct to the buffer
172 inp->size = MaxSize;
173 buf_setlen(inp, 0);
174 buf_putbytes(inp, FIXED_VERSION, strlen(FIXED_VERSION));
175 buf_putbytes(inp, FIXED_IGNORE_MSG, FIXED_IGNORE_MSG_LEN);
176 // printhex("mutator no input", Data, inp->len);
177 return inp->len;
178 }
179
180 /* Start output */
181 /* Put a new banner to output */
182 buf_putbytes(oup, FIXED_VERSION, strlen(FIXED_VERSION));
183
184 /* Iterate output */
185 for (i = 0; i < num_packets+1; i++) {
186 // These are pointers to output
187 buffer *out_packetA = NULL, *out_packetB = NULL;
188 buf_setlen(alloc_packetA, 0);
189 buf_setlen(alloc_packetB, 0);
190
191 /* 2% chance each */
192 const int optA = nrand48(randstate) % 50;
193 if (optA == 0) {
194 /* Copy another */
195 unsigned int other = nrand48(randstate) % num_packets;
196 out_packetA = packets[other];
197 // printf("copy another %d / %d len %u\n", other, num_packets, out_packetA->len);
198 }
199 if (optA == 1) {
200 /* Mutate another */
201 unsigned int other = nrand48(randstate) % num_packets;
202 out_packetA = alloc_packetA;
203 buffer *from = packets[other];
204 buf_putbytes(out_packetA, from->data, from->len);
205 if (buf_llvm_mutate(out_packetA) == DROPBEAR_FAILURE) {
206 out_packetA = NULL;
207 }
208 // printf("mutate another %d / %d len %u -> %u\n", other, num_packets, from->len, out_packetA->len);
209 }
210
211 if (i < num_packets) {
212 int optB = nrand48(randstate) % 100;
213 if (optB == 1) {
214 /* small chance of drop */
215 /* Drop it */
216 //printf("%d drop\n", i);
217 } else {
218 /* Odds of modification are proportional to packet position.
219 First packet has 20% chance, last has 100% chance */
220 int optC = nrand48(randstate) % 1000;
221 int mutate_cutoff = MAX(200, (1000 * (i+1) / num_packets));
222 if (optC < mutate_cutoff) {
223 // // printf("%d mutate\n", i);
224 out_packetB = alloc_packetB;
225 buffer *from = packets[i];
226 buf_putbytes(out_packetB, from->data, from->len);
227 if (buf_llvm_mutate(out_packetB) == DROPBEAR_FAILURE) {
228 out_packetB = from;
229 }
230 // printf("mutate self %d / %d len %u -> %u\n", i, num_packets, from->len, out_packetB->len);
231 } else {
232 /* Copy as-is */
233 out_packetB = packets[i];
234 // printf("%d as-is len %u\n", i, out_packetB->len);
235 }
236 }
237 }
238
239 if (out_packetA && oup->len + out_packetA->len <= oup->size) {
240 buf_putbytes(oup, out_packetA->data, out_packetA->len);
241 }
242 if (out_packetB && oup->len + out_packetB->len <= oup->size) {
243 buf_putbytes(oup, out_packetB->data, out_packetB->len);
244 }
245 }
246
247 ret_len = MIN(MaxSize, oup->len);
248 memcpy(Data, oup->data, ret_len);
249 // printhex("mutator done", Data, ret_len);
250 return ret_len;
251 }
252
/* libFuzzer crossover hook: splices SSH packets from two parent inputs
 * into one child stream.
 *
 * Each input is split into packets by fuzz_get_packets() into the
 * file-scope packets1/packets2 arrays (the count passed in starts at
 * MAX_FUZZ_PACKETS and is updated in place). The child is rebuilt in the
 * preallocated file-scope buffer oup: the FIXED_VERSION banner first, then
 * a random number of packets, each drawn uniformly from the concatenation
 * of both packet lists. The number of packets lies between the smaller of
 * the two counts and their sum. A packet that would not fit in oup is
 * skipped rather than truncated. When neither input yields a packet,
 * FIXED_IGNORE_MSG is emitted after the banner instead.
 *
 * Data1/Size1, Data2/Size2: the parent inputs. They are only read; the
 *     cast to void* exists to satisfy the buffer struct's field type.
 * Out/MaxOutSize: destination for the child. At most MaxOutSize bytes are
 *     copied, so a longer assembled stream is cut off at that point.
 * Seed: fills the low bytes of the nrand48 state (the rest stays zero), so
 *     the packet selection is a pure function of the inputs and Seed.
 * Returns the number of bytes written to Out.
 */
size_t LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1,
		const uint8_t *Data2, size_t Size2,
		uint8_t *Out, size_t MaxOutSize,
		unsigned int Seed) {
	/* Seed the 48-bit PRNG state from the 32-bit libFuzzer seed. */
	unsigned short randstate[3] = {0, 0, 0};
	memcpy(randstate, &Seed, sizeof(Seed));

	/* Wrap the parents as read-only buffers for the packet splitter. */
	buffer inp_buf1 = {.data = (void*)Data1, .size = Size1, .len = Size1, .pos = 0};
	buffer inp_buf2 = {.data = (void*)Data2, .size = Size2, .len = Size2, .pos = 0};

	unsigned int num_packets1 = MAX_FUZZ_PACKETS;
	unsigned int num_packets2 = MAX_FUZZ_PACKETS;
	fuzz_get_packets(&inp_buf1, packets1, &num_packets1);
	fuzz_get_packets(&inp_buf2, packets2, &num_packets2);

	/* Start the child from scratch with a fresh banner. */
	buf_setlen(oup, 0);
	buf_putbytes(oup, FIXED_VERSION, strlen(FIXED_VERSION));

	if (num_packets1 == 0 && num_packets2 == 0) {
		/* Nothing to splice: keep the stream parseable past the banner. */
		buf_putbytes(oup, FIXED_IGNORE_MSG, FIXED_IGNORE_MSG_LEN);
	} else {
		/* Child length is drawn from [min(n1, n2), n1 + n2]. */
		unsigned int total = num_packets1 + num_packets2;
		unsigned int fewest = MIN(num_packets1, num_packets2);
		unsigned int span = total - fewest + 1;
		unsigned int num_out = fewest + nrand48(randstate) % span;

		for (unsigned int n = 0; n < num_out; n++) {
			/* Uniform pick over both lists laid end to end. */
			unsigned int idx = nrand48(randstate) % total;
			buffer *chosen = (idx < num_packets1)
				? packets1[idx]
				: packets2[idx - num_packets1];
			/* Skip any packet that would overflow the preallocated output. */
			if (oup->len + chosen->len <= oup->size) {
				buf_putbytes(oup, chosen->data, chosen->len);
			}
		}
	}

	/* Hand back as much of the assembled stream as the caller can take. */
	size_t ret_len = MIN(MaxOutSize, oup->len);
	memcpy(Out, oup->data, ret_len);
	return ret_len;
}