annotate fuzz/fuzz-sshpacketmutator.c @ 1930:299f4f19ba19

Add /usr/sbin and /sbin to default root PATH When dropbear is used in a very restricted environment (such as in an initrd), the default user shell is often also very restricted and doesn't take care of setting the PATH, so the user ends up with the PATH set by dropbear. Unfortunately, dropbear always sets "/usr/bin:/bin" as the default PATH even for the root user, which should have /usr/sbin and /sbin too. For a concrete instance of this problem, see the "Remote Unlocking" section in this tutorial: https://paxswill.com/blog/2013/11/04/encrypted-raspberry-pi/ It speaks of a bug in the initramfs script because it's written "blkid" instead of "/sbin/blkid"... this is just because the scripts from the initramfs do not expect to have a PATH without the sbin directories and because dropbear is not setting the PATH appropriately for the root user. I'm thus suggesting to use the attached patch to fix this misbehaviour (I did not test it, but it's easy enough). It might seem anecdotal but multiple Kali users have been bitten by this. From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403
author Raphael Hertzog <hertzog@debian.org>
date Mon, 09 Jul 2018 16:27:53 +0200
parents 8179eabe16c9
children
1 /* A mutator/crossover for SSH protocol streams.
2 Attempts to mutate each SSH packet individually, keeping
3 lengths intact.
4 It will prepend a SSH-2.0-dbfuzz\r\n version string.
5
6 Linking this file to a binary will make libfuzzer pick up the custom mutator.
7
8 Care is taken to avoid memory allocation which would otherwise
9 slow exec/s substantially */
10
11 #include "fuzz.h"
12 #include "dbutil.h"
13
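size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);

/* Version banner written at the front of every generated stream. */
static const char* FIXED_VERSION = "SSH-2.0-dbfuzz\r\n";

/* Fallback packet emitted when there is nothing usable to output: a
 * SSH_MSG_IGNORE (type 2) carrying an empty string, laid out as
 *   packet_length (4) | padding_length (1) | type (1) | string length (4) | 6 padding bytes
 * Declared as an array so that FIXED_IGNORE_MSG_LEN is derived from the
 * literal instead of being maintained by hand; the literal contains NUL
 * bytes, so strlen() cannot be used on it.
 * NOTE(review): the packet_length field reads 0x10 (16) while only 12 bytes
 * follow it in the literal; confirm whether that mismatch is intended. */
static const char FIXED_IGNORE_MSG[] =
	"\x00\x00\x00\x10\x06\x02\x00\x00\x00\x00\x11\x22\x33\x44\x55\x66";
/* Byte count of FIXED_IGNORE_MSG, excluding the literal's trailing NUL. */
static const unsigned int FIXED_IGNORE_MSG_LEN = sizeof(FIXED_IGNORE_MSG) - 1;

/* Capacity of the packets1/packets2 arrays, i.e. the most packets split out of one input. */
#define MAX_FUZZ_PACKETS 500
/* Size of the persistent output stream buffer. XXX This might need tuning */
static const size_t MAX_OUT_SIZE = 50000;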
23
24 /* Splits packets from an input stream buffer "inp".
25 The initial SSH version identifier is discarded.
26 If packets are not recognised it will advance one byte at a time until a uint32 holding a valid
27 packet length is found. */
28
29 /* out_packets is an array of num_out_packets buffers, each of size RECV_MAX_PACKET_LEN */
static void fuzz_get_packets(buffer *inp, buffer **out_packets, unsigned int *num_out_packets) {
	/* Skip any existing banner. Format is
	   SSH-protoversion-softwareversion SP comments CR LF
	   so we look for "SSH-2." and then the next LF. */
	static const char banner_prefix[] = "SSH-2.";
	unsigned char *banner = memmem(inp->data, inp->len, banner_prefix, sizeof(banner_prefix) - 1);
	if (banner != NULL) {
		buf_incrpos(inp, banner - inp->data);
		unsigned char *eol = memchr(&inp->data[inp->pos], '\n', inp->len - inp->pos);
		if (eol == NULL) {
			/* No terminating LF: give up on any version string and parse from the start */
			buf_setpos(inp, 0);
		} else {
			/* Step past the LF itself */
			buf_incrpos(inp, eol - &inp->data[inp->pos] + 1);
		}
	}

	/* On entry *num_out_packets is the capacity of out_packets;
	   on return it is the number of entries actually filled */
	const unsigned int capacity = *num_out_packets;
	*num_out_packets = 0;

	/* Stop when fewer than 4 bytes remain (no room for a length field)
	   or when the output array is full */
	while (inp->pos + 4 <= inp->len && *num_out_packets < capacity) {
		unsigned int packet_len = buf_getint(inp);
		if (packet_len > RECV_MAX_PACKET_LEN - 4) {
			/* Bad length: step back 3 of the 4 bytes just read so the net
			   effect is skipping a single byte, then try again */
			buf_decrpos(inp, 3);
			continue;
		}
		/* A truncated final packet is clamped to what is actually present */
		packet_len = MIN(packet_len, inp->len - inp->pos);

		if (packet_len >= MIN_PACKET_LEN - 4) {
			/* Reuse the preallocated output buffer. The stored length
			   excludes the length field itself, matching the wire format */
			buffer *dst = out_packets[*num_out_packets];
			(*num_out_packets)++;
			buf_setlen(dst, 0);
			buf_putint(dst, packet_len);
			buf_putbytes(dst, buf_getptr(inp, packet_len), packet_len);
		}
		/* Packets shorter than the minimum are skipped without being emitted */
		buf_incrpos(inp, packet_len);
	}
}
81
82 /* Mutate a packet buffer in-place.
83 Returns DROPBEAR_FAILURE if it's too short */
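static int buf_llvm_mutate(buffer *buf) {
	/* buf holds one framed packet (packet_length, padding_length, payload,
	 * padding) with capacity buf->size. Everything from offset 5 onwards is
	 * handed to libFuzzer's mutator, and the two length fields are then
	 * rewritten so the framing describes the block-rounded result.
	 * Returns DROPBEAR_SUCCESS, or DROPBEAR_FAILURE after replacing the
	 * contents with FIXED_IGNORE_MSG when the mutated packet is too short. */
	int ret;
	/* Position it after packet_length and padding_length */
	const unsigned int offset = 5;
	buf_setpos(buf, 0);
	buf_incrwritepos(buf, offset);
	size_t max_size = buf->size - buf->pos;
	size_t new_size = LLVMFuzzerMutate(buf_getwriteptr(buf, max_size),
			buf->len - buf->pos, max_size);
	size_t new_total = new_size + 1 + 4;
	// Round down to a block size
	new_total = new_total - (new_total % dropbear_nocipher.blocksize);

	if (new_total >= 16) {
		buf_setlen(buf, new_total);
		// Fix up the length fields
		buf_setpos(buf, 0);
		// packet_length doesn't include itself, does include padding_length byte.
		// It is derived from new_total rather than new_size+1: the rounding
		// above may have dropped up to blocksize-1 bytes, and the buffer now
		// holds exactly new_total-4 bytes after this field, so anything larger
		// would over-claim and leave the framing inconsistent.
		buf_putint(buf, new_total - 4);
		// always just put minimum padding length = 4
		buf_putbyte(buf, 4);
		ret = DROPBEAR_SUCCESS;
	} else {
		// instead put a fake packet
		buf_setlen(buf, 0);
		buf_putbytes(buf, FIXED_IGNORE_MSG, FIXED_IGNORE_MSG_LEN);
		ret = DROPBEAR_FAILURE;
	}
	return ret;
}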
114
115
116 /* Persistent buffers to avoid constant allocations */
/* Input packets split out of the current fuzz input (filled by fuzz_get_packets) */
static buffer *packets1[MAX_FUZZ_PACKETS];
/* Second array of packet buffers, same size as packets1 */
static buffer *packets2[MAX_FUZZ_PACKETS];
/* Output stream being assembled; the version banner goes here first */
static buffer *oup;
/* Scratch buffer used when mutating a copied packet */
static buffer *alloc_packetA;
/* Second scratch packet buffer, reset alongside alloc_packetA */
static buffer *alloc_packetB;
122
123 /* Allocate buffers once at startup.
124 'constructor' here so it runs before dbmalloc's interceptor */
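static void alloc_static_buffers(void) __attribute__((constructor));
static void alloc_static_buffers(void) {
	/* Runs automatically at load time via the constructor attribute on the
	 * prototype above. oup is sized MAX_OUT_SIZE; every packet buffer is
	 * sized RECV_MAX_PACKET_LEN so a maximum-length packet always fits.
	 * The parameter list is an explicit (void) rather than the unprototyped
	 * () form, so any accidental call with arguments is a compile error. */
	oup = buf_new(MAX_OUT_SIZE);
	alloc_packetA = buf_new(RECV_MAX_PACKET_LEN);
	alloc_packetB = buf_new(RECV_MAX_PACKET_LEN);

	/* Both packet arrays have the same length, so fill them in one pass */
	for (int i = 0; i < MAX_FUZZ_PACKETS; i++) {
		packets1[i] = buf_new(RECV_MAX_PACKET_LEN);
		packets2[i] = buf_new(RECV_MAX_PACKET_LEN);
	}
}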
140
141 size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
142 size_t MaxSize, unsigned int Seed) {
143
144 buf_setlen(alloc_packetA, 0);
145 buf_setlen(alloc_packetB, 0);
146 buf_setlen(oup, 0);
147
148 unsigned int i;
149 size_t ret_len;
150 unsigned short randstate[3] = {0,0,0};
151 memcpy(randstate, &Seed, sizeof(Seed));
152
153 // printhex("mutator input", Data, Size);
154
155 /* 0.1% chance straight llvm mutate */
156 // if (nrand48(randstate) % 1000 == 0) {
157 // ret_len = LLVMFuzzerMutate(Data, Size, MaxSize);
158 // // printhex("mutator straight llvm", Data, ret_len);
159 // return ret_len;
160 // }
161
162 buffer inp_buf = {.data = Data, .size = Size, .len = Size, .pos = 0};
163 buffer *inp = &inp_buf;
164
165 /* Parse packets */
166 unsigned int num_packets = MAX_FUZZ_PACKETS;
167 buffer **packets = packets1;
168 fuzz_get_packets(inp, packets, &num_packets);
169
170 if (num_packets == 0) {
171 // Make up a packet, writing direct to the buffer
172 inp->size = MaxSize;
173 buf_setlen(inp, 0);
174 buf_putbytes(inp, FIXED_VERSION, strlen(FIXED_VERSION));
175 buf_putbytes(inp, FIXED_IGNORE_MSG, FIXED_IGNORE_MSG_LEN);
176 // printhex("mutator no input", Data, inp->len);
177 return inp->len;
178 }
179
180 /* Start output */
181 /* Put a new banner to output */
182 buf_putbytes(oup, FIXED_VERSION, strlen(FIXED_VERSION));
183
184 /* Iterate output */
185 for (i = 0; i < num_packets+1; i++) {
186 // These are pointers to output
187 buffer *out_packetA = NULL, *out_packetB = NULL;
188 buf_setlen(alloc_packetA, 0);
189 buf_setlen(alloc_packetB, 0);
190
191 /* 2% chance each */
192 const int optA = nrand48(randstate) % 50;
193 if (optA == 0) {
194 /* Copy another */
195 unsigned int other = nrand48(randstate) % num_packets;
196 out_packetA = packets[other];
197 // printf("copy another %d / %d len %u\n", other, num_packets, out_packetA->len);
198 }
199 if (optA == 1) {
200 /* Mutate another */
201 unsigned int other = nrand48(randstate) % num_packets;
202 out_packetA = alloc_packetA;
203 buffer *from = packets[other];
204 buf_putbytes(out_packetA, from->data, from->len);
205 if (buf_llvm_mutate(out_packetA) == DROPBEAR_FAILURE) {
206 out_packetA = NULL;
207 }
208 // printf("mutate another %d / %d len %u -> %u\n", other, num_packets, from->len, out_packetA->len);
209 }
210
211 if (i < num_packets) {
212 int optB = nrand48(randstate) % 100;
213 if (optB == 1) {
214 /* small chance of drop */
215 /* Drop it */
216 //printf("%d drop\n", i);
217 } else {
218 /* Odds of modification are proportional to packet position.
219 First packet has 20% chance, last has 100% chance */
220 int optC = nrand48(randstate) % 1000;
221 int mutate_cutoff = MAX(200, (1000 * (i+1) / num_packets));
222 if (optC < mutate_cutoff) {
223 // // printf("%d mutate\n", i);
224 out_packetB = alloc_packetB;
225 buffer *from = packets[i];
226 buf_putbytes(out_packetB, from->data, from->len);
227 if (buf_llvm_mutate(out_packetB) == DROPBEAR_FAILURE) {
228 out_packetB = from;
229 }
230 // printf("mutate self %d / %d len %u -> %u\n", i, num_packets, from->len, out_packetB->len);
231 } else {
232 /* Copy as-is */
233 out_packetB = packets[i];
234 // printf("%d as-is len %u\n", i, out_packetB->len);
235 }
236 }
237 }
238
239 if (out_packetA && oup->len + out_packetA->len <= oup->size) {
240 buf_putbytes(oup, out_packetA->data, out_packetA->len);
241 }
242 if (out_packetB && oup->len + out_packetB->len <= oup->size) {
243 buf_putbytes(oup, out_packetB->data, out_packetB->len);
244 }
245 }
246
247 ret_len = MIN(MaxSize, oup->len);
248 memcpy(Data, oup->data, ret_len);
249 // printhex("mutator done", Data, ret_len);
250 return ret_len;
251 }
252
/* libFuzzer crossover hook: builds a child input by splicing whole SSH
 * packets taken from two parent inputs.
 *
 * Each parent is split into packets with fuzz_get_packets(). The child is
 * a fresh FIXED_VERSION banner followed by a random number of packets, each
 * picked uniformly from the union of both parents' packet lists. Packets are
 * appended whole (never cut), so framing survives; a packet that would
 * overflow the scratch buffer oup is skipped. If neither parent yields a
 * packet the child carries FIXED_IGNORE_MSG instead, so the output is still
 * a parseable stream.
 *
 * Data1/Size1, Data2/Size2: the two parents; only read.
 * Out/MaxOutSize:           caller-owned destination. The assembled child
 *                           is copied there, truncated to MaxOutSize.
 * Seed:                     libFuzzer's seed; all randomness is nrand48()
 *                           state derived from it, so (inputs, Seed) fully
 *                           determines the result.
 * Returns the number of bytes written to Out.
 *
 * Uses the file-level scratch objects oup, packets1 and packets2, which
 * appear to be preallocated elsewhere in this file.
 */
size_t LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1,
        const uint8_t *Data2, size_t Size2,
        uint8_t *Out, size_t MaxOutSize,
        unsigned int Seed) {
    /* Seed the nrand48() state with the bytes of Seed; whatever sizeof(Seed)
     * does not cover stays zero. */
    unsigned short randstate[3] = {0, 0, 0};
    memcpy(randstate, &Seed, sizeof(Seed));

    /* Wrap both parents as dropbear buffers so the packet splitter can walk
     * them in place. The (void*) cast drops const because buffer.data is not
     * const-qualified; the splitter is only expected to read through it. */
    buffer parent1 = {.data = (void*)Data1, .size = Size1, .len = Size1, .pos = 0};
    buffer parent2 = {.data = (void*)Data2, .size = Size2, .len = Size2, .pos = 0};

    /* countN carries the capacity of packetsN in and the number of packets
     * found out. */
    unsigned int count1 = MAX_FUZZ_PACKETS;
    unsigned int count2 = MAX_FUZZ_PACKETS;
    fuzz_get_packets(&parent1, packets1, &count1);
    fuzz_get_packets(&parent2, packets2, &count2);

    buf_setlen(oup, 0);
    /* Every child starts with a fresh version banner */
    buf_putbytes(oup, FIXED_VERSION, strlen(FIXED_VERSION));

    const unsigned int total = count1 + count2;
    if (total == 0) {
        /* Nothing to splice: emit a fixed ignore message instead */
        buf_putbytes(oup, FIXED_IGNORE_MSG, FIXED_IGNORE_MSG_LEN);
    } else {
        /* Child packet count is drawn from [shorter parent, both parents combined] */
        const unsigned int lo = MIN(count1, count2);
        const unsigned int span = total - lo + 1;
        const unsigned int num_out = lo + nrand48(randstate) % span;

        for (unsigned int n = 0; n < num_out; n++) {
            /* Index into the virtual concatenation packets1 ++ packets2 */
            const unsigned int idx = nrand48(randstate) % total;
            buffer *pkt = (idx < count1) ? packets1[idx] : packets2[idx - count1];
            /* Append whole packets only; skip one that would not fit */
            if (oup->len + pkt->len <= oup->size) {
                buf_putbytes(oup, pkt->data, pkt->len);
            }
        }
    }

    /* Hand back as much of the child as the caller's buffer can hold */
    const size_t ret_len = MIN(MaxOutSize, oup->len);
    memcpy(Out, oup->data, ret_len);
    return ret_len;
}
306