1 /* A mutator/crossover for SSH protocol streams. |
2 Attempts to mutate each SSH packet individually, keeping |
3 lengths intact. |
4 It will prepend a SSH-2.0-dbfuzz\r\n version string. |
5 |
6 Linking this file to a binary will make libfuzzer pick up the custom mutator. |
7 |
8 Care is taken to avoid memory allocation which would otherwise |
9 slow exec/s substantially */ |
11 #include "fuzz.h" |
12 #include "dbutil.h" |
size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);

/* Banner written at the start of every stream this mutator emits. */
static const char *FIXED_VERSION = "SSH-2.0-dbfuzz\r\n";

/* A canned 16-byte binary packet used as filler whenever a real packet is
   not available (no packets in the input, or a mutation that came out too
   short). Going by its name this is presumably an SSH_MSG_IGNORE laid out as
   packet_length | padding_length 6 | msg type 2 | empty string | 6 bytes padding.
   NOTE(review): the packet_length field is 0x10 (16) although only 12 bytes
   follow it; under the "packet_length excludes its own 4 bytes" rule that
   buf_llvm_mutate applies the field would be 0x0c. Confirm whether the
   receiver tolerates this or whether it is a typo. */
static const char *FIXED_IGNORE_MSG =
	"\x00\x00\x00\x10\x06\x02\x00\x00\x00\x00\x11\x22\x33\x44\x55\x66";
static const unsigned int FIXED_IGNORE_MSG_LEN = 16;

/* Upper bound on the number of packets split out of one input stream. */
#define MAX_FUZZ_PACKETS 500

/* Capacity of the assembled output stream. XXX This might need tuning */
static const size_t MAX_OUT_SIZE = 50000;
/* Splits an input stream "inp" into individual binary packets.

   A leading SSH version identifier, if present, is skipped and discarded.
   Each packet is recognised by a plausible uint32 packet_length at the
   current position; when the length there is implausible the scan moves
   forward one byte and tries again, so junk eventually resynchronises on
   the next valid-looking packet.

   out_packets is an array of buffers, each of capacity RECV_MAX_PACKET_LEN.
   On entry *num_out_packets is the number of buffers in that array; on
   return it is the number of packets actually stored. */
static void fuzz_get_packets(buffer *inp, buffer **out_packets, unsigned int *num_out_packets) {
	/* Skip a leading banner if there is one. Its format is
	   "SSH-protoversion-softwareversion SP comments CR LF", so look for
	   "SSH-2." and then the next LF. */
	unsigned char *banner = memmem(inp->data, inp->len, "SSH-2.", strlen("SSH-2."));
	if (banner) {
		buf_incrpos(inp, banner - inp->data);
		unsigned char *lf = memchr(&inp->data[inp->pos], '\n', inp->len - inp->pos);
		if (lf) {
			/* Resume just past the line terminator */
			buf_incrpos(inp, lf - &inp->data[inp->pos] + 1);
		} else {
			/* Unterminated banner: treat the whole input as packet data */
			buf_setpos(inp, 0);
		}
	}

	/* *num_out_packets arrives as the capacity and leaves as the count */
	const unsigned int capacity = *num_out_packets;
	unsigned int count = 0;

	/* Stop at end of input (need 4 bytes for a length) or when out of buffers */
	while (inp->pos + 4 <= inp->len && count < capacity) {
		unsigned int packet_len = buf_getint(inp);
		if (packet_len > RECV_MAX_PACKET_LEN - 4) {
			/* Implausible length: net effect is to step forward one byte */
			buf_decrpos(inp, 3);
			continue;
		}
		/* The last packet may be cut short by the end of the input */
		packet_len = MIN(packet_len, inp->len - inp->pos);

		if (packet_len >= MIN_PACKET_LEN - 4) {
			/* Reuse the caller's preallocated buffer rather than allocating */
			buffer *dst = out_packets[count++];
			buf_setlen(dst, 0);
			/* packet_length field excludes its own 4 bytes */
			buf_putint(dst, packet_len);
			buf_putbytes(dst, buf_getptr(inp, packet_len), packet_len);
		}
		buf_incrpos(inp, packet_len);
	}
	*num_out_packets = count;
}
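/* Mutate a single binary packet in place using libFuzzer's built-in mutator.

   Only the bytes after the 4-byte packet_length and the 1-byte padding_length
   are handed to LLVMFuzzerMutate; both length fields are then rewritten so
   the packet is self-consistent and a whole number of cipher blocks long.

   Returns DROPBEAR_SUCCESS if "buf" now holds the mutated packet, or
   DROPBEAR_FAILURE if the mutated body came out too short to form a packet,
   in which case "buf" is replaced with FIXED_IGNORE_MSG instead. */
static int buf_llvm_mutate(buffer *buf) {
	/* Position after packet_length (4) and padding_length (1) */
	const unsigned int offset = 5;
	buf_setpos(buf, 0);
	buf_incrwritepos(buf, offset);

	/* Let the mutator grow the body up to the buffer's remaining capacity */
	size_t max_size = buf->size - buf->pos;
	size_t new_size = LLVMFuzzerMutate(buf_getwriteptr(buf, max_size),
			buf->len - buf->pos, max_size);

	/* Total length including both length fields, rounded down to a whole
	   number of blocks (presumably so the receiver's block-alignment check
	   on packet size is satisfied). */
	size_t new_total = new_size + 1 + 4;
	new_total -= new_total % dropbear_nocipher.blocksize;

	/* 16 appears to mirror dropbear's MIN_PACKET_LEN -- TODO confirm */
	if (new_total < 16) {
		/* Too short to be a packet: substitute a fixed ignore message */
		buf_setlen(buf, 0);
		buf_putbytes(buf, FIXED_IGNORE_MSG, FIXED_IGNORE_MSG_LEN);
		return DROPBEAR_FAILURE;
	}

	buf_setlen(buf, new_total);
	buf_setpos(buf, 0);
	/* packet_length excludes its own 4 bytes but includes the padding_length
	   byte. It must be derived from the rounded new_total, not from new_size:
	   the rounding above may have discarded up to blocksize-1 bytes of the
	   mutated body, and a packet_length that disagrees with the bytes actually
	   present would make a receiver consume bytes of the following packet. */
	buf_putint(buf, new_total - 4);
	/* Always claim the minimum padding length */
	buf_putbyte(buf, 4);
	return DROPBEAR_SUCCESS;
}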
/* Persistent buffers, allocated once so the mutator does no per-call
   allocation (see the note in the file header about exec/s). */
static buffer *oup;            /* assembled output stream */
static buffer *alloc_packetA;  /* scratch buffer for a mutated packet copy */
static buffer *alloc_packetB;  /* second scratch buffer */
static buffer *packets1[MAX_FUZZ_PACKETS];  /* packets split out of the input */
static buffer *packets2[MAX_FUZZ_PACKETS];  /* second packet array */
/* Allocate every persistent buffer exactly once at program start.
   Declared as a 'constructor' so it runs at load time, before dbmalloc's
   interceptor is in place. Buffer sizes: oup gets MAX_OUT_SIZE, every
   packet buffer gets RECV_MAX_PACKET_LEN. */
static void alloc_static_buffers(void) __attribute__((constructor));
static void alloc_static_buffers(void) {
	oup = buf_new(MAX_OUT_SIZE);
	alloc_packetA = buf_new(RECV_MAX_PACKET_LEN);
	alloc_packetB = buf_new(RECV_MAX_PACKET_LEN);

	for (unsigned int idx = 0; idx < MAX_FUZZ_PACKETS; idx++) {
		packets1[idx] = buf_new(RECV_MAX_PACKET_LEN);
	}
	for (unsigned int idx = 0; idx < MAX_FUZZ_PACKETS; idx++) {
		packets2[idx] = buf_new(RECV_MAX_PACKET_LEN);
	}
}
141 size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
142 size_t MaxSize, unsigned int Seed) { |
1765
b688c884dad7
Fix fuzz-sshpacketmutator to work
Matt Johnston <matt@ucc.asn.au>
parents:
1760
diff
changeset
|
143 |
1767
3e1e1f82eba6
Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1766
diff
changeset
|
144 buf_setlen(alloc_packetA, 0); |
3e1e1f82eba6
Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1766
diff
changeset
|
145 buf_setlen(alloc_packetB, 0); |
3e1e1f82eba6
Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1766
diff
changeset
|
146 buf_setlen(oup, 0); |
1765
b688c884dad7
Fix fuzz-sshpacketmutator to work
Matt Johnston <matt@ucc.asn.au>
parents:
1760
diff
changeset
|
147 |
b688c884dad7
Fix fuzz-sshpacketmutator to work
Matt Johnston <matt@ucc.asn.au>
parents:
1760
diff
changeset
|
148 unsigned int i; |
1774
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
149 size_t ret_len; |
1760
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
150 unsigned short randstate[3] = {0,0,0}; |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
151 memcpy(randstate, &Seed, sizeof(Seed)); |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
152 |
1765
b688c884dad7
Fix fuzz-sshpacketmutator to work
Matt Johnston <matt@ucc.asn.au>
parents:
1760
diff
changeset
|
153 // printhex("mutator input", Data, Size); |
1771
af9ed0815818
Use SSH packet mutator for preauth too
Matt Johnston <matt@ucc.asn.au>
parents:
1767
diff
changeset
|
154 |
af9ed0815818
Use SSH packet mutator for preauth too
Matt Johnston <matt@ucc.asn.au>
parents:
1767
diff
changeset
|
155 /* 0.1% chance straight llvm mutate */ |
1774
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
156 // if (nrand48(randstate) % 1000 == 0) { |
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
157 // ret_len = LLVMFuzzerMutate(Data, Size, MaxSize); |
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
158 // // printhex("mutator straight llvm", Data, ret_len); |
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
159 // return ret_len; |
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
160 // } |
1760
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
161 |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
162 buffer inp_buf = {.data = Data, .size = Size, .len = Size, .pos = 0}; |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
163 buffer *inp = &inp_buf; |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
164 |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
165 /* Parse packets */ |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
166 unsigned int num_packets = MAX_FUZZ_PACKETS; |
1767
3e1e1f82eba6
Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1766
diff
changeset
|
167 buffer **packets = packets1; |
1760
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
168 fuzz_get_packets(inp, packets, &num_packets); |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
169 |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
170 if (num_packets == 0) { |
1774
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
171 // Make up a packet, writing direct to the buffer |
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
172 inp->size = MaxSize; |
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
173 buf_setlen(inp, 0); |
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
174 buf_putbytes(inp, FIXED_VERSION, strlen(FIXED_VERSION)); |
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
175 buf_putbytes(inp, FIXED_IGNORE_MSG, FIXED_IGNORE_MSG_LEN); |
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
176 // printhex("mutator no input", Data, inp->len); |
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
177 return inp->len; |
1760
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
178 } |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
179 |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
180 /* Start output */ |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
181 /* Put a new banner to output */ |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
182 buf_putbytes(oup, FIXED_VERSION, strlen(FIXED_VERSION)); |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
183 |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
184 /* Iterate output */ |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
185 for (i = 0; i < num_packets+1; i++) { |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
186 // These are pointers to output |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
187 buffer *out_packetA = NULL, *out_packetB = NULL; |
1767
3e1e1f82eba6
Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1766
diff
changeset
|
188 buf_setlen(alloc_packetA, 0); |
3e1e1f82eba6
Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths
Matt Johnston <matt@ucc.asn.au>
parents:
1766
diff
changeset
|
189 buf_setlen(alloc_packetB, 0); |
1760
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
190 |
1774
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
191 /* 2% chance each */ |
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
192 const int optA = nrand48(randstate) % 50; |
1760
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
193 if (optA == 0) { |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
194 /* Copy another */ |
1765
b688c884dad7
Fix fuzz-sshpacketmutator to work
Matt Johnston <matt@ucc.asn.au>
parents:
1760
diff
changeset
|
195 unsigned int other = nrand48(randstate) % num_packets; |
b688c884dad7
Fix fuzz-sshpacketmutator to work
Matt Johnston <matt@ucc.asn.au>
parents:
1760
diff
changeset
|
196 out_packetA = packets[other]; |
1774
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
197 // printf("copy another %d / %d len %u\n", other, num_packets, out_packetA->len); |
1760
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
198 } |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
199 if (optA == 1) { |
2406a9987810
Add first try at fuzzing custom mutator
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
200 /* Mutate another */ |
1765
b688c884dad7
Fix fuzz-sshpacketmutator to work
Matt Johnston <matt@ucc.asn.au>
parents:
1760
diff
changeset
|
201 unsigned int other = nrand48(randstate) % num_packets; |
1774
833bf9947603
Fuzzing - get rid of "prefix" for streams
Matt Johnston <matt@ucc.asn.au>
parents:
1771
diff
changeset
|
202 out_packetA = alloc_packetA; |
1765
b688c884dad7
Fix fuzz-sshpacketmutator to work
Matt Johnston <matt@ucc.asn.au>
parents:
1760
diff
changeset
|
203 buffer *from = packets[other]; |
204 buf_putbytes(out_packetA, from->data, from->len); |
205 if (buf_llvm_mutate(out_packetA) == DROPBEAR_FAILURE) { |
206 out_packetA = NULL; |
207 } |
208 // printf("mutate another %d / %d len %u -> %u\n", other, num_packets, from->len, out_packetA->len); |
209 } |
210 |
211 if (i < num_packets) { |
212 int optB = nrand48(randstate) % 100; |
213 if (optB == 1) { |
214 /* small chance of drop */ |
215 /* Drop it */ |
216 //printf("%d drop\n", i); |
217 } else { |
218 /* Odds of modification are proportional to packet position. |
219 First packet has 20% chance, last has 100% chance */ |
220 int optC = nrand48(randstate) % 1000; |
221 int mutate_cutoff = MAX(200, (1000 * (i+1) / num_packets)); |
222 if (optC < mutate_cutoff) { |
223 // // printf("%d mutate\n", i); |
224 out_packetB = alloc_packetB; |
225 buffer *from = packets[i]; |
226 buf_putbytes(out_packetB, from->data, from->len); |
227 if (buf_llvm_mutate(out_packetB) == DROPBEAR_FAILURE) { |
228 out_packetB = from; |
229 } |
230 // printf("mutate self %d / %d len %u -> %u\n", i, num_packets, from->len, out_packetB->len); |
231 } else { |
232 /* Copy as-is */ |
233 out_packetB = packets[i]; |
234 // printf("%d as-is len %u\n", i, out_packetB->len); |
235 } |
236 } |
237 } |
238 |
239 if (out_packetA && oup->len + out_packetA->len <= oup->size) { |
240 buf_putbytes(oup, out_packetA->data, out_packetA->len); |
241 } |
242 if (out_packetB && oup->len + out_packetB->len <= oup->size) { |
243 buf_putbytes(oup, out_packetB->data, out_packetB->len); |
244 } |
245 } |
246 |
247 ret_len = MIN(MaxSize, oup->len); |
248 memcpy(Data, oup->data, ret_len); |
249 // printhex("mutator done", Data, ret_len); |
250 return ret_len; |
251 } |
252 |
/**
 * libFuzzer custom crossover hook: splice two SSH packet streams into one.
 *
 * Each parent is split into packets with fuzz_get_packets(). A child is then
 * built by drawing a random number of packets — between the smaller parent's
 * packet count and the sum of both counts — from the union of the two packet
 * lists, appending each to the scratch buffer 'oup' behind a fresh
 * FIXED_VERSION banner. When neither parent yields a packet, the fixed
 * ignore message is emitted instead so the child is still a non-empty stream.
 *
 * @param Data1, Size1  first parent stream (not modified by this function)
 * @param Data2, Size2  second parent stream (not modified by this function)
 * @param Out           destination; receives at most MaxOutSize bytes
 * @param MaxOutSize    capacity of Out
 * @param Seed          seeds nrand48(), so the child is deterministic per seed
 * @return number of bytes written to Out
 *
 * A packet that would overflow 'oup' is skipped rather than truncated, so the
 * scratch buffer only ever holds whole packets after the banner; the final
 * copy to Out may still cut the stream at MaxOutSize.
 * NOTE(review): 'oup', 'packets1' and 'packets2' are file-scope storage that
 * is reused across calls (no allocation here) — confirm their sizing against
 * MAX_FUZZ_PACKETS when changing either.
 */
size_t LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1,
		const uint8_t *Data2, size_t Size2,
		uint8_t *Out, size_t MaxOutSize,
		unsigned int Seed) {
	/* nrand48 wants 48 bits of state; Seed fills the first sizeof(Seed)
	   bytes and the remainder stays zero. */
	unsigned short randstate[3] = {0};
	memcpy(randstate, &Seed, sizeof(Seed));

	/* Wrap both parents in place. The cast only satisfies the buffer
	   struct's non-const data member; the parents are treated as read-only. */
	buffer stream1 = {.data = (void*)Data1, .size = Size1, .len = Size1, .pos = 0};
	buffer stream2 = {.data = (void*)Data2, .size = Size2, .len = Size2, .pos = 0};

	/* In/out: capacity of the packet array on entry, packets found on return */
	unsigned int count1 = MAX_FUZZ_PACKETS;
	unsigned int count2 = MAX_FUZZ_PACKETS;
	fuzz_get_packets(&stream1, packets1, &count1);
	fuzz_get_packets(&stream2, packets2, &count2);

	// fprintf(stderr, "input 1 %u packets\n", count1);
	// printhex("crossover input1", Data1, Size1);
	// fprintf(stderr, "input 2 %u packets\n", count2);
	// printhex("crossover input2", Data2, Size2);

	/* Start the child with a fresh version banner */
	buf_setlen(oup, 0);
	buf_putbytes(oup, FIXED_VERSION, strlen(FIXED_VERSION));

	if (count1 == 0 && count2 == 0) {
		/* Nothing to splice from either parent */
		buf_putbytes(oup, FIXED_IGNORE_MSG, FIXED_IGNORE_MSG_LEN);
	} else {
		const unsigned int lo = MIN(count1, count2);
		const unsigned int hi = count1 + count2;
		/* Child length in packets, uniform over [lo, hi] */
		const unsigned int num_out = lo + nrand48(randstate) % (hi - lo + 1);

		for (unsigned int n = 0; n < num_out; n++) {
			/* Index into the virtual concatenation packets1 ++ packets2 */
			const unsigned int pick = nrand48(randstate) % hi;
			buffer *src = (pick < count1) ? packets1[pick] : packets2[pick - count1];
			/* Skip, don't truncate, a packet that does not fit */
			if (oup->len + src->len <= oup->size) {
				buf_putbytes(oup, src->data, src->len);
			}
		}
	}

	/* Hand back at most MaxOutSize bytes; the caller owns Out */
	const size_t ret_len = MIN(MaxOutSize, oup->len);
	memcpy(Out, oup->data, ret_len);
	// printhex("crossover output", Out, ret_len);
	return ret_len;
}