annotate fuzz.h @ 1883:f54451afc046

use buf_getptr and m_free on every iteration before m_malloc to insure no memory leaks are happening
author HansH111 <hans@atbas.org>
date Tue, 15 Mar 2022 18:57:21 +0000
parents 4983a6bc1f51
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
1 #ifndef DROPBEAR_FUZZ_H
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
2 #define DROPBEAR_FUZZ_H
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
3
1357
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
4 #include "config.h"
1559
92c93b4a3646 Fix to be able to compile normal(ish) binaries with --enable-fuzz
Matt Johnston <matt@ucc.asn.au>
parents: 1558
diff changeset
5
1558
2f64cb3d3007 - #if not #ifdef for DROPBEAR_FUZZ
Matt Johnston <matt@ucc.asn.au>
parents: 1456
diff changeset
6 #if DROPBEAR_FUZZ
1357
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
7
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
8 #include "includes.h"
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
9 #include "buffer.h"
1357
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
10 #include "algo.h"
1778
19cdeb3d2aac Fix fuzzing build
Matt Johnston <matt@ucc.asn.au>
parents: 1777
diff changeset
11 #include "netio.h"
1357
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
12 #include "fuzz-wrapfd.h"
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
13
1356
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1348
diff changeset
14 // once per process
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1385
diff changeset
15 void fuzz_common_setup(void);
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1385
diff changeset
16 void fuzz_svr_setup(void);
1741
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
17 void fuzz_cli_setup(void);
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
18
1758
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
19 // constructor attribute so it runs before main(), including
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
20 // in non-fuzzing mode.
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
21 void fuzz_early_setup(void) __attribute__((constructor));
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
22
1377
d4cc85e6c569 rearrange, all fuzzers now call fuzzer_set_input()
Matt Johnston <matt@ucc.asn.au>
parents: 1369
diff changeset
23 // must be called once per fuzz iteration.
d4cc85e6c569 rearrange, all fuzzers now call fuzzer_set_input()
Matt Johnston <matt@ucc.asn.au>
parents: 1369
diff changeset
24 // returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1385
diff changeset
25 int fuzz_set_input(const uint8_t *Data, size_t Size);
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1385
diff changeset
26
1782
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1779
diff changeset
27 int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int postauth);
1746
28ab2cdb84bf Fix fuzzer build
Matt Johnston <matt@ucc.asn.au>
parents: 1741
diff changeset
28 int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths);
1589
35af85194268 Add kexdh and kexecdh fuzzers
Matt Johnston <matt@ucc.asn.au>
parents: 1561
diff changeset
29 const void* fuzz_get_algo(const algo_type *algos, const char* name);
1356
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1348
diff changeset
30
1369
ddfcadca3c4c fuzzer-pubkey
Matt Johnston <matt@ucc.asn.au>
parents: 1358
diff changeset
31 // fuzzer functions that intrude into general code
1357
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
32 void fuzz_kex_fakealgos(void);
1369
ddfcadca3c4c fuzzer-pubkey
Matt Johnston <matt@ucc.asn.au>
parents: 1358
diff changeset
33 int fuzz_checkpubkey_line(buffer* line, int line_num, char* filename,
ddfcadca3c4c fuzzer-pubkey
Matt Johnston <matt@ucc.asn.au>
parents: 1358
diff changeset
34 const char* algo, unsigned int algolen,
ddfcadca3c4c fuzzer-pubkey
Matt Johnston <matt@ucc.asn.au>
parents: 1358
diff changeset
35 const unsigned char* keyblob, unsigned int keybloblen);
ddfcadca3c4c fuzzer-pubkey
Matt Johnston <matt@ucc.asn.au>
parents: 1358
diff changeset
36 extern const char * const * fuzz_signkey_names;
1757
517fb7b62438 Add some more variation to fuzzer random number generation
Matt Johnston <matt@ucc.asn.au>
parents: 1751
diff changeset
37 void fuzz_seed(const unsigned char* dat, unsigned int len);
1782
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1779
diff changeset
38 void fuzz_svr_hook_preloop(void);
1741
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
39
1786
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1782
diff changeset
40 int fuzz_dropbear_listen(const char* address, const char* port,
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1782
diff changeset
41 int *socks, unsigned int sockcount, char **errstring, int *maxfd);
a3b39df57c8b fuzz: add an always-failing dropbear_listen() replacement
Matt Johnston <matt@ucc.asn.au>
parents: 1782
diff changeset
42
1741
d1b279aa5ed1 Get client fuzzer building and starting (fails straight away)
Matt Johnston <matt@ucc.asn.au>
parents: 1740
diff changeset
43 // helpers
1383
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
44 void fuzz_get_socket_address(int fd, char **local_host, char **local_port,
f03cfe9c76ac Disable setnonblocking(), get_socket_address(), set_sock_priority()
Matt Johnston <matt@ucc.asn.au>
parents: 1377
diff changeset
45 char **remote_host, char **remote_port, int host_lookup);
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1385
diff changeset
46 void fuzz_fake_send_kexdh_reply(void);
1740
dfbe947bdf0d Make wrapfd share a common buffer for all FDs
Matt Johnston <matt@ucc.asn.au>
parents: 1589
diff changeset
47 int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid);
1751
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1746
diff changeset
48 void fuzz_dump(const unsigned char* data, size_t len);
1357
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
49
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
50 // fake IO wrappers
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
51 #ifndef FUZZ_SKIP_WRAP
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
52 #define select(nfds, readfds, writefds, exceptfds, timeout) \
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
53 wrapfd_select(nfds, readfds, writefds, exceptfds, timeout)
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
54 #define write(fd, buf, count) wrapfd_write(fd, buf, count)
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
55 #define read(fd, buf, count) wrapfd_read(fd, buf, count)
1358
6b89eb92f872 glaring wrapfd problems fixed
Matt Johnston <matt@ucc.asn.au>
parents: 1357
diff changeset
56 #define close(fd) wrapfd_close(fd)
1791
685b47d8faf7 fuzz: wrap kill()
Matt Johnston <matt@ucc.asn.au>
parents: 1786
diff changeset
57 #define kill(pid, sig) fuzz_kill(pid, sig)
1357
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
58 #endif // FUZZ_SKIP_WRAP
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
59
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
60 struct dropbear_fuzz_options {
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
61 int fuzzing;
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
62
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
63 // fuzzing input
1356
3677a510f545 add wrapfd. improve fuzzer in makefile
Matt Johnston <matt@ucc.asn.au>
parents: 1348
diff changeset
64 buffer *input;
1357
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
65 struct dropbear_cipher recv_cipher;
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
66 struct dropbear_hash recv_mac;
08f4fa4dc6a0 closer to working
Matt Johnston <matt@ucc.asn.au>
parents: 1356
diff changeset
67 int wrapfds;
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
68
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1385
diff changeset
69 // whether to skip slow bignum maths
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1385
diff changeset
70 int skip_kexmaths;
1782
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1779
diff changeset
71 // whether is svr_postauth mode
a6da10ac64b5 fuzz: make postauth set authdone properly
Matt Johnston <matt@ucc.asn.au>
parents: 1779
diff changeset
72 int svr_postauth;
1456
a90fdd2d2ed8 add fuzzer-preauth_nomaths
Matt Johnston <matt@ucc.asn.au>
parents: 1385
diff changeset
73
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
74 // dropbear_exit() jumps back
1385
6c92e97553f1 Add a flag whether to longjmp, missed that last commit
Matt Johnston <matt@ucc.asn.au>
parents: 1383
diff changeset
75 int do_jmp;
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
76 sigjmp_buf jmp;
1751
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1746
diff changeset
77
1798
8dc43b30c6bf Define _GNU_SOURCE properly, other header fixes
Matt Johnston <matt@ucc.asn.au>
parents: 1791
diff changeset
78 // write out decrypted session data to this FD if it is set
1751
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1746
diff changeset
79 // flag - this needs to be set manually in cli-main.c etc
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1746
diff changeset
80 int dumping;
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1746
diff changeset
81 // the file descriptor
3b9b427925a0 Load password and key for client fuzzer.
Matt Johnston <matt@ucc.asn.au>
parents: 1746
diff changeset
82 int recv_dumpfd;
1758
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
83
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
84 // avoid filling fuzzing logs, this points to /dev/null
1768
096a66e45212 Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents: 1758
diff changeset
85 FILE *fake_stderr;
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
86 };
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
87
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
88 extern struct dropbear_fuzz_options fuzz;
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
89
1768
096a66e45212 Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents: 1758
diff changeset
90 /* guard for when fuzz.h is included by fuzz-common.c */
096a66e45212 Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents: 1758
diff changeset
91 #ifndef FUZZ_NO_REPLACE_STDERR
096a66e45212 Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents: 1758
diff changeset
92
1758
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
93 /* This is a bodge but seems to work.
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
94 glibc stdio.h has the comment
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
95 "C89/C99 say they're macros. Make them happy." */
1768
096a66e45212 Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents: 1758
diff changeset
96 /* OS X has it as a macro */
1758
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
97 #ifdef stderr
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
98 #undef stderr
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
99 #endif
1768
096a66e45212 Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents: 1758
diff changeset
100 #define stderr (fuzz.fake_stderr)
096a66e45212 Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents: 1758
diff changeset
101
096a66e45212 Fix fuzzing stderr override on os x
Matt Johnston <matt@ucc.asn.au>
parents: 1758
diff changeset
102 #endif /* FUZZ_NO_REPLACE_STDERR */
1758
1365661f6be6 Disable stderr output for fuzzer by default
Matt Johnston <matt@ucc.asn.au>
parents: 1757
diff changeset
103
1779
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
104 struct passwd* fuzz_getpwuid(uid_t uid);
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
105 struct passwd* fuzz_getpwnam(const char *login);
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
106 /* guard for when fuzz.h is included by fuzz-common.c */
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
107 #ifndef FUZZ_NO_REPLACE_GETPW
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
108 #define getpwnam(x) fuzz_getpwnam(x)
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
109 #define getpwuid(x) fuzz_getpwuid(x)
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
110 #endif // FUZZ_NO_REPLACE_GETPW
36d4c027cba7 fuzzing: add workaround getpwuid/getpwnam
Matt Johnston <matt@ucc.asn.au>
parents: 1778
diff changeset
111
1798
8dc43b30c6bf Define _GNU_SOURCE properly, other header fixes
Matt Johnston <matt@ucc.asn.au>
parents: 1791
diff changeset
112 #endif /* DROPBEAR_FUZZ */
1348
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
113
5c2899e35b63 fuzz harness
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
114 #endif /* DROPBEAR_FUZZ_H */