comparison fuzz/fuzz-common.c @ 1801:4983a6bc1f51
fuzz: fix crash in newtcpdirect(), don't close the channel too early
author | Matt Johnston <matt@ucc.asn.au> |
date | Fri, 05 Mar 2021 22:51:11 +0800 |
parents | 8df3d6aa5f23 |
children | 19b28d2fbe30 |
1800:c584b5602bd8 | 1801:4983a6bc1f51 |
233 *ret_pid = 999; | 233 *ret_pid = 999; |
234 return DROPBEAR_SUCCESS; | 234 return DROPBEAR_SUCCESS; |
235 } | 235 } |
236 | 236 |
237 | 237 |
238 struct dropbear_progress_connection *fuzz_connect_remote(const char* UNUSED(remotehost), const char* UNUSED(remoteport), | |
239 connect_callback cb, void* cb_data, | |
240 const char* UNUSED(bind_address), const char* UNUSED(bind_port)) { | |
241 /* This replacement for connect_remote() has slightly different semantics | |
242 to the real thing. It should probably be replaced with something more sophisticated. | |
243 It calls the callback cb() immediately rather than | |
244 in a future session loop iteration with set_connect_fds()/handle_connect_fds(). | |
245 This could cause problems depending on how connect_remote() is used. In particular | |
246 the callback can close a channel - that can cause use-after-free. */ | |
247 char r; | |
248 genrandom((void*)&r, 1); | |
249 if (r & 1) { | |
250 int sock = wrapfd_new_dummy(); | |
251 cb(DROPBEAR_SUCCESS, sock, cb_data, NULL); | |
252 } else { | |
253 cb(DROPBEAR_FAILURE, -1, cb_data, "errorstring"); | |
254 } | |
255 return NULL; | |
256 } | |
257 | |
258 /* Fake dropbear_listen, always returns failure for now. | 238 /* Fake dropbear_listen, always returns failure for now. |
259 TODO make it sometimes return success with wrapfd_new_dummy() sockets. | 239 TODO make it sometimes return success with wrapfd_new_dummy() sockets. |
260 Making the listeners fake a new incoming connection will be harder. */ | 240 Making the listeners fake a new incoming connection will be harder. */ |
261 /* Listen on address:port. | 241 /* Listen on address:port. |
262 * Special cases are address of "" listening on everything, | 242 * Special cases are address of "" listening on everything, |