comparison fuzz/fuzz-common.c @ 1774:833bf9947603

Fuzzing - get rid of "prefix" for streams. Improved packet generation with sshpacketmutator.
author Matt Johnston <matt@ucc.asn.au>
date Sun, 01 Nov 2020 23:44:58 +0800
parents 66b29b054896
children 8179eabe16c9
1773:c3ca130d193a 1774:833bf9947603
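--- a/fuzz/fuzz-common.c
+++ b/fuzz/fuzz-common.c
@@ -62,10 +62,11 @@
 
 memset(&ses, 0x0, sizeof(ses));
 memset(&svr_ses, 0x0, sizeof(svr_ses));
 memset(&cli_ses, 0x0, sizeof(cli_ses));
 wrapfd_setup(fuzz.input);
+// printhex("input", fuzz.input->data, fuzz.input->len);
 
 fuzz_seed(fuzz.input->data, MIN(fuzz.input->len, 16));
 
 return DROPBEAR_SUCCESS;
 }
@@ -185,10 +186,11 @@
 buf_free(b);
 }
 
 void fuzz_kex_fakealgos(void) {
 ses.newkeys->recv.crypt_mode = &dropbear_mode_none;
+ses.newkeys->recv.algo_mac = &dropbear_nohash;
 }
 
 void fuzz_get_socket_address(int UNUSED(fd), char **local_host, char **local_port,
 char **remote_host, char **remote_port, int UNUSED(host_lookup)) {
 if (local_host) {
@@ -234,27 +236,12 @@
 
 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
 return 0;
 }
 
-/*
-get prefix, allowing for future extensibility. input format is
-string prefix
-uint32 wrapfd seed
-... to be extended later
-[bytes] ssh input stream
-*/
-
-/* be careful to avoid triggering buffer.c assertions */
-if (fuzz.input->len < 8) {
-return 0;
-}
-size_t prefix_size = buf_getint(fuzz.input);
-if (prefix_size != 4) {
-return 0;
-}
-uint32_t wrapseed = buf_getint(fuzz.input);
+uint32_t wrapseed;
+genrandom(&wrapseed, sizeof(wrapseed));
 wrapfd_setseed(wrapseed);
 
 int fakesock = wrapfd_new();
 
 m_malloc_set_epoch(1);
@@ -282,27 +269,15 @@
 
 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
 return 0;
 }
 
-/*
-get prefix, allowing for future extensibility. input format is
-string prefix
-uint32 wrapfd seed
-... to be extended later
-[bytes] ssh input stream
-*/
-
-/* be careful to avoid triggering buffer.c assertions */
-if (fuzz.input->len < 8) {
-return 0;
-}
-size_t prefix_size = buf_getint(fuzz.input);
-if (prefix_size != 4) {
-return 0;
-}
-uint32_t wrapseed = buf_getint(fuzz.input);
+// Allow to proceed sooner
+ses.kexstate.donefirstkex = 1;
+
+uint32_t wrapseed;
+genrandom(&wrapseed, sizeof(wrapseed));
 wrapfd_setseed(wrapseed);
 
 int fakesock = wrapfd_new();
 
 m_malloc_set_epoch(1);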
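Review bot: The wrapfd seed is no longer carried in the input stream but drawn with `genrandom(&wrapseed, sizeof(wrapseed));` in the third and fourth hunks, so reproducing a crash from a saved corpus file now depends on genrandom() being deterministic for that input; the setup code in the first hunk calls `fuzz_seed(fuzz.input->data, MIN(fuzz.input->len, 16))`, which presumably is what provides that determinism, but nothing next to the genrandom() calls says so. A one-line comment at each call would make the dependency explicit: `/* reproducible: in fuzz builds genrandom() is seeded from the input by fuzz_seed() during setup */`. In the fourth hunk, `// Allow to proceed sooner` would be more useful if it named what `ses.kexstate.donefirstkex = 1;` bypasses (presumably the checks that reject post-kex packets before a first key exchange has completed). Both enclosing functions start and end outside the hunks.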