comparison fuzz/fuzz-common.c @ 1774:833bf9947603
Fuzzing - get rid of "prefix" for streams
Improved packet generation with sshpacketmutator
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Sun, 01 Nov 2020 23:44:58 +0800 |
parents | 66b29b054896 |
children | 8179eabe16c9 |
1773:c3ca130d193a | 1774:833bf9947603 |
---|---|
62 | 62 |
63 memset(&ses, 0x0, sizeof(ses)); | 63 memset(&ses, 0x0, sizeof(ses)); |
64 memset(&svr_ses, 0x0, sizeof(svr_ses)); | 64 memset(&svr_ses, 0x0, sizeof(svr_ses)); |
65 memset(&cli_ses, 0x0, sizeof(cli_ses)); | 65 memset(&cli_ses, 0x0, sizeof(cli_ses)); |
66 wrapfd_setup(fuzz.input); | 66 wrapfd_setup(fuzz.input); |
67 // printhex("input", fuzz.input->data, fuzz.input->len); | |
67 | 68 |
68 fuzz_seed(fuzz.input->data, MIN(fuzz.input->len, 16)); | 69 fuzz_seed(fuzz.input->data, MIN(fuzz.input->len, 16)); |
69 | 70 |
70 return DROPBEAR_SUCCESS; | 71 return DROPBEAR_SUCCESS; |
71 } | 72 } |
185 buf_free(b); | 186 buf_free(b); |
186 } | 187 } |
187 | 188 |
188 void fuzz_kex_fakealgos(void) { | 189 void fuzz_kex_fakealgos(void) { |
189 ses.newkeys->recv.crypt_mode = &dropbear_mode_none; | 190 ses.newkeys->recv.crypt_mode = &dropbear_mode_none; |
191 ses.newkeys->recv.algo_mac = &dropbear_nohash; | |
190 } | 192 } |
191 | 193 |
192 void fuzz_get_socket_address(int UNUSED(fd), char **local_host, char **local_port, | 194 void fuzz_get_socket_address(int UNUSED(fd), char **local_host, char **local_port, |
193 char **remote_host, char **remote_port, int UNUSED(host_lookup)) { | 195 char **remote_host, char **remote_port, int UNUSED(host_lookup)) { |
194 if (local_host) { | 196 if (local_host) { |
234 | 236 |
235 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { | 237 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { |
236 return 0; | 238 return 0; |
237 } | 239 } |
238 | 240 |
239 /* | 241 uint32_t wrapseed; |
240 get prefix, allowing for future extensibility. input format is | 242 genrandom(&wrapseed, sizeof(wrapseed)); |
241 string prefix | |
242 uint32 wrapfd seed | |
243 ... to be extended later | |
244 [bytes] ssh input stream | |
245 */ | |
246 | |
247 /* be careful to avoid triggering buffer.c assertions */ | |
248 if (fuzz.input->len < 8) { | |
249 return 0; | |
250 } | |
251 size_t prefix_size = buf_getint(fuzz.input); | |
252 if (prefix_size != 4) { | |
253 return 0; | |
254 } | |
255 uint32_t wrapseed = buf_getint(fuzz.input); | |
256 wrapfd_setseed(wrapseed); | 243 wrapfd_setseed(wrapseed); |
257 | 244 |
258 int fakesock = wrapfd_new(); | 245 int fakesock = wrapfd_new(); |
259 | 246 |
260 m_malloc_set_epoch(1); | 247 m_malloc_set_epoch(1); |
282 | 269 |
283 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { | 270 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { |
284 return 0; | 271 return 0; |
285 } | 272 } |
286 | 273 |
287 /* | 274 // Allow to proceed sooner |
288 get prefix, allowing for future extensibility. input format is | 275 ses.kexstate.donefirstkex = 1; |
289 string prefix | 276 |
290 uint32 wrapfd seed | 277 uint32_t wrapseed; |
291 ... to be extended later | 278 genrandom(&wrapseed, sizeof(wrapseed)); |
292 [bytes] ssh input stream | |
293 */ | |
294 | |
295 /* be careful to avoid triggering buffer.c assertions */ | |
296 if (fuzz.input->len < 8) { | |
297 return 0; | |
298 } | |
299 size_t prefix_size = buf_getint(fuzz.input); | |
300 if (prefix_size != 4) { | |
301 return 0; | |
302 } | |
303 uint32_t wrapseed = buf_getint(fuzz.input); | |
304 wrapfd_setseed(wrapseed); | 279 wrapfd_setseed(wrapseed); |
305 | 280 |
306 int fakesock = wrapfd_new(); | 281 int fakesock = wrapfd_new(); |
307 | 282 |
308 m_malloc_set_epoch(1); | 283 m_malloc_set_epoch(1); |
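Review bot: The wrapfd seed now comes from `genrandom(&wrapseed, sizeof(wrapseed))` (new lines 241–243 and 277–279) instead of the input stream, so reproducing a crash from a saved input depends on genrandom() being deterministic per input, which appears to rest on the `fuzz_seed(fuzz.input->data, MIN(fuzz.input->len, 16))` call at new line 69 — a dependency the hunks do not record. A comment above each call, `/* deterministic per input: the RNG was seeded from the input by fuzz_seed() in fuzz_set_input() */`, would keep a later change to fuzz_seed() or genrandom() from silently breaking crash reproduction. At new line 275, `ses.kexstate.donefirstkex = 1;` with only "Allow to proceed sooner" deserves a fuller note, since it seems to bypass whatever dispatch check keys off donefirstkex; something like `/* Harness only: pretend the first key exchange completed so post-kex packet handlers are reachable; a crash found here must be re-checked with the real gate in place */` records that findings from this fuzzer need triage against the real check. The enclosing functions of both hunks start outside the hunks.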