comparison fuzz-common.c @ 1745:a6824c54962a

Merge fuzz branch
author Matt Johnston <matt@ucc.asn.au>
date Sun, 18 Oct 2020 22:53:44 +0800
parents 6e71440b1e47
children 3b9b427925a0
1738:4f13df974cf4 1745:a6824c54962a
14 14
15 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param); 15 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param);
16 static void load_fixed_hostkeys(void); 16 static void load_fixed_hostkeys(void);
17 17
18 void fuzz_common_setup(void) { 18 void fuzz_common_setup(void) {
19 disallow_core();
19 fuzz.fuzzing = 1; 20 fuzz.fuzzing = 1;
20 fuzz.wrapfds = 1; 21 fuzz.wrapfds = 1;
21 fuzz.do_jmp = 1; 22 fuzz.do_jmp = 1;
22 fuzz.input = m_malloc(sizeof(buffer)); 23 fuzz.input = m_malloc(sizeof(buffer));
23 _dropbear_log = fuzz_dropbear_log; 24 _dropbear_log = fuzz_dropbear_log;
34 fuzz.input->len = Size; 35 fuzz.input->len = Size;
35 fuzz.input->pos = 0; 36 fuzz.input->pos = 0;
36 37
37 memset(&ses, 0x0, sizeof(ses)); 38 memset(&ses, 0x0, sizeof(ses));
38 memset(&svr_ses, 0x0, sizeof(svr_ses)); 39 memset(&svr_ses, 0x0, sizeof(svr_ses));
39 wrapfd_setup(); 40 memset(&cli_ses, 0x0, sizeof(cli_ses));
41 wrapfd_setup(fuzz.input);
40 42
41 fuzz_seed(); 43 fuzz_seed();
42 44
43 return DROPBEAR_SUCCESS; 45 return DROPBEAR_SUCCESS;
44 } 46 }
61 fuzz_common_setup(); 63 fuzz_common_setup();
62 64
63 _dropbear_exit = svr_dropbear_exit; 65 _dropbear_exit = svr_dropbear_exit;
64 66
65 char *argv[] = { 67 char *argv[] = {
68 "dropbear",
66 "-E", 69 "-E",
67 }; 70 };
68 71
69 int argc = sizeof(argv) / sizeof(*argv); 72 int argc = sizeof(argv) / sizeof(*argv);
70 svr_getopts(argc, argv); 73 svr_getopts(argc, argv);
71 74
72 /* user lookups might be slow, cache it */
73 fuzz.pw_name = m_strdup("person");
74 fuzz.pw_dir = m_strdup("/tmp");
75 fuzz.pw_shell = m_strdup("/bin/zsh");
76 fuzz.pw_passwd = m_strdup("!!zzznope");
77
78 load_fixed_hostkeys(); 75 load_fixed_hostkeys();
76 }
77
78 void fuzz_cli_setup(void) {
79 fuzz_common_setup();
80
81 _dropbear_exit = cli_dropbear_exit;
82 _dropbear_log = cli_dropbear_log;
83
84 char *argv[] = {
85 "dbclient",
86 "-y",
87 "localhost",
88 };
89
90 int argc = sizeof(argv) / sizeof(*argv);
91 cli_getopts(argc, argv);
79 } 92 }
80 93
81 static void load_fixed_hostkeys(void) { 94 static void load_fixed_hostkeys(void) {
82 #include "fuzz-hostkeys.c" 95 #include "fuzz-hostkeys.c"
83 96
149 m_mp_alloc_init_multi(&ses.dh_K, NULL); 162 m_mp_alloc_init_multi(&ses.dh_K, NULL);
150 mp_set_ul(ses.dh_K, 12345678uL); 163 mp_set_ul(ses.dh_K, 12345678uL);
151 finish_kexhashbuf(); 164 finish_kexhashbuf();
152 } 165 }
153 166
167 /* fake version of spawn_command() */
168 int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid) {
169 *ret_writefd = wrapfd_new();
170 *ret_readfd = wrapfd_new();
171 if (ret_errfd) {
172 *ret_errfd = wrapfd_new();
173 }
174 *ret_pid = 999;
175 return DROPBEAR_SUCCESS;
176 }
177
154 int fuzz_run_preauth(const uint8_t *Data, size_t Size, int skip_kexmaths) { 178 int fuzz_run_preauth(const uint8_t *Data, size_t Size, int skip_kexmaths) {
155 static int once = 0; 179 static int once = 0;
156 if (!once) { 180 if (!once) {
157 fuzz_svr_setup(); 181 fuzz_svr_setup();
158 fuzz.skip_kexmaths = skip_kexmaths; 182 fuzz.skip_kexmaths = skip_kexmaths;
162 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { 186 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
163 return 0; 187 return 0;
164 } 188 }
165 189
166 /* 190 /*
167 get prefix. input format is 191 get prefix, allowing for future extensibility. input format is
168 string prefix 192 string prefix
169 uint32 wrapfd seed 193 uint32 wrapfd seed
170 ... to be extended later 194 ... to be extended later
171 [bytes] ssh input stream 195 [bytes] ssh input stream
172 */ 196 */
180 return 0; 204 return 0;
181 } 205 }
182 uint32_t wrapseed = buf_getint(fuzz.input); 206 uint32_t wrapseed = buf_getint(fuzz.input);
183 wrapfd_setseed(wrapseed); 207 wrapfd_setseed(wrapseed);
184 208
185 int fakesock = 20; 209 int fakesock = wrapfd_new();
186 wrapfd_add(fakesock, fuzz.input, PLAIN);
187 210
188 m_malloc_set_epoch(1); 211 m_malloc_set_epoch(1);
189 if (setjmp(fuzz.jmp) == 0) { 212 if (setjmp(fuzz.jmp) == 0) {
190 svr_session(fakesock, fakesock); 213 svr_session(fakesock, fakesock);
191 m_malloc_free_epoch(1, 0); 214 m_malloc_free_epoch(1, 0);
196 } 219 }
197 220
198 return 0; 221 return 0;
199 } 222 }
200 223
224 int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths) {
225 static int once = 0;
226 if (!once) {
227 fuzz_cli_setup();
228 fuzz.skip_kexmaths = skip_kexmaths;
229 once = 1;
230 }
231
232 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
233 return 0;
234 }
235
236 /*
237 get prefix, allowing for future extensibility. input format is
238 string prefix
239 uint32 wrapfd seed
240 ... to be extended later
241 [bytes] ssh input stream
242 */
243
244 /* be careful to avoid triggering buffer.c assertions */
245 if (fuzz.input->len < 8) {
246 return 0;
247 }
248 size_t prefix_size = buf_getint(fuzz.input);
249 if (prefix_size != 4) {
250 return 0;
251 }
252 uint32_t wrapseed = buf_getint(fuzz.input);
253 wrapfd_setseed(wrapseed);
254
255 int fakesock = wrapfd_new();
256
257 m_malloc_set_epoch(1);
258 if (setjmp(fuzz.jmp) == 0) {
259 cli_session(fakesock, fakesock, NULL, 0);
260 m_malloc_free_epoch(1, 0);
261 } else {
262 m_malloc_free_epoch(1, 1);
263 TRACE(("dropbear_exit longjmped"))
264 /* dropbear_exit jumped here */
265 }
266
267 return 0;
268 }
269
201 const void* fuzz_get_algo(const algo_type *algos, const char* name) { 270 const void* fuzz_get_algo(const algo_type *algos, const char* name) {
202 const algo_type *t; 271 const algo_type *t;
203 for (t = algos; t->name; t++) { 272 for (t = algos; t->name; t++) {
204 if (strcmp(t->name, name) == 0) { 273 if (strcmp(t->name, name) == 0) {
205 return t->data; 274 return t->data;