comparison fuzz-common.c @ 1456:a90fdd2d2ed8 fuzz

add fuzzer-preauth_nomaths
author Matt Johnston <matt@ucc.asn.au>
date Tue, 23 Jan 2018 23:05:47 +0800
parents f0990c284663
children 32f990cc96b1
1455:4afde04f0607 1456:a90fdd2d2ed8
12 struct dropbear_fuzz_options fuzz; 12 struct dropbear_fuzz_options fuzz;
13 13
14 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param); 14 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param);
15 static void load_fixed_hostkeys(void); 15 static void load_fixed_hostkeys(void);
16 16
17 void common_setup_fuzzer(void) { 17 void fuzz_common_setup(void) {
18 fuzz.fuzzing = 1; 18 fuzz.fuzzing = 1;
19 fuzz.wrapfds = 1; 19 fuzz.wrapfds = 1;
20 fuzz.do_jmp = 1; 20 fuzz.do_jmp = 1;
21 fuzz.input = m_malloc(sizeof(buffer)); 21 fuzz.input = m_malloc(sizeof(buffer));
22 _dropbear_log = fuzz_dropbear_log; 22 _dropbear_log = fuzz_dropbear_log;
23 crypto_init(); 23 crypto_init();
24 } 24 }
25 25
26 int fuzzer_set_input(const uint8_t *Data, size_t Size) { 26 int fuzz_set_input(const uint8_t *Data, size_t Size) {
27 27
28 fuzz.input->data = (unsigned char*)Data; 28 fuzz.input->data = (unsigned char*)Data;
29 fuzz.input->size = Size; 29 fuzz.input->size = Size;
30 fuzz.input->len = Size; 30 fuzz.input->len = Size;
31 fuzz.input->pos = 0; 31 fuzz.input->pos = 0;
49 fprintf(stderr, "%s\n", printbuf); 49 fprintf(stderr, "%s\n", printbuf);
50 } 50 }
51 #endif 51 #endif
52 } 52 }
53 53
54 void svr_setup_fuzzer(void) { 54 void fuzz_svr_setup(void) {
55 struct passwd *pw; 55 struct passwd *pw;
56 56
57 common_setup_fuzzer(); 57 fuzz_common_setup();
58 58
59 _dropbear_exit = svr_dropbear_exit; 59 _dropbear_exit = svr_dropbear_exit;
60 60
61 char *argv[] = { 61 char *argv[] = {
62 "-E", 62 "-E",
128 } 128 }
129 if (remote_port) { 129 if (remote_port) {
130 *remote_port = m_strdup("9876"); 130 *remote_port = m_strdup("9876");
131 } 131 }
132 } 132 }
133
134 /* cut down version of svr_send_msg_kexdh_reply() that skips slow maths. Still populates structures */
135 void fuzz_fake_send_kexdh_reply(void) {
136 assert(!ses.dh_K);
137 m_mp_alloc_init_multi(&ses.dh_K, NULL);
138 mp_set_int(ses.dh_K, 12345678);
139 finish_kexhashbuf();
140 assert(!ses.dh_K);
141 }
142
143 int fuzz_run_preauth(const uint8_t *Data, size_t Size, int skip_kexmaths) {
144 static int once = 0;
145 if (!once) {
146 fuzz_svr_setup();
147 fuzz.skip_kexmaths = skip_kexmaths;
148 once = 1;
149 }
150
151 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
152 return 0;
153 }
154
155 // get prefix. input format is
156 // string prefix
157 // uint32 wrapfd seed
158 // ... to be extended later
159 // [bytes] ssh input stream
160
161 // be careful to avoid triggering buffer.c assertions
162 if (fuzz.input->len < 8) {
163 return 0;
164 }
165 size_t prefix_size = buf_getint(fuzz.input);
166 if (prefix_size != 4) {
167 return 0;
168 }
169 uint32_t wrapseed = buf_getint(fuzz.input);
170 wrapfd_setseed(wrapseed);
171
172 int fakesock = 20;
173 wrapfd_add(fakesock, fuzz.input, PLAIN);
174
175 m_malloc_set_epoch(1);
176 if (setjmp(fuzz.jmp) == 0) {
177 svr_session(fakesock, fakesock);
178 m_malloc_free_epoch(1, 0);
179 } else {
180 m_malloc_free_epoch(1, 1);
181 TRACE(("dropbear_exit longjmped"))
182 // dropbear_exit jumped here
183 }
184
185 return 0;
186 }
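Review bot: In fuzz_run_preauth the `fuzz.skip_kexmaths = skip_kexmaths;` assignment sits inside the `if (!once)` block, so any later call with a different `skip_kexmaths` value is silently ignored; that is presumably intended (one fuzzer binary per mode) but nothing on the page says so. A comment on the static would make the contract explicit: `/* setup runs once; skip_kexmaths is latched from the first call, so a fuzzer binary must always pass the same value */`. The prefix parsing also hard-codes `8` and `4` for the length-prefixed seed while the format comment above it says "... to be extended later"; extending that comment with `// the prefix string must currently be exactly 4 bytes: the wrapfd seed (len check below covers both buf_getint calls)` keeps the check and the format description in step when the prefix grows. Naming the two constants (prefix length and seed size) would serve the same purpose if the format is expected to change soon.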