comparison fuzz-common.c @ 1456:a90fdd2d2ed8 fuzz
add fuzzer-preauth_nomaths
author | Matt Johnston <matt@ucc.asn.au> |
date | Tue, 23 Jan 2018 23:05:47 +0800 |
parents | f0990c284663 |
children | 32f990cc96b1 |
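--- a/fuzz-common.c
+++ b/fuzz-common.c
@@ -12,20 +12,20 @@
 struct dropbear_fuzz_options fuzz;
 
 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param);
 static void load_fixed_hostkeys(void);
 
-void common_setup_fuzzer(void) {
+void fuzz_common_setup(void) {
 fuzz.fuzzing = 1;
 fuzz.wrapfds = 1;
 fuzz.do_jmp = 1;
 fuzz.input = m_malloc(sizeof(buffer));
 _dropbear_log = fuzz_dropbear_log;
 crypto_init();
 }
 
-int fuzzer_set_input(const uint8_t *Data, size_t Size) {
+int fuzz_set_input(const uint8_t *Data, size_t Size) {
 
 fuzz.input->data = (unsigned char*)Data;
 fuzz.input->size = Size;
 fuzz.input->len = Size;
 fuzz.input->pos = 0;
@@ -49,14 +49,14 @@
 fprintf(stderr, "%s\n", printbuf);
 }
 #endif
 }
 
-void svr_setup_fuzzer(void) {
+void fuzz_svr_setup(void) {
 struct passwd *pw;
 
-common_setup_fuzzer();
+fuzz_common_setup();
 
 _dropbear_exit = svr_dropbear_exit;
 
 char *argv[] = {
 "-E",
@@ -128,5 +128,59 @@
 }
 if (remote_port) {
 *remote_port = m_strdup("9876");
 }
 }
+
+/* cut down version of svr_send_msg_kexdh_reply() that skips slow maths. Still populates structures */
+void fuzz_fake_send_kexdh_reply(void) {
+assert(!ses.dh_K);
+m_mp_alloc_init_multi(&ses.dh_K, NULL);
+mp_set_int(ses.dh_K, 12345678);
+finish_kexhashbuf();
+assert(!ses.dh_K);
+}
+
+int fuzz_run_preauth(const uint8_t *Data, size_t Size, int skip_kexmaths) {
+static int once = 0;
+if (!once) {
+fuzz_svr_setup();
+fuzz.skip_kexmaths = skip_kexmaths;
+once = 1;
+}
+
+if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
+return 0;
+}
+
+// get prefix. input format is
+// string prefix
+// uint32 wrapfd seed
+// ... to be extended later
+// [bytes] ssh input stream
+
+// be careful to avoid triggering buffer.c assertions
+if (fuzz.input->len < 8) {
+return 0;
+}
+size_t prefix_size = buf_getint(fuzz.input);
+if (prefix_size != 4) {
+return 0;
+}
+uint32_t wrapseed = buf_getint(fuzz.input);
+wrapfd_setseed(wrapseed);
+
+int fakesock = 20;
+wrapfd_add(fakesock, fuzz.input, PLAIN);
+
+m_malloc_set_epoch(1);
+if (setjmp(fuzz.jmp) == 0) {
+svr_session(fakesock, fakesock);
+m_malloc_free_epoch(1, 0);
+} else {
+m_malloc_free_epoch(1, 1);
+TRACE(("dropbear_exit longjmped"))
+// dropbear_exit jumped here
+}
+
+return 0;
+}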
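Review bot: fuzz_fake_send_kexdh_reply() substitutes a fixed shared secret (12345678) for the real DH result, and its trailing `assert(!ses.dh_K)` silently encodes the expectation that finish_kexhashbuf() frees and NULLs ses.dh_K — neither is stated, and a reader could mistake the function for a usable fast path. Add a comment above it such as `/* fuzz-only: K is a fixed constant, so the derived keys are meaningless; finish_kexhashbuf() is expected to free and clear ses.dh_K */`, and if this translation unit can ever be built outside the fuzz configuration it should be guarded so the constant-K path cannot be linked into a real server. In fuzz_run_preauth() the `static int once` latches skip_kexmaths from the first call and silently ignores any later value — presumably fine because each harness is its own process, but a one-line comment on the flag would prevent surprise. The `prefix_size != 4` check also pins the format that the `... to be extended later` comment says will grow, so extending the prefix will require changing that constant together with the existing corpus.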