Mercurial > dropbear
comparison packet.c @ 1347:b28624698130 fuzz
copy over some fuzzing code from AFL branch
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Fri, 12 May 2017 23:14:54 +0800 |
| parents | 9169e4e7cbee |
| children | 5c2899e35b63 |
comparison
equal
deleted
inserted
replaced
| 1346:78b7e0634117 | 1347:b28624698130 |
|---|---|
| 33 #include "dbrandom.h" | 33 #include "dbrandom.h" |
| 34 #include "service.h" | 34 #include "service.h" |
| 35 #include "auth.h" | 35 #include "auth.h" |
| 36 #include "channel.h" | 36 #include "channel.h" |
| 37 #include "netio.h" | 37 #include "netio.h" |
| 38 #include "runopts.h" | |
| 38 | 39 |
| 39 static int read_packet_init(void); | 40 static int read_packet_init(void); |
| 40 static void make_mac(unsigned int seqno, const struct key_context_directional * key_state, | 41 static void make_mac(unsigned int seqno, const struct key_context_directional * key_state, |
| 41 buffer * clear_buf, unsigned int clear_len, | 42 buffer * clear_buf, unsigned int clear_len, |
| 42 unsigned char *output_mac); | 43 unsigned char *output_mac); |
| 74 | 75 |
| 75 packet_queue_to_iovec(&ses.writequeue, iov, &iov_count); | 76 packet_queue_to_iovec(&ses.writequeue, iov, &iov_count); |
| 76 /* This may return EAGAIN. The main loop sometimes | 77 /* This may return EAGAIN. The main loop sometimes |
| 77 calls write_packet() without bothering to test with select() since | 78 calls write_packet() without bothering to test with select() since |
| 78 it's likely to be necessary */ | 79 it's likely to be necessary */ |
| 80 #ifdef DROPBEAR_FUZZ | |
| 81 if (opts.fuzz.fuzzing) { | |
| 82 // pretend to write one packet at a time | |
| 83 // TODO(fuzz): randomise amount written based on the fuzz input | |
| 84 written = iov[0].iov_len; | |
| 85 } | |
| 86 else | |
| 87 #endif | |
| 88 { | |
| 79 written = writev(ses.sock_out, iov, iov_count); | 89 written = writev(ses.sock_out, iov, iov_count); |
| 80 if (written < 0) { | 90 if (written < 0) { |
| 81 if (errno == EINTR || errno == EAGAIN) { | 91 if (errno == EINTR || errno == EAGAIN) { |
| 82 TRACE2(("leave write_packet: EINTR")) | 92 TRACE2(("leave write_packet: EINTR")) |
| 83 return; | 93 return; |
| 84 } else { | 94 } else { |
| 85 dropbear_exit("Error writing: %s", strerror(errno)); | 95 dropbear_exit("Error writing: %s", strerror(errno)); |
| 86 } | 96 } |
| 87 } | 97 } |
| 98 } | |
| 88 | 99 |
| 89 packet_queue_consume(&ses.writequeue, written); | 100 packet_queue_consume(&ses.writequeue, written); |
| 90 ses.writequeue_len -= written; | 101 ses.writequeue_len -= written; |
| 91 | 102 |
| 92 if (written == 0) { | 103 if (written == 0) { |
| 93 ses.remoteclosed(); | 104 ses.remoteclosed(); |
| 94 } | 105 } |
| 95 | 106 |
| 96 #else /* No writev () */ | 107 #else /* No writev () */ |
| 108 #ifdef DROPBEAR_FUZZ | |
| 109 _Static_assert(0, "No fuzzing code for no-writev writes"); | |
| 110 #endif | |
| 97 /* Get the next buffer in the queue of encrypted packets to write*/ | 111 /* Get the next buffer in the queue of encrypted packets to write*/ |
| 98 writebuf = (buffer*)examine(&ses.writequeue); | 112 writebuf = (buffer*)examine(&ses.writequeue); |
| 99 | 113 |
| 100 /* The last byte of the buffer is not to be transmitted, but is | 114 /* The last byte of the buffer is not to be transmitted, but is |
| 101 * a cleartext packet_type indicator */ | 115 * a cleartext packet_type indicator */ |