Mercurial > dropbear
comparison fuzz-common.c @ 1741:d1b279aa5ed1 fuzz
Get client fuzzer building and starting (fails straight away)
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Sun, 18 Oct 2020 12:17:39 +0800 |
| parents | dfbe947bdf0d |
| children | 6e71440b1e47 |
comparison
equal
deleted
inserted
replaced
| 1740:dfbe947bdf0d | 1741:d1b279aa5ed1 |
|---|---|
| 14 | 14 |
| 15 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param); | 15 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param); |
| 16 static void load_fixed_hostkeys(void); | 16 static void load_fixed_hostkeys(void); |
| 17 | 17 |
| 18 void fuzz_common_setup(void) { | 18 void fuzz_common_setup(void) { |
| 19 disallow_core(); | |
| 19 fuzz.fuzzing = 1; | 20 fuzz.fuzzing = 1; |
| 20 fuzz.wrapfds = 1; | 21 fuzz.wrapfds = 1; |
| 21 fuzz.do_jmp = 1; | 22 fuzz.do_jmp = 1; |
| 22 fuzz.input = m_malloc(sizeof(buffer)); | 23 fuzz.input = m_malloc(sizeof(buffer)); |
| 23 _dropbear_log = fuzz_dropbear_log; | 24 _dropbear_log = fuzz_dropbear_log; |
| 67 }; | 68 }; |
| 68 | 69 |
| 69 int argc = sizeof(argv) / sizeof(*argv); | 70 int argc = sizeof(argv) / sizeof(*argv); |
| 70 svr_getopts(argc, argv); | 71 svr_getopts(argc, argv); |
| 71 | 72 |
| 72 /* user lookups might be slow, cache it */ | |
| 73 fuzz.pw_name = m_strdup("person"); | |
| 74 fuzz.pw_dir = m_strdup("/tmp"); | |
| 75 fuzz.pw_shell = m_strdup("/bin/zsh"); | |
| 76 fuzz.pw_passwd = m_strdup("!!zzznope"); | |
| 77 | |
| 78 load_fixed_hostkeys(); | 73 load_fixed_hostkeys(); |
| 79 } | 74 } |
| 80 | 75 |
| 81 #if 0 | |
| 82 void fuzz_cli_setup(void) { | 76 void fuzz_cli_setup(void) { |
| 83 fuzz_common_setup(); | 77 fuzz_common_setup(); |
| 84 | 78 |
| 85 _dropbear_exit = cli_dropbear_exit; | 79 _dropbear_exit = cli_dropbear_exit; |
| 80 _dropbear_log = cli_dropbear_log; | |
| 86 | 81 |
| 87 char *argv[] = { | 82 char *argv[] = { |
| 88 "-E", | 83 "-y", |
| 84 "localhost", | |
| 89 }; | 85 }; |
| 90 | 86 |
| 91 int argc = sizeof(argv) / sizeof(*argv); | 87 int argc = sizeof(argv) / sizeof(*argv); |
| 92 cli_getopts(argc, argv); | 88 cli_getopts(argc, argv); |
| 93 | 89 } |
| 94 /* user lookups might be slow, cache it */ | |
| 95 fuzz.pw_name = m_strdup("person"); | |
| 96 fuzz.pw_dir = m_strdup("/tmp"); | |
| 97 fuzz.pw_shell = m_strdup("/bin/zsh"); | |
| 98 fuzz.pw_passwd = m_strdup("!!zzznope"); | |
| 99 | |
| 100 load_fixed_hostkeys(); | |
| 101 } | |
| 102 #endif | |
| 103 | 90 |
| 104 static void load_fixed_hostkeys(void) { | 91 static void load_fixed_hostkeys(void) { |
| 105 #include "fuzz-hostkeys.c" | 92 #include "fuzz-hostkeys.c" |
| 106 | 93 |
| 107 buffer *b = buf_new(3000); | 94 buffer *b = buf_new(3000); |
| 196 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { | 183 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { |
| 197 return 0; | 184 return 0; |
| 198 } | 185 } |
| 199 | 186 |
| 200 /* | 187 /* |
| 201 get prefix. input format is | 188 get prefix, allowing for future extensibility. input format is |
| 202 string prefix | 189 string prefix |
| 203 uint32 wrapfd seed | 190 uint32 wrapfd seed |
| 204 ... to be extended later | 191 ... to be extended later |
| 205 [bytes] ssh input stream | 192 [bytes] ssh input stream |
| 206 */ | 193 */ |
| 229 } | 216 } |
| 230 | 217 |
| 231 return 0; | 218 return 0; |
| 232 } | 219 } |
| 233 | 220 |
| 221 int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths) { | |
| 222 static int once = 0; | |
| 223 if (!once) { | |
| 224 fuzz_cli_setup(); | |
| 225 fuzz.skip_kexmaths = skip_kexmaths; | |
| 226 once = 1; | |
| 227 } | |
| 228 | |
| 229 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { | |
| 230 return 0; | |
| 231 } | |
| 232 | |
| 233 /* | |
| 234 get prefix, allowing for future extensibility. input format is | |
| 235 string prefix | |
| 236 uint32 wrapfd seed | |
| 237 ... to be extended later | |
| 238 [bytes] ssh input stream | |
| 239 */ | |
| 240 | |
| 241 /* be careful to avoid triggering buffer.c assertions */ | |
| 242 if (fuzz.input->len < 8) { | |
| 243 return 0; | |
| 244 } | |
| 245 size_t prefix_size = buf_getint(fuzz.input); | |
| 246 if (prefix_size != 4) { | |
| 247 return 0; | |
| 248 } | |
| 249 uint32_t wrapseed = buf_getint(fuzz.input); | |
| 250 wrapfd_setseed(wrapseed); | |
| 251 | |
| 252 int fakesock = wrapfd_new(); | |
| 253 | |
| 254 m_malloc_set_epoch(1); | |
| 255 if (setjmp(fuzz.jmp) == 0) { | |
| 256 cli_session(fakesock, fakesock, NULL, 0); | |
| 257 m_malloc_free_epoch(1, 0); | |
| 258 } else { | |
| 259 m_malloc_free_epoch(1, 1); | |
| 260 TRACE(("dropbear_exit longjmped")) | |
| 261 /* dropbear_exit jumped here */ | |
| 262 } | |
| 263 | |
| 264 return 0; | |
| 265 } | |
| 266 | |
| 234 const void* fuzz_get_algo(const algo_type *algos, const char* name) { | 267 const void* fuzz_get_algo(const algo_type *algos, const char* name) { |
| 235 const algo_type *t; | 268 const algo_type *t; |
| 236 for (t = algos; t->name; t++) { | 269 for (t = algos; t->name; t++) { |
| 237 if (strcmp(t->name, name) == 0) { | 270 if (strcmp(t->name, name) == 0) { |
| 238 return t->data; | 271 return t->data; |