diff fuzz/fuzz-common.c @ 1774:833bf9947603
Fuzzing - get rid of "prefix" for streams
Improved packet generation with sshpacketmutator
author | Matt Johnston <matt@ucc.asn.au> |
date | Sun, 01 Nov 2020 23:44:58 +0800 |
parents | 66b29b054896 |
children | 8179eabe16c9 |
--- a/fuzz/fuzz-common.c Sun Nov 01 14:01:37 2020 +0800
+++ b/fuzz/fuzz-common.c Sun Nov 01 23:44:58 2020 +0800
@@ -64,6 +64,7 @@
 memset(&svr_ses, 0x0, sizeof(svr_ses));
 memset(&cli_ses, 0x0, sizeof(cli_ses));
 wrapfd_setup(fuzz.input);
+ // printhex("input", fuzz.input->data, fuzz.input->len);
 fuzz_seed(fuzz.input->data, MIN(fuzz.input->len, 16));
@@ -187,6 +188,7 @@
 void fuzz_kex_fakealgos(void) {
 ses.newkeys->recv.crypt_mode = &dropbear_mode_none;
+ ses.newkeys->recv.algo_mac = &dropbear_nohash;
 }
 void fuzz_get_socket_address(int UNUSED(fd), char **local_host, char **local_port,
@@ -236,23 +238,8 @@
 return 0;
 }
- /*
- get prefix, allowing for future extensibility. input format is
- string prefix
- uint32 wrapfd seed
- ... to be extended later
- [bytes] ssh input stream
- */
-
- /* be careful to avoid triggering buffer.c assertions */
- if (fuzz.input->len < 8) {
- return 0;
- }
- size_t prefix_size = buf_getint(fuzz.input);
- if (prefix_size != 4) {
- return 0;
- }
- uint32_t wrapseed = buf_getint(fuzz.input);
+ uint32_t wrapseed;
+ genrandom(&wrapseed, sizeof(wrapseed));
 wrapfd_setseed(wrapseed);
 int fakesock = wrapfd_new();
@@ -284,23 +271,11 @@
 return 0;
 }
- /*
- get prefix, allowing for future extensibility. input format is
- string prefix
- uint32 wrapfd seed
- ... to be extended later
- [bytes] ssh input stream
- */
+ // Allow to proceed sooner
+ ses.kexstate.donefirstkex = 1;
- /* be careful to avoid triggering buffer.c assertions */
- if (fuzz.input->len < 8) {
- return 0;
- }
- size_t prefix_size = buf_getint(fuzz.input);
- if (prefix_size != 4) {
- return 0;
- }
- uint32_t wrapseed = buf_getint(fuzz.input);
+ uint32_t wrapseed;
+ genrandom(&wrapseed, sizeof(wrapseed));
 wrapfd_setseed(wrapseed);
 int fakesock = wrapfd_new();
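Review bot: The added `// printhex("input", fuzz.input->data, fuzz.input->len);` is commented-out code left in the common setup path; it gives no hint of when it is meant to be enabled and will silently rot if printhex's signature changes. Either drop it or place the live call behind whatever compile-time debug guard the fuzz build already uses, with a one-line comment such as `/* dump the raw testcase when diagnosing a crash */` so the intent survives. The enclosing setup function begins before the hunk.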
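Review bot: fuzz_kex_fakealgos now switches off both the receive cipher and, with the new `ses.newkeys->recv.algo_mac = &dropbear_nohash;`, the receive MAC, but carries no comment saying that incoming packets are deliberately accepted with no integrity check. Someone tracing a crash through the packet path needs that stated up front; I would add above the function `/* Fuzz-only: make the receive side accept packets with no encryption and no MAC so mutated input reaches the packet handlers. Must not be reachable outside fuzz builds. */`. Only the recv half of newkeys is touched, so presumably the trans direction intentionally keeps its real algorithms — worth saying so in the same comment if that is the intent.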
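Review bot: The new `genrandom(&wrapseed, sizeof(wrapseed));` replaces a seed that was read from the fuzz input, so wrapfd's fault injection is reproducible per testcase only if genrandom in the fuzz build is itself deterministic — which appears to hold given `fuzz_seed(fuzz.input->data, MIN(fuzz.input->len, 16));` in the first hunk, but nothing here records the dependency. If genrandom ever fell back to the real CSPRNG, crashes would stop reproducing with no visible cause. I would add `/* genrandom() is seeded from the input by fuzz_seed(), so the wrapfd seed stays deterministic per testcase */` above the call. The enclosing function starts before the hunk and continues after it.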
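Review bot: `ses.kexstate.donefirstkex = 1; // Allow to proceed sooner` says what it does but not what it bypasses — presumably the check that refuses non-KEX packets before the first key exchange, so the fuzzer reaches later handlers without performing a KEX; spell that out, e.g. `/* Pretend the first KEX has completed so packets normally refused before KEX reach their handlers */`, and confirm nothing on that path dereferences keys the skipped KEX would have produced. Separately, the seed / `wrapfd_setseed` / `wrapfd_new()` sequence is now duplicated verbatim with the previous hunk; a small static helper returning the fake socket would keep the two harness setups from drifting. The enclosing function starts before the hunk and continues after it.
```c
/* Create the fake socket shared by the fuzzer entry points. genrandom() is
 * driven by fuzz_seed(), so the wrapfd seed is deterministic per testcase. */
static int fuzz_fake_socket(void) {
	uint32_t wrapseed;
	genrandom(&wrapseed, sizeof(wrapseed));
	wrapfd_setseed(wrapseed);
	return wrapfd_new();
}

	/* … unchanged: entry-point preamble … */
	int fakesock = fuzz_fake_socket();
```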