diff fuzz-common.c @ 1745:a6824c54962a

Merge fuzz branch
author Matt Johnston <matt@ucc.asn.au>
date Sun, 18 Oct 2020 22:53:44 +0800
parents 6e71440b1e47
children 3b9b427925a0
--- a/fuzz-common.c	Thu Oct 08 11:00:04 2020 +0800
+++ b/fuzz-common.c	Sun Oct 18 22:53:44 2020 +0800
@@ -16,6 +16,7 @@
 static void load_fixed_hostkeys(void);
 
 void fuzz_common_setup(void) {
+	disallow_core();
     fuzz.fuzzing = 1;
     fuzz.wrapfds = 1;
     fuzz.do_jmp = 1;
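Review bot: The new `disallow_core();` call at the top of fuzz_common_setup() has no comment saying why a fuzz harness wants it, and its definition is not in this hunk. Presumably it drops RLIMIT_CORE so that the thousands of crashes a fuzzer provokes do not fill the disk with core files; if so, a one-liner such as `/* no core files: the fuzzer records crashes itself, and a core per crash would fill the disk */` would save the next reader a lookup. fuzz_common_setup() continues outside the hunk.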
@@ -36,7 +37,8 @@
 
     memset(&ses, 0x0, sizeof(ses));
     memset(&svr_ses, 0x0, sizeof(svr_ses));
-    wrapfd_setup();
+    memset(&cli_ses, 0x0, sizeof(cli_ses));
+    wrapfd_setup(fuzz.input);
 
     fuzz_seed();
 
@@ -63,19 +65,30 @@
     _dropbear_exit = svr_dropbear_exit;
 
     char *argv[] = { 
+		"dropbear",
         "-E", 
     };
 
     int argc = sizeof(argv) / sizeof(*argv);
     svr_getopts(argc, argv);
 
-    /* user lookups might be slow, cache it */
-    fuzz.pw_name = m_strdup("person");
-    fuzz.pw_dir = m_strdup("/tmp");
-    fuzz.pw_shell = m_strdup("/bin/zsh");
-    fuzz.pw_passwd = m_strdup("!!zzznope");
+    load_fixed_hostkeys();
+}
+
+void fuzz_cli_setup(void) {
+    fuzz_common_setup();
+    
+	_dropbear_exit = cli_dropbear_exit;
+	_dropbear_log = cli_dropbear_log;
 
-    load_fixed_hostkeys();
+    char *argv[] = { 
+		"dbclient",
+		"-y",
+        "localhost",
+    };
+
+    int argc = sizeof(argv) / sizeof(*argv);
+    cli_getopts(argc, argv);
 }
 
 static void load_fixed_hostkeys(void) {
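Review bot: fuzz_cli_setup() passes `-y` to cli_getopts() without a comment, and since that flag makes dbclient accept an unknown host key, a reader could mistake it for a harness that also fuzzes host-key verification. A comment above the argv table such as `/* -y: accept whatever host key the fuzzed "server" presents, so the client proceeds past kex */` would make the intent explicit. The added lines also mix tab indentation (`"dropbear",`, `_dropbear_exit = cli_dropbear_exit;`, `"dbclient",`, `"-y",`) with the four-space indentation used by the surrounding lines; the tabbed lines should be converted to spaces.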
@@ -151,6 +164,17 @@
     finish_kexhashbuf();
 }
 
+/* fake version of spawn_command() */
+int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid) {
+    *ret_writefd = wrapfd_new();
+    *ret_readfd = wrapfd_new();
+    if (ret_errfd) {
+        *ret_errfd = wrapfd_new();
+    }
+    *ret_pid = 999;
+    return DROPBEAR_SUCCESS;
+}
+
 int fuzz_run_preauth(const uint8_t *Data, size_t Size, int skip_kexmaths) {
     static int once = 0;
     if (!once) {
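Review bot: fuzz_spawn_command() returns the fake pid `*ret_pid = 999;`, which is a real pid on the host; if any code path in the fuzz build later calls kill() or waitpid() on the stored pid, it would signal or reap an unrelated process rather than the nonexistent child. I cannot see the callers from this hunk, so this is a risk to confirm rather than a demonstrated bug. At minimum the constant deserves a comment, e.g. `/* placeholder pid: nothing in the fuzz build may signal or wait on it */`, and if a caller does signal it, the value should be one the kernel will not allocate or the harness should stub that call as well.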
@@ -164,7 +188,7 @@
     }
 
     /*
-      get prefix. input format is
+      get prefix, allowing for future extensibility. input format is
       string prefix
           uint32 wrapfd seed
           ... to be extended later
@@ -182,8 +206,7 @@
     uint32_t wrapseed = buf_getint(fuzz.input);
     wrapfd_setseed(wrapseed);
 
-    int fakesock = 20;
-    wrapfd_add(fakesock, fuzz.input, PLAIN);
+    int fakesock = wrapfd_new();
 
     m_malloc_set_epoch(1);
     if (setjmp(fuzz.jmp) == 0) {
@@ -198,6 +221,52 @@
     return 0;
 }
 
+int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths) {
+    static int once = 0;
+    if (!once) {
+        fuzz_cli_setup();
+        fuzz.skip_kexmaths = skip_kexmaths;
+        once = 1;
+    }
+
+    if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
+        return 0;
+    }
+
+    /*
+      get prefix, allowing for future extensibility. input format is
+      string prefix
+          uint32 wrapfd seed
+          ... to be extended later
+      [bytes] ssh input stream
+    */
+
+    /* be careful to avoid triggering buffer.c assertions */
+    if (fuzz.input->len < 8) {
+        return 0;
+    }
+    size_t prefix_size = buf_getint(fuzz.input);
+    if (prefix_size != 4) {
+        return 0;
+    }
+    uint32_t wrapseed = buf_getint(fuzz.input);
+    wrapfd_setseed(wrapseed);
+
+    int fakesock = wrapfd_new();
+
+    m_malloc_set_epoch(1);
+    if (setjmp(fuzz.jmp) == 0) {
+        cli_session(fakesock, fakesock, NULL, 0);
+        m_malloc_free_epoch(1, 0);
+    } else {
+        m_malloc_free_epoch(1, 1);
+        TRACE(("dropbear_exit longjmped"))
+        /* dropbear_exit jumped here */
+    }
+
+    return 0;
+}
+
 const void* fuzz_get_algo(const algo_type *algos, const char* name) {
     const algo_type *t;
     for (t = algos; t->name; t++) {
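Review bot: fuzz_run_client() copies the prefix parsing of fuzz_run_preauth() line for line (the `len < 8` guard, `prefix_size != 4`, the seed read), so the input format now lives in two places that must be edited together, and the `!= 4` test rejects any longer prefix outright even though the comment says the prefix is "to be extended later". If the intent is that older harnesses tolerate fields added by newer ones, a shared helper that requires at least four bytes, reads the seed, and skips the remainder with an explicit bounds check (it must not rely on buffer.c assertions, since it runs before setjmp(fuzz.jmp)) would keep both harnesses in step. Both run functions would then reduce to `if (fuzz_read_prefix() == DROPBEAR_FAILURE) { return 0; }` in place of the duplicated lines. I have assumed buf_incrpos() is available as in the rest of the buffer API; confirm before adopting.

```c
/* Parse the prefix shared by all fuzz harnesses:
   string prefix { uint32 wrapfd seed, ... }.
   Runs before setjmp(fuzz.jmp), so it checks bounds itself rather than
   relying on buffer.c assertions. Returns DROPBEAR_FAILURE on a bad prefix. */
static int fuzz_read_prefix(void) {
    if (fuzz.input->len < 8) {
        return DROPBEAR_FAILURE;
    }
    size_t prefix_size = buf_getint(fuzz.input);
    if (prefix_size < 4 || prefix_size > fuzz.input->len - fuzz.input->pos) {
        return DROPBEAR_FAILURE;
    }
    wrapfd_setseed(buf_getint(fuzz.input));
    /* skip any prefix fields added by later versions of the format */
    buf_incrpos(fuzz.input, prefix_size - 4);
    return DROPBEAR_SUCCESS;
}

int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths) {
    /* … unchanged: once-only setup and fuzz_set_input() … */
    if (fuzz_read_prefix() == DROPBEAR_FAILURE) {
        return 0;
    }
    /* … unchanged: wrapfd_new(), malloc epoch, setjmp and cli_session() … */
```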