diff fuzz-common.c @ 1456:a90fdd2d2ed8 fuzz

add fuzzer-preauth_nomaths
author Matt Johnston <matt@ucc.asn.au>
date Tue, 23 Jan 2018 23:05:47 +0800
parents f0990c284663
children 32f990cc96b1
--- a/fuzz-common.c	Tue Jan 23 22:46:07 2018 +0800
+++ b/fuzz-common.c	Tue Jan 23 23:05:47 2018 +0800
@@ -14,7 +14,7 @@
 static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list param);
 static void load_fixed_hostkeys(void);
 
-void common_setup_fuzzer(void) {
+void fuzz_common_setup(void) {
     fuzz.fuzzing = 1;
     fuzz.wrapfds = 1;
     fuzz.do_jmp = 1;
@@ -23,7 +23,7 @@
     crypto_init();
 }
 
-int fuzzer_set_input(const uint8_t *Data, size_t Size) {
+int fuzz_set_input(const uint8_t *Data, size_t Size) {
 
     fuzz.input->data = (unsigned char*)Data;
     fuzz.input->size = Size;
@@ -51,10 +51,10 @@
 #endif
 }
 
-void svr_setup_fuzzer(void) {
+void fuzz_svr_setup(void) {
     struct passwd *pw;
 
-    common_setup_fuzzer();
+    fuzz_common_setup();
     
     _dropbear_exit = svr_dropbear_exit;
 
@@ -130,3 +130,57 @@
         *remote_port = m_strdup("9876");
     }
 }
+
+/* cut down version of svr_send_msg_kexdh_reply() that skips slow maths. Still populates structures */
+void fuzz_fake_send_kexdh_reply(void) {
+    assert(!ses.dh_K);
+    m_mp_alloc_init_multi(&ses.dh_K, NULL);
+    mp_set_int(ses.dh_K, 12345678);
+    finish_kexhashbuf();
+    assert(!ses.dh_K);
+}
+
+int fuzz_run_preauth(const uint8_t *Data, size_t Size, int skip_kexmaths) {
+    static int once = 0;
+    if (!once) {
+        fuzz_svr_setup();
+        fuzz.skip_kexmaths = skip_kexmaths;
+        once = 1;
+    }
+
+    if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
+        return 0;
+    }
+
+    // get prefix. input format is
+    // string prefix
+    //     uint32 wrapfd seed
+    //     ... to be extended later
+    // [bytes] ssh input stream
+
+    // be careful to avoid triggering buffer.c assertions
+    if (fuzz.input->len < 8) {
+        return 0;
+    }
+    size_t prefix_size = buf_getint(fuzz.input);
+    if (prefix_size != 4) {
+        return 0;
+    }
+    uint32_t wrapseed = buf_getint(fuzz.input);
+    wrapfd_setseed(wrapseed);
+
+    int fakesock = 20;
+    wrapfd_add(fakesock, fuzz.input, PLAIN);
+
+    m_malloc_set_epoch(1);
+    if (setjmp(fuzz.jmp) == 0) {
+        svr_session(fakesock, fakesock);
+        m_malloc_free_epoch(1, 0);
+    } else {
+        m_malloc_free_epoch(1, 1);
+        TRACE(("dropbear_exit longjmped"))
+        // dropbear_exit jumped here
+    }
+
+    return 0;
+}
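Review bot: `fuzz.skip_kexmaths = skip_kexmaths;` is assigned only inside the `if (!once)` block of `fuzz_run_preauth`, so whatever value the first call passes is kept for every later call and the parameter is silently ignored afterwards; if the maths and no-maths entry points ever share one process the second one fuzzes in the wrong mode. Setting it unconditionally, `fuzz.skip_kexmaths = skip_kexmaths;` placed after the once block, costs nothing and makes the parameter mean what it says; if the latch is intentional, say so with `/* skip_kexmaths is latched on the first call and not changed afterwards */`. The `int fakesock = 20;` literal would be clearer as a named constant, and the new block mixes `//` and `/* */` comments where the rest of the file uses the latter.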