diff packet.c @ 1347:b28624698130 fuzz

copy over some fuzzing code from AFL branch
author Matt Johnston <matt@ucc.asn.au>
date Fri, 12 May 2017 23:14:54 +0800
parents 9169e4e7cbee
children 5c2899e35b63
--- a/packet.c	Fri May 12 22:14:49 2017 +0800
+++ b/packet.c	Fri May 12 23:14:54 2017 +0800
@@ -35,6 +35,7 @@
 #include "auth.h"
 #include "channel.h"
 #include "netio.h"
+#include "runopts.h"
 
 static int read_packet_init(void);
 static void make_mac(unsigned int seqno, const struct key_context_directional * key_state,
@@ -76,6 +77,15 @@
 	/* This may return EAGAIN. The main loop sometimes
 	calls write_packet() without bothering to test with select() since
 	it's likely to be necessary */
+#ifdef DROPBEAR_FUZZ
+	if (opts.fuzz.fuzzing) {
+		// pretend to write one packet at a time
+		// TODO(fuzz): randomise amount written based on the fuzz input
+		written = iov[0].iov_len;
+	}
+	else
+#endif
+	{
 	written = writev(ses.sock_out, iov, iov_count);
 	if (written < 0) {
 		if (errno == EINTR || errno == EAGAIN) {
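Review bot: The `else` left dangling on its own line before `#endif`, followed by a bare `{` whose body keeps its old indentation, makes the brace structure hard to follow; the matching `}` added in the next hunk (at the same column as the inner `if (written < 0)` close) reads as a stray brace. Suggest `} else` on one line directly above `#endif`, indenting the `writev()` call and its error handling one level so the `{` after `#endif` visibly owns them, and aligning the closing `}` in the following hunk with that `{`. The two `//` comments in the fuzz branch should also use the `/* ... */` style the surrounding code uses. Separately, `written = iov[0].iov_len;` assumes `iov_count >= 1` and that the first element is a whole packet; if the queue can be empty or a packet can span several iov entries (set up outside this hunk), a comment stating that assumption would help. The enclosing write_packet() function starts and ends outside this hunk.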
@@ -85,6 +95,7 @@
 			dropbear_exit("Error writing: %s", strerror(errno));
 		}
 	}
+	}
 
 	packet_queue_consume(&ses.writequeue, written);
 	ses.writequeue_len -= written;
@@ -94,6 +105,9 @@
 	}
 
 #else /* No writev () */
+#ifdef DROPBEAR_FUZZ
+	_Static_assert(0, "No fuzzing code for no-writev writes");
+#endif
 	/* Get the next buffer in the queue of encrypted packets to write*/
 	writebuf = (buffer*)examine(&ses.writequeue);