diff fuzz-common.c @ 1741:d1b279aa5ed1 fuzz

Get client fuzzer building and starting (fails straight away)
author Matt Johnston <matt@ucc.asn.au>
date Sun, 18 Oct 2020 12:17:39 +0800
parents dfbe947bdf0d
children 6e71440b1e47
--- a/fuzz-common.c	Thu Oct 15 22:46:24 2020 +0800
+++ b/fuzz-common.c	Sun Oct 18 12:17:39 2020 +0800
@@ -16,6 +16,7 @@
 static void load_fixed_hostkeys(void);
 
 void fuzz_common_setup(void) {
+	disallow_core();
     fuzz.fuzzing = 1;
     fuzz.wrapfds = 1;
     fuzz.do_jmp = 1;
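Review bot: The added `disallow_core();` line is indented with a tab while the rest of fuzz_common_setup uses four spaces; the same mixed indentation appears in the next hunk on the `_dropbear_exit`, `_dropbear_log` and `"-y"` lines of fuzz_cli_setup. Reindenting those four lines with spaces keeps the file consistent and avoids noisy whitespace diffs later. fuzz_common_setup's body continues outside the hunk.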
@@ -69,37 +70,23 @@
     int argc = sizeof(argv) / sizeof(*argv);
     svr_getopts(argc, argv);
 
-    /* user lookups might be slow, cache it */
-    fuzz.pw_name = m_strdup("person");
-    fuzz.pw_dir = m_strdup("/tmp");
-    fuzz.pw_shell = m_strdup("/bin/zsh");
-    fuzz.pw_passwd = m_strdup("!!zzznope");
-
     load_fixed_hostkeys();
 }
 
-#if 0
 void fuzz_cli_setup(void) {
     fuzz_common_setup();
     
-    _dropbear_exit = cli_dropbear_exit;
+	_dropbear_exit = cli_dropbear_exit;
+	_dropbear_log = cli_dropbear_log;
 
     char *argv[] = { 
-        "-E", 
+		"-y",
+        "localhost",
     };
 
     int argc = sizeof(argv) / sizeof(*argv);
     cli_getopts(argc, argv);
-
-    /* user lookups might be slow, cache it */
-    fuzz.pw_name = m_strdup("person");
-    fuzz.pw_dir = m_strdup("/tmp");
-    fuzz.pw_shell = m_strdup("/bin/zsh");
-    fuzz.pw_passwd = m_strdup("!!zzznope");
-
-    load_fixed_hostkeys();
 }
-#endif
 
 static void load_fixed_hostkeys(void) {
 #include "fuzz-hostkeys.c"   
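Review bot: The `fuzz.pw_name`/`pw_dir`/`pw_shell`/`pw_passwd` cache is removed from fuzz_svr_setup (and from the newly enabled fuzz_cli_setup) with no replacement visible in this diff; unless those four m_strdup calls now live in fuzz_common_setup or another file, any lookup that reads them during a fuzz run will see NULL. If they were deliberately moved, a short comment in fuzz_cli_setup such as `/* pw_* cache is populated in fuzz_common_setup */` would make that clear to the next reader. fuzz_cli_setup also hard-codes `"-y"` (which in dbclient appears to skip the host-key confirmation prompt, suitable here since the harness cannot answer it) and `"localhost"`; a one-line comment explaining why those two arguments are enough for cli_getopts would help. fuzz_svr_setup starts before this hunk.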
@@ -198,7 +185,7 @@
     }
 
     /*
-      get prefix. input format is
+      get prefix, allowing for future extensibility. input format is
       string prefix
           uint32 wrapfd seed
           ... to be extended later
@@ -231,6 +218,52 @@
     return 0;
 }
 
+int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths) {
+    static int once = 0;
+    if (!once) {
+        fuzz_cli_setup();
+        fuzz.skip_kexmaths = skip_kexmaths;
+        once = 1;
+    }
+
+    if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
+        return 0;
+    }
+
+    /*
+      get prefix, allowing for future extensibility. input format is
+      string prefix
+          uint32 wrapfd seed
+          ... to be extended later
+      [bytes] ssh input stream
+    */
+
+    /* be careful to avoid triggering buffer.c assertions */
+    if (fuzz.input->len < 8) {
+        return 0;
+    }
+    size_t prefix_size = buf_getint(fuzz.input);
+    if (prefix_size != 4) {
+        return 0;
+    }
+    uint32_t wrapseed = buf_getint(fuzz.input);
+    wrapfd_setseed(wrapseed);
+
+    int fakesock = wrapfd_new();
+
+    m_malloc_set_epoch(1);
+    if (setjmp(fuzz.jmp) == 0) {
+        cli_session(fakesock, fakesock, NULL, 0);
+        m_malloc_free_epoch(1, 0);
+    } else {
+        m_malloc_free_epoch(1, 1);
+        TRACE(("dropbear_exit longjmped"))
+        /* dropbear_exit jumped here */
+    }
+
+    return 0;
+}
+
 const void* fuzz_get_algo(const algo_type *algos, const char* name) {
     const algo_type *t;
     for (t = algos; t->name; t++) {
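Review bot: The prefix parsing in fuzz_run_client (the `len < 8` guard, `prefix_size != 4` check and `wrapfd_setseed` call, together with the multi-line format comment) duplicates the block that the previous hunk edits in the server runner, so the format description now has to be kept in sync in two places. Extracting it into a static helper that both runners call keeps a single definition of the input layout and its assertion-avoidance guard. Separately, the return value of `wrapfd_new()` is passed straight to cli_session; if it can report exhaustion (presumably with a negative value, confirm against wrapfd.c), a `if (fakesock < 0) return 0;` check would stop the harness from feeding an invalid fd into the session. The fence below shows the helper and the reduced call site; the server runner would call the same helper in place of its own copy.
```c
/* Reads the common fuzz input prefix:
     string prefix
         uint32 wrapfd seed
         ... to be extended later
   followed by the raw ssh input stream. Returns DROPBEAR_FAILURE when the
   input is too short or the prefix length is not the expected 4 bytes,
   otherwise applies the wrapfd seed and returns DROPBEAR_SUCCESS. */
static int fuzz_read_prefix(void) {
    /* be careful to avoid triggering buffer.c assertions */
    if (fuzz.input->len < 8) {
        return DROPBEAR_FAILURE;
    }
    size_t prefix_size = buf_getint(fuzz.input);
    if (prefix_size != 4) {
        return DROPBEAR_FAILURE;
    }
    uint32_t wrapseed = buf_getint(fuzz.input);
    wrapfd_setseed(wrapseed);
    return DROPBEAR_SUCCESS;
}

int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths) {
    /* … unchanged: one-time fuzz_cli_setup and fuzz_set_input … */
    if (fuzz_read_prefix() == DROPBEAR_FAILURE) {
        return 0;
    }
    /* … unchanged: wrapfd_new, malloc epoch and cli_session under setjmp … */
}
```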