# HG changeset patch
# User Matt Johnston
# Date 1607261245 -28800
# Node ID 9026f976eee801e447e7cddc0b90ac781b7d04e1
# Parent 94323a20e572adef4fdeb7f698e2e3f7b882c37a
fuzz: work around fuzz_connect_remote() limitations
diff -r 94323a20e572 -r 9026f976eee8 cli-tcpfwd.c
--- a/cli-tcpfwd.c	Sat Dec 05 14:56:53 2020 +0800
+++ b/cli-tcpfwd.c	Sun Dec 06 21:27:25 2020 +0800
@@ -273,11 +273,11 @@
 origaddr, origport);
 goto out;
 }
+
+channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
 snprintf(portstring, sizeof(portstring), "%u", fwd->connectport);
 channel->conn_pending = connect_remote(fwd->connectaddr, portstring, channel_connect_done, channel, NULL, NULL);
-
-channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
 err = SSH_OPEN_IN_PROGRESS;
diff -r 94323a20e572 -r 9026f976eee8 fuzz/fuzz-common.c
--- a/fuzz/fuzz-common.c	Sat Dec 05 14:56:53 2020 +0800
+++ b/fuzz/fuzz-common.c	Sun Dec 06 21:27:25 2020 +0800
@@ -238,6 +238,12 @@
 struct dropbear_progress_connection *fuzz_connect_remote(const char* UNUSED(remotehost), const char* UNUSED(remoteport), connect_callback cb, void* cb_data, const char* UNUSED(bind_address), const char* UNUSED(bind_port)) {
+/* This replacement for connect_remote() has slightly different semantics
+to the real thing. It should probably be replaced with something more sophisticated.
+It calls the callback cb() immediately rather than
+in a future session loop iteration with set_connect_fds()/handle_connect_fds().
+This could cause problems depending on how connect_remote() is used. In particular
+the callback can close a channel - that can cause use-after-free. */
 char r;
 genrandom((void*)&r, 1);
 if (r & 1) {
diff -r 94323a20e572 -r 9026f976eee8 svr-tcpfwd.c
--- a/svr-tcpfwd.c	Sat Dec 05 14:56:53 2020 +0800
+++ b/svr-tcpfwd.c	Sun Dec 06 21:27:25 2020 +0800
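Review bot: Moving the prio store ahead of connect_remote() removes one write through `channel` after the call, but `channel->conn_pending = connect_remote(...)` still stores into `channel` after connect_remote() returns, so on the path where the callback has already freed the channel (the case the fuzz-common.c comment in this same commit describes) that assignment is the same use-after-free the reorder was meant to avoid; the svr-tcpfwd.c hunk has the identical pattern. The reorder is also invisible to the next maintainer unless it is explained, so the moved line deserves a comment such as `/* Must precede connect_remote(): under fuzzing the callback runs synchronously and may free the channel. */`. Fixing the remaining store is only possible on the fuzz side, by deferring the callback as the new fuzz-common.c comment itself suggests, since the caller cannot tell after the call whether `channel` is still live. The enclosing function starts and ends outside the hunk, so I cannot see what happens to `channel` between `err = SSH_OPEN_IN_PROGRESS;` and the return.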
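Review bot: The new comment names the hazard but not the contract it imposes on callers, which is what a reader of a connect_remote() call site needs to know; add a closing sentence such as `Callers must not touch cb_data after this function returns, since cb() may already have freed it.` The comment also points at set_connect_fds()/handle_connect_fds(), which are outside this hunk, so stating the intended replacement in one line would help, e.g. `TODO: queue cb() and invoke it from the fuzz session loop instead of calling it here.` The function body after `if (r & 1) {` continues outside the hunk, so I cannot see what the function returns to the caller that stores it in conn_pending.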
@@ -284,10 +284,10 @@
 goto out;
 }
+channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
+
 snprintf(portstring, sizeof(portstring), "%u", destport);
 channel->conn_pending = connect_remote(desthost, portstring, channel_connect_done, channel, NULL, NULL);
-
-channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
 err = SSH_OPEN_IN_PROGRESS;