# HG changeset patch
# User Matt Johnston
# Date 1607005131 -28800
# Node ID a6da10ac64b5a9a447e6bc37ca33ae45cfbacd38
# Parent bf1912d2d6e9947fd4a728b6f7f756ae084a4b98
fuzz: make postauth set authdone properly
diff -r bf1912d2d6e9 -r a6da10ac64b5 fuzz-wrapfd.h
--- a/fuzz-wrapfd.h Thu Dec 03 21:19:19 2020 +0800
+++ b/fuzz-wrapfd.h Thu Dec 03 22:18:51 2020 +0800
@@ -12,8 +12,8 @@
 // buf is a common buffer read by all wrapped FDs. doesn't take ownership of buf
 void wrapfd_setup(buffer *buf);
 void wrapfd_setseed(uint32_t seed);
-int wrapfd_new_fuzzinput();
-int wrapfd_new_dummy();
+int wrapfd_new_fuzzinput(void);
+int wrapfd_new_dummy(void);
 
 // called via #defines for read/write/select
 int wrapfd_read(int fd, void *out, size_t count);
diff -r bf1912d2d6e9 -r a6da10ac64b5 fuzz.h
--- a/fuzz.h Thu Dec 03 21:19:19 2020 +0800
+++ b/fuzz.h Thu Dec 03 22:18:51 2020 +0800
@@ -24,7 +24,7 @@
 // returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
 int fuzz_set_input(const uint8_t *Data, size_t Size);
 
-int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int authdone);
+int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int postauth);
 int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths);
 
 const void* fuzz_get_algo(const algo_type *algos, const char* name);
@@ -35,6 +35,7 @@
 const unsigned char* keyblob, unsigned int keybloblen);
 extern const char * const * fuzz_signkey_names;
 void fuzz_seed(const unsigned char* dat, unsigned int len);
+void fuzz_svr_hook_preloop(void);
 
 typedef void(*connect_callback)(int result, int sock, void* data, const char* errstring);
 struct dropbear_progress_connection *fuzz_connect_remote(const char* remotehost, const char* remoteport,
@@ -68,6 +69,8 @@
 // whether to skip slow bignum maths
 int skip_kexmaths;
 
+ // whether is svr_postauth mode
+ int svr_postauth;
 // dropbear_exit() jumps back
 int do_jmp;
 
diff -r bf1912d2d6e9 -r a6da10ac64b5 fuzz/fuzz-common.c
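Review bot: The comment on the new `svr_postauth` field in fuzz.h, `// whether is svr_postauth mode`, is ungrammatical and only restates the field name, while the neighbouring fields (`skip_kexmaths`, `do_jmp`) each get a comment that says what the flag does. Suggest `// server post-auth fuzzing: fuzz_svr_hook_preloop() marks the session as already authenticated (as root) before the session loop runs`, which matches what the hook in fuzz-common.c visibly does. The struct holding this field starts before the hunk, so its declaration is not visible here.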
--- a/fuzz/fuzz-common.c Thu Dec 03 21:19:19 2020 +0800
+++ b/fuzz/fuzz-common.c Thu Dec 03 22:18:51 2020 +0800
@@ -102,6 +102,13 @@
 load_fixed_hostkeys();
 }
 
+void fuzz_svr_hook_preloop() {
+ if (fuzz.svr_postauth) {
+ ses.authstate.authdone = 1;
+ fill_passwd("root");
+ }
+}
+
 void fuzz_cli_setup(void) {
 fuzz_common_setup();
 
@@ -242,7 +249,7 @@
 return NULL;
 }
 
-int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int authdone) {
+int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int postauth) {
 static int once = 0;
 if (!once) {
 fuzz_svr_setup();
@@ -250,6 +257,8 @@
 once = 1;
 }
 
+ fuzz.svr_postauth = postauth;
+
 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
 return 0;
 }
@@ -260,11 +269,6 @@
 int fakesock = wrapfd_new_fuzzinput();
 
-if (authdone) {
-ses.authstate.authdone = 1;
-fill_passwd("root");
-}
-
 m_malloc_set_epoch(1);
 fuzz.do_jmp = 1;
 if (setjmp(fuzz.jmp) == 0) {
diff -r bf1912d2d6e9 -r a6da10ac64b5 svr-session.c
--- a/svr-session.c Thu Dec 03 21:19:19 2020 +0800
+++ b/svr-session.c Thu Dec 03 22:18:51 2020 +0800
@@ -195,6 +195,12 @@
 /* start off with key exchange */
 send_msg_kexinit();
 
+#if DROPBEAR_FUZZ
+ if (fuzz.fuzzing) {
+ fuzz_svr_hook_preloop();
+ }
+#endif
+
 /* Run the main for loop. NULL is for the dispatcher - only the client
 * code makes use of it */
 session_loop(svr_chansess_checksignal);
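Review bot: `void fuzz_svr_hook_preloop() {` in fuzz-common.c is defined with an empty parameter list, while the same commit converts the fuzz-wrapfd.h prototypes from `()` to `(void)` and declares this very function as `void fuzz_svr_hook_preloop(void);` in fuzz.h; make the definition `void fuzz_svr_hook_preloop(void) {` so declaration and definition agree and the function is a real prototype. The function also carries no comment saying why the authdone/fill_passwd work moved here out of fuzz_run_server; presumably svr_session() re-initialises `ses` after fuzz_run_server had set the old `authdone` flag, which is what the commit title hints at, so a header comment such as `/* Called from svr_session() once ses is initialised, just before session_loop(). In post-auth mode, mark the session authenticated as root so post-auth handlers are reachable from fuzz input. */` would record that — confirm the ordering against svr_session(). Only `authdone` and the passwd entry are filled here; if any post-auth path reads `ses.authstate.username`, it is still unset at this point, which is worth confirming. The hook relies on the caller's `fuzz.fuzzing` guard rather than checking it itself, which is fine as long as every call site keeps that guard.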
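Review bot: The new `#if DROPBEAR_FUZZ` block in svr-session.c has no comment explaining why the fuzz hook must run at exactly this point, so a later edit could move it above `send_msg_kexinit()` or back into fuzz_run_server() without seeing what breaks. Suggest `/* Fuzzing hook: runs after ses is set up and before any packet is handled, so a post-auth fuzzer can mark the session authenticated (see fuzz_svr_hook_preloop) */` above the `#if`. Placing the hook after `send_msg_kexinit()` means the KEXINIT has already been queued when the hook runs; presumably harmless since the hook only touches authstate, but say so if it is intentional. svr_session() starts and ends outside this hunk.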