# HG changeset patch # User Matt Johnston # Date 1495722109 -28800 # Node ID d4cc85e6c569e34637e05ee85a176d4fba90f3d9 # Parent 9e9c8d37fd56f7ae79b91ddd01b6126037ecd816 rearrange, all fuzzers now call fuzzer_set_input() diff -r 9e9c8d37fd56 -r d4cc85e6c569 fuzz-common.c --- a/fuzz-common.c Thu May 25 22:21:23 2017 +0800 +++ b/fuzz-common.c Thu May 25 22:21:49 2017 +0800 @@ -31,23 +31,7 @@ memset(&ses, 0x0, sizeof(ses)); memset(&svr_ses, 0x0, sizeof(svr_ses)); - - // get prefix. input format is - // string prefix - // uint32 wrapfd seed - // ... to be extended later - // [bytes] ssh input stream - - // be careful to avoid triggering buffer.c assertions - if (fuzz.input->len < 8) { - return DROPBEAR_FAILURE; - } - size_t prefix_size = buf_getint(fuzz.input); - if (prefix_size != 4) { - return DROPBEAR_FAILURE; - } - uint32_t wrapseed = buf_getint(fuzz.input); - wrapfd_setup(wrapseed); + wrapfd_setup(); fuzz_seed(); diff -r 9e9c8d37fd56 -r d4cc85e6c569 fuzz-wrapfd.c --- a/fuzz-wrapfd.c Thu May 25 22:21:23 2017 +0800 +++ b/fuzz-wrapfd.c Thu May 25 22:21:49 2017 +0800 @@ -26,13 +26,17 @@ static unsigned int nused; static unsigned short rand_state[3]; -void wrapfd_setup(uint32_t seed) { +void wrapfd_setup() { TRACE(("wrapfd_setup %x", seed)) nused = 0; memset(wrap_fds, 0x0, sizeof(wrap_fds)); memset(wrap_used, 0x0, sizeof(wrap_used)); memset(rand_state, 0x0, sizeof(rand_state)); + wrapfd_setseed(50); +} + +void wrapfd_setseed(uint32_t seed) { *((uint32_t*)rand_state) = seed; nrand48(rand_state); } diff -r 9e9c8d37fd56 -r d4cc85e6c569 fuzz-wrapfd.h --- a/fuzz-wrapfd.h Thu May 25 22:21:23 2017 +0800 +++ b/fuzz-wrapfd.h Thu May 25 22:21:49 2017 +0800 @@ -10,7 +10,8 @@ RANDOMIN, }; -void wrapfd_setup(uint32_t wrapseed); +void wrapfd_setup(); +void wrapfd_setseed(uint32_t seed); // doesn't take ownership of buf. buf is optional. void wrapfd_add(int fd, buffer *buf, enum wrapfd_mode mode); diff -r 9e9c8d37fd56 -r d4cc85e6c569 fuzz.h --- a/fuzz.h Thu May 25 22:21:23 2017 +0800 +++ b/fuzz.h Thu May 25 22:21:49 2017 +0800 @@ -13,7 +13,8 @@ void common_setup_fuzzer(void); void svr_setup_fuzzer(void); -// once per input. returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE +// must be called once per fuzz iteration. +// returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE int fuzzer_set_input(const uint8_t *Data, size_t Size); // fuzzer functions that intrude into general code diff -r 9e9c8d37fd56 -r d4cc85e6c569 fuzzer-preauth.c --- a/fuzzer-preauth.c Thu May 25 22:21:23 2017 +0800 +++ b/fuzzer-preauth.c Thu May 25 22:21:49 2017 +0800 @@ -19,6 +19,23 @@ return 0; } + // get prefix. input format is + // string prefix + // uint32 wrapfd seed + // ... to be extended later + // [bytes] ssh input stream + + // be careful to avoid triggering buffer.c assertions + if (fuzz.input->len < 8) { + return 0; + } + size_t prefix_size = buf_getint(fuzz.input); + if (prefix_size != 4) { + return 0; + } + uint32_t wrapseed = buf_getint(fuzz.input); + wrapfd_setseed(wrapseed); + int fakesock = 1; wrapfd_add(fakesock, fuzz.input, PLAIN); diff -r 9e9c8d37fd56 -r d4cc85e6c569 fuzzer-pubkey.c --- a/fuzzer-pubkey.c Thu May 25 22:21:23 2017 +0800 +++ b/fuzzer-pubkey.c Thu May 25 22:21:49 2017 +0800 @@ -14,26 +14,20 @@ once = 1; } + if (fuzzer_set_input(Data, Size) == DROPBEAR_FAILURE) { + return 0; + } + m_malloc_set_epoch(1); - fuzz_seed(); - fuzz.input->data = (unsigned char*)Data; - fuzz.input->len = Size; - fuzz.input->size = Size; - fuzz.input->pos = 0; - - if (Size < 4) { - return 0; - } - - // choose a keytype based on input - uint8_t b = 0; - size_t i; - for (i = 0; i < Size; i++) { - b ^= Data[i]; - } - const char* algoname = fuzz_signkey_names[b%DROPBEAR_SIGNKEY_NUM_NAMED]; - const char* keyblob = "fakekeyblob"; + // choose a keytype based on input + uint8_t b = 0; + size_t i; + for (i = 0; i < Size; i++) { + b ^= Data[i]; + } + const char* algoname = fuzz_signkey_names[b%DROPBEAR_SIGNKEY_NUM_NAMED]; + const char* keyblob = "blob"; // keep short if (setjmp(fuzz.jmp) == 0) { fuzz_checkpubkey_line(fuzz.input, 5, "/home/me/authorized_keys",