changeset 1782:a6da10ac64b5 fuzz

fuzz: make postauth set authdone properly
author Matt Johnston <matt@ucc.asn.au>
date Thu, 03 Dec 2020 22:18:51 +0800
parents bf1912d2d6e9
children 918e49decafa
files fuzz-wrapfd.h fuzz.h fuzz/fuzz-common.c svr-session.c
diffstat 4 files changed, 22 insertions(+), 9 deletions(-) [+]
line wrap: on
line diff
--- a/fuzz-wrapfd.h	Thu Dec 03 21:19:19 2020 +0800
+++ b/fuzz-wrapfd.h	Thu Dec 03 22:18:51 2020 +0800
@@ -12,8 +12,8 @@
 // buf is a common buffer read by all wrapped FDs. doesn't take ownership of buf
 void wrapfd_setup(buffer *buf);
 void wrapfd_setseed(uint32_t seed);
-int wrapfd_new_fuzzinput();
-int wrapfd_new_dummy();
+int wrapfd_new_fuzzinput(void);
+int wrapfd_new_dummy(void);
 
 // called via #defines for read/write/select
 int wrapfd_read(int fd, void *out, size_t count);
--- a/fuzz.h	Thu Dec 03 21:19:19 2020 +0800
+++ b/fuzz.h	Thu Dec 03 22:18:51 2020 +0800
@@ -24,7 +24,7 @@
 // returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
 int fuzz_set_input(const uint8_t *Data, size_t Size);
 
-int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int authdone);
+int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int postauth);
 int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths);
 const void* fuzz_get_algo(const algo_type *algos, const char* name);
 
@@ -35,6 +35,7 @@
         const unsigned char* keyblob, unsigned int keybloblen);
 extern const char * const * fuzz_signkey_names;
 void fuzz_seed(const unsigned char* dat, unsigned int len);
+void fuzz_svr_hook_preloop(void);
 
 typedef void(*connect_callback)(int result, int sock, void* data, const char* errstring);
 struct dropbear_progress_connection *fuzz_connect_remote(const char* remotehost, const char* remoteport,
@@ -68,6 +69,8 @@
 
     // whether to skip slow bignum maths
     int skip_kexmaths;
+    // whether is svr_postauth mode
+    int svr_postauth;
 
     // dropbear_exit() jumps back
     int do_jmp;
--- a/fuzz/fuzz-common.c	Thu Dec 03 21:19:19 2020 +0800
+++ b/fuzz/fuzz-common.c	Thu Dec 03 22:18:51 2020 +0800
@@ -102,6 +102,13 @@
     load_fixed_hostkeys();
 }
 
+void fuzz_svr_hook_preloop() {
+    if (fuzz.svr_postauth) {
+        ses.authstate.authdone = 1;
+        fill_passwd("root");
+    }
+}
+
 void fuzz_cli_setup(void) {
     fuzz_common_setup();
     
@@ -242,7 +249,7 @@
     return NULL;
 }
 
-int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int authdone) {
+int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int postauth) {
     static int once = 0;
     if (!once) {
         fuzz_svr_setup();
@@ -250,6 +257,8 @@
         once = 1;
     }
 
+    fuzz.svr_postauth = postauth;
+
     if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
         return 0;
     }
@@ -260,11 +269,6 @@
 
     int fakesock = wrapfd_new_fuzzinput();
 
-    if (authdone) {
-        ses.authstate.authdone = 1;
-        fill_passwd("root");
-    }
-
     m_malloc_set_epoch(1);
     fuzz.do_jmp = 1;
     if (setjmp(fuzz.jmp) == 0) {
--- a/svr-session.c	Thu Dec 03 21:19:19 2020 +0800
+++ b/svr-session.c	Thu Dec 03 22:18:51 2020 +0800
@@ -195,6 +195,12 @@
 	/* start off with key exchange */
 	send_msg_kexinit();
 
+#if DROPBEAR_FUZZ
+    if (fuzz.fuzzing) {
+        fuzz_svr_hook_preloop();
+    }
+#endif
+
 	/* Run the main for loop. NULL is for the dispatcher - only the client
 	 * code makes use of it */
 	session_loop(svr_chansess_checksignal);