changeset 1377:d4cc85e6c569 fuzz

rearrange, all fuzzers now call fuzzer_set_input()
author Matt Johnston <matt@ucc.asn.au>
date Thu, 25 May 2017 22:21:49 +0800
parents 9e9c8d37fd56
children 7209a6e30932
files fuzz-common.c fuzz-wrapfd.c fuzz-wrapfd.h fuzz.h fuzzer-preauth.c fuzzer-pubkey.c
diffstat 6 files changed, 39 insertions(+), 38 deletions(-) [+]
line wrap: on
line diff
--- a/fuzz-common.c	Thu May 25 22:21:23 2017 +0800
+++ b/fuzz-common.c	Thu May 25 22:21:49 2017 +0800
@@ -31,23 +31,7 @@
 
     memset(&ses, 0x0, sizeof(ses));
     memset(&svr_ses, 0x0, sizeof(svr_ses));
-
-    // get prefix. input format is
-    // string prefix
-    //     uint32 wrapfd seed
-    //     ... to be extended later
-    // [bytes] ssh input stream
-
-    // be careful to avoid triggering buffer.c assertions
-    if (fuzz.input->len < 8) {
-        return DROPBEAR_FAILURE;
-    }
-    size_t prefix_size = buf_getint(fuzz.input);
-    if (prefix_size != 4) {
-        return DROPBEAR_FAILURE;
-    }
-    uint32_t wrapseed = buf_getint(fuzz.input);
-    wrapfd_setup(wrapseed);
+    wrapfd_setup();
 
     fuzz_seed();
 
--- a/fuzz-wrapfd.c	Thu May 25 22:21:23 2017 +0800
+++ b/fuzz-wrapfd.c	Thu May 25 22:21:49 2017 +0800
@@ -26,13 +26,17 @@
 static unsigned int nused;
 static unsigned short rand_state[3];
 
-void wrapfd_setup(uint32_t seed) {
+void wrapfd_setup() {
 	TRACE(("wrapfd_setup %x", seed))
 	nused = 0;
 	memset(wrap_fds, 0x0, sizeof(wrap_fds));
 	memset(wrap_used, 0x0, sizeof(wrap_used));
 
 	memset(rand_state, 0x0, sizeof(rand_state));
+	wrapfd_setseed(50);
+}
+
+void wrapfd_setseed(uint32_t seed) {
 	*((uint32_t*)rand_state) = seed;
 	nrand48(rand_state);
 }
--- a/fuzz-wrapfd.h	Thu May 25 22:21:23 2017 +0800
+++ b/fuzz-wrapfd.h	Thu May 25 22:21:49 2017 +0800
@@ -10,7 +10,8 @@
     RANDOMIN,
 };
 
-void wrapfd_setup(uint32_t wrapseed);
+void wrapfd_setup();
+void wrapfd_setseed(uint32_t seed);
 // doesn't take ownership of buf. buf is optional.
 void wrapfd_add(int fd, buffer *buf, enum wrapfd_mode mode);
 
--- a/fuzz.h	Thu May 25 22:21:23 2017 +0800
+++ b/fuzz.h	Thu May 25 22:21:49 2017 +0800
@@ -13,7 +13,8 @@
 void common_setup_fuzzer(void);
 void svr_setup_fuzzer(void);
 
-// once per input. returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
+// must be called once per fuzz iteration. 
+// returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
 int fuzzer_set_input(const uint8_t *Data, size_t Size);
 
 // fuzzer functions that intrude into general code
--- a/fuzzer-preauth.c	Thu May 25 22:21:23 2017 +0800
+++ b/fuzzer-preauth.c	Thu May 25 22:21:49 2017 +0800
@@ -19,6 +19,23 @@
 		return 0;
 	}
 
+    // get prefix. input format is
+    // string prefix
+    //     uint32 wrapfd seed
+    //     ... to be extended later
+    // [bytes] ssh input stream
+
+    // be careful to avoid triggering buffer.c assertions
+    if (fuzz.input->len < 8) {
+        return 0;
+    }
+    size_t prefix_size = buf_getint(fuzz.input);
+    if (prefix_size != 4) {
+        return 0;
+    }
+    uint32_t wrapseed = buf_getint(fuzz.input);
+    wrapfd_setseed(wrapseed);
+
 	int fakesock = 1;
 	wrapfd_add(fakesock, fuzz.input, PLAIN);
 
--- a/fuzzer-pubkey.c	Thu May 25 22:21:23 2017 +0800
+++ b/fuzzer-pubkey.c	Thu May 25 22:21:49 2017 +0800
@@ -14,26 +14,20 @@
 		once = 1;
 	}
 
+	if (fuzzer_set_input(Data, Size) == DROPBEAR_FAILURE) {
+		return 0;
+	}
+
 	m_malloc_set_epoch(1);
 
-    fuzz_seed();
-    fuzz.input->data = (unsigned char*)Data;
-    fuzz.input->len = Size;
-    fuzz.input->size = Size;
-    fuzz.input->pos = 0;
-
-    if (Size < 4) {
-    	return 0;
-    }
-
-    // choose a keytype based on input
-    uint8_t b = 0;
-    size_t i;
-    for (i = 0; i < Size; i++) {
-    	b ^= Data[i];
-    }
-    const char* algoname = fuzz_signkey_names[b%DROPBEAR_SIGNKEY_NUM_NAMED];
-    const char* keyblob = "fakekeyblob";
+	// choose a keytype based on input
+	uint8_t b = 0;
+	size_t i;
+	for (i = 0; i < Size; i++) {
+		b ^= Data[i];
+	}
+	const char* algoname = fuzz_signkey_names[b%DROPBEAR_SIGNKEY_NUM_NAMED];
+	const char* keyblob = "blob"; // keep short
 
 	if (setjmp(fuzz.jmp) == 0) {
 		fuzz_checkpubkey_line(fuzz.input, 5, "/home/me/authorized_keys",