Mercurial > dropbear
changeset 1377:d4cc85e6c569 fuzz
rearrange, all fuzzers now call fuzzer_set_input()
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Thu, 25 May 2017 22:21:49 +0800 |
| parents | 9e9c8d37fd56 |
| children | 7209a6e30932 |
| files | fuzz-common.c fuzz-wrapfd.c fuzz-wrapfd.h fuzz.h fuzzer-preauth.c fuzzer-pubkey.c |
| diffstat | 6 files changed, 39 insertions(+), 38 deletions(-) [+] |
line wrap: on
line diff
--- a/fuzz-common.c Thu May 25 22:21:23 2017 +0800 +++ b/fuzz-common.c Thu May 25 22:21:49 2017 +0800 @@ -31,23 +31,7 @@ memset(&ses, 0x0, sizeof(ses)); memset(&svr_ses, 0x0, sizeof(svr_ses)); - - // get prefix. input format is - // string prefix - // uint32 wrapfd seed - // ... to be extended later - // [bytes] ssh input stream - - // be careful to avoid triggering buffer.c assertions - if (fuzz.input->len < 8) { - return DROPBEAR_FAILURE; - } - size_t prefix_size = buf_getint(fuzz.input); - if (prefix_size != 4) { - return DROPBEAR_FAILURE; - } - uint32_t wrapseed = buf_getint(fuzz.input); - wrapfd_setup(wrapseed); + wrapfd_setup(); fuzz_seed();
--- a/fuzz-wrapfd.c Thu May 25 22:21:23 2017 +0800 +++ b/fuzz-wrapfd.c Thu May 25 22:21:49 2017 +0800 @@ -26,13 +26,17 @@ static unsigned int nused; static unsigned short rand_state[3]; -void wrapfd_setup(uint32_t seed) { +void wrapfd_setup() { TRACE(("wrapfd_setup %x", seed)) nused = 0; memset(wrap_fds, 0x0, sizeof(wrap_fds)); memset(wrap_used, 0x0, sizeof(wrap_used)); memset(rand_state, 0x0, sizeof(rand_state)); + wrapfd_setseed(50); +} + +void wrapfd_setseed(uint32_t seed) { *((uint32_t*)rand_state) = seed; nrand48(rand_state); }
--- a/fuzz-wrapfd.h Thu May 25 22:21:23 2017 +0800 +++ b/fuzz-wrapfd.h Thu May 25 22:21:49 2017 +0800 @@ -10,7 +10,8 @@ RANDOMIN, }; -void wrapfd_setup(uint32_t wrapseed); +void wrapfd_setup(); +void wrapfd_setseed(uint32_t seed); // doesn't take ownership of buf. buf is optional. void wrapfd_add(int fd, buffer *buf, enum wrapfd_mode mode);
--- a/fuzz.h Thu May 25 22:21:23 2017 +0800 +++ b/fuzz.h Thu May 25 22:21:49 2017 +0800 @@ -13,7 +13,8 @@ void common_setup_fuzzer(void); void svr_setup_fuzzer(void); -// once per input. returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE +// must be called once per fuzz iteration. +// returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE int fuzzer_set_input(const uint8_t *Data, size_t Size); // fuzzer functions that intrude into general code
--- a/fuzzer-preauth.c Thu May 25 22:21:23 2017 +0800 +++ b/fuzzer-preauth.c Thu May 25 22:21:49 2017 +0800 @@ -19,6 +19,23 @@ return 0; } + // get prefix. input format is + // string prefix + // uint32 wrapfd seed + // ... to be extended later + // [bytes] ssh input stream + + // be careful to avoid triggering buffer.c assertions + if (fuzz.input->len < 8) { + return 0; + } + size_t prefix_size = buf_getint(fuzz.input); + if (prefix_size != 4) { + return 0; + } + uint32_t wrapseed = buf_getint(fuzz.input); + wrapfd_setseed(wrapseed); + int fakesock = 1; wrapfd_add(fakesock, fuzz.input, PLAIN);
--- a/fuzzer-pubkey.c Thu May 25 22:21:23 2017 +0800 +++ b/fuzzer-pubkey.c Thu May 25 22:21:49 2017 +0800 @@ -14,26 +14,20 @@ once = 1; } + if (fuzzer_set_input(Data, Size) == DROPBEAR_FAILURE) { + return 0; + } + m_malloc_set_epoch(1); - fuzz_seed(); - fuzz.input->data = (unsigned char*)Data; - fuzz.input->len = Size; - fuzz.input->size = Size; - fuzz.input->pos = 0; - - if (Size < 4) { - return 0; - } - - // choose a keytype based on input - uint8_t b = 0; - size_t i; - for (i = 0; i < Size; i++) { - b ^= Data[i]; - } - const char* algoname = fuzz_signkey_names[b%DROPBEAR_SIGNKEY_NUM_NAMED]; - const char* keyblob = "fakekeyblob"; + // choose a keytype based on input + uint8_t b = 0; + size_t i; + for (i = 0; i < Size; i++) { + b ^= Data[i]; + } + const char* algoname = fuzz_signkey_names[b%DROPBEAR_SIGNKEY_NUM_NAMED]; + const char* keyblob = "blob"; // keep short if (setjmp(fuzz.jmp) == 0) { fuzz_checkpubkey_line(fuzz.input, 5, "/home/me/authorized_keys",