author | Matt Johnston <matt@ucc.asn.au> | 2020-12-06 21:27:25 +0800 |
---|---|---|
committer | Matt Johnston <matt@ucc.asn.au> | 2020-12-06 21:27:25 +0800 |
commit | 007a5925dcdc63c9aa2550c902a8a0493465ba20 (patch) | |
tree | 6d91fc70265737446850301b1997a0f130976512 | |
parent | d439ed26e41895acbfea932c369babff8f1cbb3a (diff) |
fuzz: work around fuzz_connect_remote() limitations
-rw-r--r-- | cli-tcpfwd.c | 4 | ||||
-rw-r--r-- | fuzz/fuzz-common.c | 6 | ||||
-rw-r--r-- | svr-tcpfwd.c | 4 |
3 files changed, 10 insertions, 4 deletions
diff --git a/cli-tcpfwd.c b/cli-tcpfwd.c
index e6387d9..4ab7748 100644
--- a/cli-tcpfwd.c
+++ b/cli-tcpfwd.c
@@ -273,11 +273,11 @@ static int newtcpforwarded(struct Channel * channel) {
 					origaddr, origport);
 		goto out;
 	}
+
+	channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
 	snprintf(portstring, sizeof(portstring), "%u", fwd->connectport);
 	channel->conn_pending = connect_remote(fwd->connectaddr, portstring, channel_connect_done, channel, NULL, NULL);
-
-	channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
 	err = SSH_OPEN_IN_PROGRESS;
diff --git a/fuzz/fuzz-common.c b/fuzz/fuzz-common.c
index b43ba9b..f251e81 100644
--- a/fuzz/fuzz-common.c
+++ b/fuzz/fuzz-common.c
@@ -238,6 +238,12 @@ int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t
 struct dropbear_progress_connection *fuzz_connect_remote(const char* UNUSED(remotehost), const char* UNUSED(remoteport), connect_callback cb, void* cb_data, const char* UNUSED(bind_address), const char* UNUSED(bind_port)) {
+	/* This replacement for connect_remote() has slightly different semantics
+	to the real thing. It should probably be replaced with something more sophisticated.
+	It calls the callback cb() immediately rather than
+	in a future session loop iteration with set_connect_fds()/handle_connect_fds().
+	This could cause problems depending on how connect_remote() is used. In particular
+	the callback can close a channel - that can cause use-after-free. */
 	char r;
 	genrandom((void*)&r, 1);
 	if (r & 1) {
diff --git a/svr-tcpfwd.c b/svr-tcpfwd.c
index 9a2310d..879de7e 100644
--- a/svr-tcpfwd.c
+++ b/svr-tcpfwd.c
@@ -284,10 +284,10 @@ static int newtcpdirect(struct Channel * channel) {
 		goto out;
 	}
+	channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
+
 	snprintf(portstring, sizeof(portstring), "%u", destport);
 	channel->conn_pending = connect_remote(desthost, portstring, channel_connect_done, channel, NULL, NULL);
-
-	channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
 	err = SSH_OPEN_IN_PROGRESS;
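Review bot: Moving the `prio` store ahead of connect_remote() removes one post-callback write, but `channel->conn_pending = connect_remote(...)` still writes through `channel` after the call returns, and the comment added in fuzz/fuzz-common.c in this same commit says the synchronous callback may close the channel, so under the fuzzer that assignment looks like the same use-after-free the reordering is meant to avoid. Unless the channel is known to survive the call, capture the result in a local and store it only while the channel is still valid, or have the fuzz stub defer the callback to a later session-loop iteration as the real connect_remote() is described as doing. The svr-tcpfwd.c hunk for newtcpdirect() has the identical pattern and the same gap. A one-line comment would keep the order from being undone later: `/* Set before connect_remote(): the fuzzing stub may run the callback synchronously and close the channel. */`. newtcpforwarded() begins and ends outside the hunk.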
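Review bot: The new comment explains the synchronous-callback hazard but states no rule for callers, so the next call site has no way to know it must not touch the channel once fuzz_connect_remote() returns; add a sentence such as `Callers must not access cb_data (the channel) after this returns; see newtcpforwarded() and newtcpdirect().` The block is also wrapped at inconsistent widths ("slightly different semantics" / "to the real thing."), which reads as a stray line break; rewrapping it at the file's usual width would help. fuzz_connect_remote() continues past the end of the hunk.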