diff options
author | Matt Johnston <matt@ucc.asn.au> | 2021-03-05 22:51:11 +0800 |
---|---|---|
committer | Matt Johnston <matt@ucc.asn.au> | 2021-03-05 22:51:11 +0800 |
commit | d0d1ede191cbc8dfa1748990a052ef90f000b55b (patch) | |
tree | 6d434414630167b873b9706a5401b14f6fb6e594 /fuzz/fuzz-common.c | |
parent | 3c2f113a783651aae7612dcffdc8e74a9db69702 (diff) |
fuzz: fix crash in newtcpdirect(), don't close the channel too early
Diffstat (limited to 'fuzz/fuzz-common.c')
-rw-r--r-- | fuzz/fuzz-common.c | 20 |
1 files changed, 0 insertions, 20 deletions
diff --git a/fuzz/fuzz-common.c b/fuzz/fuzz-common.c index 9cc6d75..c9a3391 100644 --- a/fuzz/fuzz-common.c +++ b/fuzz/fuzz-common.c @@ -235,26 +235,6 @@ int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t } -struct dropbear_progress_connection *fuzz_connect_remote(const char* UNUSED(remotehost), const char* UNUSED(remoteport), - connect_callback cb, void* cb_data, - const char* UNUSED(bind_address), const char* UNUSED(bind_port)) { - /* This replacement for connect_remote() has slightly different semantics - to the real thing. It should probably be replaced with something more sophisticated. - It calls the callback cb() immediately rather than - in a future session loop iteration with set_connect_fds()/handle_connect_fds(). - This could cause problems depending on how connect_remote() is used. In particular - the callback can close a channel - that can cause use-after-free. */ - char r; - genrandom((void*)&r, 1); - if (r & 1) { - int sock = wrapfd_new_dummy(); - cb(DROPBEAR_SUCCESS, sock, cb_data, NULL); - } else { - cb(DROPBEAR_FAILURE, -1, cb_data, "errorstring"); - } - return NULL; -} - /* Fake dropbear_listen, always returns failure for now. TODO make it sometimes return success with wrapfd_new_dummy() sockets. Making the listeners fake a new incoming connection will be harder. */ |