diff options
author | Matt Johnston <matt@ucc.asn.au> | 2020-10-29 22:41:37 +0800 |
---|---|---|
committer | Matt Johnston <matt@ucc.asn.au> | 2020-10-29 22:41:37 +0800 |
commit | 6aa065b1b45610e7adc5b9760482d9d5f0c8211c (patch) | |
tree | 5b2a33f0680778df55f48b658040c96416cee454 /fuzz | |
parent | 6cf29061c2513ac9bff5c68da8b98744cde25f40 (diff) |
Use SSH packet mutator for preauth too
Get rid of separate client mutator.
Have 0.1% chance of llvm random mutation
Add comments
Diffstat (limited to 'fuzz')
-rw-r--r-- | fuzz/fuzz-sshpacketmutator.c | 36 | ||||
-rw-r--r-- | fuzz/fuzzer-client_mutator.c | 6 | ||||
-rw-r--r-- | fuzz/fuzzer-client_mutator_nomaths.c | 6 |
3 files changed, 25 insertions, 23 deletions
diff --git a/fuzz/fuzz-sshpacketmutator.c b/fuzz/fuzz-sshpacketmutator.c index d26089d..3a513b0 100644 --- a/fuzz/fuzz-sshpacketmutator.c +++ b/fuzz/fuzz-sshpacketmutator.c @@ -1,8 +1,28 @@ +/* A mutator/crossover for SSH protocol streams. + Attempts to mutate each SSH packet individually, keeping + lengths intact. + It will prepend a SSH-2.0-dbfuzz\r\n version string. + + Linking this file to a binary will make libfuzzer pick up the custom mutator. + + Care is taken to avoid memory allocation which would otherwise + slow exec/s substantially */ + #include "fuzz.h" #include "dbutil.h" size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize); +static const char* FIXED_VERSION = "SSH-2.0-dbfuzz\r\n"; +static const size_t MAX_FUZZ_PACKETS = 500; +/* XXX This might need tuning */ +static const size_t MAX_OUT_SIZE = 50000; + +/* Splits packets from an input stream buffer "inp". +The initial SSH version identifier is discarded. +If packets are not recognised it will increment until an uint32 of valid +packet length is found. */ + /* out_packets an array of num_out_packets*buffer, each of size RECV_MAX_PACKET_LEN */ static void fuzz_get_packets(buffer *inp, buffer **out_packets, unsigned int *num_out_packets) { /* Skip any existing banner. Format is @@ -52,8 +72,8 @@ static void fuzz_get_packets(buffer *inp, buffer **out_packets, unsigned int *nu } } -/* Mutate in-place */ -void buf_llvm_mutate(buffer *buf) { +/* Mutate a packet buffer in-place */ +static void buf_llvm_mutate(buffer *buf) { /* Position it after packet_length and padding_length */ const unsigned int offset = 5; if (buf->len < offset) { @@ -69,11 +89,6 @@ void buf_llvm_mutate(buffer *buf) { } -static const char* FIXED_VERSION = "SSH-2.0-dbfuzz\r\n"; -static const size_t MAX_FUZZ_PACKETS = 500; -/* XXX This might need tuning */ -static const size_t MAX_OUT_SIZE = 50000; - /* Persistent buffers to avoid constant allocations */ static buffer *oup; static buffer *alloc_packetA; @@ -111,12 +126,11 @@ size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, memcpy(randstate, &Seed, sizeof(Seed)); // printhex("mutator input", Data, Size); - #if 0 - /* 1% chance straight llvm mutate */ - if (nrand48(randstate) % 100 == 0) { + + /* 0.1% chance straight llvm mutate */ + if (nrand48(randstate) % 1000 == 0) { return LLVMFuzzerMutate(Data, Size, MaxSize); } - #endif buffer inp_buf = {.data = Data, .size = Size, .len = Size, .pos = 0}; buffer *inp = &inp_buf; diff --git a/fuzz/fuzzer-client_mutator.c b/fuzz/fuzzer-client_mutator.c deleted file mode 100644 index eb59f46..0000000 --- a/fuzz/fuzzer-client_mutator.c +++ /dev/null @@ -1,6 +0,0 @@ -#include "fuzz.h" - -int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - return fuzz_run_client(Data, Size, 0); -} - diff --git a/fuzz/fuzzer-client_mutator_nomaths.c b/fuzz/fuzzer-client_mutator_nomaths.c deleted file mode 100644 index eb59f46..0000000 --- a/fuzz/fuzzer-client_mutator_nomaths.c +++ /dev/null @@ -1,6 +0,0 @@ -#include "fuzz.h" - -int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - return fuzz_run_client(Data, Size, 0); -} - |