authorMatt Johnston <matt@ucc.asn.au>2020-10-29 22:41:37 +0800
committerMatt Johnston <matt@ucc.asn.au>2020-10-29 22:41:37 +0800
commit6aa065b1b45610e7adc5b9760482d9d5f0c8211c (patch)
tree5b2a33f0680778df55f48b658040c96416cee454 /fuzz
parent6cf29061c2513ac9bff5c68da8b98744cde25f40 (diff)
Use SSH packet mutator for preauth too
Get rid of separate client mutator. Have 0.1% chance of llvm random mutation. Add comments.
Diffstat (limited to 'fuzz')
-rw-r--r--fuzz/fuzz-sshpacketmutator.c36
-rw-r--r--fuzz/fuzzer-client_mutator.c6
-rw-r--r--fuzz/fuzzer-client_mutator_nomaths.c6
3 files changed, 25 insertions, 23 deletions
diff --git a/fuzz/fuzz-sshpacketmutator.c b/fuzz/fuzz-sshpacketmutator.c
index d26089d..3a513b0 100644
--- a/fuzz/fuzz-sshpacketmutator.c
+++ b/fuzz/fuzz-sshpacketmutator.c
@@ -1,8 +1,28 @@
+/* A mutator/crossover for SSH protocol streams.
+ Attempts to mutate each SSH packet individually, keeping
+ lengths intact.
+ It will prepend a SSH-2.0-dbfuzz\r\n version string.
+
+ Linking this file to a binary will make libfuzzer pick up the custom mutator.
+
+ Care is taken to avoid memory allocation which would otherwise
+ slow exec/s substantially */
+
#include "fuzz.h"
#include "dbutil.h"
size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);
+static const char* FIXED_VERSION = "SSH-2.0-dbfuzz\r\n";
+static const size_t MAX_FUZZ_PACKETS = 500;
+/* XXX This might need tuning */
+static const size_t MAX_OUT_SIZE = 50000;
+
+/* Splits packets from an input stream buffer "inp".
+The initial SSH version identifier is discarded.
+If packets are not recognised it will increment until an uint32 of valid
+packet length is found. */
+
/* out_packets an array of num_out_packets*buffer, each of size RECV_MAX_PACKET_LEN */
static void fuzz_get_packets(buffer *inp, buffer **out_packets, unsigned int *num_out_packets) {
/* Skip any existing banner. Format is
@@ -52,8 +72,8 @@ static void fuzz_get_packets(buffer *inp, buffer **out_packets, unsigned int *nu
}
}
-/* Mutate in-place */
-void buf_llvm_mutate(buffer *buf) {
+/* Mutate a packet buffer in-place */
+static void buf_llvm_mutate(buffer *buf) {
/* Position it after packet_length and padding_length */
const unsigned int offset = 5;
if (buf->len < offset) {
@@ -69,11 +89,6 @@ void buf_llvm_mutate(buffer *buf) {
}
-static const char* FIXED_VERSION = "SSH-2.0-dbfuzz\r\n";
-static const size_t MAX_FUZZ_PACKETS = 500;
-/* XXX This might need tuning */
-static const size_t MAX_OUT_SIZE = 50000;
-
/* Persistent buffers to avoid constant allocations */
static buffer *oup;
static buffer *alloc_packetA;
@@ -111,12 +126,11 @@ size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
memcpy(randstate, &Seed, sizeof(Seed));
// printhex("mutator input", Data, Size);
- #if 0
- /* 1% chance straight llvm mutate */
- if (nrand48(randstate) % 100 == 0) {
+
+ /* 0.1% chance straight llvm mutate */
+ if (nrand48(randstate) % 1000 == 0) {
return LLVMFuzzerMutate(Data, Size, MaxSize);
}
- #endif
buffer inp_buf = {.data = Data, .size = Size, .len = Size, .pos = 0};
buffer *inp = &inp_buf;
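Review bot: The new description of fuzz_get_packets in the first hunk is separated from the function by a blank line and a second, older comment, so a reader sees two detached comments rather than one header; merging them into a single block directly above the signature, e.g. `/* Splits packets from an input stream buffer "inp". The initial SSH version identifier is discarded. If packets are not recognised it will increment until a uint32 of valid packet length is found. out_packets is an array of num_out_packets buffers, each of size RECV_MAX_PACKET_LEN */`, would keep the contract in one place (and fixes "an uint32"). The relocated `MAX_OUT_SIZE` still carries only "XXX This might need tuning"; since it presumably bounds the output the mutator hands back to libFuzzer, a sentence relating it to `MAX_FUZZ_PACKETS` and `RECV_MAX_PACKET_LEN` would let the next person tune it safely. In the last hunk the 0.1% early return now runs before any input parsing, which is fine, but note it depends on `randstate` being fully seeded by the `memcpy` on the preceding context line — `Seed`'s size versus `randstate`'s is not visible here, so worth confirming that call populates the whole state.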
diff --git a/fuzz/fuzzer-client_mutator.c b/fuzz/fuzzer-client_mutator.c
deleted file mode 100644
index eb59f46..0000000
--- a/fuzz/fuzzer-client_mutator.c
+++ /dev/null
@@ -1,6 +0,0 @@
-#include "fuzz.h"
-
-int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
- return fuzz_run_client(Data, Size, 0);
-}
-
diff --git a/fuzz/fuzzer-client_mutator_nomaths.c b/fuzz/fuzzer-client_mutator_nomaths.c
deleted file mode 100644
index eb59f46..0000000
--- a/fuzz/fuzzer-client_mutator_nomaths.c
+++ /dev/null
@@ -1,6 +0,0 @@
-#include "fuzz.h"
-
-int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
- return fuzz_run_client(Data, Size, 0);
-}
-