authorMatt Johnston <matt@ucc.asn.au>2017-05-12 23:14:54 +0800
committerMatt Johnston <matt@ucc.asn.au>2017-05-12 23:14:54 +0800
commit9f24cdf74c93aa75416687972e69b5b4c8be2698 (patch)
tree9de10a9cfb200ced849cce21005253e0b93b7711 /packet.c
parentd7471c4f875a2be9dde4e65d06f71bf7c68d5ff5 (diff)
copy over some fuzzing code from AFL branch
--HG-- branch : fuzz
Diffstat (limited to 'packet.c')
-rw-r--r--packet.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/packet.c b/packet.c
index 924554d..f10e639 100644
--- a/packet.c
+++ b/packet.c
@@ -35,6 +35,7 @@
#include "auth.h"
#include "channel.h"
#include "netio.h"
+#include "runopts.h"
static int read_packet_init(void);
static void make_mac(unsigned int seqno, const struct key_context_directional * key_state,
@@ -76,6 +77,15 @@ void write_packet() {
/* This may return EAGAIN. The main loop sometimes
calls write_packet() without bothering to test with select() since
it's likely to be necessary */
+#ifdef DROPBEAR_FUZZ
+ if (opts.fuzz.fuzzing) {
+ // pretend to write one packet at a time
+ // TODO(fuzz): randomise amount written based on the fuzz input
+ written = iov[0].iov_len;
+ }
+ else
+#endif
+ {
written = writev(ses.sock_out, iov, iov_count);
if (written < 0) {
if (errno == EINTR || errno == EAGAIN) {
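Review bot: In the fuzzing branch, `written = iov[0].iov_len;` reads the first iovec, and nothing in this hunk shows that `iov_count` is at least 1. If write_packet() could be entered with an empty write queue, the value would come from an entry that was never filled in, and the next hunk passes it to `packet_queue_consume()` and subtracts it from `ses.writequeue_len`. A `dropbear_assert(iov_count > 0);` before the assignment would make the precondition explicit; it may already be enforced earlier in write_packet(), which starts outside this hunk. The two `//` comments also depart from the `/* */` style of the surrounding context, and one of them could state the consequence, e.g. `/* fuzz builds discard outgoing data; DROPBEAR_FUZZ must never be defined in a shipped binary */`.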
@@ -85,6 +95,7 @@ void write_packet() {
dropbear_exit("Error writing: %s", strerror(errno));
}
}
+ }
packet_queue_consume(&ses.writequeue, written);
ses.writequeue_len -= written;
@@ -94,6 +105,9 @@ void write_packet() {
}
#else /* No writev () */
+#ifdef DROPBEAR_FUZZ
+ _Static_assert(0, "No fuzzing code for no-writev writes");
+#endif
/* Get the next buffer in the queue of encrypted packets to write*/
writebuf = (buffer*)examine(&ses.writequeue);
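Review bot: `_Static_assert(0, ...)` is a C11 construct, so a compiler running in an older language mode would stop on a syntax or implicit-declaration diagnostic rather than the intended message. The condition is purely a preprocessor one, so `#error "No fuzzing code for no-writev writes"` inside the same `#ifdef DROPBEAR_FUZZ` gives the same hard stop portably. The no-writev branch of write_packet() continues outside this hunk.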