diff options
| -rw-r--r-- | fuzz-wrapfd.h | 4 | ||||
| -rw-r--r-- | fuzz.h | 5 | ||||
| -rw-r--r-- | fuzz/fuzz-common.c | 16 | ||||
| -rw-r--r-- | svr-session.c | 6 |
4 files changed, 22 insertions, 9 deletions
diff --git a/fuzz-wrapfd.h b/fuzz-wrapfd.h index 56bbc6e..6677e62 100644 --- a/fuzz-wrapfd.h +++ b/fuzz-wrapfd.h @@ -12,8 +12,8 @@ enum wrapfd_mode { // buf is a common buffer read by all wrapped FDs. doesn't take ownership of buf void wrapfd_setup(buffer *buf); void wrapfd_setseed(uint32_t seed); -int wrapfd_new_fuzzinput(); -int wrapfd_new_dummy(); +int wrapfd_new_fuzzinput(void); +int wrapfd_new_dummy(void); // called via #defines for read/write/select int wrapfd_read(int fd, void *out, size_t count); @@ -24,7 +24,7 @@ void fuzz_early_setup(void) __attribute__((constructor)); // returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE int fuzz_set_input(const uint8_t *Data, size_t Size); -int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int authdone); +int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int postauth); int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths); const void* fuzz_get_algo(const algo_type *algos, const char* name); @@ -35,6 +35,7 @@ int fuzz_checkpubkey_line(buffer* line, int line_num, char* filename, const unsigned char* keyblob, unsigned int keybloblen); extern const char * const * fuzz_signkey_names; void fuzz_seed(const unsigned char* dat, unsigned int len); +void fuzz_svr_hook_preloop(void); typedef void(*connect_callback)(int result, int sock, void* data, const char* errstring); struct dropbear_progress_connection *fuzz_connect_remote(const char* remotehost, const char* remoteport, @@ -68,6 +69,8 @@ struct dropbear_fuzz_options { // whether to skip slow bignum maths int skip_kexmaths; + // whether is svr_postauth mode + int svr_postauth; // dropbear_exit() jumps back int do_jmp; diff --git a/fuzz/fuzz-common.c b/fuzz/fuzz-common.c index 4a9634a..b43ba9b 100644 --- a/fuzz/fuzz-common.c +++ b/fuzz/fuzz-common.c @@ -102,6 +102,13 @@ void fuzz_svr_setup(void) { load_fixed_hostkeys(); } +void fuzz_svr_hook_preloop() { + if (fuzz.svr_postauth) { + ses.authstate.authdone = 1; + fill_passwd("root"); + } +} + void fuzz_cli_setup(void) { fuzz_common_setup(); @@ -242,7 +249,7 @@ struct dropbear_progress_connection *fuzz_connect_remote(const char* UNUSED(remo return NULL; } -int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int authdone) { +int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int postauth) { static int once = 0; if (!once) { fuzz_svr_setup(); @@ -250,6 +257,8 @@ int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int aut once = 1; } + fuzz.svr_postauth = postauth; + if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { return 0; } @@ -260,11 +269,6 @@ int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int aut int fakesock = wrapfd_new_fuzzinput(); - if (authdone) { - ses.authstate.authdone = 1; - fill_passwd("root"); - } - m_malloc_set_epoch(1); fuzz.do_jmp = 1; if (setjmp(fuzz.jmp) == 0) { diff --git a/svr-session.c b/svr-session.c index 6c3147f..63c675c 100644 --- a/svr-session.c +++ b/svr-session.c @@ -195,6 +195,12 @@ void svr_session(int sock, int childpipe) { /* start off with key exchange */ send_msg_kexinit(); +#if DROPBEAR_FUZZ + if (fuzz.fuzzing) { + fuzz_svr_hook_preloop(); + } +#endif + /* Run the main for loop. NULL is for the dispatcher - only the client * code makes use of it */ session_loop(svr_chansess_checksignal); |