-rw-r--r--fuzz-common.c18
-rw-r--r--fuzz-wrapfd.c6
-rw-r--r--fuzz-wrapfd.h3
-rw-r--r--fuzz.h3
-rw-r--r--fuzzer-preauth.c17
-rw-r--r--fuzzer-pubkey.c30
6 files changed, 39 insertions, 38 deletions
diff --git a/fuzz-common.c b/fuzz-common.c
index d5fc9db..4c5da70 100644
--- a/fuzz-common.c
+++ b/fuzz-common.c
@@ -31,23 +31,7 @@ int fuzzer_set_input(const uint8_t *Data, size_t Size) {
memset(&ses, 0x0, sizeof(ses));
memset(&svr_ses, 0x0, sizeof(svr_ses));
-
- // get prefix. input format is
- // string prefix
- // uint32 wrapfd seed
- // ... to be extended later
- // [bytes] ssh input stream
-
- // be careful to avoid triggering buffer.c assertions
- if (fuzz.input->len < 8) {
- return DROPBEAR_FAILURE;
- }
- size_t prefix_size = buf_getint(fuzz.input);
- if (prefix_size != 4) {
- return DROPBEAR_FAILURE;
- }
- uint32_t wrapseed = buf_getint(fuzz.input);
- wrapfd_setup(wrapseed);
+ wrapfd_setup();
fuzz_seed();
diff --git a/fuzz-wrapfd.c b/fuzz-wrapfd.c
index c65ed38..759ccba 100644
--- a/fuzz-wrapfd.c
+++ b/fuzz-wrapfd.c
@@ -26,13 +26,17 @@ static int wrap_used[IOWRAP_MAXFD+1];
static unsigned int nused;
static unsigned short rand_state[3];
-void wrapfd_setup(uint32_t seed) {
+void wrapfd_setup() {
TRACE(("wrapfd_setup %x", seed))
nused = 0;
memset(wrap_fds, 0x0, sizeof(wrap_fds));
memset(wrap_used, 0x0, sizeof(wrap_used));
memset(rand_state, 0x0, sizeof(rand_state));
+ wrapfd_setseed(50);
+}
+
+void wrapfd_setseed(uint32_t seed) {
*((uint32_t*)rand_state) = seed;
nrand48(rand_state);
}
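Review bot: `TRACE(("wrapfd_setup %x", seed))` at the top of the new `wrapfd_setup()` still names `seed`, which is no longer a parameter of this function; it presumably compiles only because TRACE is compiled out in the default build, and a trace-enabled build would fail on the undeclared identifier. Either drop the argument, `TRACE(("wrapfd_setup"))`, or move that trace line into `wrapfd_setseed` where `seed` is in scope. The declarator should also read `void wrapfd_setup(void)` here and in the fuzz-wrapfd.h hunk, since an empty parameter list in C declares an unprototyped function rather than one taking no arguments. `*((uint32_t*)rand_state) = seed;` stores four bytes through an `unsigned short[3]` via an incompatible pointer type; `memcpy(rand_state, &seed, sizeof seed);` performs the same initialization without the aliasing and alignment concern. The literal `50` in `wrapfd_setseed(50)` is worth a named constant so the default seed is visible to readers and to the preauth fuzzer that later overrides it.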
diff --git a/fuzz-wrapfd.h b/fuzz-wrapfd.h
index 9358c1a..04477b9 100644
--- a/fuzz-wrapfd.h
+++ b/fuzz-wrapfd.h
@@ -10,7 +10,8 @@ enum wrapfd_mode {
RANDOMIN,
};
-void wrapfd_setup(uint32_t wrapseed);
+void wrapfd_setup();
+void wrapfd_setseed(uint32_t seed);
// doesn't take ownership of buf. buf is optional.
void wrapfd_add(int fd, buffer *buf, enum wrapfd_mode mode);
diff --git a/fuzz.h b/fuzz.h
index 8a55976..ae1a3dc 100644
--- a/fuzz.h
+++ b/fuzz.h
@@ -13,7 +13,8 @@
void common_setup_fuzzer(void);
void svr_setup_fuzzer(void);
-// once per input. returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
+// must be called once per fuzz iteration.
+// returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
int fuzzer_set_input(const uint8_t *Data, size_t Size);
// fuzzer functions that intrude into general code
diff --git a/fuzzer-preauth.c b/fuzzer-preauth.c
index e1340da..110624e 100644
--- a/fuzzer-preauth.c
+++ b/fuzzer-preauth.c
@@ -19,6 +19,23 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
return 0;
}
+ // get prefix. input format is
+ // string prefix
+ // uint32 wrapfd seed
+ // ... to be extended later
+ // [bytes] ssh input stream
+
+ // be careful to avoid triggering buffer.c assertions
+ if (fuzz.input->len < 8) {
+ return 0;
+ }
+ size_t prefix_size = buf_getint(fuzz.input);
+ if (prefix_size != 4) {
+ return 0;
+ }
+ uint32_t wrapseed = buf_getint(fuzz.input);
+ wrapfd_setseed(wrapseed);
+
int fakesock = 1;
wrapfd_add(fakesock, fuzz.input, PLAIN);
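Review bot: The guard `if (fuzz.input->len < 8)` checks the buffer's total length, while the two `buf_getint` calls that follow read relative to `fuzz.input->pos`; the guard is only sufficient if `fuzzer_set_input` leaves `pos` at 0, which this hunk does not show. Comparing against the remaining bytes, `if (fuzz.input->len - fuzz.input->pos < 8)`, makes that assumption explicit and keeps the buffer.c assertion the comment warns about from firing if the setup code changes. It would also help to add a sentence to the comment block stating that the 8 prefix bytes are consumed before `wrapfd_add(fakesock, fuzz.input, PLAIN)`, so the fake socket presumably sees only the remainder of the input. LLVMFuzzerTestOneInput begins before this hunk.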
diff --git a/fuzzer-pubkey.c b/fuzzer-pubkey.c
index bed0798..a5ec96e 100644
--- a/fuzzer-pubkey.c
+++ b/fuzzer-pubkey.c
@@ -14,26 +14,20 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
once = 1;
}
- m_malloc_set_epoch(1);
-
- fuzz_seed();
- fuzz.input->data = (unsigned char*)Data;
- fuzz.input->len = Size;
- fuzz.input->size = Size;
- fuzz.input->pos = 0;
+ if (fuzzer_set_input(Data, Size) == DROPBEAR_FAILURE) {
+ return 0;
+ }
- if (Size < 4) {
- return 0;
- }
+ m_malloc_set_epoch(1);
- // choose a keytype based on input
- uint8_t b = 0;
- size_t i;
- for (i = 0; i < Size; i++) {
- b ^= Data[i];
- }
- const char* algoname = fuzz_signkey_names[b%DROPBEAR_SIGNKEY_NUM_NAMED];
- const char* keyblob = "fakekeyblob";
+ // choose a keytype based on input
+ uint8_t b = 0;
+ size_t i;
+ for (i = 0; i < Size; i++) {
+ b ^= Data[i];
+ }
+ const char* algoname = fuzz_signkey_names[b%DROPBEAR_SIGNKEY_NUM_NAMED];
+ const char* keyblob = "blob"; // keep short
if (setjmp(fuzz.jmp) == 0) {
fuzz_checkpubkey_line(fuzz.input, 5, "/home/me/authorized_keys",