diff options
Diffstat (limited to 'fuzz-common.c')
| -rw-r--r-- | fuzz-common.c | 89 |
1 files changed, 79 insertions, 10 deletions
diff --git a/fuzz-common.c b/fuzz-common.c index c14fa66..95b3937 100644 --- a/fuzz-common.c +++ b/fuzz-common.c @@ -16,6 +16,7 @@ static void fuzz_dropbear_log(int UNUSED(priority), const char* format, va_list static void load_fixed_hostkeys(void); void fuzz_common_setup(void) { + disallow_core(); fuzz.fuzzing = 1; fuzz.wrapfds = 1; fuzz.do_jmp = 1; @@ -36,7 +37,8 @@ int fuzz_set_input(const uint8_t *Data, size_t Size) { memset(&ses, 0x0, sizeof(ses)); memset(&svr_ses, 0x0, sizeof(svr_ses)); - wrapfd_setup(); + memset(&cli_ses, 0x0, sizeof(cli_ses)); + wrapfd_setup(fuzz.input); fuzz_seed(); @@ -63,21 +65,32 @@ void fuzz_svr_setup(void) { _dropbear_exit = svr_dropbear_exit; char *argv[] = { + "dropbear", "-E", }; int argc = sizeof(argv) / sizeof(*argv); svr_getopts(argc, argv); - /* user lookups might be slow, cache it */ - fuzz.pw_name = m_strdup("person"); - fuzz.pw_dir = m_strdup("/tmp"); - fuzz.pw_shell = m_strdup("/bin/zsh"); - fuzz.pw_passwd = m_strdup("!!zzznope"); - load_fixed_hostkeys(); } +void fuzz_cli_setup(void) { + fuzz_common_setup(); + + _dropbear_exit = cli_dropbear_exit; + _dropbear_log = cli_dropbear_log; + + char *argv[] = { + "dbclient", + "-y", + "localhost", + }; + + int argc = sizeof(argv) / sizeof(*argv); + cli_getopts(argc, argv); +} + static void load_fixed_hostkeys(void) { #include "fuzz-hostkeys.c" @@ -151,6 +164,17 @@ void fuzz_fake_send_kexdh_reply(void) { finish_kexhashbuf(); } +/* fake version of spawn_command() */ +int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid) { + *ret_writefd = wrapfd_new(); + *ret_readfd = wrapfd_new(); + if (ret_errfd) { + *ret_errfd = wrapfd_new(); + } + *ret_pid = 999; + return DROPBEAR_SUCCESS; +} + int fuzz_run_preauth(const uint8_t *Data, size_t Size, int skip_kexmaths) { static int once = 0; if (!once) { @@ -164,7 +188,7 @@ int fuzz_run_preauth(const uint8_t *Data, size_t Size, int skip_kexmaths) { } /* - get prefix. input format is + get prefix, allowing for future extensibility. input format is string prefix uint32 wrapfd seed ... to be extended later @@ -182,8 +206,7 @@ int fuzz_run_preauth(const uint8_t *Data, size_t Size, int skip_kexmaths) { uint32_t wrapseed = buf_getint(fuzz.input); wrapfd_setseed(wrapseed); - int fakesock = 20; - wrapfd_add(fakesock, fuzz.input, PLAIN); + int fakesock = wrapfd_new(); m_malloc_set_epoch(1); if (setjmp(fuzz.jmp) == 0) { @@ -198,6 +221,52 @@ int fuzz_run_preauth(const uint8_t *Data, size_t Size, int skip_kexmaths) { return 0; } +int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths) { + static int once = 0; + if (!once) { + fuzz_cli_setup(); + fuzz.skip_kexmaths = skip_kexmaths; + once = 1; + } + + if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { + return 0; + } + + /* + get prefix, allowing for future extensibility. input format is + string prefix + uint32 wrapfd seed + ... to be extended later + [bytes] ssh input stream + */ + + /* be careful to avoid triggering buffer.c assertions */ + if (fuzz.input->len < 8) { + return 0; + } + size_t prefix_size = buf_getint(fuzz.input); + if (prefix_size != 4) { + return 0; + } + uint32_t wrapseed = buf_getint(fuzz.input); + wrapfd_setseed(wrapseed); + + int fakesock = wrapfd_new(); + + m_malloc_set_epoch(1); + if (setjmp(fuzz.jmp) == 0) { + cli_session(fakesock, fakesock, NULL, 0); + m_malloc_free_epoch(1, 0); + } else { + m_malloc_free_epoch(1, 1); + TRACE(("dropbear_exit longjmped")) + /* dropbear_exit jumped here */ + } + + return 0; +} + const void* fuzz_get_algo(const algo_type *algos, const char* name) { const algo_type *t; for (t = algos; t->name; t++) { |