fuzz: work around fuzz_connect_remote() limitations

Matt Johnston 2020-12-06 21:27:25 +08:00
parent d439ed26e4
commit 007a5925dc
3 changed files with 10 additions and 4 deletions


@ -274,11 +274,11 @@ static int newtcpforwarded(struct Channel * channel) {
goto out; goto out;
} }
channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
snprintf(portstring, sizeof(portstring), "%u", fwd->connectport); snprintf(portstring, sizeof(portstring), "%u", fwd->connectport);
channel->conn_pending = connect_remote(fwd->connectaddr, portstring, channel_connect_done, channel, NULL, NULL); channel->conn_pending = connect_remote(fwd->connectaddr, portstring, channel_connect_done, channel, NULL, NULL);
channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
err = SSH_OPEN_IN_PROGRESS; err = SSH_OPEN_IN_PROGRESS;
out: out:
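Review bot: `channel->conn_pending = connect_remote(fwd->connectaddr, portstring, channel_connect_done, channel, NULL, NULL);` still stores through `channel` after the call returns, and the fuzz_connect_remote() hunk in this same commit documents that the stub may invoke the callback synchronously and that the callback can close the channel, so on that path the store is a use-after-free of the same kind the relocated prio assignment avoids (assuming, as the commit title suggests, the assignment placed before the call is the new one; the rendering does not mark which line was removed). The newtcpdirect() hunk has the identical pattern. A caller cannot tell after the fact whether the channel was closed, so the durable fix belongs in the stub: defer cb() to the session loop (the comment already names set_connect_fds()/handle_connect_fds()) rather than calling it inline, and until then mark the hazard at the call site, e.g. `/* under fuzzing, connect_remote() may run the callback synchronously; channel may already be freed when it returns */`. newtcpforwarded() starts and ends outside this hunk.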


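--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -238,6 +238,12 @@ int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t
 struct dropbear_progress_connection *fuzz_connect_remote(const char* UNUSED(remotehost), const char* UNUSED(remoteport),
 connect_callback cb, void* cb_data,
 const char* UNUSED(bind_address), const char* UNUSED(bind_port)) {
+/* This replacement for connect_remote() has slightly different semantics
+to the real thing. It should probably be replaced with something more sophisticated.
+It calls the callback cb() immediately rather than
+in a future session loop iteration with set_connect_fds()/handle_connect_fds().
+This could cause problems depending on how connect_remote() is used. In particular
+the callback can close a channel - that can cause use-after-free. */
 char r;
 genrandom((void*)&r, 1);
 if (r & 1) {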
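Review bot: The new comment describes how the stub diverges from connect_remote() but never states the rule callers must follow, so the hazard it names is not actionable from the call sites; one sentence would fix that: `Callers must not dereference cb_data after this function returns, because cb() may already have closed and freed it.` Since the comment itself names set_connect_fds()/handle_connect_fds(), the more complete fix is to record cb and cb_data here and have the fuzz build invoke them from the session loop, which would restore the real connect_remote() ordering instead of requiring every caller to be reordered around a synchronous callback. fuzz_connect_remote()'s body continues outside the hunk.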


@ -284,11 +284,11 @@ static int newtcpdirect(struct Channel * channel) {
goto out; goto out;
} }
channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
snprintf(portstring, sizeof(portstring), "%u", destport); snprintf(portstring, sizeof(portstring), "%u", destport);
channel->conn_pending = connect_remote(desthost, portstring, channel_connect_done, channel, NULL, NULL); channel->conn_pending = connect_remote(desthost, portstring, channel_connect_done, channel, NULL, NULL);
channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
err = SSH_OPEN_IN_PROGRESS; err = SSH_OPEN_IN_PROGRESS;
out: out: