fuzz: make postauth set authdone properly

2025-04-22 23:24:52 +00:00 · 2020-12-03 22:18:51 +08:00 · 2020-12-03 22:18:51 +08:00 · 2c64335d9c
commit 2c64335d9c
parent 286b6b9f80
4 changed files with 22 additions and 9 deletions
--- a/fuzz-wrapfd.h
+++ b/fuzz-wrapfd.h
@ -12,8 +12,8 @@ enum wrapfd_mode {
 // buf is a common buffer read by all wrapped FDs. doesn't take ownership of buf
 void wrapfd_setup(buffer *buf);
 void wrapfd_setseed(uint32_t seed);
-int wrapfd_new_fuzzinput();
+int wrapfd_new_fuzzinput(void);
-int wrapfd_new_dummy();
+int wrapfd_new_dummy(void);
 // called via #defines for read/write/select
 int wrapfd_read(int fd, void *out, size_t count);
--- a/fuzz.h
+++ b/fuzz.h
@ -24,7 +24,7 @@ void fuzz_early_setup(void) __attribute__((constructor));
 // returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
 int fuzz_set_input(const uint8_t *Data, size_t Size);
-int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int authdone);
+int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int postauth);
 int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths);
 const void* fuzz_get_algo(const algo_type *algos, const char* name);
@ -35,6 +35,7 @@ int fuzz_checkpubkey_line(buffer* line, int line_num, char* filename,
        const unsigned char* keyblob, unsigned int keybloblen);
 extern const char * const * fuzz_signkey_names;
 void fuzz_seed(const unsigned char* dat, unsigned int len);
 void fuzz_svr_hook_preloop(void);
 typedef void(*connect_callback)(int result, int sock, void* data, const char* errstring);
 struct dropbear_progress_connection *fuzz_connect_remote(const char* remotehost, const char* remoteport,
@ -68,6 +69,8 @@ struct dropbear_fuzz_options {
    // whether to skip slow bignum maths
    int skip_kexmaths;
    // whether is svr_postauth mode
    int svr_postauth;
    // dropbear_exit() jumps back
    int do_jmp;
--- a/fuzz/fuzz-common.c
+++ b/fuzz/fuzz-common.c
@ -102,6 +102,13 @@ void fuzz_svr_setup(void) {
    load_fixed_hostkeys();
 }
 void fuzz_svr_hook_preloop() {
    if (fuzz.svr_postauth) {
        ses.authstate.authdone = 1;
        fill_passwd("root");
    }
 }
 void fuzz_cli_setup(void) {
    fuzz_common_setup();
@ -242,7 +249,7 @@ struct dropbear_progress_connection *fuzz_connect_remote(const char* UNUSED(remo
    return NULL;
 }
-int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int authdone) {
+int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int postauth) {
    static int once = 0;
    if (!once) {
        fuzz_svr_setup();
@ -250,6 +257,8 @@ int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int aut
        once = 1;
    }
    fuzz.svr_postauth = postauth;
    if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
        return 0;
    }
@ -260,11 +269,6 @@ int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int aut
    int fakesock = wrapfd_new_fuzzinput();
    if (authdone) {
        ses.authstate.authdone = 1;
        fill_passwd("root");
    }
    m_malloc_set_epoch(1);
    fuzz.do_jmp = 1;
    if (setjmp(fuzz.jmp) == 0) {
--- a/svr-session.c
+++ b/svr-session.c
@ -195,6 +195,12 @@ void svr_session(int sock, int childpipe) {
 	/* start off with key exchange */
 	send_msg_kexinit();
 #if DROPBEAR_FUZZ
    if (fuzz.fuzzing) {
        fuzz_svr_hook_preloop();
    }
 #endif
 	/* Run the main for loop. NULL is for the dispatcher - only the client
 	 * code makes use of it */
 	session_loop(svr_chansess_checksignal);