Add fuzzer-client_nomaths, fix client fuzzer

--HG-- branch : fuzz
2025-04-02 20:10:50 +00:00 · 2020-10-18 15:08:54 +08:00 · 2020-10-18 15:08:54 +08:00 · 33eba22966
commit 33eba22966
parent 282fc81981
5 changed files with 38 additions and 7 deletions
--- a/Makefile.in
+++ b/Makefile.in
@ -269,7 +269,7 @@ lint:

 # list of fuzz targets
 FUZZ_TARGETS=fuzzer-preauth fuzzer-pubkey fuzzer-verify fuzzer-preauth_nomaths \
-	fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 fuzzer-client
+	fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 fuzzer-client fuzzer-client_nomaths

 FUZZER_OPTIONS = $(addsuffix .options, $(FUZZ_TARGETS))

@ -311,6 +311,9 @@ fuzzer-kexcurve25519: fuzzer-kexcurve25519.o fuzz-harness.o
 fuzzer-client: fuzzer-client.o fuzz-harness.o
 	$(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@

+fuzzer-client_nomaths: fuzzer-client_nomaths.o fuzz-harness.o
+	$(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
+
 fuzzer-%.options: Makefile
 	echo "[libfuzzer]"               > $@
 	echo "max_len = 50000"          >> $@
--- a/cli-kex.c
+++ b/cli-kex.c
@ -46,6 +46,13 @@ void send_msg_kexdh_init() {
 	TRACE(("send_msg_kexdh_init()"))	

 	CHECKCLEARTOWRITE();
+
+#if DROPBEAR_FUZZ
+	if (fuzz.fuzzing && fuzz.skip_kexmaths) {
+		return;
+	}
+#endif
+
 	buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_INIT);
 	switch (ses.newkeys->algo_kex->mode) {
 #if DROPBEAR_NORMAL_DH
@ -98,6 +105,12 @@ void recv_msg_kexdh_reply() {
 	unsigned char* keyblob = NULL;

 	TRACE(("enter recv_msg_kexdh_reply"))
+	
+#if DROPBEAR_FUZZ
+	if (fuzz.fuzzing && fuzz.skip_kexmaths) {
+		return;
+	}
+#endif

 	if (cli_ses.kex_state != KEXDH_INIT_SENT) {
 		dropbear_exit("Received out-of-order kexdhreply");
--- a/cli-session.c
+++ b/cli-session.c
@ -352,6 +352,11 @@ static void cli_session_cleanup(void) {
 	(void)fcntl(cli_ses.stdoutcopy, F_SETFL, cli_ses.stdoutflags);
 	(void)fcntl(cli_ses.stderrcopy, F_SETFL, cli_ses.stderrflags);

+	/* Don't leak */
+	m_close(cli_ses.stdincopy);
+	m_close(cli_ses.stdoutcopy);
+	m_close(cli_ses.stderrcopy);
+
 	cli_tty_cleanup();
 	if (cli_ses.server_sig_algs) {
 		buf_free(cli_ses.server_sig_algs);
@ -430,17 +435,18 @@ void cli_dropbear_exit(int exitcode, const char* format, va_list param) {

 	/* Do the cleanup first, since then the terminal will be reset */
 	session_cleanup();
-	/* Avoid printing onwards from terminal cruft */
-	fprintf(stderr, "\n");
-
-	dropbear_log(LOG_INFO, "%s", fullmsg);
-
+	
 #if DROPBEAR_FUZZ
    if (fuzz.do_jmp) {
        longjmp(fuzz.jmp, 1);
    }
 #endif

+	/* Avoid printing onwards from terminal cruft */
+	fprintf(stderr, "\n");
+
+	dropbear_log(LOG_INFO, "%s", fullmsg);
+
 	exit(exitcode);
 }

--- a/fuzz-common.c
+++ b/fuzz-common.c
@ -37,6 +37,7 @@ int fuzz_set_input(const uint8_t *Data, size_t Size) {

    memset(&ses, 0x0, sizeof(ses));
    memset(&svr_ses, 0x0, sizeof(svr_ses));
+    memset(&cli_ses, 0x0, sizeof(cli_ses));
    wrapfd_setup(fuzz.input);

    fuzz_seed();
@ -64,6 +65,7 @@ void fuzz_svr_setup(void) {
    _dropbear_exit = svr_dropbear_exit;

    char *argv[] = { 
+		"dropbear",
        "-E", 
    };

@ -80,6 +82,7 @@ void fuzz_cli_setup(void) {
 	_dropbear_log = cli_dropbear_log;

    char *argv[] = { 
+		"dbclient",
 		"-y",
        "localhost",
    };
@ -168,7 +171,7 @@ int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t
    if (ret_errfd) {
        *ret_errfd = wrapfd_new();
    }
-    ret_pid = 999;
+    *ret_pid = 999;
    return DROPBEAR_SUCCESS;
 }

--- a/fuzzer-client_nomaths.c
+++ b/fuzzer-client_nomaths.c
@ -0,0 +1,6 @@
+#include "fuzz.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+	return fuzz_run_client(Data, Size, 1);
+}
+