rearrange, all fuzzers now call fuzzer_set_input()

--HG-- branch : fuzz
2025-04-20 14:14:36 +00:00 · 2017-05-25 22:21:49 +08:00 · 2017-05-25 22:21:49 +08:00 · b8fa712847
commit b8fa712847
parent 095b067857
6 changed files with 39 additions and 38 deletions
--- a/fuzz-common.c
+++ b/fuzz-common.c
@ -31,23 +31,7 @@ int fuzzer_set_input(const uint8_t *Data, size_t Size) {

    memset(&ses, 0x0, sizeof(ses));
    memset(&svr_ses, 0x0, sizeof(svr_ses));
-
-    // get prefix. input format is
-    // string prefix
-    //     uint32 wrapfd seed
-    //     ... to be extended later
-    // [bytes] ssh input stream
-
-    // be careful to avoid triggering buffer.c assertions
-    if (fuzz.input->len < 8) {
-        return DROPBEAR_FAILURE;
-    }
-    size_t prefix_size = buf_getint(fuzz.input);
-    if (prefix_size != 4) {
-        return DROPBEAR_FAILURE;
-    }
-    uint32_t wrapseed = buf_getint(fuzz.input);
-    wrapfd_setup(wrapseed);
+    wrapfd_setup();

    fuzz_seed();

--- a/fuzz-wrapfd.c
+++ b/fuzz-wrapfd.c
@ -26,13 +26,17 @@ static int wrap_used[IOWRAP_MAXFD+1];
 static unsigned int nused;
 static unsigned short rand_state[3];

-void wrapfd_setup(uint32_t seed) {
+void wrapfd_setup() {
 	TRACE(("wrapfd_setup %x", seed))
 	nused = 0;
 	memset(wrap_fds, 0x0, sizeof(wrap_fds));
 	memset(wrap_used, 0x0, sizeof(wrap_used));

 	memset(rand_state, 0x0, sizeof(rand_state));
+	wrapfd_setseed(50);
+}
+
+void wrapfd_setseed(uint32_t seed) {
 	*((uint32_t*)rand_state) = seed;
 	nrand48(rand_state);
 }
--- a/fuzz-wrapfd.h
+++ b/fuzz-wrapfd.h
@ -10,7 +10,8 @@ enum wrapfd_mode {
    RANDOMIN,
 };

-void wrapfd_setup(uint32_t wrapseed);
+void wrapfd_setup();
+void wrapfd_setseed(uint32_t seed);
 // doesn't take ownership of buf. buf is optional.
 void wrapfd_add(int fd, buffer *buf, enum wrapfd_mode mode);

--- a/fuzz.h
+++ b/fuzz.h
@ -13,7 +13,8 @@
 void common_setup_fuzzer(void);
 void svr_setup_fuzzer(void);

-// once per input. returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
+// must be called once per fuzz iteration. 
+// returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
 int fuzzer_set_input(const uint8_t *Data, size_t Size);

 // fuzzer functions that intrude into general code
--- a/fuzzer-preauth.c
+++ b/fuzzer-preauth.c
@ -19,6 +19,23 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 		return 0;
 	}

+    // get prefix. input format is
+    // string prefix
+    //     uint32 wrapfd seed
+    //     ... to be extended later
+    // [bytes] ssh input stream
+
+    // be careful to avoid triggering buffer.c assertions
+    if (fuzz.input->len < 8) {
+        return 0;
+    }
+    size_t prefix_size = buf_getint(fuzz.input);
+    if (prefix_size != 4) {
+        return 0;
+    }
+    uint32_t wrapseed = buf_getint(fuzz.input);
+    wrapfd_setseed(wrapseed);
+
 	int fakesock = 1;
 	wrapfd_add(fakesock, fuzz.input, PLAIN);

--- a/fuzzer-pubkey.c
+++ b/fuzzer-pubkey.c
@ -14,18 +14,12 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 		once = 1;
 	}

-	m_malloc_set_epoch(1);
-
-    fuzz_seed();
-    fuzz.input->data = (unsigned char*)Data;
-    fuzz.input->len = Size;
-    fuzz.input->size = Size;
-    fuzz.input->pos = 0;
-
-    if (Size < 4) {
+	if (fuzzer_set_input(Data, Size) == DROPBEAR_FAILURE) {
 		return 0;
 	}

+	m_malloc_set_epoch(1);
+
 	// choose a keytype based on input
 	uint8_t b = 0;
 	size_t i;
@ -33,7 +27,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 		b ^= Data[i];
 	}
 	const char* algoname = fuzz_signkey_names[b%DROPBEAR_SIGNKEY_NUM_NAMED];
-    const char* keyblob = "fakekeyblob";
+	const char* keyblob = "blob"; // keep short

 	if (setjmp(fuzz.jmp) == 0) {
 		fuzz_checkpubkey_line(fuzz.input, 5, "/home/me/authorized_keys",