ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-03-14 23:58:28 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fuzz: fix crash in newtcpdirect(), don't close the channel too early

Browse Source
This commit is contained in:
Matt Johnston 2021-03-05 22:51:11 +08:00
parent 3c2f113a78
commit d0d1ede191
3 changed files with 7 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
fuzz.h
View File

@ -37,11 +37,6 @@ extern const char * const * fuzz_signkey_names;
void fuzz_seed(const unsigned char* dat, unsigned int len); void fuzz_seed(const unsigned char* dat, unsigned int len);
void fuzz_svr_hook_preloop(void); void fuzz_svr_hook_preloop(void);
typedef void(*connect_callback)(int result, int sock, void* data, const char* errstring);
struct dropbear_progress_connection *fuzz_connect_remote(const char* remotehost, const char* remoteport,
connect_callback cb, void* cb_data,
const char* bind_address, const char* bind_port);
int fuzz_dropbear_listen(const char* address, const char* port, int fuzz_dropbear_listen(const char* address, const char* port,
int *socks, unsigned int sockcount, char **errstring, int *maxfd); int *socks, unsigned int sockcount, char **errstring, int *maxfd);

20
fuzz/fuzz-common.c
View File

@ -235,26 +235,6 @@ int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t
} }
struct dropbear_progress_connection *fuzz_connect_remote(const char* UNUSED(remotehost), const char* UNUSED(remoteport),
connect_callback cb, void* cb_data,
const char* UNUSED(bind_address), const char* UNUSED(bind_port)) {
/* This replacement for connect_remote() has slightly different semantics
to the real thing. It should probably be replaced with something more sophisticated.
It calls the callback cb() immediately rather than
in a future session loop iteration with set_connect_fds()/handle_connect_fds().
This could cause problems depending on how connect_remote() is used. In particular
the callback can close a channel - that can cause use-after-free. */
char r;
genrandom((void*)&r, 1);
if (r & 1) {
int sock = wrapfd_new_dummy();
cb(DROPBEAR_SUCCESS, sock, cb_data, NULL);
} else {
cb(DROPBEAR_FAILURE, -1, cb_data, "errorstring");
}
return NULL;
}
/* Fake dropbear_listen, always returns failure for now. /* Fake dropbear_listen, always returns failure for now.
TODO make it sometimes return success with wrapfd_new_dummy() sockets. TODO make it sometimes return success with wrapfd_new_dummy() sockets.
Making the listeners fake a new incoming connection will be harder. */ Making the listeners fake a new incoming connection will be harder. */

13
netio.c
View File

@ -179,12 +179,6 @@ struct dropbear_progress_connection *connect_remote(const char* remotehost, cons
int err; int err;
struct addrinfo hints; struct addrinfo hints;
#if DROPBEAR_FUZZ
if (fuzz.fuzzing) {
return fuzz_connect_remote(remotehost, remoteport, cb, cb_data, bind_address, bind_port);
}
#endif
c = m_malloc(sizeof(*c)); c = m_malloc(sizeof(*c));
c->remotehost = m_strdup(remotehost); c->remotehost = m_strdup(remotehost);
c->remoteport = m_strdup(remoteport); c->remoteport = m_strdup(remoteport);
@ -194,6 +188,13 @@ struct dropbear_progress_connection *connect_remote(const char* remotehost, cons
list_append(&ses.conn_pending, c); list_append(&ses.conn_pending, c);
#if DROPBEAR_FUZZ
if (fuzz.fuzzing) {
c->errstring = m_strdup("fuzzing connect_remote always fails");
return c;
}
#endif
memset(&hints, 0, sizeof(hints)); memset(&hints, 0, sizeof(hints));
hints.ai_socktype = SOCK_STREAM; hints.ai_socktype = SOCK_STREAM;
hints.ai_family = AF_UNSPEC; hints.ai_family = AF_UNSPEC;