authorMatt Johnston <matt@ucc.asn.au>2020-10-18 15:08:54 +0800
committerMatt Johnston <matt@ucc.asn.au>2020-10-18 15:08:54 +0800
commitcccb8a53062c77d28a76fcfa091cc4f4ccc88302 (patch)
treebef68997ccc507ab99a1f24a40225e4ca8f16386
parent13c96c0750990d2c0ac5295361ba1b26b0bbd076 (diff)
downloaddropbear-cccb8a53062c77d28a76fcfa091cc4f4ccc88302.tar.gz
Add fuzzer-client_nomaths, fix client fuzzer
-rw-r--r--Makefile.in5
-rw-r--r--cli-kex.c13
-rw-r--r--cli-session.c16
-rw-r--r--fuzz-common.c5
-rw-r--r--fuzzer-client_nomaths.c6
5 files changed, 38 insertions, 7 deletions
diff --git a/Makefile.in b/Makefile.in
index 894925b..fae4cf3 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -269,7 +269,7 @@ lint:
# list of fuzz targets
FUZZ_TARGETS=fuzzer-preauth fuzzer-pubkey fuzzer-verify fuzzer-preauth_nomaths \
- fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 fuzzer-client
+ fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 fuzzer-client fuzzer-client_nomaths
FUZZER_OPTIONS = $(addsuffix .options, $(FUZZ_TARGETS))
@@ -311,6 +311,9 @@ fuzzer-kexcurve25519: fuzzer-kexcurve25519.o fuzz-harness.o
fuzzer-client: fuzzer-client.o fuzz-harness.o
$(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
+fuzzer-client_nomaths: fuzzer-client_nomaths.o fuzz-harness.o
+ $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
+
fuzzer-%.options: Makefile
echo "[libfuzzer]" > $@
echo "max_len = 50000" >> $@
diff --git a/cli-kex.c b/cli-kex.c
index af1cfcf..4f2a884 100644
--- a/cli-kex.c
+++ b/cli-kex.c
@@ -46,6 +46,13 @@ void send_msg_kexdh_init() {
TRACE(("send_msg_kexdh_init()"))
CHECKCLEARTOWRITE();
+
+#if DROPBEAR_FUZZ
+ if (fuzz.fuzzing && fuzz.skip_kexmaths) {
+ return;
+ }
+#endif
+
buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_INIT);
switch (ses.newkeys->algo_kex->mode) {
#if DROPBEAR_NORMAL_DH
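Review bot: The early return added after CHECKCLEARTOWRITE() carries no comment saying why a fuzz target would deliberately skip sending KEXDH_INIT, and since send_msg_kexdh_init() continues past the hunk a reader cannot tell from here whether the function's later state updates are intentionally skipped too. Suggest a one-line rationale above the `#if DROPBEAR_FUZZ` block, e.g. `/* _nomaths fuzz targets skip the DH/ECDH computation; recv_msg_kexdh_reply() returns early to match */`. If kex_state is advanced later in this function (outside the hunk), the comment should also say whether it is meant to stay unset when the message is not sent.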
@@ -98,6 +105,12 @@ void recv_msg_kexdh_reply() {
unsigned char* keyblob = NULL;
TRACE(("enter recv_msg_kexdh_reply"))
+
+#if DROPBEAR_FUZZ
+ if (fuzz.fuzzing && fuzz.skip_kexmaths) {
+ return;
+ }
+#endif
if (cli_ses.kex_state != KEXDH_INIT_SENT) {
dropbear_exit("Received out-of-order kexdhreply");
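Review bot: The new fuzz early return sits above the `cli_ses.kex_state != KEXDH_INIT_SENT` check, so in the _nomaths target an out-of-order KEXDH_REPLY is accepted silently and that state-machine check is never exercised by the fuzzer. The check is cheap and is not part of the "maths" being skipped, so moving the `#if DROPBEAR_FUZZ` block to just after the `dropbear_exit("Received out-of-order kexdhreply");` line keeps the ordering validation under coverage while still skipping the expensive computation. Under fuzzing that dropbear_exit() presumably unwinds via the longjmp in cli_dropbear_exit(), which is what the harness expects for rejected inputs. recv_msg_kexdh_reply()'s body continues outside the hunk.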
diff --git a/cli-session.c b/cli-session.c
index bc83564..5e5af22 100644
--- a/cli-session.c
+++ b/cli-session.c
@@ -352,6 +352,11 @@ static void cli_session_cleanup(void) {
(void)fcntl(cli_ses.stdoutcopy, F_SETFL, cli_ses.stdoutflags);
(void)fcntl(cli_ses.stderrcopy, F_SETFL, cli_ses.stderrflags);
+ /* Don't leak */
+ m_close(cli_ses.stdincopy);
+ m_close(cli_ses.stdoutcopy);
+ m_close(cli_ses.stderrcopy);
+
cli_tty_cleanup();
if (cli_ses.server_sig_algs) {
buf_free(cli_ses.server_sig_algs);
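Review bot: The three new m_close() calls close cli_ses.stdincopy, stdoutcopy and stderrcopy unconditionally and nothing marks them as closed afterwards, so if cli_session_cleanup() can run twice, or before the copies are made (a zeroed cli_ses, as the fuzz harness now produces, leaves all three at 0 == STDIN_FILENO), this closes an fd that was never ours or closes it twice. A guarded form avoids both, e.g. `if (cli_ses.stdincopy >= 0) { m_close(cli_ses.stdincopy); cli_ses.stdincopy = -1; }` for each of the three, which presumes the fields are initialised to -1 before the dup() — that initialisation is not visible here and should be confirmed. Whether cleanup can be re-entered or reached early cannot be determined from this hunk; cli_session_cleanup() starts outside it.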
@@ -430,17 +435,18 @@ void cli_dropbear_exit(int exitcode, const char* format, va_list param) {
/* Do the cleanup first, since then the terminal will be reset */
session_cleanup();
- /* Avoid printing onwards from terminal cruft */
- fprintf(stderr, "\n");
-
- dropbear_log(LOG_INFO, "%s", fullmsg);
-
+
#if DROPBEAR_FUZZ
if (fuzz.do_jmp) {
longjmp(fuzz.jmp, 1);
}
#endif
+ /* Avoid printing onwards from terminal cruft */
+ fprintf(stderr, "\n");
+
+ dropbear_log(LOG_INFO, "%s", fullmsg);
+
exit(exitcode);
}
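Review bot: The reorder means that under fuzzing the formatted message in fullmsg is discarded — the longjmp now happens before both the stderr newline and dropbear_log() — and nothing in the code says this is deliberate, so a later reader may "fix" it back. Suggest a comment on the `#if DROPBEAR_FUZZ` block, e.g. `/* Under fuzzing, unwind to the harness before logging; presumably so expected exits do not flood stderr */`, with the "presumably" resolved by whoever knows the intent. If crash triage ever needs the message, logging it conditionally before the jump would be the place, but that is a design choice this hunk does not settle.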
diff --git a/fuzz-common.c b/fuzz-common.c
index 742e606..95b3937 100644
--- a/fuzz-common.c
+++ b/fuzz-common.c
@@ -37,6 +37,7 @@ int fuzz_set_input(const uint8_t *Data, size_t Size) {
memset(&ses, 0x0, sizeof(ses));
memset(&svr_ses, 0x0, sizeof(svr_ses));
+ memset(&cli_ses, 0x0, sizeof(cli_ses));
wrapfd_setup(fuzz.input);
fuzz_seed();
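Review bot: The added `memset(&cli_ses, 0x0, sizeof(cli_ses));` wipes the whole client session state at the start of every input, including any heap pointers it holds (cli_session_cleanup() frees cli_ses.server_sig_algs, for example); if a previous iteration exited without reaching that cleanup, those allocations are leaked and LeakSanitizer will report them against the harness rather than the code under test. It also sets the stdin/stdout/stderr copy fds to 0, so any cleanup that closes them unconditionally would close STDIN_FILENO. Whether a prior iteration can skip cleanup is not visible here; if it can, freeing the known-owned members before the memset, or resetting the fd copies to -1 right after it, would keep the harness honest. fuzz_set_input() continues outside the hunk.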
@@ -64,6 +65,7 @@ void fuzz_svr_setup(void) {
_dropbear_exit = svr_dropbear_exit;
char *argv[] = {
+ "dropbear",
"-E",
};
@@ -80,6 +82,7 @@ void fuzz_cli_setup(void) {
_dropbear_log = cli_dropbear_log;
char *argv[] = {
+ "dbclient",
"-y",
"localhost",
};
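Review bot: The `"-y"` argument in the client argv is security-relevant (per dbclient's usage text it accepts an unknown remote host key without prompting) and deserves a comment so nobody later copies this argv into a non-fuzz context, e.g. `"-y", /* accept unknown host keys: the peer is fuzz input, not a real server */`. The added `"dbclient"` argv[0] is correct and matches the server-side harness in the previous hunk. fuzz_cli_setup() continues outside the hunk.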
@@ -168,7 +171,7 @@ int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t
if (ret_errfd) {
*ret_errfd = wrapfd_new();
}
- ret_pid = 999;
+ *ret_pid = 999;
return DROPBEAR_SUCCESS;
}
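Review bot: The fixed line `*ret_pid = 999;` dereferences ret_pid unconditionally while the out-parameter just above it is guarded with `if (ret_errfd)`, so a caller that passes NULL for the pid (as the other optional outputs allow) would crash in the harness. Mirror the existing pattern: `if (ret_pid) { *ret_pid = 999; }`. A short comment on the constant, such as `/* dummy pid: no child is spawned under fuzzing */`, would also explain the 999. fuzz_spawn_command() starts outside the hunk.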
diff --git a/fuzzer-client_nomaths.c b/fuzzer-client_nomaths.c
new file mode 100644
index 0000000..e0910a7
--- /dev/null
+++ b/fuzzer-client_nomaths.c
@@ -0,0 +1,6 @@
+#include "fuzz.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ return fuzz_run_client(Data, Size, 1);
+}
+
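Review bot: The bare `1` passed to fuzz_run_client() says nothing about what it selects; from cli-kex.c in this same commit it presumably maps to fuzz.skip_kexmaths, but the file does not say so. A one-line comment on the call, e.g. `/* skip_kexmaths = 1: skip the DH/ECDH computation and fuzz the surrounding protocol handling */`, makes the difference from fuzzer-client.c explicit. A named constant would be better still if fuzz.h already defines one for this flag.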