diff options
| author | Matt Johnston <matt@ucc.asn.au> | 2020-10-29 22:41:37 +0800 |
|---|---|---|
| committer | Matt Johnston <matt@ucc.asn.au> | 2020-10-29 22:41:37 +0800 |
| commit | a47d02b32793b6fcc1a7602b468a67e5a97e2292 (patch) | |
| tree | 671c5935e5eed3056e8332df1bba44d51a81d159 /fuzz/fuzz-sshpacketmutator.c | |
| parent | 5ac288af3938a1285b7c85c4e64df241d52a67da (diff) | |
| download | dropbear-a47d02b32793b6fcc1a7602b468a67e5a97e2292.tar.gz | |
Use SSH packet mutator for preauth too
Get rid of separate client mutator.
Have 0.1% chance of llvm random mutation
Add comments
Diffstat (limited to 'fuzz/fuzz-sshpacketmutator.c')
| -rw-r--r-- | fuzz/fuzz-sshpacketmutator.c | 36 |
1 files changed, 25 insertions, 11 deletions
diff --git a/fuzz/fuzz-sshpacketmutator.c b/fuzz/fuzz-sshpacketmutator.c index d26089d..3a513b0 100644 --- a/fuzz/fuzz-sshpacketmutator.c +++ b/fuzz/fuzz-sshpacketmutator.c @@ -1,8 +1,28 @@ +/* A mutator/crossover for SSH protocol streams. + Attempts to mutate each SSH packet individually, keeping + lengths intact. + It will prepend a SSH-2.0-dbfuzz\r\n version string. + + Linking this file to a binary will make libfuzzer pick up the custom mutator. + + Care is taken to avoid memory allocation which would otherwise + slow exec/s substantially */ + #include "fuzz.h" #include "dbutil.h" size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize); +static const char* FIXED_VERSION = "SSH-2.0-dbfuzz\r\n"; +static const size_t MAX_FUZZ_PACKETS = 500; +/* XXX This might need tuning */ +static const size_t MAX_OUT_SIZE = 50000; + +/* Splits packets from an input stream buffer "inp". +The initial SSH version identifier is discarded. +If packets are not recognised it will increment until an uint32 of valid +packet length is found. */ + /* out_packets an array of num_out_packets*buffer, each of size RECV_MAX_PACKET_LEN */ static void fuzz_get_packets(buffer *inp, buffer **out_packets, unsigned int *num_out_packets) { /* Skip any existing banner. Format is @@ -52,8 +72,8 @@ static void fuzz_get_packets(buffer *inp, buffer **out_packets, unsigned int *nu } } -/* Mutate in-place */ -void buf_llvm_mutate(buffer *buf) { +/* Mutate a packet buffer in-place */ +static void buf_llvm_mutate(buffer *buf) { /* Position it after packet_length and padding_length */ const unsigned int offset = 5; if (buf->len < offset) { @@ -69,11 +89,6 @@ void buf_llvm_mutate(buffer *buf) { } -static const char* FIXED_VERSION = "SSH-2.0-dbfuzz\r\n"; -static const size_t MAX_FUZZ_PACKETS = 500; -/* XXX This might need tuning */ -static const size_t MAX_OUT_SIZE = 50000; - /* Persistent buffers to avoid constant allocations */ static buffer *oup; static buffer *alloc_packetA; @@ -111,12 +126,11 @@ size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, memcpy(randstate, &Seed, sizeof(Seed)); // printhex("mutator input", Data, Size); - #if 0 - /* 1% chance straight llvm mutate */ - if (nrand48(randstate) % 100 == 0) { + + /* 0.1% chance straight llvm mutate */ + if (nrand48(randstate) % 1000 == 0) { return LLVMFuzzerMutate(Data, Size, MaxSize); } - #endif buffer inp_buf = {.data = Data, .size = Size, .len = Size, .pos = 0}; buffer *inp = &inp_buf; |