/src/dropbear/fuzz/fuzzer-kexdh.c

Source (jump to first uncovered line)
#include "fuzz.h"
#include "session.h"
#include "fuzz-wrapfd.h"
#include "debug.h"
#include "runopts.h"
#include "algo.h"
#include "bignum.h"

static struct key_context* keep_newkeys = NULL;
#define NUM_PARAMS 80
static struct kex_dh_param *dh_params[NUM_PARAMS];

static void setup() __attribute__((constructor));
// Perform initial setup here to avoid hitting timeouts on first run
static void setup() {
  fuzz_common_setup();
  fuzz_svr_setup();

  keep_newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
  keep_newkeys->algo_kex = fuzz_get_algo(sshkex, "diffie-hellman-group14-sha256");
  keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ECDSA_NISTP256;
  ses.newkeys = keep_newkeys;

  /* Pre-generate parameters */
  int i;
  for (i = 0; i < NUM_PARAMS; i++) {
    dh_params[i] = gen_kexdh_param();
  }
}

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
    return 0;
  }

  m_malloc_set_epoch(1);

  if (setjmp(fuzz.jmp) == 0) {
    /* Based on recv_msg_kexdh_init()/send_msg_kexdh_reply() 
    with DROPBEAR_KEX_NORMAL_DH */
    ses.newkeys = keep_newkeys;

    /* Choose from the collection of ecdh params */
    unsigned int e = buf_getint(fuzz.input);
    struct kex_dh_param * dh_param = dh_params[e % NUM_PARAMS];

    DEF_MP_INT(dh_e);
    m_mp_init(&dh_e);
    if (buf_getmpint(fuzz.input, &dh_e) != DROPBEAR_SUCCESS) {
      dropbear_exit("Bad kex value");
    }

    ses.kexhashbuf = buf_new(KEXHASHBUF_MAX_INTS);
    kexdh_comb_key(dh_param, &dh_e, svr_opts.hostkey);

    mp_clear(ses.dh_K);
    m_free(ses.dh_K);
    mp_clear(&dh_e);

    buf_free(ses.hash);
    buf_free(ses.session_id);
    /* kexhashbuf is freed in kexdh_comb_key */

    m_malloc_free_epoch(1, 0);
  } else {
    m_malloc_free_epoch(1, 1);
    TRACE(("dropbear_exit longjmped"))
    /* dropbear_exit jumped here */
  }

  return 0;
}

Line	Count	Source (jump to first uncovered line)
1		#include "fuzz.h"
2		#include "session.h"
3		#include "fuzz-wrapfd.h"
4		#include "debug.h"
5		#include "runopts.h"
6		#include "algo.h"
7		#include "bignum.h"
8
9		static struct key_context* keep_newkeys = NULL;
10	798	#define NUM_PARAMS 80
11		static struct kex_dh_param *dh_params[NUM_PARAMS];
12
13		static void setup() __attribute__((constructor));
14		// Perform initial setup here to avoid hitting timeouts on first run
15	2	static void setup() {
16	2	fuzz_common_setup();
17	2	fuzz_svr_setup();
18
19	2	keep_newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
20	2	keep_newkeys->algo_kex = fuzz_get_algo(sshkex, "diffie-hellman-group14-sha256");
21	2	keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ECDSA_NISTP256;
22	2	ses.newkeys = keep_newkeys;
23
24		/* Pre-generate parameters */
25	2	int i;
26	162	for (i = 0; i < NUM_PARAMS; i++) {
27	160	dh_params[i] = gen_kexdh_param();
28	160	}
29	2	}
30
31	636	int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
32	636	if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
33	0	return 0;
34	0	}
35
36	636	m_malloc_set_epoch(1);
37
38	636	if (setjmp(fuzz.jmp) == 0) {
39		/* Based on recv_msg_kexdh_init()/send_msg_kexdh_reply()
40		with DROPBEAR_KEX_NORMAL_DH */
41	636	ses.newkeys = keep_newkeys;
42
43		/* Choose from the collection of ecdh params */
44	636	unsigned int e = buf_getint(fuzz.input);
45	636	struct kex_dh_param * dh_param = dh_params[e % NUM_PARAMS];
46
47	636	DEF_MP_INT(dh_e);
48	636	m_mp_init(&dh_e);
49	636	if (buf_getmpint(fuzz.input, &dh_e) != DROPBEAR_SUCCESS) {
50	64	dropbear_exit("Bad kex value");
51	64	}
52
53	572	ses.kexhashbuf = buf_new(KEXHASHBUF_MAX_INTS);
54	572	kexdh_comb_key(dh_param, &dh_e, svr_opts.hostkey);
55
56	572	mp_clear(ses.dh_K);
57	572	m_free(ses.dh_K);
58	572	mp_clear(&dh_e);
59
60	572	buf_free(ses.hash);
61	572	buf_free(ses.session_id);
62		/* kexhashbuf is freed in kexdh_comb_key */
63
64	572	m_malloc_free_epoch(1, 0);
65	572	} else {
66	0	m_malloc_free_epoch(1, 1);
67	0	TRACE(("dropbear_exit longjmped"))
68		/* dropbear_exit jumped here */
69	0	}
70
71	572	return 0;
72	636	}

Coverage Report

Created: 2025-07-11 06:12