/src/dropbear/fuzz/fuzzer-cliconf.c

Source (jump to first uncovered line)
/* fuzz target for cli-readconf.c */

#include "fuzz.h"
#include "fuzz-wrapfd.h"
#include "debug.h"
#include "runopts.h"

static void setup_fuzzer(void) {
  fuzz_common_setup();
  /* Set up commandline args */
  char* args[2] = { "dbclient", "far" };
  cli_getopts(2, args);
}

// Needs to be outside so it doesn't get optimised away for the setjmp().
// volatile doesn't seem to work, unsure why.
static FILE *conf_file = NULL;

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  static int once = 0;
  if (!once) {
    setup_fuzzer();
    once = 1;
  }

  if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
    return 0;
  }

  m_malloc_set_epoch(1);

  if (setjmp(fuzz.jmp) == 0) {

    /* remotehost most be set before config parsing */
    m_free(cli_opts.remotehost);
    cli_opts.remotehost = m_strdup("far");
    /* optional arguments */
    if (buf_getbool(fuzz.input)) {
      m_free(cli_opts.username);
      cli_opts.username = m_strdup("someone");
    }
    if (buf_getbool(fuzz.input)) {
      m_free(cli_opts.remoteport);
      cli_opts.remoteport = m_strdup("999");
    }

    buffer *conf_buf = buf_getstringbuf(fuzz.input);
    if (conf_buf->len > 0)
    {
      conf_file = fmemopen(conf_buf->data, conf_buf->len, "r");
      read_config_file("fuzz", conf_file, &cli_opts);
      fclose(conf_file);
      conf_file = NULL;
    }
    buf_free(conf_buf);

    m_free(cli_opts.remotehost);
    m_free(cli_opts.remoteport);
    m_free(cli_opts.username);

    m_malloc_free_epoch(1, 0);
  } else {
    // Cleanup
    if (conf_file) {
      fclose(conf_file);
      conf_file = NULL;
    }

    m_free(cli_opts.remotehost);
    m_free(cli_opts.remoteport);
    m_free(cli_opts.username);

    m_malloc_free_epoch(1, 1);
    TRACE(("dropbear_exit longjmped"))
    /* dropbear_exit jumped here */
  }

  return 0;
}

Line	Count	Source (jump to first uncovered line)
1		/* fuzz target for cli-readconf.c */
2
3		#include "fuzz.h"
4		#include "fuzz-wrapfd.h"
5		#include "debug.h"
6		#include "runopts.h"
7
8	1	static void setup_fuzzer(void) {
9	1	fuzz_common_setup();
10		/* Set up commandline args */
11	1	char* args[2] = { "dbclient", "far" };
12	1	cli_getopts(2, args);
13	1	}
14
15		// Needs to be outside so it doesn't get optimised away for the setjmp().
16		// volatile doesn't seem to work, unsure why.
17		static FILE *conf_file = NULL;
18
19	482	int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
20	482	static int once = 0;
21	482	if (!once) {
22	1	setup_fuzzer();
23	1	once = 1;
24	1	}
25
26	482	if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
27	0	return 0;
28	0	}
29
30	482	m_malloc_set_epoch(1);
31
32	482	if (setjmp(fuzz.jmp) == 0) {
33
34		/* remotehost most be set before config parsing */
35	482	m_free(cli_opts.remotehost);
36	482	cli_opts.remotehost = m_strdup("far");
37		/* optional arguments */
38	482	if (buf_getbool(fuzz.input)) {
39	461	m_free(cli_opts.username);
40	461	cli_opts.username = m_strdup("someone");
41	461	}
42	482	if (buf_getbool(fuzz.input)) {
43	412	m_free(cli_opts.remoteport);
44	412	cli_opts.remoteport = m_strdup("999");
45	412	}
46
47	482	buffer *conf_buf = buf_getstringbuf(fuzz.input);
48	482	if (conf_buf->len > 0)
49	380	{
50	380	conf_file = fmemopen(conf_buf->data, conf_buf->len, "r");
51	380	read_config_file("fuzz", conf_file, &cli_opts);
52	380	fclose(conf_file);
53	380	conf_file = NULL;
54	380	}
55	482	buf_free(conf_buf);
56
57	482	m_free(cli_opts.remotehost);
58	482	m_free(cli_opts.remoteport);
59	482	m_free(cli_opts.username);
60
61	482	m_malloc_free_epoch(1, 0);
62	482	} else {
63		// Cleanup
64	211	if (conf_file) {
65	211	fclose(conf_file);
66	211	conf_file = NULL;
67	211	}
68
69	0	m_free(cli_opts.remotehost);
70	0	m_free(cli_opts.remoteport);
71	0	m_free(cli_opts.username);
72
73	0	m_malloc_free_epoch(1, 1);
74	0	TRACE(("dropbear_exit longjmped"))
75		/* dropbear_exit jumped here */
76	0	}
77
78	482	return 0;
79	482	}

Coverage Report

Created: 2025-08-26 06:44