/src/dropbear/fuzz/fuzzer-cliconf.c

Source
/* fuzz target for cli-readconf.c */

#include "fuzz.h"
#include "fuzz-wrapfd.h"
#include "debug.h"
#include "runopts.h"

static void setup_fuzzer(void) {
  fuzz_common_setup();
  /* Set up commandline args */
  char* args[2] = { "dbclient", "far" };
  cli_getopts(2, args);
}

// Needs to be outside so it doesn't get optimised away for the setjmp().
// volatile doesn't seem to work, unsure why.
static FILE *conf_file = NULL;

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  static int once = 0;
  if (!once) {
    setup_fuzzer();
    once = 1;
  }

  if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
    return 0;
  }

  m_malloc_set_epoch(1);

  if (setjmp(fuzz.jmp) == 0) {

    /* remotehost most be set before config parsing */
    m_free(cli_opts.remotehost);
    cli_opts.remotehost = m_strdup("far");
    /* optional arguments */
    if (buf_getbool(fuzz.input)) {
      m_free(cli_opts.username);
      cli_opts.username = m_strdup("someone");
    }
    if (buf_getbool(fuzz.input)) {
      m_free(cli_opts.remoteport);
      cli_opts.remoteport = m_strdup("999");
    }

    buffer *conf_buf = buf_getstringbuf(fuzz.input);
    if (conf_buf->len > 0)
    {
      conf_file = fmemopen(conf_buf->data, conf_buf->len, "r");
      read_config_file("fuzz", conf_file, &cli_opts);
      fclose(conf_file);
      conf_file = NULL;
    }
    buf_free(conf_buf);

    m_free(cli_opts.remotehost);
    m_free(cli_opts.remoteport);
    m_free(cli_opts.username);

    m_malloc_free_epoch(1, 0);
  } else {
    // Cleanup
    if (conf_file) {
      fclose(conf_file);
      conf_file = NULL;
    }

    m_free(cli_opts.remotehost);
    m_free(cli_opts.remoteport);
    m_free(cli_opts.username);

    m_malloc_free_epoch(1, 1);
    TRACE(("dropbear_exit longjmped"))
    /* dropbear_exit jumped here */
  }

  return 0;
}

Line	Count	Source
1		/* fuzz target for cli-readconf.c */
2
3		#include "fuzz.h"
4		#include "fuzz-wrapfd.h"
5		#include "debug.h"
6		#include "runopts.h"
7
8	1	static void setup_fuzzer(void) {
9	1	fuzz_common_setup();
10		/* Set up commandline args */
11	1	char* args[2] = { "dbclient", "far" };
12	1	cli_getopts(2, args);
13	1	}
14
15		// Needs to be outside so it doesn't get optimised away for the setjmp().
16		// volatile doesn't seem to work, unsure why.
17		static FILE *conf_file = NULL;
18
19	450	int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
20	450	static int once = 0;
21	450	if (!once) {
22	1	setup_fuzzer();
23	1	once = 1;
24	1	}
25
26	450	if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
27	0	return 0;
28	0	}
29
30	450	m_malloc_set_epoch(1);
31
32	450	if (setjmp(fuzz.jmp) == 0) {
33
34		/* remotehost most be set before config parsing */
35	450	m_free(cli_opts.remotehost);
36	450	cli_opts.remotehost = m_strdup("far");
37		/* optional arguments */
38	450	if (buf_getbool(fuzz.input)) {
39	430	m_free(cli_opts.username);
40	430	cli_opts.username = m_strdup("someone");
41	430	}
42	450	if (buf_getbool(fuzz.input)) {
43	381	m_free(cli_opts.remoteport);
44	381	cli_opts.remoteport = m_strdup("999");
45	381	}
46
47	450	buffer *conf_buf = buf_getstringbuf(fuzz.input);
48	450	if (conf_buf->len > 0)
49	357	{
50	357	conf_file = fmemopen(conf_buf->data, conf_buf->len, "r");
51	357	read_config_file("fuzz", conf_file, &cli_opts);
52	357	fclose(conf_file);
53	357	conf_file = NULL;
54	357	}
55	450	buf_free(conf_buf);
56
57	450	m_free(cli_opts.remotehost);
58	450	m_free(cli_opts.remoteport);
59	450	m_free(cli_opts.username);
60
61	450	m_malloc_free_epoch(1, 0);
62	450	} else {
63		// Cleanup
64	193	if (conf_file) {
65	193	fclose(conf_file);
66	193	conf_file = NULL;
67	193	}
68
69	0	m_free(cli_opts.remotehost);
70	0	m_free(cli_opts.remoteport);
71	0	m_free(cli_opts.username);
72
73	0	m_malloc_free_epoch(1, 1);
74	0	TRACE(("dropbear_exit longjmped"))
75		/* dropbear_exit jumped here */
76	0	}
77
78	450	return 0;
79	450	}

Coverage Report

Created: 2025-10-28 06:27