/src/libssh/tests/fuzz/ssh_known_hosts_fuzzer.c

Source
/*
 * Copyright 2022 Jakub Jelen <jjelen@redhat.com>
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIBSSH_STATIC 1
#include "libssh/libssh.h"
#include "knownhosts.c"

#include "nallocinc.c"

static void _fuzz_finalize(void)
{
    ssh_finalize();
}

int LLVMFuzzerInitialize(int *argc, char ***argv)
{
    (void)argc;

    nalloc_init(*argv[0]);

    ssh_init();

    atexit(_fuzz_finalize);

    return 0;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char *hostname = NULL;
    const uint8_t *hostname_end = NULL;
    size_t hostname_len = 0;
    char filename[256];
    struct ssh_list *entries = NULL;
    struct ssh_iterator *it = NULL;
    FILE *fp = NULL;

    /* Interpret the first part of the string (until the first NULL byte)
     * as a hostname we are searching for in the file */
    hostname_end = memchr(data, '\0', size);
    if (hostname_end == NULL) {
        return 1;
    }
    hostname_len = hostname_end - data + 1;
    if (hostname_len > 253) {
        /* This is the maximum valid length of a hostname */
        return 1;
    }
    hostname = malloc(hostname_len);
    if (hostname == NULL) {
        return 1;
    }
    memcpy(hostname, data, hostname_len);

    snprintf(filename, sizeof(filename), "/tmp/libfuzzer.%d", getpid());
    fp = fopen(filename, "wb");
    if (!fp) {
        free(hostname);
        return 1;
    }
    fwrite(data + hostname_len, size - hostname_len, 1, fp);
    fclose(fp);

    assert(nalloc_start(data, size) > 0);

    ssh_known_hosts_read_entries(hostname, filename, &entries);
    for (it = ssh_list_get_iterator(entries);
         it != NULL;
         it = ssh_list_get_iterator(entries)) {
        struct ssh_knownhosts_entry *entry = NULL;

        entry = ssh_iterator_value(struct ssh_knownhosts_entry *, it);
        ssh_knownhosts_entry_free(entry);
        ssh_list_remove(entries, it);
    }
    ssh_list_free(entries);

    ssh_finalize();

    free(hostname);
    unlink(filename);

    nalloc_end();
    return 0;
}

Line	Count	Source
1		/*
2		* Copyright 2022 Jakub Jelen <jjelen@redhat.com>
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*/
16
17		#include <assert.h>
18		#include <stdio.h>
19		#include <stdlib.h>
20		#include <string.h>
21
22		#define LIBSSH_STATIC 1
23		#include "libssh/libssh.h"
24		#include "knownhosts.c"
25
26		#include "nallocinc.c"
27
28		static void _fuzz_finalize(void)
29	4	{
30	4	ssh_finalize();
31	4	}
32
33		int LLVMFuzzerInitialize(int argc, char **argv)
34	32	{
35	32	(void)argc;
36
37	32	nalloc_init(*argv[0]);
38
39	32	ssh_init();
40
41	32	atexit(_fuzz_finalize);
42
43	32	return 0;
44	32	}
45
46		int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
47	2.95k	{
48	2.95k	char *hostname = NULL;
49	2.95k	const uint8_t *hostname_end = NULL;
50	2.95k	size_t hostname_len = 0;
51	2.95k	char filename[256];
52	2.95k	struct ssh_list *entries = NULL;
53	2.95k	struct ssh_iterator *it = NULL;
54	2.95k	FILE *fp = NULL;
55
56		/* Interpret the first part of the string (until the first NULL byte)
57		* as a hostname we are searching for in the file */
58	2.95k	hostname_end = memchr(data, '\0', size);
59	2.95k	if (hostname_end == NULL) {
60	4	return 1;
61	4	}
62	2.94k	hostname_len = hostname_end - data + 1;
63	2.94k	if (hostname_len > 253) {
64		/* This is the maximum valid length of a hostname */
65	23	return 1;
66	23	}
67	2.92k	hostname = malloc(hostname_len);
68	2.92k	if (hostname == NULL) {
69	0	return 1;
70	0	}
71	2.92k	memcpy(hostname, data, hostname_len);
72
73	2.92k	snprintf(filename, sizeof(filename), "/tmp/libfuzzer.%d", getpid());
74	2.92k	fp = fopen(filename, "wb");
75	2.92k	if (!fp) {
76	0	free(hostname);
77	0	return 1;
78	0	}
79	2.92k	fwrite(data + hostname_len, size - hostname_len, 1, fp);
80	2.92k	fclose(fp);
81
82	2.92k	assert(nalloc_start(data, size) > 0);
83
84	2.92k	ssh_known_hosts_read_entries(hostname, filename, &entries);
85	2.92k	for (it = ssh_list_get_iterator(entries);
86	5.13k	it != NULL;
87	2.92k	it = ssh_list_get_iterator(entries)) {
88	2.20k	struct ssh_knownhosts_entry *entry = NULL;
89
90	2.20k	entry = ssh_iterator_value(struct ssh_knownhosts_entry *, it);
91	2.20k	ssh_knownhosts_entry_free(entry);
92	2.20k	ssh_list_remove(entries, it);
93	2.20k	}
94	2.92k	ssh_list_free(entries);
95
96	2.92k	ssh_finalize();
97
98	2.92k	free(hostname);
99	2.92k	unlink(filename);
100
101	2.92k	nalloc_end();
102	2.92k	return 0;
103	2.92k	}

Coverage Report

Created: 2025-10-10 07:38