1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
/* $OpenBSD: test_sshbuf_fuzz.c,v 1.4 2021/12/18 06:53:59 anton Exp $ */
/*
* Regress test for sshbuf.h buffer API
*
* Placed in the public domain
*/
#include "includes.h"
#include <sys/types.h>
#include <stdio.h>
#ifdef HAVE_STDINT_H
# include <stdint.h>
#endif
#include <stdlib.h>
#include <string.h>
#include "../test_helper/test_helper.h"
#include "ssherr.h"
#include "sshbuf.h"
#define NUM_FUZZ_TESTS (1 << 18)
void sshbuf_fuzz_tests(void);
void
sshbuf_fuzz_tests(void)
{
struct sshbuf *p1;
u_char *dp;
size_t sz, sz2, i, ntests = NUM_FUZZ_TESTS;
u_int32_t r;
int ret;
if (test_is_fast())
ntests >>= 2;
if (test_is_slow())
ntests <<= 2;
/* NB. uses sshbuf internals */
TEST_START("fuzz alloc/dealloc");
p1 = sshbuf_new();
ASSERT_INT_EQ(sshbuf_set_max_size(p1, 16 * 1024), 0);
ASSERT_PTR_NE(p1, NULL);
ASSERT_PTR_NE(sshbuf_ptr(p1), NULL);
ASSERT_MEM_ZERO_NE(sshbuf_ptr(p1), sshbuf_len(p1));
for (i = 0; i < ntests; i++) {
r = arc4random_uniform(10);
if (r == 0) {
/* 10% chance: small reserve */
r = arc4random_uniform(10);
fuzz_reserve:
sz = sshbuf_avail(p1);
sz2 = sshbuf_len(p1);
ret = sshbuf_reserve(p1, r, &dp);
if (ret < 0) {
ASSERT_PTR_EQ(dp, NULL);
ASSERT_SIZE_T_LT(sz, r);
ASSERT_SIZE_T_EQ(sshbuf_avail(p1), sz);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sz2);
} else {
ASSERT_PTR_NE(dp, NULL);
ASSERT_SIZE_T_GE(sz, r);
ASSERT_SIZE_T_EQ(sshbuf_avail(p1), sz - r);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sz2 + r);
memset(dp, arc4random_uniform(255) + 1, r);
}
} else if (r < 3) {
/* 20% chance: big reserve */
r = arc4random_uniform(8 * 1024);
goto fuzz_reserve;
} else if (r == 3) {
/* 10% chance: small consume */
r = arc4random_uniform(10);
fuzz_consume:
sz = sshbuf_avail(p1);
sz2 = sshbuf_len(p1);
/* 50% change consume from end, otherwise start */
ret = ((arc4random() & 1) ?
sshbuf_consume : sshbuf_consume_end)(p1, r);
if (ret < 0) {
ASSERT_SIZE_T_LT(sz2, r);
ASSERT_SIZE_T_EQ(sshbuf_avail(p1), sz);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sz2);
} else {
ASSERT_SIZE_T_GE(sz2, r);
ASSERT_SIZE_T_EQ(sshbuf_avail(p1), sz + r);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sz2 - r);
}
} else if (r < 8) {
/* 40% chance: big consume */
r = arc4random_uniform(2 * 1024);
goto fuzz_consume;
} else if (r == 8) {
/* 10% chance: reset max size */
r = arc4random_uniform(16 * 1024);
sz = sshbuf_max_size(p1);
if (sshbuf_set_max_size(p1, r) < 0)
ASSERT_SIZE_T_EQ(sshbuf_max_size(p1), sz);
else
ASSERT_SIZE_T_EQ(sshbuf_max_size(p1), r);
} else {
if (arc4random_uniform(8192) == 0) {
/* tiny chance: new buffer */
ASSERT_PTR_NE(sshbuf_ptr(p1), NULL);
ASSERT_MEM_ZERO_NE(sshbuf_ptr(p1), sshbuf_len(p1));
sshbuf_free(p1);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_set_max_size(p1,
16 * 1024), 0);
} else {
/* Almost 10%: giant reserve */
/* use arc4random_buf for r > 2^32 on 64 bit */
arc4random_buf(&r, sizeof(r));
while (r < SSHBUF_SIZE_MAX / 2) {
r <<= 1;
r |= arc4random() & 1;
}
goto fuzz_reserve;
}
}
ASSERT_PTR_NE(sshbuf_ptr(p1), NULL);
ASSERT_SIZE_T_LE(sshbuf_max_size(p1), 16 * 1024);
}
ASSERT_PTR_NE(sshbuf_ptr(p1), NULL);
ASSERT_MEM_ZERO_NE(sshbuf_ptr(p1), sshbuf_len(p1));
sshbuf_free(p1);
TEST_DONE();
}
|