From ce26b56e13d813800ad1fe97cec26d2830f6ed7a Mon Sep 17 00:00:00 2001
From: Stanislav Zidek
Date: Mon, 25 Oct 2021 20:28:41 +0200
Subject: [PATCH] client configuration fuzzing and fixes
Signed-off-by: Stanislav Zidek
Reviewed-by: Andreas Schneider
Reviewed-by: Jakub Jelen
---
src/misc.c | 30 ++++++++++++--
tests/fuzz/CMakeLists.txt | 1 +
tests/fuzz/ssh_client_config_fuzzer.cpp | 55 +++++++++++++++++++++++++
3 files changed, 83 insertions(+), 3 deletions(-)
create mode 100644 tests/fuzz/ssh_client_config_fuzzer.cpp
diff --git a/src/misc.c b/src/misc.c
index 6472d583..97c3a0ef 100644
--- a/src/misc.c
+++ b/src/misc.c
@@ -1156,7 +1156,15 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) {
 case '%':
 goto escape;
 case 'd':
- x = strdup(session->opts.sshdir);
+ if (session->opts.sshdir) {
+ x = strdup(session->opts.sshdir);
+ } else {
+ ssh_set_error(session, SSH_FATAL,
+ "Cannot expand sshdir");
+ free(buf);
+ free(r);
+ return NULL;
+ }
 break;
 case 'u':
 x = ssh_get_local_username();
@@ -1167,10 +1175,26 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) {
 }
 break;
 case 'h':
- x = strdup(session->opts.host);
+ if (session->opts.host) {
+ x = strdup(session->opts.host);
+ } else {
+ ssh_set_error(session, SSH_FATAL,
+ "Cannot expand host");
+ free(buf);
+ free(r);
+ return NULL;
+ }
 break;
 case 'r':
- x = strdup(session->opts.username);
+ if (session->opts.username) {
+ x = strdup(session->opts.username);
+ } else {
+ ssh_set_error(session, SSH_FATAL,
+ "Cannot expand username");
+ free(buf);
+ free(r);
+ return NULL;
+ }
 break;
 case 'p':
 if (session->opts.port < 65536) {
diff --git a/tests/fuzz/CMakeLists.txt b/tests/fuzz/CMakeLists.txt
index 5982e81c..dcdfd808 100644
--- a/tests/fuzz/CMakeLists.txt
+++ b/tests/fuzz/CMakeLists.txt
@@ -21,3 +21,4 @@ endmacro()
 fuzzer(ssh_client_fuzzer)
 fuzzer(ssh_server_fuzzer)
+fuzzer(ssh_client_config_fuzzer)
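Review bot: The new `else` branch in the `'d'` case repeats `ssh_set_error` followed by `free(buf); free(r); return NULL;`, and the same four-line unwind is copied again for `'h'` and `'r'` in the next hunk; duplicated cleanup is exactly where a later resource added to this function gets missed on one of the paths, so a single shared failure label is the safer shape. The success path's `strdup()` result is still unchecked inside the hunk — presumably a post-switch `x == NULL` check exists, but it is outside what is shown here. `ssh_path_expand_escape` starts before and ends after this hunk, so the label would have to live at the end of the function, alongside the `escape:` target that `case '%'` already jumps to.
```c
        case 'd':
            if (session->opts.sshdir == NULL) {
                ssh_set_error(session, SSH_FATAL, "Cannot expand sshdir");
                goto error;
            }
            x = strdup(session->opts.sshdir);
            break;
/* … unchanged: remaining cases; the label sits after the normal return, outside this hunk … */
error:
    free(buf);
    free(r);
    return NULL;
```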
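Review bot: The messages `"Cannot expand host"` and `"Cannot expand username"` in the new `'h'` and `'r'` branches name the session field rather than the escape the user actually wrote, so someone whose config contains `%h` or `%r` gets no pointer to the offending token. Spelling the escape out, e.g. `"Cannot expand %%h: no host is set on the session"` (doubling the percent only if `ssh_set_error` takes a printf-style format, which this hunk does not show), makes the failure self-explaining. This appears to be the condition the new fuzzer reaches, since it parses a config string into a fresh `ssh_new()` session where no host or username has been set yet; a one-line comment above the guard saying so would tell the next reader why the NULL case is a real input and not a programming error. The enclosing function starts before and ends after this hunk.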
diff --git a/tests/fuzz/ssh_client_config_fuzzer.cpp b/tests/fuzz/ssh_client_config_fuzzer.cpp
new file mode 100644
index 00000000..47fd4222
--- /dev/null
+++ b/tests/fuzz/ssh_client_config_fuzzer.cpp
@@ -0,0 +1,55 @@
+/*
+ * Copyright 2021 Stanislav Zidek
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+extern "C" {
+
+#include
+#include
+#include
+#include
+
+#define LIBSSH_STATIC 1
+#include "libssh/libssh.h"
+#include "libssh/options.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ ssh_session session = NULL;
+ char *input = NULL;
+
+ input = (char *)malloc(size+1);
+ if (!input) {
+ return 1;
+ }
+ strncpy(input, (const char *)data, size);
+ input[size] = '\0';
+
+ ssh_init();
+
+ session = ssh_new();
+ assert(session != NULL);
+
+ ssh_config_parse_string(session, input);
+
+ ssh_free(session);
+ ssh_finalize();
+
+ free(input);
+
+ return 0;
+}
+
+}
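Review bot: `return 1;` on the `malloc` failure path does not follow libFuzzer's contract for `LLVMFuzzerTestOneInput`, which documents 0 as the only normal return value (newer versions reserve -1 to ask the driver to discard the input and treat other values as reserved); `return 0;` is the right choice, since an allocation failure says nothing about the input. The `strncpy` into `input` is only correct because of the explicit `input[size] = '\0'` that follows — the fuzzer hands over arbitrary bytes, possibly with embedded NULs, so `memcpy(input, data, size);` states the intent directly and avoids strncpy's stop-at-NUL-and-pad semantics. `ssh_init()` is called without checking its result while `ssh_new()` is asserted; treating both the same, `assert(ssh_init() == 0);` (assuming it follows libssh's 0-on-success convention), keeps a broken library init from reading as a clean run instead of silently skewing every subsequent iteration.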