authorDamien Miller <djm@cvs.openbsd.org>2016-10-11 21:47:46 +0000
committerDamien Miller <djm@cvs.openbsd.org>2016-10-11 21:47:46 +0000
commit8a89f1f8e3ae6db655c8367f2341044156219df2 (patch)
tree9077017bc8e9b33f0e5d227e53c350a57c99e372 /usr.bin/ssh/packet.c
parenta8d167f9a0a700e57d78e90ada368ddee1a8d689 (diff)
Add a per-packet input hook that is called with the decrypted packet
contents. This will be used for fuzzing; ok markus@
Diffstat (limited to 'usr.bin/ssh/packet.c')
-rw-r--r--usr.bin/ssh/packet.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/usr.bin/ssh/packet.c b/usr.bin/ssh/packet.c
index 587b0b9f4cc..9007fb87b97 100644
--- a/usr.bin/ssh/packet.c
+++ b/usr.bin/ssh/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.242 2016/09/30 09:19:13 markus Exp $ */
+/* $OpenBSD: packet.c,v 1.243 2016/10/11 21:47:45 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -213,6 +213,10 @@ struct session_state {
/* SSH1 CRC compensation attack detector */
struct deattack_ctx deattack;
+ /* Hook for fuzzing inbound packets */
+ ssh_packet_hook_fn *hook_in;
+ void *hook_in_ctx;
+
TAILQ_HEAD(, packet) outgoing;
};
@@ -257,6 +261,13 @@ ssh_alloc_session_state(void)
return NULL;
}
+void
+ssh_packet_set_input_hook(struct ssh *ssh, ssh_packet_hook_fn *hook, void *ctx)
+{
+ ssh->state->hook_in = hook;
+ ssh->state->hook_in_ctx = ctx;
+}
+
/* Returns nonzero if rekeying is in progress */
int
ssh_packet_is_rekeying(struct ssh *ssh)
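Review bot: ssh_packet_set_input_hook is added without any comment stating the hook contract, and nothing in the hunk says who owns `ctx`; the function only stores the raw pointer in `ssh->state->hook_in_ctx`, and no release path is visible in this diff. From the call site added later in the diff, a NULL hook disables the callback and a nonzero return from the hook is passed straight back to the caller of ssh_packet_read_poll2, so hooks presumably need to return SSH_ERR_* values. I would put this above the definition: `/* Install a callback run on every decrypted inbound packet (NULL removes it). ctx is borrowed, not freed here; a nonzero hook return aborts the read and is returned as the error. */`. The `ssh_packet_hook_fn` type is declared outside this file's diff, so the same wording may belong next to its declaration as well.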
@@ -1872,6 +1883,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
return r;
return SSH_ERR_PROTOCOL_ERROR;
}
+ if (state->hook_in != NULL &&
+ (r = state->hook_in(ssh, state->incoming_packet, typep,
+ state->hook_in_ctx)) != 0)
+ return r;
if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
r = ssh_packet_enable_delayed_compress(ssh);
else
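Review bot: The new call `state->hook_in(ssh, state->incoming_packet, typep, state->hook_in_ctx)` hands the hook writable pointers to the decrypted packet buffer and to `*typep`, and it sits after the block just above that returns SSH_ERR_PROTOCOL_ERROR, so whatever the hook rewrites is not checked again before the `*typep == SSH2_MSG_USERAUTH_SUCCESS` test and the code that follows. The commit message says this is for fuzzing, but the call is compiled unconditionally, so the contract should be stated at the call site, for example `/* hook may modify the packet and *typep; both are used below without re-validation */`. If the preceding block is the packet-type range check (its condition is outside the hunk), consider repeating that check once the hook returns 0. ssh_packet_read_poll2 begins and ends outside the hunk.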