From: Damien Miller Date: Sat, 30 Jan 2021 05:32:29 +0000 (+1100) Subject: allow a fuzz case to contain more than one request X-Git-Tag: V_8_5_P1~78 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a5dfc5bae8c16e2a7caf564758d812c7672480b5;p=thirdparty%2Fopenssh-portable.git allow a fuzz case to contain more than one request loop until input buffer empty, no message consumed or 256 messages processed
---
diff --git a/regress/misc/fuzz-harness/agent_fuzz_helper.c b/regress/misc/fuzz-harness/agent_fuzz_helper.c
index 1ea157637..1d419820c 100644
--- a/regress/misc/fuzz-harness/agent_fuzz_helper.c
+++ b/regress/misc/fuzz-harness/agent_fuzz_helper.c
@@ -147,10 +147,12 @@ reset_sockettab(int devnull)
 	assert(sockets[0].fd == fd);
 }
+#define MAX_MESSAGES 256
 void
 test_one(const uint8_t* s, size_t slen)
 {
 	static int devnull = -1;
+	size_t i, olen, nlen;
 	if (devnull == -1) {
 		log_init(__progname, SYSLOG_LEVEL_DEBUG3,
@@ -163,7 +165,13 @@ test_one(const uint8_t* s, size_t slen)
 	reset_idtab();
 	reset_sockettab(devnull);
 	(void)sshbuf_put(sockets[0].input, s, slen);
-	process_message(0);
+	for (i = 0; i < MAX_MESSAGES; i++) {
+		olen = sshbuf_len(sockets[0].input);
+		process_message(0);
+		nlen = sshbuf_len(sockets[0].input);
+		if (nlen == 0 || nlen == olen)
+			break;
+	}
 	cleanup_idtab();
 	cleanup_sockettab();
 }
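Review bot: The stop conditions of the new `for` loop in the second hunk are not explained at the site, so a reader has to work out that `nlen == olen` is a no-progress check (process_message() left the input untouched, presumably because the remaining bytes are not a complete message) and that MAX_MESSAGES only bounds how much work one fuzz case can trigger rather than being needed for termination, since the input buffer can only shrink between iterations as far as these lines show. A comment such as `/* Drain the input: stop when it is empty, when a call consumed nothing, or after MAX_MESSAGES requests. */` above the `for` would make that explicit, and the `#define MAX_MESSAGES 256` in the first hunk would read better with a one-line note that it caps requests per fuzz case. As a point of style, the harness declares `size_t i, olen, nlen;` on one line while the loop could declare `i` in the `for` header and the two lengths at first use. test_one's body continues between the two hunks, outside what is shown here.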