OSS-Fuzz Add fuzzer and corpora for sftp attr parsing

Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>

examples/ssh_client.c

@@ -337,6 +337,7 @@ static void batch_shell(ssh_session session)
 static int client(ssh_session session)
 {
     int auth = 0;
+    int authenticated = 0;
     char *banner = NULL;
     int state;
 
@@ -369,16 +370,28 @@ static int client(ssh_session session)
         return -1;
     }
 
-    ssh_userauth_none(session, NULL);
     banner = ssh_get_issue_banner(session);
     if (banner) {
         printf("%s\n", banner);
         free(banner);
     }
+    auth = ssh_userauth_none(session, NULL);
+    if (auth == SSH_AUTH_SUCCESS) {
+        authenticated = 1;
+    } else if (auth == SSH_AUTH_ERROR) {
+        fprintf(stderr,
+                "Authentication error during none auth: %s\n",
+                ssh_get_error(session));
+        return -1;
+    }
+
+    if (!authenticated) {
         auth = authenticate_console(session);
         if (auth != SSH_AUTH_SUCCESS) {
             return -1;
         }
+    }
+
     if (cmds[0] == NULL) {
         shell(session);
     } else {

tests/CMakeLists.txt

@@ -419,6 +419,9 @@ if (CLIENT_TESTING OR SERVER_TESTING)
     file(READ keys/pkcs11/id_pkcs11_ecdsa_256_openssh.pub CONTENTS)
     file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/home/charlie/.ssh/authorized_keys "${CONTENTS}")
 
+    # Create home directory for noneuser (for "none" authentication test)
+    file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/home/noneuser/.ssh)
+
     file(READ keys/pkcs11/id_pkcs11_ecdsa_384_openssh.pub CONTENTS)
     file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/home/charlie/.ssh/authorized_keys "${CONTENTS}")
 

tests/client/torture_auth.c

@@ -228,6 +228,44 @@ static void torture_auth_none_max_tries(void **state) {
     torture_update_sshd_config(state, "");
 }
 
+static void torture_auth_none_success(void **state)
+{
+    struct torture_state *s = *state;
+    const char *additional_config = "PermitEmptyPasswords yes\n"
+                                    "PasswordAuthentication yes\n"
+                                    "KbdInteractiveAuthentication no\n"
+                                    "PubkeyAuthentication no\n"
+                                    "AuthenticationMethods none\n";
+
+    ssh_session session = s->ssh.session;
+    int rc;
+
+    torture_update_sshd_config(state, additional_config);
+
+    /* Use noneuser which has an empty password set in shadow.in
+     * When PermitEmptyPasswords is yes and PasswordAuthentication is yes,
+     * OpenSSH's userauth_none() internally calls mm_auth_password() with
+     * an empty password, which succeeds for users with empty passwords.
+     */
+    rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_NONEUSER);
+    if (rc != SSH_OK) {
+        goto cleanup;
+    }
+
+    rc = ssh_connect(session);
+    if (rc != SSH_OK) {
+        goto cleanup;
+    }
+
+    rc = ssh_userauth_none(session, NULL);
+    assert_int_equal(rc, SSH_AUTH_SUCCESS);
+
+cleanup:
+    torture_update_sshd_config(state, "");
+    if (rc != SSH_OK && rc != SSH_AUTH_SUCCESS) {
+        assert_int_equal(rc, SSH_OK);
+    }
+}
 
 static void torture_auth_pubkey(void **state) {
     struct torture_state *s = *state;
@@ -1373,6 +1411,9 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_auth_none_nonblocking,
                                         session_setup,
                                         session_teardown),
+        cmocka_unit_test_setup_teardown(torture_auth_none_success,
+                                        session_setup,
+                                        session_teardown),
         cmocka_unit_test_setup_teardown(torture_auth_none_max_tries,
                                         session_setup,
                                         session_teardown),
@@ -1424,7 +1465,8 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_auth_agent_identities_only,
                                         agent_setup,
                                         agent_teardown),
-        cmocka_unit_test_setup_teardown(torture_auth_agent_identities_only_protected,
+        cmocka_unit_test_setup_teardown(
+            torture_auth_agent_identities_only_protected,
             agent_setup,
             agent_teardown),
         cmocka_unit_test_setup_teardown(torture_auth_pubkey_types,
@@ -1436,13 +1478,15 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_auth_pubkey_types_ecdsa,
                                         pubkey_setup,
                                         session_teardown),
-        cmocka_unit_test_setup_teardown(torture_auth_pubkey_types_ecdsa_nonblocking,
+        cmocka_unit_test_setup_teardown(
+            torture_auth_pubkey_types_ecdsa_nonblocking,
             pubkey_setup,
             session_teardown),
         cmocka_unit_test_setup_teardown(torture_auth_pubkey_types_ed25519,
                                         pubkey_setup,
                                         session_teardown),
-        cmocka_unit_test_setup_teardown(torture_auth_pubkey_types_ed25519_nonblocking,
+        cmocka_unit_test_setup_teardown(
+            torture_auth_pubkey_types_ed25519_nonblocking,
             pubkey_setup,
             session_teardown),
 #ifdef WITH_FIDO2
@@ -1456,7 +1500,8 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_auth_pubkey_rsa_key_size,
                                         pubkey_setup,
                                         session_teardown),
-        cmocka_unit_test_setup_teardown(torture_auth_pubkey_rsa_key_size_nonblocking,
+        cmocka_unit_test_setup_teardown(
+            torture_auth_pubkey_rsa_key_size_nonblocking,
             pubkey_setup,
             session_teardown),
         cmocka_unit_test_setup_teardown(torture_auth_pubkey_skip_none,

tests/etc/pam_matrix_passdb.in

@@ -2,3 +2,4 @@ bob:secret:sshd
 alice:secret:sshd
 charlie:secret:sshd
 doe:secret:sshd
+noneuser::sshd

tests/etc/passwd.in

@@ -3,6 +3,7 @@ alice:x:5001:9000:alice gecos:@HOMEDIR@/alice:/bin/sh
 charlie:x:5002:9000:charlie gecos:@HOMEDIR@/charlie:/bin/sh
 doe:x:5003:9000:doe gecos:@HOMEDIR@/doe:/bin/sh
 frank:x:5003:9000:doe gecos:@HOMEDIR@/frank:/bin/sh
+noneuser:x:5004:9000:noneuser gecos:@HOMEDIR@/noneuser:/bin/sh
 sshd:x:65530:65531:sshd:@HOMEDIR@:/sbin/nologin
 nobody:x:65533:65534:nobody gecos:@HOMEDIR@:/bin/false
 root:x:0:0:root gecos:@HOMEDIR@:/bin/false

tests/etc/shadow.in

@@ -2,3 +2,4 @@ alice:$6$0jWkA8VP$MvBUvtGy38jWCZ5KtqnZEKQWXvvImDkDhDQII1kTqtAp3/xH31b71c.AjGkBFl
 bob:$6$0jWkA8VP$MvBUvtGy38jWCZ5KtqnZEKQWXvvImDkDhDQII1kTqtAp3/xH31b71c.AjGkBFle.2QwCJQH7OzB/NXiMprusr/::0:::::
 charlie:$6$0jWkA8VP$MvBUvtGy38jWCZ5KtqnZEKQWXvvImDkDhDQII1kTqtAp3/xH31b71c.AjGkBFle.2QwCJQH7OzB/NXiMprusr/::0:::::
 doe:$6$0jWkA8VP$MvBUvtGy38jWCZ5KtqnZEKQWXvvImDkDhDQII1kTqtAp3/xH31b71c.AjGkBFle.2QwCJQH7OzB/NXiMprusr/::0:::::
+noneuser:::0:::::

tests/fuzz/CMakeLists.txt

@@ -33,6 +33,7 @@ fuzzer(ssh_client_config_fuzzer)
 fuzzer(ssh_known_hosts_fuzzer)
 fuzzer(ssh_privkey_fuzzer)
 fuzzer(ssh_pubkey_fuzzer)
+fuzzer(ssh_sftp_attr_fuzzer)
 fuzzer(ssh_sshsig_fuzzer)
 if (WITH_SERVER)
     fuzzer(ssh_server_fuzzer)

tests/fuzz/ssh_sftp_attr_fuzzer.c

@@ -0,0 +1,131 @@
+/*
+ * Copyright 2026 libssh authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <assert.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define LIBSSH_STATIC 1
+#include "libssh/libssh.h"
+#include "libssh/sftp.h"
+#include "libssh/sftp_priv.h"
+
+#include "nallocinc.c"
+
+/* SFTP protocol version constants */
+#define SFTP_PROTOCOL_VERSION_3 3
+#define SFTP_PROTOCOL_VERSION_4 4
+
+/* Flags for sftp_parse_attr expectname parameter */
+#define SFTP_EXPECT_NAME 1
+#define SFTP_NO_NAME 0
+
+/*
+ * Helper to create a minimal sftp_session for fuzzing.
+ * We don't use sftp_new() as it requires a real SSH connection.
+ */
+static sftp_session create_minimal_sftp_session(ssh_session session)
+{
+    sftp_session sftp;
+    
+    sftp = calloc(1, sizeof(struct sftp_session_struct));
+    if (sftp == NULL) {
+        return NULL;
+    }
+    sftp->session = session;
+    
+    return sftp;
+}
+
+static void _fuzz_finalize(void)
+{
+    ssh_finalize();
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+    (void)argc;
+
+    nalloc_init(*argv[0]);
+
+    ssh_init();
+
+    atexit(_fuzz_finalize);
+
+    return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    ssh_session session = NULL;
+    sftp_session sftp = NULL;
+    ssh_buffer buffer = NULL;
+    sftp_attributes attr = NULL;
+    int versions[] = {
+        SFTP_PROTOCOL_VERSION_3, SFTP_PROTOCOL_VERSION_3,
+        SFTP_PROTOCOL_VERSION_4, SFTP_PROTOCOL_VERSION_4
+    };
+    int expectnames[] = {SFTP_NO_NAME, SFTP_EXPECT_NAME, SFTP_NO_NAME, SFTP_EXPECT_NAME};
+    size_t i;
+
+    /* Minimum bytes for a valid SFTP message */
+    if (size == 0) {
+        return 0;
+    }
+
+    assert(nalloc_start(data, size) > 0);
+
+    /* Allocate shared resources once for all test iterations */
+    session = ssh_new();
+    if (session == NULL) {
+        goto cleanup;
+    }
+
+    sftp = create_minimal_sftp_session(session);
+    if (sftp == NULL) {
+        goto cleanup;
+    }
+
+    buffer = ssh_buffer_new();
+    if (buffer == NULL) {
+        goto cleanup;
+    }
+
+    /* Main fuzzing target: sftp_parse_attr */
+    /* Parses untrusted SFTP messages from client */
+    /* Test all combinations (v3/v4, with/without name) */
+    for (i = 0; i < (sizeof(versions) / sizeof(versions[0])); i++) {
+        sftp->version = versions[i];
+
+        /* Reset and repopulate buffer for each iteration */
+        ssh_buffer_reinit(buffer);
+        if (ssh_buffer_add_data(buffer, data, size) == SSH_OK) {
+            attr = sftp_parse_attr(sftp, buffer, expectnames[i]);
+            sftp_attributes_free(attr);
+            attr = NULL;
+        }
+    }
+
+cleanup:
+    ssh_buffer_free(buffer);
+    free(sftp);
+    ssh_free(session);
+    nalloc_end();
+
+    return 0;
+}

tests/torture.h

@@ -51,6 +51,7 @@
 
 #define TORTURE_SSH_USER_ALICE "alice"
 #define TORTURE_SSH_USER_CHARLIE "charlie"
+#define TORTURE_SSH_USER_NONEUSER "noneuser"
 
 /* Used by main to communicate with parse_opt. */
 struct argument_s {