Hello Yevgeny, Thanks for getting in touch. We were included in the oss-fuzz repository, but I'm not sure anybody ever actually did the work of integrating Mosh or fuzzing it. (People have separately fuzzed the terminal emulator and found some overcautious assertions that we ended up removing; see https://github.com/mobile-shell/mosh/issues/667 ). We certainly never heard anything from them -- if we were supposed to do something on our end beyond submitting the initial pull request to be included, we didn't do it.
If you want to fuzz Mosh, we'd love to help you. I think you probably want to fuzz Mosh at several different layers, e.g.: - raw datagram input - network input after removing encryption and validation of the integrity check - network input after removing encryption, integrity validation, and compression - network input to the terminal emulator (e.g. arbitrary actions on the CompleteTerminal object) - user keyboard input Best regards, Keith On Sun, Jun 23, 2019 at 8:16 PM Yevgeny Pats <y...@fuzzit.dev> wrote: > Hi Keith, > > I'm Yevgeny Pats, founder of Fuzzit <https://fuzzit.dev/> - a continuous > fuzzing as a service platform. > > We are providing free continuous fuzzing + PR sanity tests to OSS > projects. I know you are using OSS-fuzz so I wanted to know what the > current status of the integration and if you need additional resources or > features. > > I'll be happy to help create an integration with Fuzzit. We provide > continuous fuzzing for projects like systemd, radare, apache. > > You can read about systemd-fuzzit case study here > <https://fuzzit.dev/2019/06/20/continuous-fuzzing-systemd-case-study/> where > they use our platform in addition to OSS-fuzz. > > Also, will be happy to discuss fuzzing in general and share ideas. > > Looking forward to hearing from you, > > Yevgeny Pats, > Founder & CEO, Fuzzit >
_______________________________________________ mosh-devel mailing list mosh-devel@mit.edu http://mailman.mit.edu/mailman/listinfo/mosh-devel