fixup: add response fuzzer
kgiusti committed Dec 18, 2024
1 parent 6d4d2dd commit fe0dda6
Showing 6 changed files with 140 additions and 4 deletions.
1 change: 1 addition & 0 deletions tests/fuzz/CMakeLists.txt
Expand Up @@ -52,3 +52,4 @@ endmacro(add_fuzz_test test)

add_fuzz_test(fuzz_http2_decoder fuzz_http2_decoder.c)
add_fuzz_test(fuzz_http1_request_decoder fuzz_http1_request_decoder.c)
add_fuzz_test(fuzz_http1_response_decoder fuzz_http1_response_decoder.c)
10 changes: 6 additions & 4 deletions tests/fuzz/Containerfile
Expand Up @@ -34,7 +34,9 @@ WORKDIR /src/qpid-proton
RUN mkdir build && cd build && cmake .. -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INTERPROCEDURAL_OPTIMIZATION=OFF -DENABLE_LINKTIME_OPTIMIZATION=OFF -DBUILD_TLS=ON -DSSL_IMPL=openssl -DBUILD_TOOLS=OFF -DBUILD_EXAMPLES=OFF -DBUILD_TESTING=OFF && make install

WORKDIR /src
RUN git clone --depth 1 https://github.com/skupperproject/skupper-router.git
# RUN git clone --depth 1 https://github.com/skupperproject/skupper-router.git
# DO NOT MERGE!
RUN git clone --depth 1 --branch ISSUE-1702 https://github.com/kgiusti/skupper-router.git

WORKDIR /src/skupper-router

Expand All @@ -60,9 +62,9 @@ RUN make -k install
# because http1 message formats are different for request and response
# messages.

#LD_LIBRARY_PATH=/usr/local/lib/clang/18/lib/x86_64-unknown-linux-gnu/ AFL_MAP_SIZE=10000000 AFL_DEBUG=1 AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 afl-fuzz -i /src/skupper-router/tests/fuzz/fuzz_http1_request_decoder/corpus/ -o findings_dir /src/skupper-router/build/tests/fuzz/fuzz_http1_request_decoder; fi
#LD_LIBRARY_PATH=/usr/local/lib/clang/18/lib/x86_64-unknown-linux-gnu/ AFL_MAP_SIZE=10000000 AFL_DEBUG=1 AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 afl-fuzz -i /src/skupper-router/tests/fuzz/fuzz_http1_response_decoder/corpus/ -o findings_dir /src/skupper-router/build/tests/fuzz/fuzz_http1_response_decoder; fi
#LD_LIBRARY_PATH=/usr/local/lib/clang/18/lib/x86_64-unknown-linux-gnu/ AFL_MAP_SIZE=10000000 AFL_DEBUG=1 AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 afl-fuzz -i /src/skupper-router/tests/fuzz/fuzz_http2_decoder/corpus/ -o findings_dir /src/skupper-router/build/tests/fuzz/fuzz_http2_decoder; fi
#LD_LIBRARY_PATH=/usr/local/lib/clang/18/lib/x86_64-unknown-linux-gnu/ AFL_MAP_SIZE=10000000 AFL_DEBUG=1 AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 afl-fuzz -i /src/skupper-router/tests/fuzz/fuzz_http1_request_decoder/corpus/ -o findings_dir /src/skupper-router/build/tests/fuzz/fuzz_http1_request_decoder
#LD_LIBRARY_PATH=/usr/local/lib/clang/18/lib/x86_64-unknown-linux-gnu/ AFL_MAP_SIZE=10000000 AFL_DEBUG=1 AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 afl-fuzz -i /src/skupper-router/tests/fuzz/fuzz_http1_response_decoder/corpus/ -o findings_dir /src/skupper-router/build/tests/fuzz/fuzz_http1_response_decoder
#LD_LIBRARY_PATH=/usr/local/lib/clang/18/lib/x86_64-unknown-linux-gnu/ AFL_MAP_SIZE=10000000 AFL_DEBUG=1 AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 afl-fuzz -i /src/skupper-router/tests/fuzz/fuzz_http2_decoder/corpus/ -o findings_dir /src/skupper-router/build/tests/fuzz/fuzz_http2_decoder

CMD ["/bin/bash"]
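Review bot: The `RUN git clone` that replaces the upstream clone now builds the router from a personal fork on a mutable branch (`--branch ISSUE-1702 https://github.com/kgiusti/skupper-router.git`) while the upstream `skupperproject/skupper-router.git` line is commented out, and the `# DO NOT MERGE!` comment is the only thing guarding against this landing. Because the image installs whatever that branch holds at build time, its contents are no longer reproducible from the upstream repository, which matters for a fuzzing container whose findings get reported against upstream. Before merge restore `RUN git clone --depth 1 https://github.com/skupperproject/skupper-router.git` and drop the fork lines; if a non-upstream ref is genuinely needed for a while, pin it to a commit rather than a branch name. The removal of the stray `; fi` from the commented-out afl-fuzz example lines further down is fine as they are documentation only.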

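--- /dev/null
+++ b/tests/fuzz/fuzz_http1_response_decoder.c
@@ -0,0 +1,117 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+
+#include <qpid/dispatch/alloc_pool.h>
+
+#include "decoders/http1/http1_decoder.h"
+#include "qpid/dispatch/ctools.h"
+
+#include "libFuzzingEngine.h"
+
+void qd_log_initialize(void);
+void qd_error_initialize(void);
+void qd_router_id_finalize(void);
+void qd_log_finalize(void);
+
+/**
+* This function is processed on exit
+*/
+void call_on_exit(void)
+{
+qd_log_finalize();
+qd_alloc_finalize();
+qd_router_id_finalize();
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+atexit(call_on_exit);
+
+qd_alloc_initialize();
+qd_log_initialize();
+qd_error_initialize();
+return 0;
+}
+
+//
+// Dummy callbacks for the decoder.
+//
+
+static int _rx_request(qd_http1_decoder_connection_t *hconn,
+const char *method,
+const char *target,
+uint32_t version_major,
+uint32_t version_minor,
+uintptr_t *request_context)
+{
+*request_context = 1;
+return 0;
+}
+
+static int _rx_response(qd_http1_decoder_connection_t *hconn, uintptr_t request_context,
+int status_code,
+const char *reason_phrase,
+uint32_t version_major,
+uint32_t version_minor)
+{ return 0; }
+
+static int _rx_header(qd_http1_decoder_connection_t *hconn, uintptr_t request_context, bool from_client,
+const char *key, const char *value)
+{ return 0; }
+
+static int _rx_headers_done(qd_http1_decoder_connection_t *hconn, uintptr_t request_context, bool from_client)
+{ return 0; }
+
+static int _rx_body(qd_http1_decoder_connection_t *hconn, uintptr_t request_context, bool from_client, const unsigned char *body, size_t length)
+{ return 0; }
+
+static int _message_done(qd_http1_decoder_connection_t *hconn, uintptr_t request_context, bool from_client)
+{ return 0; }
+
+static int _transaction_complete(qd_http1_decoder_connection_t *hconn, uintptr_t request_context)
+{ return 0; }
+
+static void _protocol_error(qd_http1_decoder_connection_t *hconn, const char *reason)
+{ }
+
+
+const struct qd_http1_decoder_config_t test_config = {
+.rx_request = _rx_request,
+.rx_response = _rx_response,
+.rx_header = _rx_header,
+.rx_headers_done = _rx_headers_done,
+.rx_body = _rx_body,
+.message_done = _message_done,
+.transaction_complete = _transaction_complete,
+.protocol_error = _protocol_error
+};
+
+
+// The decoder expects a request to start decoding. Use a simple GET request
+const char *request = "GET / HTTP/1.1\r\nContent-length: 0\r\n\r\n";
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+qd_http1_decoder_connection_t *conn_state = qd_http1_decoder_connection(&test_config, 1);
+qd_http1_decoder_connection_rx_data(conn_state, true, (const unsigned char *) request, strlen(request));
+qd_http1_decoder_connection_rx_data(conn_state, false, (const unsigned char *) data, size);
+qd_http1_decoder_connection_free(conn_state);
+return 0;
+}
+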
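Review bot: `LLVMFuzzerTestOneInput` hands the entire fuzz buffer to `qd_http1_decoder_connection_rx_data` in a single call, so the decoder's paths for a status line, header field or chunk that is split across two receive buffers are never reached by this harness, and those resume paths are exactly where a parser is most likely to mis-handle state. Delivering the input in two pieces covers them without changing the interface: `size_t half = size / 2;`, then one `rx_data` call for `data, half` and one for `data + half, size - half`. The file also calls `atexit` and `strlen` and uses `uint8_t`/`bool` without including `<stdlib.h>`, `<string.h>`, `<stdint.h>` or `<stdbool.h>` itself; these presumably arrive through the project headers, but the explicit includes would make the harness self-contained. `test_config` and `request` are file-scope definitions without `static` and could be made `static` (and `request` a `static const char request[]`) to keep them out of the global namespace.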
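--- /dev/null
+++ b/tests/fuzz/fuzz_http1_response_decoder/corpus/seed1
@@ -0,0 +1,2 @@
+HTTP/1.0 200 OK
+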
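--- /dev/null
+++ b/tests/fuzz/fuzz_http1_response_decoder/corpus/seed2
@@ -0,0 +1,5 @@
+HTTP/1.1 200 OK
+header: foo
+content-length: 10
+
+ABCDEFGHIJ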
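--- /dev/null
+++ b/tests/fuzz/fuzz_http1_response_decoder/corpus/seed3
@@ -0,0 +1,9 @@
+HTTP/1.1 200 OK
+transfer-encoding: yes,no, chunked
+hdr: value
+
+B;joe=bob
+01234567891
+0000
+trailer: field
+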