fuzz: More like a C++ source #312

Merged
merged 1 commit into from
Jan 8, 2025
133 changes: 82 additions & 51 deletions fuzz/fuzz_http3serverreq.cc
Expand Up @@ -15,93 +15,110 @@ extern "C" {
}
#endif // defined(__cplusplus)

static int acked_stream_data(nghttp3_conn *conn, int64_t stream_id,
uint64_t datalen, void *conn_user_data,
void *stream_user_data) {
namespace {
int acked_stream_data(nghttp3_conn *conn, int64_t stream_id, uint64_t datalen,
void *conn_user_data, void *stream_user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(conn_user_data);

return fuzzed_data_provider->ConsumeBool() ? NGHTTP3_ERR_CALLBACK_FAILURE : 0;
}
} // namespace

static int stream_close(nghttp3_conn *conn, int64_t stream_id,
uint64_t app_error_code, void *conn_user_data,
void *stream_user_data) {
namespace {
int stream_close(nghttp3_conn *conn, int64_t stream_id, uint64_t app_error_code,
void *conn_user_data, void *stream_user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(conn_user_data);

return fuzzed_data_provider->ConsumeBool() ? NGHTTP3_ERR_CALLBACK_FAILURE : 0;
}
}; // namespace

static int recv_data(nghttp3_conn *conn, int64_t stream_id, const uint8_t *data,
size_t datalen, void *conn_user_data,
void *stream_user_data) {
namespace {
int recv_data(nghttp3_conn *conn, int64_t stream_id, const uint8_t *data,
size_t datalen, void *conn_user_data, void *stream_user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(conn_user_data);

return fuzzed_data_provider->ConsumeBool() ? NGHTTP3_ERR_CALLBACK_FAILURE : 0;
}
}; // namespace

static int deferred_consume(nghttp3_conn *conn, int64_t stream_id,
size_t consumed, void *conn_user_data,
void *stream_user_data) {
namespace {
int deferred_consume(nghttp3_conn *conn, int64_t stream_id, size_t consumed,
void *conn_user_data, void *stream_user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(conn_user_data);

return fuzzed_data_provider->ConsumeBool() ? NGHTTP3_ERR_CALLBACK_FAILURE : 0;
}
}; // namespace

static int begin_headers(nghttp3_conn *conn, int64_t stream_id,
void *conn_user_data, void *stream_user_data) {
namespace {
int begin_headers(nghttp3_conn *conn, int64_t stream_id, void *conn_user_data,
void *stream_user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(conn_user_data);

return fuzzed_data_provider->ConsumeBool() ? NGHTTP3_ERR_CALLBACK_FAILURE : 0;
}
}; // namespace

static int recv_header(nghttp3_conn *conn, int64_t stream_id, int32_t token,
nghttp3_rcbuf *name, nghttp3_rcbuf *value, uint8_t flags,
void *conn_user_data, void *stream_user_data) {
namespace {
int recv_header(nghttp3_conn *conn, int64_t stream_id, int32_t token,
nghttp3_rcbuf *name, nghttp3_rcbuf *value, uint8_t flags,
void *conn_user_data, void *stream_user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(conn_user_data);

return fuzzed_data_provider->ConsumeBool() ? NGHTTP3_ERR_CALLBACK_FAILURE : 0;
}
}; // namespace

static int end_headers(nghttp3_conn *conn, int64_t stream_id, int fin,
void *conn_user_data, void *stream_user_data) {
namespace {
int end_headers(nghttp3_conn *conn, int64_t stream_id, int fin,
void *conn_user_data, void *stream_user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(conn_user_data);

return fuzzed_data_provider->ConsumeBool() ? NGHTTP3_ERR_CALLBACK_FAILURE : 0;
}
}; // namespace

static int begin_trailers(nghttp3_conn *conn, int64_t stream_id,
void *conn_user_data, void *stream_user_data) {
namespace {
int begin_trailers(nghttp3_conn *conn, int64_t stream_id, void *conn_user_data,
void *stream_user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(conn_user_data);

return fuzzed_data_provider->ConsumeBool() ? NGHTTP3_ERR_CALLBACK_FAILURE : 0;
}
}; // namespace

static int recv_trailer(nghttp3_conn *conn, int64_t stream_id, int32_t token,
nghttp3_rcbuf *name, nghttp3_rcbuf *value,
uint8_t flags, void *conn_user_data,
void *stream_user_data) {
namespace {
int recv_trailer(nghttp3_conn *conn, int64_t stream_id, int32_t token,
nghttp3_rcbuf *name, nghttp3_rcbuf *value, uint8_t flags,
void *conn_user_data, void *stream_user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(conn_user_data);

return fuzzed_data_provider->ConsumeBool() ? NGHTTP3_ERR_CALLBACK_FAILURE : 0;
}
}; // namespace

static int end_trailers(nghttp3_conn *conn, int64_t stream_id, int fin,
void *conn_user_data, void *stream_user_data) {
namespace {
int end_trailers(nghttp3_conn *conn, int64_t stream_id, int fin,
void *conn_user_data, void *stream_user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(conn_user_data);

return fuzzed_data_provider->ConsumeBool() ? NGHTTP3_ERR_CALLBACK_FAILURE : 0;
}
}; // namespace

static int stop_sending(nghttp3_conn *conn, int64_t stream_id,
uint64_t app_error_code, void *conn_user_data,
void *stream_user_data) {
namespace {
int stop_sending(nghttp3_conn *conn, int64_t stream_id, uint64_t app_error_code,
void *conn_user_data, void *stream_user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(conn_user_data);

return fuzzed_data_provider->ConsumeBool() ? NGHTTP3_ERR_CALLBACK_FAILURE : 0;
}
}; // namespace

static int end_stream(nghttp3_conn *conn, int64_t stream_id,
void *conn_user_data, void *stream_user_data) {
namespace {
int end_stream(nghttp3_conn *conn, int64_t stream_id, void *conn_user_data,
void *stream_user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(conn_user_data);

if (fuzzed_data_provider->ConsumeBool()) {
Expand All @@ -117,8 +134,8 @@ static int end_stream(nghttp3_conn *conn, int64_t stream_id,

const nghttp3_nv nva[] = {
{
.name = (uint8_t *)name.c_str(),
.value = (uint8_t *)value.c_str(),
.name = reinterpret_cast<uint8_t *>(const_cast<char *>(name.c_str())),
.value = reinterpret_cast<uint8_t *>(const_cast<char *>(value.c_str())),
.namelen = name.size(),
.valuelen = value.size(),
},
Expand All @@ -127,47 +144,60 @@ static int end_stream(nghttp3_conn *conn, int64_t stream_id,
return nghttp3_conn_submit_response(conn, stream_id, nva,
nghttp3_arraylen(nva), nullptr);
}
}; // namespace

static int reset_stream(nghttp3_conn *conn, int64_t stream_id,
uint64_t app_error_code, void *conn_user_data,
void *stream_user_data) {
namespace {
int reset_stream(nghttp3_conn *conn, int64_t stream_id, uint64_t app_error_code,
void *conn_user_data, void *stream_user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(conn_user_data);

return fuzzed_data_provider->ConsumeBool() ? NGHTTP3_ERR_CALLBACK_FAILURE : 0;
}
}; // namespace

static int shutdown(nghttp3_conn *conn, int64_t id, void *conn_user_data) {
namespace {
int shutdown(nghttp3_conn *conn, int64_t id, void *conn_user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(conn_user_data);

return fuzzed_data_provider->ConsumeBool() ? NGHTTP3_ERR_CALLBACK_FAILURE : 0;
}
}; // namespace

static int recv_settings(nghttp3_conn *conn, const nghttp3_settings *settings,
void *conn_user_data) {
namespace {
int recv_settings(nghttp3_conn *conn, const nghttp3_settings *settings,
void *conn_user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(conn_user_data);

return fuzzed_data_provider->ConsumeBool() ? NGHTTP3_ERR_CALLBACK_FAILURE : 0;
}
}; // namespace

static void *fuzzed_malloc(size_t size, void *user_data) {
namespace {
void *fuzzed_malloc(size_t size, void *user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(user_data);

return fuzzed_data_provider->ConsumeBool() ? nullptr : malloc(size);
}
}; // namespace

static void *fuzzed_calloc(size_t nmemb, size_t size, void *user_data) {
namespace {
void *fuzzed_calloc(size_t nmemb, size_t size, void *user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(user_data);

return fuzzed_data_provider->ConsumeBool() ? nullptr : calloc(nmemb, size);
}
}; // namespace

static void *fuzzed_realloc(void *ptr, size_t size, void *user_data) {
namespace {
void *fuzzed_realloc(void *ptr, size_t size, void *user_data) {
auto fuzzed_data_provider = static_cast<FuzzedDataProvider *>(user_data);

return fuzzed_data_provider->ConsumeBool() ? nullptr : realloc(ptr, size);
}
}; // namespace

static int send_data(nghttp3_conn *conn) {
namespace {
int send_data(nghttp3_conn *conn) {
std::array<nghttp3_vec, 16> vec;
int64_t stream_id;
int fin;
Expand All @@ -194,9 +224,11 @@ static int send_data(nghttp3_conn *conn) {
}
}
}
}; // namespace

static int set_stream_priorities(nghttp3_conn *conn,
FuzzedDataProvider *fuzzed_data_provider) {
namespace {
int set_stream_priorities(nghttp3_conn *conn,
FuzzedDataProvider *fuzzed_data_provider) {
for (; fuzzed_data_provider->ConsumeBool();) {
auto stream_id = fuzzed_data_provider->ConsumeIntegralInRange<int64_t>(
0, NGHTTP3_MAX_VARINT);
Expand All @@ -215,6 +247,7 @@ static int set_stream_priorities(nghttp3_conn *conn,

return 0;
}
}; // namespace

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
FuzzedDataProvider fuzzed_data_provider(data, size);
Expand Down Expand Up @@ -252,7 +285,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
fuzzed_data_provider.ConsumeIntegral<uint8_t>();
settings.h3_datagram = fuzzed_data_provider.ConsumeIntegral<uint8_t>();

nghttp3_mem mem = *nghttp3_mem_default();
auto mem = *nghttp3_mem_default();
mem.user_data = &fuzzed_data_provider;
mem.malloc = fuzzed_malloc;
mem.calloc = fuzzed_calloc;
Expand All @@ -273,8 +306,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
goto fin;
}

nghttp3_ssize nread;

if (send_data(conn) != 0) {
goto fin;
}
Expand All @@ -292,8 +323,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
auto chunk = fuzzed_data_provider.ConsumeBytes<uint8_t>(chunk_size);
auto fin = fuzzed_data_provider.ConsumeBool();

nread = nghttp3_conn_read_stream(conn, stream_id, chunk.data(),
chunk.size(), fin);
auto nread = nghttp3_conn_read_stream(conn, stream_id, chunk.data(),
chunk.size(), fin);
if (nread < 0) {
goto fin;
}
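Review bot: In `end_stream`, the new initializers for `.name` and `.value` strip `const` from `name.c_str()` and `value.c_str()` with `const_cast<char *>` before the `reinterpret_cast`, so the compiler can no longer reject a write through those pointers into the strings' internal buffers. If `nghttp3_nv` declares both fields as `const uint8_t *` (the header is not visible here, so this needs confirming), the `const_cast` is unnecessary and `.name = reinterpret_cast<const uint8_t *>(name.c_str()),` with the same form for `.value` keeps const-correctness. If the fields are non-const, a one-line comment stating that `nghttp3_conn_submit_response` does not modify the buffers would document why the cast is safe. Separately, every closing line reads `}; // namespace` except the one after `acked_stream_data`, which uses `} // namespace`; the semicolon is an empty declaration and should be dropped for consistency. The body of `end_stream` is split across hunks, so the declarations of `name` and `value` are not visible.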