129 lines
5.0 KiB
C++
129 lines
5.0 KiB
C++
// Copyright 2019 The Chromium OS Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
#include <stddef.h>
|
|
#include <stdint.h>
|
|
|
|
#include <base/files/file_path.h>
|
|
#include <base/files/file_util.h>
|
|
#include <base/files/scoped_temp_dir.h>
|
|
#include <base/logging.h>
|
|
#include <brillo/http/http_form_data.h>
|
|
#include <brillo/streams/memory_stream.h>
|
|
#include <fuzzer/FuzzedDataProvider.h>
|
|
|
|
namespace {
|
|
constexpr int kRandomDataMaxLength = 64;
|
|
constexpr int kMaxRecursionDepth = 256;
|
|
|
|
std::unique_ptr<brillo::http::TextFormField> CreateTextFormField(
|
|
FuzzedDataProvider* data_provider) {
|
|
return std::make_unique<brillo::http::TextFormField>(
|
|
data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
|
|
data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
|
|
data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
|
|
data_provider->ConsumeRandomLengthString(kRandomDataMaxLength));
|
|
}
|
|
|
|
std::unique_ptr<brillo::http::FileFormField> CreateFileFormField(
|
|
FuzzedDataProvider* data_provider) {
|
|
brillo::StreamPtr mem_stream = brillo::MemoryStream::OpenCopyOf(
|
|
data_provider->ConsumeRandomLengthString(kRandomDataMaxLength), nullptr);
|
|
return std::make_unique<brillo::http::FileFormField>(
|
|
data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
|
|
std::move(mem_stream),
|
|
data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
|
|
data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
|
|
data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
|
|
data_provider->ConsumeRandomLengthString(kRandomDataMaxLength));
|
|
}
|
|
|
|
std::unique_ptr<brillo::http::MultiPartFormField> CreateMultipartFormField(
|
|
FuzzedDataProvider* data_provider, int depth) {
|
|
std::unique_ptr<brillo::http::MultiPartFormField> multipart_field =
|
|
std::make_unique<brillo::http::MultiPartFormField>(
|
|
data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
|
|
data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
|
|
data_provider->ConsumeRandomLengthString(kRandomDataMaxLength));
|
|
|
|
// Randomly add fields to this like we do the base FormData, but don't loop
|
|
// forever.
|
|
while (data_provider->ConsumeBool()) {
|
|
if (data_provider->ConsumeBool()) {
|
|
// Add a random text field to the form.
|
|
multipart_field->AddCustomField(CreateTextFormField(data_provider));
|
|
}
|
|
if (data_provider->ConsumeBool()) {
|
|
// Add a random file field to the form.
|
|
multipart_field->AddCustomField(CreateFileFormField(data_provider));
|
|
}
|
|
// Limit our recursion depth. We could make this part of our code iterative,
|
|
// but that won't help because in libbrillo we use recursion to generate the
|
|
// stream so we would hit a stack depth limit there as well.
|
|
if (depth < kMaxRecursionDepth && data_provider->ConsumeBool()) {
|
|
// Add a random multipart form field to the form.
|
|
multipart_field->AddCustomField(
|
|
CreateMultipartFormField(data_provider, depth + 1));
|
|
}
|
|
}
|
|
|
|
return multipart_field;
|
|
}
|
|
|
|
} // namespace
|
|
|
|
bool IgnoreLogging(int, const char*, int, size_t, const std::string&) {
|
|
return true;
|
|
}
|
|
|
|
class Environment {
|
|
public:
|
|
Environment() {
|
|
// Disable logging. Normally this would be done with logging::SetMinLogLevel
|
|
// but that doesn't work for brillo::Error for because it's not using the
|
|
// LOG(ERROR) macro which is where the actual log level check occurs.
|
|
logging::SetLogMessageHandler(&IgnoreLogging);
|
|
}
|
|
};
|
|
|
|
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
|
static Environment env;
|
|
FuzzedDataProvider data_provider(data, size);
|
|
// Randomly add a bunch of fields to the FormData and then when done extract
|
|
// and consume the data stream.
|
|
brillo::http::FormData form_data(
|
|
data_provider.ConsumeRandomLengthString(kRandomDataMaxLength));
|
|
while (data_provider.remaining_bytes() > 0) {
|
|
if (data_provider.ConsumeBool()) {
|
|
// Add a random text field to the form.
|
|
form_data.AddCustomField(CreateTextFormField(&data_provider));
|
|
}
|
|
if (data_provider.ConsumeBool()) {
|
|
// Add a random file field to the form.
|
|
form_data.AddCustomField(CreateFileFormField(&data_provider));
|
|
}
|
|
if (data_provider.ConsumeBool()) {
|
|
// Add a random multipart form field to the form.
|
|
form_data.AddCustomField(CreateMultipartFormField(&data_provider, 0));
|
|
}
|
|
}
|
|
|
|
brillo::StreamPtr form_stream = form_data.ExtractDataStream();
|
|
if (!form_stream)
|
|
return 0;
|
|
|
|
// We need to use a decent sized buffer and call ReadAllBlocking to avoid
|
|
// excess overhead with reading here that can make the fuzzer timeout.
|
|
uint8_t buffer[32768];
|
|
while (form_stream->GetRemainingSize() > 0) {
|
|
if (!form_stream->ReadAllBlocking(buffer, sizeof(buffer), nullptr)) {
|
|
// If there's an error reading from the stream, then bail since we'd
|
|
// likely just see repeated errors and never exit.
|
|
break;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|