rc_tagdetect_client: curl_fuzzer.cc Source File

Go to the documentation of this file.
 /***************************************************************************
  *                                  _   _ ____  _
  *  Project                     ___| | | |  _ \| |
  *                             / __| | | | |_) | |
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
  * Copyright (C) 2017, Max Dymond, <cmeister2@gmail.com>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
  * are also available at https://curl.haxx.se/docs/copyright.html.
  *
  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  * copies of the Software, and permit persons to whom the Software is
  * furnished to do so, under the terms of the COPYING file.
  *
  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  * KIND, either express or implied.
  *
  ***************************************************************************/
 
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <curl/curl.h>
 #include "curl_fuzzer.h"
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
   int rc = 0;
   int tlv_rc;
   FUZZ_DATA fuzz;
   TLV tlv;
 
   /* Have to set all fields to zero before getting to the terminate function */
   memset(&fuzz, 0, sizeof(FUZZ_DATA));
 
   if(size < sizeof(TLV_RAW)) {
     /* Not enough data for a single TLV - don't continue */
     goto EXIT_LABEL;
   }
 
   /* Try to initialize the fuzz data */
   FTRY(fuzz_initialize_fuzz_data(&fuzz, data, size));
 
   for(tlv_rc = fuzz_get_first_tlv(&fuzz, &tlv);
       tlv_rc == 0;
       tlv_rc = fuzz_get_next_tlv(&fuzz, &tlv)) {
 
     /* Have the TLV in hand. Parse the TLV. */
     rc = fuzz_parse_tlv(&fuzz, &tlv);
 
     if(rc != 0) {
       /* Failed to parse the TLV. Can't continue. */
       goto EXIT_LABEL;
     }
   }
 
   if(tlv_rc != TLV_RC_NO_MORE_TLVS) {
     /* A TLV call failed. Can't continue. */
     goto EXIT_LABEL;
   }
 
   /* Do the CURL stuff! */
   if(fuzz.header_list != NULL) {
     curl_easy_setopt(fuzz.easy, CURLOPT_HTTPHEADER, fuzz.header_list);
   }
 
   if(fuzz.mail_recipients_list != NULL) {
     curl_easy_setopt(fuzz.easy, CURLOPT_MAIL_RCPT, fuzz.mail_recipients_list);
   }
 
   curl_easy_perform(fuzz.easy);
 
 EXIT_LABEL:
 
   fuzz_terminate_fuzz_data(&fuzz);
 
   /* This function must always return 0. Non-zero codes are reserved. */
   return 0;
 }
 
 uint32_t to_u32(uint8_t b[4])
 {
   uint32_t u;
   u = (b[0] << 24) + (b[1] << 16) + (b[2] << 8) + b[3];
   return u;
 }
 
 uint16_t to_u16(uint8_t b[2])
 {
   uint16_t u;
   u = (b[0] << 8) + b[1];
   return u;
 }
 
 int fuzz_initialize_fuzz_data(FUZZ_DATA *fuzz,
                               const uint8_t *data,
                               size_t data_len)
 {
   int rc = 0;
 
   /* Initialize the fuzz data. */
   memset(fuzz, 0, sizeof(FUZZ_DATA));
 
   /* Create an easy handle. This will have all of the settings configured on
      it. */
   fuzz->easy = curl_easy_init();
   FCHECK(fuzz->easy != NULL);
 
   /* Set some standard options on the CURL easy handle. We need to override the
      socket function so that we create our own sockets to present to CURL. */
   FTRY(curl_easy_setopt(fuzz->easy,
                         CURLOPT_OPENSOCKETFUNCTION,
                         fuzz_open_socket));
   FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_OPENSOCKETDATA, fuzz));
 
   /* In case something tries to set a socket option, intercept this. */
   FTRY(curl_easy_setopt(fuzz->easy,
                         CURLOPT_SOCKOPTFUNCTION,
                         fuzz_sockopt_callback));
 
   /* Set the standard read function callback. */
   FTRY(curl_easy_setopt(fuzz->easy,
                         CURLOPT_READFUNCTION,
                         fuzz_read_callback));
   FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_READDATA, fuzz));
 
   /* Set the standard write function callback. */
   FTRY(curl_easy_setopt(fuzz->easy,
                         CURLOPT_WRITEFUNCTION,
                         fuzz_write_callback));
   FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_WRITEDATA, fuzz));
 
   /* Can enable verbose mode by changing 0L to 1L */
   FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_VERBOSE, 0L));
 
   /* Set up the state parser */
   fuzz->state.data = data;
   fuzz->state.data_len = data_len;
 
 EXIT_LABEL:
 
   return rc;
 }
 
 void fuzz_terminate_fuzz_data(FUZZ_DATA *fuzz)
 {
   fuzz_free((void **)&fuzz->url);
   fuzz_free((void **)&fuzz->username);
   fuzz_free((void **)&fuzz->password);
   fuzz_free((void **)&fuzz->postfields);
   fuzz_free((void **)&fuzz->cookie);
   fuzz_free((void **)&fuzz->range);
   fuzz_free((void **)&fuzz->customrequest);
   fuzz_free((void **)&fuzz->mail_from);
 
   if(fuzz->header_list != NULL) {
     curl_slist_free_all(fuzz->header_list);
     fuzz->header_list = NULL;
   }
 
   if(fuzz->mail_recipients_list != NULL) {
     curl_slist_free_all(fuzz->mail_recipients_list);
     fuzz->mail_recipients_list = NULL;
   }
 
   if(fuzz->easy != NULL) {
     curl_easy_cleanup(fuzz->easy);
     fuzz->easy = NULL;
   }
 }
 
 void fuzz_free(void **ptr)
 {
   if(*ptr != NULL) {
     free(*ptr);
     *ptr = NULL;
   }
 }
 
 static curl_socket_t fuzz_open_socket(void *ptr,
                                       curlsocktype purpose,
                                       struct curl_sockaddr *address)
 {
   FUZZ_DATA *fuzz = (FUZZ_DATA *)ptr;
   int fds[2];
   curl_socket_t server_fd;
   curl_socket_t client_fd;
 
   /* Handle unused parameters */
   (void)purpose;
   (void)address;
 
   if(socketpair(AF_UNIX, SOCK_STREAM, 0, fds)) {
     /* Failed to create a pair of sockets. */
     return CURL_SOCKET_BAD;
   }
 
   server_fd = fds[0];
   client_fd = fds[1];
 
   /* Try and write the response data to the server file descriptor so the
      client can read it. */
   if(write(server_fd,
            fuzz->rsp1_data,
            fuzz->rsp1_data_len) != (ssize_t)fuzz->rsp1_data_len) {
     /* Failed to write the data. */
     return CURL_SOCKET_BAD;
   }
 
   if(shutdown(server_fd, SHUT_WR)) {
     return CURL_SOCKET_BAD;
   }
 
   return client_fd;
 }
 
 static int fuzz_sockopt_callback(void *ptr,
                                  curl_socket_t curlfd,
                                  curlsocktype purpose)
 {
   (void)ptr;
   (void)curlfd;
   (void)purpose;
 
   return CURL_SOCKOPT_ALREADY_CONNECTED;
 }
 
 static size_t fuzz_read_callback(char *buffer,
                                  size_t size,
                                  size_t nitems,
                                  void *ptr)
 {
   FUZZ_DATA *fuzz = (FUZZ_DATA *)ptr;
   curl_off_t nread;
 
   /* If no upload data has been specified, then return an error code. */
   if(fuzz->upload1_data_len == 0) {
     /* No data to upload */
     return CURL_READFUNC_ABORT;
   }
 
   /* Send the upload data. */
   memcpy(buffer,
          fuzz->upload1_data,
          fuzz->upload1_data_len);
 
   return fuzz->upload1_data_len;
 }
 
 static size_t fuzz_write_callback(void *contents,
                                   size_t size,
                                   size_t nmemb,
                                   void *ptr)
 {
   size_t total = size * nmemb;
   FUZZ_DATA *fuzz = (FUZZ_DATA *)ptr;
   size_t copy_len = total;
 
   /* Restrict copy_len to at most TEMP_WRITE_ARRAY_SIZE. */
   if(copy_len > TEMP_WRITE_ARRAY_SIZE) {
     copy_len = TEMP_WRITE_ARRAY_SIZE;
   }
 
   /* Copy bytes to the temp store just to ensure the parameters are
      exercised. */
   memcpy(fuzz->write_array, contents, copy_len);
 
   return total;
 }
 
 int fuzz_get_first_tlv(FUZZ_DATA *fuzz,
                        TLV *tlv)
 {
   /* Reset the cursor. */
   fuzz->state.data_pos = 0;
   return fuzz_get_tlv_comn(fuzz, tlv);
 }
 
 int fuzz_get_next_tlv(FUZZ_DATA *fuzz,
                       TLV *tlv)
 {
   /* Advance the cursor by the full length of the previous TLV. */
   fuzz->state.data_pos += sizeof(TLV_RAW) + tlv->length;
 
   /* Work out if there's a TLV's worth of data to read */
   if(fuzz->state.data_pos + sizeof(TLV_RAW) > fuzz->state.data_len) {
     /* No more TLVs to parse */
     return TLV_RC_NO_MORE_TLVS;
   }
 
   return fuzz_get_tlv_comn(fuzz, tlv);
 }
 
 int fuzz_get_tlv_comn(FUZZ_DATA *fuzz,
                       TLV *tlv)
 {
   int rc = 0;
   size_t data_offset;
   TLV_RAW *raw;
 
   /* Start by casting the data stream to a TLV. */
   raw = (TLV_RAW *)&fuzz->state.data[fuzz->state.data_pos];
   data_offset = fuzz->state.data_pos + sizeof(TLV_RAW);
 
   /* Set the TLV values. */
   tlv->type = to_u16(raw->raw_type);
   tlv->length = to_u32(raw->raw_length);
   tlv->value = &fuzz->state.data[data_offset];
 
   /* Sanity check that the TLV length is ok. */
   if(data_offset + tlv->length > fuzz->state.data_len) {
     rc = TLV_RC_SIZE_ERROR;
   }
 
   return rc;
 }
 
 int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv)
 {
   int rc;
   char *tmp;
 
   switch(tlv->type) {
     case TLV_TYPE_RESPONSE1:
       /* The pointers in the TLV will always be valid as long as the fuzz data
          is in scope, which is the entirety of this file. */
       fuzz->rsp1_data = tlv->value;
       fuzz->rsp1_data_len = tlv->length;
       break;
 
     case TLV_TYPE_UPLOAD1:
       /* The pointers in the TLV will always be valid as long as the fuzz data
          is in scope, which is the entirety of this file. */
       fuzz->upload1_data = tlv->value;
       fuzz->upload1_data_len = tlv->length;
 
       curl_easy_setopt(fuzz->easy, CURLOPT_UPLOAD, 1L);
       curl_easy_setopt(fuzz->easy,
                        CURLOPT_INFILESIZE_LARGE,
                        (curl_off_t)fuzz->upload1_data_len);
       break;
 
     case TLV_TYPE_HEADER:
       tmp = fuzz_tlv_to_string(tlv);
       fuzz->header_list = curl_slist_append(fuzz->header_list, tmp);
       fuzz_free((void **)&tmp);
       break;
 
     case TLV_TYPE_MAIL_RECIPIENT:
       tmp = fuzz_tlv_to_string(tlv);
       fuzz->mail_recipients_list =
                              curl_slist_append(fuzz->mail_recipients_list, tmp);
       fuzz_free((void **)&tmp);
       break;
 
     /* Define a set of singleton TLVs - they can only have their value set once
        and all follow the same pattern. */
     FSINGLETONTLV(TLV_TYPE_URL, url, CURLOPT_URL);
     FSINGLETONTLV(TLV_TYPE_USERNAME, username, CURLOPT_USERNAME);
     FSINGLETONTLV(TLV_TYPE_PASSWORD, password, CURLOPT_PASSWORD);
     FSINGLETONTLV(TLV_TYPE_POSTFIELDS, postfields, CURLOPT_POSTFIELDS);
     FSINGLETONTLV(TLV_TYPE_COOKIE, cookie, CURLOPT_COOKIE);
     FSINGLETONTLV(TLV_TYPE_RANGE, range, CURLOPT_RANGE);
     FSINGLETONTLV(TLV_TYPE_CUSTOMREQUEST, customrequest, CURLOPT_CUSTOMREQUEST);
     FSINGLETONTLV(TLV_TYPE_MAIL_FROM, mail_from, CURLOPT_MAIL_FROM);
 
     default:
       /* The fuzzer generates lots of unknown TLVs - we don't want these in the
          corpus so we reject any unknown TLVs. */
       rc = 255;
       goto EXIT_LABEL;
       break;
   }
 
   rc = 0;
 
 EXIT_LABEL:
 
   return rc;
 }
 
 char *fuzz_tlv_to_string(TLV *tlv)
 {
   char *tlvstr;
 
   /* Allocate enough space, plus a null terminator */
   tlvstr = (char *)malloc(tlv->length + 1);
 
   if(tlvstr != NULL) {
     memcpy(tlvstr, tlv->value, tlv->length);
     tlvstr[tlv->length] = 0;
   }
 
   return tlvstr;
 }