Line | Count | Source |
1 | | /* Copyright 2021 Google LLC |
2 | | Licensed under the Apache License, Version 2.0 (the "License"); |
3 | | you may not use this file except in compliance with the License. |
4 | | You may obtain a copy of the License at |
5 | | http://www.apache.org/licenses/LICENSE-2.0 |
6 | | Unless required by applicable law or agreed to in writing, software |
7 | | distributed under the License is distributed on an "AS IS" BASIS, |
8 | | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
9 | | See the License for the specific language governing permissions and |
10 | | limitations under the License. |
11 | | */ |
12 | | #include "apr.h" |
13 | | #include "apr_file_io.h" |
14 | | #include "apr_poll.h" |
15 | | #include "apr_portable.h" |
16 | | #include "apr_proc_mutex.h" |
17 | | #include "apr_signal.h" |
18 | | #include "apr_strings.h" |
19 | | #include "apr_thread_mutex.h" |
20 | | #include "apr_thread_proc.h" |
21 | | #include "http_core.h" |
22 | | |
23 | | #define APR_WANT_STRFUNC |
24 | | #include "apr_file_io.h" |
25 | | #include "apr_fnmatch.h" |
26 | | #include "apr_want.h" |
27 | | |
28 | | #include "apr_poll.h" |
29 | | #include "apr_want.h" |
30 | | |
31 | | #include "ap_config.h" |
32 | | #include "ap_expr.h" |
33 | | #include "ap_listen.h" |
34 | | #include "ap_provider.h" |
35 | | #include "ap_regex.h" |
36 | | |
37 | | #include "ada_fuzz_header.h" |
38 | | |
/*
 * http_scheme hook installed by the harness.
 *
 * Returns "https" only when the server's configured scheme is exactly the
 * string "https"; an unset scheme or any other value yields "http". The
 * result is always one of two string literals, so arbitrary scheme text
 * never propagates to callers of the hook.
 */
static const char *http_scheme2(const request_rec *r) {
  const char *scheme = r->server->server_scheme;

  /* Anything that is not an exact "https" match falls back to the default. */
  if (scheme == NULL || strcmp(scheme, "https") != 0) {
    return "http";
  }

  return "https";
}
50 | | |
/*
 * Prototypes for request-handling entry points the harness calls directly.
 * They are declared here by hand rather than taken from a header, so they
 * must be kept in sync with the definitions in the library being fuzzed.
 * NOTE(review): read_request_line is declared but not called in this file.
 */
request_rec *ap_create_request(conn_rec *conn);
int read_request_line(request_rec *r, apr_bucket_brigade *bb);
53 | | |
/*
 * libFuzzer start-up hook.
 *
 * Creates the global hook pool, opens the stderr log on it and registers
 * http_scheme2 as the http_scheme hook with APR_HOOK_REALLY_LAST ordering.
 * The command-line arguments are not inspected. Always returns 0.
 *
 * NOTE(review): the status returned by apr_pool_create is not checked, so a
 * failed pool creation would pass an unset pool to ap_open_stderr_log.
 */
int LLVMFuzzerInitialize(int *argc, char ***argv) {
  (void)argc;
  (void)argv;

  apr_pool_create(&apr_hook_global_pool, NULL);
  ap_open_stderr_log(apr_hook_global_pool);

  ap_hook_http_scheme(http_scheme2, NULL, NULL, APR_HOOK_REALLY_LAST);

  return 0;
}
60 | | |
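/*
 * libFuzzer entry point: builds a minimal connection/server/request trio on
 * the stack and feeds fuzzer-derived strings to ap_parse_request_line().
 *
 * The input is split into five NUL-terminated strings (unparsed URI, URI,
 * server scheme, method, request line) followed by three shorts that select
 * the core module's http_conformance, http09_enable and http_methods
 * settings. Inputs too short to yield all five strings are skipped.
 *
 * @param data  fuzzer-supplied bytes
 * @param size  number of bytes in data
 * @return always 0
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  /* Size in bytes of the two scratch buffers (log levels, module config). */
  enum { FUZZ_SCRATCH_BYTES = 1000 };

  af_gb_init();

  const uint8_t *data2 = data;
  size_t size2 = size;

  /* get random data for the fuzzer */
  char *new_str = af_gb_get_null_terminated(&data2, &size2);
  char *new_str2 = af_gb_get_null_terminated(&data2, &size2);
  char *new_str3 = af_gb_get_null_terminated(&data2, &size2);
  char *new_str4 = af_gb_get_null_terminated(&data2, &size2);
  char *new_str5 = af_gb_get_null_terminated(&data2, &size2);
  if (new_str != NULL &&
      new_str2 != NULL &&
      new_str3 != NULL &&
      new_str4 != NULL &&
      new_str5 != NULL) {

    /* this is the main fuzzing logic */

    apr_pool_initialize();
    apr_pool_t *v = NULL;
    apr_pool_create(&v, NULL);

    /*
     * Zero the stack structures before use. Only a handful of fields are
     * assigned below; leaving the rest indeterminate would make any read of
     * them by the code under test undefined and would make crashes depend
     * on stale stack contents instead of on the fuzz input.
     */
    conn_rec conn;
    server_rec base_server;
    memset(&conn, 0, sizeof conn);
    memset(&base_server, 0, sizeof base_server);

    conn.pool = v;
    conn.base_server = &base_server;
    conn.bucket_alloc = apr_bucket_alloc_create(conn.pool);
    ap_method_registry_init(conn.pool);

    /* Simulate ap_read_request */
    request_rec *r = ap_create_request(&conn);

    /* create a logs array for the request */
    struct ap_logconf logs;
    memset(&logs, 0, sizeof logs);

    /* calloc already zero-fills, so no separate memset is needed. */
    char *log_levels = calloc(FUZZ_SCRATCH_BYTES, 1);
    void **module_config_arr = calloc(FUZZ_SCRATCH_BYTES, 1);

    /*
     * Touch r (and the scratch buffers) only after all of them are known to
     * be non-NULL; the request's log pointer used to be assigned before the
     * NULL check on r, and the allocations were used unchecked.
     */
    if (r != NULL && log_levels != NULL && module_config_arr != NULL) {
      logs.module_levels = log_levels;
      r->log = &logs;

      /* Brigade is created for its side effects on r->pool; it is not read. */
      apr_bucket_brigade *tmp_bb =
          apr_brigade_create(r->pool, r->connection->bucket_alloc);
      (void)tmp_bb;
      conn.keepalive = AP_CONN_UNKNOWN;

      /* The pre_read_request hook takes the connection by pointer. */
      ap_run_pre_read_request(r, &conn);

      core_server_config conf_mod;
      memset(&conf_mod, 0, sizeof conf_mod);
      conf_mod.http_conformance = (char)af_get_short(&data2, &size2);
      conf_mod.http09_enable = (char)af_get_short(&data2, &size2);
      conf_mod.http_methods = (char)af_get_short(&data2, &size2);
      module_config_arr[0] = &conf_mod;

      r->server->module_config = module_config_arr;
      ap_set_core_module_config(r->server->module_config, &conf_mod);

      /* randomise content of request */
      r->unparsed_uri = new_str;
      r->uri = new_str2;
      r->server->server_scheme = new_str3;
      r->method = new_str4;
      r->the_request = new_str5;

      /* main target */
      ap_parse_request_line(r);
    }

    /* free(NULL) is a no-op, so both buffers are released on every path. */
    free(module_config_arr);
    free(log_levels);
    apr_pool_terminate();
  }

  af_gb_cleanup();
  return 0;
}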