Coverage Report

Created: 2023-03-26 06:28

/src/fuzz_request.c
Line
Count
Source
1
/* Copyright 2021 Google LLC
2
Licensed under the Apache License, Version 2.0 (the "License");
3
you may not use this file except in compliance with the License.
4
You may obtain a copy of the License at
5
      http://www.apache.org/licenses/LICENSE-2.0
6
Unless required by applicable law or agreed to in writing, software
7
distributed under the License is distributed on an "AS IS" BASIS,
8
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
9
See the License for the specific language governing permissions and
10
limitations under the License.
11
*/
12
#include "apr.h"
13
#include "apr_file_io.h"
14
#include "apr_poll.h"
15
#include "apr_portable.h"
16
#include "apr_proc_mutex.h"
17
#include "apr_signal.h"
18
#include "apr_strings.h"
19
#include "apr_thread_mutex.h"
20
#include "apr_thread_proc.h"
21
#include "http_core.h"
22
23
#define APR_WANT_STRFUNC
24
#include "apr_file_io.h"
25
#include "apr_fnmatch.h"
26
#include "apr_want.h"
27
28
#include "apr_poll.h"
29
#include "apr_want.h"
30
31
#include "ap_config.h"
32
#include "ap_expr.h"
33
#include "ap_listen.h"
34
#include "ap_provider.h"
35
#include "ap_regex.h"
36
37
#include "ada_fuzz_header.h"
38
39
183
static const char *http_scheme2(const request_rec *r) {
40
  /*
41
   * The http module shouldn't return anything other than
42
   * "http" (the default) or "https".
43
   */
44
183
  if (r->server->server_scheme &&
45
183
      (strcmp(r->server->server_scheme, "https") == 0))
46
2
    return "https";
47
48
181
  return "http";
49
183
}
50
51
extern request_rec *ap_create_request(conn_rec *conn);
52
extern int read_request_line(request_rec *r, apr_bucket_brigade *bb);
53
54
2
int LLVMFuzzerInitialize(int *argc, char ***argv) {
55
2
  apr_pool_create(&apr_hook_global_pool, NULL);
56
2
  ap_open_stderr_log(apr_hook_global_pool);
57
2
  ap_hook_http_scheme(http_scheme2, NULL, NULL, APR_HOOK_REALLY_LAST);
58
2
  return 0;
59
2
}
60
61
555
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
62
555
  af_gb_init();
63
64
555
  const uint8_t *data2 = data;
65
555
  size_t size2 = size;
66
67
  /* get random data for the fuzzer */
68
555
  char *new_str = af_gb_get_null_terminated(&data2, &size2);
69
555
  char *new_str2 = af_gb_get_null_terminated(&data2, &size2);
70
555
  char *new_str3 = af_gb_get_null_terminated(&data2, &size2);
71
555
  char *new_str4 = af_gb_get_null_terminated(&data2, &size2);
72
555
  char *new_str5 = af_gb_get_null_terminated(&data2, &size2);
73
555
  if (new_str != NULL && 
74
555
      new_str2 != NULL && 
75
555
      new_str3 != NULL &&
76
555
      new_str4 != NULL && 
77
555
      new_str5 != NULL) {
78
79
    /* this is the main fuzzing logic */
80
81
531
    apr_pool_initialize();
82
531
    apr_pool_t *v = NULL;
83
531
    apr_pool_create(&v, NULL);
84
85
531
    conn_rec conn;
86
531
    conn.pool = v;
87
531
    server_rec base_server;
88
531
    conn.base_server = &base_server;
89
531
    conn.bucket_alloc = apr_bucket_alloc_create(conn.pool);
90
531
    ap_method_registry_init(conn.pool);
91
92
    //server_rec server;
93
94
    /* Simulate ap_read_request */
95
531
    request_rec *r = NULL;
96
531
    r = ap_create_request(&conn);
97
98
    /* create a logs array for the request */
99
531
    struct ap_logconf logs = {};
100
531
    char *log_levels = calloc(1000, 1);
101
531
    memset(log_levels, 0, 1000);
102
531
    logs.module_levels = log_levels;
103
531
    r->log = &logs;
104
531
    if (r != NULL) {
105
531
      apr_bucket_brigade *tmp_bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
106
531
      conn.keepalive = AP_CONN_UNKNOWN;
107
108
531
      ap_run_pre_read_request(r, conn);
109
110
531
      core_server_config conf_mod;
111
531
      conf_mod.http_conformance   = (char)af_get_short(&data2, &size2);
112
531
      conf_mod.http09_enable      = (char)af_get_short(&data2, &size2);
113
531
      conf_mod.http_methods       = (char)af_get_short(&data2, &size2);
114
531
      void **module_config_arr = malloc(1000);
115
531
      module_config_arr[0] = &conf_mod;
116
117
531
      r->server->module_config = module_config_arr;
118
531
      ap_set_core_module_config(r->server->module_config, &conf_mod);
119
120
      /* randomise content of request */
121
531
      r->unparsed_uri           = new_str;
122
531
      r->uri                    = new_str2;
123
531
      r->server->server_scheme  = new_str3;
124
531
      r->method                 = new_str4;
125
531
      r->the_request            = new_str5;
126
127
      /* main target */
128
531
      ap_parse_request_line(r);
129
130
531
      free(module_config_arr);
131
531
    }
132
531
    free(log_levels);
133
531
    apr_pool_terminate();
134
531
  }
135
136
555
  af_gb_cleanup();
137
555
  return 0;
138
555
}