Line | Count | Source |
1 | | /* Copyright 2021 Google LLC |
2 | | Licensed under the Apache License, Version 2.0 (the "License"); |
3 | | you may not use this file except in compliance with the License. |
4 | | You may obtain a copy of the License at |
5 | | http://www.apache.org/licenses/LICENSE-2.0 |
6 | | Unless required by applicable law or agreed to in writing, software |
7 | | distributed under the License is distributed on an "AS IS" BASIS, |
8 | | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
9 | | See the License for the specific language governing permissions and |
10 | | limitations under the License. |
11 | | */ |
12 | | #include "apr.h" |
13 | | #include "apr_file_io.h" |
14 | | #include "apr_poll.h" |
15 | | #include "apr_portable.h" |
16 | | #include "apr_proc_mutex.h" |
17 | | #include "apr_signal.h" |
18 | | #include "apr_strings.h" |
19 | | #include "apr_thread_mutex.h" |
20 | | #include "apr_thread_proc.h" |
21 | | |
22 | | #define APR_WANT_STRFUNC |
23 | | #include "apr_file_io.h" |
24 | | #include "apr_fnmatch.h" |
25 | | #include "apr_want.h" |
26 | | |
27 | | #include "apr_poll.h" |
28 | | #include "apr_want.h" |
29 | | |
30 | | #include "ap_config.h" |
31 | | #include "ap_expr.h" |
32 | | #include "ap_listen.h" |
33 | | #include "ap_provider.h" |
34 | | #include "ap_regex.h" |
35 | | |
36 | | #include <string.h> |
37 | | #include <unistd.h> |
38 | | |
39 | | #include "ada_fuzz_header.h" |
40 | | |
41 | | |
42 | 1.28k | int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
43 | | // Initialize fuzzing garbage collector. We use this to easily |
44 | | // get data types seeded with random input from the fuzzer. |
45 | 1.28k | af_gb_init(); |
46 | | |
47 | 1.28k | const uint8_t *data2 = data; |
48 | 1.28k | size_t size2 = size; |
49 | | |
50 | 1.28k | char *new_str = af_gb_get_null_terminated(&data2, &size2); |
51 | 1.28k | char *new_dst = af_gb_get_null_terminated(&data2, &size2); |
52 | 1.28k | if (new_str != NULL && new_dst != NULL) { |
53 | 1.26k | size_t new_str_len = strlen(new_str); |
54 | | |
55 | | // Targets that do not require a pool |
56 | | |
57 | 1.26k | ap_cstr_casecmp(new_str, new_dst); |
58 | 1.26k | if (new_str_len > 2) { |
59 | 1.22k | ap_cstr_casecmpn(new_str, new_str + 2, new_str_len - 2); |
60 | 1.22k | } |
61 | 1.26k | ap_strcmp_match(new_str, new_dst); |
62 | 1.26k | ap_strcasecmp_match(new_str, new_dst); |
63 | 1.26k | ap_strcasestr(new_str, new_dst); |
64 | | |
65 | 1.26k | apr_interval_time_t timeout; |
66 | 1.26k | ap_timeout_parameter_parse(new_str, &timeout, "ms"); |
67 | | |
68 | 1.26k | new_dst = af_gb_get_null_terminated(&data2, &size2); |
69 | 1.26k | if (new_dst != NULL) { |
70 | 397 | ap_getparents(new_dst); |
71 | 397 | } |
72 | | |
73 | 1.26k | new_dst = af_gb_get_null_terminated(&data2, &size2); |
74 | 1.26k | if (new_dst != NULL) { |
75 | 320 | ap_no2slash(new_dst); |
76 | 320 | } |
77 | | |
78 | 1.26k | new_dst = af_gb_get_null_terminated(&data2, &size2); |
79 | 1.26k | if (new_dst != NULL) { |
80 | 301 | ap_unescape_url(new_dst); |
81 | 301 | } |
82 | | |
83 | 1.26k | new_dst = af_gb_get_null_terminated(&data2, &size2); |
84 | 1.26k | if (new_dst != NULL) { |
85 | 260 | ap_unescape_urlencoded(new_dst); |
86 | 260 | } |
87 | | |
88 | 1.26k | new_dst = af_gb_get_null_terminated(&data2, &size2); |
89 | 1.26k | if (new_dst != NULL) { |
90 | 224 | ap_content_type_tolower(new_dst); |
91 | 224 | } |
92 | | |
93 | 1.26k | new_dst = malloc(new_str_len*3+1); // big enough for worst-case URL-escaped (%nn) |
94 | 1.26k | ap_escape_path_segment_buffer(new_dst, new_str); |
95 | 1.26k | free(new_dst); |
96 | | |
97 | 1.26k | new_dst = malloc(new_str_len*4+1); // big enough for worst-case log-escaped (\xnn) |
98 | 1.26k | ap_escape_errorlog_item(new_dst, new_str, new_str_len*4+1); |
99 | 1.26k | free(new_dst); |
100 | | |
101 | | // Pool initialisation |
102 | 1.26k | if (apr_pool_initialize() == APR_SUCCESS) { |
103 | 1.26k | apr_pool_t *pool = NULL; |
104 | 1.26k | apr_pool_create(&pool, NULL); |
105 | | |
106 | | // Targets that require a pool |
107 | | |
108 | 1.26k | new_dst = af_gb_get_null_terminated(&data2, &size2); |
109 | 1.26k | if (new_dst != NULL) { |
110 | 208 | ap_make_dirstr_parent(pool, new_dst); |
111 | 208 | } |
112 | | |
113 | 1.26k | ap_field_noparam(pool, new_str); |
114 | | |
115 | 1.26k | ap_escape_shell_cmd(pool, new_str); |
116 | 1.26k | ap_os_escape_path(pool, new_str, 0); |
117 | 1.26k | ap_escape_html2(pool, new_str, 0); |
118 | 1.26k | ap_escape_logitem(pool, new_str); |
119 | | |
120 | | // This line causes some issues if something bad is allocated |
121 | 1.26k | ap_escape_quotes(pool, new_str); |
122 | | |
123 | | // base64 |
124 | 1.26k | ap_pbase64decode(pool, new_str); |
125 | 1.26k | ap_pbase64encode(pool, new_str); |
126 | 1.26k | new_dst = af_gb_get_null_terminated(&data2, &size2); |
127 | 1.26k | if (new_dst != NULL) { |
128 | 202 | char *d; |
129 | 202 | apr_size_t dlen; |
130 | 202 | ap_pbase64decode_strict(pool, new_dst, &d, &dlen); |
131 | 202 | } |
132 | | |
133 | | // List functions |
134 | 1.26k | const char *tmp_s = new_str; |
135 | 1.26k | ap_get_list_item(pool, &tmp_s); |
136 | 1.26k | ap_find_list_item(pool, new_str, "kjahsdfkj"); |
137 | 1.26k | ap_find_token(pool, new_str, "klsjdfk"); |
138 | 1.26k | ap_find_last_token(pool, new_str, "sdadf"); |
139 | 1.26k | apr_array_header_t *offers = NULL; |
140 | 1.26k | ap_parse_token_list_strict(pool, new_str, &offers, 0); |
141 | | |
142 | 1.26k | tmp_s = new_str; |
143 | 1.26k | ap_get_token(pool, &tmp_s, 1); |
144 | | |
145 | 1.26k | tmp_s = NULL; |
146 | 1.26k | ap_pstr2_alnum(pool, new_str, &tmp_s); |
147 | | |
148 | 1.26k | ap_is_chunked(pool, new_str); |
149 | | |
150 | | // Word functions |
151 | 1.26k | tmp_s = new_str; |
152 | 1.26k | ap_getword(pool, &tmp_s, 0); |
153 | 1.26k | tmp_s = new_str; |
154 | 1.26k | ap_getword_conf2(pool, &tmp_s); |
155 | 1.26k | new_dst = af_gb_get_null_terminated(&data2, &size2); |
156 | 1.26k | if (new_dst != NULL) { |
157 | 167 | char *d = new_dst; |
158 | 167 | ap_getword_white_nc(pool, &d); |
159 | 167 | } |
160 | | |
161 | 1.26k | ap_escape_urlencoded(pool, new_str); |
162 | | |
163 | | |
164 | 1.26k | char filename[256]; |
165 | 1.26k | sprintf(filename, "/tmp/libfuzzer.%d", getpid()); |
166 | 1.26k | FILE *fp = fopen(filename, "wb"); |
167 | 1.26k | fwrite(data, size, 1, fp); |
168 | 1.26k | fclose(fp); |
169 | | |
170 | | // Fuzzer logic here |
171 | 1.26k | ap_configfile_t *cfg; |
172 | 1.26k | ap_pcfg_openfile(&cfg, pool, filename); |
173 | 1.26k | char tmp_line[100]; |
174 | 1.26k | if ((af_get_short(&data2, &size2) % 2) == 0) { |
175 | 1.16k | ap_cfg_getline(tmp_line, 100, cfg); |
176 | 1.16k | } |
177 | 104 | else { |
178 | 104 | cfg->getstr = NULL; |
179 | 104 | ap_cfg_getline(tmp_line, 100, cfg); |
180 | 104 | } |
181 | | // Fuzzer logic end |
182 | | |
183 | 1.26k | unlink(filename); |
184 | | |
185 | | // Cleanup |
186 | 1.26k | apr_pool_terminate(); |
187 | 1.26k | } |
188 | 1.26k | } |
189 | | |
190 | | // Cleanup all of the memory allocated by the fuzz headers. |
191 | 1.28k | af_gb_cleanup(); |
192 | 1.28k | return 0; |
193 | 1.28k | } |