Line | Count | Source |
1 | | /* Copyright 2021 Google LLC |
2 | | Licensed under the Apache License, Version 2.0 (the "License"); |
3 | | you may not use this file except in compliance with the License. |
4 | | You may obtain a copy of the License at |
5 | | http://www.apache.org/licenses/LICENSE-2.0 |
6 | | Unless required by applicable law or agreed to in writing, software |
7 | | distributed under the License is distributed on an "AS IS" BASIS, |
8 | | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
9 | | See the License for the specific language governing permissions and |
10 | | limitations under the License. |
11 | | */ |
12 | | #include "apr.h" |
13 | | #include "apr_file_io.h" |
14 | | #include "apr_poll.h" |
15 | | #include "apr_portable.h" |
16 | | #include "apr_proc_mutex.h" |
17 | | #include "apr_signal.h" |
18 | | #include "apr_strings.h" |
19 | | #include "apr_thread_mutex.h" |
20 | | #include "apr_thread_proc.h" |
21 | | #include "http_core.h" |
22 | | |
23 | | #define APR_WANT_STRFUNC |
24 | | #include "apr_file_io.h" |
25 | | #include "apr_fnmatch.h" |
26 | | #include "apr_want.h" |
27 | | |
28 | | #include "apr_poll.h" |
29 | | #include "apr_want.h" |
30 | | |
31 | | #include "ap_config.h" |
32 | | #include "ap_expr.h" |
33 | | #include "ap_listen.h" |
34 | | #include "ap_provider.h" |
35 | | #include "ap_regex.h" |
36 | | |
37 | | #include "http_log.h" |
38 | | #include "http_protocol.h" |
39 | | |
40 | | #include "ada_fuzz_header.h" |
41 | | |
42 | 148 | static const char *http_scheme2(const request_rec *r) { |
43 | | /* |
44 | | * The http module shouldn't return anything other than |
45 | | * "http" (the default) or "https". |
46 | | */ |
47 | 148 | if (r->server->server_scheme && |
48 | 148 | (strcmp(r->server->server_scheme, "https") == 0)) |
49 | 4 | return "https"; |
50 | | |
51 | 144 | return "http"; |
52 | 148 | } |
53 | | |
54 | | extern request_rec *ap_create_request(conn_rec *conn); |
55 | | extern int read_request_line(request_rec *r, apr_bucket_brigade *bb); |
56 | | |
57 | 2 | int LLVMFuzzerInitialize(int *argc, char ***argv) { |
58 | 2 | apr_pool_create(&apr_hook_global_pool, NULL); |
59 | 2 | ap_open_stderr_log(apr_hook_global_pool); |
60 | 2 | ap_hook_http_scheme(http_scheme2, NULL, NULL, APR_HOOK_REALLY_LAST); |
61 | 2 | return 0; |
62 | 2 | } |
63 | | |
64 | 412 | int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
65 | 412 | af_gb_init(); |
66 | | |
67 | 412 | const uint8_t *data2 = data; |
68 | 412 | size_t size2 = size; |
69 | | |
70 | | /* get random data for the fuzzer */ |
71 | 412 | char *new_str = af_gb_get_null_terminated(&data2, &size2); |
72 | 412 | char *new_str2 = af_gb_get_null_terminated(&data2, &size2); |
73 | 412 | char *new_str3 = af_gb_get_null_terminated(&data2, &size2); |
74 | 412 | char *new_str4 = af_gb_get_null_terminated(&data2, &size2); |
75 | 412 | char *new_str5 = af_gb_get_null_terminated(&data2, &size2); |
76 | 412 | if (new_str != NULL && |
77 | 412 | new_str2 != NULL && |
78 | 412 | new_str3 != NULL && |
79 | 412 | new_str4 != NULL && |
80 | 412 | new_str5 != NULL) { |
81 | | |
82 | | /* this is the main fuzzing logic */ |
83 | | |
84 | 392 | apr_pool_initialize(); |
85 | 392 | apr_pool_t *v = NULL; |
86 | 392 | apr_pool_create(&v, NULL); |
87 | | |
88 | 392 | conn_rec conn; |
89 | 392 | conn.pool = v; |
90 | 392 | server_rec base_server; |
91 | 392 | conn.base_server = &base_server; |
92 | 392 | conn.bucket_alloc = apr_bucket_alloc_create(conn.pool); |
93 | 392 | ap_method_registry_init(conn.pool); |
94 | | |
95 | | //server_rec server; |
96 | | |
97 | | /* Simulate ap_read_request */ |
98 | 392 | request_rec *r = NULL; |
99 | 392 | r = ap_create_request(&conn); |
100 | | |
101 | | /* create a logs array for the request */ |
102 | 392 | struct ap_logconf logs = {}; |
103 | 392 | char *log_levels = calloc(1000, 1); |
104 | 392 | memset(log_levels, 0, 1000); |
105 | 392 | logs.module_levels = log_levels; |
106 | 392 | r->log = &logs; |
107 | 392 | if (r != NULL) { |
108 | 392 | apr_bucket_brigade *tmp_bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); |
109 | 392 | conn.keepalive = AP_CONN_UNKNOWN; |
110 | | |
111 | 392 | ap_run_pre_read_request(r, &conn); |
112 | | |
113 | 392 | core_server_config conf_mod; |
114 | 392 | conf_mod.http_conformance = (char)af_get_short(&data2, &size2); |
115 | 392 | conf_mod.http09_enable = (char)af_get_short(&data2, &size2); |
116 | 392 | conf_mod.http_methods = (char)af_get_short(&data2, &size2); |
117 | 392 | void **module_config_arr = malloc(1000); |
118 | 392 | module_config_arr[0] = &conf_mod; |
119 | | |
120 | 392 | r->server->module_config = module_config_arr; |
121 | 392 | ap_set_core_module_config(r->server->module_config, &conf_mod); |
122 | | |
123 | | /* randomise content of request */ |
124 | 392 | r->unparsed_uri = new_str; |
125 | 392 | r->uri = new_str2; |
126 | 392 | r->server->server_scheme = new_str3; |
127 | 392 | r->method = new_str4; |
128 | 392 | r->the_request = new_str5; |
129 | | |
130 | | /* main target */ |
131 | 392 | ap_parse_request_line(r); |
132 | | |
133 | 392 | free(module_config_arr); |
134 | 392 | } |
135 | 392 | free(log_levels); |
136 | 392 | apr_pool_terminate(); |
137 | 392 | } |
138 | | |
139 | 412 | af_gb_cleanup(); |
140 | 412 | return 0; |
141 | 412 | } |