Coverage Report

Created: 2023-03-26 06:28

/src/fuzz_utils.c
Line
Count
Source
1
/* Copyright 2021 Google LLC
2
Licensed under the Apache License, Version 2.0 (the "License");
3
you may not use this file except in compliance with the License.
4
You may obtain a copy of the License at
5
      http://www.apache.org/licenses/LICENSE-2.0
6
Unless required by applicable law or agreed to in writing, software
7
distributed under the License is distributed on an "AS IS" BASIS,
8
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
9
See the License for the specific language governing permissions and
10
limitations under the License.
11
*/
12
#include "apr.h"
13
#include "apr_file_io.h"
14
#include "apr_poll.h"
15
#include "apr_portable.h"
16
#include "apr_proc_mutex.h"
17
#include "apr_signal.h"
18
#include "apr_strings.h"
19
#include "apr_thread_mutex.h"
20
#include "apr_thread_proc.h"
21
22
#define APR_WANT_STRFUNC
23
#include "apr_file_io.h"
24
#include "apr_fnmatch.h"
25
#include "apr_want.h"
26
27
#include "apr_poll.h"
28
#include "apr_want.h"
29
30
#include "ap_config.h"
31
#include "ap_expr.h"
32
#include "ap_listen.h"
33
#include "ap_provider.h"
34
#include "ap_regex.h"
35
36
#include <string.h>
37
#include <unistd.h>
38
39
#include "ada_fuzz_header.h"
40
41
42
1.28k
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
43
  // Initialize fuzzing garbage collector. We use this to easily
44
  // get data types seeded with random input from the fuzzer.
45
1.28k
  af_gb_init();
46
47
1.28k
  const uint8_t *data2 = data;
48
1.28k
  size_t size2 = size;
49
50
1.28k
  char *new_str = af_gb_get_null_terminated(&data2, &size2);
51
1.28k
  char *new_dst = af_gb_get_null_terminated(&data2, &size2);
52
1.28k
  if (new_str != NULL && new_dst != NULL) {
53
1.26k
    size_t new_str_len = strlen(new_str);
54
55
    // Targets that do not require a pool
56
57
1.26k
    ap_cstr_casecmp(new_str, new_dst);
58
1.26k
    if (new_str_len > 2) {
59
1.22k
      ap_cstr_casecmpn(new_str, new_str + 2, new_str_len - 2);
60
1.22k
    }
61
1.26k
    ap_strcmp_match(new_str, new_dst);
62
1.26k
    ap_strcasecmp_match(new_str, new_dst);
63
1.26k
    ap_strcasestr(new_str, new_dst);
64
65
1.26k
    apr_interval_time_t timeout;
66
1.26k
    ap_timeout_parameter_parse(new_str, &timeout, "ms");
67
68
1.26k
    new_dst = af_gb_get_null_terminated(&data2, &size2);
69
1.26k
    if (new_dst != NULL) {
70
397
      ap_getparents(new_dst);
71
397
    }
72
73
1.26k
    new_dst = af_gb_get_null_terminated(&data2, &size2);
74
1.26k
    if (new_dst != NULL) {
75
320
      ap_no2slash(new_dst);
76
320
    }
77
78
1.26k
    new_dst = af_gb_get_null_terminated(&data2, &size2);
79
1.26k
    if (new_dst != NULL) {
80
301
      ap_unescape_url(new_dst);
81
301
    }
82
83
1.26k
    new_dst = af_gb_get_null_terminated(&data2, &size2);
84
1.26k
    if (new_dst != NULL) {
85
260
      ap_unescape_urlencoded(new_dst);
86
260
    }
87
88
1.26k
    new_dst = af_gb_get_null_terminated(&data2, &size2);
89
1.26k
    if (new_dst != NULL) {
90
224
      ap_content_type_tolower(new_dst);
91
224
    }
92
93
1.26k
    new_dst = malloc(new_str_len*3+1); // big enough for worst-case URL-escaped (%nn)
94
1.26k
    ap_escape_path_segment_buffer(new_dst, new_str);
95
1.26k
    free(new_dst);
96
97
1.26k
    new_dst = malloc(new_str_len*4+1); // big enough for worst-case log-escaped (\xnn)
98
1.26k
    ap_escape_errorlog_item(new_dst, new_str, new_str_len*4+1);
99
1.26k
    free(new_dst);
100
101
    // Pool initialisation
102
1.26k
    if (apr_pool_initialize() == APR_SUCCESS) {
103
1.26k
      apr_pool_t *pool = NULL;
104
1.26k
      apr_pool_create(&pool, NULL);
105
106
      // Targets that require a pool
107
108
1.26k
      new_dst = af_gb_get_null_terminated(&data2, &size2);
109
1.26k
      if (new_dst != NULL) {
110
208
        ap_make_dirstr_parent(pool, new_dst);
111
208
      }
112
113
1.26k
      ap_field_noparam(pool, new_str);
114
115
1.26k
      ap_escape_shell_cmd(pool, new_str);
116
1.26k
      ap_os_escape_path(pool, new_str, 0);
117
1.26k
      ap_escape_html2(pool, new_str, 0);
118
1.26k
      ap_escape_logitem(pool, new_str);
119
120
      // This line causes some issues if something bad is allocated
121
1.26k
      ap_escape_quotes(pool, new_str);
122
123
      // base64
124
1.26k
      ap_pbase64decode(pool, new_str);
125
1.26k
      ap_pbase64encode(pool, new_str);
126
1.26k
      new_dst = af_gb_get_null_terminated(&data2, &size2);
127
1.26k
      if (new_dst != NULL) {
128
202
        char *d;
129
202
        apr_size_t dlen;
130
202
        ap_pbase64decode_strict(pool, new_dst, &d, &dlen);
131
202
      }
132
133
      // List functions
134
1.26k
      const char *tmp_s = new_str;
135
1.26k
      ap_get_list_item(pool, &tmp_s);
136
1.26k
      ap_find_list_item(pool, new_str, "kjahsdfkj");
137
1.26k
      ap_find_token(pool, new_str, "klsjdfk");
138
1.26k
      ap_find_last_token(pool, new_str, "sdadf");
139
1.26k
      apr_array_header_t *offers = NULL;
140
1.26k
      ap_parse_token_list_strict(pool, new_str, &offers, 0);
141
142
1.26k
      tmp_s = new_str;
143
1.26k
      ap_get_token(pool, &tmp_s, 1);
144
145
1.26k
      tmp_s = NULL;
146
1.26k
      ap_pstr2_alnum(pool, new_str, &tmp_s);
147
148
1.26k
      ap_is_chunked(pool, new_str);
149
150
      // Word functions
151
1.26k
      tmp_s = new_str;
152
1.26k
      ap_getword(pool, &tmp_s, 0);
153
1.26k
      tmp_s = new_str;
154
1.26k
      ap_getword_conf2(pool, &tmp_s);
155
1.26k
      new_dst = af_gb_get_null_terminated(&data2, &size2);
156
1.26k
      if (new_dst != NULL) {
157
167
        char *d = new_dst;
158
167
        ap_getword_white_nc(pool, &d);
159
167
      }
160
161
1.26k
      ap_escape_urlencoded(pool, new_str);
162
163
164
1.26k
      char filename[256];
165
1.26k
      sprintf(filename, "/tmp/libfuzzer.%d", getpid());
166
1.26k
      FILE *fp = fopen(filename, "wb");
167
1.26k
      fwrite(data, size, 1, fp);
168
1.26k
      fclose(fp);
169
170
      // Fuzzer logic here
171
1.26k
      ap_configfile_t *cfg;
172
1.26k
      ap_pcfg_openfile(&cfg, pool, filename);
173
1.26k
      char tmp_line[100];
174
1.26k
      if ((af_get_short(&data2, &size2) % 2) == 0) {
175
1.16k
        ap_cfg_getline(tmp_line, 100, cfg);
176
1.16k
      }
177
104
      else {
178
104
        cfg->getstr = NULL;
179
104
        ap_cfg_getline(tmp_line, 100, cfg);
180
104
      }
181
      // Fuzzer logic end
182
183
1.26k
      unlink(filename);
184
185
      // Cleanup
186
1.26k
      apr_pool_terminate();
187
1.26k
    }
188
1.26k
  }
189
190
  // Cleanup all of the memory allocated by the fuzz headers.
191
1.28k
  af_gb_cleanup();
192
1.28k
  return 0;
193
1.28k
}