/src/curl_fuzzer/curl_fuzzer_tlv.cc
Line | Count | Source (jump to first uncovered line) |
1 | | /*************************************************************************** |
2 | | * _ _ ____ _ |
3 | | * Project ___| | | | _ \| | |
4 | | * / __| | | | |_) | | |
5 | | * | (__| |_| | _ <| |___ |
6 | | * \___|\___/|_| \_\_____| |
7 | | * |
8 | | * Copyright (C) 2017, Max Dymond, <cmeister2@gmail.com>, et al. |
9 | | * |
10 | | * This software is licensed as described in the file COPYING, which |
11 | | * you should have received as part of this distribution. The terms |
12 | | * are also available at https://curl.se/docs/copyright.html. |
13 | | * |
14 | | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
15 | | * copies of the Software, and permit persons to whom the Software is |
16 | | * furnished to do so, under the terms of the COPYING file. |
17 | | * |
18 | | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
19 | | * KIND, either express or implied. |
20 | | * |
21 | | ***************************************************************************/ |
22 | | #include <stdlib.h> |
23 | | #include <string.h> |
24 | | #include <curl/curl.h> |
25 | | #include "curl_fuzzer.h" |
26 | | |
27 | | /** |
28 | | * TLV access function - gets the first TLV from a data stream. |
29 | | */ |
30 | | int fuzz_get_first_tlv(FUZZ_DATA *fuzz, |
31 | | TLV *tlv) |
32 | 7.16k | { |
33 | | /* Reset the cursor. */ |
34 | 7.16k | fuzz->state.data_pos = 0; |
35 | 7.16k | return fuzz_get_tlv_comn(fuzz, tlv); |
36 | 7.16k | } |
37 | | |
38 | | /** |
39 | | * TLV access function - gets the next TLV from a data stream. |
40 | | */ |
41 | | int fuzz_get_next_tlv(FUZZ_DATA *fuzz, |
42 | | TLV *tlv) |
43 | 19.4k | { |
44 | | /* Advance the cursor by the full length of the previous TLV. */ |
45 | 19.4k | fuzz->state.data_pos += sizeof(TLV_RAW) + tlv->length; |
46 | | |
47 | | /* Work out if there's a TLV's worth of data to read */ |
48 | 19.4k | if(fuzz->state.data_pos + sizeof(TLV_RAW) > fuzz->state.data_len) { |
49 | | /* No more TLVs to parse */ |
50 | 4.20k | return TLV_RC_NO_MORE_TLVS; |
51 | 4.20k | } |
52 | | |
53 | 15.2k | return fuzz_get_tlv_comn(fuzz, tlv); |
54 | 19.4k | } |
55 | | |
56 | | /** |
57 | | * Common TLV function for accessing TLVs in a data stream. |
58 | | */ |
59 | | int fuzz_get_tlv_comn(FUZZ_DATA *fuzz, |
60 | | TLV *tlv) |
61 | 22.4k | { |
62 | 22.4k | int rc = 0; |
63 | 22.4k | size_t data_offset; |
64 | 22.4k | TLV_RAW *raw; |
65 | | |
66 | | /* Start by casting the data stream to a TLV. */ |
67 | 22.4k | raw = (TLV_RAW *)&fuzz->state.data[fuzz->state.data_pos]; |
68 | 22.4k | data_offset = fuzz->state.data_pos + sizeof(TLV_RAW); |
69 | | |
70 | | /* Set the TLV values. */ |
71 | 22.4k | tlv->type = to_u16(raw->raw_type); |
72 | 22.4k | tlv->length = to_u32(raw->raw_length); |
73 | 22.4k | tlv->value = &fuzz->state.data[data_offset]; |
74 | | |
75 | 22.4k | FV_PRINTF(fuzz, "TLV: type %x length %u\n", tlv->type, tlv->length); |
76 | | |
77 | | /* Use uint64s to verify lengths of TLVs so that overflow problems don't |
78 | | matter. */ |
79 | 22.4k | uint64_t check_length = data_offset; |
80 | 22.4k | check_length += tlv->length; |
81 | | |
82 | 22.4k | uint64_t remaining_len = fuzz->state.data_len; |
83 | 22.4k | FV_PRINTF(fuzz, "Check length of data: %" PRIu64 " \n", check_length); |
84 | 22.4k | FV_PRINTF(fuzz, "Remaining length of data: %" PRIu64 " \n", remaining_len); |
85 | | |
86 | | /* Sanity check that the TLV length is ok. */ |
87 | 22.4k | if(check_length > remaining_len) { |
88 | 584 | FV_PRINTF(fuzz, "Returning TLV_RC_SIZE_ERROR\n"); |
89 | 584 | rc = TLV_RC_SIZE_ERROR; |
90 | 584 | } |
91 | | |
92 | 22.4k | return rc; |
93 | 22.4k | } |
94 | | |
95 | | /** |
96 | | * Do different actions on the CURL handle for different received TLVs. |
97 | | */ |
98 | | int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv) |
99 | 20.7k | { |
100 | 20.7k | int rc; |
101 | 20.7k | char *tmp = NULL; |
102 | 20.7k | uint32_t tmp_u32; |
103 | 20.7k | curl_slist *new_list; |
104 | | |
105 | 20.7k | switch(tlv->type) { |
106 | | /* The pointers in response TLVs will always be valid as long as the fuzz |
107 | | data is in scope, which is the entirety of this file. */ |
108 | 205 | FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE0, 0); |
109 | 206 | FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE1, 1); |
110 | 196 | FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE2, 2); |
111 | 204 | FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE3, 3); |
112 | 195 | FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE4, 4); |
113 | 201 | FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE5, 5); |
114 | 232 | FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE6, 6); |
115 | 205 | FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE7, 7); |
116 | 203 | FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE8, 8); |
117 | 197 | FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE9, 9); |
118 | 208 | FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE10, 10); |
119 | | |
120 | 206 | FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE0, 0); |
121 | 194 | FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE1, 1); |
122 | | |
123 | 25 | case TLV_TYPE_UPLOAD1: |
124 | | /* The pointers in the TLV will always be valid as long as the fuzz data |
125 | | is in scope, which is the entirety of this file. */ |
126 | | |
127 | 25 | FCHECK_OPTION_UNSET(fuzz, CURLOPT_UPLOAD); |
128 | | |
129 | 24 | fuzz->upload1_data = tlv->value; |
130 | 24 | fuzz->upload1_data_len = tlv->length; |
131 | | |
132 | 24 | FSET_OPTION(fuzz, CURLOPT_UPLOAD, 1L); |
133 | 24 | FSET_OPTION(fuzz, |
134 | 24 | CURLOPT_INFILESIZE_LARGE, |
135 | 24 | (curl_off_t)fuzz->upload1_data_len); |
136 | 24 | break; |
137 | | |
138 | 1.68k | case TLV_TYPE_HEADER: |
139 | | /* Limit the number of headers that can be added to a message to prevent |
140 | | timeouts. */ |
141 | 1.68k | if(fuzz->header_list_count >= TLV_MAX_NUM_CURLOPT_HEADER) { |
142 | 0 | rc = 255; |
143 | 0 | goto EXIT_LABEL; |
144 | 0 | } |
145 | | |
146 | 1.68k | tmp = fuzz_tlv_to_string(tlv); |
147 | 1.68k | if (tmp == NULL) { |
148 | | // keep on despite allocation failure |
149 | 0 | break; |
150 | 0 | } |
151 | 1.68k | new_list = curl_slist_append(fuzz->header_list, tmp); |
152 | 1.68k | if (new_list == NULL) { |
153 | 0 | break; |
154 | 0 | } |
155 | 1.68k | fuzz->header_list = new_list; |
156 | 1.68k | fuzz->header_list_count++; |
157 | 1.68k | break; |
158 | | |
159 | 6.39k | case TLV_TYPE_MAIL_RECIPIENT: |
160 | | /* Limit the number of headers that can be added to a message to prevent |
161 | | timeouts. */ |
162 | 6.39k | if(fuzz->header_list_count >= TLV_MAX_NUM_CURLOPT_HEADER) { |
163 | 0 | rc = 255; |
164 | 0 | goto EXIT_LABEL; |
165 | 0 | } |
166 | 6.39k | tmp = fuzz_tlv_to_string(tlv); |
167 | 6.39k | if (tmp == NULL) { |
168 | | // keep on despite allocation failure |
169 | 0 | break; |
170 | 0 | } |
171 | 6.39k | new_list = curl_slist_append(fuzz->mail_recipients_list, tmp); |
172 | 6.39k | if (new_list != NULL) { |
173 | 6.39k | fuzz->mail_recipients_list = new_list; |
174 | 6.39k | fuzz->header_list_count++; |
175 | 6.39k | } |
176 | 6.39k | break; |
177 | | |
178 | 3.84k | case TLV_TYPE_MIME_PART: |
179 | 3.84k | if(fuzz->mime == NULL) { |
180 | 282 | fuzz->mime = curl_mime_init(fuzz->easy); |
181 | 282 | } |
182 | | |
183 | 3.84k | fuzz->part = curl_mime_addpart(fuzz->mime); |
184 | | |
185 | | /* This TLV may have sub TLVs. */ |
186 | 3.84k | fuzz_add_mime_part(tlv, fuzz->part); |
187 | | |
188 | 3.84k | break; |
189 | | |
190 | 8 | case TLV_TYPE_POSTFIELDS: |
191 | 8 | FCHECK_OPTION_UNSET(fuzz, CURLOPT_POSTFIELDS); |
192 | 7 | fuzz->postfields = fuzz_tlv_to_string(tlv); |
193 | 7 | FSET_OPTION(fuzz, CURLOPT_POSTFIELDS, fuzz->postfields); |
194 | 7 | break; |
195 | | |
196 | 18 | case TLV_TYPE_HTTPPOSTBODY: |
197 | 18 | FCHECK_OPTION_UNSET(fuzz, CURLOPT_HTTPPOST); |
198 | 17 | fuzz_setup_http_post(fuzz, tlv); |
199 | 17 | FSET_OPTION(fuzz, CURLOPT_HTTPPOST, fuzz->httppost); |
200 | 17 | break; |
201 | | |
202 | | /* Define a set of u32 options. */ |
203 | 82 | FU32TLV(fuzz, TLV_TYPE_HTTPAUTH, CURLOPT_HTTPAUTH); |
204 | 15 | FU32TLV(fuzz, TLV_TYPE_OPTHEADER, CURLOPT_HEADER); |
205 | 21 | FU32TLV(fuzz, TLV_TYPE_NOBODY, CURLOPT_NOBODY); |
206 | 101 | FU32TLV(fuzz, TLV_TYPE_FOLLOWLOCATION, CURLOPT_FOLLOWLOCATION); |
207 | 17 | FU32TLV(fuzz, TLV_TYPE_WILDCARDMATCH, CURLOPT_WILDCARDMATCH); |
208 | 99 | FU32TLV(fuzz, TLV_TYPE_RTSP_REQUEST, CURLOPT_RTSP_REQUEST); |
209 | 26 | FU32TLV(fuzz, TLV_TYPE_RTSP_CLIENT_CSEQ, CURLOPT_RTSP_CLIENT_CSEQ); |
210 | 149 | FU32TLV(fuzz, TLV_TYPE_HTTP_VERSION, CURLOPT_HTTP_VERSION); |
211 | 121 | FU32TLV(fuzz, TLV_TYPE_NETRC, CURLOPT_NETRC); |
212 | 21 | FU32TLV(fuzz, TLV_TYPE_WS_OPTIONS, CURLOPT_WS_OPTIONS); |
213 | 93 | FU32TLV(fuzz, TLV_TYPE_CONNECT_ONLY, CURLOPT_CONNECT_ONLY); |
214 | 18 | FU32TLV(fuzz, TLV_TYPE_POST, CURLOPT_POST); |
215 | 57 | FU32TLV(fuzz, TLV_TYPE_PROXYTYPE, CURLOPT_PROXYTYPE); |
216 | 157 | FU32TLV(fuzz, TLV_TYPE_PORT, CURLOPT_PORT); |
217 | 99 | FU32TLV(fuzz, TLV_TYPE_LOW_SPEED_LIMIT, CURLOPT_LOW_SPEED_LIMIT); |
218 | 43 | FU32TLV(fuzz, TLV_TYPE_LOW_SPEED_TIME, CURLOPT_LOW_SPEED_TIME); |
219 | 113 | FU32TLV(fuzz, TLV_TYPE_RESUME_FROM, CURLOPT_RESUME_FROM); |
220 | 11 | FU32TLV(fuzz, TLV_TYPE_TIMEVALUE, CURLOPT_TIMEVALUE); |
221 | 15 | FU32TLV(fuzz, TLV_TYPE_NOPROGRESS, CURLOPT_NOPROGRESS); |
222 | 11 | FU32TLV(fuzz, TLV_TYPE_FAILONERROR, CURLOPT_FAILONERROR); |
223 | 19 | FU32TLV(fuzz, TLV_TYPE_DIRLISTONLY, CURLOPT_DIRLISTONLY); |
224 | 36 | FU32TLV(fuzz, TLV_TYPE_APPEND, CURLOPT_APPEND); |
225 | 18 | FU32TLV(fuzz, TLV_TYPE_TRANSFERTEXT, CURLOPT_TRANSFERTEXT); |
226 | 11 | FU32TLV(fuzz, TLV_TYPE_AUTOREFERER, CURLOPT_AUTOREFERER); |
227 | 94 | FU32TLV(fuzz, TLV_TYPE_PROXYPORT, CURLOPT_PROXYPORT); |
228 | | // too easy for API misuse FU32TLV(fuzz, TLV_TYPE_POSTFIELDSIZE, CURLOPT_POSTFIELDSIZE); |
229 | 15 | FU32TLV(fuzz, TLV_TYPE_HTTPPROXYTUNNEL, CURLOPT_HTTPPROXYTUNNEL); |
230 | 21 | FU32TLV(fuzz, TLV_TYPE_SSL_VERIFYPEER, CURLOPT_SSL_VERIFYPEER); |
231 | 113 | FU32TLV(fuzz, TLV_TYPE_MAXREDIRS, CURLOPT_MAXREDIRS); |
232 | 16 | FU32TLV(fuzz, TLV_TYPE_FILETIME, CURLOPT_FILETIME); |
233 | 140 | FU32TLV(fuzz, TLV_TYPE_MAXCONNECTS, CURLOPT_MAXCONNECTS); |
234 | 21 | FU32TLV(fuzz, TLV_TYPE_FRESH_CONNECT, CURLOPT_FRESH_CONNECT); |
235 | 22 | FU32TLV(fuzz, TLV_TYPE_FORBID_REUSE, CURLOPT_FORBID_REUSE); |
236 | 160 | FU32TLV(fuzz, TLV_TYPE_CONNECTTIMEOUT, CURLOPT_CONNECTTIMEOUT); |
237 | 24 | FU32TLV(fuzz, TLV_TYPE_HTTPGET, CURLOPT_HTTPGET); |
238 | 16 | FU32TLV(fuzz, TLV_TYPE_SSL_VERIFYHOST, CURLOPT_SSL_VERIFYHOST); |
239 | 19 | FU32TLV(fuzz, TLV_TYPE_FTP_USE_EPSV, CURLOPT_FTP_USE_EPSV); |
240 | 26 | FU32TLV(fuzz, TLV_TYPE_SSLENGINE_DEFAULT, CURLOPT_SSLENGINE_DEFAULT); |
241 | 140 | FU32TLV(fuzz, TLV_TYPE_DNS_CACHE_TIMEOUT, CURLOPT_DNS_CACHE_TIMEOUT); |
242 | 13 | FU32TLV(fuzz, TLV_TYPE_COOKIESESSION, CURLOPT_COOKIESESSION); |
243 | 129 | FU32TLV(fuzz, TLV_TYPE_BUFFERSIZE, CURLOPT_BUFFERSIZE); |
244 | 10 | FU32TLV(fuzz, TLV_TYPE_NOSIGNAL, CURLOPT_NOSIGNAL); |
245 | 21 | FU32TLV(fuzz, TLV_TYPE_UNRESTRICTED_AUTH, CURLOPT_UNRESTRICTED_AUTH); |
246 | 24 | FU32TLV(fuzz, TLV_TYPE_FTP_USE_EPRT, CURLOPT_FTP_USE_EPRT); |
247 | 124 | FU32TLV(fuzz, TLV_TYPE_FTP_CREATE_MISSING_DIRS, CURLOPT_FTP_CREATE_MISSING_DIRS); |
248 | 97 | FU32TLV(fuzz, TLV_TYPE_MAXFILESIZE, CURLOPT_MAXFILESIZE); |
249 | 16 | FU32TLV(fuzz, TLV_TYPE_TCP_NODELAY, CURLOPT_TCP_NODELAY); |
250 | 10 | FU32TLV(fuzz, TLV_TYPE_IGNORE_CONTENT_LENGTH, CURLOPT_IGNORE_CONTENT_LENGTH); |
251 | 18 | FU32TLV(fuzz, TLV_TYPE_FTP_SKIP_PASV_IP, CURLOPT_FTP_SKIP_PASV_IP); |
252 | 166 | FU32TLV(fuzz, TLV_TYPE_LOCALPORT, CURLOPT_LOCALPORT); |
253 | 146 | FU32TLV(fuzz, TLV_TYPE_LOCALPORTRANGE, CURLOPT_LOCALPORTRANGE); |
254 | 16 | FU32TLV(fuzz, TLV_TYPE_SSL_SESSIONID_CACHE, CURLOPT_SSL_SESSIONID_CACHE); |
255 | 121 | FU32TLV(fuzz, TLV_TYPE_FTP_SSL_CCC, CURLOPT_FTP_SSL_CCC); |
256 | 110 | FU32TLV(fuzz, TLV_TYPE_CONNECTTIMEOUT_MS, CURLOPT_CONNECTTIMEOUT_MS); |
257 | 21 | FU32TLV(fuzz, TLV_TYPE_HTTP_TRANSFER_DECODING, CURLOPT_HTTP_TRANSFER_DECODING); |
258 | 11 | FU32TLV(fuzz, TLV_TYPE_HTTP_CONTENT_DECODING, CURLOPT_HTTP_CONTENT_DECODING); |
259 | 149 | FU32TLV(fuzz, TLV_TYPE_NEW_FILE_PERMS, CURLOPT_NEW_FILE_PERMS); |
260 | 15 | FU32TLV(fuzz, TLV_TYPE_NEW_DIRECTORY_PERMS, CURLOPT_NEW_DIRECTORY_PERMS); |
261 | 104 | FU32TLV(fuzz, TLV_TYPE_PROXY_TRANSFER_MODE, CURLOPT_PROXY_TRANSFER_MODE); |
262 | 133 | FU32TLV(fuzz, TLV_TYPE_ADDRESS_SCOPE, CURLOPT_ADDRESS_SCOPE); |
263 | 20 | FU32TLV(fuzz, TLV_TYPE_CERTINFO, CURLOPT_CERTINFO); |
264 | 171 | FU32TLV(fuzz, TLV_TYPE_TFTP_BLKSIZE, CURLOPT_TFTP_BLKSIZE); |
265 | 5 | FU32TLV(fuzz, TLV_TYPE_SOCKS5_GSSAPI_NEC, CURLOPT_SOCKS5_GSSAPI_NEC); |
266 | 14 | FU32TLV(fuzz, TLV_TYPE_FTP_USE_PRET, CURLOPT_FTP_USE_PRET); |
267 | 21 | FU32TLV(fuzz, TLV_TYPE_RTSP_SERVER_CSEQ, CURLOPT_RTSP_SERVER_CSEQ); |
268 | 22 | FU32TLV(fuzz, TLV_TYPE_TRANSFER_ENCODING, CURLOPT_TRANSFER_ENCODING); |
269 | 96 | FU32TLV(fuzz, TLV_TYPE_ACCEPTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS); |
270 | 14 | FU32TLV(fuzz, TLV_TYPE_TCP_KEEPALIVE, CURLOPT_TCP_KEEPALIVE); |
271 | 149 | FU32TLV(fuzz, TLV_TYPE_TCP_KEEPIDLE, CURLOPT_TCP_KEEPIDLE); |
272 | 174 | FU32TLV(fuzz, TLV_TYPE_TCP_KEEPINTVL, CURLOPT_TCP_KEEPINTVL); |
273 | 20 | FU32TLV(fuzz, TLV_TYPE_SASL_IR, CURLOPT_SASL_IR); |
274 | 21 | FU32TLV(fuzz, TLV_TYPE_SSL_ENABLE_ALPN, CURLOPT_SSL_ENABLE_ALPN); |
275 | 107 | FU32TLV(fuzz, TLV_TYPE_EXPECT_100_TIMEOUT_MS, CURLOPT_EXPECT_100_TIMEOUT_MS); |
276 | 28 | FU32TLV(fuzz, TLV_TYPE_SSL_VERIFYSTATUS, CURLOPT_SSL_VERIFYSTATUS); |
277 | 6 | FU32TLV(fuzz, TLV_TYPE_SSL_FALSESTART, CURLOPT_SSL_FALSESTART); |
278 | 13 | FU32TLV(fuzz, TLV_TYPE_PATH_AS_IS, CURLOPT_PATH_AS_IS); |
279 | 22 | FU32TLV(fuzz, TLV_TYPE_PIPEWAIT, CURLOPT_PIPEWAIT); |
280 | 145 | FU32TLV(fuzz, TLV_TYPE_STREAM_WEIGHT, CURLOPT_STREAM_WEIGHT); |
281 | 18 | FU32TLV(fuzz, TLV_TYPE_TFTP_NO_OPTIONS, CURLOPT_TFTP_NO_OPTIONS); |
282 | 12 | FU32TLV(fuzz, TLV_TYPE_TCP_FASTOPEN, CURLOPT_TCP_FASTOPEN); |
283 | 21 | FU32TLV(fuzz, TLV_TYPE_KEEP_SENDING_ON_ERROR, CURLOPT_KEEP_SENDING_ON_ERROR); |
284 | 22 | FU32TLV(fuzz, TLV_TYPE_PROXY_SSL_VERIFYPEER, CURLOPT_PROXY_SSL_VERIFYPEER); |
285 | 34 | FU32TLV(fuzz, TLV_TYPE_PROXY_SSL_VERIFYHOST, CURLOPT_PROXY_SSL_VERIFYHOST); |
286 | 10 | FU32TLV(fuzz, TLV_TYPE_PROXY_SSL_OPTIONS, CURLOPT_PROXY_SSL_OPTIONS); |
287 | 15 | FU32TLV(fuzz, TLV_TYPE_SUPPRESS_CONNECT_HEADERS, CURLOPT_SUPPRESS_CONNECT_HEADERS); |
288 | 70 | FU32TLV(fuzz, TLV_TYPE_SOCKS5_AUTH, CURLOPT_SOCKS5_AUTH); |
289 | 8 | FU32TLV(fuzz, TLV_TYPE_SSH_COMPRESSION, CURLOPT_SSH_COMPRESSION); |
290 | 93 | FU32TLV(fuzz, TLV_TYPE_HAPPY_EYEBALLS_TIMEOUT_MS, CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS); |
291 | 10 | FU32TLV(fuzz, TLV_TYPE_HAPROXYPROTOCOL, CURLOPT_HAPROXYPROTOCOL); |
292 | 23 | FU32TLV(fuzz, TLV_TYPE_DNS_SHUFFLE_ADDRESSES, CURLOPT_DNS_SHUFFLE_ADDRESSES); |
293 | 12 | FU32TLV(fuzz, TLV_TYPE_DISALLOW_USERNAME_IN_URL, CURLOPT_DISALLOW_USERNAME_IN_URL); |
294 | 181 | FU32TLV(fuzz, TLV_TYPE_UPLOAD_BUFFERSIZE, CURLOPT_UPLOAD_BUFFERSIZE); |
295 | 97 | FU32TLV(fuzz, TLV_TYPE_UPKEEP_INTERVAL_MS, CURLOPT_UPKEEP_INTERVAL_MS); |
296 | 20 | FU32TLV(fuzz, TLV_TYPE_HTTP09_ALLOWED, CURLOPT_HTTP09_ALLOWED); |
297 | 19 | FU32TLV(fuzz, TLV_TYPE_ALTSVC_CTRL, CURLOPT_ALTSVC_CTRL); |
298 | 153 | FU32TLV(fuzz, TLV_TYPE_MAXAGE_CONN, CURLOPT_MAXAGE_CONN); |
299 | 19 | FU32TLV(fuzz, TLV_TYPE_MAIL_RCPT_ALLOWFAILS, CURLOPT_MAIL_RCPT_ALLOWFAILS); |
300 | 26 | FU32TLV(fuzz, TLV_TYPE_HSTS_CTRL, CURLOPT_HSTS_CTRL); |
301 | 20 | FU32TLV(fuzz, TLV_TYPE_DOH_SSL_VERIFYPEER, CURLOPT_DOH_SSL_VERIFYPEER); |
302 | 15 | FU32TLV(fuzz, TLV_TYPE_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYHOST); |
303 | 16 | FU32TLV(fuzz, TLV_TYPE_DOH_SSL_VERIFYSTATUS, CURLOPT_DOH_SSL_VERIFYSTATUS); |
304 | 166 | FU32TLV(fuzz, TLV_TYPE_MAXLIFETIME_CONN, CURLOPT_MAXLIFETIME_CONN); |
305 | 19 | FU32TLV(fuzz, TLV_TYPE_MIME_OPTIONS, CURLOPT_MIME_OPTIONS); |
306 | 180 | FU32TLV(fuzz, TLV_TYPE_CA_CACHE_TIMEOUT, CURLOPT_CA_CACHE_TIMEOUT); |
307 | 34 | FU32TLV(fuzz, TLV_TYPE_QUICK_EXIT, CURLOPT_QUICK_EXIT); |
308 | 107 | FU32TLV(fuzz, TLV_TYPE_SERVER_RESPONSE_TIMEOUT_MS, CURLOPT_SERVER_RESPONSE_TIMEOUT_MS); |
309 | 173 | FU32TLV(fuzz, TLV_TYPE_TCP_KEEPCNT, CURLOPT_TCP_KEEPCNT); |
310 | 70 | FU32TLV(fuzz, TLV_TYPE_SSLVERSION, CURLOPT_SSLVERSION); |
311 | 128 | FU32TLV(fuzz, TLV_TYPE_TIMECONDITION, CURLOPT_TIMECONDITION); |
312 | 92 | FU32TLV(fuzz, TLV_TYPE_PROXYAUTH, CURLOPT_PROXYAUTH); |
313 | 96 | FU32TLV(fuzz, TLV_TYPE_IPRESOLVE, CURLOPT_IPRESOLVE); |
314 | 119 | FU32TLV(fuzz, TLV_TYPE_USE_SSL, CURLOPT_USE_SSL); |
315 | 119 | FU32TLV(fuzz, TLV_TYPE_FTPSSLAUTH, CURLOPT_FTPSSLAUTH); |
316 | 135 | FU32TLV(fuzz, TLV_TYPE_FTP_FILEMETHOD, CURLOPT_FTP_FILEMETHOD); |
317 | 8 | FU32TLV(fuzz, TLV_TYPE_SSH_AUTH_TYPES, CURLOPT_SSH_AUTH_TYPES); |
318 | 106 | FU32TLV(fuzz, TLV_TYPE_POSTREDIR, CURLOPT_POSTREDIR); |
319 | 6 | FU32TLV(fuzz, TLV_TYPE_GSSAPI_DELEGATION, CURLOPT_GSSAPI_DELEGATION); |
320 | 22 | FU32TLV(fuzz, TLV_TYPE_SSL_OPTIONS, CURLOPT_SSL_OPTIONS); |
321 | 10 | FU32TLV(fuzz, TLV_TYPE_HEADEROPT, CURLOPT_HEADEROPT); |
322 | 77 | FU32TLV(fuzz, TLV_TYPE_PROXY_SSLVERSION, CURLOPT_PROXY_SSLVERSION); |
323 | 107 | FU32TLV(fuzz, TLV_TYPE_RESUME_FROM_LARGE, CURLOPT_RESUME_FROM_LARGE); |
324 | 107 | FU32TLV(fuzz, TLV_TYPE_MAXFILESIZE_LARGE, CURLOPT_MAXFILESIZE_LARGE); |
325 | | // too easy for API misuse FU32TLV(fuzz, TLV_TYPE_POSTFIELDSIZE_LARGE, CURLOPT_POSTFIELDSIZE_LARGE); |
326 | 81 | FU32TLV(fuzz, TLV_TYPE_MAX_SEND_SPEED_LARGE, CURLOPT_MAX_SEND_SPEED_LARGE); |
327 | 111 | FU32TLV(fuzz, TLV_TYPE_MAX_RECV_SPEED_LARGE, CURLOPT_MAX_RECV_SPEED_LARGE); |
328 | 20 | FU32TLV(fuzz, TLV_TYPE_TIMEVALUE_LARGE, CURLOPT_TIMEVALUE_LARGE); |
329 | | |
330 | | /* Define a set of singleton TLVs - they can only have their value set once |
331 | | and all follow the same pattern. */ |
332 | 87 | FSINGLETONTLV(fuzz, TLV_TYPE_URL, CURLOPT_URL); |
333 | 13 | FSINGLETONTLV(fuzz, TLV_TYPE_DOH_URL, CURLOPT_DOH_URL); |
334 | 13 | FSINGLETONTLV(fuzz, TLV_TYPE_USERNAME, CURLOPT_USERNAME); |
335 | 13 | FSINGLETONTLV(fuzz, TLV_TYPE_PASSWORD, CURLOPT_PASSWORD); |
336 | 13 | FSINGLETONTLV(fuzz, TLV_TYPE_COOKIE, CURLOPT_COOKIE); |
337 | 15 | FSINGLETONTLV(fuzz, TLV_TYPE_RANGE, CURLOPT_RANGE); |
338 | 11 | FSINGLETONTLV(fuzz, TLV_TYPE_CUSTOMREQUEST, CURLOPT_CUSTOMREQUEST); |
339 | 15 | FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_FROM, CURLOPT_MAIL_FROM); |
340 | 29 | FSINGLETONTLV(fuzz, TLV_TYPE_ACCEPTENCODING, CURLOPT_ACCEPT_ENCODING); |
341 | 17 | FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_SESSION_ID, CURLOPT_RTSP_SESSION_ID); |
342 | 19 | FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_STREAM_URI, CURLOPT_RTSP_STREAM_URI); |
343 | 15 | FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_TRANSPORT, CURLOPT_RTSP_TRANSPORT); |
344 | 9 | FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_AUTH, CURLOPT_MAIL_AUTH); |
345 | 13 | FSINGLETONTLV(fuzz, TLV_TYPE_LOGIN_OPTIONS, CURLOPT_LOGIN_OPTIONS); |
346 | 9 | FSINGLETONTLV(fuzz, TLV_TYPE_XOAUTH2_BEARER, CURLOPT_XOAUTH2_BEARER); |
347 | 15 | FSINGLETONTLV(fuzz, TLV_TYPE_USERPWD, CURLOPT_USERPWD); |
348 | 11 | FSINGLETONTLV(fuzz, TLV_TYPE_USERAGENT, CURLOPT_USERAGENT); |
349 | 6 | FSINGLETONTLV(fuzz, TLV_TYPE_SSH_HOST_PUBLIC_KEY_SHA256, CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256); |
350 | 7 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY, CURLOPT_PROXY); |
351 | 307 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXYUSERPWD, CURLOPT_PROXYUSERPWD); |
352 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_REFERER, CURLOPT_REFERER); |
353 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_FTPPORT, CURLOPT_FTPPORT); |
354 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_SSLCERT, CURLOPT_SSLCERT); |
355 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_KEYPASSWD, CURLOPT_KEYPASSWD); |
356 | 237 | FSINGLETONTLV(fuzz, TLV_TYPE_INTERFACE, CURLOPT_INTERFACE); |
357 | 4 | FSINGLETONTLV(fuzz, TLV_TYPE_KRBLEVEL, CURLOPT_KRBLEVEL); |
358 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_CAINFO, CURLOPT_CAINFO); |
359 | 15 | FSINGLETONTLV(fuzz, TLV_TYPE_SSL_CIPHER_LIST, CURLOPT_SSL_CIPHER_LIST); |
360 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_SSLCERTTYPE, CURLOPT_SSLCERTTYPE); |
361 | 7 | FSINGLETONTLV(fuzz, TLV_TYPE_SSLKEY, CURLOPT_SSLKEY); |
362 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_SSLKEYTYPE, CURLOPT_SSLKEYTYPE); |
363 | 459 | FSINGLETONTLV(fuzz, TLV_TYPE_SSLENGINE, CURLOPT_SSLENGINE); |
364 | 9 | FSINGLETONTLV(fuzz, TLV_TYPE_CAPATH, CURLOPT_CAPATH); |
365 | 7 | FSINGLETONTLV(fuzz, TLV_TYPE_FTP_ACCOUNT, CURLOPT_FTP_ACCOUNT); |
366 | 3.78k | FSINGLETONTLV(fuzz, TLV_TYPE_COOKIELIST, CURLOPT_COOKIELIST); |
367 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_ALTERNATIVE_TO_USER); |
368 | 2 | FSINGLETONTLV(fuzz, TLV_TYPE_SSH_PUBLIC_KEYFILE, CURLOPT_SSH_PUBLIC_KEYFILE); |
369 | 2 | FSINGLETONTLV(fuzz, TLV_TYPE_SSH_PRIVATE_KEYFILE, CURLOPT_SSH_PRIVATE_KEYFILE); |
370 | 2 | FSINGLETONTLV(fuzz, TLV_TYPE_SSH_HOST_PUBLIC_KEY_MD5, CURLOPT_SSH_HOST_PUBLIC_KEY_MD5); |
371 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_ISSUERCERT, CURLOPT_ISSUERCERT); |
372 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXYUSERNAME, CURLOPT_PROXYUSERNAME); |
373 | 7 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXYPASSWORD, CURLOPT_PROXYPASSWORD); |
374 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_NOPROXY, CURLOPT_NOPROXY); |
375 | 2 | FSINGLETONTLV(fuzz, TLV_TYPE_SSH_KNOWNHOSTS, CURLOPT_SSH_KNOWNHOSTS); |
376 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_TLSAUTH_USERNAME, CURLOPT_TLSAUTH_USERNAME); |
377 | 7 | FSINGLETONTLV(fuzz, TLV_TYPE_TLSAUTH_PASSWORD, CURLOPT_TLSAUTH_PASSWORD); |
378 | 9 | FSINGLETONTLV(fuzz, TLV_TYPE_TLSAUTH_TYPE, CURLOPT_TLSAUTH_TYPE); |
379 | 2 | FSINGLETONTLV(fuzz, TLV_TYPE_DNS_SERVERS, CURLOPT_DNS_SERVERS); |
380 | 2 | FSINGLETONTLV(fuzz, TLV_TYPE_DNS_INTERFACE, CURLOPT_DNS_INTERFACE); |
381 | 4 | FSINGLETONTLV(fuzz, TLV_TYPE_DNS_LOCAL_IP4, CURLOPT_DNS_LOCAL_IP4); |
382 | 2 | FSINGLETONTLV(fuzz, TLV_TYPE_DNS_LOCAL_IP6, CURLOPT_DNS_LOCAL_IP6); |
383 | 7 | FSINGLETONTLV(fuzz, TLV_TYPE_PINNEDPUBLICKEY, CURLOPT_PINNEDPUBLICKEY); |
384 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_UNIX_SOCKET_PATH, CURLOPT_UNIX_SOCKET_PATH); |
385 | 7 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_SERVICE_NAME, CURLOPT_PROXY_SERVICE_NAME); |
386 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_SERVICE_NAME, CURLOPT_SERVICE_NAME); |
387 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_DEFAULT_PROTOCOL, CURLOPT_DEFAULT_PROTOCOL); |
388 | 7 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_CAINFO, CURLOPT_PROXY_CAINFO); |
389 | 9 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_CAPATH, CURLOPT_PROXY_CAPATH); |
390 | 9 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_TLSAUTH_USERNAME, CURLOPT_PROXY_TLSAUTH_USERNAME); |
391 | 7 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_TLSAUTH_PASSWORD, CURLOPT_PROXY_TLSAUTH_PASSWORD); |
392 | 9 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_TLSAUTH_TYPE, CURLOPT_PROXY_TLSAUTH_TYPE); |
393 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_SSLCERT, CURLOPT_PROXY_SSLCERT); |
394 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_SSLCERTTYPE, CURLOPT_PROXY_SSLCERTTYPE); |
395 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_SSLKEY, CURLOPT_PROXY_SSLKEY); |
396 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_SSLKEYTYPE, CURLOPT_PROXY_SSLKEYTYPE); |
397 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_KEYPASSWD, CURLOPT_PROXY_KEYPASSWD); |
398 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_SSL_CIPHER_LIST, CURLOPT_PROXY_SSL_CIPHER_LIST); |
399 | 7 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_CRLFILE, CURLOPT_PROXY_CRLFILE); |
400 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_PRE_PROXY, CURLOPT_PRE_PROXY); |
401 | 11 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_PINNEDPUBLICKEY, CURLOPT_PROXY_PINNEDPUBLICKEY); |
402 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_ABSTRACT_UNIX_SOCKET, CURLOPT_ABSTRACT_UNIX_SOCKET); |
403 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_REQUEST_TARGET, CURLOPT_REQUEST_TARGET); |
404 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_TLS13_CIPHERS, CURLOPT_TLS13_CIPHERS); |
405 | 9 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_TLS13_CIPHERS, CURLOPT_PROXY_TLS13_CIPHERS); |
406 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_SASL_AUTHZID, CURLOPT_SASL_AUTHZID); |
407 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_PROXY_ISSUERCERT, CURLOPT_PROXY_ISSUERCERT); |
408 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_SSL_EC_CURVES, CURLOPT_SSL_EC_CURVES); |
409 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_AWS_SIGV4, CURLOPT_AWS_SIGV4); |
410 | 117 | FSINGLETONTLV(fuzz, TLV_TYPE_REDIR_PROTOCOLS_STR, CURLOPT_REDIR_PROTOCOLS_STR); |
411 | 5 | FSINGLETONTLV(fuzz, TLV_TYPE_HAPROXY_CLIENT_IP, CURLOPT_HAPROXY_CLIENT_IP); |
412 | 4 | FSINGLETONTLV(fuzz, TLV_TYPE_ECH, CURLOPT_ECH); |
413 | 35 | default: |
414 | | /* The fuzzer generates lots of unknown TLVs - we don't want these in the |
415 | | corpus so we reject any unknown TLVs. */ |
416 | 35 | rc = 127; |
417 | 35 | goto EXIT_LABEL; |
418 | 0 | break; |
419 | 20.7k | } |
420 | | |
421 | 18.5k | rc = 0; |
422 | | |
423 | 20.7k | EXIT_LABEL: |
424 | | |
425 | 20.7k | fuzz_free((void **)&tmp); |
426 | | |
427 | 20.7k | return rc; |
428 | 18.5k | } |
429 | | |
430 | | /** |
431 | | * Converts a TLV data and length into an allocated string. |
432 | | */ |
433 | | char *fuzz_tlv_to_string(TLV *tlv) |
434 | 11.0k | { |
435 | 11.0k | char *tlvstr; |
436 | | |
437 | | /* Allocate enough space, plus a null terminator */ |
438 | 11.0k | tlvstr = (char *)malloc(tlv->length + 1); |
439 | | |
440 | 11.0k | if(tlvstr != NULL) { |
441 | 11.0k | memcpy(tlvstr, tlv->value, tlv->length); |
442 | 11.0k | tlvstr[tlv->length] = 0; |
443 | 11.0k | } |
444 | | |
445 | 11.0k | return tlvstr; |
446 | 11.0k | } |
447 | | |
448 | | /* set up for CURLOPT_HTTPPOST, an alternative API to CURLOPT_MIMEPOST */ |
449 | | void fuzz_setup_http_post(FUZZ_DATA *fuzz, TLV *tlv) |
450 | 17 | { |
451 | 17 | if (fuzz->httppost == NULL) { |
452 | 17 | struct curl_httppost *post = NULL; |
453 | 17 | struct curl_httppost *last = NULL; |
454 | | |
455 | 17 | fuzz->post_body = fuzz_tlv_to_string(tlv); |
456 | 17 | if (fuzz->post_body == NULL) { |
457 | 0 | return; |
458 | 0 | } |
459 | | |
460 | | /* This is just one of several possible entrypoints to |
461 | | * the HTTPPOST API. see https://curl.se/libcurl/c/curl_formadd.html |
462 | | * for lots of others which could be added here. |
463 | | */ |
464 | 17 | curl_formadd(&post, &last, |
465 | 17 | CURLFORM_COPYNAME, FUZZ_HTTPPOST_NAME, |
466 | 17 | CURLFORM_PTRCONTENTS, fuzz->post_body, |
467 | 17 | CURLFORM_CONTENTLEN, (curl_off_t) strlen(fuzz->post_body), |
468 | 17 | CURLFORM_END); |
469 | | |
470 | 17 | fuzz->last_post_part = last; |
471 | 17 | fuzz->httppost = post; |
472 | 17 | } |
473 | | |
474 | 17 | return; |
475 | 17 | } |
476 | | |
477 | | /** |
478 | | * Extract the values from the TLV. |
479 | | */ |
480 | | int fuzz_add_mime_part(TLV *src_tlv, curl_mimepart *part) |
481 | 3.84k | { |
482 | 3.84k | FUZZ_DATA part_fuzz; |
483 | 3.84k | TLV tlv; |
484 | 3.84k | int rc = 0; |
485 | 3.84k | int tlv_rc; |
486 | | |
487 | 3.84k | memset(&part_fuzz, 0, sizeof(FUZZ_DATA)); |
488 | | |
489 | 3.84k | if(src_tlv->length < sizeof(TLV_RAW)) { |
490 | | /* Not enough data for a single TLV - don't continue */ |
491 | 2.78k | goto EXIT_LABEL; |
492 | 2.78k | } |
493 | | |
494 | | /* Set up the state parser */ |
495 | 1.06k | part_fuzz.state.data = src_tlv->value; |
496 | 1.06k | part_fuzz.state.data_len = src_tlv->length; |
497 | | |
498 | 1.06k | for(tlv_rc = fuzz_get_first_tlv(&part_fuzz, &tlv); |
499 | 1.92k | tlv_rc == 0; |
500 | 1.09k | tlv_rc = fuzz_get_next_tlv(&part_fuzz, &tlv)) { |
501 | | |
502 | | /* Have the TLV in hand. Parse the TLV. */ |
503 | 1.09k | rc = fuzz_parse_mime_tlv(part, &tlv); |
504 | | |
505 | 1.09k | if(rc != 0) { |
506 | | /* Failed to parse the TLV. Can't continue. */ |
507 | 231 | goto EXIT_LABEL; |
508 | 231 | } |
509 | 1.09k | } |
510 | | |
511 | 830 | if(tlv_rc != TLV_RC_NO_MORE_TLVS) { |
512 | | /* A TLV call failed. Can't continue. */ |
513 | 488 | goto EXIT_LABEL; |
514 | 488 | } |
515 | | |
516 | 3.84k | EXIT_LABEL: |
517 | | |
518 | 3.84k | return(rc); |
519 | 830 | } |
520 | | |
521 | | /** |
522 | | * Do different actions on the mime part for different received TLVs. |
523 | | */ |
524 | | int fuzz_parse_mime_tlv(curl_mimepart *part, TLV *tlv) |
525 | 1.09k | { |
526 | 1.09k | int rc; |
527 | 1.09k | char *tmp; |
528 | | |
529 | 1.09k | switch(tlv->type) { |
530 | 201 | case TLV_TYPE_MIME_PART_NAME: |
531 | 201 | tmp = fuzz_tlv_to_string(tlv); |
532 | 201 | curl_mime_name(part, tmp); |
533 | 201 | fuzz_free((void **)&tmp); |
534 | 201 | break; |
535 | | |
536 | 662 | case TLV_TYPE_MIME_PART_DATA: |
537 | 662 | curl_mime_data(part, (const char *)tlv->value, tlv->length); |
538 | 662 | break; |
539 | | |
540 | 231 | default: |
541 | | /* The fuzzer generates lots of unknown TLVs - we don't want these in the |
542 | | corpus so we reject any unknown TLVs. */ |
543 | 231 | rc = 255; |
544 | 231 | goto EXIT_LABEL; |
545 | 0 | break; |
546 | 1.09k | } |
547 | | |
548 | 863 | rc = 0; |
549 | | |
550 | 1.09k | EXIT_LABEL: |
551 | | |
552 | 1.09k | return rc; |
553 | 863 | } |