/src/curl_fuzzer/curl_fuzzer_tlv.cc
1 | | /*************************************************************************** |
2 | | * _ _ ____ _ |
3 | | * Project ___| | | | _ \| | |
4 | | * / __| | | | |_) | | |
5 | | * | (__| |_| | _ <| |___ |
6 | | * \___|\___/|_| \_\_____| |
7 | | * |
8 | | * Copyright (C) 2017, Max Dymond, <cmeister2@gmail.com>, et al. |
9 | | * |
10 | | * This software is licensed as described in the file COPYING, which |
11 | | * you should have received as part of this distribution. The terms |
12 | | * are also available at https://curl.se/docs/copyright.html. |
13 | | * |
14 | | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
15 | | * copies of the Software, and permit persons to whom the Software is |
16 | | * furnished to do so, under the terms of the COPYING file. |
17 | | * |
18 | | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
19 | | * KIND, either express or implied. |
20 | | * |
21 | | ***************************************************************************/ |
22 | | #include <stdlib.h> |
23 | | #include <string.h> |
24 | | #include <curl/curl.h> |
25 | | #include "curl_fuzzer.h" |
26 | | |
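/**
 * TLV access function - gets the first TLV from a data stream.
 *
 * Resets the parse cursor to the start of fuzz->state.data and decodes the
 * TLV header found there into @p tlv.
 *
 * @param fuzz  Fuzzer state; fuzz->state.data / data_len describe the stream.
 * @param tlv   Receives the decoded type, length and value pointer.
 * @return 0 on success; TLV_RC_NO_MORE_TLVS if the stream is too short to
 *         hold even a TLV header; otherwise whatever fuzz_get_tlv_comn
 *         returns (TLV_RC_SIZE_ERROR when the declared length overruns the
 *         stream).
 */
int fuzz_get_first_tlv(FUZZ_DATA *fuzz,
                       TLV *tlv)
{
  /* Reset the cursor. */
  fuzz->state.data_pos = 0;

  /* fuzz_get_tlv_comn reads sizeof(TLV_RAW) header bytes at data_pos without
     checking, so refuse a stream that cannot hold a header. This mirrors the
     bounds check fuzz_get_next_tlv performs before advancing. */
  if(fuzz->state.data_len < sizeof(TLV_RAW)) {
    return TLV_RC_NO_MORE_TLVS;
  }

  return fuzz_get_tlv_comn(fuzz, tlv);
}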
37 | | |
/**
 * TLV access function - gets the next TLV from a data stream.
 *
 * Moves the cursor past the TLV previously returned in @p tlv (its fixed
 * header plus its payload) and decodes the header that follows.
 *
 * @param fuzz  Fuzzer state holding the stream and the cursor.
 * @param tlv   On entry the previously decoded TLV (its length is used to
 *              advance); on success overwritten with the next one.
 * @return 0 on success, TLV_RC_NO_MORE_TLVS once a full header no longer
 *         fits, or the result of fuzz_get_tlv_comn.
 */
int fuzz_get_next_tlv(FUZZ_DATA *fuzz,
                      TLV *tlv)
{
  /* Skip the previous TLV in one step: header size plus declared length. */
  fuzz->state.data_pos += sizeof(TLV_RAW) + tlv->length;

  /* Another TLV can only be decoded if a complete header still fits. */
  if(fuzz->state.data_pos + sizeof(TLV_RAW) <= fuzz->state.data_len) {
    return fuzz_get_tlv_comn(fuzz, tlv);
  }

  /* No more TLVs to parse */
  return TLV_RC_NO_MORE_TLVS;
}
55 | | |
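/**
 * Common TLV function for accessing TLVs in a data stream.
 *
 * Decodes the TLV header at fuzz->state.data_pos and validates that the
 * declared payload fits inside the stream.
 *
 * Precondition: the caller has already verified that at least sizeof(TLV_RAW)
 * bytes are available at data_pos; the header is read here without a check.
 *
 * @param fuzz  Fuzzer state holding the stream and the cursor.
 * @param tlv   Receives type, length and a pointer into the stream for the
 *              value. Only trust tlv->value / tlv->length when 0 is returned.
 * @return 0 on success, TLV_RC_SIZE_ERROR if the declared length runs past
 *         the end of the stream.
 */
int fuzz_get_tlv_comn(FUZZ_DATA *fuzz,
                      TLV *tlv)
{
  int rc = 0;
  size_t data_offset;
  TLV_RAW *raw;

  /* Start by casting the data stream to a TLV. */
  raw = (TLV_RAW *)&fuzz->state.data[fuzz->state.data_pos];
  data_offset = fuzz->state.data_pos + sizeof(TLV_RAW);

  /* Set the TLV values. */
  tlv->type = to_u16(raw->raw_type);
  tlv->length = to_u32(raw->raw_length);
  tlv->value = &fuzz->state.data[data_offset];

  FV_PRINTF(fuzz, "TLV: type %x length %u\n", (unsigned)tlv->type,
            tlv->length);

  /* Use uint64s to verify lengths of TLVs so that overflow problems don't
     matter. */
  uint64_t check_length = data_offset;
  check_length += tlv->length;

  uint64_t remaining_len = fuzz->state.data_len;

  /* uint64_t is not "unsigned long" on every target, so %lu is not a portable
     specifier for it; cast to unsigned long long and use %llu instead. */
  FV_PRINTF(fuzz, "Check length of data: %llu \n",
            (unsigned long long)check_length);
  FV_PRINTF(fuzz, "Remaining length of data: %llu \n",
            (unsigned long long)remaining_len);

  /* Sanity check that the TLV length is ok. */
  if(check_length > remaining_len) {
    FV_PRINTF(fuzz, "Returning TLV_RC_SIZE_ERROR\n");
    rc = TLV_RC_SIZE_ERROR;
  }

  return rc;
}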
94 | | |
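/**
 * Do different actions on the CURL handle for different received TLVs.
 *
 * Dispatches on tlv->type: response payloads go to the socket managers,
 * scalar options go through the FU32TLV / FSINGLETONTLV helpers, and the
 * list-valued options (headers, mail recipients) are appended to their
 * curl_slist.
 *
 * @param fuzz  Fuzzer state owning the easy handle and all option storage.
 * @param tlv   TLV to apply. Pointers stored from it (upload1_data) point into
 *              the fuzz input, which stays valid for the whole run.
 * @return 0 on success, 127 for an unknown TLV type, 255 for a rejected TLV
 *         (header limit reached, or a string/list allocation failed). The
 *         helper macros come from curl_fuzzer.h and may leave through
 *         EXIT_LABEL with their own codes.
 */
int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv)
{
  int rc;
  char *tmp = NULL;
  /* Scratch presumably used by the FU32TLV expansions below; keep declared. */
  uint32_t tmp_u32;
  struct curl_slist *appended = NULL;

  switch(tlv->type) {
    /* The pointers in response TLVs will always be valid as long as the fuzz
       data is in scope, which is the entirety of this file. */
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE0, 0);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE1, 1);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE2, 2);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE3, 3);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE4, 4);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE5, 5);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE6, 6);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE7, 7);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE8, 8);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE9, 9);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE10, 10);

    FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE0, 0);
    FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE1, 1);

    case TLV_TYPE_UPLOAD1:
      /* The pointers in the TLV will always be valid as long as the fuzz data
         is in scope, which is the entirety of this file. */

      FCHECK_OPTION_UNSET(fuzz, CURLOPT_UPLOAD);

      fuzz->upload1_data = tlv->value;
      fuzz->upload1_data_len = tlv->length;

      FSET_OPTION(fuzz, CURLOPT_UPLOAD, 1L);
      FSET_OPTION(fuzz,
                  CURLOPT_INFILESIZE_LARGE,
                  (curl_off_t)fuzz->upload1_data_len);
      break;

    case TLV_TYPE_HEADER:
      /* Limit the number of headers that can be added to a message to prevent
         timeouts. */
      if(fuzz->header_list_count >= TLV_MAX_NUM_CURLOPT_HEADER) {
        rc = 255;
        goto EXIT_LABEL;
      }

      tmp = fuzz_tlv_to_string(tlv);
      if(tmp == NULL) {
        /* Allocation failed; never hand a NULL string to curl_slist_append. */
        rc = 255;
        goto EXIT_LABEL;
      }

      /* curl_slist_append returns NULL on failure. Assigning that straight
         into fuzz->header_list would drop (and leak) every header appended so
         far, so only replace the list pointer on success. */
      appended = curl_slist_append(fuzz->header_list, tmp);
      if(appended == NULL) {
        rc = 255;
        goto EXIT_LABEL;
      }
      fuzz->header_list = appended;
      fuzz->header_list_count++;
      break;

    case TLV_TYPE_MAIL_RECIPIENT:
      tmp = fuzz_tlv_to_string(tlv);
      if(tmp == NULL) {
        rc = 255;
        goto EXIT_LABEL;
      }

      /* Same list-preserving append as for TLV_TYPE_HEADER. */
      appended = curl_slist_append(fuzz->mail_recipients_list, tmp);
      if(appended == NULL) {
        rc = 255;
        goto EXIT_LABEL;
      }
      fuzz->mail_recipients_list = appended;
      break;

    case TLV_TYPE_MIME_PART:
      if(fuzz->mime == NULL) {
        fuzz->mime = curl_mime_init(fuzz->easy);
      }

      fuzz->part = curl_mime_addpart(fuzz->mime);

      /* This TLV may have sub TLVs. The return value is intentionally not
         checked: a malformed part is not a reason to reject the input. */
      fuzz_add_mime_part(tlv, fuzz->part);

      break;

    case TLV_TYPE_POSTFIELDS:
      FCHECK_OPTION_UNSET(fuzz, CURLOPT_POSTFIELDS);
      /* Ownership of the string stays with fuzz (freed with the rest of the
         state); libcurl only keeps the pointer. */
      fuzz->postfields = fuzz_tlv_to_string(tlv);
      FSET_OPTION(fuzz, CURLOPT_POSTFIELDS, fuzz->postfields);
      break;

    case TLV_TYPE_HTTPPOSTBODY:
      FCHECK_OPTION_UNSET(fuzz, CURLOPT_HTTPPOST);
      fuzz_setup_http_post(fuzz, tlv);
      FSET_OPTION(fuzz, CURLOPT_HTTPPOST, fuzz->httppost);
      break;

    /* Define a set of u32 options. */
    FU32TLV(fuzz, TLV_TYPE_HTTPAUTH, CURLOPT_HTTPAUTH);
    FU32TLV(fuzz, TLV_TYPE_OPTHEADER, CURLOPT_HEADER);
    FU32TLV(fuzz, TLV_TYPE_NOBODY, CURLOPT_NOBODY);
    FU32TLV(fuzz, TLV_TYPE_FOLLOWLOCATION, CURLOPT_FOLLOWLOCATION);
    FU32TLV(fuzz, TLV_TYPE_WILDCARDMATCH, CURLOPT_WILDCARDMATCH);
    FU32TLV(fuzz, TLV_TYPE_RTSP_REQUEST, CURLOPT_RTSP_REQUEST);
    FU32TLV(fuzz, TLV_TYPE_RTSP_CLIENT_CSEQ, CURLOPT_RTSP_CLIENT_CSEQ);
    FU32TLV(fuzz, TLV_TYPE_HTTP_VERSION, CURLOPT_HTTP_VERSION);
    FU32TLV(fuzz, TLV_TYPE_NETRC, CURLOPT_NETRC);
    FU32TLV(fuzz, TLV_TYPE_WS_OPTIONS, CURLOPT_WS_OPTIONS);
    FU32TLV(fuzz, TLV_TYPE_CONNECT_ONLY, CURLOPT_CONNECT_ONLY);
    FU32TLV(fuzz, TLV_TYPE_POST, CURLOPT_POST);

    /* Define a set of singleton TLVs - they can only have their value set once
       and all follow the same pattern. */
    FSINGLETONTLV(fuzz, TLV_TYPE_URL, CURLOPT_URL);
    FSINGLETONTLV(fuzz, TLV_TYPE_DOH_URL, CURLOPT_DOH_URL);
    FSINGLETONTLV(fuzz, TLV_TYPE_USERNAME, CURLOPT_USERNAME);
    FSINGLETONTLV(fuzz, TLV_TYPE_PASSWORD, CURLOPT_PASSWORD);
    FSINGLETONTLV(fuzz, TLV_TYPE_COOKIE, CURLOPT_COOKIE);
    FSINGLETONTLV(fuzz, TLV_TYPE_RANGE, CURLOPT_RANGE);
    FSINGLETONTLV(fuzz, TLV_TYPE_CUSTOMREQUEST, CURLOPT_CUSTOMREQUEST);
    FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_FROM, CURLOPT_MAIL_FROM);
    FSINGLETONTLV(fuzz, TLV_TYPE_ACCEPTENCODING, CURLOPT_ACCEPT_ENCODING);
    FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_SESSION_ID, CURLOPT_RTSP_SESSION_ID);
    FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_STREAM_URI, CURLOPT_RTSP_STREAM_URI);
    FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_TRANSPORT, CURLOPT_RTSP_TRANSPORT);
    FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_AUTH, CURLOPT_MAIL_AUTH);
    FSINGLETONTLV(fuzz, TLV_TYPE_LOGIN_OPTIONS, CURLOPT_LOGIN_OPTIONS);
    FSINGLETONTLV(fuzz, TLV_TYPE_XOAUTH2_BEARER, CURLOPT_XOAUTH2_BEARER);
    FSINGLETONTLV(fuzz, TLV_TYPE_USERPWD, CURLOPT_USERPWD);
    FSINGLETONTLV(fuzz, TLV_TYPE_USERAGENT, CURLOPT_USERAGENT);
    FSINGLETONTLV(fuzz, TLV_TYPE_SSH_HOST_PUBLIC_KEY_SHA256, CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256);
    FSINGLETONTLV(fuzz, TLV_TYPE_HSTS, CURLOPT_HSTS);

    default:
      /* The fuzzer generates lots of unknown TLVs - we don't want these in the
         corpus so we reject any unknown TLVs. */
      rc = 127;
      goto EXIT_LABEL;
      break;
  }

  rc = 0;

EXIT_LABEL:

  /* curl_slist_append copies the string, so the temporary is always ours to
     free here (fuzz_free tolerates NULL). */
  fuzz_free((void **)&tmp);

  return rc;
}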
232 | | |
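/**
 * Converts a TLV data and length into an allocated string.
 *
 * Copies tlv->length bytes of tlv->value into a fresh heap buffer and
 * NUL-terminates it. The payload is arbitrary fuzz data and may contain
 * embedded NULs, so callers that treat the result as a C string see it
 * truncated at the first one.
 *
 * @param tlv  TLV whose value is copied; tlv->value must point at
 *             tlv->length readable bytes.
 * @return Newly allocated buffer of tlv->length + 1 bytes owned by the caller
 *         (this file releases it with fuzz_free), or NULL if allocation fails.
 */
char *fuzz_tlv_to_string(TLV *tlv)
{
  char *tlvstr;

  /* Widen before adding the terminator: tlv->length is a 32-bit value (it is
     filled from to_u32), so "length + 1" in 32-bit arithmetic wraps to 0 at
     UINT32_MAX, giving a zero-byte allocation followed by an oversized
     memcpy. On a 64-bit size_t the widened sum cannot wrap. */
  const size_t alloc_len = (size_t)tlv->length + 1;

  /* Allocate enough space, plus a null terminator */
  tlvstr = (char *)malloc(alloc_len);

  if(tlvstr != NULL) {
    memcpy(tlvstr, tlv->value, tlv->length);
    tlvstr[tlv->length] = 0;
  }

  return tlvstr;
}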
250 | | |
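/* set up for CURLOPT_HTTPPOST, an alternative API to CURLOPT_MIMEPOST */
/**
 * Build a single-part curl_httppost chain from the TLV payload.
 *
 * Only the first call has an effect: if fuzz->httppost is already set the
 * TLV is ignored. The body string is kept in fuzz->post_body because
 * CURLFORM_PTRCONTENTS makes libcurl reference the buffer rather than copy
 * it, so it must outlive the form (ownership stays with the fuzzer state).
 * CURLFORM_CONTENTLEN is derived with strlen, so the content ends at the
 * first NUL in the payload.
 *
 * @param fuzz  Fuzzer state; receives httppost and last_post_part on success
 *              and is left untouched on failure, so the caller's
 *              FSET_OPTION(CURLOPT_HTTPPOST) then passes NULL.
 * @param tlv   TLV whose value becomes the form contents.
 */
void fuzz_setup_http_post(FUZZ_DATA *fuzz, TLV *tlv)
{
  struct curl_httppost *post = NULL;
  struct curl_httppost *last = NULL;

  if(fuzz->httppost != NULL) {
    return;
  }

  fuzz->post_body = fuzz_tlv_to_string(tlv);
  if(fuzz->post_body == NULL) {
    /* Allocation failed; strlen(NULL) below would be undefined behaviour. */
    return;
  }

  /* This is just one of several possible entrypoints to
   * the HTTPPOST API. see https://curl.se/libcurl/c/curl_formadd.html
   * for lots of others which could be added here.
   */
  if(curl_formadd(&post, &last,
                  CURLFORM_COPYNAME, FUZZ_HTTPPOST_NAME,
                  CURLFORM_PTRCONTENTS, fuzz->post_body,
                  CURLFORM_CONTENTLEN, (curl_off_t) strlen(fuzz->post_body),
                  CURLFORM_END) != CURL_FORMADD_OK) {
    /* Don't publish a chain that libcurl reported as not built; post/last
       are expected to be left untouched by libcurl on failure. */
    return;
  }

  fuzz->last_post_part = last;
  fuzz->httppost = post;
}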
276 | | |
/**
 * Extract the values from the TLV.
 *
 * The payload of a TLV_TYPE_MIME_PART TLV is itself a TLV stream; walk it with
 * a private FUZZ_DATA cursor and apply each sub-TLV to @p part.
 *
 * @param src_tlv  Outer TLV whose value/length bound the nested stream.
 * @param part     Mime part the nested TLVs configure.
 * @return 0 when every sub-TLV was accepted (or the payload is too short to
 *         hold any), otherwise the first non-zero result of
 *         fuzz_parse_mime_tlv.
 */
int fuzz_add_mime_part(TLV *src_tlv, curl_mimepart *part)
{
  FUZZ_DATA part_fuzz;
  TLV tlv;
  int tlv_rc;

  memset(&part_fuzz, 0, sizeof(FUZZ_DATA));

  /* Not enough data for a single TLV - don't continue */
  if(src_tlv->length < sizeof(TLV_RAW)) {
    return 0;
  }

  /* Point the private parser at the nested stream. */
  part_fuzz.state.data = src_tlv->value;
  part_fuzz.state.data_len = src_tlv->length;

  tlv_rc = fuzz_get_first_tlv(&part_fuzz, &tlv);
  while(tlv_rc == 0) {
    /* Have the TLV in hand. Parse the TLV; stop at the first rejection. */
    int rc = fuzz_parse_mime_tlv(part, &tlv);
    if(rc != 0) {
      return rc;
    }
    tlv_rc = fuzz_get_next_tlv(&part_fuzz, &tlv);
  }

  /* NOTE(review): if the walk ended on a framing error (tlv_rc is
     TLV_RC_SIZE_ERROR rather than TLV_RC_NO_MORE_TLVS) the result is still 0,
     matching the existing behaviour; fuzz_parse_tlv ignores this return value
     anyway. */
  return 0;
}
320 | | |
/**
 * Do different actions on the mime part for different received TLVs.
 *
 * @param part  Mime part to configure.
 * @param tlv   Sub-TLV taken from a TLV_TYPE_MIME_PART payload.
 * @return 0 for a recognised TLV (the libcurl result is not checked),
 *         255 for any other type so the input is kept out of the corpus.
 */
int fuzz_parse_mime_tlv(curl_mimepart *part, TLV *tlv)
{
  char *name;

  if(tlv->type == TLV_TYPE_MIME_PART_NAME) {
    /* The temporary is released right after the call, which relies on
       libcurl keeping its own copy of the name. */
    name = fuzz_tlv_to_string(tlv);
    curl_mime_name(part, name);
    fuzz_free((void **)&name);
    return 0;
  }

  if(tlv->type == TLV_TYPE_MIME_PART_DATA) {
    /* Raw bytes with an explicit length, so embedded NULs survive here. */
    curl_mime_data(part, (const char *)tlv->value, tlv->length);
    return 0;
  }

  /* The fuzzer generates lots of unknown TLVs - we don't want these in the
     corpus so we reject any unknown TLVs. */
  return 255;
}