/src/curl_fuzzer/curl_fuzzer_callback.cc

Source (jump to first uncovered line)
/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 2017, Max Dymond, <cmeister2@gmail.com>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 ***************************************************************************/

#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/un.h>
#include <curl/curl.h>
#include "curl_fuzzer.h"

/**
 * Define a macro which checks to see that allocated file descriptors are
 * valid and won't cause issue with FD_SETs.  Taken from lib/select.h
 */
#define FUZZ_VALID_SOCK(s) (((s) >= 0) && ((s) < FD_SETSIZE))

/**
 * Function for providing a socket to CURL already primed with data.
 */
curl_socket_t fuzz_open_socket(void *ptr,
                               curlsocktype purpose,
                               struct curl_sockaddr *address)
{
  FUZZ_DATA *fuzz = (FUZZ_DATA *)ptr;
  int fds[2];
  int flags;
  int status;
  const uint8_t *data;
  size_t data_len;
  struct sockaddr_un client_addr;
  FUZZ_SOCKET_MANAGER *sman;

  /* Handle unused parameters */
  (void)purpose;
  (void)address;

  if(fuzz->sockman[0].fd_state != FUZZ_SOCK_CLOSED &&
     fuzz->sockman[1].fd_state != FUZZ_SOCK_CLOSED) {
    /* Both sockets have already been opened. */
    return CURL_SOCKET_BAD;
  }
  else if(fuzz->sockman[0].fd_state != FUZZ_SOCK_CLOSED) {
    sman = &fuzz->sockman[1];
  }
  else {
    FV_PRINTF(fuzz, "FUZZ: Using socket manager 0 \n");
    sman = &fuzz->sockman[0];
  }
  FV_PRINTF(fuzz, "FUZZ[%d]: Using socket manager %d \n",
            sman->index,
            sman->index);

  if(socketpair(AF_UNIX, SOCK_STREAM, 0, fds)) {
    /* Failed to create a pair of sockets. */
    return CURL_SOCKET_BAD;
  }

  if(!FUZZ_VALID_SOCK(fds[0]) || !FUZZ_VALID_SOCK(fds[1])) {
    /* One or more of the file descriptors is too large to fit in an fd_set,
       so reject it here. Print out a message because this ought to be quite
       rare. */
    printf("FUZZ[%d]: Not using file descriptors %d,%d as FD_SETSIZE is %d\n",
           sman->index,
           fds[0],
           fds[1],
           FD_SETSIZE);

    /* Close the file descriptors so they don't leak. */
    close(fds[0]);
    close(fds[1]);

    return CURL_SOCKET_BAD;
  }

  /* Make the server non-blocking. */
  flags = fcntl(fds[0], F_GETFL, 0);
  status = fcntl(fds[0], F_SETFL, flags | O_NONBLOCK);

  if(status == -1) {
    /* Close the file descriptors so they don't leak. */
    close(fds[0]);
    close(fds[1]);

    /* Setting non-blocking failed. Return a negative response code. */
    return CURL_SOCKET_BAD;
  }

  /* At this point, the file descriptors in hand should be good enough to
     work with. */
  sman->fd = fds[0];
  sman->fd_state = FUZZ_SOCK_OPEN;

  /* If the server should be sending data immediately, send it here. */
  data = sman->responses[0].data;
  data_len = sman->responses[0].data_len;

  if(data != NULL) {
    FV_PRINTF(fuzz, "FUZZ[%d]: Sending initial response \n", sman->index);

    if(write(sman->fd, data, data_len) != (ssize_t)data_len) {
      /* Close the file descriptors so they don't leak. */
      close(sman->fd);
      sman->fd = -1;

      close(fds[1]);

      /* Failed to write all of the response data. */
      return CURL_SOCKET_BAD;
    }
  }

  /* Check to see if the socket should be shut down immediately. */
  if(sman->responses[1].data == NULL) {
    FV_PRINTF(fuzz,
              "FUZZ[%d]: Shutting down server socket: %d \n",
              sman->index,
              sman->fd);
    shutdown(sman->fd, SHUT_WR);
    sman->fd_state = FUZZ_SOCK_SHUTDOWN;
  }

  /* Return the other half of the socket pair. */
  return fds[1];
}

/**
 * Callback function for setting socket options on the sockets created by
 * fuzz_open_socket. In our testbed the sockets are "already connected".
 */
int fuzz_sockopt_callback(void *ptr,
                          curl_socket_t curlfd,
                          curlsocktype purpose)
{
  (void)ptr;
  (void)curlfd;
  (void)purpose;

  return CURL_SOCKOPT_ALREADY_CONNECTED;
}

/**
 * Callback function for doing data uploads.
 */
size_t fuzz_read_callback(char *buffer,
                          size_t size,
                          size_t nitems,
                          void *ptr)
{
  FUZZ_DATA *fuzz = (FUZZ_DATA *)ptr;
  size_t remaining_data;
  size_t buffer_size = size * nitems;

  /* If no upload data has been specified, then return an error code. */
  if(fuzz->upload1_data_len == 0) {
    /* No data to upload */
    return CURL_READFUNC_ABORT;
  }

  /* Work out how much data is remaining to upload. */
  remaining_data = fuzz->upload1_data_len - fuzz->upload1_data_written;

  /* Respect the buffer size that libcurl is giving us! */
  if(remaining_data > buffer_size) {
    remaining_data = buffer_size;
  }

  if(remaining_data > 0) {
    FV_PRINTF(fuzz,
              "FUZZ: Uploading %zu bytes from position %zu \n",
              remaining_data,
              fuzz->upload1_data_written);

    /* Send the upload data. */
    memcpy(buffer,
           &fuzz->upload1_data[fuzz->upload1_data_written],
           remaining_data);

    /* Increase the count of written data */
    fuzz->upload1_data_written += remaining_data;
  }

  return(remaining_data);
}

/**
 * Callback function for handling data output quietly.
 */
size_t fuzz_write_callback(void *contents,
                           size_t size,
                           size_t nmemb,
                           void *ptr)
{
  size_t total = size * nmemb;
  FUZZ_DATA *fuzz = (FUZZ_DATA *)ptr;
  size_t copy_len = total;

  /* Restrict copy_len to at most TEMP_WRITE_ARRAY_SIZE. */
  if(copy_len > TEMP_WRITE_ARRAY_SIZE) {
    copy_len = TEMP_WRITE_ARRAY_SIZE;
  }

  /* Copy bytes to the temp store just to ensure the parameters are
     exercised. */
  memcpy(fuzz->write_array, contents, copy_len);

  /* Add on the total to the count. If it exceeds the maximum then return
     zero to the caller so that the transfer is terminated early. */
  fuzz->written_data += total;

  if(fuzz->written_data > MAXIMUM_WRITE_LENGTH) {
    FV_PRINTF(fuzz,
              "FUZZ: Exceeded maximum write length (%lu) \n",
              fuzz->written_data);
    total = 0;
  }

  return total;
}

Coverage Report

Created: 2023-03-26 06:11

Line	Count	Source (jump to first uncovered line)
1		/***************************************************************************
2		* _ _ ____ _
3		* Project ___\| \| \| \| _ \\| \|
4		* / __\| \| \| \| \|_) \| \|
5		* \| (__\| \|_\| \| _ <\| \|___
6		* \___\|\___/\|_\| \_\_____\|
7		*
8		* Copyright (C) 2017, Max Dymond, <cmeister2@gmail.com>, et al.
9		*
10		* This software is licensed as described in the file COPYING, which
11		* you should have received as part of this distribution. The terms
12		* are also available at https://curl.se/docs/copyright.html.
13		*
14		* You may opt to use, copy, modify, merge, publish, distribute and/or sell
15		* copies of the Software, and permit persons to whom the Software is
16		* furnished to do so, under the terms of the COPYING file.
17		*
18		* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19		* KIND, either express or implied.
20		*
21		***************************************************************************/
22
23		#include <fcntl.h>
24		#include <string.h>
25		#include <unistd.h>
26		#include <sys/un.h>
27		#include <curl/curl.h>
28		#include "curl_fuzzer.h"
29
30		/**
31		* Define a macro which checks to see that allocated file descriptors are
32		* valid and won't cause issue with FD_SETs. Taken from lib/select.h
33		*/
34	0	#define FUZZ_VALID_SOCK(s) (((s) >= 0) && ((s) < FD_SETSIZE))
35
36		/**
37		* Function for providing a socket to CURL already primed with data.
38		*/
39		curl_socket_t fuzz_open_socket(void *ptr,
40		curlsocktype purpose,
41		struct curl_sockaddr *address)
42	0	{
43	0	FUZZ_DATA fuzz = (FUZZ_DATA )ptr;
44	0	int fds[2];
45	0	int flags;
46	0	int status;
47	0	const uint8_t *data;
48	0	size_t data_len;
49	0	struct sockaddr_un client_addr;
50	0	FUZZ_SOCKET_MANAGER *sman;
51
52		/* Handle unused parameters */
53	0	(void)purpose;
54	0	(void)address;
55
56	0	if(fuzz->sockman[0].fd_state != FUZZ_SOCK_CLOSED &&
57	0	fuzz->sockman[1].fd_state != FUZZ_SOCK_CLOSED) {
58		/* Both sockets have already been opened. */
59	0	return CURL_SOCKET_BAD;
60	0	}
61	0	else if(fuzz->sockman[0].fd_state != FUZZ_SOCK_CLOSED) {
62	0	sman = &fuzz->sockman[1];
63	0	}
64	0	else {
65	0	FV_PRINTF(fuzz, "FUZZ: Using socket manager 0 \n");
66	0	sman = &fuzz->sockman[0];
67	0	}
68	0	FV_PRINTF(fuzz, "FUZZ[%d]: Using socket manager %d \n",
69	0	sman->index,
70	0	sman->index);
71
72	0	if(socketpair(AF_UNIX, SOCK_STREAM, 0, fds)) {
73		/* Failed to create a pair of sockets. */
74	0	return CURL_SOCKET_BAD;
75	0	}
76
77	0	if(!FUZZ_VALID_SOCK(fds[0]) \|\| !FUZZ_VALID_SOCK(fds[1])) {
78		/* One or more of the file descriptors is too large to fit in an fd_set,
79		so reject it here. Print out a message because this ought to be quite
80		rare. */
81	0	printf("FUZZ[%d]: Not using file descriptors %d,%d as FD_SETSIZE is %d\n",
82	0	sman->index,
83	0	fds[0],
84	0	fds[1],
85	0	FD_SETSIZE);
86
87		/* Close the file descriptors so they don't leak. */
88	0	close(fds[0]);
89	0	close(fds[1]);
90
91	0	return CURL_SOCKET_BAD;
92	0	}
93
94		/* Make the server non-blocking. */
95	0	flags = fcntl(fds[0], F_GETFL, 0);
96	0	status = fcntl(fds[0], F_SETFL, flags \| O_NONBLOCK);
97
98	0	if(status == -1) {
99		/* Close the file descriptors so they don't leak. */
100	0	close(fds[0]);
101	0	close(fds[1]);
102
103		/* Setting non-blocking failed. Return a negative response code. */
104	0	return CURL_SOCKET_BAD;
105	0	}
106
107		/* At this point, the file descriptors in hand should be good enough to
108		work with. */
109	0	sman->fd = fds[0];
110	0	sman->fd_state = FUZZ_SOCK_OPEN;
111
112		/* If the server should be sending data immediately, send it here. */
113	0	data = sman->responses[0].data;
114	0	data_len = sman->responses[0].data_len;
115
116	0	if(data != NULL) {
117	0	FV_PRINTF(fuzz, "FUZZ[%d]: Sending initial response \n", sman->index);
118
119	0	if(write(sman->fd, data, data_len) != (ssize_t)data_len) {
120		/* Close the file descriptors so they don't leak. */
121	0	close(sman->fd);
122	0	sman->fd = -1;
123
124	0	close(fds[1]);
125
126		/* Failed to write all of the response data. */
127	0	return CURL_SOCKET_BAD;
128	0	}
129	0	}
130
131		/* Check to see if the socket should be shut down immediately. */
132	0	if(sman->responses[1].data == NULL) {
133	0	FV_PRINTF(fuzz,
134	0	"FUZZ[%d]: Shutting down server socket: %d \n",
135	0	sman->index,
136	0	sman->fd);
137	0	shutdown(sman->fd, SHUT_WR);
138	0	sman->fd_state = FUZZ_SOCK_SHUTDOWN;
139	0	}
140
141		/* Return the other half of the socket pair. */
142	0	return fds[1];
143	0	}
144
145		/**
146		* Callback function for setting socket options on the sockets created by
147		* fuzz_open_socket. In our testbed the sockets are "already connected".
148		*/
149		int fuzz_sockopt_callback(void *ptr,
150		curl_socket_t curlfd,
151		curlsocktype purpose)
152	0	{
153	0	(void)ptr;
154	0	(void)curlfd;
155	0	(void)purpose;
156
157	0	return CURL_SOCKOPT_ALREADY_CONNECTED;
158	0	}
159
160		/**
161		* Callback function for doing data uploads.
162		*/
163		size_t fuzz_read_callback(char *buffer,
164		size_t size,
165		size_t nitems,
166		void *ptr)
167	0	{
168	0	FUZZ_DATA fuzz = (FUZZ_DATA )ptr;
169	0	size_t remaining_data;
170	0	size_t buffer_size = size * nitems;
171
172		/* If no upload data has been specified, then return an error code. */
173	0	if(fuzz->upload1_data_len == 0) {
174		/* No data to upload */
175	0	return CURL_READFUNC_ABORT;
176	0	}
177
178		/* Work out how much data is remaining to upload. */
179	0	remaining_data = fuzz->upload1_data_len - fuzz->upload1_data_written;
180
181		/* Respect the buffer size that libcurl is giving us! */
182	0	if(remaining_data > buffer_size) {
183	0	remaining_data = buffer_size;
184	0	}
185
186	0	if(remaining_data > 0) {
187	0	FV_PRINTF(fuzz,
188	0	"FUZZ: Uploading %zu bytes from position %zu \n",
189	0	remaining_data,
190	0	fuzz->upload1_data_written);
191
192		/* Send the upload data. */
193	0	memcpy(buffer,
194	0	&fuzz->upload1_data[fuzz->upload1_data_written],
195	0	remaining_data);
196
197		/* Increase the count of written data */
198	0	fuzz->upload1_data_written += remaining_data;
199	0	}
200
201	0	return(remaining_data);
202	0	}
203
204		/**
205		* Callback function for handling data output quietly.
206		*/
207		size_t fuzz_write_callback(void *contents,
208		size_t size,
209		size_t nmemb,
210		void *ptr)
211	0	{
212	0	size_t total = size * nmemb;
213	0	FUZZ_DATA fuzz = (FUZZ_DATA )ptr;
214	0	size_t copy_len = total;
215
216		/* Restrict copy_len to at most TEMP_WRITE_ARRAY_SIZE. */
217	0	if(copy_len > TEMP_WRITE_ARRAY_SIZE) {
218	0	copy_len = TEMP_WRITE_ARRAY_SIZE;
219	0	}
220
221		/* Copy bytes to the temp store just to ensure the parameters are
222		exercised. */
223	0	memcpy(fuzz->write_array, contents, copy_len);
224
225		/* Add on the total to the count. If it exceeds the maximum then return
226		zero to the caller so that the transfer is terminated early. */
227	0	fuzz->written_data += total;
228
229	0	if(fuzz->written_data > MAXIMUM_WRITE_LENGTH) {
230	0	FV_PRINTF(fuzz,
231	0	"FUZZ: Exceeded maximum write length (%lu) \n",
232	0	fuzz->written_data);
233	0	total = 0;
234	0	}
235
236	0	return total;
237	0	}