/src/curl_fuzzer/curl_fuzzer_tlv.cc

Source (jump to first uncovered line)
/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 2017, Max Dymond, <cmeister2@gmail.com>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 ***************************************************************************/
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>
#include "curl_fuzzer.h"

/**
 * TLV access function - gets the first TLV from a data stream.
 */
int fuzz_get_first_tlv(FUZZ_DATA *fuzz,
                       TLV *tlv)
{
  /* Reset the cursor. */
  fuzz->state.data_pos = 0;
  return fuzz_get_tlv_comn(fuzz, tlv);
}

/**
 * TLV access function - gets the next TLV from a data stream.
*/
int fuzz_get_next_tlv(FUZZ_DATA *fuzz,
                      TLV *tlv)
{
  /* Advance the cursor by the full length of the previous TLV. */
  fuzz->state.data_pos += sizeof(TLV_RAW) + tlv->length;

  /* Work out if there's a TLV's worth of data to read */
  if(fuzz->state.data_pos + sizeof(TLV_RAW) > fuzz->state.data_len) {
    /* No more TLVs to parse */
    return TLV_RC_NO_MORE_TLVS;
  }

  return fuzz_get_tlv_comn(fuzz, tlv);
}

/**
 * Common TLV function for accessing TLVs in a data stream.
 */
int fuzz_get_tlv_comn(FUZZ_DATA *fuzz,
                      TLV *tlv)
{
  int rc = 0;
  size_t data_offset;
  TLV_RAW *raw;

  /* Start by casting the data stream to a TLV. */
  raw = (TLV_RAW *)&fuzz->state.data[fuzz->state.data_pos];
  data_offset = fuzz->state.data_pos + sizeof(TLV_RAW);

  /* Set the TLV values. */
  tlv->type = to_u16(raw->raw_type);
  tlv->length = to_u32(raw->raw_length);
  tlv->value = &fuzz->state.data[data_offset];

  FV_PRINTF(fuzz, "TLV: type %x length %u\n", tlv->type, tlv->length);

  /* Use uint64s to verify lengths of TLVs so that overflow problems don't
     matter. */
  uint64_t check_length = data_offset;
  check_length += tlv->length;

  uint64_t remaining_len = fuzz->state.data_len;
  FV_PRINTF(fuzz, "Check length of data: %lu \n", check_length);
  FV_PRINTF(fuzz, "Remaining length of data: %lu \n", remaining_len);

  /* Sanity check that the TLV length is ok. */
  if(check_length > remaining_len) {
    FV_PRINTF(fuzz, "Returning TLV_RC_SIZE_ERROR\n");
    rc = TLV_RC_SIZE_ERROR;
  }

  return rc;
}

/**
 * Do different actions on the CURL handle for different received TLVs.
 */
int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv)
{
  int rc;
  char *tmp = NULL;
  uint32_t tmp_u32;
  curl_slist *new_list;

  switch(tlv->type) {
    /* The pointers in response TLVs will always be valid as long as the fuzz
       data is in scope, which is the entirety of this file. */
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE0, 0);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE1, 1);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE2, 2);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE3, 3);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE4, 4);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE5, 5);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE6, 6);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE7, 7);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE8, 8);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE9, 9);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE10, 10);

    FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE0, 0);
    FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE1, 1);

    case TLV_TYPE_UPLOAD1:
      /* The pointers in the TLV will always be valid as long as the fuzz data
         is in scope, which is the entirety of this file. */

      FCHECK_OPTION_UNSET(fuzz, CURLOPT_UPLOAD);

      fuzz->upload1_data = tlv->value;
      fuzz->upload1_data_len = tlv->length;

      FSET_OPTION(fuzz, CURLOPT_UPLOAD, 1L);
      FSET_OPTION(fuzz,
                  CURLOPT_INFILESIZE_LARGE,
                  (curl_off_t)fuzz->upload1_data_len);
      break;

    case TLV_TYPE_HEADER:
      /* Limit the number of headers that can be added to a message to prevent
         timeouts. */
      if(fuzz->header_list_count >= TLV_MAX_NUM_CURLOPT_HEADER) {
        rc = 255;
        goto EXIT_LABEL;
      }

      tmp = fuzz_tlv_to_string(tlv);
      if (tmp == NULL) {
        // keep on despite allocation failure
        break;
      }
      new_list = curl_slist_append(fuzz->header_list, tmp);
      if (new_list == NULL) {
        break;
      }
      fuzz->header_list = new_list;
      fuzz->header_list_count++;
      break;

    case TLV_TYPE_MAIL_RECIPIENT:
      tmp = fuzz_tlv_to_string(tlv);
      if (tmp == NULL) {
        // keep on despite allocation failure
        break;
      }
      new_list = curl_slist_append(fuzz->mail_recipients_list, tmp);
      if (new_list != NULL) {
        fuzz->mail_recipients_list = new_list;
      }
      break;

    case TLV_TYPE_MIME_PART:
      if(fuzz->mime == NULL) {
        fuzz->mime = curl_mime_init(fuzz->easy);
      }

      fuzz->part = curl_mime_addpart(fuzz->mime);

      /* This TLV may have sub TLVs. */
      fuzz_add_mime_part(tlv, fuzz->part);

      break;

    case TLV_TYPE_POSTFIELDS:
      FCHECK_OPTION_UNSET(fuzz, CURLOPT_POSTFIELDS);
      fuzz->postfields = fuzz_tlv_to_string(tlv);
      FSET_OPTION(fuzz, CURLOPT_POSTFIELDS, fuzz->postfields);
      break;

    case TLV_TYPE_HTTPPOSTBODY:
      FCHECK_OPTION_UNSET(fuzz, CURLOPT_HTTPPOST);
      fuzz_setup_http_post(fuzz, tlv);
      FSET_OPTION(fuzz, CURLOPT_HTTPPOST, fuzz->httppost);
      break;

    /* Define a set of u32 options. */
    FU32TLV(fuzz, TLV_TYPE_HTTPAUTH, CURLOPT_HTTPAUTH);
    FU32TLV(fuzz, TLV_TYPE_OPTHEADER, CURLOPT_HEADER);
    FU32TLV(fuzz, TLV_TYPE_NOBODY, CURLOPT_NOBODY);
    FU32TLV(fuzz, TLV_TYPE_FOLLOWLOCATION, CURLOPT_FOLLOWLOCATION);
    FU32TLV(fuzz, TLV_TYPE_WILDCARDMATCH, CURLOPT_WILDCARDMATCH);
    FU32TLV(fuzz, TLV_TYPE_RTSP_REQUEST, CURLOPT_RTSP_REQUEST);
    FU32TLV(fuzz, TLV_TYPE_RTSP_CLIENT_CSEQ, CURLOPT_RTSP_CLIENT_CSEQ);
    FU32TLV(fuzz, TLV_TYPE_HTTP_VERSION, CURLOPT_HTTP_VERSION);
    FU32TLV(fuzz, TLV_TYPE_NETRC, CURLOPT_NETRC);
    FU32TLV(fuzz, TLV_TYPE_WS_OPTIONS, CURLOPT_WS_OPTIONS);
    FU32TLV(fuzz, TLV_TYPE_CONNECT_ONLY, CURLOPT_CONNECT_ONLY);
    FU32TLV(fuzz, TLV_TYPE_POST, CURLOPT_POST);

    /* Define a set of singleton TLVs - they can only have their value set once
       and all follow the same pattern. */
    FSINGLETONTLV(fuzz, TLV_TYPE_URL, CURLOPT_URL);
    FSINGLETONTLV(fuzz, TLV_TYPE_DOH_URL, CURLOPT_DOH_URL);
    FSINGLETONTLV(fuzz, TLV_TYPE_USERNAME, CURLOPT_USERNAME);
    FSINGLETONTLV(fuzz, TLV_TYPE_PASSWORD, CURLOPT_PASSWORD);
    FSINGLETONTLV(fuzz, TLV_TYPE_COOKIE, CURLOPT_COOKIE);
    FSINGLETONTLV(fuzz, TLV_TYPE_RANGE, CURLOPT_RANGE);
    FSINGLETONTLV(fuzz, TLV_TYPE_CUSTOMREQUEST, CURLOPT_CUSTOMREQUEST);
    FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_FROM, CURLOPT_MAIL_FROM);
    FSINGLETONTLV(fuzz, TLV_TYPE_ACCEPTENCODING, CURLOPT_ACCEPT_ENCODING);
    FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_SESSION_ID, CURLOPT_RTSP_SESSION_ID);
    FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_STREAM_URI, CURLOPT_RTSP_STREAM_URI);
    FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_TRANSPORT, CURLOPT_RTSP_TRANSPORT);
    FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_AUTH, CURLOPT_MAIL_AUTH);
    FSINGLETONTLV(fuzz, TLV_TYPE_LOGIN_OPTIONS, CURLOPT_LOGIN_OPTIONS);
    FSINGLETONTLV(fuzz, TLV_TYPE_XOAUTH2_BEARER, CURLOPT_XOAUTH2_BEARER);
    FSINGLETONTLV(fuzz, TLV_TYPE_USERPWD, CURLOPT_USERPWD);
    FSINGLETONTLV(fuzz, TLV_TYPE_USERAGENT, CURLOPT_USERAGENT);
    FSINGLETONTLV(fuzz, TLV_TYPE_SSH_HOST_PUBLIC_KEY_SHA256, CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256);

    default:
      /* The fuzzer generates lots of unknown TLVs - we don't want these in the
         corpus so we reject any unknown TLVs. */
      rc = 127;
      goto EXIT_LABEL;
      break;
  }

  rc = 0;

EXIT_LABEL:

  fuzz_free((void **)&tmp);

  return rc;
}

/**
 * Converts a TLV data and length into an allocated string.
 */
char *fuzz_tlv_to_string(TLV *tlv)
{
  char *tlvstr;

  /* Allocate enough space, plus a null terminator */
  tlvstr = (char *)malloc(tlv->length + 1);

  if(tlvstr != NULL) {
    memcpy(tlvstr, tlv->value, tlv->length);
    tlvstr[tlv->length] = 0;
  }

  return tlvstr;
}

/* set up for CURLOPT_HTTPPOST, an alternative API to CURLOPT_MIMEPOST */
void fuzz_setup_http_post(FUZZ_DATA *fuzz, TLV *tlv)
{
  if (fuzz->httppost == NULL) {
    struct curl_httppost *post = NULL;
    struct curl_httppost *last = NULL;

    fuzz->post_body = fuzz_tlv_to_string(tlv);
    if (fuzz->post_body == NULL) {
      return;
    }

    /* This is just one of several possible entrypoints to
     * the HTTPPOST API. see https://curl.se/libcurl/c/curl_formadd.html
     * for lots of others which could be added here.
     */
    curl_formadd(&post, &last,
     CURLFORM_COPYNAME, FUZZ_HTTPPOST_NAME,
     CURLFORM_PTRCONTENTS, fuzz->post_body,
     CURLFORM_CONTENTLEN, (curl_off_t) strlen(fuzz->post_body),
     CURLFORM_END);

    fuzz->last_post_part = last;
    fuzz->httppost = post;
  }

  return;
}

/**
 * Extract the values from the TLV.
 */
int fuzz_add_mime_part(TLV *src_tlv, curl_mimepart *part)
{
  FUZZ_DATA part_fuzz;
  TLV tlv;
  int rc = 0;
  int tlv_rc;

  memset(&part_fuzz, 0, sizeof(FUZZ_DATA));

  if(src_tlv->length < sizeof(TLV_RAW)) {
    /* Not enough data for a single TLV - don't continue */
    goto EXIT_LABEL;
  }

  /* Set up the state parser */
  part_fuzz.state.data = src_tlv->value;
  part_fuzz.state.data_len = src_tlv->length;

  for(tlv_rc = fuzz_get_first_tlv(&part_fuzz, &tlv);
      tlv_rc == 0;
      tlv_rc = fuzz_get_next_tlv(&part_fuzz, &tlv)) {

    /* Have the TLV in hand. Parse the TLV. */
    rc = fuzz_parse_mime_tlv(part, &tlv);

    if(rc != 0) {
      /* Failed to parse the TLV. Can't continue. */
      goto EXIT_LABEL;
    }
  }

  if(tlv_rc != TLV_RC_NO_MORE_TLVS) {
    /* A TLV call failed. Can't continue. */
    goto EXIT_LABEL;
  }

EXIT_LABEL:

  return(rc);
}

/**
 * Do different actions on the mime part for different received TLVs.
 */
int fuzz_parse_mime_tlv(curl_mimepart *part, TLV *tlv)
{
  int rc;
  char *tmp;

  switch(tlv->type) {
    case TLV_TYPE_MIME_PART_NAME:
      tmp = fuzz_tlv_to_string(tlv);
      curl_mime_name(part, tmp);
      fuzz_free((void **)&tmp);
      break;

    case TLV_TYPE_MIME_PART_DATA:
      curl_mime_data(part, (const char *)tlv->value, tlv->length);
      break;

    default:
      /* The fuzzer generates lots of unknown TLVs - we don't want these in the
         corpus so we reject any unknown TLVs. */
      rc = 255;
      goto EXIT_LABEL;
      break;
  }

  rc = 0;

EXIT_LABEL:

  return rc;
}

Coverage Report

Created: 2023-06-07 07:02

Line	Count	Source (jump to first uncovered line)
1		/***************************************************************************
2		* _ _ ____ _
3		* Project ___\| \| \| \| _ \\| \|
4		* / __\| \| \| \| \|_) \| \|
5		* \| (__\| \|_\| \| _ <\| \|___
6		* \___\|\___/\|_\| \_\_____\|
7		*
8		* Copyright (C) 2017, Max Dymond, <cmeister2@gmail.com>, et al.
9		*
10		* This software is licensed as described in the file COPYING, which
11		* you should have received as part of this distribution. The terms
12		* are also available at https://curl.se/docs/copyright.html.
13		*
14		* You may opt to use, copy, modify, merge, publish, distribute and/or sell
15		* copies of the Software, and permit persons to whom the Software is
16		* furnished to do so, under the terms of the COPYING file.
17		*
18		* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19		* KIND, either express or implied.
20		*
21		***************************************************************************/
22		#include <stdlib.h>
23		#include <string.h>
24		#include <curl/curl.h>
25		#include "curl_fuzzer.h"
26
27		/**
28		* TLV access function - gets the first TLV from a data stream.
29		*/
30		int fuzz_get_first_tlv(FUZZ_DATA *fuzz,
31		TLV *tlv)
32	134k	{
33		/* Reset the cursor. */
34	134k	fuzz->state.data_pos = 0;
35	134k	return fuzz_get_tlv_comn(fuzz, tlv);
36	134k	}
37
38		/**
39		* TLV access function - gets the next TLV from a data stream.
40		*/
41		int fuzz_get_next_tlv(FUZZ_DATA *fuzz,
42		TLV *tlv)
43	874k	{
44		/* Advance the cursor by the full length of the previous TLV. */
45	874k	fuzz->state.data_pos += sizeof(TLV_RAW) + tlv->length;
46
47		/* Work out if there's a TLV's worth of data to read */
48	874k	if(fuzz->state.data_pos + sizeof(TLV_RAW) > fuzz->state.data_len) {
49		/* No more TLVs to parse */
50	96.1k	return TLV_RC_NO_MORE_TLVS;
51	96.1k	}
52
53	778k	return fuzz_get_tlv_comn(fuzz, tlv);
54	874k	}
55
56		/**
57		* Common TLV function for accessing TLVs in a data stream.
58		*/
59		int fuzz_get_tlv_comn(FUZZ_DATA *fuzz,
60		TLV *tlv)
61	913k	{
62	913k	int rc = 0;
63	913k	size_t data_offset;
64	913k	TLV_RAW *raw;
65
66		/* Start by casting the data stream to a TLV. */
67	913k	raw = (TLV_RAW *)&fuzz->state.data[fuzz->state.data_pos];
68	913k	data_offset = fuzz->state.data_pos + sizeof(TLV_RAW);
69
70		/* Set the TLV values. */
71	913k	tlv->type = to_u16(raw->raw_type);
72	913k	tlv->length = to_u32(raw->raw_length);
73	913k	tlv->value = &fuzz->state.data[data_offset];
74
75	913k	FV_PRINTF(fuzz, "TLV: type %x length %u\n", tlv->type, tlv->length);
76
77		/* Use uint64s to verify lengths of TLVs so that overflow problems don't
78		matter. */
79	913k	uint64_t check_length = data_offset;
80	913k	check_length += tlv->length;
81
82	913k	uint64_t remaining_len = fuzz->state.data_len;
83	913k	FV_PRINTF(fuzz, "Check length of data: %lu \n", check_length);
84	913k	FV_PRINTF(fuzz, "Remaining length of data: %lu \n", remaining_len);
85
86		/* Sanity check that the TLV length is ok. */
87	913k	if(check_length > remaining_len) {
88	19.3k	FV_PRINTF(fuzz, "Returning TLV_RC_SIZE_ERROR\n");
89	19.3k	rc = TLV_RC_SIZE_ERROR;
90	19.3k	}
91
92	913k	return rc;
93	913k	}
94
95		/**
96		* Do different actions on the CURL handle for different received TLVs.
97		*/
98		int fuzz_parse_tlv(FUZZ_DATA fuzz, TLV tlv)
99	782k	{
100	782k	int rc;
101	782k	char *tmp = NULL;
102	782k	uint32_t tmp_u32;
103	782k	curl_slist *new_list;
104
105	782k	switch(tlv->type) {
106		/* The pointers in response TLVs will always be valid as long as the fuzz
107		data is in scope, which is the entirety of this file. */
108	4.73k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE0, 0);
109	4.29k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE1, 1);
110	4.10k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE2, 2);
111	5.67k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE3, 3);
112	4.98k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE4, 4);
113	5.32k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE5, 5);
114	4.03k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE6, 6);
115	3.92k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE7, 7);
116	4.13k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE8, 8);
117	4.76k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE9, 9);
118	4.10k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE10, 10);
119
120	3.75k	FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE0, 0);
121	3.76k	FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE1, 1);
122
123	600	case TLV_TYPE_UPLOAD1:
124		/* The pointers in the TLV will always be valid as long as the fuzz data
125		is in scope, which is the entirety of this file. */
126
127	600	FCHECK_OPTION_UNSET(fuzz, CURLOPT_UPLOAD);
128
129	581	fuzz->upload1_data = tlv->value;
130	581	fuzz->upload1_data_len = tlv->length;
131
132	581	FSET_OPTION(fuzz, CURLOPT_UPLOAD, 1L);
133	581	FSET_OPTION(fuzz,
134	581	CURLOPT_INFILESIZE_LARGE,
135	581	(curl_off_t)fuzz->upload1_data_len);
136	581	break;
137
138	391k	case TLV_TYPE_HEADER:
139		/* Limit the number of headers that can be added to a message to prevent
140		timeouts. */
141	391k	if(fuzz->header_list_count >= TLV_MAX_NUM_CURLOPT_HEADER) {
142	18	rc = 255;
143	18	goto EXIT_LABEL;
144	18	}
145
146	391k	tmp = fuzz_tlv_to_string(tlv);
147	391k	if (tmp == NULL) {
148		// keep on despite allocation failure
149	0	break;
150	0	}
151	391k	new_list = curl_slist_append(fuzz->header_list, tmp);
152	391k	if (new_list == NULL) {
153	0	break;
154	0	}
155	391k	fuzz->header_list = new_list;
156	391k	fuzz->header_list_count++;
157	391k	break;
158
159	23.2k	case TLV_TYPE_MAIL_RECIPIENT:
160	23.2k	tmp = fuzz_tlv_to_string(tlv);
161	23.2k	if (tmp == NULL) {
162		// keep on despite allocation failure
163	0	break;
164	0	}
165	23.2k	new_list = curl_slist_append(fuzz->mail_recipients_list, tmp);
166	23.2k	if (new_list != NULL) {
167	23.2k	fuzz->mail_recipients_list = new_list;
168	23.2k	}
169	23.2k	break;
170
171	292k	case TLV_TYPE_MIME_PART:
172	292k	if(fuzz->mime == NULL) {
173	3.46k	fuzz->mime = curl_mime_init(fuzz->easy);
174	3.46k	}
175
176	292k	fuzz->part = curl_mime_addpart(fuzz->mime);
177
178		/* This TLV may have sub TLVs. */
179	292k	fuzz_add_mime_part(tlv, fuzz->part);
180
181	292k	break;
182
183	158	case TLV_TYPE_POSTFIELDS:
184	158	FCHECK_OPTION_UNSET(fuzz, CURLOPT_POSTFIELDS);
185	139	fuzz->postfields = fuzz_tlv_to_string(tlv);
186	139	FSET_OPTION(fuzz, CURLOPT_POSTFIELDS, fuzz->postfields);
187	139	break;
188
189	568	case TLV_TYPE_HTTPPOSTBODY:
190	568	FCHECK_OPTION_UNSET(fuzz, CURLOPT_HTTPPOST);
191	549	fuzz_setup_http_post(fuzz, tlv);
192	549	FSET_OPTION(fuzz, CURLOPT_HTTPPOST, fuzz->httppost);
193	549	break;
194
195		/* Define a set of u32 options. */
196	2.81k	FU32TLV(fuzz, TLV_TYPE_HTTPAUTH, CURLOPT_HTTPAUTH);
197	2.58k	FU32TLV(fuzz, TLV_TYPE_OPTHEADER, CURLOPT_HEADER);
198	2.59k	FU32TLV(fuzz, TLV_TYPE_NOBODY, CURLOPT_NOBODY);
199	2.57k	FU32TLV(fuzz, TLV_TYPE_FOLLOWLOCATION, CURLOPT_FOLLOWLOCATION);
200	2.45k	FU32TLV(fuzz, TLV_TYPE_WILDCARDMATCH, CURLOPT_WILDCARDMATCH);
201	2.70k	FU32TLV(fuzz, TLV_TYPE_RTSP_REQUEST, CURLOPT_RTSP_REQUEST);
202	659	FU32TLV(fuzz, TLV_TYPE_RTSP_CLIENT_CSEQ, CURLOPT_RTSP_CLIENT_CSEQ);
203	3.31k	FU32TLV(fuzz, TLV_TYPE_HTTP_VERSION, CURLOPT_HTTP_VERSION);
204	3.04k	FU32TLV(fuzz, TLV_TYPE_NETRC, CURLOPT_NETRC);
205	736	FU32TLV(fuzz, TLV_TYPE_WS_OPTIONS, CURLOPT_WS_OPTIONS);
206	2.43k	FU32TLV(fuzz, TLV_TYPE_CONNECT_ONLY, CURLOPT_CONNECT_ONLY);
207	2.52k	FU32TLV(fuzz, TLV_TYPE_POST, CURLOPT_POST);
208
209		/* Define a set of singleton TLVs - they can only have their value set once
210		and all follow the same pattern. */
211	1.51k	FSINGLETONTLV(fuzz, TLV_TYPE_URL, CURLOPT_URL);
212	296	FSINGLETONTLV(fuzz, TLV_TYPE_DOH_URL, CURLOPT_DOH_URL);
213	288	FSINGLETONTLV(fuzz, TLV_TYPE_USERNAME, CURLOPT_USERNAME);
214	465	FSINGLETONTLV(fuzz, TLV_TYPE_PASSWORD, CURLOPT_PASSWORD);
215	332	FSINGLETONTLV(fuzz, TLV_TYPE_COOKIE, CURLOPT_COOKIE);
216	285	FSINGLETONTLV(fuzz, TLV_TYPE_RANGE, CURLOPT_RANGE);
217	239	FSINGLETONTLV(fuzz, TLV_TYPE_CUSTOMREQUEST, CURLOPT_CUSTOMREQUEST);
218	317	FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_FROM, CURLOPT_MAIL_FROM);
219	621	FSINGLETONTLV(fuzz, TLV_TYPE_ACCEPTENCODING, CURLOPT_ACCEPT_ENCODING);
220	265	FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_SESSION_ID, CURLOPT_RTSP_SESSION_ID);
221	322	FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_STREAM_URI, CURLOPT_RTSP_STREAM_URI);
222	267	FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_TRANSPORT, CURLOPT_RTSP_TRANSPORT);
223	267	FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_AUTH, CURLOPT_MAIL_AUTH);
224	266	FSINGLETONTLV(fuzz, TLV_TYPE_LOGIN_OPTIONS, CURLOPT_LOGIN_OPTIONS);
225	276	FSINGLETONTLV(fuzz, TLV_TYPE_XOAUTH2_BEARER, CURLOPT_XOAUTH2_BEARER);
226	1.59k	FSINGLETONTLV(fuzz, TLV_TYPE_USERPWD, CURLOPT_USERPWD);
227	373	FSINGLETONTLV(fuzz, TLV_TYPE_USERAGENT, CURLOPT_USERAGENT);
228	114	FSINGLETONTLV(fuzz, TLV_TYPE_SSH_HOST_PUBLIC_KEY_SHA256, CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256);
229
230	103	default:
231		/* The fuzzer generates lots of unknown TLVs - we don't want these in the
232		corpus so we reject any unknown TLVs. */
233	103	rc = 127;
234	103	goto EXIT_LABEL;
235	0	break;
236	782k	}
237
238	775k	rc = 0;
239
240	782k	EXIT_LABEL:
241
242	782k	fuzz_free((void **)&tmp);
243
244	782k	return rc;
245	775k	}
246
247		/**
248		* Converts a TLV data and length into an allocated string.
249		*/
250		char fuzz_tlv_to_string(TLV tlv)
251	500k	{
252	500k	char *tlvstr;
253
254		/* Allocate enough space, plus a null terminator */
255	500k	tlvstr = (char *)malloc(tlv->length + 1);
256
257	500k	if(tlvstr != NULL) {
258	500k	memcpy(tlvstr, tlv->value, tlv->length);
259	500k	tlvstr[tlv->length] = 0;
260	500k	}
261
262	500k	return tlvstr;
263	500k	}
264
265		/* set up for CURLOPT_HTTPPOST, an alternative API to CURLOPT_MIMEPOST */
266		void fuzz_setup_http_post(FUZZ_DATA fuzz, TLV tlv)
267	549	{
268	549	if (fuzz->httppost == NULL) {
269	549	struct curl_httppost *post = NULL;
270	549	struct curl_httppost *last = NULL;
271
272	549	fuzz->post_body = fuzz_tlv_to_string(tlv);
273	549	if (fuzz->post_body == NULL) {
274	0	return;
275	0	}
276
277		/* This is just one of several possible entrypoints to
278		* the HTTPPOST API. see https://curl.se/libcurl/c/curl_formadd.html
279		* for lots of others which could be added here.
280		*/
281	549	curl_formadd(&post, &last,
282	549	CURLFORM_COPYNAME, FUZZ_HTTPPOST_NAME,
283	549	CURLFORM_PTRCONTENTS, fuzz->post_body,
284	549	CURLFORM_CONTENTLEN, (curl_off_t) strlen(fuzz->post_body),
285	549	CURLFORM_END);
286
287	549	fuzz->last_post_part = last;
288	549	fuzz->httppost = post;
289	549	}
290
291	549	return;
292	549	}
293
294		/**
295		* Extract the values from the TLV.
296		*/
297		int fuzz_add_mime_part(TLV src_tlv, curl_mimepart part)
298	292k	{
299	292k	FUZZ_DATA part_fuzz;
300	292k	TLV tlv;
301	292k	int rc = 0;
302	292k	int tlv_rc;
303
304	292k	memset(&part_fuzz, 0, sizeof(FUZZ_DATA));
305
306	292k	if(src_tlv->length < sizeof(TLV_RAW)) {
307		/* Not enough data for a single TLV - don't continue */
308	179k	goto EXIT_LABEL;
309	179k	}
310
311		/* Set up the state parser */
312	112k	part_fuzz.state.data = src_tlv->value;
313	112k	part_fuzz.state.data_len = src_tlv->length;
314
315	112k	for(tlv_rc = fuzz_get_first_tlv(&part_fuzz, &tlv);
316	211k	tlv_rc == 0;
317	112k	tlv_rc = fuzz_get_next_tlv(&part_fuzz, &tlv)) {
318
319		/* Have the TLV in hand. Parse the TLV. */
320	111k	rc = fuzz_parse_mime_tlv(part, &tlv);
321
322	111k	if(rc != 0) {
323		/* Failed to parse the TLV. Can't continue. */
324	11.9k	goto EXIT_LABEL;
325	11.9k	}
326	111k	}
327
328	100k	if(tlv_rc != TLV_RC_NO_MORE_TLVS) {
329		/* A TLV call failed. Can't continue. */
330	17.6k	goto EXIT_LABEL;
331	17.6k	}
332
333	292k	EXIT_LABEL:
334
335	292k	return(rc);
336	100k	}
337
338		/**
339		* Do different actions on the mime part for different received TLVs.
340		*/
341		int fuzz_parse_mime_tlv(curl_mimepart part, TLV tlv)
342	111k	{
343	111k	int rc;
344	111k	char *tmp;
345
346	111k	switch(tlv->type) {
347	81.3k	case TLV_TYPE_MIME_PART_NAME:
348	81.3k	tmp = fuzz_tlv_to_string(tlv);
349	81.3k	curl_mime_name(part, tmp);
350	81.3k	fuzz_free((void **)&tmp);
351	81.3k	break;
352
353	17.8k	case TLV_TYPE_MIME_PART_DATA:
354	17.8k	curl_mime_data(part, (const char *)tlv->value, tlv->length);
355	17.8k	break;
356
357	11.9k	default:
358		/* The fuzzer generates lots of unknown TLVs - we don't want these in the
359		corpus so we reject any unknown TLVs. */
360	11.9k	rc = 255;
361	11.9k	goto EXIT_LABEL;
362	0	break;
363	111k	}
364
365	99.2k	rc = 0;
366
367	111k	EXIT_LABEL:
368
369	111k	return rc;
370	99.2k	}