/src/curl_fuzzer/curl_fuzzer_tlv.cc

Source (jump to first uncovered line)
/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 2017, Max Dymond, <cmeister2@gmail.com>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 ***************************************************************************/
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>
#include "curl_fuzzer.h"

/**
 * TLV access function - gets the first TLV from a data stream.
 */
int fuzz_get_first_tlv(FUZZ_DATA *fuzz,
                       TLV *tlv)
{
  /* Reset the cursor. */
  fuzz->state.data_pos = 0;
  return fuzz_get_tlv_comn(fuzz, tlv);
}

/**
 * TLV access function - gets the next TLV from a data stream.
*/
int fuzz_get_next_tlv(FUZZ_DATA *fuzz,
                      TLV *tlv)
{
  /* Advance the cursor by the full length of the previous TLV. */
  fuzz->state.data_pos += sizeof(TLV_RAW) + tlv->length;

  /* Work out if there's a TLV's worth of data to read */
  if(fuzz->state.data_pos + sizeof(TLV_RAW) > fuzz->state.data_len) {
    /* No more TLVs to parse */
    return TLV_RC_NO_MORE_TLVS;
  }

  return fuzz_get_tlv_comn(fuzz, tlv);
}

/**
 * Common TLV function for accessing TLVs in a data stream.
 */
int fuzz_get_tlv_comn(FUZZ_DATA *fuzz,
                      TLV *tlv)
{
  int rc = 0;
  size_t data_offset;
  TLV_RAW *raw;

  /* Start by casting the data stream to a TLV. */
  raw = (TLV_RAW *)&fuzz->state.data[fuzz->state.data_pos];
  data_offset = fuzz->state.data_pos + sizeof(TLV_RAW);

  /* Set the TLV values. */
  tlv->type = to_u16(raw->raw_type);
  tlv->length = to_u32(raw->raw_length);
  tlv->value = &fuzz->state.data[data_offset];

  FV_PRINTF(fuzz, "TLV: type %x length %u\n", tlv->type, tlv->length);

  /* Use uint64s to verify lengths of TLVs so that overflow problems don't
     matter. */
  uint64_t check_length = data_offset;
  check_length += tlv->length;

  uint64_t remaining_len = fuzz->state.data_len;
  FV_PRINTF(fuzz, "Check length of data: %lu \n", check_length);
  FV_PRINTF(fuzz, "Remaining length of data: %lu \n", remaining_len);

  /* Sanity check that the TLV length is ok. */
  if(check_length > remaining_len) {
    FV_PRINTF(fuzz, "Returning TLV_RC_SIZE_ERROR\n");
    rc = TLV_RC_SIZE_ERROR;
  }

  return rc;
}

/**
 * Do different actions on the CURL handle for different received TLVs.
 */
int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv)
{
  int rc;
  char *tmp = NULL;
  uint32_t tmp_u32;
  curl_slist *new_list;

  switch(tlv->type) {
    /* The pointers in response TLVs will always be valid as long as the fuzz
       data is in scope, which is the entirety of this file. */
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE0, 0);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE1, 1);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE2, 2);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE3, 3);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE4, 4);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE5, 5);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE6, 6);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE7, 7);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE8, 8);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE9, 9);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE10, 10);

    FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE0, 0);
    FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE1, 1);

    case TLV_TYPE_UPLOAD1:
      /* The pointers in the TLV will always be valid as long as the fuzz data
         is in scope, which is the entirety of this file. */

      FCHECK_OPTION_UNSET(fuzz, CURLOPT_UPLOAD);

      fuzz->upload1_data = tlv->value;
      fuzz->upload1_data_len = tlv->length;

      FSET_OPTION(fuzz, CURLOPT_UPLOAD, 1L);
      FSET_OPTION(fuzz,
                  CURLOPT_INFILESIZE_LARGE,
                  (curl_off_t)fuzz->upload1_data_len);
      break;

    case TLV_TYPE_HEADER:
      /* Limit the number of headers that can be added to a message to prevent
         timeouts. */
      if(fuzz->header_list_count >= TLV_MAX_NUM_CURLOPT_HEADER) {
        rc = 255;
        goto EXIT_LABEL;
      }

      tmp = fuzz_tlv_to_string(tlv);
      if (tmp == NULL) {
        // keep on despite allocation failure
        break;
      }
      new_list = curl_slist_append(fuzz->header_list, tmp);
      if (new_list == NULL) {
        break;
      }
      fuzz->header_list = new_list;
      fuzz->header_list_count++;
      break;

    case TLV_TYPE_MAIL_RECIPIENT:
      /* Limit the number of headers that can be added to a message to prevent
         timeouts. */
      if(fuzz->header_list_count >= TLV_MAX_NUM_CURLOPT_HEADER) {
        rc = 255;
        goto EXIT_LABEL;
      }
      tmp = fuzz_tlv_to_string(tlv);
      if (tmp == NULL) {
        // keep on despite allocation failure
        break;
      }
      new_list = curl_slist_append(fuzz->mail_recipients_list, tmp);
      if (new_list != NULL) {
        fuzz->mail_recipients_list = new_list;
        fuzz->header_list_count++;
      }
      break;

    case TLV_TYPE_MIME_PART:
      if(fuzz->mime == NULL) {
        fuzz->mime = curl_mime_init(fuzz->easy);
      }

      fuzz->part = curl_mime_addpart(fuzz->mime);

      /* This TLV may have sub TLVs. */
      fuzz_add_mime_part(tlv, fuzz->part);

      break;

    case TLV_TYPE_POSTFIELDS:
      FCHECK_OPTION_UNSET(fuzz, CURLOPT_POSTFIELDS);
      fuzz->postfields = fuzz_tlv_to_string(tlv);
      FSET_OPTION(fuzz, CURLOPT_POSTFIELDS, fuzz->postfields);
      break;

    case TLV_TYPE_HTTPPOSTBODY:
      FCHECK_OPTION_UNSET(fuzz, CURLOPT_HTTPPOST);
      fuzz_setup_http_post(fuzz, tlv);
      FSET_OPTION(fuzz, CURLOPT_HTTPPOST, fuzz->httppost);
      break;

    /* Define a set of u32 options. */
    FU32TLV(fuzz, TLV_TYPE_HTTPAUTH, CURLOPT_HTTPAUTH);
    FU32TLV(fuzz, TLV_TYPE_OPTHEADER, CURLOPT_HEADER);
    FU32TLV(fuzz, TLV_TYPE_NOBODY, CURLOPT_NOBODY);
    FU32TLV(fuzz, TLV_TYPE_FOLLOWLOCATION, CURLOPT_FOLLOWLOCATION);
    FU32TLV(fuzz, TLV_TYPE_WILDCARDMATCH, CURLOPT_WILDCARDMATCH);
    FU32TLV(fuzz, TLV_TYPE_RTSP_REQUEST, CURLOPT_RTSP_REQUEST);
    FU32TLV(fuzz, TLV_TYPE_RTSP_CLIENT_CSEQ, CURLOPT_RTSP_CLIENT_CSEQ);
    FU32TLV(fuzz, TLV_TYPE_HTTP_VERSION, CURLOPT_HTTP_VERSION);
    FU32TLV(fuzz, TLV_TYPE_NETRC, CURLOPT_NETRC);
    FU32TLV(fuzz, TLV_TYPE_WS_OPTIONS, CURLOPT_WS_OPTIONS);
    FU32TLV(fuzz, TLV_TYPE_CONNECT_ONLY, CURLOPT_CONNECT_ONLY);
    FU32TLV(fuzz, TLV_TYPE_POST, CURLOPT_POST);

    /* Define a set of singleton TLVs - they can only have their value set once
       and all follow the same pattern. */
    FSINGLETONTLV(fuzz, TLV_TYPE_URL, CURLOPT_URL);
    FSINGLETONTLV(fuzz, TLV_TYPE_DOH_URL, CURLOPT_DOH_URL);
    FSINGLETONTLV(fuzz, TLV_TYPE_USERNAME, CURLOPT_USERNAME);
    FSINGLETONTLV(fuzz, TLV_TYPE_PASSWORD, CURLOPT_PASSWORD);
    FSINGLETONTLV(fuzz, TLV_TYPE_COOKIE, CURLOPT_COOKIE);
    FSINGLETONTLV(fuzz, TLV_TYPE_RANGE, CURLOPT_RANGE);
    FSINGLETONTLV(fuzz, TLV_TYPE_CUSTOMREQUEST, CURLOPT_CUSTOMREQUEST);
    FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_FROM, CURLOPT_MAIL_FROM);
    FSINGLETONTLV(fuzz, TLV_TYPE_ACCEPTENCODING, CURLOPT_ACCEPT_ENCODING);
    FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_SESSION_ID, CURLOPT_RTSP_SESSION_ID);
    FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_STREAM_URI, CURLOPT_RTSP_STREAM_URI);
    FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_TRANSPORT, CURLOPT_RTSP_TRANSPORT);
    FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_AUTH, CURLOPT_MAIL_AUTH);
    FSINGLETONTLV(fuzz, TLV_TYPE_LOGIN_OPTIONS, CURLOPT_LOGIN_OPTIONS);
    FSINGLETONTLV(fuzz, TLV_TYPE_XOAUTH2_BEARER, CURLOPT_XOAUTH2_BEARER);
    FSINGLETONTLV(fuzz, TLV_TYPE_USERPWD, CURLOPT_USERPWD);
    FSINGLETONTLV(fuzz, TLV_TYPE_USERAGENT, CURLOPT_USERAGENT);
    FSINGLETONTLV(fuzz, TLV_TYPE_SSH_HOST_PUBLIC_KEY_SHA256, CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256);

    default:
      /* The fuzzer generates lots of unknown TLVs - we don't want these in the
         corpus so we reject any unknown TLVs. */
      rc = 127;
      goto EXIT_LABEL;
      break;
  }

  rc = 0;

EXIT_LABEL:

  fuzz_free((void **)&tmp);

  return rc;
}

/**
 * Converts a TLV data and length into an allocated string.
 */
char *fuzz_tlv_to_string(TLV *tlv)
{
  char *tlvstr;

  /* Allocate enough space, plus a null terminator */
  tlvstr = (char *)malloc(tlv->length + 1);

  if(tlvstr != NULL) {
    memcpy(tlvstr, tlv->value, tlv->length);
    tlvstr[tlv->length] = 0;
  }

  return tlvstr;
}

/* set up for CURLOPT_HTTPPOST, an alternative API to CURLOPT_MIMEPOST */
void fuzz_setup_http_post(FUZZ_DATA *fuzz, TLV *tlv)
{
  if (fuzz->httppost == NULL) {
    struct curl_httppost *post = NULL;
    struct curl_httppost *last = NULL;

    fuzz->post_body = fuzz_tlv_to_string(tlv);
    if (fuzz->post_body == NULL) {
      return;
    }

    /* This is just one of several possible entrypoints to
     * the HTTPPOST API. see https://curl.se/libcurl/c/curl_formadd.html
     * for lots of others which could be added here.
     */
    curl_formadd(&post, &last,
     CURLFORM_COPYNAME, FUZZ_HTTPPOST_NAME,
     CURLFORM_PTRCONTENTS, fuzz->post_body,
     CURLFORM_CONTENTLEN, (curl_off_t) strlen(fuzz->post_body),
     CURLFORM_END);

    fuzz->last_post_part = last;
    fuzz->httppost = post;
  }

  return;
}

/**
 * Extract the values from the TLV.
 */
int fuzz_add_mime_part(TLV *src_tlv, curl_mimepart *part)
{
  FUZZ_DATA part_fuzz;
  TLV tlv;
  int rc = 0;
  int tlv_rc;

  memset(&part_fuzz, 0, sizeof(FUZZ_DATA));

  if(src_tlv->length < sizeof(TLV_RAW)) {
    /* Not enough data for a single TLV - don't continue */
    goto EXIT_LABEL;
  }

  /* Set up the state parser */
  part_fuzz.state.data = src_tlv->value;
  part_fuzz.state.data_len = src_tlv->length;

  for(tlv_rc = fuzz_get_first_tlv(&part_fuzz, &tlv);
      tlv_rc == 0;
      tlv_rc = fuzz_get_next_tlv(&part_fuzz, &tlv)) {

    /* Have the TLV in hand. Parse the TLV. */
    rc = fuzz_parse_mime_tlv(part, &tlv);

    if(rc != 0) {
      /* Failed to parse the TLV. Can't continue. */
      goto EXIT_LABEL;
    }
  }

  if(tlv_rc != TLV_RC_NO_MORE_TLVS) {
    /* A TLV call failed. Can't continue. */
    goto EXIT_LABEL;
  }

EXIT_LABEL:

  return(rc);
}

/**
 * Do different actions on the mime part for different received TLVs.
 */
int fuzz_parse_mime_tlv(curl_mimepart *part, TLV *tlv)
{
  int rc;
  char *tmp;

  switch(tlv->type) {
    case TLV_TYPE_MIME_PART_NAME:
      tmp = fuzz_tlv_to_string(tlv);
      curl_mime_name(part, tmp);
      fuzz_free((void **)&tmp);
      break;

    case TLV_TYPE_MIME_PART_DATA:
      curl_mime_data(part, (const char *)tlv->value, tlv->length);
      break;

    default:
      /* The fuzzer generates lots of unknown TLVs - we don't want these in the
         corpus so we reject any unknown TLVs. */
      rc = 255;
      goto EXIT_LABEL;
      break;
  }

  rc = 0;

EXIT_LABEL:

  return rc;
}

Coverage Report

Created: 2023-12-08 06:48

Line	Count	Source (jump to first uncovered line)
1		/***************************************************************************
2		* _ _ ____ _
3		* Project ___\| \| \| \| _ \\| \|
4		* / __\| \| \| \| \|_) \| \|
5		* \| (__\| \|_\| \| _ <\| \|___
6		* \___\|\___/\|_\| \_\_____\|
7		*
8		* Copyright (C) 2017, Max Dymond, <cmeister2@gmail.com>, et al.
9		*
10		* This software is licensed as described in the file COPYING, which
11		* you should have received as part of this distribution. The terms
12		* are also available at https://curl.se/docs/copyright.html.
13		*
14		* You may opt to use, copy, modify, merge, publish, distribute and/or sell
15		* copies of the Software, and permit persons to whom the Software is
16		* furnished to do so, under the terms of the COPYING file.
17		*
18		* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19		* KIND, either express or implied.
20		*
21		***************************************************************************/
22		#include <stdlib.h>
23		#include <string.h>
24		#include <curl/curl.h>
25		#include "curl_fuzzer.h"
26
27		/**
28		* TLV access function - gets the first TLV from a data stream.
29		*/
30		int fuzz_get_first_tlv(FUZZ_DATA *fuzz,
31		TLV *tlv)
32	127k	{
33		/* Reset the cursor. */
34	127k	fuzz->state.data_pos = 0;
35	127k	return fuzz_get_tlv_comn(fuzz, tlv);
36	127k	}
37
38		/**
39		* TLV access function - gets the next TLV from a data stream.
40		*/
41		int fuzz_get_next_tlv(FUZZ_DATA *fuzz,
42		TLV *tlv)
43	1.11M	{
44		/* Advance the cursor by the full length of the previous TLV. */
45	1.11M	fuzz->state.data_pos += sizeof(TLV_RAW) + tlv->length;
46
47		/* Work out if there's a TLV's worth of data to read */
48	1.11M	if(fuzz->state.data_pos + sizeof(TLV_RAW) > fuzz->state.data_len) {
49		/* No more TLVs to parse */
50	93.1k	return TLV_RC_NO_MORE_TLVS;
51	93.1k	}
52
53	1.02M	return fuzz_get_tlv_comn(fuzz, tlv);
54	1.11M	}
55
56		/**
57		* Common TLV function for accessing TLVs in a data stream.
58		*/
59		int fuzz_get_tlv_comn(FUZZ_DATA *fuzz,
60		TLV *tlv)
61	1.15M	{
62	1.15M	int rc = 0;
63	1.15M	size_t data_offset;
64	1.15M	TLV_RAW *raw;
65
66		/* Start by casting the data stream to a TLV. */
67	1.15M	raw = (TLV_RAW *)&fuzz->state.data[fuzz->state.data_pos];
68	1.15M	data_offset = fuzz->state.data_pos + sizeof(TLV_RAW);
69
70		/* Set the TLV values. */
71	1.15M	tlv->type = to_u16(raw->raw_type);
72	1.15M	tlv->length = to_u32(raw->raw_length);
73	1.15M	tlv->value = &fuzz->state.data[data_offset];
74
75	1.15M	FV_PRINTF(fuzz, "TLV: type %x length %u\n", tlv->type, tlv->length);
76
77		/* Use uint64s to verify lengths of TLVs so that overflow problems don't
78		matter. */
79	1.15M	uint64_t check_length = data_offset;
80	1.15M	check_length += tlv->length;
81
82	1.15M	uint64_t remaining_len = fuzz->state.data_len;
83	1.15M	FV_PRINTF(fuzz, "Check length of data: %lu \n", check_length);
84	1.15M	FV_PRINTF(fuzz, "Remaining length of data: %lu \n", remaining_len);
85
86		/* Sanity check that the TLV length is ok. */
87	1.15M	if(check_length > remaining_len) {
88	19.7k	FV_PRINTF(fuzz, "Returning TLV_RC_SIZE_ERROR\n");
89	19.7k	rc = TLV_RC_SIZE_ERROR;
90	19.7k	}
91
92	1.15M	return rc;
93	1.15M	}
94
95		/**
96		* Do different actions on the CURL handle for different received TLVs.
97		*/
98		int fuzz_parse_tlv(FUZZ_DATA fuzz, TLV tlv)
99	1.03M	{
100	1.03M	int rc;
101	1.03M	char *tmp = NULL;
102	1.03M	uint32_t tmp_u32;
103	1.03M	curl_slist *new_list;
104
105	1.03M	switch(tlv->type) {
106		/* The pointers in response TLVs will always be valid as long as the fuzz
107		data is in scope, which is the entirety of this file. */
108	3.92k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE0, 0);
109	4.11k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE1, 1);
110	4.05k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE2, 2);
111	4.86k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE3, 3);
112	4.85k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE4, 4);
113	7.90k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE5, 5);
114	4.57k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE6, 6);
115	3.86k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE7, 7);
116	3.75k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE8, 8);
117	4.44k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE9, 9);
118	4.00k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE10, 10);
119
120	3.75k	FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE0, 0);
121	3.83k	FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE1, 1);
122
123	609	case TLV_TYPE_UPLOAD1:
124		/* The pointers in the TLV will always be valid as long as the fuzz data
125		is in scope, which is the entirety of this file. */
126
127	609	FCHECK_OPTION_UNSET(fuzz, CURLOPT_UPLOAD);
128
129	590	fuzz->upload1_data = tlv->value;
130	590	fuzz->upload1_data_len = tlv->length;
131
132	590	FSET_OPTION(fuzz, CURLOPT_UPLOAD, 1L);
133	590	FSET_OPTION(fuzz,
134	590	CURLOPT_INFILESIZE_LARGE,
135	590	(curl_off_t)fuzz->upload1_data_len);
136	590	break;
137
138	669k	case TLV_TYPE_HEADER:
139		/* Limit the number of headers that can be added to a message to prevent
140		timeouts. */
141	669k	if(fuzz->header_list_count >= TLV_MAX_NUM_CURLOPT_HEADER) {
142	18	rc = 255;
143	18	goto EXIT_LABEL;
144	18	}
145
146	669k	tmp = fuzz_tlv_to_string(tlv);
147	669k	if (tmp == NULL) {
148		// keep on despite allocation failure
149	0	break;
150	0	}
151	669k	new_list = curl_slist_append(fuzz->header_list, tmp);
152	669k	if (new_list == NULL) {
153	0	break;
154	0	}
155	669k	fuzz->header_list = new_list;
156	669k	fuzz->header_list_count++;
157	669k	break;
158
159	14.9k	case TLV_TYPE_MAIL_RECIPIENT:
160		/* Limit the number of headers that can be added to a message to prevent
161		timeouts. */
162	14.9k	if(fuzz->header_list_count >= TLV_MAX_NUM_CURLOPT_HEADER) {
163	18	rc = 255;
164	18	goto EXIT_LABEL;
165	18	}
166	14.9k	tmp = fuzz_tlv_to_string(tlv);
167	14.9k	if (tmp == NULL) {
168		// keep on despite allocation failure
169	0	break;
170	0	}
171	14.9k	new_list = curl_slist_append(fuzz->mail_recipients_list, tmp);
172	14.9k	if (new_list != NULL) {
173	14.9k	fuzz->mail_recipients_list = new_list;
174	14.9k	fuzz->header_list_count++;
175	14.9k	}
176	14.9k	break;
177
178	270k	case TLV_TYPE_MIME_PART:
179	270k	if(fuzz->mime == NULL) {
180	3.43k	fuzz->mime = curl_mime_init(fuzz->easy);
181	3.43k	}
182
183	270k	fuzz->part = curl_mime_addpart(fuzz->mime);
184
185		/* This TLV may have sub TLVs. */
186	270k	fuzz_add_mime_part(tlv, fuzz->part);
187
188	270k	break;
189
190	171	case TLV_TYPE_POSTFIELDS:
191	171	FCHECK_OPTION_UNSET(fuzz, CURLOPT_POSTFIELDS);
192	152	fuzz->postfields = fuzz_tlv_to_string(tlv);
193	152	FSET_OPTION(fuzz, CURLOPT_POSTFIELDS, fuzz->postfields);
194	152	break;
195
196	697	case TLV_TYPE_HTTPPOSTBODY:
197	697	FCHECK_OPTION_UNSET(fuzz, CURLOPT_HTTPPOST);
198	678	fuzz_setup_http_post(fuzz, tlv);
199	678	FSET_OPTION(fuzz, CURLOPT_HTTPPOST, fuzz->httppost);
200	678	break;
201
202		/* Define a set of u32 options. */
203	2.83k	FU32TLV(fuzz, TLV_TYPE_HTTPAUTH, CURLOPT_HTTPAUTH);
204	2.54k	FU32TLV(fuzz, TLV_TYPE_OPTHEADER, CURLOPT_HEADER);
205	2.70k	FU32TLV(fuzz, TLV_TYPE_NOBODY, CURLOPT_NOBODY);
206	2.56k	FU32TLV(fuzz, TLV_TYPE_FOLLOWLOCATION, CURLOPT_FOLLOWLOCATION);
207	2.57k	FU32TLV(fuzz, TLV_TYPE_WILDCARDMATCH, CURLOPT_WILDCARDMATCH);
208	2.72k	FU32TLV(fuzz, TLV_TYPE_RTSP_REQUEST, CURLOPT_RTSP_REQUEST);
209	695	FU32TLV(fuzz, TLV_TYPE_RTSP_CLIENT_CSEQ, CURLOPT_RTSP_CLIENT_CSEQ);
210	2.32k	FU32TLV(fuzz, TLV_TYPE_HTTP_VERSION, CURLOPT_HTTP_VERSION);
211	3.02k	FU32TLV(fuzz, TLV_TYPE_NETRC, CURLOPT_NETRC);
212	711	FU32TLV(fuzz, TLV_TYPE_WS_OPTIONS, CURLOPT_WS_OPTIONS);
213	2.48k	FU32TLV(fuzz, TLV_TYPE_CONNECT_ONLY, CURLOPT_CONNECT_ONLY);
214	2.57k	FU32TLV(fuzz, TLV_TYPE_POST, CURLOPT_POST);
215
216		/* Define a set of singleton TLVs - they can only have their value set once
217		and all follow the same pattern. */
218	1.28k	FSINGLETONTLV(fuzz, TLV_TYPE_URL, CURLOPT_URL);
219	286	FSINGLETONTLV(fuzz, TLV_TYPE_DOH_URL, CURLOPT_DOH_URL);
220	306	FSINGLETONTLV(fuzz, TLV_TYPE_USERNAME, CURLOPT_USERNAME);
221	421	FSINGLETONTLV(fuzz, TLV_TYPE_PASSWORD, CURLOPT_PASSWORD);
222	367	FSINGLETONTLV(fuzz, TLV_TYPE_COOKIE, CURLOPT_COOKIE);
223	289	FSINGLETONTLV(fuzz, TLV_TYPE_RANGE, CURLOPT_RANGE);
224	264	FSINGLETONTLV(fuzz, TLV_TYPE_CUSTOMREQUEST, CURLOPT_CUSTOMREQUEST);
225	340	FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_FROM, CURLOPT_MAIL_FROM);
226	624	FSINGLETONTLV(fuzz, TLV_TYPE_ACCEPTENCODING, CURLOPT_ACCEPT_ENCODING);
227	274	FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_SESSION_ID, CURLOPT_RTSP_SESSION_ID);
228	333	FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_STREAM_URI, CURLOPT_RTSP_STREAM_URI);
229	255	FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_TRANSPORT, CURLOPT_RTSP_TRANSPORT);
230	265	FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_AUTH, CURLOPT_MAIL_AUTH);
231	289	FSINGLETONTLV(fuzz, TLV_TYPE_LOGIN_OPTIONS, CURLOPT_LOGIN_OPTIONS);
232	323	FSINGLETONTLV(fuzz, TLV_TYPE_XOAUTH2_BEARER, CURLOPT_XOAUTH2_BEARER);
233	885	FSINGLETONTLV(fuzz, TLV_TYPE_USERPWD, CURLOPT_USERPWD);
234	361	FSINGLETONTLV(fuzz, TLV_TYPE_USERAGENT, CURLOPT_USERAGENT);
235	122	FSINGLETONTLV(fuzz, TLV_TYPE_SSH_HOST_PUBLIC_KEY_SHA256, CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256);
236
237	92	default:
238		/* The fuzzer generates lots of unknown TLVs - we don't want these in the
239		corpus so we reject any unknown TLVs. */
240	92	rc = 127;
241	92	goto EXIT_LABEL;
242	0	break;
243	1.03M	}
244
245	1.02M	rc = 0;
246
247	1.03M	EXIT_LABEL:
248
249	1.03M	fuzz_free((void **)&tmp);
250
251	1.03M	return rc;
252	1.02M	}
253
254		/**
255		* Converts a TLV data and length into an allocated string.
256		*/
257		char fuzz_tlv_to_string(TLV tlv)
258	763k	{
259	763k	char *tlvstr;
260
261		/* Allocate enough space, plus a null terminator */
262	763k	tlvstr = (char *)malloc(tlv->length + 1);
263
264	763k	if(tlvstr != NULL) {
265	763k	memcpy(tlvstr, tlv->value, tlv->length);
266	763k	tlvstr[tlv->length] = 0;
267	763k	}
268
269	763k	return tlvstr;
270	763k	}
271
272		/* set up for CURLOPT_HTTPPOST, an alternative API to CURLOPT_MIMEPOST */
273		void fuzz_setup_http_post(FUZZ_DATA fuzz, TLV tlv)
274	678	{
275	678	if (fuzz->httppost == NULL) {
276	678	struct curl_httppost *post = NULL;
277	678	struct curl_httppost *last = NULL;
278
279	678	fuzz->post_body = fuzz_tlv_to_string(tlv);
280	678	if (fuzz->post_body == NULL) {
281	0	return;
282	0	}
283
284		/* This is just one of several possible entrypoints to
285		* the HTTPPOST API. see https://curl.se/libcurl/c/curl_formadd.html
286		* for lots of others which could be added here.
287		*/
288	678	curl_formadd(&post, &last,
289	678	CURLFORM_COPYNAME, FUZZ_HTTPPOST_NAME,
290	678	CURLFORM_PTRCONTENTS, fuzz->post_body,
291	678	CURLFORM_CONTENTLEN, (curl_off_t) strlen(fuzz->post_body),
292	678	CURLFORM_END);
293
294	678	fuzz->last_post_part = last;
295	678	fuzz->httppost = post;
296	678	}
297
298	678	return;
299	678	}
300
301		/**
302		* Extract the values from the TLV.
303		*/
304		int fuzz_add_mime_part(TLV src_tlv, curl_mimepart part)
305	270k	{
306	270k	FUZZ_DATA part_fuzz;
307	270k	TLV tlv;
308	270k	int rc = 0;
309	270k	int tlv_rc;
310
311	270k	memset(&part_fuzz, 0, sizeof(FUZZ_DATA));
312
313	270k	if(src_tlv->length < sizeof(TLV_RAW)) {
314		/* Not enough data for a single TLV - don't continue */
315	165k	goto EXIT_LABEL;
316	165k	}
317
318		/* Set up the state parser */
319	104k	part_fuzz.state.data = src_tlv->value;
320	104k	part_fuzz.state.data_len = src_tlv->length;
321
322	104k	for(tlv_rc = fuzz_get_first_tlv(&part_fuzz, &tlv);
323	200k	tlv_rc == 0;
324	104k	tlv_rc = fuzz_get_next_tlv(&part_fuzz, &tlv)) {
325
326		/* Have the TLV in hand. Parse the TLV. */
327	102k	rc = fuzz_parse_mime_tlv(part, &tlv);
328
329	102k	if(rc != 0) {
330		/* Failed to parse the TLV. Can't continue. */
331	7.01k	goto EXIT_LABEL;
332	7.01k	}
333	102k	}
334
335	97.9k	if(tlv_rc != TLV_RC_NO_MORE_TLVS) {
336		/* A TLV call failed. Can't continue. */
337	18.1k	goto EXIT_LABEL;
338	18.1k	}
339
340	270k	EXIT_LABEL:
341
342	270k	return(rc);
343	97.9k	}
344
345		/**
346		* Do different actions on the mime part for different received TLVs.
347		*/
348		int fuzz_parse_mime_tlv(curl_mimepart part, TLV tlv)
349	102k	{
350	102k	int rc;
351	102k	char *tmp;
352
353	102k	switch(tlv->type) {
354	74.4k	case TLV_TYPE_MIME_PART_NAME:
355	74.4k	tmp = fuzz_tlv_to_string(tlv);
356	74.4k	curl_mime_name(part, tmp);
357	74.4k	fuzz_free((void **)&tmp);
358	74.4k	break;
359
360	21.0k	case TLV_TYPE_MIME_PART_DATA:
361	21.0k	curl_mime_data(part, (const char *)tlv->value, tlv->length);
362	21.0k	break;
363
364	7.01k	default:
365		/* The fuzzer generates lots of unknown TLVs - we don't want these in the
366		corpus so we reject any unknown TLVs. */
367	7.01k	rc = 255;
368	7.01k	goto EXIT_LABEL;
369	0	break;
370	102k	}
371
372	95.5k	rc = 0;
373
374	102k	EXIT_LABEL:
375
376	102k	return rc;
377	95.5k	}