/src/curl_fuzzer/curl_fuzzer_tlv.cc

Source (jump to first uncovered line)
/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 2017, Max Dymond, <cmeister2@gmail.com>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 ***************************************************************************/
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>
#include "curl_fuzzer.h"

/**
 * TLV access function - gets the first TLV from a data stream.
 */
int fuzz_get_first_tlv(FUZZ_DATA *fuzz,
                       TLV *tlv)
{
  /* Reset the cursor. */
  fuzz->state.data_pos = 0;
  return fuzz_get_tlv_comn(fuzz, tlv);
}

/**
 * TLV access function - gets the next TLV from a data stream.
*/
int fuzz_get_next_tlv(FUZZ_DATA *fuzz,
                      TLV *tlv)
{
  /* Advance the cursor by the full length of the previous TLV. */
  fuzz->state.data_pos += sizeof(TLV_RAW) + tlv->length;

  /* Work out if there's a TLV's worth of data to read */
  if(fuzz->state.data_pos + sizeof(TLV_RAW) > fuzz->state.data_len) {
    /* No more TLVs to parse */
    return TLV_RC_NO_MORE_TLVS;
  }

  return fuzz_get_tlv_comn(fuzz, tlv);
}

/**
 * Common TLV function for accessing TLVs in a data stream.
 */
int fuzz_get_tlv_comn(FUZZ_DATA *fuzz,
                      TLV *tlv)
{
  int rc = 0;
  size_t data_offset;
  TLV_RAW *raw;

  /* Start by casting the data stream to a TLV. */
  raw = (TLV_RAW *)&fuzz->state.data[fuzz->state.data_pos];
  data_offset = fuzz->state.data_pos + sizeof(TLV_RAW);

  /* Set the TLV values. */
  tlv->type = to_u16(raw->raw_type);
  tlv->length = to_u32(raw->raw_length);
  tlv->value = &fuzz->state.data[data_offset];

  FV_PRINTF(fuzz, "TLV: type %x length %u\n", tlv->type, tlv->length);

  /* Use uint64s to verify lengths of TLVs so that overflow problems don't
     matter. */
  uint64_t check_length = data_offset;
  check_length += tlv->length;

  uint64_t remaining_len = fuzz->state.data_len;
  FV_PRINTF(fuzz, "Check length of data: %" PRIu64 " \n", check_length);
  FV_PRINTF(fuzz, "Remaining length of data: %" PRIu64 " \n", remaining_len);

  /* Sanity check that the TLV length is ok. */
  if(check_length > remaining_len) {
    FV_PRINTF(fuzz, "Returning TLV_RC_SIZE_ERROR\n");
    rc = TLV_RC_SIZE_ERROR;
  }

  return rc;
}

/**
 * Do different actions on the CURL handle for different received TLVs.
 */
int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv)
{
  int rc;
  char *tmp = NULL;
  uint32_t tmp_u32;
  curl_slist *new_list;

  switch(tlv->type) {
    /* The pointers in response TLVs will always be valid as long as the fuzz
       data is in scope, which is the entirety of this file. */
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE0, 0);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE1, 1);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE2, 2);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE3, 3);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE4, 4);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE5, 5);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE6, 6);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE7, 7);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE8, 8);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE9, 9);
    FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE10, 10);

    FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE0, 0);
    FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE1, 1);

    case TLV_TYPE_UPLOAD1:
      /* The pointers in the TLV will always be valid as long as the fuzz data
         is in scope, which is the entirety of this file. */

      FCHECK_OPTION_UNSET(fuzz, CURLOPT_UPLOAD);

      fuzz->upload1_data = tlv->value;
      fuzz->upload1_data_len = tlv->length;

      FSET_OPTION(fuzz, CURLOPT_UPLOAD, 1L);
      FSET_OPTION(fuzz,
                  CURLOPT_INFILESIZE_LARGE,
                  (curl_off_t)fuzz->upload1_data_len);
      break;

    case TLV_TYPE_HEADER:
      /* Limit the number of headers that can be added to a message to prevent
         timeouts. */
      if(fuzz->header_list_count >= TLV_MAX_NUM_CURLOPT_HEADER) {
        rc = 255;
        goto EXIT_LABEL;
      }

      tmp = fuzz_tlv_to_string(tlv);
      if (tmp == NULL) {
        // keep on despite allocation failure
        break;
      }
      new_list = curl_slist_append(fuzz->header_list, tmp);
      if (new_list == NULL) {
        break;
      }
      fuzz->header_list = new_list;
      fuzz->header_list_count++;
      break;

    case TLV_TYPE_MAIL_RECIPIENT:
      /* Limit the number of headers that can be added to a message to prevent
         timeouts. */
      if(fuzz->header_list_count >= TLV_MAX_NUM_CURLOPT_HEADER) {
        rc = 255;
        goto EXIT_LABEL;
      }
      tmp = fuzz_tlv_to_string(tlv);
      if (tmp == NULL) {
        // keep on despite allocation failure
        break;
      }
      new_list = curl_slist_append(fuzz->mail_recipients_list, tmp);
      if (new_list != NULL) {
        fuzz->mail_recipients_list = new_list;
        fuzz->header_list_count++;
      }
      break;

    case TLV_TYPE_MIME_PART:
      if(fuzz->mime == NULL) {
        fuzz->mime = curl_mime_init(fuzz->easy);
      }

      fuzz->part = curl_mime_addpart(fuzz->mime);

      /* This TLV may have sub TLVs. */
      fuzz_add_mime_part(tlv, fuzz->part);

      break;

    case TLV_TYPE_POSTFIELDS:
      FCHECK_OPTION_UNSET(fuzz, CURLOPT_POSTFIELDS);
      fuzz->postfields = fuzz_tlv_to_string(tlv);
      FSET_OPTION(fuzz, CURLOPT_POSTFIELDS, fuzz->postfields);
      break;

    case TLV_TYPE_HTTPPOSTBODY:
      FCHECK_OPTION_UNSET(fuzz, CURLOPT_HTTPPOST);
      fuzz_setup_http_post(fuzz, tlv);
      FSET_OPTION(fuzz, CURLOPT_HTTPPOST, fuzz->httppost);
      break;

    /* Define a set of u32 options. */
    FU32TLV(fuzz, TLV_TYPE_HTTPAUTH, CURLOPT_HTTPAUTH);
    FU32TLV(fuzz, TLV_TYPE_OPTHEADER, CURLOPT_HEADER);
    FU32TLV(fuzz, TLV_TYPE_NOBODY, CURLOPT_NOBODY);
    FU32TLV(fuzz, TLV_TYPE_FOLLOWLOCATION, CURLOPT_FOLLOWLOCATION);
    FU32TLV(fuzz, TLV_TYPE_WILDCARDMATCH, CURLOPT_WILDCARDMATCH);
    FU32TLV(fuzz, TLV_TYPE_RTSP_REQUEST, CURLOPT_RTSP_REQUEST);
    FU32TLV(fuzz, TLV_TYPE_RTSP_CLIENT_CSEQ, CURLOPT_RTSP_CLIENT_CSEQ);
    FU32TLV(fuzz, TLV_TYPE_HTTP_VERSION, CURLOPT_HTTP_VERSION);
    FU32TLV(fuzz, TLV_TYPE_NETRC, CURLOPT_NETRC);
    FU32TLV(fuzz, TLV_TYPE_WS_OPTIONS, CURLOPT_WS_OPTIONS);
    FU32TLV(fuzz, TLV_TYPE_CONNECT_ONLY, CURLOPT_CONNECT_ONLY);
    FU32TLV(fuzz, TLV_TYPE_POST, CURLOPT_POST);

    /* Define a set of singleton TLVs - they can only have their value set once
       and all follow the same pattern. */
    FSINGLETONTLV(fuzz, TLV_TYPE_URL, CURLOPT_URL);
    FSINGLETONTLV(fuzz, TLV_TYPE_DOH_URL, CURLOPT_DOH_URL);
    FSINGLETONTLV(fuzz, TLV_TYPE_USERNAME, CURLOPT_USERNAME);
    FSINGLETONTLV(fuzz, TLV_TYPE_PASSWORD, CURLOPT_PASSWORD);
    FSINGLETONTLV(fuzz, TLV_TYPE_COOKIE, CURLOPT_COOKIE);
    FSINGLETONTLV(fuzz, TLV_TYPE_RANGE, CURLOPT_RANGE);
    FSINGLETONTLV(fuzz, TLV_TYPE_CUSTOMREQUEST, CURLOPT_CUSTOMREQUEST);
    FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_FROM, CURLOPT_MAIL_FROM);
    FSINGLETONTLV(fuzz, TLV_TYPE_ACCEPTENCODING, CURLOPT_ACCEPT_ENCODING);
    FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_SESSION_ID, CURLOPT_RTSP_SESSION_ID);
    FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_STREAM_URI, CURLOPT_RTSP_STREAM_URI);
    FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_TRANSPORT, CURLOPT_RTSP_TRANSPORT);
    FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_AUTH, CURLOPT_MAIL_AUTH);
    FSINGLETONTLV(fuzz, TLV_TYPE_LOGIN_OPTIONS, CURLOPT_LOGIN_OPTIONS);
    FSINGLETONTLV(fuzz, TLV_TYPE_XOAUTH2_BEARER, CURLOPT_XOAUTH2_BEARER);
    FSINGLETONTLV(fuzz, TLV_TYPE_USERPWD, CURLOPT_USERPWD);
    FSINGLETONTLV(fuzz, TLV_TYPE_USERAGENT, CURLOPT_USERAGENT);
    FSINGLETONTLV(fuzz, TLV_TYPE_SSH_HOST_PUBLIC_KEY_SHA256, CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256);

    default:
      /* The fuzzer generates lots of unknown TLVs - we don't want these in the
         corpus so we reject any unknown TLVs. */
      rc = 127;
      goto EXIT_LABEL;
      break;
  }

  rc = 0;

EXIT_LABEL:

  fuzz_free((void **)&tmp);

  return rc;
}

/**
 * Converts a TLV data and length into an allocated string.
 */
char *fuzz_tlv_to_string(TLV *tlv)
{
  char *tlvstr;

  /* Allocate enough space, plus a null terminator */
  tlvstr = (char *)malloc(tlv->length + 1);

  if(tlvstr != NULL) {
    memcpy(tlvstr, tlv->value, tlv->length);
    tlvstr[tlv->length] = 0;
  }

  return tlvstr;
}

/* set up for CURLOPT_HTTPPOST, an alternative API to CURLOPT_MIMEPOST */
void fuzz_setup_http_post(FUZZ_DATA *fuzz, TLV *tlv)
{
  if (fuzz->httppost == NULL) {
    struct curl_httppost *post = NULL;
    struct curl_httppost *last = NULL;

    fuzz->post_body = fuzz_tlv_to_string(tlv);
    if (fuzz->post_body == NULL) {
      return;
    }

    /* This is just one of several possible entrypoints to
     * the HTTPPOST API. see https://curl.se/libcurl/c/curl_formadd.html
     * for lots of others which could be added here.
     */
    curl_formadd(&post, &last,
     CURLFORM_COPYNAME, FUZZ_HTTPPOST_NAME,
     CURLFORM_PTRCONTENTS, fuzz->post_body,
     CURLFORM_CONTENTLEN, (curl_off_t) strlen(fuzz->post_body),
     CURLFORM_END);

    fuzz->last_post_part = last;
    fuzz->httppost = post;
  }

  return;
}

/**
 * Extract the values from the TLV.
 */
int fuzz_add_mime_part(TLV *src_tlv, curl_mimepart *part)
{
  FUZZ_DATA part_fuzz;
  TLV tlv;
  int rc = 0;
  int tlv_rc;

  memset(&part_fuzz, 0, sizeof(FUZZ_DATA));

  if(src_tlv->length < sizeof(TLV_RAW)) {
    /* Not enough data for a single TLV - don't continue */
    goto EXIT_LABEL;
  }

  /* Set up the state parser */
  part_fuzz.state.data = src_tlv->value;
  part_fuzz.state.data_len = src_tlv->length;

  for(tlv_rc = fuzz_get_first_tlv(&part_fuzz, &tlv);
      tlv_rc == 0;
      tlv_rc = fuzz_get_next_tlv(&part_fuzz, &tlv)) {

    /* Have the TLV in hand. Parse the TLV. */
    rc = fuzz_parse_mime_tlv(part, &tlv);

    if(rc != 0) {
      /* Failed to parse the TLV. Can't continue. */
      goto EXIT_LABEL;
    }
  }

  if(tlv_rc != TLV_RC_NO_MORE_TLVS) {
    /* A TLV call failed. Can't continue. */
    goto EXIT_LABEL;
  }

EXIT_LABEL:

  return(rc);
}

/**
 * Do different actions on the mime part for different received TLVs.
 */
int fuzz_parse_mime_tlv(curl_mimepart *part, TLV *tlv)
{
  int rc;
  char *tmp;

  switch(tlv->type) {
    case TLV_TYPE_MIME_PART_NAME:
      tmp = fuzz_tlv_to_string(tlv);
      curl_mime_name(part, tmp);
      fuzz_free((void **)&tmp);
      break;

    case TLV_TYPE_MIME_PART_DATA:
      curl_mime_data(part, (const char *)tlv->value, tlv->length);
      break;

    default:
      /* The fuzzer generates lots of unknown TLVs - we don't want these in the
         corpus so we reject any unknown TLVs. */
      rc = 255;
      goto EXIT_LABEL;
      break;
  }

  rc = 0;

EXIT_LABEL:

  return rc;
}

Coverage Report

Created: 2024-05-21 06:52

Line	Count	Source (jump to first uncovered line)
1		/***************************************************************************
2		* _ _ ____ _
3		* Project ___\| \| \| \| _ \\| \|
4		* / __\| \| \| \| \|_) \| \|
5		* \| (__\| \|_\| \| _ <\| \|___
6		* \___\|\___/\|_\| \_\_____\|
7		*
8		* Copyright (C) 2017, Max Dymond, <cmeister2@gmail.com>, et al.
9		*
10		* This software is licensed as described in the file COPYING, which
11		* you should have received as part of this distribution. The terms
12		* are also available at https://curl.se/docs/copyright.html.
13		*
14		* You may opt to use, copy, modify, merge, publish, distribute and/or sell
15		* copies of the Software, and permit persons to whom the Software is
16		* furnished to do so, under the terms of the COPYING file.
17		*
18		* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19		* KIND, either express or implied.
20		*
21		***************************************************************************/
22		#include <stdlib.h>
23		#include <string.h>
24		#include <curl/curl.h>
25		#include "curl_fuzzer.h"
26
27		/**
28		* TLV access function - gets the first TLV from a data stream.
29		*/
30		int fuzz_get_first_tlv(FUZZ_DATA *fuzz,
31		TLV *tlv)
32	1.86M	{
33		/* Reset the cursor. */
34	1.86M	fuzz->state.data_pos = 0;
35	1.86M	return fuzz_get_tlv_comn(fuzz, tlv);
36	1.86M	}
37
38		/**
39		* TLV access function - gets the next TLV from a data stream.
40		*/
41		int fuzz_get_next_tlv(FUZZ_DATA *fuzz,
42		TLV *tlv)
43	8.12M	{
44		/* Advance the cursor by the full length of the previous TLV. */
45	8.12M	fuzz->state.data_pos += sizeof(TLV_RAW) + tlv->length;
46
47		/* Work out if there's a TLV's worth of data to read */
48	8.12M	if(fuzz->state.data_pos + sizeof(TLV_RAW) > fuzz->state.data_len) {
49		/* No more TLVs to parse */
50	1.59M	return TLV_RC_NO_MORE_TLVS;
51	1.59M	}
52
53	6.52M	return fuzz_get_tlv_comn(fuzz, tlv);
54	8.12M	}
55
56		/**
57		* Common TLV function for accessing TLVs in a data stream.
58		*/
59		int fuzz_get_tlv_comn(FUZZ_DATA *fuzz,
60		TLV *tlv)
61	8.38M	{
62	8.38M	int rc = 0;
63	8.38M	size_t data_offset;
64	8.38M	TLV_RAW *raw;
65
66		/* Start by casting the data stream to a TLV. */
67	8.38M	raw = (TLV_RAW *)&fuzz->state.data[fuzz->state.data_pos];
68	8.38M	data_offset = fuzz->state.data_pos + sizeof(TLV_RAW);
69
70		/* Set the TLV values. */
71	8.38M	tlv->type = to_u16(raw->raw_type);
72	8.38M	tlv->length = to_u32(raw->raw_length);
73	8.38M	tlv->value = &fuzz->state.data[data_offset];
74
75	8.38M	FV_PRINTF(fuzz, "TLV: type %x length %u\n", tlv->type, tlv->length);
76
77		/* Use uint64s to verify lengths of TLVs so that overflow problems don't
78		matter. */
79	8.38M	uint64_t check_length = data_offset;
80	8.38M	check_length += tlv->length;
81
82	8.38M	uint64_t remaining_len = fuzz->state.data_len;
83	8.38M	FV_PRINTF(fuzz, "Check length of data: %" PRIu64 " \n", check_length);
84	8.38M	FV_PRINTF(fuzz, "Remaining length of data: %" PRIu64 " \n", remaining_len);
85
86		/* Sanity check that the TLV length is ok. */
87	8.38M	if(check_length > remaining_len) {
88	186k	FV_PRINTF(fuzz, "Returning TLV_RC_SIZE_ERROR\n");
89	186k	rc = TLV_RC_SIZE_ERROR;
90	186k	}
91
92	8.38M	return rc;
93	8.38M	}
94
95		/**
96		* Do different actions on the CURL handle for different received TLVs.
97		*/
98		int fuzz_parse_tlv(FUZZ_DATA fuzz, TLV tlv)
99	6.58M	{
100	6.58M	int rc;
101	6.58M	char *tmp = NULL;
102	6.58M	uint32_t tmp_u32;
103	6.58M	curl_slist *new_list;
104
105	6.58M	switch(tlv->type) {
106		/* The pointers in response TLVs will always be valid as long as the fuzz
107		data is in scope, which is the entirety of this file. */
108	22.8k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE0, 0);
109	35.6k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE1, 1);
110	14.5k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE2, 2);
111	22.9k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE3, 3);
112	9.38k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE4, 4);
113	66.6k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE5, 5);
114	8.07k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE6, 6);
115	6.10k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE7, 7);
116	3.68k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE8, 8);
117	26.3k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE9, 9);
118	7.22k	FRESPONSETLV(&fuzz->sockman[0], TLV_TYPE_RESPONSE10, 10);
119
120	4.47k	FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE0, 0);
121	3.58k	FRESPONSETLV(&fuzz->sockman[1], TLV_TYPE_SECOND_RESPONSE1, 1);
122
123	2.02k	case TLV_TYPE_UPLOAD1:
124		/* The pointers in the TLV will always be valid as long as the fuzz data
125		is in scope, which is the entirety of this file. */
126
127	2.02k	FCHECK_OPTION_UNSET(fuzz, CURLOPT_UPLOAD);
128
129	2.01k	fuzz->upload1_data = tlv->value;
130	2.01k	fuzz->upload1_data_len = tlv->length;
131
132	2.01k	FSET_OPTION(fuzz, CURLOPT_UPLOAD, 1L);
133	2.01k	FSET_OPTION(fuzz,
134	2.01k	CURLOPT_INFILESIZE_LARGE,
135	2.01k	(curl_off_t)fuzz->upload1_data_len);
136	2.01k	break;
137
138	228k	case TLV_TYPE_HEADER:
139		/* Limit the number of headers that can be added to a message to prevent
140		timeouts. */
141	228k	if(fuzz->header_list_count >= TLV_MAX_NUM_CURLOPT_HEADER) {
142	14	rc = 255;
143	14	goto EXIT_LABEL;
144	14	}
145
146	228k	tmp = fuzz_tlv_to_string(tlv);
147	228k	if (tmp == NULL) {
148		// keep on despite allocation failure
149	0	break;
150	0	}
151	228k	new_list = curl_slist_append(fuzz->header_list, tmp);
152	228k	if (new_list == NULL) {
153	0	break;
154	0	}
155	228k	fuzz->header_list = new_list;
156	228k	fuzz->header_list_count++;
157	228k	break;
158
159	25.0k	case TLV_TYPE_MAIL_RECIPIENT:
160		/* Limit the number of headers that can be added to a message to prevent
161		timeouts. */
162	25.0k	if(fuzz->header_list_count >= TLV_MAX_NUM_CURLOPT_HEADER) {
163	14	rc = 255;
164	14	goto EXIT_LABEL;
165	14	}
166	25.0k	tmp = fuzz_tlv_to_string(tlv);
167	25.0k	if (tmp == NULL) {
168		// keep on despite allocation failure
169	0	break;
170	0	}
171	25.0k	new_list = curl_slist_append(fuzz->mail_recipients_list, tmp);
172	25.0k	if (new_list != NULL) {
173	25.0k	fuzz->mail_recipients_list = new_list;
174	25.0k	fuzz->header_list_count++;
175	25.0k	}
176	25.0k	break;
177
178	5.97M	case TLV_TYPE_MIME_PART:
179	5.97M	if(fuzz->mime == NULL) {
180	5.92k	fuzz->mime = curl_mime_init(fuzz->easy);
181	5.92k	}
182
183	5.97M	fuzz->part = curl_mime_addpart(fuzz->mime);
184
185		/* This TLV may have sub TLVs. */
186	5.97M	fuzz_add_mime_part(tlv, fuzz->part);
187
188	5.97M	break;
189
190	808	case TLV_TYPE_POSTFIELDS:
191	808	FCHECK_OPTION_UNSET(fuzz, CURLOPT_POSTFIELDS);
192	794	fuzz->postfields = fuzz_tlv_to_string(tlv);
193	794	FSET_OPTION(fuzz, CURLOPT_POSTFIELDS, fuzz->postfields);
194	794	break;
195
196	1.15k	case TLV_TYPE_HTTPPOSTBODY:
197	1.15k	FCHECK_OPTION_UNSET(fuzz, CURLOPT_HTTPPOST);
198	1.13k	fuzz_setup_http_post(fuzz, tlv);
199	1.13k	FSET_OPTION(fuzz, CURLOPT_HTTPPOST, fuzz->httppost);
200	1.13k	break;
201
202		/* Define a set of u32 options. */
203	19.9k	FU32TLV(fuzz, TLV_TYPE_HTTPAUTH, CURLOPT_HTTPAUTH);
204	2.08k	FU32TLV(fuzz, TLV_TYPE_OPTHEADER, CURLOPT_HEADER);
205	2.87k	FU32TLV(fuzz, TLV_TYPE_NOBODY, CURLOPT_NOBODY);
206	8.24k	FU32TLV(fuzz, TLV_TYPE_FOLLOWLOCATION, CURLOPT_FOLLOWLOCATION);
207	5.61k	FU32TLV(fuzz, TLV_TYPE_WILDCARDMATCH, CURLOPT_WILDCARDMATCH);
208	7.15k	FU32TLV(fuzz, TLV_TYPE_RTSP_REQUEST, CURLOPT_RTSP_REQUEST);
209	697	FU32TLV(fuzz, TLV_TYPE_RTSP_CLIENT_CSEQ, CURLOPT_RTSP_CLIENT_CSEQ);
210	38.4k	FU32TLV(fuzz, TLV_TYPE_HTTP_VERSION, CURLOPT_HTTP_VERSION);
211	2.38k	FU32TLV(fuzz, TLV_TYPE_NETRC, CURLOPT_NETRC);
212	399	FU32TLV(fuzz, TLV_TYPE_WS_OPTIONS, CURLOPT_WS_OPTIONS);
213	2.11k	FU32TLV(fuzz, TLV_TYPE_CONNECT_ONLY, CURLOPT_CONNECT_ONLY);
214	2.50k	FU32TLV(fuzz, TLV_TYPE_POST, CURLOPT_POST);
215
216		/* Define a set of singleton TLVs - they can only have their value set once
217		and all follow the same pattern. */
218	145k	FSINGLETONTLV(fuzz, TLV_TYPE_URL, CURLOPT_URL);
219	433	FSINGLETONTLV(fuzz, TLV_TYPE_DOH_URL, CURLOPT_DOH_URL);
220	1.69k	FSINGLETONTLV(fuzz, TLV_TYPE_USERNAME, CURLOPT_USERNAME);
221	2.85k	FSINGLETONTLV(fuzz, TLV_TYPE_PASSWORD, CURLOPT_PASSWORD);
222	2.01k	FSINGLETONTLV(fuzz, TLV_TYPE_COOKIE, CURLOPT_COOKIE);
223	6.05k	FSINGLETONTLV(fuzz, TLV_TYPE_RANGE, CURLOPT_RANGE);
224	2.33k	FSINGLETONTLV(fuzz, TLV_TYPE_CUSTOMREQUEST, CURLOPT_CUSTOMREQUEST);
225	825	FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_FROM, CURLOPT_MAIL_FROM);
226	5.95k	FSINGLETONTLV(fuzz, TLV_TYPE_ACCEPTENCODING, CURLOPT_ACCEPT_ENCODING);
227	991	FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_SESSION_ID, CURLOPT_RTSP_SESSION_ID);
228	480	FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_STREAM_URI, CURLOPT_RTSP_STREAM_URI);
229	631	FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_TRANSPORT, CURLOPT_RTSP_TRANSPORT);
230	682	FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_AUTH, CURLOPT_MAIL_AUTH);
231	861	FSINGLETONTLV(fuzz, TLV_TYPE_LOGIN_OPTIONS, CURLOPT_LOGIN_OPTIONS);
232	1.89k	FSINGLETONTLV(fuzz, TLV_TYPE_XOAUTH2_BEARER, CURLOPT_XOAUTH2_BEARER);
233	4.94k	FSINGLETONTLV(fuzz, TLV_TYPE_USERPWD, CURLOPT_USERPWD);
234	1.53k	FSINGLETONTLV(fuzz, TLV_TYPE_USERAGENT, CURLOPT_USERAGENT);
235	102	FSINGLETONTLV(fuzz, TLV_TYPE_SSH_HOST_PUBLIC_KEY_SHA256, CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256);
236
237	78	default:
238		/* The fuzzer generates lots of unknown TLVs - we don't want these in the
239		corpus so we reject any unknown TLVs. */
240	78	rc = 127;
241	78	goto EXIT_LABEL;
242	0	break;
243	6.58M	}
244
245	6.58M	rc = 0;
246
247	6.58M	EXIT_LABEL:
248
249	6.58M	fuzz_free((void **)&tmp);
250
251	6.58M	return rc;
252	6.58M	}
253
254		/**
255		* Converts a TLV data and length into an allocated string.
256		*/
257		char fuzz_tlv_to_string(TLV tlv)
258	1.86M	{
259	1.86M	char *tlvstr;
260
261		/* Allocate enough space, plus a null terminator */
262	1.86M	tlvstr = (char *)malloc(tlv->length + 1);
263
264	1.86M	if(tlvstr != NULL) {
265	1.86M	memcpy(tlvstr, tlv->value, tlv->length);
266	1.86M	tlvstr[tlv->length] = 0;
267	1.86M	}
268
269	1.86M	return tlvstr;
270	1.86M	}
271
272		/* set up for CURLOPT_HTTPPOST, an alternative API to CURLOPT_MIMEPOST */
273		void fuzz_setup_http_post(FUZZ_DATA fuzz, TLV tlv)
274	1.13k	{
275	1.13k	if (fuzz->httppost == NULL) {
276	1.13k	struct curl_httppost *post = NULL;
277	1.13k	struct curl_httppost *last = NULL;
278
279	1.13k	fuzz->post_body = fuzz_tlv_to_string(tlv);
280	1.13k	if (fuzz->post_body == NULL) {
281	0	return;
282	0	}
283
284		/* This is just one of several possible entrypoints to
285		* the HTTPPOST API. see https://curl.se/libcurl/c/curl_formadd.html
286		* for lots of others which could be added here.
287		*/
288	1.13k	curl_formadd(&post, &last,
289	1.13k	CURLFORM_COPYNAME, FUZZ_HTTPPOST_NAME,
290	1.13k	CURLFORM_PTRCONTENTS, fuzz->post_body,
291	1.13k	CURLFORM_CONTENTLEN, (curl_off_t) strlen(fuzz->post_body),
292	1.13k	CURLFORM_END);
293
294	1.13k	fuzz->last_post_part = last;
295	1.13k	fuzz->httppost = post;
296	1.13k	}
297
298	1.13k	return;
299	1.13k	}
300
301		/**
302		* Extract the values from the TLV.
303		*/
304		int fuzz_add_mime_part(TLV src_tlv, curl_mimepart part)
305	5.97M	{
306	5.97M	FUZZ_DATA part_fuzz;
307	5.97M	TLV tlv;
308	5.97M	int rc = 0;
309	5.97M	int tlv_rc;
310
311	5.97M	memset(&part_fuzz, 0, sizeof(FUZZ_DATA));
312
313	5.97M	if(src_tlv->length < sizeof(TLV_RAW)) {
314		/* Not enough data for a single TLV - don't continue */
315	4.19M	goto EXIT_LABEL;
316	4.19M	}
317
318		/* Set up the state parser */
319	1.78M	part_fuzz.state.data = src_tlv->value;
320	1.78M	part_fuzz.state.data_len = src_tlv->length;
321
322	1.78M	for(tlv_rc = fuzz_get_first_tlv(&part_fuzz, &tlv);
323	3.31M	tlv_rc == 0;
324	1.78M	tlv_rc = fuzz_get_next_tlv(&part_fuzz, &tlv)) {
325
326		/* Have the TLV in hand. Parse the TLV. */
327	1.61M	rc = fuzz_parse_mime_tlv(part, &tlv);
328
329	1.61M	if(rc != 0) {
330		/* Failed to parse the TLV. Can't continue. */
331	77.0k	goto EXIT_LABEL;
332	77.0k	}
333	1.61M	}
334
335	1.70M	if(tlv_rc != TLV_RC_NO_MORE_TLVS) {
336		/* A TLV call failed. Can't continue. */
337	185k	goto EXIT_LABEL;
338	185k	}
339
340	5.97M	EXIT_LABEL:
341
342	5.97M	return(rc);
343	1.70M	}
344
345		/**
346		* Do different actions on the mime part for different received TLVs.
347		*/
348		int fuzz_parse_mime_tlv(curl_mimepart part, TLV tlv)
349	1.61M	{
350	1.61M	int rc;
351	1.61M	char *tmp;
352
353	1.61M	switch(tlv->type) {
354	1.51M	case TLV_TYPE_MIME_PART_NAME:
355	1.51M	tmp = fuzz_tlv_to_string(tlv);
356	1.51M	curl_mime_name(part, tmp);
357	1.51M	fuzz_free((void **)&tmp);
358	1.51M	break;
359
360	19.2k	case TLV_TYPE_MIME_PART_DATA:
361	19.2k	curl_mime_data(part, (const char *)tlv->value, tlv->length);
362	19.2k	break;
363
364	77.0k	default:
365		/* The fuzzer generates lots of unknown TLVs - we don't want these in the
366		corpus so we reject any unknown TLVs. */
367	77.0k	rc = 255;
368	77.0k	goto EXIT_LABEL;
369	0	break;
370	1.61M	}
371
372	1.53M	rc = 0;
373
374	1.61M	EXIT_LABEL:
375
376	1.61M	return rc;
377	1.53M	}