/src/curl_fuzzer/proto_fuzzer/ws_frame.cc

Source
/*
 * Copyright (C) Max Dymond, <cmeister2@gmail.com>, et al.
 *
 * SPDX-License-Identifier: curl
 */

/// @file
/// @brief Implementation of SerializeWebSocketFrame.

#include "proto_fuzzer/ws_frame.h"

#include <cstddef>
#include <cstdint>
#include <string>

namespace proto_fuzzer {

namespace {

// RFC 6455 §5.2 length-form selectors.
constexpr std::uint32_t kLenFormAuto = 0;
constexpr std::uint32_t kLenForm7 = 1;
constexpr std::uint32_t kLenForm16 = 2;
constexpr std::uint32_t kLenForm64 = 3;

/// Pick a length encoding for 'payload_len' honouring an explicit override.
/// When 'form' names a shorter encoding than the payload actually needs, we
/// still emit the shorter form and let the decoder reject it — the point is
/// to exercise the error path.
std::uint32_t ResolveLengthForm(std::uint32_t form, std::size_t payload_len) {
  if (form == kLenForm7 || form == kLenForm16 || form == kLenForm64) {
    return form;
  }
  if (payload_len < 126) {
    return kLenForm7;
  }
  if (payload_len <= 0xFFFF) {
    return kLenForm16;
  }
  return kLenForm64;
}

/// Append 'value' as big-endian bytes of width 'width' to 'out'.
void AppendBigEndian(std::string* out, std::uint64_t value, std::size_t width) {
  for (std::size_t i = 0; i < width; ++i) {
    std::size_t shift = (width - 1 - i) * 8;
    out->push_back(static_cast<char>((value >> shift) & 0xFF));
  }
}

}  // namespace

/// Serialise a proto WebSocketFrame into RFC 6455 wire bytes. No validation
/// is performed — invalid combinations (reserved bits set, oversized
/// length_form for a tiny payload, opcode > 15) round-trip to the decoder
/// unchanged, which is the point.
/// @param frame The WebSocketFrame proto message to render.
/// @return The serialised byte string, ready to push onto the mock socket.
std::string SerializeWebSocketFrame(const curl::fuzzer::proto::WebSocketFrame& frame) {
  std::string out;
  const std::string& payload = frame.payload();
  const std::size_t payload_len = payload.size();

  // Byte 0: FIN | RSV1 | RSV2 | RSV3 | opcode(4 bits).
  std::uint8_t byte0 = 0;
  if (frame.fin()) byte0 |= 0x80;
  if (frame.rsv1()) byte0 |= 0x40;
  if (frame.rsv2()) byte0 |= 0x20;
  if (frame.rsv3()) byte0 |= 0x10;
  byte0 |= static_cast<std::uint8_t>(frame.opcode() & 0x0F);
  out.push_back(static_cast<char>(byte0));

  // Byte 1: MASK bit | payload-length indicator (7 bits).
  const std::uint32_t length_form = ResolveLengthForm(frame.length_form(), payload_len);
  std::uint8_t byte1 = frame.masked() ? 0x80 : 0x00;
  switch (length_form) {
    case kLenForm7:
      // Clamp the 7-bit length to the payload's actual size. If the payload
      // is > 125 bytes and the caller forced 7-bit form, low 7 bits of size
      // are what the decoder sees — which is exactly the malformed-frame
      // path we want to reach.
      byte1 |= static_cast<std::uint8_t>(payload_len & 0x7F);
      out.push_back(static_cast<char>(byte1));
      break;
    case kLenForm16:
      byte1 |= 126;
      out.push_back(static_cast<char>(byte1));
      AppendBigEndian(&out, static_cast<std::uint64_t>(payload_len & 0xFFFF), 2);
      break;
    case kLenForm64:
    default:
      byte1 |= 127;
      out.push_back(static_cast<char>(byte1));
      AppendBigEndian(&out, static_cast<std::uint64_t>(payload_len), 8);
      break;
  }

  // Masking key (4 bytes) and XORed payload. Client-to-server frames must be
  // masked per spec; server-to-client frames must NOT — but we emit whatever
  // the scenario says, so the decoder's "masked server frame" error path is
  // reachable.
  if (frame.masked()) {
    const std::uint32_t key = frame.mask_key();
    std::uint8_t key_bytes[4] = {
        static_cast<std::uint8_t>((key >> 24) & 0xFF),
        static_cast<std::uint8_t>((key >> 16) & 0xFF),
        static_cast<std::uint8_t>((key >> 8) & 0xFF),
        static_cast<std::uint8_t>(key & 0xFF),
    };
    for (unsigned char b : key_bytes) {
      out.push_back(static_cast<char>(b));
    }
    out.reserve(out.size() + payload_len);
    for (std::size_t i = 0; i < payload_len; ++i) {
      out.push_back(static_cast<char>(static_cast<std::uint8_t>(payload[i]) ^ key_bytes[i & 0x3]));
    }
  } else {
    out.append(payload);
  }

  return out;
}

}  // namespace proto_fuzzer

Line	Count	Source
1		/*
2		* Copyright (C) Max Dymond, <cmeister2@gmail.com>, et al.
3		*
4		* SPDX-License-Identifier: curl
5		*/
6
7		/// @file
8		/// @brief Implementation of SerializeWebSocketFrame.
9
10		#include "proto_fuzzer/ws_frame.h"
11
12		#include <cstddef>
13		#include <cstdint>
14		#include <string>
15
16		namespace proto_fuzzer {
17
18		namespace {
19
20		// RFC 6455 §5.2 length-form selectors.
21		constexpr std::uint32_t kLenFormAuto = 0;
22		constexpr std::uint32_t kLenForm7 = 1;
23		constexpr std::uint32_t kLenForm16 = 2;
24		constexpr std::uint32_t kLenForm64 = 3;
25
26		/// Pick a length encoding for 'payload_len' honouring an explicit override.
27		/// When 'form' names a shorter encoding than the payload actually needs, we
28		/// still emit the shorter form and let the decoder reject it — the point is
29		/// to exercise the error path.
30	2.30k	std::uint32_t ResolveLengthForm(std::uint32_t form, std::size_t payload_len) {
31	2.30k	if (form == kLenForm7 \|\| form == kLenForm16 \|\| form == kLenForm64) {
32	188	return form;
33	188	}
34	2.11k	if (payload_len < 126) {
35	2.05k	return kLenForm7;
36	2.05k	}
37	63	if (payload_len <= 0xFFFF) {
38	63	return kLenForm16;
39	63	}
40	0	return kLenForm64;
41	63	}
42
43		/// Append 'value' as big-endian bytes of width 'width' to 'out'.
44	201	void AppendBigEndian(std::string* out, std::uint64_t value, std::size_t width) {
45	903	for (std::size_t i = 0; i < width; ++i) {
46	702	std::size_t shift = (width - 1 - i) * 8;
47	702	out->push_back(static_cast<char>((value >> shift) & 0xFF));
48	702	}
49	201	}
50
51		} // namespace
52
53		/// Serialise a proto WebSocketFrame into RFC 6455 wire bytes. No validation
54		/// is performed — invalid combinations (reserved bits set, oversized
55		/// length_form for a tiny payload, opcode > 15) round-trip to the decoder
56		/// unchanged, which is the point.
57		/// @param frame The WebSocketFrame proto message to render.
58		/// @return The serialised byte string, ready to push onto the mock socket.
59	2.30k	std::string SerializeWebSocketFrame(const curl::fuzzer::proto::WebSocketFrame& frame) {
60	2.30k	std::string out;
61	2.30k	const std::string& payload = frame.payload();
62	2.30k	const std::size_t payload_len = payload.size();
63
64		// Byte 0: FIN \| RSV1 \| RSV2 \| RSV3 \| opcode(4 bits).
65	2.30k	std::uint8_t byte0 = 0;
66	2.30k	if (frame.fin()) byte0 \|= 0x80;
67	2.30k	if (frame.rsv1()) byte0 \|= 0x40;
68	2.30k	if (frame.rsv2()) byte0 \|= 0x20;
69	2.30k	if (frame.rsv3()) byte0 \|= 0x10;
70	2.30k	byte0 \|= static_cast<std::uint8_t>(frame.opcode() & 0x0F);
71	2.30k	out.push_back(static_cast<char>(byte0));
72
73		// Byte 1: MASK bit \| payload-length indicator (7 bits).
74	2.30k	const std::uint32_t length_form = ResolveLengthForm(frame.length_form(), payload_len);
75	2.30k	std::uint8_t byte1 = frame.masked() ? 0x80 : 0x00;
76	2.30k	switch (length_form) {
77	2.10k	case kLenForm7:
78		// Clamp the 7-bit length to the payload's actual size. If the payload
79		// is > 125 bytes and the caller forced 7-bit form, low 7 bits of size
80		// are what the decoder sees — which is exactly the malformed-frame
81		// path we want to reach.
82	2.10k	byte1 \|= static_cast<std::uint8_t>(payload_len & 0x7F);
83	2.10k	out.push_back(static_cast<char>(byte1));
84	2.10k	break;
85	151	case kLenForm16:
86	151	byte1 \|= 126;
87	151	out.push_back(static_cast<char>(byte1));
88	151	AppendBigEndian(&out, static_cast<std::uint64_t>(payload_len & 0xFFFF), 2);
89	151	break;
90	50	case kLenForm64:
91	50	default:
92	50	byte1 \|= 127;
93	50	out.push_back(static_cast<char>(byte1));
94	50	AppendBigEndian(&out, static_cast<std::uint64_t>(payload_len), 8);
95	50	break;
96	2.30k	}
97
98		// Masking key (4 bytes) and XORed payload. Client-to-server frames must be
99		// masked per spec; server-to-client frames must NOT — but we emit whatever
100		// the scenario says, so the decoder's "masked server frame" error path is
101		// reachable.
102	2.30k	if (frame.masked()) {
103	537	const std::uint32_t key = frame.mask_key();
104	537	std::uint8_t key_bytes[4] = {
105	537	static_cast<std::uint8_t>((key >> 24) & 0xFF),
106	537	static_cast<std::uint8_t>((key >> 16) & 0xFF),
107	537	static_cast<std::uint8_t>((key >> 8) & 0xFF),
108	537	static_cast<std::uint8_t>(key & 0xFF),
109	537	};
110	2.14k	for (unsigned char b : key_bytes) {
111	2.14k	out.push_back(static_cast<char>(b));
112	2.14k	}
113	537	out.reserve(out.size() + payload_len);
114	20.7k	for (std::size_t i = 0; i < payload_len; ++i) {
115	20.1k	out.push_back(static_cast<char>(static_cast<std::uint8_t>(payload[i]) ^ key_bytes[i & 0x3]));
116	20.1k	}
117	1.76k	} else {
118	1.76k	out.append(payload);
119	1.76k	}
120
121	2.30k	return out;
122	2.30k	}
123
124		} // namespace proto_fuzzer

Coverage Report

Created: 2026-04-28 07:09