/src/libhtp/test/fuzz/fuzz_htp.c

Source (jump to first uncovered line)
/**
 * @file
 * @author Philippe Antoine <contact@catenacyber.fr>
 * fuzz harness for libhtp
 */


#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>
#include <sys/stat.h>
#include <fcntl.h>

#include "htp/htp.h"
#include "test/test.h"
#include "fuzz_htp.h"

FILE * logfile = NULL;


/**
 * Invoked at the end of every transaction. 
 *
 * @param[in] connp
 */
static int HTPCallbackResponse(htp_tx_t *out_tx) {
    if (out_tx != NULL) {
        char *x = bstr_util_strdup_to_c(out_tx->request_line);
        fprintf(logfile, "HTPCallbackResponse %s\n", x);
        free(x);
    }
    return 0;
}

static int HTPCallbackRequestHeaderData(htp_tx_data_t *tx_data)
{
    fprintf(logfile, "HTPCallbackRequestHeaderData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
    if (tx_data->len > 0) {
        fprintf(logfile, "HTPCallbackRequestHeaderData %x %x\n", tx_data->data[0], tx_data->data[(uintmax_t)tx_data->len-1]);
    }
    return 0;
}

static int HTPCallbackResponseHeaderData(htp_tx_data_t *tx_data)
{
    fprintf(logfile, "HTPCallbackResponseHeaderData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
    if (tx_data->len > 0) {
        fprintf(logfile, "HTPCallbackResponseHeaderData %x %x\n", tx_data->data[0], tx_data->data[(uintmax_t)tx_data->len-1]);
    }
    return 0;
}

static int HTPCallbackRequestHasTrailer(htp_tx_t *tx)
{
    fprintf(logfile, "HTPCallbackRequestHasTrailer\n");
    return 0;
}

static int HTPCallbackResponseHasTrailer(htp_tx_t *tx)
{
    fprintf(logfile, "HTPCallbackResponseHasTrailer\n");
    return 0;
}

static int HTPCallbackRequestBodyData(htp_tx_data_t *tx_data)
{
    fprintf(logfile, "HTPCallbackRequestBodyData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
    if (tx_data->len > 0 && tx_data->data != NULL) {
        fprintf(logfile, "HTPCallbackRequestBodyData %x %x\n", tx_data->data[0], tx_data->data[(uintmax_t)tx_data->len-1]);
    }
    return 0;
}

static int HTPCallbackResponseBodyData(htp_tx_data_t *tx_data)
{
    fprintf(logfile, "HTPCallbackResponseBodyData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
    if (tx_data->len > 0 && tx_data->data != NULL) {
        fprintf(logfile, "HTPCallbackResponseBodyData %x %x\n", tx_data->data[0], tx_data->data[(uintmax_t)tx_data->len-1]);
    }
    return 0;
}

static int HTPCallbackRequestStart(htp_tx_t *tx)
{
    fprintf(logfile, "HTPCallbackRequestStart\n");
    return 0;
}

static int HTPCallbackRequest(htp_tx_t *tx)
{
    fprintf(logfile, "HTPCallbackRequest\n");
    return 0;
}

static int HTPCallbackResponseStart(htp_tx_t *tx)
{
    fprintf(logfile, "HTPCallbackResponseStart\n");
    return 0;
}

static int HTPCallbackRequestLine(htp_tx_t *tx)
{
    fprintf(logfile, "HTPCallbackRequestLine\n");
    return 0;
}

/**
 * Invoked every time LibHTP wants to log. 
 *
 * @param[in] log
 */
static int HTPCallbackLog(htp_log_t *log) {
    fprintf(logfile, "HTPCallbackLog [%d][code %d][file %s][line %d] %s\n",
        log->level, log->code, log->file, log->line, log->msg);
    return 0;
}

void fuzz_openFile(const char * name) {
    if (logfile != NULL) {
        fclose(logfile);
    }
    logfile = fopen(name, "w");
}

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    htp_cfg_t *cfg;
    htp_connp_t * connp;
    int rc;
    test_t test;

    //initialize output file
    if (logfile == NULL) {
        logfile = fopen("/dev/null", "w");
        if (logfile == NULL) {
            abort();
        }
    }

    // Create LibHTP configuration
    cfg = htp_config_create();
    if (htp_config_set_server_personality(cfg, HTP_SERVER_IDS) != HTP_OK) {
        htp_config_destroy(cfg);
        return 0;
    }
    htp_config_register_log(cfg, HTPCallbackLog);
    htp_config_register_request_header_data(cfg, HTPCallbackRequestHeaderData);
    htp_config_register_request_trailer_data(cfg, HTPCallbackRequestHeaderData);
    htp_config_register_response_header_data(cfg, HTPCallbackResponseHeaderData);
    htp_config_register_response_trailer_data(cfg, HTPCallbackResponseHeaderData);
    htp_config_register_request_trailer(cfg, HTPCallbackRequestHasTrailer);
    htp_config_register_response_trailer(cfg, HTPCallbackResponseHasTrailer);
    htp_config_register_request_body_data(cfg, HTPCallbackRequestBodyData);
    htp_config_register_response_body_data(cfg, HTPCallbackResponseBodyData);
    htp_config_register_request_start(cfg, HTPCallbackRequestStart);
    htp_config_register_request_complete(cfg, HTPCallbackRequest);
    htp_config_register_response_start(cfg, HTPCallbackResponseStart);
    htp_config_register_response_complete(cfg, HTPCallbackResponse);
    htp_config_register_request_line(cfg, HTPCallbackRequestLine);
    htp_config_set_max_tx(cfg, 512);

    connp = htp_connp_create(cfg);
    htp_connp_set_user_data(connp, (void *) 0x02);
    htp_connp_open(connp, (const char *) "192.168.2.3", 12345, (const char *) "192.168.2.2", 80, NULL);

    test.buf = (char *)Data;
    test.len = Size;
    test.pos = 0;
    test.chunk = NULL;

    // Find all chunks and feed them to the parser
    int in_data_other = 0;
    char *in_data = NULL;
    size_t in_data_len = 0;
    size_t in_data_offset = 0;
    int out_data_other = 0;
    char *out_data = NULL;
    size_t out_data_len = 0;
    size_t out_data_offset = 0;

    for (;;) {
        if (test_next_chunk(&test) <= 0) {
            break;
        }
        if (test.chunk_len == 0) {
            continue;
        }
        if (test.chunk_direction == CLIENT) {
            if (in_data_other) {
                break;
            }
            rc = htp_connp_req_data(connp, NULL, test.chunk, test.chunk_len);
            if (rc == HTP_STREAM_ERROR) {
                break;
            }
            if (rc == HTP_STREAM_DATA_OTHER) {
                // Parser needs to see the outbound stream in order to continue
                // parsing the inbound stream.
                in_data_other = 1;
                in_data = test.chunk;
                in_data_len = test.chunk_len;
                in_data_offset = htp_connp_req_data_consumed(connp);
            }
        } else {
            if (out_data_other) {
                if (out_data == NULL) {
                    rc = htp_connp_res_data(connp, NULL, NULL, out_data_len - out_data_offset);
                } else {
                    rc = htp_connp_res_data(connp, NULL, out_data + out_data_offset, out_data_len - out_data_offset);
                }
                if (rc == HTP_STREAM_ERROR) {
                    break;
                }
                out_data_other = 0;
            }
            rc = htp_connp_res_data(connp, NULL, test.chunk, test.chunk_len);
            if (rc == HTP_STREAM_ERROR) {
                break;
            }
            if (rc == HTP_STREAM_DATA_OTHER) {
                // Parser needs to see the outbound stream in order to continue
                // parsing the inbound stream.
                out_data_other = 1;
                out_data = test.chunk;
                out_data_len = test.chunk_len;
                out_data_offset = htp_connp_res_data_consumed(connp);
            }
            if (in_data_other) {
                if (in_data == NULL) {
                    rc = htp_connp_req_data(connp, NULL, NULL, in_data_len - in_data_offset);
                } else {
                    rc = htp_connp_req_data(connp, NULL, in_data + in_data_offset, in_data_len - in_data_offset);
                }
                if (rc == HTP_STREAM_ERROR) {
                    break;
                }
                in_data_other = 0;
            }
        }
    }
    if (out_data_other) {
        if (out_data == NULL) {
            (void) htp_connp_res_data(connp, NULL, NULL, out_data_len - out_data_offset);
        } else {
            (void) htp_connp_res_data(connp, NULL, out_data + out_data_offset, out_data_len - out_data_offset);
        }
    }

    htp_connp_close(connp, NULL);
    htp_connp_destroy_all(connp);
    // Destroy LibHTP configuration    
    htp_config_destroy(cfg);

    return 0;
}


Coverage Report

Created: 2025-08-28 06:45

Line	Count	Source (jump to first uncovered line)
1		/**
2		* @file
3		* @author Philippe Antoine <contact@catenacyber.fr>
4		* fuzz harness for libhtp
5		*/
6
7
8		#include <errno.h>
9		#include <stdlib.h>
10		#include <sys/types.h>
11		#include <string.h>
12		#include <stdio.h>
13		#include <inttypes.h>
14		#include <sys/stat.h>
15		#include <fcntl.h>
16
17		#include "htp/htp.h"
18		#include "test/test.h"
19		#include "fuzz_htp.h"
20
21		FILE * logfile = NULL;
22
23
24		/**
25		* Invoked at the end of every transaction.
26		*
27		* @param[in] connp
28		*/
29	41.8k	static int HTPCallbackResponse(htp_tx_t *out_tx) {
30	41.8k	if (out_tx != NULL) {
31	41.8k	char *x = bstr_util_strdup_to_c(out_tx->request_line);
32	41.8k	fprintf(logfile, "HTPCallbackResponse %s\n", x);
33	41.8k	free(x);
34	41.8k	}
35	41.8k	return 0;
36	41.8k	}
37
38		static int HTPCallbackRequestHeaderData(htp_tx_data_t *tx_data)
39	446k	{
40	446k	fprintf(logfile, "HTPCallbackRequestHeaderData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
41	446k	if (tx_data->len > 0) {
42	444k	fprintf(logfile, "HTPCallbackRequestHeaderData %x %x\n", tx_data->data[0], tx_data->data[(uintmax_t)tx_data->len-1]);
43	444k	}
44	446k	return 0;
45	446k	}
46
47		static int HTPCallbackResponseHeaderData(htp_tx_data_t *tx_data)
48	106k	{
49	106k	fprintf(logfile, "HTPCallbackResponseHeaderData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
50	106k	if (tx_data->len > 0) {
51	104k	fprintf(logfile, "HTPCallbackResponseHeaderData %x %x\n", tx_data->data[0], tx_data->data[(uintmax_t)tx_data->len-1]);
52	104k	}
53	106k	return 0;
54	106k	}
55
56		static int HTPCallbackRequestHasTrailer(htp_tx_t *tx)
57	1.16k	{
58	1.16k	fprintf(logfile, "HTPCallbackRequestHasTrailer\n");
59	1.16k	return 0;
60	1.16k	}
61
62		static int HTPCallbackResponseHasTrailer(htp_tx_t *tx)
63	1.46k	{
64	1.46k	fprintf(logfile, "HTPCallbackResponseHasTrailer\n");
65	1.46k	return 0;
66	1.46k	}
67
68		static int HTPCallbackRequestBodyData(htp_tx_data_t *tx_data)
69	16.6k	{
70	16.6k	fprintf(logfile, "HTPCallbackRequestBodyData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
71	16.6k	if (tx_data->len > 0 && tx_data->data != NULL) {
72	16.6k	fprintf(logfile, "HTPCallbackRequestBodyData %x %x\n", tx_data->data[0], tx_data->data[(uintmax_t)tx_data->len-1]);
73	16.6k	}
74	16.6k	return 0;
75	16.6k	}
76
77		static int HTPCallbackResponseBodyData(htp_tx_data_t *tx_data)
78	2.89M	{
79	2.89M	fprintf(logfile, "HTPCallbackResponseBodyData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
80	2.89M	if (tx_data->len > 0 && tx_data->data != NULL) {
81	2.88M	fprintf(logfile, "HTPCallbackResponseBodyData %x %x\n", tx_data->data[0], tx_data->data[(uintmax_t)tx_data->len-1]);
82	2.88M	}
83	2.89M	return 0;
84	2.89M	}
85
86		static int HTPCallbackRequestStart(htp_tx_t *tx)
87	57.4k	{
88	57.4k	fprintf(logfile, "HTPCallbackRequestStart\n");
89	57.4k	return 0;
90	57.4k	}
91
92		static int HTPCallbackRequest(htp_tx_t *tx)
93	88.0k	{
94	88.0k	fprintf(logfile, "HTPCallbackRequest\n");
95	88.0k	return 0;
96	88.0k	}
97
98		static int HTPCallbackResponseStart(htp_tx_t *tx)
99	42.1k	{
100	42.1k	fprintf(logfile, "HTPCallbackResponseStart\n");
101	42.1k	return 0;
102	42.1k	}
103
104		static int HTPCallbackRequestLine(htp_tx_t *tx)
105	57.0k	{
106	57.0k	fprintf(logfile, "HTPCallbackRequestLine\n");
107	57.0k	return 0;
108	57.0k	}
109
110		/**
111		* Invoked every time LibHTP wants to log.
112		*
113		* @param[in] log
114		*/
115	5.35M	static int HTPCallbackLog(htp_log_t *log) {
116	5.35M	fprintf(logfile, "HTPCallbackLog [%d][code %d][file %s][line %d] %s\n",
117	5.35M	log->level, log->code, log->file, log->line, log->msg);
118	5.35M	return 0;
119	5.35M	}
120
121	0	void fuzz_openFile(const char * name) {
122	0	if (logfile != NULL) {
123	0	fclose(logfile);
124	0	}
125	0	logfile = fopen(name, "w");
126	0	}
127
128	13.5k	int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
129	13.5k	htp_cfg_t *cfg;
130	13.5k	htp_connp_t * connp;
131	13.5k	int rc;
132	13.5k	test_t test;
133
134		//initialize output file
135	13.5k	if (logfile == NULL) {
136	1	logfile = fopen("/dev/null", "w");
137	1	if (logfile == NULL) {
138	0	abort();
139	0	}
140	1	}
141
142		// Create LibHTP configuration
143	13.5k	cfg = htp_config_create();
144	13.5k	if (htp_config_set_server_personality(cfg, HTP_SERVER_IDS) != HTP_OK) {
145	0	htp_config_destroy(cfg);
146	0	return 0;
147	0	}
148	13.5k	htp_config_register_log(cfg, HTPCallbackLog);
149	13.5k	htp_config_register_request_header_data(cfg, HTPCallbackRequestHeaderData);
150	13.5k	htp_config_register_request_trailer_data(cfg, HTPCallbackRequestHeaderData);
151	13.5k	htp_config_register_response_header_data(cfg, HTPCallbackResponseHeaderData);
152	13.5k	htp_config_register_response_trailer_data(cfg, HTPCallbackResponseHeaderData);
153	13.5k	htp_config_register_request_trailer(cfg, HTPCallbackRequestHasTrailer);
154	13.5k	htp_config_register_response_trailer(cfg, HTPCallbackResponseHasTrailer);
155	13.5k	htp_config_register_request_body_data(cfg, HTPCallbackRequestBodyData);
156	13.5k	htp_config_register_response_body_data(cfg, HTPCallbackResponseBodyData);
157	13.5k	htp_config_register_request_start(cfg, HTPCallbackRequestStart);
158	13.5k	htp_config_register_request_complete(cfg, HTPCallbackRequest);
159	13.5k	htp_config_register_response_start(cfg, HTPCallbackResponseStart);
160	13.5k	htp_config_register_response_complete(cfg, HTPCallbackResponse);
161	13.5k	htp_config_register_request_line(cfg, HTPCallbackRequestLine);
162	13.5k	htp_config_set_max_tx(cfg, 512);
163
164	13.5k	connp = htp_connp_create(cfg);
165	13.5k	htp_connp_set_user_data(connp, (void *) 0x02);
166	13.5k	htp_connp_open(connp, (const char ) "192.168.2.3", 12345, (const char ) "192.168.2.2", 80, NULL);
167
168	13.5k	test.buf = (char *)Data;
169	13.5k	test.len = Size;
170	13.5k	test.pos = 0;
171	13.5k	test.chunk = NULL;
172
173		// Find all chunks and feed them to the parser
174	13.5k	int in_data_other = 0;
175	13.5k	char *in_data = NULL;
176	13.5k	size_t in_data_len = 0;
177	13.5k	size_t in_data_offset = 0;
178	13.5k	int out_data_other = 0;
179	13.5k	char *out_data = NULL;
180	13.5k	size_t out_data_len = 0;
181	13.5k	size_t out_data_offset = 0;
182
183	497k	for (;;) {
184	497k	if (test_next_chunk(&test) <= 0) {
185	13.4k	break;
186	13.4k	}
187	484k	if (test.chunk_len == 0) {
188	1.71k	continue;
189	1.71k	}
190	482k	if (test.chunk_direction == CLIENT) {
191	436k	if (in_data_other) {
192	8	break;
193	8	}
194	436k	rc = htp_connp_req_data(connp, NULL, test.chunk, test.chunk_len);
195	436k	if (rc == HTP_STREAM_ERROR) {
196	56	break;
197	56	}
198	436k	if (rc == HTP_STREAM_DATA_OTHER) {
199		// Parser needs to see the outbound stream in order to continue
200		// parsing the inbound stream.
201	2.61k	in_data_other = 1;
202	2.61k	in_data = test.chunk;
203	2.61k	in_data_len = test.chunk_len;
204	2.61k	in_data_offset = htp_connp_req_data_consumed(connp);
205	2.61k	}
206	436k	} else {
207	45.9k	if (out_data_other) {
208	1.64k	if (out_data == NULL) {
209	310	rc = htp_connp_res_data(connp, NULL, NULL, out_data_len - out_data_offset);
210	1.33k	} else {
211	1.33k	rc = htp_connp_res_data(connp, NULL, out_data + out_data_offset, out_data_len - out_data_offset);
212	1.33k	}
213	1.64k	if (rc == HTP_STREAM_ERROR) {
214	1	break;
215	1	}
216	1.64k	out_data_other = 0;
217	1.64k	}
218	45.9k	rc = htp_connp_res_data(connp, NULL, test.chunk, test.chunk_len);
219	45.9k	if (rc == HTP_STREAM_ERROR) {
220	49	break;
221	49	}
222	45.8k	if (rc == HTP_STREAM_DATA_OTHER) {
223		// Parser needs to see the outbound stream in order to continue
224		// parsing the inbound stream.
225	1.78k	out_data_other = 1;
226	1.78k	out_data = test.chunk;
227	1.78k	out_data_len = test.chunk_len;
228	1.78k	out_data_offset = htp_connp_res_data_consumed(connp);
229	1.78k	}
230	45.8k	if (in_data_other) {
231	2.58k	if (in_data == NULL) {
232	0	rc = htp_connp_req_data(connp, NULL, NULL, in_data_len - in_data_offset);
233	2.58k	} else {
234	2.58k	rc = htp_connp_req_data(connp, NULL, in_data + in_data_offset, in_data_len - in_data_offset);
235	2.58k	}
236	2.58k	if (rc == HTP_STREAM_ERROR) {
237	2	break;
238	2	}
239	2.58k	in_data_other = 0;
240	2.58k	}
241	45.8k	}
242	482k	}
243	13.5k	if (out_data_other) {
244	141	if (out_data == NULL) {
245	16	(void) htp_connp_res_data(connp, NULL, NULL, out_data_len - out_data_offset);
246	125	} else {
247	125	(void) htp_connp_res_data(connp, NULL, out_data + out_data_offset, out_data_len - out_data_offset);
248	125	}
249	141	}
250
251	13.5k	htp_connp_close(connp, NULL);
252	13.5k	htp_connp_destroy_all(connp);
253		// Destroy LibHTP configuration
254	13.5k	htp_config_destroy(cfg);
255
256	13.5k	return 0;
257	13.5k	}
258