Line | Count | Source (jump to first uncovered line) |
1 | | // Copyright 2025 Google LLC |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // http://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | // |
15 | | //////////////////////////////////////////////////////////////////////////////// |
16 | | #include <stdint.h> |
17 | | #include <stddef.h> |
18 | | #include <string> |
19 | | #include <stdlib.h> |
20 | | #include <string.h> |
21 | | |
22 | | #include "fuzzer/FuzzedDataProvider.h" |
23 | | |
24 | | extern "C" { |
25 | | #include "mhd_connection.h" |
26 | | #include "mhd_action.h" |
27 | | #include "mhd_post_parser.h" |
28 | | #include "http_post_enc.h" |
29 | | #include "mempool_funcs.h" |
30 | | #include "mhd_daemon.h" |
31 | | #include "daemon_funcs.h" |
32 | | #include "microhttpd2.h" |
33 | | #include "post_parser_funcs.h" |
34 | | #include "stream_process_request.h" |
35 | | #include "stream_funcs.h" |
36 | | } |
37 | | |
38 | | // MHD memory pool |
39 | | static struct mhd_MemoryPool *g_pool = nullptr; |
40 | | static const size_t g_pool_size = 64 * 1024; |
41 | | |
42 | | // Helper to clear memory pool |
43 | 1 | static void destroy_global_pool() { |
44 | 1 | if (g_pool) { mhd_pool_destroy(g_pool); g_pool = nullptr; } |
45 | 1 | } |
46 | | |
47 | | // Initialising the memory pool |
48 | 1 | extern "C" int LLVMFuzzerInitialize() { |
49 | 1 | g_pool = mhd_pool_create(g_pool_size, MHD_MEMPOOL_ZEROING_ON_RESET); |
50 | 1 | atexit(destroy_global_pool); |
51 | 1 | return 0; |
52 | 1 | } |
53 | | |
54 | | // Dummy upload actions |
55 | | static const struct MHD_UploadAction kContinueAction = { |
56 | | mhd_UPLOAD_ACTION_CONTINUE, { nullptr } |
57 | | }; |
58 | | static const struct MHD_UploadAction kSuspend = { |
59 | | mhd_UPLOAD_ACTION_SUSPEND, { nullptr } |
60 | | }; |
61 | | static const struct MHD_UploadAction kAbort = { |
62 | | mhd_UPLOAD_ACTION_ABORT, { nullptr } |
63 | | }; |
64 | | |
65 | | // Dummy reader function |
66 | | static const struct MHD_UploadAction * |
67 | | dummy_reader(struct MHD_Request*, void*, const struct MHD_String*, |
68 | | const struct MHD_StringNullable*, const struct MHD_StringNullable*, |
69 | | const struct MHD_StringNullable*, size_t, const void*, |
70 | 0 | uint_fast64_t, enum MHD_Bool) { |
71 | 0 | return &kContinueAction; |
72 | 0 | } |
73 | | |
74 | | // Dummy connection request ending function |
75 | | static const struct MHD_UploadAction * |
76 | 0 | dummy_done(struct MHD_Request*, void*, enum MHD_PostParseResult) { |
77 | 0 | return &kContinueAction; |
78 | 0 | } |
79 | | |
80 | | static void init_daemon_connection(FuzzedDataProvider& fdp, |
81 | 0 | MHD_Daemon& d, MHD_Connection& c) { |
82 | | // Basic initialisation |
83 | 0 | d = {}; |
84 | 0 | c = {}; |
85 | 0 | c.daemon = &d; |
86 | 0 | c.pool = g_pool; |
87 | | |
88 | | // Configure daemon memory pool |
89 | 0 | d.conns.cfg.mem_pool_size = g_pool_size; |
90 | 0 | d.conns.cfg.mem_pool_zeroing = MHD_MEMPOOL_ZEROING_ON_RESET; |
91 | | |
92 | | // Confiugre daemon request |
93 | 0 | d.req_cfg.large_buf.space_left = fdp.ConsumeIntegralInRange<size_t>(256, 65536); |
94 | 0 | d.req_cfg.strictness = static_cast<enum MHD_ProtocolStrictLevel>( |
95 | 0 | fdp.ConsumeIntegralInRange<int>(-1, 2)); |
96 | | |
97 | | // Configure connection request and general settings |
98 | 0 | c.rq.http_ver = MHD_HTTP_VERSION_1_1; |
99 | 0 | c.rq.http_mthd = static_cast<enum mhd_HTTP_Method>( |
100 | 0 | fdp.ConsumeIntegralInRange<int>(0, 7)); |
101 | 0 | c.discard_request = false; |
102 | 0 | c.suspended = false; |
103 | 0 | c.connection_timeout_ms = fdp.ConsumeIntegralInRange<uint32_t>(0, 4096); |
104 | 0 | c.last_activity = 0; |
105 | 0 | } |
106 | | |
107 | 0 | static void init_connection_buffer(FuzzedDataProvider& fdp, MHD_Connection& c) { |
108 | | // Prepare connection buffer in memory pool |
109 | 0 | size_t required = 0; |
110 | 0 | const size_t capacity = fdp.ConsumeIntegralInRange<size_t>(256, 8192); |
111 | 0 | char* buf = static_cast<char*>(mhd_pool_try_alloc(c.pool, capacity, &required)); |
112 | 0 | if (!buf) { |
113 | 0 | c.read_buffer = nullptr; |
114 | 0 | c.read_buffer_size = 0; |
115 | 0 | c.read_buffer_offset = 0; |
116 | 0 | return; |
117 | 0 | } |
118 | | |
119 | | // Inject random data to the connection buffer fpor fuzzing |
120 | 0 | std::vector<char> data = fdp.ConsumeBytesWithTerminator<char>(capacity - 1, '\0'); |
121 | 0 | memcpy(buf, data.data(), data.size()); |
122 | |
|
123 | 0 | c.read_buffer = buf; |
124 | 0 | c.read_buffer_size = capacity; |
125 | 0 | c.read_buffer_offset = data.size(); |
126 | | |
127 | | // Configure post parsing state of the connection object |
128 | 0 | c.rq.u_proc.post.parse_result = MHD_POST_PARSE_RES_OK; |
129 | 0 | c.rq.u_proc.post.next_parse_pos = 0; |
130 | 0 | } |
131 | | |
132 | 0 | static void init_parsing_configuration(FuzzedDataProvider& fdp, MHD_Connection& c, bool reset) { |
133 | 0 | MHD_HTTP_PostEncoding enc = MHD_HTTP_POST_ENCODING_TEXT_PLAIN; |
134 | |
|
135 | 0 | if (!reset) { |
136 | | // Configure connection encoding abd methods |
137 | 0 | c.rq.app_act.head_act.act = mhd_ACTION_POST_PARSE; |
138 | 0 | if (fdp.ConsumeBool()) { |
139 | 0 | enc = MHD_HTTP_POST_ENCODING_FORM_URLENCODED; |
140 | 0 | } else if (fdp.ConsumeBool()) { |
141 | 0 | enc = MHD_HTTP_POST_ENCODING_MULTIPART_FORMDATA; |
142 | 0 | } |
143 | |
|
144 | 0 | c.rq.app_act.head_act.data.post_parse.buffer_size = |
145 | 0 | fdp.ConsumeIntegralInRange<size_t>(1, 4096); |
146 | 0 | c.rq.app_act.head_act.data.post_parse.max_nonstream_size = |
147 | 0 | fdp.ConsumeIntegralInRange<size_t>(1, 4096); |
148 | 0 | } |
149 | | |
150 | | // Confiugre head action for connection post parsing process |
151 | 0 | c.rq.app_act.head_act.data.post_parse.enc = enc; |
152 | 0 | c.rq.app_act.head_act.data.post_parse.stream_reader = dummy_reader; |
153 | 0 | c.rq.app_act.head_act.data.post_parse.reader_cls = nullptr; |
154 | 0 | c.rq.app_act.head_act.data.post_parse.done_cb = dummy_done; |
155 | 0 | c.rq.app_act.head_act.data.post_parse.done_cb_cls = nullptr; |
156 | 0 | } |
157 | | |
158 | 0 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
159 | 0 | if (size == 0 || g_pool == nullptr) { |
160 | 0 | return 0; |
161 | 0 | } |
162 | | |
163 | 0 | FuzzedDataProvider fdp(data, size); |
164 | | |
165 | | // Reseting the memory pool for each iteartion |
166 | 0 | mhd_pool_reset(g_pool, nullptr, 0, g_pool_size); |
167 | | |
168 | | // Initialising the daemon, connection and other MHD components |
169 | 0 | MHD_Daemon daemon; |
170 | 0 | MHD_Connection connection; |
171 | 0 | init_daemon_connection(fdp, daemon, connection); |
172 | 0 | init_connection_buffer(fdp, connection); |
173 | 0 | init_parsing_configuration(fdp, connection, false); |
174 | | |
175 | | // Randomly choose how many targets to fuzz |
176 | 0 | std::vector<int> selectors; |
177 | 0 | for (int i = 0; i < fdp.ConsumeIntegralInRange<int>(1, 8); i++) { |
178 | 0 | selectors.push_back(fdp.ConsumeIntegralInRange<int>(0, 11)); |
179 | 0 | } |
180 | | |
181 | | // Use remaining bytes to generate random body for fuzzing |
182 | 0 | std::string body = fdp.ConsumeRemainingBytesAsString(); |
183 | 0 | size_t body_size = body.size(); |
184 | 0 | if (body_size == 0) { |
185 | 0 | return 0; |
186 | 0 | } |
187 | | |
188 | | // Fuzz mhd_stream_prepare_for_post_parse once |
189 | 0 | mhd_stream_prepare_for_post_parse(&connection); |
190 | | |
191 | | // Fuzz mhd_stream_post_parse |
192 | 0 | mhd_stream_post_parse(&connection, &body_size, body.data()); |
193 | | |
194 | | // Fuzz random round of target functions |
195 | 0 | for (int selector : selectors) { |
196 | 0 | switch (selector) { |
197 | 0 | case 0: { |
198 | 0 | mhd_stream_is_timeout_expired(&connection); |
199 | 0 | break; |
200 | 0 | } |
201 | 0 | case 1: { |
202 | 0 | connection.stage = mhd_HTTP_STAGE_REQ_LINE_RECEIVING; |
203 | 0 | mhd_stream_get_request_line(&connection); |
204 | 0 | break; |
205 | 0 | } |
206 | 0 | case 2: { |
207 | 0 | mhd_stream_switch_to_rq_headers_proc(&connection); |
208 | 0 | break; |
209 | 0 | } |
210 | 0 | case 3: { |
211 | | // Ensure reparisng of the body |
212 | 0 | init_parsing_configuration(fdp, connection, true); |
213 | 0 | mhd_stream_prepare_for_post_parse(&connection); |
214 | 0 | mhd_stream_post_parse(&connection, &body_size, body.data()); |
215 | 0 | connection.stage = mhd_HTTP_STAGE_BODY_RECEIVING; |
216 | 0 | connection.rq.have_chunked_upload = ((reinterpret_cast<uintptr_t>(&connection) & 1) != 0); |
217 | 0 | connection.rq.cntn.cntn_size = connection.rq.have_chunked_upload ? 0 : connection.read_buffer_offset; |
218 | 0 | mhd_stream_process_request_body(&connection); |
219 | 0 | break; |
220 | 0 | } |
221 | 0 | case 4: { |
222 | 0 | const struct MHD_UploadAction* act = &kContinueAction; |
223 | 0 | mhd_stream_process_upload_action(&connection, &kContinueAction, false); |
224 | 0 | mhd_stream_process_upload_action(&connection, &kSuspend, false); |
225 | 0 | mhd_stream_process_upload_action(&connection, &kAbort, true); |
226 | 0 | break; |
227 | 0 | } |
228 | 0 | case 5: { |
229 | 0 | connection.stage = mhd_HTTP_STAGE_REQ_RECV_FINISHED; |
230 | 0 | mhd_stream_process_req_recv_finished(&connection); |
231 | 0 | break; |
232 | 0 | } |
233 | 0 | case 6: { |
234 | 0 | mhd_stream_reset_rq_hdr_proc_state(&connection); |
235 | 0 | break; |
236 | 0 | } |
237 | 0 | case 7: { |
238 | 0 | mhd_stream_alloc_memory(&connection, 1024); |
239 | 0 | break; |
240 | 0 | } |
241 | 0 | case 8: { |
242 | | // Safe guard for out of buffer space |
243 | 0 | if (connection.write_buffer_send_offset > connection.write_buffer_append_offset) { |
244 | 0 | connection.write_buffer_send_offset = connection.write_buffer_append_offset; |
245 | 0 | } |
246 | 0 | mhd_stream_maximize_write_buffer(&connection); |
247 | 0 | break; |
248 | 0 | } |
249 | 0 | case 9: { |
250 | | // Safe guard for out of buffer space |
251 | 0 | connection.write_buffer_send_offset = connection.write_buffer_append_offset; |
252 | 0 | mhd_stream_release_write_buffer(&connection); |
253 | 0 | break; |
254 | 0 | } |
255 | 0 | case 10: { |
256 | | // Safe guard for out of buffer read |
257 | 0 | if (connection.read_buffer_offset > connection.read_buffer_size) { |
258 | 0 | connection.read_buffer_offset = connection.read_buffer_size; |
259 | 0 | } |
260 | 0 | mhd_stream_shrink_read_buffer(&connection); |
261 | 0 | break; |
262 | 0 | } |
263 | 0 | default: case 11: { |
264 | 0 | mhd_stream_switch_from_recv_to_send(&connection); |
265 | 0 | break; |
266 | 0 | } |
267 | 0 | } |
268 | 0 | } |
269 | | |
270 | | // Release buffers in daemon to avoid memory leakage |
271 | 0 | if (connection.rq.cntn.lbuf.data != nullptr || connection.rq.cntn.lbuf.size != 0) { |
272 | 0 | mhd_daemon_free_lbuf(&daemon, &connection.rq.cntn.lbuf); |
273 | 0 | } |
274 | |
|
275 | 0 | return 0; |
276 | 0 | } |