/src/connection_helper.cpp

Source
// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////
#include "connection_helper.h"
#include <cstring>
#include <unordered_set>

#include "mhd_action.h"
#include "http_post_enc.h"
#include "mempool_funcs.h"
#include "daemon_funcs.h"
#include "post_parser_funcs.h"
#include "response_funcs.h"
#include "stream_process_request.h"
#include "stream_funcs.h"


// MHD memory pool
struct mhd_MemoryPool *g_pool = nullptr;
const size_t g_pool_size = 14 * 1024;
std::string g_mpart_boundary;

// Body status
static std::unordered_set<const MHD_Connection*> g_post_parse_ready;

// Helper to clear memory pool
void destroy_global_pool() {
  if (g_pool) { mhd_pool_destroy(g_pool); g_pool = nullptr; }
}


// Helper to set body parsing ready
void mark_post_parse_ready(MHD_Connection& c) {
  g_post_parse_ready.insert(&c);
}

// Helper to check parse body status
bool is_post_parse_ready(const MHD_Connection& c) {
  return g_post_parse_ready.find(&c) != g_post_parse_ready.end();
}

// Helper to clear parse body status
void clear_post_parse_ready(const MHD_Connection& c) {
  g_post_parse_ready.erase(&c);
}

// Helper to destroy error response
static bool destroy_error_response(MHD_Connection c) {
  if (c.stage == mhd_HTTP_STAGE_START_REPLY) {
    MHD_response_destroy(c.rp.response);
    c.rp.response = nullptr;
    return true;
  }

  return false;
}

// Helper to randomly choose HTTP methods
static std::string pick_method(FuzzedDataProvider& fdp) {
  static const char* kMethods[] = {
    "GET","POST","PUT","HEAD","DELETE","CONNECT","OPTIONS","TRACE","*"
  };
  return std::string(fdp.PickValueInArray(kMethods));
}

// Helper to randomly choose http versions
static std::string pick_http_version(FuzzedDataProvider& fdp) {
  // Common + a chance to be malformed to trigger version errors.
  switch (fdp.ConsumeIntegralInRange<int>(0, 5)) {
    case 0: return "HTTP/1.1";
    case 1: return "HTTP/1.0";
    case 2: return "HTTP/2.0";
    case 3: return "HTTP/0.9";
    case 4: return "HTTX/1.1";
    default: {
      std::string s = "HTTP/";
      s.push_back(char('0' + fdp.ConsumeIntegralInRange<int>(0,9)));
      s.push_back('.');
      s.push_back(char('0' + fdp.ConsumeIntegralInRange<int>(0,9)));
      return s;
    }
  }
}

// Helper to check and expand buffer capcaity
bool ensure_lbuf_capacity(MHD_Connection& c, size_t min_needed) {
  if (!c.daemon) {
    return false;
  }

  if (c.rq.cntn.lbuf.data && c.rq.cntn.lbuf.size >= min_needed) {
    return true;
  }
  size_t have = c.rq.cntn.lbuf.size;
  size_t need = (min_needed > have) ? (min_needed - have) : 0;
  if (need) {
    mhd_daemon_extend_lbuf_up_to(c.daemon, need, &c.rq.cntn.lbuf);
  }
  return (c.rq.cntn.lbuf.data != nullptr) && (c.rq.cntn.lbuf.size >= min_needed);
}

// Dummy upload actions
const struct MHD_UploadAction kContinueAction = {
  mhd_UPLOAD_ACTION_CONTINUE, { nullptr }
};
const struct MHD_UploadAction kSuspend = {
  mhd_UPLOAD_ACTION_SUSPEND, { nullptr }
};
const struct MHD_UploadAction kAbort = {
  mhd_UPLOAD_ACTION_ABORT, { nullptr }
};

// Dummy reader function
const struct MHD_UploadAction *
dummy_reader(struct MHD_Request*, void*, const struct MHD_String*,
             const struct MHD_StringNullable*, const struct MHD_StringNullable*,
             const struct MHD_StringNullable*, size_t, const void*,
             uint_fast64_t, enum MHD_Bool) {
  return &kContinueAction;
}

// Dummy connection request ending function
const struct MHD_UploadAction *
dummy_done(struct MHD_Request*, void*, enum MHD_PostParseResult) {
  return &kContinueAction;
}

// Dummy request callback function
static const struct MHD_Action*
dummy_request_cb(void* cls,
                 struct MHD_Request* request,
                 const struct MHD_String* path,
                 enum MHD_HTTP_Method method,
                 uint_fast64_t upload_size) {
  return nullptr;
}

void init_daemon_connection(FuzzedDataProvider& fdp,
                                   MHD_Daemon& d, MHD_Connection& c) {
  // Basic initialisation
  d = {};
  c = {};
  c.daemon = &d;
  c.pool = g_pool;

  // Configure daemon memory pool
  d.conns.cfg.mem_pool_size = g_pool_size;
  d.conns.cfg.mem_pool_zeroing = MHD_MEMPOOL_ZEROING_ON_RESET;

  // Confiugre daemon request
  d.req_cfg.large_buf.space_left = fdp.ConsumeIntegralInRange<size_t>(256, 65536);
  d.req_cfg.strictness = static_cast<enum MHD_ProtocolStrictLevel>(
      fdp.ConsumeIntegralInRange<int>(0, 2));

  // Safe guard for buffer space
  if (fdp.ConsumeBool()) {
    const size_t clamp = fdp.ConsumeIntegralInRange<size_t>(64, 512);
    if (d.req_cfg.large_buf.space_left > clamp)
      d.req_cfg.large_buf.space_left = clamp;
  }

  // Configure connection request and general settings
  c.discard_request = false;
  c.suspended = false;
  c.timeout.milsec = fdp.ConsumeIntegralInRange<uint32_t>(0, 4096);
  c.timeout.last_act = 0;

  // Add dummy callback function
  d.req_cfg.cb = dummy_request_cb;
  d.req_cfg.cb_cls = nullptr;
}

void init_connection_buffer(FuzzedDataProvider& fdp, MHD_Connection& c) {
  // Prepare connection buffer in memory pool
  size_t required = 0;
  const size_t capacity = fdp.ConsumeIntegralInRange<size_t>(512, 16384);
  char* buf = static_cast<char*>(mhd_pool_try_alloc(c.pool, capacity, &required));
  if (!buf) {
    c.read_buffer = nullptr;
    c.read_buffer_size = 0;
    c.read_buffer_offset = 0;
    return;
  }

  // Randomly choose configuration
  std::string hdrs;
  const std::string method = pick_method(fdp);
  const std::string version = pick_http_version(fdp);
  const std::string target  = (method == "*") ? "*" : (fdp.ConsumeBool() ? "/upload" : "/x?y=z");

  // Randomly break line endings in request line
  const bool bare_lf = fdp.ConsumeBool();
  const bool bare_cr = (!bare_lf) && fdp.ConsumeBool();
  auto EOL = [&](bool final=false) {
    if (bare_lf) {
      return std::string("\n");
    }
    if (bare_cr) {
      return std::string("\r");
    }

    return std::string("\r\n");
  };
  std::string req = method + " " + target + " " + version + EOL();

  // Host headers
  int host_count = 0;
  if (version == "HTTP/1.1") {
    host_count = fdp.ConsumeIntegralInRange<int>(0,2);
   } else {
    host_count = fdp.ConsumeIntegralInRange<int>(0,1);
   }

  for (int i = 0; i < host_count; ++i) {
    if (fdp.ConsumeBool()) {
      hdrs += " Host: fuzz" + std::to_string(i) + EOL();
    } else if (fdp.ConsumeBool()) {
      hdrs += "Host : fuzz" + std::to_string(i) + EOL();
    } else {
      hdrs += "Host: fuzz" + std::to_string(i) + EOL();
    }
  }

  // Transfer-Encoding and Content-Length headers
  const bool add_te = fdp.ConsumeBool();
  const bool add_cl = fdp.ConsumeBool();
  std::string te_val = fdp.PickValueInArray({"chunked","gzip","br","compress"});
  if (add_te) {
    hdrs += "Transfer-Encoding: " + te_val + EOL();
  }
  if (add_cl) {
    std::string cl;
    switch (fdp.ConsumeIntegralInRange<int>(0,3)) {
      case 0: cl = "0"; break;
      case 1: cl = std::to_string(fdp.ConsumeIntegralInRange<uint32_t>(0, 1<<20));
              break;
      case 2: cl = "18446744073709551616"; break;
      default: cl = "xyz"; break;
    }
    hdrs += "Content-Length: " + cl + EOL();
  }

  // Random minimum headers
  if (fdp.ConsumeBool()) {
    hdrs += (fdp.ConsumeBool() ? "Expect: 100-continue" : "Expect: something-weird") + EOL();
  }

  bool detect_mpart = false;
  switch (c.rq.app_act.head_act.data.post_parse.enc) {
    case MHD_HTTP_POST_ENCODING_MULTIPART_FORMDATA:
      g_mpart_boundary = "fuzz" + std::to_string(fdp.ConsumeIntegral<uint32_t>());
      hdrs += "Content-Type: multipart/form-data; boundary=" + g_mpart_boundary + EOL();
      break;
    case MHD_HTTP_POST_ENCODING_FORM_URLENCODED:
      hdrs += "Content-Type: application/x-www-form-urlencoded" + EOL();
      break;
    case MHD_HTTP_POST_ENCODING_TEXT_PLAIN:
      hdrs += "Content-Type: text/plain" + EOL();
      break;
    default: case MHD_HTTP_POST_ENCODING_OTHER:
      detect_mpart = fdp.ConsumeBool();
      if (detect_mpart) {
        g_mpart_boundary = "fuzz" + std::to_string(fdp.ConsumeIntegral<uint32_t>());
        hdrs += "Content-Type: multipart/form-data; boundary=" + g_mpart_boundary + EOL();
      } else {
        hdrs += std::string("Content-Type: ")
             + (fdp.ConsumeBool() ? "application/x-www-form-urlencoded" : "text/plain") + EOL();
      }
      break;
  }

  // Randomly add some chunked headers
  const bool add_te_chunked = fdp.ConsumeBool();
  if (add_te_chunked) {
    hdrs += "Transfer-Encoding: chunked" + EOL();
  }
  if (fdp.ConsumeBool()) {
    const uint32_t cl = fdp.ConsumeIntegralInRange<uint32_t>(0, 256);
    hdrs += "Content-Length: " + std::to_string(cl) + EOL();
  }
  if (add_te_chunked && fdp.ConsumeBool()) {
    if (fdp.ConsumeBool())
      hdrs += "Trailer: X-Fuzz-Trace" + EOL();
    else
      hdrs += "Trailer: X-One, X-Two" + EOL();
  }
  if (fdp.ConsumeBool()) {
    hdrs += (fdp.ConsumeBool() ? "Expect: 100-continue" : "Expect: something-weird") + EOL();
  }

  // Connection ending line
  hdrs += "Connection: close" + EOL();
  std::string end = EOL() + EOL();

  // Write into the read buffer
  std::string full = req + hdrs + end;
  const size_t n = (full.size() <= capacity) ? full.size() : capacity;
  memcpy(buf, full.data(), n);

  c.read_buffer = buf;
  c.read_buffer_size = capacity;
  c.read_buffer_offset = n;
}

void init_parsing_configuration(FuzzedDataProvider& fdp, MHD_Connection& c) {
  MHD_HTTP_PostEncoding enc;

  // Configure connection encoding abd methods
  if (fdp.ConsumeBool()) {
    c.rq.app_act.head_act.act = mhd_ACTION_POST_PARSE;
  } else {
    c.rq.app_act.head_act.act = mhd_ACTION_NO_ACTION;
  }
  if (fdp.ConsumeBool()) {
    enc = MHD_HTTP_POST_ENCODING_TEXT_PLAIN;
  } else if (fdp.ConsumeBool()) {
    enc = MHD_HTTP_POST_ENCODING_FORM_URLENCODED;
  } else if (fdp.ConsumeBool()) {
    enc = MHD_HTTP_POST_ENCODING_MULTIPART_FORMDATA;
  } else {
    enc = MHD_HTTP_POST_ENCODING_OTHER;
  }

  c.rq.app_act.head_act.data.post_parse.buffer_size =
    fdp.ConsumeIntegralInRange<size_t>(1, 4096);
  c.rq.app_act.head_act.data.post_parse.max_nonstream_size =
    fdp.ConsumeIntegralInRange<size_t>(1, 4096);

  // Confiugre head action for connection post parsing process
  c.rq.app_act.head_act.data.post_parse.enc = enc;
  c.rq.app_act.head_act.data.post_parse.stream_reader = dummy_reader;
  c.rq.app_act.head_act.data.post_parse.reader_cls = nullptr;
  c.rq.app_act.head_act.data.post_parse.done_cb = dummy_done;
  c.rq.app_act.head_act.data.post_parse.done_cb_cls = nullptr;
}

void prepare_headers_and_parse(MHD_Connection& connection, size_t size) {
  // Manually add a parameter for parsing
  auto add_hdr = [&](const char* name_c, const std::string& val_s) {
    const size_t nlen = strlen(name_c);
    const size_t vlen = val_s.size();
    char* nbuf = static_cast<char*>(mhd_stream_alloc_memory(&connection, nlen + 1));
    char* vbuf = static_cast<char*>(mhd_stream_alloc_memory(&connection, vlen + 1));
    if (!nbuf || !vbuf) {
      return;
    }
    memcpy(nbuf, name_c, nlen); nbuf[nlen] = '\0';
    memcpy(vbuf, val_s.data(), vlen); vbuf[vlen] = '\0';
    struct MHD_String name;
    name.len  = nlen;
    name.cstr = nbuf;
    struct MHD_String value;
    value.len  = vlen;
    value.cstr = vbuf;
    mhd_stream_add_field(&connection.h1_stream, MHD_VK_HEADER, &name, &value);
  };
  add_hdr("Host", "fuzz");
  if ((size & 3u) == 0u) {
    add_hdr("Transfer-Encoding", "chunked");
  }
  if ((size & 7u) == 0u) {
    add_hdr("Content-Length", "0");
  }

  bool force_mpart = (connection.rq.app_act.head_act.data.post_parse.enc
                        == MHD_HTTP_POST_ENCODING_MULTIPART_FORMDATA);
  if (!force_mpart) {
    force_mpart = ((size & 0x3Fu) == 0u);
  }
  if (force_mpart) {
    if (g_mpart_boundary.empty()) {
      g_mpart_boundary = "fuzz" + std::to_string(size ^ 0x9e3779b97f4a7c15ULL);
    }
    std::string ct = "multipart/form-data; boundary=" + g_mpart_boundary;
    add_hdr("Content-Type", ct);
  }

  // If we wrote a real HTTP header for multipart, parse it so Content-Type is visible
  connection.stage = mhd_HTTP_STAGE_INIT;
  bool got_line = mhd_stream_get_request_line(&connection);
  if (destroy_error_response(connection)) {
    return;
  }
  if (got_line && connection.stage == mhd_HTTP_STAGE_REQ_LINE_RECEIVED) {
    mhd_stream_switch_to_rq_headers_proc(&connection);
  }
  mhd_stream_parse_request_headers(&connection);

  // Only proceed to post-parse if header parsing did not bail out
  destroy_error_response(connection);
}

void prepare_body_and_process(MHD_Connection& connection, std::string& body, size_t body_size, bool use_stream_body) {
  // Use streaming if boundary is not empty
  if (!g_mpart_boundary.empty()) {
    std::string wrapped;
    wrapped.reserve(body.size() + g_mpart_boundary.size() * 2 + 128);
    wrapped += "\r\n--"; wrapped += g_mpart_boundary; wrapped += "\r\n";
    wrapped += "Content-Disposition: form-data; name=\"x\"; filename=\"f\"\r\n";
    wrapped += "Content-Type: application/octet-stream\r\n\r\n";
    wrapped += body; wrapped += "\r\n";
    wrapped += "--"; wrapped += g_mpart_boundary; wrapped += "--\r\n";
    body.swap(wrapped);
    body_size = body.size();
  }

  if (!use_stream_body) {
    // Fuzz mhd_stream_prepare_for_post_parse once and mhd_stream_post_parse
    mhd_stream_prepare_for_post_parse(&connection);
    mhd_stream_post_parse(&connection, &body_size, &body[0]);
    mark_post_parse_ready(connection);
  } else {
    // Try prepare the body by streaming connection buffer
    const bool want_chunked = (connection.rq.have_chunked_upload == MHD_YES);

    std::string to_feed;
    if (want_chunked) {
      auto append_chunk = [&](const char* data, size_t len) {
        char hex[32];
        const int n = snprintf(hex, sizeof(hex), "%zx", len);
        to_feed.append(hex, (size_t)n);
        if ((len & 3u) == 0u) {
          to_feed += ";ext=1";
        }
        to_feed += "\r\n";
        to_feed.append(data, len);
        to_feed += "\r\n";
      };
      if (body_size <= 32) {
        append_chunk(body.data(), body_size);
      } else {
        const size_t mid = body_size / 2;
        append_chunk(body.data(), mid);
        append_chunk(body.data() + mid, body_size - mid);
      }
      to_feed += "0\r\n";
      if (body_size & 1) {
        to_feed += "X-Fuzz-Trace: 1\r\n\r\n";
      } else {
        to_feed += "\r\n";
      }
    } else {
      // Non-chunked body is handled as is
      to_feed.assign(body.data(), body_size);
    }

    // Stage into the connection read buffer (allocate if needed).
    size_t feed_sz = to_feed.size();
    bool staged = false;
    if (connection.read_buffer && connection.read_buffer_size >= feed_sz) {
      memcpy(connection.read_buffer, to_feed.data(), feed_sz);
      connection.read_buffer_offset = feed_sz;
      staged = true;
    } else {
      size_t need = 0;
      char *nb = (char*) mhd_pool_try_alloc(connection.pool, feed_sz, &need);
      if (nb) {
        memcpy(nb, to_feed.data(), feed_sz);
        connection.read_buffer = nb;
        connection.read_buffer_size = feed_sz;
        connection.read_buffer_offset = feed_sz;
        staged = true;
      }
    }

    if (staged) {
      // Use stream body approach if success
      const size_t min_needed = body_size + 1;
      if (ensure_lbuf_capacity(connection, min_needed)) {
        // Only post parse the request if buffer is enough
        connection.stage = mhd_HTTP_STAGE_BODY_RECEIVING;
        connection.rq.have_chunked_upload = MHD_NO;
        connection.rq.cntn.cntn_size = (uint64_t) body_size;
        mhd_stream_prepare_for_post_parse(&connection);
        mhd_stream_process_request_body(&connection);
        mark_post_parse_ready(connection);
      } else {
        // Fall back if not enough buffer
        size_t tmp = body_size;
        mhd_stream_prepare_for_post_parse(&connection);
        mhd_stream_post_parse(&connection, &tmp, body.data());
        mark_post_parse_ready(connection);
      }
    } else {
      // Use post prase approach if stream body failed
      mhd_stream_prepare_for_post_parse(&connection);
      mhd_stream_post_parse(&connection, &body_size, &body[0]);
      mark_post_parse_ready(connection);
    }
  }
}

void final_cleanup(MHD_Connection& connection, MHD_Daemon& daemon) {
  // Post process response
  mhd_stream_switch_from_recv_to_send(&connection);
  mhd_stream_process_req_recv_finished(&connection);
  mhd_stream_release_write_buffer(&connection);

  // Release buffers in daemon to avoid memory leakage
  if (connection.rq.cntn.lbuf.data != nullptr || connection.rq.cntn.lbuf.size != 0) {
    mhd_daemon_free_lbuf(&daemon, &connection.rq.cntn.lbuf);
  }

  // Clean post parse body status
  clear_post_parse_ready(connection);
}

Coverage Report

Created: 2026-02-26 07:05

Line	Count	Source
1		// Copyright 2025 Google LLC
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// http://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14		//
15		////////////////////////////////////////////////////////////////////////////////
16		#include "connection_helper.h"
17		#include <cstring>
18		#include <unordered_set>
19
20		#include "mhd_action.h"
21		#include "http_post_enc.h"
22		#include "mempool_funcs.h"
23		#include "daemon_funcs.h"
24		#include "post_parser_funcs.h"
25		#include "response_funcs.h"
26		#include "stream_process_request.h"
27		#include "stream_funcs.h"
28
29
30		// MHD memory pool
31		struct mhd_MemoryPool *g_pool = nullptr;
32		const size_t g_pool_size = 14 * 1024;
33		std::string g_mpart_boundary;
34
35		// Body status
36		static std::unordered_set<const MHD_Connection*> g_post_parse_ready;
37
38		// Helper to clear memory pool
39	2	void destroy_global_pool() {
40	2	if (g_pool) { mhd_pool_destroy(g_pool); g_pool = nullptr; }
41	2	}
42
43
44		// Helper to set body parsing ready
45	5	void mark_post_parse_ready(MHD_Connection& c) {
46	5	g_post_parse_ready.insert(&c);
47	5	}
48
49		// Helper to check parse body status
50	0	bool is_post_parse_ready(const MHD_Connection& c) {
51	0	return g_post_parse_ready.find(&c) != g_post_parse_ready.end();
52	0	}
53
54		// Helper to clear parse body status
55	5	void clear_post_parse_ready(const MHD_Connection& c) {
56	5	g_post_parse_ready.erase(&c);
57	5	}
58
59		// Helper to destroy error response
60	8	static bool destroy_error_response(MHD_Connection c) {
61	8	if (c.stage == mhd_HTTP_STAGE_START_REPLY) {
62	5	MHD_response_destroy(c.rp.response);
63	5	c.rp.response = nullptr;
64	5	return true;
65	5	}
66
67	3	return false;
68	8	}
69
70		// Helper to randomly choose HTTP methods
71	5	static std::string pick_method(FuzzedDataProvider& fdp) {
72	5	static const char* kMethods[] = {
73	5	"GET","POST","PUT","HEAD","DELETE","CONNECT","OPTIONS","TRACE","*"
74	5	};
75	5	return std::string(fdp.PickValueInArray(kMethods));
76	5	}
77
78		// Helper to randomly choose http versions
79	5	static std::string pick_http_version(FuzzedDataProvider& fdp) {
80		// Common + a chance to be malformed to trigger version errors.
81	5	switch (fdp.ConsumeIntegralInRange<int>(0, 5)) {
82	1	case 0: return "HTTP/1.1";
83	0	case 1: return "HTTP/1.0";
84	0	case 2: return "HTTP/2.0";
85	1	case 3: return "HTTP/0.9";
86	3	case 4: return "HTTX/1.1";
87	0	default: {
88	0	std::string s = "HTTP/";
89	0	s.push_back(char('0' + fdp.ConsumeIntegralInRange<int>(0,9)));
90	0	s.push_back('.');
91	0	s.push_back(char('0' + fdp.ConsumeIntegralInRange<int>(0,9)));
92	0	return s;
93	0	}
94	5	}
95	5	}
96
97		// Helper to check and expand buffer capcaity
98	0	bool ensure_lbuf_capacity(MHD_Connection& c, size_t min_needed) {
99	0	if (!c.daemon) {
100	0	return false;
101	0	}
102
103	0	if (c.rq.cntn.lbuf.data && c.rq.cntn.lbuf.size >= min_needed) {
104	0	return true;
105	0	}
106	0	size_t have = c.rq.cntn.lbuf.size;
107	0	size_t need = (min_needed > have) ? (min_needed - have) : 0;
108	0	if (need) {
109	0	mhd_daemon_extend_lbuf_up_to(c.daemon, need, &c.rq.cntn.lbuf);
110	0	}
111	0	return (c.rq.cntn.lbuf.data != nullptr) && (c.rq.cntn.lbuf.size >= min_needed);
112	0	}
113
114		// Dummy upload actions
115		const struct MHD_UploadAction kContinueAction = {
116		mhd_UPLOAD_ACTION_CONTINUE, { nullptr }
117		};
118		const struct MHD_UploadAction kSuspend = {
119		mhd_UPLOAD_ACTION_SUSPEND, { nullptr }
120		};
121		const struct MHD_UploadAction kAbort = {
122		mhd_UPLOAD_ACTION_ABORT, { nullptr }
123		};
124
125		// Dummy reader function
126		const struct MHD_UploadAction *
127		dummy_reader(struct MHD_Request, void, const struct MHD_String*,
128		const struct MHD_StringNullable, const struct MHD_StringNullable,
129		const struct MHD_StringNullable, size_t, const void,
130	0	uint_fast64_t, enum MHD_Bool) {
131	0	return &kContinueAction;
132	0	}
133
134		// Dummy connection request ending function
135		const struct MHD_UploadAction *
136	0	dummy_done(struct MHD_Request, void, enum MHD_PostParseResult) {
137	0	return &kContinueAction;
138	0	}
139
140		// Dummy request callback function
141		static const struct MHD_Action*
142		dummy_request_cb(void* cls,
143		struct MHD_Request* request,
144		const struct MHD_String* path,
145		enum MHD_HTTP_Method method,
146	0	uint_fast64_t upload_size) {
147	0	return nullptr;
148	0	}
149
150		void init_daemon_connection(FuzzedDataProvider& fdp,
151	5	MHD_Daemon& d, MHD_Connection& c) {
152		// Basic initialisation
153	5	d = {};
154	5	c = {};
155	5	c.daemon = &d;
156	5	c.pool = g_pool;
157
158		// Configure daemon memory pool
159	5	d.conns.cfg.mem_pool_size = g_pool_size;
160	5	d.conns.cfg.mem_pool_zeroing = MHD_MEMPOOL_ZEROING_ON_RESET;
161
162		// Confiugre daemon request
163	5	d.req_cfg.large_buf.space_left = fdp.ConsumeIntegralInRange<size_t>(256, 65536);
164	5	d.req_cfg.strictness = static_cast<enum MHD_ProtocolStrictLevel>(
165	5	fdp.ConsumeIntegralInRange<int>(0, 2));
166
167		// Safe guard for buffer space
168	5	if (fdp.ConsumeBool()) {
169	1	const size_t clamp = fdp.ConsumeIntegralInRange<size_t>(64, 512);
170	1	if (d.req_cfg.large_buf.space_left > clamp)
171	1	d.req_cfg.large_buf.space_left = clamp;
172	1	}
173
174		// Configure connection request and general settings
175	5	c.discard_request = false;
176	5	c.suspended = false;
177	5	c.timeout.milsec = fdp.ConsumeIntegralInRange<uint32_t>(0, 4096);
178	5	c.timeout.last_act = 0;
179
180		// Add dummy callback function
181	5	d.req_cfg.cb = dummy_request_cb;
182	5	d.req_cfg.cb_cls = nullptr;
183	5	}
184
185	5	void init_connection_buffer(FuzzedDataProvider& fdp, MHD_Connection& c) {
186		// Prepare connection buffer in memory pool
187	5	size_t required = 0;
188	5	const size_t capacity = fdp.ConsumeIntegralInRange<size_t>(512, 16384);
189	5	char* buf = static_cast<char*>(mhd_pool_try_alloc(c.pool, capacity, &required));
190	5	if (!buf) {
191	0	c.read_buffer = nullptr;
192	0	c.read_buffer_size = 0;
193	0	c.read_buffer_offset = 0;
194	0	return;
195	0	}
196
197		// Randomly choose configuration
198	5	std::string hdrs;
199	5	const std::string method = pick_method(fdp);
200	5	const std::string version = pick_http_version(fdp);
201	5	const std::string target = (method == "") ? "" : (fdp.ConsumeBool() ? "/upload" : "/x?y=z");
202
203		// Randomly break line endings in request line
204	5	const bool bare_lf = fdp.ConsumeBool();
205	5	const bool bare_cr = (!bare_lf) && fdp.ConsumeBool();
206	37	auto EOL = [&](bool final=false) {
207	37	if (bare_lf) {
208	18	return std::string("\n");
209	18	}
210	19	if (bare_cr) {
211	14	return std::string("\r");
212	14	}
213
214	5	return std::string("\r\n");
215	19	};
216	5	std::string req = method + " " + target + " " + version + EOL();
217
218		// Host headers
219	5	int host_count = 0;
220	5	if (version == "HTTP/1.1") {
221	1	host_count = fdp.ConsumeIntegralInRange<int>(0,2);
222	4	} else {
223	4	host_count = fdp.ConsumeIntegralInRange<int>(0,1);
224	4	}
225
226	6	for (int i = 0; i < host_count; ++i) {
227	1	if (fdp.ConsumeBool()) {
228	0	hdrs += " Host: fuzz" + std::to_string(i) + EOL();
229	1	} else if (fdp.ConsumeBool()) {
230	0	hdrs += "Host : fuzz" + std::to_string(i) + EOL();
231	1	} else {
232	1	hdrs += "Host: fuzz" + std::to_string(i) + EOL();
233	1	}
234	1	}
235
236		// Transfer-Encoding and Content-Length headers
237	5	const bool add_te = fdp.ConsumeBool();
238	5	const bool add_cl = fdp.ConsumeBool();
239	5	std::string te_val = fdp.PickValueInArray({"chunked","gzip","br","compress"});
240	5	if (add_te) {
241	1	hdrs += "Transfer-Encoding: " + te_val + EOL();
242	1	}
243	5	if (add_cl) {
244	1	std::string cl;
245	1	switch (fdp.ConsumeIntegralInRange<int>(0,3)) {
246	0	case 0: cl = "0"; break;
247	0	case 1: cl = std::to_string(fdp.ConsumeIntegralInRange<uint32_t>(0, 1<<20));
248	0	break;
249	0	case 2: cl = "18446744073709551616"; break;
250	1	default: cl = "xyz"; break;
251	1	}
252	1	hdrs += "Content-Length: " + cl + EOL();
253	1	}
254
255		// Random minimum headers
256	5	if (fdp.ConsumeBool()) {
257	2	hdrs += (fdp.ConsumeBool() ? "Expect: 100-continue" : "Expect: something-weird") + EOL();
258	2	}
259
260	5	bool detect_mpart = false;
261	5	switch (c.rq.app_act.head_act.data.post_parse.enc) {
262	0	case MHD_HTTP_POST_ENCODING_MULTIPART_FORMDATA:
263	0	g_mpart_boundary = "fuzz" + std::to_string(fdp.ConsumeIntegral<uint32_t>());
264	0	hdrs += "Content-Type: multipart/form-data; boundary=" + g_mpart_boundary + EOL();
265	0	break;
266	0	case MHD_HTTP_POST_ENCODING_FORM_URLENCODED:
267	0	hdrs += "Content-Type: application/x-www-form-urlencoded" + EOL();
268	0	break;
269	1	case MHD_HTTP_POST_ENCODING_TEXT_PLAIN:
270	1	hdrs += "Content-Type: text/plain" + EOL();
271	1	break;
272	4	default: case MHD_HTTP_POST_ENCODING_OTHER:
273	4	detect_mpart = fdp.ConsumeBool();
274	4	if (detect_mpart) {
275	1	g_mpart_boundary = "fuzz" + std::to_string(fdp.ConsumeIntegral<uint32_t>());
276	1	hdrs += "Content-Type: multipart/form-data; boundary=" + g_mpart_boundary + EOL();
277	3	} else {
278	3	hdrs += std::string("Content-Type: ")
279	3	+ (fdp.ConsumeBool() ? "application/x-www-form-urlencoded" : "text/plain") + EOL();
280	3	}
281	4	break;
282	5	}
283
284		// Randomly add some chunked headers
285	5	const bool add_te_chunked = fdp.ConsumeBool();
286	5	if (add_te_chunked) {
287	4	hdrs += "Transfer-Encoding: chunked" + EOL();
288	4	}
289	5	if (fdp.ConsumeBool()) {
290	1	const uint32_t cl = fdp.ConsumeIntegralInRange<uint32_t>(0, 256);
291	1	hdrs += "Content-Length: " + std::to_string(cl) + EOL();
292	1	}
293	5	if (add_te_chunked && fdp.ConsumeBool()) {
294	1	if (fdp.ConsumeBool())
295	0	hdrs += "Trailer: X-Fuzz-Trace" + EOL();
296	1	else
297	1	hdrs += "Trailer: X-One, X-Two" + EOL();
298	1	}
299	5	if (fdp.ConsumeBool()) {
300	1	hdrs += (fdp.ConsumeBool() ? "Expect: 100-continue" : "Expect: something-weird") + EOL();
301	1	}
302
303		// Connection ending line
304	5	hdrs += "Connection: close" + EOL();
305	5	std::string end = EOL() + EOL();
306
307		// Write into the read buffer
308	5	std::string full = req + hdrs + end;
309	5	const size_t n = (full.size() <= capacity) ? full.size() : capacity;
310	5	memcpy(buf, full.data(), n);
311
312	5	c.read_buffer = buf;
313	5	c.read_buffer_size = capacity;
314	5	c.read_buffer_offset = n;
315	5	}
316
317	5	void init_parsing_configuration(FuzzedDataProvider& fdp, MHD_Connection& c) {
318	5	MHD_HTTP_PostEncoding enc;
319
320		// Configure connection encoding abd methods
321	5	if (fdp.ConsumeBool()) {
322	2	c.rq.app_act.head_act.act = mhd_ACTION_POST_PARSE;
323	3	} else {
324	3	c.rq.app_act.head_act.act = mhd_ACTION_NO_ACTION;
325	3	}
326	5	if (fdp.ConsumeBool()) {
327	1	enc = MHD_HTTP_POST_ENCODING_TEXT_PLAIN;
328	4	} else if (fdp.ConsumeBool()) {
329	0	enc = MHD_HTTP_POST_ENCODING_FORM_URLENCODED;
330	4	} else if (fdp.ConsumeBool()) {
331	0	enc = MHD_HTTP_POST_ENCODING_MULTIPART_FORMDATA;
332	4	} else {
333	4	enc = MHD_HTTP_POST_ENCODING_OTHER;
334	4	}
335
336	5	c.rq.app_act.head_act.data.post_parse.buffer_size =
337	5	fdp.ConsumeIntegralInRange<size_t>(1, 4096);
338	5	c.rq.app_act.head_act.data.post_parse.max_nonstream_size =
339	5	fdp.ConsumeIntegralInRange<size_t>(1, 4096);
340
341		// Confiugre head action for connection post parsing process
342	5	c.rq.app_act.head_act.data.post_parse.enc = enc;
343	5	c.rq.app_act.head_act.data.post_parse.stream_reader = dummy_reader;
344	5	c.rq.app_act.head_act.data.post_parse.reader_cls = nullptr;
345	5	c.rq.app_act.head_act.data.post_parse.done_cb = dummy_done;
346	5	c.rq.app_act.head_act.data.post_parse.done_cb_cls = nullptr;
347	5	}
348
349	5	void prepare_headers_and_parse(MHD_Connection& connection, size_t size) {
350		// Manually add a parameter for parsing
351	20	auto add_hdr = [&](const char* name_c, const std::string& val_s) {
352	20	const size_t nlen = strlen(name_c);
353	20	const size_t vlen = val_s.size();
354	20	char* nbuf = static_cast<char*>(mhd_stream_alloc_memory(&connection, nlen + 1));
355	20	char* vbuf = static_cast<char*>(mhd_stream_alloc_memory(&connection, vlen + 1));
356	20	if (!nbuf \|\| !vbuf) {
357	0	return;
358	0	}
359	20	memcpy(nbuf, name_c, nlen); nbuf[nlen] = '\0';
360	20	memcpy(vbuf, val_s.data(), vlen); vbuf[vlen] = '\0';
361	20	struct MHD_String name;
362	20	name.len = nlen;
363	20	name.cstr = nbuf;
364	20	struct MHD_String value;
365	20	value.len = vlen;
366	20	value.cstr = vbuf;
367	20	mhd_stream_add_field(&connection.h1_stream, MHD_VK_HEADER, &name, &value);
368	20	};
369	5	add_hdr("Host", "fuzz");
370	5	if ((size & 3u) == 0u) {
371	5	add_hdr("Transfer-Encoding", "chunked");
372	5	}
373	5	if ((size & 7u) == 0u) {
374	5	add_hdr("Content-Length", "0");
375	5	}
376
377	5	bool force_mpart = (connection.rq.app_act.head_act.data.post_parse.enc
378	5	== MHD_HTTP_POST_ENCODING_MULTIPART_FORMDATA);
379	5	if (!force_mpart) {
380	5	force_mpart = ((size & 0x3Fu) == 0u);
381	5	}
382	5	if (force_mpart) {
383	5	if (g_mpart_boundary.empty()) {
384	1	g_mpart_boundary = "fuzz" + std::to_string(size ^ 0x9e3779b97f4a7c15ULL);
385	1	}
386	5	std::string ct = "multipart/form-data; boundary=" + g_mpart_boundary;
387	5	add_hdr("Content-Type", ct);
388	5	}
389
390		// If we wrote a real HTTP header for multipart, parse it so Content-Type is visible
391	5	connection.stage = mhd_HTTP_STAGE_INIT;
392	5	bool got_line = mhd_stream_get_request_line(&connection);
393	5	if (destroy_error_response(connection)) {
394	2	return;
395	2	}
396	3	if (got_line && connection.stage == mhd_HTTP_STAGE_REQ_LINE_RECEIVED) {
397	1	mhd_stream_switch_to_rq_headers_proc(&connection);
398	1	}
399	3	mhd_stream_parse_request_headers(&connection);
400
401		// Only proceed to post-parse if header parsing did not bail out
402	3	destroy_error_response(connection);
403	3	}
404
405	5	void prepare_body_and_process(MHD_Connection& connection, std::string& body, size_t body_size, bool use_stream_body) {
406		// Use streaming if boundary is not empty
407	5	if (!g_mpart_boundary.empty()) {
408	5	std::string wrapped;
409	5	wrapped.reserve(body.size() + g_mpart_boundary.size() * 2 + 128);
410	5	wrapped += "\r\n--"; wrapped += g_mpart_boundary; wrapped += "\r\n";
411	5	wrapped += "Content-Disposition: form-data; name=\"x\"; filename=\"f\"\r\n";
412	5	wrapped += "Content-Type: application/octet-stream\r\n\r\n";
413	5	wrapped += body; wrapped += "\r\n";
414	5	wrapped += "--"; wrapped += g_mpart_boundary; wrapped += "--\r\n";
415	5	body.swap(wrapped);
416	5	body_size = body.size();
417	5	}
418
419	5	if (!use_stream_body) {
420		// Fuzz mhd_stream_prepare_for_post_parse once and mhd_stream_post_parse
421	5	mhd_stream_prepare_for_post_parse(&connection);
422	5	mhd_stream_post_parse(&connection, &body_size, &body[0]);
423	5	mark_post_parse_ready(connection);
424	5	} else {
425		// Try prepare the body by streaming connection buffer
426	0	const bool want_chunked = (connection.rq.have_chunked_upload == MHD_YES);
427
428	0	std::string to_feed;
429	0	if (want_chunked) {
430	0	auto append_chunk = [&](const char* data, size_t len) {
431	0	char hex[32];
432	0	const int n = snprintf(hex, sizeof(hex), "%zx", len);
433	0	to_feed.append(hex, (size_t)n);
434	0	if ((len & 3u) == 0u) {
435	0	to_feed += ";ext=1";
436	0	}
437	0	to_feed += "\r\n";
438	0	to_feed.append(data, len);
439	0	to_feed += "\r\n";
440	0	};
441	0	if (body_size <= 32) {
442	0	append_chunk(body.data(), body_size);
443	0	} else {
444	0	const size_t mid = body_size / 2;
445	0	append_chunk(body.data(), mid);
446	0	append_chunk(body.data() + mid, body_size - mid);
447	0	}
448	0	to_feed += "0\r\n";
449	0	if (body_size & 1) {
450	0	to_feed += "X-Fuzz-Trace: 1\r\n\r\n";
451	0	} else {
452	0	to_feed += "\r\n";
453	0	}
454	0	} else {
455		// Non-chunked body is handled as is
456	0	to_feed.assign(body.data(), body_size);
457	0	}
458
459		// Stage into the connection read buffer (allocate if needed).
460	0	size_t feed_sz = to_feed.size();
461	0	bool staged = false;
462	0	if (connection.read_buffer && connection.read_buffer_size >= feed_sz) {
463	0	memcpy(connection.read_buffer, to_feed.data(), feed_sz);
464	0	connection.read_buffer_offset = feed_sz;
465	0	staged = true;
466	0	} else {
467	0	size_t need = 0;
468	0	char nb = (char) mhd_pool_try_alloc(connection.pool, feed_sz, &need);
469	0	if (nb) {
470	0	memcpy(nb, to_feed.data(), feed_sz);
471	0	connection.read_buffer = nb;
472	0	connection.read_buffer_size = feed_sz;
473	0	connection.read_buffer_offset = feed_sz;
474	0	staged = true;
475	0	}
476	0	}
477
478	0	if (staged) {
479		// Use stream body approach if success
480	0	const size_t min_needed = body_size + 1;
481	0	if (ensure_lbuf_capacity(connection, min_needed)) {
482		// Only post parse the request if buffer is enough
483	0	connection.stage = mhd_HTTP_STAGE_BODY_RECEIVING;
484	0	connection.rq.have_chunked_upload = MHD_NO;
485	0	connection.rq.cntn.cntn_size = (uint64_t) body_size;
486	0	mhd_stream_prepare_for_post_parse(&connection);
487	0	mhd_stream_process_request_body(&connection);
488	0	mark_post_parse_ready(connection);
489	0	} else {
490		// Fall back if not enough buffer
491	0	size_t tmp = body_size;
492	0	mhd_stream_prepare_for_post_parse(&connection);
493	0	mhd_stream_post_parse(&connection, &tmp, body.data());
494	0	mark_post_parse_ready(connection);
495	0	}
496	0	} else {
497		// Use post prase approach if stream body failed
498	0	mhd_stream_prepare_for_post_parse(&connection);
499	0	mhd_stream_post_parse(&connection, &body_size, &body[0]);
500	0	mark_post_parse_ready(connection);
501	0	}
502	0	}
503	5	}
504
505	5	void final_cleanup(MHD_Connection& connection, MHD_Daemon& daemon) {
506		// Post process response
507	5	mhd_stream_switch_from_recv_to_send(&connection);
508	5	mhd_stream_process_req_recv_finished(&connection);
509	5	mhd_stream_release_write_buffer(&connection);
510
511		// Release buffers in daemon to avoid memory leakage
512	5	if (connection.rq.cntn.lbuf.data != nullptr \|\| connection.rq.cntn.lbuf.size != 0) {
513	0	mhd_daemon_free_lbuf(&daemon, &connection.rq.cntn.lbuf);
514	0	}
515
516		// Clean post parse body status
517	5	clear_post_parse_ready(connection);
518	5	}