/src/nghttp2/fuzz/fuzz_frames.cc

Source
#include <string>
#include <fuzzer/FuzzedDataProvider.h>

extern "C" {
#include <string.h>
#include "nghttp2_hd.h"
#include "nghttp2_frame.h"

#include "nghttp2_test_helper.h"

#define HEADERS_LENGTH 7

static nghttp2_nv fuzz_make_nv(std::string s1, std::string s2) {
  nghttp2_nv nv;
  uint8_t *n = (uint8_t *)malloc(s1.size());
  memcpy(n, s1.c_str(), s1.size());

  uint8_t *v = (uint8_t *)malloc(s2.size());
  memcpy(v, s2.c_str(), s2.size());

  nv.name = n;
  nv.value = v;
  nv.namelen = s1.size();
  nv.valuelen = s2.size();
  nv.flags = NGHTTP2_NV_FLAG_NONE;

  return nv;
}

static void fuzz_free_nv(nghttp2_nv *nv) {
  free(nv->name);
  free(nv->value);
}

void check_frame_pack_headers(FuzzedDataProvider *data_provider) {
  nghttp2_hd_deflater deflater;
  nghttp2_hd_inflater inflater;
  nghttp2_headers frame, oframe;
  nghttp2_bufs bufs;
  nghttp2_nv *nva;
  nghttp2_priority_spec pri_spec;
  size_t nvlen;
  nva_out out;
  size_t hdblocklen;
  int rv;
  nghttp2_mem *mem;

  mem = nghttp2_mem_default();
  frame_pack_bufs_init(&bufs);

  nva_out_init(&out);
  nghttp2_hd_deflate_init(&deflater, mem);
  nghttp2_hd_inflate_init(&inflater, mem);

  /* Create a set of headers seeded with data from the fuzzer */
  nva = (nghttp2_nv *)mem->malloc(sizeof(nghttp2_nv) * HEADERS_LENGTH, NULL);
  for (int i = 0; i < HEADERS_LENGTH; i++) {
    nva[i] = fuzz_make_nv(data_provider->ConsumeRandomLengthString(30),
                          data_provider->ConsumeRandomLengthString(300));
  }

  nvlen = HEADERS_LENGTH;
  nghttp2_priority_spec_default_init(&pri_spec);
  nghttp2_frame_headers_init(
    &frame, NGHTTP2_FLAG_END_STREAM | NGHTTP2_FLAG_END_HEADERS, 1000000007,
    NGHTTP2_HCAT_REQUEST, &pri_spec, nva, nvlen);

  /* Perform a set of operations with the fuzz data */
  rv = nghttp2_frame_pack_headers(&bufs, &frame, &deflater);
  if (rv == 0) {
    unpack_framebuf((nghttp2_frame *)&oframe, &bufs);

    inflate_hd(&inflater, &out, &bufs, NGHTTP2_FRAME_HDLEN, mem);
    nva_out_reset(&out, mem);
    nghttp2_bufs_reset(&bufs);
  }

  nghttp2_nv *nva2 = NULL;
  rv = nghttp2_nv_array_copy(&nva2, nva, nvlen, mem);
  if (rv == 0) {
    nghttp2_nv_array_del(nva2, mem);
  }

  /* Cleanup */
  for (int i = 0; i < HEADERS_LENGTH; i++) {
    fuzz_free_nv(&nva[i]);
  }

  nghttp2_bufs_free(&bufs);
  nghttp2_frame_headers_free(&frame, mem);
  nghttp2_hd_inflate_free(&inflater);
  nghttp2_hd_deflate_free(&deflater);
}

void check_frame_push_promise(FuzzedDataProvider *data_provider) {
  nghttp2_hd_deflater deflater;
  nghttp2_hd_inflater inflater;
  nghttp2_push_promise frame, oframe;
  nghttp2_bufs bufs;
  nghttp2_nv *nva;
  nghttp2_priority_spec pri_spec;
  size_t nvlen;
  nva_out out;
  size_t hdblocklen;
  int rv;
  nghttp2_mem *mem;

  mem = nghttp2_mem_default();
  frame_pack_bufs_init(&bufs);

  nva_out_init(&out);
  nghttp2_hd_deflate_init(&deflater, mem);
  nghttp2_hd_inflate_init(&inflater, mem);

  /* Create a set of headers seeded with data from the fuzzer */
  nva = (nghttp2_nv *)mem->malloc(sizeof(nghttp2_nv) * HEADERS_LENGTH, NULL);
  for (int i = 0; i < HEADERS_LENGTH; i++) {
    nva[i] = fuzz_make_nv(data_provider->ConsumeRandomLengthString(30),
                          data_provider->ConsumeRandomLengthString(300));
  }
  nvlen = HEADERS_LENGTH;
  nghttp2_priority_spec_default_init(&pri_spec);

  /* Perform a set of operations with the fuzz data */
  nghttp2_frame_push_promise_init(&frame, NGHTTP2_FLAG_END_HEADERS, 1000000007,
                                  (1U << 31) - 1, nva, nvlen);

  rv = nghttp2_frame_pack_push_promise(&bufs, &frame, &deflater);
  if (rv == 0) {
    unpack_framebuf((nghttp2_frame *)&oframe, &bufs);
  }

  nghttp2_nv *nva2 = NULL;
  rv = nghttp2_nv_array_copy(&nva2, nva, nvlen, mem);
  if (rv == 0) {
    nghttp2_nv_array_del(nva2, mem);
  }

  /* Cleanup */
  for (int i = 0; i < HEADERS_LENGTH; i++) {
    fuzz_free_nv(&nva[i]);
  }

  nghttp2_bufs_reset(&bufs);
  nghttp2_bufs_free(&bufs);

  nghttp2_frame_push_promise_free(&frame, mem);
  nghttp2_hd_inflate_free(&inflater);
  nghttp2_hd_deflate_free(&deflater);
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  FuzzedDataProvider data_provider(data, size);

  check_frame_pack_headers(&data_provider);
  check_frame_push_promise(&data_provider);
  return 0;
}

} // extern C

Line	Count	Source
1		#include <string>
2		#include <fuzzer/FuzzedDataProvider.h>
3
4		extern "C" {
5		#include <string.h>
6		#include "nghttp2_hd.h"
7		#include "nghttp2_frame.h"
8
9		#include "nghttp2_test_helper.h"
10
11	83.9k	#define HEADERS_LENGTH 7
12
13	32.6k	static nghttp2_nv fuzz_make_nv(std::string s1, std::string s2) {
14	32.6k	nghttp2_nv nv;
15	32.6k	uint8_t n = (uint8_t )malloc(s1.size());
16	32.6k	memcpy(n, s1.c_str(), s1.size());
17
18	32.6k	uint8_t v = (uint8_t )malloc(s2.size());
19	32.6k	memcpy(v, s2.c_str(), s2.size());
20
21	32.6k	nv.name = n;
22	32.6k	nv.value = v;
23	32.6k	nv.namelen = s1.size();
24	32.6k	nv.valuelen = s2.size();
25	32.6k	nv.flags = NGHTTP2_NV_FLAG_NONE;
26
27	32.6k	return nv;
28	32.6k	}
29
30	32.6k	static void fuzz_free_nv(nghttp2_nv *nv) {
31	32.6k	free(nv->name);
32	32.6k	free(nv->value);
33	32.6k	}
34
35	2.33k	void check_frame_pack_headers(FuzzedDataProvider *data_provider) {
36	2.33k	nghttp2_hd_deflater deflater;
37	2.33k	nghttp2_hd_inflater inflater;
38	2.33k	nghttp2_headers frame, oframe;
39	2.33k	nghttp2_bufs bufs;
40	2.33k	nghttp2_nv *nva;
41	2.33k	nghttp2_priority_spec pri_spec;
42	2.33k	size_t nvlen;
43	2.33k	nva_out out;
44	2.33k	size_t hdblocklen;
45	2.33k	int rv;
46	2.33k	nghttp2_mem *mem;
47
48	2.33k	mem = nghttp2_mem_default();
49	2.33k	frame_pack_bufs_init(&bufs);
50
51	2.33k	nva_out_init(&out);
52	2.33k	nghttp2_hd_deflate_init(&deflater, mem);
53	2.33k	nghttp2_hd_inflate_init(&inflater, mem);
54
55		/* Create a set of headers seeded with data from the fuzzer */
56	2.33k	nva = (nghttp2_nv )mem->malloc(sizeof(nghttp2_nv) HEADERS_LENGTH, NULL);
57	18.6k	for (int i = 0; i < HEADERS_LENGTH; i++) {
58	16.3k	nva[i] = fuzz_make_nv(data_provider->ConsumeRandomLengthString(30),
59	16.3k	data_provider->ConsumeRandomLengthString(300));
60	16.3k	}
61
62	2.33k	nvlen = HEADERS_LENGTH;
63	2.33k	nghttp2_priority_spec_default_init(&pri_spec);
64	2.33k	nghttp2_frame_headers_init(
65	2.33k	&frame, NGHTTP2_FLAG_END_STREAM \| NGHTTP2_FLAG_END_HEADERS, 1000000007,
66	2.33k	NGHTTP2_HCAT_REQUEST, &pri_spec, nva, nvlen);
67
68		/* Perform a set of operations with the fuzz data */
69	2.33k	rv = nghttp2_frame_pack_headers(&bufs, &frame, &deflater);
70	2.33k	if (rv == 0) {
71	2.33k	unpack_framebuf((nghttp2_frame *)&oframe, &bufs);
72
73	2.33k	inflate_hd(&inflater, &out, &bufs, NGHTTP2_FRAME_HDLEN, mem);
74	2.33k	nva_out_reset(&out, mem);
75	2.33k	nghttp2_bufs_reset(&bufs);
76	2.33k	}
77
78	2.33k	nghttp2_nv *nva2 = NULL;
79	2.33k	rv = nghttp2_nv_array_copy(&nva2, nva, nvlen, mem);
80	2.33k	if (rv == 0) {
81	2.33k	nghttp2_nv_array_del(nva2, mem);
82	2.33k	}
83
84		/* Cleanup */
85	18.6k	for (int i = 0; i < HEADERS_LENGTH; i++) {
86	16.3k	fuzz_free_nv(&nva[i]);
87	16.3k	}
88
89	2.33k	nghttp2_bufs_free(&bufs);
90	2.33k	nghttp2_frame_headers_free(&frame, mem);
91	2.33k	nghttp2_hd_inflate_free(&inflater);
92	2.33k	nghttp2_hd_deflate_free(&deflater);
93	2.33k	}
94
95	2.33k	void check_frame_push_promise(FuzzedDataProvider *data_provider) {
96	2.33k	nghttp2_hd_deflater deflater;
97	2.33k	nghttp2_hd_inflater inflater;
98	2.33k	nghttp2_push_promise frame, oframe;
99	2.33k	nghttp2_bufs bufs;
100	2.33k	nghttp2_nv *nva;
101	2.33k	nghttp2_priority_spec pri_spec;
102	2.33k	size_t nvlen;
103	2.33k	nva_out out;
104	2.33k	size_t hdblocklen;
105	2.33k	int rv;
106	2.33k	nghttp2_mem *mem;
107
108	2.33k	mem = nghttp2_mem_default();
109	2.33k	frame_pack_bufs_init(&bufs);
110
111	2.33k	nva_out_init(&out);
112	2.33k	nghttp2_hd_deflate_init(&deflater, mem);
113	2.33k	nghttp2_hd_inflate_init(&inflater, mem);
114
115		/* Create a set of headers seeded with data from the fuzzer */
116	2.33k	nva = (nghttp2_nv )mem->malloc(sizeof(nghttp2_nv) HEADERS_LENGTH, NULL);
117	18.6k	for (int i = 0; i < HEADERS_LENGTH; i++) {
118	16.3k	nva[i] = fuzz_make_nv(data_provider->ConsumeRandomLengthString(30),
119	16.3k	data_provider->ConsumeRandomLengthString(300));
120	16.3k	}
121	2.33k	nvlen = HEADERS_LENGTH;
122	2.33k	nghttp2_priority_spec_default_init(&pri_spec);
123
124		/* Perform a set of operations with the fuzz data */
125	2.33k	nghttp2_frame_push_promise_init(&frame, NGHTTP2_FLAG_END_HEADERS, 1000000007,
126	2.33k	(1U << 31) - 1, nva, nvlen);
127
128	2.33k	rv = nghttp2_frame_pack_push_promise(&bufs, &frame, &deflater);
129	2.33k	if (rv == 0) {
130	2.33k	unpack_framebuf((nghttp2_frame *)&oframe, &bufs);
131	2.33k	}
132
133	2.33k	nghttp2_nv *nva2 = NULL;
134	2.33k	rv = nghttp2_nv_array_copy(&nva2, nva, nvlen, mem);
135	2.33k	if (rv == 0) {
136	2.33k	nghttp2_nv_array_del(nva2, mem);
137	2.33k	}
138
139		/* Cleanup */
140	18.6k	for (int i = 0; i < HEADERS_LENGTH; i++) {
141	16.3k	fuzz_free_nv(&nva[i]);
142	16.3k	}
143
144	2.33k	nghttp2_bufs_reset(&bufs);
145	2.33k	nghttp2_bufs_free(&bufs);
146
147	2.33k	nghttp2_frame_push_promise_free(&frame, mem);
148	2.33k	nghttp2_hd_inflate_free(&inflater);
149	2.33k	nghttp2_hd_deflate_free(&deflater);
150	2.33k	}
151
152	13.4k	int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
153	13.4k	FuzzedDataProvider data_provider(data, size);
154
155	13.4k	check_frame_pack_headers(&data_provider);
156	13.4k	check_frame_push_promise(&data_provider);
157	13.4k	return 0;
158	13.4k	}
159
160		} // extern C

Coverage Report

Created: 2026-01-17 06:08