/src/nghttp2/fuzz/fuzz_target_fdp.cc
Line | Count | Source |
1 | | #include <string> |
2 | | #include <vector> |
3 | | #include <fuzzer/FuzzedDataProvider.h> |
4 | | |
5 | | #include <nghttp2/nghttp2.h> |
6 | | |
7 | | namespace { |
8 | | int on_frame_recv_callback(nghttp2_session *session, const nghttp2_frame *frame, |
9 | 63.8k | void *user_data) { |
10 | 63.8k | return 0; |
11 | 63.8k | } |
12 | | } // namespace |
13 | | |
14 | | namespace { |
15 | | int on_begin_headers_callback(nghttp2_session *session, |
16 | 12.7k | const nghttp2_frame *frame, void *user_data) { |
17 | 12.7k | return 0; |
18 | 12.7k | } |
19 | | } // namespace |
20 | | |
21 | | namespace { |
22 | | int on_header_callback2(nghttp2_session *session, const nghttp2_frame *frame, |
23 | | nghttp2_rcbuf *name, nghttp2_rcbuf *value, |
24 | 60.9k | uint8_t flags, void *user_data) { |
25 | 60.9k | return 0; |
26 | 60.9k | } |
27 | | } // namespace |
28 | | |
29 | | namespace { |
30 | | int before_frame_send_callback(nghttp2_session *session, |
31 | 31.4k | const nghttp2_frame *frame, void *user_data) { |
32 | 31.4k | return 0; |
33 | 31.4k | } |
34 | | } // namespace |
35 | | |
36 | | namespace { |
37 | | int on_frame_send_callback(nghttp2_session *session, const nghttp2_frame *frame, |
38 | 31.4k | void *user_data) { |
39 | 31.4k | return 0; |
40 | 31.4k | } |
41 | | } // namespace |
42 | | |
43 | | namespace { |
44 | 23.4k | void send_pending(nghttp2_session *session) { |
45 | 54.8k | for (;;) { |
46 | 54.8k | const uint8_t *data; |
47 | 54.8k | auto n = nghttp2_session_mem_send2(session, &data); |
48 | 54.8k | if (n == 0) { |
49 | 23.4k | return; |
50 | 23.4k | } |
51 | 54.8k | } |
52 | 23.4k | } |
53 | | } // namespace |
54 | | |
55 | 11.7k | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
56 | 11.7k | nghttp2_session *session; |
57 | 11.7k | nghttp2_session_callbacks *callbacks; |
58 | | |
59 | 11.7k | nghttp2_session_callbacks_new(&callbacks); |
60 | 11.7k | nghttp2_session_callbacks_set_on_frame_recv_callback(callbacks, |
61 | 11.7k | on_frame_recv_callback); |
62 | 11.7k | nghttp2_session_callbacks_set_on_begin_headers_callback( |
63 | 11.7k | callbacks, on_begin_headers_callback); |
64 | 11.7k | nghttp2_session_callbacks_set_on_header_callback2(callbacks, |
65 | 11.7k | on_header_callback2); |
66 | 11.7k | nghttp2_session_callbacks_set_before_frame_send_callback( |
67 | 11.7k | callbacks, before_frame_send_callback); |
68 | 11.7k | nghttp2_session_callbacks_set_on_frame_send_callback(callbacks, |
69 | 11.7k | on_frame_send_callback); |
70 | | |
71 | 11.7k | nghttp2_session_server_new(&session, callbacks, nullptr); |
72 | 11.7k | nghttp2_session_callbacks_del(callbacks); |
73 | | |
74 | 11.7k | FuzzedDataProvider data_provider(data, size); |
75 | | |
76 | | /* Initialise a random iv */ |
77 | 11.7k | nghttp2_settings_entry *iv; |
78 | 11.7k | int size_of_iv = data_provider.ConsumeIntegralInRange(1, 10); |
79 | 11.7k | iv = (nghttp2_settings_entry *)malloc(sizeof(nghttp2_settings_entry) * |
80 | 11.7k | size_of_iv); |
81 | 24.9k | for (int i = 0; i < size_of_iv; i++) { |
82 | 13.2k | iv[i].settings_id = data_provider.ConsumeIntegralInRange(0, 1000); |
83 | 13.2k | iv[i].value = data_provider.ConsumeIntegralInRange(0, 1000); |
84 | 13.2k | } |
85 | | |
86 | 11.7k | nghttp2_submit_settings(session, NGHTTP2_FLAG_NONE, iv, size_of_iv); |
87 | 11.7k | send_pending(session); |
88 | | |
89 | 11.7k | std::vector<uint8_t> d = data_provider.ConsumeRemainingBytes<uint8_t>(); |
90 | 11.7k | nghttp2_session_mem_recv2(session, d.data(), d.size()); |
91 | | |
92 | 11.7k | send_pending(session); |
93 | | |
94 | 11.7k | nghttp2_session_del(session); |
95 | | |
96 | 11.7k | free(iv); |
97 | | |
98 | 11.7k | return 0; |
99 | 11.7k | } |