/src/unit/fuzzing/nxt_http_h1p_fuzz.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright (C) NGINX, Inc. |
3 | | */ |
4 | | |
5 | | #include <nxt_main.h> |
6 | | |
7 | | /* DO NOT TRY THIS AT HOME! */ |
8 | | #include "nxt_h1proto.c" |
9 | | |
10 | | |
11 | 6.06k | #define KMININPUTLENGTH 2 |
12 | 3.02k | #define KMAXINPUTLENGTH 1024 |
13 | | |
14 | | |
15 | | extern int LLVMFuzzerInitialize(int *argc, char ***argv); |
16 | | extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); |
17 | | |
18 | | |
19 | | extern char **environ; |
20 | | |
21 | | |
22 | | int |
23 | | LLVMFuzzerInitialize(int *argc, char ***argv) |
24 | 6 | { |
25 | 6 | nxt_int_t ret; |
26 | | |
27 | 6 | if (nxt_lib_start("fuzzing", NULL, &environ) != NXT_OK) { |
28 | 0 | return NXT_ERROR; |
29 | 0 | } |
30 | | |
31 | 6 | ret = nxt_http_fields_hash(&nxt_h1p_fields_hash, |
32 | 6 | nxt_h1p_fields, nxt_nitems(nxt_h1p_fields)); |
33 | 6 | if (ret != NXT_OK) { |
34 | 0 | return NXT_ERROR; |
35 | 0 | } |
36 | | |
37 | 6 | return 0; |
38 | 6 | } |
39 | | |
40 | | |
41 | | int |
42 | | LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) |
43 | 3.03k | { |
44 | 3.03k | nxt_mp_t *mp; |
45 | 3.03k | nxt_int_t rc; |
46 | 3.03k | nxt_buf_mem_t buf; |
47 | 3.03k | nxt_http_request_t *req; |
48 | 3.03k | nxt_http_request_parse_t rp; |
49 | | |
50 | 3.03k | if (size < KMININPUTLENGTH || size > KMAXINPUTLENGTH) { |
51 | 25 | return 0; |
52 | 25 | } |
53 | | |
54 | 3.00k | mp = nxt_mp_create(1024, 128, 256, 32); |
55 | 3.00k | if (mp == NULL) { |
56 | 0 | return 0; |
57 | 0 | } |
58 | | |
59 | 3.00k | req = nxt_mp_zget(mp, sizeof(nxt_http_request_t)); |
60 | 3.00k | if (req == NULL) { |
61 | 0 | goto failed; |
62 | 0 | } |
63 | | |
64 | 3.00k | req->proto.h1 = nxt_mp_zget(mp, sizeof(nxt_h1proto_t)); |
65 | 3.00k | if (req->proto.h1 == NULL) { |
66 | 0 | goto failed; |
67 | 0 | } |
68 | | |
69 | 3.00k | req->conf = nxt_mp_zget(mp, sizeof(nxt_socket_conf_joint_t)); |
70 | 3.00k | if (req->conf == NULL) { |
71 | 0 | goto failed; |
72 | 0 | } |
73 | | |
74 | 3.00k | req->conf->socket_conf = nxt_mp_zget(mp, sizeof(nxt_socket_conf_t)); |
75 | 3.00k | if (req->conf->socket_conf == NULL) { |
76 | 0 | goto failed; |
77 | 0 | } |
78 | | |
79 | 3.00k | buf.start = (u_char *)data; |
80 | 3.00k | buf.end = (u_char *)data + size; |
81 | 3.00k | buf.pos = buf.start; |
82 | 3.00k | buf.free = buf.end; |
83 | | |
84 | 3.00k | req->mem_pool = mp; |
85 | 3.00k | req->conf->socket_conf->max_body_size = 8 * 1024 * 1024; |
86 | | |
87 | 3.00k | nxt_memzero(&rp, sizeof(nxt_http_request_parse_t)); |
88 | | |
89 | 3.00k | rc = nxt_http_parse_request_init(&rp, mp); |
90 | 3.00k | if (rc != NXT_OK) { |
91 | 0 | goto failed; |
92 | 0 | } |
93 | | |
94 | 3.00k | rc = nxt_http_parse_request(&rp, &buf); |
95 | 3.00k | if (rc != NXT_DONE) { |
96 | 2.00k | goto failed; |
97 | 2.00k | } |
98 | | |
99 | 999 | nxt_http_fields_process(rp.fields, &nxt_h1p_fields_hash, req); |
100 | | |
101 | 3.00k | failed: |
102 | | |
103 | 3.00k | nxt_mp_destroy(mp); |
104 | | |
105 | 3.00k | return 0; |
106 | 999 | } |