/src/varnish-cache/bin/varnishd/fuzzers/esi_parse_fuzzer.c

Source (jump to first uncovered line)
/*-
 * Copyright (c) 2018 Varnish Software AS
 * All rights reserved.
 *
 * Author: Federico G. Schwindt <fgsch@lodoss.net>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * ESI parser fuzzer.
 */

#include "config.h"

#include <string.h>
#include <stdlib.h>
#include <stdio.h>

#include "cache/cache_varnishd.h"
#include "cache/cache_vgz.h"    /* enum vgz_flag */
#include "cache/cache_esi.h"
#include "cache/cache_filter.h"   /* struct vfp_ctx */

#include "vfil.h"

int LLVMFuzzerTestOneInput(const uint8_t *, size_t);

struct VSC_main *VSC_C_main;
volatile struct params *cache_param;

int
PAN__DumpStruct(struct vsb *vsb, int block, int track, const void *ptr,
    const char *smagic, unsigned magic, const char *fmt, ...)
{
  (void)vsb;
  (void)block;
  (void)track;
  (void)ptr;
  (void)smagic;
  (void)magic;
  (void)fmt;
  return (0);
}

void
VSL(enum VSL_tag_e tag, vxid_t vxid, const char *fmt, ...)
{
  (void)tag;
  (void)vxid;
  (void)fmt;
}

void
VSLb(struct vsl_log *vsl, enum VSL_tag_e tag, const char *fmt, ...)
{
  (void)vsl;
  (void)tag;
  (void)fmt;
}

void
VSLb_ts(struct vsl_log *l, const char *event, vtim_real first, vtim_real *pprev,
    vtim_real now)
{
  (void)l;
  (void)event;
  (void)first;
  (void)pprev;
  (void)now;
}

void
WRK_Log(enum VSL_tag_e tag, const char *fmt, ...)
{

  (void)tag;
  (void)fmt;
}

int
LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
  struct VSC_main __VSC_C_main;
  struct params __cache_param;
  struct http req[1];
  struct http resp[1];
  struct vfp_ctx vc[1];
  struct worker wrk[1];
  struct ws ws[1];
  struct vep_state *vep;
  struct vsb *vsb;
  txt hd[HTTP_HDR_URL + 1];
  char ws_buf[1024];

  if (size < 1)
    return (0);

  AN(data);

  VSC_C_main = &__VSC_C_main;
  cache_param = &__cache_param;

  memset(&__cache_param, 0, sizeof(__cache_param));
#define BSET(b, no) (b)[(no) >> 3] |= (0x80 >> ((no) & 7))
  if (data[0] & 0x8f)
    BSET(__cache_param.feature_bits, FEATURE_ESI_IGNORE_HTTPS);
  if (size > 1 && data[1] & 0x8f)
    BSET(__cache_param.feature_bits, FEATURE_ESI_DISABLE_XML_CHECK);
  if (size > 2 && data[2] & 0x8f)
    BSET(__cache_param.feature_bits, FEATURE_ESI_IGNORE_OTHER_ELEMENTS);
  if (size > 3 && data[3] & 0x8f)
    BSET(__cache_param.feature_bits, FEATURE_ESI_REMOVE_BOM);
#undef BSET

  /* Setup ws */
  WS_Init(ws, "req", ws_buf, sizeof ws_buf);

  /* Setup req */
  INIT_OBJ(req, HTTP_MAGIC);
  req->hd = hd;
  req->hd[HTTP_HDR_URL].b = "/";
  req->ws = ws;

  /* Setup resp */
  INIT_OBJ(resp, HTTP_MAGIC);
  resp->ws = ws;

  /* Setup wrk */
  INIT_OBJ(wrk, WORKER_MAGIC);

  /* Setup vc */
  INIT_OBJ(vc, VFP_CTX_MAGIC);
  vc->wrk = wrk;
  vc->resp = resp;

  vep = VEP_Init(vc, req, NULL, NULL);
  AN(vep);
  VEP_Parse(vep, (const char *)data, size);
  vsb = VEP_Finish(vep);
  if (vsb != NULL)
    VSB_destroy(&vsb);
  WS_Rollback(ws, 0);

  return (0);
}

#if defined(TEST_DRIVER)
int
main(int argc, char **argv)
{
  ssize_t len;
  char *buf;
  int i;

  for (i = 1; i < argc; i++) {
    len = 0;
    buf = VFIL_readfile(NULL, argv[i], &len);
    AN(buf);
    LLVMFuzzerTestOneInput((uint8_t *)buf, len);
    free(buf);
  }
}
#endif

Line	Count	Source (jump to first uncovered line)
1		/*-
2		* Copyright (c) 2018 Varnish Software AS
3		* All rights reserved.
4		*
5		* Author: Federico G. Schwindt <fgsch@lodoss.net>
6		*
7		* SPDX-License-Identifier: BSD-2-Clause
8		*
9		* Redistribution and use in source and binary forms, with or without
10		* modification, are permitted provided that the following conditions
11		* are met:
12		* 1. Redistributions of source code must retain the above copyright
13		* notice, this list of conditions and the following disclaimer.
14		* 2. Redistributions in binary form must reproduce the above copyright
15		* notice, this list of conditions and the following disclaimer in the
16		* documentation and/or other materials provided with the distribution.
17		*
18		* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19		* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21		* ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
22		* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23		* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24		* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25		* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26		* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27		* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28		* SUCH DAMAGE.
29		*
30		* ESI parser fuzzer.
31		*/
32
33		#include "config.h"
34
35		#include <string.h>
36		#include <stdlib.h>
37		#include <stdio.h>
38
39		#include "cache/cache_varnishd.h"
40		#include "cache/cache_vgz.h" /* enum vgz_flag */
41		#include "cache/cache_esi.h"
42		#include "cache/cache_filter.h" /* struct vfp_ctx */
43
44		#include "vfil.h"
45
46		int LLVMFuzzerTestOneInput(const uint8_t *, size_t);
47
48		struct VSC_main *VSC_C_main;
49		volatile struct params *cache_param;
50
51		int
52		PAN__DumpStruct(struct vsb vsb, int block, int track, const void ptr,
53		const char smagic, unsigned magic, const char fmt, ...)
54	0	{
55	0	(void)vsb;
56	0	(void)block;
57	0	(void)track;
58	0	(void)ptr;
59	0	(void)smagic;
60	0	(void)magic;
61	0	(void)fmt;
62	0	return (0);
63	0	}
64
65		void
66		VSL(enum VSL_tag_e tag, vxid_t vxid, const char *fmt, ...)
67	0	{
68	0	(void)tag;
69	0	(void)vxid;
70	0	(void)fmt;
71	0	}
72
73		void
74		VSLb(struct vsl_log vsl, enum VSL_tag_e tag, const char fmt, ...)
75	1.56k	{
76	1.56k	(void)vsl;
77	1.56k	(void)tag;
78	1.56k	(void)fmt;
79	1.56k	}
80
81		void
82		VSLb_ts(struct vsl_log l, const char event, vtim_real first, vtim_real *pprev,
83		vtim_real now)
84	0	{
85	0	(void)l;
86	0	(void)event;
87	0	(void)first;
88	0	(void)pprev;
89	0	(void)now;
90	0	}
91
92		void
93		WRK_Log(enum VSL_tag_e tag, const char *fmt, ...)
94	0	{
95
96	0	(void)tag;
97	0	(void)fmt;
98	0	}
99
100		int
101		LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
102	790	{
103	790	struct VSC_main __VSC_C_main;
104	790	struct params __cache_param;
105	790	struct http req[1];
106	790	struct http resp[1];
107	790	struct vfp_ctx vc[1];
108	790	struct worker wrk[1];
109	790	struct ws ws[1];
110	790	struct vep_state *vep;
111	790	struct vsb *vsb;
112	790	txt hd[HTTP_HDR_URL + 1];
113	790	char ws_buf[1024];
114
115	790	if (size < 1)
116	0	return (0);
117
118	790	AN(data);
119
120	790	VSC_C_main = &__VSC_C_main;
121	790	cache_param = &__cache_param;
122
123	790	memset(&__cache_param, 0, sizeof(__cache_param));
124	2.70k	#define BSET(b, no) (b)[(no) >> 3] \|= (0x80 >> ((no) & 7))
125	790	if (data[0] & 0x8f)
126	733	BSET(__cache_param.feature_bits, FEATURE_ESI_IGNORE_HTTPS);
127	790	if (size > 1 && data[1] & 0x8f)
128	673	BSET(__cache_param.feature_bits, FEATURE_ESI_DISABLE_XML_CHECK);
129	790	if (size > 2 && data[2] & 0x8f)
130	637	BSET(__cache_param.feature_bits, FEATURE_ESI_IGNORE_OTHER_ELEMENTS);
131	790	if (size > 3 && data[3] & 0x8f)
132	658	BSET(__cache_param.feature_bits, FEATURE_ESI_REMOVE_BOM);
133	790	#undef BSET
134
135		/* Setup ws */
136	790	WS_Init(ws, "req", ws_buf, sizeof ws_buf);
137
138		/* Setup req */
139	790	INIT_OBJ(req, HTTP_MAGIC);
140	790	req->hd = hd;
141	790	req->hd[HTTP_HDR_URL].b = "/";
142	790	req->ws = ws;
143
144		/* Setup resp */
145	790	INIT_OBJ(resp, HTTP_MAGIC);
146	790	resp->ws = ws;
147
148		/* Setup wrk */
149	790	INIT_OBJ(wrk, WORKER_MAGIC);
150
151		/* Setup vc */
152	790	INIT_OBJ(vc, VFP_CTX_MAGIC);
153	790	vc->wrk = wrk;
154	790	vc->resp = resp;
155
156	790	vep = VEP_Init(vc, req, NULL, NULL);
157	790	AN(vep);
158	790	VEP_Parse(vep, (const char *)data, size);
159	790	vsb = VEP_Finish(vep);
160	790	if (vsb != NULL)
161	218	VSB_destroy(&vsb);
162	790	WS_Rollback(ws, 0);
163
164	790	return (0);
165	790	}
166
167		#if defined(TEST_DRIVER)
168		int
169		main(int argc, char **argv)
170		{
171		ssize_t len;
172		char *buf;
173		int i;
174
175		for (i = 1; i < argc; i++) {
176		len = 0;
177		buf = VFIL_readfile(NULL, argv[i], &len);
178		AN(buf);
179		LLVMFuzzerTestOneInput((uint8_t *)buf, len);
180		free(buf);
181		}
182		}
183		#endif

Coverage Report

Created: 2023-06-07 06:09