Coverage Report

Created: 2025-07-11 06:40

/src/varnish-cache/bin/varnishd/fuzzers/esi_parse_fuzzer.c
Line
Count
Source (jump to first uncovered line)
1
/*-
2
 * Copyright (c) 2018 Varnish Software AS
3
 * All rights reserved.
4
 *
5
 * Author: Federico G. Schwindt <fgsch@lodoss.net>
6
 *
7
 * SPDX-License-Identifier: BSD-2-Clause
8
 *
9
 * Redistribution and use in source and binary forms, with or without
10
 * modification, are permitted provided that the following conditions
11
 * are met:
12
 * 1. Redistributions of source code must retain the above copyright
13
 *    notice, this list of conditions and the following disclaimer.
14
 * 2. Redistributions in binary form must reproduce the above copyright
15
 *    notice, this list of conditions and the following disclaimer in the
16
 *    documentation and/or other materials provided with the distribution.
17
 *
18
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21
 * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
22
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28
 * SUCH DAMAGE.
29
 *
30
 * ESI parser fuzzer.
31
 */
32
33
#include "config.h"
34
35
#include <string.h>
36
#include <stdlib.h>
37
#include <stdio.h>
38
39
#include "cache/cache_varnishd.h"
40
#include "cache/cache_vgz.h"    /* enum vgz_flag */
41
#include "cache/cache_esi.h"
42
#include "cache/cache_filter.h"   /* struct vfp_ctx */
43
#include "cache/cache_obj.h"    /* cache_filter.h uses ObjVAI */
44
45
#include "vfil.h"
46
47
int LLVMFuzzerTestOneInput(const uint8_t *, size_t);
48
49
struct VSC_main *VSC_C_main;
50
volatile struct params *cache_param;
51
52
int
53
PAN__DumpStruct(struct vsb *vsb, int block, int track, const void *ptr,
54
    const char *smagic, unsigned magic, const char *fmt, ...)
55
0
{
56
0
  (void)vsb;
57
0
  (void)block;
58
0
  (void)track;
59
0
  (void)ptr;
60
0
  (void)smagic;
61
0
  (void)magic;
62
0
  (void)fmt;
63
0
  return (0);
64
0
}
65
66
void
67
VSL(enum VSL_tag_e tag, vxid_t vxid, const char *fmt, ...)
68
0
{
69
0
  (void)tag;
70
0
  (void)vxid;
71
0
  (void)fmt;
72
0
}
73
74
void
75
VSLb(struct vsl_log *vsl, enum VSL_tag_e tag, const char *fmt, ...)
76
2.04k
{
77
2.04k
  (void)vsl;
78
2.04k
  (void)tag;
79
2.04k
  (void)fmt;
80
2.04k
}
81
82
void
83
VSLb_ts(struct vsl_log *l, const char *event, vtim_real first, vtim_real *pprev,
84
    vtim_real now)
85
0
{
86
0
  (void)l;
87
0
  (void)event;
88
0
  (void)first;
89
0
  (void)pprev;
90
0
  (void)now;
91
0
}
92
93
int
94
ObjVAIlease(struct worker *wrk, vai_hdl vhdl, struct vscarab *scarab)
95
0
{
96
97
0
  (void)wrk;
98
0
  (void)vhdl;
99
0
  (void)scarab;
100
0
  return (0);
101
0
}
102
103
void
104
ObjVAIreturn(struct worker *wrk, vai_hdl vhdl, struct vscaret *scaret)
105
0
{
106
0
  (void)wrk;
107
0
  (void)vhdl;
108
0
  (void)scaret;
109
0
}
110
111
void
112
WRK_Log(enum VSL_tag_e tag, const char *fmt, ...)
113
0
{
114
115
0
  (void)tag;
116
0
  (void)fmt;
117
0
}
118
119
int
120
LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
121
765
{
122
765
  struct VSC_main __VSC_C_main;
123
765
  struct params __cache_param;
124
765
  struct http req[1];
125
765
  struct http resp[1];
126
765
  struct vfp_ctx vc[1];
127
765
  struct worker wrk[1];
128
765
  struct ws ws[1];
129
765
  struct vep_state *vep;
130
765
  struct vsb *vsb;
131
765
  txt hd[HTTP_HDR_URL + 1];
132
765
  char ws_buf[1024];
133
134
765
  if (size < 1)
135
0
    return (0);
136
137
765
  AN(data);
138
139
765
  VSC_C_main = &__VSC_C_main;
140
765
  cache_param = &__cache_param;
141
142
765
  memset(&__cache_param, 0, sizeof(__cache_param));
143
2.66k
#define BSET(b, no) (b)[(no) >> 3] |= (0x80 >> ((no) & 7))
144
765
  if (data[0] & 0x8f)
145
722
    BSET(__cache_param.feature_bits, FEATURE_ESI_IGNORE_HTTPS);
146
765
  if (size > 1 && data[1] & 0x8f)
147
674
    BSET(__cache_param.feature_bits, FEATURE_ESI_DISABLE_XML_CHECK);
148
765
  if (size > 2 && data[2] & 0x8f)
149
632
    BSET(__cache_param.feature_bits, FEATURE_ESI_IGNORE_OTHER_ELEMENTS);
150
765
  if (size > 3 && data[3] & 0x8f)
151
637
    BSET(__cache_param.feature_bits, FEATURE_ESI_REMOVE_BOM);
152
765
#undef BSET
153
154
  /* Setup ws */
155
765
  WS_Init(ws, "req", ws_buf, sizeof ws_buf);
156
157
  /* Setup req */
158
765
  INIT_OBJ(req, HTTP_MAGIC);
159
765
  req->hd = hd;
160
765
  req->hd[HTTP_HDR_URL].b = "/";
161
765
  req->ws = ws;
162
163
  /* Setup resp */
164
765
  INIT_OBJ(resp, HTTP_MAGIC);
165
765
  resp->ws = ws;
166
167
  /* Setup wrk */
168
765
  INIT_OBJ(wrk, WORKER_MAGIC);
169
170
  /* Setup vc */
171
765
  INIT_OBJ(vc, VFP_CTX_MAGIC);
172
765
  vc->wrk = wrk;
173
765
  vc->resp = resp;
174
175
765
  vep = VEP_Init(vc, req, NULL, NULL);
176
765
  AN(vep);
177
765
  VEP_Parse(vep, (const char *)data, size);
178
765
  vsb = VEP_Finish(vep);
179
765
  if (vsb != NULL)
180
216
    VSB_destroy(&vsb);
181
765
  WS_Rollback(ws, 0);
182
183
765
  return (0);
184
765
}
185
186
#if defined(TEST_DRIVER)
187
int
188
main(int argc, char **argv)
189
{
190
  ssize_t len;
191
  char *buf;
192
  int i;
193
194
  for (i = 1; i < argc; i++) {
195
    len = 0;
196
    buf = VFIL_readfile(NULL, argv[i], &len);
197
    AN(buf);
198
    LLVMFuzzerTestOneInput((uint8_t *)buf, len);
199
    free(buf);
200
  }
201
}
202
#endif