/src/vinyl-cache/bin/vinyld/fuzzers/esi_parse_fuzzer.c

Source
/*-
 * Copyright (c) 2018 Varnish Software AS
 * All rights reserved.
 *
 * Author: Federico G. Schwindt <fgsch@lodoss.net>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * ESI parser fuzzer.
 */

#include "config.h"

#include <string.h>
#include <stdlib.h>
#include <stdio.h>

#include "cache/cache_vinyld.h"
#include "cache/cache_vgz.h"    /* enum vgz_flag */
#include "cache/cache_esi.h"
#include "cache/cache_filter.h"   /* struct vfp_ctx */
#include "cache/cache_obj.h"    /* cache_filter.h uses ObjVAI */

#include "vfil.h"

int LLVMFuzzerTestOneInput(const uint8_t *, size_t);

struct VSC_main *VSC_C_main;
volatile struct params *cache_param;

int
PAN__DumpStruct(struct vsb *vsb, int block, int track, const void *ptr,
    const char *smagic, unsigned magic, const char *fmt, ...)
{
  (void)vsb;
  (void)block;
  (void)track;
  (void)ptr;
  (void)smagic;
  (void)magic;
  (void)fmt;
  return (0);
}

void
VSL(enum VSL_tag_e tag, vxid_t vxid, const char *fmt, ...)
{
  (void)tag;
  (void)vxid;
  (void)fmt;
}

void
VSLb(struct vsl_log *vsl, enum VSL_tag_e tag, const char *fmt, ...)
{
  (void)vsl;
  (void)tag;
  (void)fmt;
}

void
VSLb_ts(struct vsl_log *l, const char *event, vtim_real first, vtim_real *pprev,
    vtim_real now)
{
  (void)l;
  (void)event;
  (void)first;
  (void)pprev;
  (void)now;
}

int
ObjVAIlease(struct worker *wrk, vai_hdl vhdl, struct vscarab *scarab)
{

  (void)wrk;
  (void)vhdl;
  (void)scarab;
  return (0);
}

void
ObjVAIreturn(struct worker *wrk, vai_hdl vhdl, struct vscaret *scaret)
{
  (void)wrk;
  (void)vhdl;
  (void)scaret;
}

void
WRK_Log(enum VSL_tag_e tag, const char *fmt, ...)
{

  (void)tag;
  (void)fmt;
}

int
LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
  struct VSC_main __VSC_C_main;
  struct params __cache_param;
  struct http req[1];
  struct http resp[1];
  struct vfp_ctx vc[1];
  struct worker wrk[1];
  struct ws ws[1];
  struct vep_state *vep;
  struct vsb *vsb;
  txt hd[HTTP_HDR_URL + 1];
  struct vep_flags flags = {0};
  char ws_buf[1024];

  if (size < 1)
    return (0);

  AN(data);

  VSC_C_main = &__VSC_C_main;
  cache_param = &__cache_param;

  memset(&__cache_param, 0, sizeof(__cache_param));
  if (data[0] & 0x8f)
    flags.esi_ignore_https = 1;
  if (size > 1 && data[1] & 0x8f)
    flags.esi_disable_xml_check = 1;
  if (size > 2 && data[2] & 0x8f)
    flags.esi_ignore_other_elements = 1;
  if (size > 3 && data[3] & 0x8f)
    flags.esi_remove_bom = 1;

  /* Setup ws */
  WS_Init(ws, "req", ws_buf, sizeof ws_buf);

  /* Setup req */
  INIT_OBJ(req, HTTP_MAGIC);
  req->hd = hd;
  req->hd[HTTP_HDR_URL].b = "/";
  req->ws = ws;

  /* Setup resp */
  INIT_OBJ(resp, HTTP_MAGIC);
  resp->ws = ws;

  /* Setup wrk */
  INIT_OBJ(wrk, WORKER_MAGIC);

  /* Setup vc */
  INIT_OBJ(vc, VFP_CTX_MAGIC);
  vc->wrk = wrk;
  vc->resp = resp;

  vep = VEP_Init(vc, req, NULL, NULL, flags);

  AN(vep);
  VEP_Parse(vep, (const char *)data, size);
  vsb = VEP_Finish(vep);
  if (vsb != NULL)
    VSB_destroy(&vsb);
  WS_Rollback(ws, 0);

  return (0);
}

#if defined(TEST_DRIVER)
int
main(int argc, char **argv)
{
  ssize_t len;
  char *buf;
  int i;

  for (i = 1; i < argc; i++) {
    len = 0;
    buf = VFIL_readfile(NULL, argv[i], &len);
    AN(buf);
    LLVMFuzzerTestOneInput((uint8_t *)buf, len);
    free(buf);
  }
}
#endif

Coverage Report

Created: 2026-06-13 06:23

Line	Count	Source
1		/*-
2		* Copyright (c) 2018 Varnish Software AS
3		* All rights reserved.
4		*
5		* Author: Federico G. Schwindt <fgsch@lodoss.net>
6		*
7		* SPDX-License-Identifier: BSD-2-Clause
8		*
9		* Redistribution and use in source and binary forms, with or without
10		* modification, are permitted provided that the following conditions
11		* are met:
12		* 1. Redistributions of source code must retain the above copyright
13		* notice, this list of conditions and the following disclaimer.
14		* 2. Redistributions in binary form must reproduce the above copyright
15		* notice, this list of conditions and the following disclaimer in the
16		* documentation and/or other materials provided with the distribution.
17		*
18		* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19		* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21		* ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
22		* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23		* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24		* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25		* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26		* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27		* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28		* SUCH DAMAGE.
29		*
30		* ESI parser fuzzer.
31		*/
32
33		#include "config.h"
34
35		#include <string.h>
36		#include <stdlib.h>
37		#include <stdio.h>
38
39		#include "cache/cache_vinyld.h"
40		#include "cache/cache_vgz.h" /* enum vgz_flag */
41		#include "cache/cache_esi.h"
42		#include "cache/cache_filter.h" /* struct vfp_ctx */
43		#include "cache/cache_obj.h" /* cache_filter.h uses ObjVAI */
44
45		#include "vfil.h"
46
47		int LLVMFuzzerTestOneInput(const uint8_t *, size_t);
48
49		struct VSC_main *VSC_C_main;
50		volatile struct params *cache_param;
51
52		int
53		PAN__DumpStruct(struct vsb vsb, int block, int track, const void ptr,
54		const char smagic, unsigned magic, const char fmt, ...)
55	0	{
56	0	(void)vsb;
57	0	(void)block;
58	0	(void)track;
59	0	(void)ptr;
60	0	(void)smagic;
61	0	(void)magic;
62	0	(void)fmt;
63	0	return (0);
64	0	}
65
66		void
67		VSL(enum VSL_tag_e tag, vxid_t vxid, const char *fmt, ...)
68	0	{
69	0	(void)tag;
70	0	(void)vxid;
71	0	(void)fmt;
72	0	}
73
74		void
75		VSLb(struct vsl_log vsl, enum VSL_tag_e tag, const char fmt, ...)
76	41.3k	{
77	41.3k	(void)vsl;
78	41.3k	(void)tag;
79	41.3k	(void)fmt;
80	41.3k	}
81
82		void
83		VSLb_ts(struct vsl_log l, const char event, vtim_real first, vtim_real *pprev,
84		vtim_real now)
85	0	{
86	0	(void)l;
87	0	(void)event;
88	0	(void)first;
89	0	(void)pprev;
90	0	(void)now;
91	0	}
92
93		int
94		ObjVAIlease(struct worker wrk, vai_hdl vhdl, struct vscarab scarab)
95	0	{
96
97	0	(void)wrk;
98	0	(void)vhdl;
99	0	(void)scarab;
100	0	return (0);
101	0	}
102
103		void
104		ObjVAIreturn(struct worker wrk, vai_hdl vhdl, struct vscaret scaret)
105	0	{
106	0	(void)wrk;
107	0	(void)vhdl;
108	0	(void)scaret;
109	0	}
110
111		void
112		WRK_Log(enum VSL_tag_e tag, const char *fmt, ...)
113	0	{
114
115	0	(void)tag;
116	0	(void)fmt;
117	0	}
118
119		int
120		LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
121	1.62k	{
122	1.62k	struct VSC_main __VSC_C_main;
123	1.62k	struct params __cache_param;
124	1.62k	struct http req[1];
125	1.62k	struct http resp[1];
126	1.62k	struct vfp_ctx vc[1];
127	1.62k	struct worker wrk[1];
128	1.62k	struct ws ws[1];
129	1.62k	struct vep_state *vep;
130	1.62k	struct vsb *vsb;
131	1.62k	txt hd[HTTP_HDR_URL + 1];
132	1.62k	struct vep_flags flags = {0};
133	1.62k	char ws_buf[1024];
134
135	1.62k	if (size < 1)
136	0	return (0);
137
138	1.62k	AN(data);
139
140	1.62k	VSC_C_main = &__VSC_C_main;
141	1.62k	cache_param = &__cache_param;
142
143	1.62k	memset(&__cache_param, 0, sizeof(__cache_param));
144	1.62k	if (data[0] & 0x8f)
145	1.57k	flags.esi_ignore_https = 1;
146	1.62k	if (size > 1 && data[1] & 0x8f)
147	1.52k	flags.esi_disable_xml_check = 1;
148	1.62k	if (size > 2 && data[2] & 0x8f)
149	1.50k	flags.esi_ignore_other_elements = 1;
150	1.62k	if (size > 3 && data[3] & 0x8f)
151	1.51k	flags.esi_remove_bom = 1;
152
153		/* Setup ws */
154	1.62k	WS_Init(ws, "req", ws_buf, sizeof ws_buf);
155
156		/* Setup req */
157	1.62k	INIT_OBJ(req, HTTP_MAGIC);
158	1.62k	req->hd = hd;
159	1.62k	req->hd[HTTP_HDR_URL].b = "/";
160	1.62k	req->ws = ws;
161
162		/* Setup resp */
163	1.62k	INIT_OBJ(resp, HTTP_MAGIC);
164	1.62k	resp->ws = ws;
165
166		/* Setup wrk */
167	1.62k	INIT_OBJ(wrk, WORKER_MAGIC);
168
169		/* Setup vc */
170	1.62k	INIT_OBJ(vc, VFP_CTX_MAGIC);
171	1.62k	vc->wrk = wrk;
172	1.62k	vc->resp = resp;
173
174	1.62k	vep = VEP_Init(vc, req, NULL, NULL, flags);
175
176	1.62k	AN(vep);
177	1.62k	VEP_Parse(vep, (const char *)data, size);
178	1.62k	vsb = VEP_Finish(vep);
179	1.62k	if (vsb != NULL)
180	1.11k	VSB_destroy(&vsb);
181	1.62k	WS_Rollback(ws, 0);
182
183	1.62k	return (0);
184	1.62k	}
185
186		#if defined(TEST_DRIVER)
187		int
188		main(int argc, char **argv)
189		{
190		ssize_t len;
191		char *buf;
192		int i;
193
194		for (i = 1; i < argc; i++) {
195		len = 0;
196		buf = VFIL_readfile(NULL, argv[i], &len);
197		AN(buf);
198		LLVMFuzzerTestOneInput((uint8_t *)buf, len);
199		free(buf);
200		}
201		}
202		#endif