| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include <algorithm> |
| 6 #include <iostream> |
| 7 #include <set> |
| 8 #include <vector> |
| 9 |
| 10 #include "base/command_line.h" |
| 11 #include "base/hash_tables.h" |
| 12 #include "base/memory/singleton.h" |
| 13 #include "base/message_loop.h" |
| 14 #include "base/process_util.h" |
| 15 #include "base/scoped_ptr.h" |
| 16 #include "base/string_number_conversions.h" |
| 17 #include "base/string_util.h" |
| 18 #include "base/threading/thread.h" |
| 19 #include "base/time.h" |
| 20 #include "base/utf_string_conversions.h" |
| 21 #include "chrome/tools/ipclist/all_messages.h" |
| 22 #include "ipc/ipc_message.h" |
| 23 #include "ipc/ipc_message_utils.h" |
| 24 #include "ipc/ipc_switches.h" |
| 25 #include "ipc/ipc_sync_channel.h" |
| 26 #include "ipc/ipc_sync_message.h" |
| 27 |
| 28 #if defined(OS_POSIX) |
| 29 #include <unistd.h> |
| 30 #endif |
| 31 |
| 32 namespace IPC { |
| 33 class Message; |
| 34 |
| 35 // Interface implemented by those who select messages for fuzzing. |
| 36 class Selector { |
| 37 public: |
| 38 virtual bool FuzzThisMessage(const IPC::Message *msg) = 0; |
| 39 }; |
| 40 |
| 41 // Interface implemented by those who fuzz basic types. The types all |
| 42 // correspond to the types which a pickle from base/pickle.h can pickle, |
| 43 // plus the floating point types. |
| 44 class Fuzzer { |
| 45 public: |
| 46 virtual void FuzzBool(bool* value) = 0; |
| 47 virtual void FuzzInt(int* value) = 0; |
| 48 virtual void FuzzLong(long* value) = 0; |
| 49 virtual void FuzzSize(size_t* value) = 0; |
| 50 virtual void FuzzUChar(unsigned char *value) = 0; |
| 51 virtual void FuzzUInt16(uint16* value) = 0; |
| 52 virtual void FuzzUInt32(uint32* value) = 0; |
| 53 virtual void FuzzInt64(int64* value) = 0; |
| 54 virtual void FuzzUInt64(uint64* value) = 0; |
| 55 virtual void FuzzFloat(float *value) = 0; |
| 56 virtual void FuzzDouble(double *value) = 0; |
| 57 virtual void FuzzString(std::string* value) = 0; |
| 58 virtual void FuzzWString(std::wstring* value) = 0; |
| 59 virtual void FuzzString16(string16* value) = 0; |
| 60 virtual void FuzzData(char* data, int length) = 0; |
| 61 virtual void FuzzBytes(void* data, int data_len) = 0; |
| 62 }; |
| 63 |
| 64 } // Namespace IPC |
| 65 |
| 66 namespace { |
| 67 |
| 68 template <typename T> |
| 69 void FuzzIntegralType(T* value, unsigned int frequency) { |
| 70 if (rand() % frequency == 0) { |
| 71 switch (rand() % 4) { |
| 72 case 0: (*value) = 0; break; |
| 73 case 1: (*value)--; break; |
| 74 case 2: (*value)++; break; |
| 75 case 3: (*value) ^= rand(); break; |
| 76 } |
| 77 } |
| 78 } |
| 79 |
| 80 template <typename T> |
| 81 void FuzzStringType(T* value, unsigned int frequency, |
| 82 const T& literal1, const T& literal2) { |
| 83 if (rand() % frequency == 0) { |
| 84 switch (rand() % 5) { |
| 85 case 4: (*value) = (*value) + (*value); // FALLTHROUGH |
| 86 case 3: (*value) = (*value) + (*value); // FALLTHROUGH |
| 87 case 2: (*value) = (*value) + (*value); break; |
| 88 case 1: (*value) += literal1; break; |
| 89 case 0: (*value) = literal2; break; |
| 90 } |
| 91 } |
| 92 } |
| 93 |
| 94 } // Namespace |
| 95 |
| 96 // One such fuzzer implementation. |
| 97 class DefaultFuzzer : public IPC::Fuzzer, public IPC::Selector { |
| 98 public: |
| 99 static const int DEFAULT_FREQUENCY = 23; |
| 100 |
| 101 DefaultFuzzer() : frequency_(DEFAULT_FREQUENCY) { |
| 102 const char *env_var; |
| 103 if ((env_var = getenv("CHROME_IPC_FUZZING_LIST"))) { |
| 104 std::string str = std::string(env_var); |
| 105 size_t pos; |
| 106 while ((pos = str.find_first_of(',')) != std::string::npos) { |
| 107 message_set_.insert(atoi(str.substr(0, pos).c_str())); |
| 108 str = str.substr(pos+1); |
| 109 } |
| 110 message_set_.insert(atoi(str.c_str())); |
| 111 } |
| 112 |
| 113 if ((env_var = getenv("CHROME_IPC_FUZZING_SEED"))) { |
| 114 int new_seed = atoi(env_var); |
| 115 if (new_seed) |
| 116 srand(new_seed); |
| 117 } |
| 118 |
| 119 if ((env_var = getenv("CHROME_IPC_FUZZING_FREQUENCY"))) |
| 120 { |
| 121 unsigned int new_frequency = atoi(env_var); |
| 122 if (new_frequency) |
| 123 frequency_ = new_frequency; |
| 124 } |
| 125 } |
| 126 |
| 127 virtual ~DefaultFuzzer() {} |
| 128 |
| 129 // Interface "fuzzer" methods. |
| 130 virtual void FuzzBool(bool* value) { |
| 131 if (rand() % frequency_ == 0) |
| 132 (*value) = !(*value); |
| 133 } |
| 134 |
| 135 virtual void FuzzInt(int* value) { |
| 136 FuzzIntegralType<int>(value, frequency_); |
| 137 } |
| 138 |
| 139 virtual void FuzzLong(long* value) { |
| 140 FuzzIntegralType<long>(value, frequency_); |
| 141 } |
| 142 |
| 143 virtual void FuzzSize(size_t* value) { |
| 144 FuzzIntegralType<size_t>(value, frequency_); |
| 145 } |
| 146 |
| 147 virtual void FuzzUChar(unsigned char* value) { |
| 148 FuzzIntegralType<unsigned char>(value, frequency_); |
| 149 } |
| 150 |
| 151 virtual void FuzzUInt16(uint16* value) { |
| 152 FuzzIntegralType<uint16>(value, frequency_); |
| 153 } |
| 154 |
| 155 virtual void FuzzUInt32(uint32* value) { |
| 156 FuzzIntegralType<uint32>(value, frequency_); |
| 157 } |
| 158 |
| 159 virtual void FuzzInt64(int64* value) { |
| 160 FuzzIntegralType<int64>(value, frequency_); |
| 161 } |
| 162 |
| 163 virtual void FuzzUInt64(uint64* value) { |
| 164 FuzzIntegralType<uint64>(value, frequency_); |
| 165 } |
| 166 |
| 167 virtual void FuzzFloat(float* value) { |
| 168 if (rand() % frequency_ == 0) |
| 169 (*value) *= rand() / 1000000.0; |
| 170 } |
| 171 |
| 172 virtual void FuzzDouble(double* value) { |
| 173 if (rand() % frequency_ == 0) |
| 174 (*value) *= rand() / 1000000.0; |
| 175 } |
| 176 |
| 177 virtual void FuzzString(std::string* value) { |
| 178 FuzzStringType<std::string>(value, frequency_, "BORKED", ""); |
| 179 } |
| 180 |
| 181 virtual void FuzzWString(std::wstring* value) { |
| 182 FuzzStringType<std::wstring>(value, frequency_, L"BORKED", L""); |
| 183 } |
| 184 |
| 185 virtual void FuzzString16(string16* value) { |
| 186 FuzzStringType<string16>(value, frequency_, |
| 187 WideToUTF16(L"BORKED"), |
| 188 WideToUTF16(L"")); |
| 189 } |
| 190 |
| 191 virtual void FuzzData(char* data, int length) { |
| 192 if (rand() % frequency_ == 0) { |
| 193 for (int i = 0; i < length; ++i) { |
| 194 FuzzIntegralType<char>(&data[i], frequency_); |
| 195 } |
| 196 } |
| 197 } |
| 198 |
| 199 virtual void FuzzBytes(void* data, int data_len) { |
| 200 FuzzData(static_cast<char*>(data), data_len); |
| 201 } |
| 202 |
| 203 // Interface "selector" methods. |
| 204 virtual bool FuzzThisMessage(const IPC::Message *msg) { |
| 205 return (message_set_.empty() || |
| 206 std::find(message_set_.begin(), |
| 207 message_set_.end(), |
| 208 msg->type()) != message_set_.end()); |
| 209 } |
| 210 |
| 211 private: |
| 212 std::set<int> message_set_; |
| 213 unsigned int frequency_; |
| 214 }; |
| 215 |
| 216 // Partially-specialized class that knows how to fuzz a given type. |
| 217 template <class P> |
| 218 struct FuzzTraits { |
| 219 static void Fuzz(P* p, IPC::Fuzzer *fuzzer) {} |
| 220 }; |
| 221 |
| 222 // Template function to invoke partially-specialized class method. |
| 223 template <class P> |
| 224 static void FuzzParam(P* p, IPC::Fuzzer* fuzzer) { |
| 225 FuzzTraits<P>::Fuzz(p, fuzzer); |
| 226 } |
| 227 |
| 228 // Specializations to fuzz primitive types. |
| 229 template <> |
| 230 struct FuzzTraits<bool> { |
| 231 static void Fuzz(bool* p, IPC::Fuzzer* fuzzer) { |
| 232 fuzzer->FuzzBool(p); |
| 233 } |
| 234 }; |
| 235 |
| 236 template <> |
| 237 struct FuzzTraits<int> { |
| 238 static void Fuzz(int* p, IPC::Fuzzer* fuzzer) { |
| 239 fuzzer->FuzzInt(p); |
| 240 } |
| 241 }; |
| 242 |
| 243 template <> |
| 244 struct FuzzTraits<unsigned int> { |
| 245 static void Fuzz(unsigned int* p, IPC::Fuzzer* fuzzer) { |
| 246 fuzzer->FuzzInt(reinterpret_cast<int*>(p)); |
| 247 } |
| 248 }; |
| 249 |
| 250 template <> |
| 251 struct FuzzTraits<long> { |
| 252 static void Fuzz(long* p, IPC::Fuzzer* fuzzer) { |
| 253 fuzzer->FuzzLong(p); |
| 254 } |
| 255 }; |
| 256 |
| 257 template <> |
| 258 struct FuzzTraits<unsigned long> { |
| 259 static void Fuzz(unsigned long* p, IPC::Fuzzer* fuzzer) { |
| 260 fuzzer->FuzzLong(reinterpret_cast<long*>(p)); |
| 261 } |
| 262 }; |
| 263 |
| 264 template <> |
| 265 struct FuzzTraits<long long> { |
| 266 static void Fuzz(long long* p, IPC::Fuzzer* fuzzer) { |
| 267 fuzzer->FuzzInt64(reinterpret_cast<int64*>(p)); |
| 268 } |
| 269 }; |
| 270 |
| 271 template <> |
| 272 struct FuzzTraits<unsigned long long> { |
| 273 static void Fuzz(unsigned long long* p, IPC::Fuzzer* fuzzer) { |
| 274 fuzzer->FuzzInt64(reinterpret_cast<int64*>(p)); |
| 275 } |
| 276 }; |
| 277 |
| 278 template <> |
| 279 struct FuzzTraits<short> { |
| 280 static void Fuzz(short* p, IPC::Fuzzer* fuzzer) { |
| 281 fuzzer->FuzzUInt16(reinterpret_cast<uint16*>(p)); |
| 282 } |
| 283 }; |
| 284 |
| 285 template <> |
| 286 struct FuzzTraits<unsigned short> { |
| 287 static void Fuzz(unsigned short* p, IPC::Fuzzer* fuzzer) { |
| 288 fuzzer->FuzzUInt16(reinterpret_cast<uint16*>(p)); |
| 289 } |
| 290 }; |
| 291 |
| 292 template <> |
| 293 struct FuzzTraits<char> { |
| 294 static void Fuzz(char* p, IPC::Fuzzer* fuzzer) { |
| 295 fuzzer->FuzzUChar(reinterpret_cast<unsigned char*>(p)); |
| 296 } |
| 297 }; |
| 298 |
| 299 template <> |
| 300 struct FuzzTraits<unsigned char> { |
| 301 static void Fuzz(unsigned char* p, IPC::Fuzzer* fuzzer) { |
| 302 fuzzer->FuzzUChar(p); |
| 303 } |
| 304 }; |
| 305 |
| 306 template <> |
| 307 struct FuzzTraits<float> { |
| 308 static void Fuzz(float* p, IPC::Fuzzer* fuzzer) { |
| 309 fuzzer->FuzzFloat(p); |
| 310 } |
| 311 }; |
| 312 |
| 313 template <> |
| 314 struct FuzzTraits<double> { |
| 315 static void Fuzz(double* p, IPC::Fuzzer* fuzzer) { |
| 316 fuzzer->FuzzDouble(p); |
| 317 } |
| 318 }; |
| 319 |
| 320 template <> |
| 321 struct FuzzTraits<std::string> { |
| 322 static void Fuzz(std::string* p, IPC::Fuzzer* fuzzer) { |
| 323 fuzzer->FuzzString(p); |
| 324 } |
| 325 }; |
| 326 |
| 327 template <> |
| 328 struct FuzzTraits<std::wstring> { |
| 329 static void Fuzz(std::wstring* p, IPC::Fuzzer* fuzzer) { |
| 330 fuzzer->FuzzWString(p); |
| 331 } |
| 332 }; |
| 333 |
| 334 template <> |
| 335 struct FuzzTraits<string16> { |
| 336 static void Fuzz(string16* p, IPC::Fuzzer* fuzzer) { |
| 337 fuzzer->FuzzString16(p); |
| 338 } |
| 339 }; |
| 340 |
| 341 // Specializations to fuzz tuples. |
| 342 template <class A> |
| 343 struct FuzzTraits<Tuple1<A> > { |
| 344 static void Fuzz(Tuple1<A>* p, IPC::Fuzzer* fuzzer) { |
| 345 FuzzParam(&p->a, fuzzer); |
| 346 } |
| 347 }; |
| 348 |
| 349 template <class A, class B> |
| 350 struct FuzzTraits<Tuple2<A, B> > { |
| 351 static void Fuzz(Tuple2<A, B>* p, IPC::Fuzzer* fuzzer) { |
| 352 FuzzParam(&p->a, fuzzer); |
| 353 FuzzParam(&p->b, fuzzer); |
| 354 } |
| 355 }; |
| 356 |
| 357 template <class A, class B, class C> |
| 358 struct FuzzTraits<Tuple3<A, B, C> > { |
| 359 static void Fuzz(Tuple3<A, B, C>* p, IPC::Fuzzer* fuzzer) { |
| 360 FuzzParam(&p->a, fuzzer); |
| 361 FuzzParam(&p->b, fuzzer); |
| 362 FuzzParam(&p->c, fuzzer); |
| 363 } |
| 364 }; |
| 365 |
| 366 template <class A, class B, class C, class D> |
| 367 struct FuzzTraits<Tuple4<A, B, C, D> > { |
| 368 static void Fuzz(Tuple4<A, B, C, D>* p, IPC::Fuzzer* fuzzer) { |
| 369 FuzzParam(&p->a, fuzzer); |
| 370 FuzzParam(&p->b, fuzzer); |
| 371 FuzzParam(&p->c, fuzzer); |
| 372 FuzzParam(&p->d, fuzzer); |
| 373 } |
| 374 }; |
| 375 |
| 376 template <class A, class B, class C, class D, class E> |
| 377 struct FuzzTraits<Tuple5<A, B, C, D, E> > { |
| 378 static void Fuzz(Tuple5<A, B, C, D, E>* p, IPC::Fuzzer* fuzzer) { |
| 379 FuzzParam(&p->a, fuzzer); |
| 380 FuzzParam(&p->b, fuzzer); |
| 381 FuzzParam(&p->c, fuzzer); |
| 382 FuzzParam(&p->d, fuzzer); |
| 383 FuzzParam(&p->e, fuzzer); |
| 384 } |
| 385 }; |
| 386 |
| 387 // Specializations to fuzz containers. |
| 388 template <class A> |
| 389 struct FuzzTraits<std::vector<A> > { |
| 390 static void Fuzz(std::vector<A>* p, IPC::Fuzzer* fuzzer) { |
| 391 for (size_t i = 0; i < p->size(); ++i) { |
| 392 FuzzParam(&p->at(i), fuzzer); |
| 393 } |
| 394 } |
| 395 }; |
| 396 |
| 397 template <class A, class B> |
| 398 struct FuzzTraits<std::map<A, B> > { |
| 399 static void Fuzz(std::map<A, B>* p, IPC::Fuzzer* fuzzer) { |
| 400 typename std::map<A, B>::iterator it; |
| 401 for (it = p->begin(); it != p->end(); ++it) { |
| 402 FuzzParam(&it->second, fuzzer); |
| 403 } |
| 404 } |
| 405 }; |
| 406 |
| 407 template <class A, class B> |
| 408 struct FuzzTraits<std::pair<A, B> > { |
| 409 static void Fuzz(std::pair<A, B>* p, IPC::Fuzzer* fuzzer) { |
| 410 FuzzParam(&p->second, fuzzer); |
| 411 } |
| 412 }; |
| 413 |
| 414 // Specializations to fuzz hand-coded tyoes |
| 415 template <> |
| 416 struct FuzzTraits<base::FileDescriptor> { |
| 417 static void Fuzz(base::FileDescriptor* p, IPC::Fuzzer* fuzzer) { |
| 418 FuzzParam(&p->fd, fuzzer); |
| 419 } |
| 420 }; |
| 421 |
| 422 template <> |
| 423 struct FuzzTraits<GURL> { |
| 424 static void Fuzz(GURL *p, IPC::Fuzzer* fuzzer) { |
| 425 FuzzParam(&p->possibly_invalid_spec(), fuzzer); |
| 426 } |
| 427 }; |
| 428 |
| 429 template <> |
| 430 struct FuzzTraits<gfx::Point> { |
| 431 static void Fuzz(gfx::Point *p, IPC::Fuzzer* fuzzer) { |
| 432 int x = p->x(); |
| 433 int y = p->y(); |
| 434 FuzzParam(&x, fuzzer); |
| 435 FuzzParam(&y, fuzzer); |
| 436 p->SetPoint(x, y); |
| 437 } |
| 438 }; |
| 439 |
| 440 template <> |
| 441 struct FuzzTraits<gfx::Size> { |
| 442 static void Fuzz(gfx::Size *p, IPC::Fuzzer* fuzzer) { |
| 443 int w = p->width(); |
| 444 int h = p->height(); |
| 445 FuzzParam(&w, fuzzer); |
| 446 FuzzParam(&h, fuzzer); |
| 447 p->SetSize(w, h); |
| 448 } |
| 449 }; |
| 450 |
| 451 template <> |
| 452 struct FuzzTraits<gfx::Rect> { |
| 453 static void Fuzz(gfx::Rect *p, IPC::Fuzzer* fuzzer) { |
| 454 gfx::Point origin = p->origin(); |
| 455 gfx::Size size = p->size(); |
| 456 FuzzParam(&origin, fuzzer); |
| 457 FuzzParam(&size, fuzzer); |
| 458 p->set_origin(origin); |
| 459 p->set_size(size); |
| 460 } |
| 461 }; |
| 462 |
| 463 // Redefine macros to generate fuzzing from traits declarations. |
| 464 // Null out all the macros that need nulling. |
| 465 #include "ipc/ipc_message_null_macros.h" |
| 466 |
| 467 // STRUCT declarations cause corresponding STRUCT_TRAITS declarations to occur. |
| 468 #undef IPC_STRUCT_BEGIN |
| 469 #undef IPC_STRUCT_MEMBER |
| 470 #undef IPC_STRUCT_END |
| 471 #define IPC_STRUCT_BEGIN(struct_name) IPC_STRUCT_TRAITS_BEGIN(struct_name) |
| 472 #define IPC_STRUCT_MEMBER(type, name) IPC_STRUCT_TRAITS_MEMBER(name) |
| 473 #define IPC_STRUCT_END() IPC_STRUCT_TRAITS_END() |
| 474 |
| 475 // Set up so next include will generate fuzz trait classes. |
| 476 #undef IPC_STRUCT_TRAITS_BEGIN |
| 477 #undef IPC_STRUCT_TRAITS_MEMBER |
| 478 #undef IPC_STRUCT_TRAITS_PARENT |
| 479 #undef IPC_STRUCT_TRAITS_END |
| 480 #define IPC_STRUCT_TRAITS_BEGIN(struct_name) \ |
| 481 template <> \ |
| 482 struct FuzzTraits<struct_name> { \ |
| 483 static void Fuzz(struct_name *p, IPC::Fuzzer* fuzzer) { \ |
| 484 |
| 485 #define IPC_STRUCT_TRAITS_MEMBER(name) \ |
| 486 FuzzParam(&p->name, fuzzer); |
| 487 |
| 488 #define IPC_STRUCT_TRAITS_PARENT(type) \ |
| 489 FuzzParam(static_cast<type*>(p), fuzzer); |
| 490 |
| 491 #define IPC_STRUCT_TRAITS_END() \ |
| 492 } \ |
| 493 }; |
| 494 |
| 495 #undef IPC_ENUM_TRAITS |
| 496 #define IPC_ENUM_TRAITS(enum_name) \ |
| 497 template <> \ |
| 498 struct FuzzTraits<enum_name> { \ |
| 499 static void Fuzz(enum_name* p, IPC::Fuzzer* fuzzer) { \ |
| 500 FuzzParam(reinterpret_cast<int*>(p), fuzzer); \ |
| 501 } \ |
| 502 }; |
| 503 |
| 504 // Bring them into existence. |
| 505 #include "chrome/tools/ipclist/all_messages.h" |
| 506 |
| 507 // Redefine macros to generate fuzzing funtions |
| 508 #include "ipc/ipc_message_null_macros.h" |
| 509 #undef IPC_MESSAGE_DECL |
| 510 #define IPC_MESSAGE_DECL(kind, type, name, in, out, ilist, olist) \ |
| 511 IPC_##kind##_##type##_FUZZ(name, in, out, ilist, olist) |
| 512 |
| 513 #define IPC_EMPTY_CONTROL_FUZZ(name, in, out, ilist, olist) \ |
| 514 IPC::Message* fuzzer_for_##name(IPC::Message *msg, IPC::Fuzzer* fuzzer) { \ |
| 515 return NULL; \ |
| 516 } |
| 517 |
| 518 #define IPC_EMPTY_ROUTED_FUZZ(name, in, out, ilist, olist) \ |
| 519 IPC::Message* fuzzer_for_##name(IPC::Message *msg, IPC::Fuzzer* fuzzer) { \ |
| 520 return NULL; \ |
| 521 } |
| 522 |
| 523 #define IPC_ASYNC_CONTROL_FUZZ(name, in, out, ilist, olist) \ |
| 524 IPC::Message* fuzzer_for_##name(IPC::Message *msg, IPC::Fuzzer* fuzzer) { \ |
| 525 name* real_msg = static_cast<name*>(msg); \ |
| 526 IPC_TUPLE_IN_##in ilist p; \ |
| 527 name::Read(real_msg, &p); \ |
| 528 FuzzParam(&p, fuzzer); \ |
| 529 return new name(IPC_MEMBERS_IN_##in(p)); \ |
| 530 } |
| 531 |
| 532 #define IPC_ASYNC_ROUTED_FUZZ(name, in, out, ilist, olist) \ |
| 533 IPC::Message* fuzzer_for_##name(IPC::Message *msg, IPC::Fuzzer* fuzzer) { \ |
| 534 name* real_msg = static_cast<name*>(msg); \ |
| 535 IPC_TUPLE_IN_##in ilist p; \ |
| 536 name::Read(real_msg, &p); \ |
| 537 FuzzParam(&p, fuzzer); \ |
| 538 return new name(msg->routing_id() \ |
| 539 IPC_COMMA_##in \ |
| 540 IPC_MEMBERS_IN_##in(p)); \ |
| 541 } |
| 542 |
| 543 #define IPC_SYNC_CONTROL_FUZZ(name, in, out, ilist, olist) \ |
| 544 IPC::Message* fuzzer_for_##name(IPC::Message *msg, IPC::Fuzzer* fuzzer) { \ |
| 545 name* real_msg = static_cast<name*>(msg); \ |
| 546 IPC_TUPLE_IN_##in ilist p; \ |
| 547 name::ReadSendParam(real_msg, &p); \ |
| 548 FuzzParam(&p, fuzzer); \ |
| 549 IPC_TUPLE_OUT_##out olist q = \ |
| 550 static_cast<IPC::ParamDeserializer<IPC_TUPLE_OUT_##out olist>*>( \ |
| 551 real_msg->GetReplyDeserializer())->out_; \ |
| 552 name* new_msg = new name(IPC_MEMBERS_IN_##in(p) \ |
| 553 IPC_COMMA_AND_##out(IPC_COMMA_##in) \ |
| 554 IPC_MEMBERS_OUT_##out(q)); \ |
| 555 return new_msg; \ |
| 556 } |
| 557 |
| 558 |
| 559 #define IPC_SYNC_ROUTED_FUZZ(name, in, out, ilist, olist) \ |
| 560 IPC::Message* fuzzer_for_##name(IPC::Message *msg, IPC::Fuzzer* fuzzer) { \ |
| 561 name* real_msg = static_cast<name*>(msg); \ |
| 562 IPC_TUPLE_IN_##in ilist p; \ |
| 563 name::ReadSendParam(real_msg, &p); \ |
| 564 FuzzParam(&p, fuzzer); \ |
| 565 IPC_TUPLE_OUT_##out olist q = \ |
| 566 static_cast<IPC::ParamDeserializer<IPC_TUPLE_OUT_##out olist>*>( \ |
| 567 real_msg->GetReplyDeserializer())->out_; \ |
| 568 name* new_msg = new name(msg->routing_id() \ |
| 569 IPC_COMMA_OR_##out(IPC_COMMA_##in) \ |
| 570 IPC_MEMBERS_IN_##in(p) \ |
| 571 IPC_COMMA_AND_##out(IPC_COMMA_##in) \ |
| 572 IPC_MEMBERS_OUT_##out(q)); \ |
| 573 return new_msg; \ |
| 574 } |
| 575 |
| 576 #define IPC_MEMBERS_IN_0(p) |
| 577 #define IPC_MEMBERS_IN_1(p) p.a |
| 578 #define IPC_MEMBERS_IN_2(p) p.a, p.b |
| 579 #define IPC_MEMBERS_IN_3(p) p.a, p.b, p.c |
| 580 #define IPC_MEMBERS_IN_4(p) p.a, p.b, p.c, p.d |
| 581 #define IPC_MEMBERS_IN_5(p) p.a, p.b, p.c, p.d, p.e |
| 582 |
| 583 #define IPC_MEMBERS_OUT_0(q) |
| 584 #define IPC_MEMBERS_OUT_1(q) &q.a |
| 585 #define IPC_MEMBERS_OUT_2(q) &q.a, &q.b |
| 586 #define IPC_MEMBERS_OUT_3(q) &q.a, &q.b, &q.c |
| 587 #define IPC_MEMBERS_OUT_4(q) &q.a, &q.b, &q.c, &q.d |
| 588 #define IPC_MEMBERS_OUT_5(q) &q.a, &q.b, &q.c, &q.d, &q.e |
| 589 |
| 590 #include "chrome/tools/ipclist/all_messages.h" |
| 591 |
| 592 typedef IPC::Message* (*FuzzFunction)(IPC::Message*, IPC::Fuzzer*); |
| 593 typedef base::hash_map<uint32, FuzzFunction> FuzzFunctionMap; |
| 594 |
| 595 // Redefine macros to register fuzzing functions into map. |
| 596 #include "ipc/ipc_message_null_macros.h" |
| 597 #undef IPC_MESSAGE_DECL |
| 598 #define IPC_MESSAGE_DECL(kind, type, name, in, out, ilist, olist) \ |
| 599 (*map)[static_cast<uint32>(name::ID)] = fuzzer_for_##name; |
| 600 |
| 601 void PopulateFuzzFunctionMap(FuzzFunctionMap *map) { |
| 602 #include "chrome/tools/ipclist/all_messages.h" |
| 603 } |
| 604 |
| 605 class ipcfuzz : public IPC::OutgoingMessageFilter { |
| 606 public: |
| 607 ipcfuzz() : fuzzer_(NULL), selector_(NULL) { |
| 608 PopulateFuzzFunctionMap(&fuzz_function_map_); |
| 609 DefaultFuzzer *fuzzer = new DefaultFuzzer(); |
| 610 fuzzer_ = fuzzer; |
| 611 selector_ = fuzzer; |
| 612 } |
| 613 |
| 614 IPC::Message* Rewrite(IPC::Message* message) { |
| 615 if (fuzzer_ && selector_ && selector_->FuzzThisMessage(message)) { |
| 616 FuzzFunctionMap::iterator it = fuzz_function_map_.find(message->type()); |
| 617 if (it != fuzz_function_map_.end()) { |
| 618 IPC::Message* fuzzed_message = (*it->second)(message, fuzzer_); |
| 619 if (fuzzed_message) { |
| 620 delete message; |
| 621 message = fuzzed_message; |
| 622 } |
| 623 } |
| 624 } |
| 625 return message; |
| 626 } |
| 627 |
| 628 private: |
| 629 IPC::Fuzzer* fuzzer_; |
| 630 IPC::Selector* selector_; |
| 631 FuzzFunctionMap fuzz_function_map_; |
| 632 }; |
| 633 |
| 634 ipcfuzz g_ipcfuzz; |
| 635 |
| 636 // Entry point avoiding mangled names. |
| 637 extern "C" { |
| 638 __attribute__((visibility("default"))) |
| 639 IPC::OutgoingMessageFilter* GetFilter(void); |
| 640 } |
| 641 |
| 642 IPC::OutgoingMessageFilter* GetFilter(void) { |
| 643 return &g_ipcfuzz; |
| 644 } |
| 645 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6711024:
Example of how to interpose yourself in a message stream. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/