OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <algorithm> | 5 #include <algorithm> |
6 #include <ostream> | 6 #include <ostream> |
7 #include <set> | 7 #include <set> |
8 #include <vector> | 8 #include <vector> |
9 | 9 |
10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
(...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
118 | 118 |
119 if ((env_var = getenv("CHROME_IPC_FUZZING_FREQUENCY"))) { | 119 if ((env_var = getenv("CHROME_IPC_FUZZING_FREQUENCY"))) { |
120 unsigned int new_frequency = atoi(env_var); | 120 unsigned int new_frequency = atoi(env_var); |
121 if (new_frequency) | 121 if (new_frequency) |
122 frequency_ = new_frequency; | 122 frequency_ = new_frequency; |
123 } | 123 } |
124 } | 124 } |
125 | 125 |
126 virtual ~DefaultFuzzer() {} | 126 virtual ~DefaultFuzzer() {} |
127 | 127 |
128 virtual bool FuzzThisMessage(const IPC::Message *msg) { | 128 virtual bool FuzzThisMessage(const IPC::Message *msg) OVERRIDE { |
129 return (message_set_.empty() || | 129 return (message_set_.empty() || |
130 std::find(message_set_.begin(), | 130 std::find(message_set_.begin(), |
131 message_set_.end(), | 131 message_set_.end(), |
132 msg->type()) != message_set_.end()); | 132 msg->type()) != message_set_.end()); |
133 } | 133 } |
134 | 134 |
135 virtual void FuzzBool(bool* value) { | 135 virtual void FuzzBool(bool* value) OVERRIDE { |
136 if (rand() % frequency_ == 0) | 136 if (rand() % frequency_ == 0) |
137 (*value) = !(*value); | 137 (*value) = !(*value); |
138 } | 138 } |
139 | 139 |
140 virtual void FuzzInt(int* value) { | 140 virtual void FuzzInt(int* value) OVERRIDE { |
141 FuzzIntegralType<int>(value, frequency_); | 141 FuzzIntegralType<int>(value, frequency_); |
142 } | 142 } |
143 | 143 |
144 virtual void FuzzLong(long* value) { | 144 virtual void FuzzLong(long* value) OVERRIDE { |
145 FuzzIntegralType<long>(value, frequency_); | 145 FuzzIntegralType<long>(value, frequency_); |
146 } | 146 } |
147 | 147 |
148 virtual void FuzzSize(size_t* value) { | 148 virtual void FuzzSize(size_t* value) OVERRIDE { |
149 FuzzIntegralType<size_t>(value, frequency_); | 149 FuzzIntegralType<size_t>(value, frequency_); |
150 } | 150 } |
151 | 151 |
152 virtual void FuzzUChar(unsigned char* value) { | 152 virtual void FuzzUChar(unsigned char* value) OVERRIDE { |
153 FuzzIntegralType<unsigned char>(value, frequency_); | 153 FuzzIntegralType<unsigned char>(value, frequency_); |
154 } | 154 } |
155 | 155 |
156 virtual void FuzzUInt16(uint16* value) { | 156 virtual void FuzzUInt16(uint16* value) OVERRIDE { |
157 FuzzIntegralType<uint16>(value, frequency_); | 157 FuzzIntegralType<uint16>(value, frequency_); |
158 } | 158 } |
159 | 159 |
160 virtual void FuzzUInt32(uint32* value) { | 160 virtual void FuzzUInt32(uint32* value) OVERRIDE { |
161 FuzzIntegralType<uint32>(value, frequency_); | 161 FuzzIntegralType<uint32>(value, frequency_); |
162 } | 162 } |
163 | 163 |
164 virtual void FuzzInt64(int64* value) { | 164 virtual void FuzzInt64(int64* value) OVERRIDE { |
165 FuzzIntegralType<int64>(value, frequency_); | 165 FuzzIntegralType<int64>(value, frequency_); |
166 } | 166 } |
167 | 167 |
168 virtual void FuzzUInt64(uint64* value) { | 168 virtual void FuzzUInt64(uint64* value) OVERRIDE { |
169 FuzzIntegralType<uint64>(value, frequency_); | 169 FuzzIntegralType<uint64>(value, frequency_); |
170 } | 170 } |
171 | 171 |
172 virtual void FuzzFloat(float* value) { | 172 virtual void FuzzFloat(float* value) OVERRIDE { |
173 if (rand() % frequency_ == 0) | 173 if (rand() % frequency_ == 0) |
174 (*value) *= rand() / 1000000.0; | 174 (*value) *= rand() / 1000000.0; |
175 } | 175 } |
176 | 176 |
177 virtual void FuzzDouble(double* value) { | 177 virtual void FuzzDouble(double* value) OVERRIDE { |
178 if (rand() % frequency_ == 0) | 178 if (rand() % frequency_ == 0) |
179 (*value) *= rand() / 1000000.0; | 179 (*value) *= rand() / 1000000.0; |
180 } | 180 } |
181 | 181 |
182 virtual void FuzzString(std::string* value) { | 182 virtual void FuzzString(std::string* value) OVERRIDE { |
183 FuzzStringType<std::string>(value, frequency_, "BORKED", ""); | 183 FuzzStringType<std::string>(value, frequency_, "BORKED", ""); |
184 } | 184 } |
185 | 185 |
186 virtual void FuzzWString(std::wstring* value) { | 186 virtual void FuzzWString(std::wstring* value) OVERRIDE { |
187 FuzzStringType<std::wstring>(value, frequency_, L"BORKED", L""); | 187 FuzzStringType<std::wstring>(value, frequency_, L"BORKED", L""); |
188 } | 188 } |
189 | 189 |
190 virtual void FuzzString16(string16* value) { | 190 virtual void FuzzString16(string16* value) OVERRIDE { |
191 FuzzStringType<string16>(value, frequency_, | 191 FuzzStringType<string16>(value, frequency_, |
192 WideToUTF16(L"BORKED"), | 192 WideToUTF16(L"BORKED"), |
193 WideToUTF16(L"")); | 193 WideToUTF16(L"")); |
194 } | 194 } |
195 | 195 |
196 virtual void FuzzData(char* data, int length) { | 196 virtual void FuzzData(char* data, int length) OVERRIDE { |
197 if (rand() % frequency_ == 0) { | 197 if (rand() % frequency_ == 0) { |
198 for (int i = 0; i < length; ++i) { | 198 for (int i = 0; i < length; ++i) { |
199 FuzzIntegralType<char>(&data[i], frequency_); | 199 FuzzIntegralType<char>(&data[i], frequency_); |
200 } | 200 } |
201 } | 201 } |
202 } | 202 } |
203 | 203 |
204 virtual void FuzzBytes(void* data, int data_len) { | 204 virtual void FuzzBytes(void* data, int data_len) OVERRIDE { |
205 FuzzData(static_cast<char*>(data), data_len); | 205 FuzzData(static_cast<char*>(data), data_len); |
206 } | 206 } |
207 | 207 |
208 private: | 208 private: |
209 std::set<int> message_set_; | 209 std::set<int> message_set_; |
210 unsigned int frequency_; | 210 unsigned int frequency_; |
211 }; | 211 }; |
212 | 212 |
213 | 213 |
214 // No-op fuzzer. Rewrites each message unchanged to check if the message | 214 // No-op fuzzer. Rewrites each message unchanged to check if the message |
215 // re-assembly is legit. | 215 // re-assembly is legit. |
216 class NoOpFuzzer : public IPC::Fuzzer { | 216 class NoOpFuzzer : public IPC::Fuzzer { |
217 public: | 217 public: |
218 NoOpFuzzer() {} | 218 NoOpFuzzer() {} |
219 virtual ~NoOpFuzzer() {} | 219 virtual ~NoOpFuzzer() {} |
220 | 220 |
221 virtual bool FuzzThisMessage(const IPC::Message *msg) { | 221 virtual bool FuzzThisMessage(const IPC::Message *msg) OVERRIDE { |
222 return true; | 222 return true; |
223 } | 223 } |
224 | 224 |
225 virtual void FuzzBool(bool* value) {} | 225 virtual void FuzzBool(bool* value) OVERRIDE {} |
226 virtual void FuzzInt(int* value) {} | 226 virtual void FuzzInt(int* value) OVERRIDE {} |
227 virtual void FuzzLong(long* value) {} | 227 virtual void FuzzLong(long* value) OVERRIDE {} |
228 virtual void FuzzSize(size_t* value) {} | 228 virtual void FuzzSize(size_t* value) OVERRIDE {} |
229 virtual void FuzzUChar(unsigned char* value) {} | 229 virtual void FuzzUChar(unsigned char* value) OVERRIDE {} |
230 virtual void FuzzUInt16(uint16* value) {} | 230 virtual void FuzzUInt16(uint16* value) OVERRIDE {} |
231 virtual void FuzzUInt32(uint32* value) {} | 231 virtual void FuzzUInt32(uint32* value) OVERRIDE {} |
232 virtual void FuzzInt64(int64* value) {} | 232 virtual void FuzzInt64(int64* value) OVERRIDE {} |
233 virtual void FuzzUInt64(uint64* value) {} | 233 virtual void FuzzUInt64(uint64* value) OVERRIDE {} |
234 virtual void FuzzFloat(float* value) {} | 234 virtual void FuzzFloat(float* value) OVERRIDE {} |
235 virtual void FuzzDouble(double* value) {} | 235 virtual void FuzzDouble(double* value) OVERRIDE {} |
236 virtual void FuzzString(std::string* value) {} | 236 virtual void FuzzString(std::string* value) OVERRIDE {} |
237 virtual void FuzzWString(std::wstring* value) {} | 237 virtual void FuzzWString(std::wstring* value) OVERRIDE {} |
238 virtual void FuzzString16(string16* value) {} | 238 virtual void FuzzString16(string16* value) OVERRIDE {} |
239 virtual void FuzzData(char* data, int length) {} | 239 virtual void FuzzData(char* data, int length) OVERRIDE {} |
240 virtual void FuzzBytes(void* data, int data_len) {} | 240 virtual void FuzzBytes(void* data, int data_len) OVERRIDE {} |
241 }; | 241 }; |
242 | 242 |
243 class FuzzerFactory { | 243 class FuzzerFactory { |
244 public: | 244 public: |
245 static IPC::Fuzzer *NewFuzzer(const std::string& name) { | 245 static IPC::Fuzzer *NewFuzzer(const std::string& name) { |
246 if (name == "no-op") | 246 if (name == "no-op") |
247 return new NoOpFuzzer(); | 247 return new NoOpFuzzer(); |
248 else | 248 else |
249 return new DefaultFuzzer(); | 249 return new DefaultFuzzer(); |
250 } | 250 } |
(...skipping 403 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
654 } | 654 } |
655 | 655 |
656 class ipcfuzz : public IPC::ChannelProxy::OutgoingMessageFilter { | 656 class ipcfuzz : public IPC::ChannelProxy::OutgoingMessageFilter { |
657 public: | 657 public: |
658 ipcfuzz() { | 658 ipcfuzz() { |
659 const char* env_var = getenv("CHROME_IPC_FUZZING_KIND"); | 659 const char* env_var = getenv("CHROME_IPC_FUZZING_KIND"); |
660 fuzzer_ = FuzzerFactory::NewFuzzer(env_var ? env_var : ""); | 660 fuzzer_ = FuzzerFactory::NewFuzzer(env_var ? env_var : ""); |
661 PopulateFuzzFunctionMap(&fuzz_function_map_); | 661 PopulateFuzzFunctionMap(&fuzz_function_map_); |
662 } | 662 } |
663 | 663 |
664 IPC::Message* Rewrite(IPC::Message* message) { | 664 virtual IPC::Message* Rewrite(IPC::Message* message) OVERRIDE { |
665 if (fuzzer_ && fuzzer_->FuzzThisMessage(message)) { | 665 if (fuzzer_ && fuzzer_->FuzzThisMessage(message)) { |
666 FuzzFunctionMap::iterator it = fuzz_function_map_.find(message->type()); | 666 FuzzFunctionMap::iterator it = fuzz_function_map_.find(message->type()); |
667 if (it != fuzz_function_map_.end()) { | 667 if (it != fuzz_function_map_.end()) { |
668 IPC::Message* fuzzed_message = (*it->second)(message, fuzzer_); | 668 IPC::Message* fuzzed_message = (*it->second)(message, fuzzer_); |
669 if (fuzzed_message) { | 669 if (fuzzed_message) { |
670 delete message; | 670 delete message; |
671 message = fuzzed_message; | 671 message = fuzzed_message; |
672 } | 672 } |
673 } | 673 } |
674 } | 674 } |
675 return message; | 675 return message; |
676 } | 676 } |
677 | 677 |
678 private: | 678 private: |
679 IPC::Fuzzer* fuzzer_; | 679 IPC::Fuzzer* fuzzer_; |
680 FuzzFunctionMap fuzz_function_map_; | 680 FuzzFunctionMap fuzz_function_map_; |
681 }; | 681 }; |
682 | 682 |
683 ipcfuzz g_ipcfuzz; | 683 ipcfuzz g_ipcfuzz; |
684 | 684 |
685 // Entry point avoiding mangled names. | 685 // Entry point avoiding mangled names. |
686 extern "C" { | 686 extern "C" { |
687 __attribute__((visibility("default"))) | 687 __attribute__((visibility("default"))) |
688 IPC::ChannelProxy::OutgoingMessageFilter* GetFilter(void); | 688 IPC::ChannelProxy::OutgoingMessageFilter* GetFilter(void); |
689 } | 689 } |
690 | 690 |
691 IPC::ChannelProxy::OutgoingMessageFilter* GetFilter(void) { | 691 IPC::ChannelProxy::OutgoingMessageFilter* GetFilter(void) { |
692 return &g_ipcfuzz; | 692 return &g_ipcfuzz; |
693 } | 693 } |
OLD | NEW |