Add a fuzzer for HttpProxyClientSocket.

net/http/http_proxy_client_socket_fuzzer.cc

Index: net/http/http_proxy_client_socket_fuzzer.cc
diff --git a/net/http/http_proxy_client_socket_fuzzer.cc b/net/http/http_proxy_client_socket_fuzzer.cc
new file mode 100644
index 0000000000000000000000000000000000000000..940af8e11c56881df42cb65a25d55032d67a230e
--- /dev/null
+++ b/net/http/http_proxy_client_socket_fuzzer.cc
@@ -0,0 +1,89 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/http/http_proxy_client_socket.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <string>
+
+#include "base/logging.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/message_loop/message_loop.h"
+#include "base/strings/utf_string_conversions.h"
+#include "net/base/address_list.h"
+#include "net/base/auth.h"
+#include "net/base/host_port_pair.h"
+#include "net/base/test_completion_callback.h"
+#include "net/http/http_auth_cache.h"
+#include "net/http/http_auth_handler_basic.h"
+#include "net/http/http_auth_handler_digest.h"
+#include "net/http/http_auth_handler_factory.h"
+#include "net/http/http_auth_scheme.h"
+#include "net/log/test_net_log.h"
+#include "net/socket/client_socket_handle.h"
+#include "net/socket/fuzzed_socket.h"
+#include "net/socket/next_proto.h"
+
+// Fuzzer for HttpProxyClientSocket only tests establshing a connection when

[eroman, 2016/04/15 19:07:21]

typo: establishing

[mmenke, 2016/04/15 19:23:52]

Done.

+// using the proxy as a tunnel.
+//
+// |data| is used to create a FuzzedSocket to fuzz reads and writes, see that
+// class for details.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  // Needed for thread checks and waits.
+  base::MessageLoopForIO message_loop;
+
+  // Use a test NetLog, to exercise logging code.
+  net::BoundTestNetLog bound_test_net_log;
+
+  // Use last byte to determine if the HttpProxyClientSocket should be told the
+  // underlying socket is HTTPS.
+  bool is_https_proxy = 0;
+  if (size > 0) {
+    is_https_proxy = !(data[size - 1] & 1);

[eroman, 2016/04/15 19:07:21]

It might be interesting to add our own fuzzer support .h file which can do
things like:

is_https_proxy = ConsumeBits(1, &data, &size);

Or fancier like:

  // Consume 1 byte of the fuzz data.
  int length = fuzz_data.ConsumeBits(6);
  bool sync = 1 == fuzz_data.ConsumeBits(1);
  bool error = 1 == fuzz_data.ConsumeBits(1);

[mmenke, 2016/04/15 19:23:52]

I'm actually planning on implementing a shared refcounted structure with this
functionality (At least byte and string functionality), when I write fuzzers for
URLRequest, so it can handle things like cross domain redirects, and
non-reuseable sockets, which will require creating new sockets with the
remaining bits.

[eroman, 2016/04/15 19:31:56]

sounds good, I was envisioning something similar :)

+    size--;
+  }
+
+  net::TestCompletionCallback callback;
+  scoped_ptr<net::FuzzedSocket> fuzzed_socket(

[eroman, 2016/04/15 19:07:21]

I believe std::unique_ptr<> is the new hotness now.
9 out of 10 dentists recommend it.

[mmenke, 2016/04/15 19:23:52]

Dang dentists...Always messing with a good thing (Done.).

+      new net::FuzzedSocket(data, size, bound_test_net_log.bound()));

[eroman, 2016/04/15 19:07:21]

Assuming our style allows std::make_unique, this could now be:

 auto fuzzed_socket = std::make_unique<FuzzedSocket>(data, size,
bound_test_net_log.bound());

(avoid typing net::FuzzedSocket twice).

[mmenke, 2016/04/15 19:23:52]

I'm happy with the old ways...The ways of our great forecoders.

(Actually, I just think having FuzzedSocket near the start of the line is easier
to follow, so leaving as-is)

+  CHECK_EQ(net::OK, fuzzed_socket->Connect(callback.callback()));
+
+  scoped_ptr<net::ClientSocketHandle> socket_handle(
+      new net::ClientSocketHandle());
+  socket_handle->SetSocket(std::move(fuzzed_socket));
+
+  // Create auth handler supporting basic and digest schemes.  Other schemes can
+  // make system calls, which doesn't seem like a great idea.
+  net::HttpAuthCache auth_cache;
+  net::HttpAuthHandlerRegistryFactory auth_handler_factory;
+  auth_handler_factory.RegisterSchemeFactory(
+      net::kBasicAuthScheme, new net::HttpAuthHandlerBasic::Factory());
+  auth_handler_factory.RegisterSchemeFactory(
+      net::kDigestAuthScheme, new net::HttpAuthHandlerDigest::Factory());
+
+  scoped_refptr<net::HttpAuthController> auth_controller(
+      new net::HttpAuthController(net::HttpAuth::AUTH_PROXY,
+                                  GURL("http://proxy:42/"), &auth_cache,
+                                  &auth_handler_factory));
+  net::HttpProxyClientSocket socket(
+      socket_handle.release(), "Bond/007", net::HostPortPair("foo", 80),

[eroman, 2016/04/15 19:07:21]

shaken not stirred

+      net::HostPortPair("proxy", 42), auth_controller.get(), true /* tunnel */,
+      false /* using_spdy */, net::kProtoUnknown, nullptr /* proxy_delegate */,
+      is_https_proxy);
+  int result = socket.Connect(callback.callback());
+  result = callback.GetResult(result);
+
+  // Repeatedly try to log in with the same credentials.
+  while (result == net::ERR_PROXY_AUTH_REQUESTED) {

[eroman, 2016/04/15 19:07:21]

How many times will this loop?

[mmenke, 2016/04/15 19:23:52]

Until it stops reading new auth challenges.  If the credentials aren't valid,
the server can respond with another challenge.  Every time we consume a fair
number of bytes (At least 60+, for the challenge), so I don't think that's going
to be a problem.  There is no re-challenge limit anywhere in net/, that I'm
aware of, but I don't think the bots will find sending dozens of challenges that
interesting.

[eroman, 2016/04/15 19:31:56]

Good point - this necessarily terminates provided we consume at least 1 byte of
data each time.

+    auth_controller->ResetAuth(net::AuthCredentials(
+        base::ASCIIToUTF16("user"), base::ASCIIToUTF16("pass")));
+    result = socket.RestartWithAuth(callback.callback());
+    result = callback.GetResult(result);
+  }
+
+  return 0;
+}