net/http/http_proxy_client_socket_fuzzer.cc - Issue 1917503002: URLRequest fuzzer.

Side by Side Diff: net/http/http_proxy_client_socket_fuzzer.cc

Issue 1917503002: URLRequest fuzzer. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@fuzz

Patch Set: Update other fuzzers (Lost them in a merge) Created 4 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright 2016 The Chromium Authors. All rights reserved.	1 // Copyright 2016 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/http/http_proxy_client_socket.h"	5 #include "net/http/http_proxy_client_socket.h"

6	6

7 #include <stddef.h>	7 #include <stddef.h>

8 #include <stdint.h>	8 #include <stdint.h>

9	9

10 #include <memory>	10 #include <memory>

11 #include <string>	11 #include <string>

12	12

13 #include "base/logging.h"	13 #include "base/logging.h"

14 #include "base/strings/utf_string_conversions.h"	14 #include "base/strings/utf_string_conversions.h"

15 #include "net/base/address_list.h"	15 #include "net/base/address_list.h"

16 #include "net/base/auth.h"	16 #include "net/base/auth.h"

	17 #include "net/base/fuzzed_data_provider.h"

17 #include "net/base/host_port_pair.h"	18 #include "net/base/host_port_pair.h"

18 #include "net/base/test_completion_callback.h"	19 #include "net/base/test_completion_callback.h"

19 #include "net/http/http_auth_cache.h"	20 #include "net/http/http_auth_cache.h"

20 #include "net/http/http_auth_handler_basic.h"	21 #include "net/http/http_auth_handler_basic.h"

21 #include "net/http/http_auth_handler_digest.h"	22 #include "net/http/http_auth_handler_digest.h"

22 #include "net/http/http_auth_handler_factory.h"	23 #include "net/http/http_auth_handler_factory.h"

23 #include "net/http/http_auth_scheme.h"	24 #include "net/http/http_auth_scheme.h"

24 #include "net/log/test_net_log.h"	25 #include "net/log/test_net_log.h"

25 #include "net/socket/client_socket_handle.h"	26 #include "net/socket/client_socket_handle.h"

26 #include "net/socket/fuzzed_socket.h"	27 #include "net/socket/fuzzed_socket.h"

27 #include "net/socket/next_proto.h"	28 #include "net/socket/next_proto.h"

28	29

29 // Fuzzer for HttpProxyClientSocket only tests establishing a connection when	30 // Fuzzer for HttpProxyClientSocket only tests establishing a connection when

30 // using the proxy as a tunnel.	31 // using the proxy as a tunnel.

31 //	32 //

32 // \|data\| is used to create a FuzzedSocket to fuzz reads and writes, see that	33 // \|data\| is used to create a FuzzedSocket to fuzz reads and writes, see that

33 // class for details.	34 // class for details.

34 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {	35 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

35 // Use a test NetLog, to exercise logging code.	36 // Use a test NetLog, to exercise logging code.

36 net::BoundTestNetLog bound_test_net_log;	37 net::TestNetLog test_net_log;

	38

	39 net::FuzzedDataProvider data_provider(data, size);

37	40

38 // Use last byte to determine if the HttpProxyClientSocket should be told the	41 // Use last byte to determine if the HttpProxyClientSocket should be told the
	eroman 2016/04/22 22:07:10 Generalize this comment, or remove it. Where the d Generalize this comment, or remove it. Where the data came from is an abstraction of the FuzzedDataProvider layer. mmenke 2016/04/27 19:53:25 Done. Show quoted text On 2016/04/22 22:07:10, eroman wrote: > Generalize this comment, or remove it. Where the data came from is an > abstraction of the FuzzedDataProvider layer. Done.
39 // underlying socket is HTTPS.	42 // underlying socket is HTTPS.

40 bool is_https_proxy = 0;	43 bool is_https_proxy = !(data_provider.ConsumeBits(8) & 1);
	eroman 2016/04/22 22:07:10 Why not "!data_provider.ConsumeBits(1)" ? Are you Why not "!data_provider.ConsumeBits(1)" ? Are you concerned with changing the current corpus data? mmenke 2016/04/22 22:59:32 My concern is stability - the fuzzer works by modi Show quoted text On 2016/04/22 22:07:10, eroman wrote: > Why not "!data_provider.ConsumeBits(1)" ? > > Are you concerned with changing the current corpus data? My concern is stability - the fuzzer works by modifying previous interesting inputs. If we remove things in multiples of 8, behavior tends to be more stable when the input is modified. Yes, the data may be used for completely different things, but in the case of multiple reads in a row, for example, the data is interpreted the exact same way. If we don't read in multiples of 8, the results of subsequent operations are basically completely random. mmenke 2016/04/27 19:53:25 I've updated ConsumeBits to always consume an exac Show quoted text On 2016/04/22 22:59:32, mmenke wrote: > On 2016/04/22 22:07:10, eroman wrote: > > Why not "!data_provider.ConsumeBits(1)" ? > > > > Are you concerned with changing the current corpus data? > > My concern is stability - the fuzzer works by modifying previous interesting > inputs. If we remove things in multiples of 8, behavior tends to be more stable > when the input is modified. Yes, the data may be used for completely different > things, but in the case of multiple reads in a row, for example, the data is > interpreted the exact same way. If we don't read in multiples of 8, the results > of subsequent operations are basically completely random. I've updated ConsumeBits to always consume an exact number of bytes.
41 if (size > 0) {

42 is_https_proxy = !(data[size - 1] & 1);

43 size--;

44 }

45	44

46 net::TestCompletionCallback callback;	45 net::TestCompletionCallback callback;

47 std::unique_ptr<net::FuzzedSocket> fuzzed_socket(	46 std::unique_ptr<net::FuzzedSocket> fuzzed_socket(

48 new net::FuzzedSocket(data, size, bound_test_net_log.bound()));	47 new net::FuzzedSocket(&data_provider, &test_net_log));

49 CHECK_EQ(net::OK, fuzzed_socket->Connect(callback.callback()));	48 CHECK_EQ(net::OK, fuzzed_socket->Connect(callback.callback()));

50	49

51 std::unique_ptr<net::ClientSocketHandle> socket_handle(	50 std::unique_ptr<net::ClientSocketHandle> socket_handle(

52 new net::ClientSocketHandle());	51 new net::ClientSocketHandle());

53 socket_handle->SetSocket(std::move(fuzzed_socket));	52 socket_handle->SetSocket(std::move(fuzzed_socket));

54	53

55 // Create auth handler supporting basic and digest schemes. Other schemes can	54 // Create auth handler supporting basic and digest schemes. Other schemes can

56 // make system calls, which doesn't seem like a great idea.	55 // make system calls, which doesn't seem like a great idea.

57 net::HttpAuthCache auth_cache;	56 net::HttpAuthCache auth_cache;

58 net::HttpAuthHandlerRegistryFactory auth_handler_factory;	57 net::HttpAuthHandlerRegistryFactory auth_handler_factory;

(...skipping 17 matching lines...) Expand all Loading...
76 // Repeatedly try to log in with the same credentials.	75 // Repeatedly try to log in with the same credentials.

77 while (result == net::ERR_PROXY_AUTH_REQUESTED) {	76 while (result == net::ERR_PROXY_AUTH_REQUESTED) {

78 auth_controller->ResetAuth(net::AuthCredentials(	77 auth_controller->ResetAuth(net::AuthCredentials(

79 base::ASCIIToUTF16("user"), base::ASCIIToUTF16("pass")));	78 base::ASCIIToUTF16("user"), base::ASCIIToUTF16("pass")));

80 result = socket.RestartWithAuth(callback.callback());	79 result = socket.RestartWithAuth(callback.callback());

81 result = callback.GetResult(result);	80 result = callback.GetResult(result);

82 }	81 }

83	82

84 return 0;	83 return 0;

85 }	84 }

OLD	NEW

« net/base/fuzzed_data_provider.cc ('K') | « net/data/http/http.dict ('k') | net/http/http_stream_parser_fuzzer.cc » ('j') | net/socket/fuzzed_socket.cc » ('J')