| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include <memory> |
| 6 |
| 7 #include "base/memory/ptr_util.h" |
| 8 #include "base/memory/singleton.h" |
| 9 #include "base/run_loop.h" |
| 10 #include "net/base/fuzzed_data_provider.h" |
| 11 #include "net/http/http_request_headers.h" |
| 12 #include "net/url_request/data_protocol_handler.h" |
| 13 #include "net/url_request/url_request.h" |
| 14 #include "net/url_request/url_request_job_factory_impl.h" |
| 15 #include "net/url_request/url_request_test_util.h" |
| 16 |
| 17 namespace { |
| 18 |
| 19 const size_t kMaxLengthForFuzzedRange = 32; |
| 20 |
| 21 } // namespace |
| 22 |
| 23 // This class tests creating and reading to completion a URLRequest with fuzzed |
| 24 // input. The fuzzer provides a data: URL and optionally generates custom Range |
| 25 // headers. The amount of data read in each Read call is also fuzzed, as is |
| 26 // the size of the IOBuffer to read data into. |
| 27 class URLRequestDataJobFuzzerHarness : public net::URLRequest::Delegate { |
| 28 public: |
| 29 URLRequestDataJobFuzzerHarness() |
| 30 : context_(true), task_runner_(base::ThreadTaskRunnerHandle::Get()) { |
| 31 job_factory_.SetProtocolHandler( |
| 32 "data", base::WrapUnique(new net::DataProtocolHandler())); |
| 33 context_.set_job_factory(&job_factory_); |
| 34 context_.Init(); |
| 35 } |
| 36 |
| 37 static URLRequestDataJobFuzzerHarness* GetInstance() { |
| 38 return base::Singleton<URLRequestDataJobFuzzerHarness>::get(); |
| 39 } |
| 40 |
| 41 int CreateAndReadFromDataURLRequest(const uint8_t* data, size_t size) { |
| 42 net::FuzzedDataProvider provider(data, size); |
| 43 read_lengths_.clear(); |
| 44 |
| 45 // Allocate an IOBuffer with fuzzed size. |
| 46 uint32_t buf_size = provider.ConsumeValueInRange(1, 127); // 7 bits. |
| 47 scoped_refptr<net::IOBuffer> buf( |
| 48 new net::IOBuffer(static_cast<size_t>(buf_size))); |
| 49 buf_.swap(buf); |
| 50 |
| 51 // Generate a range header, and a bool determining whether to use it. |
| 52 // Generate the header regardless of the bool value to keep the data URL and |
| 53 // header in consistent byte addresses so the fuzzer doesn't have to work as |
| 54 // hard. |
| 55 bool use_range = provider.ConsumeBool(); |
| 56 base::StringPiece range(provider.ConsumeBytes(kMaxLengthForFuzzedRange)); |
| 57 |
| 58 // Generate a sequence of reads sufficient to read the entire data URL. |
| 59 size_t simulated_bytes_read = 0; |
| 60 while (simulated_bytes_read < provider.remaining_bytes()) { |
| 61 size_t read_length = provider.ConsumeValueInRange(1, buf_size); |
| 62 read_lengths_.push_back(read_length); |
| 63 simulated_bytes_read += read_length; |
| 64 } |
| 65 |
| 66 // The data URL is the rest of the fuzzed data. If the URL is invalid just |
| 67 // use a test variant, so the fuzzer has a chance to execute something. |
| 68 base::StringPiece data_bytes(provider.ConsumeRemainingBytes()); |
| 69 GURL data_url(data_bytes); |
| 70 if (!data_url.is_valid()) |
| 71 data_url = GURL("data:text/html;charset=utf-8,<p>test</p>"); |
| 72 |
| 73 // Create a URLRequest with the given data URL and start reading |
| 74 // from it. |
| 75 std::unique_ptr<net::URLRequest> request = |
| 76 context_.CreateRequest(data_url, net::DEFAULT_PRIORITY, this); |
| 77 if (use_range) { |
| 78 std::string range_str = range.as_string(); |
| 79 if (!net::HttpUtil::IsValidHeaderValue(range_str)) |
| 80 range_str = "bytes=3-"; |
| 81 request->SetExtraRequestHeaderByName("Range", range_str, true); |
| 82 } |
| 83 |
| 84 // Block the thread while the request is read. |
| 85 base::RunLoop read_loop; |
| 86 read_loop_ = &read_loop; |
| 87 request->Start(); |
| 88 read_loop.Run(); |
| 89 read_loop_ = nullptr; |
| 90 return 0; |
| 91 } |
| 92 |
| 93 void QuitLoop() { |
| 94 DCHECK(read_loop_); |
| 95 task_runner_->PostTask(FROM_HERE, read_loop_->QuitClosure()); |
| 96 } |
| 97 |
| 98 void ReadFromRequest(net::URLRequest* request) { |
| 99 bool sync = false; |
| 100 do { |
| 101 // If possible, pop the next read size. If none exists, then this should |
| 102 // be the last call to Read. |
| 103 bool using_populated_read = read_lengths_.size() > 0; |
| 104 size_t read_size = 1; |
| 105 if (using_populated_read) { |
| 106 read_size = read_lengths_.back(); |
| 107 read_lengths_.pop_back(); |
| 108 } |
| 109 |
| 110 int bytes_read = 0; |
| 111 sync = request->Read(buf_.get(), read_size, &bytes_read); |
| 112 // No more populated reads implies !bytes_read. |
| 113 DCHECK(using_populated_read || !bytes_read); |
| 114 } while (sync); |
| 115 |
| 116 if (!request->status().is_io_pending()) |
| 117 QuitLoop(); |
| 118 } |
| 119 |
| 120 // net::URLRequest::Delegate: |
| 121 void OnReceivedRedirect(net::URLRequest* request, |
| 122 const net::RedirectInfo& redirect_info, |
| 123 bool* defer_redirect) override {} |
| 124 void OnAuthRequired(net::URLRequest* request, |
| 125 net::AuthChallengeInfo* auth_info) override {} |
| 126 void OnCertificateRequested( |
| 127 net::URLRequest* request, |
| 128 net::SSLCertRequestInfo* cert_request_info) override {} |
| 129 void OnSSLCertificateError(net::URLRequest* request, |
| 130 const net::SSLInfo& ssl_info, |
| 131 bool fatal) override {} |
| 132 void OnBeforeNetworkStart(net::URLRequest* request, bool* defer) override {} |
| 133 void OnResponseStarted(net::URLRequest* request) override { |
| 134 DCHECK(!request->status().is_io_pending()); |
| 135 DCHECK(buf_.get()); |
| 136 DCHECK(read_loop_); |
| 137 if (request->status().is_success()) { |
| 138 ReadFromRequest(request); |
| 139 } else { |
| 140 QuitLoop(); |
| 141 } |
| 142 } |
| 143 void OnReadCompleted(net::URLRequest* request, int bytes_read) override { |
| 144 DCHECK(!request->status().is_io_pending()); |
| 145 DCHECK(buf_.get()); |
| 146 DCHECK(read_loop_); |
| 147 if (request->status().is_success() && bytes_read > 0) { |
| 148 ReadFromRequest(request); |
| 149 } else { |
| 150 QuitLoop(); |
| 151 } |
| 152 } |
| 153 |
| 154 private: |
| 155 friend struct base::DefaultSingletonTraits<URLRequestDataJobFuzzerHarness>; |
| 156 |
| 157 net::TestURLRequestContext context_; |
| 158 net::URLRequestJobFactoryImpl job_factory_; |
| 159 std::vector<size_t> read_lengths_; |
| 160 scoped_refptr<net::IOBuffer> buf_; |
| 161 scoped_refptr<base::SingleThreadTaskRunner> task_runner_; |
| 162 base::RunLoop* read_loop_; |
| 163 |
| 164 DISALLOW_COPY_AND_ASSIGN(URLRequestDataJobFuzzerHarness); |
| 165 }; |
| 166 |
| 167 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { |
| 168 // Using a static singleton test harness lets the test run ~3-4x faster. |
| 169 return URLRequestDataJobFuzzerHarness::GetInstance() |
| 170 ->CreateAndReadFromDataURLRequest(data, size); |
| 171 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1919013003:
Add fuzzer to test Fuzz URLRequestDataJob (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@url_request_fuzzer