Add a fuzzer for WebSocketDeflateStream::ReadFrames()

Add a fuzzer for WebSocketDeflateStream::ReadFrames()

The ReadFrames() method of WebSocketDeflateStream decompresses WebSocket frames
received from the network. It thus consistitutes a potential attack surface and
needs to be robust against bad input.

Add a fuzzer to ensure that WebSocketDeflateStream does not misbehave if given
bad input.

BUG=

Committed: https://crrev.com/7b870e72a79e574f8dcfbbd37858a081a9fdc2f8
Cr-Commit-Position: refs/heads/master@{#415882}

[Adam Rice, 2016-08-30 13:16:27]

ricea@chromium.org changed reviewers:
+ yhirano@chromium.org

[Adam Rice, 2016-08-30 13:16:28]

I'm not sure how useful this is really. It didn't find any bugs when I ran it
locally. But it does seem to be effective at finding code paths to test.

See libfuzzer docs at
https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/REA...

[Adam Rice, 2016-08-30 13:34:23]

The CQ bit was checked by ricea@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-08-30 13:34:49]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-08-30 14:47:29]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-08-30 14:47:29]

Dry run: This issue passed the CQ dry run.

[yhirano, 2016-08-31 05:30:04]

https://codereview.chromium.org/2292083002/diff/20001/net/websockets/websocke...
File net/websockets/websocket_deflate_stream_fuzzer.cc (right):

https://codereview.chromium.org/2292083002/diff/20001/net/websockets/websocke...
net/websockets/websocket_deflate_stream_fuzzer.cc:29: class
WebSocketFuzzedStream : public WebSocketStream {
final

https://codereview.chromium.org/2292083002/diff/20001/net/websockets/websocke...
net/websockets/websocket_deflate_stream_fuzzer.cc:80: void
WebSocketDeflateStreamFuzz(const uint8_t* data, size_t size) {
Does it make sense to hide this function in an unnamed namespace, or add
"static" keyword?

[Adam Rice, 2016-08-31 06:02:59]

https://codereview.chromium.org/2292083002/diff/20001/net/websockets/websocke...
File net/websockets/websocket_deflate_stream_fuzzer.cc (right):

https://codereview.chromium.org/2292083002/diff/20001/net/websockets/websocke...
net/websockets/websocket_deflate_stream_fuzzer.cc:29: class
WebSocketFuzzedStream : public WebSocketStream {
On 2016/08/31 05:30:04, yhirano wrote:
> final

Done.

https://codereview.chromium.org/2292083002/diff/20001/net/websockets/websocke...
net/websockets/websocket_deflate_stream_fuzzer.cc:80: void
WebSocketDeflateStreamFuzz(const uint8_t* data, size_t size) {
On 2016/08/31 05:30:04, yhirano wrote:
> Does it make sense to hide this function in an unnamed namespace, or add
> "static" keyword?

I moved it into an anonymous namespace. It looks weird to call a function as
net::WebSocketDeflateStreamFuzz() when it's actually in an anonymous namespace.
But it seems to work.

[yhirano, 2016-08-31 06:10:00]

lgtm

https://codereview.chromium.org/2292083002/diff/40001/net/websockets/websocke...
File net/websockets/websocket_deflate_stream_fuzzer.cc (right):

https://codereview.chromium.org/2292083002/diff/40001/net/websockets/websocke...
net/websockets/websocket_deflate_stream_fuzzer.cc:13: #include
"base/memory/ptr_util.h"
+base/strings/string_piece.h

[Adam Rice, 2016-08-31 06:57:20]

https://codereview.chromium.org/2292083002/diff/40001/net/websockets/websocke...
File net/websockets/websocket_deflate_stream_fuzzer.cc (right):

https://codereview.chromium.org/2292083002/diff/40001/net/websockets/websocke...
net/websockets/websocket_deflate_stream_fuzzer.cc:13: #include
"base/memory/ptr_util.h"
On 2016/08/31 06:10:00, yhirano wrote:
> +base/strings/string_piece.h

Done.

[Adam Rice, 2016-08-31 06:58:54]

ricea@chromium.org changed reviewers:
+ bengr@chromium.org

[Adam Rice, 2016-08-31 06:58:55]

+bengr for net/BUILD.gn

[bengr, 2016-08-31 23:40:15]

net/BUILD.gn lgtm

[Adam Rice, 2016-09-01 03:26:08]

The CQ bit was checked by ricea@chromium.org

[Adam Rice, 2016-09-01 03:26:09]

The patchset sent to the CQ was uploaded after l-g-t-m from yhirano@chromium.org
Link to the patchset: https://codereview.chromium.org/2292083002/#ps60001
(title: "Add string_piece.h include")

[commit-bot: I haz the power, 2016-09-01 03:26:24]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-09-01 04:41:21]

Committed patchset #4 (id:60001)

[commit-bot: I haz the power, 2016-09-01 04:43:18]

Description was changed from

==========
Add a fuzzer for WebSocketDeflateStream::ReadFrames()

The ReadFrames() method of WebSocketDeflateStream decompresses WebSocket frames
received from the network. It thus consistitutes a potential attack surface and
needs to be robust against bad input.

Add a fuzzer to ensure that WebSocketDeflateStream does not misbehave if given
bad input.

BUG=
==========

to

==========
Add a fuzzer for WebSocketDeflateStream::ReadFrames()

The ReadFrames() method of WebSocketDeflateStream decompresses WebSocket frames
received from the network. It thus consistitutes a potential attack surface and
needs to be robust against bad input.

Add a fuzzer to ensure that WebSocketDeflateStream does not misbehave if given
bad input.

BUG=

Committed: https://crrev.com/7b870e72a79e574f8dcfbbd37858a081a9fdc2f8
Cr-Commit-Position: refs/heads/master@{#415882}
==========

[commit-bot: I haz the power, 2016-09-01 04:43:19]

Patchset 4 (id:??) landed as
https://crrev.com/7b870e72a79e574f8dcfbbd37858a081a9fdc2f8
Cr-Commit-Position: refs/heads/master@{#415882}