OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include <stddef.h> | |
6 #include <stdint.h> | |
7 | |
8 #include <memory> | |
9 #include <string> | |
10 #include <vector> | |
11 | |
12 #include "base/logging.h" | |
13 #include "base/memory/ptr_util.h" | |
14 #include "base/test/fuzzed_data_provider.h" | |
15 #include "net/base/completion_callback.h" | |
16 #include "net/base/io_buffer.h" | |
17 #include "net/base/net_errors.h" | |
18 #include "net/websockets/websocket_deflate_parameters.h" | |
19 #include "net/websockets/websocket_deflate_predictor.h" | |
20 #include "net/websockets/websocket_deflate_predictor_impl.h" | |
21 #include "net/websockets/websocket_deflate_stream.h" | |
22 #include "net/websockets/websocket_extension.h" | |
23 #include "net/websockets/websocket_frame.h" | |
24 #include "net/websockets/websocket_stream.h" | |
25 | |
26 namespace net { | |
27 | |
28 namespace { | |
29 class WebSocketFuzzedStream : public WebSocketStream { | |
yhirano
2016/08/31 05:30:04
final
Adam Rice
2016/08/31 06:02:59
Done.
| |
30 public: | |
31 WebSocketFuzzedStream(const uint8_t* data, size_t size) | |
32 : fuzzed_data_provider_(data, size) {} | |
33 | |
34 int ReadFrames(std::vector<std::unique_ptr<WebSocketFrame>>* frames, | |
35 const CompletionCallback& callback) override { | |
36 if (fuzzed_data_provider_.remaining_bytes() == 0) | |
37 return ERR_CONNECTION_CLOSED; | |
38 while (fuzzed_data_provider_.remaining_bytes() > 0) | |
39 frames->push_back(CreateFrame()); | |
40 return OK; | |
41 } | |
42 | |
43 int WriteFrames(std::vector<std::unique_ptr<WebSocketFrame>>* frames, | |
44 const CompletionCallback& callback) override { | |
45 return ERR_FILE_NOT_FOUND; | |
46 } | |
47 | |
48 void Close() override {} | |
49 std::string GetSubProtocol() const override { return std::string(); } | |
50 std::string GetExtensions() const override { return std::string(); } | |
51 | |
52 private: | |
53 std::unique_ptr<WebSocketFrame> CreateFrame() { | |
54 WebSocketFrameHeader::OpCode opcode = | |
55 fuzzed_data_provider_.ConsumeInt32InRange( | |
56 WebSocketFrameHeader::kOpCodeContinuation, | |
57 WebSocketFrameHeader::kOpCodeControlUnused); | |
58 auto frame = base::MakeUnique<WebSocketFrame>(opcode); | |
59 // Bad news: ConsumeBool actually consumes a whole byte per call, so do | |
60 // something hacky to conserve precious bits. | |
61 uint8_t flags = fuzzed_data_provider_.ConsumeUint8(); | |
62 frame->header.final = flags & 0x1; | |
63 frame->header.reserved1 = (flags >> 1) & 0x1; | |
64 frame->header.reserved2 = (flags >> 2) & 0x1; | |
65 frame->header.reserved3 = (flags >> 3) & 0x1; | |
66 frame->header.masked = (flags >> 4) & 0x1; | |
67 uint64_t payload_length = fuzzed_data_provider_.ConsumeInt32InRange(0, 64); | |
68 base::StringPiece payload = | |
69 fuzzed_data_provider_.ConsumeBytes(payload_length); | |
70 frame->data = new WrappedIOBuffer(payload.data()); | |
71 frame->header.payload_length = payload.size(); | |
72 return frame; | |
73 } | |
74 | |
75 base::FuzzedDataProvider fuzzed_data_provider_; | |
76 }; | |
77 | |
78 } // namespace | |
79 | |
80 void WebSocketDeflateStreamFuzz(const uint8_t* data, size_t size) { | |
yhirano
2016/08/31 05:30:04
Does it make sense to hide this function in an unn
Adam Rice
2016/08/31 06:02:59
I moved it into an anonymous namespace. It looks w
| |
81 // WebSocketDeflateStream needs to be constructed on each call because it | |
82 // has state. | |
83 std::string failure_message; | |
84 WebSocketDeflateParameters parameters; | |
85 parameters.Initialize(WebSocketExtension("permessage-deflate"), | |
86 &failure_message); | |
87 WebSocketDeflateStream deflate_stream( | |
88 base::MakeUnique<WebSocketFuzzedStream>(data, size), parameters, | |
89 base::MakeUnique<WebSocketDeflatePredictorImpl>()); | |
90 std::vector<std::unique_ptr<net::WebSocketFrame>> frames; | |
91 deflate_stream.ReadFrames(&frames, CompletionCallback()); | |
92 } | |
93 | |
94 } // namespace net | |
95 | |
96 // Entry point for LibFuzzer. | |
97 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { | |
98 net::WebSocketDeflateStreamFuzz(data, size); | |
99 | |
100 return 0; | |
101 } | |
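Review bot: The result of `parameters.Initialize(...)` in `WebSocketDeflateStreamFuzz` (new lines 85-86) is discarded and `failure_message` is never read, so if initialization ever fails the harness will keep fuzzing a stream built from whatever state `parameters` was left in, without any signal. Assuming `Initialize` returns a success flag, as the out-parameter suggests, wrapping the existing call as `CHECK(parameters.Initialize(WebSocketExtension("permessage-deflate"), &failure_message)) << failure_message;` makes that failure loud; `base/logging.h` is already included. In `CreateFrame` (new line 70) the `WrappedIOBuffer` does not own its bytes, so each frame's payload aliases the fuzzer input. A comment such as `// Non-owning: payload points into the fuzzer's |data|, which must outlive the frames.` would record the lifetime assumption that keeps this from becoming a use-after-free if the frames are ever kept past the call. It would also help to note next to `ConsumeInt32InRange(0, 64)` why payloads are capped at 64 bytes, since that bound limits how much of the inflater's buffering the fuzzer can reach.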