Initial fuzzer for SpdySession

net/spdy/spdy_session_fuzzer.cc

Index: net/spdy/spdy_session_fuzzer.cc
diff --git a/net/spdy/spdy_session_fuzzer.cc b/net/spdy/spdy_session_fuzzer.cc
new file mode 100644
index 0000000000000000000000000000000000000000..6a4c8076bb7c47a845894f312d902c13c534c42f
--- /dev/null
+++ b/net/spdy/spdy_session_fuzzer.cc
@@ -0,0 +1,91 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/logging.h"
+#include "base/macros.h"
+#include "base/memory/ptr_util.h"
+#include "base/run_loop.h"
+#include "base/test/fuzzed_data_provider.h"
+#include "net/base/net_errors.h"
+#include "net/base/request_priority.h"
+#include "net/log/test_net_log.h"
+#include "net/socket/fuzzed_socket_factory.h"
+#include "net/spdy/spdy_test_util_common.h"
+
+namespace {
+
+class FuzzerDelegate : public net::SpdyStream::Delegate {
+ public:
+  explicit FuzzerDelegate(const base::Closure& done_closure)
+      : done_closure_(done_closure) {}
+
+  void OnHeadersSent() override {}
+  void OnHeadersReceived(
+      const net::SpdyHeaderBlock& response_headers) override {}
+  void OnDataReceived(std::unique_ptr<net::SpdyBuffer> buffer) override {}
+  void OnDataSent() override {}
+  void OnTrailers(const net::SpdyHeaderBlock& trailers) override {}
+
+  void OnClose(int status) override { done_closure_.Run(); }
+
+ private:
+  base::Closure done_closure_;
+  DISALLOW_COPY_AND_ASSIGN(FuzzerDelegate);
+};
+
+}  // namespace
+
+// Fuzzer for SpdySession
+//
+// |data| is used to create a FuzzedServerSocket.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  net::BoundTestNetLog bound_test_net_log;
+  base::FuzzedDataProvider data_provider(data, size);
+  net::FuzzedSocketFactory socket_factory(&data_provider);
+  socket_factory.set_fuzz_connect_result(false);
+  net::SpdySessionDependencies deps;
+  std::unique_ptr<net::HttpNetworkSession> http_session(
+      net::SpdySessionDependencies::SpdyCreateSessionWithSocketFactory(
+          &deps, &socket_factory));
+
+  net::ProxyServer direct_connect(net::ProxyServer::Direct());
+  net::SpdySessionKey session_key(net::HostPortPair("127.0.0.1", 80),
+                                  direct_connect, net::PRIVACY_MODE_DISABLED);
+  base::WeakPtr<net::SpdySession> spdy_session(net::CreateInsecureSpdySession(
+      http_session.get(), session_key, bound_test_net_log.bound()));
+
+  net::SpdyStreamRequest stream_request;
+  base::WeakPtr<net::SpdyStream> stream;
+
+  net::TestCompletionCallback wait_for_start;
+  int rv = stream_request.StartRequest(

[mmoroz, 2017/02/09 08:21:01]

Does it actually send a request to chromium.org?

[morlovich, 2017/02/09 14:05:01]

It shouldn't, as it uses a FuzzedSocketFactory, so it should rather fuzz
failures of the network writes.

[Bence, 2017/02/09 14:11:10]

Consider using www.example.org or some other reserved name per RFC2606,
regardless of whether the value actually matters.

[Maks Orlovich, 2017/02/10 14:59:16]

Went with example.invalid given the original comment, since not resolving seems
like a nice property to have just in case.

+      net::SPDY_REQUEST_RESPONSE_STREAM, spdy_session,
+      GURL("http://www.chromium.org/"), net::DEFAULT_PRIORITY,
+      bound_test_net_log.bound(), wait_for_start.callback());
+
+  if (rv == net::ERR_IO_PENDING) {
+    rv = wait_for_start.WaitForResult();
+  }
+
+  // re-check the status after potential event loop.

[Bence, 2017/02/09 14:11:10]

Nit: Capitalize first letter of sentence.

[Maks Orlovich, 2017/02/10 14:59:16]

Done.

+  if (rv != net::OK) {
+    LOG(WARNING) << "StartRequest failed with result=" << rv;
+    return 0;
+  }
+
+  stream = stream_request.ReleaseStream();
+  stream->SendRequestHeaders(
+      net::SpdyTestUtil::ConstructGetHeaderBlock("http://www.chromium.org"),
+      net::NO_MORE_DATA_TO_SEND);
+
+  base::RunLoop run_loop;
+  FuzzerDelegate delegate(run_loop.QuitClosure());
+  stream->SetDelegate(&delegate);
+  run_loop.Run();
+
+  // Give a chance for GOING_AWAY sessions to wrap up.
+  base::RunLoop().RunUntilIdle();
+
+  return 0;
+}