| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <stddef.h> | 5 #include <stddef.h> |
| 6 #include <stdint.h> | 6 #include <stdint.h> |
| 7 | 7 |
| 8 #include <memory> | 8 #include <memory> |
| 9 #include <string> | 9 #include <string> |
| 10 #include <vector> | 10 #include <vector> |
| 11 | 11 |
| 12 #include "base/logging.h" | 12 #include "base/logging.h" |
| 13 #include "base/memory/ptr_util.h" | 13 #include "base/memory/ptr_util.h" |
| 14 #include "base/strings/string_number_conversions.h" |
| 14 #include "base/strings/string_piece.h" | 15 #include "base/strings/string_piece.h" |
| 15 #include "base/test/fuzzed_data_provider.h" | 16 #include "base/test/fuzzed_data_provider.h" |
| 16 #include "net/base/completion_callback.h" | 17 #include "net/base/completion_callback.h" |
| 17 #include "net/base/io_buffer.h" | 18 #include "net/base/io_buffer.h" |
| 18 #include "net/base/net_errors.h" | 19 #include "net/base/net_errors.h" |
| 19 #include "net/websockets/websocket_deflate_parameters.h" | 20 #include "net/websockets/websocket_deflate_parameters.h" |
| 20 #include "net/websockets/websocket_deflate_predictor.h" | 21 #include "net/websockets/websocket_deflate_predictor.h" |
| 21 #include "net/websockets/websocket_deflate_predictor_impl.h" | 22 #include "net/websockets/websocket_deflate_predictor_impl.h" |
| 22 #include "net/websockets/websocket_deflate_stream.h" | 23 #include "net/websockets/websocket_deflate_stream.h" |
| 23 #include "net/websockets/websocket_extension.h" | 24 #include "net/websockets/websocket_extension.h" |
| 24 #include "net/websockets/websocket_frame.h" | 25 #include "net/websockets/websocket_frame.h" |
| 25 #include "net/websockets/websocket_stream.h" | 26 #include "net/websockets/websocket_stream.h" |
| 26 | 27 |
| 27 namespace net { | 28 namespace net { |
| 28 | 29 |
| 29 namespace { | 30 namespace { |
| 30 | 31 |
| 32 // If there are less random bytes left than MIN_BYTES_TO_CREATE_A_FRAME then |
| 33 // CreateFrame() will always create an empty frame. Since the fuzzer can create |
| 34 // the same empty frame with MIN_BYTES_TO_CREATE_A_FRAME bytes of input, save it |
| 35 // from exploring a large space of ways to do the same thing. |
| 36 constexpr size_t MIN_BYTES_TO_CREATE_A_FRAME = 3; |
| 37 |
| 38 constexpr size_t BYTES_CONSUMED_BY_PARAMS = 2; |
| 39 |
| 40 // If there are exactly BYTES_CONSUMED_BY_PARAMS + MIN_BYTES_TO_CREATE_A_FRAME |
| 41 // bytes of input, then the fuzzer will test a single frame. In order to also |
| 42 // test the case with zero frames, allow one less byte than this. |
| 43 constexpr size_t MIN_USEFUL_SIZE = |
| 44 BYTES_CONSUMED_BY_PARAMS + MIN_BYTES_TO_CREATE_A_FRAME - 1; |
| 45 |
| 31 class WebSocketFuzzedStream final : public WebSocketStream { | 46 class WebSocketFuzzedStream final : public WebSocketStream { |
| 32 public: | 47 public: |
| 33 WebSocketFuzzedStream(const uint8_t* data, size_t size) | 48 WebSocketFuzzedStream(base::FuzzedDataProvider* fuzzed_data_provider) |
| 34 : fuzzed_data_provider_(data, size) {} | 49 : fuzzed_data_provider_(fuzzed_data_provider) {} |
| 35 | 50 |
| 36 int ReadFrames(std::vector<std::unique_ptr<WebSocketFrame>>* frames, | 51 int ReadFrames(std::vector<std::unique_ptr<WebSocketFrame>>* frames, |
| 37 const CompletionCallback& callback) override { | 52 const CompletionCallback& callback) override { |
| 38 if (fuzzed_data_provider_.remaining_bytes() == 0) | 53 if (fuzzed_data_provider_->remaining_bytes() < MIN_BYTES_TO_CREATE_A_FRAME) |
| 39 return ERR_CONNECTION_CLOSED; | 54 return ERR_CONNECTION_CLOSED; |
| 40 while (fuzzed_data_provider_.remaining_bytes() > 0) | 55 while (fuzzed_data_provider_->remaining_bytes() > 0) |
| 41 frames->push_back(CreateFrame()); | 56 frames->push_back(CreateFrame()); |
| 42 return OK; | 57 return OK; |
| 43 } | 58 } |
| 44 | 59 |
| 45 int WriteFrames(std::vector<std::unique_ptr<WebSocketFrame>>* frames, | 60 int WriteFrames(std::vector<std::unique_ptr<WebSocketFrame>>* frames, |
| 46 const CompletionCallback& callback) override { | 61 const CompletionCallback& callback) override { |
| 47 return ERR_FILE_NOT_FOUND; | 62 return ERR_FILE_NOT_FOUND; |
| 48 } | 63 } |
| 49 | 64 |
| 50 void Close() override {} | 65 void Close() override {} |
| 51 std::string GetSubProtocol() const override { return std::string(); } | 66 std::string GetSubProtocol() const override { return std::string(); } |
| 52 std::string GetExtensions() const override { return std::string(); } | 67 std::string GetExtensions() const override { return std::string(); } |
| 53 | 68 |
| 54 private: | 69 private: |
| 55 std::unique_ptr<WebSocketFrame> CreateFrame() { | 70 std::unique_ptr<WebSocketFrame> CreateFrame() { |
| 56 WebSocketFrameHeader::OpCode opcode = | 71 WebSocketFrameHeader::OpCode opcode = |
| 57 fuzzed_data_provider_.ConsumeInt32InRange( | 72 fuzzed_data_provider_->ConsumeUint32InRange( |
| 58 WebSocketFrameHeader::kOpCodeContinuation, | 73 WebSocketFrameHeader::kOpCodeContinuation, |
| 59 WebSocketFrameHeader::kOpCodeControlUnused); | 74 WebSocketFrameHeader::kOpCodeControlUnused); |
| 60 auto frame = base::MakeUnique<WebSocketFrame>(opcode); | 75 auto frame = base::MakeUnique<WebSocketFrame>(opcode); |
| 61 // Bad news: ConsumeBool actually consumes a whole byte per call, so do | 76 // Bad news: ConsumeBool actually consumes a whole byte per call, so do |
| 62 // something hacky to conserve precious bits. | 77 // something hacky to conserve precious bits. |
| 63 uint8_t flags = fuzzed_data_provider_.ConsumeUint8(); | 78 uint8_t flags = fuzzed_data_provider_->ConsumeUint8(); |
| 64 frame->header.final = flags & 0x1; | 79 frame->header.final = flags & 0x1; |
| 65 frame->header.reserved1 = (flags >> 1) & 0x1; | 80 frame->header.reserved1 = (flags >> 1) & 0x1; |
| 66 frame->header.reserved2 = (flags >> 2) & 0x1; | 81 frame->header.reserved2 = (flags >> 2) & 0x1; |
| 67 frame->header.reserved3 = (flags >> 3) & 0x1; | 82 frame->header.reserved3 = (flags >> 3) & 0x1; |
| 68 frame->header.masked = (flags >> 4) & 0x1; | 83 frame->header.masked = (flags >> 4) & 0x1; |
| 69 uint64_t payload_length = fuzzed_data_provider_.ConsumeInt32InRange(0, 64); | 84 uint64_t payload_length = |
| 70 std::string payload = fuzzed_data_provider_.ConsumeBytes(payload_length); | 85 fuzzed_data_provider_->ConsumeUint32InRange(0, 64); |
| 86 std::string payload = fuzzed_data_provider_->ConsumeBytes(payload_length); |
| 71 frame->data = new StringIOBuffer(payload); | 87 frame->data = new StringIOBuffer(payload); |
| 72 frame->header.payload_length = payload.size(); | 88 frame->header.payload_length = payload.size(); |
| 73 return frame; | 89 return frame; |
| 74 } | 90 } |
| 75 | 91 |
| 76 base::FuzzedDataProvider fuzzed_data_provider_; | 92 base::FuzzedDataProvider* fuzzed_data_provider_; |
| 77 }; | 93 }; |
| 78 | 94 |
| 79 void WebSocketDeflateStreamFuzz(const uint8_t* data, size_t size) { | 95 void WebSocketDeflateStreamFuzz(const uint8_t* data, size_t size) { |
| 96 base::FuzzedDataProvider fuzzed_data_provider(data, size); |
| 97 uint8_t flags = fuzzed_data_provider.ConsumeUint8(); |
| 98 bool server_no_context_takeover = flags & 0x1; |
| 99 bool client_no_context_takeover = (flags >> 1) & 0x1; |
| 100 uint8_t window_bits = fuzzed_data_provider.ConsumeUint8(); |
| 101 int server_max_window_bits = (window_bits & 0x7) + 8; |
| 102 int client_max_window_bits = ((window_bits >> 3) & 0x7) + 8; |
| 80 // WebSocketDeflateStream needs to be constructed on each call because it | 103 // WebSocketDeflateStream needs to be constructed on each call because it |
| 81 // has state. | 104 // has state. |
| 105 WebSocketExtension params("permessage-deflate"); |
| 106 if (server_no_context_takeover) |
| 107 params.Add(WebSocketExtension::Parameter("server_no_context_takeover")); |
| 108 if (client_no_context_takeover) |
| 109 params.Add(WebSocketExtension::Parameter("client_no_context_takeover")); |
| 110 params.Add(WebSocketExtension::Parameter( |
| 111 "server_max_window_bits", base::IntToString(server_max_window_bits))); |
| 112 params.Add(WebSocketExtension::Parameter( |
| 113 "client_max_window_bits", base::IntToString(client_max_window_bits))); |
| 82 std::string failure_message; | 114 std::string failure_message; |
| 83 WebSocketDeflateParameters parameters; | 115 WebSocketDeflateParameters parameters; |
| 84 parameters.Initialize(WebSocketExtension("permessage-deflate"), | 116 DCHECK(parameters.Initialize(params, &failure_message)) << failure_message; |
| 85 &failure_message); | |
| 86 WebSocketDeflateStream deflate_stream( | 117 WebSocketDeflateStream deflate_stream( |
| 87 base::MakeUnique<WebSocketFuzzedStream>(data, size), parameters, | 118 base::MakeUnique<WebSocketFuzzedStream>(&fuzzed_data_provider), |
| 88 base::MakeUnique<WebSocketDeflatePredictorImpl>()); | 119 parameters, base::MakeUnique<WebSocketDeflatePredictorImpl>()); |
| 89 std::vector<std::unique_ptr<net::WebSocketFrame>> frames; | 120 std::vector<std::unique_ptr<net::WebSocketFrame>> frames; |
| 90 deflate_stream.ReadFrames(&frames, CompletionCallback()); | 121 deflate_stream.ReadFrames(&frames, CompletionCallback()); |
| 91 } | 122 } |
| 92 | 123 |
| 93 } // namespace | 124 } // namespace |
| 94 | 125 |
| 95 } // namespace net | 126 } // namespace net |
| 96 | 127 |
| 97 // Entry point for LibFuzzer. | 128 // Entry point for LibFuzzer. |
| 98 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { | 129 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { |
| 130 if (size < net::MIN_USEFUL_SIZE) |
| 131 return 0; |
| 99 net::WebSocketDeflateStreamFuzz(data, size); | 132 net::WebSocketDeflateStreamFuzz(data, size); |
| 100 | 133 |
| 101 return 0; | 134 return 0; |
| 102 } | 135 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2706433003:
Vary the parameters to WebSocketDeflateStream in fuzzer (Closed)
