| Index: net/websockets/websocket_deflate_stream_fuzzer.cc
|
| diff --git a/net/websockets/websocket_deflate_stream_fuzzer.cc b/net/websockets/websocket_deflate_stream_fuzzer.cc
|
| index ca401d14d5f0fc91df2890edcb4fc3ac50796cd1..4f9bed3b7df51804fa8449abe99a8f72ab1f851e 100644
|
| --- a/net/websockets/websocket_deflate_stream_fuzzer.cc
|
| +++ b/net/websockets/websocket_deflate_stream_fuzzer.cc
|
| @@ -11,6 +11,7 @@
|
|
|
| #include "base/logging.h"
|
| #include "base/memory/ptr_util.h"
|
| +#include "base/strings/string_number_conversions.h"
|
| #include "base/strings/string_piece.h"
|
| #include "base/test/fuzzed_data_provider.h"
|
| #include "net/base/completion_callback.h"
|
| @@ -28,16 +29,30 @@ namespace net {
|
|
|
| namespace {
|
|
|
| +// If there are less random bytes left than MIN_BYTES_TO_CREATE_A_FRAME then
|
| +// CreateFrame() will always create an empty frame. Since the fuzzer can create
|
| +// the same empty frame with MIN_BYTES_TO_CREATE_A_FRAME bytes of input, save it
|
| +// from exploring a large space of ways to do the same thing.
|
| +constexpr size_t MIN_BYTES_TO_CREATE_A_FRAME = 3;
|
| +
|
| +constexpr size_t BYTES_CONSUMED_BY_PARAMS = 2;
|
| +
|
| +// If there are exactly BYTES_CONSUMED_BY_PARAMS + MIN_BYTES_TO_CREATE_A_FRAME
|
| +// bytes of input, then the fuzzer will test a single frame. In order to also
|
| +// test the case with zero frames, allow one less byte than this.
|
| +constexpr size_t MIN_USEFUL_SIZE =
|
| + BYTES_CONSUMED_BY_PARAMS + MIN_BYTES_TO_CREATE_A_FRAME - 1;
|
| +
|
| class WebSocketFuzzedStream final : public WebSocketStream {
|
| public:
|
| - WebSocketFuzzedStream(const uint8_t* data, size_t size)
|
| - : fuzzed_data_provider_(data, size) {}
|
| + WebSocketFuzzedStream(base::FuzzedDataProvider* fuzzed_data_provider)
|
| + : fuzzed_data_provider_(fuzzed_data_provider) {}
|
|
|
| int ReadFrames(std::vector<std::unique_ptr<WebSocketFrame>>* frames,
|
| const CompletionCallback& callback) override {
|
| - if (fuzzed_data_provider_.remaining_bytes() == 0)
|
| + if (fuzzed_data_provider_->remaining_bytes() < MIN_BYTES_TO_CREATE_A_FRAME)
|
| return ERR_CONNECTION_CLOSED;
|
| - while (fuzzed_data_provider_.remaining_bytes() > 0)
|
| + while (fuzzed_data_provider_->remaining_bytes() > 0)
|
| frames->push_back(CreateFrame());
|
| return OK;
|
| }
|
| @@ -54,38 +69,54 @@ class WebSocketFuzzedStream final : public WebSocketStream {
|
| private:
|
| std::unique_ptr<WebSocketFrame> CreateFrame() {
|
| WebSocketFrameHeader::OpCode opcode =
|
| - fuzzed_data_provider_.ConsumeInt32InRange(
|
| + fuzzed_data_provider_->ConsumeUint32InRange(
|
| WebSocketFrameHeader::kOpCodeContinuation,
|
| WebSocketFrameHeader::kOpCodeControlUnused);
|
| auto frame = base::MakeUnique<WebSocketFrame>(opcode);
|
| // Bad news: ConsumeBool actually consumes a whole byte per call, so do
|
| // something hacky to conserve precious bits.
|
| - uint8_t flags = fuzzed_data_provider_.ConsumeUint8();
|
| + uint8_t flags = fuzzed_data_provider_->ConsumeUint8();
|
| frame->header.final = flags & 0x1;
|
| frame->header.reserved1 = (flags >> 1) & 0x1;
|
| frame->header.reserved2 = (flags >> 2) & 0x1;
|
| frame->header.reserved3 = (flags >> 3) & 0x1;
|
| frame->header.masked = (flags >> 4) & 0x1;
|
| - uint64_t payload_length = fuzzed_data_provider_.ConsumeInt32InRange(0, 64);
|
| - std::string payload = fuzzed_data_provider_.ConsumeBytes(payload_length);
|
| + uint64_t payload_length =
|
| + fuzzed_data_provider_->ConsumeUint32InRange(0, 64);
|
| + std::string payload = fuzzed_data_provider_->ConsumeBytes(payload_length);
|
| frame->data = new StringIOBuffer(payload);
|
| frame->header.payload_length = payload.size();
|
| return frame;
|
| }
|
|
|
| - base::FuzzedDataProvider fuzzed_data_provider_;
|
| + base::FuzzedDataProvider* fuzzed_data_provider_;
|
| };
|
|
|
| void WebSocketDeflateStreamFuzz(const uint8_t* data, size_t size) {
|
| + base::FuzzedDataProvider fuzzed_data_provider(data, size);
|
| + uint8_t flags = fuzzed_data_provider.ConsumeUint8();
|
| + bool server_no_context_takeover = flags & 0x1;
|
| + bool client_no_context_takeover = (flags >> 1) & 0x1;
|
| + uint8_t window_bits = fuzzed_data_provider.ConsumeUint8();
|
| + int server_max_window_bits = (window_bits & 0x7) + 8;
|
| + int client_max_window_bits = ((window_bits >> 3) & 0x7) + 8;
|
| // WebSocketDeflateStream needs to be constructed on each call because it
|
| // has state.
|
| + WebSocketExtension params("permessage-deflate");
|
| + if (server_no_context_takeover)
|
| + params.Add(WebSocketExtension::Parameter("server_no_context_takeover"));
|
| + if (client_no_context_takeover)
|
| + params.Add(WebSocketExtension::Parameter("client_no_context_takeover"));
|
| + params.Add(WebSocketExtension::Parameter(
|
| + "server_max_window_bits", base::IntToString(server_max_window_bits)));
|
| + params.Add(WebSocketExtension::Parameter(
|
| + "client_max_window_bits", base::IntToString(client_max_window_bits)));
|
| std::string failure_message;
|
| WebSocketDeflateParameters parameters;
|
| - parameters.Initialize(WebSocketExtension("permessage-deflate"),
|
| - &failure_message);
|
| + DCHECK(parameters.Initialize(params, &failure_message)) << failure_message;
|
| WebSocketDeflateStream deflate_stream(
|
| - base::MakeUnique<WebSocketFuzzedStream>(data, size), parameters,
|
| - base::MakeUnique<WebSocketDeflatePredictorImpl>());
|
| + base::MakeUnique<WebSocketFuzzedStream>(&fuzzed_data_provider),
|
| + parameters, base::MakeUnique<WebSocketDeflatePredictorImpl>());
|
| std::vector<std::unique_ptr<net::WebSocketFrame>> frames;
|
| deflate_stream.ReadFrames(&frames, CompletionCallback());
|
| }
|
| @@ -96,6 +127,8 @@ void WebSocketDeflateStreamFuzz(const uint8_t* data, size_t size) {
|
|
|
| // Entry point for LibFuzzer.
|
| extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
| + if (size < net::MIN_USEFUL_SIZE)
|
| + return 0;
|
| net::WebSocketDeflateStreamFuzz(data, size);
|
|
|
| return 0;
|
|
|
Chromium Code Reviews
Issue 2706433003:
Vary the parameters to WebSocketDeflateStream in fuzzer (Closed)
