Side by Side Diff: ipc/ipc_fuzzing_tests.cc

Issue 57783006: Revert https://src.chromium.org/viewvc/chrome?view=rev&revision=231330 (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Fix compile (cc perftest). Created 7 years, 1 month ago
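--- a/ipc/ipc_fuzzing_tests.cc
+++ b/ipc/ipc_fuzzing_tests.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <stdio.h>
 #include <string>
 #include <sstream>
 
 #include "base/message_loop/message_loop.h"
 #include "base/threading/platform_thread.h"
@@ -31,86 +31,86 @@
 IPC_MESSAGE_CONTROL0(MsgUnhandled)
 
 // -----------------------------------------------------------------------------
 
 namespace {
 
 TEST(IPCMessageIntegrity, ReadBeyondBufferStr) {
 //This was BUG 984408.
 uint32 v1 = kuint32max - 1;
 int v2 = 666;
-IPC::Message m(0, 1);
+IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
 EXPECT_TRUE(m.WriteInt(v1));
 EXPECT_TRUE(m.WriteInt(v2));
 
 PickleIterator iter(m);
 std::string vs;
 EXPECT_FALSE(m.ReadString(&iter, &vs));
 }
 
 TEST(IPCMessageIntegrity, ReadBeyondBufferWStr) {
 //This was BUG 984408.
 uint32 v1 = kuint32max - 1;
 int v2 = 777;
-IPC::Message m(0, 1);
+IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
 EXPECT_TRUE(m.WriteInt(v1));
 EXPECT_TRUE(m.WriteInt(v2));
 
 PickleIterator iter(m);
 std::wstring vs;
 EXPECT_FALSE(m.ReadWString(&iter, &vs));
 }
 
 TEST(IPCMessageIntegrity, ReadBytesBadIterator) {
 // This was BUG 1035467.
-IPC::Message m(0, 1);
+IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
 EXPECT_TRUE(m.WriteInt(1));
 EXPECT_TRUE(m.WriteInt(2));
 
 PickleIterator iter(m);
 const char* data = NULL;
 EXPECT_TRUE(m.ReadBytes(&iter, &data, sizeof(int)));
 }
 
 TEST(IPCMessageIntegrity, ReadVectorNegativeSize) {
 // A slight variation of BUG 984408. Note that the pickling of vector<char>
 // has a specialized template which is not vulnerable to this bug. So here
 // try to hit the non-specialized case vector<P>.
-IPC::Message m(0, 1);
+IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
 EXPECT_TRUE(m.WriteInt(-1)); // This is the count of elements.
 EXPECT_TRUE(m.WriteInt(1));
 EXPECT_TRUE(m.WriteInt(2));
 EXPECT_TRUE(m.WriteInt(3));
 
 std::vector<double> vec;
 PickleIterator iter(m);
 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
 }
 
 TEST(IPCMessageIntegrity, ReadVectorTooLarge1) {
 // This was BUG 1006367. This is the large but positive length case. Again
 // we try to hit the non-specialized case vector<P>.
-IPC::Message m(0, 1);
+IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
 EXPECT_TRUE(m.WriteInt(0x21000003)); // This is the count of elements.
 EXPECT_TRUE(m.WriteInt64(1));
 EXPECT_TRUE(m.WriteInt64(2));
 
 std::vector<int64> vec;
 PickleIterator iter(m);
 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
 }
 
 TEST(IPCMessageIntegrity, ReadVectorTooLarge2) {
 // This was BUG 1006367. This is the large but positive with an additional
 // integer overflow when computing the actual byte size. Again we try to hit
 // the non-specialized case vector<P>.
-IPC::Message m(0, 1);
+IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
 EXPECT_TRUE(m.WriteInt(0x71000000)); // This is the count of elements.
 EXPECT_TRUE(m.WriteInt64(1));
 EXPECT_TRUE(m.WriteInt64(2));
 
 std::vector<int64> vec;
 PickleIterator iter(m);
 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
 }
 
 class SimpleListener : public IPC::Listener {
@@ -157,21 +157,22 @@
 Cleanup();
 }
 
 void OnMsgClassSIMessage(const std::wstring& text, int value) {
 UseData(MsgClassSI::ID, value, text);
 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassSI::ID, value);
 Cleanup();
 }
 
 bool RoundtripAckReply(int routing, uint32 type_id, int reply) {
-IPC::Message* message = new IPC::Message(routing, type_id);
+IPC::Message* message = new IPC::Message(routing, type_id,
+IPC::Message::PRIORITY_NORMAL);
 message->WriteInt(reply + 1);
 message->WriteInt(reply);
 return other_->Send(message);
 }
 
 void Cleanup() {
 --message_count_;
 --pending_messages_;
 if (0 == message_count_)
 base::MessageLoop::current()->Quit();
@@ -290,48 +291,50 @@
 #if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON)
 TEST_F(IPCFuzzingTest, MsgBadPayloadShort) {
 Init("FuzzServerClient");
 
 FuzzerClientListener listener;
 CreateChannel(&listener);
 listener.Init(channel());
 ASSERT_TRUE(ConnectChannel());
 ASSERT_TRUE(StartClient());
 
-IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID);
+IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID,
+IPC::Message::PRIORITY_NORMAL);
 msg->WriteInt(666);
 sender()->Send(msg);
 EXPECT_TRUE(listener.ExpectMsgNotHandled(MsgClassIS::ID));
 
 msg = new MsgClassSI(L"expect one", 1);
 sender()->Send(msg);
 EXPECT_TRUE(listener.ExpectMessage(1, MsgClassSI::ID));
 
 EXPECT_TRUE(WaitForClientShutdown());
 DestroyChannel();
 }
 #endif
 
 // This test uses a payload that has too many arguments, but so the payload size
 // is big enough so the unpacking routine does not generate an error as in the
 // case of MsgBadPayloadShort test. This test does not pinpoint a flaw (per se)
 // as by design we don't carry type information on the IPC message.
 TEST_F(IPCFuzzingTest, MsgBadPayloadArgs) {
 Init("FuzzServerClient");
 
 FuzzerClientListener listener;
 CreateChannel(&listener);
 listener.Init(channel());
 ASSERT_TRUE(ConnectChannel());
 ASSERT_TRUE(StartClient());
 
-IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID);
+IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID,
+IPC::Message::PRIORITY_NORMAL);
 msg->WriteWString(L"d");
 msg->WriteInt(0);
 msg->WriteInt(0x65); // Extra argument.
 
 sender()->Send(msg);
 EXPECT_TRUE(listener.ExpectMessage(0, MsgClassSI::ID));
 
 // Now send a well formed message to make sure the receiver wasn't
 // thrown out of sync by the extra argument.
 msg = new MsgClassIS(3, L"expect three");
@@ -383,26 +386,28 @@
 // Test the regular messages.
 msg = new MsgClassIS(3, L"text3");
 EXPECT_TRUE(server.OnMessageReceived(*msg));
 delete msg;
 msg = new MsgClassSI(L"text2", 2);
 EXPECT_TRUE(server.OnMessageReceived(*msg));
 delete msg;
 
 #if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON)
 // Test a bad message.
-msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID);
+msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID,
+IPC::Message::PRIORITY_NORMAL);
 msg->WriteInt(2);
 EXPECT_FALSE(server.OnMessageReceived(*msg));
 delete msg;
 
-msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID);
+msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID,
+IPC::Message::PRIORITY_NORMAL);
 msg->WriteInt(0x64);
 msg->WriteInt(0x32);
 EXPECT_FALSE(server.OnMessageReceived(*msg));
 delete msg;
 
 EXPECT_EQ(0, server.unhandled_msgs());
 #endif
 }
 
 } // namespace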
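Review bot: Every constructor call changed in this file passes `IPC::Message::PRIORITY_NORMAL`, so none of the integrity or fuzzing tests exercises the priority argument that this revert restores. If the priority is carried in the serialized message header (not visible on this page), a receiver-side test that sends a non-default value would be worth adding next to MsgBadPayloadShort and MsgBadPayloadArgs. As a point of style, the repeated three-argument form for control messages could go through one file-local helper, for example `IPC::Message* NewControlMessage(uint32 type) { return new IPC::Message(MSG_ROUTING_CONTROL, type, IPC::Message::PRIORITY_NORMAL); }`, so a later signature change touches a single line. The SimpleListener class body and the test that ends at new line 411 both begin in regions the page skips, so their surrounding code was not reviewed.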