| // Copyright 2019 The Chromium OS Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include <stddef.h> |
| #include <stdint.h> |
| |
| #include <base/files/file_path.h> |
| #include <base/files/file_util.h> |
| #include <base/files/scoped_temp_dir.h> |
| #include <base/logging.h> |
| #include <brillo/http/http_form_data.h> |
| #include <brillo/streams/memory_stream.h> |
| #include <fuzzer/FuzzedDataProvider.h> |
| |
| namespace { |
| constexpr int kRandomDataMaxLength = 64; |
| constexpr int kMaxRecursionDepth = 256; |
| |
| std::unique_ptr<brillo::http::TextFormField> CreateTextFormField( |
| FuzzedDataProvider* data_provider) { |
| return std::make_unique<brillo::http::TextFormField>( |
| data_provider->ConsumeRandomLengthString(kRandomDataMaxLength), |
| data_provider->ConsumeRandomLengthString(kRandomDataMaxLength), |
| data_provider->ConsumeRandomLengthString(kRandomDataMaxLength), |
| data_provider->ConsumeRandomLengthString(kRandomDataMaxLength)); |
| } |
| |
| std::unique_ptr<brillo::http::FileFormField> CreateFileFormField( |
| FuzzedDataProvider* data_provider) { |
| brillo::StreamPtr mem_stream = brillo::MemoryStream::OpenCopyOf( |
| data_provider->ConsumeRandomLengthString(kRandomDataMaxLength), nullptr); |
| return std::make_unique<brillo::http::FileFormField>( |
| data_provider->ConsumeRandomLengthString(kRandomDataMaxLength), |
| std::move(mem_stream), |
| data_provider->ConsumeRandomLengthString(kRandomDataMaxLength), |
| data_provider->ConsumeRandomLengthString(kRandomDataMaxLength), |
| data_provider->ConsumeRandomLengthString(kRandomDataMaxLength), |
| data_provider->ConsumeRandomLengthString(kRandomDataMaxLength)); |
| } |
| |
| std::unique_ptr<brillo::http::MultiPartFormField> CreateMultipartFormField( |
| FuzzedDataProvider* data_provider, int depth) { |
| std::unique_ptr<brillo::http::MultiPartFormField> multipart_field = |
| std::make_unique<brillo::http::MultiPartFormField>( |
| data_provider->ConsumeRandomLengthString(kRandomDataMaxLength), |
| data_provider->ConsumeRandomLengthString(kRandomDataMaxLength), |
| data_provider->ConsumeRandomLengthString(kRandomDataMaxLength)); |
| |
| // Randomly add fields to this like we do the base FormData, but don't loop |
| // forever. |
| while (data_provider->ConsumeBool()) { |
| if (data_provider->ConsumeBool()) { |
| // Add a random text field to the form. |
| multipart_field->AddCustomField(CreateTextFormField(data_provider)); |
| } |
| if (data_provider->ConsumeBool()) { |
| // Add a random file field to the form. |
| multipart_field->AddCustomField(CreateFileFormField(data_provider)); |
| } |
| // Limit our recursion depth. We could make this part of our code iterative, |
| // but that won't help because in libbrillo we use recursion to generate the |
| // stream so we would hit a stack depth limit there as well. |
| if (depth < kMaxRecursionDepth && data_provider->ConsumeBool()) { |
| // Add a random multipart form field to the form. |
| multipart_field->AddCustomField( |
| CreateMultipartFormField(data_provider, depth + 1)); |
| } |
| } |
| |
| return multipart_field; |
| } |
| |
| } // namespace |
| |
| bool IgnoreLogging(int, const char*, int, size_t, const std::string&) { |
| return true; |
| } |
| |
| class Environment { |
| public: |
| Environment() { |
| // Disable logging. Normally this would be done with logging::SetMinLogLevel |
| // but that doesn't work for brillo::Error for because it's not using the |
| // LOG(ERROR) macro which is where the actual log level check occurs. |
| logging::SetLogMessageHandler(&IgnoreLogging); |
| } |
| }; |
| |
| extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { |
| static Environment env; |
| FuzzedDataProvider data_provider(data, size); |
| // Randomly add a bunch of fields to the FormData and then when done extract |
| // and consume the data stream. |
| brillo::http::FormData form_data( |
| data_provider.ConsumeRandomLengthString(kRandomDataMaxLength)); |
| while (data_provider.remaining_bytes() > 0) { |
| if (data_provider.ConsumeBool()) { |
| // Add a random text field to the form. |
| form_data.AddCustomField(CreateTextFormField(&data_provider)); |
| } |
| if (data_provider.ConsumeBool()) { |
| // Add a random file field to the form. |
| form_data.AddCustomField(CreateFileFormField(&data_provider)); |
| } |
| if (data_provider.ConsumeBool()) { |
| // Add a random multipart form field to the form. |
| form_data.AddCustomField(CreateMultipartFormField(&data_provider, 0)); |
| } |
| } |
| |
| brillo::StreamPtr form_stream = form_data.ExtractDataStream(); |
| if (!form_stream) |
| return 0; |
| |
| // We need to use a decent sized buffer and call ReadAllBlocking to avoid |
| // excess overhead with reading here that can make the fuzzer timeout. |
| uint8_t buffer[32768]; |
| while (form_stream->GetRemainingSize() > 0) { |
| if (!form_stream->ReadAllBlocking(buffer, sizeof(buffer), nullptr)) { |
| // If there's an error reading from the stream, then bail since we'd |
| // likely just see repeated errors and never exit. |
| break; |
| } |
| } |
| |
| return 0; |
| } |