[6.0] 382fc262c Add a fuzzer for the ESI parser

Dridi Boukelmoune dridi.boukelmoune at gmail.com
Thu Aug 16 08:52:47 UTC 2018


commit 382fc262c0a0e1c7fbaa514208678cc3f5ef8dca
Author: Federico G. Schwindt <fgsch at lodoss.net>
Date:   Sat Apr 21 08:17:41 2018 +0100

    Add a fuzzer for the ESI parser
    
    This includes building the fuzzer to avoid code rot, but exercising
    the fuzzer will be done elsewhere.

diff --git a/.gitignore b/.gitignore
index 74f73ae61..cdba66f7f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -130,6 +130,9 @@ cscope.*out
 /tools/vt_key
 /tools/vt_key.pub
 
+# fuzzers
+/bin/varnishd/esi_parse_fuzzer
+
 # Coverity output
 /cov-int
 /myproject.tgz
diff --git a/bin/varnishd/Makefile.am b/bin/varnishd/Makefile.am
index 9329f3674..255650181 100644
--- a/bin/varnishd/Makefile.am
+++ b/bin/varnishd/Makefile.am
@@ -194,6 +194,16 @@ vhp_decode_test_CFLAGS = @SAN_CFLAGS@ \
 vhp_decode_test_LDADD = \
 	$(top_builddir)/lib/libvarnish/libvarnish.a
 
+noinst_PROGRAMS += esi_parse_fuzzer
+esi_parse_fuzzer_SOURCES = \
+	cache/cache_esi_parse.c \
+	fuzzers/esi_parse_fuzzer.c
+esi_parse_fuzzer_CFLAGS = \
+	@SAN_CFLAGS@ -DNOT_IN_A_VMOD -DTEST_DRIVER -include config.h
+esi_parse_fuzzer_LDADD = \
+	$(top_builddir)/lib/libvarnish/libvarnish.a \
+	$(top_builddir)/lib/libvgz/libvgz.a
+
 TESTS = vhp_table_test vhp_decode_test
 
 #
diff --git a/bin/varnishd/fuzzers/esi_parse_fuzzer.c b/bin/varnishd/fuzzers/esi_parse_fuzzer.c
new file mode 100644
index 000000000..056e63677
--- /dev/null
+++ b/bin/varnishd/fuzzers/esi_parse_fuzzer.c
@@ -0,0 +1,121 @@
+/*-
+ * Copyright (c) 2018 Varnish Software AS
+ * All rights reserved.
+ *
+ * Author: Federico G. Schwindt <fgsch at lodoss.net>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * ESI parser fuzzer.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include "cache/cache.h"
+#include "cache/cache_vgz.h"		/* enum vgz_flag */
+#include "cache/cache_esi.h"
+#include "cache/cache_filter.h"		/* struct vfp_ctx */
+#include "common/common_param.h"	/* struct params */
+
+#include "VSC_main.h"
+#include "vfil.h"
+#include "vsb.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *, size_t);
+
+struct VSC_main *VSC_C_main;
+struct params *cache_param;
+
+void
+VSLb(struct vsl_log *vsl, enum VSL_tag_e tag, const char *fmt, ...)
+{
+	(void)vsl;
+	(void)tag;
+	(void)fmt;
+}
+
+void *
+WS_Alloc(struct ws *ws, unsigned bytes)
+{
+	(void)ws;
+	return (calloc(1, bytes));
+}
+
+int
+LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+	struct VSC_main __VSC_C_main;
+	struct params __cache_param;
+	struct http req = { .magic = HTTP_MAGIC };
+	struct http resp = { .magic = HTTP_MAGIC };
+	struct vfp_ctx vc = { .magic = VFP_CTX_MAGIC };
+	struct vep_state *vep;
+	struct vsb *vsb;
+	struct worker wrk;
+	txt hd[HTTP_HDR_URL + 1];
+
+	if (size < 1)
+		return (0);
+
+	VSC_C_main = &__VSC_C_main;
+	cache_param = &__cache_param;
+
+	/* Zero out the esi feature bits for now */
+	memset(&__cache_param, 0, sizeof(__cache_param));
+
+	/* Setup req */
+	req.hd = hd;
+	req.hd[HTTP_HDR_URL].b = "/";
+
+	/* Setup vc */
+	vc.wrk = &wrk;
+	vc.resp = &resp;
+
+	vep = VEP_Init(&vc, &req, NULL, NULL);
+	AN(vep);
+	VEP_Parse(vep, (const char *)data, size);
+	vsb = VEP_Finish(vep);
+	if (vsb != NULL)
+		VSB_destroy(&vsb);
+	free(vep);
+
+	return (0);
+}
+
+#if defined(TEST_DRIVER)
+int
+main(int argc, char **argv)
+{
+	size_t len;
+	char *buf;
+	int i;
+
+	for (i = 1; i < argc; i++) {
+		buf = VFIL_readfile(NULL, argv[i], &len);
+		AN(buf);
+		LLVMFuzzerTestOneInput(buf, len);
+		free(buf);
+	}
+}
+#endif
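Review bot: `__VSC_C_main` and `__cache_param`, the two locals at the top of LLVMFuzzerTestOneInput, start with a double underscore, which C reserves for the implementation; renaming them along the lines of `vsc_main_storage` and `cache_param_storage` avoids the clash. In `main`, `buf` is a `char *` handed to a `const uint8_t *` parameter, which is a `-Wpointer-sign` warning under `-Wall`; `LLVMFuzzerTestOneInput((const uint8_t *)buf, len);` makes the conversion explicit. `struct worker wrk` is never initialized before `vc.wrk = &wrk`, so anything the parser reads from it beyond the workspace pointer the `WS_Alloc` stub discards is indeterminate — a `memset(&wrk, 0, sizeof wrk);` (or a designated initializer setting its magic, if VEP_Init checks one) would make the harness deterministic. Finally, `main` falls off the end without a `return (0);`, which C99 allows but which differs from the rest of the file's style.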

