[6.0] 382fc262c Add a fuzzer for the ESI parser
Dridi Boukelmoune
dridi.boukelmoune at gmail.com
Thu Aug 16 08:52:47 UTC 2018
commit 382fc262c0a0e1c7fbaa514208678cc3f5ef8dca
Author: Federico G. Schwindt <fgsch at lodoss.net>
Date: Sat Apr 21 08:17:41 2018 +0100
Add a fuzzer for the ESI parser
This includes building the fuzzer to avoid code rot, but exercising
the fuzzer will be done elsewhere.
diff --git a/.gitignore b/.gitignore
index 74f73ae61..cdba66f7f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -130,6 +130,9 @@ cscope.*out
/tools/vt_key
/tools/vt_key.pub
+# fuzzers
+/bin/varnishd/esi_parse_fuzzer
+
# Coverity output
/cov-int
/myproject.tgz
diff --git a/bin/varnishd/Makefile.am b/bin/varnishd/Makefile.am
index 9329f3674..255650181 100644
--- a/bin/varnishd/Makefile.am
+++ b/bin/varnishd/Makefile.am
@@ -194,6 +194,16 @@ vhp_decode_test_CFLAGS = @SAN_CFLAGS@ \
vhp_decode_test_LDADD = \
$(top_builddir)/lib/libvarnish/libvarnish.a
+noinst_PROGRAMS += esi_parse_fuzzer
+esi_parse_fuzzer_SOURCES = \
+ cache/cache_esi_parse.c \
+ fuzzers/esi_parse_fuzzer.c
+esi_parse_fuzzer_CFLAGS = \
+ @SAN_CFLAGS@ -DNOT_IN_A_VMOD -DTEST_DRIVER -include config.h
+esi_parse_fuzzer_LDADD = \
+ $(top_builddir)/lib/libvarnish/libvarnish.a \
+ $(top_builddir)/lib/libvgz/libvgz.a
+
TESTS = vhp_table_test vhp_decode_test
#
diff --git a/bin/varnishd/fuzzers/esi_parse_fuzzer.c b/bin/varnishd/fuzzers/esi_parse_fuzzer.c
new file mode 100644
index 000000000..056e63677
--- /dev/null
+++ b/bin/varnishd/fuzzers/esi_parse_fuzzer.c
@@ -0,0 +1,121 @@
+/*-
+ * Copyright (c) 2018 Varnish Software AS
+ * All rights reserved.
+ *
+ * Author: Federico G. Schwindt <fgsch at lodoss.net>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * ESI parser fuzzer.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include "cache/cache.h"
+#include "cache/cache_vgz.h" /* enum vgz_flag */
+#include "cache/cache_esi.h"
+#include "cache/cache_filter.h" /* struct vfp_ctx */
+#include "common/common_param.h" /* struct params */
+
+#include "VSC_main.h"
+#include "vfil.h"
+#include "vsb.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *, size_t);
+
+struct VSC_main *VSC_C_main;
+struct params *cache_param;
+
+void
+VSLb(struct vsl_log *vsl, enum VSL_tag_e tag, const char *fmt, ...)
+{
+ (void)vsl;
+ (void)tag;
+ (void)fmt;
+}
+
+void *
+WS_Alloc(struct ws *ws, unsigned bytes)
+{
+ (void)ws;
+ return (calloc(1, bytes));
+}
+
+int
+LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+ struct VSC_main __VSC_C_main;
+ struct params __cache_param;
+ struct http req = { .magic = HTTP_MAGIC };
+ struct http resp = { .magic = HTTP_MAGIC };
+ struct vfp_ctx vc = { .magic = VFP_CTX_MAGIC };
+ struct vep_state *vep;
+ struct vsb *vsb;
+ struct worker wrk;
+ txt hd[HTTP_HDR_URL + 1];
+
+ if (size < 1)
+ return (0);
+
+ VSC_C_main = &__VSC_C_main;
+ cache_param = &__cache_param;
+
+ /* Zero out the esi feature bits for now */
+ memset(&__cache_param, 0, sizeof(__cache_param));
+
+ /* Setup req */
+ req.hd = hd;
+ req.hd[HTTP_HDR_URL].b = "/";
+
+ /* Setup vc */
+ vc.wrk = &wrk;
+ vc.resp = &resp;
+
+ vep = VEP_Init(&vc, &req, NULL, NULL);
+ AN(vep);
+ VEP_Parse(vep, (const char *)data, size);
+ vsb = VEP_Finish(vep);
+ if (vsb != NULL)
+ VSB_destroy(&vsb);
+ free(vep);
+
+ return (0);
+}
+
+#if defined(TEST_DRIVER)
+int
+main(int argc, char **argv)
+{
+ size_t len;
+ char *buf;
+ int i;
+
+ for (i = 1; i < argc; i++) {
+ buf = VFIL_readfile(NULL, argv[i], &len);
+ AN(buf);
+ LLVMFuzzerTestOneInput(buf, len);
+ free(buf);
+ }
+}
+#endif
More information about the varnish-commit
mailing list