Add a fuzzer for the ESI parser

This includes building the fuzzer to avoid code rot, but exercising the fuzzer will be done elsewhere.

Add a fuzzer for the ESI parser
This includes building the fuzzer to avoid code rot, but exercising the fuzzer will be done elsewhere.
3e57151e · Federico G. Schwindt · 2e6178c0 · 3e57151e · 3e57151e · 3e57151e
Commit 3e57151e authored Apr 21, 2018 by Federico G. Schwindt
Hide whitespace changes
Inline Side-by-side

Showing with 134 additions and 0 deletions

.gitignore .gitignore +3 -0

Makefile.am bin/varnishd/Makefile.am +10 -0

esi_parse_fuzzer.c bin/varnishd/fuzzers/esi_parse_fuzzer.c +121 -0

No files found.
--- a/.gitignore
+++ b/.gitignore
@@ -130,6 +130,9 @@ cscope.*out
 /tools/vt_key
 /tools/vt_key.pub
+# fuzzers
+/bin/varnishd/esi_parse_fuzzer
 # Coverity output
 /cov-int
 /myproject.tgz

--- a/bin/varnishd/Makefile.am
+++ b/bin/varnishd/Makefile.am
@@ -194,6 +194,16 @@ vhp_decode_test_CFLAGS = @SAN_CFLAGS@ \
 vhp_decode_test_LDADD = \
 	$(top_builddir)/lib/libvarnish/libvarnish.a
+noinst_PROGRAMS += esi_parse_fuzzer
+esi_parse_fuzzer_SOURCES = \
+	cache/cache_esi_parse.c \
+	fuzzers/esi_parse_fuzzer.c
+esi_parse_fuzzer_CFLAGS = \
+	@SAN_CFLAGS@ -DNOT_IN_A_VMOD -DTEST_DRIVER -include config.h
+esi_parse_fuzzer_LDADD = \
+	$(top_builddir)/lib/libvarnish/libvarnish.a \
+	$(top_builddir)/lib/libvgz/libvgz.a
 TESTS = vhp_table_test vhp_decode_test
 #

--- a/bin/varnishd/fuzzers/esi_parse_fuzzer.c
+++ b/bin/varnishd/fuzzers/esi_parse_fuzzer.c
+/*-
+ * Copyright (c) 2018 Varnish Software AS
+ * All rights reserved.
+ *
+ * Author: Federico G. Schwindt <fgsch@lodoss.net>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * ESI parser fuzzer.
+ */
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include "cache/cache.h"
+#include "cache/cache_vgz.h"		/* enum vgz_flag */
+#include "cache/cache_esi.h"
+#include "cache/cache_filter.h"		/* struct vfp_ctx */
+#include "common/common_param.h"	/* struct params */
+#include "VSC_main.h"
+#include "vfil.h"
+#include "vsb.h"
+int LLVMFuzzerTestOneInput(const uint8_t *, size_t);
+struct VSC_main *VSC_C_main;
+struct params *cache_param;
+void
+VSLb(struct vsl_log *vsl, enum VSL_tag_e tag, const char *fmt, ...)
+{
+	(void)vsl;
+	(void)tag;
+	(void)fmt;
+}
+void *
+WS_Alloc(struct ws *ws, unsigned bytes)
+{
+	(void)ws;
+	return (calloc(1, bytes));
+}
+int
+LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+	struct VSC_main __VSC_C_main;
+	struct params __cache_param;
+	struct http req = { .magic = HTTP_MAGIC };
+	struct http resp = { .magic = HTTP_MAGIC };
+	struct vfp_ctx vc = { .magic = VFP_CTX_MAGIC };
+	struct vep_state *vep;
+	struct vsb *vsb;
+	struct worker wrk;
+	txt hd[HTTP_HDR_URL + 1];
+	if (size < 1)
+		return (0);
+	VSC_C_main = &__VSC_C_main;
+	cache_param = &__cache_param;
+	/* Zero out the esi feature bits for now */
+	memset(&__cache_param, 0, sizeof(__cache_param));
+	/* Setup req */
+	req.hd = hd;
+	req.hd[HTTP_HDR_URL].b = "/";
+	/* Setup vc */
+	vc.wrk = &wrk;
+	vc.resp = &resp;
+	vep = VEP_Init(&vc, &req, NULL, NULL);
+	AN(vep);
+	VEP_Parse(vep, (const char *)data, size);
+	vsb = VEP_Finish(vep);
+	if (vsb != NULL)
+		VSB_destroy(&vsb);
+	free(vep);
+	return (0);
+}
+#if defined(TEST_DRIVER)
+int
+main(int argc, char **argv)
+{
+	size_t len;
+	char *buf;
+	int i;
+	for (i = 1; i < argc; i++) {
+		buf = VFIL_readfile(NULL, argv[i], &len);
+		AN(buf);
+		LLVMFuzzerTestOneInput(buf, len);
+		free(buf);
+	}
+}
+#endif