Home Explore Help
Register Sign In
PSG
/
civetweb
mirror of https://github.com/civetweb/civetweb.git
5
0
Fork 0
Files Issues 0 Wiki
Tree: 9c96991d7e
Branches Tags
civetweb
/
fuzztest
/
fuzzmain.c

fuzzmain.c 5.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239 
  1. #include "civetweb.h"
    2. 

  2. #include <errno.h>
    3. 

  3. #include <stdint.h>
    4. 

  4. #include <stdlib.h>
    5. 

  5. #include <string.h>
    6. 

  6. 

  7. #if defined(_WIN32)
    8. 

  8. #error "Currently not supported"
    9. 

  9. #else
    10. 

  10. 

  11. #include <unistd.h>
    12. 

  12. #define test_sleep(x) (sleep(x))
    13. 

  13. #include <arpa/inet.h>
    14. 

  14. #include <netinet/in.h>
    15. 

  15. #include <netinet/ip.h>
    16. 

  16. #include <sys/socket.h>
    17. 

  17. #include <sys/types.h>
    18. 

  18. typedef int SOCKET;
    19. 

  19. #define closesocket(a) (close(a))
    20. 

  20. 

  21. #endif
    22. 

  22. 

  23. 

  24. static uint64_t call_count = 0;
    25. 

  25. 

  26. static struct mg_context *ctx;
    27. 

  27. static const char *OPTIONS[] = {"listening_ports",
    28. 

  28.                                 "8080,8443s",
    29. 

  29.                                 "document_root",
    30. 

  30.                                 "fuzztest/docroot",
    31. 

  31.                                 "ssl_certificate",
    32. 

  32.                                 "resources/cert/server.pem",
    33. 

  33.                                 NULL,
    34. 

  34.                                 NULL};
    35. 

  35. 

  36. 

  37. static void
    38. 

  38. init_civetweb(void)
    39. 

  39. {
    40. 

  40. 	struct mg_callbacks callbacks;
    41. 

  41. 	memset(&callbacks, 0, sizeof(callbacks));
    42. 

  42. 

  43. 	ctx = mg_start(&callbacks, 0, OPTIONS);
    44. 

  44. 

  45. 	if (!ctx) {
    46. 

  46. 		fprintf(stderr, "\nCivetWeb test server failed to start\n");
    47. 

  47. 		abort();
    48. 

  48. 	}
    49. 

  49. 

  50. 	/* Give server 5 seconds to start, before flooding with requests.
    51. 

  51. 	 * Don't know if this is required for fuzz-tests, but it was helpful
    52. 

  52. 	 * when testing starting/stopping the server multiple times in test
    53. 

  53. 	 * container environments. */
    54. 

  54. 	test_sleep(5);
    55. 

  55. }
    56. 

  56. 

  57. 

  58. static int
    59. 

  59. test_http_request(const char *server,
    60. 

  60.                   uint16_t port,
    61. 

  61.                   int use_ssl,
    62. 

  62.                   const char *uri)
    63. 

  63. {
    64. 

  64. 	/* Client var */
    65. 

  65. 	struct mg_connection *client;
    66. 

  66. 	char client_err_buf[256];
    67. 

  67. 	char client_data_buf[4096];
    68. 

  68. 	const struct mg_response_info *client_ri;
    69. 

  69. 	int64_t data_read;
    70. 

  70. 	int r;
    71. 

  71. 

  72. 	client = mg_connect_client(
    73. 

  73. 	    server, port, use_ssl, client_err_buf, sizeof(client_err_buf));
    74. 

  74. 

  75. 	if ((client == NULL) || (0 != strcmp(client_err_buf, ""))) {
    76. 

  76. 		fprintf(stderr,
    77. 

  77. 		        "%s connection to server [%s] port [%u] failed: [%s]\n",
    78. 

  78. 		        use_ssl ? "HTTPS" : "HTTP",
    79. 

  79. 		        server,
    80. 

  80. 		        port,
    81. 

  81. 		        client_err_buf);
    82. 

  82. 		if (client) {
    83. 

  83. 			mg_close_connection(client);
    84. 

  84. 		}
    85. 

  85. 

  86. 		/* In heavy fuzz testing, sometimes we run out of available sockets.
    87. 

  87. 		 * Wait for some seconds, and retry. */
    88. 

  88. 		test_sleep(5);
    89. 

  89. 

  90. 		/* retry once */
    91. 

  91. 		client = mg_connect_client(
    92. 

  92. 		    server, port, use_ssl, client_err_buf, sizeof(client_err_buf));
    93. 

  93. 		if (!client) {
    94. 

  94. 			fprintf(stderr, "Retry: error\n");
    95. 

  95. 			return 1;
    96. 

  96. 		}
    97. 

  97. 		fprintf(stderr, "Retry: success\n");
    98. 

  98. 	}
    99. 

  99. 

  100. 	mg_printf(client, "GET %s HTTP/1.0\r\n\r\n", uri);
    101. 

  101. 

  102. 	r = mg_get_response(client, client_err_buf, sizeof(client_err_buf), 10000);
    103. 

  103. 

  104. 	if ((r < 0) || (0 != strcmp(client_err_buf, ""))) {
    105. 

  105. 		mg_close_connection(client);
    106. 

  106. 		return 1;
    107. 

  107. 	}
    108. 

  108. 

  109. 	client_ri = mg_get_response_info(client);
    110. 

  110. 	if (client_ri == NULL) {
    111. 

  111. 		mg_close_connection(client);
    112. 

  112. 		return 1;
    113. 

  113. 	}
    114. 

  114. 

  115. 	data_read = 0;
    116. 

  116. 	while (data_read < client_ri->content_length) {
    117. 

  117. 		/* store the first sizeof(client_data_buf) bytes
    118. 

  118. 		 * of the HTTP response. */
    119. 

  119. 		r = mg_read(client,
    120. 

  120. 		            client_data_buf + data_read,
    121. 

  121. 		            sizeof(client_data_buf) - (size_t)data_read);
    122. 

  122. 		if (r > 0) {
    123. 

  123. 			data_read += r;
    124. 

  124. 		}
    125. 

  125. 

  126. 		/* buffer filled? */
    127. 

  127. 		if (sizeof(client_data_buf) == (size_t)data_read) {
    128. 

  128. 			/* ignore the rest */
    129. 

  129. 			while (r > 0) {
    130. 

  130. 				char trash[1024];
    131. 

  131. 				r = mg_read(client, trash, sizeof(trash));
    132. 

  132. 			}
    133. 

  133. 			break;
    134. 

  134. 		}
    135. 

  135. 	}
    136. 

  136. 

  137. 	/* Nothing left to read */
    138. 

  138. 	r = mg_read(client, client_data_buf, sizeof(client_data_buf));
    139. 

  139. 	if (r != 0) {
    140. 

  140. 		mg_close_connection(client);
    141. 

  141. 		return 1;
    142. 

  142. 	}
    143. 

  143. 

  144. 	mg_close_connection(client);
    145. 

  145. 	return 0;
    146. 

  146. }
    147. 

  147. 

  148. 

  149. static int
    150. 

  150. LLVMFuzzerTestOneInput_URI(const uint8_t *data, size_t size)
    151. 

  151. {
    152. 

  152. 	static char URI[1024 * 64]; /* static, to avoid stack overflow */
    153. 

  153. 

  154. 	if (call_count == 0) {
    155. 

  155. 		memset(URI, 0, sizeof(URI));
    156. 

  156. 		init_civetweb();
    157. 

  157. 	}
    158. 

  158. 	call_count++;
    159. 

  159. 

  160. 	if (size < sizeof(URI)) {
    161. 

  161. 		memcpy(URI, data, size);
    162. 

  162. 		URI[size] = 0;
    163. 

  163. 	} else {
    164. 

  164. 		return 1;
    165. 

  165. 	}
    166. 

  166. 

  167. 	printf("URI: %s\n", URI);
    168. 

  168. 

  169. 	return test_http_request("127.0.0.1", 8080, 0, URI);
    170. 

  170. }
    171. 

  171. 

  172. 

  173. static int
    174. 

  174. LLVMFuzzerTestOneInput_REQUEST(const uint8_t *data, size_t size)
    175. 

  175. {
    176. 

  176. 	if (call_count == 0) {
    177. 

  177. 		init_civetweb();
    178. 

  178. 	}
    179. 

  179. 	call_count++;
    180. 

  180. 

  181. 	int r;
    182. 

  182. 	SOCKET sock = socket(AF_INET, SOCK_STREAM, 6);
    183. 

  183. 	if (sock == -1) {
    184. 

  184. 		r = errno;
    185. 

  185. 		fprintf(stderr, "Error: Cannot create socket [%s]\n", strerror(r));
    186. 

  186. 		return 1;
    187. 

  187. 	}
    188. 

  188. 	struct sockaddr_in sin;
    189. 

  189. 	memset(&sin, 0, sizeof(sin));
    190. 

  190. 	sin.sin_family = AF_INET;
    191. 

  191. 	sin.sin_addr.s_addr = inet_addr("127.0.0.1");
    192. 

  192. 	sin.sin_port = htons(8080);
    193. 

  193. 	r = connect(sock, (struct sockaddr *)&sin, sizeof(sin));
    194. 

  194. 	if (r != 0) {
    195. 

  195. 		r = errno;
    196. 

  196. 		fprintf(stderr, "Error: Cannot connect [%s]\n", strerror(r));
    197. 

  197. 		closesocket(sock);
    198. 

  198. 		return 1;
    199. 

  199. 	}
    200. 

  200. 

  201. 	char trash[1024];
    202. 

  202. 	r = send(sock, data, size, 0);
    203. 

  203. 	if (r != size) {
    204. 

  204. 		fprintf(stderr, "Warning: %i bytes sent (TODO: Repeat)\n", r);
    205. 

  205. 	}
    206. 

  206. 

  207. 	int data_read = 0;
    208. 

  208. 	while ((r = recv(sock, trash, sizeof(trash), 0)) > 0) {
    209. 

  209. 		data_read += r;
    210. 

  210. 	};
    211. 

  211. 

  212. 	shutdown(sock, SHUT_RDWR);
    213. 

  213. 	closesocket(sock);
    214. 

  214. 

  215. 	static int max_data_read = 0;
    216. 

  216. 	if (data_read > max_data_read) {
    217. 

  217. 		max_data_read = data_read;
    218. 

  218. 		printf("GOT data: %i\n", data_read);
    219. 

  219. 	}
    220. 

  220. }
    221. 

  221. 

  222. int
    223. 

  223. LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
    224. 

  224. {
    225. 

  225. #if defined(TEST_FUZZ1)
    226. 

  226. 	/* fuzz target 1: different URI for HTTP/1 server */
    227. 

  227. 	return LLVMFuzzerTestOneInput_URI(data, size);
    228. 

  228. #elif defined(TEST_FUZZ2)
    229. 

  229. 	/* fuzz target 2: different requests for HTTP/1 server */
    230. 

  230. 	return LLVMFuzzerTestOneInput_REQUEST(data, size);
    231. 

  231. #else
    232. 

  232. /* planned targets */
    233. 

  233. /* fuzz target 3: different responses for HTTP/1 client */
    234. 

  234. /* fuzz target 4: different requests for HTTP/2 server */
    235. 

  235. /* fuzz target 5: calling an internal server test function,
    236. 

  236.  *                bypassing network sockets */
    237. 

  237. #error "Unknown fuzz target"
    238. 

  238. #endif
    239. 

  239. }
    240.