Add a fuzzer for HTTP CONNECT

1 files changed, 105 insertions, 0 deletions

diff --git a/src/test/fuzz/fuzz_http_connect.c b/src/test/fuzz/fuzz_http_connect.c
new file mode 100644
index 0000000000..68f58387ed
--- /dev/null
+++ b/src/test/fuzz/fuzz_http_connect.c
@@ -0,0 +1,105 @@
+/* Copyright (c) 2016-2017, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+#include "orconfig.h"
+
+#define BUFFERS_PRIVATE
+#define CONNECTION_EDGE_PRIVATE
+
+#include "or.h"
+#include "backtrace.h"
+#include "buffers.h"
+#include "config.h"
+#include "connection.h"
+#include "connection_edge.h"
+#include "torlog.h"
+
+#include "fuzzing.h"
+
+static void
+mock_connection_write_to_buf_impl_(const char *string, size_t len,
+                                   connection_t *conn, int compressed)
+{
+  log_debug(LD_GENERAL, "%sResponse:\n%u\nConnection: %p\n%s\n",
+            compressed ? "Compressed " : "", (unsigned)len, conn, string);
+}
+
+static void
+mock_connection_mark_unattached_ap_(entry_connection_t *conn, int endreason,
+                                    int line, const char *file)
+{
+  (void)conn;
+  (void)endreason;
+  (void)line;
+  (void)file;
+}
+
+static int
+mock_connection_ap_rewrite_and_attach_if_allowed(entry_connection_t *conn,
+                                                 origin_circuit_t *circ,
+                                                 crypt_path_t *cpath)
+{
+  (void)conn;
+  (void)circ;
+  (void)cpath;
+  return 0;
+}
+
+int
+fuzz_init(void)
+{
+  /* Set up fake response handler */
+  MOCK(connection_write_to_buf_impl_, mock_connection_write_to_buf_impl_);
+  /* Set up the fake handler functions */
+  MOCK(connection_mark_unattached_ap_, mock_connection_mark_unattached_ap_);
+  MOCK(connection_ap_rewrite_and_attach_if_allowed,
+       mock_connection_ap_rewrite_and_attach_if_allowed);
+
+  return 0;
+}
+
+int
+fuzz_cleanup(void)
+{
+  UNMOCK(connection_write_to_buf_impl_);
+  UNMOCK(connection_mark_unattached_ap_);
+  UNMOCK(connection_ap_rewrite_and_attach_if_allowed);
+  return 0;
+}
+
+int
+fuzz_main(const uint8_t *stdin_buf, size_t data_size)
+{
+  entry_connection_t conn;
+
+  /* Set up the fake connection */
+  memset(&conn, 0, sizeof(conn));
+  conn.edge_.base_.type = CONN_TYPE_AP;
+  conn.edge_.base_.state = AP_CONN_STATE_HTTP_CONNECT_WAIT;
+  conn.socks_request = tor_malloc_zero(sizeof(socks_request_t));
+  conn.socks_request->listener_type = CONN_TYPE_AP_HTTP_CONNECT_LISTENER;
+
+  conn.edge_.base_.inbuf = buf_new_with_data((char*)stdin_buf, data_size);
+  if (!conn.edge_.base_.inbuf) {
+    log_debug(LD_GENERAL, "Zero-Length-Input\n");
+    goto done;
+  }
+
+  /* Parse the headers */
+  int rv = connection_ap_process_http_connect(&conn);
+
+  /* TODO: check the output is correctly parsed based on the input */
+
+  log_debug(LD_GENERAL, "Result:\n%d\n", rv);
+
+  goto done;
+
+ done:
+  /* Reset. */
+  socks_request_free(conn.socks_request);
+  buf_free(conn.edge_.base_.inbuf);
+  conn.edge_.base_.inbuf = NULL;
+
+  return 0;
+}
+