From 60769e710f1099168f7508fe6834e458ce435ad9 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 13 Dec 2016 19:41:03 -0500 Subject: Port fuzz_http to use fuzzing_common. Move common logic from fuzz_http to fuzzing_common. --- src/test/fuzz/fuzz_descriptor.c | 6 ++ src/test/fuzz/fuzz_http.c | 120 ++++++++-------------------------------- src/test/fuzz/fuzzing.h | 1 + src/test/fuzz/fuzzing_common.c | 52 +++++++++++++---- src/test/fuzz/include.am | 2 +- 5 files changed, 74 insertions(+), 107 deletions(-) diff --git a/src/test/fuzz/fuzz_descriptor.c b/src/test/fuzz/fuzz_descriptor.c index 1364bf4291..12297fdfc2 100644 --- a/src/test/fuzz/fuzz_descriptor.c +++ b/src/test/fuzz/fuzz_descriptor.c @@ -11,6 +11,12 @@ fuzz_init(void) return 0; } +int +fuzz_cleanup(void) +{ + return 0; +} + int fuzz_main(const uint8_t *data, size_t sz) { diff --git a/src/test/fuzz/fuzz_http.c b/src/test/fuzz/fuzz_http.c index abf5de8f97..ea63e836f7 100644 --- a/src/test/fuzz/fuzz_http.c +++ b/src/test/fuzz/fuzz_http.c @@ -4,6 +4,7 @@ #include "orconfig.h" #define BUFFERS_PRIVATE +#define DIRECTORY_PRIVATE #include "or.h" #include "backtrace.h" @@ -13,11 +14,7 @@ #include "directory.h" #include "torlog.h" -/* Silence compiler warnings about a missing extern */ -extern const char tor_git_revision[]; -const char tor_git_revision[] = ""; - -#define MAX_FUZZ_SIZE (2*MAX_HEADERS_SIZE + MAX_DIR_UL_SIZE) +#include "fuzzing.h" static int mock_get_options_calls = 0; static or_options_t *mock_options = NULL; @@ -47,101 +44,45 @@ mock_connection_write_to_buf_impl_(const char *string, size_t len, zlib ? "Compressed " : "", len, conn, string); } -/* Read a directory command (including HTTP headers) from stdin, parse it, and - * output what tor parsed */ int -main(int c, char** v) +fuzz_init(void) { - /* Disable logging by default to speed up fuzzing. */ - int loglevel = LOG_ERR; - - /* Initialise logging first */ - init_logging(1); - configure_backtrace_handler(get_version()); - - for (int i = 1; i < c; ++i) { - if (!strcmp(v[i], "--warn")) { - loglevel = LOG_WARN; - } else if (!strcmp(v[i], "--notice")) { - loglevel = LOG_NOTICE; - } else if (!strcmp(v[i], "--info")) { - loglevel = LOG_INFO; - } else if (!strcmp(v[i], "--debug")) { - loglevel = LOG_DEBUG; - } - } - - { - log_severity_list_t s; - memset(&s, 0, sizeof(s)); - set_log_severity_config(loglevel, LOG_ERR, &s); - /* ALWAYS log bug warnings. */ - s.masks[LOG_WARN-LOG_ERR] |= LD_BUG; - add_stream_log(&s, "", fileno(stdout)); - } - - /* Make BUG() and nonfatal asserts crash */ - tor_set_failed_assertion_callback(abort); - - /* Set up fake variables */ - dir_connection_t dir_conn; - int rv = -1; - ssize_t data_size = -1; - char *stdin_buf = tor_malloc(MAX_FUZZ_SIZE+1); - - /* directory_handle_command checks some tor options - * just make them all 0 */ mock_options = tor_malloc(sizeof(or_options_t)); reset_options(mock_options, &mock_get_options_calls); MOCK(get_options, mock_get_options); - - /* Set up the fake connection */ - memset(&dir_conn, 0, sizeof(dir_connection_t)); - dir_conn.base_.type = CONN_TYPE_DIR; - /* Set up fake response handler */ MOCK(connection_write_to_buf_impl_, mock_connection_write_to_buf_impl_); + return 0; +} -/* -afl extension - loop and reset state after parsing -likely needs to reset the allocation data structures and counts as well -#ifdef __AFL_HAVE_MANUAL_CONTROL - while (__AFL_LOOP(1000)) { -#endif -*/ +int +fuzz_cleanup(void) +{ + tor_free(mock_options); + UNMOCK(get_options); + UNMOCK(connection_write_to_buf_impl_); + return 0; +} - /* Initialise the data structures */ - memset(stdin_buf, 0, MAX_FUZZ_SIZE+1); +int +fuzz_main(const uint8_t *stdin_buf, size_t data_size) +{ + dir_connection_t dir_conn; + /* Set up the fake connection */ + memset(&dir_conn, 0, sizeof(dir_connection_t)); + dir_conn.base_.type = CONN_TYPE_DIR; /* Apparently tor sets this before directory_handle_command() is called. */ dir_conn.base_.address = tor_strdup("replace-this-address.example.com"); -#ifdef __AFL_HAVE_MANUAL_CONTROL - /* Tell AFL to pause and fork here - ignored if not using AFL */ - __AFL_INIT(); -#endif - - /* Read the data */ - data_size = read(STDIN_FILENO, stdin_buf, MAX_FUZZ_SIZE); - tor_assert(data_size != -1); - tor_assert(data_size <= MAX_FUZZ_SIZE); - stdin_buf[data_size] = '\0'; - tor_assert(strlen(stdin_buf) >= 0); - tor_assert(strlen(stdin_buf) <= MAX_FUZZ_SIZE); - - log_debug(LD_GENERAL, "Input-Length:\n%zu\n", data_size); - log_debug(LD_GENERAL, "Input:\n%s\n", stdin_buf); - - /* Copy the stdin data into the buffer */ - tor_assert(data_size >= 0); - dir_conn.base_.inbuf = buf_new_with_data(stdin_buf, (size_t)data_size); + dir_conn.base_.inbuf = buf_new_with_data((char*)stdin_buf, data_size); if (!dir_conn.base_.inbuf) { log_debug(LD_GENERAL, "Zero-Length-Input\n"); return 0; } /* Parse the headers */ - rv = directory_handle_command(&dir_conn); + int rv = directory_handle_command(&dir_conn); /* TODO: check the output is correctly parsed based on the input */ @@ -152,23 +93,10 @@ likely needs to reset the allocation data structures and counts as well log_debug(LD_GENERAL, "Result:\n%d\n", rv); - /* Reset */ + /* Reset. */ tor_free(dir_conn.base_.address); - buf_free(dir_conn.base_.inbuf); dir_conn.base_.inbuf = NULL; -/* -#ifdef __AFL_HAVE_MANUAL_CONTROL - } -#endif -*/ - - /* Cleanup */ - tor_free(mock_options); - UNMOCK(get_options); - - UNMOCK(connection_write_to_buf_impl_); - - tor_free(stdin_buf); + return 0; } diff --git a/src/test/fuzz/fuzzing.h b/src/test/fuzz/fuzzing.h index fbd54dafa0..794ed1461e 100644 --- a/src/test/fuzz/fuzzing.h +++ b/src/test/fuzz/fuzzing.h @@ -2,6 +2,7 @@ #define FUZZING_H int fuzz_init(void); +int fuzz_cleanup(void); int fuzz_main(const uint8_t *data, size_t sz); #endif /* FUZZING_H */ diff --git a/src/test/fuzz/fuzzing_common.c b/src/test/fuzz/fuzzing_common.c index 51d519b861..87affc4c04 100644 --- a/src/test/fuzz/fuzzing_common.c +++ b/src/test/fuzz/fuzzing_common.c @@ -1,8 +1,7 @@ #include "orconfig.h" -#include "torint.h" -#include "util.h" -#include "torlog.h" +#include "or.h" #include "backtrace.h" +#include "config.h" #include "fuzzing.h" extern const char tor_git_revision[]; @@ -28,23 +27,56 @@ int main(int argc, char **argv) { size_t size; - char *input = read_file_to_str_until_eof(0, MAX_FUZZ_SIZE, &size); tor_threads_init(); init_logging(1); - if (argc > 1 && !strcmp(argv[1], "--info")) { - log_severity_list_t sev; - set_log_severity_config(LOG_INFO, LOG_ERR, &sev); - add_stream_log(&sev, "stdout", 1); - configure_backtrace_handler(NULL); + /* Disable logging by default to speed up fuzzing. */ + int loglevel = LOG_ERR; + + /* Initialise logging first */ + init_logging(1); + configure_backtrace_handler(get_version()); + + for (int i = 1; i < argc; ++i) { + if (!strcmp(argv[i], "--warn")) { + loglevel = LOG_WARN; + } else if (!strcmp(argv[i], "--notice")) { + loglevel = LOG_NOTICE; + } else if (!strcmp(argv[i], "--info")) { + loglevel = LOG_INFO; + } else if (!strcmp(argv[i], "--debug")) { + loglevel = LOG_DEBUG; + } } - tor_assert(input); + { + log_severity_list_t s; + memset(&s, 0, sizeof(s)); + set_log_severity_config(loglevel, LOG_ERR, &s); + /* ALWAYS log bug warnings. */ + s.masks[LOG_WARN-LOG_ERR] |= LD_BUG; + add_stream_log(&s, "", fileno(stdout)); + } + + /* Make BUG() and nonfatal asserts crash */ + tor_set_failed_assertion_callback(abort); + if (fuzz_init() < 0) abort(); + +#ifdef __AFL_HAVE_MANUAL_CONTROL + /* Tell AFL to pause and fork here - ignored if not using AFL */ + __AFL_INIT(); +#endif + + char *input = read_file_to_str_until_eof(0, MAX_FUZZ_SIZE, &size); + tor_assert(input); fuzz_main((const uint8_t*)input, size); tor_free(input); + + if (fuzz_cleanup() < 0) + abort(); return 0; } diff --git a/src/test/fuzz/include.am b/src/test/fuzz/include.am index 323798f050..7948b204c9 100644 --- a/src/test/fuzz/include.am +++ b/src/test/fuzz/include.am @@ -21,7 +21,7 @@ FUZZING_LIBS = \ noinst_HEADERS += \ - src/test/fuzz/fuzzing_boilerplate.h + src/test/fuzz/fuzzing.h src_test_fuzz_fuzz_descriptor_SOURCES = \ src/test/fuzz/fuzzing_common.c \ -- cgit v1.2.3-54-g00ecf