author | Max Dymond <cmeister2@gmail.com> | 2017-09-11 20:00:27 +0100 |
committer | Daniel Stenberg <daniel@haxx.se> | 2017-09-18 22:58:39 +0200 |
commit | e239eda39e3f0f9342bc0dd6658b49d4bd900875 (patch) | |
tree | 736f6629242e176afdcb4080a7298c64581f63ac | |
parent | 2bc230de63bd7da197280a69d84972b61455cd18 (diff) |
ossfuzz: don't write out to stdout
Don't make the fuzzer write out to stdout - instead copy a bounded prefix of the
received data into a memory block, so the data output code is still exercised
but quietly.
Closes #1885
-rw-r--r-- | tests/fuzz/curl_fuzzer.cc | 30 | ||||
-rw-r--r-- | tests/fuzz/curl_fuzzer.h | 10 |
2 files changed, 40 insertions, 0 deletions
diff --git a/tests/fuzz/curl_fuzzer.cc b/tests/fuzz/curl_fuzzer.cc
index bbf91c222..fadb3231b 100644
--- a/tests/fuzz/curl_fuzzer.cc
+++ b/tests/fuzz/curl_fuzzer.cc
@@ -136,6 +136,12 @@ int fuzz_initialize_fuzz_data(FUZZ_DATA *fuzz,
 fuzz_read_callback));
 FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_READDATA, fuzz));
+ /* Set the standard write function callback. */
+ FTRY(curl_easy_setopt(fuzz->easy,
+ CURLOPT_WRITEFUNCTION,
+ fuzz_write_callback));
+ FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_WRITEDATA, fuzz));
+
 /* Can enable verbose mode by changing 0L to 1L */
 FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_VERBOSE, 0L));
@@ -270,6 +276,30 @@ static size_t fuzz_read_callback(char *buffer,
 }
 /**
+ * Callback function for handling data output quietly.
+ */
+static size_t fuzz_write_callback(void *contents,
+ size_t size,
+ size_t nmemb,
+ void *ptr)
+{
+ size_t total = size * nmemb;
+ FUZZ_DATA *fuzz = (FUZZ_DATA *)ptr;
+ size_t copy_len = total;
+
+ /* Restrict copy_len to at most TEMP_WRITE_ARRAY_SIZE. */
+ if(copy_len > TEMP_WRITE_ARRAY_SIZE) {
+ copy_len = TEMP_WRITE_ARRAY_SIZE;
+ }
+
+ /* Copy bytes to the temp store just to ensure the parameters are
+ exercised. */
+ memcpy(fuzz->write_array, contents, copy_len);
+
+ return total;
+}
+
+/**
  * TLV access function - gets the first TLV from a data stream.
  */
 int fuzz_get_first_tlv(FUZZ_DATA *fuzz,
diff --git a/tests/fuzz/curl_fuzzer.h b/tests/fuzz/curl_fuzzer.h
index 2dd3827d0..e7af89bb4 100644
--- a/tests/fuzz/curl_fuzzer.h
+++ b/tests/fuzz/curl_fuzzer.h
@@ -46,6 +46,9 @@
 #define TLV_RC_NO_MORE_TLVS 1
 #define TLV_RC_SIZE_ERROR 2
+/* Temporary write array size */
+#define TEMP_WRITE_ARRAY_SIZE 10
+
 /**
  * Byte stream representation of the TLV header. Casting the byte stream
  * to a TLV_RAW allows us to examine the type and length.
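Review bot: The header comment on fuzz_write_callback, `Callback function for handling data output quietly.`, leaves out the two contracts the body depends on: it returns `total` unconditionally, which under libcurl's CURLOPT_WRITEFUNCTION contract tells the library every byte was consumed (a smaller return value would abort the transfer), and `fuzz->write_array` is a write-only sink that the clamp to TEMP_WRITE_ARRAY_SIZE keeps the memcpy inside. `size * nmemb` is not overflow-checked; libcurl documents size as always 1 for this callback, so that is fine in practice, but it is worth saying so because this callback is exactly where a libcurl-supplied length is trusted. I would expand the comment to: `Write callback that swallows received data quietly. libcurl always passes size == 1 here; at most TEMP_WRITE_ARRAY_SIZE bytes are copied into fuzz->write_array (which nothing reads back) purely to exercise the output path, and the full length is returned so the transfer continues.`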
@@ -98,6 +101,9 @@ typedef struct fuzz_data
 /* Parser state */
 FUZZ_PARSE_STATE state;
+ /* Temporary writefunction state */
+ char write_array[TEMP_WRITE_ARRAY_SIZE];
+
 /* Response data and length */
 const uint8_t *rsp1_data;
 size_t rsp1_data_len;
@@ -142,6 +148,10 @@ static size_t fuzz_read_callback(char *buffer,
 size_t size,
 size_t nitems,
 void *ptr);
+static size_t fuzz_write_callback(void *contents,
+ size_t size,
+ size_t nmemb,
+ void *ptr);
 int fuzz_get_first_tlv(FUZZ_DATA *fuzz, TLV *tlv);
 int fuzz_get_next_tlv(FUZZ_DATA *fuzz, TLV *tlv);
 int fuzz_get_tlv_comn(FUZZ_DATA *fuzz, TLV *tlv); |
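Review bot: The field comment `/* Temporary writefunction state */` on the new write_array member does not say what the array actually is: a byte sink that fuzz_write_callback copies into and that nothing reads back, whose bound is the same TEMP_WRITE_ARRAY_SIZE macro the callback clamps its copy length against, so the array size and the clamp can only change together. I would write it as `/* Sink for fuzz_write_callback; at most TEMP_WRITE_ARRAY_SIZE bytes are copied in and never read back */`. The enclosing struct fuzz_data begins and ends outside this hunk.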