1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
|
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) 2017, Max Dymond, <cmeister2@gmail.com>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.haxx.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
***************************************************************************/
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <curl/curl.h>
#include "curl_fuzzer.h"
/**
* Fuzzing entry point. This function is passed a buffer containing a test
* case. This test case should drive the CURL API into making a request.
*/
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
int rc = 0;
int tlv_rc;
FUZZ_DATA fuzz;
TLV tlv;
if(size < sizeof(TLV_RAW)) {
/* Not enough data */
goto EXIT_LABEL;
}
/* Try to initialize the fuzz data */
FTRY(fuzz_initialize_fuzz_data(&fuzz, data, size));
for(tlv_rc = fuzz_get_first_tlv(&fuzz, &tlv);
tlv_rc == 0;
tlv_rc = fuzz_get_next_tlv(&fuzz, &tlv)) {
/* Have the TLV in hand. Parse the TLV. */
fuzz_parse_tlv(&fuzz, &tlv);
}
if(tlv_rc != TLV_RC_NO_MORE_TLVS) {
/* A TLV call failed. Can't continue. */
goto EXIT_LABEL;
}
/* Do the CURL stuff! */
curl_easy_perform(fuzz.easy);
EXIT_LABEL:
fuzz_terminate_fuzz_data(&fuzz);
/* This function must always return 0. Non-zero codes are reserved. */
return 0;
}
/**
* Utility function to convert 4 bytes to a u32 predictably.
*/
uint32_t to_u32(uint8_t b[4])
{
uint32_t u;
u = (b[0] << 24) + (b[1] << 16) + (b[2] << 8) + b[3];
return u;
}
/**
* Utility function to convert 2 bytes to a u16 predictably.
*/
uint16_t to_u16(uint8_t b[2])
{
uint16_t u;
u = (b[0] << 8) + b[1];
return u;
}
/**
* Initialize the local fuzz data structure.
*/
int fuzz_initialize_fuzz_data(FUZZ_DATA *fuzz,
const uint8_t *data,
size_t data_len)
{
int rc = 0;
/* Initialize the fuzz data. */
memset(fuzz, 0, sizeof(FUZZ_DATA));
/* Create an easy handle. This will have all of the settings configured on
it. */
fuzz->easy = curl_easy_init();
FCHECK(fuzz->easy != NULL);
/* Set some standard options on the CURL easy handle. We need to override the
socket function so that we create our own sockets to present to CURL. */
FTRY(curl_easy_setopt(fuzz->easy,
CURLOPT_OPENSOCKETFUNCTION,
fuzz_open_socket));
FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_OPENSOCKETDATA, fuzz));
/* In case something tries to set a socket option, intercept this. */
FTRY(curl_easy_setopt(fuzz->easy,
CURLOPT_SOCKOPTFUNCTION,
fuzz_sockopt_callback));
/* Can enable verbose mode */
/* FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_VERBOSE, 1L)); */
/* Set up the state parser */
fuzz->state.data = data;
fuzz->state.data_len = data_len;
EXIT_LABEL:
return rc;
}
/**
* Terminate the fuzz data structure, including freeing any allocated memory.
*/
void fuzz_terminate_fuzz_data(FUZZ_DATA *fuzz)
{
fuzz_free((void **)&fuzz->url);
fuzz_free((void **)&fuzz->username);
fuzz_free((void **)&fuzz->password);
fuzz_free((void **)&fuzz->postfields);
if(fuzz->easy != NULL) {
curl_easy_cleanup(fuzz->easy);
fuzz->easy = NULL;
}
}
/**
* If a pointer has been allocated, free that pointer.
*/
void fuzz_free(void **ptr)
{
if(*ptr != NULL) {
free(*ptr);
*ptr = NULL;
}
}
/**
* Function for providing a socket to CURL already primed with data.
*/
static curl_socket_t fuzz_open_socket(void *ptr,
curlsocktype purpose,
struct curl_sockaddr *address)
{
FUZZ_DATA *fuzz = (FUZZ_DATA *)ptr;
int fds[2];
curl_socket_t server_fd;
curl_socket_t client_fd;
/* Handle unused parameters */
(void)purpose;
(void)address;
if(socketpair(AF_UNIX, SOCK_STREAM, 0, fds)) {
/* Failed to create a pair of sockets. */
return CURL_SOCKET_BAD;
}
server_fd = fds[0];
client_fd = fds[1];
/* Try and write the response data to the server file descriptor so the
client can read it. */
if(write(server_fd,
fuzz->rsp1_data,
fuzz->rsp1_data_len) != (ssize_t)fuzz->rsp1_data_len) {
/* Failed to write the data. */
return CURL_SOCKET_BAD;
}
if(shutdown(server_fd, SHUT_WR)) {
return CURL_SOCKET_BAD;
}
return client_fd;
}
/**
* Callback function for setting socket options on the sockets created by
* fuzz_open_socket. In our testbed the sockets are "already connected".
*/
static int fuzz_sockopt_callback(void *ptr,
curl_socket_t curlfd,
curlsocktype purpose)
{
(void)ptr;
(void)curlfd;
(void)purpose;
return CURL_SOCKOPT_ALREADY_CONNECTED;
}
/**
* TLV access function - gets the first TLV from a data stream.
*/
int fuzz_get_first_tlv(FUZZ_DATA *fuzz,
TLV *tlv)
{
/* Reset the cursor. */
fuzz->state.data_pos = 0;
return fuzz_get_tlv_comn(fuzz, tlv);
}
/**
* TLV access function - gets the next TLV from a data stream.
*/
int fuzz_get_next_tlv(FUZZ_DATA *fuzz,
TLV *tlv)
{
/* Advance the cursor by the full length of the previous TLV. */
fuzz->state.data_pos += sizeof(TLV_RAW) + tlv->length;
/* Work out if there's a TLV's worth of data to read */
if(fuzz->state.data_pos + sizeof(TLV_RAW) > fuzz->state.data_len) {
/* No more TLVs to parse */
return TLV_RC_NO_MORE_TLVS;
}
return fuzz_get_tlv_comn(fuzz, tlv);
}
/**
* Common TLV function for accessing TLVs in a data stream.
*/
int fuzz_get_tlv_comn(FUZZ_DATA *fuzz,
TLV *tlv)
{
int rc = 0;
size_t data_offset;
TLV_RAW *raw;
/* Start by casting the data stream to a TLV. */
raw = (TLV_RAW *)&fuzz->state.data[fuzz->state.data_pos];
data_offset = fuzz->state.data_pos + sizeof(TLV_RAW);
/* Set the TLV values. */
tlv->type = to_u16(raw->raw_type);
tlv->length = to_u32(raw->raw_length);
tlv->value = &fuzz->state.data[data_offset];
/* Sanity check that the TLV length is ok. */
if(data_offset + tlv->length > fuzz->state.data_len) {
rc = TLV_RC_SIZE_ERROR;
}
return rc;
}
/**
* Do different actions on the CURL handle for different received TLVs.
*/
int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv)
{
int rc;
switch(tlv->type) {
case TLV_TYPE_URL:
FCHECK(fuzz->url == NULL);
fuzz->url = fuzz_tlv_to_string(tlv);
FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_URL, fuzz->url));
break;
case TLV_TYPE_RESPONSE1:
/* The pointers in the TLV will always be valid as long as the fuzz data
is in scope, which is the entirety of this file. */
fuzz->rsp1_data = tlv->value;
fuzz->rsp1_data_len = tlv->length;
break;
case TLV_TYPE_USERNAME:
FCHECK(fuzz->username == NULL);
fuzz->username = fuzz_tlv_to_string(tlv);
FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_USERNAME, fuzz->username));
break;
case TLV_TYPE_PASSWORD:
FCHECK(fuzz->password == NULL);
fuzz->password = fuzz_tlv_to_string(tlv);
FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_PASSWORD, fuzz->password));
break;
case TLV_TYPE_POSTFIELDS:
FCHECK(fuzz->postfields == NULL);
fuzz->postfields = fuzz_tlv_to_string(tlv);
FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_POSTFIELDS, fuzz->postfields));
break;
default:
/* The fuzzer generates lots of unknown TLVs, so don't do anything if
the TLV isn't known. */
break;
}
rc = 0;
EXIT_LABEL:
return rc;
}
/**
* Converts a TLV data and length into an allocated string.
*/
char *fuzz_tlv_to_string(TLV *tlv)
{
char *tlvstr;
/* Allocate enough space, plus a null terminator */
tlvstr = malloc(tlv->length + 1);
if(tlvstr != NULL) {
memcpy(tlvstr, tlv->value, tlv->length);
tlvstr[tlv->length] = 0;
}
return tlvstr;
}
|