Fuzzing bozohttpd: by adding a mock function for bozo_read to feed fu…
…zzing input
plusun committed Aug 3, 2018
1 parent 192d684 commit 312c8ee
Showing 3 changed files with 76 additions and 0 deletions.
17 changes: 17 additions & 0 deletions tests/fuzz/bozohttpd/bozohttpd/Makefile
@@ -0,0 +1,17 @@
# $NetBSD: Makefile,v 1.15 2007/05/28 12:06:25 tls Exp $
# @(#)Makefile 8.2 (Berkeley) 4/2/94

.include <bsd.own.mk>

PROG= fuzz_bozohttpd
SRCS= fuzz_bozohttpd.c mock-ssl-bozo.c
.PATH: ${NETBSDSRCDIR}/libexec/httpd
SRCS+= bozohttpd.c daemon-bozo.c dir-index-bozo.c content-bozo.c tilde-luzah-bozo.c cgi-bozo.c lua-bozo.c

CFLAGS= -fsanitize=fuzzer-no-link,address,undefined -Wall -Werror -I${NETBSDSRCDIR}/libexec/httpd #-Dbozowarn=mock_bozowarn
LDFLAGS= -fsanitize=fuzzer,address,undefined -Wall -Werror -lssl -llua

fuzz: fuzz_bozohttpd
export UBSAN_OPTIONS=halt_on_error=1 && ./fuzz_bozohttpd -only_ascii=1 ./input > /dev/null


krytarowski Aug 3, 2018

Collaborator

Probably we want to test ascii and non-ascii.


plusun Aug 4, 2018

Author Owner

I've added another rule to fuzz with non-ascii inputs. But it seems that the bozo_read_request function assumes its input comes from STDIN (https://github.com/plusun/src/blob/gsoc2018/libexec/httpd/bozohttpd.c#L639), and the input is handled as an HTTP request. Is it meaningful to fuzz with non-ascii inputs?


krytarowski Aug 4, 2018

Collaborator

As long as some other remote computer can prompt it with non-ascii I think yes.


krytarowski Aug 4, 2018

Collaborator

bozo might be a good candidate for LD_PRELOAD fuzzing with honggfuzz... but let's keep it beyond GSoC. BTW. I'm trying to reach you in IRC but unsuccessfully.


plusun Aug 4, 2018

Author Owner

I received your "hi" and I've sent a "hi" back.


plusun Aug 4, 2018

Author Owner

Found a potential nullptr bug with non-ascii input: 492f1d7#diff-c94f41301c8ca6eee6a5f918117f5513R1


.include <bsd.prog.mk>
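Review bot: LDFLAGS still links `-lssl` although mock-ssl-bozo.c in this same commit stubs out every `bozo_ssl_*` entry point the httpd sources call, so the real library is probably no longer needed by the fuzz binary; if none of the remaining sources reference OpenSSL symbols, dropping it keeps the SSL code out of the fuzz build entirely. Under bsd.prog.mk, libraries are conventionally listed in `LDADD` (with matching `DPADD`) rather than appended to `LDFLAGS`, so `LDADD+= -llua` would follow the tree's convention. The commented-out `-Dbozowarn=mock_bozowarn` in CFLAGS should either be enabled or removed, since a half-wired mock is easy to misread as active.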
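--- a/tests/fuzz/bozohttpd/bozohttpd/fuzz_bozohttpd.c
+++ b/tests/fuzz/bozohttpd/bozohttpd/fuzz_bozohttpd.c
@@ -0,0 +1,25 @@
+#include <stdint.h>
+#include <stddef.h>
+#include <string.h>
+#include "bozohttpd.h"
+
+extern void init_bozo_read_buffer(const uint8_t *data, size_t size);
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+init_bozo_read_buffer(data, size);
+bozohttpd_t httpd;
+bozoprefs_t prefs;
+memset(&httpd, 0x0, sizeof(httpd));
+memset(&prefs, 0x0, sizeof(prefs));
+bozo_set_defaults(&httpd, &prefs);
+bozo_setup(&httpd, &prefs, "localhost", "./slashdir");
+do {
+bozo_httpreq_t *request;
+if ((request = bozo_read_request(&httpd)) != NULL) {
+bozo_process_request(request);
+bozo_clean_request(request);
+}
+} while (httpd.background);
+
+return 0;
+}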
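Review bot: LLVMFuzzerTestOneInput re-runs bozo_set_defaults and bozo_setup on a freshly zeroed `httpd`/`prefs` for every input and never tears them down, so whatever bozo_setup allocates for "localhost" and "./slashdir" is dropped once the function returns; under `-fsanitize=address` that is likely to surface as a leak report attributed to the harness rather than as a finding in bozohttpd. Either perform the one-time setup in LLVMFuzzerInitialize and keep `httpd`/`prefs` static, or release the per-call state after the loop if the tree provides a cleanup routine (I cannot see one from here). The return value of bozo_setup is also ignored; if it can fail, a failed setup should end the iteration before bozo_read_request runs, e.g. `if (bozo_setup(&httpd, &prefs, "localhost", "./slashdir") != 0) return 0;` adjusted to its actual return convention.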
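--- a/tests/fuzz/bozohttpd/bozohttpd/mock-ssl-bozo.c
+++ b/tests/fuzz/bozohttpd/bozohttpd/mock-ssl-bozo.c
@@ -0,0 +1,34 @@
+#include "bozohttpd.h"
+#include <string.h>
+
+struct {
+const uint8_t *data;
+size_t size;
+} buffer;
+
+void init_bozo_read_buffer(const uint8_t *data, size_t size) {
+buffer.data = data;
+buffer.size = size;
+}
+
+void bozo_ssl_init(bozohttpd_t *httpd) {}
+int bozo_ssl_accept(bozohttpd_t *httpd) { return 0; }
+void bozo_ssl_destroy(bozohttpd_t *httpd) {}
+int bozo_printf(bozohttpd_t *httpd, const char *fmt, ...) { return 0; }
+int bozo_flush(bozohttpd_t *httpd, FILE *fp) { return 0; }
+ssize_t bozo_write(bozohttpd_t *httpd, int fd, const void *buf, size_t len) { return len; }
+ssize_t bozo_read(bozohttpd_t *httpd, int fd, void *buf, size_t len) {
+if (len > buffer.size) {
+len = buffer.size;
+}
+if (len == 0) {
+return len;
+}
+
+memcpy(buf, buffer.data, len);
+buffer.data += len;
+buffer.size -= len;
+return len;
+}
+
+void mock_bozowarn(bozohttpd_t *httpd, const char *fmt, ...) {}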
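Review bot: `buffer` at the top of mock-ssl-bozo.c is a file-scope object with external linkage and no header declaration, so it lands in the global namespace of the fuzz binary and can collide with any other `buffer` symbol in the httpd sources linked alongside it; declaring it `static struct { ... } buffer;` keeps it private to this translation unit. bozo_read also always hands back everything that is left in one call, so the request parser never sees a short read; capping each call at a smaller chunk (fixed, or derived from the input) would exercise bozo_read_request's partial-read handling as well, assuming it has any — that code is outside this commit. Since `fd` and `httpd` are deliberately ignored by the mock, a one-line comment such as `/* fd is ignored: every read is served from the fuzzer-supplied buffer */` above bozo_read would spare the next reader a search for where the descriptor is consumed.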

0 comments on commit 312c8ee
