Branch data Line data Source code
1 : : // Copyright (c) 2020-2022 The Bitcoin Core developers
2 : : // Distributed under the MIT software license, see the accompanying
3 : : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 : :
5 : : #include <httpserver.h>
6 : : #include <netaddress.h>
7 : : #include <test/fuzz/FuzzedDataProvider.h>
8 : : #include <test/fuzz/fuzz.h>
9 : : #include <test/fuzz/util.h>
10 : : #include <util/signalinterrupt.h>
11 : : #include <util/strencodings.h>
12 : :
13 : : #include <event2/buffer.h>
14 : : #include <event2/event.h>
15 : : #include <event2/http.h>
16 : : #include <event2/http_struct.h>
17 : :
18 : : #include <cassert>
19 : : #include <cstdint>
20 : : #include <string>
21 : : #include <vector>
22 : :
23 : : extern "C" int evhttp_parse_firstline_(struct evhttp_request*, struct evbuffer*);
24 : : extern "C" int evhttp_parse_headers_(struct evhttp_request*, struct evbuffer*);
25 : :
26 : : std::string RequestMethodString(HTTPRequest::RequestMethod m);
27 : :
28 [ + - ]: 684 : FUZZ_TARGET(http_request)
29 : : {
30 : 66 : FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
31 : 66 : evhttp_request* evreq = evhttp_request_new(nullptr, nullptr);
32 [ - + ]: 66 : assert(evreq != nullptr);
33 : 66 : evreq->kind = EVHTTP_REQUEST;
34 : 66 : evbuffer* evbuf = evbuffer_new();
35 [ - + ]: 66 : assert(evbuf != nullptr);
36 : 66 : const std::vector<uint8_t> http_buffer = ConsumeRandomLengthByteVector(fuzzed_data_provider, 4096);
37 [ + - ]: 66 : evbuffer_add(evbuf, http_buffer.data(), http_buffer.size());
38 : : // Avoid constructing requests that will be interpreted by libevent as PROXY requests to avoid triggering
39 : : // a nullptr dereference. The dereference (req->evcon->http_server) takes place in evhttp_parse_request_line
40 : : // and is a consequence of our hacky but necessary use of the internal function evhttp_parse_firstline_ in
41 : : // this fuzzing harness. The workaround is not aesthetically pleasing, but it successfully avoids the troublesome
42 : : // code path. " http:// HTTP/1.1\n" was a crashing input prior to this workaround.
43 [ + - + - ]: 132 : const std::string http_buffer_str = ToLower(std::string{http_buffer.begin(), http_buffer.end()});
44 [ + + + + ]: 189 : if (http_buffer_str.find(" http://") != std::string::npos || http_buffer_str.find(" https://") != std::string::npos ||
45 [ + + + - : 162 : evhttp_parse_firstline_(evreq, evbuf) != 1 || evhttp_parse_headers_(evreq, evbuf) != 1) {
+ - + + ]
46 [ + - ]: 34 : evbuffer_free(evbuf);
47 [ + - ]: 34 : evhttp_request_free(evreq);
48 : 34 : return;
49 : : }
50 : :
51 [ + - ]: 32 : util::SignalInterrupt interrupt;
52 [ + - ]: 32 : HTTPRequest http_request{evreq, interrupt, true};
53 [ + - ]: 32 : const HTTPRequest::RequestMethod request_method = http_request.GetRequestMethod();
54 [ + - ]: 32 : (void)RequestMethodString(request_method);
55 [ + - ]: 32 : (void)http_request.GetURI();
56 [ + - + - ]: 64 : (void)http_request.GetHeader("Host");
57 [ + - ]: 32 : const std::string header = fuzzed_data_provider.ConsumeRandomLengthString(16);
58 [ + - ]: 32 : (void)http_request.GetHeader(header);
59 [ + - + - ]: 32 : (void)http_request.WriteHeader(header, fuzzed_data_provider.ConsumeRandomLengthString(16));
60 [ + - ]: 32 : (void)http_request.GetHeader(header);
61 [ + - ]: 32 : const std::string body = http_request.ReadBody();
62 [ - + ]: 32 : assert(body.empty());
63 [ + - ]: 32 : const CService service = http_request.GetPeer();
64 [ + - - + ]: 32 : assert(service.ToStringAddrPort() == "[::]:0");
65 : :
66 [ + - ]: 32 : evbuffer_free(evbuf);
67 [ + - ]: 32 : evhttp_request_free(evreq);
68 : 98 : }
|
