fuzzing: add fuzzing targets
Signed-off-by: Arjun <pkillarjun@protonmail.com>
Reviewed-by: Andrew Clayton <a.clayton@nginx.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
pkillarjun authored and ac000 committed Jun 14, 2024
1 parent 965fc94 commit a93d878
Showing 5 changed files with 425 additions and 0 deletions.
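--- a/fuzzing/nxt_basic_fuzz.c
+++ b/fuzzing/nxt_basic_fuzz.c
@@ -0,0 +1,91 @@
+/*
+* Copyright (C) NGINX, Inc.
+*/
+
+#include <nxt_main.h>
+
+
+#define KMININPUTLENGTH 2
+#define KMAXINPUTLENGTH 128
+
+
+extern int LLVMFuzzerInitialize(int *argc, char ***argv);
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+void nxt_base64_fuzz(const u_char *data, size_t size);
+void nxt_term_fuzz(const u_char *data, size_t size);
+void nxt_time_fuzz(const u_char *data, size_t size);
+void nxt_utf8_fuzz(const u_char *data, size_t size);
+
+
+extern char **environ;
+
+
+int
+LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+if (nxt_lib_start("fuzzing", NULL, &environ) != NXT_OK) {
+return NXT_ERROR;
+}
+
+return 0;
+}
+
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+if (size < KMININPUTLENGTH || size > KMAXINPUTLENGTH) {
+return 0;
+}
+
+nxt_base64_fuzz(data, size);
+nxt_term_fuzz(data, size);
+nxt_time_fuzz(data, size);
+nxt_utf8_fuzz(data, size);
+
+return 0;
+}
+
+
+void
+nxt_base64_fuzz(const u_char *data, size_t size)
+{
+u_char buf[256];
+ssize_t ret;
+
+/*
+* Validate base64 data before decoding.
+*/
+ret = nxt_base64_decode(NULL, (u_char *)data, size);
+if (ret == NXT_ERROR) {
+return;
+}
+
+nxt_base64_decode(buf, (u_char *)data, size);
+}
+
+
+void
+nxt_term_fuzz(const u_char *data, size_t size)
+{
+nxt_term_parse(data, size, 0);
+nxt_term_parse(data, size, 1);
+}
+
+
+void
+nxt_time_fuzz(const u_char *data, size_t size)
+{
+nxt_time_parse(data, size);
+}
+
+
+void
+nxt_utf8_fuzz(const u_char *data, size_t size)
+{
+const u_char *in;
+
+in = data;
+nxt_utf8_decode(&in, data + size);
+}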
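Review bot: nxt_utf8_fuzz() calls nxt_utf8_decode() exactly once, so only the leading sequence of each input is decoded and the rest of the (up to 128-byte) input never reaches the decoder. Decoding in a loop until `in` reaches `data + size` would also exercise truncated trailing sequences and recovery after an invalid byte. Whether the decoder always advances `in` on invalid input is not visible in this diff, so the loop below steps one byte forward itself when no progress was made.

```c
void
nxt_utf8_fuzz(const u_char *data, size_t size)
{
    const u_char  *in, *prev, *end;

    in = data;
    end = data + size;

    /* Decode the whole input, not just the first sequence. */
    while (in < end) {
        prev = in;
        nxt_utf8_decode(&in, end);

        if (in == prev) {
            /* No progress on this byte: skip it so the loop terminates. */
            in++;
        }
    }
}
```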
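--- a/fuzzing/nxt_http_controller_fuzz.c
+++ b/fuzzing/nxt_http_controller_fuzz.c
@@ -0,0 +1,87 @@
+/*
+* Copyright (C) NGINX, Inc.
+*/
+
+#include <nxt_main.h>
+
+/* DO NOT TRY THIS AT HOME! */
+#include "nxt_controller.c"
+
+
+#define KMININPUTLENGTH 2
+#define KMAXINPUTLENGTH 1024
+
+
+extern int LLVMFuzzerInitialize(int *argc, char ***argv);
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+
+extern char **environ;
+
+
+int
+LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+nxt_int_t ret;
+
+if (nxt_lib_start("fuzzing", NULL, &environ) != NXT_OK) {
+return NXT_ERROR;
+}
+
+ret = nxt_http_fields_hash(&nxt_controller_fields_hash,
+nxt_controller_request_fields,
+nxt_nitems(nxt_controller_request_fields));
+if (ret != NXT_OK) {
+return NXT_ERROR;
+}
+
+return 0;
+}
+
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+nxt_mp_t *mp;
+nxt_buf_mem_t buf;
+nxt_controller_request_t *r_controller;
+nxt_http_request_parse_t rp;
+
+if (size < KMININPUTLENGTH || size > KMAXINPUTLENGTH) {
+return 0;
+}
+
+mp = nxt_mp_create(1024, 128, 256, 32);
+if (mp == NULL) {
+return 0;
+}
+
+nxt_memzero(&rp, sizeof(nxt_http_request_parse_t));
+if (nxt_http_parse_request_init(&rp, mp) != NXT_OK) {
+goto failed;
+}
+
+buf.start = (u_char *)data;
+buf.end = (u_char *)data + size;
+buf.pos = buf.start;
+buf.free = buf.end;
+
+if (nxt_http_parse_request(&rp, &buf) != NXT_DONE) {
+goto failed;
+}
+
+r_controller = nxt_mp_zget(mp, sizeof(nxt_controller_request_t));
+
+if (r_controller == NULL) {
+goto failed;
+}
+
+nxt_http_fields_process(rp.fields, &nxt_controller_fields_hash,
+r_controller);
+
+failed:
+
+nxt_mp_destroy(mp);
+
+return 0;
+}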
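Review bot: Both failure paths in LLVMFuzzerInitialize end in `return NXT_ERROR;`, but libFuzzer, as far as I know, does not act on that return value, so a failed nxt_lib_start() or nxt_http_fields_hash() would leave the run going. LLVMFuzzerTestOneInput would then pass an unbuilt `nxt_controller_fields_hash` to nxt_http_fields_process(), and any crash reported afterwards is a harness artifact rather than a parser finding. Failing hard is clearer: write a one-line message to stderr and call `abort();` in place of each `return NXT_ERROR;`. The same pattern is in LLVMFuzzerInitialize of fuzzing/nxt_basic_fuzz.c, fuzzing/nxt_http_h1p_fuzz.c and fuzzing/nxt_http_h1p_peer_fuzz.c.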
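--- a/fuzzing/nxt_http_h1p_fuzz.c
+++ b/fuzzing/nxt_http_h1p_fuzz.c
@@ -0,0 +1,85 @@
+/*
+* Copyright (C) NGINX, Inc.
+*/
+
+#include <nxt_main.h>
+
+/* DO NOT TRY THIS AT HOME! */
+#include "nxt_h1proto.c"
+
+
+#define KMININPUTLENGTH 2
+#define KMAXINPUTLENGTH 1024
+
+
+extern int LLVMFuzzerInitialize(int *argc, char ***argv);
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+
+extern char **environ;
+
+
+int
+LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+nxt_int_t ret;
+
+if (nxt_lib_start("fuzzing", NULL, &environ) != NXT_OK) {
+return NXT_ERROR;
+}
+
+ret = nxt_http_fields_hash(&nxt_h1p_fields_hash,
+nxt_h1p_fields, nxt_nitems(nxt_h1p_fields));
+if (ret != NXT_OK) {
+return NXT_ERROR;
+}
+
+return 0;
+}
+
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+nxt_mp_t *mp;
+nxt_buf_mem_t buf;
+nxt_http_request_t *r_h1p;
+nxt_http_request_parse_t rp;
+
+if (size < KMININPUTLENGTH || size > KMAXINPUTLENGTH) {
+return 0;
+}
+
+mp = nxt_mp_create(1024, 128, 256, 32);
+if (mp == NULL) {
+return 0;
+}
+
+nxt_memzero(&rp, sizeof(nxt_http_request_parse_t));
+if (nxt_http_parse_request_init(&rp, mp) != NXT_OK) {
+goto failed;
+}
+
+buf.start = (u_char *)data;
+buf.end = (u_char *)data + size;
+buf.pos = buf.start;
+buf.free = buf.end;
+
+if (nxt_http_parse_request(&rp, &buf) != NXT_DONE) {
+goto failed;
+}
+
+r_h1p = nxt_mp_zget(mp, sizeof(nxt_http_request_t));
+
+if (r_h1p == NULL) {
+goto failed;
+}
+
+nxt_http_fields_process(rp.fields, &nxt_h1p_fields_hash, r_h1p);
+
+failed:
+
+nxt_mp_destroy(mp);
+
+return 0;
+}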
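Review bot: `r_h1p` reaches nxt_http_fields_process() as a zero-filled `nxt_http_request_t`, so every pointer member the `nxt_h1p_fields` handlers might rely on is NULL. The handlers are not visible in this diff, but if any of them allocates from the request's pool or follows its protocol pointer, the target will report NULL dereferences that production code cannot hit, and those will mask real findings. Populate what the handlers need before the call, at minimum `r_h1p->mem_pool = mp;`, and add a comment above it listing which request members the harness deliberately leaves unset. The same applies to `r_h1p_peer` in fuzzing/nxt_http_h1p_peer_fuzz.c, and `r_controller` in fuzzing/nxt_http_controller_fuzz.c deserves the same check.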
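--- a/fuzzing/nxt_http_h1p_peer_fuzz.c
+++ b/fuzzing/nxt_http_h1p_peer_fuzz.c
@@ -0,0 +1,86 @@
+/*
+* Copyright (C) NGINX, Inc.
+*/
+
+#include <nxt_main.h>
+
+/* DO NOT TRY THIS AT HOME! */
+#include "nxt_h1proto.c"
+
+
+#define KMININPUTLENGTH 2
+#define KMAXINPUTLENGTH 1024
+
+
+extern int LLVMFuzzerInitialize(int *argc, char ***argv);
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+
+extern char **environ;
+
+
+int
+LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+nxt_int_t ret;
+
+if (nxt_lib_start("fuzzing", NULL, &environ) != NXT_OK) {
+return NXT_ERROR;
+}
+
+ret = nxt_http_fields_hash(&nxt_h1p_peer_fields_hash,
+nxt_h1p_peer_fields,
+nxt_nitems(nxt_h1p_peer_fields));
+if (ret != NXT_OK) {
+return NXT_ERROR;
+}
+
+return 0;
+}
+
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+nxt_mp_t *mp;
+nxt_buf_mem_t buf;
+nxt_http_request_t *r_h1p_peer;
+nxt_http_request_parse_t rp;
+
+if (size < KMININPUTLENGTH || size > KMAXINPUTLENGTH) {
+return 0;
+}
+
+mp = nxt_mp_create(1024, 128, 256, 32);
+if (mp == NULL) {
+return 0;
+}
+
+nxt_memzero(&rp, sizeof(nxt_http_request_parse_t));
+if (nxt_http_parse_request_init(&rp, mp) != NXT_OK) {
+goto failed;
+}
+
+buf.start = (u_char *)data;
+buf.end = (u_char *)data + size;
+buf.pos = buf.start;
+buf.free = buf.end;
+
+if (nxt_http_parse_request(&rp, &buf) != NXT_DONE) {
+goto failed;
+}
+
+r_h1p_peer = nxt_mp_zget(mp, sizeof(nxt_http_request_t));
+
+if (r_h1p_peer == NULL) {
+goto failed;
+}
+
+nxt_http_fields_process(rp.fields, &nxt_h1p_peer_fields_hash, r_h1p_peer);
+
+failed:
+
+nxt_mp_destroy(mp);
+
+return 0;
+}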
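Review bot: The input is fed through `nxt_http_parse_request()`, exactly as in fuzzing/nxt_http_h1p_fuzz.c, so the `nxt_h1p_peer_fields` handlers are only reached by bytes that first parse as a complete request line plus headers. If, as the name suggests, these handlers serve headers received from an upstream peer, the path that data takes in production (a status line followed by fields) is not exercised. At the least, document the limitation at the top of LLVMFuzzerTestOneInput, e.g. `/* Peer field handlers are driven through the request parser; status-line parsing is not covered. */`. The body also differs from the h1p target only in the hash and table names, so a shared helper that takes the hash and the context size would keep the harnesses from drifting apart.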