mongoose/test/fuzz.c

#define MG_ENABLE_SOCKET 0
#define MG_ENABLE_LOG 0
#define MG_ENABLE_LINES 1
#define MG_ENABLE_TCPIP 1
#define MG_IO_SIZE (32 * 1024 * 1024)  // Big IO size for fast resizes

#include "mongoose.c"

#include "driver_mock.c"

#ifdef __cplusplus
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *, size_t);
#else
int LLVMFuzzerTestOneInput(const uint8_t *, size_t);
#endif

static void fn(struct mg_connection *c, int ev, void *ev_data) {
  struct mg_http_serve_opts opts = {.root_dir = "."};
  if (ev == MG_EV_HTTP_MSG) {
    mg_http_serve_dir(c, (struct mg_http_message *) ev_data, &opts);
  }
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  mg_log_set(MG_LL_INFO);

  struct mg_dns_message dm;
  mg_dns_parse(data, size, &dm);
  mg_dns_parse(NULL, 0, &dm);

  struct mg_http_message hm;
  if (mg_http_parse((const char *) data, size, &hm) > 0) {
    mg_crc32(0, hm.method.buf, hm.method.len);
    mg_crc32(0, hm.uri.buf, hm.uri.len);
    mg_crc32(0, hm.uri.buf, hm.uri.len);
    for (size_t i = 0; i < sizeof(hm.headers) / sizeof(hm.headers[0]); i++) {
      struct mg_str *k = &hm.headers[i].name, *v = &hm.headers[i].value;
      mg_crc32(0, k->buf, k->len);
      mg_crc32(0, v->buf, v->len);
    }
  }
  mg_http_parse(NULL, 0, &hm);

  struct mg_str body = mg_str_n((const char *) data, size);
  char tmp[256];
  mg_http_get_var(&body, "key", tmp, sizeof(tmp));
  mg_http_get_var(&body, "key", NULL, 0);
  mg_url_decode((char *) data, size, tmp, sizeof(tmp), 1);
  mg_url_decode((char *) data, size, tmp, 1, 1);
  mg_url_decode(NULL, 0, tmp, 1, 1);

  struct mg_mqtt_message mm;
  if (mg_mqtt_parse(data, size, 0, &mm) == MQTT_OK) {
    mg_crc32(0, mm.topic.buf, mm.topic.len);
    mg_crc32(0, mm.data.buf, mm.data.len);
    mg_crc32(0, mm.dgram.buf, mm.dgram.len);
  }
  mg_mqtt_parse(NULL, 0, 0, &mm);
  if (mg_mqtt_parse(data, size, 5, &mm) == MQTT_OK) {
    mg_crc32(0, mm.topic.buf, mm.topic.len);
    mg_crc32(0, mm.data.buf, mm.data.len);
    mg_crc32(0, mm.dgram.buf, mm.dgram.len);
  }
  mg_mqtt_parse(NULL, 0, 5, &mm);

  mg_sntp_parse(data, size);
  mg_sntp_parse(NULL, 0);

  char buf[size * 4 / 3 + 5];  // At least 4 chars and nul termination
  mg_base64_decode((char *) data, size, buf, sizeof(buf));
  mg_base64_decode(NULL, 0, buf, sizeof(buf));
  mg_base64_encode(data, size, buf, sizeof(buf));
  mg_base64_encode(NULL, 0, buf, sizeof(buf));

  mg_match(mg_str_n((char *) data, size), mg_str_n((char *) data, size), NULL);

  struct mg_str entry, s = mg_str_n((char *) data, size);
  while (mg_span(s, &entry, &s, ',')) entry.len = 0;

  int n;
  mg_json_get(mg_str_n((char *) data, size), "$", &n);
  mg_json_get(mg_str_n((char *) data, size), "$.a.b", &n);
  mg_json_get(mg_str_n((char *) data, size), "$[0]", &n);

  if (size > 0) {
    struct mg_tcpip_if mif = {.ip = 0x01020304,
                              .mask = 255,
                              .gw = 0x01010101,
                              .driver = &mg_tcpip_driver_mock};
    struct mg_mgr mgr;
    mg_mgr_init(&mgr);
    mg_tcpip_init(&mgr, &mif);

    // Make a copy of the random data, in order to modify it
    void *pkt = malloc(size);
    struct eth *eth = (struct eth *) pkt;
    memcpy(pkt, data, size);
    if (size > sizeof(*eth)) {
      static size_t i;
      uint16_t eth_types[] = {0x800, 0x800, 0x806, 0x86dd};
      memcpy(eth->dst, mif.mac, 6);  // Set valid destination MAC
      eth->type = mg_htons(eth_types[i++]);
      if (i >= sizeof(eth_types) / sizeof(eth_types[0])) i = 0;
    }

    mg_tcpip_rx(&mif, pkt, size);

    // Test HTTP serving
    const char *url = "http://localhost:12345";
    struct mg_connection *c = mg_http_connect(&mgr, url, fn, NULL);
    mg_iobuf_add(&c->recv, 0, data, size);
    c->pfn(c, MG_EV_READ, NULL); // manually invoke protocol event handler

    mg_mgr_free(&mgr);
    free(pkt);
    mg_tcpip_free(&mif);
  }

  return 0;
}

#if defined(MAIN)
int main(int argc, char *argv[]) {
  int res = EXIT_FAILURE;
  if (argc > 1) {
    struct mg_str data = mg_file_read(&mg_fs_posix, argv[1]);
    if (data.buf != NULL) {
      LLVMFuzzerTestOneInput((uint8_t *) data.buf, data.len);
      res = EXIT_SUCCESS;
    }
    free(data.buf);
  }
  return res;
}
#endif
Fuzzing MIP 2022-09-19 20:28:07 +08:00			`#define MG_ENABLE_SOCKET 0`
			`#define MG_ENABLE_LOG 0`
			`#define MG_ENABLE_LINES 1`
Move mip/ -> src/tcpip/, rename mip_ -> mg_tcpip_ 2023-02-08 05:16:42 +08:00			`#define MG_ENABLE_TCPIP 1`
Get rid of MG_EV_HTTP_CHUNK 2023-09-27 02:59:42 +08:00			`#define MG_IO_SIZE (32 * 1024 * 1024) // Big IO size for fast resizes`
Fuzzing MIP 2022-09-19 20:28:07 +08:00
			`#include "mongoose.c"`

			`#include "driver_mock.c"`
Better UI PUBLISHED_FROM=50f0cafa84cd06428f0da376d85766dcf62af9da 2019-07-12 20:28:20 +08:00
Fix c++ fuzzer build 2020-12-14 00:56:30 +08:00			`#ifdef __cplusplus`
			`extern "C" int LLVMFuzzerTestOneInput(const uint8_t *, size_t);`
Remove private.h 2021-10-23 02:41:26 +08:00			`#else`
			`int LLVMFuzzerTestOneInput(const uint8_t *, size_t);`
Fix c++ fuzzer build 2020-12-14 00:56:30 +08:00			`#endif`
7.0 refactor 2020-12-05 19:26:32 +08:00
remove fn_data from event handler signature 2024-01-09 04:34:34 +08:00			`static void fn(struct mg_connection c, int ev, void ev_data) {`
Add http serve to fuzzer 2023-08-15 22:09:48 +08:00			`struct mg_http_serve_opts opts = {.root_dir = "."};`
			`if (ev == MG_EV_HTTP_MSG) {`
			`mg_http_serve_dir(c, (struct mg_http_message *) ev_data, &opts);`
			`}`
			`}`

Better UI PUBLISHED_FROM=50f0cafa84cd06428f0da376d85766dcf62af9da 2019-07-12 20:28:20 +08:00			`int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {`
TLS layer: c->rtls to optimise recvd TLS data 2023-08-15 18:52:22 +08:00			`mg_log_set(MG_LL_INFO);`
Get rid of MG_ENABLE_LOG, change mg_hexdump() 2022-05-07 04:09:13 +08:00
7.0 refactor 2020-12-05 19:26:32 +08:00			`struct mg_dns_message dm;`
			`mg_dns_parse(data, size, &dm);`
Fix mg_sntp_parse() 2020-12-11 21:16:51 +08:00			`mg_dns_parse(NULL, 0, &dm);`
7.0 refactor 2020-12-05 19:26:32 +08:00
			`struct mg_http_message hm;`
access only when parsing is valid 2023-06-30 05:37:10 +08:00			`if (mg_http_parse((const char *) data, size, &hm) > 0) {`
fix fuzzer 2024-04-18 21:05:41 +08:00			`mg_crc32(0, hm.method.buf, hm.method.len);`
			`mg_crc32(0, hm.uri.buf, hm.uri.len);`
			`mg_crc32(0, hm.uri.buf, hm.uri.len);`
access only when parsing is valid 2023-06-30 05:37:10 +08:00			`for (size_t i = 0; i < sizeof(hm.headers) / sizeof(hm.headers[0]); i++) {`
			`struct mg_str k = &hm.headers[i].name, v = &hm.headers[i].value;`
fix fuzzer 2024-04-18 21:05:41 +08:00			`mg_crc32(0, k->buf, k->len);`
			`mg_crc32(0, v->buf, v->len);`
access only when parsing is valid 2023-06-30 05:37:10 +08:00			`}`
Extend fuzzer, access parsed fields 2023-06-29 23:34:15 +08:00			`}`
Fix mg_sntp_parse() 2020-12-11 21:16:51 +08:00			`mg_http_parse(NULL, 0, &hm);`
7.0 refactor 2020-12-05 19:26:32 +08:00
Fuzz-test mg_http_var and base64 2020-12-08 02:52:40 +08:00			`struct mg_str body = mg_str_n((const char *) data, size);`
			`char tmp[256];`
			`mg_http_get_var(&body, "key", tmp, sizeof(tmp));`
Add minor case to fuzzer 2020-12-14 00:33:46 +08:00			`mg_http_get_var(&body, "key", NULL, 0);`
Fix mg_url_decode fuzz 2020-12-11 17:35:50 +08:00			`mg_url_decode((char *) data, size, tmp, sizeof(tmp), 1);`
			`mg_url_decode((char *) data, size, tmp, 1, 1);`
Fix mg_sntp_parse() 2020-12-11 21:16:51 +08:00			`mg_url_decode(NULL, 0, tmp, 1, 1);`
Fuzz-test mg_http_var and base64 2020-12-08 02:52:40 +08:00
7.0 refactor 2020-12-05 19:26:32 +08:00			`struct mg_mqtt_message mm;`
access only when parsing is valid 2023-06-30 05:37:10 +08:00			`if (mg_mqtt_parse(data, size, 0, &mm) == MQTT_OK) {`
fix fuzzer 2024-04-18 21:05:41 +08:00			`mg_crc32(0, mm.topic.buf, mm.topic.len);`
			`mg_crc32(0, mm.data.buf, mm.data.len);`
			`mg_crc32(0, mm.dgram.buf, mm.dgram.len);`
access only when parsing is valid 2023-06-30 05:37:10 +08:00			`}`
Initial mqtt5 support 2022-06-28 18:31:13 +08:00			`mg_mqtt_parse(NULL, 0, 0, &mm);`
access only when parsing is valid 2023-06-30 05:37:10 +08:00			`if (mg_mqtt_parse(data, size, 5, &mm) == MQTT_OK) {`
fix fuzzer 2024-04-18 21:05:41 +08:00			`mg_crc32(0, mm.topic.buf, mm.topic.len);`
			`mg_crc32(0, mm.data.buf, mm.data.len);`
			`mg_crc32(0, mm.dgram.buf, mm.dgram.len);`
access only when parsing is valid 2023-06-30 05:37:10 +08:00			`}`
Initial mqtt5 support 2022-06-28 18:31:13 +08:00			`mg_mqtt_parse(NULL, 0, 5, &mm);`
7.0 refactor 2020-12-05 19:26:32 +08:00
Use int64_t for timers and mg_millis() 2021-12-22 05:50:18 +08:00			`mg_sntp_parse(data, size);`
			`mg_sntp_parse(NULL, 0);`
7.0 refactor 2020-12-05 19:26:32 +08:00
Fuzz-test mg_http_var and base64 2020-12-08 02:52:40 +08:00			`char buf[size * 4 / 3 + 5]; // At least 4 chars and nul termination`
Change base64 API 2023-08-22 18:50:19 +08:00			`mg_base64_decode((char *) data, size, buf, sizeof(buf));`
			`mg_base64_decode(NULL, 0, buf, sizeof(buf));`
			`mg_base64_encode(data, size, buf, sizeof(buf));`
			`mg_base64_encode(NULL, 0, buf, sizeof(buf));`
Fuzz-test mg_http_var and base64 2020-12-08 02:52:40 +08:00
cleanup 'str' API 2024-05-01 05:19:42 +08:00			`mg_match(mg_str_n((char ) data, size), mg_str_n((char ) data, size), NULL);`
Add more fuzz tests 2020-12-24 17:07:55 +08:00
Fix fuzzer call for mg_span() 2024-02-22 16:36:22 +08:00			`struct mg_str entry, s = mg_str_n((char *) data, size);`
			`while (mg_span(s, &entry, &s, ',')) entry.len = 0;`
Add more fuzz tests 2020-12-24 17:07:55 +08:00
Add JSON API 2022-06-09 19:39:48 +08:00			`int n;`
Refactor JSON and RPC API 2022-07-30 14:55:26 +08:00			`mg_json_get(mg_str_n((char *) data, size), "$", &n);`
Fuzzing MIP 2022-09-19 20:28:07 +08:00			`mg_json_get(mg_str_n((char *) data, size), "$.a.b", &n);`
			`mg_json_get(mg_str_n((char *) data, size), "$[0]", &n);`

Optimize fuzzer 2022-09-25 17:19:17 +08:00			`if (size > 0) {`
Move mip/ -> src/tcpip/, rename mip_ -> mg_tcpip_ 2023-02-08 05:16:42 +08:00			`struct mg_tcpip_if mif = {.ip = 0x01020304,`
access only when parsing is valid 2023-06-30 05:37:10 +08:00			`.mask = 255,`
			`.gw = 0x01010101,`
			`.driver = &mg_tcpip_driver_mock};`
Optimize fuzzer 2022-09-25 17:19:17 +08:00			`struct mg_mgr mgr;`
			`mg_mgr_init(&mgr);`
Move mip/ -> src/tcpip/, rename mip_ -> mg_tcpip_ 2023-02-08 05:16:42 +08:00			`mg_tcpip_init(&mgr, &mif);`
Optimize fuzzer 2022-09-25 17:19:17 +08:00
			`// Make a copy of the random data, in order to modify it`
Fuzzer nits 2022-10-18 22:21:59 +08:00			`void *pkt = malloc(size);`
Optimize fuzzer 2022-09-25 17:19:17 +08:00			`struct eth eth = (struct eth ) pkt;`
			`memcpy(pkt, data, size);`
			`if (size > sizeof(*eth)) {`
Optimize fuzzer 2022-09-25 18:58:28 +08:00			`static size_t i;`
			`uint16_t eth_types[] = {0x800, 0x800, 0x806, 0x86dd};`
Expose mip guts 2022-11-09 21:11:22 +08:00			`memcpy(eth->dst, mif.mac, 6); // Set valid destination MAC`
Optimize fuzzer 2022-09-25 18:58:28 +08:00			`eth->type = mg_htons(eth_types[i++]);`
			`if (i >= sizeof(eth_types) / sizeof(eth_types[0])) i = 0;`
Optimize fuzzer 2022-09-25 17:19:17 +08:00			`}`

Move mip/ -> src/tcpip/, rename mip_ -> mg_tcpip_ 2023-02-08 05:16:42 +08:00			`mg_tcpip_rx(&mif, pkt, size);`
Add http serve to fuzzer 2023-08-15 22:09:48 +08:00
			`// Test HTTP serving`
			`const char *url = "http://localhost:12345";`
			`struct mg_connection *c = mg_http_connect(&mgr, url, fn, NULL);`
			`mg_iobuf_add(&c->recv, 0, data, size);`
remove fn_data from event handler signature 2024-01-09 04:34:34 +08:00			`c->pfn(c, MG_EV_READ, NULL); // manually invoke protocol event handler`
Add http serve to fuzzer 2023-08-15 22:09:48 +08:00
Optimize fuzzer 2022-09-25 17:19:17 +08:00			`mg_mgr_free(&mgr);`
Fix stack overflow in fuzzer - too big on-stack array 2022-10-15 19:54:56 +08:00			`free(pkt);`
Use mg_queue in mip 2023-02-19 17:48:11 +08:00			`mg_tcpip_free(&mif);`
Optimize fuzzer 2022-09-25 17:19:17 +08:00			`}`
Add JSON API 2022-06-09 19:39:48 +08:00
Better UI PUBLISHED_FROM=50f0cafa84cd06428f0da376d85766dcf62af9da 2019-07-12 20:28:20 +08:00			`return 0;`
			`}`
Fix overflow in rx_icmp 2022-09-29 23:53:11 +08:00
			`#if defined(MAIN)`
			`int main(int argc, char *argv[]) {`
Use CC for fuzzer, not CXX 2022-09-30 18:44:50 +08:00			`int res = EXIT_FAILURE;`
Fix overflow in rx_icmp 2022-09-29 23:53:11 +08:00			`if (argc > 1) {`
move Makefile to test/ 2024-04-20 05:28:13 +08:00			`struct mg_str data = mg_file_read(&mg_fs_posix, argv[1]);`
			`if (data.buf != NULL) {`
			`LLVMFuzzerTestOneInput((uint8_t *) data.buf, data.len);`
Use CC for fuzzer, not CXX 2022-09-30 18:44:50 +08:00			`res = EXIT_SUCCESS;`
			`}`
move Makefile to test/ 2024-04-20 05:28:13 +08:00			`free(data.buf);`
Fix overflow in rx_icmp 2022-09-29 23:53:11 +08:00			`}`
Use CC for fuzzer, not CXX 2022-09-30 18:44:50 +08:00			`return res;`
Fix overflow in rx_icmp 2022-09-29 23:53:11 +08:00			`}`
			`#endif`