libevent: extend fuzzing suite (#11052)

Signed-off-by: David Korczynski <[email protected]>
google · Sep 30, 2023 · f724cfc · f724cfc
1 parent f3b1a5c
commit f724cfc
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 6 deletions.
diff --git a/projects/libevent/Dockerfile b/projects/libevent/Dockerfile
@@ -17,5 +17,6 @@
 FROM gcr.io/oss-fuzz-base/base-builder
 RUN apt-get update && apt-get install -y cmake make
 RUN git clone --depth 1 https:/libevent/libevent.git libevent
+RUN git clone --depth 1 https:/google/fuzzing fuzzing
 WORKDIR libevent
 COPY build.sh *.cc *.c $SRC/
diff --git a/projects/libevent/build.sh b/projects/libevent/build.sh
@@ -44,3 +44,5 @@ then
  ./lib/libevent_pthreads.a ./lib/libevent_extra.a \
  -o $OUT/fuzz_request
 fi
+
+cp $SRC/fuzzing/dictionaries/http.dict $OUT/http_fuzzer2.dict
diff --git a/projects/libevent/http_fuzzer.cc b/projects/libevent/http_fuzzer.cc
@@ -32,12 +32,25 @@ extern "C" {
 }
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- if (size < 1) {
+ if (size < 5) {
  return 0;
  }
+
+ // Decider to determine which request type to parse.
+ uint8_t decider = data[0];
+ data++;
+ size--;
+ int maxHeaderSize = *(int*)data;
+ data += 4;
+ size -= 4;
+ if (maxHeaderSize < 0) {
+ return 0;
+ }
+
  // Prepare in case it's used.
  struct evhttp_connection evcon;
  evcon.ext_method_cmp = NULL;
+ evcon.max_headers_size = maxHeaderSize % 2048;
 
  struct evhttp *http_val = NULL;
  http_val = evhttp_new(NULL);
@@ -46,11 +59,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  }
  evcon.http_server = http_val;
 
- // Decider to determine which request type to parse.
- uint8_t decider = data[0];
- data++;
- size--;
-
  FuzzedDataProvider data_provider(data, size);
  std::string s1 = data_provider.ConsumeRandomLengthString();
 
@@ -84,6 +92,18 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  free(encoded);
  }
 
+ // Minor utils function
+ evhttp_htmlescape(s1.c_str());
+
+ // URI utils
+ struct evhttp_uri *uri;
+ uri = evhttp_uri_parse(s1.c_str());
+ if (uri != NULL) {
+ char uri_buf[256];
+ evhttp_uri_join(uri, uri_buf, 256);
+ evhttp_uri_free(uri);
+ }
+
  // Cleanup
  evhttp_request_free(req);
  evbuffer_free(buf);

diff --git a/projects/libevent/utils_fuzzer.cc b/projects/libevent/utils_fuzzer.cc
@@ -46,5 +46,24 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  evutil_freeaddrinfo(addr_info);
  }
 
+ int portnum=-1;
+ struct evutil_addrinfo *res = NULL;
+ struct evutil_addrinfo hints;
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = PF_UNSPEC;
+ evutil_getaddrinfo_common_(NULL, s1.c_str(), &hints, &res, &portnum);
+ if (res != NULL) {
+ evutil_freeaddrinfo(res);
+ }
+
+ res = NULL;
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = PF_UNSPEC;
+ evutil_getaddrinfo_common_(s1.c_str(), NULL, &hints, &res, &portnum);
+ if (res != NULL) {
+ evutil_freeaddrinfo(res);
+ }
+
  return 0;
 }