From d1ff92ece3dfad6102494ac22df1f5f5d52423a3 Mon Sep 17 00:00:00 2001 
From: ganeshmurthy Date: Mon, 16 Sep 2024 16:43:32 -0400 Subject: [PATCH] Fixes #1613: Added fuzz testing for the http2 decoder. Fixes for two issues that the fuzz tester found. --- CMakeLists.txt | 1 + pom.xml | 2 + run.py.in | 1 + src/decoders/http2/http2_decoder.c | 40 ++++- tests/CMakeLists.txt | 5 +- tests/fuzz/CMakeLists.txt | 56 +++++++ tests/fuzz/Containerfile | 60 ++++++++ tests/fuzz/README.md | 31 ++++ tests/fuzz/StandaloneFuzzTargetInit.c | 36 +++++ tests/fuzz/StandaloneFuzzTargetMain.c | 141 ++++++++++++++++++ tests/fuzz/fuzz_http2_decoder.c | 66 ++++++++ tests/fuzz/fuzz_http2_decoder.h | 26 ++++ ...01,time:10347,execs:182257,op:splice,rep:1 | Bin 0 -> 99 bytes .../corpus/id:000000,time:0,execs:0,orig:file | 4 + .../id:000001,time:0,execs:0,orig:file2 | Bin 0 -> 99 bytes ...00001,time:9,execs:57,op:havoc,rep:14,+cov | Bin 0 -> 170 bytes ...0001,time:11,execs:66,op:havoc,rep:12,+cov | Bin 0 -> 122 bytes ...00001,time:16,execs:98,op:havoc,rep:3,+cov | Bin 0 -> 124 bytes ...0001,time:18,execs:111,op:havoc,rep:1,+cov | Bin 0 -> 99 bytes ...rc:000001,time:20,execs:124,op:havoc,rep:3 | Bin 0 -> 99 bytes ...c:000001,time:22,execs:144,op:havoc,rep:16 | Bin 0 -> 56 bytes ...rc:000001,time:25,execs:181,op:havoc,rep:1 | Bin 0 -> 60 bytes ...rc:000001,time:26,execs:194,op:havoc,rep:2 | Bin 0 -> 99 bytes ...rc:000001,time:29,execs:223,op:havoc,rep:5 | Bin 0 -> 32 bytes ...0001,time:32,execs:275,op:havoc,rep:3,+cov | Bin 0 -> 67 bytes ...rc:000001,time:41,execs:413,op:havoc,rep:3 | Bin 0 -> 75 bytes ...0001,time:46,execs:504,op:havoc,rep:1,+cov | Bin 0 -> 99 bytes ...0001,time:54,execs:622,op:havoc,rep:5,+cov | Bin 0 -> 99 bytes ...0001,time:57,execs:667,op:havoc,rep:3,+cov | Bin 0 -> 68 bytes ...0001,time:60,execs:724,op:havoc,rep:4,+cov | Bin 0 -> 85 bytes ...01,time:86,execs:1172,op:havoc,rep:10,+cov | Bin 0 -> 131 bytes ...c:000001,time:97,execs:1350,op:havoc,rep:8 | Bin 0 -> 104 bytes ...:000001,time:114,execs:1633,op:havoc,rep:6 | Bin 0 -> 104 bytes 
...1,time:135,execs:1942,op:havoc,rep:16,+cov | Bin 0 -> 4 bytes ...:000001,time:297,execs:4435,op:havoc,rep:1 | Bin 0 -> 104 bytes ...:000001,time:572,execs:9596,op:havoc,rep:3 | Bin 0 -> 108 bytes ...00015,time:844,execs:14581,op:splice,rep:1 | Bin 0 -> 52 bytes ...00020,time:1595,execs:29722,op:havoc,rep:2 | Bin 0 -> 26 bytes ...00014,time:2149,execs:39258,op:havoc,rep:7 | Bin 0 -> 113 bytes ...00014,time:2154,execs:39348,op:havoc,rep:6 | Bin 0 -> 153 bytes ...00025,time:2588,execs:46911,op:havoc,rep:2 | Bin 0 -> 150 bytes ...0008,time:3033,execs:55613,op:splice,rep:2 | Bin 0 -> 28 bytes ...18,time:16456,execs:313183,op:splice,rep:5 | Bin 0 -> 104 bytes ...04,time:21269,execs:406759,op:splice,rep:2 | Bin 0 -> 76 bytes ...e:52315,execs:985143,op:splice,rep:10,+cov | Bin 0 -> 148 bytes ...,time:63268,execs:1174313,op:splice,rep:13 | Bin 0 -> 272 bytes ...2,time:146341,execs:2772510,op:havoc,rep:1 | Bin 0 -> 131 bytes ...4,time:209083,execs:3978023,op:havoc,rep:3 | Bin 0 -> 99 bytes ...,time:373224,execs:6614074,op:splice,rep:3 | Bin 0 -> 100 bytes ...5,time:386748,execs:6805442,op:havoc,rep:1 | Bin 0 -> 100 bytes ...6,time:389018,execs:6830806,op:havoc,rep:2 | Bin 0 -> 124 bytes ...7,time:395813,execs:6924470,op:havoc,rep:1 | Bin 0 -> 124 bytes ...7,time:395822,execs:6924599,op:havoc,rep:2 | Bin 0 -> 124 bytes ...9,time:409617,execs:7109000,op:havoc,rep:3 | Bin 0 -> 124 bytes ...,time:600293,execs:9927577,op:splice,rep:3 | Bin 0 -> 904 bytes ...,time:600658,execs:9930663,op:splice,rep:3 | Bin 0 -> 552 bytes ...,time:600813,execs:9933283,op:havoc,rep:20 | Bin 0 -> 2212 bytes ...time:624601,execs:10266729,op:splice,rep:3 | Bin 0 -> 969 bytes ...,time:649469,execs:10621673,op:havoc,rep:5 | Bin 0 -> 1856 bytes ...,time:655671,execs:10713824,op:havoc,rep:3 | Bin 0 -> 152 bytes ...time:715386,execs:11589946,op:splice,rep:9 | Bin 0 -> 612 bytes ...ime:757227,execs:12207286,op:splice,rep:10 | Bin 0 -> 508 bytes ...time:800151,execs:12827140,op:splice,rep:2 | Bin 0 -> 560 
bytes ...ime:803234,execs:12871426,op:splice,rep:12 | Bin 0 -> 2316 bytes .../fuzz_http2_decoder/corpus/original-seed1 | 4 + .../fuzz_http2_decoder/corpus/original-seed2 | Bin 0 -> 103 bytes ...h-d372d784d8584f8fecd69151a9efcf3afcfc8320 | Bin 0 -> 111 bytes ...h-d372d784d8584f8fecd69151a9efcf3afcfc8321 | 4 + ...0041,time:12145,execs:46229,op:havoc,rep:1 | Bin 0 -> 133 bytes tests/fuzz/libFuzzingEngine.h | 40 +++++ tests/http2_decoder_tests.c | 16 +- 71 files changed, 523 insertions(+), 10 deletions(-) create mode 100644 tests/fuzz/CMakeLists.txt create mode 100644 tests/fuzz/Containerfile create mode 100644 tests/fuzz/README.md create mode 100644 tests/fuzz/StandaloneFuzzTargetInit.c create mode 100644 tests/fuzz/StandaloneFuzzTargetMain.c create mode 100644 tests/fuzz/fuzz_http2_decoder.c create mode 100644 tests/fuzz/fuzz_http2_decoder.h create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000000,sig:06,src:000015+000001,time:10347,execs:182257,op:splice,rep:1 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000000,time:0,execs:0,orig:file create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000001,time:0,execs:0,orig:file2 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000002,src:000001,time:9,execs:57,op:havoc,rep:14,+cov create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000003,src:000001,time:11,execs:66,op:havoc,rep:12,+cov create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000004,src:000001,time:16,execs:98,op:havoc,rep:3,+cov create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000005,src:000001,time:18,execs:111,op:havoc,rep:1,+cov create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000006,src:000001,time:20,execs:124,op:havoc,rep:3 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000007,src:000001,time:22,execs:144,op:havoc,rep:16 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000008,src:000001,time:25,execs:181,op:havoc,rep:1 create mode 100644 
tests/fuzz/fuzz_http2_decoder/corpus/id:000009,src:000001,time:26,execs:194,op:havoc,rep:2 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000010,src:000001,time:29,execs:223,op:havoc,rep:5 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000011,src:000001,time:32,execs:275,op:havoc,rep:3,+cov create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000012,src:000001,time:41,execs:413,op:havoc,rep:3 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000013,src:000001,time:46,execs:504,op:havoc,rep:1,+cov create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000014,src:000001,time:54,execs:622,op:havoc,rep:5,+cov create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000015,src:000001,time:57,execs:667,op:havoc,rep:3,+cov create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000016,src:000001,time:60,execs:724,op:havoc,rep:4,+cov create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000017,src:000001,time:86,execs:1172,op:havoc,rep:10,+cov create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000018,src:000001,time:97,execs:1350,op:havoc,rep:8 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000019,src:000001,time:114,execs:1633,op:havoc,rep:6 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000020,src:000001,time:135,execs:1942,op:havoc,rep:16,+cov create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000021,src:000001,time:297,execs:4435,op:havoc,rep:1 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000022,src:000001,time:572,execs:9596,op:havoc,rep:3 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000023,src:000016+000015,time:844,execs:14581,op:splice,rep:1 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000024,src:000020,time:1595,execs:29722,op:havoc,rep:2 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000025,src:000014,time:2149,execs:39258,op:havoc,rep:7 create mode 100644 
tests/fuzz/fuzz_http2_decoder/corpus/id:000026,src:000014,time:2154,execs:39348,op:havoc,rep:6 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000027,src:000025,time:2588,execs:46911,op:havoc,rep:2 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000028,src:000016+000008,time:3033,execs:55613,op:splice,rep:2 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000029,src:000016+000018,time:16456,execs:313183,op:splice,rep:5 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000030,src:000014+000004,time:21269,execs:406759,op:splice,rep:2 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000031,src:000021+000005,time:52315,execs:985143,op:splice,rep:10,+cov create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000032,src:000021+000026,time:63268,execs:1174313,op:splice,rep:13 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000033,src:000022,time:146341,execs:2772510,op:havoc,rep:1 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000034,src:000014,time:209083,execs:3978023,op:havoc,rep:3 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000035,src:000034+000021,time:373224,execs:6614074,op:splice,rep:3 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000036,src:000035,time:386748,execs:6805442,op:havoc,rep:1 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000037,src:000036,time:389018,execs:6830806,op:havoc,rep:2 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000038,src:000037,time:395813,execs:6924470,op:havoc,rep:1 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000039,src:000037,time:395822,execs:6924599,op:havoc,rep:2 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000040,src:000039,time:409617,execs:7109000,op:havoc,rep:3 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000041,src:000034+000029,time:600293,execs:9927577,op:splice,rep:3 create mode 100644 
tests/fuzz/fuzz_http2_decoder/corpus/id:000042,src:000034+000022,time:600658,execs:9930663,op:splice,rep:3 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000043,src:000036,time:600813,execs:9933283,op:havoc,rep:20 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000044,src:000034+000031,time:624601,execs:10266729,op:splice,rep:3 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000045,src:000016,time:649469,execs:10621673,op:havoc,rep:5 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000046,src:000036,time:655671,execs:10713824,op:havoc,rep:3 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000047,src:000034+000042,time:715386,execs:11589946,op:splice,rep:9 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000048,src:000036+000042,time:757227,execs:12207286,op:splice,rep:10 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000049,src:000036+000048,time:800151,execs:12827140,op:splice,rep:2 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/id:000050,src:000034+000019,time:803234,execs:12871426,op:splice,rep:12 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/original-seed1 create mode 100644 tests/fuzz/fuzz_http2_decoder/corpus/original-seed2 create mode 100644 tests/fuzz/fuzz_http2_decoder/crash/crash-d372d784d8584f8fecd69151a9efcf3afcfc8320 create mode 100644 tests/fuzz/fuzz_http2_decoder/crash/crash-d372d784d8584f8fecd69151a9efcf3afcfc8321 create mode 100644 tests/fuzz/fuzz_http2_decoder/crash/id:000000,sig:06,src:000041,time:12145,execs:46229,op:havoc,rep:1 create mode 100644 tests/fuzz/libFuzzingEngine.h diff --git a/CMakeLists.txt b/CMakeLists.txt index 308dc9c0e..198044f30 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -45,6 +45,7 @@ set(CMAKE_ENABLE_EXPORTS TRUE)
 option(CMAKE_INTERPROCEDURAL_OPTIMIZATION "Perform link time optimization" ON)
 option(ENABLE_WARNING_ERROR "Consider compiler warnings to be errors" ON)
 option(ENABLE_PROFILE_GUIDED_OPTIMIZATION "Perform profile guided optimization" OFF)
+option(ENABLE_FUZZ_TESTING "Enable building fuzzers and regression testing with libFuzzer" ON)
 # preserve frame pointers for ease of debugging and profiling
 # see https://fedoraproject.org/wiki/Changes/fno-omit-frame-pointer
diff --git a/pom.xml b/pom.xml
index 5a9fe3a32..977ebe8b7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -108,6 +108,8 @@ share/index.html
 scripts/git-clang-format
 tests/nginx/**
+ tests/fuzz/fuzz_http2_decoder/**
+ tests/fuzz/fuzz_http1_decoder/**
diff --git a/run.py.in b/run.py.in
index 6b4b530d9..931385c47 100755
--- a/run.py.in
+++ b/run.py.in
@@ -70,6 +70,7 @@ env_vars = {
 'PYTHONPATH': os.pathsep.join(python_path),
 'PATH': os.pathsep.join(dedup(["${CMAKE_BINARY_DIR}",
 os.path.join("${CMAKE_BINARY_DIR}", 'tests'),
+ os.path.join("${CMAKE_BINARY_DIR}", 'tests/fuzz'),
 os.path.join("${CMAKE_BINARY_DIR}", 'router'),
 os.path.join("${CMAKE_SOURCE_DIR}", 'tools'),
 os.path.join("${CMAKE_BINARY_DIR}", 'tools'),
diff --git a/src/decoders/http2/http2_decoder.c b/src/decoders/http2/http2_decoder.c
index 9347f7220..35c0bdfac 100644
--- a/src/decoders/http2/http2_decoder.c
+++ b/src/decoders/http2/http2_decoder.c
@@ -126,6 +126,12 @@ qd_http2_frame_type get_frame_type(const uint8_t frame_type)
 return FRAME_TYPE_OTHER;
 }
+uint8_t get_pad_length(const uint8_t *data)
+{
+ uint8_t pad_length = (uint8_t) ((data)[0]);
+ return pad_length;
+}
+
 uint32_t get_stream_identifier(const uint8_t *data)
 {
 uint32_t stream_id = (((uint32_t) (data)[0]) << 24) | (((uint32_t) (data)[1]) << 16) | (((uint32_t) (data)[2]) << 8) | ((uint32_t) (data)[3]);
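Review bot: get_pad_length has external linkage and no stated precondition, yet it is an unconditional one-byte read that relies on the caller having checked that `data` still points inside the frame payload. Declaring it `static uint8_t get_pad_length(const uint8_t *data)` keeps it out of the global namespace, and a header comment such as `// Returns the Pad Length octet of a PADDED frame; the caller must guarantee that at least one byte is readable at data[0].` records the contract for the next reader. The cast in `(uint8_t) ((data)[0])` is a no-op because data already has type `const uint8_t *`, so `return data[0];` expresses the same thing.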
@@ -321,8 +327,9 @@ bool get_request_headers(qd_http2_decoder_t *decoder)
 qd_log(LOG_HTTP2_DECODER, QD_LOG_DEBUG, "[C%"PRIu64"] get_request_headers - end_stream=%i, end_headers=%i, is_padded=%i, has_priority=%i, stream_id=%" PRIu32, decoder->conn_state->conn_id, end_stream, end_headers, is_padded, has_priority, stream_id);
 scratch_buffer->offset += HTTP2_FRAME_STREAM_ID_LENGTH;
 decoder->frame_length_processed += HTTP2_FRAME_STREAM_ID_LENGTH;
-
+ uint8_t pad_length = 0;
 if(is_padded) {
+ pad_length = get_pad_length(scratch_buffer->bytes + scratch_buffer->offset);
 // Move one byte to account for pad length
 scratch_buffer->offset += 1;
 decoder->frame_length_processed += 1;
@@ -330,6 +337,7 @@ bool get_request_headers(qd_http2_decoder_t *decoder)
 if(has_priority) {
 // Skip the Stream Dependency field if the priority flag is set
+ // Stream Dependency field is 4 octets.
 scratch_buffer->offset += 4;
 decoder->frame_length_processed += 4;
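Review bot: get_pad_length() is applied to `scratch_buffer->bytes + scratch_buffer->offset` before anything establishes that the scratch buffer holds a byte at that offset; the size/offset validation this commit adds further down in get_request_headers (the @@ -338 hunk) runs only after the pad octet has already been read and consumed. For a PADDED frame whose payload is shorter than the fields skipped so far, the read lands beyond `scratch_buffer->size`; whether that is stale data or an out-of-bounds access depends on how the scratch buffer is allocated, which is not visible here. A guard ahead of the read, `if (scratch_buffer->offset >= scratch_buffer->size) { /* protocol error, handled as in the size check below */ }`, or moving the pad-length read after that check, closes the gap. get_request_headers begins and ends outside this hunk.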
@@ -338,6 +346,29 @@ bool get_request_headers(qd_http2_decoder_t *decoder)
 decoder->frame_length_processed += 1;
 }
+ //
+ // Before the call to decompress_headers(), we need to make sure that there is some data left in the scratch buffer before we decompress it.
+ //
+ int buffer_data_size = scratch_buffer->size - scratch_buffer->offset;
+ printf("get_request_headers buffer_data_size=%i\n", buffer_data_size);
+ int contains_pad_length = scratch_buffer->size - pad_length;
+ int pad_length_offset = scratch_buffer->size - pad_length - scratch_buffer->offset;
+ bool valid_pad_length = contains_pad_length > 0;
+ bool valid_buffer_data = buffer_data_size > 0;
+ bool valid_pad_length_offset = pad_length_offset > 0;
+ if(decoder->frame_payload_length == 0 || !valid_buffer_data || !valid_pad_length || !valid_pad_length_offset) {
+ qd_log(LOG_HTTP2_DECODER, QD_LOG_DEBUG, "[C%"PRIu64"] get_request_headers - failure, moving decoder state to HTTP2_DECODE_ERROR", decoder->conn_state->conn_id);
+ static char error[130];
+ snprintf(error, sizeof(error), "get_request_headers - either request or response header was received with zero payload or contains bogus data, stopping decoder");
+ reset_decoder_frame_info(decoder);
+ reset_scratch_buffer(&decoder->scratch_buffer);
+ parser_error(decoder, error);
+ return false;
+ }
+
+ // Take out the padding bytes from the end of the scratch buffer
+ scratch_buffer->size = scratch_buffer->size - pad_length;
+
 // We are now finally at a place which matters to us - The Header block fragment. We will look thru and decompress it so we can get the request/response headers.
 int rv = decompress_headers(decoder, stream_id, scratch_buffer->bytes + scratch_buffer->offset, scratch_buffer->size - scratch_buffer->offset);
 if(rv < 0) {
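Review bot: `printf("get_request_headers buffer_data_size=%i\n", buffer_data_size);` is a debugging leftover that writes to the router's stdout for every header frame the decoder completes; it should be removed or folded into the qd_log call a few lines below. `static char error[130]` filled by snprintf from a constant string adds nothing over passing the literal to parser_error directly, as the existing `parser_error(decoder, "scratch buffer size exceeded 65535 bytes, stopping decoder");` call already does, and a static buffer is unsafe if more than one thread runs the decoder. If `scratch_buffer->size` and `scratch_buffer->offset` are unsigned (their types are not visible here), the three subtractions wrap before being stored into `int`, so the `> 0` tests may not reject what they are meant to; expressing the checks as `scratch_buffer->offset < scratch_buffer->size` and `pad_length < scratch_buffer->size - scratch_buffer->offset` avoids the conversion entirely. get_request_headers begins and ends outside this hunk.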
@@ -380,11 +411,12 @@ static bool parse_request_header(qd_http2_decoder_t *decoder, const uint8_t **da
 parser_error(decoder, "scratch buffer size exceeded 65535 bytes, stopping decoder");
 return false;
 }
- decoder->frame_length_processed += bytes_to_copy;
 *data += bytes_to_copy;
 *length -= bytes_to_copy;
- if(decoder->frame_length_processed == decoder->frame_length) {
- get_request_headers(decoder);
+ if((decoder->frame_length_processed + bytes_to_copy) == decoder->frame_length) {
+ bool header_success = get_request_headers(decoder);
+ if(!header_success)
+ return false;
 }
 if (*length > 0) {
 return true; // More bytes remain to be processed, continue processing.
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 4f8c732cc..31d57f73a 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -40,7 +40,6 @@ set(unit_test_SOURCES
 hash_test.c
 thread_test.c
 platform_test.c
- static_assert_test.c
 )
 add_executable(unit_tests ${unit_test_SOURCES})
@@ -253,3 +252,7 @@ add_subdirectory(cpp)
 if(BUILD_BENCHMARKS)
 add_subdirectory(c_benchmarks)
 endif()
+
+if (ENABLE_FUZZ_TESTING)
+ add_subdirectory(fuzz)
+endif (ENABLE_FUZZ_TESTING)
diff --git a/tests/fuzz/CMakeLists.txt b/tests/fuzz/CMakeLists.txt
new file mode 100644
index 000000000..06168bd3c
--- /dev/null
+++ b/tests/fuzz/CMakeLists.txt
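Review bot: Dropping `decoder->frame_length_processed += bytes_to_copy;` means the bytes copied in this call are no longer recorded on the decoder when the frame does not complete here, and the new condition `(decoder->frame_length_processed + bytes_to_copy) == decoder->frame_length` then only sees the current chunk on the following call. Unless bytes_to_copy is derived from the accumulated scratch-buffer contents earlier in the function (outside this hunk), a HEADERS frame that arrives split across two decode() calls would never reach get_request_headers. If this is intentional because get_request_headers now advances frame_length_processed itself, a comment on the condition saying so, `// frame_length_processed is advanced by get_request_headers(); bytes_to_copy is this call's share of the frame`, would stop the next reader from reinstating the line. parse_request_header begins outside this hunk.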
@@ -0,0 +1,56 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+add_definitions(${C_STANDARD_FLAGS} ${COMPILE_WARNING_FLAGS})
+
+option(FUZZ_REGRESSION_TESTS "Run fuzz tests with regression test driver" ON)
+option(FUZZ_LONG_TESTS "Run fuzz tests that take a long time" OFF)
+set(FUZZER AFL CACHE STRING "Fuzzing engine to use") # Set AFL as the default fuzzer
+set(FUZZING_LIB_LibFuzzer FuzzingEngine)
+set(FUZZING_LIB_AFL -fsanitize=fuzzer)
+
+add_library(StandaloneFuzzTargetMain STATIC StandaloneFuzzTargetMain.c StandaloneFuzzTargetInit.c)
+
+if (FUZZ_REGRESSION_TESTS)
+ message(STATUS "FUZZ_REGRESSION_TESTS")
+ set(FUZZING_LIBRARY StandaloneFuzzTargetMain)
+else ()
+ message(STATUS "NO FUZZ_REGRESSION_TESTS")
+ set(FUZZING_LIBRARY ${FUZZING_LIB_${FUZZER}})
+endif ()
+
+macro(add_fuzz_test test)
+ add_executable (${test} ${ARGN})
+ target_link_libraries (${test} ${FUZZING_LIBRARY} skupper-router)
+ set_target_properties(fuzz_http2_decoder PROPERTIES LINKER_LANGUAGE CXX)
+
+ if(FUZZ_REGRESSION_TESTS)
+ file(GLOB_RECURSE files ${CMAKE_CURRENT_SOURCE_DIR}/${test}/*)
+ unset(file_lines)
+ foreach(f IN LISTS files)
+ set(file_lines "${file_lines}${f}\n")
+ endforeach()
+ file(WRITE "${CMAKE_CURRENT_BINARY_DIR}/${test}-files" "${file_lines}")
+ add_test(${test} ${TEST_WRAP} ${test} "@${CMAKE_CURRENT_BINARY_DIR}/${test}-files")
+ else(FUZZ_REGRESSION_TESTS)
+ add_test(${test} ${TEST_WRAP} ${test} "${CMAKE_CURRENT_SOURCE_DIR}/${test}")
+ endif(FUZZ_REGRESSION_TESTS)
+endmacro(add_fuzz_test test)
+
+add_fuzz_test(fuzz_http2_decoder fuzz_http2_decoder.c)
+#add_fuzz_test(fuzz_http1_decoder fuzz_http1_decoder.c)
diff --git a/tests/fuzz/Containerfile b/tests/fuzz/Containerfile
new file mode 100644
index 000000000..7580a53e3
--- /dev/null
+++ b/tests/fuzz/Containerfile
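Review bot: Inside the add_fuzz_test macro, `set_target_properties(fuzz_http2_decoder PROPERTIES LINKER_LANGUAGE CXX)` names the target literally instead of using the macro argument, so the macro breaks for any other fuzzer; the commented-out fuzz_http1_decoder line would fail at configure time as soon as it is enabled. It should read `set_target_properties(${test} PROPERTIES LINKER_LANGUAGE CXX)`. A one-line comment on why a C fuzz target is linked as C++ (presumably because the libFuzzer/AFL runtime is C++ — confirm) would also help, since in the regression configuration only C sources are linked. FUZZ_LONG_TESTS is declared here but never referenced in this file.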
@@ -0,0 +1,60 @@
+# Copyright 2017 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update
+
+# Ensure we work from right python version
+# Minimum python version required by qpid-proton and skupper-router is Python 3.9
+RUN apt-get install -y python3.9 python3.9-dev && \
+ ln --force -s /usr/bin/python3.9 /usr/local/bin/python3 && \
+ apt-get install -y python3-pip
+RUN apt-get install -y libuv1-dev wget cmake emacs python3-dev libwebsockets-dev libtool zlib1g-dev cmake libsasl2-dev libssl-dev sasl2-bin libnghttp2-dev
+
+# LibwebSockets library is required by skupper-router
+# We are using v4.2-stable instead v4.3-stable because of this lws compilation error - https://github.com/warmcat/libwebsockets/issues/3163
+RUN git clone https://github.com/warmcat/libwebsockets.git --branch v4.2-stable
+WORKDIR /src
+RUN mkdir libwebsockets/build && cd libwebsockets/build && cmake .. -DLWS_LINK_TESTAPPS_DYNAMIC=ON -DLWS_WITH_LIBUV=OFF -DLWS_WITHOUT_BUILTIN_GETIFADDRS=ON -DLWS_WITHOUT_BUILTIN_SHA1=ON -DLWS_WITH_STATIC=OFF -DLWS_IPV6=ON -DLWS_WITH_HTTP2=OFF -DLWS_WITHOUT_CLIENT=OFF -DLWS_WITHOUT_SERVER=OFF -DLWS_WITHOUT_TESTAPPS=ON -DLWS_WITHOUT_TEST_SERVER=ON -DLWS_WITHOUT_TEST_SERVER_EXTPOLL=ON -DLWS_WITHOUT_TEST_PING=ON -DLWS_WITHOUT_TEST_CLIENT=ON && make install
+
+RUN git clone https://github.com/apache/qpid-proton.git
+WORKDIR /src/qpid-proton
+RUN mkdir build && cd build && cmake .. -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INTERPROCEDURAL_OPTIMIZATION=OFF -DENABLE_LINKTIME_OPTIMIZATION=OFF -DBUILD_TLS=ON -DSSL_IMPL=openssl -DBUILD_TOOLS=OFF -DBUILD_EXAMPLES=OFF -DBUILD_TESTING=OFF && make install
+
+WORKDIR /src
+RUN git clone https://github.com/ganeshmurthy/skupper-router.git --branch FUZZ-TESTING
+
+WORKDIR /src/skupper-router
+
+# refresh the build directory if it exists already
+RUN rm build -rf || true
+
+# /usr/local/bin/compile compiles libFuzzer or AmericanFuzzyLop(afl), then calls /src/build.sh and sets correct environment variables for it
+RUN echo cmake .. -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INTERPROCEDURAL_OPTIMIZATION=OFF -DFUZZ_REGRESSION_TESTS=OFF -DCMAKE_C_FLAGS=-DQD_MEMORY_DEBUG -DRUNTIME_CHECK=asan > /src/build.sh
+
+# build and run the test. Choose AFL for fuzzer
+RUN mkdir build
+WORKDIR /src/skupper-router/build
+RUN FUZZING_LANGUAGE='' FUZZING_ENGINE=afl /usr/local/bin/compile
+WORKDIR /src/skupper-router/build/tests/fuzz
+RUN make
+
+# This starts the AFL fuzzer that runs in an infinite loop. Let it run for about 30 minutes and press Ctrl + C to kill it.
+# The AFL program displays the stats on stdout upon termination.
+# Uncomment ONE of the following lines to start the AFL fuzzer for the http2 or the http1 decoder. Before starting the AFL fuzzer, make sure you have some seed datta in the respective corpus folders.
+#ENTRYPOINT LD_LIBRARY_PATH=/usr/local/lib/clang/18/lib/x86_64-unknown-linux-gnu/ AFL_MAP_SIZE=10000000 AFL_DEBUG=1 AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 afl-fuzz -i /src/skupper-router/tests/fuzz/fuzz_http2_decoder/corpus/ -o findings_dir /src/skupper-router/build/tests/fuzz/fuzz_http2_decoder; bash
+#ENTRYPOINT LD_LIBRARY_PATH=/usr/local/lib/clang/18/lib/x86_64-unknown-linux-gnu/ AFL_MAP_SIZE=10000000 AFL_DEBUG=1 AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 afl-fuzz -i /src/skupper-router/tests/fuzz/fuzz_http1_decoder/corpus/ -o findings_dir /src/skupper-router/build/tests/fuzz/fuzz_http1_decoder; bash
+CMD ["/bin/bash"]
diff --git a/tests/fuzz/README.md b/tests/fuzz/README.md
new file mode 100644
index 000000000..794996377
--- /dev/null
+++ b/tests/fuzz/README.md
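Review bot: The image clones `https://github.com/ganeshmurthy/skupper-router.git --branch FUZZ-TESTING`, a personal fork branch, and the libwebsockets and qpid-proton clones track moving branches too; none of the three is pinned to a commit, so the image is not reproducible and a crash found inside it cannot be tied to a specific router revision. Once this lands, point the clone at the upstream repository (or build the checked-out tree with `COPY . /src/skupper-router`) and pin the dependencies, e.g. `RUN git clone https://github.com/apache/qpid-proton.git && git -C qpid-proton checkout <commit-placeholder>`. `emacs` and `wget` in the apt-get line are not used by any later step and only enlarge the image. The comment before the ENTRYPOINT lines misspells "seed data" as `seed datta`.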
@@ -0,0 +1,31 @@
+# Fuzz testing http1 and http2 adaptors in skupper-router
+
+##Basics -
+For a glossary of fuzzing terms please see - https://github.com/google/fuzzing/blob/master/docs/glossary.md
+libFuzzer(https://llvm.org/docs/LibFuzzer.html) and AFL(https://github.com/google/AFL) are popular fuzzing engines that can be used for fuzz testing the http1 and the http2 adaptors.
+OSS-Fuzz (https://github.com/google/oss-fuzz) supports both libFuzzer and AFL.
+
+##skupper-router/tests/fuzz/CMakeLists.txt
+The CMakeLists.txt by defaults the fuzzing engine to AFL.
+**set(FUZZER AFL CACHE STRING "Fuzzing engine to use")**
+You can change the default fuzzing engine to libFuzzer like this -
+**set(FUZZER LibFuzzer CACHE STRING "Fuzzing engine to use")**
+The StandaloneFuzzTargetMain is set as the FUZZING_LIBRARY when regression testing is required (FUZZ_REGRESSION_TESTS=ON)
+The regression tests are run as part of the skupper-router test suite in github CI.
+The corpus files used by the regression tests are generated by running the fuzzer of your choice inside the container built using the Containerfile which is found in the skupper-router/tests/fuzz folder.
+
+##Containerfile
+skupper-router/tests/fuzzContainerfile creates an environment where you can run the fuzzer of your choice. You will need to have seed corpus files which the fuzzer will use and build upon to create numerous additional corpus files.
+If the code crashes, the input that led to the crash is saved. The crash files and the corpus files are downloaded from the container and used in regression testing.
+
+##Building and running Containerfile
+To build the Containerfile from the skupper-router/tests/fuzz/folder
+ podman build -t oss-fuzz/skupper-router --file=Containerfile .
+To run the container
+ podman run --net host -i -t oss-fuzz/skupper-router
+
+Notice in the Containerfile the two commented ENTRYPOINT lines.
+Once you are inside the container, run the AFL fuzzer as seen in the commented ENTRYPOINT lines. For example, to run the http2 fuzzing -
+LD_LIBRARY_PATH=/usr/local/lib/clang/18/lib/x86_64-unknown-linux-gnu/ AFL_MAP_SIZE=10000000 AFL_DEBUG=1 AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 afl-fuzz -i /src/skupper-router/tests/fuzz/fuzz_http2_decoder/corpus/ -o findings_dir /src/skupper-router/build/tests/fuzz/fuzz_http2_decoder
+Let the fuzzer run for about an hour. Since the fuzzer runs infinitely, to stop the fuzzer, press Ctrl + C. Check for the findings_dir for crashes and additional corpus files. Download the crash and corpus files from the container and run them locally against your code to help fix the crashes.
+
diff --git a/tests/fuzz/StandaloneFuzzTargetInit.c b/tests/fuzz/StandaloneFuzzTargetInit.c
new file mode 100644
index 000000000..c79c721a0
--- /dev/null
+++ b/tests/fuzz/StandaloneFuzzTargetInit.c
@@ -0,0 +1,36 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+#include
+#include
+
+void qd_log_initialize(void);
+void qd_error_initialize(void);
+
+#include "libFuzzingEngine.h"
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+ qd_alloc_initialize();
+ qd_log_initialize();
+ qd_error_initialize();
+ return 0;
+}
+
diff --git a/tests/fuzz/StandaloneFuzzTargetMain.c b/tests/fuzz/StandaloneFuzzTargetMain.c
new file mode 100644
index 000000000..0cccf9358
--- /dev/null
+++ b/tests/fuzz/StandaloneFuzzTargetMain.c
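Review bot: LLVMFuzzerInitialize runs the allocator, logging and error initializers but leaves the "already initialized" flag to its caller, so the standalone main() has to follow it with a separate `set_alloc_pool_initialized(true)`, and any driver that forgets that call makes LLVMFuzzerTestOneInput run all three initializers a second time. Calling `set_alloc_pool_initialized(true);` here, just before `return 0;`, keeps the initialization state in one place (this needs the fuzz_http2_decoder.h include, as StandaloneFuzzTargetMain.c already has). The two `#include` lines appear to have lost their header names in this listing, so whether qd_alloc_initialize is declared cannot be confirmed from here; a prototype next to the two that are declared would make the file self-contained either way.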
@@ -0,0 +1,141 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/*===- StandaloneFuzzTargetMain.c - standalone main() for fuzz targets. ---===//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+// This main() function can be linked to a fuzz target (i.e. a library
+// that exports LLVMFuzzerTestOneInput() and possibly LLVMFuzzerInitialize())
+// instead of libFuzzer. This main() function will not perform any fuzzing
+// but will simply feed all input files one by one to the fuzz target.
+//
+// Use this file to provide reproducers for bugs when linking against libFuzzer
+// or other fuzzing engine is undesirable.
+//===----------------------------------------------------------------------===*/
+
+#include
+#include
+#include
+#include
+
+#include "libFuzzingEngine.h"
+#include "fuzz_http2_decoder.h"
+#include
+#include
+
+/*
+ * Use this to implement response file:
+ * - Check if there is one file mentioned and its name starts with '@'
+ * - If so then read the file line by line making up the new argv
+ * - Modify argc/argv then return.
+ *
+ */
+
+/* Free allocated memory at program exit to avoid the leak sanitizer complaining */
+static char *buf = 0;
+static char **nargv = 0;
+
+static void freeall(void)
+{
+ free(buf);
+ free(nargv);
+}
+
+int ProcessResponseFile(int *argc, char ***argv) {
+ if (*argc==2 && (*argv)[1][0]=='@') {
+ const char* rfilename = (*argv)[1]+1;
+
+ /* Read entire file into memory */
+ fprintf(stderr, "Reading response file: %s\n", rfilename);
+ FILE *f = fopen(rfilename, "rb");
+ assert(f);
+ fseek(f, 0, SEEK_END);
+ size_t len = ftell(f);
+ fseek(f, 0, SEEK_SET);
+ buf = (char*)malloc(len+1);
+ size_t n_read = fread(buf, 1, len, f);
+ fclose(f);
+ assert(n_read == len);
+ buf[len] = '\0';
+
+ /* scan file counting lines and replacing line ends with \0 */
+ int line = 0;
+ char *p = buf;
+ while (p<&buf[len]) {
+ p += strcspn(p, "\n\r ");
+ *p++ = '\0';
+ line +=1;
+ };
+
+ fprintf(stderr, " response file: (%zd bytes, %d lines)\n", n_read, line);
+
+ /* scan again putting each line into the argv array */
+ nargv = (char**) calloc(line+1, sizeof(p));
+
+ p = buf;
+ line = 1;
+ do {
+ char* s = p;
+ int l = strlen(p);
+ p += l+1;
+ if (l>0) nargv[line++] = s;
+ } while (p<&buf[len]);
+
+ int nargc = line;
+ *argc = nargc;
+ *argv = nargv;
+ }
+ return 0;
+}
+
+
+int main(int argc, char **argv) {
+ fprintf(stderr, "StandaloneFuzzTargetMain: running %d inputs\n", argc - 1);
+ LLVMFuzzerInitialize(&argc, &argv);
+ set_alloc_pool_initialized(true);
+
+ // Process response file
+ ProcessResponseFile(&argc, &argv);
+
+
+ for (int i = 1; i < argc; i++) {
+ printf("Running: %s\n", argv[i]);
+ fflush(stdout);
+ FILE *f = fopen(argv[i], "rb");
+ assert(f);
+ fseek(f, 0, SEEK_END);
+ size_t len = ftell(f);
+ fseek(f, 0, SEEK_SET);
+ unsigned char *buf = (unsigned char*)malloc(len);
+ size_t n_read = fread(buf, 1, len, f);
+ fclose(f);
+ assert(n_read == len);
+ LLVMFuzzerTestOneInput(buf, len);
+ free(buf);
+ fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read);
+ }
+ freeall();
+
+
+}
diff --git a/tests/fuzz/fuzz_http2_decoder.c b/tests/fuzz/fuzz_http2_decoder.c
new file mode 100644
index 000000000..20f7d1807
--- /dev/null
+++ b/tests/fuzz/fuzz_http2_decoder.c
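Review bot: Both file readers store `ftell(f)` straight into a `size_t` and hand it to an unchecked malloc: an ftell failure (-1) becomes SIZE_MAX, so `malloc(len+1)` in ProcessResponseFile wraps to a zero-byte request and `malloc(len)` in main returns NULL, and in either case fread writes through an invalid pointer before the `assert(n_read == len)` can fire. Checking both results, `long sz = ftell(f); if (sz < 0) { perror("ftell"); exit(1); }` and `if (!buf) { perror("malloc"); exit(1); }`, turns a crash in the driver into a diagnostic, which matters because this binary is what CI runs to decide whether a corpus file is a regression. `%zd` is the specifier for a signed size; n_read is a size_t, so `%zu` matches in both fprintf calls. In main, the local `unsigned char *buf` shadows the file-scope `static char *buf` that freeall() releases; giving the local a different name removes the ambiguity.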
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include
+
+#include "decoders/http2/http2_decoder.h"
+#include "decoders/http2/http2_test.h"
+#include "qpid/dispatch/ctools.h"
+
+#include "libFuzzingEngine.h"
+
+void qd_log_initialize(void);
+void qd_error_initialize(void);
+void qd_router_id_finalize(void);
+void qd_log_finalize(void);
+
+bool alloc_pool_initialized = false;
+
+void set_alloc_pool_initialized(bool initialized)
+{
+ alloc_pool_initialized = initialized;
+}
+
+bool is_alloc_pool_initialized(void)
+{
+ return alloc_pool_initialized;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ if (!is_alloc_pool_initialized()) {
+ qd_alloc_initialize();
+ qd_log_initialize();
+ qd_error_initialize();
+ set_alloc_pool_initialized(true);
+ }
+
+ qd_http2_decoder_connection_t *conn_state = qd_http2_decoder_connection(0, 0/*user_context*/, 1/*conn_id*/);
+ decode(conn_state, true, data, size);
+ qd_http2_decoder_connection_free(conn_state);
+ //qd_http2_decoder_connection_final();
+ return 0;
+}
+
+__attribute__((destructor)) void fuzz_http2_destructor(void)
+{
+ qd_log_finalize();
+ qd_alloc_finalize();
+ qd_router_id_finalize();
+}
+
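Review bot: fuzz_http2_destructor at the end of the hunk finalizes the log, alloc-pool and router-id subsystems unconditionally, while their initialization in LLVMFuzzerTestOneInput runs only while alloc_pool_initialized is false, so a process that exits before any input reached the harness (and whose LLVMFuzzerInitialize, which is not in this file, did not set them up) tears down state that was never initialized; a guard `if (!alloc_pool_initialized) return;` as the destructor's first line keeps setup and teardown paired. The result of decode() is discarded on the line after qd_http2_decoder_connection(); because the test change in this same commit treats a non-zero result as a failure, a comment such as `/* a decode error is a valid outcome for fuzzed input; only crashes and sanitizer reports matter here */` would stop a later reader from adding a check that aborts the run. alloc_pool_initialized is reached only through the two accessors declared in fuzz_http2_decoder.h, so it can be `static bool alloc_pool_initialized = false;`. The commented-out `//qd_http2_decoder_connection_final();` should be deleted or annotated with why it must not be called per input.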
diff --git a/tests/fuzz/fuzz_http2_decoder.h b/tests/fuzz/fuzz_http2_decoder.h
new file mode 100644
index 000000000..a4d0cde63
--- /dev/null
+++ b/tests/fuzz/fuzz_http2_decoder.h
@@ -0,0 +1,26 @@
+#ifndef __fuzz_fuzz_http2_decoder_h__
+#define __fuzz_fuzz_http2_decoder_h__ 1
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+#include "decoders/http2/http2_test.h"
+
+void set_alloc_pool_initialized(bool initialized);
+bool is_alloc_pool_initialized(void);
+
+#endif
diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000000,sig:06,src:000015+000001,time:10347,execs:182257,op:splice,rep:1 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000000,sig:06,src:000015+000001,time:10347,execs:182257,op:splice,rep:1
new file mode 100644
index 0000000000000000000000000000000000000000..5284a50b4912d2989c653f0fc846680230dc19a5
GIT binary patch
literal 99
zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bfd3=BZTkOGqivVnkw15DY~GcYnRura><
V58{H=u`o;qGMT{AKxF|ilL4Tj48{Ne
literal 0
HcmV?d00001
diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000000,time:0,execs:0,orig:file b/tests/fuzz/fuzz_http2_decoder/corpus/id:000000,time:0,execs:0,orig:file
new file mode 100644
index 000000000..0d3b835ad
--- /dev/null
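Review bot: The include guard `__fuzz_fuzz_http2_decoder_h__` starts with a double underscore, which C reserves for the implementation, and the same applies to `_LIB_FUZZING_ENGINE_H_` (underscore followed by an uppercase letter) in the tests/fuzz/libFuzzingEngine.h hunk; plain `FUZZ_HTTP2_DECODER_H` and `LIB_FUZZING_ENGINE_H` avoid the collision risk. The prototypes use `bool` but the only include is "decoders/http2/http2_test.h", so the header is self-contained only if that file happens to pull in stdbool.h; adding `#include <stdbool.h>` here removes the dependency on include order. A one-line comment above the two prototypes saying that the flag records whether the qd alloc pool, log and error subsystems have been initialized for the fuzz target would also help, since the function names alone do not say what "initialized" covers.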
+++ b/tests/fuzz/fuzz_http2_decoder/corpus/id:000000,time:0,execs:0,orig:file @@ -0,0 +1,4 @@ +PRI * HTTP/2.0 + +SM + diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000001,time:0,execs:0,orig:file2 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000001,time:0,execs:0,orig:file2 new file mode 100644 index 0000000000000000000000000000000000000000..362b8cac8e580bb777659c07a0d21398c53ec5a3 GIT binary patch literal 99 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+3=Am@EDQ^PG!qa50SgD1va4rc rWMGhEWCijVo7x<^IOfK1Hx}HfVPJ2q>QLPlaQJj*!T(@pEqyHjv^5f= literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000002,src:000001,time:9,execs:57,op:havoc,rep:14,+cov b/tests/fuzz/fuzz_http2_decoder/corpus/id:000002,src:000001,time:9,execs:57,op:havoc,rep:14,+cov new file mode 100644 index 0000000000000000000000000000000000000000..0c535bee8366fe67109f3fab5f6fc8cd4cfd1d2c GIT binary patch literal 170 zcmWFt@>I~0V_;-p&^OXE;Qe3!|GzJQLPlaQJj*0nnTn am>{YQ$XYI5u3%qYE@VYj9msmM^tAvutTI6W literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000003,src:000001,time:11,execs:66,op:havoc,rep:12,+cov b/tests/fuzz/fuzz_http2_decoder/corpus/id:000003,src:000001,time:11,execs:66,op:havoc,rep:12,+cov new file mode 100644 index 0000000000000000000000000000000000000000..05484bfbb6e9ca27f263cb7e30ee33efba8bc524 GIT binary patch literal 122 zcmWFtVgP~2dIm-YhX4Qn*E2A1FmUm5F)#?RFf_F}c5yH)04cBoE0AMk1+p0t;!Gep p1_l-|iL8bLXc|OU1b1V>of-!A)~XKGZ2^Z*cNY8)X4cZz0s!LQ7l8l( literal 0 HcmV?d00001 
diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000004,src:000001,time:16,execs:98,op:havoc,rep:3,+cov b/tests/fuzz/fuzz_http2_decoder/corpus/id:000004,src:000001,time:16,execs:98,op:havoc,rep:3,+cov new file mode 100644 index 0000000000000000000000000000000000000000..74ceb214fe4bb2d5677ecc230444c75513711d9e GIT binary patch literal 124 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+0t_h(EDQ@67#Ns<7zkK6z?5A* y10w^293v}`$Jo^7*u^n7hP$!gP7MQlYgLEpwt&N@I}82?Gi#w~18VsN(*gjM(iM{c literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000005,src:000001,time:18,execs:111,op:havoc,rep:1,+cov b/tests/fuzz/fuzz_http2_decoder/corpus/id:000005,src:000001,time:18,execs:111,op:havoc,rep:1,+cov new file mode 100644 index 0000000000000000000000000000000000000000..758806860ee0a1f04ed4f8a41c768b5b49fd2998 GIT binary patch literal 99 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+3=Am@EDQ^PG!qa50SgD1va4rc rWMGhEWCijVo7x<^IOfK1Hx}HfVPI&j>QLPlaQJj*!T(@pEqyHjv%V6X literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000006,src:000001,time:20,execs:124,op:havoc,rep:3 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000006,src:000001,time:20,execs:124,op:havoc,rep:3 new file mode 100644 index 0000000000000000000000000000000000000000..608bbadd7b586fc3cd764f3310ee1fe67183bc57 GIT binary patch literal 99 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+3=Am@EDQ^PG!qa50SgD1va4rc sWMGhEWMx!hD7aJO*u^n7hP#omsf~fXwW>pPTfpJdody4cnYHw_0KhL2#sB~S literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000007,src:000001,time:22,execs:144,op:havoc,rep:16 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000007,src:000001,time:22,execs:144,op:havoc,rep:16 new file mode 100644 index 0000000000000000000000000000000000000000..1818e4e5ccf2f8bb2fad1a911ebb0feaf238f002 GIT binary patch literal 56 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=BfduNasa!2Ear85-(q7}#5@mZ)wEIDERR G;6DIV+7H_R literal 0 HcmV?d00001 
diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000008,src:000001,time:25,execs:181,op:havoc,rep:1 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000008,src:000001,time:25,execs:181,op:havoc,rep:1 new file mode 100644 index 0000000000000000000000000000000000000000..61ca6a05fd167113fc2a23665b82ef53f441ae8c GIT binary patch literal 60 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=F(13=GT+3=Am@EDQ^PG!qa*K)~VCody4c FnE?y{37Y@_ literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000009,src:000001,time:26,execs:194,op:havoc,rep:2 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000009,src:000001,time:26,execs:194,op:havoc,rep:2 new file mode 100644 index 0000000000000000000000000000000000000000..7745db4df914bcb1bb36f2bdba75be43c54223e8 GIT binary patch literal 99 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+3=Am@EDQ^PG!qa50W$}fva4rc rWMGhEWCijVo7x<^IOfK1Hx}HfVPH?M>QLPlaQJj*!T(@pEqyHjvLh0N literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000010,src:000001,time:29,execs:223,op:havoc,rep:5 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000010,src:000001,time:29,execs:223,op:havoc,rep:5 new file mode 100644 index 0000000000000000000000000000000000000000..8a0483a1a896ac8cd00b56193e888092ab6eee11 GIT binary patch literal 32 lcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3`I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3?RS+A{M|H3=AwBAOQxudIm-Y?nXu} GeJubS>IUTi literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000012,src:000001,time:41,execs:413,op:havoc,rep:3 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000012,src:000001,time:41,execs:413,op:havoc,rep:3 new file mode 100644 index 0000000000000000000000000000000000000000..0130e3910ddaa39525f9b0d57802dc2dadcdd703 GIT binary patch literal 75 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn4EO*eD^QlPDd6zw&Vv8J%v$I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+3=Am@EDQ^PG!qa50SgD1va4rc rWMGhER0HxDo7x<^IOfK1Hx}HfVPJ2q>QLPlaQJj*!T(@pEqyHjxVRF; literal 0 HcmV?d00001 
diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000014,src:000001,time:54,execs:622,op:havoc,rep:5,+cov b/tests/fuzz/fuzz_http2_decoder/corpus/id:000014,src:000001,time:54,execs:622,op:havoc,rep:5,+cov new file mode 100644 index 0000000000000000000000000000000000000000..96b85b6329e4a68e5e89a74787e17c47dc2c634f GIT binary patch literal 99 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+PzD1ksE2ap7^_yOZVNbky0d^| cZVY#0!JQfg_EuJ)EMrsKv9ABY%v$I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+3?CU77#S8YFfcFyF%YnDFfg#U SR&}Uu3pjkbv*3R)vlakty9~(y literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000016,src:000001,time:60,execs:724,op:havoc,rep:4,+cov b/tests/fuzz/fuzz_http2_decoder/corpus/id:000016,src:000001,time:60,execs:724,op:havoc,rep:4,+cov new file mode 100644 index 0000000000000000000000000000000000000000..bcba43d249f2668063b0a7d6d2d3f3797887e84c GIT binary patch literal 85 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+3=Am@EDQ^PG!qa50V@ZPU~Fo0 h{QrM$40mI}of-!A)~XKGZ2^Z*cNRDVGi&K<0RUsW5^n$i literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000017,src:000001,time:86,execs:1172,op:havoc,rep:10,+cov b/tests/fuzz/fuzz_http2_decoder/corpus/id:000017,src:000001,time:86,execs:1172,op:havoc,rep:10,+cov new file mode 100644 index 0000000000000000000000000000000000000000..dd8f8e28ecfab9b83429cd6c4ffa32bfe1166328 GIT binary patch literal 131 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+3=Am@EDQ^PG*dK?U|?Y308@7L z42%p6a*V7%9%ECRV;9HV81BY`J1I2`46Riis@tHtfYPEs%nH)Q2-3p94wBv)aQJj* K!TAOtUkd==nHDSn literal 0 HcmV?d00001 
diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000018,src:000001,time:97,execs:1350,op:havoc,rep:8 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000018,src:000001,time:97,execs:1350,op:havoc,rep:8 new file mode 100644 index 0000000000000000000000000000000000000000..32c030b9dedd494df13909055749ea1b536e17bc GIT binary patch literal 104 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+3=EGMSQr)nX(k}9XJBCA0MZN$ ucJ&O53=DFNtUxwnQ=4NK|J)ev#)3OFKiFGaTY0&F1O!xdsBUAZX9fUeFcv`o literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000019,src:000001,time:114,execs:1633,op:havoc,rep:6 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000019,src:000001,time:114,execs:1633,op:havoc,rep:6 new file mode 100644 index 0000000000000000000000000000000000000000..0a2ec16f59edd366be5d2b9141bf3a08f18d0f0f GIT binary patch literal 104 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+3=GMiSQr*CGB7X!*+9U;0j9$0 m8GvGPjI2N&V^f=BAIIDn?#6;UH4N;nRUN9^S`h%mWdHzULl%|* literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000020,src:000001,time:135,execs:1942,op:havoc,rep:16,+cov b/tests/fuzz/fuzz_http2_decoder/corpus/id:000020,src:000001,time:135,execs:1942,op:havoc,rep:16,+cov new file mode 100644 index 0000000000000000000000000000000000000000..a44d70de4b7e350f6acdcff859aad14f367b9b64 GIT binary patch literal 4 LcmWFtVqgFO0y+Sr literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000021,src:000001,time:297,execs:4435,op:havoc,rep:1 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000021,src:000001,time:297,execs:4435,op:havoc,rep:1 new file mode 100644 index 0000000000000000000000000000000000000000..b04465a0dd8733d1a514fc13336ada4f1c7ee826 GIT binary patch literal 104 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+3=Am@EDQ^PG!qa50SgD1va4rc fWMGhEWCijVo7x<^IOfK1Hx}HfVPJ1vj0FGyJ31KC literal 0 HcmV?d00001 
diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000022,src:000001,time:572,execs:9596,op:havoc,rep:3 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000022,src:000001,time:572,execs:9596,op:havoc,rep:3 new file mode 100644 index 0000000000000000000000000000000000000000..924d116bdc0b7653c50af41cb15f691a00173c38 GIT binary patch literal 108 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+3=Am@EDUmttUwlHQ=4NK3kQ(J pz+hL;z{r3s&M`NJyRqO-4Fh{?Rfp=ffWxOd3;rW?1~Y5v0|2H16nX#v literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000023,src:000016+000015,time:844,execs:14581,op:splice,rep:1 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000023,src:000016+000015,time:844,execs:14581,op:splice,rep:1 new file mode 100644 index 0000000000000000000000000000000000000000..5bd1a2a7de32658280a64fc615339ee4c460b722 GIT binary patch literal 52 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+3=Am@EDQ^PG!p|u07M!9(8dOm literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000024,src:000020,time:1595,execs:29722,op:havoc,rep:2 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000024,src:000020,time:1595,execs:29722,op:havoc,rep:2 new file mode 100644 index 0000000000000000000000000000000000000000..d6f1967c197b53f4fd95283e8439594fc292a66f GIT binary patch literal 26 ecmWFt@>I}L@CXSB&^OXE;N{}w3ibt&K@0#&B?O}Y literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000025,src:000014,time:2149,execs:39258,op:havoc,rep:7 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000025,src:000014,time:2149,execs:39258,op:havoc,rep:7 new file mode 100644 index 0000000000000000000000000000000000000000..3147fd7ef2f79cc5bbaf254136fd19ac0503fc32 GIT binary patch literal 113 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+PzD1KK!i0Kpu!*_LZBY1K#q~& MSl9nxW-Wa!04bXZGXMYp literal 0 HcmV?d00001 
diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000026,src:000014,time:2154,execs:39348,op:havoc,rep:6 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000026,src:000014,time:2154,execs:39348,op:havoc,rep:6 new file mode 100644 index 0000000000000000000000000000000000000000..03a4253cb4463bf7e0c4078d59ffb24dee30e20b GIT binary patch literal 153 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+Ach13I;ck%0P+806T~Ja$5^#O lb$h_!)13tzb7Qz03+~h~u(z@Tl`=N99qalZ%&eua1ppX!6DI%w literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000027,src:000025,time:2588,execs:46911,op:havoc,rep:2 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000027,src:000025,time:2588,execs:46911,op:havoc,rep:2 new file mode 100644 index 0000000000000000000000000000000000000000..81a28d07fa4ca876b7086ca39f101238a6d1619c GIT binary patch literal 150 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+PzD1oP!ExSXwhhZYQd!%t2opM Q202ECV_pA)nYHw_00cn^vH$=8 literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000028,src:000016+000008,time:3033,execs:55613,op:splice,rep:2 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000028,src:000016+000008,time:3033,execs:55613,op:splice,rep:2 new file mode 100644 index 0000000000000000000000000000000000000000..55200d7156e3ae69301e0f9d2f3a945f2de07ae1 GIT binary patch literal 28 gcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=9GK08;V<&;S4c literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000029,src:000016+000018,time:16456,execs:313183,op:splice,rep:5 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000029,src:000016+000018,time:16456,execs:313183,op:splice,rep:5 new file mode 100644 index 0000000000000000000000000000000000000000..d2d3a6fa68985950b8287fbdd715ce6c870224e0 GIT binary patch literal 104 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+tpESBGBEHlHnlna|IYvftQ>Ie R+!*dgGbWHAhHwG8IRI$f6+Qp} literal 0 HcmV?d00001 
diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000030,src:000014+000004,time:21269,execs:406759,op:splice,rep:2 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000030,src:000014+000004,time:21269,execs:406759,op:splice,rep:2 new file mode 100644 index 0000000000000000000000000000000000000000..3449eb8e4e1605d54779cd28820b9324e2c9ee6f GIT binary patch literal 76 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+PzD1ksE2Zy7;6~V13*TAv;zP~ C=Le$z literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000031,src:000021+000005,time:52315,execs:985143,op:splice,rep:10,+cov b/tests/fuzz/fuzz_http2_decoder/corpus/id:000031,src:000021+000005,time:52315,execs:985143,op:splice,rep:10,+cov new file mode 100644 index 0000000000000000000000000000000000000000..8c0113cccf9728051e7cda1e05ede7c1f77bf697 GIT binary patch literal 148 zcmWFt@>I}Lunh?b&^OXE;N{}w3ibt&3=Bdn3=GT+3=H}#|G{($0}I0fAfE|{fq;d< ouAYIBfkBRu6~sm6Fd{2-VBrACGuTZ*sAgI}L@CXSB&^OXE;N{}w3ibt&40wSM3j+f)P(=y@3&R2+%>+`7A;2KZ5`bp> tcg|p#m@hNf8n96uK>LIwK!$(;JCv@6(n?U8f#E-#h0Y+X28&)yApq*k5{&== literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000033,src:000022,time:146341,execs:2772510,op:havoc,rep:1 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000033,src:000022,time:146341,execs:2772510,op:havoc,rep:1 new file mode 100644 index 0000000000000000000000000000000000000000..7ae0eec0720d4fe80c68a1fac71667281c6d32b5 GIT binary patch literal 131 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3=GT+3=Am@EDUmttUwlHQ=4NK3kQ(J zz+hL;3S{tsg#Q1Z8^hgb#sn4zs$xJ^&H<7uxKqQx-dfe6x-H=F>CS@x2m^zewe$g) Cj~SW( literal 0 HcmV?d00001 
diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000034,src:000014,time:209083,execs:3978023,op:havoc,rep:3 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000034,src:000014,time:209083,execs:3978023,op:havoc,rep:3 new file mode 100644 index 0000000000000000000000000000000000000000..af87ef828c2415870dcedcf3bad05dc49bcfd48b GIT binary patch literal 99 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bey|NsAI-~=*Q7|=mIR6vfgYK7{yfWxOd f3pnP+a5om*sbOGmWd+JIHnkn=`X9`!rLP45fX@{P literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000035,src:000034+000021,time:373224,execs:6614074,op:splice,rep:3 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000035,src:000034+000021,time:373224,execs:6614074,op:splice,rep:3 new file mode 100644 index 0000000000000000000000000000000000000000..14c5786021a91fe8624849e2435404bc9eb9c3e9 GIT binary patch literal 100 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bey|NsAI;9w9CVqri7e2h(Pj{pD9jp1%I bV}i)BaxgG}gdtjiI+%gtDGV$O3m6yxVEhjV literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000036,src:000035,time:386748,execs:6805442,op:havoc,rep:1 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000036,src:000035,time:386748,execs:6805442,op:havoc,rep:1 new file mode 100644 index 0000000000000000000000000000000000000000..bb243faec57cbe60b790da466f88c403ba447991 GIT binary patch literal 100 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bey|NsAI;9w9CVqri7e2h(Pj{pD9jp1%I cV}i)BaxgG}guz-FfjXFh;wcO)3=0?-0AKwM_W%F@ literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000037,src:000036,time:389018,execs:6830806,op:havoc,rep:2 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000037,src:000036,time:389018,execs:6830806,op:havoc,rep:2 new file mode 100644 index 0000000000000000000000000000000000000000..7516ba1701223a39e5cf84887052748d5bd7c0aa GIT binary patch literal 124 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bey|NsAI;9w9CVqri7e2h(Pj{pD9jp1%I aV*<)KFfg!k5Yz$E1vZ%(s3nDgg#iFJ%@XGT literal 0 HcmV?d00001 
diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000038,src:000037,time:395813,execs:6924470,op:havoc,rep:1 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000038,src:000037,time:395813,execs:6924470,op:havoc,rep:1 new file mode 100644 index 0000000000000000000000000000000000000000..1c1ab9197e739833392c0c34178736d37c24a170 GIT binary patch literal 124 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bey|NsAI;9w9CVqri7e2h(Pj{pD9jp1%I cV*<)KFfg!k5YREF4WtWfGBZ$13IhuR06Du80RR91 literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000039,src:000037,time:395822,execs:6924599,op:havoc,rep:2 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000039,src:000037,time:395822,execs:6924599,op:havoc,rep:2 new file mode 100644 index 0000000000000000000000000000000000000000..c9dd8af7f646a51a5f357b8da4f8833541f9e42b GIT binary patch literal 124 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bey|NsAI;9w9CVqri7e2h(Pj{pD9jp1%I gV*<)KFfg!kAnO1MpaPH%AdUu`%nX!EVPIhZ06tq1_y7O^ literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000040,src:000039,time:409617,execs:7109000,op:havoc,rep:3 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000040,src:000039,time:409617,execs:7109000,op:havoc,rep:3 new file mode 100644 index 0000000000000000000000000000000000000000..cfe7cfa6f22ea809e66ebe510d606a89bc35be34 GIT binary patch literal 124 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bey|CtyVI2Z(kSQyX%A7fLSI}L@CXSB&^OXE;N{}w3ibt&3=Bey|NsAI-~=*Q7)HSe2?53t;?F_j&948! I0iY}h01V&?k^lez literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000042,src:000034+000022,time:600658,execs:9930663,op:splice,rep:3 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000042,src:000034+000022,time:600658,execs:9930663,op:splice,rep:3 new file mode 100644 index 0000000000000000000000000000000000000000..2280a0418bff9c816f683a89ab3b4b29767a3a48 GIT binary patch literal 552 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bey|NsAI;A9wXfN{8ai01yWt7l*Y0D!Cr ADF6Tf literal 0 HcmV?d00001 
diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000043,src:000036,time:600813,execs:9933283,op:havoc,rep:20 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000043,src:000036,time:600813,execs:9933283,op:havoc,rep:20 new file mode 100644 index 0000000000000000000000000000000000000000..e7437f855b18954483ecf9bcf51f075d084ceb04 GIT binary patch literal 2212 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bey|NsAI;9w9CVqw4qfGYmulEWn~gG++2 zcmqM}{=Yys#Q|Mllt0Kq;5o@jXpnhe)H$OeFd70wKLi};>;+{y+c&hV6H95T1UEz& E0sc@GD*ylh literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000044,src:000034+000031,time:624601,execs:10266729,op:splice,rep:3 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000044,src:000034+000031,time:624601,execs:10266729,op:splice,rep:3 new file mode 100644 index 0000000000000000000000000000000000000000..56666a9d5ef836add93ad9cf0e046458b9b163b0 GIT binary patch literal 969 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bey|NsAI-~=*Q7)HU+4gtnN=6vx%<{nx( zCjgwgY_a4n6JVxd23o7n@*hm6Ft9Kz0P>k2PGMoNt7iblnj9l5NC26`h^)|og#)a? GZVCXVW)b87 literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000045,src:000016,time:649469,execs:10621673,op:havoc,rep:5 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000045,src:000016,time:649469,execs:10621673,op:havoc,rep:5 new file mode 100644 index 0000000000000000000000000000000000000000..98de5bd2237d91522db74a43f4ca7f2a664570bd GIT binary patch literal 1856 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&45MJshJfs#b=j!HMnhmU1V%$(ScHHO3j+f) d&?hMjEDQ^PG!w*EtQI}L@CXSB&^OXE;N{}w3ibt&3=Bey|NsAI;9w9CVqri7c%=9ko7x=z|DPMf a-Dt)H)aJmzz{-KwFh0gPZG4OjXc_@(KpDOO literal 0 HcmV?d00001 
diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000047,src:000034+000042,time:715386,execs:11589946,op:splice,rep:9 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000047,src:000034+000042,time:715386,execs:11589946,op:splice,rep:9 new file mode 100644 index 0000000000000000000000000000000000000000..8f7960a38193eda7f39e8393042b478034f2b320 GIT binary patch literal 612 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bey|NsAI-~=*Q7|=mIR3Lz`Zgj2G;Q#qg z4O7T6gOMyTjb=bK3=RwotQ@d(0nz~!fCDg_ Qk1-u&3^M~L`AER!0NAD+g8%>k literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/id:000048,src:000036+000042,time:757227,execs:12207286,op:splice,rep:10 b/tests/fuzz/fuzz_http2_decoder/corpus/id:000048,src:000036+000042,time:757227,execs:12207286,op:splice,rep:10 new file mode 100644 index 0000000000000000000000000000000000000000..e0954263733da894c77c5dd0021044608f183632 GIT binary patch literal 508 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bey|NsAIzz-PlNF&VPU=R>ufvKdi@gQrM zfS8Z5sm<~K|G6>Tjbj3Ej$7~8z F6ab5~E3NI}L@CXSB&^OXE;N{}w3ibt&3=Bey|NsAI;9w9CVqri7e2h(Pj{pD9jp1%I zV*<$`>p)YB#$`m~BXe=sis~R_4VY{)j0YJ4@&vl4>|ZgkasY!t5E=}ameEP10cH=G Wo&#yeI}L@CXSB&^OXE;N{}w3ibt&3=Bey|NsAI-~=*Q7)HTp2#kinfQP`y&4|nc b9`>US7!84;83Kc=)c82K0ukQY0frI)9MB11 literal 0 HcmV?d00001 diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/original-seed1 b/tests/fuzz/fuzz_http2_decoder/corpus/original-seed1 new file mode 100644 index 000000000..0d3b835ad --- /dev/null +++ b/tests/fuzz/fuzz_http2_decoder/corpus/original-seed1 @@ -0,0 +1,4 @@ +PRI * HTTP/2.0 + +SM + diff --git a/tests/fuzz/fuzz_http2_decoder/corpus/original-seed2 b/tests/fuzz/fuzz_http2_decoder/corpus/original-seed2 new file mode 100644 index 0000000000000000000000000000000000000000..2ccb96c53f24c71ad899c4c5b41db94f818d3af0 GIT binary patch literal 103 zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bdn3}CE1@ai1+8nz$=EiV07Tl>}U~jGJP~8@A_;hE%|6pbI}L@CXSB&^OXE;N{}w3ibt&3={)KY$gBzxQYZ) literal 0 HcmV?d00001 
diff --git a/tests/fuzz/fuzz_http2_decoder/crash/crash-d372d784d8584f8fecd69151a9efcf3afcfc8321 b/tests/fuzz/fuzz_http2_decoder/crash/crash-d372d784d8584f8fecd69151a9efcf3afcfc8321
new file mode 100644
index 000000000..0d3b835ad
--- /dev/null
+++ b/tests/fuzz/fuzz_http2_decoder/crash/crash-d372d784d8584f8fecd69151a9efcf3afcfc8321
@@ -0,0 +1,4 @@
+PRI * HTTP/2.0
+
+SM
+
diff --git a/tests/fuzz/fuzz_http2_decoder/crash/id:000000,sig:06,src:000041,time:12145,execs:46229,op:havoc,rep:1 b/tests/fuzz/fuzz_http2_decoder/crash/id:000000,sig:06,src:000041,time:12145,execs:46229,op:havoc,rep:1
new file mode 100644
index 0000000000000000000000000000000000000000..3ede858b585dcd8408deb1d20d12a8456ba8c614
GIT binary patch
literal 133
zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=Bey|CtyVI2Z(kSQyX%A0u2{Q=8-e|8rxw
r8_j@<85|fGSUJF2|NjST1q#3cn9awS-p0q+6b-h587P;+z`_6k|5OqX
literal 0
HcmV?d00001
diff --git a/tests/fuzz/libFuzzingEngine.h b/tests/fuzz/libFuzzingEngine.h
new file mode 100644
index 000000000..c2877d180
--- /dev/null
+++ b/tests/fuzz/libFuzzingEngine.h
@@ -0,0 +1,40 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+#ifndef _LIB_FUZZING_ENGINE_H_
+#define _LIB_FUZZING_ENGINE_H_
+
+#include
+#include
+
+// This header defines `extern "C"` for the fuzzing interface functions
+
+#ifdef __cplusplus
+extern "C"
+#endif
+int LLVMFuzzerInitialize(int *argc, char ***argv);
+
+#ifdef __cplusplus
+extern "C"
+#endif
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
+
+#endif
diff --git a/tests/http2_decoder_tests.c b/tests/http2_decoder_tests.c
index 6aa85207c..45b538370 100644
--- a/tests/http2_decoder_tests.c
+++ b/tests/http2_decoder_tests.c
@@ -384,7 +384,7 @@ char* test_http2_decode_request_double_header(void *context)
 const uint8_t data1[27] = {
 0x50, 0x52, 0x49, 0x20, 0x2a, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x32,
- 0x2e, 0x30, 0x0d, 0x0a, 0x0d, 0x0a, 0x53, 0x4d, 0x0d, 0x0a, 0x0d, 0x0a, /* HEADER frame starts */ 0x00, 0x00, 0x1e
+ 0x2e, 0x30, 0x0d, 0x0a, 0x0d, 0x0a, 0x53, 0x4d, 0x0d, 0x0a, 0x0d, 0x0a, /* HEADER frame starts */ 0x00, 0x00, 0x21
 };
 decode(conn_state, true, data1, 27);
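Review bot: The frame-length byte on the + line of the tests/http2_decoder_tests.c hunk changes from 0x1e to 0x21 with nothing beside it saying why; the reason is only visible in the following hunk, where the frame's flag byte becomes 0x0d (PADDED now set) and data2 carries a pad-length byte of 2 plus two trailing pad bytes, so 0x21 is 1 + 30 + 2. Tie the constant to that layout with a comment on the line, `/* HEADER frame starts; length 0x21 = pad-length byte + 30 header-block bytes + 2 pad bytes */`, so the two arrays cannot drift apart silently. The enclosing function test_http2_decode_request_double_header starts outside this hunk.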
@@ -394,12 +394,18 @@ char* test_http2_decode_request_double_header(void *context) return "Expected client decoder state to be HTTP2_DECODE_FRAME_HEADER but it is not"; } - const uint8_t data2[74] = { - 0x01, 0x05, 0x00, 0x00, 0x00, 0x02, /* HEADER frame payload starts */ 0x82, 0x86, 0x41, 0x8a, 0x08, 0x9d, 0x5c, 0x0b, 0x81, 0x70, 0xdc, 0x7c, 0x00, 0x07, 0x85, 0x7a, 0x88, 0x25, 0xb6, 0x50, 0xc3, - 0xcb, 0x89, 0x70, 0xff, 0x53, 0x03, 0x2a, 0x2f, 0x2a, /* another HEADER frame starts */ 0x00, 0x00, 0x1e, 0x01, 0x05, 0x00, 0x00, 0x00, 0x03, /* HEADER frame payload starts */ 0x82, 0x86, 0x41, + const uint8_t data2[77] = { + 0x01, 0x0d, 0x00, 0x00, 0x00, 0x02, /* HEADER frame payload starts */ 0x02 /*pad length is 2*/, 0x82, 0x86, 0x41, 0x8a, 0x08, 0x9d, 0x5c, 0x0b, 0x81, 0x70, 0xdc, 0x7c, 0x00, 0x07, 0x85, 0x7a, 0x88, 0x25, 0xb6, 0x50, 0xc3, + 0xcb, 0x89, 0x70, 0xff, 0x53, 0x03, 0x2a, 0x2f, 0x2a, /* the following two bytes are pad bytes*/0x00, 0x00,/* another HEADER frame starts */ 0x00, 0x00, 0x1e, 0x01, 0x05, 0x00, 0x00, 0x00, 0x03, /* HEADER frame payload starts */ 0x82, 0x86, 0x41, 0x8a, 0x08, 0x9d, 0x5c, 0x0b, 0x81, 0x70, 0xdc, 0x7c, 0x00, 0x07, 0x85, 0x7a, 0x88, 0x25, 0xb6, 0x50, 0xc3, 0xcb, 0x89, 0x70, 0xff, 0x53, 0x03, 0x2a, 0x2f }; - decode(conn_state, true, data2, 74); + int ret_val = decode(conn_state, true, data2, 77); + + if(ret_val != 0) { + qd_http2_decoder_connection_free(conn_state); + return "Call to decode() failed with ret_val -1"; + } + const uint8_t data3[1] = { 0x2a