diff options
author | Yihua Zhang <yihuaz@google.com> | 2018-05-08 10:15:03 -0700 |
---|---|---|
committer | Yihua Zhang <yihuaz@google.com> | 2018-05-08 10:15:03 -0700 |
commit | cc93663910cd17f6d1faeef020ec0b3fc27df263 (patch) | |
tree | af57bcf1d818c15f3e72f690ab67fc278296a0fe /test/core/end2end/fuzzers/api_fuzzer.cc | |
parent | d8f35e95dc48b144c741e70dc90589c374854a64 (diff) |
Add ALTS fuzzer
Diffstat (limited to 'test/core/end2end/fuzzers/api_fuzzer.cc')
-rw-r--r-- | test/core/end2end/fuzzers/api_fuzzer.cc | 139 |
1 files changed, 44 insertions, 95 deletions
diff --git a/test/core/end2end/fuzzers/api_fuzzer.cc b/test/core/end2end/fuzzers/api_fuzzer.cc index 9ace7d04aa..36f257d6da 100644 --- a/test/core/end2end/fuzzers/api_fuzzer.cc +++ b/test/core/end2end/fuzzers/api_fuzzer.cc @@ -38,8 +38,14 @@ #include "src/core/lib/surface/server.h" #include "src/core/lib/transport/metadata.h" #include "test/core/end2end/data/ssl_test_data.h" +#include "test/core/util/fuzzer_util.h" #include "test/core/util/passthru_endpoint.h" +using grpc_core::testing::grpc_fuzzer_get_next_byte; +using grpc_core::testing::grpc_fuzzer_get_next_string; +using grpc_core::testing::grpc_fuzzer_get_next_uint32; +using grpc_core::testing::input_stream; + //////////////////////////////////////////////////////////////////////////////// // logging @@ -65,58 +71,20 @@ static gpr_timespec now_impl(gpr_clock_type clock_type) { return ts; } -//////////////////////////////////////////////////////////////////////////////// -// input_stream: allows easy access to input bytes, and allows reading a little -// past the end (avoiding needing to check everywhere) - -typedef struct { - const uint8_t* cur; - const uint8_t* end; -} input_stream; - -static uint8_t next_byte(input_stream* inp) { - if (inp->cur == inp->end) { - return 0; - } - return *inp->cur++; -} - static void end(input_stream* inp) { inp->cur = inp->end; } -static char* read_string(input_stream* inp, bool* special) { - char* str = nullptr; - size_t cap = 0; - size_t sz = 0; - char c; - do { - if (cap == sz) { - cap = GPR_MAX(3 * cap / 2, cap + 8); - str = static_cast<char*>(gpr_realloc(str, cap)); - } - c = static_cast<char>(next_byte(inp)); - str[sz++] = c; - } while (c != 0 && c != 1); - if (special != nullptr) { - *special = (c == 1); - } - if (c == 1) { - str[sz - 1] = 0; - } - return str; -} - static void read_buffer(input_stream* inp, char** buffer, size_t* length, bool* special) { - *length = next_byte(inp); + *length = grpc_fuzzer_get_next_byte(inp); if (*length == 255) { if (special != nullptr) *special = true; - *length = next_byte(inp); + *length = grpc_fuzzer_get_next_byte(inp); } else { if (special != nullptr) *special = false; } *buffer = static_cast<char*>(gpr_malloc(*length)); for (size_t i = 0; i < *length; i++) { - (*buffer)[i] = static_cast<char>(next_byte(inp)); + (*buffer)[i] = static_cast<char>(grpc_fuzzer_get_next_byte(inp)); } } @@ -128,7 +96,7 @@ static grpc_slice maybe_intern(grpc_slice s, bool intern) { static grpc_slice read_string_like_slice(input_stream* inp) { bool special; - char* s = read_string(inp, &special); + char* s = grpc_fuzzer_get_next_string(inp, &special); grpc_slice r = maybe_intern(grpc_slice_from_copied_string(s), special); gpr_free(s); return r; @@ -146,39 +114,15 @@ static grpc_slice read_buffer_like_slice(input_stream* inp) { } static uint32_t read_uint22(input_stream* inp) { - uint8_t b = next_byte(inp); + uint8_t b = grpc_fuzzer_get_next_byte(inp); uint32_t x = b & 0x7f; if (b & 0x80) { x <<= 7; - b = next_byte(inp); + b = grpc_fuzzer_get_next_byte(inp); x |= b & 0x7f; if (b & 0x80) { x <<= 8; - x |= next_byte(inp); - } - } - return x; -} - -static uint32_t read_uint32(input_stream* inp) { - uint8_t b = next_byte(inp); - uint32_t x = b & 0x7f; - if (b & 0x80) { - x <<= 7; - b = next_byte(inp); - x |= b & 0x7f; - if (b & 0x80) { - x <<= 7; - b = next_byte(inp); - x |= b & 0x7f; - if (b & 0x80) { - x <<= 7; - b = next_byte(inp); - x |= b & 0x7f; - if (b & 0x80) { - x = (x << 4) | (next_byte(inp) & 0x0f); - } - } + x |= grpc_fuzzer_get_next_byte(inp); } } return x; @@ -193,22 +137,22 @@ static grpc_byte_buffer* read_message(input_stream* inp) { } static int read_int(input_stream* inp) { - return static_cast<int>(read_uint32(inp)); + return static_cast<int>(grpc_fuzzer_get_next_uint32(inp)); } static grpc_channel_args* read_args(input_stream* inp) { - size_t n = next_byte(inp); + size_t n = grpc_fuzzer_get_next_byte(inp); grpc_arg* args = static_cast<grpc_arg*>(gpr_malloc(sizeof(*args) * n)); for (size_t i = 0; i < n; i++) { - switch (next_byte(inp)) { + switch (grpc_fuzzer_get_next_byte(inp)) { case 1: args[i].type = GRPC_ARG_STRING; - args[i].key = read_string(inp, nullptr); - args[i].value.string = read_string(inp, nullptr); + args[i].key = grpc_fuzzer_get_next_string(inp, nullptr); + args[i].value.string = grpc_fuzzer_get_next_string(inp, nullptr); break; case 2: args[i].type = GRPC_ARG_INTEGER; - args[i].key = read_string(inp, nullptr); + args[i].key = grpc_fuzzer_get_next_string(inp, nullptr); args[i].value.integer = read_int(inp); break; case 3: @@ -249,10 +193,11 @@ static void cred_artifact_ctx_finish(cred_artifact_ctx* ctx) { static const char* read_cred_artifact(cred_artifact_ctx* ctx, input_stream* inp, const char** builtins, size_t num_builtins) { - uint8_t b = next_byte(inp); + uint8_t b = grpc_fuzzer_get_next_byte(inp); if (b == 0) return nullptr; if (b == 1) - return ctx->release[ctx->num_release++] = read_string(inp, nullptr); + return ctx->release[ctx->num_release++] = + grpc_fuzzer_get_next_string(inp, nullptr); if (b >= num_builtins + 1) { end(inp); return nullptr; @@ -288,7 +233,7 @@ static grpc_call_credentials* read_call_creds(input_stream* inp, int depth) { end(inp); return nullptr; } - switch (next_byte(inp)) { + switch (grpc_fuzzer_get_next_byte(inp)) { default: end(inp); return nullptr; @@ -339,7 +284,7 @@ static grpc_call_credentials* read_call_creds(input_stream* inp, int depth) { } static grpc_channel_credentials* read_channel_creds(input_stream* inp) { - switch (next_byte(inp)) { + switch (grpc_fuzzer_get_next_byte(inp)) { case 0: return read_ssl_channel_creds(inp); break; @@ -673,7 +618,7 @@ static grpc_slice* add_slice_to_unref(call_state* call, grpc_slice s) { static void read_metadata(input_stream* inp, size_t* count, grpc_metadata** metadata, call_state* cs) { - *count = next_byte(inp); + *count = grpc_fuzzer_get_next_byte(inp); if (*count) { *metadata = static_cast<grpc_metadata*>(gpr_malloc(*count * sizeof(**metadata))); @@ -681,7 +626,7 @@ static void read_metadata(input_stream* inp, size_t* count, for (size_t i = 0; i < *count; i++) { (*metadata)[i].key = read_string_like_slice(inp); (*metadata)[i].value = read_buffer_like_slice(inp); - (*metadata)[i].flags = read_uint32(inp); + (*metadata)[i].flags = grpc_fuzzer_get_next_uint32(inp); add_slice_to_unref(cs, (*metadata)[i].key); add_slice_to_unref(cs, (*metadata)[i].value); } @@ -811,7 +756,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { grpc_timer_manager_tick(); - switch (next_byte(&inp)) { + switch (grpc_fuzzer_get_next_byte(&inp)) { // terminate on bad bytes default: end(&inp); @@ -838,13 +783,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { // increment global time case 1: { g_now = gpr_time_add( - g_now, gpr_time_from_micros(read_uint32(&inp), GPR_TIMESPAN)); + g_now, gpr_time_from_micros(grpc_fuzzer_get_next_uint32(&inp), + GPR_TIMESPAN)); break; } // create an insecure channel case 2: { if (g_channel == nullptr) { - char* target = read_string(&inp, nullptr); + char* target = grpc_fuzzer_get_next_string(&inp, nullptr); char* target_uri; gpr_asprintf(&target_uri, "dns:%s", target); grpc_channel_args* args = read_args(&inp); @@ -927,7 +873,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { // check connectivity case 8: { if (g_channel != nullptr) { - uint8_t try_to_connect = next_byte(&inp); + uint8_t try_to_connect = grpc_fuzzer_get_next_byte(&inp); if (try_to_connect == 0 || try_to_connect == 1) { grpc_channel_check_connectivity_state(g_channel, try_to_connect); } else { @@ -946,7 +892,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { if (st != GRPC_CHANNEL_SHUTDOWN) { gpr_timespec deadline = gpr_time_add( gpr_now(GPR_CLOCK_REALTIME), - gpr_time_from_micros(read_uint32(&inp), GPR_TIMESPAN)); + gpr_time_from_micros(grpc_fuzzer_get_next_uint32(&inp), + GPR_TIMESPAN)); grpc_channel_watch_connectivity_state( g_channel, st, deadline, cq, create_validator(validate_connectivity_watch, @@ -971,7 +918,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { } parent_call = g_active_call->call; } - uint32_t propagation_mask = read_uint32(&inp); + uint32_t propagation_mask = grpc_fuzzer_get_next_uint32(&inp); grpc_slice method = read_string_like_slice(&inp); if (GRPC_SLICE_LENGTH(method) == 0) { ok = false; @@ -979,7 +926,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { grpc_slice host = read_string_like_slice(&inp); gpr_timespec deadline = gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), - gpr_time_from_micros(read_uint32(&inp), GPR_TIMESPAN)); + gpr_time_from_micros(grpc_fuzzer_get_next_uint32(&inp), + GPR_TIMESPAN)); if (ok) { call_state* cs = new_call(g_active_call, CLIENT); @@ -1005,7 +953,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { end(&inp); break; } - size_t num_ops = next_byte(&inp); + size_t num_ops = grpc_fuzzer_get_next_byte(&inp); if (num_ops > 6) { end(&inp); break; @@ -1019,7 +967,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { uint8_t has_ops = 0; for (i = 0; i < num_ops; i++) { op = &ops[i]; - switch (next_byte(&inp)) { + switch (grpc_fuzzer_get_next_byte(&inp)) { default: /* invalid value */ op->op = (grpc_op_type)-1; @@ -1060,7 +1008,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { &op->data.send_status_from_server.trailing_metadata, g_active_call); op->data.send_status_from_server.status = - static_cast<grpc_status_code>(next_byte(&inp)); + static_cast<grpc_status_code>( + grpc_fuzzer_get_next_byte(&inp)); op->data.send_status_from_server.status_details = add_slice_to_unref(g_active_call, read_buffer_like_slice(&inp)); @@ -1097,7 +1046,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { break; } op->reserved = nullptr; - op->flags = read_uint32(&inp); + op->flags = grpc_fuzzer_get_next_uint32(&inp); } if (ok) { validator* v = make_finished_batch_validator(g_active_call, has_ops); @@ -1160,14 +1109,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { } // enable a tracer case 17: { - char* tracer = read_string(&inp, nullptr); + char* tracer = grpc_fuzzer_get_next_string(&inp, nullptr); grpc_tracer_set_enabled(tracer, 1); gpr_free(tracer); break; } // disable a tracer case 18: { - char* tracer = read_string(&inp, nullptr); + char* tracer = grpc_fuzzer_get_next_string(&inp, nullptr); grpc_tracer_set_enabled(tracer, 0); gpr_free(tracer); break; @@ -1209,7 +1158,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { // create a secure channel case 22: { if (g_channel == nullptr) { - char* target = read_string(&inp, nullptr); + char* target = grpc_fuzzer_get_next_string(&inp, nullptr); char* target_uri; gpr_asprintf(&target_uri, "dns:%s", target); grpc_channel_args* args = read_args(&inp); |