aboutsummaryrefslogtreecommitdiffhomepage
path: root/test/core/end2end/fuzzers
diff options
context:
space:
mode:
Diffstat (limited to 'test/core/end2end/fuzzers')
-rw-r--r--test/core/end2end/fuzzers/api_fuzzer.c9
-rw-r--r--test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-5867145026076672bin0 -> 46 bytes
-rw-r--r--test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-6462055064272896bin0 -> 51 bytes
-rw-r--r--test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-minimized-5175380371570688bin0 -> 48 bytes
-rw-r--r--test/core/end2end/fuzzers/client_fuzzer.c4
-rw-r--r--test/core/end2end/fuzzers/hpack.dictionary7
-rw-r--r--test/core/end2end/fuzzers/server_fuzzer.c4
-rw-r--r--test/core/end2end/fuzzers/server_fuzzer_corpus/clusterfuzz-testcase-5595941564317696bin0 -> 92 bytes
8 files changed, 15 insertions, 9 deletions
diff --git a/test/core/end2end/fuzzers/api_fuzzer.c b/test/core/end2end/fuzzers/api_fuzzer.c
index a0acf5bf60..88a0e301da 100644
--- a/test/core/end2end/fuzzers/api_fuzzer.c
+++ b/test/core/end2end/fuzzers/api_fuzzer.c
@@ -661,7 +661,7 @@ static void read_metadata(input_stream *inp, size_t *count,
}
static call_state *destroy_call(call_state *call) {
- grpc_call_destroy(call->call);
+ grpc_call_unref(call->call);
call->call = NULL;
return maybe_delete_call_state(call);
}
@@ -735,7 +735,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
g_active_call = new_call(NULL, ROOT);
g_resource_quota = grpc_resource_quota_create("api_fuzzer");
- grpc_completion_queue *cq = grpc_completion_queue_create(NULL);
+ grpc_completion_queue *cq = grpc_completion_queue_create_for_next(NULL);
while (!is_eof(&inp) || g_channel != NULL || g_server != NULL ||
pending_channel_watches > 0 || pending_pings > 0 ||
@@ -932,6 +932,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
}
uint32_t propagation_mask = read_uint32(&inp);
grpc_slice method = read_string_like_slice(&inp);
+ if (GRPC_SLICE_LENGTH(method) == 0) {
+ ok = false;
+ }
grpc_slice host = read_string_like_slice(&inp);
gpr_timespec deadline =
gpr_time_add(gpr_now(GPR_CLOCK_REALTIME),
@@ -967,7 +970,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
break;
}
grpc_op *ops = gpr_malloc(sizeof(grpc_op) * num_ops);
- memset(ops, 0, sizeof(grpc_op) * num_ops);
+ if (num_ops > 0) memset(ops, 0, sizeof(grpc_op) * num_ops);
bool ok = true;
size_t i;
grpc_op *op;
diff --git a/test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-5867145026076672 b/test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-5867145026076672
new file mode 100644
index 0000000000..3fd5427b46
--- /dev/null
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-5867145026076672
Binary files differ
diff --git a/test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-6462055064272896 b/test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-6462055064272896
new file mode 100644
index 0000000000..c121283242
--- /dev/null
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-6462055064272896
Binary files differ
diff --git a/test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-minimized-5175380371570688 b/test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-minimized-5175380371570688
new file mode 100644
index 0000000000..9c7aebc63a
--- /dev/null
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-minimized-5175380371570688
Binary files differ
diff --git a/test/core/end2end/fuzzers/client_fuzzer.c b/test/core/end2end/fuzzers/client_fuzzer.c
index e7e7dbefd0..6f49baffd2 100644
--- a/test/core/end2end/fuzzers/client_fuzzer.c
+++ b/test/core/end2end/fuzzers/client_fuzzer.c
@@ -65,7 +65,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
grpc_mock_endpoint_create(discard_write, resource_quota);
grpc_resource_quota_unref_internal(&exec_ctx, resource_quota);
- grpc_completion_queue *cq = grpc_completion_queue_create(NULL);
+ grpc_completion_queue *cq = grpc_completion_queue_create_for_next(NULL);
grpc_transport *transport =
grpc_create_chttp2_transport(&exec_ctx, NULL, mock_endpoint, 1);
grpc_chttp2_transport_start_reading(&exec_ctx, transport, NULL);
@@ -151,7 +151,7 @@ done:
ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME), NULL);
GPR_ASSERT(ev.type == GRPC_QUEUE_SHUTDOWN);
}
- grpc_call_destroy(call);
+ grpc_call_unref(call);
grpc_completion_queue_destroy(cq);
grpc_metadata_array_destroy(&initial_metadata_recv);
grpc_metadata_array_destroy(&trailing_metadata_recv);
diff --git a/test/core/end2end/fuzzers/hpack.dictionary b/test/core/end2end/fuzzers/hpack.dictionary
index 6b96785419..2bb9de34c5 100644
--- a/test/core/end2end/fuzzers/hpack.dictionary
+++ b/test/core/end2end/fuzzers/hpack.dictionary
@@ -10,14 +10,15 @@
"\x10grpc-payload-bin"
"\x0Dgrpc-encoding"
"\x14grpc-accept-encoding"
+"\x15grpc-server-stats-bin"
+"\x0Dgrpc-tags-bin"
+"\x0Egrpc-trace-bin"
"\x0Ccontent-type"
"\x1Egrpc-internal-encoding-request"
"\x0Auser-agent"
"\x04host"
"\x08lb-token"
"\x0Cgrpc-timeout"
-"\x10grpc-tracing-bin"
-"\x0Egrpc-stats-bin"
"\x00"
"\x13grpc.wait_for_ready"
"\x0Cgrpc.timeout"
@@ -76,6 +77,7 @@
"\x08if-range"
"\x13if-unmodified-since"
"\x0Dlast-modified"
+"\x0Blb-cost-bin"
"\x04link"
"\x08location"
"\x0Cmax-forwards"
@@ -152,6 +154,7 @@
"\x00\x13if-unmodified-since\x00"
"\x00\x0Dlast-modified\x00"
"\x00\x08lb-token\x00"
+"\x00\x0Blb-cost-bin\x00"
"\x00\x04link\x00"
"\x00\x08location\x00"
"\x00\x0Cmax-forwards\x00"
diff --git a/test/core/end2end/fuzzers/server_fuzzer.c b/test/core/end2end/fuzzers/server_fuzzer.c
index 186542d4b2..6d65fe1847 100644
--- a/test/core/end2end/fuzzers/server_fuzzer.c
+++ b/test/core/end2end/fuzzers/server_fuzzer.c
@@ -67,7 +67,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
grpc_slice_from_copied_buffer((const char *)data, size));
grpc_server *server = grpc_server_create(NULL, NULL);
- grpc_completion_queue *cq = grpc_completion_queue_create(NULL);
+ grpc_completion_queue *cq = grpc_completion_queue_create_for_next(NULL);
grpc_server_register_completion_queue(server, cq, NULL);
// TODO(ctiller): add registered methods (one for POST, one for PUT)
// void *registered_method =
@@ -109,7 +109,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
}
done:
- if (call1 != NULL) grpc_call_destroy(call1);
+ if (call1 != NULL) grpc_call_unref(call1);
grpc_call_details_destroy(&call_details1);
grpc_metadata_array_destroy(&request_metadata1);
grpc_server_shutdown_and_notify(server, cq, tag(0xdead));
diff --git a/test/core/end2end/fuzzers/server_fuzzer_corpus/clusterfuzz-testcase-5595941564317696 b/test/core/end2end/fuzzers/server_fuzzer_corpus/clusterfuzz-testcase-5595941564317696
new file mode 100644
index 0000000000..335ce87196
--- /dev/null
+++ b/test/core/end2end/fuzzers/server_fuzzer_corpus/clusterfuzz-testcase-5595941564317696
Binary files differ
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-24 15:13:22 +0000