1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
#include <stdlib.h>
#include <fluent-bit/flb_time.h>
#include <fluent-bit/flb_parser.h>
#include <fluent-bit/flb_info.h>
#include <fluent-bit/flb_mem.h>
#include <fluent-bit/flb_error.h>
#include <fluent-bit/flb_socket.h>
#include <fluent-bit/flb_stream.h>
#include <fluent-bit/flb_connection.h>
#include <fluent-bit/flb_http_client.h>
#include "flb_fuzz_header.h"
extern int fuzz_process_data(struct flb_http_client *c);
extern int fuzz_check_connection(struct flb_http_client *c);
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
/* Set fuzzer-malloc chance of failure */
flb_malloc_p = 0;
flb_malloc_mod = 25000;
struct flb_upstream *u;
struct flb_connection *u_conn = NULL;
struct flb_http_client *c;
struct flb_config *config;
char *uri = NULL;
if (size < 160) {
return 0;
}
config = flb_config_init();
if (config == NULL) {
return 0;
}
u = flb_upstream_create(config, "127.0.0.1", 8001, 0, NULL);
u_conn = flb_connection_create(-1,
FLB_TRANSPORT_TCP,
(void *) u,
NULL,
NULL);
if (u_conn == NULL) {
return 0;
}
char *proxy = NULL;
if (GET_MOD_EQ(2,1)) {
proxy = get_null_terminated(50, &data, &size);
}
uri = get_null_terminated(20, &data, &size);
int method = (int)data[0];
c = flb_http_client(u_conn, method, uri, NULL, 0,
"127.0.0.1", 8001, proxy, 0);
if (c != NULL) {
char *null_terminated = get_null_terminated(30, &data, &size);
/* Perform a set of operations on the http_client */
flb_http_basic_auth(c, null_terminated, null_terminated);
flb_http_set_content_encoding_gzip(c);
flb_http_set_keepalive(c);
flb_http_strip_port_from_host(c);
flb_http_allow_duplicated_headers(c, 0);
flb_http_buffer_size(c, (*(size_t *)data) & 0xfff);
MOVE_INPUT(4)
flb_http_add_header(c, "User-Agent", 10, "Fluent-Bit", 10);
flb_http_add_header(c, (char*)data, size, "Fluent-Bit", 10);
flb_http_buffer_size(c, (int)data[0]);
MOVE_INPUT(1)
flb_http_buffer_available(c);
size_t b_sent;
flb_http_do(c, &b_sent);
size_t out_size = 0;
flb_http_buffer_increase(c, (*(size_t *)data) & 0xfff, &out_size);
MOVE_INPUT(4)
/* Now we need to simulate the reading of data */
c->resp.status = 200;
if (c->resp.data != NULL) {
flb_free(c->resp.data);
}
char *new_nulltm = get_null_terminated(30, &data, &size);
c->resp.data_len = 30;
c->resp.data = new_nulltm;
fuzz_process_data(c);
fuzz_check_connection(c);
flb_http_client_destroy(c);
flb_free(null_terminated);
}
/* Now try the http_client_proxy_connect function. */
flb_http_client_proxy_connect(u_conn);
flb_connection_destroy(u_conn);
flb_upstream_destroy(u);
flb_config_exit(config);
if (uri != NULL) {
flb_free(uri);
}
if (proxy != NULL) {
flb_free(proxy);
}
return 0;
}
|