/root/bitcoin/src/test/fuzz/http_request.cpp
Line | Count | Source |
1 | | // Copyright (c) 2020-2022 The Bitcoin Core developers |
2 | | // Distributed under the MIT software license, see the accompanying |
3 | | // file COPYING or http://www.opensource.org/licenses/mit-license.php. |
4 | | |
5 | | #include <httpserver.h> |
6 | | #include <netaddress.h> |
7 | | #include <test/fuzz/FuzzedDataProvider.h> |
8 | | #include <test/fuzz/fuzz.h> |
9 | | #include <test/fuzz/util.h> |
10 | | #include <util/signalinterrupt.h> |
11 | | #include <util/strencodings.h> |
12 | | |
13 | | #include <event2/buffer.h> |
14 | | #include <event2/event.h> |
15 | | #include <event2/http.h> |
16 | | #include <event2/http_struct.h> |
17 | | |
18 | | #include <cassert> |
19 | | #include <cstdint> |
20 | | #include <string> |
21 | | #include <vector> |
22 | | |
23 | | extern "C" int evhttp_parse_firstline_(struct evhttp_request*, struct evbuffer*); |
24 | | extern "C" int evhttp_parse_headers_(struct evhttp_request*, struct evbuffer*); |
25 | | |
26 | | std::string RequestMethodString(HTTPRequest::RequestMethod m); |
27 | | |
28 | | FUZZ_TARGET(http_request) |
29 | 0 | { |
30 | 0 | FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()}; |
31 | 0 | evhttp_request* evreq = evhttp_request_new(nullptr, nullptr); |
32 | 0 | assert(evreq != nullptr); |
33 | 0 | evreq->kind = EVHTTP_REQUEST; |
34 | 0 | evbuffer* evbuf = evbuffer_new(); |
35 | 0 | assert(evbuf != nullptr); |
36 | 0 | const std::vector<uint8_t> http_buffer = ConsumeRandomLengthByteVector(fuzzed_data_provider, 4096); |
37 | 0 | evbuffer_add(evbuf, http_buffer.data(), http_buffer.size()); |
38 | | // Avoid constructing requests that will be interpreted by libevent as PROXY requests to avoid triggering |
39 | | // a nullptr dereference. The dereference (req->evcon->http_server) takes place in evhttp_parse_request_line |
40 | | // and is a consequence of our hacky but necessary use of the internal function evhttp_parse_firstline_ in |
41 | | // this fuzzing harness. The workaround is not aesthetically pleasing, but it successfully avoids the troublesome |
42 | | // code path. " http:// HTTP/1.1\n" was a crashing input prior to this workaround. |
43 | 0 | const std::string http_buffer_str = ToLower(std::string{http_buffer.begin(), http_buffer.end()}); |
44 | 0 | if (http_buffer_str.find(" http://") != std::string::npos || http_buffer_str.find(" https://") != std::string::npos || |
45 | 0 | evhttp_parse_firstline_(evreq, evbuf) != 1 || evhttp_parse_headers_(evreq, evbuf) != 1) { |
46 | 0 | evbuffer_free(evbuf); |
47 | 0 | evhttp_request_free(evreq); |
48 | 0 | return; |
49 | 0 | } |
50 | | |
51 | 0 | util::SignalInterrupt interrupt; |
52 | 0 | HTTPRequest http_request{evreq, interrupt, true}; |
53 | 0 | const HTTPRequest::RequestMethod request_method = http_request.GetRequestMethod(); |
54 | 0 | (void)RequestMethodString(request_method); |
55 | 0 | (void)http_request.GetURI(); |
56 | 0 | (void)http_request.GetHeader("Host"); |
57 | 0 | const std::string header = fuzzed_data_provider.ConsumeRandomLengthString(16); |
58 | 0 | (void)http_request.GetHeader(header); |
59 | 0 | (void)http_request.WriteHeader(header, fuzzed_data_provider.ConsumeRandomLengthString(16)); |
60 | 0 | (void)http_request.GetHeader(header); |
61 | 0 | const std::string body = http_request.ReadBody(); |
62 | 0 | assert(body.empty()); |
63 | 0 | const CService service = http_request.GetPeer(); |
64 | 0 | assert(service.ToStringAddrPort() == "[::]:0"); |
65 | | |
66 | 0 | evbuffer_free(evbuf); |
67 | 0 | evhttp_request_free(evreq); |
68 | 0 | } |