Branch data     Line data    Source code

       1                 :            : // Copyright (c) 2020-2022 The Bitcoin Core developers
       2                 :            : // Distributed under the MIT software license, see the accompanying
       3                 :            : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
       4                 :            : 
       5                 :            : #include <httpserver.h>
       6                 :            : #include <netaddress.h>
       7                 :            : #include <test/fuzz/FuzzedDataProvider.h>
       8                 :            : #include <test/fuzz/fuzz.h>
       9                 :            : #include <test/fuzz/util.h>
      10                 :            : #include <util/strencodings.h>
      11                 :            : 
      12                 :            : #include <event2/buffer.h>
      13                 :            : #include <event2/event.h>
      14                 :            : #include <event2/http.h>
      15                 :            : #include <event2/http_struct.h>
      16                 :            : 
      17                 :            : #include <cassert>
      18                 :            : #include <cstdint>
      19                 :            : #include <string>
      20                 :            : #include <vector>
      21                 :            : 
      22                 :            : extern "C" int evhttp_parse_firstline_(struct evhttp_request*, struct evbuffer*);
      23                 :            : extern "C" int evhttp_parse_headers_(struct evhttp_request*, struct evbuffer*);
      24                 :            : 
      25                 :          2 : std::string RequestMethodString(HTTPRequest::RequestMethod m);
      26                 :            : 
      27 [ +  - ][ +  - ]:          6 : FUZZ_TARGET(http_request)
      28                 :            : {
      29                 :          0 :     FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
      30                 :          0 :     evhttp_request* evreq = evhttp_request_new(nullptr, nullptr);
      31         [ #  # ]:          0 :     assert(evreq != nullptr);
      32                 :          0 :     evreq->kind = EVHTTP_REQUEST;
      33                 :          0 :     evbuffer* evbuf = evbuffer_new();
      34         [ #  # ]:          0 :     assert(evbuf != nullptr);
      35                 :          0 :     const std::vector<uint8_t> http_buffer = ConsumeRandomLengthByteVector(fuzzed_data_provider, 4096);
      36         [ #  # ]:          0 :     evbuffer_add(evbuf, http_buffer.data(), http_buffer.size());
      37                 :            :     // Avoid constructing requests that will be interpreted by libevent as PROXY requests to avoid triggering
      38                 :            :     // a nullptr dereference. The dereference (req->evcon->http_server) takes place in evhttp_parse_request_line
      39                 :            :     // and is a consequence of our hacky but necessary use of the internal function evhttp_parse_firstline_ in
      40                 :            :     // this fuzzing harness. The workaround is not aesthetically pleasing, but it successfully avoids the troublesome
      41                 :            :     // code path. " http:// HTTP/1.1\n" was a crashing input prior to this workaround.
      42 [ #  # ][ #  # ]:          0 :     const std::string http_buffer_str = ToLower(std::string{http_buffer.begin(), http_buffer.end()});
      43 [ #  # ][ #  # ]:          0 :     if (http_buffer_str.find(" http://") != std::string::npos || http_buffer_str.find(" https://") != std::string::npos ||
                 [ #  # ]
      44 [ #  # ][ #  # ]:          0 :         evhttp_parse_firstline_(evreq, evbuf) != 1 || evhttp_parse_headers_(evreq, evbuf) != 1) {
                 [ #  # ]
      45         [ #  # ]:          0 :         evbuffer_free(evbuf);
      46         [ #  # ]:          0 :         evhttp_request_free(evreq);
      47                 :          0 :         return;
      48                 :            :     }
      49                 :            : 
      50         [ #  # ]:          0 :     HTTPRequest http_request{evreq, true};
      51         [ #  # ]:          0 :     const HTTPRequest::RequestMethod request_method = http_request.GetRequestMethod();
      52         [ #  # ]:          0 :     (void)RequestMethodString(request_method);
      53         [ #  # ]:          0 :     (void)http_request.GetURI();
      54 [ #  # ][ #  # ]:          0 :     (void)http_request.GetHeader("Host");
      55         [ #  # ]:          0 :     const std::string header = fuzzed_data_provider.ConsumeRandomLengthString(16);
      56         [ #  # ]:          0 :     (void)http_request.GetHeader(header);
      57 [ #  # ][ #  # ]:          0 :     (void)http_request.WriteHeader(header, fuzzed_data_provider.ConsumeRandomLengthString(16));
      58         [ #  # ]:          0 :     (void)http_request.GetHeader(header);
      59         [ #  # ]:          0 :     const std::string body = http_request.ReadBody();
      60         [ #  # ]:          0 :     assert(body.empty());
      61         [ #  # ]:          0 :     const CService service = http_request.GetPeer();
      62 [ #  # ][ #  # ]:          0 :     assert(service.ToStringAddrPort() == "[::]:0");
                 [ #  # ]
      63                 :            : 
      64         [ #  # ]:          0 :     evbuffer_free(evbuf);
      65         [ #  # ]:          0 :     evhttp_request_free(evreq);
      66         [ #  # ]:          0 : }