Branch data     Line data    Source code

       1                 :            : // Copyright (c) 2020-2022 The Bitcoin Core developers
       2                 :            : // Distributed under the MIT software license, see the accompanying
       3                 :            : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
       4                 :            : 
       5                 :            : #include <httpserver.h>
       6                 :            : #include <netaddress.h>
       7                 :            : #include <test/fuzz/FuzzedDataProvider.h>
       8                 :            : #include <test/fuzz/fuzz.h>
       9                 :            : #include <test/fuzz/util.h>
      10                 :            : #include <util/signalinterrupt.h>
      11                 :            : #include <util/strencodings.h>
      12                 :            : 
      13                 :            : #include <event2/buffer.h>
      14                 :            : #include <event2/event.h>
      15                 :            : #include <event2/http.h>
      16                 :            : #include <event2/http_struct.h>
      17                 :            : 
      18                 :            : #include <cassert>
      19                 :            : #include <cstdint>
      20                 :            : #include <string>
      21                 :            : #include <vector>
      22                 :            : 
      23                 :            : extern "C" int evhttp_parse_firstline_(struct evhttp_request*, struct evbuffer*);
      24                 :            : extern "C" int evhttp_parse_headers_(struct evhttp_request*, struct evbuffer*);
      25                 :            : 
      26                 :            : std::string RequestMethodString(HTTPRequest::RequestMethod m);
      27                 :            : 
      28 [ +  - ][ +  - ]:          6 : FUZZ_TARGET(http_request)
      29                 :            : {
      30                 :          2 :     FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
      31                 :          0 :     evhttp_request* evreq = evhttp_request_new(nullptr, nullptr);
      32         [ #  # ]:          0 :     assert(evreq != nullptr);
      33                 :          0 :     evreq->kind = EVHTTP_REQUEST;
      34                 :          0 :     evbuffer* evbuf = evbuffer_new();
      35         [ #  # ]:          0 :     assert(evbuf != nullptr);
      36                 :          0 :     const std::vector<uint8_t> http_buffer = ConsumeRandomLengthByteVector(fuzzed_data_provider, 4096);
      37         [ #  # ]:          0 :     evbuffer_add(evbuf, http_buffer.data(), http_buffer.size());
      38                 :            :     // Avoid constructing requests that will be interpreted by libevent as PROXY requests to avoid triggering
      39                 :            :     // a nullptr dereference. The dereference (req->evcon->http_server) takes place in evhttp_parse_request_line
      40                 :            :     // and is a consequence of our hacky but necessary use of the internal function evhttp_parse_firstline_ in
      41                 :            :     // this fuzzing harness. The workaround is not aesthetically pleasing, but it successfully avoids the troublesome
      42                 :            :     // code path. " http:// HTTP/1.1\n" was a crashing input prior to this workaround.
      43 [ #  # ][ #  # ]:          0 :     const std::string http_buffer_str = ToLower(std::string{http_buffer.begin(), http_buffer.end()});
      44 [ #  # ][ #  # ]:          0 :     if (http_buffer_str.find(" http://") != std::string::npos || http_buffer_str.find(" https://") != std::string::npos ||
                 [ #  # ]
      45 [ #  # ][ #  # ]:          0 :         evhttp_parse_firstline_(evreq, evbuf) != 1 || evhttp_parse_headers_(evreq, evbuf) != 1) {
                 [ #  # ]
      46         [ #  # ]:          0 :         evbuffer_free(evbuf);
      47         [ #  # ]:          0 :         evhttp_request_free(evreq);
      48                 :          0 :         return;
      49                 :            :     }
      50                 :            : 
      51         [ #  # ]:          0 :     util::SignalInterrupt interrupt;
      52         [ #  # ]:          0 :     HTTPRequest http_request{evreq, interrupt, true};
      53         [ #  # ]:          0 :     const HTTPRequest::RequestMethod request_method = http_request.GetRequestMethod();
      54         [ #  # ]:          0 :     (void)RequestMethodString(request_method);
      55         [ #  # ]:          0 :     (void)http_request.GetURI();
      56 [ #  # ][ #  # ]:          0 :     (void)http_request.GetHeader("Host");
      57         [ #  # ]:          0 :     const std::string header = fuzzed_data_provider.ConsumeRandomLengthString(16);
      58         [ #  # ]:          0 :     (void)http_request.GetHeader(header);
      59 [ #  # ][ #  # ]:          0 :     (void)http_request.WriteHeader(header, fuzzed_data_provider.ConsumeRandomLengthString(16));
      60         [ #  # ]:          0 :     (void)http_request.GetHeader(header);
      61         [ #  # ]:          0 :     const std::string body = http_request.ReadBody();
      62         [ #  # ]:          0 :     assert(body.empty());
      63         [ #  # ]:          0 :     const CService service = http_request.GetPeer();
      64 [ #  # ][ #  # ]:          0 :     assert(service.ToStringAddrPort() == "[::]:0");
                 [ #  # ]
      65                 :            : 
      66         [ #  # ]:          0 :     evbuffer_free(evbuf);
      67         [ #  # ]:          0 :     evhttp_request_free(evreq);
      68         [ #  # ]:          0 : }