diff --git a/fuzz/.gitignore b/fuzz/.gitignore new file mode 100644 index 0000000..572e03b --- /dev/null +++ b/fuzz/.gitignore @@ -0,0 +1,4 @@ + +target +corpus +artifacts diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml new file mode 100644 index 0000000..cc6401b --- /dev/null +++ b/fuzz/Cargo.toml @@ -0,0 +1,27 @@ + +[package] +name = "async-h1-fuzz" +version = "0.0.0" +authors = ["Automatically generated"] +publish = false +edition = "2018" + +[package.metadata] +cargo-fuzz = true + +[dependencies] +async-std = "1.5.0" +http-types = "1.0.0" +libfuzzer-sys = "0.3" +futures-io = "0.3" + +[dependencies.async-h1] +path = ".." + +# Prevent this from interfering with workspaces +[workspace] +members = ["."] + +[[bin]] +name = "server_accept" +path = "fuzz_targets/server_accept.rs" diff --git a/fuzz/dicts/server_accept b/fuzz/dicts/server_accept new file mode 100644 index 0000000..e32afe2 --- /dev/null +++ b/fuzz/dicts/server_accept @@ -0,0 +1,30 @@ +"HTTP/1.1" +"GET" +"POST" +"PUT" +"DELETE" +"PATCH" +"OPTIONS" +"CONNECT" +"HEAD" +" /" +"index.html" +"?q=" +"content-type" +"transfer-encoding" +"chunked" +"text/plain" +"application/octet-stream" +"application/json" +"image/png" +"audio/opus" +"authorization" +"cookie" +"content-length" +"host" +"Basic" +"accept-encoding" +"gzip" +"br" +"\x0d\x0a" +": " diff --git a/fuzz/fuzz_targets/server_accept.rs b/fuzz/fuzz_targets/server_accept.rs new file mode 100644 index 0000000..608c569 --- /dev/null +++ b/fuzz/fuzz_targets/server_accept.rs @@ -0,0 +1,56 @@ +#![no_main] +use libfuzzer_sys::fuzz_target; + +use std::pin::Pin; +use std::sync::{Arc, Mutex}; +use std::task::{Context, Poll}; + +use async_std::io::Cursor; +use futures_io::{AsyncRead, AsyncWrite}; + +#[derive(Clone, Debug)] +struct RwWrapper(Arc>>>); + +impl RwWrapper { + fn new(input: Vec) -> Self { + Self(Arc::new(Mutex::new(Cursor::new(input)))) + } +} + +impl AsyncRead for RwWrapper { + fn poll_read( + mut self: Pin<&mut Self>, + cx: &mut Context<'_>, + buf: &mut [u8], + ) -> Poll> { + Pin::new(&mut *self.0.lock().unwrap()).poll_read(cx, buf) + } +} + +impl AsyncWrite for RwWrapper { + fn poll_write( + self: Pin<&mut Self>, + _cx: &mut Context<'_>, + buf: &[u8], + ) -> Poll> { + Poll::Ready(Ok(buf.len())) + } + + fn poll_flush(self: Pin<&mut Self>, _cx: &mut Context<'_>) -> Poll> { + Poll::Ready(Ok(())) + } + + fn poll_close(self: Pin<&mut Self>, _cx: &mut Context<'_>) -> Poll> { + Poll::Ready(Ok(())) + } +} + +fuzz_target!(|request: &[u8]| { + let stream = RwWrapper::new(request.to_vec()); + async_std::task::block_on(async_h1::accept("http://localhost", stream, |req| async { + let mut res = http_types::Response::new(http_types::StatusCode::Ok); + res.set_body(req); + Ok(res) + })) + .ok(); +}); diff --git a/fuzz/init_corpus/server_accept/chunked b/fuzz/init_corpus/server_accept/chunked new file mode 100644 index 0000000..c542ea6 --- /dev/null +++ b/fuzz/init_corpus/server_accept/chunked @@ -0,0 +1,10 @@ +POST / HTTP/1.1 +content-type: text/plain +transfer-encoding: chunked + +5 +Hello +a +aaaaabbbbb +0 + diff --git a/fuzz/init_corpus/server_accept/fixed_length b/fuzz/init_corpus/server_accept/fixed_length new file mode 100644 index 0000000..7ebf368 --- /dev/null +++ b/fuzz/init_corpus/server_accept/fixed_length @@ -0,0 +1,5 @@ +POST / HTTP/1.1 +content-type: text/plain +content-length: 10 + +aaaaabbbbb \ No newline at end of file diff --git a/fuzz/init_corpus/server_accept/zero_length_no_mime b/fuzz/init_corpus/server_accept/zero_length_no_mime new file mode 100644 index 0000000..88d9152 --- /dev/null +++ b/fuzz/init_corpus/server_accept/zero_length_no_mime @@ -0,0 +1,3 @@ +POST / HTTP/1.1 +content-length: 0 + diff --git a/run-fuzzer.sh b/run-fuzzer.sh new file mode 100755 index 0000000..3dad916 --- /dev/null +++ b/run-fuzzer.sh @@ -0,0 +1,14 @@ +#!/bin/sh +set -e + +TARGET_NAME="$1" +if [ -z "$TARGET_NAME" ]; then + echo "$0: target name required" >&2 + exit 1 +fi + +mkdir -p "./fuzz/corpus/${TARGET_NAME}/" +cargo +nightly fuzz run "${TARGET_NAME}" \ + "./fuzz/corpus/${TARGET_NAME}/" "./fuzz/init_corpus/${TARGET_NAME}/" -- \ + -dict="./fuzz/dicts/${TARGET_NAME}" \ + -timeout=3