fuzzing: add fuzzing targets

Signed-off-by: Arjun <pkillarjun@protonmail.com>
Reviewed-by: Andrew Clayton <a.clayton@nginx.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>

5 files changed, 425 insertions, 0 deletions

diff --git a/fuzzing/nxt_basic_fuzz.c b/fuzzing/nxt_basic_fuzz.c
new file mode 100644
index 00000000..df3a1b6a
--- /dev/null
+++ b/fuzzing/nxt_basic_fuzz.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) NGINX, Inc.
+ */
+
+#include <nxt_main.h>
+
+
+#define KMININPUTLENGTH 2
+#define KMAXINPUTLENGTH 128
+
+
+extern int LLVMFuzzerInitialize(int *argc, char ***argv);
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+void nxt_base64_fuzz(const u_char *data, size_t size);
+void nxt_term_fuzz(const u_char *data, size_t size);
+void nxt_time_fuzz(const u_char *data, size_t size);
+void nxt_utf8_fuzz(const u_char *data, size_t size);
+
+
+extern char  **environ;
+
+
+int
+LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+    if (nxt_lib_start("fuzzing", NULL, &environ) != NXT_OK) {
+        return NXT_ERROR;
+    }
+
+    return 0;
+}
+
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    if (size < KMININPUTLENGTH || size > KMAXINPUTLENGTH) {
+        return 0;
+    }
+
+    nxt_base64_fuzz(data, size);
+    nxt_term_fuzz(data, size);
+    nxt_time_fuzz(data, size);
+    nxt_utf8_fuzz(data, size);
+
+    return 0;
+}
+
+
+void
+nxt_base64_fuzz(const u_char *data, size_t size)
+{
+    u_char   buf[256];
+    ssize_t  ret;
+
+    /*
+     * Validate base64 data before decoding.
+     */
+    ret = nxt_base64_decode(NULL, (u_char *)data, size);
+    if (ret == NXT_ERROR) {
+        return;
+    }
+
+    nxt_base64_decode(buf, (u_char *)data, size);
+}
+
+
+void
+nxt_term_fuzz(const u_char *data, size_t size)
+{
+    nxt_term_parse(data, size, 0);
+    nxt_term_parse(data, size, 1);
+}
+
+
+void
+nxt_time_fuzz(const u_char *data, size_t size)
+{
+    nxt_time_parse(data, size);
+}
+
+
+void
+nxt_utf8_fuzz(const u_char *data, size_t size)
+{
+    const u_char  *in;
+
+    in = data;
+    nxt_utf8_decode(&in, data + size);
+}
diff --git a/fuzzing/nxt_http_controller_fuzz.c b/fuzzing/nxt_http_controller_fuzz.c
new file mode 100644
index 00000000..b7c6c272
--- /dev/null
+++ b/fuzzing/nxt_http_controller_fuzz.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) NGINX, Inc.
+ */
+
+#include <nxt_main.h>
+
+/* DO NOT TRY THIS AT HOME! */
+#include "nxt_controller.c"
+
+
+#define KMININPUTLENGTH 2
+#define KMAXINPUTLENGTH 1024
+
+
+extern int LLVMFuzzerInitialize(int *argc, char ***argv);
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+
+extern char  **environ;
+
+
+int
+LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+    nxt_int_t  ret;
+
+    if (nxt_lib_start("fuzzing", NULL, &environ) != NXT_OK) {
+        return NXT_ERROR;
+    }
+
+    ret = nxt_http_fields_hash(&nxt_controller_fields_hash,
+                               nxt_controller_request_fields,
+                               nxt_nitems(nxt_controller_request_fields));
+    if (ret != NXT_OK) {
+        return NXT_ERROR;
+    }
+
+    return 0;
+}
+
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    nxt_mp_t                  *mp;
+    nxt_buf_mem_t             buf;
+    nxt_controller_request_t  *r_controller;
+    nxt_http_request_parse_t  rp;
+
+    if (size < KMININPUTLENGTH || size > KMAXINPUTLENGTH) {
+        return 0;
+    }
+
+    mp = nxt_mp_create(1024, 128, 256, 32);
+    if (mp == NULL) {
+        return 0;
+    }
+
+    nxt_memzero(&rp, sizeof(nxt_http_request_parse_t));
+    if (nxt_http_parse_request_init(&rp, mp) != NXT_OK) {
+        goto failed;
+    }
+
+    buf.start = (u_char *)data;
+    buf.end = (u_char *)data + size;
+    buf.pos = buf.start;
+    buf.free = buf.end;
+
+    if (nxt_http_parse_request(&rp, &buf) != NXT_DONE) {
+        goto failed;
+    }
+
+    r_controller = nxt_mp_zget(mp, sizeof(nxt_controller_request_t));
+
+    if (r_controller == NULL) {
+        goto failed;
+    }
+
+    nxt_http_fields_process(rp.fields, &nxt_controller_fields_hash,
+                            r_controller);
+
+failed:
+
+    nxt_mp_destroy(mp);
+
+    return 0;
+}
diff --git a/fuzzing/nxt_http_h1p_fuzz.c b/fuzzing/nxt_http_h1p_fuzz.c
new file mode 100644
index 00000000..471e87a4
--- /dev/null
+++ b/fuzzing/nxt_http_h1p_fuzz.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) NGINX, Inc.
+ */
+
+#include <nxt_main.h>
+
+/* DO NOT TRY THIS AT HOME! */
+#include "nxt_h1proto.c"
+
+
+#define KMININPUTLENGTH 2
+#define KMAXINPUTLENGTH 1024
+
+
+extern int LLVMFuzzerInitialize(int *argc, char ***argv);
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+
+extern char  **environ;
+
+
+int
+LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+    nxt_int_t  ret;
+
+    if (nxt_lib_start("fuzzing", NULL, &environ) != NXT_OK) {
+        return NXT_ERROR;
+    }
+
+    ret = nxt_http_fields_hash(&nxt_h1p_fields_hash,
+                               nxt_h1p_fields, nxt_nitems(nxt_h1p_fields));
+    if (ret != NXT_OK) {
+        return NXT_ERROR;
+    }
+
+    return 0;
+}
+
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    nxt_mp_t                  *mp;
+    nxt_buf_mem_t             buf;
+    nxt_http_request_t        *r_h1p;
+    nxt_http_request_parse_t  rp;
+
+    if (size < KMININPUTLENGTH || size > KMAXINPUTLENGTH) {
+        return 0;
+    }
+
+    mp = nxt_mp_create(1024, 128, 256, 32);
+    if (mp == NULL) {
+        return 0;
+    }
+
+    nxt_memzero(&rp, sizeof(nxt_http_request_parse_t));
+    if (nxt_http_parse_request_init(&rp, mp) != NXT_OK) {
+        goto failed;
+    }
+
+    buf.start = (u_char *)data;
+    buf.end = (u_char *)data + size;
+    buf.pos = buf.start;
+    buf.free = buf.end;
+
+    if (nxt_http_parse_request(&rp, &buf) != NXT_DONE) {
+        goto failed;
+    }
+
+    r_h1p = nxt_mp_zget(mp, sizeof(nxt_http_request_t));
+
+    if (r_h1p == NULL) {
+        goto failed;
+    }
+
+    nxt_http_fields_process(rp.fields, &nxt_h1p_fields_hash, r_h1p);
+
+failed:
+
+    nxt_mp_destroy(mp);
+
+    return 0;
+}
diff --git a/fuzzing/nxt_http_h1p_peer_fuzz.c b/fuzzing/nxt_http_h1p_peer_fuzz.c
new file mode 100644
index 00000000..7b722248
--- /dev/null
+++ b/fuzzing/nxt_http_h1p_peer_fuzz.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) NGINX, Inc.
+ */
+
+#include <nxt_main.h>
+
+/* DO NOT TRY THIS AT HOME! */
+#include "nxt_h1proto.c"
+
+
+#define KMININPUTLENGTH 2
+#define KMAXINPUTLENGTH 1024
+
+
+extern int LLVMFuzzerInitialize(int *argc, char ***argv);
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+
+extern char  **environ;
+
+
+int
+LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+    nxt_int_t  ret;
+
+    if (nxt_lib_start("fuzzing", NULL, &environ) != NXT_OK) {
+        return NXT_ERROR;
+    }
+
+    ret = nxt_http_fields_hash(&nxt_h1p_peer_fields_hash,
+                                nxt_h1p_peer_fields,
+                                nxt_nitems(nxt_h1p_peer_fields));
+    if (ret != NXT_OK) {
+        return NXT_ERROR;
+    }
+
+    return 0;
+}
+
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    nxt_mp_t                  *mp;
+    nxt_buf_mem_t             buf;
+    nxt_http_request_t        *r_h1p_peer;
+    nxt_http_request_parse_t  rp;
+
+    if (size < KMININPUTLENGTH || size > KMAXINPUTLENGTH) {
+        return 0;
+    }
+
+    mp = nxt_mp_create(1024, 128, 256, 32);
+    if (mp == NULL) {
+        return 0;
+    }
+
+    nxt_memzero(&rp, sizeof(nxt_http_request_parse_t));
+    if (nxt_http_parse_request_init(&rp, mp) != NXT_OK) {
+        goto failed;
+    }
+
+    buf.start = (u_char *)data;
+    buf.end = (u_char *)data + size;
+    buf.pos = buf.start;
+    buf.free = buf.end;
+
+    if (nxt_http_parse_request(&rp, &buf) != NXT_DONE) {
+        goto failed;
+    }
+
+    r_h1p_peer = nxt_mp_zget(mp, sizeof(nxt_http_request_t));
+
+    if (r_h1p_peer == NULL) {
+        goto failed;
+    }
+
+    nxt_http_fields_process(rp.fields, &nxt_h1p_peer_fields_hash, r_h1p_peer);
+
+failed:
+
+    nxt_mp_destroy(mp);
+
+    return 0;
+}
diff --git a/fuzzing/nxt_json_fuzz.c b/fuzzing/nxt_json_fuzz.c
new file mode 100644
index 00000000..532babb1
--- /dev/null
+++ b/fuzzing/nxt_json_fuzz.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) NGINX, Inc.
+ */
+
+#include <nxt_main.h>
+#include <nxt_conf.h>
+
+
+#define KMININPUTLENGTH 2
+#define KMAXINPUTLENGTH 1024
+
+
+extern int LLVMFuzzerInitialize(int *argc, char ***argv);
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+
+extern char  **environ;
+
+
+int
+LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+    if (nxt_lib_start("fuzzing", NULL, &environ) != NXT_OK) {
+        return NXT_ERROR;
+    }
+
+    return 0;
+}
+
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    nxt_mp_t               *mp;
+    nxt_str_t              input;
+    nxt_conf_value_t       *conf;
+    nxt_conf_validation_t  vldt;
+
+    if (size < KMININPUTLENGTH || size > KMAXINPUTLENGTH) {
+        return 0;
+    }
+
+    mp = nxt_mp_create(1024, 128, 256, 32);
+    if (mp == NULL) {
+        return 0;
+    }
+
+    input.start = (u_char *)data;
+    input.length = size;
+
+    conf = nxt_conf_json_parse_str(mp, &input);
+    if (conf == NULL) {
+        goto failed;
+    }
+
+    nxt_memzero(&vldt, sizeof(nxt_conf_validation_t));
+
+    vldt.pool = nxt_mp_create(1024, 128, 256, 32);
+    if (vldt.pool == NULL) {
+        goto failed;
+    }
+
+    vldt.conf = conf;
+    vldt.conf_pool = mp;
+    vldt.ver = NXT_VERNUM;
+
+    nxt_conf_validate(&vldt);
+
+    nxt_mp_destroy(vldt.pool);
+
+failed:
+
+    nxt_mp_destroy(mp);
+
+    return 0;
+}