tor

The Tor anonymity network
git clone https://git.dasho.dev/tor.git
Log | Files | Refs | README | LICENSE

fuzz_http_connect.c (2839B)

      1 /* Copyright (c) 2016-2021, The Tor Project, Inc. */
      2 /* See LICENSE for licensing information */
      3 
      4 #include "orconfig.h"
      5 
      6 #define BUFFERS_PRIVATE
      7 #define CONNECTION_EDGE_PRIVATE
      8 
      9 #include "core/or/or.h"
     10 #include "lib/err/backtrace.h"
     11 #include "lib/buf/buffers.h"
     12 #include "app/config/config.h"
     13 #include "core/mainloop/connection.h"
     14 #include "core/or/connection_edge.h"
     15 #include "core/proto/proto_socks.h"
     16 #include "lib/log/log.h"
     17 
     18 #include "core/or/entry_connection_st.h"
     19 #include "core/or/socks_request_st.h"
     20 
     21 #include "test/fuzz/fuzzing.h"
     22 
     23 static void
     24 mock_connection_write_to_buf_impl_(const char *string, size_t len,
     25                                   connection_t *conn, int compressed)
     26 {
     27  log_debug(LD_GENERAL, "%sResponse:\n%u\nConnection: %p\n%s\n",
     28            compressed ? "Compressed " : "", (unsigned)len, conn, string);
     29 }
     30 
     31 static void
     32 mock_connection_mark_unattached_ap_(entry_connection_t *conn, int endreason,
     33                                    int line, const char *file)
     34 {
     35  (void)conn;
     36  (void)endreason;
     37  (void)line;
     38  (void)file;
     39 }
     40 
     41 static int
     42 mock_connection_ap_rewrite_and_attach_if_allowed(entry_connection_t *conn,
     43                                                 origin_circuit_t *circ,
     44                                                 crypt_path_t *cpath)
     45 {
     46  (void)conn;
     47  (void)circ;
     48  (void)cpath;
     49  return 0;
     50 }
     51 
     52 int
     53 fuzz_init(void)
     54 {
     55  /* Set up fake response handler */
     56  MOCK(connection_write_to_buf_impl_, mock_connection_write_to_buf_impl_);
     57  /* Set up the fake handler functions */
     58  MOCK(connection_mark_unattached_ap_, mock_connection_mark_unattached_ap_);
     59  MOCK(connection_ap_rewrite_and_attach_if_allowed,
     60       mock_connection_ap_rewrite_and_attach_if_allowed);
     61 
     62  return 0;
     63 }
     64 
     65 int
     66 fuzz_cleanup(void)
     67 {
     68  UNMOCK(connection_write_to_buf_impl_);
     69  UNMOCK(connection_mark_unattached_ap_);
     70  UNMOCK(connection_ap_rewrite_and_attach_if_allowed);
     71  return 0;
     72 }
     73 
     74 int
     75 fuzz_main(const uint8_t *stdin_buf, size_t data_size)
     76 {
     77  entry_connection_t conn;
     78 
     79  /* Set up the fake connection */
     80  memset(&conn, 0, sizeof(conn));
     81  conn.edge_.base_.type = CONN_TYPE_AP;
     82  conn.edge_.base_.state = AP_CONN_STATE_HTTP_CONNECT_WAIT;
     83  conn.socks_request = tor_malloc_zero(sizeof(socks_request_t));
     84  conn.socks_request->listener_type = CONN_TYPE_AP_HTTP_CONNECT_LISTENER;
     85 
     86  conn.edge_.base_.inbuf = buf_new_with_data((char*)stdin_buf, data_size);
     87  if (!conn.edge_.base_.inbuf) {
     88    log_debug(LD_GENERAL, "Zero-Length-Input\n");
     89    goto done;
     90  }
     91 
     92  /* Parse the headers */
     93  int rv = connection_ap_process_http_connect(&conn);
     94 
     95  /* TODO: check the output is correctly parsed based on the input */
     96 
     97  log_debug(LD_GENERAL, "Result:\n%d\n", rv);
     98 
     99  goto done;
    100 
    101 done:
    102  /* Reset. */
    103  socks_request_free(conn.socks_request);
    104  buf_free(conn.edge_.base_.inbuf);
    105  conn.edge_.base_.inbuf = NULL;
    106 
    107  return 0;
    108 }