#include <cstdint>
#include <string>
#include <vector>

#include <fuzzer/FuzzedDataProvider.h>

#include <nghttp2/nghttp2.h>
namespace {
// Frame-received hook installed on the fuzzed session. The harness does not
// inspect the frame; it returns 0 unconditionally so that the library's own
// frame handling is what gets exercised.
int on_frame_recv_callback(nghttp2_session * /*session*/,
                           const nghttp2_frame * /*frame*/,
                           void * /*user_data*/) {
  return 0;
}
} // namespace
namespace {
// Begin-of-header-block hook installed on the fuzzed session. No per-stream
// state is kept by the harness, so the hook ignores its arguments and
// returns 0.
int on_begin_headers_callback(nghttp2_session * /*session*/,
                              const nghttp2_frame * /*frame*/,
                              void * /*user_data*/) {
  return 0;
}
} // namespace
namespace {
// Per-header hook (rcbuf variant) installed on the fuzzed session. The
// decoded name/value pair is not stored or validated here; the hook only
// returns 0.
int on_header_callback2(nghttp2_session * /*session*/,
                        const nghttp2_frame * /*frame*/,
                        nghttp2_rcbuf * /*name*/, nghttp2_rcbuf * /*value*/,
                        uint8_t /*flags*/, void * /*user_data*/) {
  return 0;
}
} // namespace
namespace {
// Pre-send hook installed on the fuzzed session. It never vetoes a frame:
// the arguments are ignored and 0 is returned every time.
int before_frame_send_callback(nghttp2_session * /*session*/,
                               const nghttp2_frame * /*frame*/,
                               void * /*user_data*/) {
  return 0;
}
} // namespace
namespace {
// Post-send hook installed on the fuzzed session. Nothing is recorded about
// the frame that was sent; the hook returns 0 unconditionally.
int on_frame_send_callback(nghttp2_session * /*session*/,
                           const nghttp2_frame * /*frame*/,
                           void * /*user_data*/) {
  return 0;
}
} // namespace
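namespace {
// Drains the session's outbound queue by calling nghttp2_session_mem_send()
// until it reports that nothing is left. The serialized bytes are discarded:
// the harness only needs the serialization code path to run.
//
// @param session  Session whose pending frames are serialized.
void send_pending(nghttp2_session *session) {
  for (;;) {
    const uint8_t *data = nullptr;
    const auto n = nghttp2_session_mem_send(session, &data);
    // 0 means the queue is empty; a negative value is a library error code.
    // The loop must stop on both. Testing only for 0 would spin forever if
    // the call kept failing, and the fuzzer would then report a harness
    // timeout instead of a finding in the library.
    if (n <= 0) {
      return;
    }
  }
}
} // namespace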
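// libFuzzer entry point. Builds a server-side nghttp2 session with no-op
// callbacks, submits a SETTINGS frame whose entries are derived from the
// fuzz input, then feeds the remaining input bytes to the session as if they
// had arrived from a peer.
//
// @param data  Fuzzer-generated input buffer.
// @param size  Number of bytes in `data`.
// @return Always 0, including when session setup fails.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  nghttp2_session_callbacks *callbacks = nullptr;
  // Setup failures (e.g. allocation failure) are not findings; bail out
  // instead of passing an uninitialized pointer to the setters below.
  if (nghttp2_session_callbacks_new(&callbacks) != 0) {
    return 0;
  }
  nghttp2_session_callbacks_set_on_frame_recv_callback(callbacks,
                                                       on_frame_recv_callback);
  nghttp2_session_callbacks_set_on_begin_headers_callback(
      callbacks, on_begin_headers_callback);
  nghttp2_session_callbacks_set_on_header_callback2(callbacks,
                                                    on_header_callback2);
  nghttp2_session_callbacks_set_before_frame_send_callback(
      callbacks, before_frame_send_callback);
  nghttp2_session_callbacks_set_on_frame_send_callback(callbacks,
                                                       on_frame_send_callback);

  nghttp2_session *session = nullptr;
  const int rv = nghttp2_session_server_new(&session, callbacks, nullptr);
  // The callbacks object is released whether or not the session was created.
  nghttp2_session_callbacks_del(callbacks);
  if (rv != 0) {
    // `session` is not valid here; using it would crash inside the harness
    // rather than inside the code under test.
    return 0;
  }

  FuzzedDataProvider data_provider(data, size);

  // Build 1..10 SETTINGS entries from the input. A std::vector replaces the
  // unchecked malloc()/free() pair, so there is no null dereference on
  // allocation failure and no leak on any exit path. The consumption order
  // (count, then id/value per entry) is kept so existing corpora still map
  // to the same entries.
  const int size_of_iv = data_provider.ConsumeIntegralInRange(1, 10);
  std::vector<nghttp2_settings_entry> iv(static_cast<size_t>(size_of_iv));
  for (auto &entry : iv) {
    entry.settings_id = data_provider.ConsumeIntegralInRange(0, 1000);
    entry.value =
        static_cast<uint32_t>(data_provider.ConsumeIntegralInRange(0, 1000));
  }

  // The return value is deliberately ignored: entries the library rejects
  // are an expected outcome of random input, not an error of the harness.
  nghttp2_submit_settings(session, NGHTTP2_FLAG_NONE, iv.data(), iv.size());
  send_pending(session);

  // Everything left in the input is treated as bytes received from the peer.
  const std::vector<uint8_t> d =
      data_provider.ConsumeRemainingBytes<uint8_t>();
  nghttp2_session_mem_recv(session, d.data(), d.size());

  send_pending(session);

  nghttp2_session_del(session);

  return 0;
}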