1 //
2 //
3 // Copyright 2015 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include <grpc/grpc.h>
20 #include <grpc/slice.h>
21 #include <stdint.h>
22
23 #include <algorithm>
24 #include <memory>
25 #include <utility>
26
27 #include "absl/cleanup/cleanup.h"
28 #include "absl/log/check.h"
29 #include "absl/random/bit_gen_ref.h"
30 #include "src/core/ext/transport/chttp2/transport/hpack_parser.h"
31 #include "src/core/lib/experiments/config.h"
32 #include "src/core/lib/iomgr/error.h"
33 #include "src/core/lib/iomgr/exec_ctx.h"
34 #include "src/core/lib/resource_quota/arena.h"
35 #include "src/core/lib/resource_quota/memory_quota.h"
36 #include "src/core/lib/resource_quota/resource_quota.h"
37 #include "src/core/lib/transport/metadata_batch.h"
38 #include "src/core/util/ref_counted_ptr.h"
39 #include "src/core/util/status_helper.h"
40 #include "src/libfuzzer/libfuzzer_macro.h"
41 #include "test/core/test_util/fuzz_config_vars.h"
42 #include "test/core/test_util/proto_bit_gen.h"
43 #include "test/core/test_util/test_config.h"
44 #include "test/core/transport/chttp2/hpack_parser_fuzzer.pb.h"
45
46 // IWYU pragma: no_include <google/protobuf/repeated_ptr_field.h>
47
48 bool squelch = true;
49 bool leak_check = true;
50
DEFINE_PROTO_FUZZER(const hpack_parser_fuzzer::Msg & msg)51 DEFINE_PROTO_FUZZER(const hpack_parser_fuzzer::Msg& msg) {
52 if (squelch) {
53 grpc_disable_all_absl_logs();
54 }
55 grpc_core::ProtoBitGen proto_bit_src(msg.random_numbers());
56 grpc_core::ApplyFuzzConfigVars(msg.config_vars());
57 grpc_core::TestOnlyReloadExperimentsFromConfigVariables();
58 grpc_init();
59 auto cleanup = absl::MakeCleanup(grpc_shutdown);
60 auto memory_allocator = grpc_core::ResourceQuota::Default()
61 ->memory_quota()
62 ->CreateMemoryAllocator("test-allocator");
63 {
64 std::unique_ptr<grpc_core::HPackParser> parser(new grpc_core::HPackParser);
65 int max_length = 1024;
66 int absolute_max_length = 1024;
67 bool can_update_max_length = true;
68 bool can_add_priority = true;
69 for (int i = 0; i < msg.frames_size(); i++) {
70 auto arena = grpc_core::SimpleArenaAllocator()->MakeArena();
71 grpc_core::ExecCtx exec_ctx;
72 grpc_metadata_batch b;
73 const auto& frame = msg.frames(i);
74 if (frame.parse_size() == 0) continue;
75
76 // we can only update max length after a frame boundary
77 // so simulate that here
78 if (can_update_max_length) {
79 if (frame.max_metadata_length() != 0) {
80 max_length = std::max(0, frame.max_metadata_length());
81 }
82 if (frame.absolute_max_metadata_length() != 0) {
83 absolute_max_length =
84 std::max(0, frame.absolute_max_metadata_length());
85 }
86 if (absolute_max_length < max_length) {
87 std::swap(absolute_max_length, max_length);
88 }
89 }
90 // priority only makes sense on the first frame of a stream
91 grpc_core::HPackParser::Priority priority =
92 grpc_core::HPackParser::Priority::None;
93 if (can_add_priority && frame.priority()) {
94 priority = grpc_core::HPackParser::Priority::Included;
95 }
96 grpc_core::HPackParser::Boundary boundary =
97 grpc_core::HPackParser::Boundary::None;
98 can_update_max_length = false;
99 can_add_priority = false;
100 if (frame.end_of_headers()) {
101 boundary = grpc_core::HPackParser::Boundary::EndOfHeaders;
102 can_update_max_length = true;
103 }
104 if (frame.end_of_stream()) {
105 boundary = grpc_core::HPackParser::Boundary::EndOfStream;
106 can_update_max_length = true;
107 can_add_priority = true;
108 }
109
110 parser->BeginFrame(
111 &b, max_length, absolute_max_length, boundary, priority,
112 grpc_core::HPackParser::LogInfo{
113 1, grpc_core::HPackParser::LogInfo::kHeaders, false});
114 int stop_buffering_ctr =
115 std::max(-1, frame.stop_buffering_after_segments());
116 for (int idx = 0; idx < frame.parse_size(); idx++) {
117 const auto& parse = frame.parse(idx);
118 grpc_slice buffer =
119 grpc_slice_from_copied_buffer(parse.data(), parse.size());
120 auto err = parser->Parse(buffer, idx == frame.parse_size() - 1,
121 absl::BitGenRef(proto_bit_src),
122 /*call_tracer=*/nullptr);
123 grpc_slice_unref(buffer);
124 stop_buffering_ctr--;
125 if (0 == stop_buffering_ctr) parser->StopBufferingFrame();
126 // Ensure we never take on more than four times the absolute limit in
127 // buffer size.
128 // (This is incredibly generous, but having a bound nevertheless means
129 // we don't accidentally flow to infinity, which would be crossing the
130 // streams level bad).
131 CHECK(static_cast<int>(parser->buffered_bytes() / 4) <
132 std::max(1024, absolute_max_length));
133 if (!err.ok()) {
134 intptr_t unused;
135 if (grpc_error_get_int(err, grpc_core::StatusIntProperty::kStreamId,
136 &unused)) {
137 // This is a stream error, we ignore it
138 } else {
139 // This is a connection error, we don't try to parse anymore
140 return;
141 }
142 }
143 }
144 parser->FinishFrame();
145 }
146 }
147 }
148