1 /* Copyright 2021 Google LLC
2 Licensed under the Apache License, Version 2.0 (the "License");
3 you may not use this file except in compliance with the License.
4 You may obtain a copy of the License at
5 http://www.apache.org/licenses/LICENSE-2.0
6 Unless required by applicable law or agreed to in writing, software
7 distributed under the License is distributed on an "AS IS" BASIS,
8 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
9 See the License for the specific language governing permissions and
10 limitations under the License.
11 */
12 #include "apr.h"
13 #include "apr_file_io.h"
14 #include "apr_poll.h"
15 #include "apr_portable.h"
16 #include "apr_proc_mutex.h"
17 #include "apr_signal.h"
18 #include "apr_strings.h"
19 #include "apr_thread_mutex.h"
20 #include "apr_thread_proc.h"
21 #include "http_core.h"
22
23 #define APR_WANT_STRFUNC
24 #include "apr_file_io.h"
25 #include "apr_fnmatch.h"
26 #include "apr_want.h"
27
28 #include "apr_poll.h"
29 #include "apr_want.h"
30
31 #include "ap_config.h"
32 #include "ap_expr.h"
33 #include "ap_listen.h"
34 #include "ap_provider.h"
35 #include "ap_regex.h"
36
37 #include "ada_fuzz_header.h"
38
http_scheme2(const request_rec * r)39 static const char *http_scheme2(const request_rec *r) {
40 /*
41 * The http module shouldn't return anything other than
42 * "http" (the default) or "https".
43 */
44 if (r->server->server_scheme &&
45 (strcmp(r->server->server_scheme, "https") == 0))
46 return "https";
47
48 return "http";
49 }
50
51 extern request_rec *ap_create_request(conn_rec *conn);
52 extern int read_request_line(request_rec *r, apr_bucket_brigade *bb);
53
LLVMFuzzerInitialize(int * argc,char *** argv)54 int LLVMFuzzerInitialize(int *argc, char ***argv) {
55 apr_pool_create(&apr_hook_global_pool, NULL);
56 ap_open_stderr_log(apr_hook_global_pool);
57 ap_hook_http_scheme(http_scheme2, NULL, NULL, APR_HOOK_REALLY_LAST);
58 return 0;
59 }
60
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)61 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
62 af_gb_init();
63
64 const uint8_t *data2 = data;
65 size_t size2 = size;
66
67 /* get random data for the fuzzer */
68 char *new_str = af_gb_get_null_terminated(&data2, &size2);
69 char *new_str2 = af_gb_get_null_terminated(&data2, &size2);
70 char *new_str3 = af_gb_get_null_terminated(&data2, &size2);
71 char *new_str4 = af_gb_get_null_terminated(&data2, &size2);
72 char *new_str5 = af_gb_get_null_terminated(&data2, &size2);
73 if (new_str != NULL &&
74 new_str2 != NULL &&
75 new_str3 != NULL &&
76 new_str4 != NULL &&
77 new_str5 != NULL) {
78
79 /* this is the main fuzzing logic */
80
81 apr_pool_initialize();
82 apr_pool_t *v = NULL;
83 apr_pool_create(&v, NULL);
84
85 conn_rec conn;
86 conn.pool = v;
87 server_rec base_server;
88 conn.base_server = &base_server;
89 conn.bucket_alloc = apr_bucket_alloc_create(conn.pool);
90 ap_method_registry_init(conn.pool);
91
92 //server_rec server;
93
94 /* Simulate ap_read_request */
95 request_rec *r = NULL;
96 r = ap_create_request(&conn);
97
98 /* create a logs array for the request */
99 struct ap_logconf logs = {};
100 char *log_levels = calloc(1000, 1);
101 memset(log_levels, 0, 1000);
102 logs.module_levels = log_levels;
103 r->log = &logs;
104 if (r != NULL) {
105 apr_bucket_brigade *tmp_bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
106 conn.keepalive = AP_CONN_UNKNOWN;
107
108 ap_run_pre_read_request(r, conn);
109
110 core_server_config conf_mod;
111 conf_mod.http_conformance = (char)af_get_short(&data2, &size2);
112 conf_mod.http09_enable = (char)af_get_short(&data2, &size2);
113 conf_mod.http_methods = (char)af_get_short(&data2, &size2);
114 void **module_config_arr = malloc(1000);
115 module_config_arr[0] = &conf_mod;
116
117 r->server->module_config = module_config_arr;
118 ap_set_core_module_config(r->server->module_config, &conf_mod);
119
120 /* randomise content of request */
121 r->unparsed_uri = new_str;
122 r->uri = new_str2;
123 r->server->server_scheme = new_str3;
124 r->method = new_str4;
125 r->the_request = new_str5;
126
127 /* main target */
128 ap_parse_request_line(r);
129
130 free(module_config_arr);
131 }
132 free(log_levels);
133 apr_pool_terminate();
134 }
135
136 af_gb_cleanup();
137 return 0;
138 }
139