1 //
2 //
3 // Copyright 2015 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include <stdint.h>
20
21 #include <algorithm>
22 #include <memory>
23 #include <utility>
24
25 #include "absl/cleanup/cleanup.h"
26 #include "absl/random/bit_gen_ref.h"
27
28 #include <grpc/grpc.h>
29 #include <grpc/slice.h>
30 #include <grpc/support/log.h>
31
32 #include "src/core/ext/transport/chttp2/transport/hpack_parser.h"
33 #include "src/core/lib/experiments/config.h"
34 #include "src/core/lib/gprpp/ref_counted_ptr.h"
35 #include "src/core/lib/gprpp/status_helper.h"
36 #include "src/core/lib/iomgr/error.h"
37 #include "src/core/lib/iomgr/exec_ctx.h"
38 #include "src/core/lib/resource_quota/arena.h"
39 #include "src/core/lib/resource_quota/memory_quota.h"
40 #include "src/core/lib/resource_quota/resource_quota.h"
41 #include "src/core/lib/transport/metadata_batch.h"
42 #include "src/libfuzzer/libfuzzer_macro.h"
43 #include "test/core/transport/chttp2/hpack_parser_fuzzer.pb.h"
44 #include "test/core/util/fuzz_config_vars.h"
45 #include "test/core/util/proto_bit_gen.h"
46
47 // IWYU pragma: no_include <google/protobuf/repeated_ptr_field.h>
48
49 bool squelch = true;
50 bool leak_check = true;
51
dont_log(gpr_log_func_args *)52 static void dont_log(gpr_log_func_args* /*args*/) {}
53
DEFINE_PROTO_FUZZER(const hpack_parser_fuzzer::Msg & msg)54 DEFINE_PROTO_FUZZER(const hpack_parser_fuzzer::Msg& msg) {
55 if (squelch) gpr_set_log_function(dont_log);
56 grpc_core::ProtoBitGen proto_bit_src(msg.random_numbers());
57 grpc_core::ApplyFuzzConfigVars(msg.config_vars());
58 grpc_core::TestOnlyReloadExperimentsFromConfigVariables();
59 grpc_init();
60 auto cleanup = absl::MakeCleanup(grpc_shutdown);
61 auto memory_allocator = grpc_core::ResourceQuota::Default()
62 ->memory_quota()
63 ->CreateMemoryAllocator("test-allocator");
64 {
65 std::unique_ptr<grpc_core::HPackParser> parser(new grpc_core::HPackParser);
66 int max_length = 1024;
67 int absolute_max_length = 1024;
68 bool can_update_max_length = true;
69 bool can_add_priority = true;
70 for (int i = 0; i < msg.frames_size(); i++) {
71 auto arena = grpc_core::MakeScopedArena(1024, &memory_allocator);
72 grpc_core::ExecCtx exec_ctx;
73 grpc_metadata_batch b;
74 const auto& frame = msg.frames(i);
75 if (frame.parse_size() == 0) continue;
76
77 // we can only update max length after a frame boundary
78 // so simulate that here
79 if (can_update_max_length) {
80 if (frame.max_metadata_length() != 0) {
81 max_length = std::max(0, frame.max_metadata_length());
82 }
83 if (frame.absolute_max_metadata_length() != 0) {
84 absolute_max_length =
85 std::max(0, frame.absolute_max_metadata_length());
86 }
87 if (absolute_max_length < max_length) {
88 std::swap(absolute_max_length, max_length);
89 }
90 }
91 // priority only makes sense on the first frame of a stream
92 grpc_core::HPackParser::Priority priority =
93 grpc_core::HPackParser::Priority::None;
94 if (can_add_priority && frame.priority()) {
95 priority = grpc_core::HPackParser::Priority::Included;
96 }
97 grpc_core::HPackParser::Boundary boundary =
98 grpc_core::HPackParser::Boundary::None;
99 can_update_max_length = false;
100 can_add_priority = false;
101 if (frame.end_of_headers()) {
102 boundary = grpc_core::HPackParser::Boundary::EndOfHeaders;
103 can_update_max_length = true;
104 }
105 if (frame.end_of_stream()) {
106 boundary = grpc_core::HPackParser::Boundary::EndOfStream;
107 can_update_max_length = true;
108 can_add_priority = true;
109 }
110
111 parser->BeginFrame(
112 &b, max_length, absolute_max_length, boundary, priority,
113 grpc_core::HPackParser::LogInfo{
114 1, grpc_core::HPackParser::LogInfo::kHeaders, false});
115 int stop_buffering_ctr =
116 std::max(-1, frame.stop_buffering_after_segments());
117 for (int idx = 0; idx < frame.parse_size(); idx++) {
118 const auto& parse = frame.parse(idx);
119 grpc_slice buffer =
120 grpc_slice_from_copied_buffer(parse.data(), parse.size());
121 auto err = parser->Parse(buffer, idx == frame.parse_size() - 1,
122 absl::BitGenRef(proto_bit_src),
123 /*call_tracer=*/nullptr);
124 grpc_slice_unref(buffer);
125 stop_buffering_ctr--;
126 if (0 == stop_buffering_ctr) parser->StopBufferingFrame();
127 // Ensure we never take on more than four times the absolute limit in
128 // buffer size.
129 // (This is incredibly generous, but having a bound nevertheless means
130 // we don't accidentally flow to infinity, which would be crossing the
131 // streams level bad).
132 GPR_ASSERT(static_cast<int>(parser->buffered_bytes() / 4) <
133 std::max(1024, absolute_max_length));
134 if (!err.ok()) {
135 intptr_t unused;
136 if (grpc_error_get_int(err, grpc_core::StatusIntProperty::kStreamId,
137 &unused)) {
138 // This is a stream error, we ignore it
139 } else {
140 // This is a connection error, we don't try to parse anymore
141 return;
142 }
143 }
144 }
145 parser->FinishFrame();
146 }
147 }
148 }
149