1 // Copyright 2020 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/dns/host_cache.h"
6
7 #include <stddef.h>
8 #include <stdint.h>
9 #include <stdlib.h>
10
11 #include <optional>
12
13 #include "base/json/json_reader.h"
14 #include "base/logging.h"
15 #include "base/numerics/clamped_math.h"
16 #include "base/numerics/ostream_operators.h"
17 #include "net/dns/host_cache_fuzzer.pb.h"
18 #include "testing/libfuzzer/proto/json.pb.h"
19 #include "testing/libfuzzer/proto/json_proto_converter.h"
20 #include "testing/libfuzzer/proto/lpm_interface.h"
21
22 namespace net {
23
24 struct Environment {
Environmentnet::Environment25 Environment() { logging::SetMinLogLevel(logging::LOGGING_INFO); }
26 const bool kDumpStats = getenv("DUMP_FUZZER_STATS");
27 const bool kDumpNativeInput = getenv("LPM_DUMP_NATIVE_INPUT");
28 };
29
30 // This fuzzer checks that parsing a JSON list to a HostCache and then
31 // re-serializing it recreates the original JSON list.
32 //
33 // A side effect of this technique is that our distribution of HostCaches only
34 // contains HostCaches that can be generated by RestoreFromListValue. It's
35 // conceivable that this doesn't capture all possible HostCaches.
36 //
37 // TODO(dmcardle): Check the other direction of this property. Starting from an
38 // arbitrary HostCache, serialize it and then parse a different HostCache.
39 // Verify that the two HostCaches are equal.
DEFINE_PROTO_FUZZER(const host_cache_fuzzer_proto::JsonOrBytes & input)40 DEFINE_PROTO_FUZZER(const host_cache_fuzzer_proto::JsonOrBytes& input) {
41 static Environment env;
42
43 // Clamp these counters to avoid incorrect statistics in case of overflow. On
44 // platforms with 8-byte size_t, it would take roughly 58,000 centuries to
45 // overflow, assuming a very fast fuzzer running at 100,000 exec/s. However, a
46 // 4-byte size_t could overflow in roughly 12 hours.
47 static base::ClampedNumeric<size_t> valid_json_count = 0;
48 static base::ClampedNumeric<size_t> iteration_count = 0;
49
50 constexpr size_t kIterationsPerStatsDump = 1024;
51 static_assert(SIZE_MAX % kIterationsPerStatsDump != 0,
52 "After saturation, stats would print on every iteration.");
53
54 ++iteration_count;
55 if (env.kDumpStats && iteration_count % kIterationsPerStatsDump == 0) {
56 LOG(INFO) << "Valid JSON hit rate:" << valid_json_count << "/"
57 << iteration_count;
58 }
59
60 std::string native_input;
61 if (input.has_json()) {
62 json_proto::JsonProtoConverter converter;
63 native_input = converter.Convert(input.json());
64 } else if (input.has_bytes()) {
65 native_input = input.bytes();
66 } else {
67 return;
68 }
69
70 if (env.kDumpNativeInput)
71 LOG(INFO) << "native_input: " << native_input;
72
73 std::optional<base::Value> value = base::JSONReader::Read(native_input);
74 if (!value || !value->is_list())
75 return;
76 ++valid_json_count;
77
78 // Parse the HostCache.
79 constexpr size_t kMaxEntries = 1000;
80 HostCache host_cache(kMaxEntries);
81 if (!host_cache.RestoreFromListValue(value->GetList()))
82 return;
83
84 // Serialize the HostCache.
85 base::Value::List serialized;
86 host_cache.GetList(
87 serialized /* entry_list */, true /* include_staleness */,
88 HostCache::SerializationType::kRestorable /* serialization_type */);
89
90 CHECK_EQ(*value, serialized);
91 return;
92 }
93 } // namespace net
94