1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/spdy/fuzzing/hpack_fuzz_util.h"
6
7 #include <map>
8
9 #include "base/base_paths.h"
10 #include "base/file_util.h"
11 #include "base/files/file.h"
12 #include "base/path_service.h"
13 #include "net/spdy/spdy_test_utils.h"
14 #include "testing/gmock/include/gmock/gmock.h"
15 #include "testing/gtest/include/gtest/gtest.h"
16
17 namespace net {
18
19 namespace {
20
21 using base::StringPiece;
22 using std::map;
23 using std::string;
24 using test::a2b_hex;
25
TEST(HpackFuzzUtilTest,GeneratorContextInitialization)26 TEST(HpackFuzzUtilTest, GeneratorContextInitialization) {
27 HpackFuzzUtil::GeneratorContext context;
28 HpackFuzzUtil::InitializeGeneratorContext(&context);
29
30 // Context was seeded with initial name & value fixtures.
31 EXPECT_LT(0u, context.names.size());
32 EXPECT_LT(0u, context.values.size());
33 }
34
TEST(HpackFuzzUtil,GeneratorContextExpansion)35 TEST(HpackFuzzUtil, GeneratorContextExpansion) {
36 HpackFuzzUtil::GeneratorContext context;
37
38 map<string, string> headers = HpackFuzzUtil::NextGeneratedHeaderSet(&context);
39
40 // Headers were generated, and the generator context was expanded.
41 EXPECT_LT(0u, headers.size());
42 EXPECT_LT(0u, context.names.size());
43 EXPECT_LT(0u, context.values.size());
44 }
45
46 // TODO(jgraettinger): A better test would mock a random generator and
47 // evaluate SampleExponential along fixed points of the [0,1] domain.
TEST(HpackFuzzUtilTest,SampleExponentialRegression)48 TEST(HpackFuzzUtilTest, SampleExponentialRegression) {
49 // TODO(jgraettinger): Upstream uses a seeded random generator here to pin
50 // the behavior of SampleExponential. Chromium's random generation utilities
51 // are strongly secure, but provide no way to seed the generator.
52 for (size_t i = 0; i != 100; ++i) {
53 EXPECT_GE(30u, HpackFuzzUtil::SampleExponential(10, 30));
54 }
55 }
56
TEST(HpackFuzzUtilTest,ParsesSequenceOfHeaderBlocks)57 TEST(HpackFuzzUtilTest, ParsesSequenceOfHeaderBlocks) {
58 char fixture[] =
59 "\x00\x00\x00\x05""aaaaa"
60 "\x00\x00\x00\x04""bbbb"
61 "\x00\x00\x00\x03""ccc"
62 "\x00\x00\x00\x02""dd"
63 "\x00\x00\x00\x01""e"
64 "\x00\x00\x00\x00"""
65 "\x00\x00\x00\x03""fin";
66
67 HpackFuzzUtil::Input input;
68 input.input.assign(fixture, arraysize(fixture) - 1);
69
70 StringPiece block;
71
72 EXPECT_TRUE(HpackFuzzUtil::NextHeaderBlock(&input, &block));
73 EXPECT_EQ("aaaaa", block);
74 EXPECT_TRUE(HpackFuzzUtil::NextHeaderBlock(&input, &block));
75 EXPECT_EQ("bbbb", block);
76 EXPECT_TRUE(HpackFuzzUtil::NextHeaderBlock(&input, &block));
77 EXPECT_EQ("ccc", block);
78 EXPECT_TRUE(HpackFuzzUtil::NextHeaderBlock(&input, &block));
79 EXPECT_EQ("dd", block);
80 EXPECT_TRUE(HpackFuzzUtil::NextHeaderBlock(&input, &block));
81 EXPECT_EQ("e", block);
82 EXPECT_TRUE(HpackFuzzUtil::NextHeaderBlock(&input, &block));
83 EXPECT_EQ("", block);
84 EXPECT_TRUE(HpackFuzzUtil::NextHeaderBlock(&input, &block));
85 EXPECT_EQ("fin", block);
86 EXPECT_FALSE(HpackFuzzUtil::NextHeaderBlock(&input, &block));
87 }
88
TEST(HpackFuzzUtilTest,SerializedHeaderBlockPrefixes)89 TEST(HpackFuzzUtilTest, SerializedHeaderBlockPrefixes) {
90 EXPECT_EQ(string("\x00\x00\x00\x00", 4), HpackFuzzUtil::HeaderBlockPrefix(0));
91 EXPECT_EQ(string("\x00\x00\x00\x05", 4), HpackFuzzUtil::HeaderBlockPrefix(5));
92 EXPECT_EQ(string("\x4f\xb3\x0a\x91", 4),
93 HpackFuzzUtil::HeaderBlockPrefix(1337133713));
94 }
95
TEST(HpackFuzzUtilTest,PassValidInputThroughAllStages)96 TEST(HpackFuzzUtilTest, PassValidInputThroughAllStages) {
97 // Example lifted from HpackDecoderTest.SectionD3RequestHuffmanExamples.
98 string input = a2b_hex("828786448ce7cf9bebe89b6fb16fa9b6ff");
99
100 HpackFuzzUtil::FuzzerContext context;
101 HpackFuzzUtil::InitializeFuzzerContext(&context);
102
103 EXPECT_TRUE(
104 HpackFuzzUtil::RunHeaderBlockThroughFuzzerStages(&context, input));
105
106 std::map<string, string> expect;
107 expect[":method"] = "GET";
108 expect[":scheme"] = "http";
109 expect[":path"] = "/";
110 expect[":authority"] = "www.example.com";
111 EXPECT_EQ(expect, context.third_stage->decoded_block());
112 }
113
TEST(HpackFuzzUtilTest,ValidFuzzExamplesRegressionTest)114 TEST(HpackFuzzUtilTest, ValidFuzzExamplesRegressionTest) {
115 base::FilePath source_root;
116 ASSERT_TRUE(PathService::Get(base::DIR_SOURCE_ROOT, &source_root));
117
118 // Load the example fixtures versioned with the source tree.
119 HpackFuzzUtil::Input input;
120 ASSERT_TRUE(base::ReadFileToString(
121 source_root.Append(FILE_PATH_LITERAL("net"))
122 .Append(FILE_PATH_LITERAL("data"))
123 .Append(FILE_PATH_LITERAL("spdy_tests"))
124 .Append(FILE_PATH_LITERAL("examples_07.hpack")),
125 &input.input));
126
127 HpackFuzzUtil::FuzzerContext context;
128 HpackFuzzUtil::InitializeFuzzerContext(&context);
129
130 StringPiece block;
131 while (HpackFuzzUtil::NextHeaderBlock(&input, &block)) {
132 // As these are valid examples, all fuzz stages should succeed.
133 EXPECT_TRUE(HpackFuzzUtil::RunHeaderBlockThroughFuzzerStages(
134 &context, block));
135 }
136 }
137
TEST(HpackFuzzUtilTest,FlipBitsMutatesBuffer)138 TEST(HpackFuzzUtilTest, FlipBitsMutatesBuffer) {
139 char buffer[] = "testbuffer1234567890";
140 string unmodified(buffer, arraysize(buffer) - 1);
141
142 EXPECT_EQ(unmodified, buffer);
143 HpackFuzzUtil::FlipBits(reinterpret_cast<uint8*>(buffer),
144 arraysize(buffer) - 1,
145 1);
146 EXPECT_NE(unmodified, buffer);
147 }
148
149 } // namespace
150
151 } // namespace net
152