boost: add fuzzers for beast library

boost_beast_request_fuzzer for fuzzing HTTP requests parser boost_beast_response_fuzzer for fuzzing HTTP responses parser boost_beast_ws_server_fuzzer for fuzzing WebSocket server
google · Jun 17, 2024 · 977f2ac · 977f2ac
1 parent 7f91500
commit 977f2ac
Show file tree

Hide file tree

Showing 4 changed files with 129 additions and 0 deletions.
diff --git a/projects/boost/boost_beast_request_fuzzer.cc b/projects/boost/boost_beast_request_fuzzer.cc
@@ -0,0 +1,32 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <boost/beast.hpp>
+#include <boost/beast/_experimental/test/stream.hpp>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+    using namespace boost::beast;
+
+    error_code ec;
+    flat_buffer buffer;
+    net::io_context ioc;
+    test::stream stream{ioc, {reinterpret_cast<const char*>(data), size}};
+    stream.close_remote();
+
+    http::request_parser<http::dynamic_body> parser;
+    http::read(stream, buffer, parser, ec);
+
+    return 0;
+}
diff --git a/projects/boost/boost_beast_response_fuzzer.cc b/projects/boost/boost_beast_response_fuzzer.cc
@@ -0,0 +1,40 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <boost/beast.hpp>
+#include <boost/beast/_experimental/test/stream.hpp>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+    using namespace boost::beast;
+
+    error_code ec;
+    flat_buffer buffer;
+    net::io_context ioc;
+    test::stream stream{ioc, {reinterpret_cast<const char*>(data), size}};
+    stream.close_remote();
+
+    http::chunk_extensions ce;
+    http::response_parser<http::dynamic_body> parser;
+
+    auto chunk_header_cb
+        = [&ce](std::uint64_t size, string_view extensions, error_code& ev) {
+              ce.parse(extensions, ev);
+          };
+
+    parser.on_chunk_header(chunk_header_cb);
+    http::read(stream, buffer, parser, ec);
+
+    return 0;
+}
diff --git a/projects/boost/boost_beast_ws_server_fuzzer.cc b/projects/boost/boost_beast_ws_server_fuzzer.cc
@@ -0,0 +1,52 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <boost/beast.hpp>
+#include <boost/beast/_experimental/test/stream.hpp>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+    using namespace boost::beast;
+
+    error_code ec;
+    flat_buffer buffer;
+    net::io_context ioc;
+    test::stream remote{ioc};
+
+    websocket::stream<test::stream> ws{
+        ioc, string_view{reinterpret_cast<const char*>(data), size}};
+
+    ws.set_option(
+        websocket::stream_base::decorator([](websocket::response_type& res) {
+            res.set(http::field::server, "websocket-server-sync");
+        }));
+
+    ws.set_option(websocket::permessage_deflate{
+        .server_enable = (size % 2) != 0,
+        .compLevel = static_cast<int>(size % 9),
+    });
+
+    ws.next_layer().connect(remote);
+    ws.next_layer().close_remote();
+    ws.accept(ec);
+
+    if (!ec)
+    {
+        ws.read(buffer, ec);
+        ws.text(ws.got_text());
+        ws.write(buffer.data(), ec);
+    }
+
+    return 0;
+}
diff --git a/projects/boost/build.sh b/projects/boost/build.sh
@@ -51,6 +51,11 @@ $CXX $CXXFLAGS -I . ../boost_uuid_fuzzer.cc $LIB_FUZZING_ENGINE -o boost_uuid_fu
 #boost programoptions
 $CXX $CXXFLAGS -I . ../boost_programoptions_fuzzer.cc $LIB_FUZZING_ENGINE -o boost_programoptions_fuzzer stage/lib/libboost_program_options.a
 
+#boost beast
+$CXX $CXXFLAGS -I . ../boost_beast_request_fuzzer.cc $LIB_FUZZING_ENGINE -o boost_beast_request_fuzzer
+$CXX $CXXFLAGS -I . ../boost_beast_response_fuzzer.cc $LIB_FUZZING_ENGINE -o boost_beast_response_fuzzer
+$CXX $CXXFLAGS -I . ../boost_beast_ws_server_fuzzer.cc $LIB_FUZZING_ENGINE -o boost_beast_ws_server_fuzzer
+
 # Copy the fuzzer executables, zip-ed corpora, option and dictionary files to $OUT
 find . -name '*_fuzzer' -exec cp -v '{}' $OUT ';'
 # find . -name '*_fuzzer.dict' -exec cp -v '{}' $OUT ';'     # If you have dictionaries.