
D9002.diff


diff --git a/src/test/fuzz/http_request.cpp b/src/test/fuzz/http_request.cpp
--- a/src/test/fuzz/http_request.cpp
+++ b/src/test/fuzz/http_request.cpp
@@ -4,6 +4,7 @@
#include <httpserver.h>
#include <netaddress.h>
+#include <util/strencodings.h>
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
@@ -51,7 +52,19 @@
const std::vector<uint8_t> http_buffer =
ConsumeRandomLengthByteVector(fuzzed_data_provider, 4096);
evbuffer_add(evbuf, http_buffer.data(), http_buffer.size());
- if (evhttp_parse_firstline_(evreq, evbuf) != 1 ||
+ // Avoid constructing requests that will be interpreted by libevent as PROXY
+ // requests to avoid triggering a nullptr dereference. The dereference
+ // (req->evcon->http_server) takes place in evhttp_parse_request_line and is
+ // a consequence of our hacky but necessary use of the internal function
+ // evhttp_parse_firstline_ in this fuzzing harness. The workaround is not
+ // aesthetically pleasing, but it successfully avoids the troublesome code
+ // path. " http:// HTTP/1.1\n" was a crashing input prior to this
+ // workaround.
+ const std::string http_buffer_str =
+ ToLower({http_buffer.begin(), http_buffer.end()});
+ if (http_buffer_str.find(" http://") != std::string::npos ||
+ http_buffer_str.find(" https://") != std::string::npos ||
+ evhttp_parse_firstline_(evreq, evbuf) != 1 ||
evhttp_parse_headers_(evreq, evbuf) != 1) {
evbuffer_free(evbuf);
evhttp_request_free(evreq);
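Review bot: The new guard scans the entire fuzz buffer for " http://" / " https://", but the libevent code path it works around only looks at the request line, so any input whose headers or body happen to contain such a substring (a Referer or Location header, for instance) is now discarded before evhttp_parse_firstline_ and evhttp_parse_headers_ ever run, which narrows coverage of the header parser for no safety gain. Restricting the check to the first line keeps the workaround while preserving that coverage: `const std::string request_line = http_buffer_str.substr(0, http_buffer_str.find('\n'));` and then `if (request_line.find(" http://") != std::string::npos || request_line.find(" https://") != std::string::npos ||`. I have not verified which exact URI forms libevent classifies as proxy requests in the version used here, so it may also be worth a short comment noting that the substring check is tied to the " http:// HTTP/1.1\n" crashing input and not a full replica of libevent's detection, so that a future crash with a different URI form is not a surprise. The enclosing harness function starts before this hunk.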
