diff --git a/src/test/fuzz/http_request.cpp b/src/test/fuzz/http_request.cpp index 9b4dee0ca..2ff8bb1de 100644 --- a/src/test/fuzz/http_request.cpp +++ b/src/test/fuzz/http_request.cpp @@ -1,80 +1,93 @@ // Copyright (c) 2020 The Bitcoin Core developers // Distributed under the MIT software license, see the accompanying // file COPYING or http://www.opensource.org/licenses/mit-license.php. #include #include +#include #include #include #include #include #include #include #include #include #include #include #include // workaround for libevent versions before 2.1.1, // when internal functions didn't have underscores at the end #if LIBEVENT_VERSION_NUMBER < 0x02010100 extern "C" int evhttp_parse_firstline(struct evhttp_request *, struct evbuffer *); extern "C" int evhttp_parse_headers(struct evhttp_request *, struct evbuffer *); inline int evhttp_parse_firstline_(struct evhttp_request *r, struct evbuffer *b) { return evhttp_parse_firstline(r, b); } inline int evhttp_parse_headers_(struct evhttp_request *r, struct evbuffer *b) { return evhttp_parse_headers(r, b); } #else extern "C" int evhttp_parse_firstline_(struct evhttp_request *, struct evbuffer *); extern "C" int evhttp_parse_headers_(struct evhttp_request *, struct evbuffer *); #endif std::string RequestMethodString(HTTPRequest::RequestMethod m); void test_one_input(const std::vector &buffer) { FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()}; evhttp_request *evreq = evhttp_request_new(nullptr, nullptr); assert(evreq != nullptr); evreq->kind = EVHTTP_REQUEST; evbuffer *evbuf = evbuffer_new(); assert(evbuf != nullptr); const std::vector http_buffer = ConsumeRandomLengthByteVector(fuzzed_data_provider, 4096); evbuffer_add(evbuf, http_buffer.data(), http_buffer.size()); - if (evhttp_parse_firstline_(evreq, evbuf) != 1 || + // Avoid constructing requests that will be interpreted by libevent as PROXY + // requests to avoid triggering a nullptr dereference. The dereference + // (req->evcon->http_server) takes place in evhttp_parse_request_line and is + // a consequence of our hacky but necessary use of the internal function + // evhttp_parse_firstline_ in this fuzzing harness. The workaround is not + // aesthetically pleasing, but it successfully avoids the troublesome code + // path. " http:// HTTP/1.1\n" was a crashing input prior to this + // workaround. + const std::string http_buffer_str = + ToLower({http_buffer.begin(), http_buffer.end()}); + if (http_buffer_str.find(" http://") != std::string::npos || + http_buffer_str.find(" https://") != std::string::npos || + evhttp_parse_firstline_(evreq, evbuf) != 1 || evhttp_parse_headers_(evreq, evbuf) != 1) { evbuffer_free(evbuf); evhttp_request_free(evreq); return; } HTTPRequest http_request{evreq, true}; const HTTPRequest::RequestMethod request_method = http_request.GetRequestMethod(); (void)RequestMethodString(request_method); (void)http_request.GetURI(); (void)http_request.GetHeader("Host"); const std::string header = fuzzed_data_provider.ConsumeRandomLengthString(16); (void)http_request.GetHeader(header); (void)http_request.WriteHeader( header, fuzzed_data_provider.ConsumeRandomLengthString(16)); (void)http_request.GetHeader(header); const std::string body = http_request.ReadBody(); assert(body.empty()); const CService service = http_request.GetPeer(); assert(service.ToString() == "[::]:0"); evbuffer_free(evbuf); evhttp_request_free(evreq); }