libevent: extend fuzzing suite (#11052)

Signed-off-by: David Korczynski <[email protected]>

Author: DavidKorczynski

projects/libevent/Dockerfile

@@ -17,5 +17,6 @@
 FROM gcr.io/oss-fuzz-base/base-builder
 RUN apt-get update && apt-get install -y cmake make
 RUN git clone --depth 1 https://github.com/libevent/libevent.git libevent
+RUN git clone --depth 1 https://github.com/google/fuzzing fuzzing
 WORKDIR libevent
 COPY build.sh *.cc *.c $SRC/

projects/libevent/build.sh

@@ -44,3 +44,5 @@ then
       ./lib/libevent_pthreads.a ./lib/libevent_extra.a \
       -o $OUT/fuzz_request
 fi
+
+cp $SRC/fuzzing/dictionaries/http.dict $OUT/http_fuzzer2.dict

projects/libevent/http_fuzzer.cc

@@ -32,12 +32,25 @@ extern "C" {
 }
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-  if (size < 1) {
+  if (size < 5) {
     return 0;
   }
+
+  // Decider to determine which request type to parse.
+  uint8_t decider = data[0];
+  data++;
+  size--;
+  int maxHeaderSize = *(int*)data;
+  data += 4;
+  size -= 4;
+  if (maxHeaderSize < 0) {
+    return 0;
+  }
+
   // Prepare in case it's used.
   struct evhttp_connection evcon;
   evcon.ext_method_cmp = NULL;
+  evcon.max_headers_size = maxHeaderSize % 2048;
 
   struct evhttp *http_val = NULL;
   http_val = evhttp_new(NULL);
@@ -46,11 +59,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   }
   evcon.http_server = http_val;
 
-  // Decider to determine which request type to parse.
-  uint8_t decider = data[0];
-  data++;
-  size--;
-
   FuzzedDataProvider data_provider(data, size);
   std::string s1 = data_provider.ConsumeRandomLengthString();
 
@@ -84,6 +92,18 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     free(encoded);
   }
 
+  // Minor utils function
+  evhttp_htmlescape(s1.c_str());
+
+  // URI utils
+  struct evhttp_uri *uri;
+  uri = evhttp_uri_parse(s1.c_str());
+  if (uri != NULL) {
+    char uri_buf[256];
+    evhttp_uri_join(uri, uri_buf, 256);
+    evhttp_uri_free(uri);
+  }
+
   // Cleanup
   evhttp_request_free(req);
   evbuffer_free(buf);

projects/libevent/utils_fuzzer.cc

@@ -46,5 +46,24 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     evutil_freeaddrinfo(addr_info);
   }
 
+  int portnum=-1;
+  struct evutil_addrinfo *res = NULL;
+  struct evutil_addrinfo hints;
+
+  memset(&hints, 0, sizeof(hints));
+  hints.ai_family = PF_UNSPEC;
+  evutil_getaddrinfo_common_(NULL, s1.c_str(), &hints, &res, &portnum);
+  if (res != NULL) {
+    evutil_freeaddrinfo(res);
+  }
+
+  res = NULL;
+  memset(&hints, 0, sizeof(hints));
+  hints.ai_family = PF_UNSPEC;
+  evutil_getaddrinfo_common_(s1.c_str(), NULL, &hints, &res, &portnum);
+  if (res != NULL) {
+    evutil_freeaddrinfo(res);
+  }
+
   return 0;
 }