fuzzer: add several new CURLOPT types and the ability to generate them

Plus bump the size of FUZZ_CURLOPT_TRACKER_SPACE so that the main fuzz
harness uses memory for tracking CURLOPTs correctly.

Co-authored-by: Shaun Mirani <[email protected]>

Author: 2 people

corpus.py

@@ -48,6 +48,17 @@ class BaseType(object):
     TYPE_MAIL_AUTH = 39
     TYPE_HTTP_VERSION = 40
     TYPE_DOH_URL = 41
+    TYPE_LOGIN_OPTIONS = 42
+    TYPE_XOAUTH2_BEARER = 43
+    TYPE_USERPWD = 44
+    TYPE_USERAGENT = 45
+    TYPE_NETRC = 46
+    TYPE_SSH_HOST_PUBLIC_KEY_SHA256 = 47
+    TYPE_POST = 48
+    TYPE_WS_OPTIONS = 49
+    TYPE_CONNECT_ONLY = 50
+    TYPE_HSTS = 51
+    TYPE_HTTPPOSTBODY = 52 # https://curl.se/libcurl/c/CURLOPT_HTTPPOST.html
 
     TYPEMAP = {
         TYPE_URL: "CURLOPT_URL",
@@ -91,6 +102,17 @@ class BaseType(object):
         TYPE_MAIL_AUTH: "CURLOPT_MAIL_AUTH",
         TYPE_HTTP_VERSION: "CURLOPT_HTTP_VERSION",
         TYPE_DOH_URL: "CURLOPT_DOH_URL",
+        TYPE_LOGIN_OPTIONS: "CURLOPT_LOGIN_OPTIONS",
+        TYPE_XOAUTH2_BEARER: "CURLOPT_XOAUTH2_BEARER",
+        TYPE_USERPWD: "CURLOPT_USERPWD",
+        TYPE_USERAGENT: "CURLOPT_USERAGENT",
+        TYPE_NETRC: "CURLOPT_NETRC",
+        TYPE_SSH_HOST_PUBLIC_KEY_SHA256: "CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256",
+        TYPE_POST: "CURLOPT_POST",
+        TYPE_WS_OPTIONS: "CURLOPT_WS_OPTIONS",
+        TYPE_CONNECT_ONLY: "CURLOPT_CONNECT_ONLY",
+        TYPE_HSTS: "CURLOPT_HSTS",
+        TYPE_HTTPPOSTBODY: "CURLOPT_HTTPPOST",
     }
 
 

curl_fuzzer.cc

@@ -89,6 +89,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     curl_easy_setopt(fuzz.easy, CURLOPT_MIMEPOST, fuzz.mime);
   }
 
+  if (fuzz.httppost != NULL) {
+    curl_easy_setopt(fuzz.easy, CURLOPT_HTTPPOST, fuzz.httppost);
+  }
+
   /* Run the transfer. */
   fuzz_handle_transfer(&fuzz);
 
@@ -252,6 +256,20 @@ void fuzz_terminate_fuzz_data(FUZZ_DATA *fuzz)
     curl_easy_cleanup(fuzz->easy);
     fuzz->easy = NULL;
   }
+
+  /* When you have passed the struct curl_httppost pointer to curl_easy_setopt
+   * (using the CURLOPT_HTTPPOST option), you must not free the list until after
+   *  you have called curl_easy_cleanup for the curl handle.
+   *  https://curl.se/libcurl/c/curl_formadd.html */
+  if (fuzz->httppost != NULL) {
+    curl_formfree(fuzz->httppost);
+    fuzz->httppost = NULL;
+  }
+
+  // free after httppost and last_post_part.
+  if (fuzz->post_body != NULL) {
+    fuzz_free((void **)&fuzz->post_body);
+  }
 }
 
 /**

curl_fuzzer.h

@@ -26,47 +26,58 @@
 /**
  * TLV types.
  */
-#define TLV_TYPE_URL                    1
-#define TLV_TYPE_RESPONSE0              2
-#define TLV_TYPE_USERNAME               3
-#define TLV_TYPE_PASSWORD               4
-#define TLV_TYPE_POSTFIELDS             5
-#define TLV_TYPE_HEADER                 6
-#define TLV_TYPE_COOKIE                 7
-#define TLV_TYPE_UPLOAD1                8
-#define TLV_TYPE_RANGE                  9
-#define TLV_TYPE_CUSTOMREQUEST          10
-#define TLV_TYPE_MAIL_RECIPIENT         11
-#define TLV_TYPE_MAIL_FROM              12
-#define TLV_TYPE_MIME_PART              13
-#define TLV_TYPE_MIME_PART_NAME         14
-#define TLV_TYPE_MIME_PART_DATA         15
-#define TLV_TYPE_HTTPAUTH               16
-#define TLV_TYPE_RESPONSE1              17
-#define TLV_TYPE_RESPONSE2              18
-#define TLV_TYPE_RESPONSE3              19
-#define TLV_TYPE_RESPONSE4              20
-#define TLV_TYPE_RESPONSE5              21
-#define TLV_TYPE_RESPONSE6              22
-#define TLV_TYPE_RESPONSE7              23
-#define TLV_TYPE_RESPONSE8              24
-#define TLV_TYPE_RESPONSE9              25
-#define TLV_TYPE_RESPONSE10             26
-#define TLV_TYPE_OPTHEADER              27
-#define TLV_TYPE_NOBODY                 28
-#define TLV_TYPE_FOLLOWLOCATION         29
-#define TLV_TYPE_ACCEPTENCODING         30
-#define TLV_TYPE_SECOND_RESPONSE0       31
-#define TLV_TYPE_SECOND_RESPONSE1       32
-#define TLV_TYPE_WILDCARDMATCH          33
-#define TLV_TYPE_RTSP_REQUEST           34
-#define TLV_TYPE_RTSP_SESSION_ID        35
-#define TLV_TYPE_RTSP_STREAM_URI        36
-#define TLV_TYPE_RTSP_TRANSPORT         37
-#define TLV_TYPE_RTSP_CLIENT_CSEQ       38
-#define TLV_TYPE_MAIL_AUTH              39
-#define TLV_TYPE_HTTP_VERSION           40
-#define TLV_TYPE_DOH_URL                41
+#define TLV_TYPE_URL                    	1
+#define TLV_TYPE_RESPONSE0              	2
+#define TLV_TYPE_USERNAME               	3
+#define TLV_TYPE_PASSWORD               	4
+#define TLV_TYPE_POSTFIELDS             	5
+#define TLV_TYPE_HEADER                 	6
+#define TLV_TYPE_COOKIE                 	7
+#define TLV_TYPE_UPLOAD1                	8
+#define TLV_TYPE_RANGE                  	9
+#define TLV_TYPE_CUSTOMREQUEST          	10
+#define TLV_TYPE_MAIL_RECIPIENT         	11
+#define TLV_TYPE_MAIL_FROM              	12
+#define TLV_TYPE_MIME_PART              	13
+#define TLV_TYPE_MIME_PART_NAME         	14
+#define TLV_TYPE_MIME_PART_DATA         	15
+#define TLV_TYPE_HTTPAUTH               	16
+#define TLV_TYPE_RESPONSE1              	17
+#define TLV_TYPE_RESPONSE2              	18
+#define TLV_TYPE_RESPONSE3              	19
+#define TLV_TYPE_RESPONSE4              	20
+#define TLV_TYPE_RESPONSE5              	21
+#define TLV_TYPE_RESPONSE6              	22
+#define TLV_TYPE_RESPONSE7              	23
+#define TLV_TYPE_RESPONSE8              	24
+#define TLV_TYPE_RESPONSE9              	25
+#define TLV_TYPE_RESPONSE10             	26
+#define TLV_TYPE_OPTHEADER              	27
+#define TLV_TYPE_NOBODY                 	28
+#define TLV_TYPE_FOLLOWLOCATION         	29
+#define TLV_TYPE_ACCEPTENCODING         	30
+#define TLV_TYPE_SECOND_RESPONSE0       	31
+#define TLV_TYPE_SECOND_RESPONSE1       	32
+#define TLV_TYPE_WILDCARDMATCH          	33
+#define TLV_TYPE_RTSP_REQUEST           	34
+#define TLV_TYPE_RTSP_SESSION_ID        	35
+#define TLV_TYPE_RTSP_STREAM_URI        	36
+#define TLV_TYPE_RTSP_TRANSPORT         	37
+#define TLV_TYPE_RTSP_CLIENT_CSEQ       	38
+#define TLV_TYPE_MAIL_AUTH              	39
+#define TLV_TYPE_HTTP_VERSION           	40
+#define TLV_TYPE_DOH_URL             	   	41
+#define TLV_TYPE_LOGIN_OPTIONS			42
+#define TLV_TYPE_XOAUTH2_BEARER			43
+#define TLV_TYPE_USERPWD			44
+#define TLV_TYPE_USERAGENT			45
+#define TLV_TYPE_NETRC				46
+#define TLV_TYPE_SSH_HOST_PUBLIC_KEY_SHA256	47
+#define TLV_TYPE_POST				48
+#define TLV_TYPE_WS_OPTIONS			49
+#define TLV_TYPE_CONNECT_ONLY			50
+#define TLV_TYPE_HSTS				51
+#define TLV_TYPE_HTTPPOSTBODY			52
 
 /**
  * TLV function return codes.
@@ -81,6 +92,9 @@
 /* Maximum write size in bytes to stop unbounded writes (50MB) */
 #define MAXIMUM_WRITE_LENGTH            52428800
 
+/* convenience string for HTTPPOST body name */
+#define	FUZZ_HTTPPOST_NAME		"test"
+
 /* Cookie-jar path. */
 #define FUZZ_COOKIE_JAR_PATH            "/dev/null"
 
@@ -91,7 +105,7 @@
 #define TLV_MAX_NUM_CURLOPT_HEADER      2000
 
 /* Space variable for all CURLOPTs. */
-#define FUZZ_CURLOPT_TRACKER_SPACE      300
+#define FUZZ_CURLOPT_TRACKER_SPACE      500
 
 /* Number of connections allowed to be opened */
 #define FUZZ_NUM_CONNECTIONS            2
@@ -211,6 +225,11 @@ typedef struct fuzz_data
   curl_mime *mime;
   curl_mimepart *part;
 
+  /* httppost data */
+  struct curl_httppost *httppost;
+  struct curl_httppost *last_post_part;
+  char *post_body;
+
   /* Server socket managers. Primarily socket manager 0 is used, but some
      protocols (FTP) use two sockets. */
   FUZZ_SOCKET_MANAGER sockman[FUZZ_NUM_CONNECTIONS];
@@ -248,7 +267,7 @@ int fuzz_get_next_tlv(FUZZ_DATA *fuzz, TLV *tlv);
 int fuzz_get_tlv_comn(FUZZ_DATA *fuzz, TLV *tlv);
 int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv);
 char *fuzz_tlv_to_string(TLV *tlv);
-
+void fuzz_setup_http_post(FUZZ_DATA *fuzz, TLV *tlv);
 int fuzz_add_mime_part(TLV *src_tlv, curl_mimepart *part);
 int fuzz_parse_mime_tlv(curl_mimepart *part, TLV *tlv);
 int fuzz_handle_transfer(FUZZ_DATA *fuzz);

curl_fuzzer_tlv.cc

@@ -162,6 +162,7 @@ int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv)
 
       /* This TLV may have sub TLVs. */
       fuzz_add_mime_part(tlv, fuzz->part);
+
       break;
 
     case TLV_TYPE_POSTFIELDS:
@@ -170,6 +171,12 @@ int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv)
       FSET_OPTION(fuzz, CURLOPT_POSTFIELDS, fuzz->postfields);
       break;
 
+    case TLV_TYPE_HTTPPOSTBODY:
+      FCHECK_OPTION_UNSET(fuzz, CURLOPT_HTTPPOST);
+      fuzz_setup_http_post(fuzz, tlv);
+      FSET_OPTION(fuzz, CURLOPT_HTTPPOST, fuzz->httppost);
+      break;
+
     /* Define a set of u32 options. */
     FU32TLV(fuzz, TLV_TYPE_HTTPAUTH, CURLOPT_HTTPAUTH);
     FU32TLV(fuzz, TLV_TYPE_OPTHEADER, CURLOPT_HEADER);
@@ -179,6 +186,10 @@ int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv)
     FU32TLV(fuzz, TLV_TYPE_RTSP_REQUEST, CURLOPT_RTSP_REQUEST);
     FU32TLV(fuzz, TLV_TYPE_RTSP_CLIENT_CSEQ, CURLOPT_RTSP_CLIENT_CSEQ);
     FU32TLV(fuzz, TLV_TYPE_HTTP_VERSION, CURLOPT_HTTP_VERSION);
+    FU32TLV(fuzz, TLV_TYPE_NETRC, CURLOPT_NETRC);
+    FU32TLV(fuzz, TLV_TYPE_WS_OPTIONS, CURLOPT_WS_OPTIONS);
+    FU32TLV(fuzz, TLV_TYPE_CONNECT_ONLY, CURLOPT_CONNECT_ONLY);
+    FU32TLV(fuzz, TLV_TYPE_POST, CURLOPT_POST);
 
     /* Define a set of singleton TLVs - they can only have their value set once
        and all follow the same pattern. */
@@ -195,6 +206,12 @@ int fuzz_parse_tlv(FUZZ_DATA *fuzz, TLV *tlv)
     FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_STREAM_URI, CURLOPT_RTSP_STREAM_URI);
     FSINGLETONTLV(fuzz, TLV_TYPE_RTSP_TRANSPORT, CURLOPT_RTSP_TRANSPORT);
     FSINGLETONTLV(fuzz, TLV_TYPE_MAIL_AUTH, CURLOPT_MAIL_AUTH);
+    FSINGLETONTLV(fuzz, TLV_TYPE_LOGIN_OPTIONS, CURLOPT_LOGIN_OPTIONS);
+    FSINGLETONTLV(fuzz, TLV_TYPE_XOAUTH2_BEARER, CURLOPT_XOAUTH2_BEARER);
+    FSINGLETONTLV(fuzz, TLV_TYPE_USERPWD, CURLOPT_USERPWD);
+    FSINGLETONTLV(fuzz, TLV_TYPE_USERAGENT, CURLOPT_USERAGENT);
+    FSINGLETONTLV(fuzz, TLV_TYPE_SSH_HOST_PUBLIC_KEY_SHA256, CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256);
+    FSINGLETONTLV(fuzz, TLV_TYPE_HSTS, CURLOPT_HSTS);
 
     default:
       /* The fuzzer generates lots of unknown TLVs - we don't want these in the
@@ -231,6 +248,32 @@ char *fuzz_tlv_to_string(TLV *tlv)
   return tlvstr;
 }
 
+/* set up for CURLOPT_HTTPPOST, an alternative API to CURLOPT_MIMEPOST */
+void fuzz_setup_http_post(FUZZ_DATA *fuzz, TLV *tlv)
+{
+  if (fuzz->httppost == NULL) {
+    struct curl_httppost *post = NULL;
+    struct curl_httppost *last = NULL;
+
+    fuzz->post_body = fuzz_tlv_to_string(tlv);
+    
+    /* This is just one of several possible entrypoints to 
+     * the HTTPPOST API. see https://curl.se/libcurl/c/curl_formadd.html
+     * for lots of others which could be added here. 
+     */
+    curl_formadd(&post, &last,
+		 CURLFORM_COPYNAME, FUZZ_HTTPPOST_NAME,
+		 CURLFORM_PTRCONTENTS, fuzz->post_body,
+		 CURLFORM_CONTENTLEN, (curl_off_t) strlen(fuzz->post_body),
+		 CURLFORM_END);
+
+    fuzz->last_post_part = last;
+    fuzz->httppost = post;
+  }
+
+  return;
+}
+
 /**
  * Extract the values from the TLV.
  */

generate_corpus.py

@@ -7,6 +7,7 @@
 import os
 import sys
 import corpus
+from corpus_curl_opt_http_auth import CurlOptHttpAuth
 log = logging.getLogger(__name__)
 
 
@@ -44,6 +45,7 @@ def generate_corpus(options):
         enc.maybe_write_string(enc.TYPE_USERNAME, options.username)
         enc.maybe_write_string(enc.TYPE_PASSWORD, options.password)
         enc.maybe_write_string(enc.TYPE_POSTFIELDS, options.postfields)
+        enc.maybe_write_string(enc.TYPE_HTTPPOSTBODY, options.postbody)
         enc.maybe_write_string(enc.TYPE_COOKIE, options.cookie)
         enc.maybe_write_string(enc.TYPE_RANGE, options.range)
         enc.maybe_write_string(enc.TYPE_CUSTOMREQUEST, options.customrequest)
@@ -53,15 +55,40 @@ def generate_corpus(options):
         enc.maybe_write_string(enc.TYPE_RTSP_STREAM_URI, options.rtspstreamuri)
         enc.maybe_write_string(enc.TYPE_RTSP_TRANSPORT, options.rtsptransport)
         enc.maybe_write_string(enc.TYPE_MAIL_AUTH, options.mailauth)
+        enc.maybe_write_string(enc.TYPE_LOGIN_OPTIONS, options.loginoptions)
+        enc.maybe_write_string(enc.TYPE_XOAUTH2_BEARER, options.bearertoken)
+        enc.maybe_write_string(enc.TYPE_USERPWD, options.user_and_pass)
+        enc.maybe_write_string(enc.TYPE_USERAGENT, options.useragent)
+        enc.maybe_write_string(enc.TYPE_SSH_HOST_PUBLIC_KEY_SHA256, options.hostpksha256)
+        enc.maybe_write_string(enc.TYPE_HSTS, options.hsts)
 
-        enc.maybe_write_u32(enc.TYPE_HTTPAUTH, options.httpauth)
         enc.maybe_write_u32(enc.TYPE_OPTHEADER, options.optheader)
         enc.maybe_write_u32(enc.TYPE_NOBODY, options.nobody)
         enc.maybe_write_u32(enc.TYPE_FOLLOWLOCATION, options.followlocation)
         enc.maybe_write_u32(enc.TYPE_WILDCARDMATCH, options.wildcardmatch)
         enc.maybe_write_u32(enc.TYPE_RTSP_REQUEST, options.rtsprequest)
         enc.maybe_write_u32(enc.TYPE_RTSP_CLIENT_CSEQ, options.rtspclientcseq)
         enc.maybe_write_u32(enc.TYPE_HTTP_VERSION, options.httpversion)
+        enc.maybe_write_u32(enc.TYPE_NETRC, options.netrclevel)
+        enc.maybe_write_u32(enc.TYPE_CONNECT_ONLY, options.connectonly)
+
+        if options.httpauth:
+            # translate a string HTTP auth name to an unsigned long bitmask
+            # value in the format CURLOPT_HTTPAUTH expects
+            log.debug(f"Mapping provided CURLOPT_HTTPAUTH='{options.httpauth}' "
+                f"to {CurlOptHttpAuth[options.httpauth].value}L (ulong)")
+            http_auth_value = CurlOptHttpAuth[options.httpauth].value
+            enc.maybe_write_u32(enc.TYPE_HTTPAUTH, http_auth_value)
+
+        if options.wsoptions:
+            # can only be 1 or unset currently.
+            # https://curl.se/libcurl/c/CURLOPT_WS_OPTIONS.html
+            enc.write_u32(enc.TYPE_WS_OPTIONS, 1)
+
+        if options.post:
+            # can only be set to 1 or unset
+            # https://curl.se/libcurl/c/CURLOPT_POST.html
+            enc.write_u32(enc.TYPE_POST, 1)
 
         # Write the first upload to the file.
         if options.upload1:
@@ -96,14 +123,15 @@ def get_options():
     parser.add_argument("--username")
     parser.add_argument("--password")
     parser.add_argument("--postfields")
+    parser.add_argument("--postbody", type=str)
     parser.add_argument("--header", action="append")
     parser.add_argument("--cookie")
     parser.add_argument("--range")
     parser.add_argument("--customrequest")
     parser.add_argument("--mailfrom")
     parser.add_argument("--mailrecipient", action="append")
     parser.add_argument("--mimepart", action="append")
-    parser.add_argument("--httpauth", type=int)
+    parser.add_argument("--httpauth", type=str)
     parser.add_argument("--optheader", type=int)
     parser.add_argument("--nobody", type=int)
     parser.add_argument("--followlocation", type=int)
@@ -116,6 +144,16 @@ def get_options():
     parser.add_argument("--rtspclientcseq", type=int)
     parser.add_argument("--mailauth")
     parser.add_argument("--httpversion", type=int)
+    parser.add_argument("--loginoptions", type=str)
+    parser.add_argument("--bearertoken", type=str)
+    parser.add_argument("--user_and_pass", type=str)
+    parser.add_argument("--useragent", type=str)
+    parser.add_argument("--netrclevel", type=int)
+    parser.add_argument("--hostpksha256", type=str)
+    parser.add_argument("--wsoptions", action='store_true')
+    parser.add_argument("--connectonly", type=int)
+    parser.add_argument("--post", action='store_true')
+    parser.add_argument("--hsts")
 
     upload1 = parser.add_mutually_exclusive_group()
     upload1.add_argument("--upload1")