Port fuzz_http to use fuzzing_common.

Move common logic from fuzz_http to fuzzing_common.

src/test/fuzz/fuzz_descriptor.c

@@ -11,6 +11,12 @@ fuzz_init(void)
   return 0;
 }
 
+int
+fuzz_cleanup(void)
+{
+  return 0;
+}
+
 int
 fuzz_main(const uint8_t *data, size_t sz)
 {

src/test/fuzz/fuzz_http.c

@@ -4,6 +4,7 @@
 #include "orconfig.h"
 
 #define BUFFERS_PRIVATE
+#define DIRECTORY_PRIVATE
 
 #include "or.h"
 #include "backtrace.h"
@@ -13,11 +14,7 @@
 #include "directory.h"
 #include "torlog.h"
 
-/* Silence compiler warnings about a missing extern */
+#include "fuzzing.h"
-extern const char tor_git_revision[];
-const char tor_git_revision[] = "";
-
-#define MAX_FUZZ_SIZE (2*MAX_HEADERS_SIZE + MAX_DIR_UL_SIZE)
 
 static int mock_get_options_calls = 0;
 static or_options_t *mock_options = NULL;
@@ -47,101 +44,45 @@ mock_connection_write_to_buf_impl_(const char *string, size_t len,
             zlib ? "Compressed " : "", len, conn, string);
 }
 
-/* Read a directory command (including HTTP headers) from stdin, parse it, and
- * output what tor parsed */
 int
-main(int c, char** v)
+fuzz_init(void)
 {
-  /* Disable logging by default to speed up fuzzing. */
-  int loglevel = LOG_ERR;
-
-  /* Initialise logging first */
-  init_logging(1);
-  configure_backtrace_handler(get_version());
-
-  for (int i = 1; i < c; ++i) {
-    if (!strcmp(v[i], "--warn")) {
-      loglevel = LOG_WARN;
-    } else if (!strcmp(v[i], "--notice")) {
-      loglevel = LOG_NOTICE;
-    } else if (!strcmp(v[i], "--info")) {
-      loglevel = LOG_INFO;
-    } else if (!strcmp(v[i], "--debug")) {
-      loglevel = LOG_DEBUG;
-    }
-  }
-
-  {
-    log_severity_list_t s;
-    memset(&s, 0, sizeof(s));
-    set_log_severity_config(loglevel, LOG_ERR, &s);
-    /* ALWAYS log bug warnings. */
-    s.masks[LOG_WARN-LOG_ERR] |= LD_BUG;
-    add_stream_log(&s, "", fileno(stdout));
-  }
-
-  /* Make BUG() and nonfatal asserts crash */
-  tor_set_failed_assertion_callback(abort);
-
-  /* Set up fake variables */
-  dir_connection_t dir_conn;
-  int rv = -1;
-  ssize_t data_size = -1;
-  char *stdin_buf = tor_malloc(MAX_FUZZ_SIZE+1);
-
-  /* directory_handle_command checks some tor options
-   * just make them all 0 */
   mock_options = tor_malloc(sizeof(or_options_t));
   reset_options(mock_options, &mock_get_options_calls);
   MOCK(get_options, mock_get_options);
+  /* Set up fake response handler */
+  MOCK(connection_write_to_buf_impl_, mock_connection_write_to_buf_impl_);
+  return 0;
+}
+
+int
+fuzz_cleanup(void)
+{
+  tor_free(mock_options);
+  UNMOCK(get_options);
+  UNMOCK(connection_write_to_buf_impl_);
+  return 0;
+}
+
+int
+fuzz_main(const uint8_t *stdin_buf, size_t data_size)
+{
+  dir_connection_t dir_conn;
 
   /* Set up the fake connection */
   memset(&dir_conn, 0, sizeof(dir_connection_t));
   dir_conn.base_.type = CONN_TYPE_DIR;
-
-  /* Set up fake response handler */
-  MOCK(connection_write_to_buf_impl_, mock_connection_write_to_buf_impl_);
-
-/*
-afl extension - loop and reset state after parsing
-likely needs to reset the allocation data structures and counts as well
-#ifdef __AFL_HAVE_MANUAL_CONTROL
-  while (__AFL_LOOP(1000)) {
-#endif
-*/
-
-  /* Initialise the data structures */
-  memset(stdin_buf, 0, MAX_FUZZ_SIZE+1);
-
   /* Apparently tor sets this before directory_handle_command() is called. */
   dir_conn.base_.address = tor_strdup("replace-this-address.example.com");
 
-#ifdef __AFL_HAVE_MANUAL_CONTROL
+  dir_conn.base_.inbuf = buf_new_with_data((char*)stdin_buf, data_size);
-  /* Tell AFL to pause and fork here - ignored if not using AFL */
-  __AFL_INIT();
-#endif
-
-  /* Read the data */
-  data_size = read(STDIN_FILENO, stdin_buf, MAX_FUZZ_SIZE);
-  tor_assert(data_size != -1);
-  tor_assert(data_size <= MAX_FUZZ_SIZE);
-  stdin_buf[data_size] = '\0';
-  tor_assert(strlen(stdin_buf) >= 0);
-  tor_assert(strlen(stdin_buf) <= MAX_FUZZ_SIZE);
-
-  log_debug(LD_GENERAL, "Input-Length:\n%zu\n", data_size);
-  log_debug(LD_GENERAL, "Input:\n%s\n", stdin_buf);
-
-  /* Copy the stdin data into the buffer */
-  tor_assert(data_size >= 0);
-  dir_conn.base_.inbuf = buf_new_with_data(stdin_buf, (size_t)data_size);
   if (!dir_conn.base_.inbuf) {
     log_debug(LD_GENERAL, "Zero-Length-Input\n");
     return 0;
   }
 
   /* Parse the headers */
-  rv = directory_handle_command(&dir_conn);
+  int rv = directory_handle_command(&dir_conn);
 
   /* TODO: check the output is correctly parsed based on the input */
 
@@ -152,23 +93,10 @@ likely needs to reset the allocation data structures and counts as well
 
   log_debug(LD_GENERAL, "Result:\n%d\n", rv);
 
-  /* Reset */
+  /* Reset. */
   tor_free(dir_conn.base_.address);
-
   buf_free(dir_conn.base_.inbuf);
   dir_conn.base_.inbuf = NULL;
 
-/*
+  return 0;
-#ifdef __AFL_HAVE_MANUAL_CONTROL
-  }
-#endif
-*/
-
-  /* Cleanup */
-  tor_free(mock_options);
-  UNMOCK(get_options);
-
-  UNMOCK(connection_write_to_buf_impl_);
-
-  tor_free(stdin_buf);
 }

src/test/fuzz/fuzzing.h

@@ -2,6 +2,7 @@
 #define FUZZING_H
 
 int fuzz_init(void);
+int fuzz_cleanup(void);
 int fuzz_main(const uint8_t *data, size_t sz);
 
 #endif /* FUZZING_H */

src/test/fuzz/fuzzing_common.c

@@ -1,8 +1,7 @@
 #include "orconfig.h"
-#include "torint.h"
+#include "or.h"
-#include "util.h"
-#include "torlog.h"
 #include "backtrace.h"
+#include "config.h"
 #include "fuzzing.h"
 
 extern const char tor_git_revision[];
@@ -28,23 +27,56 @@ int
 main(int argc, char **argv)
 {
   size_t size;
-  char *input = read_file_to_str_until_eof(0, MAX_FUZZ_SIZE, &size);
 
   tor_threads_init();
   init_logging(1);
 
-  if (argc > 1 && !strcmp(argv[1], "--info")) {
+  /* Disable logging by default to speed up fuzzing. */
-    log_severity_list_t sev;
+  int loglevel = LOG_ERR;
-    set_log_severity_config(LOG_INFO, LOG_ERR, &sev);
+
-    add_stream_log(&sev, "stdout", 1);
+  /* Initialise logging first */
-    configure_backtrace_handler(NULL);
+  init_logging(1);
+  configure_backtrace_handler(get_version());
+
+  for (int i = 1; i < argc; ++i) {
+    if (!strcmp(argv[i], "--warn")) {
+      loglevel = LOG_WARN;
+    } else if (!strcmp(argv[i], "--notice")) {
+      loglevel = LOG_NOTICE;
+    } else if (!strcmp(argv[i], "--info")) {
+      loglevel = LOG_INFO;
+    } else if (!strcmp(argv[i], "--debug")) {
+      loglevel = LOG_DEBUG;
+    }
   }
 
-  tor_assert(input);
+  {
+    log_severity_list_t s;
+    memset(&s, 0, sizeof(s));
+    set_log_severity_config(loglevel, LOG_ERR, &s);
+    /* ALWAYS log bug warnings. */
+    s.masks[LOG_WARN-LOG_ERR] |= LD_BUG;
+    add_stream_log(&s, "", fileno(stdout));
+  }
+
+  /* Make BUG() and nonfatal asserts crash */
+  tor_set_failed_assertion_callback(abort);
+
   if (fuzz_init() < 0)
     abort();
+
+#ifdef __AFL_HAVE_MANUAL_CONTROL
+  /* Tell AFL to pause and fork here - ignored if not using AFL */
+  __AFL_INIT();
+#endif
+
+  char *input = read_file_to_str_until_eof(0, MAX_FUZZ_SIZE, &size);
+  tor_assert(input);
   fuzz_main((const uint8_t*)input, size);
   tor_free(input);
+
+  if (fuzz_cleanup() < 0)
+    abort();
   return 0;
 }
 

src/test/fuzz/include.am

@@ -21,7 +21,7 @@ FUZZING_LIBS = \
 
 
 noinst_HEADERS += \
-	src/test/fuzz/fuzzing_boilerplate.h
+	src/test/fuzz/fuzzing.h
 
 src_test_fuzz_fuzz_descriptor_SOURCES = \
 	src/test/fuzz/fuzzing_common.c \