1*6777b538SAndroid Build Coastguard Worker // Copyright 2012 The Chromium Authors
2*6777b538SAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be
3*6777b538SAndroid Build Coastguard Worker // found in the LICENSE file.
4*6777b538SAndroid Build Coastguard Worker
5*6777b538SAndroid Build Coastguard Worker #include <stdint.h>
6*6777b538SAndroid Build Coastguard Worker #include <stdio.h>
7*6777b538SAndroid Build Coastguard Worker
8*6777b538SAndroid Build Coastguard Worker #include <limits>
9*6777b538SAndroid Build Coastguard Worker #include <memory>
10*6777b538SAndroid Build Coastguard Worker #include <sstream>
11*6777b538SAndroid Build Coastguard Worker #include <string>
12*6777b538SAndroid Build Coastguard Worker
13*6777b538SAndroid Build Coastguard Worker #include "base/memory/raw_ptr.h"
14*6777b538SAndroid Build Coastguard Worker #include "base/run_loop.h"
15*6777b538SAndroid Build Coastguard Worker #include "base/strings/utf_string_conversions.h"
16*6777b538SAndroid Build Coastguard Worker #include "base/threading/platform_thread.h"
17*6777b538SAndroid Build Coastguard Worker #include "build/build_config.h"
18*6777b538SAndroid Build Coastguard Worker #include "ipc/ipc_test_base.h"
19*6777b538SAndroid Build Coastguard Worker #include "testing/gtest/include/gtest/gtest.h"
20*6777b538SAndroid Build Coastguard Worker
21*6777b538SAndroid Build Coastguard Worker // IPC messages for testing ----------------------------------------------------
22*6777b538SAndroid Build Coastguard Worker
23*6777b538SAndroid Build Coastguard Worker #define IPC_MESSAGE_IMPL
24*6777b538SAndroid Build Coastguard Worker #include "ipc/ipc_message_macros.h"
25*6777b538SAndroid Build Coastguard Worker #include "ipc/ipc_message_start.h"
26*6777b538SAndroid Build Coastguard Worker
#define IPC_MESSAGE_START TestMsgStart

// Generic message class that is an int followed by a string16.
IPC_MESSAGE_CONTROL2(MsgClassIS, int, std::u16string)

// Generic message class that is a string16 followed by an int.
IPC_MESSAGE_CONTROL2(MsgClassSI, std::u16string, int)

// Message to create a mutex in the IPC server, using the received name.
// NOTE(review): not referenced by any test visible in this file; the server
// listener below only maps MsgClassIS and MsgClassSI.
IPC_MESSAGE_CONTROL2(MsgDoMutex, std::u16string, int)

// Used to generate an ID for a message that should not exist. The server
// replies with this type (payload: the offending type id) when a message it
// received could not be dispatched.
IPC_MESSAGE_CONTROL0(MsgUnhandled)
40*6777b538SAndroid Build Coastguard Worker
41*6777b538SAndroid Build Coastguard Worker // -----------------------------------------------------------------------------
42*6777b538SAndroid Build Coastguard Worker
43*6777b538SAndroid Build Coastguard Worker namespace {
44*6777b538SAndroid Build Coastguard Worker
TEST(IPCMessageIntegrity, ReadBeyondBufferStr) {
  // This was BUG 984408: the pickle holds only two ints, but the first one
  // claims a string length close to UINT32_MAX. ReadString() must reject the
  // length instead of using it to read past the end of the buffer.
  constexpr uint32_t kBogusLength = std::numeric_limits<uint32_t>::max() - 1;
  constexpr int kPayload = 666;
  IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
  m.WriteInt(static_cast<int>(kBogusLength));
  m.WriteInt(kPayload);

  std::string out;
  base::PickleIterator iter(m);
  EXPECT_FALSE(iter.ReadString(&out));
}
57*6777b538SAndroid Build Coastguard Worker
TEST(IPCMessageIntegrity, ReadBeyondBufferStr16) {
  // This was BUG 984408, string16 flavour: same two-int pickle with a length
  // prefix near UINT32_MAX; ReadString16() must fail rather than read beyond
  // the buffer.
  constexpr uint32_t kBogusLength = std::numeric_limits<uint32_t>::max() - 1;
  constexpr int kPayload = 777;
  IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
  m.WriteInt(static_cast<int>(kBogusLength));
  m.WriteInt(kPayload);

  std::u16string out;
  base::PickleIterator iter(m);
  EXPECT_FALSE(iter.ReadString16(&out));
}
70*6777b538SAndroid Build Coastguard Worker
TEST(IPCMessageIntegrity, ReadBytesBadIterator) {
  // This was BUG 1035467. A fresh iterator over a pickle holding two ints
  // must be able to hand out one int's worth of raw bytes.
  IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
  m.WriteInt(1);
  m.WriteInt(2);

  const char* bytes = nullptr;
  base::PickleIterator iter(m);
  EXPECT_TRUE(iter.ReadBytes(&bytes, sizeof(int)));
}
81*6777b538SAndroid Build Coastguard Worker
TEST(IPCMessageIntegrity, ReadVectorNegativeSize) {
  // A slight variation of BUG 984408. Note that the pickling of vector<char>
  // has a specialized template which is not vulnerable to this bug. So here
  // try to hit the non-specialized case vector<P>: a negative element count
  // must make ReadParam() fail.
  IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
  m.WriteInt(-1);  // Element count.
  for (int element : {1, 2, 3})
    m.WriteInt(element);

  base::PickleIterator iter(m);
  std::vector<double> out;
  EXPECT_FALSE(IPC::ReadParam(&m, &iter, &out));
}
96*6777b538SAndroid Build Coastguard Worker
#if BUILDFLAG(IS_ANDROID)
#define MAYBE_ReadVectorTooLarge1 DISABLED_ReadVectorTooLarge1
#else
#define MAYBE_ReadVectorTooLarge1 ReadVectorTooLarge1
#endif
TEST(IPCMessageIntegrity, MAYBE_ReadVectorTooLarge1) {
  // This was BUG 1006367. This is the large but positive length case. Again
  // we try to hit the non-specialized case vector<P>: the count claims far
  // more int64 elements than the two that are actually in the pickle, so
  // ReadParam() must fail.
  constexpr int kClaimedCount = 0x21000003;
  IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
  m.WriteInt(kClaimedCount);
  m.WriteInt64(1);
  m.WriteInt64(2);

  base::PickleIterator iter(m);
  std::vector<int64_t> out;
  EXPECT_FALSE(IPC::ReadParam(&m, &iter, &out));
}
114*6777b538SAndroid Build Coastguard Worker
TEST(IPCMessageIntegrity, ReadVectorTooLarge2) {
  // This was BUG 1006367. This is the large but positive case with an
  // additional integer overflow when computing the actual byte size:
  // 0x71000000 elements of 8 bytes is 0x388000000, which does not fit in 32
  // bits. Again we try to hit the non-specialized case vector<P>.
  constexpr int kClaimedCount = 0x71000000;
  IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
  m.WriteInt(kClaimedCount);
  m.WriteInt64(1);
  m.WriteInt64(2);

  base::PickleIterator iter(m);
  std::vector<int64_t> out;
  EXPECT_FALSE(IPC::ReadParam(&m, &iter, &out));
}
128*6777b538SAndroid Build Coastguard Worker
// This test needs ~20 seconds in Debug mode, or ~4 seconds in Release mode.
// See http://crbug.com/741866 for details.
TEST(IPCMessageIntegrity, DISABLED_ReadVectorTooLarge3) {
  // The count claims 256M ints (1 GiB at 4-byte ints) but only three follow;
  // ReadParam() must fail rather than trust the count.
  constexpr int kClaimedCount = 256 * 1024 * 1024;
  base::Pickle pickle;
  IPC::WriteParam(&pickle, kClaimedCount);
  for (int element : {0, 1, 2})
    IPC::WriteParam(&pickle, element);

  std::vector<int> out;
  base::PickleIterator iter(pickle);
  EXPECT_FALSE(IPC::ReadParam(&pickle, &iter, &out));
}
142*6777b538SAndroid Build Coastguard Worker
// State shared by both ends of the fuzzing channel: the sender used for
// replies and the RunLoop that is quit once the expected traffic was seen.
// Both pointers are non-owning; the owner must call Reset() (or destroy this
// listener) before the pointees go away.
class SimpleListener : public IPC::Listener {
 public:
  SimpleListener() = default;

  // Records where replies are sent.
  void Init(IPC::Sender* s) { other_ = s; }
  // Records the loop a subclass quits when it is done.
  void set_run_loop(base::RunLoop* loop) { loop_ = loop; }
  // Forgets both pointers.
  void Reset() {
    loop_ = nullptr;
    other_ = nullptr;
  }

 protected:
  raw_ptr<base::RunLoop> loop_ = nullptr;
  raw_ptr<IPC::Sender> other_ = nullptr;
};
157*6777b538SAndroid Build Coastguard Worker
// Routing id stamped on every reply the fuzzing server sends; the client side
// (FuzzerClientListener::MsgHandlerInternal) rejects replies without it.
enum {
  FUZZER_ROUTING_ID = 5
};
161*6777b538SAndroid Build Coastguard Worker
// The fuzzer server class. It runs in a child process and expects
// only two IPC calls; after that it exits the message loop which
// terminates the child process.
//
// Every control message gets exactly one reply routed to FUZZER_ROUTING_ID:
// its own type id if it deserialized and dispatched, otherwise MsgUnhandled
// carrying the offending type id as payload. That is how the parent tells
// "handled" from "rejected" for each probe it sends.
class FuzzerServerListener : public SimpleListener {
 public:
  FuzzerServerListener() = default;

  bool OnMessageReceived(const IPC::Message& msg) override {
    if (msg.routing_id() != MSG_ROUTING_CONTROL)
      return true;

    // A handler that runs calls Cleanup(), which takes this back to zero. If
    // it is still raised after dispatch nothing consumed the message - most
    // likely a deserialization failure - so report that explicitly.
    ++pending_messages_;
    IPC_BEGIN_MESSAGE_MAP(FuzzerServerListener, msg)
      IPC_MESSAGE_HANDLER(MsgClassIS, OnMsgClassISMessage)
      IPC_MESSAGE_HANDLER(MsgClassSI, OnMsgClassSIMessage)
    IPC_END_MESSAGE_MAP()
    if (pending_messages_ != 0)
      ReplyMsgNotHandled(msg.type());
    return true;
  }

 private:
  void OnMsgClassISMessage(int value, const std::u16string& text) {
    Acknowledge(MsgClassIS::ID, value, text);
  }

  void OnMsgClassSIMessage(const std::u16string& text, int value) {
    Acknowledge(MsgClassSI::ID, value, text);
  }

  // Shared tail of both handlers: log the payload, ack it, account for it.
  void Acknowledge(uint32_t type_id, int value, const std::u16string& text) {
    UseData(type_id, value, text);
    RoundtripAckReply(FUZZER_ROUTING_ID, type_id, value);
    Cleanup();
  }

  // Sends (reply + 1, reply) back with the given routing and type. |ack| is
  // handed to Send() as a raw pointer and never deleted here (the sender is
  // assumed to take ownership). NOTE(review): reply + 1 is signed overflow if
  // a probe ever sends INT_MAX; the values used by these tests never do.
  bool RoundtripAckReply(int routing, uint32_t type_id, int reply) {
    auto* ack =
        new IPC::Message(routing, type_id, IPC::Message::PRIORITY_NORMAL);
    ack->WriteInt(reply + 1);
    ack->WriteInt(reply);
    return other_->Send(ack);
  }

  // One message accounted for; quit the loop once the preset count is used up.
  void Cleanup() {
    --message_count_;
    --pending_messages_;
    if (message_count_ == 0)
      loop_->QuitWhenIdle();
  }

  void ReplyMsgNotHandled(uint32_t type_id) {
    RoundtripAckReply(FUZZER_ROUTING_ID, MsgUnhandled::ID, type_id);
    Cleanup();
  }

  // |text| is whatever the peer put on the wire; it is only logged (after
  // UTF-8 conversion), never interpreted.
  void UseData(int caller, int value, const std::u16string& text) {
    LOG(WARNING) << "IPC fuzzer:" << caller << " [" << value << " "
                 << base::UTF16ToUTF8(text) << "]\n";
  }

  // Messages still to account for before the loop is quit.
  int message_count_ = 2;
  // Raised while a control message is dispatched; see OnMessageReceived().
  int pending_messages_ = 0;
};
228*6777b538SAndroid Build Coastguard Worker
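// The parent-side listener. It keeps the most recent message from the fuzzing
// server and lets a test assert that it is the acknowledgement it expects.
class FuzzerClientListener : public SimpleListener {
 public:
  FuzzerClientListener() = default;

  bool OnMessageReceived(const IPC::Message& msg) override {
    last_msg_ = std::make_unique<IPC::Message>(msg);
    loop_->QuitWhenIdle();
    return true;
  }

  // Waits for the next message and checks that it is the acknowledgement the
  // server sends for a handled message of type |type_id| carrying |value|:
  // routed to FUZZER_ROUTING_ID, of type |type_id|, with payload
  // (value + 1, value) as written by FuzzerServerListener::RoundtripAckReply().
  // The stored message is released on success and kept on failure.
  bool ExpectMessage(int value, uint32_t type_id) {
    if (!MsgHandlerInternal(type_id))
      return false;
    base::PickleIterator iter(*last_msg_);
    int first = 0;
    int second = 0;
    if (!iter.ReadInt(&first) || !iter.ReadInt(&second))
      return false;
    // Both ints were produced by another process. Do the "+ 1" in unsigned
    // arithmetic so the check stays well-defined even if the peer sent INT_MAX
    // (signed overflow would be UB here); for every non-overflowing value this
    // is the same comparison as (second + 1) != first.
    if (static_cast<uint32_t>(second) + 1u != static_cast<uint32_t>(first))
      return false;
    if (second != value)
      return false;
    last_msg_.reset();
    return true;
  }

  // The server answers an undispatchable message with MsgUnhandled whose
  // payload echoes the type id it could not handle; check for that echo.
  bool ExpectMsgNotHandled(uint32_t type_id) {
    return ExpectMessage(static_cast<int>(type_id), MsgUnhandled::ID);
  }

 private:
  // Runs the loop until OnMessageReceived() quits it, then checks the routing
  // id and type of what arrived.
  bool MsgHandlerInternal(uint32_t type_id) {
    loop_->Run();
    if (!last_msg_)
      return false;
    if (last_msg_->routing_id() != FUZZER_ROUTING_ID)
      return false;
    return last_msg_->type() == type_id;
  }

  std::unique_ptr<IPC::Message> last_msg_;
};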
273*6777b538SAndroid Build Coastguard Worker
// Runs the fuzzing server child mode. Returns when the preset number of
// messages have been received.
DEFINE_IPC_CHANNEL_MOJO_TEST_CLIENT(FuzzServerClient) {
  FuzzerServerListener listener;
  base::RunLoop loop;
  Connect(&listener);
  // Wire the listener up before pumping the loop: replies go out on channel()
  // and |loop| is the one FuzzerServerListener::Cleanup() quits.
  listener.set_run_loop(&loop);
  listener.Init(channel());
  loop.Run();
  Close();
}
285*6777b538SAndroid Build Coastguard Worker
// Parent-process fixture for the channel tests below; the child side is the
// FuzzServerClient defined above.
using IPCFuzzingTest = IPCChannelMojoTestBase;
287*6777b538SAndroid Build Coastguard Worker
// This test makes sure that the FuzzerClientListener and FuzzerServerListener
// are working properly by generating two well formed IPC calls.
TEST_F(IPCFuzzingTest, SanityTest) {
  Init("FuzzServerClient");
  base::RunLoop first_reply;
  base::RunLoop second_reply;
  FuzzerClientListener listener;
  CreateChannel(&listener);
  listener.Init(channel());
  listener.set_run_loop(&first_reply);
  ASSERT_TRUE(ConnectChannel());

  // Messages are handed to Send() as raw pointers and never deleted here;
  // ownership is assumed to pass to the sender.
  int value = 43;
  sender()->Send(new MsgClassIS(value, u"expect 43"));
  EXPECT_TRUE(listener.ExpectMessage(value, MsgClassIS::ID));

  listener.set_run_loop(&second_reply);
  ++value;
  sender()->Send(new MsgClassSI(u"expect 44", value));
  EXPECT_TRUE(listener.ExpectMessage(value, MsgClassSI::ID));

  listener.Reset();
  EXPECT_TRUE(WaitForClientShutdown());
  DestroyChannel();
}
315*6777b538SAndroid Build Coastguard Worker
// This test uses a payload that is smaller than expected. This generates an
// error while unpacking the IPC buffer. Right after we generate another valid
// IPC to make sure framing is working properly.
TEST_F(IPCFuzzingTest, MsgBadPayloadShort) {
  Init("FuzzServerClient");
  base::RunLoop first_reply;
  base::RunLoop second_reply;
  FuzzerClientListener listener;
  CreateChannel(&listener);
  listener.Init(channel());
  listener.set_run_loop(&first_reply);
  ASSERT_TRUE(ConnectChannel());

  // MsgClassIS is (int, string16) but only the int is written: the server
  // must fail to deserialize it and answer with MsgUnhandled.
  auto* truncated = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID,
                                     IPC::Message::PRIORITY_NORMAL);
  truncated->WriteInt(666);
  sender()->Send(truncated);
  EXPECT_TRUE(listener.ExpectMsgNotHandled(MsgClassIS::ID));

  // A well-formed message afterwards shows the channel is still in sync.
  listener.set_run_loop(&second_reply);
  sender()->Send(new MsgClassSI(u"expect one", 1));
  EXPECT_TRUE(listener.ExpectMessage(1, MsgClassSI::ID));

  listener.Reset();
  EXPECT_TRUE(WaitForClientShutdown());
  DestroyChannel();
}
344*6777b538SAndroid Build Coastguard Worker
// This test uses a payload that has too many arguments, but so the payload size
// is big enough so the unpacking routine does not generate an error as in the
// case of MsgBadPayloadShort test. This test does not pinpoint a flaw (per se)
// as by design we don't carry type information on the IPC message: the
// receiver reads only what the handler signature asks for and the trailing
// int is silently ignored, so the message is expected to be *handled*.
TEST_F(IPCFuzzingTest, MsgBadPayloadArgs) {
  Init("FuzzServerClient");
  base::RunLoop first_reply;
  base::RunLoop second_reply;
  FuzzerClientListener listener;
  CreateChannel(&listener);
  listener.Init(channel());
  listener.set_run_loop(&first_reply);
  ASSERT_TRUE(ConnectChannel());

  auto* oversized = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID,
                                     IPC::Message::PRIORITY_NORMAL);
  oversized->WriteString16(u"d");
  oversized->WriteInt(0);
  oversized->WriteInt(0x65);  // Extra argument.
  sender()->Send(oversized);
  EXPECT_TRUE(listener.ExpectMessage(0, MsgClassSI::ID));

  // Now send a well formed message to make sure the receiver wasn't
  // thrown out of sync by the extra argument.
  listener.set_run_loop(&second_reply);
  sender()->Send(new MsgClassIS(3, u"expect three"));
  EXPECT_TRUE(listener.ExpectMessage(3, MsgClassIS::ID));

  listener.Reset();
  EXPECT_TRUE(WaitForClientShutdown());
  DestroyChannel();
}
379*6777b538SAndroid Build Coastguard Worker
380*6777b538SAndroid Build Coastguard Worker } // namespace
381