xref: /aosp_15_r20/external/cronet/net/url_request/url_request_fuzzer.cc (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b) 
1 // Copyright 2016 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "net/url_request/url_request.h"
6 
7 #include <stddef.h>
8 #include <stdint.h>
9 
10 #include <fuzzer/FuzzedDataProvider.h>
11 
12 #include <memory>
13 
14 #include "base/run_loop.h"
15 #include "net/base/request_priority.h"
16 #include "net/socket/fuzzed_socket_factory.h"
17 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
18 #include "net/url_request/url_request.h"
19 #include "net/url_request/url_request_context.h"
20 #include "net/url_request/url_request_context_builder.h"
21 #include "net/url_request/url_request_test_util.h"
22 #include "url/gurl.h"
23 
24 
25 // Restrict max input length to reject too long inputs that can be too slow to
26 // process and may lead to an unbounded corpus growth.
27 const size_t kMaxInputSize = 65536 + 257;
28 
29 // Integration fuzzer for URLRequest's handling of HTTP requests. Can follow
30 // redirects, both on the same server (using a new socket or the old one) and
31 // across servers.
32 // TODO(mmenke): Add support for testing HTTPS, auth, proxies, uploading,
33 // cancelation, deferring reads / redirects, using preconnected sockets, SPDY,
34 // QUIC, DNS failures (they all currently resolve to localhost), IPv6 DNS
35 // results, URLs with IPs instead of hostnames (v4 and v6), etc.
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)36 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
37   if (size > kMaxInputSize)
38     return 0;
39 
40   FuzzedDataProvider data_provider(data, size);
41   auto context_builder = net::CreateTestURLRequestContextBuilder();
42   net::FuzzedSocketFactory fuzzed_socket_factory(&data_provider);
43   context_builder->set_client_socket_factory_for_testing(
44       &fuzzed_socket_factory);
45   auto url_request_context = context_builder->Build();
46 
47   net::TestDelegate delegate;
48   base::RunLoop loop;
49   delegate.set_on_complete(loop.QuitWhenIdleClosure());
50 
51   std::unique_ptr<net::URLRequest> url_request(
52       url_request_context->CreateRequest(GURL("http://foo/"),
53                                          net::DEFAULT_PRIORITY, &delegate,
54                                          TRAFFIC_ANNOTATION_FOR_TESTS));
55   url_request->Start();
56   // TestDelegate quits the message loop on completion.
57   loop.Run();
58   return 0;
59 }
60