fuzz: added fuzz test for listener filter http_inspector #12411
asraa merged 35 commits into envoyproxy:master from
Conversation
Signed-off-by: Arthur Yan <arthuryan@google.com>
Updated original_dst_fuzz_test and original_dst corpus entries to reflect changes Signed-off-by: Arthur Yan <arthuryan@google.com>
…lect new API Signed-off-by: Arthur Yan <arthuryan@google.com>
Builds and passes tests for http_inspector unit test Signed-off-by: Arthur Yan <arthuryan@google.com>
…fuzzer Signed-off-by: Arthur Yan <arthuryan@google.com>
Changed the API of ListenerFilterFuzzer Signed-off-by: Arthur Yan <arthuryan@google.com>
@jianwen612 Would you like to do a review pass on this?
Yes!
Fixed crashing original_dst_fuzz_test (segmentation fault) Signed-off-by: Arthur Yan <arthuryan@google.com>
asraa left a comment:
Thanks! Very minor nits, but this looks great.
    while (!got_continue) {
      if (header.done()) { // End of stream reached but not done
        file_event_callback_(Event::FileReadyType::Closed);
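Review bot: after `file_event_callback_(Event::FileReadyType::Closed);` the loop has no exit of its own; `while (!got_continue)` only terminates if the filter under test reacts to Closed by calling continueFilterChain, so a filter that does not will be handed Closed again on every iteration. Add an explicit `return;` (or `break;`) right after the callback so the driver stops once the fuzz input is exhausted, whatever the filter does with the event.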
If there is no more data to fuzz, should this be an early return? (Does "not done" mean that the input data has not been read completely, even if the filter will do a no-op?)
No, "not done" should handle the case where all of the fuzzed input data has been read (end of stream reached), but the parser fails to determine http. In this case, the file event will fall back to non-http and call continueFilterChain(true), but it needs to receive Event::FileReadyType::Closed in order to trigger that behavior. The file event itself should be able to handle all other possible cases (socket read error, early return after success, waiting for the next event, etc.).
Edit: Actually, great catch! This works as-is for http_inspector due to how done is implemented (continueFilterChain handled separately), but there should be an explicit early return in general (in tls_inspector, continueFilterChain is handled inside done, which causes this while loop to run indefinitely). I'll fix this in the PR for fuzzing tls_inspector.
Ahhhhh! Gotcha -- thanks so much for the explanation though. Sounds good for fixing later :)
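The end-of-input case discussed in this thread, as an added example that is not code from this PR or from Envoy: a minimal model of the driver loop in which `Filter`, `driveFilter`, `HttpLike` and `SilentOnClose` are hypothetical stand-ins, contrasting the loop as written (relying on the filter to continue the chain after Closed) with an explicit early return once the fuzz input is exhausted.

```cpp
// Added example, not Envoy code: a minimal model of the fuzzer's
// "while (!got_continue)" driver loop and the end-of-input corner case.
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

enum class Outcome { Continued, ClosedNoContinue, Hung };

// Hypothetical filter interface: receives a FileReady event (read or closed)
// and may call continueFilterChain through the callback the driver installs.
struct Filter {
  virtual ~Filter() = default;
  virtual void onFileEvent(bool closed, const std::string& data) = 0;
  std::function<void(bool)> continueFilterChain;
};

// Feeds fuzzer chunks until the filter continues the chain. When the input is
// exhausted it delivers Closed; with early_return=false the loop then relies
// on the filter calling continueFilterChain, which not every filter does.
Outcome driveFilter(Filter& f, const std::vector<std::string>& chunks,
                    bool early_return, size_t max_iters = 1000) {
  bool got_continue = false;
  f.continueFilterChain = [&](bool) { got_continue = true; };
  size_t idx = 0;
  for (size_t iter = 0; !got_continue; ++iter) {
    if (iter >= max_iters) return Outcome::Hung;  // guard standing in for a real hang
    if (idx >= chunks.size()) {  // end of stream reached but not done
      f.onFileEvent(true, "");
      if (got_continue) break;
      if (early_return) return Outcome::ClosedNoContinue;
      continue;  // no exit path here: spins if the filter stays silent on Closed
    }
    f.onFileEvent(false, chunks[idx++]);
  }
  return Outcome::Continued;
}

// Models http_inspector: on Closed it falls back to non-HTTP and continues.
struct HttpLike : Filter {
  void onFileEvent(bool closed, const std::string& d) override {
    if (closed || d.find("HTTP/1.") != std::string::npos) continueFilterChain(true);
  }
};

// Models the case raised in review: a filter that never continues on Closed.
struct SilentOnClose : Filter {
  void onFileEvent(bool, const std::string&) override {}  // still waiting for bytes
};
```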
Signed-off-by: Arthur Yan <arthuryan@google.com>
Commit Message: Added fuzz test for listener filter http_inspector
Additional Description:
Extended generic listener filter fuzzer library to support mocked dispatcher and system call behavior
Created http_inspector_corpus and populated with testcases (valid and invalid headers)
Created http_inspector_fuzz_test.cc and updated ListenerFilterFuzzer API
Risk Level: Low
Testing: ran the fuzzer, increased function coverage of http_inspector.cc to 100.0% and line coverage to 84.9% (covers all parse states except errors related to socket read failure). Coverage for other listener filters (original_src and original_dst) unchanged.
Docs Changes: N/A
Release Notes: N/A
/cc @akonradi
/cc @asraa