Merge branch 'master' into arvo-contribution

079035 · web-flow · commit 8294a9688f63 · 2025-09-02T16:43:22.000-04:00
diff --git a/projects/libmicrohttpd2/build.sh b/projects/libmicrohttpd2/build.sh
@@ -25,7 +25,7 @@ ASAN_OPTIONS=detect_leaks=0 make -j$(nproc)
 make install
 
 # Compile fuzzer
-FUZZERS="fuzz_response fuzz_daemon fuzz_mhd2 fuzz_str fuzz_crypto_int fuzz_libinfo fuzz_connection"
+FUZZERS="fuzz_response fuzz_daemon fuzz_mhd2 fuzz_str fuzz_crypto_int fuzz_libinfo fuzz_connection fuzz_daemon_connection"
 
 for fuzzer in $FUZZERS; do
   extra_src=""
@@ -35,7 +35,7 @@ for fuzzer in $FUZZERS; do
       ;;
   esac
   case "$fuzzer" in
-    fuzz_connection)
+    fuzz_connection|fuzz_daemon_connection)
       extra_src="$SRC/connection_helper.cpp"
       ;;
   esac
diff --git a/projects/libmicrohttpd2/connection_helper.cpp b/projects/libmicrohttpd2/connection_helper.cpp
@@ -15,6 +15,7 @@
 ////////////////////////////////////////////////////////////////////////////////
 #include "connection_helper.h"
 #include <cstring>
+#include <unordered_set>
 
 extern "C" {
   #include "mhd_action.h"
@@ -32,11 +33,30 @@ struct mhd_MemoryPool *g_pool = nullptr;
 const size_t g_pool_size = 14 * 1024;
 std::string g_mpart_boundary;
 
+// Body status
+static std::unordered_set<const MHD_Connection*> g_post_parse_ready;
+
 // Helper to clear memory pool
 void destroy_global_pool() {
   if (g_pool) { mhd_pool_destroy(g_pool); g_pool = nullptr; }
 }
 
+
+// Helper to set body parsing ready
+void mark_post_parse_ready(MHD_Connection& c) {
+  g_post_parse_ready.insert(&c);
+}
+
+// Helper to check parse body status
+bool is_post_parse_ready(const MHD_Connection& c) {
+  return g_post_parse_ready.find(&c) != g_post_parse_ready.end();
+}
+
+// Helper to clear parse body status
+void clear_post_parse_ready(const MHD_Connection& c) {
+  g_post_parse_ready.erase(&c);
+}
+
 // Helper to destroy error response
 static bool destroy_error_response(MHD_Connection c) {
   if (c.stage == mhd_HTTP_STAGE_START_REPLY) {
@@ -75,6 +95,23 @@ static std::string pick_http_version(FuzzedDataProvider& fdp) {
   }
 }
 
+// Helper to check and expand buffer capcaity
+bool ensure_lbuf_capacity(MHD_Connection& c, size_t min_needed) {
+  if (!c.daemon) {
+    return false;
+  }
+
+  if (c.rq.cntn.lbuf.data && c.rq.cntn.lbuf.size >= min_needed) {
+    return true;
+  }
+  size_t have = c.rq.cntn.lbuf.size;
+  size_t need = (min_needed > have) ? (min_needed - have) : 0;
+  if (need) {
+    mhd_daemon_extend_lbuf_up_to(c.daemon, need, &c.rq.cntn.lbuf);
+  }
+  return (c.rq.cntn.lbuf.data != nullptr) && (c.rq.cntn.lbuf.size >= min_needed);
+}
+
 // Dummy upload actions
 const struct MHD_UploadAction kContinueAction = {
   mhd_UPLOAD_ACTION_CONTINUE, { nullptr }
@@ -101,6 +138,16 @@ dummy_done(struct MHD_Request*, void*, enum MHD_PostParseResult) {
   return &kContinueAction;
 }
 
+// Dummy request callback function
+static const struct MHD_Action*
+dummy_request_cb(void* cls,
+                 struct MHD_Request* request,
+                 const struct MHD_String* path,
+                 enum MHD_HTTP_Method method,
+                 uint_fast64_t upload_size) {
+  return nullptr;
+}
+
 void init_daemon_connection(FuzzedDataProvider& fdp,
                                    MHD_Daemon& d, MHD_Connection& c) {
   // Basic initialisation
@@ -130,6 +177,10 @@ void init_daemon_connection(FuzzedDataProvider& fdp,
   c.suspended = false;
   c.connection_timeout_ms = fdp.ConsumeIntegralInRange<uint32_t>(0, 4096);
   c.last_activity = 0;
+
+  // Add dummy callback function
+  d.req_cfg.cb = dummy_request_cb;
+  d.req_cfg.cb_cls = nullptr;
 }
 
 void init_connection_buffer(FuzzedDataProvider& fdp, MHD_Connection& c) {
@@ -268,7 +319,11 @@ void init_parsing_configuration(FuzzedDataProvider& fdp, MHD_Connection& c) {
   MHD_HTTP_PostEncoding enc;
 
   // Configure connection encoding abd methods
-  c.rq.app_act.head_act.act = mhd_ACTION_POST_PARSE;
+  if (fdp.ConsumeBool()) {
+    c.rq.app_act.head_act.act = mhd_ACTION_POST_PARSE;
+  } else {
+    c.rq.app_act.head_act.act = mhd_ACTION_NO_ACTION;
+  }
   if (fdp.ConsumeBool()) {
     enc = MHD_HTTP_POST_ENCODING_TEXT_PLAIN;
   } else if (fdp.ConsumeBool()) {
@@ -366,6 +421,7 @@ void prepare_body_and_process(MHD_Connection& connection, std::string& body, siz
     // Fuzz mhd_stream_prepare_for_post_parse once and mhd_stream_post_parse
     mhd_stream_prepare_for_post_parse(&connection);
     mhd_stream_post_parse(&connection, &body_size, &body[0]);
+    mark_post_parse_ready(connection);
   } else {
     // Try prepare the body by streaming connection buffer
     const bool want_chunked = (connection.rq.have_chunked_upload == MHD_YES);
@@ -422,15 +478,27 @@ void prepare_body_and_process(MHD_Connection& connection, std::string& body, siz
 
     if (staged) {
       // Use stream body approach if success
-      connection.stage = mhd_HTTP_STAGE_BODY_RECEIVING;
-      connection.rq.have_chunked_upload = MHD_NO;
-      connection.rq.cntn.cntn_size = (uint64_t) body_size;
-      mhd_stream_prepare_for_post_parse(&connection);
-      mhd_stream_process_request_body(&connection);
+      const size_t min_needed = body_size + 1;
+      if (ensure_lbuf_capacity(connection, min_needed)) {
+        // Only post parse the request if buffer is enough
+        connection.stage = mhd_HTTP_STAGE_BODY_RECEIVING;
+        connection.rq.have_chunked_upload = MHD_NO;
+        connection.rq.cntn.cntn_size = (uint64_t) body_size;
+        mhd_stream_prepare_for_post_parse(&connection);
+        mhd_stream_process_request_body(&connection);
+        mark_post_parse_ready(connection);
+      } else {
+        // Fall back if not enough buffer
+        size_t tmp = body_size;
+        mhd_stream_prepare_for_post_parse(&connection);
+        mhd_stream_post_parse(&connection, &tmp, body.data());
+        mark_post_parse_ready(connection);
+      }
     } else {
       // Use post prase approach if stream body failed
       mhd_stream_prepare_for_post_parse(&connection);
       mhd_stream_post_parse(&connection, &body_size, &body[0]);
+      mark_post_parse_ready(connection);
     }
   }
 }
@@ -445,4 +513,7 @@ void final_cleanup(MHD_Connection& connection, MHD_Daemon& daemon) {
   if (connection.rq.cntn.lbuf.data != nullptr || connection.rq.cntn.lbuf.size != 0) {
     mhd_daemon_free_lbuf(&daemon, &connection.rq.cntn.lbuf);
   }
+
+  // Clean post parse body status
+  clear_post_parse_ready(connection);
 }
diff --git a/projects/libmicrohttpd2/connection_helper.h b/projects/libmicrohttpd2/connection_helper.h
@@ -45,3 +45,7 @@ void init_parsing_configuration(FuzzedDataProvider& fdp, MHD_Connection& c);
 void prepare_headers_and_parse(MHD_Connection& connection, size_t size);
 void prepare_body_and_process(MHD_Connection& connection, std::string& body, size_t body_size, bool use_stream_body);
 void final_cleanup(MHD_Connection& connection, MHD_Daemon& daemon);
+
+void mark_post_parse_ready(MHD_Connection& connection);
+bool is_post_parse_ready(const MHD_Connection& connection);
+void clear_post_parse_ready(const MHD_Connection& connection);
diff --git a/projects/libmicrohttpd2/fuzz_daemon_connection.cpp b/projects/libmicrohttpd2/fuzz_daemon_connection.cpp
@@ -0,0 +1,116 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+#include <stdint.h>
+#include <stddef.h>
+#include <string>
+#include <vector>
+#include <cstring>
+
+#include "fuzzer/FuzzedDataProvider.h"
+#include "connection_helper.h"
+
+extern "C" {
+  #include "conn_tls_check.h"
+  #include "mempool_funcs.h"
+  #include "mhd_send.h"
+  #include "stream_process_request.h"
+  #include "stream_process_states.h"
+}
+
+// Initialising the memory pool
+extern "C" int LLVMFuzzerInitialize() {
+  g_pool = mhd_pool_create(g_pool_size, MHD_MEMPOOL_ZEROING_ON_RESET);
+  atexit(destroy_global_pool);
+  return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  if (size == 0 || g_pool == nullptr) {
+    return 0;
+  }
+
+  FuzzedDataProvider fdp(data, size);
+
+  // Reseting the memory pool for each iteartion
+  mhd_pool_destroy(g_pool);
+  g_pool = mhd_pool_create(g_pool_size, MHD_MEMPOOL_ZEROING_ON_RESET);
+
+  // Initialising the daemon, connection and other MHD components
+  MHD_Daemon daemon;
+  MHD_Connection connection;
+  init_daemon_connection(fdp, daemon, connection);
+  init_parsing_configuration(fdp, connection);
+  init_connection_buffer(fdp, connection);
+  prepare_headers_and_parse(connection, size);
+
+  // Randomly choose how many targets to fuzz
+  std::vector<int> selectors;
+  for (int i = 0; i < fdp.ConsumeIntegralInRange<int>(1, 8); i++) {
+    selectors.push_back(fdp.ConsumeIntegralInRange<int>(0, 5));
+  }
+
+  // Generate random flags
+  bool use_stream_body = fdp.ConsumeBool();
+  bool is_nodelay = fdp.ConsumeBool();
+  bool is_cork = fdp.ConsumeBool();
+
+  // Use remaining bytes to generate random body for fuzzing
+  std::string body = fdp.ConsumeRemainingBytesAsString();
+  size_t body_size = body.size();
+  if (body_size == 0) {
+    return 0;
+  }
+  prepare_body_and_process(connection, body, body_size, use_stream_body);
+
+  for (int selector : selectors) {
+    switch (selector) {
+      case 0: {
+        mhd_conn_event_loop_state_update(&connection);
+        break;
+      }
+      case 1: {
+        if (connection.rq.app_act.head_act.act == mhd_ACTION_NO_ACTION &&
+            connection.daemon && connection.daemon->req_cfg.cb) {
+          mhd_stream_call_app_request_cb(&connection);
+        }
+        break;
+      }
+      case 2: {
+        if (connection.rq.app_act.head_act.act == mhd_ACTION_POST_PARSE &&
+            connection.rq.app_act.head_act.data.post_parse.done_cb != nullptr &&
+            is_post_parse_ready(connection)) {
+          mhd_stream_process_req_recv_finished(&connection);
+        }
+        break;
+      }
+      case 3: {
+        mhd_conn_tls_check(&connection);
+        break;
+      }
+      case 4: {
+        mhd_connection_set_nodelay_state(&connection, is_nodelay);
+        break;
+      }
+      default: case 5: {
+        mhd_connection_set_cork_state(&connection, is_cork);
+        break;
+      }
+    }
+  }
+
+  final_cleanup(connection, daemon);
+  return 0;
+}
