// Licensed to the Apache Software Foundation(ASF) under one
// or more contributor license agreements.See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
using System;
using System.IO;
using SharpFuzz;
using Thrift.Protocol;
using Thrift.Transport;
using Thrift.Transport.Client;
namespace Thrift.Tests.Protocols.Fuzzers
{
/// <summary>
/// Base class for protocol fuzzers that handles the common fuzzing logic.
/// </summary>
/// <typeparam name="FuzzProtocol">The type of protocol to use for deserialization.</typeparam>
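/// <summary>
/// Base class for protocol fuzzers that handles the common fuzzing logic.
/// A derived class supplies the concrete protocol through <see cref="CreateProtocol"/>
/// and starts the harness with either <see cref="RunLibFuzzer"/> or <see cref="RunAFL"/>.
/// </summary>
/// <typeparam name="FuzzProtocol">The type of protocol to use for deserialization.</typeparam>
public abstract class ProtocolFuzzerBase<FuzzProtocol> where FuzzProtocol : TProtocol
{
    /// <summary>
    /// Environment variable that controls whether to use in-process fuzzing for AFL.
    /// When set to "1", uses Fuzzer.Run instead of Fuzzer.OutOfProcess.Run.
    /// Any other value, or an unset variable, selects the out-of-process mode.
    /// </summary>
    protected const string UseInProcessFuzzingEnvVar = "THRIFT_AFL_IN_PROCESS";

    /// <summary>
    /// 10MB message size limit to prevent over-allocation during fuzzing.
    /// Applied to <c>TConfiguration.MaxMessageSize</c> for every input, so a
    /// length prefix in the fuzzer-generated bytes cannot drive the reader into
    /// allocating arbitrarily large buffers.
    /// </summary>
    protected const int FUZZ_MAX_MESSAGE_SIZE = 10 * 1024 * 1024;

    /// <summary>
    /// Creates a new instance of the protocol for the given transport.
    /// </summary>
    /// <param name="transport">Read-only transport wrapping the fuzzer-supplied bytes.</param>
    /// <returns>A protocol instance that deserializes from <paramref name="transport"/>.</returns>
    protected abstract FuzzProtocol CreateProtocol(TTransport transport);

    /// <summary>
    /// Helper method that contains the core fuzzing logic: deserializes one
    /// <c>FuzzTest</c> object from <paramref name="stream"/> and discards it.
    /// </summary>
    /// <param name="stream">
    /// Input bytes for one fuzz iteration. The stream is owned by the caller and is
    /// not disposed here.
    /// </param>
    private void ProcessFuzzStream(Stream stream)
    {
        try
        {
            var config = new TConfiguration { MaxMessageSize = FUZZ_MAX_MESSAGE_SIZE };
            // No output stream: the harness only exercises the deserialization path.
            var transport = new TStreamTransport(stream, null, config);
            var protocol = CreateProtocol(transport);
            var obj = new FuzzTest();
            // Blocking on the task is deliberate: the fuzzer engines drive this method
            // through synchronous callbacks (see RunAFL / ProcessFuzzInput).
            obj.ReadAsync(protocol, default).GetAwaiter().GetResult();
        }
        catch (Exception)
        {
            // Expected for malformed input. TException is the protocol's normal way of
            // rejecting bad data, but this clause also swallows every other managed
            // exception, so such exceptions are never surfaced to the fuzzer as findings;
            // only faults the engine detects on its own (e.g. hangs or process-level
            // crashes) remain observable. Narrow this clause to TException if
            // unexpected managed exceptions should be reported as bugs.
        }
    }

    /// <summary>
    /// The core fuzzing logic that processes a single input.
    /// </summary>
    /// <param name="span">
    /// Raw fuzzer input. It is copied into a private <see cref="MemoryStream"/> so that
    /// the stream-based transport can consume it.
    /// </param>
    protected void ProcessFuzzInput(ReadOnlySpan<byte> span)
    {
        using var stream = new MemoryStream(span.ToArray());
        ProcessFuzzStream(stream);
    }

    /// <summary>
    /// Runs the fuzzer with LibFuzzer. Each generated input is handed to
    /// <see cref="ProcessFuzzInput"/>.
    /// </summary>
    protected void RunLibFuzzer()
    {
        Fuzzer.LibFuzzer.Run(ProcessFuzzInput);
    }

    /// <summary>
    /// Runs the fuzzer with AFL. Uses in-process mode (Fuzzer.Run) only when
    /// <see cref="UseInProcessFuzzingEnvVar"/> is exactly "1"; otherwise the
    /// out-of-process mode (Fuzzer.OutOfProcess.Run) is used.
    /// </summary>
    protected void RunAFL()
    {
        // Ordinal comparison; any value other than "1" (including unset) means out-of-process.
        var useInProcess = Environment.GetEnvironmentVariable(UseInProcessFuzzingEnvVar) == "1";
        if (useInProcess)
        {
            Fuzzer.Run(ProcessFuzzStream);
        }
        else
        {
            Fuzzer.OutOfProcess.Run(ProcessFuzzStream);
        }
    }
}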
}