Skip to content
master
Switch branches/tags
14 branches 0 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.github/workflows
 
 
corpora
 
 
m4
 
 
ossconfig
 
 
scripts
 
 
.gitignore
 
 
LICENSE
 
 
Makefile.am
 
 
README.md
 
 
REPRODUCING.md
 
 
buildconf
 
 
ci_oss.sh
 
 
codecoverage.sh
 
 
codeprofile.sh
 
 
configure.ac
 
 
corpus.py
 
 
corpus_to_pcap.py
 
 
curl_fuzzer.cc
 
 
curl_fuzzer.h
 
 
curl_fuzzer_callback.cc
 
 
curl_fuzzer_tlv.cc
 
 
curl_test_data.py
 
 
fuzz_fnmatch.cc
 
 
generate_corpus.py
 
 
generate_fnmatch.sh
 
 
mainline.sh
 
 
ossfuzz.sh
 
 
read_corpus.py
 
 
standalone_fuzz_target_runner.cc
 
 
testinput.h
 
 
travisoss.sh
 
 
curl-fuzzer I just want to get fuzzing! I want to find the code coverage from the testcases I want more information when running a testcase or multiple testcases I want to reproduce an error hit overnight by OSS-Fuzz What's in this testcase? I want to generate a new testcase I want to enhance the fuzzer! File format Adding a new TLV.

README.md

curl-fuzzer

Code and corpora for curl and libcurl fuzzing.

This is the curl fuzzing OSS-Fuzz runs for us, non-stop.

I just want to get fuzzing!

Great! Run ./mainline.sh. It will download you a fresh copy of curl, compile it with clang, install it to a temporary directory, then compile the fuzzer against curl. It'll also run the regression testcases.

If you have a local copy of curl that you want to use instead, pass the path as an argument to ./mainline.sh. It will compile and install that curl to a temporary directory instead.

./mainline.sh is run regressibly by Travis CI.

I want to find the code coverage from the testcases

Run ./codecoverage.sh. It will download you a fresh copy of curl, compile it with gcc, install it, then compile the fuzzer against it. It'll then run a coverage run and work out the coverage of the test cases, using lcov to generate coverage information.

./codecoverage.sh is run regressibly by Travis CI.

I want more information when running a testcase or multiple testcases

Setting the FUZZ_VERBOSE environment variable turns on curl verbose logging. This can be useful when debugging a single testcase.

I want to reproduce an error hit overnight by OSS-Fuzz

Check out REPRODUCING.md for more detailed instructions.

What's in this testcase?

To look at the contents of a testcase, run

python read_corpus.py --input <path/to/file>

This will print out a list of contents inside the file.

I want to generate a new testcase

To generate a new testcase, run python generate_corpus.py with appropriate options.

I want to enhance the fuzzer!

Wonderful! Here's a bit of information you may need to know.

File format

Testcases are written in a Type-Length-Value or TLV format. Each TLV has:

  • 16 bits for the Type
  • 32 bits for the Length of the TLV data
  • 0 - length bytes of data.

TLV type numbers are defined in both corpus.py and curl_fuzzer.h.

Adding a new TLV.

To add a new TLV:

  • Add support for it in the Python scripts: generate_corpus.py, corpus.py. This means adding options for reading the value of the TLV from the user (or from a file, or from test data)
  • Add support for it in the fuzzer: curl_fuzzer.cc, curl_fuzzer.h. This likely means adding handling of the TLV to fuzz_parse_tlv().

About

Quality assurance testing for the curl project

Topics

curl testcase fuzzer oss-fuzz

Resources

Readme

License

MIT License

Stars

37 stars

Watchers

13 watching

Forks

20 forks

Releases

No releases published

Packages

No packages published

Contributors 5

Languages