This can happen like this:
#8 0x7f14fdf4ec86 in std::terminate() (/usr/lib64/libstdc++.so.6+0xb7c86) (BuildId: c74eca671e2dd0f063706372d103f8acef88f1e3)
#9 0x7f14fdf4eee7 in __cxa_throw (/usr/lib64/libstdc++.so.6+0xb7ee7) (BuildId: c74eca671e2dd0f063706372d103f8acef88f1e3)
#10 0x55ddc5b906d2 in Poco::AutoPtr<Poco::Channel>::operator->() /usr/include/Poco/AutoPtr.h:232:4
#11 0x55ddc5b7eb07 in AdminSocketHandler::handleMessage(std::vector<char, std::allocator<char>> const&) /home/vmiklos/git/collaboraonline/online-fuzz/wsd/Admin.cpp:236:13
Note how LOG_ANY() assumes that Log::logger().getChannel() is not
nullptr (so the caller has to check for it), while the more typical
variants with a log level like LOG_TRC() already do a similar check via
LOG_CONDITIONAL().
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I5e1379f33e6640fd07de673ef0d07b1d4d611c89
- the HttpEcho build broke with commit
08d9081280 (net: don't try to set
TCP_NODELAY on local Unix sockets., 2023-10-30)
- fix an unused variable error from commit
0631593c96 (wasm: proxy wopi documents,
2023-11-06).
- the undefined reference to COOLWSD::ForKitProcId probably went wrong
in commit 3f46c1db44 (kit-in-process:
pure re-factor to a run-time function to flag this., 2023-11-20)
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I0cf06d188860bdb2f795485a91c7634b596255aa
The max input size is 16384, so in case the input is saved after each
run, then this can allocate ~300MB of memory. This is considerable
amount, given that the upper limit of the fuzzer process is 2GB.
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: Ieedb6a537d5b539255ed8bacd79ff23db3c15e9f
This improves the performance of fuzzing
and removes the checks that can't be guaranteed.
And fixes a test failure.
Change-Id: I987fe15b098c00d9a3d60077f0581d2ef35e306c
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
This is a full round-trip http fuzzer.
It can achieve >1000 iterations per second
on a single 2 Ghz core, even while going
through the network loopback layer.
The advantage is that more networking code
is fuzzed this way, including not just
the http code, but also the sockets.
Change-Id: I75d21bd0e25221ee6621097a2605d62c4bb2ae4d
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
The DocumentBroker dtor adds a callback:
#0 SocketPoll::addCallback(std::function<void ()> const&) (this=0x377dce0 <Admin::instance()::admin>, fn=...) at ./net/Socket.hpp:773
#1 0x0000000000947db5 in Admin::rmDoc (this=<optimized out>, docKey=...) at wsd/Admin.cpp:544
#2 0x0000000000bb8192 in DocumentBroker::~DocumentBroker (this=0x61900000e690) at wsd/DocumentBroker.cpp:579
So even if the fuzzer called Admin::instance().poll() on shutdown, there
was one more callback inserted to the list later, leading to OOM in the
long run.
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I0832d839b098407fa9e8aadb6f84388a85d62323
An alternative would be to tweak online-fuzz/wsd/DocumentBroker.cpp:534
to check for Util::isFuzzing(), but this is probably a better & more
generic way.
'./clientsession_fuzzer fuzzer/data/load' now works again.
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I4d9fa387597695ff0802b268bc4d86be51dbabb2
HttpResponse covers http::Response::readData(), HttpStatus covered
http::StatusLine::parse(). The first calls the second, so remove the
second.
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I163819ca470b766a7bc4694a9c6cfe4919e17963
And remove the httpheader one, which is not useful, since it uses Poco
for the actual parsing, it did not find anything. (If we switch away
from Poco there in the future, it's easy enough to restore it.)
Also fix some problems found by the fuzzer.
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I254247c46ecc78c9c3e75aac4f10c441b0e10fb3
And fix an unhandled std::length_error it found.
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I571cdd71caeda84820f2c64088966936637ce2bf
Run the actual fuzzer like this:
./httpheader_fuzzer -max_len=16384 fuzzer/httpheader-data/
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I91afe44a632826cc15bd1c338bcc5234582e9674
fuzzers build was failing with:
In file included from fuzzer/Admin.cpp:3:
In file included from ./wsd/Admin.hpp:12:
In file included from ./wsd/AdminModel.hpp:20:
In file included from ./net/WebSocketHandler.hpp:18:
./net/HttpRequest.hpp:667:31: error: expected ')'
_header.add("Server", HTTP_SERVER_STRING);
^
./common/Common.hpp:62:51: note: expanded from macro 'HTTP_SERVER_STRING'
#define HTTP_SERVER_STRING "LOOLWSD HTTP Server " LOOLWSD_VERSION
^
./net/HttpRequest.hpp:667:20: note: to match this '('
_header.add("Server", HTTP_SERVER_STRING);
^
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: Ibc3905e3e62e0eb9788b750971916ff4a4937f12
Happens when renderfont is called without first loading a document.
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I1152d1f4b3f610364e22c406cda5494672f20aed
The fuzzer ran out of memory, 955443527 bytes (79%) of the used memory
was this map.
Change-Id: I2dd84a094d3dd3d98618667e3c78591e2193bce2
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
This can happen on a 'savetostorage' which is after a failed load.
Change-Id: Iad26bf6415c772c8646a119b0454c202873d6860
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Also decrease the poll timeout to 0, otherwise testing each input would
now take 5 sec, rather than ~3 ms.
Change-Id: I1a4f347e5ec08a62d40131bfec3c504a19727323
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/95437
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
This avoids depending on LOOLWSD's statics, which
makes adding unit-tests much more difficult due to
the high number of dependencies LOOLWSD pulls.
Adds a number of unit-tests for RequestDetails.
Change-Id: I9f1d56f80a633505c7ff548ec0e33ffe61f59f53
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/95290
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Tested-by: Jenkins
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
So that one does not have to search back the commit messages to get the
commandlines to run these.
Change-Id: I3acfc0fa5b38577f22f6248a8ae0705e6af68940
And bypass configuration access at two new places, so the fuzzer can
find more interesting failures.
Change-Id: I4c09172e781a7c6120b8c4befe1a84fdd74f2ddc
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/93617
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
Also adds ServiceRoot handling for clipboard.
Change-Id: I7bc6591130fcc7d693e59ab8561fb9e99f4e93d5
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/93578
Tested-by: Michael Meeks <michael.meeks@collabora.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Don't pop an empty container, also use stol() so it does not throw
std::out_of_range.
Change-Id: Id81cb00ccfb0ecc234b8f6fa89edf5a0d8c6d353
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92524
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
This is no longer a huge problem, but it's still a good idea to return
early in that case.
Found with the recently added admin_fuzzer, when I locally disabled the
StringVector safety checks for test purposes.
(If you view the diff with -U30, then you see that we access tokens[2]
later, so if size is < 3, we should give up.)
Change-Id: I46fc531fb042cc1485a17a9e994ad37e9ff0cd80
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/91587
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>