1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
9 #include "base/message_loop/message_loop.h"
10 #include "base/strings/string16.h"
11 #include "base/strings/utf_string_conversions.h"
12 #include "base/threading/platform_thread.h"
13 #include "ipc/ipc_test_base.h"
14 #include "testing/gtest/include/gtest/gtest.h"
16 // IPC messages for testing ----------------------------------------------------
18 #define IPC_MESSAGE_IMPL
19 #include "ipc/ipc_message_macros.h"
21 #define IPC_MESSAGE_START TestMsgStart
23 // Generic message class that is an int followed by a string16.
24 IPC_MESSAGE_CONTROL2(MsgClassIS
, int, base::string16
)
26 // Generic message class that is a string16 followed by an int.
27 IPC_MESSAGE_CONTROL2(MsgClassSI
, base::string16
, int)
29 // Message to create a mutex in the IPC server, using the received name.
30 IPC_MESSAGE_CONTROL2(MsgDoMutex
, base::string16
, int)
32 // Used to generate an ID for a message that should not exist.
33 IPC_MESSAGE_CONTROL0(MsgUnhandled
)
35 // -----------------------------------------------------------------------------
39 TEST(IPCMessageIntegrity
, ReadBeyondBufferStr
) {
40 // This was BUG 984408.
41 uint32 v1
= kuint32max
- 1;
43 IPC::Message
m(0, 1, IPC::Message::PRIORITY_NORMAL
);
44 EXPECT_TRUE(m
.WriteInt(v1
));
45 EXPECT_TRUE(m
.WriteInt(v2
));
47 base::PickleIterator
iter(m
);
49 EXPECT_FALSE(iter
.ReadString(&vs
));
52 TEST(IPCMessageIntegrity
, ReadBeyondBufferStr16
) {
53 // This was BUG 984408.
54 uint32 v1
= kuint32max
- 1;
56 IPC::Message
m(0, 1, IPC::Message::PRIORITY_NORMAL
);
57 EXPECT_TRUE(m
.WriteInt(v1
));
58 EXPECT_TRUE(m
.WriteInt(v2
));
60 base::PickleIterator
iter(m
);
62 EXPECT_FALSE(iter
.ReadString16(&vs
));
65 TEST(IPCMessageIntegrity
, ReadBytesBadIterator
) {
66 // This was BUG 1035467.
67 IPC::Message
m(0, 1, IPC::Message::PRIORITY_NORMAL
);
68 EXPECT_TRUE(m
.WriteInt(1));
69 EXPECT_TRUE(m
.WriteInt(2));
71 base::PickleIterator
iter(m
);
72 const char* data
= NULL
;
73 EXPECT_TRUE(iter
.ReadBytes(&data
, sizeof(int)));
76 TEST(IPCMessageIntegrity
, ReadVectorNegativeSize
) {
77 // A slight variation of BUG 984408. Note that the pickling of vector<char>
78 // has a specialized template which is not vulnerable to this bug. So here
79 // try to hit the non-specialized case vector<P>.
80 IPC::Message
m(0, 1, IPC::Message::PRIORITY_NORMAL
);
81 EXPECT_TRUE(m
.WriteInt(-1)); // This is the count of elements.
82 EXPECT_TRUE(m
.WriteInt(1));
83 EXPECT_TRUE(m
.WriteInt(2));
84 EXPECT_TRUE(m
.WriteInt(3));
86 std::vector
<double> vec
;
87 base::PickleIterator
iter(m
);
88 EXPECT_FALSE(ReadParam(&m
, &iter
, &vec
));
91 TEST(IPCMessageIntegrity
, ReadVectorTooLarge1
) {
92 // This was BUG 1006367. This is the large but positive length case. Again
93 // we try to hit the non-specialized case vector<P>.
94 IPC::Message
m(0, 1, IPC::Message::PRIORITY_NORMAL
);
95 EXPECT_TRUE(m
.WriteInt(0x21000003)); // This is the count of elements.
96 EXPECT_TRUE(m
.WriteInt64(1));
97 EXPECT_TRUE(m
.WriteInt64(2));
99 std::vector
<int64
> vec
;
100 base::PickleIterator
iter(m
);
101 EXPECT_FALSE(ReadParam(&m
, &iter
, &vec
));
104 TEST(IPCMessageIntegrity
, ReadVectorTooLarge2
) {
105 // This was BUG 1006367. This is the large but positive with an additional
106 // integer overflow when computing the actual byte size. Again we try to hit
107 // the non-specialized case vector<P>.
108 IPC::Message
m(0, 1, IPC::Message::PRIORITY_NORMAL
);
109 EXPECT_TRUE(m
.WriteInt(0x71000000)); // This is the count of elements.
110 EXPECT_TRUE(m
.WriteInt64(1));
111 EXPECT_TRUE(m
.WriteInt64(2));
113 std::vector
<int64
> vec
;
114 base::PickleIterator
iter(m
);
115 EXPECT_FALSE(ReadParam(&m
, &iter
, &vec
));
118 class SimpleListener
: public IPC::Listener
{
120 SimpleListener() : other_(NULL
) {
122 void Init(IPC::Sender
* s
) {
130 FUZZER_ROUTING_ID
= 5
133 // The fuzzer server class. It runs in a child process and expects
134 // only two IPC calls; after that it exits the message loop which
135 // terminates the child process.
136 class FuzzerServerListener
: public SimpleListener
{
138 FuzzerServerListener() : message_count_(2), pending_messages_(0) {
140 bool OnMessageReceived(const IPC::Message
& msg
) override
{
141 if (msg
.routing_id() == MSG_ROUTING_CONTROL
) {
143 IPC_BEGIN_MESSAGE_MAP(FuzzerServerListener
, msg
)
144 IPC_MESSAGE_HANDLER(MsgClassIS
, OnMsgClassISMessage
)
145 IPC_MESSAGE_HANDLER(MsgClassSI
, OnMsgClassSIMessage
)
146 IPC_END_MESSAGE_MAP()
147 if (pending_messages_
) {
148 // Probably a problem de-serializing the message.
149 ReplyMsgNotHandled(msg
.type());
156 void OnMsgClassISMessage(int value
, const base::string16
& text
) {
157 UseData(MsgClassIS::ID
, value
, text
);
158 RoundtripAckReply(FUZZER_ROUTING_ID
, MsgClassIS::ID
, value
);
162 void OnMsgClassSIMessage(const base::string16
& text
, int value
) {
163 UseData(MsgClassSI::ID
, value
, text
);
164 RoundtripAckReply(FUZZER_ROUTING_ID
, MsgClassSI::ID
, value
);
168 bool RoundtripAckReply(int routing
, uint32 type_id
, int reply
) {
169 IPC::Message
* message
= new IPC::Message(routing
, type_id
,
170 IPC::Message::PRIORITY_NORMAL
);
171 message
->WriteInt(reply
+ 1);
172 message
->WriteInt(reply
);
173 return other_
->Send(message
);
179 if (0 == message_count_
)
180 base::MessageLoop::current()->Quit();
183 void ReplyMsgNotHandled(uint32 type_id
) {
184 RoundtripAckReply(FUZZER_ROUTING_ID
, MsgUnhandled::ID
, type_id
);
188 void UseData(int caller
, int value
, const base::string16
& text
) {
189 std::ostringstream os
;
190 os
<< "IPC fuzzer:" << caller
<< " [" << value
<< " "
191 << base::UTF16ToUTF8(text
) << "]\n";
192 std::string output
= os
.str();
193 LOG(WARNING
) << output
;
197 int pending_messages_
;
200 class FuzzerClientListener
: public SimpleListener
{
202 FuzzerClientListener() : last_msg_(NULL
) {
205 bool OnMessageReceived(const IPC::Message
& msg
) override
{
206 last_msg_
= new IPC::Message(msg
);
207 base::MessageLoop::current()->Quit();
211 bool ExpectMessage(int value
, uint32 type_id
) {
212 if (!MsgHandlerInternal(type_id
))
216 base::PickleIterator
iter(*last_msg_
);
217 if (!iter
.ReadInt(&msg_value1
))
219 if (!iter
.ReadInt(&msg_value2
))
221 if ((msg_value2
+ 1) != msg_value1
)
223 if (msg_value2
!= value
)
231 bool ExpectMsgNotHandled(uint32 type_id
) {
232 return ExpectMessage(type_id
, MsgUnhandled::ID
);
236 bool MsgHandlerInternal(uint32 type_id
) {
237 base::MessageLoop::current()->Run();
238 if (NULL
== last_msg_
)
240 if (FUZZER_ROUTING_ID
!= last_msg_
->routing_id())
242 return (type_id
== last_msg_
->type());
245 IPC::Message
* last_msg_
;
248 // Runs the fuzzing server child mode. Returns when the preset number of
249 // messages have been received.
250 MULTIPROCESS_IPC_TEST_CLIENT_MAIN(FuzzServerClient
) {
251 base::MessageLoopForIO main_message_loop
;
252 FuzzerServerListener listener
;
253 scoped_ptr
<IPC::Channel
> channel(IPC::Channel::CreateClient(
254 IPCTestBase::GetChannelName("FuzzServerClient"),
256 CHECK(channel
->Connect());
257 listener
.Init(channel
.get());
258 base::MessageLoop::current()->Run();
262 class IPCFuzzingTest
: public IPCTestBase
{
265 // This test makes sure that the FuzzerClientListener and FuzzerServerListener
266 // are working properly by generating two well formed IPC calls.
267 TEST_F(IPCFuzzingTest
, SanityTest
) {
268 Init("FuzzServerClient");
270 FuzzerClientListener listener
;
271 CreateChannel(&listener
);
272 listener
.Init(channel());
273 ASSERT_TRUE(ConnectChannel());
274 ASSERT_TRUE(StartClient());
276 IPC::Message
* msg
= NULL
;
278 msg
= new MsgClassIS(value
, base::ASCIIToUTF16("expect 43"));
280 EXPECT_TRUE(listener
.ExpectMessage(value
, MsgClassIS::ID
));
282 msg
= new MsgClassSI(base::ASCIIToUTF16("expect 44"), ++value
);
284 EXPECT_TRUE(listener
.ExpectMessage(value
, MsgClassSI::ID
));
286 EXPECT_TRUE(WaitForClientShutdown());
290 // This test uses a payload that is smaller than expected. This generates an
291 // error while unpacking the IPC buffer which in debug trigger an assertion and
292 // in release is ignored (!). Right after we generate another valid IPC to make
293 // sure framing is working properly.
294 #if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON)
295 TEST_F(IPCFuzzingTest
, MsgBadPayloadShort
) {
296 Init("FuzzServerClient");
298 FuzzerClientListener listener
;
299 CreateChannel(&listener
);
300 listener
.Init(channel());
301 ASSERT_TRUE(ConnectChannel());
302 ASSERT_TRUE(StartClient());
304 IPC::Message
* msg
= new IPC::Message(MSG_ROUTING_CONTROL
, MsgClassIS::ID
,
305 IPC::Message::PRIORITY_NORMAL
);
308 EXPECT_TRUE(listener
.ExpectMsgNotHandled(MsgClassIS::ID
));
310 msg
= new MsgClassSI(base::ASCIIToUTF16("expect one"), 1);
312 EXPECT_TRUE(listener
.ExpectMessage(1, MsgClassSI::ID
));
314 EXPECT_TRUE(WaitForClientShutdown());
319 // This test uses a payload that has too many arguments, but so the payload size
320 // is big enough so the unpacking routine does not generate an error as in the
321 // case of MsgBadPayloadShort test. This test does not pinpoint a flaw (per se)
322 // as by design we don't carry type information on the IPC message.
323 TEST_F(IPCFuzzingTest
, MsgBadPayloadArgs
) {
324 Init("FuzzServerClient");
326 FuzzerClientListener listener
;
327 CreateChannel(&listener
);
328 listener
.Init(channel());
329 ASSERT_TRUE(ConnectChannel());
330 ASSERT_TRUE(StartClient());
332 IPC::Message
* msg
= new IPC::Message(MSG_ROUTING_CONTROL
, MsgClassSI::ID
,
333 IPC::Message::PRIORITY_NORMAL
);
334 msg
->WriteString16(base::ASCIIToUTF16("d"));
336 msg
->WriteInt(0x65); // Extra argument.
339 EXPECT_TRUE(listener
.ExpectMessage(0, MsgClassSI::ID
));
341 // Now send a well formed message to make sure the receiver wasn't
342 // thrown out of sync by the extra argument.
343 msg
= new MsgClassIS(3, base::ASCIIToUTF16("expect three"));
345 EXPECT_TRUE(listener
.ExpectMessage(3, MsgClassIS::ID
));
347 EXPECT_TRUE(WaitForClientShutdown());