Fixes crash in HTMLDocument
[chromium-blink-merge.git] / ipc / ipc_fuzzing_tests.cc
blobc19d84220b60f9d189b5811b9cbdcaa6e5b4ca32
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include <stdio.h>
6 #include <string>
7 #include <sstream>
9 #include "base/message_loop/message_loop.h"
10 #include "base/strings/string16.h"
11 #include "base/strings/utf_string_conversions.h"
12 #include "base/threading/platform_thread.h"
13 #include "ipc/ipc_test_base.h"
14 #include "testing/gtest/include/gtest/gtest.h"
16 // IPC messages for testing ----------------------------------------------------
18 #define IPC_MESSAGE_IMPL
19 #include "ipc/ipc_message_macros.h"
21 #define IPC_MESSAGE_START TestMsgStart
23 // Generic message class that is an int followed by a string16.
24 IPC_MESSAGE_CONTROL2(MsgClassIS, int, base::string16)
26 // Generic message class that is a string16 followed by an int.
27 IPC_MESSAGE_CONTROL2(MsgClassSI, base::string16, int)
29 // Message to create a mutex in the IPC server, using the received name.
30 IPC_MESSAGE_CONTROL2(MsgDoMutex, base::string16, int)
32 // Used to generate an ID for a message that should not exist.
33 IPC_MESSAGE_CONTROL0(MsgUnhandled)
35 // -----------------------------------------------------------------------------
37 namespace {
39 TEST(IPCMessageIntegrity, ReadBeyondBufferStr) {
40 // This was BUG 984408.
41 uint32 v1 = kuint32max - 1;
42 int v2 = 666;
43 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
44 EXPECT_TRUE(m.WriteInt(v1));
45 EXPECT_TRUE(m.WriteInt(v2));
47 base::PickleIterator iter(m);
48 std::string vs;
49 EXPECT_FALSE(iter.ReadString(&vs));
52 TEST(IPCMessageIntegrity, ReadBeyondBufferStr16) {
53 // This was BUG 984408.
54 uint32 v1 = kuint32max - 1;
55 int v2 = 777;
56 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
57 EXPECT_TRUE(m.WriteInt(v1));
58 EXPECT_TRUE(m.WriteInt(v2));
60 base::PickleIterator iter(m);
61 base::string16 vs;
62 EXPECT_FALSE(iter.ReadString16(&vs));
65 TEST(IPCMessageIntegrity, ReadBytesBadIterator) {
66 // This was BUG 1035467.
67 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
68 EXPECT_TRUE(m.WriteInt(1));
69 EXPECT_TRUE(m.WriteInt(2));
71 base::PickleIterator iter(m);
72 const char* data = NULL;
73 EXPECT_TRUE(iter.ReadBytes(&data, sizeof(int)));
76 TEST(IPCMessageIntegrity, ReadVectorNegativeSize) {
77 // A slight variation of BUG 984408. Note that the pickling of vector<char>
78 // has a specialized template which is not vulnerable to this bug. So here
79 // try to hit the non-specialized case vector<P>.
80 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
81 EXPECT_TRUE(m.WriteInt(-1)); // This is the count of elements.
82 EXPECT_TRUE(m.WriteInt(1));
83 EXPECT_TRUE(m.WriteInt(2));
84 EXPECT_TRUE(m.WriteInt(3));
86 std::vector<double> vec;
87 base::PickleIterator iter(m);
88 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
91 TEST(IPCMessageIntegrity, ReadVectorTooLarge1) {
92 // This was BUG 1006367. This is the large but positive length case. Again
93 // we try to hit the non-specialized case vector<P>.
94 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
95 EXPECT_TRUE(m.WriteInt(0x21000003)); // This is the count of elements.
96 EXPECT_TRUE(m.WriteInt64(1));
97 EXPECT_TRUE(m.WriteInt64(2));
99 std::vector<int64> vec;
100 base::PickleIterator iter(m);
101 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
104 TEST(IPCMessageIntegrity, ReadVectorTooLarge2) {
105 // This was BUG 1006367. This is the large but positive with an additional
106 // integer overflow when computing the actual byte size. Again we try to hit
107 // the non-specialized case vector<P>.
108 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
109 EXPECT_TRUE(m.WriteInt(0x71000000)); // This is the count of elements.
110 EXPECT_TRUE(m.WriteInt64(1));
111 EXPECT_TRUE(m.WriteInt64(2));
113 std::vector<int64> vec;
114 base::PickleIterator iter(m);
115 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
118 class SimpleListener : public IPC::Listener {
119 public:
120 SimpleListener() : other_(NULL) {
122 void Init(IPC::Sender* s) {
123 other_ = s;
125 protected:
126 IPC::Sender* other_;
129 enum {
130 FUZZER_ROUTING_ID = 5
133 // The fuzzer server class. It runs in a child process and expects
134 // only two IPC calls; after that it exits the message loop which
135 // terminates the child process.
136 class FuzzerServerListener : public SimpleListener {
137 public:
138 FuzzerServerListener() : message_count_(2), pending_messages_(0) {
140 bool OnMessageReceived(const IPC::Message& msg) override {
141 if (msg.routing_id() == MSG_ROUTING_CONTROL) {
142 ++pending_messages_;
143 IPC_BEGIN_MESSAGE_MAP(FuzzerServerListener, msg)
144 IPC_MESSAGE_HANDLER(MsgClassIS, OnMsgClassISMessage)
145 IPC_MESSAGE_HANDLER(MsgClassSI, OnMsgClassSIMessage)
146 IPC_END_MESSAGE_MAP()
147 if (pending_messages_) {
148 // Probably a problem de-serializing the message.
149 ReplyMsgNotHandled(msg.type());
152 return true;
155 private:
156 void OnMsgClassISMessage(int value, const base::string16& text) {
157 UseData(MsgClassIS::ID, value, text);
158 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassIS::ID, value);
159 Cleanup();
162 void OnMsgClassSIMessage(const base::string16& text, int value) {
163 UseData(MsgClassSI::ID, value, text);
164 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassSI::ID, value);
165 Cleanup();
168 bool RoundtripAckReply(int routing, uint32 type_id, int reply) {
169 IPC::Message* message = new IPC::Message(routing, type_id,
170 IPC::Message::PRIORITY_NORMAL);
171 message->WriteInt(reply + 1);
172 message->WriteInt(reply);
173 return other_->Send(message);
176 void Cleanup() {
177 --message_count_;
178 --pending_messages_;
179 if (0 == message_count_)
180 base::MessageLoop::current()->Quit();
183 void ReplyMsgNotHandled(uint32 type_id) {
184 RoundtripAckReply(FUZZER_ROUTING_ID, MsgUnhandled::ID, type_id);
185 Cleanup();
188 void UseData(int caller, int value, const base::string16& text) {
189 std::ostringstream os;
190 os << "IPC fuzzer:" << caller << " [" << value << " "
191 << base::UTF16ToUTF8(text) << "]\n";
192 std::string output = os.str();
193 LOG(WARNING) << output;
196 int message_count_;
197 int pending_messages_;
200 class FuzzerClientListener : public SimpleListener {
201 public:
202 FuzzerClientListener() : last_msg_(NULL) {
205 bool OnMessageReceived(const IPC::Message& msg) override {
206 last_msg_ = new IPC::Message(msg);
207 base::MessageLoop::current()->Quit();
208 return true;
211 bool ExpectMessage(int value, uint32 type_id) {
212 if (!MsgHandlerInternal(type_id))
213 return false;
214 int msg_value1 = 0;
215 int msg_value2 = 0;
216 base::PickleIterator iter(*last_msg_);
217 if (!iter.ReadInt(&msg_value1))
218 return false;
219 if (!iter.ReadInt(&msg_value2))
220 return false;
221 if ((msg_value2 + 1) != msg_value1)
222 return false;
223 if (msg_value2 != value)
224 return false;
226 delete last_msg_;
227 last_msg_ = NULL;
228 return true;
231 bool ExpectMsgNotHandled(uint32 type_id) {
232 return ExpectMessage(type_id, MsgUnhandled::ID);
235 private:
236 bool MsgHandlerInternal(uint32 type_id) {
237 base::MessageLoop::current()->Run();
238 if (NULL == last_msg_)
239 return false;
240 if (FUZZER_ROUTING_ID != last_msg_->routing_id())
241 return false;
242 return (type_id == last_msg_->type());
245 IPC::Message* last_msg_;
248 // Runs the fuzzing server child mode. Returns when the preset number of
249 // messages have been received.
250 MULTIPROCESS_IPC_TEST_CLIENT_MAIN(FuzzServerClient) {
251 base::MessageLoopForIO main_message_loop;
252 FuzzerServerListener listener;
253 scoped_ptr<IPC::Channel> channel(IPC::Channel::CreateClient(
254 IPCTestBase::GetChannelName("FuzzServerClient"),
255 &listener));
256 CHECK(channel->Connect());
257 listener.Init(channel.get());
258 base::MessageLoop::current()->Run();
259 return 0;
262 class IPCFuzzingTest : public IPCTestBase {
265 // This test makes sure that the FuzzerClientListener and FuzzerServerListener
266 // are working properly by generating two well formed IPC calls.
267 TEST_F(IPCFuzzingTest, SanityTest) {
268 Init("FuzzServerClient");
270 FuzzerClientListener listener;
271 CreateChannel(&listener);
272 listener.Init(channel());
273 ASSERT_TRUE(ConnectChannel());
274 ASSERT_TRUE(StartClient());
276 IPC::Message* msg = NULL;
277 int value = 43;
278 msg = new MsgClassIS(value, base::ASCIIToUTF16("expect 43"));
279 sender()->Send(msg);
280 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassIS::ID));
282 msg = new MsgClassSI(base::ASCIIToUTF16("expect 44"), ++value);
283 sender()->Send(msg);
284 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassSI::ID));
286 EXPECT_TRUE(WaitForClientShutdown());
287 DestroyChannel();
290 // This test uses a payload that is smaller than expected. This generates an
291 // error while unpacking the IPC buffer which in debug trigger an assertion and
292 // in release is ignored (!). Right after we generate another valid IPC to make
293 // sure framing is working properly.
294 #if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON)
295 TEST_F(IPCFuzzingTest, MsgBadPayloadShort) {
296 Init("FuzzServerClient");
298 FuzzerClientListener listener;
299 CreateChannel(&listener);
300 listener.Init(channel());
301 ASSERT_TRUE(ConnectChannel());
302 ASSERT_TRUE(StartClient());
304 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID,
305 IPC::Message::PRIORITY_NORMAL);
306 msg->WriteInt(666);
307 sender()->Send(msg);
308 EXPECT_TRUE(listener.ExpectMsgNotHandled(MsgClassIS::ID));
310 msg = new MsgClassSI(base::ASCIIToUTF16("expect one"), 1);
311 sender()->Send(msg);
312 EXPECT_TRUE(listener.ExpectMessage(1, MsgClassSI::ID));
314 EXPECT_TRUE(WaitForClientShutdown());
315 DestroyChannel();
317 #endif
319 // This test uses a payload that has too many arguments, but so the payload size
320 // is big enough so the unpacking routine does not generate an error as in the
321 // case of MsgBadPayloadShort test. This test does not pinpoint a flaw (per se)
322 // as by design we don't carry type information on the IPC message.
323 TEST_F(IPCFuzzingTest, MsgBadPayloadArgs) {
324 Init("FuzzServerClient");
326 FuzzerClientListener listener;
327 CreateChannel(&listener);
328 listener.Init(channel());
329 ASSERT_TRUE(ConnectChannel());
330 ASSERT_TRUE(StartClient());
332 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID,
333 IPC::Message::PRIORITY_NORMAL);
334 msg->WriteString16(base::ASCIIToUTF16("d"));
335 msg->WriteInt(0);
336 msg->WriteInt(0x65); // Extra argument.
338 sender()->Send(msg);
339 EXPECT_TRUE(listener.ExpectMessage(0, MsgClassSI::ID));
341 // Now send a well formed message to make sure the receiver wasn't
342 // thrown out of sync by the extra argument.
343 msg = new MsgClassIS(3, base::ASCIIToUTF16("expect three"));
344 sender()->Send(msg);
345 EXPECT_TRUE(listener.ExpectMessage(3, MsgClassIS::ID));
347 EXPECT_TRUE(WaitForClientShutdown());
348 DestroyChannel();
351 } // namespace