net/spdy/fuzzing/hpack_fuzz_util.h

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_SPDY_FUZZING_HPACK_FUZZ_UTIL_H_
   6 #define NET_SPDY_FUZZING_HPACK_FUZZ_UTIL_H_
   7
   8 #include <string>
   9 #include <vector>
  10
  11 #include "base/memory/scoped_ptr.h"
  12 #include "base/strings/string_piece.h"
  13 #include "net/base/net_export.h"
  14 #include "net/spdy/hpack_decoder.h"
  15 #include "net/spdy/hpack_encoder.h"
  16
  17 namespace net {
  18
  19 class NET_EXPORT_PRIVATE HpackFuzzUtil {
  20  public:
  21   // A GeneratorContext holds ordered header names & values which are
  22   // initially seeded and then expanded with dynamically generated data.
  23   struct NET_EXPORT_PRIVATE GeneratorContext {
  24     GeneratorContext();
  25     ~GeneratorContext();
  26     std::vector<std::string> names;
  27     std::vector<std::string> values;
  28   };
  29
  30   // Initializes a GeneratorContext with a random seed and name/value fixtures.
  31   static void InitializeGeneratorContext(GeneratorContext* context);
  32
  33   // Generates a header set from the generator context.
  34   static std::map<std::string, std::string> NextGeneratedHeaderSet(
  35       GeneratorContext* context);
  36
  37   // Samples a size from the exponential distribution with mean |mean|,
  38   // upper-bounded by |sanity_bound|.
  39   static size_t SampleExponential(size_t mean, size_t sanity_bound);
  40
  41   // Holds an input string, and manages an offset into that string.
  42   struct NET_EXPORT_PRIVATE Input {
  43     Input();  // Initializes |offset| to zero.
  44     ~Input();
  45
  46     size_t remaining() {
  47       return input.size() - offset;
  48     }
  49     const char* ptr() {
  50       return input.data() + offset;
  51     }
  52
  53     std::string input;
  54     size_t offset;
  55   };
  56
  57   // Returns true if the next header block was set at |out|. Returns
  58   // false if no input header blocks remain.
  59   static bool NextHeaderBlock(Input* input, base::StringPiece* out);
  60
  61   // Returns the serialized header block length prefix for a block of
  62   // |block_size| bytes.
  63   static std::string HeaderBlockPrefix(size_t block_size);
  64
  65   // A FuzzerContext holds fuzzer input, as well as each of the decoder and
  66   // encoder stages which fuzzed header blocks are processed through.
  67   struct NET_EXPORT_PRIVATE FuzzerContext {
  68     FuzzerContext();
  69     ~FuzzerContext();
  70     scoped_ptr<HpackDecoder> first_stage;
  71     scoped_ptr<HpackEncoder> second_stage;
  72     scoped_ptr<HpackDecoder> third_stage;
  73   };
  74
  75   static void InitializeFuzzerContext(FuzzerContext* context);
  76
  77   // Runs |input_block| through |first_stage| and, iff that succeeds,
  78   // |second_stage| and |third_stage| as well. Returns whether all stages
  79   // processed the input without error.
  80   static bool RunHeaderBlockThroughFuzzerStages(FuzzerContext* context,
  81                                                 base::StringPiece input_block);
  82
  83   // Flips random bits within |buffer|. The total number of flips is
  84   // |flip_per_thousand| bits for every 1,024 bytes of |buffer_length|,
  85   // rounding up.
  86   static void FlipBits(uint8* buffer,
  87                        size_t buffer_length,
  88                        size_t flip_per_thousand);
  89 };
  90
  91 }  // namespace net
  92
  93 #endif  // NET_SPDY_FUZZING_HPACK_FUZZ_UTIL_H_