search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
WebKit Roll 77251:77261.
[chromium-blink-merge.git] / ipc / ipc_fuzzing_tests.cc
blob7c96587c02d77e66483aab6ba440d1a832235ffb
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <stdio.h>
6 #include <string>
7 #include <sstream>
8
9 #include "base/message_loop.h"
10 #include "base/process_util.h"
11 #include "base/threading/platform_thread.h"
12 #include "ipc/ipc_channel.h"
13 #include "ipc/ipc_channel_proxy.h"
14 #include "ipc/ipc_message_utils.h"
15 #include "ipc/ipc_message_utils_impl.h"
16 #include "ipc/ipc_tests.h"
17 #include "testing/gtest/include/gtest/gtest.h"
18 #include "testing/multiprocess_func_list.h"
19
20 TEST(IPCMessageIntegrity, ReadBeyondBufferStr) {
21 //This was BUG 984408.
22 uint32 v1 = kuint32max - 1;
23 int v2 = 666;
24 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
25 EXPECT_TRUE(m.WriteInt(v1));
26 EXPECT_TRUE(m.WriteInt(v2));
27
28 void* iter = NULL;
29 std::string vs;
30 EXPECT_FALSE(m.ReadString(&iter, &vs));
31 }
32
33 TEST(IPCMessageIntegrity, ReadBeyondBufferWStr) {
34 //This was BUG 984408.
35 uint32 v1 = kuint32max - 1;
36 int v2 = 777;
37 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
38 EXPECT_TRUE(m.WriteInt(v1));
39 EXPECT_TRUE(m.WriteInt(v2));
40
41 void* iter = NULL;
42 std::wstring vs;
43 EXPECT_FALSE(m.ReadWString(&iter, &vs));
44 }
45
46 TEST(IPCMessageIntegrity, ReadBytesBadIterator) {
47 // This was BUG 1035467.
48 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
49 EXPECT_TRUE(m.WriteInt(1));
50 EXPECT_TRUE(m.WriteInt(2));
51
52 void* iter = NULL;
53 const char* data = NULL;
54 EXPECT_TRUE(m.ReadBytes(&iter, &data, sizeof(int)));
55 }
56
57 TEST(IPCMessageIntegrity, ReadVectorNegativeSize) {
58 // A slight variation of BUG 984408. Note that the pickling of vector<char>
59 // has a specialized template which is not vulnerable to this bug. So here
60 // try to hit the non-specialized case vector<P>.
61 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
62 EXPECT_TRUE(m.WriteInt(-1)); // This is the count of elements.
63 EXPECT_TRUE(m.WriteInt(1));
64 EXPECT_TRUE(m.WriteInt(2));
65 EXPECT_TRUE(m.WriteInt(3));
66
67 std::vector<double> vec;
68 void* iter = 0;
69 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
70 }
71
72 TEST(IPCMessageIntegrity, ReadVectorTooLarge1) {
73 // This was BUG 1006367. This is the large but positive length case. Again
74 // we try to hit the non-specialized case vector<P>.
75 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
76 EXPECT_TRUE(m.WriteInt(0x21000003)); // This is the count of elements.
77 EXPECT_TRUE(m.WriteInt64(1));
78 EXPECT_TRUE(m.WriteInt64(2));
79
80 std::vector<int64> vec;
81 void* iter = 0;
82 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
83 }
84
85 TEST(IPCMessageIntegrity, ReadVectorTooLarge2) {
86 // This was BUG 1006367. This is the large but positive with an additional
87 // integer overflow when computing the actual byte size. Again we try to hit
88 // the non-specialized case vector<P>.
89 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
90 EXPECT_TRUE(m.WriteInt(0x71000000)); // This is the count of elements.
91 EXPECT_TRUE(m.WriteInt64(1));
92 EXPECT_TRUE(m.WriteInt64(2));
93
94 std::vector<int64> vec;
95 void* iter = 0;
96 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
97 }
98
99 // We don't actually use the messages defined in this file, but we do this
100 // to get to the IPC macros.
101 #include "ipc/ipc_sync_message_unittest.h"
102
103 enum IPCMessageIds {
104 UNUSED_IPC_TYPE,
105 SERVER_FIRST_IPC_TYPE, // 1st Test message tag.
106 SERVER_SECOND_IPC_TYPE, // 2nd Test message tag.
107 SERVER_THIRD_IPC_TYPE, // 3rd Test message tag.
108 CLIENT_MALFORMED_IPC, // Sent to client if server detects bad message.
109 CLIENT_UNHANDLED_IPC // Sent to client if server detects unhanded IPC.
110 };
111
112 // Generic message class that is an int followed by a wstring.
113 class MsgClassIS : public IPC::MessageWithTuple< Tuple2<int, std::wstring> > {
114 public:
115 enum { ID = SERVER_FIRST_IPC_TYPE };
116 MsgClassIS(const int& arg1, const std::wstring& arg2)
117 : IPC::MessageWithTuple< Tuple2<int, std::wstring> >(
118 MSG_ROUTING_CONTROL, ID, MakeRefTuple(arg1, arg2)) {}
119 };
120
121 // Generic message class that is a wstring followed by an int.
122 class MsgClassSI : public IPC::MessageWithTuple< Tuple2<std::wstring, int> > {
123 public:
124 enum { ID = SERVER_SECOND_IPC_TYPE };
125 MsgClassSI(const std::wstring& arg1, const int& arg2)
126 : IPC::MessageWithTuple< Tuple2<std::wstring, int> >(
127 MSG_ROUTING_CONTROL, ID, MakeRefTuple(arg1, arg2)) {}
128 };
129
130 // Message to create a mutex in the IPC server, using the received name.
131 class MsgDoMutex : public IPC::MessageWithTuple< Tuple2<std::wstring, int> > {
132 public:
133 enum { ID = SERVER_THIRD_IPC_TYPE };
134 MsgDoMutex(const std::wstring& mutex_name, const int& unused)
135 : IPC::MessageWithTuple< Tuple2<std::wstring, int> >(
136 MSG_ROUTING_CONTROL, ID, MakeRefTuple(mutex_name, unused)) {}
137 };
138
139 class SimpleListener : public IPC::Channel::Listener {
140 public:
141 SimpleListener() : other_(NULL) {
142 }
143 void Init(IPC::Message::Sender* s) {
144 other_ = s;
145 }
146 protected:
147 IPC::Message::Sender* other_;
148 };
149
150 enum {
151 FUZZER_ROUTING_ID = 5
152 };
153
154 // The fuzzer server class. It runs in a child process and expects
155 // only two IPC calls; after that it exits the message loop which
156 // terminates the child process.
157 class FuzzerServerListener : public SimpleListener {
158 public:
159 FuzzerServerListener() : message_count_(2), pending_messages_(0) {
160 }
161 virtual bool OnMessageReceived(const IPC::Message& msg) {
162 if (msg.routing_id() == MSG_ROUTING_CONTROL) {
163 ++pending_messages_;
164 IPC_BEGIN_MESSAGE_MAP(FuzzerServerListener, msg)
165 IPC_MESSAGE_HANDLER(MsgClassIS, OnMsgClassISMessage)
166 IPC_MESSAGE_HANDLER(MsgClassSI, OnMsgClassSIMessage)
167 IPC_END_MESSAGE_MAP()
168 if (pending_messages_) {
169 // Probably a problem de-serializing the message.
170 ReplyMsgNotHandled(msg.type());
171 }
172 }
173 return true;
174 }
175
176 private:
177 void OnMsgClassISMessage(int value, const std::wstring& text) {
178 UseData(MsgClassIS::ID, value, text);
179 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassIS::ID, value);
180 Cleanup();
181 }
182
183 void OnMsgClassSIMessage(const std::wstring& text, int value) {
184 UseData(MsgClassSI::ID, value, text);
185 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassSI::ID, value);
186 Cleanup();
187 }
188
189 bool RoundtripAckReply(int routing, uint32 type_id, int reply) {
190 IPC::Message* message = new IPC::Message(routing, type_id,
191 IPC::Message::PRIORITY_NORMAL);
192 message->WriteInt(reply + 1);
193 message->WriteInt(reply);
194 return other_->Send(message);
195 }
196
197 void Cleanup() {
198 --message_count_;
199 --pending_messages_;
200 if (0 == message_count_)
201 MessageLoop::current()->Quit();
202 }
203
204 void ReplyMsgNotHandled(uint32 type_id) {
205 RoundtripAckReply(FUZZER_ROUTING_ID, CLIENT_UNHANDLED_IPC, type_id);
206 Cleanup();
207 }
208
209 void UseData(int caller, int value, const std::wstring& text) {
210 std::wostringstream wos;
211 wos << L"IPC fuzzer:" << caller << " [" << value << L" " << text << L"]\n";
212 std::wstring output = wos.str();
213 LOG(WARNING) << output.c_str();
214 };
215
216 int message_count_;
217 int pending_messages_;
218 };
219
220 class FuzzerClientListener : public SimpleListener {
221 public:
222 FuzzerClientListener() : last_msg_(NULL) {
223 }
224
225 virtual bool OnMessageReceived(const IPC::Message& msg) {
226 last_msg_ = new IPC::Message(msg);
227 MessageLoop::current()->Quit();
228 return true;
229 }
230
231 bool ExpectMessage(int value, uint32 type_id) {
232 if (!MsgHandlerInternal(type_id))
233 return false;
234 int msg_value1 = 0;
235 int msg_value2 = 0;
236 void* iter = NULL;
237 if (!last_msg_->ReadInt(&iter, &msg_value1))
238 return false;
239 if (!last_msg_->ReadInt(&iter, &msg_value2))
240 return false;
241 if ((msg_value2 + 1) != msg_value1)
242 return false;
243 if (msg_value2 != value)
244 return false;
245
246 delete last_msg_;
247 last_msg_ = NULL;
248 return true;
249 }
250
251 bool ExpectMsgNotHandled(uint32 type_id) {
252 return ExpectMessage(type_id, CLIENT_UNHANDLED_IPC);
253 }
254
255 private:
256 bool MsgHandlerInternal(uint32 type_id) {
257 MessageLoop::current()->Run();
258 if (NULL == last_msg_)
259 return false;
260 if (FUZZER_ROUTING_ID != last_msg_->routing_id())
261 return false;
262 return (type_id == last_msg_->type());
263 };
264
265 IPC::Message* last_msg_;
266 };
267
268 // Runs the fuzzing server child mode. Returns when the preset number
269 // of messages have been received.
270 MULTIPROCESS_TEST_MAIN(RunFuzzServer) {
271 MessageLoopForIO main_message_loop;
272 FuzzerServerListener listener;
273 IPC::Channel chan(kFuzzerChannel, IPC::Channel::MODE_CLIENT, &listener);
274 CHECK(chan.Connect());
275 listener.Init(&chan);
276 MessageLoop::current()->Run();
277 return 0;
278 }
279
280 class IPCFuzzingTest : public IPCChannelTest {
281 };
282
283 // This test makes sure that the FuzzerClientListener and FuzzerServerListener
284 // are working properly by generating two well formed IPC calls.
285 TEST_F(IPCFuzzingTest, SanityTest) {
286 FuzzerClientListener listener;
287 IPC::Channel chan(kFuzzerChannel, IPC::Channel::MODE_SERVER,
288 &listener);
289 base::ProcessHandle server_process = SpawnChild(FUZZER_SERVER, &chan);
290 ASSERT_TRUE(server_process);
291 base::PlatformThread::Sleep(1000);
292 ASSERT_TRUE(chan.Connect());
293 listener.Init(&chan);
294
295 IPC::Message* msg = NULL;
296 int value = 43;
297 msg = new MsgClassIS(value, L"expect 43");
298 chan.Send(msg);
299 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassIS::ID));
300
301 msg = new MsgClassSI(L"expect 44", ++value);
302 chan.Send(msg);
303 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassSI::ID));
304
305 EXPECT_TRUE(base::WaitForSingleProcess(server_process, 5000));
306 base::CloseProcessHandle(server_process);
307 }
308
309 // This test uses a payload that is smaller than expected.
310 // This generates an error while unpacking the IPC buffer which in
311 // In debug this triggers an assertion and in release it is ignored(!!). Right
312 // after we generate another valid IPC to make sure framing is working
313 // properly.
314 #ifdef NDEBUG
315 TEST_F(IPCFuzzingTest, MsgBadPayloadShort) {
316 FuzzerClientListener listener;
317 IPC::Channel chan(kFuzzerChannel, IPC::Channel::MODE_SERVER,
318 &listener);
319 base::ProcessHandle server_process = SpawnChild(FUZZER_SERVER, &chan);
320 ASSERT_TRUE(server_process);
321 base::PlatformThread::Sleep(1000);
322 ASSERT_TRUE(chan.Connect());
323 listener.Init(&chan);
324
325 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID,
326 IPC::Message::PRIORITY_NORMAL);
327 msg->WriteInt(666);
328 chan.Send(msg);
329 EXPECT_TRUE(listener.ExpectMsgNotHandled(MsgClassIS::ID));
330
331 msg = new MsgClassSI(L"expect one", 1);
332 chan.Send(msg);
333 EXPECT_TRUE(listener.ExpectMessage(1, MsgClassSI::ID));
334
335 EXPECT_TRUE(base::WaitForSingleProcess(server_process, 5000));
336 base::CloseProcessHandle(server_process);
337 }
338 #endif // NDEBUG
339
340 // This test uses a payload that has too many arguments, but so the payload
341 // size is big enough so the unpacking routine does not generate an error as
342 // in the case of MsgBadPayloadShort test.
343 // This test does not pinpoint a flaw (per se) as by design we don't carry
344 // type information on the IPC message.
345 TEST_F(IPCFuzzingTest, MsgBadPayloadArgs) {
346 FuzzerClientListener listener;
347 IPC::Channel chan(kFuzzerChannel, IPC::Channel::MODE_SERVER,
348 &listener);
349 base::ProcessHandle server_process = SpawnChild(FUZZER_SERVER, &chan);
350 ASSERT_TRUE(server_process);
351 base::PlatformThread::Sleep(1000);
352 ASSERT_TRUE(chan.Connect());
353 listener.Init(&chan);
354
355 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID,
356 IPC::Message::PRIORITY_NORMAL);
357 msg->WriteWString(L"d");
358 msg->WriteInt(0);
359 msg->WriteInt(0x65); // Extra argument.
360
361 chan.Send(msg);
362 EXPECT_TRUE(listener.ExpectMessage(0, MsgClassSI::ID));
363
364 // Now send a well formed message to make sure the receiver wasn't
365 // thrown out of sync by the extra argument.
366 msg = new MsgClassIS(3, L"expect three");
367 chan.Send(msg);
368 EXPECT_TRUE(listener.ExpectMessage(3, MsgClassIS::ID));
369
370 EXPECT_TRUE(base::WaitForSingleProcess(server_process, 5000));
371 base::CloseProcessHandle(server_process);
372 }
373
374 // This class is for testing the IPC_BEGIN_MESSAGE_MAP_EX macros.
375 class ServerMacroExTest {
376 public:
377 ServerMacroExTest() : unhandled_msgs_(0) {
378 }
379 virtual ~ServerMacroExTest() {
380 }
381 virtual bool OnMessageReceived(const IPC::Message& msg) {
382 bool msg_is_ok = false;
383 IPC_BEGIN_MESSAGE_MAP_EX(ServerMacroExTest, msg, msg_is_ok)
384 IPC_MESSAGE_HANDLER(MsgClassIS, OnMsgClassISMessage)
385 IPC_MESSAGE_HANDLER(MsgClassSI, OnMsgClassSIMessage)
386 IPC_MESSAGE_UNHANDLED(++unhandled_msgs_)
387 IPC_END_MESSAGE_MAP_EX()
388 return msg_is_ok;
389 }
390
391 int unhandled_msgs() const {
392 return unhandled_msgs_;
393 }
394
395 private:
396 void OnMsgClassISMessage(int value, const std::wstring& text) {
397 }
398 void OnMsgClassSIMessage(const std::wstring& text, int value) {
399 }
400
401 int unhandled_msgs_;
402 };
403
404 TEST_F(IPCFuzzingTest, MsgMapExMacro) {
405 IPC::Message* msg = NULL;
406 ServerMacroExTest server;
407
408 // Test the regular messages.
409 msg = new MsgClassIS(3, L"text3");
410 EXPECT_TRUE(server.OnMessageReceived(*msg));
411 delete msg;
412 msg = new MsgClassSI(L"text2", 2);
413 EXPECT_TRUE(server.OnMessageReceived(*msg));
414 delete msg;
415
416 #ifdef NDEBUG
417 // Test a bad message.
418 msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID,
419 IPC::Message::PRIORITY_NORMAL);
420 msg->WriteInt(2);
421 EXPECT_FALSE(server.OnMessageReceived(*msg));
422 delete msg;
423
424 msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID,
425 IPC::Message::PRIORITY_NORMAL);
426 msg->WriteInt(0x64);
427 msg->WriteInt(0x32);
428 EXPECT_FALSE(server.OnMessageReceived(*msg));
429 delete msg;
430
431 EXPECT_EQ(0, server.unhandled_msgs());
432 #endif
433 }