search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hunspell: Cleanup to fix the header include guards under google/ directory.
[chromium-blink-merge.git] / ipc / ipc_fuzzing_tests.cc
blob5dfddbac2be3d335dc205e474c82105dc235d08c
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <stdio.h>
6 #include <string>
7 #include <sstream>
8
9 #include "base/message_loop/message_loop.h"
10 #include "base/strings/string16.h"
11 #include "base/strings/utf_string_conversions.h"
12 #include "base/threading/platform_thread.h"
13 #include "ipc/ipc_test_base.h"
14 #include "testing/gtest/include/gtest/gtest.h"
15
16 // IPC messages for testing ----------------------------------------------------
17
18 #define IPC_MESSAGE_IMPL
19 #include "ipc/ipc_message_macros.h"
20
21 #define IPC_MESSAGE_START TestMsgStart
22
23 // Generic message class that is an int followed by a string16.
24 IPC_MESSAGE_CONTROL2(MsgClassIS, int, base::string16)
25
26 // Generic message class that is a string16 followed by an int.
27 IPC_MESSAGE_CONTROL2(MsgClassSI, base::string16, int)
28
29 // Message to create a mutex in the IPC server, using the received name.
30 IPC_MESSAGE_CONTROL2(MsgDoMutex, base::string16, int)
31
32 // Used to generate an ID for a message that should not exist.
33 IPC_MESSAGE_CONTROL0(MsgUnhandled)
34
35 // -----------------------------------------------------------------------------
36
37 namespace {
38
39 TEST(IPCMessageIntegrity, ReadBeyondBufferStr) {
40 // This was BUG 984408.
41 uint32 v1 = kuint32max - 1;
42 int v2 = 666;
43 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
44 EXPECT_TRUE(m.WriteInt(v1));
45 EXPECT_TRUE(m.WriteInt(v2));
46
47 base::PickleIterator iter(m);
48 std::string vs;
49 EXPECT_FALSE(iter.ReadString(&vs));
50 }
51
52 TEST(IPCMessageIntegrity, ReadBeyondBufferStr16) {
53 // This was BUG 984408.
54 uint32 v1 = kuint32max - 1;
55 int v2 = 777;
56 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
57 EXPECT_TRUE(m.WriteInt(v1));
58 EXPECT_TRUE(m.WriteInt(v2));
59
60 base::PickleIterator iter(m);
61 base::string16 vs;
62 EXPECT_FALSE(iter.ReadString16(&vs));
63 }
64
65 TEST(IPCMessageIntegrity, ReadBytesBadIterator) {
66 // This was BUG 1035467.
67 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
68 EXPECT_TRUE(m.WriteInt(1));
69 EXPECT_TRUE(m.WriteInt(2));
70
71 base::PickleIterator iter(m);
72 const char* data = NULL;
73 EXPECT_TRUE(iter.ReadBytes(&data, sizeof(int)));
74 }
75
76 TEST(IPCMessageIntegrity, ReadVectorNegativeSize) {
77 // A slight variation of BUG 984408. Note that the pickling of vector<char>
78 // has a specialized template which is not vulnerable to this bug. So here
79 // try to hit the non-specialized case vector<P>.
80 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
81 EXPECT_TRUE(m.WriteInt(-1)); // This is the count of elements.
82 EXPECT_TRUE(m.WriteInt(1));
83 EXPECT_TRUE(m.WriteInt(2));
84 EXPECT_TRUE(m.WriteInt(3));
85
86 std::vector<double> vec;
87 base::PickleIterator iter(m);
88 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
89 }
90
91 #if defined(OS_ANDROID)
92 #define MAYBE_ReadVectorTooLarge1 DISABLED_ReadVectorTooLarge1
93 #else
94 #define MAYBE_ReadVectorTooLarge1 ReadVectorTooLarge1
95 #endif
96 TEST(IPCMessageIntegrity, MAYBE_ReadVectorTooLarge1) {
97 // This was BUG 1006367. This is the large but positive length case. Again
98 // we try to hit the non-specialized case vector<P>.
99 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
100 EXPECT_TRUE(m.WriteInt(0x21000003)); // This is the count of elements.
101 EXPECT_TRUE(m.WriteInt64(1));
102 EXPECT_TRUE(m.WriteInt64(2));
103
104 std::vector<int64> vec;
105 base::PickleIterator iter(m);
106 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
107 }
108
109 TEST(IPCMessageIntegrity, ReadVectorTooLarge2) {
110 // This was BUG 1006367. This is the large but positive with an additional
111 // integer overflow when computing the actual byte size. Again we try to hit
112 // the non-specialized case vector<P>.
113 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
114 EXPECT_TRUE(m.WriteInt(0x71000000)); // This is the count of elements.
115 EXPECT_TRUE(m.WriteInt64(1));
116 EXPECT_TRUE(m.WriteInt64(2));
117
118 std::vector<int64> vec;
119 base::PickleIterator iter(m);
120 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
121 }
122
123 class SimpleListener : public IPC::Listener {
124 public:
125 SimpleListener() : other_(NULL) {
126 }
127 void Init(IPC::Sender* s) {
128 other_ = s;
129 }
130 protected:
131 IPC::Sender* other_;
132 };
133
134 enum {
135 FUZZER_ROUTING_ID = 5
136 };
137
138 // The fuzzer server class. It runs in a child process and expects
139 // only two IPC calls; after that it exits the message loop which
140 // terminates the child process.
141 class FuzzerServerListener : public SimpleListener {
142 public:
143 FuzzerServerListener() : message_count_(2), pending_messages_(0) {
144 }
145 bool OnMessageReceived(const IPC::Message& msg) override {
146 if (msg.routing_id() == MSG_ROUTING_CONTROL) {
147 ++pending_messages_;
148 IPC_BEGIN_MESSAGE_MAP(FuzzerServerListener, msg)
149 IPC_MESSAGE_HANDLER(MsgClassIS, OnMsgClassISMessage)
150 IPC_MESSAGE_HANDLER(MsgClassSI, OnMsgClassSIMessage)
151 IPC_END_MESSAGE_MAP()
152 if (pending_messages_) {
153 // Probably a problem de-serializing the message.
154 ReplyMsgNotHandled(msg.type());
155 }
156 }
157 return true;
158 }
159
160 private:
161 void OnMsgClassISMessage(int value, const base::string16& text) {
162 UseData(MsgClassIS::ID, value, text);
163 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassIS::ID, value);
164 Cleanup();
165 }
166
167 void OnMsgClassSIMessage(const base::string16& text, int value) {
168 UseData(MsgClassSI::ID, value, text);
169 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassSI::ID, value);
170 Cleanup();
171 }
172
173 bool RoundtripAckReply(int routing, uint32 type_id, int reply) {
174 IPC::Message* message = new IPC::Message(routing, type_id,
175 IPC::Message::PRIORITY_NORMAL);
176 message->WriteInt(reply + 1);
177 message->WriteInt(reply);
178 return other_->Send(message);
179 }
180
181 void Cleanup() {
182 --message_count_;
183 --pending_messages_;
184 if (0 == message_count_)
185 base::MessageLoop::current()->Quit();
186 }
187
188 void ReplyMsgNotHandled(uint32 type_id) {
189 RoundtripAckReply(FUZZER_ROUTING_ID, MsgUnhandled::ID, type_id);
190 Cleanup();
191 }
192
193 void UseData(int caller, int value, const base::string16& text) {
194 std::ostringstream os;
195 os << "IPC fuzzer:" << caller << " [" << value << " "
196 << base::UTF16ToUTF8(text) << "]\n";
197 std::string output = os.str();
198 LOG(WARNING) << output;
199 }
200
201 int message_count_;
202 int pending_messages_;
203 };
204
205 class FuzzerClientListener : public SimpleListener {
206 public:
207 FuzzerClientListener() : last_msg_(NULL) {
208 }
209
210 bool OnMessageReceived(const IPC::Message& msg) override {
211 last_msg_ = new IPC::Message(msg);
212 base::MessageLoop::current()->Quit();
213 return true;
214 }
215
216 bool ExpectMessage(int value, uint32 type_id) {
217 if (!MsgHandlerInternal(type_id))
218 return false;
219 int msg_value1 = 0;
220 int msg_value2 = 0;
221 base::PickleIterator iter(*last_msg_);
222 if (!iter.ReadInt(&msg_value1))
223 return false;
224 if (!iter.ReadInt(&msg_value2))
225 return false;
226 if ((msg_value2 + 1) != msg_value1)
227 return false;
228 if (msg_value2 != value)
229 return false;
230
231 delete last_msg_;
232 last_msg_ = NULL;
233 return true;
234 }
235
236 bool ExpectMsgNotHandled(uint32 type_id) {
237 return ExpectMessage(type_id, MsgUnhandled::ID);
238 }
239
240 private:
241 bool MsgHandlerInternal(uint32 type_id) {
242 base::MessageLoop::current()->Run();
243 if (NULL == last_msg_)
244 return false;
245 if (FUZZER_ROUTING_ID != last_msg_->routing_id())
246 return false;
247 return (type_id == last_msg_->type());
248 }
249
250 IPC::Message* last_msg_;
251 };
252
253 // Runs the fuzzing server child mode. Returns when the preset number of
254 // messages have been received.
255 MULTIPROCESS_IPC_TEST_CLIENT_MAIN(FuzzServerClient) {
256 base::MessageLoopForIO main_message_loop;
257 FuzzerServerListener listener;
258 scoped_ptr<IPC::Channel> channel(IPC::Channel::CreateClient(
259 IPCTestBase::GetChannelName("FuzzServerClient"), &listener, nullptr));
260 CHECK(channel->Connect());
261 listener.Init(channel.get());
262 base::MessageLoop::current()->Run();
263 return 0;
264 }
265
266 class IPCFuzzingTest : public IPCTestBase {
267 };
268
269 #if defined(OS_ANDROID)
270 #define MAYBE_SanityTest DISABLED_SanityTest
271 #else
272 #define MAYBE_SanityTest SanityTest
273 #endif
274 // This test makes sure that the FuzzerClientListener and FuzzerServerListener
275 // are working properly by generating two well formed IPC calls.
276 TEST_F(IPCFuzzingTest, MAYBE_SanityTest) {
277 Init("FuzzServerClient");
278
279 FuzzerClientListener listener;
280 CreateChannel(&listener);
281 listener.Init(channel());
282 ASSERT_TRUE(ConnectChannel());
283 ASSERT_TRUE(StartClient());
284
285 IPC::Message* msg = NULL;
286 int value = 43;
287 msg = new MsgClassIS(value, base::ASCIIToUTF16("expect 43"));
288 sender()->Send(msg);
289 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassIS::ID));
290
291 msg = new MsgClassSI(base::ASCIIToUTF16("expect 44"), ++value);
292 sender()->Send(msg);
293 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassSI::ID));
294
295 EXPECT_TRUE(WaitForClientShutdown());
296 DestroyChannel();
297 }
298
299 #if defined(OS_ANDROID)
300 #define MAYBE_MsgBadPayloadShort DISABLED_MsgBadPayloadShort
301 #else
302 #define MAYBE_MsgBadPayloadShort MsgBadPayloadShort
303 #endif
304 // This test uses a payload that is smaller than expected. This generates an
305 // error while unpacking the IPC buffer which in debug trigger an assertion and
306 // in release is ignored (!). Right after we generate another valid IPC to make
307 // sure framing is working properly.
308 #if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON)
309 TEST_F(IPCFuzzingTest, MAYBE_MsgBadPayloadShort) {
310 Init("FuzzServerClient");
311
312 FuzzerClientListener listener;
313 CreateChannel(&listener);
314 listener.Init(channel());
315 ASSERT_TRUE(ConnectChannel());
316 ASSERT_TRUE(StartClient());
317
318 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID,
319 IPC::Message::PRIORITY_NORMAL);
320 msg->WriteInt(666);
321 sender()->Send(msg);
322 EXPECT_TRUE(listener.ExpectMsgNotHandled(MsgClassIS::ID));
323
324 msg = new MsgClassSI(base::ASCIIToUTF16("expect one"), 1);
325 sender()->Send(msg);
326 EXPECT_TRUE(listener.ExpectMessage(1, MsgClassSI::ID));
327
328 EXPECT_TRUE(WaitForClientShutdown());
329 DestroyChannel();
330 }
331 #endif
332
333 #if defined(OS_ANDROID)
334 #define MAYBE_MsgBadPayloadArgs DISABLED_MsgBadPayloadArgs
335 #else
336 #define MAYBE_MsgBadPayloadArgs MsgBadPayloadArgs
337 #endif
338 // This test uses a payload that has too many arguments, but so the payload size
339 // is big enough so the unpacking routine does not generate an error as in the
340 // case of MsgBadPayloadShort test. This test does not pinpoint a flaw (per se)
341 // as by design we don't carry type information on the IPC message.
342 TEST_F(IPCFuzzingTest, MAYBE_MsgBadPayloadArgs) {
343 Init("FuzzServerClient");
344
345 FuzzerClientListener listener;
346 CreateChannel(&listener);
347 listener.Init(channel());
348 ASSERT_TRUE(ConnectChannel());
349 ASSERT_TRUE(StartClient());
350
351 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID,
352 IPC::Message::PRIORITY_NORMAL);
353 msg->WriteString16(base::ASCIIToUTF16("d"));
354 msg->WriteInt(0);
355 msg->WriteInt(0x65); // Extra argument.
356
357 sender()->Send(msg);
358 EXPECT_TRUE(listener.ExpectMessage(0, MsgClassSI::ID));
359
360 // Now send a well formed message to make sure the receiver wasn't
361 // thrown out of sync by the extra argument.
362 msg = new MsgClassIS(3, base::ASCIIToUTF16("expect three"));
363 sender()->Send(msg);
364 EXPECT_TRUE(listener.ExpectMessage(3, MsgClassIS::ID));
365
366 EXPECT_TRUE(WaitForClientShutdown());
367 DestroyChannel();
368 }
369
370 } // namespace