search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Switch to using GregorianCalendar.
[chromium-blink-merge.git] / ipc / ipc_fuzzing_tests.cc
blobd3ff1a0103ac4602b1c5d8f65791606ec1a8ea7d
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <stdio.h>
6 #include <string>
7 #include <sstream>
8
9 #include "base/message_loop/message_loop.h"
10 #include "base/strings/string16.h"
11 #include "base/strings/utf_string_conversions.h"
12 #include "base/threading/platform_thread.h"
13 #include "ipc/ipc_test_base.h"
14 #include "testing/gtest/include/gtest/gtest.h"
15
16 // IPC messages for testing ----------------------------------------------------
17
18 #define IPC_MESSAGE_IMPL
19 #include "ipc/ipc_message_macros.h"
20
21 #define IPC_MESSAGE_START TestMsgStart
22
23 // Generic message class that is an int followed by a string16.
24 IPC_MESSAGE_CONTROL2(MsgClassIS, int, base::string16)
25
26 // Generic message class that is a string16 followed by an int.
27 IPC_MESSAGE_CONTROL2(MsgClassSI, base::string16, int)
28
29 // Message to create a mutex in the IPC server, using the received name.
30 IPC_MESSAGE_CONTROL2(MsgDoMutex, base::string16, int)
31
32 // Used to generate an ID for a message that should not exist.
33 IPC_MESSAGE_CONTROL0(MsgUnhandled)
34
35 // -----------------------------------------------------------------------------
36
37 namespace {
38
39 TEST(IPCMessageIntegrity, ReadBeyondBufferStr) {
40 // This was BUG 984408.
41 uint32 v1 = kuint32max - 1;
42 int v2 = 666;
43 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
44 EXPECT_TRUE(m.WriteInt(v1));
45 EXPECT_TRUE(m.WriteInt(v2));
46
47 base::PickleIterator iter(m);
48 std::string vs;
49 EXPECT_FALSE(iter.ReadString(&vs));
50 }
51
52 TEST(IPCMessageIntegrity, ReadBeyondBufferStr16) {
53 // This was BUG 984408.
54 uint32 v1 = kuint32max - 1;
55 int v2 = 777;
56 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
57 EXPECT_TRUE(m.WriteInt(v1));
58 EXPECT_TRUE(m.WriteInt(v2));
59
60 base::PickleIterator iter(m);
61 base::string16 vs;
62 EXPECT_FALSE(iter.ReadString16(&vs));
63 }
64
65 TEST(IPCMessageIntegrity, ReadBytesBadIterator) {
66 // This was BUG 1035467.
67 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
68 EXPECT_TRUE(m.WriteInt(1));
69 EXPECT_TRUE(m.WriteInt(2));
70
71 base::PickleIterator iter(m);
72 const char* data = NULL;
73 EXPECT_TRUE(iter.ReadBytes(&data, sizeof(int)));
74 }
75
76 TEST(IPCMessageIntegrity, ReadVectorNegativeSize) {
77 // A slight variation of BUG 984408. Note that the pickling of vector<char>
78 // has a specialized template which is not vulnerable to this bug. So here
79 // try to hit the non-specialized case vector<P>.
80 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
81 EXPECT_TRUE(m.WriteInt(-1)); // This is the count of elements.
82 EXPECT_TRUE(m.WriteInt(1));
83 EXPECT_TRUE(m.WriteInt(2));
84 EXPECT_TRUE(m.WriteInt(3));
85
86 std::vector<double> vec;
87 base::PickleIterator iter(m);
88 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
89 }
90
91 TEST(IPCMessageIntegrity, ReadVectorTooLarge1) {
92 // This was BUG 1006367. This is the large but positive length case. Again
93 // we try to hit the non-specialized case vector<P>.
94 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
95 EXPECT_TRUE(m.WriteInt(0x21000003)); // This is the count of elements.
96 EXPECT_TRUE(m.WriteInt64(1));
97 EXPECT_TRUE(m.WriteInt64(2));
98
99 std::vector<int64> vec;
100 base::PickleIterator iter(m);
101 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
102 }
103
104 TEST(IPCMessageIntegrity, ReadVectorTooLarge2) {
105 // This was BUG 1006367. This is the large but positive with an additional
106 // integer overflow when computing the actual byte size. Again we try to hit
107 // the non-specialized case vector<P>.
108 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
109 EXPECT_TRUE(m.WriteInt(0x71000000)); // This is the count of elements.
110 EXPECT_TRUE(m.WriteInt64(1));
111 EXPECT_TRUE(m.WriteInt64(2));
112
113 std::vector<int64> vec;
114 base::PickleIterator iter(m);
115 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
116 }
117
118 class SimpleListener : public IPC::Listener {
119 public:
120 SimpleListener() : other_(NULL) {
121 }
122 void Init(IPC::Sender* s) {
123 other_ = s;
124 }
125 protected:
126 IPC::Sender* other_;
127 };
128
129 enum {
130 FUZZER_ROUTING_ID = 5
131 };
132
133 // The fuzzer server class. It runs in a child process and expects
134 // only two IPC calls; after that it exits the message loop which
135 // terminates the child process.
136 class FuzzerServerListener : public SimpleListener {
137 public:
138 FuzzerServerListener() : message_count_(2), pending_messages_(0) {
139 }
140 bool OnMessageReceived(const IPC::Message& msg) override {
141 if (msg.routing_id() == MSG_ROUTING_CONTROL) {
142 ++pending_messages_;
143 IPC_BEGIN_MESSAGE_MAP(FuzzerServerListener, msg)
144 IPC_MESSAGE_HANDLER(MsgClassIS, OnMsgClassISMessage)
145 IPC_MESSAGE_HANDLER(MsgClassSI, OnMsgClassSIMessage)
146 IPC_END_MESSAGE_MAP()
147 if (pending_messages_) {
148 // Probably a problem de-serializing the message.
149 ReplyMsgNotHandled(msg.type());
150 }
151 }
152 return true;
153 }
154
155 private:
156 void OnMsgClassISMessage(int value, const base::string16& text) {
157 UseData(MsgClassIS::ID, value, text);
158 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassIS::ID, value);
159 Cleanup();
160 }
161
162 void OnMsgClassSIMessage(const base::string16& text, int value) {
163 UseData(MsgClassSI::ID, value, text);
164 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassSI::ID, value);
165 Cleanup();
166 }
167
168 bool RoundtripAckReply(int routing, uint32 type_id, int reply) {
169 IPC::Message* message = new IPC::Message(routing, type_id,
170 IPC::Message::PRIORITY_NORMAL);
171 message->WriteInt(reply + 1);
172 message->WriteInt(reply);
173 return other_->Send(message);
174 }
175
176 void Cleanup() {
177 --message_count_;
178 --pending_messages_;
179 if (0 == message_count_)
180 base::MessageLoop::current()->Quit();
181 }
182
183 void ReplyMsgNotHandled(uint32 type_id) {
184 RoundtripAckReply(FUZZER_ROUTING_ID, MsgUnhandled::ID, type_id);
185 Cleanup();
186 }
187
188 void UseData(int caller, int value, const base::string16& text) {
189 std::ostringstream os;
190 os << "IPC fuzzer:" << caller << " [" << value << " "
191 << base::UTF16ToUTF8(text) << "]\n";
192 std::string output = os.str();
193 LOG(WARNING) << output;
194 }
195
196 int message_count_;
197 int pending_messages_;
198 };
199
200 class FuzzerClientListener : public SimpleListener {
201 public:
202 FuzzerClientListener() : last_msg_(NULL) {
203 }
204
205 bool OnMessageReceived(const IPC::Message& msg) override {
206 last_msg_ = new IPC::Message(msg);
207 base::MessageLoop::current()->Quit();
208 return true;
209 }
210
211 bool ExpectMessage(int value, uint32 type_id) {
212 if (!MsgHandlerInternal(type_id))
213 return false;
214 int msg_value1 = 0;
215 int msg_value2 = 0;
216 base::PickleIterator iter(*last_msg_);
217 if (!iter.ReadInt(&msg_value1))
218 return false;
219 if (!iter.ReadInt(&msg_value2))
220 return false;
221 if ((msg_value2 + 1) != msg_value1)
222 return false;
223 if (msg_value2 != value)
224 return false;
225
226 delete last_msg_;
227 last_msg_ = NULL;
228 return true;
229 }
230
231 bool ExpectMsgNotHandled(uint32 type_id) {
232 return ExpectMessage(type_id, MsgUnhandled::ID);
233 }
234
235 private:
236 bool MsgHandlerInternal(uint32 type_id) {
237 base::MessageLoop::current()->Run();
238 if (NULL == last_msg_)
239 return false;
240 if (FUZZER_ROUTING_ID != last_msg_->routing_id())
241 return false;
242 return (type_id == last_msg_->type());
243 }
244
245 IPC::Message* last_msg_;
246 };
247
248 // Runs the fuzzing server child mode. Returns when the preset number of
249 // messages have been received.
250 MULTIPROCESS_IPC_TEST_CLIENT_MAIN(FuzzServerClient) {
251 base::MessageLoopForIO main_message_loop;
252 FuzzerServerListener listener;
253 scoped_ptr<IPC::Channel> channel(IPC::Channel::CreateClient(
254 IPCTestBase::GetChannelName("FuzzServerClient"), &listener, nullptr));
255 CHECK(channel->Connect());
256 listener.Init(channel.get());
257 base::MessageLoop::current()->Run();
258 return 0;
259 }
260
261 class IPCFuzzingTest : public IPCTestBase {
262 };
263
264 // This test makes sure that the FuzzerClientListener and FuzzerServerListener
265 // are working properly by generating two well formed IPC calls.
266 TEST_F(IPCFuzzingTest, SanityTest) {
267 Init("FuzzServerClient");
268
269 FuzzerClientListener listener;
270 CreateChannel(&listener);
271 listener.Init(channel());
272 ASSERT_TRUE(ConnectChannel());
273 ASSERT_TRUE(StartClient());
274
275 IPC::Message* msg = NULL;
276 int value = 43;
277 msg = new MsgClassIS(value, base::ASCIIToUTF16("expect 43"));
278 sender()->Send(msg);
279 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassIS::ID));
280
281 msg = new MsgClassSI(base::ASCIIToUTF16("expect 44"), ++value);
282 sender()->Send(msg);
283 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassSI::ID));
284
285 EXPECT_TRUE(WaitForClientShutdown());
286 DestroyChannel();
287 }
288
289 // This test uses a payload that is smaller than expected. This generates an
290 // error while unpacking the IPC buffer which in debug trigger an assertion and
291 // in release is ignored (!). Right after we generate another valid IPC to make
292 // sure framing is working properly.
293 #if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON)
294 TEST_F(IPCFuzzingTest, MsgBadPayloadShort) {
295 Init("FuzzServerClient");
296
297 FuzzerClientListener listener;
298 CreateChannel(&listener);
299 listener.Init(channel());
300 ASSERT_TRUE(ConnectChannel());
301 ASSERT_TRUE(StartClient());
302
303 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID,
304 IPC::Message::PRIORITY_NORMAL);
305 msg->WriteInt(666);
306 sender()->Send(msg);
307 EXPECT_TRUE(listener.ExpectMsgNotHandled(MsgClassIS::ID));
308
309 msg = new MsgClassSI(base::ASCIIToUTF16("expect one"), 1);
310 sender()->Send(msg);
311 EXPECT_TRUE(listener.ExpectMessage(1, MsgClassSI::ID));
312
313 EXPECT_TRUE(WaitForClientShutdown());
314 DestroyChannel();
315 }
316 #endif
317
318 // This test uses a payload that has too many arguments, but so the payload size
319 // is big enough so the unpacking routine does not generate an error as in the
320 // case of MsgBadPayloadShort test. This test does not pinpoint a flaw (per se)
321 // as by design we don't carry type information on the IPC message.
322 TEST_F(IPCFuzzingTest, MsgBadPayloadArgs) {
323 Init("FuzzServerClient");
324
325 FuzzerClientListener listener;
326 CreateChannel(&listener);
327 listener.Init(channel());
328 ASSERT_TRUE(ConnectChannel());
329 ASSERT_TRUE(StartClient());
330
331 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID,
332 IPC::Message::PRIORITY_NORMAL);
333 msg->WriteString16(base::ASCIIToUTF16("d"));
334 msg->WriteInt(0);
335 msg->WriteInt(0x65); // Extra argument.
336
337 sender()->Send(msg);
338 EXPECT_TRUE(listener.ExpectMessage(0, MsgClassSI::ID));
339
340 // Now send a well formed message to make sure the receiver wasn't
341 // thrown out of sync by the extra argument.
342 msg = new MsgClassIS(3, base::ASCIIToUTF16("expect three"));
343 sender()->Send(msg);
344 EXPECT_TRUE(listener.ExpectMessage(3, MsgClassIS::ID));
345
346 EXPECT_TRUE(WaitForClientShutdown());
347 DestroyChannel();
348 }
349
350 } // namespace