Code and corpora for curl and libcurl fuzzing.

This is the curl fuzzing OSS-Fuzz runs for us, non-stop.

Great! Run ./mainline.sh. It will download you a fresh copy of curl, compile it with clang, install it to a temporary directory, then compile the fuzzer against curl. It'll also run the regression testcases.

If you have a local copy of curl that you want to use instead, pass the path as an argument to ./mainline.sh. It will compile and install that curl to a temporary directory instead.

./mainline.sh is run regressibly by Github Actions.

Setting the FUZZ_VERBOSE environment variable turns on curl verbose logging. This can be useful when debugging a single testcase.

The public corpus links for each target should be accessible here:

• curl_fuzzer_dict
• curl_fuzzer_file
• curl_fuzzer_ftp
• curl_fuzzer_gopher
• curl_fuzzer_http
• curl_fuzzer_https
• curl_fuzzer_imap
• curl_fuzzer_ldap
• curl_fuzzer_mqtt
• curl_fuzzer_pop3
• curl_fuzzer_rtmp
• curl_fuzzer_rtsp
• curl_fuzzer_scp
• curl_fuzzer_sftp
• curl_fuzzer_smb
• curl_fuzzer_smtp
• curl_fuzzer_tftp
• curl_fuzzer_ws
• curl_fuzzer
• fuzz_url: no public link yet.

Check out REPRODUCING.md for more detailed instructions.

To look at the contents of a testcase, run

python read_corpus.py --input <path/to/file>

This will print out a list of contents inside the file.

To generate a new testcase, run python generate_corpus.py with appropriate options.

Wonderful! Here's a bit of information you may need to know.

Testcases are written in a Type-Length-Value or TLV format. Each TLV has:

• 16 bits for the Type
• 32 bits for the Length of the TLV data
• 0 - length bytes of data.

TLV type numbers are defined in both corpus.py and curl_fuzzer.h.

To add a new TLV:

• Add support for it in the Python scripts: generate_corpus.py, corpus.py. This means adding options for reading the value of the TLV from the user (or from a file, or from test data)
• Add support for it in the fuzzer: curl_fuzzer.cc, curl_fuzzer.h. This likely means adding handling of the TLV to fuzz_parse_tlv().
• Ensure that FUZZ_CURLOPT_TRACKER_SPACE can encompass your additional TLVs!
• If you decide to change a TLV number after you have created it and have generated test cases before you changed the TLV, rerun the test case generation to ensure your current TLV numbering maps your test cases as you expect.