xref: /aosp_15_r20/external/libchrome/ipc/ipc_fuzzing_tests.cc (revision 635a864187cb8b6c713ff48b7e790a6b21769273)
1*635a8641SAndroid Build Coastguard Worker // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2*635a8641SAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be
3*635a8641SAndroid Build Coastguard Worker // found in the LICENSE file.
4*635a8641SAndroid Build Coastguard Worker 
5*635a8641SAndroid Build Coastguard Worker #include <stdint.h>
6*635a8641SAndroid Build Coastguard Worker #include <stdio.h>
7*635a8641SAndroid Build Coastguard Worker 
8*635a8641SAndroid Build Coastguard Worker #include <limits>
9*635a8641SAndroid Build Coastguard Worker #include <memory>
10*635a8641SAndroid Build Coastguard Worker #include <sstream>
11*635a8641SAndroid Build Coastguard Worker #include <string>
12*635a8641SAndroid Build Coastguard Worker 
13*635a8641SAndroid Build Coastguard Worker #include "base/run_loop.h"
14*635a8641SAndroid Build Coastguard Worker #include "base/strings/string16.h"
15*635a8641SAndroid Build Coastguard Worker #include "base/strings/utf_string_conversions.h"
16*635a8641SAndroid Build Coastguard Worker #include "base/threading/platform_thread.h"
17*635a8641SAndroid Build Coastguard Worker #include "build/build_config.h"
18*635a8641SAndroid Build Coastguard Worker #include "ipc/ipc_test_base.h"
19*635a8641SAndroid Build Coastguard Worker #include "testing/gtest/include/gtest/gtest.h"
20*635a8641SAndroid Build Coastguard Worker 
21*635a8641SAndroid Build Coastguard Worker // IPC messages for testing ----------------------------------------------------
22*635a8641SAndroid Build Coastguard Worker 
23*635a8641SAndroid Build Coastguard Worker #define IPC_MESSAGE_IMPL
24*635a8641SAndroid Build Coastguard Worker #include "ipc/ipc_message_macros.h"
25*635a8641SAndroid Build Coastguard Worker 
26*635a8641SAndroid Build Coastguard Worker #define IPC_MESSAGE_START TestMsgStart
27*635a8641SAndroid Build Coastguard Worker 
// Test message whose payload is an int followed by a string16.
IPC_MESSAGE_CONTROL2(MsgClassIS, int, base::string16)

// Test message whose payload is a string16 followed by an int.
IPC_MESSAGE_CONTROL2(MsgClassSI, base::string16, int)

// Asks the IPC server to create a mutex named by the received string16.
IPC_MESSAGE_CONTROL2(MsgDoMutex, base::string16, int)

// Only supplies a type ID standing for "a message that should not exist".
IPC_MESSAGE_CONTROL0(MsgUnhandled)
39*635a8641SAndroid Build Coastguard Worker 
40*635a8641SAndroid Build Coastguard Worker // -----------------------------------------------------------------------------
41*635a8641SAndroid Build Coastguard Worker 
42*635a8641SAndroid Build Coastguard Worker namespace {
43*635a8641SAndroid Build Coastguard Worker 
TEST(IPCMessageIntegrity, ReadBeyondBufferStr) {
  // Regression test for BUG 984408. The first int of the payload is what
  // ReadString() consumes as the length prefix. It is set to UINT32_MAX - 1
  // while only one further int of payload exists, so the read must be
  // rejected rather than run past the end of the buffer.
  const uint32_t bogus_length = std::numeric_limits<uint32_t>::max() - 1;
  const int trailing_value = 666;
  IPC::Message message(0, 1, IPC::Message::PRIORITY_NORMAL);
  message.WriteInt(bogus_length);
  message.WriteInt(trailing_value);

  std::string parsed;
  base::PickleIterator reader(message);
  EXPECT_FALSE(reader.ReadString(&parsed));
}
56*635a8641SAndroid Build Coastguard Worker 
TEST(IPCMessageIntegrity, ReadBeyondBufferStr16) {
  // Regression test for BUG 984408, string16 flavour: the length prefix
  // written first claims far more data than the single int that follows it,
  // so ReadString16() has to fail.
  const uint32_t bogus_length = std::numeric_limits<uint32_t>::max() - 1;
  const int trailing_value = 777;
  IPC::Message message(0, 1, IPC::Message::PRIORITY_NORMAL);
  message.WriteInt(bogus_length);
  message.WriteInt(trailing_value);

  base::string16 parsed;
  base::PickleIterator reader(message);
  EXPECT_FALSE(reader.ReadString16(&parsed));
}
69*635a8641SAndroid Build Coastguard Worker 
TEST(IPCMessageIntegrity, ReadBytesBadIterator) {
  // Regression test for BUG 1035467: reading sizeof(int) raw bytes from a
  // message that holds two ints is a valid request and must succeed.
  IPC::Message message(0, 1, IPC::Message::PRIORITY_NORMAL);
  message.WriteInt(1);
  message.WriteInt(2);

  const char* bytes = nullptr;
  base::PickleIterator reader(message);
  EXPECT_TRUE(reader.ReadBytes(&bytes, sizeof(int)));
}
80*635a8641SAndroid Build Coastguard Worker 
TEST(IPCMessageIntegrity, ReadVectorNegativeSize) {
  // Variation of BUG 984408. vector<char> is pickled through a specialized
  // template that is not affected by that bug, so vector<double> is used here
  // to reach the generic vector<P> reader.
  IPC::Message message(0, 1, IPC::Message::PRIORITY_NORMAL);
  const int claimed_count = -1;  // Element count as seen by the reader.
  message.WriteInt(claimed_count);
  message.WriteInt(1);
  message.WriteInt(2);
  message.WriteInt(3);

  // A negative element count must make deserialization fail.
  std::vector<double> decoded;
  base::PickleIterator reader(message);
  EXPECT_FALSE(ReadParam(&message, &reader, &decoded));
}
95*635a8641SAndroid Build Coastguard Worker 
// The test below is compiled under a DISABLED_ name on Android.
#if defined(OS_ANDROID)
#define MAYBE_ReadVectorTooLarge1 DISABLED_ReadVectorTooLarge1
#else
#define MAYBE_ReadVectorTooLarge1 ReadVectorTooLarge1
#endif
TEST(IPCMessageIntegrity, MAYBE_ReadVectorTooLarge1) {
  // Regression test for BUG 1006367, the "large but positive" element count.
  // vector<int64_t> is used so the generic vector<P> reader is exercised.
  // The count claims far more elements than the two int64 values that
  // actually follow it, so the read must be refused.
  IPC::Message message(0, 1, IPC::Message::PRIORITY_NORMAL);
  const int claimed_count = 0x21000003;
  message.WriteInt(claimed_count);
  message.WriteInt64(1);
  message.WriteInt64(2);

  std::vector<int64_t> decoded;
  base::PickleIterator reader(message);
  EXPECT_FALSE(ReadParam(&message, &reader, &decoded));
}
113*635a8641SAndroid Build Coastguard Worker 
TEST(IPCMessageIntegrity, ReadVectorTooLarge2) {
  // Regression test for BUG 1006367: a large positive element count that
  // additionally overflows an integer when the total byte size is computed.
  // vector<int64_t> is used so the generic vector<P> reader is exercised.
  IPC::Message message(0, 1, IPC::Message::PRIORITY_NORMAL);
  const int claimed_count = 0x71000000;
  message.WriteInt(claimed_count);
  message.WriteInt64(1);
  message.WriteInt64(2);

  std::vector<int64_t> decoded;
  base::PickleIterator reader(message);
  EXPECT_FALSE(ReadParam(&message, &reader, &decoded));
}
127*635a8641SAndroid Build Coastguard Worker 
// Disabled because of its running time: roughly 20 seconds in Debug mode and
// roughly 4 seconds in Release mode. See http://crbug.com/741866 for details.
TEST(IPCMessageIntegrity, DISABLED_ReadVectorTooLarge3) {
  // The pickle claims 256 Mi int elements but carries only three of them, so
  // reading it back as a vector<int> has to fail.
  base::Pickle pickle;
  const int claimed_count = 256 * 1024 * 1024;
  IPC::WriteParam(&pickle, claimed_count);
  for (int element = 0; element < 3; ++element)
    IPC::WriteParam(&pickle, element);

  std::vector<int> decoded;
  base::PickleIterator reader(pickle);
  EXPECT_FALSE(IPC::ReadParam(&pickle, &reader, &decoded));
}
141*635a8641SAndroid Build Coastguard Worker 
// Base for the two fuzzer listeners: remembers the sender used to talk to the
// other end of the channel. The sender is unset until Init() is called.
class SimpleListener : public IPC::Listener {
 public:
  SimpleListener() {}

  // Stores |s| as the peer sender; the pointer is not owned by this class.
  void Init(IPC::Sender* s) { other_ = s; }

 protected:
  IPC::Sender* other_ = nullptr;
};

// Routing ID carried by every reply the fuzzer server sends back.
enum { FUZZER_ROUTING_ID = 5 };
156*635a8641SAndroid Build Coastguard Worker 
// Server side of the fuzzing tests. It runs in a child process, answers
// exactly two IPC calls and then quits the message loop, which ends the child
// process.
class FuzzerServerListener : public SimpleListener {
 public:
  FuzzerServerListener() {}

  // Dispatches control-routed messages to the typed handlers below. A message
  // that no handler consumed (unknown type, or a payload that failed to
  // deserialize) is answered with a MsgUnhandled reply. Always returns true.
  bool OnMessageReceived(const IPC::Message& msg) override {
    if (msg.routing_id() != MSG_ROUTING_CONTROL)
      return true;

    // Every handler ends in Cleanup(), which takes this count back down; if
    // it is still non-zero after dispatch, no handler ran.
    ++pending_messages_;
    IPC_BEGIN_MESSAGE_MAP(FuzzerServerListener, msg)
      IPC_MESSAGE_HANDLER(MsgClassIS, OnMsgClassISMessage)
      IPC_MESSAGE_HANDLER(MsgClassSI, OnMsgClassSIMessage)
    IPC_END_MESSAGE_MAP()
    if (pending_messages_ != 0) {
      // Probably a problem de-serializing the message.
      ReplyMsgNotHandled(msg.type());
    }
    return true;
  }

 private:
  // Handler for MsgClassIS: logs the payload and acknowledges |value|.
  void OnMsgClassISMessage(int value, const base::string16& text) {
    UseData(MsgClassIS::ID, value, text);
    RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassIS::ID, value);
    Cleanup();
  }

  // Handler for MsgClassSI: logs the payload and acknowledges |value|.
  void OnMsgClassSIMessage(const base::string16& text, int value) {
    UseData(MsgClassSI::ID, value, text);
    RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassSI::ID, value);
    Cleanup();
  }

  // Sends a reply of type |type_id| on |routing| whose payload is the pair
  // (reply + 1, reply). Returns whatever Send() on the peer returns.
  bool RoundtripAckReply(int routing, uint32_t type_id, int reply) {
    IPC::Message* ack =
        new IPC::Message(routing, type_id, IPC::Message::PRIORITY_NORMAL);
    ack->WriteInt(reply + 1);
    ack->WriteInt(reply);
    return other_->Send(ack);
  }

  // Accounts for one answered message and quits the run loop once the preset
  // number of messages has been answered.
  void Cleanup() {
    --message_count_;
    --pending_messages_;
    if (message_count_ == 0)
      base::RunLoop::QuitCurrentWhenIdleDeprecated();
  }

  // Tells the peer that the message of type |type_id| was not handled; the
  // type ID travels as the reply value.
  void ReplyMsgNotHandled(uint32_t type_id) {
    RoundtripAckReply(FUZZER_ROUTING_ID, MsgUnhandled::ID, type_id);
    Cleanup();
  }

  // Touches the deserialized arguments by writing them to the warning log.
  // |text| comes from the peer and is logged as received.
  void UseData(int caller, int value, const base::string16& text) {
    std::ostringstream line;
    line << "IPC fuzzer:" << caller << " [" << value << " "
         << base::UTF16ToUTF8(text) << "]\n";
    LOG(WARNING) << line.str();
  }

  // Messages still to be answered before the run loop is quit.
  int message_count_ = 2;
  // Messages received but not yet answered.
  int pending_messages_ = 0;
};
223*635a8641SAndroid Build Coastguard Worker 
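// Client side of the fuzzing tests: keeps a copy of the most recent reply and
// lets a test compare it with the reply it expects.
//
// The stored reply is held in a std::unique_ptr. With a raw owning pointer, a
// reply was leaked whenever ExpectMessage() returned false, whenever a new
// reply arrived before the previous one was consumed, and when the listener
// was destroyed while still holding one.
class FuzzerClientListener : public SimpleListener {
 public:
  FuzzerClientListener() {}

  // Stores a copy of |msg|, releasing any reply that was never consumed, and
  // asks the current run loop to quit so MsgHandlerInternal() can return.
  bool OnMessageReceived(const IPC::Message& msg) override {
    last_msg_.reset(new IPC::Message(msg));
    base::RunLoop::QuitCurrentWhenIdleDeprecated();
    return true;
  }

  // Waits for the next reply and returns true only if it has routing ID
  // FUZZER_ROUTING_ID, type |type_id| and the payload (value + 1, value).
  // The stored reply is released on success; on failure it stays in place
  // until the next reply replaces it or the listener is destroyed.
  bool ExpectMessage(int value, uint32_t type_id) {
    if (!MsgHandlerInternal(type_id))
      return false;
    int msg_value1 = 0;
    int msg_value2 = 0;
    base::PickleIterator iter(*last_msg_);
    if (!iter.ReadInt(&msg_value1))
      return false;
    if (!iter.ReadInt(&msg_value2))
      return false;
    // The server writes reply + 1 first and reply second.
    if ((msg_value2 + 1) != msg_value1)
      return false;
    if (msg_value2 != value)
      return false;

    last_msg_.reset();
    return true;
  }

  // Expects a MsgUnhandled reply whose value is the rejected |type_id|.
  bool ExpectMsgNotHandled(uint32_t type_id) {
    return ExpectMessage(type_id, MsgUnhandled::ID);
  }

 private:
  // Runs a message loop until a reply arrives, then checks its routing ID and
  // type. Returns false if no reply is stored once the loop has exited.
  bool MsgHandlerInternal(uint32_t type_id) {
    base::RunLoop().Run();
    if (!last_msg_)
      return false;
    if (FUZZER_ROUTING_ID != last_msg_->routing_id())
      return false;
    return (type_id == last_msg_->type());
  }

  // Copy of the most recent reply; empty when none is pending.
  std::unique_ptr<IPC::Message> last_msg_;
};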
271*635a8641SAndroid Build Coastguard Worker 
// Entry point of the child process acting as the fuzzing server. It returns
// once the listener has answered its preset number of messages and quit the
// run loop.
DEFINE_IPC_CHANNEL_MOJO_TEST_CLIENT(FuzzServerClient) {
  FuzzerServerListener server_listener;
  Connect(&server_listener);
  server_listener.Init(channel());
  base::RunLoop().Run();
  Close();
}

// Fixture name used by the channel-based tests below.
using IPCFuzzingTest = IPCChannelMojoTestBase;
283*635a8641SAndroid Build Coastguard Worker 
// Checks that FuzzerClientListener and FuzzerServerListener themselves work
// by sending two well-formed IPC calls and verifying both acknowledgements.
TEST_F(IPCFuzzingTest, SanityTest) {
  Init("FuzzServerClient");

  FuzzerClientListener client_listener;
  CreateChannel(&client_listener);
  client_listener.Init(channel());
  ASSERT_TRUE(ConnectChannel());

  int expected = 43;
  sender()->Send(new MsgClassIS(expected, base::ASCIIToUTF16("expect 43")));
  EXPECT_TRUE(client_listener.ExpectMessage(expected, MsgClassIS::ID));

  ++expected;
  sender()->Send(new MsgClassSI(base::ASCIIToUTF16("expect 44"), expected));
  EXPECT_TRUE(client_listener.ExpectMessage(expected, MsgClassSI::ID));

  EXPECT_TRUE(WaitForClientShutdown());
  DestroyChannel();
}
307*635a8641SAndroid Build Coastguard Worker 
// Sends a message whose payload is shorter than its type requires, which
// makes unpacking the IPC buffer fail on the receiving side. A valid message
// is sent right afterwards to check that framing still works.
TEST_F(IPCFuzzingTest, MsgBadPayloadShort) {
  Init("FuzzServerClient");

  FuzzerClientListener client_listener;
  CreateChannel(&client_listener);
  client_listener.Init(channel());
  ASSERT_TRUE(ConnectChannel());

  // Typed as MsgClassIS (int + string16) but carrying only the int.
  IPC::Message* truncated = new IPC::Message(
      MSG_ROUTING_CONTROL, MsgClassIS::ID, IPC::Message::PRIORITY_NORMAL);
  truncated->WriteInt(666);
  sender()->Send(truncated);
  EXPECT_TRUE(client_listener.ExpectMsgNotHandled(MsgClassIS::ID));

  sender()->Send(new MsgClassSI(base::ASCIIToUTF16("expect one"), 1));
  EXPECT_TRUE(client_listener.ExpectMessage(1, MsgClassSI::ID));

  EXPECT_TRUE(WaitForClientShutdown());
  DestroyChannel();
}
332*635a8641SAndroid Build Coastguard Worker 
// Sends a message with one argument more than its type declares. The payload
// is large enough that unpacking does not fail, unlike in MsgBadPayloadShort.
// This does not pinpoint a flaw as such: by design the IPC message carries no
// type information for its arguments.
TEST_F(IPCFuzzingTest, MsgBadPayloadArgs) {
  Init("FuzzServerClient");

  FuzzerClientListener client_listener;
  CreateChannel(&client_listener);
  client_listener.Init(channel());
  ASSERT_TRUE(ConnectChannel());

  IPC::Message* oversized = new IPC::Message(
      MSG_ROUTING_CONTROL, MsgClassSI::ID, IPC::Message::PRIORITY_NORMAL);
  oversized->WriteString16(base::ASCIIToUTF16("d"));
  oversized->WriteInt(0);
  oversized->WriteInt(0x65);  // Extra argument.
  sender()->Send(oversized);
  EXPECT_TRUE(client_listener.ExpectMessage(0, MsgClassSI::ID));

  // A well-formed message follows to confirm the extra argument did not
  // throw the receiver out of sync.
  sender()->Send(new MsgClassIS(3, base::ASCIIToUTF16("expect three")));
  EXPECT_TRUE(client_listener.ExpectMessage(3, MsgClassIS::ID));

  EXPECT_TRUE(WaitForClientShutdown());
  DestroyChannel();
}
363*635a8641SAndroid Build Coastguard Worker 
364*635a8641SAndroid Build Coastguard Worker }  // namespace
365