curl-fuzzer

Code and corpora for curl and libcurl fuzzing.

This is the curl fuzzing OSS-Fuzz runs for us, non-stop.

I just want to get fuzzing!

Great! Run ./mainline.sh. It will download a fresh copy of curl, compile it with clang, install it to a temporary directory, then compile the fuzzer against that curl. It will also run the regression testcases.

If you have a local copy of curl that you want to use instead, pass the path as an argument to ./mainline.sh. It will compile and install that curl to a temporary directory instead.

./mainline.sh is run as a regression check by GitHub Actions.

I want more information when running a testcase or multiple testcases

Setting the FUZZ_VERBOSE environment variable turns on curl verbose logging. This can be useful when debugging a single testcase.

I want to download public corpus test files from OSS-Fuzz

The public corpus links for each target should be accessible here:

I want to reproduce an error hit overnight by OSS-Fuzz

Check out REPRODUCING.md for more detailed instructions.

What's in this testcase?

To look at the contents of a testcase, run

python read_corpus.py --input <path/to/file>

This will print out a list of contents inside the file.

I want to generate a new testcase

To generate a new testcase, run python generate_corpus.py with appropriate options.

I want to enhance the fuzzer!

Wonderful! Here's a bit of information you may need to know.

File format

Testcases are written in a Type-Length-Value or TLV format. Each TLV has:

TLV type numbers are defined in both corpus.py and curl_fuzzer.h.
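As an added illustration (not the project's own corpus.py, read_corpus.py or curl_fuzzer.h), here is a minimal Python encoder and bounds-checked decoder for a TLV testcase. The 2-byte type and 4-byte big-endian length header and the two type numbers used are assumptions for this example; the real type numbers are the ones defined in corpus.py and curl_fuzzer.h.

```python
import struct

# Hypothetical type numbers for illustration only; the real values live in
# corpus.py and curl_fuzzer.h and are not reproduced here.
TLV_TYPE_URL = 1
TLV_TYPE_RESPONSE = 2

# Assumed wire layout: 2-byte type, 4-byte length, both big-endian, then value.
HEADER = struct.Struct(">HI")


def encode_tlv(tlv_type, value):
    """Serialise one TLV record, refusing values that cannot be represented."""
    if not 0 <= tlv_type <= 0xFFFF:
        raise ValueError("type does not fit in 16 bits")
    if len(value) > 0xFFFFFFFF:
        raise ValueError("value too long for a 32-bit length")
    return HEADER.pack(tlv_type, len(value)) + value


def decode_tlvs(data):
    """Parse a whole testcase into a list of (type, value) tuples.

    Raises ValueError on a truncated header or on a length that runs past
    the end of the buffer, instead of silently reading past the input.
    """
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError(f"truncated TLV header at offset {offset}")
        tlv_type, length = HEADER.unpack_from(data, offset)
        offset += HEADER.size
        if length > len(data) - offset:
            raise ValueError(
                f"TLV type {tlv_type} claims {length} bytes at offset {offset}"
                f" but only {len(data) - offset} remain")
        records.append((tlv_type, data[offset:offset + length]))
        offset += length
    return records


# Constructed sample testcase: a URL record followed by a canned server response.
SAMPLE = (encode_tlv(TLV_TYPE_URL, b"http://127.0.0.1/")
          + encode_tlv(TLV_TYPE_RESPONSE, b"HTTP/1.1 200 OK\r\n\r\n"))

if __name__ == "__main__":
    for tlv_type, value in decode_tlvs(SAMPLE):
        print(tlv_type, len(value), value)
```

Feeding the decoder a testcase with its last byte cut off shows the kind of length-versus-remaining check a fuzz harness reading this format has to make before touching the value bytes.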

Adding a new TLV

To add a new TLV: