curl / curl-fuzzer Goto Github PK

Quality assurance testing for the curl project

License: MIT License

Makefile 4.15% Python 17.37% C++ 38.77% C 10.89% Shell 19.24% M4 9.58%

curl-fuzzer's Introduction

Curl is a command-line tool for transferring data specified with URL syntax. Find out how to use curl by reading the curl.1 man page or the MANUAL document. Find out how to install Curl by reading the INSTALL document.

libcurl is the library curl is using to do its job. It is readily available to be used by your software. Read the libcurl.3 man page to learn how.

You can find answers to the most frequent questions we get in the FAQ document.

Study the COPYING file for distribution terms.

Contact

If you have problems, questions, ideas or suggestions, please contact us by posting to a suitable mailing list.

All contributors to the project are listed in the THANKS document.

Commercial support

For commercial support, maybe private and dedicated help with your problems or applications using (lib)curl visit the support page.

Website

Visit the curl website for the latest news and downloads.

Git

To download the latest source from the Git server, do this:

git clone https://github.com/curl/curl.git

(you will get a directory named curl created, filled with the source code)

Security problems

Report suspected security problems via our HackerOne page and not in public.

Notice

Backers

Thank you to all our backers! 🙏 Become a backer.

curl-fuzzer's People

Contributors

Stargazers

Watchers

curl-fuzzer's Issues

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

github-actions

.github/workflows/ci.yml

google/oss-fuzz master

actions/upload-artifact v4@65462800fd760344b1a7b4382951275a0abb4808

actions/download-artifact v4@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395

google/oss-fuzz master

actions/upload-artifact v4@65462800fd760344b1a7b4382951275a0abb4808

regex

scripts/VERSIONS

nghttp2/nghttp2 1.59.0

scripts/VERSIONS

openssl/openssl 3.2.0

Check this box to trigger a request for Renovate to run again on this repository

clang: error: unsupported option --with-fuzzer-lib

It's been a while since I built the fuzzer and now when I run mainline.sh it exits in the OpenSSL build pretty quickly with this error message:

making all in crypto...
make[1]: Entering directory '/home/dast/src/curl-fuzzer/openssl/crypto'
...
clang -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H --debug --with-fuzzer-lib=/usr/lib/libFuzzingEngine -DPEDANTIC -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address,fuzzer-no-link -fno-sanitize=alignment -m64 -DL_ENDIAN -O3 -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token  -Wno-extended-offsetof -Qunused-arguments -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION  -c -o cryptlib.o cryptlib.c
clang: error: unsupported option '--with-fuzzer-lib=/usr/lib/libFuzzingEngine'
make[1]: *** [<builtin>: cryptlib.o] Error 1
make[1]: Leaving directory '/home/dast/src/curl-fuzzer/openssl/crypto'
make: *** [Makefile:287: build_crypto] Error 1
+ exit 1

This is clang 16, I also tried forcing it to use 14 but it made no difference. I can't recall having seen this before nor how I overcome this in the past. Any clues?

fuzzing is performed against old openssl 1.0.2

curl should probably be built against openssl 1.1.1 for fuzzing.

"reproduce an error hit overnight by OSS-Fuzz" feels incomplete

Hi.

I wanted to once and for all get my act together and be able to repro OSS-Fuzz problems myself. I follow the guide to repro a OSS-Fuzz problem and the README.db directs me to https://github.com/google/oss-fuzz. But then I'm left stranded. What am I looking for there? I'm lost. Maybe the README can be a little more elaborate?

Questions: Structure aware fuzzing, using internal functions and more

Hi!
I have played around with the fuzzers and have several variations and new fuzzers on my private repo. I wanted to file an issue here to have a discussion if and how to upstream this. I also have some thoughts, so I figured I post everything here in case anyone want to comment.

To prove this is not just hot air, here are the issues I have found, all luckily pretty harmless:

curl/curl#4350 (undefined behaviour)
curl/curl#4352 (buffer overflow in doh)
curl/curl#4366 (doh resource leak)
curl/curl#4386 (qsort on wild cookies)
curl/curl#4389 (index underflow)
curl/curl#4406 (timeout in doh)
curl/curl#4454 (harmless use after free)

Cmake and C++

To make debugging and development easy, I use C++ (it's my primary language) and cmake because it is easy to get an IDE (I use qtcreator) to navigate the code, debug and build it. It is easy to work with, since one can easily set a breakpoint in the debugger when trying to get the fuzzer to reach a certain place in the code. I also refactored the fuzzer to use RAII style so the cleanup is easier.

Using boost asio instead of cstyle select

I use asio to asynchronously wait for network events. Since I am used to it and it is the most well known way to network in C++, it is a good choice. I think I also managed to handle timeouts in a way such that the fuzzing speed is improved, but this is a tricky topic since it involves interaction between curl, asio and waiting for the OS.
I think it is a good foundation to build on, since it is possible to for instance interface openssl through asio, which would open up for fuzzing the contents of https instead of the encrypted layer as the current fuzzers do.

Internal fuzzers

The existing fuzzers use curl as just any libcurl user. I wanted to stress test some functions directly, so I put some fuzzers which access curl from within. I do this by adding an optional section inside a curl CMakefile, which includes files from the curl-fuzzer repo. This will uglify curl, but it is by default off and placed within if (ENABLE_FUZZING) sections.

The benefit is that these fuzz targets can be very focused, and do not need to go through being invented by the TLV fuzzer and sent over the socket. Not all functions can be reached by the existing fuzzers.

I add internal fuzzers for

cookie handling
doh payload encode/decode
escape/unescape
netrc parsing

I think it may be a good idea to fuzz setting curloptions here, so one does not have to let that happen only through the existing fuzzers.

Fuzzing a single function like this, for instance the doh parser, is what libFuzzer is excellent at. It will not be limited by network timeouts or tearing up/down sockets.

These internal fuzzers cover almost everything within a few hours, so these are nice to have, but could perhaps run through a CI build instead of wasting slots at oss fuzz (unless they schedule fuzzing effort to avoid it, I do not know).

Structure aware fuzzing

The fuzz data uses TLV (type length value) which means the default mutation strategy will very likely break the content. Most of the input the fuzzer engine generates is most likely garbage, and has to be rejected while unpacking the TLV during setting curl options.

This is inefficient, but it also makes it difficult for the fuzzing engine to make meaningful input since both the type, content and alignment with other blocks have to match.

So I wrote a custom mutator, which parses the TLV while throwing away parts that don't make sense. With a list of blocks, it can now apply mutation on a single block, then serializing it again. It also implements the custom crossover, for mixing two test cases.

This works, but I have a hard time evaluating it since it takes a very long time to build up the corpus for the existing fuzzers. It sure finds new paths when starting from empty, so I figure if it can do that, it will also be good at exposing cases not yet known.

A proposal

I think it is good to discuss before sending pull requests. Here is my suggestion:

the existing fuzzers are left as is, with build system and all. they work well, and until "proven" it does not make sense to remove them
a new fuzzer build is made in parallel to the existing. It uses cmake.
the fuzzers which do what the existing ones do, but with the custom mutator, are added to the new fuzzer build
the internal fuzzers are added (but maybe not added by default to ossfuzz)

What do I want help with now

I would like to get either access to the corpus from oss fuzz or a copy of it, so I can see which parts of curl are not fuzzed and evaluate the new fuzzers I write. I think the link is this one, based on another project I work with. It needs login through one of the admins: https://console.cloud.google.com/storage/browser/curl-backup.clusterfuzz-external.appspot.com

Thanks,
Paul

Up-to-date corpus from OSS-Fuzz

Would it be possible to merge the current corpus from OSS-fuzz into this repository?

The last time this was requested was over two years ago in #34 and it would be nice
to reflect the newest versions.

Move from travis builds to something else

fuzzing protocols not supported in the build

Currently we build a set of different fuzzers for different protocols and we build a generic one for "all" protocols.

We build several specific ones for protocols that can't be fuzzed because our build does not build with necessary third party libraries:

the rtmp* ones need librtmp
scp and sftp need a SSH library
ldap(s) need OpenLDAP

Maybe we should just disable those or add additional libraries to the build?

The generic curl_fuzzer builds and specify "all" protocols:

  allowed_protocols =
    "dict,file,ftp,ftps,gopher,gophers,http,https,imap,imaps,"
    "ldap,ldaps,mqtt,pop3,pop3s,rtmp,rtmpe,rtmps,rtmpt,rtmpte,rtmpts,"
    "rtsp,scp,sftp,smb,smbs,smtp,smtps,tftp";

But this also means that it will try a lot of protocols that are not supported in the build as listed above. Should we perhaps remove those unsupported protocols from the list?

fuzz_add_mime_part() should be called

Currently fuzz_add_mime_part() is not called by anything - it really should be!

Memory leaks reported

After addign the patch in #19, I see

...
[/tmp/curl-fuzzer/corpora/curl_fuzzer/timeout-4625841444093952] Opened.. Read 8332 bytes, fuzzing.. complete !!

=================================================================
==17032==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 67 byte(s) in 2 object(s) allocated from:
    #0 0x4e4850 in __interceptor_malloc (/tmp/curl-fuzzer/curl_fuzzer+0x4e4850)
    #1 0x52b6fa in curl_domalloc /tmp/curl/lib/memdebug.c:175:9
    #2 0x52bfe8 in curl_dostrdup /tmp/curl/lib/memdebug.c:230:9
    #3 0x62460e in Curl_retry_request /tmp/curl/lib/transfer.c:1694:12
    #4 0x544c72 in multi_runsingle /tmp/curl/lib/multi.c:1930:24
    #5 0x53fb60 in curl_multi_perform /tmp/curl/lib/multi.c:2173:14
    #6 0x51d4a3 in fuzz_handle_transfer(fuzz_data*) /tmp/curl-fuzzer/curl_fuzzer.cc:382:5
    #7 0x51b6b7 in LLVMFuzzerTestOneInput /tmp/curl-fuzzer/curl_fuzzer.cc:93:3
    #8 0xaa712b in main /tmp/curl-fuzzer/standalone_fuzz_target_runner.cc:65:9
    #9 0x7fcd16138b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

SUMMARY: AddressSanitizer: 67 byte(s) leaked in 2 allocation(s).

curl_fuzzer produces unstable outputs

Hi,

I compiled curl-fuzzer using ./mainline.sh. I found that for some inputs, the output ofcurl_fuzzer would change per run.

Compiler: clang13
Platform: Ubuntu 20.04.4 LTS, x86_64
INPUT: unstable_output.tar.gz (decompress it first)
Reproduce: run FUZZ_VERBOSE=1 ./curl_fuzzer unstable_output a few times, you should be able to observe that the field FUZZ[0]: Received 284 bytes would sometimes be FUZZ[0]: Received 283 bytes.

Question: how to use this with AFL?

Hi,

Sorry for this question which may sound stupid. I have been reading the code of this project for quite a while, and I am starting to understand it.

However, I would like to implement this on my computer for fuzzing with AFL, and it is not clear how I should do it...

From what I understand, if I want to try and run an example against curl, I just need to run the generate_corpus.py script, and then run the file against ./curl_fuzzer, which will write the file into curl's socket, instead of letting it go look over the network. However, with AFL, I do not see any quick way to do all this process with the semi-randomly generated files from the AFL program.

Can you please help me with this?

Thank you!

fuzzing SOCKS5 ?

Hello :) Thanks a lot for the great blog post about the recent CVE !
https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/
Just made me wonder if the SOCKS implementation was fuzzed ?

Write some usage instructions

There aren't any usage instructions. There really should be!

Build failure on Debian unstable

Not sure what is going on, clang is 6.0.1-9 and used often for fuzzing other projects (also for OSS-Fuzz).

I naively followed the instructions (../curl was fetched from upstream a minute ago)

git clone http://github.com/curl/curl-fuzzer
cd curl-fuzzer/
./mainline.sh ../curl

....

make[2]: Verzeichnis „/tmp/nghttp2/python“ wird betreten
cython -o nghttp2.c nghttp2.pyx
/usr/bin/python setup.py build
running build
running build_ext
building 'nghttp2' extension
creating build
creating build/temp.linux-x86_64-2.7
clang -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fno-strict-aliasing -fsanitize=address -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fPIC -I../lib -I../lib/includes -I../lib/includes -I/usr/include/python2.7 -c nghttp2.c -o build/temp.linux-x86_64-2.7/nghttp2.o
creating build/lib.linux-x86_64-2.7
x86_64-linux-gnu-gcc -pthread -shared -Wl,-O1 -Wl,-Bsymbolic-functions -Wl,-z,relro -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -Wdate-time -D_FORTIFY_SOURCE=2 -g -fdebug-prefix-map=/build/python2.7-A8UpPM/python2.7-2.7.15=. -fstack-protector-strong -Wformat -Werror=format-security -Wl,-z,relro -fsanitize=address -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION build/temp.linux-x86_64-2.7/nghttp2.o -L../lib/.libs -L../lib -L.. -lnghttp2 -o build/lib.linux-x86_64-2.7/nghttp2.so
/usr/bin/ld: ../lib/.libs/libnghttp2.a(nghttp2_session.o): relocation R_X86_64_32S against symbol `__asan_option_detect_stack_use_after_return' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: ../lib/.libs/libnghttp2.a(nghttp2_submit.o): relocation R_X86_64_32S against symbol `__asan_option_detect_stack_use_after_return' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: ../lib/.libs/libnghttp2.a(nghttp2_helper.o): relocation R_X86_64_32S against symbol `__asan_option_detect_stack_use_after_return' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: ../lib/.libs/libnghttp2.a(nghttp2_hd.o): relocation R_X86_64_32S against symbol `__asan_option_detect_stack_use_after_return' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: ../lib/.libs/libnghttp2.a(nghttp2_hd_huffman.o): relocation R_X86_64_32S against symbol `__asan_option_detect_stack_use_after_return' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: ../lib/.libs/libnghttp2.a(nghttp2_http.o): relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: ../lib/.libs/libnghttp2.a(nghttp2_rcbuf.o): relocation R_X86_64_32S against symbol `__asan_option_detect_stack_use_after_return' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: ../lib/.libs/libnghttp2.a(nghttp2_frame.o): relocation R_X86_64_32S against symbol `__asan_option_detect_stack_use_after_return' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: ../lib/.libs/libnghttp2.a(nghttp2_buf.o): relocation R_X86_64_32S against symbol `__asan_option_detect_stack_use_after_return' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: ../lib/.libs/libnghttp2.a(nghttp2_outbound_item.o): relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: nonrepresentable section on output
collect2: error: ld returned 1 exit status
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
make[2]: *** [Makefile:544: all-local] Fehler 1
make[2]: Verzeichnis „/tmp/nghttp2/python“ wird verlassen
make[1]: *** [Makefile:567: all-recursive] Fehler 1
make[1]: Verzeichnis „/tmp/nghttp2“ wird verlassen
make: *** [Makefile:476: all] Fehler 2
+ exit 1
tim@ryzen:~/src/curl-fuzzer$ clang --version
clang version 6.0.1-9 (tags/RELEASE_601/final)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin

Possibly something is missing, but not to easily detectable from the above messages.
I appreciate any help / ideas :-)

Have a configure script for curl-fuzzer so bash scripts aren't needed

The bash script approach is fine, but having a proper configure script would make things easier. It may make the pipeline of "compile binaries, edit curl, recompile binaries" easier.

Incorrect / Inconsistent result produced by curl_fuzzer

Hi there,

I compiled curl-fuzzer using ./mainline.sh with gcc11 and clang13 separately. I found that for some inputs, the two compiled curl_fuzzer would emit different results.

Compiler: gcc11 and clang13
Platform: Ubuntu 20.04.4 LTS, x86_64
INPUT: diff_line_number.tar.gz (decompress it first)

Let curl_fuzzer_gcc11 denote gcc11 compiled curl_fuzzer; curl_fuzzer_clang13 denote clang13 compiled one. Reproduce as follows:

$ FUZZ_VERBOSE=yes ./curl_fuzzer_gcc11 diff_line_number > out_gcc11
$ 
$ FUZZ_VERBOSE=yes ./curl_fuzzer_clang13 diff_line_number > out_clang13
$ 
$ diff out_gcc11 out_clang13
< * STATE: CONNECTING => PROTOCONNECT handle ; line 2014 (connection #0)
---
> * STATE: CONNECTING => PROTOCONNECT handle ; line 2012 (connection #0)

Could we update the corpus with the Oss-Fuzz corpus?

Hello!

The corpora/ folder seems old, I figure that OSS-Fuzz has generated a better corpus by now.

Would it make sense to update this repo with the latest corpus?
If not, could I get a copy of the corpus by other means? ( According to https://google.github.io/oss-fuzz/advanced-topics/corpora/ I can't access the corpus of Oss-Fuzz =( )

Prevent large numbers of CURLOPT_HEADERs from being added in testcases

Because we want to test having different combinations of headers, we allow multiple CURLOPT_HEADERs. However, we start hitting timeouts in the fuzzer if we have lots of headers, presumably due to the time taken to insert these entries in the lists (e.g. we have seen issues with 23804 CURLOPT_HEADERs).

This should be limited to a reasonable number like 2000.

Coverage is much much lower without threaded resolution

Disabling threaded resolution causes coverage to drop significantly.

By disabling threaded resolution we have to call Curl_resolv_timeout, which uses an alarm() based timeout mechanism. Because our configured timeout of 200ms is less than 1000ms (alarm() uses integers for timeouts), we fail.

There are two potential fixes:

Re-enable threaded resolution: this ought to fix up the overnights for now.
Disable resolution of names because it's not really necessary: I have no idea how much work this will be, but there's no need for curl to resolve names if we're going to ignore it and open the socket function anyway. This might require a fix in the curl project.

@bagder: any thoughts on this? You previously mentioned that us resolving names may indicate a bug.

Unable to build using mainline.sh with Clang 11 / LLVM 11?

If I don't touch mainline.sh and just run it, I get to this stage:

/bin/bash ./libtool  --tag=CXX   --mode=link clang++ -g -I/tmp/curl_install/include -I/tmp/curl_install/utfuzzer  -DFUZZ_PROTOCOLS_ALL -fsanitize=address -stdlib=libstdc++ -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION   -o curl_fuzzer curl_fuzzer-curl_fuzzer.o curl_fuzzer-curl_fuzzer_tlv.o curl_fuzzer-curl_fuzzer_callback.o /tmp/curl_install/lib/libcurl.la libstandaloneengine.a  -lpthread -lm
libtool: link: clang++ -g -I/tmp/curl_install/include -I/tmp/curl_install/utfuzzer -DFUZZ_PROTOCOLS_ALL -fsanitize=address -stdlib=libstdc++ -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -o curl_fuzzer curl_fuzzer-curl_fuzzer.o curl_fuzzer-curl_fuzzer_tlv.o curl_fuzzer-curl_fuzzer_callback.o  /tmp/curl_install/lib/libcurl.a -L/tmp/curl_install/lib /tmp/curl_install/lib/libnghttp2.a -lidn2 -lssl -lcrypto -lz libstandaloneengine.a -lpthread -lm
clang: error: no such file or directory: 'libstandaloneengine.a'
make: *** [Makefile:753: curl_fuzzer] Error 1
+ exit 4
+ exit 1

If I update mainline.sh to use -fsanitize=address,fuzzer -fsanitize-coverage=trace-pc-guard, this happens:

/usr/bin/ld: openssl.o: in function `main':
/tmp/openssl/apps/openssl.c:219: multiple definition of `main'; /usr/lib/llvm-11/lib/clang/11.0.0/lib/linux/libclang_rt.fuzzer-x86_64.a(fuzzer.o):(.text.main+0x0): first defined here
/usr/bin/ld: /usr/lib/llvm-11/lib/clang/11.0.0/lib/linux/libclang_rt.fuzzer-x86_64.a(fuzzer.o): in function `main':
(.text.main+0x12): undefined reference to `LLVMFuzzerTestOneInput'
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [../Makefile.shared:164: link_app.] Error 1
make[2]: Leaving directory '/tmp/openssl/apps'
make[1]: *** [Makefile:157: openssl] Error 2
make[1]: Leaving directory '/tmp/openssl/apps'
make: *** [Makefile:293: build_apps] Error 1
+ exit 1

Changing the C/CXX flags to -fsanitize=address,fuzzer-no-link and then passing -fsanitize=address,fuzzer in the LD flags doesn't seem to help:

+ autoreconf -i
+ ./configure --prefix=/tmp/curl_install --disable-shared --enable-static --disable-threads
checking for gcc... clang
checking whether the C compiler works... no
configure: error: in `/tmp/nghttp2':
configure: error: C compiler cannot create executables
See `config.log' for more details
+ exit 1

clang -v

Debian clang version 11.0.0-++20200701115111+4c6683eafc1-1~exp1~20200701095721.865
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/7
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/7.4.0
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/8
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7.4.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/8
Selected GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/8
Candidate multilib: .;@m64
Selected multilib: .;@m64

dpkg --list | grep clang

ii  clang                            1:11.0-51+0~20200309211112.9~1.gbp214056                    amd64        C, C++ and Objective-C compiler (LLVM based)
ii  clang-11                         1:11~++20200701115111+4c6683eafc1-1~exp1~20200701095721.865 amd64        C, C++ and Objective-C compiler
ii  clang-7                          1:7.0.1-8                                                   amd64        C, C++ and Objective-C compiler
ii  clang-8                          1:8.0.1-3~bpo10+1                                           amd64        C, C++ and Objective-C compiler
ii  clang-tools-11                   1:11~++20200701115111+4c6683eafc1-1~exp1~20200701095721.865 amd64        clang-based tools for C/C++ developments
ii  libclang-11-dev                  1:11~++20200701115111+4c6683eafc1-1~exp1~20200701095721.865 amd64        Clang library - Development package
ii  libclang-8-dev                   1:8.0.1-3~bpo10+1                                           amd64        Clang library - Development package
ii  libclang-common-11-dev           1:11~++20200701115111+4c6683eafc1-1~exp1~20200701095721.865 amd64        Clang library - Common development package
ii  libclang-common-7-dev            1:7.0.1-8                                                   amd64        Clang library - Common development package
ii  libclang-common-8-dev            1:8.0.1-3~bpo10+1                                           amd64        Clang library - Common development package
ii  libclang-cpp11                   1:11~++20200701115111+4c6683eafc1-1~exp1~20200701095721.865 amd64        C++ interface to the Clang library
ii  libclang-cpp11-dev               1:11~++20200701115111+4c6683eafc1-1~exp1~20200701095721.865 amd64        C++ interface to the Clang library
ii  libclang1-11                     1:11~++20200701115111+4c6683eafc1-1~exp1~20200701095721.865 amd64        C interface to the Clang library
ii  libclang1-6.0:amd64              1:6.0.1-10                                                  amd64        C interface to the clang library
ii  libclang1-7                      1:7.0.1-8                                                   amd64        C interface to the Clang library
ii  libclang1-8                      1:8.0.1-3~bpo10+1                                           amd64        C interface to the Clang library

dpkg --list | grep llvm

ii  libllvm11:amd64                  1:11~++20200701115111+4c6683eafc1-1~exp1~20200701095721.865 amd64        Modular compiler and toolchain technologies, runtime library
ii  libllvm6.0:amd64                 1:6.0.1-10                                                  amd64        Modular compiler and toolchain technologies, runtime library
ii  libllvm7:amd64                   1:7.0.1-8                                                   amd64        Modular compiler and toolchain technologies, runtime library
ii  libllvm8:amd64                   1:8.0.1-3~bpo10+1                                           amd64        Modular compiler and toolchain technologies, runtime library
ii  llvm                             1:11.0-51+0~20200309211112.9~1.gbp214056                    amd64        Low-Level Virtual Machine (LLVM)
ii  llvm-11                          1:11~++20200701115111+4c6683eafc1-1~exp1~20200701095721.865 amd64        Modular compiler and toolchain technologies
ii  llvm-11-dev                      1:11~++20200701115111+4c6683eafc1-1~exp1~20200701095721.865 amd64        Modular compiler and toolchain technologies, libraries and headers
ii  llvm-11-runtime                  1:11~++20200701115111+4c6683eafc1-1~exp1~20200701095721.865 amd64        Modular compiler and toolchain technologies, IR interpreter
ii  llvm-11-tools                    1:11~++20200701115111+4c6683eafc1-1~exp1~20200701095721.865 amd64        Modular compiler and toolchain technologies, tools
ii  llvm-7                           1:7.0.1-8                                                   amd64        Modular compiler and toolchain technologies
ii  llvm-7-dev                       1:7.0.1-8                                                   amd64        Modular compiler and toolchain technologies, libraries and headers
ii  llvm-7-runtime                   1:7.0.1-8                                                   amd64        Modular compiler and toolchain technologies, IR interpreter
ii  llvm-8                           1:8.0.1-3~bpo10+1                                           amd64        Modular compiler and toolchain technologies
ii  llvm-8-dev                       1:8.0.1-3~bpo10+1                                           amd64        Modular compiler and toolchain technologies, libraries and headers
ii  llvm-8-doc                       1:8.0.1-3~bpo10+1                                           all          Modular compiler and toolchain technologies, documentation
ii  llvm-8-examples                  1:8.0.1-3~bpo10+1                                           all          Modular compiler and toolchain technologies, examples
ii  llvm-8-runtime                   1:8.0.1-3~bpo10+1                                           amd64        Modular compiler and toolchain technologies, IR interpreter
ii  llvm-8-tools                     1:8.0.1-3~bpo10+1                                           amd64        Modular compiler and toolchain technologies, tools
ii  llvm-dev                         1:11.0-51+0~20200309211112.9~1.gbp214056                    amd64        Low-Level Virtual Machine (LLVM), libraries and headers
ii  llvm-runtime                     1:11.0-51+0~20200309211112.9~1.gbp214056                    amd64        Low-Level Virtual Machine (LLVM), bytecode interpreter

EDIT: I removed all of the clang and llvm artifiacts that weren't from version 11. Didn't change anything.

timeout with WILDCARDMATCH and file://

https://oss-fuzz.com/v2/testcase-detail/6559150071873536 is hitting an infinite loop in the fuzzer:

emrakul@emrakul:/raid/Git/curl-fuzzer (master)$ FUZZ_VERBOSE=yes ./curl_fuzzer ../clusterfuzz-testcase-6559150071873536
* STATE: INIT => CONNECT handle 0x62a000000208; line 1423 (connection #-5000)
* Connecting to hostname: 127.0.1.127
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => DO handle 0x62a000000208; line 1468 (connection #0)
* STATE: DO => DO_DONE handle 0x62a000000208; line 1689 (connection #0)
* STATE: DO_DONE => DONE handle 0x62a000000208; line 1816 (connection #0)
* multi_done
* Closing connection 0
* The cache now contains 0 members
* STATE: INIT => CONNECT handle 0x62a000000208; line 1423 (connection #-5000)
* Connecting to hostname: 127.0.1.127
* Added connection 1. The cache now contains 1 members
* STATE: CONNECT => DO handle 0x62a000000208; line 1468 (connection #1)
* STATE: DO => DO_DONE handle 0x62a000000208; line 1689 (connection #1)
* STATE: DO_DONE => DONE handle 0x62a000000208; line 1816 (connection #1)
* multi_done
* Closing connection 1
* The cache now contains 0 members
* STATE: INIT => CONNECT handle 0x62a000000208; line 1423 (connection #-5000)
* Connecting to hostname: 127.0.1.127
* Added connection 2. The cache now contains 1 members
* STATE: CONNECT => DO handle 0x62a000000208; line 1468 (connection #2)
* STATE: DO => DO_DONE handle 0x62a000000208; line 1689 (connection #2)
* STATE: DO_DONE => DONE handle 0x62a000000208; line 1816 (connection #2)
* multi_done
* Closing connection 2
* The cache now contains 0 members
* STATE: INIT => CONNECT handle 0x62a000000208; line 1423 (connection #-5000)
* Connecting to hostname: 127.0.1.127
* Added connection 3. The cache now contains 1 members
* STATE: CONNECT => DO handle 0x62a000000208; line 1468 (connection #3)
* STATE: DO => DO_DONE handle 0x62a000000208; line 1689 (connection #3)
* STATE: DO_DONE => DONE handle 0x62a000000208; line 1816 (connection #3)
* multi_done
* Closing connection 3
...<ad infinitum>

The test case contents are:

TLVHeader(type='CURLOPT_URL' (1), length=8, data='file:/\x00\x1c')
TLVHeader(type='CURLOPT_WILDCARDMATCH' (33), length=4, data='\x00\x12\x08\x01')
TLVHeader(type='CURLOPT_NOBODY' (28), length=4, data='\xec\x00\x00@')

I suspect this is because of CURLOPT_WILDCARDMATCH (even though it claims it's only used for FTP downloads) because of this code in multi.c: https://github.com/curl/curl/blob/master/lib/multi.c#L2033

      if(data->set.wildcardmatch) {
        if(data->wildcard.state != CURLWC_DONE) {
          /* if a wildcard is set and we are not ending -> lets start again
             with CURLM_STATE_INIT */
          multistate(data, CURLM_STATE_INIT);
          break;
        }
      }

Not sure if this is a problem in curl or the fuzzer, but tracking it here.

ossfuzz.sh is under the Apache 2 license, while the rest of the code is MIT

https://github.com/curl/curl-fuzzer/blob/master/ossfuzz.sh

has headers saying Apache 2.0 and copyright by Google.
the LICENSE file only says MIT

@cmeister2 Is that intentional, or accidental? I know the name 'ossfuzz.sh' is reused in other projects, but the pattern I am seeing is that each project writes their own script (as did you for curl_fuzzer), so the attribution is to the project.

Native write-to-pcap mode?

I've just added a script which generates a one-sided pcap file from corpora responses.

Would it be useful if the fuzzers could generate a pcap file for all traffic on the sockets? FUZZ_VERBOSE gets us some of the way there but it's in text rather than pcap.

(I'm wondering if this is something that libcurl could generate on its own, but I don't think CURLOPT_DEBUGFUNCTION is entirely appropriate for this purpose. Maybe there's an option I'm missing...)

Enable automatic dependency updates for this repo

It'd probably be a good idea to keep this repo's dependencies up to date.

I don't think dependabot will work because the files are not in a supported format: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem
https://github.com/renovatebot/renovate will probably work as it supports Github Tags (amongst lots of other dependency types) but it will require onboarding and configuring.