HTTP/2 for Apache httpd


fuzz • (verb) to fly off in or become covered with fluffy particles, Merriam-Webster

I like this description. Unfortunately, it does not apply to programming. Merriam Webster also offers another one:

fuzz • (verb) to become blurred

which, very simplified, in software testing means you wiggle the input bits in all known and unknown directions to make the program misbehave. An ideal task for a computer to perform.


For some time Robert Święcki has contacted my sporadically about his fuzzing the Apache httpd server. His work can be found in his honggfuzz github repository. He was the one behind CVE-2017-7659, for example.

He is always a cheerful, positive person - although he is in direct contact with the miserable side of human programming: crashes and erratic behaviour and tears. I do not know how he does it. ;-)

As to Fuzzing itself, it is - fittingly - not easily definable with sharp borders. The Wikipedia article covers a lot of it. If asked for a description, I'd quote William Gibson from his 1984 Neuromancer:

...ICE patterns formed and reformed on the screen as he probed for gaps, skirted the most obvious traps, and mapped the route he'd take through Sense/Net's ICE.

where network penetrators find the gaps in the defense and make the system let them do unintended things, such as granting them access.


The last report batch of fuzzing mod_http2 came just a couple of days after the 2.4.26 release (bug reports always wait for a release to be published, believe me). And I cursed and cried a bit and had therapy. And after that I said to myself "No more!" and invested some time to make Robert's setup work for me - and anybody else. The result is h2fuzz which you may clone and run yourself (pre-requisites described in the README).

This allowed me to reproduce Robert's crash reports and made it easy to test a variety of fixes. What made this very satisfying is that you immediately see it working (or crashing again in new ways). Usually, nailing down race conditions and spurious crashes often left me with some residual uncertainty. But having a fuzzer run for an hour or two without finding anything that feels good!

You are invited to try this yourself. Also, there are other configurations to fuzz other products. It may be useful for something you are yourself working on!

If you try this on mod_http2, please use the 2.4.27 release (or at least the 1.10.7 release from github). I know already about crashes in earlier versions... I am however most certain that there are still bugs waiting in there to be discovered.


Stefan Eissing, greenbytes GmbH

Copyright (C) 2017 greenbytes GmbH

Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without warranty of any kind. See LICENSE for details.