Diffstat (limited to 'src/test/fuzz/http_request.cpp')
-rw-r--r--src/test/fuzz/http_request.cpp10
1 files changed, 9 insertions, 1 deletions
diff --git a/src/test/fuzz/http_request.cpp b/src/test/fuzz/http_request.cpp
index ebf89749e9..36d44e361f 100644
--- a/src/test/fuzz/http_request.cpp
+++ b/src/test/fuzz/http_request.cpp
@@ -7,6 +7,7 @@
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
#include <test/fuzz/util.h>
+#include <util/strencodings.h>
#include <event2/buffer.h>
#include <event2/event.h>
@@ -48,7 +49,14 @@ void test_one_input(const std::vector<uint8_t>& buffer)
assert(evbuf != nullptr);
const std::vector<uint8_t> http_buffer = ConsumeRandomLengthByteVector(fuzzed_data_provider, 4096);
evbuffer_add(evbuf, http_buffer.data(), http_buffer.size());
- if (evhttp_parse_firstline_(evreq, evbuf) != 1 || evhttp_parse_headers_(evreq, evbuf) != 1) {
+ // Avoid constructing requests that will be interpreted by libevent as PROXY requests to avoid triggering
+ // a nullptr dereference. The dereference (req->evcon->http_server) takes place in evhttp_parse_request_line
+ // and is a consequence of our hacky but necessary use of the internal function evhttp_parse_firstline_ in
+ // this fuzzing harness. The workaround is not aesthetically pleasing, but it successfully avoids the troublesome
+ // code path. " http:// HTTP/1.1\n" was a crashing input prior to this workaround.
+ const std::string http_buffer_str = ToLower({http_buffer.begin(), http_buffer.end()});
+ if (http_buffer_str.find(" http://") != std::string::npos || http_buffer_str.find(" https://") != std::string::npos ||
+ evhttp_parse_firstline_(evreq, evbuf) != 1 || evhttp_parse_headers_(evreq, evbuf) != 1) {
evbuffer_free(evbuf);
evhttp_request_free(evreq);
return;
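Review bot: The new guard scans the whole lowercased 4096-byte buffer for " http://" / " https://", but per the hunk's own comment the problematic dereference is in evhttp_parse_request_line, i.e. it is only reachable through the URI on the first line; an input with an ordinary request line and a header such as `Referer: http://…` (or a body containing that text) is now discarded before evhttp_parse_headers_ runs, which shrinks the harness's coverage of header parsing for no safety gain. Restricting the search to the request line keeps the workaround and the coverage: `const std::string request_line = http_buffer_str.substr(0, http_buffer_str.find('\n'));` and then search `request_line` instead of `http_buffer_str` in the two `find` calls. If I read libevent's request-line splitting right it separates tokens on a plain space, so the leading-space prefix is adequate, but a one-line comment stating that assumption (`// libevent splits the request line on ' ', so the URI token always follows a space`) would make the narrowness of the check intentional rather than accidental. test_one_input begins before this hunk, so the evreq/evbuf setup is outside the view.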