Fuzzing: Direct packet parsing fuzzing

3 years ago · 2b3a64ef69
parent 245b2807ad
commit 2b3a64ef69
3 changed files with 86 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -46,7 +46,11 @@ examples/publish/basic-1
 examples/publish/basic-websockets-1

 fuzzing/broker/broker_fuzz_initial_packet
+fuzzing/broker/broker_fuzz_initial_packet_with_init
+fuzzing/broker/broker_fuzz_read_handle
 fuzzing/broker/broker_fuzz_second_packet
+fuzzing/broker/broker_fuzz_second_packet_with_init
+fuzzing/broker/broker_fuzz_test_config
 fuzzing/corpora/broker/*
 fuzzing/corpora/broker_packet_seed_corpus.zip
 fuzzing/corpora/client/*
@ -104,3 +108,5 @@ test/unit/out/

 www/cache/
 __pycache__
+
+*.sync-conflict-*
--- a/fuzzing/broker/Makefile
+++ b/fuzzing/broker/Makefile
@ -6,9 +6,13 @@ FUZZERS:= \
 	broker_fuzz_second_packet \
 	broker_fuzz_initial_packet_with_init \
 	broker_fuzz_second_packet_with_init \
+	broker_fuzz_read_handle \
 	broker_fuzz_test_config

-LOCAL_CPPFLAGS:=$(CPPFLAGS) -I${R}/include/
+LOCAL_CPPFLAGS:=$(CPPFLAGS) -I${R}/include/ -I${R}/src -I${R}/lib -I${R} -I${R}/common \
+	-DWITH_BRIDGE -DWITH_BROKER -DWITH_CJSON -DWITH_CONTROL -DWITH_EC -DWITH_EPOLL \
+	-DWITH_MEMORY_TRACKING -DWITH_PERSISTENCE -DWITH_SOCKS -DWITH_SYSTEMD \
+	-DWITH_SYS_TREE -DWITH_TLS -DWITH_TLS_PSK -DWITH_UNIX_SOCKETS -DWITH_WEBSOCKETS=WS_IS_BUILTIN
 LOCAL_CXXFLAGS:=$(CXXFLAGS) -g -Wall -Werror -pthread
 LOCAL_LDFLAGS:=$(LDFLAGS)
 LOCAL_LIBADD:=$(LIBADD) $(LIB_FUZZING_ENGINE) ${R}/src/mosquitto_broker.a -lssl -lcrypto -lcjson
@ -35,6 +39,11 @@ broker_fuzz_second_packet_with_init : broker_fuzz_second_packet.cpp broker_fuzz_
 	install $@ ${OUT}/$@
 	cp ${R}/fuzzing/corpora/broker_packet_seed_corpus.zip ${OUT}/$@_seed_corpus.zip

+broker_fuzz_read_handle : broker_fuzz_read_handle.cpp
+	$(CXX) $(LOCAL_CXXFLAGS) $(LOCAL_CPPFLAGS) $(LOCAL_LDFLAGS) -o $@ $^ $(LOCAL_LIBADD)
+	install $@ ${OUT}/$@
+	cp ${R}/fuzzing/corpora/broker_packet_seed_corpus.zip ${OUT}/$@_seed_corpus.zip
+
 broker_fuzz_test_config : broker_fuzz_test_config.cpp
 	$(CXX) $(LOCAL_CXXFLAGS) $(LOCAL_CPPFLAGS) $(LOCAL_LDFLAGS) -o $@ $^ $(LOCAL_LIBADD)
 	install $@ ${OUT}/$@
--- a/fuzzing/broker/broker_fuzz_read_handle.cpp
+++ b/fuzzing/broker/broker_fuzz_read_handle.cpp
@ -0,0 +1,70 @@
+/*
+Copyright (c) 2023 Cedalo GmbH
+
+All rights reserved. This program and the accompanying materials
+are made available under the terms of the Eclipse Public License 2.0
+and Eclipse Distribution License v1.0 which accompany this distribution.
+
+The Eclipse Public License is available at
+   https://www.eclipse.org/legal/epl-2.0/
+and the Eclipse Distribution License is available at
+  http://www.eclipse.org/org/documents/edl-v10.php.
+
+SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+
+Contributors:
+   Roger Light - initial implementation and documentation.
+*/
+
+#include <cstdio>
+#include <cstdint>
+#include <cstdlib>
+#include <cstring>
+#include <unistd.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "mosquitto_broker_internal.h"
+#include "mosquitto_internal.h"
+
+#ifdef __cplusplus
+}
+#endif
+
+#define kMinInputLength 1
+#define kMaxInputLength 268435455U
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+	struct mosquitto *context = NULL;
+	uint8_t *data_heap;
+
+	//if(size < kMinInputLength || size > kMaxInputLength){
+		//return 0;
+	//}
+
+	db.config = (struct mosquitto__config *)calloc(1, sizeof(struct mosquitto__config));
+	log__init(db.config);
+
+	data_heap = (uint8_t *)malloc(size);
+	memcpy(data_heap, data, size);
+
+
+	context = context__init();
+	context->state = mosq_cs_active;
+	context->in_packet.command = data_heap[0];
+	context->in_packet.payload = (uint8_t *)data_heap;
+	context->in_packet.packet_length = size;
+	context->in_packet.remaining_length = size-1;
+	context->in_packet.pos = 1;
+
+	handle__packet(context);
+
+	context__cleanup(context, true);
+
+	free(db.config);
+
+	return 0;
+}