diff --git a/.gitignore b/.gitignore index 1569c73e..9917aeca 100644 --- a/.gitignore +++ b/.gitignore @@ -46,7 +46,11 @@ examples/publish/basic-1 examples/publish/basic-websockets-1 fuzzing/broker/broker_fuzz_initial_packet +fuzzing/broker/broker_fuzz_initial_packet_with_init +fuzzing/broker/broker_fuzz_read_handle fuzzing/broker/broker_fuzz_second_packet +fuzzing/broker/broker_fuzz_second_packet_with_init +fuzzing/broker/broker_fuzz_test_config fuzzing/corpora/broker/* fuzzing/corpora/broker_packet_seed_corpus.zip fuzzing/corpora/client/* @@ -104,3 +108,5 @@ test/unit/out/ www/cache/ __pycache__ + +*.sync-conflict-* diff --git a/fuzzing/broker/Makefile b/fuzzing/broker/Makefile index 3db66473..1ca90433 100644 --- a/fuzzing/broker/Makefile +++ b/fuzzing/broker/Makefile @@ -6,9 +6,13 @@ FUZZERS:= \ broker_fuzz_second_packet \ broker_fuzz_initial_packet_with_init \ broker_fuzz_second_packet_with_init \ + broker_fuzz_read_handle \ broker_fuzz_test_config -LOCAL_CPPFLAGS:=$(CPPFLAGS) -I${R}/include/ +LOCAL_CPPFLAGS:=$(CPPFLAGS) -I${R}/include/ -I${R}/src -I${R}/lib -I${R} -I${R}/common \ + -DWITH_BRIDGE -DWITH_BROKER -DWITH_CJSON -DWITH_CONTROL -DWITH_EC -DWITH_EPOLL \ + -DWITH_MEMORY_TRACKING -DWITH_PERSISTENCE -DWITH_SOCKS -DWITH_SYSTEMD \ + -DWITH_SYS_TREE -DWITH_TLS -DWITH_TLS_PSK -DWITH_UNIX_SOCKETS -DWITH_WEBSOCKETS=WS_IS_BUILTIN LOCAL_CXXFLAGS:=$(CXXFLAGS) -g -Wall -Werror -pthread LOCAL_LDFLAGS:=$(LDFLAGS) LOCAL_LIBADD:=$(LIBADD) $(LIB_FUZZING_ENGINE) ${R}/src/mosquitto_broker.a -lssl -lcrypto -lcjson 
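Review bot: The `-DWITH_*` list added to LOCAL_CPPFLAGS in the first Makefile hunk is a hand-maintained copy of the broker's build configuration, and nothing ties it to the flags `${R}/src/mosquitto_broker.a` was actually compiled with. If any of these macros guards members of `struct mosquitto` or `struct mosquitto__config` (the new harness on this page includes mosquitto_internal.h directly), a drift between the two lists changes struct layout on the harness side and shows up as misleading fuzzer crashes rather than a build error. Consider deriving the list from the main build's configuration, or at least adding a comment such as `# Must match the WITH_* options used to build ${R}/src/mosquitto_broker.a` above the assignment so the coupling is explicit. Note that the defines now apply to every fuzzer in FUZZERS, not only broker_fuzz_read_handle.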
@@ -35,6 +39,11 @@ broker_fuzz_second_packet_with_init : broker_fuzz_second_packet.cpp broker_fuzz_
 	install $@ ${OUT}/$@
 	cp ${R}/fuzzing/corpora/broker_packet_seed_corpus.zip ${OUT}/$@_seed_corpus.zip
 
+broker_fuzz_read_handle : broker_fuzz_read_handle.cpp
+	$(CXX) $(LOCAL_CXXFLAGS) $(LOCAL_CPPFLAGS) $(LOCAL_LDFLAGS) -o $@ $^ $(LOCAL_LIBADD)
+	install $@ ${OUT}/$@
+	cp ${R}/fuzzing/corpora/broker_packet_seed_corpus.zip ${OUT}/$@_seed_corpus.zip
+
 broker_fuzz_test_config : broker_fuzz_test_config.cpp
 	$(CXX) $(LOCAL_CXXFLAGS) $(LOCAL_CPPFLAGS) $(LOCAL_LDFLAGS) -o $@ $^ $(LOCAL_LIBADD)
 	install $@ ${OUT}/$@
diff --git a/fuzzing/broker/broker_fuzz_read_handle.cpp b/fuzzing/broker/broker_fuzz_read_handle.cpp
new file mode 100644
index 00000000..f5514745
--- /dev/null
+++ b/fuzzing/broker/broker_fuzz_read_handle.cpp
@@ -0,0 +1,70 @@
+/*
+Copyright (c) 2023 Cedalo GmbH
+
+All rights reserved. This program and the accompanying materials
+are made available under the terms of the Eclipse Public License 2.0
+and Eclipse Distribution License v1.0 which accompany this distribution.
+
+The Eclipse Public License is available at
+ https://www.eclipse.org/legal/epl-2.0/
+and the Eclipse Distribution License is available at
+ http://www.eclipse.org/org/documents/edl-v10.php.
+
+SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+
+Contributors:
+ Roger Light - initial implementation and documentation.
+*/
+
+#include
+#include
+#include
+#include
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "mosquitto_broker_internal.h"
+#include "mosquitto_internal.h"
+
+#ifdef __cplusplus
+}
+#endif
+
+#define kMinInputLength 1
+#define kMaxInputLength 268435455U
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+	struct mosquitto *context = NULL;
+	uint8_t *data_heap;
+
+	//if(size < kMinInputLength || size > kMaxInputLength){
+	//return 0;
+	//}
+
+	db.config = (struct mosquitto__config *)calloc(1, sizeof(struct mosquitto__config));
+	log__init(db.config);
+
+	data_heap = (uint8_t *)malloc(size);
+	memcpy(data_heap, data, size);
+
+
+	context = context__init();
+	context->state = mosq_cs_active;
+	context->in_packet.command = data_heap[0];
+	context->in_packet.payload = (uint8_t *)data_heap;
+	context->in_packet.packet_length = size;
+	context->in_packet.remaining_length = size-1;
+	context->in_packet.pos = 1;
+
+	handle__packet(context);
+
+	context__cleanup(context, true);
+
+	free(db.config);
+
+	return 0;
+}
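Review bot: The input-size guard in LLVMFuzzerTestOneInput is commented out (the three `//if(size < kMinInputLength ...` lines), so a zero-length input — which the fuzzing engine does generate — reads `data_heap[0]` from a zero-byte allocation and sets `remaining_length = size-1`, which wraps to SIZE_MAX, before handle__packet ever sees the packet; this makes the harness itself the crash site rather than the code under test. Restore the check ahead of the calloc as `if(size < kMinInputLength || size > kMaxInputLength){ return 0; }`, which also gives the two otherwise-unused kMin/kMax defines a purpose. The `calloc` and `malloc` results are used unchecked, and `memcpy(data_heap, data, size)` on a NULL return is undefined, so either test them or go through an aborting wrapper. data_heap is obtained with plain `malloc` but handed to the context as `in_packet.payload` and presumably released by context__cleanup through the broker's own allocator; with `-DWITH_MEMORY_TRACKING` set in the Makefile that likely skews the broker's memory counters, so allocating it with mosquitto__malloc would keep both sides consistent — worth confirming against packet__cleanup.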