Coverage Report

Created: 2025-08-26 06:48

/src/mosquitto/fuzzing/broker/fuzz_packet_read_base.c
/*
Copyright (c) 2023 Cedalo GmbH
All rights reserved. This program and the accompanying materials
are made available under the terms of the Eclipse Public License 2.0
and Eclipse Distribution License v1.0 which accompany this distribution.
The Eclipse Public License is available at
   https://www.eclipse.org/legal/epl-2.0/
and the Eclipse Distribution License is available at
  http://www.eclipse.org/org/documents/edl-v10.php.
SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
Contributors:
   Roger Light - initial implementation and documentation.
*/
#ifdef __cplusplus
extern "C" {
#endif
#include "fuzz_packet_read_base.h"
#include "mosquitto_broker_internal.h"
#include "mosquitto_internal.h"
/* Smallest input the harness will process: one client-state byte, one
 * protocol byte, and at least the packet command byte that follows them. */
#define kMinInputLength 3
/* Largest input the harness will process: 2^28 - 1, the maximum value an
 * MQTT Remaining Length field can encode. Capping the input here is what
 * makes the (uint32_t) casts on the packet lengths below lossless. */
#define kMaxInputLength 268435455U
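/*
 * Shared driver for the broker packet-reading fuzz targets.
 *
 * Builds a minimal broker context around the fuzzer-supplied bytes and hands
 * it to packet_func, the packet handler under test.
 *
 * Input layout (unvalidated, so arbitrary enum values reach the handler on
 * purpose):
 *   data[0]    - client state, cast to enum mosquitto_client_state
 *   data[1]    - protocol, cast to enum mosquitto__protocol
 *   data[2]    - packet command byte
 *   data[3...] - packet body
 *
 * The packet bytes are copied into a heap buffer of exactly their length,
 * presumably so that a handler reading past the end of the packet trips a
 * sanitizer instead of silently reading the rest of the fuzzer's buffer.
 *
 * Returns 0 when the input was processed or rejected for its size, and 1
 * when a resource needed for the run could not be set up. The return value
 * of packet_func is deliberately ignored: any handler outcome is a valid
 * fuzzing result.
 */
int fuzz_packet_read_base(const uint8_t *data, size_t size, int (*packet_func)(struct mosquitto *))
{
  struct mosquitto *context = NULL;
  uint8_t *data_heap;
  struct mosquitto__listener listener;
  struct mosquitto__security_options secopts;
  struct mosquitto__bridge bridge;
  int rc = 1;

  /* Reject inputs that cannot carry the three leading bytes or that would
   * overflow the uint32_t packet length fields. */
  if(size < kMinInputLength || size > kMaxInputLength){
    return 0;
  }

  /* The casts on calloc/malloc are kept on purpose: this translation unit is
   * wrapped in extern "C" and may be built as C++, where they are required.
   * calloc is checked before use so a failed allocation does not hand a NULL
   * config to log__init. */
  db.config = (struct mosquitto__config *)calloc(1, sizeof(struct mosquitto__config));
  if(!db.config) return 1;
  log__init(db.config);

  memset(&listener, 0, sizeof(listener));
  memset(&bridge, 0, sizeof(bridge));
  memset(&secopts, 0, sizeof(secopts));

  context = context__init();
  if(!context) goto out_config;
  /* listener and bridge live on this stack frame; the context only borrows
   * them and must not be allowed to free them (see out_context below). */
  listener.security_options = &secopts;
  context->listener = &listener;
  context->bridge = &bridge;

  context->state = (enum mosquitto_client_state )data[0];
  context->protocol = (enum mosquitto__protocol )data[1];
  size -= 2; /* size now counts the packet bytes only; >= 1 by kMinInputLength */

  data_heap = (uint8_t *)malloc(size);
  if(!data_heap) goto out_context;

  memcpy(data_heap, &data[2], size);

  /* Ownership of data_heap passes to context->in_packet here; this function
   * never frees it directly (presumably context__cleanup does - confirm). */
  context->in_packet.command = data_heap[0];
  context->in_packet.payload = (uint8_t *)data_heap;
  context->in_packet.packet_length = (uint32_t )size; /* Safe cast, because we've already limited the size */
  context->in_packet.remaining_length = (uint32_t )(size-1);
  context->in_packet.pos = 1; /* the command byte has already been consumed */

  if(fuzz_packet_read_init(context)){
    goto out_context;
  }
  (void)packet_func(context);
  fuzz_packet_read_cleanup(context);
  rc = 0;

out_context:
  /* Detach the stack-allocated bridge before the context is torn down so the
   * cleanup does not try to free it; this mirrors the original success path. */
  context->bridge = NULL;
  context__cleanup(context, true);
out_config:
  free(db.config);
  return rc;
}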
#ifdef __cplusplus
}
#endif