/src/mosquitto/fuzzing/broker/fuzz_packet_read_base.c

Source
/*
Copyright (c) 2023 Cedalo GmbH

All rights reserved. This program and the accompanying materials
are made available under the terms of the Eclipse Public License 2.0
and Eclipse Distribution License v1.0 which accompany this distribution.

The Eclipse Public License is available at
   https://www.eclipse.org/legal/epl-2.0/
and the Eclipse Distribution License is available at
  http://www.eclipse.org/org/documents/edl-v10.php.

SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause

Contributors:
   Roger Light - initial implementation and documentation.
*/

#ifdef __cplusplus
extern "C" {
#endif

#include "fuzz_packet_read_base.h"
#include "mosquitto_broker_internal.h"
#include "mosquitto_internal.h"

#define kMinInputLength 3
#define kMaxInputLength 268435455U


int fuzz_packet_read_base(const uint8_t *data, size_t size, int (*packet_func)(struct mosquitto *))
{
  struct mosquitto *context = NULL;
  uint8_t *data_heap;
  struct mosquitto__listener listener;
  struct mosquitto__security_options secopts;

  if(size < kMinInputLength || size > kMaxInputLength){
    return 0;
  }

  db.config = (struct mosquitto__config *)calloc(1, sizeof(struct mosquitto__config));
  log__init(db.config);

  memset(&listener, 0, sizeof(listener));
  memset(&secopts, 0, sizeof(secopts));

  context = context__init();
  if(!context){
    return 1;
  }
  listener.security_options = &secopts;
  context->listener = &listener;
  context->bridge = (struct mosquitto__bridge *)calloc(1, sizeof(struct mosquitto__bridge));;

  context->state = (enum mosquitto_client_state )data[0];
  context->protocol = (enum mosquitto__protocol )data[1];
  size -= 2;

  data_heap = (uint8_t *)malloc(size);
  if(!data_heap){
    free(context->bridge);
    context->bridge = NULL;
    free(db.config);
    db.config = NULL;
    return 1;
  }

  memcpy(data_heap, &data[2], size);

  context->in_packet.command = data_heap[0];
  context->in_packet.payload = (uint8_t *)data_heap;
  context->in_packet.packet_length = (uint32_t )size; /* Safe cast, because we've already limited the size */
  context->in_packet.remaining_length = (uint32_t )(size-1);
  context->in_packet.pos = 1;

  if(fuzz_packet_read_init(context)){
    free(context->bridge);
    context->bridge = NULL;
    free(db.config);
    return 1;
  }
  packet_func(context);
  fuzz_packet_read_cleanup(context);

  free(context->bridge);
  context->bridge = NULL;

  context__cleanup(context, true);

  free(db.config);

  return 0;
}
#ifdef __cplusplus
}
#endif

Line	Count	Source
1		/*
2		Copyright (c) 2023 Cedalo GmbH
3
4		All rights reserved. This program and the accompanying materials
5		are made available under the terms of the Eclipse Public License 2.0
6		and Eclipse Distribution License v1.0 which accompany this distribution.
7
8		The Eclipse Public License is available at
9		https://www.eclipse.org/legal/epl-2.0/
10		and the Eclipse Distribution License is available at
11		http://www.eclipse.org/org/documents/edl-v10.php.
12
13		SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
14
15		Contributors:
16		Roger Light - initial implementation and documentation.
17		*/
18
19		#ifdef __cplusplus
20		extern "C" {
21		#endif
22
23		#include "fuzz_packet_read_base.h"
24		#include "mosquitto_broker_internal.h"
25		#include "mosquitto_internal.h"
26
27	15.6k	#define kMinInputLength 3
28	7.80k	#define kMaxInputLength 268435455U
29
30
31		int fuzz_packet_read_base(const uint8_t data, size_t size, int (packet_func)(struct mosquitto *))
32	7.81k	{
33	7.81k	struct mosquitto *context = NULL;
34	7.81k	uint8_t *data_heap;
35	7.81k	struct mosquitto__listener listener;
36	7.81k	struct mosquitto__security_options secopts;
37
38	7.81k	if(size < kMinInputLength \|\| size > kMaxInputLength){
39	10	return 0;
40	10	}
41
42	7.80k	db.config = (struct mosquitto__config *)calloc(1, sizeof(struct mosquitto__config));
43	7.80k	log__init(db.config);
44
45	7.80k	memset(&listener, 0, sizeof(listener));
46	7.80k	memset(&secopts, 0, sizeof(secopts));
47
48	7.80k	context = context__init();
49	7.80k	if(!context){
50	0	return 1;
51	0	}
52	7.80k	listener.security_options = &secopts;
53	7.80k	context->listener = &listener;
54	7.80k	context->bridge = (struct mosquitto__bridge *)calloc(1, sizeof(struct mosquitto__bridge));;
55
56	7.80k	context->state = (enum mosquitto_client_state )data[0];
57	7.80k	context->protocol = (enum mosquitto__protocol )data[1];
58	7.80k	size -= 2;
59
60	7.80k	data_heap = (uint8_t *)malloc(size);
61	7.80k	if(!data_heap){
62	0	free(context->bridge);
63	0	context->bridge = NULL;
64	0	free(db.config);
65	0	db.config = NULL;
66	0	return 1;
67	0	}
68
69	7.80k	memcpy(data_heap, &data[2], size);
70
71	7.80k	context->in_packet.command = data_heap[0];
72	7.80k	context->in_packet.payload = (uint8_t *)data_heap;
73	7.80k	context->in_packet.packet_length = (uint32_t )size; /* Safe cast, because we've already limited the size */
74	7.80k	context->in_packet.remaining_length = (uint32_t )(size-1);
75	7.80k	context->in_packet.pos = 1;
76
77	7.80k	if(fuzz_packet_read_init(context)){
78	0	free(context->bridge);
79	0	context->bridge = NULL;
80	0	free(db.config);
81	0	return 1;
82	0	}
83	7.80k	packet_func(context);
84	7.80k	fuzz_packet_read_cleanup(context);
85
86	7.80k	free(context->bridge);
87	7.80k	context->bridge = NULL;
88
89	7.80k	context__cleanup(context, true);
90
91	7.80k	free(db.config);
92
93	7.80k	return 0;
94	7.80k	}
95		#ifdef __cplusplus
96		}
97		#endif

Coverage Report

Created: 2025-11-28 06:23