Add fuzz mode by feeding a client from a file

This can be called by a fuzzer like afl-fuzz.

Add fuzz mode by feeding a client from a file
This can be called by a fuzzer like afl-fuzz.
Wiebe Cazemier
1 parent 6e92c053
Showing 8 changed files with 62 additions and 3 deletions
client.cpp
client.h
fuzztests/close.dat
fuzztests/connect-publish-close.dat
fuzztests/connect.dat
fuzztests/publish.dat
mainapp.cpp
mainapp.h
@@ -7,8 +7,9 @@
  
 #include "logger.h"
  
-Client::Client(int fd, ThreadData_p threadData, SSL *ssl, bool websocket, std::shared_ptr<Settings> settings) :
+Client::Client(int fd, ThreadData_p threadData, SSL *ssl, bool websocket, std::shared_ptr<Settings> settings, bool fuzzMode) :
     fd(fd),
+    fuzzMode(fuzzMode),
     initialBufferSize(settings->clientInitialBufferSize), // The client is constructed in the main thread, so we need to use its settings copy
     maxPacketSize(settings->maxPacketSize), // Same as initialBufferSize comment.
     ioWrapper(ssl, websocket, initialBufferSize, this),
@@ -264,6 +265,11 @@ void Client::resetBuffersIfEligible()
 // Call this from a place you know the writeBufMutex is locked, or we're still only doing SSL accept.
 void Client::setReadyForWriting(bool val)
 {
+#ifndef NDEBUG
+    if (fuzzMode)
+        return;
+#endif
+
     if (disconnecting)
         return;
  
@@ -286,6 +292,11 @@ void Client::setReadyForWriting(bool val)
  
 void Client::setReadyForReading(bool val)
 {
+#ifndef NDEBUG
+    if (fuzzMode)
+        return;
+#endif
+
     if (disconnecting)
         return;
  
@@ -29,6 +29,7 @@ class Client
     friend class IoWrapper;
  
     int fd;
+    bool fuzzMode = false;
  
     ProtocolVersion protocolVersion = ProtocolVersion::None;
  
@@ -70,7 +71,7 @@ class Client
     void setReadyForReading(bool val);
  
 public:
-    Client(int fd, ThreadData_p threadData, SSL *ssl, bool websocket, std::shared_ptr<Settings> settings);
+    Client(int fd, ThreadData_p threadData, SSL *ssl, bool websocket, std::shared_ptr<Settings> settings, bool fuzzMode=false);
     Client(const Client &other) = delete;
     Client(Client &&other) = delete;
     ~Client();
@@ -185,6 +185,9 @@ void MainApp::doHelp(const char *arg)
     puts(" -h, --help                           Print help");
     puts(" -c, --config-file <flashmq.conf>     Configuration file.");
     puts(" -t, --test-config                    Test configuration file.");
+#ifndef NDEBUG
+    puts(" -z, --fuzz-file <inputdata.dat>      For fuzzing, provides the bytes that would be sent by a client.");
+#endif
     puts(" -V, --version                        Show version");
     puts(" -l, --license                        Show license");
 }
@@ -256,6 +259,11 @@ void MainApp::queueKeepAliveCheckAtAllThreads()
     }
 }
  
+void MainApp::setFuzzFile(const std::string &fuzzFilePath)
+{
+    this->fuzzFilePath = fuzzFilePath;
+}
+
 void MainApp::initMainApp(int argc, char *argv[])
 {
     if (instance != nullptr)
@@ -266,17 +274,19 @@ void MainApp::initMainApp(int argc, char *argv[])
         {"help", no_argument, nullptr, 'h'},
         {"config-file", required_argument, nullptr, 'c'},
         {"test-config", no_argument, nullptr, 't'},
+        {"fuzz-file", required_argument, nullptr, 'z'},
         {"version", no_argument, nullptr, 'V'},
         {"license", no_argument, nullptr, 'l'},
         {nullptr, 0, nullptr, 0}
     };
  
     std::string configFile;
+    std::string fuzzFile;
  
     int option_index = 0;
     int opt;
     bool testConfig = false;
-    while((opt = getopt_long(argc, argv, "hc:Vlt", long_options, &option_index)) != -1)
+    while((opt = getopt_long(argc, argv, "hc:Vltz:", long_options, &option_index)) != -1)
     {
         switch(opt)
         {
@@ -289,6 +299,9 @@ void MainApp::initMainApp(int argc, char *argv[])
         case 'V':
             MainApp::showLicense();
             exit(0);
+        case 'z':
+            fuzzFile = optarg;
+            break;
         case 'h':
             MainApp::doHelp(argv[0]);
             exit(16);
@@ -325,6 +338,7 @@ void MainApp::initMainApp(int argc, char *argv[])
     }
  
     instance = new MainApp(configFile);
+    instance->setFuzzFile(fuzzFile);
 }
  
  
@@ -365,6 +379,37 @@ void MainApp::start()
         threads.push_back(t);
     }
  
+#ifndef NDEBUG
+    // I fuzzed using afl-fuzz. You need to compile it with their compiler.
+    if (!fuzzFilePath.empty())
+    {
+        int fd = open(fuzzFilePath.c_str(), O_RDONLY);
+
+        if (fd < 0)
+            return;
+
+        try
+        {
+            std::vector<MqttPacket> packetQueueIn;
+
+            Client_p client(new Client(fd, threads[0], nullptr, false, settings, true));
+            client->readFdIntoBuffer();
+            client->bufferToMqttPackets(packetQueueIn, client);
+
+            for (MqttPacket &packet : packetQueueIn)
+            {
+                packet.handle();
+            }
+        }
+        catch (ProtocolError &ex)
+        {
+            logger->logf(LOG_ERR, "Expected MqttPacket handling error: %s", ex.what());
+        }
+
+        running = false;
+    }
+#endif
+
     uint next_thread_index = 0;
  
     struct epoll_event events[MAX_EVENTS];
@@ -39,6 +39,7 @@ class MainApp
     std::shared_ptr<Settings> settings;
     std::list<std::shared_ptr<Listener>> listeners;
     std::mutex quitMutex;
+    std::string fuzzFilePath;
  
     Logger *logger = Logger::getInstance();
  
@@ -49,6 +50,7 @@ class MainApp
     int createListenSocket(const std::shared_ptr<Listener> &listener);
     void wakeUpThread();
     void queueKeepAliveCheckAtAllThreads();
+    void setFuzzFile(const std::string &fuzzFilePath);
  
     MainApp(const std::string &configFilePath);
 public: