libcommon topic matching fuzzer

Author: ralight

.gitignore

@@ -67,7 +67,6 @@ fuzzing/broker/broker_fuzz_read_handle
 fuzzing/broker/broker_fuzz_second_packet
 fuzzing/broker/broker_fuzz_second_packet_with_init
 fuzzing/broker/broker_fuzz_test_config
-
 fuzzing/corpora/broker/*
 fuzzing/corpora/broker_packet_seed_corpus.zip
 fuzzing/corpora/client/*
@@ -76,6 +75,13 @@ fuzzing/corpora/db_dump_seed_corpus.zip
 fuzzing/lib/lib_fuzz_pub_topic_check2
 fuzzing/lib/lib_fuzz_sub_topic_check2
 fuzzing/lib/lib_fuzz_utf8
+fuzzing/libcommon/libcommon_fuzz_pub_topic_check2
+fuzzing/libcommon/libcommon_fuzz_sub_topic_check2
+fuzzing/libcommon/libcommon_fuzz_topic_matching
+fuzzing/libcommon/libcommon_fuzz_topic_matching.pb.cc
+fuzzing/libcommon/libcommon_fuzz_topic_matching.pb.h
+fuzzing/libcommon/libcommon_fuzz_topic_tokenise
+fuzzing/libcommon/libcommon_fuzz_utf8
 fuzzing/plugins/dynamic-security/dynsec_fuzz_load
 
 lib/cpp/libmosquittopp.so*

fuzzing/libcommon/Makefile

@@ -6,13 +6,15 @@ include ${R}/fuzzing/config.mk
 FUZZERS:= \
 	libcommon_fuzz_pub_topic_check2 \
 	libcommon_fuzz_sub_topic_check2 \
+	libcommon_fuzz_topic_matching \
 	libcommon_fuzz_topic_tokenise \
 	libcommon_fuzz_utf8
 
-LOCAL_CPPFLAGS+=-I${R}/include/
+LOCAL_CPPFLAGS+=-I${R}/include/ -I/usr/local/include/libprotobuf-mutator
 LOCAL_CXXFLAGS+=-g -Wall -Werror -pthread
 LOCAL_LDFLAGS+=
 LOCAL_LIBADD+=$(LIB_FUZZING_ENGINE) -lssl -lcrypto ${R}/libcommon/libmosquitto_common.a -Wl,-Bstatic -largon2 -Wl,-Bdynamic
+PROTOBUF_LIBS=/usr/local/lib/libprotobuf-mutator-libfuzzer.a /usr/local/lib/libprotobuf-mutator.a
 
 all: $(FUZZERS)
 
@@ -24,6 +26,13 @@ libcommon_fuzz_sub_topic_check2 : libcommon_fuzz_sub_topic_check2.cpp
 	$(CXX) $(LOCAL_CXXFLAGS) $(LOCAL_CPPFLAGS) $(LOCAL_LDFLAGS) -o $@ $^ $(LOCAL_LIBADD)
 	install $@ ${OUT}/$@
 
+libcommon_fuzz_topic_matching : libcommon_fuzz_topic_matching.cpp libcommon_fuzz_topic_matching.pb.cc
+	$(CXX) $(LOCAL_CXXFLAGS) $(LOCAL_CPPFLAGS) $(LOCAL_LDFLAGS) -o $@ $^ $(LOCAL_LIBADD) $(PROTOBUF_LIBS)
+	install $@ ${OUT}/$@
+
+libcommon_fuzz_topic_matching.pb.cc : libcommon_fuzz_topic_matching.proto
+	protoc --cpp_out=. $^
+
 libcommon_fuzz_topic_tokenise : libcommon_fuzz_topic_tokenise.cpp
 	$(CXX) $(LOCAL_CXXFLAGS) $(LOCAL_CPPFLAGS) $(LOCAL_LDFLAGS) -o $@ $^ $(LOCAL_LIBADD)
 	install $@ ${OUT}/$@

fuzzing/libcommon/libcommon_fuzz_topic_matching.cpp

@@ -0,0 +1,28 @@
+#include "src/libfuzzer/libfuzzer_macro.h"
+
+#include "libcommon_fuzz_topic_matching.pb.h"
+#include "mosquitto.h"
+
+DEFINE_PROTO_FUZZER(const fuzz_topic_matches_sub::FuzzerInput& fuzzer_input)
+{
+	bool result;
+	const char *string1 = fuzzer_input.string1().c_str();
+	const char *string2 = fuzzer_input.string2().c_str();
+	const char *username = nullptr;
+	const char *clientid = nullptr;
+
+	if(fuzzer_input.has_username()){
+		username = fuzzer_input.username().c_str();
+	}
+	if(fuzzer_input.has_clientid()){
+		clientid = fuzzer_input.clientid().c_str();
+	}
+
+		//targeted_function_1(fuzzer_input.arg1(), fuzzer_input.arg2(), fuzzer_input.arg3());
+	mosquitto_topic_matches_sub(string1, string2, &result);
+	mosquitto_topic_matches_sub2(string1, strlen(string1), string2, strlen(string2), &result);
+	mosquitto_topic_matches_sub_with_pattern(string1, string2, clientid, username, &result);
+
+	mosquitto_sub_matches_acl(string1, string2, &result);
+	mosquitto_sub_matches_acl_with_pattern(string1, string2, clientid, username, &result);
+}

fuzzing/libcommon/libcommon_fuzz_topic_matching.proto

@@ -0,0 +1,10 @@
+syntax = "proto2";
+
+package fuzz_topic_matches_sub;
+
+message FuzzerInput {
+	required string string1 = 1;
+	required string string2 = 2;
+	optional string username = 3;
+	optional string clientid = 4;
+}

fuzzing/scripts/oss-fuzz-build.sh

@@ -21,7 +21,23 @@
 # Note that other dependencies, i.e. sqlite are not yet built because they are
 # only used by plugins and not currently otherwise used.
 cd ${SRC}/cJSON
-cmake -DBUILD_SHARED_LIBS=OFF -DENABLE_CJSON_TEST=OFF -DCMAKE_C_FLAGS=-fPIC .
+cmake \
+	-DBUILD_SHARED_LIBS=OFF \
+	-DCMAKE_C_FLAGS=-fPIC \
+	-DENABLE_CJSON_TEST=OFF \
+	.
+make
+make install
+
+cd ${SRC}/libprotobuf-mutator
+cmake \
+	-DCMAKE_C_COMPILER=clang \
+	-DCMAKE_CXX_COMPILER=clang++ \
+	-DCMAKE_BUILD_TYPE=Debug \
+	-DLIB_PROTO_MUTATOR_DOWNLOAD_PROTOBUF=ON \
+	-DLIB_PROTO_MUTATOR_EXAMPLES=OFF \
+	-DLIB_PROTO_MUTATOR_TESTING=OFF \
+	.
 make
 make install
 

fuzzing/scripts/oss-fuzz-dependencies.sh

@@ -20,5 +20,14 @@
 # Note that sqlite3 is required as a build dep of a plugin which is not
 # currently part of fuzz testing. Once it is part of fuzz testing, sqlite will
 # need to be built statically.
-apt-get update && apt-get install -y libargon2-dev libedit-dev libtool-bin make libmicrohttpd-dev libsqlite3-dev
+apt-get update && apt-get install -y \
+	libargon2-dev \
+	libedit-dev \
+	liblzma-dev \
+	libmicrohttpd-dev \
+	libsqlite3-dev \
+	libtool-bin \
+	make \
+	protobuf-compiler
+git clone https://github.com/google/libprotobuf-mutator ${SRC}/libprotobuf-mutator
 git clone https://github.com/ralight/cJSON ${SRC}/cJSON