Add libFuzzer-based broker fuzzing infrastructure and fix security issues identified through automated review and fuzz testing.

Author: dgarske

.github/workflows/Disabled/cifuzz.yml

@@ -0,0 +1,48 @@
+name: Fuzz Testing
+
+on:
+  schedule:
+    - cron: '0 4 * * 1'  # Weekly Monday 4am UTC
+  workflow_dispatch:       # Manual trigger
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  fuzz:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # Full fuzz run (weekly/manual) - 10 minutes
+          - name: fuzz-full
+            fuzz_time: 600
+            smoke_only: false
+          # Quick smoke test (PR) - 60 seconds
+          - name: fuzz-smoke
+            fuzz_time: 60
+            smoke_only: true
+
+    steps:
+      - name: Checkout wolfMQTT
+        uses: actions/checkout@v4
+
+      - name: ASLR workaround
+        run: sudo sysctl vm.mmap_rnd_bits=28
+
+      - name: Run fuzzer
+        if: ${{ !matrix.smoke_only || github.event_name == 'pull_request' }}
+        run: ./scripts/fuzz.sh ${{ matrix.fuzz_time }}
+
+      - name: Upload crash artifacts
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: fuzz-crashes-${{ matrix.name }}
+          path: |
+            crash-*
+            oom-*
+            timeout-*
+          retention-days: 30
+          if-no-files-found: ignore

.github/workflows/fuzz.yml

@@ -125,3 +125,6 @@ examples/websocket/websocket_client
 !/IDE/Espressif/**/config.h
 
 src/mqtt_broker
+
+tests/fuzz/broker_fuzz
+tests/fuzz/corpus/

.gitignore

@@ -34,6 +34,7 @@ ACLOCAL_AMFLAGS= -I m4
 include src/include.am
 include wolfmqtt/include.am
 include examples/include.am
+include tests/include.am
 include scripts/include.am
 include IDE/include.am
 include cmake/include.am
@@ -56,6 +57,8 @@ test: check
 
 DISTCLEANFILES+= wolfmqtt-config
 
+clean-local:
+	-rm -rf tests/fuzz/corpus
 
 maintainer-clean-local:
 	-rm Makefile.in
@@ -118,3 +121,4 @@ dist-hook:
 	$(MKDIR_P) $(distdir)/examples/multithread
 	$(MKDIR_P) $(distdir)/examples/pub-sub
 	$(MKDIR_P) $(distdir)/examples/websocket
+	$(MKDIR_P) $(distdir)/tests/fuzz

Makefile.am

@@ -158,7 +158,7 @@ then
     test "$enable_v5" = "" && enable_v5=yes
     test "$enable_discb" = "" && enable_discb=yes
     test "$enable_mt" = "" && enable_mt=yes
-    test "$enable_" = "" && enable_=yes
+    test "$enable_broker" = "" && enable_broker=yes
 fi
 
 # TLS Support with wolfSSL
@@ -491,6 +491,14 @@ AM_CONDITIONAL([BUILD_MULTITHREAD], [test "x$ENABLED_MULTITHREAD" = "xyes"])
 AM_CONDITIONAL([BUILD_WEBSOCKET], [test "x$ENABLED_WEBSOCKET" = "xyes"])
 AM_CONDITIONAL([BUILD_BROKER], [test "x$ENABLED_BROKER" = "xyes"])
 
+# Fuzz target
+AC_ARG_ENABLE([fuzz],
+    [AS_HELP_STRING([--enable-fuzz],[Enable libFuzzer targets (default: disabled)])],
+    [ ENABLED_FUZZ=$enableval ],
+    [ ENABLED_FUZZ=no ]
+    )
+AM_CONDITIONAL([BUILD_FUZZ], [test "x$ENABLED_FUZZ" = "xyes"])
+
 
 
 # HARDEN FLAGS
@@ -619,3 +627,4 @@ echo "   * Multi-thread:              $ENABLED_MULTITHREAD"
 echo "   * Stress:                    $ENABLED_STRESS"
 echo "   * WebSocket:                 $ENABLED_WEBSOCKET"
 echo "   * Broker:                    $ENABLED_BROKER"
+echo "   * Fuzz:                      $ENABLED_FUZZ"

configure.ac

@@ -70,9 +70,10 @@ wait_for_file() {
     local file="$1"
     local timeout_sec="${2:-5}"
     local waited=0
-    while [ ! -f "$file" ] && [ $waited -lt $timeout_sec ]; do
+    local max_iters=$((timeout_sec * 10))
+    while [ ! -f "$file" ] && [ $waited -lt $max_iters ]; do
         sleep 0.1
-        waited=$(echo "$waited + 0.1" | bc)
+        waited=$((waited + 1))
     done
     [ -f "$file" ]
 }

scripts/broker.test

@@ -0,0 +1,60 @@
+#!/bin/bash
+# fuzz.sh - Build and run the wolfMQTT broker fuzzer
+#
+# Usage: ./scripts/fuzz.sh [seconds]
+#   seconds: fuzz duration (default: 60)
+#
+# Requires: clang with libFuzzer support
+
+set -e
+
+FUZZ_TIME=${1:-60}
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+ROOT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+cd "$ROOT_DIR"
+
+# Check for clang
+if ! command -v clang >/dev/null 2>&1; then
+    echo "Error: clang is required for fuzzing (libFuzzer)" >&2
+    exit 1
+fi
+
+# Generate configure if needed
+if [ ! -f ./configure ]; then
+    ./autogen.sh
+fi
+
+# Configure with fuzzer and address sanitizer
+CC=clang ./configure --enable-broker --enable-v5 --enable-fuzz \
+    --disable-tls --disable-examples \
+    CFLAGS="-fsanitize=fuzzer-no-link,address -fno-omit-frame-pointer -g -O1" \
+    LDFLAGS="-fsanitize=address"
+
+make -j$(nproc)
+
+# Generate seed corpus
+python3 tests/fuzz/gen_corpus.py
+
+# Run fuzzer
+echo "Fuzzing for ${FUZZ_TIME} seconds..."
+export ASAN_OPTIONS="detect_leaks=1:abort_on_error=1:symbolize=1"
+
+timeout "$FUZZ_TIME" \
+    ./tests/fuzz/broker_fuzz \
+        tests/fuzz/corpus/ \
+        -dict=tests/fuzz/mqtt.dict \
+        -max_len=4096 \
+        -timeout=10 \
+        -rss_limit_mb=2048 \
+        -print_final_stats=1 \
+    || FUZZ_RC=$?
+
+# timeout returns 124 on normal expiry, fuzzer returns 0 on no crash
+if [ "${FUZZ_RC:-0}" -eq 124 ] || [ "${FUZZ_RC:-0}" -eq 0 ]; then
+    echo "Fuzzer completed without crashes"
+else
+    echo "Fuzzer found crashes (exit code $FUZZ_RC)"
+    ls -la crash-* 2>/dev/null || true
+    exit 1
+fi

scripts/fuzz.sh

@@ -27,3 +27,5 @@ endif # BUILD_EXAMPLES
 if BUILD_BROKER
 dist_noinst_SCRIPTS += scripts/broker.test
 endif # BUILD_BROKER
+
+EXTRA_DIST += scripts/fuzz.sh

scripts/include.am

@@ -32,3 +32,4 @@ if BUILD_WEBSOCKET
 src_mqtt_broker_LDADD += -lwebsockets
 endif
 endif
+