Broker fuzzing

Author: dgarske

.github/workflows/Disabled/cifuzz.yml

@@ -0,0 +1,79 @@
+name: Fuzz Testing
+
+on:
+  schedule:
+    - cron: '0 4 * * 1'  # Weekly Monday 4am UTC
+  workflow_dispatch:       # Manual trigger
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  fuzz:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # Full fuzz run (weekly/manual) - 10 minutes
+          - name: fuzz-full
+            fuzz_time: 600
+            smoke_only: false
+          # Quick smoke test (PR) - 60 seconds
+          - name: fuzz-smoke
+            fuzz_time: 60
+            smoke_only: true
+
+    steps:
+      - name: Checkout wolfMQTT
+        uses: actions/checkout@v4
+
+      - name: ASLR workaround
+        run: sudo sysctl vm.mmap_rnd_bits=28
+
+      - name: Build fuzz target
+        run: |
+          ./autogen.sh
+          CC=clang ./configure --enable-broker --enable-v5 --enable-fuzz \
+            --disable-tls --disable-examples \
+            CFLAGS="-fsanitize=fuzzer-no-link,address -fno-omit-frame-pointer -g -O1" \
+            LDFLAGS="-fsanitize=address"
+          make -j$(nproc)
+
+      - name: Generate seed corpus
+        run: python3 src/fuzz/gen_corpus.py
+
+      - name: Run fuzzer
+        env:
+          ASAN_OPTIONS: "detect_leaks=1:abort_on_error=1:symbolize=1"
+        run: |
+          echo "Fuzzing for ${{ matrix.fuzz_time }} seconds..."
+          timeout ${{ matrix.fuzz_time }} \
+            ./src/fuzz/broker_fuzz \
+              src/fuzz/corpus/ \
+              -dict=src/fuzz/mqtt.dict \
+              -max_len=4096 \
+              -timeout=10 \
+              -rss_limit_mb=2048 \
+              -print_final_stats=1 \
+            || FUZZ_RC=$?
+          # timeout returns 124 on normal expiry, fuzzer returns 0 on no crash
+          if [ "${FUZZ_RC:-0}" -eq 124 ] || [ "${FUZZ_RC:-0}" -eq 0 ]; then
+            echo "Fuzzer completed without crashes"
+          else
+            echo "Fuzzer found crashes (exit code $FUZZ_RC)"
+            ls -la crash-* 2>/dev/null || true
+            exit 1
+          fi
+
+      - name: Upload crash artifacts
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: fuzz-crashes-${{ matrix.name }}
+          path: |
+            crash-*
+            oom-*
+            timeout-*
+          retention-days: 30
+          if-no-files-found: ignore

.github/workflows/fuzz.yml

@@ -125,3 +125,4 @@ examples/websocket/websocket_client
 !/IDE/Espressif/**/config.h
 
 src/mqtt_broker
+src/fuzz/broker_fuzz

.gitignore

@@ -118,3 +118,4 @@ dist-hook:
 	$(MKDIR_P) $(distdir)/examples/multithread
 	$(MKDIR_P) $(distdir)/examples/pub-sub
 	$(MKDIR_P) $(distdir)/examples/websocket
+	$(MKDIR_P) $(distdir)/src/fuzz

Makefile.am

@@ -491,6 +491,14 @@ AM_CONDITIONAL([BUILD_MULTITHREAD], [test "x$ENABLED_MULTITHREAD" = "xyes"])
 AM_CONDITIONAL([BUILD_WEBSOCKET], [test "x$ENABLED_WEBSOCKET" = "xyes"])
 AM_CONDITIONAL([BUILD_BROKER], [test "x$ENABLED_BROKER" = "xyes"])
 
+# Fuzz target
+AC_ARG_ENABLE([fuzz],
+    [AS_HELP_STRING([--enable-fuzz],[Enable libFuzzer targets (default: disabled)])],
+    [ ENABLED_FUZZ=$enableval ],
+    [ ENABLED_FUZZ=no ]
+    )
+AM_CONDITIONAL([BUILD_FUZZ], [test "x$ENABLED_FUZZ" = "xyes"])
+
 
 
 # HARDEN FLAGS
@@ -619,3 +627,4 @@ echo "   * Multi-thread:              $ENABLED_MULTITHREAD"
 echo "   * Stress:                    $ENABLED_STRESS"
 echo "   * WebSocket:                 $ENABLED_WEBSOCKET"
 echo "   * Broker:                    $ENABLED_BROKER"
+echo "   * Fuzz:                      $ENABLED_FUZZ"

configure.ac

@@ -0,0 +1 @@
+corpus/