feat(mdns): Add fuzzing job with AFL++

Author: david-cermak

.github/workflows/mdns__host-tests.yml

@@ -68,3 +68,44 @@ jobs:
             diff -q $file /tmp/$file || exit 1
             echo "OK"
           done
+
+
+  fuzz_test:
+    if: contains(github.event.pull_request.labels.*.name, 'mdns-fuzz') || github.event_name == 'push'
+    name: Fuzzer tests for mdns lib
+    strategy:
+      matrix:
+        idf_ver: ["latest"]
+
+    runs-on: ubuntu-22.04
+    container: aflplusplus/aflplusplus
+    steps:
+      - name: Checkout esp-protocols
+        uses: actions/checkout@v4
+
+      - name: Checkout ESP-IDF
+        uses: actions/checkout@v4
+        with:
+          repository: espressif/esp-idf
+          path: idf
+          submodules: recursive
+
+      - name: Install Necessary Libs
+        run: |
+          apt-get update -y
+          apt-get install -y libbsd-dev
+
+      - name: Run AFL++
+        shell: bash
+        run: |
+          export IDF_PATH=$GITHUB_WORKSPACE/idf
+          cd components/mdns/tests/test_afl_fuzz_host/
+          make fuzz
+
+      - name: Upload Crash Artifacts
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: fuzz-crashes
+          path: components/mdns/tests/test_afl_fuzz_host/out/default/crashes.tar.gz
+          if-no-files-found: ignore

components/mdns/mdns_receive.c

@@ -284,11 +284,11 @@ static void _mdns_result_txt_create(const uint8_t *data, size_t len, mdns_txt_it
         }
 
         int name_len = _mdns_txt_item_name_get_len(data + i, partLen);
-        if (name_len < 0) {//invalid item (no name)
+        if (name_len < 0 || txt_num >= num_items) {  //invalid item (no name or more items than expected)
             i += partLen;
             continue;
         }
-        char *key = (char *)mdns_mem_malloc(name_len + 1);
+        char *key = (char *) mdns_mem_malloc(name_len + 1);
         if (!key) {
             HOOK_MALLOC_FAILED;
             goto handle_error;//error
@@ -305,7 +305,7 @@ static void _mdns_result_txt_create(const uint8_t *data, size_t len, mdns_txt_it
 
         int new_value_len = partLen - name_len - 1;
         if (new_value_len > 0) {
-            char *value = (char *)mdns_mem_malloc(new_value_len + 1);
+            char *value = (char *) mdns_mem_malloc(new_value_len + 1);
             if (!value) {
                 HOOK_MALLOC_FAILED;
                 goto handle_error;//error
@@ -315,6 +315,8 @@ static void _mdns_result_txt_create(const uint8_t *data, size_t len, mdns_txt_it
             *value_len = new_value_len;
             i += new_value_len;
             t->value = value;
+        } else {
+            t->value = NULL;
         }
     }
 

components/mdns/mdns_utils.c

@@ -202,12 +202,12 @@ bool _mdns_service_match_instance(const mdns_service_t *srv, const char *instanc
 const char *_mdns_get_default_instance_name(void)
 {
     const char* instance = mdns_utils_get_instance();
-    if (mdns_utils_str_null_or_empty(instance)) {
+    if (!mdns_utils_str_null_or_empty(instance)) {
         return instance;
     }
 
     const char* host = mdns_utils_get_global_hostname();
-    if (mdns_utils_str_null_or_empty(host)) {
+    if (!mdns_utils_str_null_or_empty(host)) {
         return host;
     }
     return NULL;

components/mdns/tests/test_afl_fuzz_host/Makefile

@@ -1,7 +1,8 @@
 TEST_NAME=test
 FUZZ=afl-fuzz
 COMPONENTS_DIR=$(IDF_PATH)/components
-COMPILER_ICLUDE_DIR=$(shell echo `which xtensa-esp32-elf-gcc | xargs dirname | xargs dirname`/xtensa-esp32-elf)
+# Use ESP32 toolchain include path if available, otherwise fall back to system includes for host-based compilation
+COMPILER_INCLUDE_DIR=$(shell if command -v xtensa-esp32-elf-gcc >/dev/null 2>&1; then echo `which xtensa-esp32-elf-gcc | xargs dirname | xargs dirname`/xtensa-esp32-elf; else echo /usr; fi)
 
 CFLAGS=-g -Wno-unused-value -Wno-missing-declarations -Wno-pointer-bool-conversion -Wno-macro-redefined -Wno-int-to-void-pointer-cast -DHOOK_MALLOC_FAILED -DESP_EVENT_H_ -D__ESP_LOG_H__ \
                  -I. -I../.. -I../../include -I../../private_include -I ./build/config  \
@@ -34,7 +35,7 @@ CFLAGS=-g -Wno-unused-value -Wno-missing-declarations -Wno-pointer-bool-conversi
                  -I$(COMPONENTS_DIR)/soc/src/esp32/include \
                  -I$(COMPONENTS_DIR)/xtensa/include \
                  -I$(COMPONENTS_DIR)/xtensa/esp32/include \
-                 -I$(COMPILER_ICLUDE_DIR)/include
+                 -I$(COMPILER_INCLUDE_DIR)/include
 
 
 MDNS_C_DEPENDENCY_INJECTION=-include mdns_di.h
@@ -85,7 +86,18 @@ $(TEST_NAME): $(OBJECTS)
 	@$(LD)  $(OBJECTS) -o $@ $(LDLIBS)
 
 fuzz: $(TEST_NAME)
-	@$(FUZZ) -i "in" -o "out" -- ./$(TEST_NAME)
+	# timeout returns 124 if time limit is reached, original return code otherwise
+	# pass only if: fuzzing was running smoothly until timeout AND no crash found
+	@timeout 10m $(FUZZ) -i "in" -o "out" -- ./$(TEST_NAME) || \
+	if [ $$? -eq 124 ]; then \
+		if [ -n "$$(find out/default/crashes -type f 2>/dev/null)" ]; then \
+			echo "Crashes found!"; \
+			tar -czf out/default/crashes.tar.gz -C out/default crashes; \
+			exit 1; \
+		fi \
+	else \
+		exit 1; \
+	fi
 
 clean:
 	@rm -rf *.o *.SYM $(TEST_NAME) out

components/mdns/tests/test_afl_fuzz_host/esp32_mock.h

@@ -55,8 +55,7 @@
 
 #define pdMS_TO_TICKS(a) a
 #define xSemaphoreTake(s,d)        true
-#define xTaskDelete(a)
-#define vTaskDelete(a)             free(a)
+#define vTaskDelete(a)             free(NULL)
 #define xSemaphoreGive(s)
 #define xQueueCreateMutex(s)
 #define _mdns_pcb_init(a,b)         true
@@ -66,7 +65,7 @@
 #define vSemaphoreDelete(s)         free(s)
 #define queueQUEUE_TYPE_MUTEX       ( ( uint8_t ) 1U
 #define xTaskCreatePinnedToCore(a,b,c,d,e,f,g)     *(f) = malloc(1)
-#define xTaskCreateStaticPinnedToCore(a,b,c,d,e,f,g,h)     true
+#define xTaskCreateStaticPinnedToCore(a,b,c,d,e,f,g,h)     ((void*)1)
 #define vTaskDelay(m)               usleep((m)*0)
 #define esp_random()                (rand()%UINT32_MAX)
 

components/mdns/tests/test_afl_fuzz_host/test.c

@@ -81,30 +81,20 @@ static int mdns_test_service_txt_set(const char *service, const char *proto,  ui
 static int mdns_test_sub_service_add(const char *sub_name, const char *service_name, const char *proto, uint32_t port)
 {
     if (mdns_service_add(NULL, service_name, proto, port, NULL, 0)) {
-        // This is expected failure as the service thread is not running
+        return ESP_FAIL;
     }
-    mdns_action_t *a = NULL;
-    GetLastItem(&a);
-    mdns_test_execute_action(a);
 
     if (_mdns_get_service_item(service_name, proto, NULL) == NULL) {
         return ESP_FAIL;
     }
-    int ret = mdns_service_subtype_add_for_host(NULL, service_name, proto, NULL, sub_name);
-    a = NULL;
-    GetLastItem(&a);
-    mdns_test_execute_action(a);
-    return ret;
+    return mdns_service_subtype_add_for_host(NULL, service_name, proto, NULL, sub_name);
 }
 
 static int mdns_test_service_add(const char *service_name, const char *proto, uint32_t port)
 {
     if (mdns_service_add(NULL, service_name, proto, port, NULL, 0)) {
-        // This is expected failure as the service thread is not running
+        return ESP_FAIL;
     }
-    mdns_action_t *a = NULL;
-    GetLastItem(&a);
-    mdns_test_execute_action(a);
 
     if (_mdns_get_service_item(service_name, proto, NULL) == NULL) {
         return ESP_FAIL;
@@ -270,9 +260,6 @@ int main(int argc, char **argv)
     }
 #ifndef MDNS_NO_SERVICES
     mdns_service_remove_all();
-    mdns_action_t *a = NULL;
-    GetLastItem(&a);
-    mdns_test_execute_action(a);
 #endif
     ForceTaskDelete();
     mdns_free();