1 /* Copyright (c) 2020 Dovecot authors, see the included COPYING file */
2
3 #include "lib.h"
4 #include "fuzzer.h"
5 #include "istream.h"
6 #include "ioloop.h"
7 #include "smtp-server.h"
8
9 static struct {
10 struct istream *data_input;
11 } state = {
12 .data_input = NULL,
13 };
14
15 static int
server_cmd_rcpt(void * conn_ctx ATTR_UNUSED,struct smtp_server_cmd_ctx * cmd ATTR_UNUSED,struct smtp_server_recipient * rcpt ATTR_UNUSED)16 server_cmd_rcpt(void *conn_ctx ATTR_UNUSED,
17 struct smtp_server_cmd_ctx *cmd ATTR_UNUSED,
18 struct smtp_server_recipient *rcpt ATTR_UNUSED)
19 {
20 return 1;
21 }
22
23 static int
server_cmd_data_continue(void * conn_ctx ATTR_UNUSED,struct smtp_server_cmd_ctx * cmd,struct smtp_server_transaction * trans ATTR_UNUSED)24 server_cmd_data_continue(void *conn_ctx ATTR_UNUSED,
25 struct smtp_server_cmd_ctx *cmd,
26 struct smtp_server_transaction *trans ATTR_UNUSED)
27 {
28 struct istream *data_input = state.data_input;
29 const unsigned char *data;
30 size_t size;
31 ssize_t ret;
32
33 while ((ret = i_stream_read(data_input)) > 0 || ret == -2) {
34 data = i_stream_get_data(data_input, &size);
35 i_stream_skip(data_input, size);
36 if (!smtp_server_cmd_data_check_size(cmd))
37 return -1;
38 }
39
40 if (ret == 0)
41 return 0;
42 if (ret < 0 && data_input->stream_errno != 0) {
43 /* Client probably disconnected */
44 return -1;
45 }
46
47 smtp_server_reply_all(cmd, 250, "2.0.0", "Accepted");
48 return 1;
49 }
50
51 static int
server_cmd_data_begin(void * conn_ctx ATTR_UNUSED,struct smtp_server_cmd_ctx * cmd ATTR_UNUSED,struct smtp_server_transaction * trans ATTR_UNUSED,struct istream * data_input)52 server_cmd_data_begin(void *conn_ctx ATTR_UNUSED,
53 struct smtp_server_cmd_ctx *cmd ATTR_UNUSED,
54 struct smtp_server_transaction *trans ATTR_UNUSED,
55 struct istream *data_input)
56 {
57 state.data_input = data_input;
58 return 0;
59 }
60
server_connection_free(void * context)61 static void server_connection_free(void *context)
62 {
63 struct fuzzer_context *ctx = context;
64 io_loop_stop(ctx->ioloop);
65 }
66
test_server_continue(struct fuzzer_context * ctx)67 static void test_server_continue(struct fuzzer_context *ctx)
68 {
69 //instead of simple io_loop_stop so as to free input io
70 io_loop_stop_delayed(ctx->ioloop);
71 }
72
73 FUZZ_BEGIN_FD
74 {
75 struct smtp_server_connection *conn;
76 struct smtp_server_settings smtp_server_set = {
77 .max_client_idle_time_msecs = 500,
78 .max_pipelined_commands = 16,
79 .auth_optional = TRUE,
80 };
81 struct smtp_server_callbacks server_callbacks = {
82 .conn_cmd_rcpt = server_cmd_rcpt,
83 .conn_cmd_data_begin = server_cmd_data_begin,
84 .conn_cmd_data_continue = server_cmd_data_continue,
85 .conn_free = server_connection_free,
86 };
87 struct smtp_server *smtp_server = NULL;
88 struct timeout *to;
89
90 to = timeout_add_short(10, test_server_continue, &fuzz_ctx);
91 smtp_server = smtp_server_init(&smtp_server_set);
92
93 conn = smtp_server_connection_create(smtp_server, fuzz_ctx.fd, fuzz_ctx.fd, NULL, 0,
94 FALSE, NULL, &server_callbacks, &fuzz_ctx);
95 smtp_server_connection_start(conn);
96
97 io_loop_run(fuzz_ctx.ioloop);
98
99 smtp_server_deinit(&smtp_server);
100 timeout_remove(&to);
101 }
102 FUZZ_END
103