Skip to content

Latest commit

 

History

History

fuzz

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 

Fuzzing NeoMutt

NeoMutt has some support for Fuzzing.

It's currently limited to two functions. Two that could be susceptible to remote attacks.

  • mutt_rfc822_read_header();
  • mutt_parse_part();

The fuzzing machinery uses a custom entry point to the code. This can be found in fuzz/address.c

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)

Build the Fuzzer

To build the fuzzer, we need to build with clang and pass some extra flags:

# Set some environment variables
export EXTRA_CFLAGS="-fsanitize=fuzzer"
export CXXFLAGS="$EXTRA_CFLAGS"
# Configure and build
./configure CC=clang --disable-doc --quiet --fuzzing
make CC=clang CXX=clang fuzz

Run the Fuzzer

The fuzzer can be run by simply:

fuzz/address-fuzz

or it can be run against our corpus of test cases:

# Run the fuzzer on the sample data
git clone https://github.com/neomutt/corpus-address.git
fuzz/address-fuzz corpus-address

To see some more options, run:

fuzz/address-fuzz -help=1

Adding the option -max_total_time=3600 will limit the run time to one hour.