1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
#![no_main]
#![type_length_limit = "200000000"]
use std::{pin::Pin, sync::Arc};
use async_trait::async_trait;
use duplexify::Duplex;
use futures::{
executor,
io::{self, Cursor},
AsyncRead, AsyncReadExt, AsyncWrite,
};
use futures_test::io::AsyncReadTestExt;
use libfuzzer_sys::fuzz_target;
use smtp_message::{Email, EscapedDataReader, Reply, ReplyCode};
use smtp_server::{interact, reply, ConnectionMetadata, Decision, IsAlreadyTls, MailMetadata};
struct FuzzConfig;
#[async_trait]
impl smtp_server::Config for FuzzConfig {
type ConnectionUserMeta = ();
type MailUserMeta = ();
type Protocol = smtp_server::protocol::Smtp;
fn hostname(&self, _conn_meta: &ConnectionMetadata<()>) -> &str {
"test.example.org"
}
async fn new_mail(&self, _conn_meta: &mut ConnectionMetadata<()>) {}
async fn tls_accept<IO>(
&self,
_io: IO,
_conn_meta: &mut ConnectionMetadata<()>,
) -> io::Result<
duplexify::Duplex<Pin<Box<dyn Send + AsyncRead>>, Pin<Box<dyn Send + AsyncWrite>>>,
>
where
IO: 'static + Unpin + Send + AsyncRead + AsyncWrite,
{
Err(io::Error::new(
io::ErrorKind::InvalidInput,
"tls not implemented for fuzzing",
))
}
async fn filter_from(
&self,
from: Option<Email>,
_meta: &mut MailMetadata<()>,
_conn_meta: &mut ConnectionMetadata<()>,
) -> Decision<Option<Email>> {
if let Some(from) = from {
let loc = from.localpart.raw().as_bytes();
if loc.len() >= 2 && loc[0] > loc[1] {
Decision::Accept {
reply: reply::okay_from().convert(),
res: Some(from),
}
} else {
Decision::Reject {
reply: Reply {
code: ReplyCode::POLICY_REASON,
ecode: None,
text: vec!["forbidden user".into()],
},
}
}
} else {
Decision::Accept {
reply: reply::okay_from().convert(),
res: from,
}
}
}
async fn filter_to(
&self,
to: Email,
_meta: &mut MailMetadata<()>,
_conn_meta: &mut ConnectionMetadata<()>,
) -> Decision<Email> {
let loc = to.localpart.raw().as_bytes();
if loc.len() >= 2 && loc[0] > loc[1] {
Decision::Accept {
reply: reply::okay_to().convert(),
res: to,
}
} else {
Decision::Reject {
reply: Reply {
code: ReplyCode::POLICY_REASON,
ecode: None,
text: vec!["forbidden user".into()],
},
}
}
}
#[allow(clippy::needless_lifetimes)]
async fn handle_mail<'resp, R>(
&'resp self,
reader: &mut EscapedDataReader<'_, R>,
mail: MailMetadata<()>,
_conn_meta: &'resp mut ConnectionMetadata<()>,
) -> Decision<()>
where
R: Send + Unpin + AsyncRead,
{
let mut ignore = Vec::new();
if reader.read_to_end(&mut ignore).await.is_err() {
return Decision::Reject {
reply: Reply {
code: ReplyCode::POLICY_REASON,
ecode: None,
text: vec!["io error".into()],
},
};
}
reader.complete();
if mail.to.len() > 3 {
Decision::Reject {
reply: Reply {
code: ReplyCode::POLICY_REASON,
ecode: None,
text: vec!["too many recipients".into()],
},
}
} else {
Decision::Accept {
reply: reply::okay_mail().convert(),
res: (),
}
}
}
}
fuzz_target!(|data: &[u8]| {
if data.len() < 2 {
return;
}
let chunk_size = data[0] as u16 * 256 + data[1] as u16;
let reader = Cursor::new(data[2..].to_owned()).limited(chunk_size as usize);
let writer = io::sink();
let io = Duplex::new(reader, writer);
let _ignore_errors =
executor::block_on(interact(io, IsAlreadyTls::No, (), Arc::new(FuzzConfig)));
});