fuzz-tests: Add a test for peer_init_received()

Changelog-None: `peer_init_received()` in `connectd/peer_exchange_initmsg.{c, h}`
is responsible for handling `init` messages defined in BOLT #1. Since it deals
with untrusted input, add a test for it.

Author: Chandra Pratap

tests/fuzz/Makefile

@@ -36,6 +36,7 @@ FUZZ_COMMON_OBJS := \
 	common/daemon_conn.o				\
 	common/derive_basepoints.o			\
 	common/descriptor_checksum.o			\
+	common/dev_disconnect.o				\
 	common/features.o				\
 	common/fee_states.o				\
 	common/hash_u5.o				\
@@ -58,6 +59,7 @@ FUZZ_COMMON_OBJS := \
 	common/status_wiregen.o				\
 	common/utils.o					\
 	common/version.o				\
+	common/wire_error.o				\
 	wire/bolt12_wiregen.o				\
 	wire/fromwire.o					\
 	wire/onion_wiregen.o				\

tests/fuzz/fuzz-init_received.c

@@ -0,0 +1,169 @@
+/* This is a fuzz test for `peer_init_received()`, which is responsible for
+ * handling  BOLT #1 `init` messages. All this test essentially does in encode
+ * the fuzzer's input as the payload for a cryptographically valid 'init'
+ * message and pass it to this handler.
+ */
+#include "config.h"
+#include <fcntl.h>
+#include <ccan/ccan/io/io.h>
+#include <ccan/ccan/str/hex/hex.h>
+#include <common/setup.h>
+#include <common/utils.h>
+#include <tests/fuzz/libfuzz.h>
+
+static struct io_plan *test_write(struct io_conn *conn, const void *data,
+	size_t len, struct io_plan *(*next)(struct io_conn *, void *), void *arg);
+
+static struct io_plan *test_read(struct io_conn *conn, void *data, size_t len,
+	struct io_plan *(*next)(struct io_conn *, void *), void *arg);
+
+#undef io_write
+#define io_write(conn, data, len, cb, cb_arg)					\
+	test_write((conn),                                                      \
+		(data),                                                         \
+		(len),                                                          \
+		(struct io_plan *(*)(struct io_conn *, void *))(cb),            \
+		(void *)(cb_arg))
+
+#undef io_read
+#define io_read(conn, data, len, cb, cb_arg)					\
+	test_read((conn),							\
+		(data),                                                         \
+		(len),                                                          \
+		(struct io_plan *(*)(struct io_conn *, void *))(cb),            \
+		(void *)(cb_arg))
+
+#include "../../connectd/peer_exchange_initmsg.c"
+
+/* MOCKS START */
+bool address_routable(const struct wireaddr *wireaddr UNNEEDED,
+		      bool allow_localhost UNNEEDED)
+{ return false; }
+struct io_plan *peer_connected(struct io_conn *conn UNNEEDED,
+			       struct daemon *daemon UNNEEDED,
+			       const struct node_id *id UNNEEDED,
+			       const struct wireaddr_internal *addr UNNEEDED,
+			       const struct wireaddr *remote_addr UNNEEDED,
+			       struct crypto_state *cs UNNEEDED,
+			       const u8 *their_features TAKES UNNEEDED,
+			       enum is_websocket is_websocket UNNEEDED,
+			       bool incoming UNNEEDED)
+{	if (taken(their_features))
+		tal_steal(tmpctx, their_features);
+	return io_close(conn);
+}
+/* MOCKS END */
+
+/* Simulate writing and reading the supposed `init` messages to and
+ * from the peer using an in-memory buffer. This is a better workaround
+ * than returning `io_close(conn)`.
+ */
+#define IO_BUFFER_SIZE (1024 * 1024)
+static u8 io_buffer[IO_BUFFER_SIZE];
+static size_t io_buf_len = 0;
+static size_t io_buf_pos = 0;
+
+static struct io_plan *
+test_write(struct io_conn *conn, const void *data, size_t len,
+	struct io_plan *(*next)(struct io_conn *, void *), void *arg)
+{
+	/* append up to available space */
+	size_t space = IO_BUFFER_SIZE - io_buf_len;
+	size_t to_copy = len < space ? len : space;
+	memcpy(io_buffer + io_buf_len, data, to_copy);
+	io_buf_len += to_copy;
+	/* simulate as if all bytes were written */
+	return next(conn, arg);
+}
+
+static struct io_plan *
+test_read(struct io_conn *conn, void *data, size_t len,
+	struct io_plan *(*next)(struct io_conn *, void *), void *arg)
+{
+	/* read up to available data */
+	size_t available = io_buf_len - io_buf_pos;
+	size_t to_copy = len < available ? len : available;
+	if (to_copy > 0) {
+		memcpy(data, io_buffer + io_buf_pos, to_copy);
+		io_buf_pos += to_copy;
+	}
+	/* if buffer is exhausted, reset pointers */
+	if (io_buf_pos == io_buf_len)
+		io_buf_pos = io_buf_len = 0;
+    return next(conn, arg);
+}
+
+static struct secret secret_from_hex(const char *hex)
+{
+	struct secret secret;
+	hex += 2;
+	if (!hex_decode(hex, strlen(hex), &secret, sizeof(secret)))
+		abort();
+	return secret;
+}
+
+/* Encodes the given message. Stores the decrypting crypto_state in `cs`. */
+static u8 *encode_msg(const tal_t *ctx, const void *message, size_t size, struct crypto_state *cs)
+{
+	struct crypto_state cs_out, cs_in;
+	struct secret sk, rk, ck;
+	u16 len;
+
+	void *msg = tal_dup_arr(ctx, char, message, size, 0);
+
+	ck = secret_from_hex("0x919219dbb2920afa8db80f9a51787a840bcf111ed8d588caf9ab4be716e42b01");
+	sk = secret_from_hex("0x969ab31b4d288cedf6218839b27a3e2140827047f2c0f01bf5c04435d43511a9");
+	rk = secret_from_hex("0xbb9020b8965f4df047e07f955f3c4b88418984aadc5cdb35096b9ea8fa5c3442");
+
+	cs_out.sn = cs_out.rn = cs_in.sn = cs_in.rn = 0;
+	cs_out.sk = cs_in.rk = sk;
+	cs_out.rk = cs_in.sk = rk;
+	cs_out.s_ck = cs_out.r_ck = cs_in.s_ck = cs_in.r_ck = ck;
+
+	u8 *encoded_msg = cryptomsg_encrypt_msg(ctx, &cs_out, msg);
+
+	if (!cryptomsg_decrypt_header(&cs_in, encoded_msg, &len))
+			abort();
+
+	/* Trim header */
+	memmove(encoded_msg, encoded_msg + CRYPTOMSG_HDR_SIZE,
+			tal_bytelen(encoded_msg) - CRYPTOMSG_HDR_SIZE);
+	tal_resize(&encoded_msg, tal_bytelen(encoded_msg) - CRYPTOMSG_HDR_SIZE);
+
+	*cs = cs_in;
+	return encoded_msg;
+}
+
+static struct io_plan *do_nothing(struct io_conn *conn, void *side)
+{
+	return io_close(conn);
+}
+
+void init(int *argc, char ***argv)
+{
+	chainparams = chainparams_for_network("bitcoin");
+	common_setup("fuzzer");
+	int devnull = open("/dev/null", O_WRONLY);
+	status_setup_sync(devnull);
+}
+
+void run(const uint8_t *data, size_t size)
+{
+	struct io_conn *conn;
+	struct crypto_state cs;
+	struct early_peer *peer;
+	u8 *encoded_msg;
+
+	encoded_msg = encode_msg(tmpctx, data, size, &cs);
+	peer = tal(tmpctx, struct early_peer);
+	peer->cs = cs;
+	peer->msg = encoded_msg;
+	peer->incoming = true;
+	peer->daemon = talz(tmpctx, struct daemon);
+	peer->timeout = NULL;
+
+	conn = io_new_conn(tmpctx, -1, do_nothing, NULL);
+	peer_init_received(conn, peer);
+
+	clean_tmpctx();
+}