msgbuf: Define a separate msgbuf structure for encode/decode function

Define separate msgbuf structures to avoid casting away const-qualifiers
in the msgbuf constructor function:

* pldm_msgbuf_rw:

msgbuf: Define a separate msgbuf structure for encode/decode function

Define separate msgbuf structures to avoid casting away const-qualifiers
in the msgbuf constructor function:

* pldm_msgbuf_rw: for encode functions with non const-qualified buffer
* pldm_msgbuf_ro: for decode functions with const-qualified buffer

Further, use _Generic() to keep the API ergonomic while still yielding a
compile error when wrong msgbuf type is passed.

Change-Id: I71dbcb7996e9fb402b49870fce539a939c1497e5
Signed-off-by: John Chung <john.chung@arm.com>
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>

show more ...

msgbuf: Rework error handling to improve soundness

Design the implementation to uphold the invariant that a non-negative
remaining value implies the cursor pointer is valid, and that under
other con

msgbuf: Rework error handling to improve soundness

Design the implementation to uphold the invariant that a non-negative
remaining value implies the cursor pointer is valid, and that under
other conditions error values must be observed by the msgbuf user. The
former is tested with assertions in the implementation. The latter is
enforced by construction.

With this change, all msgbuf instances for which
pldm_msgbuf_init_errno() succeeds must be either completed or discarded
by calls to the pldm_msgbuf_complete*() or pldm_msgbuf_discard() APIs
respectively.

We then build on the properties that:

- pldm_msgbuf_init_errno() is marked with the warn_unused_result
function attribute

- pldm_msgbuf_init_errno() returns errors for invalid buffer
configurations

- The complete and discard APIs are marked with the warn_unused_result
function attribute

- The complete APIs test for negative remaining values and return an
error if encountered.

- The discard API propagates the provided error code

Together these provide the foundation to ensure that buffer access
errors are (eventually) detected.

A msgbuf object is always in one of the uninitialized, valid, invalid,
or completed states. The states are defined as follows:

- Uninitialized: Undefined values for remaining and cursor

- Valid: cursor points to a valid object, remaining is both non-negative
and describes a range contained within the object pointed to
by cursor

- Invalid: The value of remaining is negative. The value of cursor is
unspecified.

- Completed: the value of remaining is INTMAX_MIN and cursor is NULL

msgbuf instances must always be in the completed state by the time
their storage is reclaimed. To enforce this, PLDM_MSGBUF_DEFINE_P()
is introduced both to simplify definition of related variables, and
to exploit the compiler's 'cleanup' attribute. The cleanup function
associated with the msgbuf object asserts that the referenced object is
in the completed state.

From there, update the implementations of the msgbuf APIs such that
exceeding implementation type limits forces the msgbuf object to the
invalid state (in addition to returning an error value) to relieve the
caller from testing the result of all API invocations.

Change-Id: I4d78ddc5f567d4148f2f6d8f3e7570e97c316bbb
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>

show more ...

libpldm: Add fuzzing for firmware FD responder

This includes a fuzz target fd-fuzz, and infrastructure to run with
either honggfuzz or AFL.

fd-fuzz-input1.dat was crafted from parts of a pldm firmw

libpldm: Add fuzzing for firmware FD responder

This includes a fuzz target fd-fuzz, and infrastructure to run with
either honggfuzz or AFL.

fd-fuzz-input1.dat was crafted from parts of a pldm firmware update
packet capture, as a seed to guide fuzzers.

Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
Change-Id: I424761a29a22bc964201fd7bd94ddc09a6ac89df

show more ...