On Mon, Aug 05, 2019 at 07:11:06AM +0000, Oleinik, Alexander wrote:
> The direct receive function qtest_server_recv is directly invoked by the
> qtest client, when the server and client exist within the same process.
>
> Signed-off-by: Alexander Oleinik
> ---
>  include/sysemu/qtest.h |  4 ++++
>  qtest.c                | 14 ++++++++++++++
>  2 files changed, 18 insertions(+)

qtest.c has two parts:

1. The qtest protocol handler
2. The chardev/qtest_init() code

This patch uses #ifdefs to leave most of the code unmodified, but this is
hacky since we need to pass around a NULL CharBackend pointer in order to
reuse the code. There is a danger that someone will modify the core code
and operate on chr not knowing it will break fuzzing.

A cleaner approach is to refactor the qtest protocol handler code to be
transport-independent with a send(void *opaque, const char *str, size_t len)
function pointer provided by the actual transport. That way the core code
doesn't know about CharBackend and can never accidentally touch it.

One way of doing this is to introduce a global qtest_send() function pointer
and pass a void *opaque value through the core qtest protocol handler code.

If you introduce a separate qtest-fuzz.c file then no #ifdefs are necessary
because the conditional compilation can be performed by CONFIG_FUZZ in
Makefile.objs:

  obj-$(CONFIG_FUZZ) += qtest-fuzz.o
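The transport-independent handler the reply proposes, as an added C sketch that is not QEMU code: `qtest_handle_line`, `QTestTransport`, `BufSink` and the readb/writeb toy grammar are hypothetical, and the fuzzer-side buffer transport and a stdout stand-in for the chardev path share one core that never sees a CharBackend.

```c
#include <stdio.h>
#include <string.h>

/* Transport hook supplied by the caller; the core never sees a CharBackend. */
typedef void (*qtest_send_fn)(void *opaque, const char *str, size_t len);
typedef struct { qtest_send_fn send; void *opaque; } QTestTransport;
static unsigned char fake_guest_mem[256];   /* constructed stand-in for guest RAM */
static void qtest_reply(QTestTransport *t, const char *str)
{
    t->send(t->opaque, str, strlen(str));
}
/* Core protocol handler: a toy readb/writeb subset, not the real qtest grammar. */
void qtest_handle_line(QTestTransport *t, const char *line)
{
    char cmd[8], out[32];
    unsigned addr = 0, val = 0;
    int n = sscanf(line, "%7s %x %x", cmd, &addr, &val);
    if (n >= 2 && addr < sizeof fake_guest_mem && strcmp(cmd, "readb") == 0) {
        snprintf(out, sizeof out, "OK 0x%02x\n", fake_guest_mem[addr]);
        qtest_reply(t, out);
    } else if (n == 3 && addr < sizeof fake_guest_mem && strcmp(cmd, "writeb") == 0) {
        fake_guest_mem[addr] = (unsigned char)val;
        qtest_reply(t, "OK\n");
    } else {
        qtest_reply(t, "FAIL\n");   /* unknown command or out-of-range address */
    }
}
/* In-process transport, as a fuzzer would use: replies land in a buffer. */
typedef struct { char *buf; size_t cap; size_t len; } BufSink;
static void buf_send(void *opaque, const char *str, size_t len)
{
    BufSink *s = opaque;
    if (len > s->cap - s->len - 1) len = s->cap - s->len - 1;   /* truncate, never overflow */
    memcpy(s->buf + s->len, str, len);
    s->len += len;
    s->buf[s->len] = '\0';
}
/* Stream transport, standing in for the chardev-backed path: same core code. */
static void stdio_send(void *o, const char *str, size_t len) { fwrite(str, 1, len, (FILE *)o); }
int main(void)
{
    char out[64] = "";
    BufSink sink = { out, sizeof out, 0 };
    QTestTransport fuzz = { buf_send, &sink }, tty = { stdio_send, stdout };
    qtest_handle_line(&fuzz, "writeb 0x10 0xab");
    qtest_handle_line(&fuzz, "readb 0x10");
    fputs(out, stdout);                       /* prints "OK\nOK 0xab\n" */
    qtest_handle_line(&tty, "readb 0x10");    /* same handler, other transport */
    return 0;
}
```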