[Core] integrate go-fuzz tests

Open pkillarjun opened this issue 5 months ago • 20 comments

Proposed commit message

Integrating go-fuzz fuzz tests.

  • WHY: the rationale/motivation for the changes

I reported multiple bugs on HackerOne in December 2024.

To my surprise, it's still on hold.

I used this method to find those bugs. My current plan for beats is to first get this PR merged, then integrate beats into oss-fuzz.

Where are the bug reports and patch?

I won't be reporting bugs here. Well, because I need my bounty.

HackerOne Report-id: 2875630, 2880503, 2874081, 2874291

Checklist

  • [ ] My code follows the style guidelines of this project
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • [ ] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

How to test this PR locally

# Install libpcap-dev / libpcap-devel.
 
make test-fuzz

Use cases

Find panics (integer overflow, invalid memory access, null pointer), CPU spikes and memory leaks while parsing data.

With this, I found a lot of them in your network stack.

pkillarjun avatar Jul 23 '25 19:07 pkillarjun
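
An added illustration of the bug class named under "Use cases" in the description above (not code from this PR or from Beats): a constructed length-prefixed record parser that panics on short or lying input, its bounds-checked form, and a native Go fuzz target for the checked form. All function names and sample inputs are hypothetical.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"testing"
)

var errTruncated = errors.New("truncated record")

// Added example, not Beats code. parseUnsafe trusts the 2-byte big-endian
// length field taken from the wire.
func parseUnsafe(b []byte) []byte {
	n := binary.BigEndian.Uint16(b) // panics when len(b) < 2
	return b[2 : 2+int(n)]          // panics when n exceeds the bytes present
}

// parseSafe checks the header and the declared length before slicing.
func parseSafe(b []byte) ([]byte, error) {
	if len(b) < 2 {
		return nil, errTruncated
	}
	n := int(binary.BigEndian.Uint16(b))
	if n > len(b)-2 {
		return nil, errTruncated
	}
	return b[2 : 2+n], nil
}

// crashes reports whether fn panics on data, the condition a fuzzer flags.
func crashes(fn func([]byte), data []byte) (crashed bool) {
	defer func() { crashed = recover() != nil }()
	fn(data)
	return false
}

// In a _test.go file, run with: go test -fuzz=FuzzParseSafe -fuzztime=30s
func FuzzParseSafe(f *testing.F) {
	f.Add([]byte{0, 2, 'o', 'k'}) // seed corpus entry (constructed)
	f.Fuzz(func(t *testing.T, data []byte) { _, _ = parseSafe(data) })
}

func main() {
	// Constructed inputs: valid record, empty input, oversized length field.
	for _, in := range [][]byte{{0, 2, 'o', 'k'}, {}, {0xff, 0xff, 'x'}} {
		u := crashes(func(b []byte) { parseUnsafe(b) }, in)
		s := crashes(func(b []byte) { _, _ = parseSafe(b) }, in)
		fmt.Printf("%x unsafe-panics=%v safe-panics=%v\n", in, u, s)
	}
}
```

Pointing the fuzz target at `parseUnsafe` instead makes the fuzzer stop on the first panicking input and save it under `testdata/fuzz/` as a regression seed.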

💚 CLA has been signed

:robot: GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

github-actions[bot] avatar Jul 23 '25 19:07 github-actions[bot]

This pull request does not have a backport label. If this is a bug or security fix, could you label this PR @pkillarjun? 🙏. For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

mergify[bot] avatar Jul 23 '25 19:07 mergify[bot]

❌ Author of the following commits did not sign a Contributor Agreement: 6b29847, c6125ab, 22bc4ae, a499d7a, 41b0545

Please, read and sign the above mentioned agreement if you want to contribute to this project

Done, BTW I love modern web.

pkillarjun avatar Jul 23 '25 19:07 pkillarjun

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

elasticmachine avatar Jul 24 '25 11:07 elasticmachine

https://github.com/elastic/beats/pull/45525#discussion_r2228247983
https://github.com/elastic/beats/pull/45525#discussion_r2228248662
https://github.com/elastic/beats/pull/45525#discussion_r2228249188

If I get this correctly, patch for filebeat should be reverted.

Patch: Revert changes in filebeat

edit: I can do a git edit right now or we can wait until the review is completed.

pkillarjun avatar Jul 24 '25 14:07 pkillarjun

If I get this correctly, patch for filebeat should be reverted.

@pkillarjun not sure I follow.

You addressed my comments in https://github.com/elastic/beats/pull/45525/commits/39c08d6eae526c570c2a406e459901091f91bda8

It's all good now.

However, a lot of changes in this PR involve parts of the code owned by multiple other teams. I'll let the code owners review this PR first before we run the CI and prepare it for merging.

Thanks again for your contribution!

rdner avatar Jul 24 '25 15:07 rdner

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

elasticmachine avatar Jul 25 '25 08:07 elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

elasticmachine avatar Jul 25 '25 08:07 elasticmachine

cc @nfritts @qcorporation @lalit-satapathy

pierrehilbert avatar Jul 25 '25 08:07 pierrehilbert

This pull request is now in conflicts. Could you fix it? 🙏 To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b hackerone upstream/hackerone
git merge upstream/main
git push upstream hackerone

mergify[bot] avatar Aug 04 '25 06:08 mergify[bot]

This pull request is now in conflicts. Could you fix it? 🙏 To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b hackerone upstream/hackerone
git merge upstream/main
git push upstream hackerone

We will do it at the end, with squash.

pkillarjun avatar Aug 04 '25 12:08 pkillarjun

/test

rdner avatar Aug 05 '25 08:08 rdner

/test

Done https://github.com/elastic/beats/pull/45525/commits/30303b4f4c0f10df9bdb03fa60e4d44d1fdefb45

I have fixed the error in my changes; I won't be updating Beats' code base for obvious reasons.

pkillarjun avatar Aug 06 '25 04:08 pkillarjun

/test

pierrehilbert avatar Aug 06 '25 06:08 pierrehilbert

/test

rdner avatar Aug 07 '25 11:08 rdner

@ishleenk17 could you please take a look here?

pierrehilbert avatar Oct 31 '25 15:10 pierrehilbert

@lalit-satapathy we need someone from your team to review here

pierrehilbert avatar Nov 12 '25 14:11 pierrehilbert

The script sets fuzz tests with -fuzztime=600s (i.e., 10 minutes) each. While good for local dev, that could be heavy in CI. These would be run as part of CI as well?

ishleenk17 avatar Nov 18 '25 17:11 ishleenk17

This pull request is now in conflicts. Could you fix it? 🙏 To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b hackerone upstream/hackerone
git merge upstream/main
git push upstream hackerone

mergify[bot] avatar Dec 08 '25 08:12 mergify[bot]