Fixes for MQTT broker found with fuzzing (add fuzzer to CI) #474

Merged
embhorn merged 1 commit into wolfSSL:master from dgarske:broker_fuzz
Mar 19, 2026

Conversation

@dgarske dgarske commented Mar 17, 2026

Summary

Add libFuzzer-based broker fuzzing infrastructure and fix security issues identified through automated review and fuzz testing.

New Features

  • Broker fuzzer harness (tests/fuzz/broker_fuzz.c): libFuzzer harness that mocks network callbacks to feed raw MQTT packets into the broker's accept/read/process path via MqttBroker_Step()
  • Seed corpus generator (tests/fuzz/gen_corpus.py): Python script generating valid and malformed MQTT packets (CONNECT, PUBLISH, SUBSCRIBE, multi-packet sequences, edge cases) as seed inputs
  • MQTT dictionary (tests/fuzz/mqtt.dict): libFuzzer dictionary with MQTT protocol constants for intelligent mutation
  • Fuzz script (scripts/fuzz.sh): Reusable build-and-run script for local and CI use; accepts duration argument (e.g., ./scripts/fuzz.sh 60 for 60 seconds)
  • CI workflow (.github/workflows/fuzz.yml): Weekly full run (10 min), PR smoke test (60s), with ASan and crash artifact upload

Security Fixes

  • MqttEncode_String word16 truncation (mqtt_packet.c): Strings exceeding 65535 bytes caused a wrapped length prefix while copying full data, leading to protocol desynchronization. Added MQTT_MAX_UTF8_LEN validation per MQTT spec.
  • LWT payload word16 truncation (mqtt_packet.c): MqttEncode_Connect added full total_len to remain_len but truncated to word16 in MqttEncode_Data, leaving uninitialized bytes in the packet. Added bounds check.
  • Second CONNECT not rejected (mqtt_broker.c): A second CONNECT on an already-connected session overwrote client state without cleaning up subscriptions. Now disconnects per [MQTT-3.1.0-2].
  • Wildcard chars in PUBLISH topic (mqtt_broker.c): PUBLISH topic names were not validated for + and # characters. Now rejects per [MQTT-3.3.2-2].
  • Wildcard subscriptions match $ topics (mqtt_broker.c): BrokerTopicMatch did not filter $-prefixed topics from wildcard filters. Added guard per [MQTT-4.7.2].
  • SN_Decode_Register off-by-one (mqtt_sn_packet.c): Null terminator wrote one byte past buffer end when total_len == rx_buf_len. Changed bounds check to >=.
  • MqttDecode_Props VAR_INT leak (mqtt_packet.c): MQTT_DATA_TYPE_VAR_INT error path used return tmp bypassing property cleanup. Changed to rc = tmp; break; consistent with other error paths.
  • V5 property leak on malformed CONNECT (mqtt_broker.c): Early return on decode failure leaked mc.props and lwt.props. Added cleanup before return.
  • SN_Encode_Publish NULL checks (mqtt_sn_packet.c): Added NULL validation for topic_name and buffer pointers before XMEMCPY.

Bug Fixes

  • BrokerTls_Init unused-function error (mqtt_broker.c): --enable-broker --enable-fuzz failed to compile because BrokerTls_Init/BrokerTls_Free were guarded by ENABLE_MQTT_TLS but only called when !WOLFMQTT_BROKER_CUSTOM_NET. Added matching guard.
  • CI fuzz-full runs on PRs (fuzz.yml): smoke_only matrix variable was defined but never used. Added condition so full 10-minute run only triggers on schedule/dispatch.
  • Redundant periodic reset (broker_fuzz.c): FUZZ_RESET_INTERVAL check was dead code since cleanup+init runs every iteration. Removed.

Test Plan

  • make check — all 7 tests pass (--enable-broker --enable-all)
  • ./scripts/fuzz.sh 60 — clean 60s run, no crashes (clang + ASan)
  • make clean removes tests/fuzz/corpus/
  • --enable-all non-fuzz build compiles cleanly

@dgarske dgarske self-assigned this Mar 17, 2026
@dgarske dgarske requested a review from embhorn March 18, 2026 18:20
@dgarske dgarske assigned embhorn and unassigned dgarske Mar 18, 2026
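Added example (not wolfMQTT's code) modelling the MqttEncode_String word16 truncation listed under Security Fixes: the unchecked encoder writes a wrapped two-byte length prefix but copies the full string, so a decoder that trusts the prefix ends up out of sync with the sender, while the checked variant applies the MQTT_MAX_UTF8_LEN guard first. The function names, the -2 "too long" error code and the 'a'-filled test string are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t word16;
typedef uint32_t word32;

/* The MQTT UTF-8 string length prefix is two bytes, so 65535 is the spec maximum. */
#define MQTT_MAX_UTF8_LEN 65535u

/* Constructed model of the pre-fix behaviour (not wolfMQTT's MqttEncode_String):
 * the prefix is written as (word16)len, but all len bytes are still copied. */
static int encode_string_unchecked(uint8_t *buf, size_t buf_len, const char *str, word32 len)
{
    word16 wire_len = (word16)len;            /* silently wraps when len > 65535 */
    if (buf == NULL || str == NULL || buf_len < 2u + len) return -1;
    buf[0] = (uint8_t)(wire_len >> 8);
    buf[1] = (uint8_t)(wire_len & 0xFFu);
    memcpy(buf + 2, str, len);                /* copies the full, unwrapped length */
    return (int)(2u + len);
}

/* Hardened form: refuse any string the two-byte prefix cannot represent.
 * -2 is a hypothetical "too long" error code chosen for this example. */
static int encode_string_checked(uint8_t *buf, size_t buf_len, const char *str, word32 len)
{
    if (len > MQTT_MAX_UTF8_LEN) return -2;
    return encode_string_unchecked(buf, buf_len, str, len);
}

/* A receiver trusts the prefix: this reads how many payload bytes the field claims. */
static int decode_string_len(const uint8_t *buf, size_t buf_len, word32 *out)
{
    if (buf == NULL || buf_len < 2u) return -1;
    *out = ((word32)buf[0] << 8) | buf[1];
    return 0;
}

static uint8_t g_wire[MQTT_MAX_UTF8_LEN + 3u];  /* prefix + 65536-byte payload */
static char    g_str[MQTT_MAX_UTF8_LEN + 1u];   /* constructed test string */

/* Encodes a len-byte string with the unchecked encoder and returns how many
 * bytes a prefix-honouring decoder would leave unconsumed (0 = still in sync). */
static long desync_bytes(word32 len)
{
    word32 claimed; int enc;
    if (len > sizeof(g_str)) return -1;
    memset(g_str, 'a', sizeof(g_str));
    enc = encode_string_unchecked(g_wire, sizeof(g_wire), g_str, len);
    if (enc < 0 || decode_string_len(g_wire, (size_t)enc, &claimed) != 0) return -1;
    return (long)enc - (long)(2u + claimed);  /* bytes the decoder misreads as the next field */
}
```

A 65536-byte string encodes with a prefix of 0, so the decoder consumes only the two prefix bytes and treats the whole payload as the start of the next field; the checked encoder rejects that input before any bytes are written.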
@embhorn embhorn left a comment

Fantastic. Approved.

@embhorn embhorn merged commit 9cb4789 into wolfSSL:master Mar 19, 2026
35 of 36 checks passed