We published a small tool for fuzz testing MQTT servers/brokers:
https://github.com/F-Secure/mqtt_fuzz

It's very quick and dirty, and it does not even pretend to know MQTT as a protocol. Instead, it plays back recorded MQTT messages, fuzzing them once in a while. It uses the Radamsa fuzzer to provide the fuzz data. Even with this simple approach, I managed to find the first crash bug in five minutes.
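To make the replay-and-occasionally-fuzz approach concrete, here is a small harness in the same spirit. It is an added example, not mqtt_fuzz's own code: it hand-builds a few valid MQTT 3.1.1 control packets as a constructed "recorded session" (standing in for the project's captured cases), replays them against a broker, and mutates a packet every so often. Radamsa is called when the `radamsa` binary is on PATH; otherwise a minimal built-in byte mutator stands in so the script runs offline. The `-s` seed flag, the packet layouts and the crash heuristic (a refused connection on the next session) are my assumptions for this example.

```python
"""Replay valid MQTT packets, fuzzing some of them (added example, not mqtt_fuzz)."""
import random
import shutil
import socket
import subprocess


def encode_remaining_length(n):
    """MQTT fixed-header variable-length integer (1 to 4 bytes, 7 bits each)."""
    out = bytearray()
    while True:
        digit = n % 128
        n //= 128
        if n:
            digit |= 0x80  # continuation bit
        out.append(digit)
        if not n:
            return bytes(out)


def mqtt_string(s):
    """UTF-8 string with a 2-byte big-endian length prefix."""
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def packet(ptype, flags, body):
    """Fixed header (type << 4 | flags, remaining length) followed by the body."""
    return bytes([(ptype << 4) | flags]) + encode_remaining_length(len(body)) + body


def connect_packet(client_id, keepalive=60):
    # protocol name, protocol level 4 (3.1.1), flags: clean session, keepalive
    var = mqtt_string("MQTT") + b"\x04" + b"\x02" + keepalive.to_bytes(2, "big")
    return packet(1, 0, var + mqtt_string(client_id))


def publish_packet(topic, payload):
    return packet(3, 0, mqtt_string(topic) + payload)  # QoS 0: no packet id


def subscribe_packet(packet_id, topic, qos=0):
    return packet(8, 2, packet_id.to_bytes(2, "big") + mqtt_string(topic) + bytes([qos]))


# Constructed "recorded session"; a real run would use cases carved from a pcap.
VALID_CASES = [
    connect_packet("fuzzclient"),
    subscribe_packet(1, "sensors/#"),
    publish_packet("sensors/temp", b'{"c": 21.5}'),
    packet(14, 0, b""),  # DISCONNECT
]


def mutate(data, rng, use_radamsa=None):
    """Return a corrupted copy of data. Radamsa if available (assumed `-s` seed flag),
    else a built-in mutator that always changes at least one byte."""
    if use_radamsa is None:
        use_radamsa = shutil.which("radamsa") is not None
    if use_radamsa:
        res = subprocess.run(["radamsa", "-s", str(rng.randrange(1 << 31))],
                             input=data, capture_output=True, check=True)
        return res.stdout
    buf = bytearray(data)
    if not buf:
        return bytes([rng.randrange(256)])
    ops = ["flip", "insert", "dup", "length"] + (["delete"] if len(buf) > 1 else [])
    op = rng.choice(ops)
    if op == "flip":  # xor one byte with a non-zero value
        i = rng.randrange(len(buf))
        buf[i] ^= rng.randrange(1, 256)
    elif op == "insert":  # splice in 1..63 random bytes
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))
    elif op == "dup":  # duplicate a non-empty slice in place
        i = rng.randrange(len(buf))
        j = rng.randrange(i + 1, len(buf) + 1)
        buf[j:j] = buf[i:j]
    elif op == "delete":
        del buf[rng.randrange(len(buf))]
    else:  # corrupt the remaining-length field so header and body disagree
        buf[1] ^= 0x7F
    return bytes(buf)


def fuzz_session(seed, fuzz_ratio=0.1, use_radamsa=None, cases=VALID_CASES):
    """Replay cases in order, fuzzing each with probability fuzz_ratio.
    Returns [(packet_bytes, was_fuzzed), ...]."""
    rng = random.Random(seed)
    out = []
    for case in cases:
        if rng.random() < fuzz_ratio:
            out.append((mutate(case, rng, use_radamsa), True))
        else:
            out.append((case, False))
    return out


def run_against_broker(host, port, rounds, seed=0, fuzz_ratio=0.1, timeout=2.0):
    """Send `rounds` sessions. A broker may legitimately drop a connection on a
    malformed packet, so a mid-session reset is not a finding; a refused connect
    on the *next* session is, and the previous session is returned for replay."""
    prev = None
    for r in range(rounds):
        session = fuzz_session(seed * 100003 + r, fuzz_ratio)
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                for pkt, _ in session:
                    s.sendall(pkt)
        except ConnectionRefusedError:
            return prev
        except (ConnectionResetError, BrokenPipeError, socket.timeout):
            pass
        prev = session
    return None


if __name__ == "__main__":
    import sys
    hit = run_against_broker(sys.argv[1], int(sys.argv[2]), rounds=1000)
    print("no crash observed" if hit is None else [p.hex() for p, f in hit if f])
```

Run it as `python harness.py 127.0.0.1 1883` against a broker started under a debugger or with core dumps enabled; the returned session is the one to replay by hand. The crash heuristic is deliberately crude, like the original tool: a broker that simply closes the socket on a bad packet is behaving correctly, and only a broker that stops accepting connections altogether is flagged.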
As there may well be more findings hiding in the MQTT implementations out there, we're releasing the tool in the hope that people will run it against their own implementations and that this will increase the overall robustness of MQTT stacks. Implementations in C/C++, or those that depend on components written in C/C++, would probably be good candidates to test.
If anyone can contribute more example MQTT messages, specifically message types that are currently missing, or messages that carry application-level payloads, I'd be happy to add them to the set of valid cases. For example, if you can sniff a real-life MQTT session and open an issue on the GitHub project with a pointer to the pcap file (including written permission to publicly release and licence the data as part of the project), the coverage could be extended. A direct pull request to the project would also be happily accepted.
Cheers,
Antti