/src/open62541/tests/fuzz/fuzz_binary_message.cc

Source
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 *    Copyright 2019 (c) fortiss (Author: Stefan Profanter)
 */

#include <open62541/plugin/log_stdout.h>
#include <open62541/server_config_default.h>
#include <open62541/types.h>

#include "ua_server_internal.h"
#include "testing_networklayers.h"

#define RECEIVE_BUFFER_SIZE 65535

static void *
_removeServerComponent(void *application, UA_ServerComponent *sc) {
    UA_assert(sc->state == UA_LIFECYCLESTATE_STOPPED);
    sc->clear(sc);
    UA_free(sc);
    return NULL;
}

/*
** Main entry point.  The fuzzer invokes this function with each
** fuzzed input.
*/
extern "C" int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if(size <= 4)
        return 0;

    /* less debug output */
    UA_ServerConfig initialConfig;
    memset(&initialConfig, 0, sizeof(UA_ServerConfig));
    UA_StatusCode retval = UA_ServerConfig_setDefault(&initialConfig);
    initialConfig.allowEmptyVariables = UA_RULEHANDLING_ACCEPT;
    if(retval != UA_STATUSCODE_GOOD) {
        UA_ServerConfig_clean(&initialConfig);
        UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_SERVER,
                     "Could not generate the server config");
        return 0;
    }

    UA_Server *server = UA_Server_newWithConfig(&initialConfig);
    if(!server) {
        UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_SERVER,
                     "Could not create server instance using UA_Server_new");
        return 0;
    }

    // we need to copy the message because it will be freed in the processing function
    UA_ByteString msg = UA_BYTESTRING_NULL;
    retval = UA_ByteString_allocBuffer(&msg, size);
    if(retval != UA_STATUSCODE_GOOD) {
        UA_Server_delete(server);
        UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_SERVER,
                     "Could not allocate message buffer");
        return 0;
    }
    memcpy(msg.data, data, size);

    /* Remove all remaining server components (must be all stopped) */
    lockServer(server);
    ZIP_ITER(UA_ServerComponentTree, &server->serverComponents,
             _removeServerComponent, server);
    ZIP_INIT(&server->serverComponents);
    unlockServer(server);

    UA_ServerComponent *bpm = UA_BinaryProtocolManager_new(server);
    addServerComponent(server, bpm, NULL);

    void *ctx = NULL;
    serverNetworkCallback(&testConnectionManagerTCP, 0, bpm,
                          &ctx, UA_CONNECTIONSTATE_ESTABLISHED,
                          &UA_KEYVALUEMAP_NULL, msg);

    // if we got an invalid chunk, the message is not deleted, so delete it here
    UA_ByteString_clear(&msg);
    UA_Server_delete(server);
    return 0;
}

Line	Count	Source
1		/* This Source Code Form is subject to the terms of the Mozilla Public
2		* License, v. 2.0. If a copy of the MPL was not distributed with this
3		* file, You can obtain one at http://mozilla.org/MPL/2.0/.
4		*
5		* Copyright 2019 (c) fortiss (Author: Stefan Profanter)
6		*/
7
8		#include <open62541/plugin/log_stdout.h>
9		#include <open62541/server_config_default.h>
10		#include <open62541/types.h>
11
12		#include "ua_server_internal.h"
13		#include "testing_networklayers.h"
14
15		#define RECEIVE_BUFFER_SIZE 65535
16
17		static void *
18	741	_removeServerComponent(void application, UA_ServerComponent sc) {
19	741	UA_assert(sc->state == UA_LIFECYCLESTATE_STOPPED);
20	741	sc->clear(sc);
21	741	UA_free(sc);
22	741	return NULL;
23	741	}
24
25		/*
26		** Main entry point. The fuzzer invokes this function with each
27		** fuzzed input.
28		*/
29		extern "C" int
30	251	LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
31	251	if(size <= 4)
32	4	return 0;
33
34		/* less debug output */
35	247	UA_ServerConfig initialConfig;
36	247	memset(&initialConfig, 0, sizeof(UA_ServerConfig));
37	247	UA_StatusCode retval = UA_ServerConfig_setDefault(&initialConfig);
38	247	initialConfig.allowEmptyVariables = UA_RULEHANDLING_ACCEPT;
39	247	if(retval != UA_STATUSCODE_GOOD) {
40	0	UA_ServerConfig_clean(&initialConfig);
41	0	UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_SERVER,
42	0	"Could not generate the server config");
43	0	return 0;
44	0	}
45
46	247	UA_Server *server = UA_Server_newWithConfig(&initialConfig);
47	247	if(!server) {
48	0	UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_SERVER,
49	0	"Could not create server instance using UA_Server_new");
50	0	return 0;
51	0	}
52
53		// we need to copy the message because it will be freed in the processing function
54	247	UA_ByteString msg = UA_BYTESTRING_NULL;
55	247	retval = UA_ByteString_allocBuffer(&msg, size);
56	247	if(retval != UA_STATUSCODE_GOOD) {
57	0	UA_Server_delete(server);
58	0	UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_SERVER,
59	0	"Could not allocate message buffer");
60	0	return 0;
61	0	}
62	247	memcpy(msg.data, data, size);
63
64		/* Remove all remaining server components (must be all stopped) */
65	247	lockServer(server);
66	247	ZIP_ITER(UA_ServerComponentTree, &server->serverComponents,
67	247	_removeServerComponent, server);
68	247	ZIP_INIT(&server->serverComponents);
69	247	unlockServer(server);
70
71	247	UA_ServerComponent *bpm = UA_BinaryProtocolManager_new(server);
72	247	addServerComponent(server, bpm, NULL);
73
74	247	void *ctx = NULL;
75	247	serverNetworkCallback(&testConnectionManagerTCP, 0, bpm,
76	247	&ctx, UA_CONNECTIONSTATE_ESTABLISHED,
77	247	&UA_KEYVALUEMAP_NULL, msg);
78
79		// if we got an invalid chunk, the message is not deleted, so delete it here
80	247	UA_ByteString_clear(&msg);
81	247	UA_Server_delete(server);
82	247	return 0;
83	247	}

Coverage Report

Created: 2025-09-27 06:34