/src/open62541_15/tests/fuzz/fuzz_binary_message.cc

Source
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 *    Copyright 2019 (c) fortiss (Author: Stefan Profanter)
 */

#include <open62541/plugin/log_stdout.h>
#include <open62541/server_config_default.h>
#include <open62541/types.h>

#include "ua_server_internal.h"
#include "testing_networklayers.h"

#define RECEIVE_BUFFER_SIZE 65535

static void *
_removeServerComponent(void *application, UA_ServerComponent *sc) {
    UA_assert(sc->state == UA_LIFECYCLESTATE_STOPPED);
    sc->clear(sc);
    UA_free(sc);
    return NULL;
}

/*
** Main entry point.  The fuzzer invokes this function with each
** fuzzed input.
*/
extern "C" int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if(size <= 4)
        return 0;

    /* less debug output */
    UA_ServerConfig initialConfig;
    memset(&initialConfig, 0, sizeof(UA_ServerConfig));
    UA_StatusCode retval = UA_ServerConfig_setDefault(&initialConfig);
    initialConfig.allowEmptyVariables = UA_RULEHANDLING_ACCEPT;
    if(retval != UA_STATUSCODE_GOOD) {
        UA_ServerConfig_clean(&initialConfig);
        UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_SERVER,
                     "Could not generate the server config");
        return 0;
    }

    UA_Server *server = UA_Server_newWithConfig(&initialConfig);
    if(!server) {
        UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_SERVER,
                     "Could not create server instance using UA_Server_new");
        return 0;
    }

    // we need to copy the message because it will be freed in the processing function
    UA_ByteString msg = UA_BYTESTRING_NULL;
    retval = UA_ByteString_allocBuffer(&msg, size);
    if(retval != UA_STATUSCODE_GOOD) {
        UA_Server_delete(server);
        UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_SERVER,
                     "Could not allocate message buffer");
        return 0;
    }
    memcpy(msg.data, data, size);

    /* Remove all remaining server components (must be all stopped) */
    lockServer(server);
    ZIP_ITER(UA_ServerComponentTree, &server->serverComponents,
             _removeServerComponent, server);
    ZIP_INIT(&server->serverComponents);
    unlockServer(server);

    UA_ServerComponent *bpm = UA_BinaryProtocolManager_new(server);
    addServerComponent(server, bpm, NULL);

    void *ctx = NULL;
    UA_ConnectionManager *cm = TestConnectionManager_new("tcp", NULL);
    serverNetworkCallback(cm, 0, bpm,
                          &ctx, UA_CONNECTIONSTATE_ESTABLISHED,
                          &UA_KEYVALUEMAP_NULL, msg);
    cm->eventSource.free(&cm->eventSource);

    // if we got an invalid chunk, the message is not deleted, so delete it here
    UA_ByteString_clear(&msg);
    UA_Server_delete(server);
    return 0;
}

Line	Count	Source
1		/* This Source Code Form is subject to the terms of the Mozilla Public
2		* License, v. 2.0. If a copy of the MPL was not distributed with this
3		* file, You can obtain one at http://mozilla.org/MPL/2.0/.
4		*
5		* Copyright 2019 (c) fortiss (Author: Stefan Profanter)
6		*/
7
8		#include <open62541/plugin/log_stdout.h>
9		#include <open62541/server_config_default.h>
10		#include <open62541/types.h>
11
12		#include "ua_server_internal.h"
13		#include "testing_networklayers.h"
14
15		#define RECEIVE_BUFFER_SIZE 65535
16
17		static void *
18	717	_removeServerComponent(void application, UA_ServerComponent sc) {
19	717	UA_assert(sc->state == UA_LIFECYCLESTATE_STOPPED);
20	717	sc->clear(sc);
21	717	UA_free(sc);
22	717	return NULL;
23	717	}
24
25		/*
26		** Main entry point. The fuzzer invokes this function with each
27		** fuzzed input.
28		*/
29		extern "C" int
30	243	LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
31	243	if(size <= 4)
32	4	return 0;
33
34		/* less debug output */
35	239	UA_ServerConfig initialConfig;
36	239	memset(&initialConfig, 0, sizeof(UA_ServerConfig));
37	239	UA_StatusCode retval = UA_ServerConfig_setDefault(&initialConfig);
38	239	initialConfig.allowEmptyVariables = UA_RULEHANDLING_ACCEPT;
39	239	if(retval != UA_STATUSCODE_GOOD) {
40	0	UA_ServerConfig_clean(&initialConfig);
41	0	UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_SERVER,
42	0	"Could not generate the server config");
43	0	return 0;
44	0	}
45
46	239	UA_Server *server = UA_Server_newWithConfig(&initialConfig);
47	239	if(!server) {
48	0	UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_SERVER,
49	0	"Could not create server instance using UA_Server_new");
50	0	return 0;
51	0	}
52
53		// we need to copy the message because it will be freed in the processing function
54	239	UA_ByteString msg = UA_BYTESTRING_NULL;
55	239	retval = UA_ByteString_allocBuffer(&msg, size);
56	239	if(retval != UA_STATUSCODE_GOOD) {
57	0	UA_Server_delete(server);
58	0	UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_SERVER,
59	0	"Could not allocate message buffer");
60	0	return 0;
61	0	}
62	239	memcpy(msg.data, data, size);
63
64		/* Remove all remaining server components (must be all stopped) */
65	239	lockServer(server);
66	239	ZIP_ITER(UA_ServerComponentTree, &server->serverComponents,
67	239	_removeServerComponent, server);
68	239	ZIP_INIT(&server->serverComponents);
69	239	unlockServer(server);
70
71	239	UA_ServerComponent *bpm = UA_BinaryProtocolManager_new(server);
72	239	addServerComponent(server, bpm, NULL);
73
74	239	void *ctx = NULL;
75	239	UA_ConnectionManager *cm = TestConnectionManager_new("tcp", NULL);
76	239	serverNetworkCallback(cm, 0, bpm,
77	239	&ctx, UA_CONNECTIONSTATE_ESTABLISHED,
78	239	&UA_KEYVALUEMAP_NULL, msg);
79	239	cm->eventSource.free(&cm->eventSource);
80
81		// if we got an invalid chunk, the message is not deleted, so delete it here
82	239	UA_ByteString_clear(&msg);
83	239	UA_Server_delete(server);
84	239	return 0;
85	239	}

Coverage Report

Created: 2026-05-16 06:54