/src/open62541_15/tests/fuzz/fuzz_client.cc
Line | Count | Source |
1 | | /* This Source Code Form is subject to the terms of the Mozilla Public |
2 | | * License, v. 2.0. If a copy of the MPL was not distributed with this |
3 | | * file, You can obtain one at http://mozilla.org/MPL/2.0/. |
4 | | * |
5 | | */ |
6 | | |
7 | | #include <open62541/plugin/log_stdout.h> |
8 | | #include <open62541/client_config_default.h> |
9 | | #include <open62541/types.h> |
10 | | |
11 | | #include "ua_client_internal.h" |
12 | | |
13 | 48 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
14 | 48 | if(size < 10) |
15 | 12 | return 0; |
16 | | |
17 | 36 | UA_Client *client = UA_Client_new(); |
18 | 36 | if(!client) |
19 | 0 | return 0; |
20 | | |
21 | 36 | UA_ClientConfig *config = UA_Client_getConfig(client); |
22 | 36 | UA_ClientConfig_setDefault(config); |
23 | 36 | if(config->logging) |
24 | 36 | config->logging->log = NULL; // Disable logging |
25 | | |
26 | | // Manually set some states to allow processing responses |
27 | 36 | client->channel.state = UA_SECURECHANNELSTATE_OPEN; |
28 | 36 | client->sessionState = UA_SESSIONSTATE_ACTIVATED; |
29 | | |
30 | 36 | UA_MessageType messageType = (UA_MessageType)data[0]; |
31 | 36 | UA_UInt32 requestId = *(UA_UInt32*)&data[1]; |
32 | | |
33 | 36 | UA_ByteString message; |
34 | 36 | message.length = size - 5; |
35 | 36 | message.data = (UA_Byte*)UA_malloc(message.length); |
36 | 36 | memcpy(message.data, &data[5], message.length); |
37 | | |
38 | | // We need at least one async call to match the requestId |
39 | 36 | AsyncServiceCall *ac = (AsyncServiceCall*)UA_malloc(sizeof(AsyncServiceCall)); |
40 | 36 | ac->requestId = requestId; |
41 | 36 | ac->callback = NULL; |
42 | 36 | ac->responseType = &UA_TYPES[UA_TYPES_READRESPONSE]; // Just some type |
43 | 36 | ac->userdata = NULL; |
44 | 36 | ac->syncResponse = NULL; |
45 | 36 | LIST_INSERT_HEAD(&client->asyncServiceCalls, ac, pointers); |
46 | | |
47 | 36 | processServiceResponse(client, &client->channel, messageType, requestId, &message); |
48 | | |
49 | | // Cleanup |
50 | | // processServiceResponse might have removed 'ac' if it matched |
51 | 36 | AsyncServiceCall *ac2, *tmp; |
52 | 36 | LIST_FOREACH_SAFE(ac2, &client->asyncServiceCalls, pointers, tmp) { |
53 | 36 | LIST_REMOVE(ac2, pointers); |
54 | 36 | UA_free(ac2); |
55 | 36 | } |
56 | | |
57 | 36 | UA_ByteString_clear(&message); |
58 | 36 | UA_Client_delete(client); |
59 | 36 | return 0; |
60 | 36 | } |