Coverage Report

Created: 2026-06-30 06:45

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/open62541_15/tests/fuzz/fuzz_binary_message.cc
Line
Count
Source
1
/* This Source Code Form is subject to the terms of the Mozilla Public
2
 * License, v. 2.0. If a copy of the MPL was not distributed with this
3
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
4
 *
5
 *    Copyright 2019 (c) fortiss (Author: Stefan Profanter)
6
 */
7
8
#include <open62541/plugin/log_stdout.h>
9
#include <open62541/server_config_default.h>
10
#include <open62541/types.h>
11
12
#include "ua_server_internal.h"
13
#include "testing_networklayers.h"
14
15
#define RECEIVE_BUFFER_SIZE 65535
16
17
static void *
18
687
_removeServerComponent(void *application, UA_ServerComponent *sc) {
19
687
    UA_assert(sc->state == UA_LIFECYCLESTATE_STOPPED);
20
687
    sc->clear(sc);
21
687
    UA_free(sc);
22
687
    return NULL;
23
687
}
24
25
/*
26
** Main entry point.  The fuzzer invokes this function with each
27
** fuzzed input.
28
*/
29
extern "C" int
30
233
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
31
233
    if(size <= 4)
32
4
        return 0;
33
34
    /* less debug output */
35
229
    UA_ServerConfig initialConfig;
36
229
    memset(&initialConfig, 0, sizeof(UA_ServerConfig));
37
229
    UA_StatusCode retval = UA_ServerConfig_setDefault(&initialConfig);
38
229
    initialConfig.allowEmptyVariables = UA_RULEHANDLING_ACCEPT;
39
229
    if(retval != UA_STATUSCODE_GOOD) {
40
0
        UA_ServerConfig_clean(&initialConfig);
41
0
        UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_SERVER,
42
0
                     "Could not generate the server config");
43
0
        return 0;
44
0
    }
45
46
229
    UA_Server *server = UA_Server_newWithConfig(&initialConfig);
47
229
    if(!server) {
48
0
        UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_SERVER,
49
0
                     "Could not create server instance using UA_Server_new");
50
0
        return 0;
51
0
    }
52
53
    // we need to copy the message because it will be freed in the processing function
54
229
    UA_ByteString msg = UA_BYTESTRING_NULL;
55
229
    retval = UA_ByteString_allocBuffer(&msg, size);
56
229
    if(retval != UA_STATUSCODE_GOOD) {
57
0
        UA_Server_delete(server);
58
0
        UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_SERVER,
59
0
                     "Could not allocate message buffer");
60
0
        return 0;
61
0
    }
62
229
    memcpy(msg.data, data, size);
63
64
    /* Remove all remaining server components (must be all stopped) */
65
229
    lockServer(server);
66
229
    ZIP_ITER(UA_ServerComponentTree, &server->serverComponents,
67
229
             _removeServerComponent, server);
68
229
    ZIP_INIT(&server->serverComponents);
69
229
    unlockServer(server);
70
71
229
    UA_ServerComponent *bpm = UA_BinaryProtocolManager_new(server);
72
229
    addServerComponent(server, bpm, NULL);
73
74
229
    void *ctx = NULL;
75
229
    UA_ConnectionManager *cm = TestConnectionManager_new("tcp", NULL);
76
229
    serverNetworkCallback(cm, 0, bpm,
77
229
                          &ctx, UA_CONNECTIONSTATE_ESTABLISHED,
78
229
                          &UA_KEYVALUEMAP_NULL, msg);
79
229
    cm->eventSource.free(&cm->eventSource);
80
81
    // if we got an invalid chunk, the message is not deleted, so delete it here
82
229
    UA_ByteString_clear(&msg);
83
229
    UA_Server_delete(server);
84
229
    return 0;
85
229
}