Coverage Report

Created: 2026-06-30 06:45

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/open62541_15/tests/fuzz/fuzz_server_services.cc
Line
Count
Source
1
/* This Source Code Form is subject to the terms of the Mozilla Public
2
 * License, v. 2.0. If a copy of the MPL was not distributed with this
3
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
4
 *
5
 */
6
7
#include <open62541/plugin/log_stdout.h>
8
#include <open62541/server_config_default.h>
9
#include <open62541/types.h>
10
11
#include "ua_server_internal.h"
12
#include "ua_services.h"
13
14
typedef enum {
15
    SERVICE_FINDSERVERS = 0,
16
    SERVICE_GETENDPOINTS,
17
    SERVICE_REGISTERSERVER,
18
    SERVICE_REGISTERSERVER2,
19
    SERVICE_FINDSERVERSONNETWORK,
20
    SERVICE_CREATESESSION,
21
    SERVICE_ACTIVATESESSION,
22
    SERVICE_CLOSESESSION,
23
    SERVICE_CANCEL,
24
    SERVICE_CREATESUBSCRIPTION,
25
    SERVICE_MODIFYSUBSCRIPTION,
26
    SERVICE_SETPUBLISHINGMODE,
27
    SERVICE_DELETESUBSCRIPTIONS,
28
    SERVICE_CREATEMONITOREDITEMS,
29
    SERVICE_MODIFYMONITOREDITEMS,
30
    SERVICE_SETMONITORINGMODE,
31
    SERVICE_DELETEMONITOREDITEMS,
32
    SERVICE_COUNT
33
} ServiceType;
34
35
4.12k
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
36
4.12k
    if(size < 2)
37
2
        return 0;
38
39
4.12k
    UA_ServerConfig config;
40
4.12k
    memset(&config, 0, sizeof(UA_ServerConfig));
41
4.12k
    UA_StatusCode retval = UA_ServerConfig_setDefault(&config);
42
4.12k
    if(retval != UA_STATUSCODE_GOOD) {
43
0
        UA_ServerConfig_clean(&config);
44
0
        return 0;
45
0
    }
46
47
4.12k
    UA_Server *server = UA_Server_newWithConfig(&config);
48
4.12k
    if(!server) {
49
0
        UA_ServerConfig_clean(&config);
50
0
        return 0;
51
0
    }
52
53
4.12k
    UA_SecureChannel channel;
54
4.12k
    UA_SecureChannel_init(&channel);
55
4.12k
    channel.state = UA_SECURECHANNELSTATE_OPEN;
56
57
4.12k
    UA_Session session;
58
4.12k
    UA_Session_init(&session);
59
4.12k
    session.activated = true;
60
4.12k
    UA_NodeId_init(&session.sessionId);
61
4.12k
    session.sessionId.identifierType = UA_NODEIDTYPE_NUMERIC;
62
4.12k
    session.sessionId.identifier.numeric = 1;
63
64
    // Use the first byte to decide which service to call
65
4.12k
    uint8_t serviceChoice = data[0] % SERVICE_COUNT;
66
4.12k
    data++;
67
4.12k
    size--;
68
69
4.12k
    UA_ByteString msg = {size, (UA_Byte *) (void *) data};
70
71
4.12k
    switch((ServiceType)serviceChoice) {
72
265
        case SERVICE_FINDSERVERS: {
73
265
            UA_FindServersRequest request;
74
265
            UA_FindServersResponse response;
75
265
            UA_FindServersResponse_init(&response);
76
265
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_FINDSERVERSREQUEST], NULL) == UA_STATUSCODE_GOOD) {
77
165
                UA_LOCK(&server->serviceMutex);
78
165
                Service_FindServers(server, &session, &request, &response);
79
165
                UA_UNLOCK(&server->serviceMutex);
80
165
                UA_FindServersRequest_clear(&request);
81
165
            }
82
265
            UA_FindServersResponse_clear(&response);
83
265
            break;
84
0
        }
85
120
        case SERVICE_GETENDPOINTS: {
86
120
            UA_GetEndpointsRequest request;
87
120
            UA_GetEndpointsResponse response;
88
120
            UA_GetEndpointsResponse_init(&response);
89
120
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_GETENDPOINTSREQUEST], NULL) == UA_STATUSCODE_GOOD) {
90
35
                UA_LOCK(&server->serviceMutex);
91
35
                Service_GetEndpoints(server, &session, &request, &response);
92
35
                UA_UNLOCK(&server->serviceMutex);
93
35
                UA_GetEndpointsRequest_clear(&request);
94
35
            }
95
120
            UA_GetEndpointsResponse_clear(&response);
96
120
            break;
97
0
        }
98
0
#ifdef UA_ENABLE_DISCOVERY
99
91
        case SERVICE_REGISTERSERVER: {
100
91
            UA_RegisterServerRequest request;
101
91
            UA_RegisterServerResponse response;
102
91
            UA_RegisterServerResponse_init(&response);
103
91
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_REGISTERSERVERREQUEST], NULL) == UA_STATUSCODE_GOOD) {
104
3
                UA_LOCK(&server->serviceMutex);
105
3
                Service_RegisterServer(server, &session, &request, &response);
106
3
                UA_UNLOCK(&server->serviceMutex);
107
3
                UA_RegisterServerRequest_clear(&request);
108
3
            }
109
91
            UA_RegisterServerResponse_clear(&response);
110
91
            break;
111
0
        }
112
121
        case SERVICE_REGISTERSERVER2: {
113
121
            UA_RegisterServer2Request request;
114
121
            UA_RegisterServer2Response response;
115
121
            UA_RegisterServer2Response_init(&response);
116
121
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_REGISTERSERVER2REQUEST], NULL) == UA_STATUSCODE_GOOD) {
117
7
                UA_LOCK(&server->serviceMutex);
118
7
                Service_RegisterServer2(server, &session, &request, &response);
119
7
                UA_UNLOCK(&server->serviceMutex);
120
7
                UA_RegisterServer2Request_clear(&request);
121
7
            }
122
121
            UA_RegisterServer2Response_clear(&response);
123
121
            break;
124
0
        }
125
0
# ifdef UA_ENABLE_DISCOVERY_MULTICAST
126
57
        case SERVICE_FINDSERVERSONNETWORK: {
127
57
            UA_FindServersOnNetworkRequest request;
128
57
            UA_FindServersOnNetworkResponse response;
129
57
            UA_FindServersOnNetworkResponse_init(&response);
130
57
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_FINDSERVERSONNETWORKREQUEST], NULL) == UA_STATUSCODE_GOOD) {
131
2
                UA_LOCK(&server->serviceMutex);
132
2
                Service_FindServersOnNetwork(server, &session, &request, &response);
133
2
                UA_UNLOCK(&server->serviceMutex);
134
2
                UA_FindServersOnNetworkRequest_clear(&request);
135
2
            }
136
57
            UA_FindServersOnNetworkResponse_clear(&response);
137
57
            break;
138
0
        }
139
0
# endif
140
0
#endif
141
60
        case SERVICE_CREATESESSION: {
142
60
            UA_CreateSessionRequest request;
143
60
            UA_CreateSessionResponse response;
144
60
            UA_CreateSessionResponse_init(&response);
145
60
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_CREATESESSIONREQUEST], NULL) == UA_STATUSCODE_GOOD) {
146
0
                UA_LOCK(&server->serviceMutex);
147
0
                Service_CreateSession(server, &channel, &request, &response);
148
0
                UA_UNLOCK(&server->serviceMutex);
149
0
                UA_CreateSessionRequest_clear(&request);
150
0
            }
151
60
            UA_CreateSessionResponse_clear(&response);
152
60
            break;
153
0
        }
154
72
        case SERVICE_ACTIVATESESSION: {
155
72
            UA_ActivateSessionRequest request;
156
72
            UA_ActivateSessionResponse response;
157
72
            UA_ActivateSessionResponse_init(&response);
158
72
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_ACTIVATESESSIONREQUEST], NULL) == UA_STATUSCODE_GOOD) {
159
4
                UA_LOCK(&server->serviceMutex);
160
4
                Service_ActivateSession(server, &channel, &request, &response);
161
4
                UA_UNLOCK(&server->serviceMutex);
162
4
                UA_ActivateSessionRequest_clear(&request);
163
4
            }
164
72
            UA_ActivateSessionResponse_clear(&response);
165
72
            break;
166
0
        }
167
46
        case SERVICE_CLOSESESSION: {
168
46
            UA_CloseSessionRequest request;
169
46
            UA_CloseSessionResponse response;
170
46
            UA_CloseSessionResponse_init(&response);
171
46
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_CLOSESESSIONREQUEST], NULL) == UA_STATUSCODE_GOOD) {
172
6
                UA_LOCK(&server->serviceMutex);
173
6
                Service_CloseSession(server, &channel, &request, &response);
174
6
                UA_UNLOCK(&server->serviceMutex);
175
6
                UA_CloseSessionRequest_clear(&request);
176
6
            }
177
46
            UA_CloseSessionResponse_clear(&response);
178
46
            break;
179
0
        }
180
33
        case SERVICE_CANCEL: {
181
33
            UA_CancelRequest request;
182
33
            UA_CancelResponse response;
183
33
            UA_CancelResponse_init(&response);
184
33
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_CANCELREQUEST], NULL) == UA_STATUSCODE_GOOD) {
185
3
                UA_LOCK(&server->serviceMutex);
186
3
                Service_Cancel(server, &session, &request, &response);
187
3
                UA_UNLOCK(&server->serviceMutex);
188
3
                UA_CancelRequest_clear(&request);
189
3
            }
190
33
            UA_CancelResponse_clear(&response);
191
33
            break;
192
0
        }
193
0
#ifdef UA_ENABLE_SUBSCRIPTIONS
194
2.55k
        case SERVICE_CREATESUBSCRIPTION: {
195
2.55k
            UA_CreateSubscriptionRequest request;
196
2.55k
            UA_CreateSubscriptionResponse response;
197
2.55k
            UA_CreateSubscriptionResponse_init(&response);
198
2.55k
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_CREATESUBSCRIPTIONREQUEST], NULL) == UA_STATUSCODE_GOOD) {
199
347
                UA_LOCK(&server->serviceMutex);
200
347
                Service_CreateSubscription(server, &session, &request, &response);
201
347
                UA_UNLOCK(&server->serviceMutex);
202
347
                UA_CreateSubscriptionRequest_clear(&request);
203
347
            }
204
2.55k
            UA_CreateSubscriptionResponse_clear(&response);
205
2.55k
            break;
206
0
        }
207
53
        case SERVICE_MODIFYSUBSCRIPTION: {
208
53
            UA_ModifySubscriptionRequest request;
209
53
            UA_ModifySubscriptionResponse response;
210
53
            UA_ModifySubscriptionResponse_init(&response);
211
53
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_MODIFYSUBSCRIPTIONREQUEST], NULL) == UA_STATUSCODE_GOOD) {
212
5
                UA_LOCK(&server->serviceMutex);
213
5
                Service_ModifySubscription(server, &session, &request, &response);
214
5
                UA_UNLOCK(&server->serviceMutex);
215
5
                UA_ModifySubscriptionRequest_clear(&request);
216
5
            }
217
53
            UA_ModifySubscriptionResponse_clear(&response);
218
53
            break;
219
0
        }
220
54
        case SERVICE_SETPUBLISHINGMODE: {
221
54
            UA_SetPublishingModeRequest request;
222
54
            UA_SetPublishingModeResponse response;
223
54
            UA_SetPublishingModeResponse_init(&response);
224
54
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_SETPUBLISHINGMODEREQUEST], NULL) == UA_STATUSCODE_GOOD) {
225
26
                UA_LOCK(&server->serviceMutex);
226
26
                Service_SetPublishingMode(server, &session, &request, &response);
227
26
                UA_UNLOCK(&server->serviceMutex);
228
26
                UA_SetPublishingModeRequest_clear(&request);
229
26
            }
230
54
            UA_SetPublishingModeResponse_clear(&response);
231
54
            break;
232
0
        }
233
36
        case SERVICE_DELETESUBSCRIPTIONS: {
234
36
            UA_DeleteSubscriptionsRequest request;
235
36
            UA_DeleteSubscriptionsResponse response;
236
36
            UA_DeleteSubscriptionsResponse_init(&response);
237
36
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_DELETESUBSCRIPTIONSREQUEST], NULL) == UA_STATUSCODE_GOOD) {
238
22
                UA_LOCK(&server->serviceMutex);
239
22
                Service_DeleteSubscriptions(server, &session, &request, &response);
240
22
                UA_UNLOCK(&server->serviceMutex);
241
22
                UA_DeleteSubscriptionsRequest_clear(&request);
242
22
            }
243
36
            UA_DeleteSubscriptionsResponse_clear(&response);
244
36
            break;
245
0
        }
246
272
        case SERVICE_CREATEMONITOREDITEMS: {
247
272
            UA_CreateMonitoredItemsRequest request;
248
272
            UA_CreateMonitoredItemsResponse response;
249
272
            UA_CreateMonitoredItemsResponse_init(&response);
250
272
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_CREATEMONITOREDITEMSREQUEST], NULL) == UA_STATUSCODE_GOOD) {
251
103
                UA_LOCK(&server->serviceMutex);
252
103
                Service_CreateMonitoredItems(server, &session, &request, &response);
253
103
                UA_UNLOCK(&server->serviceMutex);
254
103
                UA_CreateMonitoredItemsRequest_clear(&request);
255
103
            }
256
272
            UA_CreateMonitoredItemsResponse_clear(&response);
257
272
            break;
258
0
        }
259
203
        case SERVICE_MODIFYMONITOREDITEMS: {
260
203
            UA_ModifyMonitoredItemsRequest request;
261
203
            UA_ModifyMonitoredItemsResponse response;
262
203
            UA_ModifyMonitoredItemsResponse_init(&response);
263
203
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_MODIFYMONITOREDITEMSREQUEST], NULL) == UA_STATUSCODE_GOOD) {
264
68
                UA_LOCK(&server->serviceMutex);
265
68
                Service_ModifyMonitoredItems(server, &session, &request, &response);
266
68
                UA_UNLOCK(&server->serviceMutex);
267
68
                UA_ModifyMonitoredItemsRequest_clear(&request);
268
68
            }
269
203
            UA_ModifyMonitoredItemsResponse_clear(&response);
270
203
            break;
271
0
        }
272
56
        case SERVICE_SETMONITORINGMODE: {
273
56
            UA_SetMonitoringModeRequest request;
274
56
            UA_SetMonitoringModeResponse response;
275
56
            UA_SetMonitoringModeResponse_init(&response);
276
56
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_SETMONITORINGMODEREQUEST], NULL) == UA_STATUSCODE_GOOD) {
277
2
                UA_LOCK(&server->serviceMutex);
278
2
                Service_SetMonitoringMode(server, &session, &request, &response);
279
2
                UA_UNLOCK(&server->serviceMutex);
280
2
                UA_SetMonitoringModeRequest_clear(&request);
281
2
            }
282
56
            UA_SetMonitoringModeResponse_clear(&response);
283
56
            break;
284
0
        }
285
30
        case SERVICE_DELETEMONITOREDITEMS: {
286
30
            UA_DeleteMonitoredItemsRequest request;
287
30
            UA_DeleteMonitoredItemsResponse response;
288
30
            UA_DeleteMonitoredItemsResponse_init(&response);
289
30
            if(UA_decodeBinary(&msg, &request, &UA_TYPES[UA_TYPES_DELETEMONITOREDITEMSREQUEST], NULL) == UA_STATUSCODE_GOOD) {
290
2
                UA_LOCK(&server->serviceMutex);
291
2
                Service_DeleteMonitoredItems(server, &session, &request, &response);
292
2
                UA_UNLOCK(&server->serviceMutex);
293
2
                UA_DeleteMonitoredItemsRequest_clear(&request);
294
2
            }
295
30
            UA_DeleteMonitoredItemsResponse_clear(&response);
296
30
            break;
297
0
        }
298
0
#endif
299
0
        default:
300
0
            break;
301
4.12k
    }
302
303
4.12k
    UA_LOCK(&server->serviceMutex);
304
4.12k
    UA_SecureChannel_clear(&channel);
305
4.12k
    UA_Session_clear(&session, server);
306
4.12k
    UA_UNLOCK(&server->serviceMutex);
307
4.12k
    UA_Server_delete(server);
308
4.12k
    return 0;
309
4.12k
}