UA_readNumberWithBase: 110| 573|UA_readNumberWithBase(const UA_Byte *buf, size_t buflen, UA_UInt32 *number, UA_Byte base) { 111| 573| UA_assert(buf); ------------------ | | 385| 573|# define UA_assert(ignore) assert(ignore) ------------------ | Branch (111:5): [True: 573, False: 0] ------------------ 112| 573| UA_assert(number); ------------------ | | 385| 573|# define UA_assert(ignore) assert(ignore) ------------------ | Branch (112:5): [True: 573, False: 0] ------------------ 113| 573| u32 n = 0; 114| 573| size_t progress = 0; 115| | /* read numbers until the end or a non-number character appears */ 116| 5.87M| while(progress < buflen) { ------------------ | Branch (116:11): [True: 5.87M, False: 267] ------------------ 117| 5.87M| u8 c = buf[progress]; 118| 5.87M| if(c >= '0' && c <= '9' && c <= '0' + (base-1)) ------------------ | Branch (118:12): [True: 5.87M, False: 189] | Branch (118:24): [True: 5.87M, False: 117] | Branch (118:36): [True: 5.87M, False: 0] ------------------ 119| 5.87M| n = (n * base) + c - '0'; 120| 306| else if(base > 9 && c >= 'a' && c <= 'z' && c <= 'a' + (base-11)) ------------------ | Branch (120:17): [True: 306, False: 0] | Branch (120:29): [True: 67, False: 239] | Branch (120:41): [True: 18, False: 49] | Branch (120:53): [True: 0, False: 18] ------------------ 121| 0| n = (n * base) + c-'a' + 10; 122| 306| else if(base > 9 && c >= 'A' && c <= 'Z' && c <= 'A' + (base-11)) ------------------ | Branch (122:17): [True: 306, False: 0] | Branch (122:29): [True: 94, False: 212] | Branch (122:41): [True: 16, False: 78] | Branch (122:53): [True: 0, False: 16] ------------------ 123| 0| n = (n * base) + c-'A' + 10; 124| 306| else 125| 306| break; 126| 5.87M| ++progress; 127| 5.87M| } 128| 573| *number = n; 129| 573| return progress; 130| 573|} UA_readNumber: 133| 573|UA_readNumber(const UA_Byte *buf, size_t buflen, UA_UInt32 *number) { 134| 573| return UA_readNumberWithBase(buf, buflen, number, 10); 135| 573|} UA_parseEndpointUrl: 146| 523| UA_UInt16 *outPort, UA_String *outPath) { 147| | /* Url must begin with "opc.tcp://" or opc.udp:// (if pubsub enabled) */ 148| 523| if(endpointUrl->length < 11) { ------------------ | Branch (148:8): [True: 7, False: 516] ------------------ 149| 7| return UA_STATUSCODE_BADTCPENDPOINTURLINVALID; ------------------ | | 499| 7|#define UA_STATUSCODE_BADTCPENDPOINTURLINVALID ((UA_StatusCode) 0x80830000) ------------------ 150| 7| } 151| | 152| | /* Which type of schema is this? */ 153| 516| unsigned schemaType = 0; 154| 1.36k| for(; schemaType < UA_SCHEMAS_SIZE; schemaType++) { ------------------ | | 137| 1.36k|#define UA_SCHEMAS_SIZE 4 ------------------ | Branch (154:11): [True: 1.27k, False: 95] ------------------ 155| 1.27k| if(strncmp((char*)endpointUrl->data, ------------------ | Branch (155:12): [True: 421, False: 850] ------------------ 156| 1.27k| schemas[schemaType], 157| 1.27k| strlen(schemas[schemaType])) == 0) 158| 421| break; 159| 1.27k| } 160| 516| if(schemaType == UA_SCHEMAS_SIZE) ------------------ | | 137| 516|#define UA_SCHEMAS_SIZE 4 ------------------ | Branch (160:8): [True: 95, False: 421] ------------------ 161| 95| return UA_STATUSCODE_BADTCPENDPOINTURLINVALID; ------------------ | | 499| 95|#define UA_STATUSCODE_BADTCPENDPOINTURLINVALID ((UA_StatusCode) 0x80830000) ------------------ 162| | 163| | /* Forward the current position until the first colon or slash */ 164| 421| size_t start = strlen(schemas[schemaType]); 165| 421| size_t curr = start; 166| 421| UA_Boolean ipv6 = false; 167| 421| if(endpointUrl->length > curr && endpointUrl->data[curr] == '[') { ------------------ | Branch (167:8): [True: 420, False: 1] | Branch (167:38): [True: 129, False: 291] ------------------ 168| | /* IPv6: opc.tcp://[2001:0db8:85a3::8a2e:0370:7334]:1234/path */ 169| 8.92M| for(; curr < endpointUrl->length; ++curr) { ------------------ | Branch (169:15): [True: 8.92M, False: 22] ------------------ 170| 8.92M| if(endpointUrl->data[curr] == ']') ------------------ | Branch (170:16): [True: 107, False: 8.92M] ------------------ 171| 107| break; 172| 8.92M| } 173| 129| if(curr == endpointUrl->length) ------------------ | Branch (173:12): [True: 22, False: 107] ------------------ 174| 22| return UA_STATUSCODE_BADTCPENDPOINTURLINVALID; ------------------ | | 499| 22|#define UA_STATUSCODE_BADTCPENDPOINTURLINVALID ((UA_StatusCode) 0x80830000) ------------------ 175| 107| curr++; 176| 107| ipv6 = true; 177| 292| } else { 178| | /* IPv4 or hostname: opc.tcp://something.something:1234/path */ 179| 1.10M| for(; curr < endpointUrl->length; ++curr) { ------------------ | Branch (179:15): [True: 1.10M, False: 51] ------------------ 180| 1.10M| if(endpointUrl->data[curr] == ':' || endpointUrl->data[curr] == '/') ------------------ | Branch (180:16): [True: 190, False: 1.10M] | Branch (180:50): [True: 51, False: 1.10M] ------------------ 181| 241| break; 182| 1.10M| } 183| 292| } 184| | 185| | /* Set the hostname */ 186| 399| if(ipv6) { ------------------ | Branch (186:8): [True: 107, False: 292] ------------------ 187| | /* Skip the ipv6 '[]' container for getaddrinfo() later */ 188| 107| outHostname->data = &endpointUrl->data[start+1]; 189| 107| outHostname->length = curr - (start+2); 190| 292| } else { 191| 292| outHostname->data = &endpointUrl->data[start]; 192| 292| outHostname->length = curr - start; 193| 292| } 194| | 195| | /* Empty string? */ 196| 399| if(outHostname->length == 0) ------------------ | Branch (196:8): [True: 222, False: 177] ------------------ 197| 222| outHostname->data = NULL; 198| | 199| | /* Already at the end */ 200| 399| if(curr == endpointUrl->length) ------------------ | Branch (200:8): [True: 90, False: 309] ------------------ 201| 90| return UA_STATUSCODE_GOOD; ------------------ | | 16| 90|#define UA_STATUSCODE_GOOD ((UA_StatusCode) 0x00000000) ------------------ 202| | 203| | /* Set the port - and for ETH set the VID.PCP postfix in the outpath string. 204| | * We have to parse that externally. */ 205| 309| if(endpointUrl->data[curr] == ':') { ------------------ | Branch (205:8): [True: 222, False: 87] ------------------ 206| 222| if(++curr == endpointUrl->length) ------------------ | Branch (206:12): [True: 2, False: 220] ------------------ 207| 2| return UA_STATUSCODE_BADTCPENDPOINTURLINVALID; ------------------ | | 499| 2|#define UA_STATUSCODE_BADTCPENDPOINTURLINVALID ((UA_StatusCode) 0x80830000) ------------------ 208| | 209| | /* ETH schema */ 210| 220| if(schemaType == UA_ETH_SCHEMA_INDEX) { ------------------ | | 138| 220|#define UA_ETH_SCHEMA_INDEX 2 ------------------ | Branch (210:12): [True: 1, False: 219] ------------------ 211| 1| if(outPath != NULL) { ------------------ | Branch (211:16): [True: 1, False: 0] ------------------ 212| 1| outPath->data = &endpointUrl->data[curr]; 213| 1| outPath->length = endpointUrl->length - curr; 214| 1| } 215| 1| return UA_STATUSCODE_GOOD; ------------------ | | 16| 1|#define UA_STATUSCODE_GOOD ((UA_StatusCode) 0x00000000) ------------------ 216| 1| } 217| | 218| 219| u32 largeNum; 219| 219| size_t progress = UA_readNumber(&endpointUrl->data[curr], 220| 219| endpointUrl->length - curr, &largeNum); 221| 219| if(progress == 0 || largeNum > 65535) ------------------ | Branch (221:12): [True: 51, False: 168] | Branch (221:29): [True: 52, False: 116] ------------------ 222| 103| return UA_STATUSCODE_BADTCPENDPOINTURLINVALID; ------------------ | | 499| 103|#define UA_STATUSCODE_BADTCPENDPOINTURLINVALID ((UA_StatusCode) 0x80830000) ------------------ 223| | /* Test if the end of a valid port was reached */ 224| 116| curr += progress; 225| 116| if(curr == endpointUrl->length || endpointUrl->data[curr] == '/') ------------------ | Branch (225:12): [True: 57, False: 59] | Branch (225:43): [True: 21, False: 38] ------------------ 226| 78| *outPort = (u16)largeNum; 227| 116| if(curr == endpointUrl->length) ------------------ | Branch (227:12): [True: 57, False: 59] ------------------ 228| 57| return UA_STATUSCODE_GOOD; ------------------ | | 16| 57|#define UA_STATUSCODE_GOOD ((UA_StatusCode) 0x00000000) ------------------ 229| 116| } 230| | 231| | /* Set the path */ 232| 146| UA_assert(curr < endpointUrl->length); ------------------ | | 385| 146|# define UA_assert(ignore) assert(ignore) ------------------ | Branch (232:5): [True: 146, False: 0] ------------------ 233| 146| if(endpointUrl->data[curr] != '/') ------------------ | Branch (233:8): [True: 71, False: 75] ------------------ 234| 71| return UA_STATUSCODE_BADTCPENDPOINTURLINVALID; ------------------ | | 499| 71|#define UA_STATUSCODE_BADTCPENDPOINTURLINVALID ((UA_StatusCode) 0x80830000) ------------------ 235| 75| if(++curr == endpointUrl->length) ------------------ | Branch (235:8): [True: 11, False: 64] ------------------ 236| 11| return UA_STATUSCODE_GOOD; ------------------ | | 16| 11|#define UA_STATUSCODE_GOOD ((UA_StatusCode) 0x00000000) ------------------ 237| 64| if(outPath != NULL) { ------------------ | Branch (237:8): [True: 64, False: 0] ------------------ 238| 64| outPath->data = &endpointUrl->data[curr]; 239| 64| outPath->length = endpointUrl->length - curr; 240| | 241| | /* Remove trailing slash from the path */ 242| 64| if(endpointUrl->data[endpointUrl->length - 1] == '/') ------------------ | Branch (242:12): [True: 11, False: 53] ------------------ 243| 11| outPath->length--; 244| | 245| | /* Empty string? */ 246| 64| if(outPath->length == 0) ------------------ | Branch (246:12): [True: 11, False: 53] ------------------ 247| 11| outPath->data = NULL; 248| 64| } 249| | 250| 64| return UA_STATUSCODE_GOOD; ------------------ | | 16| 64|#define UA_STATUSCODE_GOOD ((UA_StatusCode) 0x00000000) ------------------ 251| 75|} UA_parseEndpointUrlEthernet: 255| 371| UA_UInt16 *vid, UA_Byte *pcp) { 256| | /* Url must begin with "opc.eth://" */ 257| 371| if(endpointUrl->length < 11) { ------------------ | Branch (257:8): [True: 6, False: 365] ------------------ 258| 6| return UA_STATUSCODE_BADINTERNALERROR; ------------------ | | 28| 6|#define UA_STATUSCODE_BADINTERNALERROR ((UA_StatusCode) 0x80020000) ------------------ 259| 6| } 260| 365| if(strncmp((char*) endpointUrl->data, "opc.eth://", 10) != 0) { ------------------ | Branch (260:8): [True: 89, False: 276] ------------------ 261| 89| return UA_STATUSCODE_BADINTERNALERROR; ------------------ | | 28| 89|#define UA_STATUSCODE_BADINTERNALERROR ((UA_StatusCode) 0x80020000) ------------------ 262| 89| } 263| | 264| | /* Where does the host address end? */ 265| 276| size_t curr = 10; 266| 1.10M| for(; curr < endpointUrl->length; ++curr) { ------------------ | Branch (266:11): [True: 1.10M, False: 18] ------------------ 267| 1.10M| if(endpointUrl->data[curr] == ':') { ------------------ | Branch (267:12): [True: 258, False: 1.10M] ------------------ 268| 258| break; 269| 258| } 270| 1.10M| } 271| | 272| | /* set host address */ 273| 276| target->data = &endpointUrl->data[10]; 274| 276| target->length = curr - 10; 275| 276| if(curr == endpointUrl->length) { ------------------ | Branch (275:8): [True: 18, False: 258] ------------------ 276| 18| return UA_STATUSCODE_GOOD; ------------------ | | 16| 18|#define UA_STATUSCODE_GOOD ((UA_StatusCode) 0x00000000) ------------------ 277| 18| } 278| | 279| | /* Set VLAN */ 280| 258| u32 value = 0; 281| 258| curr++; /* skip ':' */ 282| 258| size_t progress = UA_readNumber(&endpointUrl->data[curr], 283| 258| endpointUrl->length - curr, &value); 284| 258| if(progress == 0 || value > 4096) { ------------------ | Branch (284:8): [True: 31, False: 227] | Branch (284:25): [True: 62, False: 165] ------------------ 285| 93| return UA_STATUSCODE_BADINTERNALERROR; ------------------ | | 28| 93|#define UA_STATUSCODE_BADINTERNALERROR ((UA_StatusCode) 0x80020000) ------------------ 286| 93| } 287| 165| curr += progress; 288| 165| if(curr == endpointUrl->length || endpointUrl->data[curr] == '.') { ------------------ | Branch (288:8): [True: 32, False: 133] | Branch (288:39): [True: 96, False: 37] ------------------ 289| 128| *vid = (UA_UInt16) value; 290| 128| } 291| 165| if(curr == endpointUrl->length) { ------------------ | Branch (291:8): [True: 32, False: 133] ------------------ 292| 32| return UA_STATUSCODE_GOOD; ------------------ | | 16| 32|#define UA_STATUSCODE_GOOD ((UA_StatusCode) 0x00000000) ------------------ 293| 32| } 294| | 295| | /* Set priority */ 296| 133| if(endpointUrl->data[curr] != '.') { ------------------ | Branch (296:8): [True: 37, False: 96] ------------------ 297| 37| return UA_STATUSCODE_BADINTERNALERROR; ------------------ | | 28| 37|#define UA_STATUSCODE_BADINTERNALERROR ((UA_StatusCode) 0x80020000) ------------------ 298| 37| } 299| 96| curr++; /* skip '.' */ 300| 96| progress = UA_readNumber(&endpointUrl->data[curr], 301| 96| endpointUrl->length - curr, &value); 302| 96| if(progress == 0 || value > 7) { ------------------ | Branch (302:8): [True: 6, False: 90] | Branch (302:25): [True: 60, False: 30] ------------------ 303| 66| return UA_STATUSCODE_BADINTERNALERROR; ------------------ | | 28| 66|#define UA_STATUSCODE_BADINTERNALERROR ((UA_StatusCode) 0x80020000) ------------------ 304| 66| } 305| 30| curr += progress; 306| 30| if(curr != endpointUrl->length) { ------------------ | Branch (306:8): [True: 26, False: 4] ------------------ 307| 26| return UA_STATUSCODE_BADINTERNALERROR; ------------------ | | 28| 26|#define UA_STATUSCODE_BADINTERNALERROR ((UA_StatusCode) 0x80020000) ------------------ 308| 26| } 309| 4| *pcp = (UA_Byte) value; 310| | 311| 4| return UA_STATUSCODE_GOOD; ------------------ | | 16| 4|#define UA_STATUSCODE_GOOD ((UA_StatusCode) 0x00000000) ------------------ 312| 30|} UA_memoryManager_setLimitFromLast4Bytes: 161| 900|int UA_memoryManager_setLimitFromLast4Bytes(const uint8_t *data, size_t size) { 162| 900| UA_mallocSingleton = UA_memoryManager_malloc; 163| 900| UA_freeSingleton = UA_memoryManager_free; 164| 900| UA_callocSingleton = UA_memoryManager_calloc; 165| 900| UA_reallocSingleton = UA_memoryManager_realloc; 166| 900| if(size <4) ------------------ | Branch (166:8): [True: 2, False: 898] ------------------ 167| 2| return 0; 168| | // just cast the last 4 bytes to uint32 169| 898| const uint32_t *newLimit = (const uint32_t*)(uintptr_t)&(data[size-4]); 170| 898| uint32_t limit; 171| | // use memcopy to avoid asan complaining on misaligned memory 172| 898| memcpy(&limit, newLimit, sizeof(uint32_t)); 173| 898| memoryLimit = limit; 174| 898| return 1; 175| 900|} LLVMFuzzerTestOneInput: 42| 900|extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 43| | 44| 900| if (!UA_memoryManager_setLimitFromLast4Bytes(data, size)) ------------------ | Branch (44:9): [True: 2, False: 898] ------------------ 45| 2| return 0; 46| 898| size -= 4; 47| | 48| 898| if (size == 0) ------------------ | Branch (48:9): [True: 1, False: 897] ------------------ 49| 1| return 0; 50| | 51| | // use first byte to decide which function should be fuzzed 52| | 53| 897| const uint8_t select = data[0]; 54| | 55| 897| const uint8_t *newData = &data[1]; 56| 897| size_t newSize = size-1; 57| | 58| 897| switch(select) { 59| 523| case 0: ------------------ | Branch (59:9): [True: 523, False: 374] ------------------ 60| 523| return tortureParseEndpointUrl(newData, newSize); 61| 371| case 1: ------------------ | Branch (61:9): [True: 371, False: 526] ------------------ 62| 371| return tortureParseEndpointUrlEthernet(newData, newSize); 63| 3| default: ------------------ | Branch (63:9): [True: 3, False: 894] ------------------ 64| 3| return 0; 65| 897| } 66| | 67| 897|} fuzz_src_ua_util.cc:_ZL23tortureParseEndpointUrlPKhm: 14| 523|static int tortureParseEndpointUrl(const uint8_t *data, size_t size) { 15| 523| const UA_String endpointUrl = { 16| 523| size, (UA_Byte* )(void*)data 17| 523| }; 18| | 19| 523| UA_String hostname; 20| 523| UA_UInt16 port; 21| 523| UA_String path; 22| 523| UA_parseEndpointUrl(&endpointUrl, &hostname, &port, &path); 23| 523| return 0; 24| 523|} fuzz_src_ua_util.cc:_ZL31tortureParseEndpointUrlEthernetPKhm: 26| 371|static int tortureParseEndpointUrlEthernet(const uint8_t *data, size_t size) { 27| 371| const UA_String endpointUrl = { 28| 371| size, (UA_Byte* )(void*)data 29| 371| }; 30| | 31| 371| UA_String target; 32| 371| UA_UInt16 vid; 33| 371| UA_Byte prid; 34| 371| UA_parseEndpointUrlEthernet(&endpointUrl, &target, &vid, &prid); 35| 371| return 0; 36| 371|}