
Ignore session token check for fuzzing

Stefan Profanter 6 years ago
parent
commit
84d46ddefe
4 changed files with 15 additions and 2 deletions
  1. 5 0
      CMakeLists.txt
  2. 4 0
      src/server/ua_server_binary.c
  3. 4 0
      src/ua_securechannel.c
  4. 2 2
      tests/fuzz/CMakeLists.txt

+ 5 - 0
CMakeLists.txt

@@ -105,6 +105,11 @@ mark_as_advanced(UA_ENABLE_NONSTANDARD_UDP)
 option(UA_BUILD_EXAMPLES "Build example servers and clients" OFF)
 option(UA_BUILD_UNIT_TESTS "Build the unit tests" OFF)
 option(UA_BUILD_FUZZING "Build the fuzzing executables" OFF)
+mark_as_advanced(UA_BUILD_FUZZING)
+if (UA_BUILD_FUZZING)
+    # oss-fuzz already defines this by default
+    add_definitions(-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
+endif()
 option(UA_BUILD_OSS_FUZZ "Special build switch used in oss-fuzz" OFF)
 mark_as_advanced(UA_BUILD_OSS_FUZZ)
 option(UA_DEBUG_DUMP_PKGS "Dump every package received by the server as hexdump format" OFF)
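Review bot: The `add_definitions(-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)` added at line 29 is directory-scoped, so with UA_BUILD_FUZZING=ON it strips the session and SecureChannel token checks from every target configured below it, the library included, and nothing at configure time tells the user that the resulting artifacts are unsafe. Add a loud notice next to the define, `message(WARNING "UA_BUILD_FUZZING disables session and SecureChannel token/channelId validation; never install or deploy this build")`, and say the same in the option help, e.g. `option(UA_BUILD_FUZZING "Build the fuzzing executables (disables security checks, never deploy)" OFF)`. If the library target is defined in this file, a `target_compile_definitions(<lib> PRIVATE FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)` would keep the define from leaking to unrelated targets, but that target is not visible in the hunk.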

+ 4 - 0
src/server/ua_server_binary.c

@@ -421,6 +421,7 @@ processMSG(UA_Server *server, UA_SecureChannel *channel,
     /* Set an anonymous, inactive session for services that need no session */
     UA_Session anonymousSession;
     if(!session) {
+		#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
         if(sessionRequired) {
             UA_LOG_INFO_CHANNEL(server->config.logger, channel,
                                 "Service request %i without a valid session",
@@ -429,12 +430,14 @@ processMSG(UA_Server *server, UA_SecureChannel *channel,
             return sendServiceFault(channel, msg, requestPos, responseType,
                                     requestId, UA_STATUSCODE_BADSESSIONIDINVALID);
         }
+		#endif
         UA_Session_init(&anonymousSession);
         anonymousSession.sessionId = UA_NODEID_GUID(0, UA_GUID_NULL);
         anonymousSession.channel = channel;
         session = &anonymousSession;
     }
 
+	#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
     /* Trying to use a non-activated session? */
     if(sessionRequired && !session->activated) {
         UA_LOG_INFO_SESSION(server->config.logger, session,
@@ -446,6 +449,7 @@ processMSG(UA_Server *server, UA_SecureChannel *channel,
         return sendServiceFault(channel, msg, requestPos, responseType,
                                 requestId, UA_STATUSCODE_BADSESSIONNOTACTIVATED);
     }
+	#endif
 
     /* The session is bound to another channel */
     if(session->channel != channel) {
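Review bot: The guarded regions at lines 42-50 and 57-65 carry no comment explaining why a fuzzing build may run session-required services on an anonymous, non-activated session, which is exactly the kind of deliberate bypass a maintainer needs explained before the next refactor; add above the first `#ifndef` something like `/* Fuzzing builds skip the session checks so the fuzzer can reach every service handler with an anonymous session; FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION must never be set for a deployed build. */`. With both of its uses compiled out, `sessionRequired` appears unused in fuzzing builds and may trip -Wunused-variable if it is a local computed earlier in processMSG (its definition is outside the hunk); a `(void)sessionRequired;` under an `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` avoids that. The new `#ifndef`/`#endif` lines are tab-indented while the surrounding code uses spaces; match the file's indentation or put the directives at column 0. processMSG starts before and continues after this hunk.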

+ 4 - 0
src/ua_securechannel.c

@@ -802,11 +802,13 @@ checkAsymHeader(UA_SecureChannel *const channel,
 static UA_StatusCode
 checkSymHeader(UA_SecureChannel *const channel,
                const UA_UInt32 tokenId) {
+    #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
     if(tokenId != channel->securityToken.tokenId) {
         if(tokenId != channel->nextSecurityToken.tokenId)
             return UA_STATUSCODE_BADSECURECHANNELTOKENUNKNOWN;
         return UA_SecureChannel_revolveTokens(channel);
     }
+    #endif
 
     return UA_STATUSCODE_GOOD;
 }
@@ -823,10 +825,12 @@ UA_SecureChannel_processChunk(UA_SecureChannel *channel, UA_ByteString *chunk,
     if(retval != UA_STATUSCODE_GOOD)
         return retval;
 
+    #if !defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
     /* The wrong ChannelId. Non-opened channels have the id zero. */
     if(messageHeader.secureChannelId != channel->securityToken.channelId &&
        channel->state != UA_SECURECHANNELSTATE_FRESH)
         return UA_STATUSCODE_BADSECURECHANNELIDINVALID;
+    #endif
 
     UA_MessageType messageType = (UA_MessageType)
         (messageHeader.messageHeader.messageTypeAndChunkType & UA_BITMASK_MESSAGETYPE);
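Review bot: With the token comparison compiled out (lines 77-83), `checkSymHeader` no longer reads `channel` or `tokenId` in fuzzing builds and never calls `UA_SecureChannel_revolveTokens`, so the token-renewal path drops out of fuzz coverage and the parameters may raise -Wunused-parameter if the build enables it. An `#else` branch with `(void)channel;` and `(void)tokenId;` silences the warning, and a comment such as `/* Fuzzing: accept any tokenId; note this also skips token revolving */` records the coverage gap for whoever reads the crash reports. The second guard at line 91 uses `#if !defined(...)` while line 77 uses `#ifndef`; pick one form for both. UA_SecureChannel_processChunk continues past the hunk.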

+ 2 - 2
tests/fuzz/CMakeLists.txt

@@ -20,8 +20,8 @@ if (NOT UA_BUILD_OSS_FUZZ)
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -O1 -fsanitize=address")
         set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -O1 -fsanitize=address")
     else()
-        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard,trace-cmp")
-        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard,trace-cmp")
+        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard,trace-cmp")
+        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard,trace-cmp")
     endif()
     set(LIBS Fuzzer)
     set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_RUNTIME_OUTPUT_DIRECTORY})
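Review bot: Lines 110-111 now depend on the top-level `add_definitions(-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)` being active, i.e. on UA_BUILD_FUZZING being ON whenever this directory is configured; if this file can be reached with that option off (not visible here), the fuzzers would build with all checks still enabled and reject most generated inputs. The identical flag string is duplicated across the C and CXX lines; keep it in one variable, `set(fuzz_flags "-fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard,trace-cmp")`, and append `${fuzz_flags}` to both so the two cannot drift apart. The enclosing `if (NOT UA_BUILD_OSS_FUZZ)` block starts before the hunk.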