fuzz_binary_decode.cc 3.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112
  1. /* This Source Code Form is subject to the terms of the Mozilla Public
  2. * License, v. 2.0. If a copy of the MPL was not distributed with this
  3. * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
  4. #include <ua_types.h>
  5. #include "ua_server_internal.h"
  6. #include "ua_config_default.h"
  7. #include "ua_log_stdout.h"
  8. #include "ua_types_encoding_binary.h"
  9. static UA_Boolean tortureEncoding(const uint8_t *data, size_t size, size_t *newOffset) {
  10. *newOffset = 0;
  11. if (size <= 2)
  12. return UA_FALSE;
  13. // get some random type
  14. uint16_t typeIndex = (uint16_t)(data[0] | data[1] << 8);
  15. data += 2;
  16. size -= 2;
  17. if (typeIndex >= UA_TYPES_COUNT)
  18. return UA_FALSE;
  19. void *dst = UA_new(&UA_TYPES[typeIndex]);
  20. const UA_ByteString binary = {
  21. size, //length
  22. (UA_Byte *) (void *) data
  23. };
  24. UA_StatusCode ret = UA_decodeBinary(&binary, newOffset, dst, &UA_TYPES[typeIndex], NULL);
  25. if (ret == UA_STATUSCODE_GOOD) {
  26. // copy the datatype to test
  27. void *dstCopy = UA_new(&UA_TYPES[typeIndex]);
  28. UA_copy(dst, dstCopy, &UA_TYPES[typeIndex]);
  29. UA_delete(dstCopy, &UA_TYPES[typeIndex]);
  30. // now also test encoding
  31. UA_ByteString encoded;
  32. UA_ByteString_allocBuffer(&encoded, *newOffset);
  33. const UA_Byte *end = &encoded.data[*newOffset];
  34. UA_Byte *pos = encoded.data;
  35. ret = UA_encodeBinary(dst, &UA_TYPES[typeIndex], &pos, &end, NULL, NULL);
  36. if (ret == UA_STATUSCODE_GOOD) {
  37. // do nothing
  38. }
  39. UA_ByteString_deleteMembers(&encoded);
  40. }
  41. UA_delete(dst, &UA_TYPES[typeIndex]);
  42. return UA_TRUE;
  43. }
  44. static UA_Boolean tortureExtensionObject(const uint8_t *data, size_t size, size_t *newOffset) {
  45. *newOffset = 0;
  46. // check if there is still enough data to create an extension object
  47. // we need at least a nodeid.numeric which equals to 4 bytes
  48. if (size < 4)
  49. return UA_FALSE;
  50. UA_UInt32 identifier = (UA_UInt32)(data[0] | data[1] << 8 | data[2] << 16 | data[3] << 24);
  51. size-= 4;
  52. UA_NodeId objectId = UA_NODEID_NUMERIC(0, identifier);
  53. UA_ExtensionObject obj;
  54. UA_ExtensionObject_init(&obj);
  55. obj.encoding = UA_EXTENSIONOBJECT_ENCODED_BYTESTRING;
  56. obj.content.encoded.typeId = objectId;
  57. obj.content.encoded.body.length = size;
  58. obj.content.encoded.body.data = (UA_Byte*)(void*)data; // discard const. We are sure that we don't change it
  59. const UA_DataType *type = UA_findDataTypeByBinary(&obj.content.encoded.typeId);
  60. UA_StatusCode ret = UA_STATUSCODE_GOOD;
  61. if (type) {
  62. void *dstCopy = UA_new(type);
  63. ret = UA_decodeBinary(&obj.content.encoded.body, newOffset, dstCopy, type, NULL);
  64. if (ret == UA_STATUSCODE_GOOD) {
  65. UA_Variant var;
  66. UA_Variant_init(&var);
  67. UA_Variant_setScalar(&var, dstCopy, type);
  68. }
  69. UA_delete(dstCopy, type);
  70. }
  71. return ret==UA_STATUSCODE_GOOD;
  72. }
  73. /*
  74. ** Main entry point. The fuzzer invokes this function with each
  75. ** fuzzed input.
  76. */
  77. extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  78. size_t offset;
  79. if (!tortureEncoding(data, size, &offset)) {
  80. return 0;
  81. }
  82. if (offset >= size)
  83. return 0;
  84. tortureExtensionObject(&data[offset], size-offset, &offset);
  85. return 0;
  86. }