
First test for fuzzing

Stefan Profanter 7 lat temu
rodzic
commit
39059ba3e0

+ 27 - 0
tests/fuzz/binary.dict

@@ -0,0 +1,27 @@
+#
+# AFL dictionary for OPC UA messages
+# -----------------------------
+#
+#
+# Stefan Profanter <git@s.profanter.me>
+#
+
+# Message header for final message (see Spec Part 6, Table 26)
+
+header_msg_final="MSGF"
+header_err_final="ERRF"
+header_opn_final="OPNF"
+header_hel_final="HELF"
+header_ack_final="ACKF"
+header_clo_final="CLOF"
+
+# Message header for message chunk (see Spec Part 6, Table 26)
+
+header_msg_chunk="MSGC"
+header_err_chunk="ERRC"
+header_opn_chunk="OPNC"
+header_hel_chunk="HELC"
+header_ack_chunk="ACKC"
+header_clo_chunk="CLOC"
+
+# TODO add dict for Security Header and Sequence Header
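Review bot: The token list covers only the `F` (final) and `C` (intermediate chunk) markers for the fourth header byte, but OPC UA Part 6 also defines an abort marker `A`. If the server's chunk handling has an abort path, entries such as `header_msg_abort="MSGA"` would let the fuzzer reach it directly instead of having to find the byte by mutation. Which message types may carry `A` should be checked against the spec table the comments already cite.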

+ 35 - 0
tests/fuzz/fuzz_binary_message.c

@@ -0,0 +1,35 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+
+#include "fuzz_common.h"
+
+UA_Connection c;
+UA_ServerConfig config;
+UA_Server *server = NULL;
+UA_ByteString msg;
+
+/*
+** Main entry point.  The fuzzer invokes this function with each
+** fuzzed input.
+*/
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    if (server == NULL) {
+        c = createDummyConnection();
+        config = UA_ServerConfig_standard;
+        config.logger = UA_Log_Stdout;
+
+        // no freeing needed, fuzzer is killed or shuts down due to exception
+        server = UA_Server_new(config);
+    }
+
+    config.logger = UA_Log_Stdout;
+    msg.length = size;
+    msg.data = data;
+    UA_Boolean reallocated = UA_FALSE;
+    UA_StatusCode retval = UA_Connection_completeMessages(&c, &msg, &reallocated);
+    if(retval == UA_STATUSCODE_GOOD && msg.length > 0)
+        UA_Server_processBinaryMessage(server, &c, &msg);
+    return 0;
+}
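Review bot: The `reallocated` flag filled in by `UA_Connection_completeMessages` is never read, and the global connection `c` keeps its `incompleteMessage` between calls, so one fuzz input can change how the next one is parsed. A crash found this way may not replay from the single saved input. If `reallocated` means the call handed back a newly allocated buffer (inferred from the name, the function is not in this hunk), that buffer is leaked and will appear as leak reports that have nothing to do with the server. Assuming the caller owns both buffers, I would add `if(reallocated) UA_ByteString_deleteMembers(&msg);` and `UA_ByteString_deleteMembers(&c.incompleteMessage);` after the processing call so that every invocation starts from the same state. Separately, `msg.data = data;` drops the `const` from libFuzzer's input buffer; copying the input into an owned `UA_ByteString` keeps the library from ever writing to memory the fuzzer owns.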

+ 2 - 0
tests/fuzz/fuzz_binary_message.options

@@ -0,0 +1,2 @@
+[libfuzzer]
+dict = binary.dict

+ 62 - 0
tests/fuzz/fuzz_common.h

@@ -0,0 +1,62 @@
+//
+// Created by profanter on 18.07.17.
+// Copyright (c) 2017 fortiss GmbH. All rights reserved.
+//
+
+#ifndef OPEN62541_FUZZ_COMMON_H_H
+#define OPEN62541_FUZZ_COMMON_H_H
+
+#include "ua_server.h"
+#include "ua_server_internal.h"
+#include "ua_config_standard.h"
+#include "ua_log_stdout.h"
+#include "ua_plugin_log.h"
+
+static UA_StatusCode
+dummyGetSendBuffer(UA_Connection *connection, size_t length, UA_ByteString *buf) {
+    buf->data = malloc(length);
+    buf->length = length;
+    return UA_STATUSCODE_GOOD;
+}
+
+static void
+dummyReleaseSendBuffer(UA_Connection *connection, UA_ByteString *buf) {
+    free(buf->data);
+}
+
+static UA_StatusCode
+dummySend(UA_Connection *connection, UA_ByteString *buf) {
+    UA_ByteString_deleteMembers(buf);
+    return UA_STATUSCODE_GOOD;
+}
+
+static void
+dummyReleaseRecvBuffer(UA_Connection *connection, UA_ByteString *buf) {
+    return;
+}
+
+static void
+dummyClose(UA_Connection *connection) {
+    return;
+}
+
+
+UA_Connection createDummyConnection(void) {
+    UA_Connection c;
+    c.state = UA_CONNECTION_ESTABLISHED;
+    c.localConf = UA_ConnectionConfig_standard;
+    c.remoteConf = UA_ConnectionConfig_standard;
+    c.channel = NULL;
+    c.sockfd = 0;
+    c.handle = NULL;
+    c.incompleteMessage = UA_BYTESTRING_NULL;
+    c.getSendBuffer = dummyGetSendBuffer;
+    c.releaseSendBuffer = dummyReleaseSendBuffer;
+    c.send = dummySend;
+    c.recv = NULL;
+    c.releaseRecvBuffer = dummyReleaseRecvBuffer;
+    c.close = dummyClose;
+    return c;
+}
+
+#endif //OPEN62541_FUZZ_COMMON_H_H
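Review bot: `dummyGetSendBuffer` returns `UA_STATUSCODE_GOOD` even when `malloc` fails, so under a fuzzer memory limit or a large requested `length` the server is handed a NULL buffer and the resulting crash is a harness artefact, not a server bug. A guard such as `if(!buf->data) { buf->length = 0; return UA_STATUSCODE_BADOUTOFMEMORY; }` keeps such reports out of triage. `createDummyConnection` fills a stack `UA_Connection c` field by field, so any member not listed there is left indeterminate; starting with `memset(&c, 0, sizeof(c));` makes runs deterministic. The function is also defined non-`static` in a header, which will produce duplicate-symbol link errors as soon as a second fuzz target includes `fuzz_common.h`; `static` fixes that.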