From 4cacbe7c811faea6c87097a4ddffa99ec5ff071f Mon Sep 17 00:00:00 2001
From: Michael Zillgith
Date: Wed, 27 Jul 2022 18:46:04 +0100
Subject: [PATCH] - added more targets for libfuzzer
---
fuzz/fuzz_goose_subscriber.c | 34 ++++++++++++
fuzz/fuzz_mms_server_decode_mms_pdu.c | 74 +++++++++++++++++++++++++++
fuzz/fuzz_pres_userdata.c | 18 +++++++
3 files changed, 126 insertions(+)
create mode 100644 fuzz/fuzz_goose_subscriber.c
create mode 100644 fuzz/fuzz_mms_server_decode_mms_pdu.c
create mode 100644 fuzz/fuzz_pres_userdata.c
diff --git a/fuzz/fuzz_goose_subscriber.c b/fuzz/fuzz_goose_subscriber.c
new file mode 100644
index 00000000..7d5e9811
--- /dev/null
+++ b/fuzz/fuzz_goose_subscriber.c
@@ -0,0 +1,34 @@
+#include
+#include
+
+#include "goose_receiver.h"
+#include "goose_subscriber.h"
+#include "hal_thread.h"
+
+static void
+test_GooseSubscriberWithFixedLengthEncoding_gooseListener(GooseSubscriber subscriber, void* parameter)
+{
+}
+
+int LLVMFuzzerTestOneInput(const char* data, size_t size)
+{
+ GooseReceiver receiver = GooseReceiver_create();
+
+ GooseSubscriber subscriber = GooseSubscriber_create("KEMASIMLD1/LLN0$GO$PingPRVDO", NULL);
+
+ uint8_t dstMac[6] = {0x01,0x0c,0xcd,0x01,0x00,0xee};
+ GooseSubscriber_setDstMac(subscriber, dstMac);
+ GooseSubscriber_setAppId(subscriber, 4656);
+
+ GooseSubscriber_setListener(subscriber, test_GooseSubscriberWithFixedLengthEncoding_gooseListener, NULL);
+
+ GooseReceiver_addSubscriber(receiver, subscriber);
+
+ GooseReceiver_startThreadless(receiver);
+
+ GooseReceiver_handleMessage(receiver, data, size);
+
+ GooseReceiver_stop(receiver);
+
+ GooseReceiver_destroy(receiver);
+}
\ No newline at end of file
diff --git a/fuzz/fuzz_mms_server_decode_mms_pdu.c b/fuzz/fuzz_mms_server_decode_mms_pdu.c
new file mode 100644
index 00000000..3a442af3
--- /dev/null
+++ b/fuzz/fuzz_mms_server_decode_mms_pdu.c
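Review bot: `LLVMFuzzerTestOneInput` in fuzz_goose_subscriber.c is declared `int` but falls off the end after `GooseReceiver_destroy(receiver);` without returning a value; libFuzzer reads the result, so the function should end with `return 0;`. The parameter is declared `const char* data` where the libFuzzer entry point takes `const uint8_t *data`, and handing it to `GooseReceiver_handleMessage` drops the `const`. That function presumably takes a mutable `uint8_t*`, so if the receiver ever writes into the frame the harness should pass a private copy instead of the fuzzer-owned buffer. The same `const char *` signature is repeated in the two other harnesses added by this patch.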
@@ -0,0 +1,74 @@
+#include
+#include
+
+#include "iec61850_server.h"
+#include "iec61850_client.h"
+#include "iso_presentation.h"
+
+static IedModel*
+setupModel1()
+{
+ IedModel* model = IedModel_create("testmodel");
+
+ LogicalDevice* lDevice1 = LogicalDevice_create("SENSORS", model);
+
+ LogicalNode* lln0 = LogicalNode_create("LLN0", lDevice1);
+
+ DataObject* lln0_mod = CDC_ENS_create("Mod", (ModelNode*) lln0, 0);
+ DataObject* lln0_health = CDC_ENS_create("Health", (ModelNode*) lln0, 0);
+
+ /* Add a temperature sensor LN */
+ LogicalNode* ttmp1 = LogicalNode_create("TTMP1", lDevice1);
+ DataObject* ttmp1_tmpsv = CDC_SAV_create("TmpSv", (ModelNode*) ttmp1, 0, false);
+
+ DataAttribute* temperatureValue = (DataAttribute*) ModelNode_getChild((ModelNode*) ttmp1_tmpsv, "instMag.f");
+ DataAttribute* temperatureTimestamp = (DataAttribute*) ModelNode_getChild((ModelNode*) ttmp1_tmpsv, "t");
+
+ /* Add a voltage transient LN */
+ LogicalNode* qvtr1 = LogicalNode_create("QVTR1", lDevice1);
+
+ DataObject* qvtr1_varStr = CDC_SPS_create("VarStr", (ModelNode*) qvtr1, 0);
+ DataObject* qvtr1_evtCnt = CDC_HST_create("EvtCnt", (ModelNode*) qvtr1, 0, 10);
+
+ DataSet* dataSet = DataSet_create("events", lln0);
+ DataSetEntry_create(dataSet, "TTMP1$MX$TmpSv$instMag$f", -1, NULL);
+
+ uint8_t rptOptions = RPT_OPT_SEQ_NUM | RPT_OPT_TIME_STAMP | RPT_OPT_REASON_FOR_INCLUSION;
+
+ ReportControlBlock_create("events01", lln0, "events01", false, NULL, 1, TRG_OPT_DATA_CHANGED, rptOptions, 50, 0);
+ ReportControlBlock_create("events02", lln0, "events02", false, NULL, 1, TRG_OPT_DATA_UPDATE | TRG_OPT_INTEGRITY, rptOptions, 50, 0);
+
+ return model;
+}
+
+int LLVMFuzzerTestOneInput(const char *data, size_t size)
+{
+ IedModel* model = setupModel1();
+
+ IedServer iedServer = IedServer_create(model);
+
+ IedServer_start(iedServer, 10002);
+
+ IedClientError error;
+
+ IedConnection con = IedConnection_create();
+
+ IedConnection_connect(con, &error, "localhost", 10002);
+
+ MmsConnection
mmsCon = IedConnection_getMmsConnection(con);
+
+ MmsError mmsError;
+
+ MmsConnection_sendRawData(mmsCon, &mmsError, (uint8_t*) data, size);
+
+ IedConnection_close(con);
+
+ IedConnection_destroy(con);
+
+ IedServer_stop(iedServer);
+ IedServer_destroy(iedServer);
+
+ IedModel_destroy(model);
+
+ return 0;
+}
diff --git a/fuzz/fuzz_pres_userdata.c b/fuzz/fuzz_pres_userdata.c
new file mode 100644
index 00000000..f1e6482f
--- /dev/null
+++ b/fuzz/fuzz_pres_userdata.c
@@ -0,0 +1,18 @@
+#include
+#include
+
+#include "iec61850_server.h"
+#include "iso_presentation.h"
+
+int LLVMFuzzerTestOneInput(const char *data, size_t size) {
+ IsoPresentation pres;
+
+ ByteBuffer byteBuffer;
+ byteBuffer.buffer = (uint8_t*) data;
+ byteBuffer.maxSize = size;
+ byteBuffer.size = size;
+
+ int res = IsoPresentation_parseAcceptMessage(&pres, &byteBuffer);
+
+ return 0;
+}
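Review bot: Neither `IedServer_start(iedServer, 10002)` nor `IedConnection_connect(con, &error, "localhost", 10002)` in fuzz_mms_server_decode_mms_pdu.c has its outcome checked, so when the fixed port is unavailable (for example a second fuzzing worker on the same host) the raw data goes to a connection that never opened and the iteration exercises nothing. Guard the send with `if (error == IED_ERROR_OK)` and consider returning early when `IedServer_isRunning(iedServer)` is false. The input is decoded on the server side after a loopback round trip and the connection is closed right after the send, so a fault may surface only during teardown or in a later iteration, which makes findings harder to reproduce than with a harness that calls the decoder directly. A comment above the function stating that it needs loopback port 10002 free would help whoever runs it in CI.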
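Review bot: `IsoPresentation pres;` in fuzz_pres_userdata.c is passed to `IsoPresentation_parseAcceptMessage` uninitialised, so any field the parser reads before writing holds stack garbage and a sanitizer report could originate in the harness rather than in the parser; whether the parser does read such a field is not visible from this hunk. Zero it before the call, e.g. `IsoPresentation pres; memset(&pres, 0, sizeof(pres));` (needs `<string.h>`). `byteBuffer.buffer = (uint8_t*) data;` casts away `const` on the fuzzer-owned input, which is only safe if the parser never writes through the buffer. `res` is unused and could be dropped or cast to `(void)`.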