1 /*
2  * Copyright 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "hci/fuzz/hci_layer_fuzz_client.h"
18 
19 #include "fuzz/helpers.h"
20 #include "hci/class_of_device.h"
21 
22 namespace bluetooth {
23 namespace hci {
24 namespace fuzz {
25 using bluetooth::fuzz::GetArbitraryBytes;
26 using bluetooth::hci::AclView;
27 
// Factory handed to the module registry so the fuzz client is created through
// the ordinary module lifecycle (Start()/Stop()). The registry is presumed to
// take ownership of the raw pointer returned here — TODO confirm.
const ModuleFactory HciLayerFuzzClient::Factory = ModuleFactory([] {
  return new HciLayerFuzzClient();
});
30 
// Wires the fuzz client to the HCI layer: attaches a sink and an injection
// queue to the ACL queue end, then acquires every command interface that
// injectArbitrary() can target. All event callbacks are intentionally empty;
// events are consumed and discarded.
void HciLayerFuzzClient::Start() {
  hci_ = GetDependency<hci::HciLayer>();
  auto* handler = GetHandler();

  // Inbound ACL traffic is drained into a dev-null sink; fuzz-generated ACL
  // packets enter through the inject queue on the same queue end. Both are
  // freed in Stop().
  aclDevNull_ = new os::fuzz::DevNullQueue<AclView>(hci_->GetAclQueueEnd(), handler);
  aclDevNull_->Start();
  aclInject_ = new os::fuzz::FuzzInjectQueue<AclBuilder>(hci_->GetAclQueueEnd(), handler);

  // security_interface_ is deliberately NOT acquired: registering it conflicts
  // with the ACL manager over the Encryption Change event. Until that is
  // resolved, injectArbitrary() action 3 stays disabled. Original call shape:
  //   security_interface_ = hci_->GetSecurityInterface(common::Bind([](EventView){}),
  //                                                    GetHandler());
  le_security_interface_ = hci_->GetLeSecurityInterface(handler->Bind([](LeMetaEventView) {}));

  acl_connection_interface_ = hci_->GetAclConnectionInterface(
          handler->Bind([](EventView) {}),
          handler->Bind([](uint16_t, hci::ErrorCode) {}),
          handler->Bind([](Address, ClassOfDevice) {}),
          handler->Bind([](hci::ErrorCode, uint16_t, uint8_t, uint16_t, uint16_t) {}));

  le_acl_connection_interface_ = hci_->GetLeAclConnectionInterface(
          handler->Bind([](LeMetaEventView) {}),
          handler->Bind([](uint16_t, hci::ErrorCode) {}),
          handler->Bind([](hci::ErrorCode, uint16_t, uint8_t, uint16_t, uint16_t) {}));

  le_advertising_interface_ =
          hci_->GetLeAdvertisingInterface(handler->Bind([](LeMetaEventView) {}));
  le_scanning_interface_ =
          hci_->GetLeScanningInterface(handler->Bind([](LeMetaEventView) {}));
  distance_measurement_interface_ =
          hci_->GetDistanceMeasurementInterface(handler->Bind([](LeMetaEventView) {}));
}
55 
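// Releases the two queues created in Start(). The sink is stopped before it is
// freed. Pointers are reset after deletion so a stale member can never be
// dereferenced or deleted twice if Stop() runs again or something touches the
// object after teardown.
void HciLayerFuzzClient::Stop() {
  aclDevNull_->Stop();
  delete aclDevNull_;
  aclDevNull_ = nullptr;
  delete aclInject_;
  aclInject_ = nullptr;
  // The *_interface_ pointers obtained from hci_ in Start() are not released
  // here; presumably the HCI layer owns them — TODO confirm.
}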
61 
// Draws one action byte from the fuzzer and dispatches the remaining input to
// the matching injector. Actions 0 and 3 have no handler and consume no
// further bytes (3 is reserved for the security interface, which Start() does
// not acquire yet); every other action hands GetArbitraryBytes() to one of the
// inject* members.
void HciLayerFuzzClient::injectArbitrary(FuzzedDataProvider& fdp) {
  using Injector = void (HciLayerFuzzClient::*)(std::vector<uint8_t>);
  // Index == action value drawn below.
  static constexpr Injector kInjectors[] = {
          nullptr,                                          // 0: no action
          &HciLayerFuzzClient::injectAclData,               // 1
          &HciLayerFuzzClient::injectHciCommand,            // 2
          nullptr,                                          // 3: TODO injectSecurityCommand
          &HciLayerFuzzClient::injectLeSecurityCommand,     // 4
          &HciLayerFuzzClient::injectAclConnectionCommand,  // 5
          &HciLayerFuzzClient::injectLeAclConnectionCommand,  // 6
          &HciLayerFuzzClient::injectLeAdvertisingCommand,  // 7
          &HciLayerFuzzClient::injectLeScanningCommand,     // 8
  };
  static_assert(sizeof(kInjectors) / sizeof(kInjectors[0]) == 9,
                "action range below must match the table size");

  const uint8_t action = fdp.ConsumeIntegralInRange(0, 8);
  const Injector injector = kInjectors[action];
  if (injector != nullptr) {
    (this->*injector)(GetArbitraryBytes(&fdp));
  }
}
91 
// Feeds fuzzer bytes into the ACL queue as a packet. Input that does not parse
// as a well-formed ACL frame is dropped here, so only valid frames are rebuilt
// and injected.
void HciLayerFuzzClient::injectAclData(std::vector<uint8_t> data) {
  const auto aclPacket = hci::AclView::FromBytes(std::move(data));
  if (aclPacket.IsValid()) {
    aclInject_->Inject(AclBuilder::FromView(aclPacket));
  }
}
100 
// Injects `data` as a generic HCI command through the HCI layer itself.
// Parsing and any validity check live in inject_command<> (see the header).
void HciLayerFuzzClient::injectHciCommand(std::vector<uint8_t> data) {
  using View = CommandView;
  using Builder = CommandBuilder;
  inject_command<View, Builder>(std::move(data), hci_);
}
104 
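// Injects `data` as a security command. Start() currently does not acquire
// security_interface_ (see the commented-out call there), so this path is not
// reachable from injectArbitrary(); the guard below keeps a direct caller from
// handing a null interface to inject_command<>. Assumes the member is
// initialised to nullptr in the header — TODO confirm.
void HciLayerFuzzClient::injectSecurityCommand(std::vector<uint8_t> data) {
  if (security_interface_ == nullptr) {
    return;
  }
  inject_command<SecurityCommandView, SecurityCommandBuilder>(std::move(data),
                                                              security_interface_);
}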
108 
// Injects `data` as an LE security command via the interface acquired in
// Start(). Parsing and any validity check live in inject_command<>.
void HciLayerFuzzClient::injectLeSecurityCommand(std::vector<uint8_t> data) {
  using View = LeSecurityCommandView;
  using Builder = LeSecurityCommandBuilder;
  inject_command<View, Builder>(std::move(data), le_security_interface_);
}
112 
// Injects `data` as an ACL connection command via the interface acquired in
// Start(). Parsing and any validity check live in inject_command<>.
void HciLayerFuzzClient::injectAclConnectionCommand(std::vector<uint8_t> data) {
  using View = AclCommandView;
  using Builder = AclCommandBuilder;
  inject_command<View, Builder>(std::move(data), acl_connection_interface_);
}
116 
// Injects `data` as an LE ACL connection command. Uses the same ACL command
// view/builder pair as injectAclConnectionCommand(), but targets the LE
// interface acquired in Start().
void HciLayerFuzzClient::injectLeAclConnectionCommand(std::vector<uint8_t> data) {
  using View = AclCommandView;
  using Builder = AclCommandBuilder;
  inject_command<View, Builder>(std::move(data), le_acl_connection_interface_);
}
120 
// Injects `data` as an LE advertising command via the interface acquired in
// Start(). Parsing and any validity check live in inject_command<>.
void HciLayerFuzzClient::injectLeAdvertisingCommand(std::vector<uint8_t> data) {
  using View = LeAdvertisingCommandView;
  using Builder = LeAdvertisingCommandBuilder;
  inject_command<View, Builder>(std::move(data), le_advertising_interface_);
}
125 
// Injects `data` as an LE scanning command via the interface acquired in
// Start(). Parsing and any validity check live in inject_command<>.
void HciLayerFuzzClient::injectLeScanningCommand(std::vector<uint8_t> data) {
  using View = LeScanningCommandView;
  using Builder = LeScanningCommandBuilder;
  inject_command<View, Builder>(std::move(data), le_scanning_interface_);
}
129 
130 }  // namespace fuzz
131 }  // namespace hci
132 }  // namespace bluetooth
133