#include <stdint.h>
#include <stddef.h>

#include "ble/gatt_client.h"
#include "btstack_run_loop_posix.h"
#include "btstack_memory.h"

/*
 * libFuzzer harness for the GATT client.
 *
 * A stub HCI transport is registered so the stack can be initialised without
 * hardware. Every fuzz input is then handed to the GATT client's ATT packet
 * handler as if it were a response received on a simulated connection.
 */

// Handler passed in by the stack through register_packet_handler.
// It is stored here but not called anywhere in this listing.
static void (*packet_handler)(uint8_t packet_type, uint8_t *packet, uint16_t size);

// --- stub HCI transport: every operation succeeds and does nothing ---

// Transport init: the configuration is ignored.
static void hci_transport_fuzz_init(const void * transport_config){
    (void) transport_config;
}

// Transport open: always returns 0.
static int hci_transport_fuzz_open(void){
    return 0;
}

// Transport close: always returns 0.
static int hci_transport_fuzz_close(void){
    return 0;
}

// Remember the handler the stack wants incoming packets delivered to.
static void hci_transport_fuzz_register_packet_handler(void (*handler)(uint8_t packet_type, uint8_t *packet, uint16_t size)){
    packet_handler = handler;
}

// Always returns 1, so the stack is never told to wait before sending.
static int hci_transport_fuzz_can_send_now(uint8_t packet_type){
    (void) packet_type;
    return 1;
}

// Outgoing packets are dropped; always returns 0.
static int hci_transport_fuzz_send_packet(uint8_t packet_type, uint8_t * packet, int size){
    (void) packet_type;
    (void) packet;
    (void) size;
    return 0;
}

// Baud rate changes are accepted and ignored; always returns 0.
static int hci_transport_fuzz_set_baudrate(uint32_t baudrate){
    (void) baudrate;
    return 0;
}

// Transport vtable handed to hci_init().
static const hci_transport_t hci_transport_fuzz = {
    .name                    = "FUZZ",
    .init                    = hci_transport_fuzz_init,
    .open                    = hci_transport_fuzz_open,
    .close                   = hci_transport_fuzz_close,
    .register_packet_handler = hci_transport_fuzz_register_packet_handler,
    .can_send_packet_now     = hci_transport_fuzz_can_send_now,
    .send_packet             = hci_transport_fuzz_send_packet,
    .set_baudrate            = hci_transport_fuzz_set_baudrate,
    .reset_link              = NULL,
    .set_sco_config          = NULL,
};

// GATT client event callback: events are discarded.
static void gatt_client_packet_handler(uint8_t packet_type, uint16_t handle, uint8_t *packet, uint16_t size){
    (void) packet_type;
    (void) handle;
    (void) packet;
    (void) size;
}

// Bring up memory pools, run loop, HCI (with simulated connections) and the
// GATT client. Runs on the first call only; later calls return immediately.
// NOTE(review): because setup happens once per process, stack state carries
// over from one fuzz input to the next. A crash may therefore depend on
// earlier inputs and not reproduce from the single saved input - confirm
// whether a per-input reset is needed.
static void fuzz_setup_once(void){
    static bool setup_done = false;
    if (setup_done){
        return;
    }

    btstack_memory_init();
    btstack_run_loop_init(btstack_run_loop_posix_get_instance());

    // init hci, simulate connection
    hci_init(&hci_transport_fuzz, NULL);
    hci_setup_test_connections_fuzz();

    gatt_client_init();
    setup_done = true;
}

/*
 * libFuzzer entry point.
 *
 * data/size: the fuzz input, delivered to the GATT client as an ATT data packet.
 * Always returns 0.
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {

    // presumably one of the handles created by hci_setup_test_connections_fuzz() - confirm
    const hci_con_handle_t con_handle = 0x0005;

    fuzz_setup_once();

    // TODO: use first byte of random data to pick gatt_client request / set gatt client state
    // then, only use data from second byte as response
    // The result of the request, if any, is not checked.
    gatt_client_discover_primary_services(gatt_client_packet_handler, con_handle);

    // send test response
    // NOTE(review): the cast drops const from libFuzzer's input buffer, and
    // libFuzzer expects the target not to modify it - confirm the handler only
    // reads the packet, or pass a private copy.
    // NOTE(review): size is a size_t; if the handler's length parameter is
    // narrower (the transport handler type above uses uint16_t), longer inputs
    // are silently truncated - confirm, and consider rejecting oversized input.
    gatt_client_att_packet_handler_fuzz(ATT_DATA_PACKET, con_handle, (uint8_t *) data, size);
    return 0;
}