xref: /btstack/test/fuzz/fuzz_gatt_client.c (revision 93fdb564bf5c29ebce6a8bcd7598ffecc113ee8d)
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#include "ble/gatt_client.h"
#include "btstack_run_loop_posix.h"
#include "btstack_memory.h"
7 
// Receive callback captured by hci_transport_fuzz_register_packet_handler().
// Nothing in this file ever invokes it: the fuzz input is handed to the GATT
// client directly, so the HCI receive path is not part of what this harness covers.
static void (*packet_handler)(uint8_t packet_type, uint8_t * packet, uint16_t size);
9 
/**
 * Transport stub: accepts any baud rate without doing anything.
 *
 * @param baudrate requested baud rate (ignored)
 * @return always 0
 */
static int hci_transport_fuzz_set_baudrate(uint32_t baudrate)
{
    (void) baudrate;    // no UART behind the fuzz transport
    return 0;
}
13 
/**
 * Transport stub: always reports that a packet can be sent.
 *
 * @param packet_type type of the packet about to be sent (ignored)
 * @return always 1
 */
static int hci_transport_fuzz_can_send_now(uint8_t packet_type)
{
    (void) packet_type; // the stub never blocks, whatever the packet type
    return 1;
}
17 
/**
 * Transport stub: discards every outgoing packet and reports success.
 *
 * @param packet_type type of the outgoing packet (ignored)
 * @param packet      outgoing bytes (never read)
 * @param size        number of bytes in packet (ignored)
 * @return always 0
 */
static int hci_transport_fuzz_send_packet(uint8_t packet_type, uint8_t * packet, int size)
{
    // Outgoing traffic is dropped; nothing is recorded or checked by this harness.
    (void) packet_type;
    (void) packet;
    (void) size;
    return 0;
}
21 
/**
 * Transport stub: there is nothing to initialise.
 *
 * @param transport_config transport configuration (ignored)
 */
static void hci_transport_fuzz_init(const void * transport_config)
{
    (void) transport_config;
}
24 
/**
 * Transport stub: "opens" the fuzz transport; no resource is acquired.
 *
 * @return always 0
 */
static int hci_transport_fuzz_open(void)
{
    return 0;
}
28 
/**
 * Transport stub: "closes" the fuzz transport; there is nothing to release.
 *
 * @return always 0
 */
static int hci_transport_fuzz_close(void)
{
    return 0;
}
32 
/**
 * Stores the receive callback supplied through the transport interface.
 *
 * @param handler callback to store in the file-scope packet_handler
 */
static void hci_transport_fuzz_register_packet_handler(
        void (*handler)(uint8_t packet_type, uint8_t * packet, uint16_t size))
{
    // Only stored; this file never calls the handler back.
    packet_handler = handler;
}
36 
// Transport vtable passed to hci_init() by the fuzz entry point: every operation
// is a local no-op stub, so no real controller or I/O is involved.
static const hci_transport_t hci_transport_fuzz = {
    .name                    = "FUZZ",
    .init                    = hci_transport_fuzz_init,
    .open                    = hci_transport_fuzz_open,
    .close                   = hci_transport_fuzz_close,
    .register_packet_handler = hci_transport_fuzz_register_packet_handler,
    .can_send_packet_now     = hci_transport_fuzz_can_send_now,
    .send_packet             = hci_transport_fuzz_send_packet,
    .set_baudrate            = hci_transport_fuzz_set_baudrate,
    .reset_link              = NULL,    // not provided by the fuzz transport
    .set_sco_config          = NULL,    // not provided by the fuzz transport
};
49 
/**
 * GATT client callback registered with the discovery request; does nothing.
 *
 * The harness looks only for crashes and sanitizer reports, so whatever the
 * GATT client delivers here is dropped without being inspected.
 *
 * @param packet_type type of the delivered packet (ignored)
 * @param handle      handle passed with the packet (ignored)
 * @param packet      packet bytes (never read or written)
 * @param size        number of bytes in packet (ignored)
 */
static void gatt_client_packet_handler(uint8_t packet_type, uint16_t handle, uint8_t * packet, uint16_t size)
{
    (void) packet_type;
    (void) handle;
    (void) packet;
    (void) size;
}
52 
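/**
 * libFuzzer entry point: starts a primary service discovery on a simulated LE
 * connection and feeds the fuzz input to the GATT client as the ATT response.
 *
 * @param data fuzz input; read only, never modified
 * @param size number of bytes in data
 * @return always 0
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {

    // NOTE(review): presumably the handle of a connection created by
    // hci_setup_test_connections_fuzz() - confirm against that helper.
    const hci_con_handle_t ble_handle = 0x0005;

    // The stack is set up once per process, so GATT client state carries over
    // from one fuzz input to the next; a crash may depend on earlier inputs.
    static bool gatt_client_initiated = false;
    if (!gatt_client_initiated){
        btstack_memory_init();
        btstack_run_loop_init(btstack_run_loop_posix_get_instance());
        // init hci, simulate connection
        hci_init(&hci_transport_fuzz, NULL);
        hci_setup_test_connections_fuzz();

        gatt_client_init();
        gatt_client_initiated = true;
    }

    // The length is passed on as a 16-bit value (the width the packet handler
    // callbacks in this file use). Skip larger inputs instead of letting the
    // length wrap, which would test a different packet than the one libFuzzer
    // recorded.
    if (size > UINT16_MAX){
        return 0;
    }

    // The handler takes a non-const pointer, and libFuzzer requires that the
    // input is not modified. Hand over a private copy with exactly 'size' bytes
    // on the heap, so AddressSanitizer still reports reads past the packet end.
    uint8_t * packet = malloc(size);
    if ((packet == NULL) && (size > 0)){
        return 0;   // out of memory: skip this input
    }
    if (size > 0){
        memcpy(packet, data, size);
    }

    // TODO: use first byte of random data to pick gatt_client request / set gatt client state
    // then, only use data from second byte as response
    // NOTE(review): the return value is ignored - if an earlier input left the
    // client busy, this request may be rejected and the response below is then
    // handled in whatever state the client is in; confirm this is intended.
    gatt_client_discover_primary_services(gatt_client_packet_handler, ble_handle);

    // send test response
    gatt_client_att_packet_handler_fuzz(ATT_DATA_PACKET, ble_handle, packet, (uint16_t) size);

    // NOTE(review): assumes the handler keeps no pointer to the packet after it
    // returns (the original libFuzzer buffer was also only valid for this call).
    free(packet);
    return 0;
}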
77