1 #include <stdint.h> 2 #include <stddef.h> 3 #include <stdio.h> 4 5 #include <btstack_util.h> 6 #include <btstack.h> 7 #include <btstack_run_loop_posix.h> 8 #include "hci.h" 9 10 static void (*packet_handler)(uint8_t packet_type, uint8_t *packet, uint16_t size); 11 12 static int hci_transport_fuzz_set_baudrate(uint32_t baudrate){ 13 return 0; 14 } 15 16 static int hci_transport_fuzz_can_send_now(uint8_t packet_type){ 17 return 1; 18 } 19 20 static int hci_transport_fuzz_send_packet(uint8_t packet_type, uint8_t * packet, int size){ 21 return 0; 22 } 23 24 static void hci_transport_fuzz_init(const void * transport_config){ 25 } 26 27 static int hci_transport_fuzz_open(void){ 28 return 0; 29 } 30 31 static int hci_transport_fuzz_close(void){ 32 return 0; 33 } 34 35 static void hci_transport_fuzz_register_packet_handler(void (*handler)(uint8_t packet_type, uint8_t *packet, uint16_t size)){ 36 packet_handler = handler; 37 } 38 39 static const hci_transport_t hci_transport_fuzz = { 40 /* const char * name; */ "FUZZ", 41 /* void (*init) (const void *transport_config); */ &hci_transport_fuzz_init, 42 /* int (*open)(void); */ &hci_transport_fuzz_open, 43 /* int (*close)(void); */ &hci_transport_fuzz_close, 44 /* void (*register_packet_handler)(void (*handler)(...); */ &hci_transport_fuzz_register_packet_handler, 45 /* int (*can_send_packet_now)(uint8_t packet_type); */ &hci_transport_fuzz_can_send_now, 46 /* int (*send_packet)(...); */ &hci_transport_fuzz_send_packet, 47 /* int (*set_baudrate)(uint32_t baudrate); */ &hci_transport_fuzz_set_baudrate, 48 /* void (*reset_link)(void); */ NULL, 49 /* void (*set_sco_config)(uint16_t voice_setting, int num_connections); */ NULL, 50 }; 51 52 static void l2cap_packet_handler(uint8_t packet_type, uint8_t *packet, uint16_t size){ 53 switch (packet_type) { 54 case HCI_EVENT_PACKET: 55 break; 56 case HCI_SCO_DATA_PACKET: 57 break; 58 case HCI_ACL_DATA_PACKET: 59 break; 60 default: 61 break; 62 } 63 } 64 65 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 66 static int initialized = 0; 67 if (initialized == 0){ 68 initialized = 1; 69 btstack_memory_init(); 70 btstack_run_loop_init(btstack_run_loop_posix_get_instance()); 71 } 72 73 hci_init(&hci_transport_fuzz, NULL); 74 if (size < 3) return 0; 75 uint8_t packet_type = (data[0] & 3) + 1; // only 1-4 76 size--; 77 data++; 78 uint8_t packet[1000]; 79 switch (packet_type){ 80 case HCI_EVENT_PACKET: 81 packet[0] = data[0]; 82 size--; 83 data++; 84 if (size > 255) return 0; 85 packet[1] = size; 86 memcpy(&packet[2], data, size); 87 (*packet_handler)(packet_type, packet, size + 2); 88 break; 89 case HCI_SCO_DATA_PACKET: 90 packet[0] = data[0]; 91 packet[1] = data[1]; 92 size-=2; 93 data+=2; 94 if (size > 255) return 0; 95 packet[2] = size; 96 memcpy(&packet[3], data, size); 97 (*packet_handler)(packet_type, packet, size + 3); 98 break; 99 case HCI_ACL_DATA_PACKET: 100 packet[0] = data[0]; 101 packet[1] = data[1]; 102 size-=2; 103 data+=2; 104 if (size > (sizeof(packet) - 4)) return 0; 105 little_endian_store_16(packet, 2, size); 106 memcpy(&packet[4], data, size); 107 (*packet_handler)(packet_type, packet, size + 4); 108 break; 109 default: 110 return 0; 111 } 112 // teardown 113 hci_free_connections_fuzz(); 114 return 0; 115 } 116