#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#include <btstack_util.h>
#include "hci_transport.h"
#include "hci_transport_h4.h"
8 
/*
 * UART transport configuration passed to the transport's init() by the fuzz
 * entry point. The UART driver in this file is a stub whose init() ignores
 * the configuration it is given, so none of these values reach hardware.
 */
static hci_transport_config_uart_t config = {
    HCI_TRANSPORT_CONFIG_UART, /* transport type */
    115200,                    /* presumably the initial baudrate -- confirm against hci_transport.h */
    0,                         /* main baudrate */
    1,                         /* flow control */
    NULL,                      /* left unset */
};
16 
/*
 * Destination and length of the read most recently requested through
 * btstack_uart_fuzz_receive_block(). The fuzz entry point copies input
 * bytes into this buffer.
 */
static uint8_t *read_request_buffer;
static uint32_t read_request_len;

/*
 * Callback stored by btstack_uart_fuzz_set_block_received(). The fuzz entry
 * point invokes it after each chunk of input has been copied.
 */
static void (*block_received)(void);
21 
/**
 * UART init stub: accepts any configuration and reports success.
 *
 * @param config ignored by this stub
 * @return always 0
 */
static int btstack_uart_fuzz_init(const btstack_uart_config_t *config)
{
    (void)config;
    return 0;
}
25 
/**
 * UART open stub: there is no device to open, so it only reports success.
 *
 * @return always 0
 */
static int btstack_uart_fuzz_open(void)
{
    return 0;
}
29 
/**
 * UART close stub: nothing was opened, so it only reports success.
 *
 * @return always 0
 */
static int btstack_uart_fuzz_close(void)
{
    return 0;
}
33 
/**
 * Stores the "block received" callback so the fuzz entry point can invoke it
 * after copying input bytes into the requested buffer.
 *
 * @param block_handler callback to store; saved as-is, without a NULL check
 */
static void btstack_uart_fuzz_set_block_received(void (*block_handler)(void))
{
    block_received = block_handler;
}
37 
/**
 * "Block sent" registration stub: the handler is discarded, so this harness
 * never signals send completion.
 *
 * @param block_handler ignored
 */
static void btstack_uart_fuzz_set_block_sent(void (*block_handler)(void))
{
    (void)block_handler;
}
40 
/**
 * Wakeup-handler registration stub: the handler is discarded and never called
 * by this harness.
 *
 * @param the_wakeup_handler ignored
 */
static void btstack_uart_fuzz_set_wakeup_handler(void (*the_wakeup_handler)(void))
{
    (void)the_wakeup_handler;
}
43 
/**
 * Parity stub: accepts any value and reports success.
 *
 * @param parity ignored
 * @return always 0
 */
static int btstack_uart_fuzz_set_parity(int parity)
{
    (void)parity;
    return 0;
}
47 
/**
 * Send stub: outgoing bytes are dropped. Only the receive path is driven by
 * this harness.
 *
 * @param data ignored
 * @param size ignored
 */
static void btstack_uart_fuzz_send_block(const uint8_t *data, uint16_t size)
{
    (void)data;
    (void)size;
}
50 
/**
 * Records a read request instead of performing it. No bytes are copied here:
 * the fuzz entry point later fills the recorded buffer from the fuzz input.
 *
 * @param buffer destination the caller wants filled; stored without a NULL check
 * @param len    number of bytes requested
 */
static void btstack_uart_fuzz_receive_block(uint8_t *buffer, uint16_t len)
{
    read_request_len = len;
    read_request_buffer = buffer;
}
55 
/**
 * Baudrate stub: accepts any rate and reports success.
 *
 * @param baudrate ignored
 * @return always 0
 */
static int btstack_uart_fuzz_set_baudrate(uint32_t baudrate)
{
    (void)baudrate;
    return 0;
}
59 
/**
 * Reports the sleep modes this stub claims to support.
 *
 * @return BTSTACK_UART_SLEEP_MASK_RTS_HIGH_WAKE_ON_CTS_PULSE, unconditionally
 */
static int btstack_uart_fuzz_get_supported_sleep_modes(void)
{
    const int supported_modes = BTSTACK_UART_SLEEP_MASK_RTS_HIGH_WAKE_ON_CTS_PULSE;
    return supported_modes;
}
63 
/**
 * Sleep-mode stub: the requested mode is discarded.
 *
 * @param sleep_mode ignored
 */
static void btstack_uart_fuzz_set_sleep(btstack_uart_sleep_mode_t sleep_mode)
{
    (void)sleep_mode;
}
66 
/*
 * UART driver table handed to hci_transport_h4_instance() by the fuzz entry
 * point. Every slot points at one of the stubs in this file, except
 * set_flowcontrol, which is left NULL.
 * NOTE(review): presumably the transport checks set_flowcontrol for NULL
 * before calling it -- confirm against hci_transport_h4.c.
 */
btstack_uart_block_t uart_driver = {
    .init                      = btstack_uart_fuzz_init,
    .open                      = btstack_uart_fuzz_open,
    .close                     = btstack_uart_fuzz_close,
    .set_block_received        = btstack_uart_fuzz_set_block_received,
    .set_block_sent            = btstack_uart_fuzz_set_block_sent,
    .set_baudrate              = btstack_uart_fuzz_set_baudrate,
    .set_parity                = btstack_uart_fuzz_set_parity,
    .set_flowcontrol           = NULL,
    .receive_block             = btstack_uart_fuzz_receive_block,
    .send_block                = btstack_uart_fuzz_send_block,
    .get_supported_sleep_modes = btstack_uart_fuzz_get_supported_sleep_modes,
    .set_sleep                 = btstack_uart_fuzz_set_sleep,
    .set_wakeup_handler        = btstack_uart_fuzz_set_wakeup_handler,
};
82 
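/**
 * Packet handler registered with the transport; acts as the fuzzing oracle.
 *
 * For each delivered packet it checks that the reported size equals the
 * header size plus the length field carried in the header. A truncated
 * header, a length mismatch or an unexpected packet type ends the run via
 * __builtin_trap() so the fuzzer records the input.
 *
 * @param packet_type HCI_EVENT_PACKET, HCI_SCO_DATA_PACKET or HCI_ACL_DATA_PACKET
 * @param packet      packet bytes as delivered by the transport
 * @param size        number of valid bytes in packet
 */
static void packet_handler(uint8_t packet_type, uint8_t *packet, uint16_t size)
{
    switch (packet_type) {
        case HCI_EVENT_PACKET:
            /* 2-byte header, length byte at packet[1] */
            if (size < 2) {
                __builtin_trap();
            }
            if ((2 + packet[1]) != size) {
                __builtin_trap();
            }
            break;
        case HCI_SCO_DATA_PACKET:
            /* 3-byte header, length byte at packet[2] */
            if (size < 3) {
                __builtin_trap();
            }
            if ((3 + packet[2]) != size) {
                __builtin_trap();
            }
            break;
        case HCI_ACL_DATA_PACKET:
            /*
             * 4-byte header with a 16-bit length at offset 2. All four bytes
             * must be present before the length is read, otherwise the oracle
             * itself would read past the bytes the transport reported.
             */
            if (size < 4) {
                __builtin_trap();
            }
            if ((4 + little_endian_read_16(packet, 2)) != size) {
                __builtin_trap();
            }
            break;
        default:
            /* the transport must never deliver any other packet type */
            __builtin_trap();
            break;
    }
}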
102 
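/**
 * libFuzzer entry point: replays the input as the byte stream the transport
 * reads from the stubbed UART.
 *
 * The transport is initialised and opened, then the input is handed over in
 * chunks sized by the read request the transport last posted through
 * receive_block(). After each chunk the stored "block received" callback is
 * invoked. Packet framing is checked by packet_handler().
 *
 * @param data fuzz input bytes
 * @param size number of bytes in data
 * @return always 0
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    const hci_transport_t *transport = hci_transport_h4_instance(&uart_driver);

    /* drop any request length left over from a previous input */
    read_request_len = 0;
    transport->init(&config);
    transport->register_packet_handler(&packet_handler);
    transport->open();

    while (size > 0) {
        /*
         * The transport must have a read outstanding and a completion
         * callback registered. Trap explicitly instead of copying to, or
         * calling through, a NULL pointer.
         * NOTE(review): read_request_len is not cleared before the callback,
         * so after the first chunk this check does not detect a transport
         * that stops posting reads -- confirm whether that is intended.
         */
        if (read_request_len == 0 || read_request_buffer == NULL || block_received == NULL) {
            __builtin_trap();
        }

        /* compare in size_t so a large input size is never narrowed first */
        size_t bytes_to_feed = (size < read_request_len) ? size : (size_t)read_request_len;
        memcpy(read_request_buffer, data, bytes_to_feed);
        size -= bytes_to_feed;
        data += bytes_to_feed;

        /*
         * NOTE(review): when the input ends inside a requested block, fewer
         * bytes than requested were copied but completion is still signalled,
         * so the rest of the buffer holds whatever was there before. This may
         * make a finding depend on earlier inputs -- confirm it is intended.
         */
        (*block_received)();
    }
    return 0;
}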
120