#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#include <btstack_util.h>
#include "hci_transport.h"
#include "hci_transport_h4.h"
/* UART settings handed to the H4 transport's init(); fields are set positionally. */
static hci_transport_config_uart_t config = {
    HCI_TRANSPORT_CONFIG_UART,
    115200, // initial baudrate
    0,      // main baudrate
    1,      // flow control
    NULL,   // device name
};

/* Destination and length of the read most recently requested via receive_block(). */
static uint8_t *read_request_buffer;
static uint32_t read_request_len;

/* Callback stored by set_block_received(); the harness invokes it after feeding bytes. */
static void (*block_received)(void);
/* Fuzz stub for the UART driver's init hook: ignores the configuration and returns 0. */
static int btstack_uart_fuzz_init(const btstack_uart_config_t *config)
{
    (void)config;
    return 0;
}
/* Fuzz stub for the UART driver's open hook: no device is opened, always returns 0. */
static int btstack_uart_fuzz_open(void)
{
    const int status = 0;
    return status;
}
/* Fuzz stub for the UART driver's close hook: nothing to release, always returns 0. */
static int btstack_uart_fuzz_close(void)
{
    const int status = 0;
    return status;
}
/*
 * Stores the handler in the file-level block_received pointer. The fuzz entry
 * point calls that pointer after copying input bytes into the requested buffer.
 */
static void btstack_uart_fuzz_set_block_received(void (*block_handler)(void))
{
    block_received = block_handler;
}
/* Fuzz stub: the block-sent handler is discarded, so this harness never reports a completed send. */
static void btstack_uart_fuzz_set_block_sent(void (*block_handler)(void))
{
    (void)block_handler;
}
/* Fuzz stub: the wakeup handler is discarded; this driver never calls it. */
static void btstack_uart_fuzz_set_wakeup_handler(void (*the_wakeup_handler)(void))
{
    (void)the_wakeup_handler;
}
/* Fuzz stub for the parity hook: the requested parity is ignored and 0 is returned. */
static int btstack_uart_fuzz_set_parity(int parity)
{
    (void)parity;
    return 0;
}
/* Fuzz stub for the send hook: outgoing bytes are dropped without being read. */
static void btstack_uart_fuzz_send_block(const uint8_t *data, uint16_t size)
{
    (void)data;
    (void)size;
}
/*
 * Records a pending read request. No bytes are delivered here: the fuzz entry
 * point later copies input into `buffer` (at most `len` bytes) and then calls
 * the stored block_received callback.
 */
static void btstack_uart_fuzz_receive_block(uint8_t *buffer, uint16_t len)
{
    read_request_len = len;
    read_request_buffer = buffer;
}
/* Fuzz stub for the baudrate hook: the requested rate is ignored and 0 is returned. */
static int btstack_uart_fuzz_set_baudrate(uint32_t baudrate)
{
    (void)baudrate;
    return 0;
}
/* Reports a single supported sleep mode mask: RTS high, wake on CTS pulse. */
static int btstack_uart_fuzz_get_supported_sleep_modes(void)
{
    const int supported_modes = BTSTACK_UART_SLEEP_MASK_RTS_HIGH_WAKE_ON_CTS_PULSE;
    return supported_modes;
}
/* Fuzz stub for the sleep hook: the requested sleep mode is ignored. */
static void btstack_uart_fuzz_set_sleep(btstack_uart_sleep_mode_t sleep_mode)
{
    (void)sleep_mode;
}
/*
 * Block-UART driver table given to hci_transport_h4_instance(). Entries are
 * positional; the trailing comment names the slot each stub fills.
 * NOTE(review): set_flowcontrol is NULL - confirm the transport checks the
 * pointer before calling it.
 */
btstack_uart_block_t uart_driver = {
    btstack_uart_fuzz_init,                      /* int  (*init)(const btstack_uart_config_t *config) */
    btstack_uart_fuzz_open,                      /* int  (*open)(void) */
    btstack_uart_fuzz_close,                     /* int  (*close)(void) */
    btstack_uart_fuzz_set_block_received,        /* void (*set_block_received)(void (*handler)(void)) */
    btstack_uart_fuzz_set_block_sent,            /* void (*set_block_sent)(void (*handler)(void)) */
    btstack_uart_fuzz_set_baudrate,              /* int  (*set_baudrate)(uint32_t baudrate) */
    btstack_uart_fuzz_set_parity,                /* int  (*set_parity)(int parity) */
    NULL,                                        /* int  (*set_flowcontrol)(int flowcontrol) */
    btstack_uart_fuzz_receive_block,             /* void (*receive_block)(uint8_t *buffer, uint16_t len) */
    btstack_uart_fuzz_send_block,                /* void (*send_block)(const uint8_t *buffer, uint16_t length) */
    btstack_uart_fuzz_get_supported_sleep_modes, /* int  (*get_supported_sleep_modes)(void) */
    btstack_uart_fuzz_set_sleep,                 /* void (*set_sleep)(btstack_uart_sleep_mode_t sleep_mode) */
    btstack_uart_fuzz_set_wakeup_handler,        /* void (*set_wakeup_handler)(void (*handler)(void)) */
};
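/*
 * Packet handler registered with the H4 transport. It acts as the fuzzing
 * oracle: every packet the transport delivers must have a known type and a
 * total size equal to its header size plus the length field in that header.
 * Any mismatch ends in __builtin_trap() so the fuzzer records a crash.
 *
 * packet_type  HCI packet type reported by the transport
 * packet       start of the packet header
 * size         number of bytes the transport reports for this packet
 */
static void packet_handler(uint8_t packet_type, uint8_t *packet, uint16_t size)
{
    switch (packet_type) {
    case HCI_EVENT_PACKET:
        /* 2-byte header, 8-bit length at offset 1 */
        if (size < 2) {
            __builtin_trap();
        }
        if ((2 + packet[1]) != size) {
            __builtin_trap();
        }
        break;
    case HCI_SCO_DATA_PACKET:
        /* 3-byte header, 8-bit length at offset 2 */
        if (size < 3) {
            __builtin_trap();
        }
        if ((3 + packet[2]) != size) {
            __builtin_trap();
        }
        break;
    case HCI_ACL_DATA_PACKET:
        /*
         * 4-byte header, 16-bit length at offsets 2..3. All four bytes must be
         * present before the length is read, otherwise the oracle itself reads
         * packet[3] beyond the reported size.
         */
        if (size < 4) {
            __builtin_trap();
        }
        if ((4 + little_endian_read_16(packet, 2)) != size) {
            __builtin_trap();
        }
        break;
    default:
        /* the transport must never deliver an unknown packet type */
        __builtin_trap();
        break;
    }
}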
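/*
 * libFuzzer entry point: feeds the input through the H4 transport as if it
 * were bytes arriving on the UART.
 *
 * The transport requests reads through the stub driver's receive_block(),
 * which records the destination buffer and length. Each loop iteration
 * satisfies the pending request with the next input bytes and signals
 * completion through block_received. Completed packets reach packet_handler(),
 * which traps on inconsistent framing.
 *
 * data  fuzzer-provided bytes
 * size  number of bytes in data
 * Always returns 0.
 *
 * NOTE(review): transport->close() is never called and the return values of
 * init()/open() are ignored - confirm open() fully resets the parser state so
 * runs stay reproducible.
 * NOTE(review): the last chunk may be shorter than the requested length, yet
 * completion is still signalled - confirm this is intended.
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    const hci_transport_t *transport = hci_transport_h4_instance(&uart_driver);

    read_request_len = 0;
    transport->init(&config);
    transport->register_packet_handler(&packet_handler);
    transport->open();

    while (size > 0) {
        /* the transport must have a read outstanding while input remains */
        if (read_request_len == 0) {
            __builtin_trap();
        }

        /* never copy more than the transport asked for; compared in size_t so a large size is not truncated */
        size_t bytes_to_feed = (size < read_request_len) ? size : read_request_len;
        memcpy(read_request_buffer, data, bytes_to_feed);
        size -= bytes_to_feed;
        data += bytes_to_feed;

        /*
         * The request is consumed. Clearing it before the callback makes the
         * guard above fire if the transport does not request another read,
         * instead of copying into a stale buffer on the next iteration.
         */
        read_request_len = 0;
        (*block_received)();
    }
    return 0;
}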