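/*
 * libFuzzer harness for BTstack's H4 (UART) HCI transport.
 *
 * A stub btstack_uart_block_t driver records the transport's outstanding
 * receive_block() request (buffer + expected length). LLVMFuzzerTestOneInput()
 * satisfies each request from the fuzz input and invokes the transport's
 * block-received callback, so the H4 packet state machine is exercised on
 * attacker-controlled UART bytes without real hardware. A packet that reaches
 * packet_handler() with a length inconsistent with its header trips
 * __builtin_trap() so the fuzzer reports it as a crash.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>   /* memcpy, memset */

#include <btstack_util.h>
#include "hci_transport.h"
#include "hci_transport_h4.h"

/* Transport configuration handed to the H4 transport's init(). The stub UART
 * driver below ignores baudrate, flow control and device name entirely. */
static hci_transport_config_uart_t config = {
    HCI_TRANSPORT_CONFIG_UART,
    115200,     /* initial baudrate */
    0,          /* main baudrate (0: keep initial) */
    1,          /* flow control */
    NULL,       /* device name, unused by the stub driver */
};

/* Outstanding receive_block() request from the transport: where the next
 * UART block must be written and how many bytes are expected. Both are
 * cleared once the request has been served, so a transport that fails to
 * re-arm is detected instead of silently written into a stale buffer. */
static uint8_t * read_request_buffer;
static uint32_t read_request_len;

/* Callback the transport wants invoked once a requested block is complete. */
static void (*block_received)(void);

/* --- stub UART driver: no I/O, only records what the transport asks for --- */

/* Parameter renamed from `config` to avoid shadowing the file-scope config. */
static int btstack_uart_fuzz_init(const btstack_uart_config_t * uart_config){
    (void) uart_config;
    return 0;
}

static int btstack_uart_fuzz_open(void){
    return 0;
}

static int btstack_uart_fuzz_close(void){
    return 0;
}

/* Remember the transport's completion callback; the harness drives it. */
static void btstack_uart_fuzz_set_block_received( void (*block_handler)(void)){
    block_received = block_handler;
}

/* Sends are discarded, so a sent-callback is never needed. */
static void btstack_uart_fuzz_set_block_sent( void (*block_handler)(void)){
    (void) block_handler;
}

static void btstack_uart_fuzz_set_wakeup_handler( void (*the_wakeup_handler)(void)){
    (void) the_wakeup_handler;
}

static int btstack_uart_fuzz_set_parity(int parity){
    (void) parity;
    return 0;
}

/* Outgoing HCI traffic (commands/ACL) is dropped: nothing listens. */
static void btstack_uart_fuzz_send_block(const uint8_t *data, uint16_t size){
    (void) data;
    (void) size;
}

/* Record the request; it is served later by LLVMFuzzerTestOneInput(). */
static void btstack_uart_fuzz_receive_block(uint8_t *buffer, uint16_t len){
    read_request_buffer = buffer;
    read_request_len = len;
}

static int btstack_uart_fuzz_set_baudrate(uint32_t baudrate){
    (void) baudrate;
    return 0;
}

static int btstack_uart_fuzz_get_supported_sleep_modes(void){
    return BTSTACK_UART_SLEEP_MASK_RTS_HIGH_WAKE_ON_CTS_PULSE;
}

static void btstack_uart_fuzz_set_sleep(btstack_uart_sleep_mode_t sleep_mode){
    (void) sleep_mode;
}

/* Positional initializer: slot order must match btstack_uart_block_t. */
btstack_uart_block_t uart_driver = {
    /* int (*init)(hci_transport_config_uart_t * config); */                 &btstack_uart_fuzz_init,
    /* int (*open)(void); */                                                 &btstack_uart_fuzz_open,
    /* int (*close)(void); */                                                &btstack_uart_fuzz_close,
    /* void (*set_block_received)(void (*handler)(void)); */                 &btstack_uart_fuzz_set_block_received,
    /* void (*set_block_sent)(void (*handler)(void)); */                     &btstack_uart_fuzz_set_block_sent,
    /* int (*set_baudrate)(uint32_t baudrate); */                            &btstack_uart_fuzz_set_baudrate,
    /* int (*set_parity)(int parity); */                                     &btstack_uart_fuzz_set_parity,
    /* int (*set_flowcontrol)(int flowcontrol); */                           NULL,
    /* void (*receive_block)(uint8_t *buffer, uint16_t len); */              &btstack_uart_fuzz_receive_block,
    /* void (*send_block)(const uint8_t *buffer, uint16_t length); */        &btstack_uart_fuzz_send_block,
    /* int (*get_supported_sleep_modes); */                                  &btstack_uart_fuzz_get_supported_sleep_modes,
    /* void (*set_sleep)(btstack_uart_sleep_mode_t sleep_mode); */           &btstack_uart_fuzz_set_sleep,
    /* void (*set_wakeup_handler)(void (*handler)(void)); */                 &btstack_uart_fuzz_set_wakeup_handler,
};

/*
 * Sanity oracle for packets the H4 parser hands up: the delivered size must
 * equal header size + the length field in the header. Any mismatch means the
 * parser reassembled a packet incorrectly, which is exactly what the fuzzer
 * should catch, hence __builtin_trap().
 */
static void packet_handler(uint8_t packet_type, uint8_t *packet, uint16_t size){
    switch (packet_type) {
        case HCI_EVENT_PACKET:
            /* event code (1) + parameter length (1) */
            if (size < 2) __builtin_trap();
            if ((2u + packet[1]) != size) __builtin_trap();
            break;
        case HCI_SCO_DATA_PACKET:
            /* handle/flags (2) + data length (1) */
            if (size < 3) __builtin_trap();
            if ((3u + packet[2]) != size) __builtin_trap();
            break;
        case HCI_ACL_DATA_PACKET:
            /* handle/flags (2) + data length (2). The length field occupies
             * bytes 2..3, so four bytes are required before it may be read;
             * the previous `size < 3` check let a 3-byte packet read packet[3]
             * out of bounds. */
            if (size < 4) __builtin_trap();
            if ((4u + little_endian_read_16(packet, 2)) != size) __builtin_trap();
            break;
        default:
            __builtin_trap();
            break;
    }
}

/*
 * Fuzz entry point. Feeds `data` to the H4 transport block by block, each
 * block sized by the transport's own receive_block() request.
 *
 * Returns 0 (libFuzzer ignores the value); crashes are reported via trap.
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    const hci_transport_t * transport = hci_transport_h4_instance(&uart_driver);

    read_request_len = 0;
    read_request_buffer = NULL;
    transport->init(&config);
    transport->register_packet_handler(&packet_handler);
    transport->open();

    while (size > 0){
        /* The transport must have armed a read before bytes can be delivered. */
        if (read_request_len == 0 || read_request_buffer == NULL) __builtin_trap();

        uint8_t * buffer   = read_request_buffer;
        uint32_t requested = read_request_len;

        /* Plain comparison instead of btstack_min(): no truncation of size_t. */
        uint32_t bytes_to_feed = requested;
        if (size < bytes_to_feed) bytes_to_feed = (uint32_t) size;

        memcpy(buffer, data, bytes_to_feed);
        /* Short final block: zero the unfilled tail so the parser sees
         * deterministic bytes rather than whatever the (static) transport
         * buffer held from a previous input; otherwise crashes found on such
         * inputs may not reproduce. */
        if (bytes_to_feed < requested){
            memset(buffer + bytes_to_feed, 0, requested - bytes_to_feed);
        }
        size -= bytes_to_feed;
        data += bytes_to_feed;

        /* Clear the request before the callback. The transport is expected to
         * re-arm via receive_block() from inside block_received (the original
         * loop already relied on this); if it ever does not, the trap above
         * fires on the next iteration instead of writing into a consumed
         * buffer. */
        read_request_len = 0;
        read_request_buffer = NULL;
        (*block_received)();
    }
    return 0;
}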