#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#include <btstack.h>
#include <btstack_run_loop_posix.h>
#include <btstack_util.h>
#include "hci.h"
9
/* The one mocked HCI connection; every lookup below hands back this object. */
static hci_connection_t hci_connection;
/* Connection list exposed through hci_connections_get_iterator(); the fuzz
 * entry point points it at hci_connection on every iteration. */
static btstack_linked_list_t hci_connections;

/* Packet handlers captured from hci_add_event_handler() /
 * hci_register_acl_packet_handler(); the fuzz input is delivered through them.
 * They are expected to be set by l2cap_init() (not verified here). */
static btstack_packet_handler_t event_packet_handler;
static btstack_packet_handler_t acl_packet_handler;

/* Mock of the single outgoing HCI packet buffer plus its reservation flag. */
static bool outgoing_reserved;
static uint8_t outgoing_buffer[2000];

/* Defined outside this file: create / destroy the fixed set of test channels. */
void l2cap_setup_test_channels_fuzz(void);
void l2cap_free_channels_fuzz(void);
22
/* Mock: remember only the callback; a later registration replaces the earlier one. */
void hci_add_event_handler(btstack_packet_callback_registration_t * callback_handler){
    btstack_packet_handler_t cb = callback_handler->callback;
    event_packet_handler = cb;
}
26
/* Mock: keep the most recently registered ACL handler for packet delivery. */
void hci_register_acl_packet_handler(btstack_packet_handler_t handler){
    btstack_packet_handler_t new_handler = handler;
    acl_packet_handler = new_handler;
}
30
/* Mock: the controller never applies flow control, whatever the handle. */
bool hci_can_send_acl_packet_now(hci_con_handle_t con_handle){
    (void) con_handle;
    return true;
}
34
/* Mock: every address resolves to the single static connection. */
hci_connection_t * hci_connection_for_bd_addr_and_type(const bd_addr_t addr, bd_addr_type_t addr_type){
    (void) addr;
    (void) addr_type;
    hci_connection_t *con = &hci_connection;
    return con;
}
38
/* Mock: any handle (including ones the fuzzer picks, 0..7) maps to the one
 * static connection, so handle validation in the stack is not exercised. */
hci_connection_t * hci_connection_for_handle(hci_con_handle_t con_handle){
    (void) con_handle;
    hci_connection_t *con = &hci_connection;
    return con;
}
42
/* Mock: no controller, so there is nothing to switch on or off. */
void gap_connectable_control(uint8_t enable){
    (void) enable;
}
45
/* Mock: feature queries are dropped; hci_remote_features_available() answers for them. */
void hci_remote_features_query(hci_con_handle_t con_handle){
    (void) con_handle;
}
48
/* Mock: a security-block disconnect is a no-op; the link stays up. */
void hci_disconnect_security_block(hci_con_handle_t con_handle){
    (void) con_handle;
}
51
/* Mock: security-level requests are ignored; gap_security_level() reports a fixed level. */
void gap_request_security_level(hci_con_handle_t con_handle, gap_security_level_t requested_level){
    (void) con_handle;
    (void) requested_level;
}
54
/* Mock: the minimal service security level is not stored anywhere. */
void gap_set_minimal_service_security_level(gap_security_level_t security_level){
    (void) security_level;
}
57
/* Mock: iterate the static connection list (one entry, set up per fuzz iteration). */
void hci_connections_get_iterator(btstack_linked_list_iterator_t *it){
    btstack_linked_list_t *list = &hci_connections;
    btstack_linked_list_iterator_init(it, list);
}
61
/* True for the four LE address types (public / random, plain or identity);
 * every other address type, including Classic, is reported as non-LE. */
bool hci_is_le_connection_type(bd_addr_type_t address_type){
    bool is_le = (address_type == BD_ADDR_TYPE_LE_PUBLIC)
              || (address_type == BD_ADDR_TYPE_LE_RANDOM)
              || (address_type == BD_ADDR_TYPE_LE_PUBLIC_IDENTITY)
              || (address_type == BD_ADDR_TYPE_LE_RANDOM_IDENTITY);
    return is_le;
}
73
/* Mock: advertise support for the non-flushable packet boundary flag. */
bool hci_non_flushable_packet_boundary_flag_supported(void){
    const bool supported = true;
    return supported;
}
77
/* Mock: no automatic flush timeout configured (0). */
uint16_t hci_automatic_flush_timeout(void){
    const uint16_t timeout = 0;
    return timeout;
}
81
/* Mock: a prepared ACL packet can always go out, regardless of the handle. */
bool hci_can_send_prepared_acl_packet_now(hci_con_handle_t con_handle) {
    (void) con_handle;
    return true;
}
85
/* Mock: Classic ACL credits are never exhausted. */
bool hci_can_send_acl_classic_packet_now(void){
    const bool can_send = true;
    return can_send;
}
89
/* Mock: LE ACL credits are never exhausted. */
bool hci_can_send_acl_le_packet_now(void){
    const bool can_send = true;
    return can_send;
}
93
/* Mock: the command channel is always free. */
bool hci_can_send_command_packet_now(void){
    const bool can_send = true;
    return can_send;
}
97
/* Mock: HCI commands are swallowed and reported as sent; the variadic
 * parameters are never read, so no command is ever encoded. */
uint8_t hci_send_cmd(const hci_cmd_t * cmd, ...){
    (void) cmd;
    const uint8_t status = ERROR_CODE_SUCCESS;
    return status;
}
101
/* Mock: empty ACL packet-type mask. */
uint16_t hci_usable_acl_packet_types(void){
    const uint16_t packet_types = 0;
    return packet_types;
}
105
/* Mock: role switch allowed (non-zero). */
uint8_t hci_get_allow_role_switch(void){
    const uint8_t allow = 1;
    return allow;
}
109
/* Mock: mark the single outgoing buffer as taken. A second reservation
 * while it is held is not detected here. */
void hci_reserve_packet_buffer(void){
    const bool reserved = true;
    outgoing_reserved = reserved;
}
113
/* Mock: hand the outgoing buffer back. */
void hci_release_packet_buffer(void){
    const bool reserved = false;
    outgoing_reserved = reserved;
}
117
/* Mock: report the current reservation state of the outgoing buffer. */
bool hci_is_packet_buffer_reserved(void){
    const bool reserved = outgoing_reserved;
    return reserved;
}
121
/* Mock: the outgoing buffer is a fixed 2000-byte static array; the caller is
 * expected to respect hci_max_acl_data_packet_length() when filling it. */
uint8_t* hci_get_outgoing_packet_buffer(void){
    uint8_t *buffer = &outgoing_buffer[0];
    return buffer;
}
125
/* Mock: "send" the prepared ACL packet by releasing the buffer; the contents
 * and size are discarded and success is always reported. */
uint8_t hci_send_acl_packet_buffer(int size){
    (void) size;
    hci_release_packet_buffer();
    return ERROR_CODE_SUCCESS;
}
130
/* Mock: a small ACL MTU (100 bytes) so that fragmentation paths are reached
 * by payloads well below the 1000-byte fuzz packet buffer. */
uint16_t hci_max_acl_data_packet_length(void){
    const uint16_t max_len = 100;
    return max_len;
}
134
/* Mock: no authentication procedure is ever in flight. */
bool hci_authentication_active_for_handle(hci_con_handle_t handle){
    (void) handle;
    return false;
}
138
/* Mock: there is no link-key store, so dropping a key does nothing. */
void gap_drop_link_key_for_bd_addr(bd_addr_t addr){
    (void) addr;
}
141
/* Mock: report an all-zero connection parameter range. */
void gap_get_connection_parameter_range(le_connection_parameter_range_t * range){
    memset(range, 0, sizeof(*range));
}
145
/* Mock: every connection is already authorized, so the "authorization
 * pending / declined" handling in L2CAP is never reached from here. */
authorization_state_t gap_authorization_state(hci_con_handle_t con_handle){
    (void) con_handle;
    const authorization_state_t state = AUTHORIZATION_GRANTED;
    return state;
}
149
// TODO: derive the answer from fuzzer input so the "parameters rejected" path is also covered
/* Mock: any requested LE connection parameters are accepted as in range. */
int gap_connection_parameter_range_included(le_connection_parameter_range_t * existing_range, uint16_t le_conn_interval_min, uint16_t le_conn_interval_max, uint16_t le_conn_latency, uint16_t le_supervision_timeout){
    (void) existing_range;
    (void) le_conn_interval_min;
    (void) le_conn_interval_max;
    (void) le_conn_latency;
    (void) le_supervision_timeout;
    return 1;
}
154
// TODO: use fuzzer input so the non-Secure-Connections branches get coverage too
/* Mock: the link always claims Secure Connections. */
bool gap_secure_connection(hci_con_handle_t con_handle){
    (void) con_handle;
    return true;
}
159
// TODO: use fuzzer input so SC-only mode is exercised as well
/* Mock: Secure-Connections-only mode is off. */
bool gap_get_secure_connections_only_mode(void){
    const bool sc_only = false;
    return sc_only;
}
164
// TODO: use fuzzer input so LE / SCO connection types are reached too
/* Mock: every handle is reported as a Classic ACL connection. */
gap_connection_type_t gap_get_connection_type(hci_con_handle_t connection_handle){
    (void) connection_handle;
    const gap_connection_type_t type = GAP_CONNECTION_ACL;
    return type;
}
169
// TODO: use fuzzer input for the level so lower levels are fuzzed as well
/* Mock: the required security level is the highest one (LEVEL_4). */
gap_security_level_t gap_get_security_level(void){
    const gap_security_level_t level = LEVEL_4;
    return level;
}
174
// TODO: use fuzzer input for the level; with a fixed LEVEL_4 the "insufficient security" rejections are never taken
/* Mock: every connection is at the highest security level (LEVEL_4). */
gap_security_level_t gap_security_level(hci_con_handle_t con_handle){
    (void) con_handle;
    const gap_security_level_t level = LEVEL_4;
    return level;
}
179
// TODO: use fuzzer input so security modes other than 4 are exercised
/* Mock: the stack runs in Security Mode 4. */
gap_security_mode_t gap_get_security_mode(void){
    const gap_security_mode_t mode = GAP_SECURITY_MODE_4;
    return mode;
}
184
// TODO: use fuzzer input so the "features not yet known" path is covered
/* Mock: remote features are always considered already known. */
bool hci_remote_features_available(hci_con_handle_t handle){
    (void) handle;
    return true;
}
189
// TODO: use fuzzer input so the legacy (non-SSP) pairing branches are reached
/* Mock: both sides always support Secure Simple Pairing. */
bool gap_ssp_supported_on_both_sides(hci_con_handle_t handle){
    (void) handle;
    return true;
}
194
// TODO: use fuzzer input so short-key rejections (key size < 16) are exercised
/* Mock: the link is encrypted with a full 16-byte key. */
uint8_t gap_encryption_key_size(hci_con_handle_t con_handle){
    (void) con_handle;
    const uint8_t key_size = 16;
    return key_size;
}
199
// TODO: use fuzzer input so the unauthenticated case is fuzzed as well
/* Mock: every connection is reported as authenticated. */
bool gap_authenticated(hci_con_handle_t con_handle){
    (void) con_handle;
    return true;
}
204
205 // SM
/* SM mock: the registration is dropped, so no SM events are ever delivered. */
void sm_add_event_handler(btstack_packet_callback_registration_t * callback_handler){
    (void) callback_handler;
}
/* SM mock: pairing requests are ignored; no pairing ever starts or completes. */
void sm_request_pairing(hci_con_handle_t con_handle){
    (void) con_handle;
}
210
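/**
 * libFuzzer entry point: build exactly one HCI event or ACL packet from the
 * fuzz input and hand it to L2CAP through the handler L2CAP registered.
 *
 * Input layout:
 *   data[0] bit 0       packet type: 1 = HCI event, 0 = ACL data
 *   data[0] bits 2..4   ACL connection handle (0x0000 - 0x0007)
 *   data[0] bits 5..6   ACL packet boundary / broadcast flags (0 - 3)
 *   data[1] bits 0..1   ACL channel id: 0 -> 0x0001 (signaling), 1/2/3 -> 0x41/0x42/0x43
 *   data[2]             unused
 *   data[3..]           event: event code byte, then the event parameters
 *                       ACL:   the L2CAP payload
 *
 * Inputs that do not fit the fixed packet buffer (event parameters > 255
 * bytes, ACL payload > sizeof(packet) - 8) are rejected, not truncated.
 * Note that hci_max_acl_data_packet_length() reports 100, so ACL payloads up
 * to 992 bytes deliberately exceed the mocked MTU. The mock connection keeps
 * handle 0x0000 while the packet header may carry 0..7; the handle lookups in
 * this file ignore the handle, so all of them still resolve.
 *
 * @return 0 always, as required by libFuzzer.
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    static bool initialized = false;
    if (!initialized){
        initialized = true;
        btstack_run_loop_init(btstack_run_loop_posix_get_instance());
        hci_connection.con_handle = 0x0000;
    }

    btstack_memory_init();

    // three header bytes are consumed below, so at least two payload bytes remain
    if (size < 5) return 0;
    uint8_t  packet_type       = (data[0] & 1) ? HCI_EVENT_PACKET : HCI_ACL_DATA_PACKET;
    uint16_t connection_handle = (data[0] >> 2) & 0x07;
    uint8_t  pb_or_ps          = (data[0] >> 5) & 0x03;
    // table lookup keeps cid defined for every value of the two selector bits
    static const uint16_t cid_choices[4] = { 0x0001, 0x0041, 0x0042, 0x0043 };
    uint16_t cid = cid_choices[data[1] & 3];
    size -= 3;
    data += 3;

    uint8_t packet[1000];
    uint16_t packet_len;
    switch (packet_type){
        case HCI_EVENT_PACKET:
            // event code, one-byte parameter length, parameters
            packet[0] = data[0];
            size--;
            data++;
            if (size > 255) return 0;   // the HCI event length field is a single byte
            packet[1] = (uint8_t) size;
            memcpy(&packet[2], data, size);
            packet_len = (uint16_t) (size + 2);
            break;
        case HCI_ACL_DATA_PACKET:
            // 4-byte ACL header + 4-byte basic L2CAP header + payload; check the
            // bound before touching the buffer at all
            if (size > (sizeof(packet) - 8)) return 0;
            little_endian_store_16(packet, 0, (uint16_t) ((pb_or_ps << 12) | connection_handle));
            little_endian_store_16(packet, 2, (uint16_t) (size + 4));
            little_endian_store_16(packet, 4, (uint16_t) size);
            little_endian_store_16(packet, 6, cid);
            memcpy(&packet[8], data, size);
            packet_len = (uint16_t) (size + 8);
            break;
        default:
            return 0;
    }

    // init hci mock: one connection in the list, outgoing buffer free
    outgoing_reserved = false;
    hci_connections = (btstack_linked_item_t*) &hci_connection;

    // init l2cap; this is where the ACL / event handlers are expected to be registered
    l2cap_init();
    l2cap_setup_test_channels_fuzz();

    // deliver test data. A missing handler would be a harness bug, not a
    // finding in the stack, so it is skipped rather than called through NULL.
    btstack_packet_handler_t handler = (packet_type == HCI_EVENT_PACKET)
                                     ? event_packet_handler
                                     : acl_packet_handler;
    if (handler != NULL){
        (*handler)(packet_type, 0, packet, packet_len);
    }

    // teardown
    l2cap_free_channels_fuzz();
    btstack_memory_deinit();

    return 0;
}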
295