168894c74SMatthias Ringwald #include <stdint.h>
268894c74SMatthias Ringwald #include <stddef.h>
368894c74SMatthias Ringwald #include <stdio.h>
468894c74SMatthias Ringwald
568894c74SMatthias Ringwald #include <btstack_util.h>
668894c74SMatthias Ringwald #include <btstack.h>
768894c74SMatthias Ringwald #include <btstack_run_loop_posix.h>
868894c74SMatthias Ringwald #include "hci.h"
968894c74SMatthias Ringwald
// ---- Mock HCI state used by the stubs and the fuzzer entry point in this file ----

// Handlers captured by the registration stubs; the fuzzer entry point calls
// them directly to deliver the generated packet.
static btstack_packet_handler_t acl_packet_handler;
static btstack_packet_handler_t event_packet_handler;

// The one connection object every connection lookup in this mock resolves to.
static hci_connection_t hci_connection;

// List head handed to hci_connections_get_iterator().
static btstack_linked_list_t hci_connections;

// Outgoing packet buffer exposed via hci_get_outgoing_packet_buffer() and the
// flag tracking whether it is currently reserved.
static uint8_t outgoing_buffer[2000];
static bool outgoing_reserved;

// Fuzz-only hooks, defined outside this file.
void l2cap_setup_test_channels_fuzz(void);
void l2cap_free_channels_fuzz(void);
2268894c74SMatthias Ringwald
// Mock: remembers the callback of the most recently registered event handler.
// Only one handler is kept; a later registration overwrites the earlier one.
void hci_add_event_handler(btstack_packet_callback_registration_t *callback_handler)
{
    btstack_packet_handler_t registered = callback_handler->callback;
    event_packet_handler = registered;
}
2668894c74SMatthias Ringwald
// Mock: stores the ACL packet handler so the fuzzer entry point can invoke it.
void hci_register_acl_packet_handler(btstack_packet_handler_t handler)
{
    acl_packet_handler = handler;
}
3068894c74SMatthias Ringwald
// Mock: sending is always possible, whatever the connection handle.
bool hci_can_send_acl_packet_now(hci_con_handle_t con_handle)
{
    (void) con_handle;
    return true;
}
3468894c74SMatthias Ringwald
// Mock: every address/type pair maps to the single static connection.
hci_connection_t *hci_connection_for_bd_addr_and_type(const bd_addr_t addr, bd_addr_type_t addr_type)
{
    (void) addr;
    (void) addr_type;
    return &hci_connection;
}
3868894c74SMatthias Ringwald
// Mock: every handle maps to the single static connection, so a lookup never
// fails and never returns NULL.
hci_connection_t *hci_connection_for_handle(hci_con_handle_t con_handle)
{
    (void) con_handle;
    return &hci_connection;
}
4268894c74SMatthias Ringwald
// Mock: intentionally does nothing.
void gap_connectable_control(uint8_t enable)
{
    (void) enable;
}
4568894c74SMatthias Ringwald
// Mock: intentionally does nothing; no query is issued.
void hci_remote_features_query(hci_con_handle_t con_handle)
{
    (void) con_handle;
}
4868894c74SMatthias Ringwald
// Mock: intentionally does nothing; the connection is not torn down.
void hci_disconnect_security_block(hci_con_handle_t con_handle)
{
    (void) con_handle;
}
5168894c74SMatthias Ringwald
// Mock: intentionally does nothing; the request is dropped and no event is
// generated in response.
void gap_request_security_level(hci_con_handle_t con_handle, gap_security_level_t requested_level)
{
    (void) con_handle;
    (void) requested_level;
}
5468894c74SMatthias Ringwald
// Mock: intentionally does nothing; the level is not recorded.
void gap_set_minimal_service_security_level(gap_security_level_t security_level)
{
    (void) security_level;
}
5768894c74SMatthias Ringwald
// Mock: positions the iterator at the start of the mock connection list.
void hci_connections_get_iterator(btstack_linked_list_iterator_t *it)
{
    btstack_linked_list_t *connection_list = &hci_connections;
    btstack_linked_list_iterator_init(it, connection_list);
}
6168894c74SMatthias Ringwald
// Returns true for the four LE address types (public, random and their
// identity variants) and false for every other value.
bool hci_is_le_connection_type(bd_addr_type_t address_type)
{
    return (address_type == BD_ADDR_TYPE_LE_PUBLIC)
        || (address_type == BD_ADDR_TYPE_LE_RANDOM)
        || (address_type == BD_ADDR_TYPE_LE_PUBLIC_IDENTITY)
        || (address_type == BD_ADDR_TYPE_LE_RANDOM_IDENTITY);
}
7368894c74SMatthias Ringwald
// Mock: the non-flushable packet boundary flag is always reported as supported.
bool hci_non_flushable_packet_boundary_flag_supported(void)
{
    const bool supported = true;
    return supported;
}
7768894c74SMatthias Ringwald
// Mock: the automatic flush timeout is always 0.
uint16_t hci_automatic_flush_timeout(void)
{
    const uint16_t flush_timeout = 0;
    return flush_timeout;
}
8168894c74SMatthias Ringwald
// Mock: a prepared ACL packet can always be sent, whatever the handle.
bool hci_can_send_prepared_acl_packet_now(hci_con_handle_t con_handle)
{
    (void) con_handle;
    return true;
}
8568894c74SMatthias Ringwald
// Mock: a Classic ACL packet can always be sent.
bool hci_can_send_acl_classic_packet_now(void)
{
    const bool can_send = true;
    return can_send;
}
8968894c74SMatthias Ringwald
// Mock: an LE ACL packet can always be sent.
bool hci_can_send_acl_le_packet_now(void)
{
    const bool can_send = true;
    return can_send;
}
9368894c74SMatthias Ringwald
// Mock: an HCI command can always be sent.
bool hci_can_send_command_packet_now(void)
{
    const bool can_send = true;
    return can_send;
}
9768894c74SMatthias Ringwald
// Mock: the command and its variadic arguments are ignored; success is
// reported without anything being sent.
uint8_t hci_send_cmd(const hci_cmd_t *cmd, ...)
{
    (void) cmd;
    return ERROR_CODE_SUCCESS;
}
10168894c74SMatthias Ringwald
// Mock: the usable ACL packet type mask is always 0.
uint16_t hci_usable_acl_packet_types(void)
{
    const uint16_t packet_types = 0;
    return packet_types;
}
10568894c74SMatthias Ringwald
// Mock: role switch is always reported as allowed (non-zero).
uint8_t hci_get_allow_role_switch(void)
{
    const uint8_t allowed = true;
    return allowed;
}
10968894c74SMatthias Ringwald
// Mock: marks the outgoing buffer as reserved. It does not check whether the
// buffer was already reserved.
void hci_reserve_packet_buffer(void)
{
    outgoing_reserved = true;
}
11368894c74SMatthias Ringwald
// Mock: marks the outgoing buffer as free again.
void hci_release_packet_buffer(void)
{
    outgoing_reserved = false;
}
11768894c74SMatthias Ringwald
// Mock: reports the current state of the reservation flag.
bool hci_is_packet_buffer_reserved(void)
{
    const bool reserved = outgoing_reserved;
    return reserved;
}
12168894c74SMatthias Ringwald
// Mock: returns the start of the static outgoing buffer. Callers get no length
// with the pointer; the buffer is the 2000-byte array declared at the top of
// this file.
uint8_t *hci_get_outgoing_packet_buffer(void)
{
    return &outgoing_buffer[0];
}
12568894c74SMatthias Ringwald
// Mock: "sends" the outgoing buffer by releasing the reservation and reporting
// success. The buffer contents are discarded.
// NOTE(review): size is not compared with sizeof(outgoing_buffer), so an
// oversized length from the caller goes unnoticed here - consider whether the
// harness should treat that as a finding.
uint8_t hci_send_acl_packet_buffer(int size)
{
    (void) size;
    outgoing_reserved = false;
    return ERROR_CODE_SUCCESS;
}
13068894c74SMatthias Ringwald
// Mock: the maximum ACL data packet length is fixed at 100.
uint16_t hci_max_acl_data_packet_length(void)
{
    const uint16_t max_acl_len = 100;
    return max_acl_len;
}
13468894c74SMatthias Ringwald
// Mock: authentication is never reported as in progress.
bool hci_authentication_active_for_handle(hci_con_handle_t handle)
{
    (void) handle;
    return false;
}
13868894c74SMatthias Ringwald
// Mock: intentionally does nothing; no link key storage exists in this harness.
void gap_drop_link_key_for_bd_addr(bd_addr_t addr)
{
    (void) addr;
}
14168894c74SMatthias Ringwald
// Mock: reports an all-zero connection parameter range.
// The caller must pass a valid pointer; range is written unconditionally.
void gap_get_connection_parameter_range(le_connection_parameter_range_t *range)
{
    memset(range, 0, sizeof *range);
}
14568894c74SMatthias Ringwald
// Mock: authorization is always granted, so any caller branch that handles a
// different authorization state is not reached through this stub.
authorization_state_t gap_authorization_state(hci_con_handle_t con_handle)
{
    (void) con_handle;
    return AUTHORIZATION_GRANTED;
}
14968894c74SMatthias Ringwald
// TODO: use fuzzer input for the result (the original note says "level",
// apparently copied from the security-level stubs).
// Mock: every parameter set is reported as inside the accepted range.
int gap_connection_parameter_range_included(le_connection_parameter_range_t *existing_range,
                                            uint16_t le_conn_interval_min,
                                            uint16_t le_conn_interval_max,
                                            uint16_t le_conn_latency,
                                            uint16_t le_supervision_timeout)
{
    (void) existing_range;
    (void) le_conn_interval_min;
    (void) le_conn_interval_max;
    (void) le_conn_latency;
    (void) le_supervision_timeout;
    return true;
}
15468894c74SMatthias Ringwald
// TODO: use fuzzer input for the result.
// Mock: every connection is reported as using Secure Connections.
bool gap_secure_connection(hci_con_handle_t con_handle)
{
    (void) con_handle;
    return true;
}
15968894c74SMatthias Ringwald
// TODO: use fuzzer input for the result.
// Mock: Secure Connections Only mode is always reported as disabled.
bool gap_get_secure_connections_only_mode(void)
{
    const bool sc_only = false;
    return sc_only;
}
16468894c74SMatthias Ringwald
// TODO: use fuzzer input for the connection type.
// Mock: every handle is reported as GAP_CONNECTION_ACL, so caller branches for
// other connection types are not reached through this stub.
gap_connection_type_t gap_get_connection_type(hci_con_handle_t connection_handle)
{
    (void) connection_handle;
    return GAP_CONNECTION_ACL;
}
16968894c74SMatthias Ringwald
// TODO: use fuzzer input for level
// Mock: the security level is pinned to LEVEL_4.
// NOTE(review): with a constant level, code in the fuzzed module that reacts
// to a lower level is presumably never exercised by this harness - confirm
// against the callers.
gap_security_level_t gap_get_security_level(void)
{
    const gap_security_level_t level = LEVEL_4;
    return level;
}
17468894c74SMatthias Ringwald
// TODO: use fuzzer input for level
// Mock: every connection is reported at LEVEL_4.
// NOTE(review): with a constant level, insufficient-security handling in the
// fuzzed module is presumably never exercised by this harness - confirm
// against the callers.
gap_security_level_t gap_security_level(hci_con_handle_t con_handle)
{
    (void) con_handle;
    return LEVEL_4;
}
17968894c74SMatthias Ringwald
// TODO: use fuzzer input for the security mode.
// Mock: the security mode is pinned to GAP_SECURITY_MODE_4.
gap_security_mode_t gap_get_security_mode(void)
{
    const gap_security_mode_t mode = GAP_SECURITY_MODE_4;
    return mode;
}
18468894c74SMatthias Ringwald
// TODO: use fuzzer input for the result.
// Mock: remote features are always reported as already available.
bool hci_remote_features_available(hci_con_handle_t handle)
{
    (void) handle;
    return true;
}
18968894c74SMatthias Ringwald
// TODO: use fuzzer input for the result.
// Mock: SSP is always reported as supported by both sides.
bool gap_ssp_supported_on_both_sides(hci_con_handle_t handle)
{
    (void) handle;
    return true;
}
19468894c74SMatthias Ringwald
// TODO: use fuzzer input for the key size.
// Mock: the encryption key size is pinned to 16.
// NOTE(review): a constant key size means any minimum-key-size rejection in
// the fuzzed module is presumably never triggered - confirm against the callers.
uint8_t gap_encryption_key_size(hci_con_handle_t con_handle)
{
    (void) con_handle;
    return 16;
}
19968894c74SMatthias Ringwald
// TODO: use fuzzer input for the result.
// Mock: every connection is reported as authenticated.
bool gap_authenticated(hci_con_handle_t con_handle)
{
    (void) con_handle;
    return true;
}
20468894c74SMatthias Ringwald
20568894c74SMatthias Ringwald // SM
// Mock: intentionally does nothing; the registration is dropped, so the
// callback is never invoked by this harness.
void sm_add_event_handler(btstack_packet_callback_registration_t *callback_handler)
{
    (void) callback_handler;
}
// Mock: intentionally does nothing; no pairing is started.
void sm_request_pairing(hci_con_handle_t con_handle)
{
    (void) con_handle;
}
21068894c74SMatthias Ringwald
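// libFuzzer entry point: turns one fuzz input into a single HCI event or
// ACL/L2CAP packet and passes it to the handler that was registered with the
// HCI mock in this file.
//
// Input layout, as consumed below:
//   data[0] bit 0     packet type: 1 = HCI event, 0 = ACL data
//   data[0] bits 2-4  connection handle 0x0000-0x0007 (ACL header only)
//   data[0] bits 5-6  2-bit value stored at bits 12-13 of the first ACL header word
//   data[1] bits 0-1  selects the L2CAP CID: 0x0001, 0x0041, 0x0042 or 0x0043
//   data[2]           skipped
//   data[3..]         event: event code followed by its parameters
//                     ACL:   L2CAP payload
//
// Inputs shorter than 5 bytes, events with more than 255 parameter bytes and
// ACL payloads that do not fit into the local packet buffer are ignored.
//
// Always returns 0.
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    // CID chosen by the 2-bit selector in data[1]. The table covers all four
    // selector values, so cid is always initialized.
    // NOTE(review): 0x41-0x43 presumably match the channels created by
    // l2cap_setup_test_channels_fuzz() - confirm there.
    static const uint16_t cid_for_selector[4] = { 0x0001, 0x0041, 0x0042, 0x0043 };

    // one-time setup that persists across fuzz iterations
    static int initialized = 0;
    if (initialized == 0){
        initialized = 1;
        btstack_run_loop_init(btstack_run_loop_posix_get_instance());
        hci_connection.con_handle = 0x0000;
    }

    // Build the packet before any per-iteration stack state is set up, so that
    // every rejected input returns without an unmatched btstack_memory_init().
    if (size < 5) return 0;
    uint8_t  packet_type       = (data[0] & 1) ? HCI_EVENT_PACKET : HCI_ACL_DATA_PACKET;
    // The handle may be non-zero even though the mock connection uses 0x0000;
    // the lookup stubs in this file ignore the handle and return that connection.
    uint16_t connection_handle = ((data[0] >> 2) & 0x07);   // 0x0000 - 0x0007
    uint8_t  pb_or_ps          = (data[0] >> 5) & 0x03;     // 0x00 - 0x03
    uint16_t cid               = cid_for_selector[data[1] & 3];
    size -= 3;
    data += 3;

    uint8_t  packet[1000];
    uint16_t packet_len;
    if (packet_type == HCI_EVENT_PACKET){
        // event code, then a one-byte parameter length, then the parameters
        packet[0] = data[0];
        size--;
        data++;
        if (size > 255) return 0;
        packet[1] = (uint8_t) size;
        memcpy(&packet[2], data, size);
        packet_len = (uint16_t) (size + 2);
    } else {
        // Check the payload size before it is narrowed to 16 bits for the
        // length fields and before anything is copied.
        if (size > (sizeof(packet) - 8)) return 0;
        little_endian_store_16(packet, 0, (uint16_t) ((pb_or_ps << 12) | connection_handle));
        little_endian_store_16(packet, 2, (uint16_t) (size + 4));   // HCI data length: L2CAP header + payload
        little_endian_store_16(packet, 4, (uint16_t) size);         // L2CAP length
        little_endian_store_16(packet, 6, cid);
        memcpy(&packet[8], data, size);
        packet_len = (uint16_t) (size + 8);
    }

    // per-iteration setup; paired with btstack_memory_deinit() below
    btstack_memory_init();

    // init hci mock
    outgoing_reserved = false;
    hci_connections = (btstack_linked_item_t*) &hci_connection;

    // init l2cap
    l2cap_init();
    l2cap_setup_test_channels_fuzz();

    // Deliver test data. The handlers are whatever was passed to
    // hci_add_event_handler() / hci_register_acl_packet_handler(); they are
    // called without a NULL check so a missing registration fails loudly.
    if (packet_type == HCI_EVENT_PACKET){
        (*event_packet_handler)(packet_type, 0, packet, packet_len);
    } else {
        (*acl_packet_handler)(packet_type, 0, packet, packet_len);
    }

    // teardown
    l2cap_free_channels_fuzz();
    btstack_memory_deinit();

    return 0;
}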