1 #include <stdint.h> 2 #include <stddef.h> 3 #include <stdio.h> 4 5 #include <btstack_util.h> 6 #include <btstack.h> 7 #include <btstack_run_loop_posix.h> 8 #include "hci.h" 9 10 static hci_connection_t hci_connection; 11 12 static btstack_linked_list_t hci_connections; 13 14 static btstack_packet_handler_t acl_packet_handler; 15 static btstack_packet_handler_t event_packet_handler; 16 17 static uint8_t outgoing_buffer[2000]; 18 static bool outgoing_reserved; 19 20 void l2cap_setup_test_channels_fuzz(void); 21 void l2cap_free_channels_fuzz(void); 22 23 void hci_add_event_handler(btstack_packet_callback_registration_t * callback_handler){ 24 event_packet_handler = callback_handler->callback; 25 } 26 27 void hci_register_acl_packet_handler(btstack_packet_handler_t handler){ 28 acl_packet_handler = handler; 29 } 30 31 bool hci_can_send_acl_packet_now(hci_con_handle_t con_handle){ 32 return true; 33 } 34 35 hci_connection_t * hci_connection_for_bd_addr_and_type(const bd_addr_t addr, bd_addr_type_t addr_type){ 36 return &hci_connection; 37 } 38 39 hci_connection_t * hci_connection_for_handle(hci_con_handle_t con_handle){ 40 return &hci_connection; 41 } 42 43 void gap_connectable_control(uint8_t enable){ 44 } 45 46 void hci_remote_features_query(hci_con_handle_t con_handle){ 47 } 48 49 void hci_disconnect_security_block(hci_con_handle_t con_handle){ 50 } 51 52 void gap_request_security_level(hci_con_handle_t con_handle, gap_security_level_t requested_level){ 53 } 54 55 void gap_set_minimal_service_security_level(gap_security_level_t security_level){ 56 } 57 58 void hci_connections_get_iterator(btstack_linked_list_iterator_t *it){ 59 btstack_linked_list_iterator_init(it, &hci_connections); 60 } 61 62 bool hci_is_le_connection_type(bd_addr_type_t address_type){ 63 switch (address_type){ 64 case BD_ADDR_TYPE_LE_PUBLIC: 65 case BD_ADDR_TYPE_LE_RANDOM: 66 case BD_ADDR_TYPE_LE_PUBLIC_IDENTITY: 67 case BD_ADDR_TYPE_LE_RANDOM_IDENTITY: 68 return true; 69 default: 70 return false; 71 } 72 } 73 74 bool hci_non_flushable_packet_boundary_flag_supported(void){ 75 return true; 76 } 77 78 uint16_t hci_automatic_flush_timeout(void){ 79 return 0; 80 } 81 82 bool hci_can_send_prepared_acl_packet_now(hci_con_handle_t con_handle) { 83 return true; 84 } 85 86 bool hci_can_send_acl_classic_packet_now(void){ 87 return true; 88 } 89 90 bool hci_can_send_acl_le_packet_now(void){ 91 return true; 92 } 93 94 bool hci_can_send_command_packet_now(void){ 95 return true; 96 } 97 98 uint8_t hci_send_cmd(const hci_cmd_t * cmd, ...){ 99 return ERROR_CODE_SUCCESS; 100 } 101 102 uint16_t hci_usable_acl_packet_types(void){ 103 return 0; 104 } 105 106 uint8_t hci_get_allow_role_switch(void){ 107 return true; 108 } 109 110 bool hci_reserve_packet_buffer(void){ 111 outgoing_reserved = true; 112 return true; 113 } 114 115 void hci_release_packet_buffer(void){ 116 outgoing_reserved = false; 117 } 118 119 bool hci_is_packet_buffer_reserved(void){ 120 return outgoing_reserved; 121 } 122 123 uint8_t* hci_get_outgoing_packet_buffer(void){ 124 return outgoing_buffer; 125 } 126 127 uint8_t hci_send_acl_packet_buffer(int size){ 128 outgoing_reserved = false; 129 return ERROR_CODE_SUCCESS; 130 } 131 132 uint16_t hci_max_acl_data_packet_length(void){ 133 return 100; 134 } 135 136 bool hci_authentication_active_for_handle(hci_con_handle_t handle){ 137 return false; 138 } 139 140 void gap_drop_link_key_for_bd_addr(bd_addr_t addr){ 141 } 142 143 void gap_get_connection_parameter_range(le_connection_parameter_range_t * range){ 144 memset(range, 0, sizeof(le_connection_parameter_range_t)); 145 } 146 147 authorization_state_t gap_authorization_state(hci_con_handle_t con_handle){ 148 return AUTHORIZATION_GRANTED; 149 } 150 151 // TODO: use fuzzer input for level 152 int gap_connection_parameter_range_included(le_connection_parameter_range_t * existing_range, uint16_t le_conn_interval_min, uint16_t le_conn_interval_max, uint16_t le_conn_latency, uint16_t le_supervision_timeout){ 153 return true; 154 } 155 156 // TODO: use fuzzer input for level 157 bool gap_secure_connection(hci_con_handle_t con_handle){ 158 return true; 159 } 160 161 // TODO: use fuzzer input for level 162 bool gap_get_secure_connections_only_mode(void){ 163 return false; 164 } 165 166 // TODO: use fuzzer input for level 167 gap_connection_type_t gap_get_connection_type(hci_con_handle_t connection_handle){ 168 return GAP_CONNECTION_ACL; 169 } 170 171 // TODO: use fuzzer input for level 172 gap_security_level_t gap_get_security_level(void){ 173 return LEVEL_4; 174 } 175 176 // TODO: use fuzzer input for level 177 gap_security_level_t gap_security_level(hci_con_handle_t con_handle){ 178 return LEVEL_4; 179 } 180 181 // TODO: use fuzzer input for level 182 gap_security_mode_t gap_get_security_mode(void){ 183 return GAP_SECURITY_MODE_4; 184 } 185 186 // TODO: use fuzzer input for level 187 bool hci_remote_features_available(hci_con_handle_t handle){ 188 return true; 189 } 190 191 // TODO: use fuzzer input for level 192 bool gap_ssp_supported_on_both_sides(hci_con_handle_t handle){ 193 return true; 194 } 195 196 // TODO: use fuzzer input for level 197 uint8_t gap_encryption_key_size(hci_con_handle_t con_handle){ 198 return 16; 199 } 200 201 // TODO: use fuzzer input for level 202 bool gap_authenticated(hci_con_handle_t con_handle){ 203 return true; 204 } 205 206 // SM 207 void sm_add_event_handler(btstack_packet_callback_registration_t * callback_handler){ 208 } 209 void sm_request_pairing(hci_con_handle_t con_handle){ 210 } 211 212 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 213 static int initialized = 0; 214 if (initialized == 0){ 215 initialized = 1; 216 btstack_run_loop_init(btstack_run_loop_posix_get_instance()); 217 hci_connection.con_handle = 0x0000; 218 } 219 220 btstack_memory_init(); 221 222 // prepare test data 223 if (size < 5) return 0; 224 uint8_t packet_type = (data[0] & 1) ? HCI_EVENT_PACKET : HCI_ACL_DATA_PACKET; 225 uint16_t connection_handle = ((data[0] >> 2) & 0x07); // 0x0000 - 0x0007 226 uint8_t pb_or_ps = (data[0] >> 5) & 0x003; // 0x00-0x03 227 uint16_t cid; 228 switch (data[1] & 3){ 229 case 0: 230 cid = 1; 231 break; 232 case 1: 233 cid = 0x41; 234 break; 235 case 2: 236 cid = 0x42; 237 break; 238 case 3: 239 cid = 0x43; 240 break; 241 } 242 size -= 3; 243 data += 3; 244 uint8_t packet[1000]; 245 uint16_t packet_len; 246 switch (packet_type){ 247 case HCI_EVENT_PACKET: 248 packet[0] = data[0]; 249 size--; 250 data++; 251 if (size > 255) return 0; 252 packet[1] = size; 253 memcpy(&packet[2], data, size); 254 packet_len = size + 2; 255 break; 256 case HCI_ACL_DATA_PACKET: 257 little_endian_store_16(packet, 0, (pb_or_ps << 12) | connection_handle); 258 little_endian_store_16(packet, 2, size + 4); 259 little_endian_store_16(packet, 4, size); 260 little_endian_store_16(packet, 6, cid); 261 if (size > (sizeof(packet) - 8)) return 0; 262 memcpy(&packet[8], data, size); 263 packet_len = size + 8; 264 break; 265 default: 266 return 0; 267 } 268 269 // init hci mock 270 outgoing_reserved = false; 271 hci_connections = (btstack_linked_item_t*) &hci_connection; 272 273 // init l2cap 274 l2cap_init(); 275 l2cap_setup_test_channels_fuzz(); 276 277 // deliver test data 278 switch (packet_type){ 279 case HCI_EVENT_PACKET: 280 (*event_packet_handler)(packet_type, 0, packet, packet_len); 281 break; 282 case HCI_ACL_DATA_PACKET: 283 (*acl_packet_handler)(packet_type, 0, packet, packet_len); 284 break; 285 default: 286 return 0; 287 } 288 289 // teardown 290 l2cap_free_channels_fuzz(); 291 292 btstack_memory_deinit(); 293 294 return 0; 295 } 296