1 #include <stdint.h>
2 #include <stddef.h>
3 #include <stdio.h>
4
5 #include <btstack_util.h>
6 #include <btstack.h>
7 #include <btstack_run_loop_posix.h>
8 #include "hci.h"
9
10 static hci_connection_t hci_connection;
11
12 static btstack_linked_list_t hci_connections;
13
14 static btstack_packet_handler_t acl_packet_handler;
15 static btstack_packet_handler_t event_packet_handler;
16
17 static uint8_t outgoing_buffer[2000];
18 static bool outgoing_reserved;
19
20 void l2cap_setup_test_channels_fuzz(void);
21 void l2cap_free_channels_fuzz(void);
22 l2cap_channel_t * l2cap_get_dynamic_channel_fuzz(void);
23
hci_add_event_handler(btstack_packet_callback_registration_t * callback_handler)24 void hci_add_event_handler(btstack_packet_callback_registration_t * callback_handler){
25 event_packet_handler = callback_handler->callback;
26 }
27
hci_register_acl_packet_handler(btstack_packet_handler_t handler)28 void hci_register_acl_packet_handler(btstack_packet_handler_t handler){
29 acl_packet_handler = handler;
30 }
31
hci_can_send_acl_packet_now(hci_con_handle_t con_handle)32 bool hci_can_send_acl_packet_now(hci_con_handle_t con_handle){
33 return true;
34 }
35
hci_connection_for_bd_addr_and_type(const bd_addr_t addr,bd_addr_type_t addr_type)36 hci_connection_t * hci_connection_for_bd_addr_and_type(const bd_addr_t addr, bd_addr_type_t addr_type){
37 return &hci_connection;
38 }
39
hci_connection_for_handle(hci_con_handle_t con_handle)40 hci_connection_t * hci_connection_for_handle(hci_con_handle_t con_handle){
41 return &hci_connection;
42 }
43
gap_connectable_control(uint8_t enable)44 void gap_connectable_control(uint8_t enable){
45 }
46
hci_remote_features_query(hci_con_handle_t con_handle)47 void hci_remote_features_query(hci_con_handle_t con_handle){
48 }
49
hci_disconnect_security_block(hci_con_handle_t con_handle)50 void hci_disconnect_security_block(hci_con_handle_t con_handle){
51 }
52
gap_request_security_level(hci_con_handle_t con_handle,gap_security_level_t requested_level)53 void gap_request_security_level(hci_con_handle_t con_handle, gap_security_level_t requested_level){
54 }
55
gap_set_minimal_service_security_level(gap_security_level_t security_level)56 void gap_set_minimal_service_security_level(gap_security_level_t security_level){
57 }
58
hci_connections_get_iterator(btstack_linked_list_iterator_t * it)59 void hci_connections_get_iterator(btstack_linked_list_iterator_t *it){
60 btstack_linked_list_iterator_init(it, &hci_connections);
61 }
62
hci_is_le_connection_type(bd_addr_type_t address_type)63 bool hci_is_le_connection_type(bd_addr_type_t address_type){
64 switch (address_type){
65 case BD_ADDR_TYPE_LE_PUBLIC:
66 case BD_ADDR_TYPE_LE_RANDOM:
67 case BD_ADDR_TYPE_LE_PUBLIC_IDENTITY:
68 case BD_ADDR_TYPE_LE_RANDOM_IDENTITY:
69 return true;
70 default:
71 return false;
72 }
73 }
74
hci_non_flushable_packet_boundary_flag_supported(void)75 bool hci_non_flushable_packet_boundary_flag_supported(void){
76 return true;
77 }
78
hci_automatic_flush_timeout(void)79 uint16_t hci_automatic_flush_timeout(void){
80 return 0;
81 }
82
hci_can_send_prepared_acl_packet_now(hci_con_handle_t con_handle)83 bool hci_can_send_prepared_acl_packet_now(hci_con_handle_t con_handle) {
84 return true;
85 }
86
hci_can_send_acl_classic_packet_now(void)87 bool hci_can_send_acl_classic_packet_now(void){
88 return true;
89 }
90
hci_can_send_acl_le_packet_now(void)91 bool hci_can_send_acl_le_packet_now(void){
92 return true;
93 }
94
hci_can_send_command_packet_now(void)95 bool hci_can_send_command_packet_now(void){
96 return true;
97 }
98
hci_send_cmd(const hci_cmd_t * cmd,...)99 uint8_t hci_send_cmd(const hci_cmd_t * cmd, ...){
100 return ERROR_CODE_SUCCESS;
101 }
102
hci_usable_acl_packet_types(void)103 uint16_t hci_usable_acl_packet_types(void){
104 return 0;
105 }
106
hci_get_allow_role_switch(void)107 uint8_t hci_get_allow_role_switch(void){
108 return true;
109 }
110
hci_reserve_packet_buffer(void)111 void hci_reserve_packet_buffer(void){
112 outgoing_reserved = true;
113 }
114
hci_release_packet_buffer(void)115 void hci_release_packet_buffer(void){
116 outgoing_reserved = false;
117 }
118
hci_is_packet_buffer_reserved(void)119 bool hci_is_packet_buffer_reserved(void){
120 return outgoing_reserved;
121 }
122
hci_get_outgoing_packet_buffer(void)123 uint8_t* hci_get_outgoing_packet_buffer(void){
124 return outgoing_buffer;
125 }
126
hci_send_acl_packet_buffer(int size)127 uint8_t hci_send_acl_packet_buffer(int size){
128 outgoing_reserved = false;
129 return ERROR_CODE_SUCCESS;
130 }
131
hci_max_acl_data_packet_length(void)132 uint16_t hci_max_acl_data_packet_length(void){
133 return 100;
134 }
135
hci_authentication_active_for_handle(hci_con_handle_t handle)136 bool hci_authentication_active_for_handle(hci_con_handle_t handle){
137 return false;
138 }
139
gap_drop_link_key_for_bd_addr(bd_addr_t addr)140 void gap_drop_link_key_for_bd_addr(bd_addr_t addr){
141 }
142
gap_get_connection_parameter_range(le_connection_parameter_range_t * range)143 void gap_get_connection_parameter_range(le_connection_parameter_range_t * range){
144 memset(range, 0, sizeof(le_connection_parameter_range_t));
145 }
146
gap_authorization_state(hci_con_handle_t con_handle)147 authorization_state_t gap_authorization_state(hci_con_handle_t con_handle){
148 return AUTHORIZATION_GRANTED;
149 }
150
151 // TODO: use fuzzer input for level
gap_connection_parameter_range_included(le_connection_parameter_range_t * existing_range,uint16_t le_conn_interval_min,uint16_t le_conn_interval_max,uint16_t le_conn_latency,uint16_t le_supervision_timeout)152 int gap_connection_parameter_range_included(le_connection_parameter_range_t * existing_range, uint16_t le_conn_interval_min, uint16_t le_conn_interval_max, uint16_t le_conn_latency, uint16_t le_supervision_timeout){
153 return true;
154 }
155
156 // TODO: use fuzzer input for level
gap_secure_connection(hci_con_handle_t con_handle)157 bool gap_secure_connection(hci_con_handle_t con_handle){
158 return true;
159 }
160
161 // TODO: use fuzzer input for level
gap_get_secure_connections_only_mode(void)162 bool gap_get_secure_connections_only_mode(void){
163 return false;
164 }
165
166 // TODO: use fuzzer input for level
gap_get_connection_type(hci_con_handle_t connection_handle)167 gap_connection_type_t gap_get_connection_type(hci_con_handle_t connection_handle){
168 return GAP_CONNECTION_ACL;
169 }
170
171 // TODO: use fuzzer input for level
gap_get_security_level(void)172 gap_security_level_t gap_get_security_level(void){
173 return LEVEL_4;
174 }
175
176 // TODO: use fuzzer input for level
gap_security_level(hci_con_handle_t con_handle)177 gap_security_level_t gap_security_level(hci_con_handle_t con_handle){
178 return LEVEL_4;
179 }
180
181 // TODO: use fuzzer input for level
gap_get_security_mode(void)182 gap_security_mode_t gap_get_security_mode(void){
183 return GAP_SECURITY_MODE_4;
184 }
185
186 // TODO: use fuzzer input for level
hci_remote_features_available(hci_con_handle_t handle)187 bool hci_remote_features_available(hci_con_handle_t handle){
188 return true;
189 }
190
191 // TODO: use fuzzer input for level
gap_ssp_supported_on_both_sides(hci_con_handle_t handle)192 bool gap_ssp_supported_on_both_sides(hci_con_handle_t handle){
193 return true;
194 }
195
196 // TODO: use fuzzer input for level
gap_encryption_key_size(hci_con_handle_t con_handle)197 uint8_t gap_encryption_key_size(hci_con_handle_t con_handle){
198 return 16;
199 }
200
201 // TODO: use fuzzer input for level
gap_authenticated(hci_con_handle_t con_handle)202 bool gap_authenticated(hci_con_handle_t con_handle){
203 return true;
204 }
205
206 // SM
sm_add_event_handler(btstack_packet_callback_registration_t * callback_handler)207 void sm_add_event_handler(btstack_packet_callback_registration_t * callback_handler){
208 }
sm_request_pairing(hci_con_handle_t con_handle)209 void sm_request_pairing(hci_con_handle_t con_handle){
210 }
211
fuzzer_l2cap_handler(uint8_t packet_type,uint16_t channel,uint8_t * packet,uint16_t size)212 static void fuzzer_l2cap_handler(uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size) {
213
214 // A Connection Request was received.
215 btstack_assert(false);
216
217 if (packet_type == HCI_EVENT_PACKET) {
218 if (hci_event_packet_get_type(packet) == L2CAP_EVENT_INCOMING_CONNECTION) {
219 uint16_t l2cap_cid = l2cap_event_incoming_connection_get_local_cid(packet);
220 l2cap_accept_connection(l2cap_cid);
221 }
222 }
223 }
224
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)225 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
226 static int initialized = 0;
227 if (initialized == 0){
228 initialized = 1;
229 btstack_run_loop_init(btstack_run_loop_posix_get_instance());
230 hci_connection.con_handle = 0x0000;
231 }
232
233 btstack_memory_init();
234
235 // prepare ACL packet
236 if (size < 1) return 0;
237 uint8_t pb_or_ps = (data[0] >> 5) & 0x003; // Packet Boundary field: 0x00-0x03
238 uint16_t cid = L2CAP_CID_SIGNALING; // Signaling Packet
239 size -= 1;
240 data += 1;
241 uint8_t packet[1000];
242 uint16_t packet_len;
243 little_endian_store_16(packet, 0, (pb_or_ps << 12) | hci_connection.con_handle);
244 little_endian_store_16(packet, 2, size + 4);
245 little_endian_store_16(packet, 4, size);
246 little_endian_store_16(packet, 6, cid);
247 if (size > (sizeof(packet) - 8)) return 0;
248 memcpy(&packet[8], data, size);
249 packet_len = size + 8;
250
251 // init hci mock
252 outgoing_reserved = false;
253 hci_connections = (btstack_linked_item_t*) &hci_connection;
254
255 // init l2cap
256 l2cap_init();
257 l2cap_register_service(&fuzzer_l2cap_handler, 0x1001, 100, LEVEL_0);
258
259 // deliver test data
260 (*acl_packet_handler)(HCI_ACL_DATA_PACKET, 0, packet, packet_len);
261
262 if (l2cap_get_dynamic_channel_fuzz() != NULL){
263 // A new channel was created!
264 btstack_assert(false);
265 }
266
267 // teardown
268 l2cap_unregister_service(0x1001);
269
270 btstack_memory_deinit();
271
272 return 0;
273 }
274