1 /*
2  * Copyright 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef BT_STACK_FUZZ_A2DP_FUNCTIONS_H_
18 #define BT_STACK_FUZZ_A2DP_FUNCTIONS_H_
19 
20 #include <fuzzer/FuzzedDataProvider.h>
21 #include <vector>
22 #include "a2dp_api.h"
23 #include "osi/include/allocator.h"
24 #include "raw_address.h"
25 #include "stack/a2dp/a2dp_int.h"
26 
27 #include "fuzzers/a2dp/a2dpFuzzHelpers.h"
28 #include "fuzzers/common/commonFuzzHelpers.h"
29 #include "fuzzers/sdp/sdpFuzzFunctions.h"
30 
31 #define MAX_STR_LEN 4096
32 
33 /* This is a vector of lambda functions the fuzzer will pull from.
34  *  This is done so new functions can be added to the fuzzer easily
35  *  without requiring modifications to the main fuzzer file. This also
36  *  allows multiple fuzzers to include this file, if functionality is needed.
37  */
38 std::vector<std::function<void(FuzzedDataProvider*)>> a2dp_operations = {
39     // Init
40     [](FuzzedDataProvider*) -> void {
41       // Re-init zeros out memory containing some pointers.
42       // Free the db first to prevent memleaks
43       if (a2dp_cb.find.p_db) {
44         osi_free(a2dp_cb.find.p_db);
45       }
46 
47       // Attempt re-initializations mid-run.
48       A2DP_Init();
49     },
50 
51     // A2DP_AddRecord
52     [](FuzzedDataProvider* fdp) -> void {
53       std::vector<char> p_service_name =
54           fdp->ConsumeBytesWithTerminator<char>(MAX_STR_LEN);
55       std::vector<char> p_provider_name =
56           fdp->ConsumeBytesWithTerminator<char>(MAX_STR_LEN);
57       A2DP_AddRecord(fdp->ConsumeIntegral<uint16_t>(), p_service_name.data(),
58                      p_provider_name.data(), fdp->ConsumeIntegral<uint16_t>(),
59                      // This should be a val returned by SDP_CreateRecord
60                      getArbitraryVectorElement(fdp, sdp_record_handles, true));
61     },
62 
63     // A2DP_FindService
64     [](FuzzedDataProvider* fdp) -> void {
65       tA2DP_SDP_DB_PARAMS p_db = generateDBParams(fdp);
66       const RawAddress bd_addr = generateRawAddress(fdp);
67       A2DP_FindService(fdp->ConsumeIntegral<uint16_t>(), bd_addr, &p_db,
68                        a2dp_find_callback);
69     },
70 
71     // A2DP_GetAvdtpVersion
72     [](FuzzedDataProvider*) -> void { A2DP_GetAvdtpVersion(); },
73 
74     // A2DP_SetTraceLevel
75     [](FuzzedDataProvider* fdp) -> void {
76       // Expected val is [0-5], 0xff but other values are supported so fuzz all
77       A2DP_SetTraceLevel(fdp->ConsumeIntegral<uint8_t>());
78     },
79 
80     // A2DP_BitsSet
81     [](FuzzedDataProvider* fdp) -> void {
82       A2DP_BitsSet(fdp->ConsumeIntegral<uint64_t>());
83     },
84 
85     // SDP Calls
86     [](FuzzedDataProvider* fdp) -> void {
87       callArbitraryFunction(fdp, sdp_operations);
88     }};
89 
90 #endif  // BT_STACK_FUZZ_A2DP_FUNCTIONS_H_
91