1 /*
2  * Copyright 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "hci/fuzz/hci_layer_fuzz_client.h"
18 #include "fuzz/helpers.h"
19 
20 namespace bluetooth {
21 namespace hci {
22 namespace fuzz {
23 using bluetooth::fuzz::GetArbitraryBytes;
24 using bluetooth::hci::AclView;
25 
// Factory the module framework uses to instantiate this fuzz client; the
// raw `new` mirrors the other module factories (the framework presumably
// owns the returned module — not visible from here).
const ModuleFactory HciLayerFuzzClient::Factory =
    ModuleFactory([]() -> HciLayerFuzzClient* { return new HciLayerFuzzClient(); });
27 
// Module start-up: resolve the HciLayer dependency, create the two ACL queue
// adapters this client owns, and obtain the HCI sub-interfaces that the
// inject*Command() methods write fuzzer-generated commands into.
//
// Every Bind'd callback is intentionally a no-op: the harness only needs the
// interfaces to accept commands, it does not react to the resulting events.
void HciLayerFuzzClient::Start() {
  hci_ = GetDependency<hci::HciLayer>();
  // Inbound ACL side: presumably discards whatever the stack emits so the
  // queue never backs up (name-based inference; DevNullQueue is not shown).
  aclDevNull_ = new os::fuzz::DevNullQueue<AclView>(hci_->GetAclQueueEnd(), GetHandler());
  aclDevNull_->Start();
  // Outbound ACL side: injectAclData() pushes validated packets through here.
  // Both queue objects are released in Stop().
  aclInject_ = new os::fuzz::FuzzInjectQueue<AclBuilder>(hci_->GetAclQueueEnd(), GetHandler());

  // Can't do security right now, due to the Encryption Change conflict between ACL manager & security
  // security_interface_ = hci_->GetSecurityInterface(common::Bind([](EventView){}), GetHandler());
  // NOTE(review): because the line above is disabled, security_interface_ is
  // never assigned by Start(); injectSecurityCommand() must stay undispatched
  // (see the matching TODO in injectArbitrary) until this is re-enabled.
  le_security_interface_ = hci_->GetLeSecurityInterface(GetHandler()->Bind([](LeMetaEventView) {}));
  // The ACL connection interfaces take three callbacks: event, disconnect
  // (handle, reason) and read-remote-version completion — all ignored here.
  acl_connection_interface_ = hci_->GetAclConnectionInterface(
      GetHandler()->Bind([](EventView) {}),
      GetHandler()->Bind([](uint16_t, hci::ErrorCode) {}),
      GetHandler()->Bind([](hci::ErrorCode, uint16_t, uint8_t, uint16_t, uint16_t) {}));
  le_acl_connection_interface_ = hci_->GetLeAclConnectionInterface(
      GetHandler()->Bind([](LeMetaEventView) {}),
      GetHandler()->Bind([](uint16_t, hci::ErrorCode) {}),
      GetHandler()->Bind([](hci::ErrorCode, uint16_t, uint8_t, uint16_t, uint16_t) {}));
  le_advertising_interface_ = hci_->GetLeAdvertisingInterface(GetHandler()->Bind([](LeMetaEventView) {}));
  le_scanning_interface_ = hci_->GetLeScanningInterface(GetHandler()->Bind([](LeMetaEventView) {}));
}
48 
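// Module teardown: stop the inbound drain queue and release both queue
// adapters created in Start(). The owning pointers are reset to nullptr
// after deletion so a repeated Stop() cannot double-free, and — provided
// the header zero-initialises the members (not visible here) — a Stop()
// without a prior Start() is a no-op rather than a null dereference.
// hci_ and the *_interface_ members are not released: they are obtained
// from HciLayer and appear to be borrowed, not owned.
void HciLayerFuzzClient::Stop() {
  if (aclDevNull_ != nullptr) {
    aclDevNull_->Stop();
    delete aclDevNull_;
    aclDevNull_ = nullptr;
  }
  // delete on a null pointer is well-defined, so no guard is needed here.
  delete aclInject_;
  aclInject_ = nullptr;
}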
54 
// One fuzz iteration: draw an action index from the provider and hand the
// remaining arbitrary bytes to the matching inject* method.
//
// Slots without a target (0, and 3 while security-command injection is
// disabled) consume the action byte only and leave the rest of the input
// untouched, exactly like the empty cases of a switch would.
void HciLayerFuzzClient::injectArbitrary(FuzzedDataProvider& fdp) {
  using Injector = void (HciLayerFuzzClient::*)(std::vector<uint8_t>);
  static constexpr Injector kInjectors[] = {
      nullptr,                                            // 0: no-op
      &HciLayerFuzzClient::injectAclData,                 // 1
      &HciLayerFuzzClient::injectHciCommand,              // 2
      nullptr,                                            // 3: TODO: injectSecurityCommand
      &HciLayerFuzzClient::injectLeSecurityCommand,       // 4
      &HciLayerFuzzClient::injectAclConnectionCommand,    // 5
      &HciLayerFuzzClient::injectLeAclConnectionCommand,  // 6
      &HciLayerFuzzClient::injectLeAdvertisingCommand,    // 7
      &HciLayerFuzzClient::injectLeScanningCommand,       // 8
  };

  // Upper bound must stay one less than the table size.
  const uint8_t action = fdp.ConsumeIntegralInRange(0, 8);
  const Injector injector = kInjectors[action];
  if (injector == nullptr) {
    return;
  }
  (this->*injector)(GetArbitraryBytes(&fdp));
}
84 
// Parse fuzzer bytes as an ACL packet and push it into the inject queue.
// Input that does not decode to a valid AclView is silently dropped, so
// only packets passing IsValid() ever reach AclBuilder::FromView().
void HciLayerFuzzClient::injectAclData(std::vector<uint8_t> data) {
  auto packet = hci::AclView::FromBytes(data);
  if (packet.IsValid()) {
    aclInject_->Inject(AclBuilder::FromView(packet));
  }
}
93 
// Feed fuzzer bytes to the HCI layer as a generic command; validation and
// delivery are delegated to inject_command (defined in the header).
void HciLayerFuzzClient::injectHciCommand(std::vector<uint8_t> data) {
  auto& target = hci_;
  inject_command<CommandView, CommandBuilder>(data, target);
}
97 
// Feed fuzzer bytes to the (classic) security interface.
// NOTE(review): Start() currently never assigns security_interface_ (that
// call is commented out there), so this method must not be dispatched until
// it is — injectArbitrary keeps its slot as a TODO for that reason.
void HciLayerFuzzClient::injectSecurityCommand(std::vector<uint8_t> data) {
  auto& target = security_interface_;
  inject_command<SecurityCommandView, SecurityCommandBuilder>(data, target);
}
101 
// Feed fuzzer bytes to the LE security interface obtained in Start().
void HciLayerFuzzClient::injectLeSecurityCommand(std::vector<uint8_t> data) {
  auto& target = le_security_interface_;
  inject_command<LeSecurityCommandView, LeSecurityCommandBuilder>(data, target);
}
105 
// Feed fuzzer bytes to the classic ACL connection interface obtained in Start().
void HciLayerFuzzClient::injectAclConnectionCommand(std::vector<uint8_t> data) {
  auto& target = acl_connection_interface_;
  inject_command<AclCommandView, AclCommandBuilder>(data, target);
}
109 
// Feed fuzzer bytes to the LE ACL connection interface obtained in Start().
// Same view/builder pair as the classic variant; only the target differs.
void HciLayerFuzzClient::injectLeAclConnectionCommand(std::vector<uint8_t> data) {
  auto& target = le_acl_connection_interface_;
  inject_command<AclCommandView, AclCommandBuilder>(data, target);
}
113 
// Feed fuzzer bytes to the LE advertising interface obtained in Start().
void HciLayerFuzzClient::injectLeAdvertisingCommand(std::vector<uint8_t> data) {
  auto& target = le_advertising_interface_;
  inject_command<LeAdvertisingCommandView, LeAdvertisingCommandBuilder>(data, target);
}
117 
// Feed fuzzer bytes to the LE scanning interface obtained in Start().
void HciLayerFuzzClient::injectLeScanningCommand(std::vector<uint8_t> data) {
  auto& target = le_scanning_interface_;
  inject_command<LeScanningCommandView, LeScanningCommandBuilder>(data, target);
}
121 
122 }  // namespace fuzz
123 }  // namespace hci
124 }  // namespace bluetooth
125