1 /*
2  * Copyright 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "hci/fuzz/hci_layer_fuzz_client.h"
18 
19 #include "fuzz/helpers.h"
20 #include "hci/class_of_device.h"
21 
22 namespace bluetooth {
23 namespace hci {
24 namespace fuzz {
25 using bluetooth::fuzz::GetArbitraryBytes;
26 using bluetooth::hci::AclView;
27 
// Factory through which the module framework creates this fuzz client. The lambda hands
// back a heap-allocated instance; presumably the framework takes ownership (not visible here).
const ModuleFactory HciLayerFuzzClient::Factory =
    ModuleFactory([]() -> HciLayerFuzzClient* { return new HciLayerFuzzClient(); });
29 
// Module lifecycle entry: wires this fuzz client into the HCI layer it depends on.
// Every HCI sub-interface is acquired with empty (no-op) callbacks, so the only purpose
// of registering is to make the HCI layer accept the packets pushed by the inject*
// methods below. Ownership: aclDevNull_ and aclInject_ are allocated here with raw
// `new` and are stopped/deleted in Stop(); calling Start() twice without Stop() leaks them.
void HciLayerFuzzClient::Start() {
  hci_ = GetDependency<hci::HciLayer>();
  // Drain queue attached to the ACL queue end — presumably discards whatever the HCI
  // layer hands to the ACL side so nothing backs up while fuzzing (name-based; confirm).
  aclDevNull_ = new os::fuzz::DevNullQueue<AclView>(hci_->GetAclQueueEnd(), GetHandler());
  aclDevNull_->Start();
  // Inject queue on the same ACL queue end; injectAclData() pushes AclBuilders through it.
  aclInject_ = new os::fuzz::FuzzInjectQueue<AclBuilder>(hci_->GetAclQueueEnd(), GetHandler());

  // Can't do security right now, due to the Encryption Change conflict between ACL manager & security
  // security_interface_ = hci_->GetSecurityInterface(common::Bind([](EventView){}), GetHandler());
  // NOTE(review): while the line above stays disabled, security_interface_ is never assigned in
  // Start(); unless the header initialises it, injectSecurityCommand() would hand an indeterminate
  // pointer to inject_command, so it must stay undispatched (see injectArbitrary(), case 3).
  le_security_interface_ = hci_->GetLeSecurityInterface(GetHandler()->Bind([](LeMetaEventView) {}));
  // ACL connection interface: event, disconnect, connection-request and
  // read-remote-version callbacks are all no-ops (inferred from the parameter lists).
  acl_connection_interface_ = hci_->GetAclConnectionInterface(
      GetHandler()->Bind([](EventView) {}),
      GetHandler()->Bind([](uint16_t, hci::ErrorCode) {}),
      GetHandler()->Bind([](Address, ClassOfDevice) {}),
      GetHandler()->Bind([](hci::ErrorCode, uint16_t, uint8_t, uint16_t, uint16_t) {}));
  le_acl_connection_interface_ = hci_->GetLeAclConnectionInterface(
      GetHandler()->Bind([](LeMetaEventView) {}),
      GetHandler()->Bind([](uint16_t, hci::ErrorCode) {}),
      GetHandler()->Bind([](hci::ErrorCode, uint16_t, uint8_t, uint16_t, uint16_t) {}));
  le_advertising_interface_ = hci_->GetLeAdvertisingInterface(GetHandler()->Bind([](LeMetaEventView) {}));
  le_scanning_interface_ = hci_->GetLeScanningInterface(GetHandler()->Bind([](LeMetaEventView) {}));
  // Acquired so the HCI layer is fully wired, but injectArbitrary() never targets it.
  distance_measurement_interface_ =
      hci_->GetDistanceMeasurementInterface(GetHandler()->Bind([](LeMetaEventView) {}));
}
53 
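// Module lifecycle exit: releases the two queues allocated in Start().
// The pointers are reset to nullptr after deletion so a late inject*() call or a
// repeated Stop() hits a null check rather than a dangling (freed) owner; `delete`
// on nullptr is a no-op, so the second Stop() is harmless.
void HciLayerFuzzClient::Stop() {
  if (aclDevNull_ != nullptr) {
    // Stop the drain queue before freeing it, mirroring Start()'s Start() call.
    aclDevNull_->Stop();
    delete aclDevNull_;
    aclDevNull_ = nullptr;
  }
  delete aclInject_;
  aclInject_ = nullptr;
}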
59 
// One fuzz iteration: draws a selector in [0, 8] from the fuzzer input and, when that
// slot has an injector, feeds it an arbitrary byte string drawn from the same input.
// Slots 0 and 3 are deliberate no-ops (3 is the disabled security path; see Start()).
void HciLayerFuzzClient::injectArbitrary(FuzzedDataProvider& fdp) {
  using Injector = void (HciLayerFuzzClient::*)(std::vector<uint8_t>);
  static const Injector kInjectors[] = {
      nullptr,                                            // 0: nothing to do
      &HciLayerFuzzClient::injectAclData,                 // 1
      &HciLayerFuzzClient::injectHciCommand,              // 2
      nullptr,                                            // 3: TODO: injectSecurityCommand
      &HciLayerFuzzClient::injectLeSecurityCommand,       // 4
      &HciLayerFuzzClient::injectAclConnectionCommand,    // 5
      &HciLayerFuzzClient::injectLeAclConnectionCommand,  // 6
      &HciLayerFuzzClient::injectLeAdvertisingCommand,    // 7
      &HciLayerFuzzClient::injectLeScanningCommand,       // 8
  };

  // The selector is consumed before any payload bytes, exactly as the original switch did.
  const uint8_t action = fdp.ConsumeIntegralInRange(0, 8);
  const Injector inject = kInjectors[action];
  if (inject == nullptr) {
    return;
  }
  (this->*inject)(GetArbitraryBytes(&fdp));
}
89 
// Pushes fuzzer-supplied bytes into the ACL queue end as an ACL packet.
// Bytes that do not parse as a well-formed ACL packet are dropped here so that only
// structurally valid packets reach the HCI layer (the parser, not the layer, rejects them).
void HciLayerFuzzClient::injectAclData(std::vector<uint8_t> data) {
  hci::AclView parsed = hci::AclView::FromBytes(data);
  if (parsed.IsValid()) {
    aclInject_->Inject(AclBuilder::FromView(parsed));
  }
}
98 
// Parses `data` as a generic HCI command and submits it straight to the HCI layer.
// Validation and dispatch live in inject_command (defined elsewhere); this is a pure delegation.
void HciLayerFuzzClient::injectHciCommand(std::vector<uint8_t> data) {
  inject_command<CommandView, CommandBuilder>(data, hci_);
}
102 
// Parses `data` as a security command and submits it to security_interface_.
// NOTE(review): not reachable from injectArbitrary() (case 3 is a TODO), and Start() never
// assigns security_interface_ because the security path is disabled there; do not wire this
// into the dispatcher until that assignment is restored, or the call passes an unset pointer.
void HciLayerFuzzClient::injectSecurityCommand(std::vector<uint8_t> data) {
  inject_command<SecurityCommandView, SecurityCommandBuilder>(data, security_interface_);
}
106 
// Parses `data` as an LE security command and submits it to le_security_interface_
// (obtained in Start() with a no-op LeMetaEvent callback). Pure delegation to inject_command.
void HciLayerFuzzClient::injectLeSecurityCommand(std::vector<uint8_t> data) {
  inject_command<LeSecurityCommandView, LeSecurityCommandBuilder>(data, le_security_interface_);
}
110 
// Parses `data` as an ACL (connection) command and submits it to acl_connection_interface_.
// Pure delegation to inject_command.
void HciLayerFuzzClient::injectAclConnectionCommand(std::vector<uint8_t> data) {
  inject_command<AclCommandView, AclCommandBuilder>(data, acl_connection_interface_);
}
114 
// Parses `data` with the same AclCommandView/AclCommandBuilder pair as the non-LE variant
// and submits it to le_acl_connection_interface_ — presumably the LE interface accepts the
// same command encoding; confirm against the interface definition if a dedicated LE view exists.
void HciLayerFuzzClient::injectLeAclConnectionCommand(std::vector<uint8_t> data) {
  inject_command<AclCommandView, AclCommandBuilder>(data, le_acl_connection_interface_);
}
118 
// Parses `data` as an LE advertising command and submits it to le_advertising_interface_.
// Pure delegation to inject_command.
void HciLayerFuzzClient::injectLeAdvertisingCommand(std::vector<uint8_t> data) {
  inject_command<LeAdvertisingCommandView, LeAdvertisingCommandBuilder>(data, le_advertising_interface_);
}
122 
// Parses `data` as an LE scanning command and submits it to le_scanning_interface_.
// Pure delegation to inject_command.
void HciLayerFuzzClient::injectLeScanningCommand(std::vector<uint8_t> data) {
  inject_command<LeScanningCommandView, LeScanningCommandBuilder>(data, le_scanning_interface_);
}
126 
127 }  // namespace fuzz
128 }  // namespace hci
129 }  // namespace bluetooth
130