1 /*
2  * Copyright 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "hci/fuzz/fuzz_hci_layer.h"
18 
19 #include "fuzz/helpers.h"
20 #include "hci/class_of_device.h"
21 
22 namespace bluetooth {
23 namespace hci {
24 namespace fuzz {
25 
26 using bluetooth::common::ContextualCallback;
27 using bluetooth::fuzz::GetArbitraryBytes;
28 using bluetooth::fuzz::InvokeIfValid;
29 
GetSecurityInterface(ContextualCallback<void (hci::EventView)>)30 hci::SecurityInterface* FuzzHciLayer::GetSecurityInterface(
31     ContextualCallback<void(hci::EventView)> /* event_handler */) {
32   return &security_interface_;
33 }
34 
GetLeSecurityInterface(ContextualCallback<void (hci::LeMetaEventView)>)35 hci::LeSecurityInterface* FuzzHciLayer::GetLeSecurityInterface(
36     ContextualCallback<void(hci::LeMetaEventView)> /* event_handler */) {
37   return &le_security_interface_;
38 }
39 
GetAclConnectionInterface(ContextualCallback<void (hci::EventView)>,ContextualCallback<void (uint16_t,hci::ErrorCode)>,ContextualCallback<void (Address,ClassOfDevice)>,ContextualCallback<void (hci::ErrorCode,uint16_t,uint8_t version,uint16_t manufacturer_name,uint16_t sub_version)>)40 hci::AclConnectionInterface* FuzzHciLayer::GetAclConnectionInterface(
41     ContextualCallback<void(hci::EventView)> /* event_handler */,
42     ContextualCallback<void(uint16_t, hci::ErrorCode)> /* on_disconnect */,
43     ContextualCallback<void(Address, ClassOfDevice)> /* on_connection_request */,
44     ContextualCallback<void(
45         hci::ErrorCode,
46         uint16_t,
47         uint8_t version,
48         uint16_t manufacturer_name,
49         uint16_t sub_version)>
50     /* on_read_remote_version */) {
51   return &acl_connection_interface_;
52 }
53 
GetLeAclConnectionInterface(ContextualCallback<void (hci::LeMetaEventView)>,ContextualCallback<void (uint16_t,hci::ErrorCode)>,ContextualCallback<void (hci::ErrorCode,uint16_t,uint8_t version,uint16_t manufacturer_name,uint16_t sub_version)>)54 hci::LeAclConnectionInterface* FuzzHciLayer::GetLeAclConnectionInterface(
55     ContextualCallback<void(hci::LeMetaEventView)> /* event_handler */,
56     ContextualCallback<void(uint16_t, hci::ErrorCode)> /* on_disconnect */,
57     ContextualCallback<void(
58         hci::ErrorCode,
59         uint16_t,
60         uint8_t version,
61         uint16_t manufacturer_name,
62         uint16_t sub_version)>
63     /* on_read_remote_version */) {
64   return &le_acl_connection_interface_;
65 }
66 
GetLeAdvertisingInterface(ContextualCallback<void (hci::LeMetaEventView)>)67 hci::LeAdvertisingInterface* FuzzHciLayer::GetLeAdvertisingInterface(
68     ContextualCallback<void(hci::LeMetaEventView)> /* event_handler */) {
69   return &le_advertising_interface_;
70 }
71 
GetLeScanningInterface(ContextualCallback<void (hci::LeMetaEventView)>)72 hci::LeScanningInterface* FuzzHciLayer::GetLeScanningInterface(
73     ContextualCallback<void(hci::LeMetaEventView)> /* event_handler */) {
74   return &le_scanning_interface_;
75 }
76 
GetLeIsoInterface(ContextualCallback<void (hci::LeMetaEventView)>)77 hci::LeIsoInterface* FuzzHciLayer::GetLeIsoInterface(
78     ContextualCallback<void(hci::LeMetaEventView)> /* event_handler */) {
79   return &le_iso_interface_;
80 }
81 
GetDistanceMeasurementInterface(ContextualCallback<void (hci::LeMetaEventView)>)82 hci::DistanceMeasurementInterface* FuzzHciLayer::GetDistanceMeasurementInterface(
83     ContextualCallback<void(hci::LeMetaEventView)> /* event_handler */) {
84   return &distance_measurement_interface_;
85 }
86 
Start()87 void FuzzHciLayer::Start() {
88   acl_dev_null_ = new os::fuzz::DevNullQueue<AclBuilder>(acl_queue_.GetDownEnd(), GetHandler());
89   acl_dev_null_->Start();
90   acl_inject_ = new os::fuzz::FuzzInjectQueue<AclView>(acl_queue_.GetDownEnd(), GetHandler());
91 }
92 
Stop()93 void FuzzHciLayer::Stop() {
94   acl_dev_null_->Stop();
95   delete acl_dev_null_;
96   delete acl_inject_;
97 }
98 
injectArbitrary(FuzzedDataProvider & fdp)99 void FuzzHciLayer::injectArbitrary(FuzzedDataProvider& fdp) {
100   const uint8_t action = fdp.ConsumeIntegralInRange(0, 13);
101   switch (action) {
102     case 1:
103       injectAclData(GetArbitraryBytes(&fdp));
104       break;
105     case 2:
106       injectCommandComplete(GetArbitraryBytes(&fdp));
107       break;
108     case 3:
109       injectCommandStatus(GetArbitraryBytes(&fdp));
110       break;
111     case 4:
112       injectEvent(fdp);
113       break;
114     case 5:
115       injectLeEvent(fdp);
116       break;
117     case 6:
118       injectSecurityEvent(GetArbitraryBytes(&fdp));
119       break;
120     case 7:
121       injectLeSecurityEvent(GetArbitraryBytes(&fdp));
122       break;
123     case 8:
124       injectAclEvent(GetArbitraryBytes(&fdp));
125       break;
126     case 9:
127       injectAclDisconnect(fdp);
128       break;
129     case 10:
130       injectLeAclEvent(GetArbitraryBytes(&fdp));
131       break;
132     case 11:
133       injectLeAclDisconnect(fdp);
134       break;
135     case 12:
136       injectLeAdvertisingEvent(GetArbitraryBytes(&fdp));
137       break;
138     case 13:
139       injectLeScanningEvent(GetArbitraryBytes(&fdp));
140       break;
141   }
142 }
143 
injectAclData(std::vector<uint8_t> data)144 void FuzzHciLayer::injectAclData(std::vector<uint8_t> data) {
145   CONSTRUCT_VALID_UNIQUE_OTHERWISE_BAIL(hci::AclView, packet, data);
146   acl_inject_->Inject(std::move(packet));
147 }
148 
injectCommandComplete(std::vector<uint8_t> data)149 void FuzzHciLayer::injectCommandComplete(std::vector<uint8_t> data) {
150   InvokeIfValid<hci::CommandCompleteView>(std::move(on_command_complete_), data);
151 }
152 
injectCommandStatus(std::vector<uint8_t> data)153 void FuzzHciLayer::injectCommandStatus(std::vector<uint8_t> data) {
154   InvokeIfValid<hci::CommandStatusView>(std::move(on_command_status_), data);
155 }
156 
injectEvent(FuzzedDataProvider & fdp)157 void FuzzHciLayer::injectEvent(FuzzedDataProvider& fdp) {
158   auto handler_pair = event_handlers_.find(static_cast<EventCode>(fdp.ConsumeIntegral<uint8_t>()));
159   if (handler_pair != event_handlers_.end()) {
160     InvokeIfValid<EventView>(handler_pair->second, GetArbitraryBytes(&fdp));
161   }
162 }
163 
injectLeEvent(FuzzedDataProvider & fdp)164 void FuzzHciLayer::injectLeEvent(FuzzedDataProvider& fdp) {
165   auto handler_pair = le_event_handlers_.find(static_cast<SubeventCode>(fdp.ConsumeIntegral<uint8_t>()));
166   if (handler_pair != le_event_handlers_.end()) {
167     InvokeIfValid<LeMetaEventView>(handler_pair->second, GetArbitraryBytes(&fdp));
168   }
169 }
170 
injectSecurityEvent(std::vector<uint8_t> data)171 void FuzzHciLayer::injectSecurityEvent(std::vector<uint8_t> data) {
172   InvokeIfValid<EventView>(security_event_handler_, data);
173 }
174 
injectLeSecurityEvent(std::vector<uint8_t> data)175 void FuzzHciLayer::injectLeSecurityEvent(std::vector<uint8_t> data) {
176   InvokeIfValid<LeMetaEventView>(le_security_event_handler_, data);
177 }
178 
injectAclEvent(std::vector<uint8_t> data)179 void FuzzHciLayer::injectAclEvent(std::vector<uint8_t> data) {
180   InvokeIfValid<EventView>(acl_event_handler_, data);
181 }
182 
injectAclDisconnect(FuzzedDataProvider & fdp)183 void FuzzHciLayer::injectAclDisconnect(FuzzedDataProvider& fdp) {
184   if (acl_on_disconnect_) {
185     acl_on_disconnect_(
186         fdp.ConsumeIntegral<uint16_t>(),
187         static_cast<hci::ErrorCode>(fdp.ConsumeIntegral<uint8_t>()));
188   }
189 }
190 
injectLeAclEvent(std::vector<uint8_t> data)191 void FuzzHciLayer::injectLeAclEvent(std::vector<uint8_t> data) {
192   InvokeIfValid<LeMetaEventView>(le_acl_event_handler_, data);
193 }
194 
injectLeAclDisconnect(FuzzedDataProvider & fdp)195 void FuzzHciLayer::injectLeAclDisconnect(FuzzedDataProvider& fdp) {
196   if (le_acl_on_disconnect_) {
197     le_acl_on_disconnect_(
198         fdp.ConsumeIntegral<uint16_t>(),
199         static_cast<hci::ErrorCode>(fdp.ConsumeIntegral<uint8_t>()));
200   }
201 }
202 
injectLeAdvertisingEvent(std::vector<uint8_t> data)203 void FuzzHciLayer::injectLeAdvertisingEvent(std::vector<uint8_t> data) {
204   InvokeIfValid<LeMetaEventView>(le_advertising_event_handler_, data);
205 }
206 
injectLeScanningEvent(std::vector<uint8_t> data)207 void FuzzHciLayer::injectLeScanningEvent(std::vector<uint8_t> data) {
208   InvokeIfValid<LeMetaEventView>(le_scanning_event_handler_, data);
209 }
210 
injectLeIsoEvent(std::vector<uint8_t> data)211 void FuzzHciLayer::injectLeIsoEvent(std::vector<uint8_t> data) {
212   InvokeIfValid<LeMetaEventView>(le_iso_event_handler_, data);
213 }
214 
__anonaaceee5b0102() 215 const ModuleFactory FuzzHciLayer::Factory = ModuleFactory([]() { return new FuzzHciLayer(); });
216 
217 }  // namespace fuzz
218 }  // namespace hci
219 }  // namespace bluetooth
220