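/*
 * Copyright 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include <fuzzer/FuzzedDataProvider.h>

#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

#include "fuzz/helpers.h"
#include "hci/class_of_device.h"
#include "hci/command_interface.h"
#include "hci/hci_layer.h"
#include "os/fuzz/dev_null_queue.h"
#include "os/fuzz/fuzz_inject_queue.h"
#include "os/log.h"

namespace bluetooth {
namespace hci {
namespace fuzz {

// Command-interface stand-in handed out by FuzzHciLayer for the various
// HCI sub-interfaces. Every command is accepted and discarded; the
// completion/status callback passed with it is dropped and never invoked.
template <typename T>
class FuzzCommandInterface : public CommandInterface<T> {
 public:
  // Discards the command and its completion callback.
  void EnqueueCommand(
      std::unique_ptr<T> /* command */,
      common::ContextualOnceCallback<void(hci::CommandCompleteView)> /* on_complete */) override {}

  // Discards the command and its status callback.
  void EnqueueCommand(
      std::unique_ptr<T> /* command */,
      common::ContextualOnceCallback<void(hci::CommandStatusView)> /* on_status */) override {}
};

// HciLayer replacement for fuzz targets. Commands enqueued by the code under
// test are not sent anywhere; their completion/status callback is retained
// and, while auto-reply is on, immediately answered with arbitrary bytes
// taken from the fuzzer's data provider. Events and ACL data are fed into the
// registered handlers through the inject* helpers (defined out of line).
class FuzzHciLayer : public HciLayer {
 public:
  // Enables auto-reply: each enqueued command is answered from |fdp|.
  // The pointer is non-owning; it is only read while auto-reply is on.
  void TurnOnAutoReply(FuzzedDataProvider* fdp) {
    auto_reply_fdp = fdp;
  }

  // Disables auto-reply; enqueued commands then only park their callback.
  void TurnOffAutoReply() {
    auto_reply_fdp = nullptr;
  }

  // Keeps |on_complete| as the pending completion callback (replacing any
  // earlier one) and, when auto-reply is on, injects a fuzzer-chosen
  // Command Complete payload for it.
  void EnqueueCommand(
      std::unique_ptr<hci::CommandBuilder> /* command */,
      common::ContextualOnceCallback<void(hci::CommandCompleteView)> on_complete) override {
    on_command_complete_ = std::move(on_complete);
    if (auto_reply_fdp != nullptr) {
      injectCommandComplete(bluetooth::fuzz::GetArbitraryBytes(auto_reply_fdp));
    }
  }

  // Keeps |on_status| as the pending status callback (replacing any earlier
  // one) and, when auto-reply is on, injects a fuzzer-chosen Command Status
  // payload for it.
  void EnqueueCommand(
      std::unique_ptr<hci::CommandBuilder> /* command */,
      common::ContextualOnceCallback<void(hci::CommandStatusView)> on_status) override {
    on_command_status_ = std::move(on_status);
    if (auto_reply_fdp != nullptr) {
      injectCommandStatus(bluetooth::fuzz::GetArbitraryBytes(auto_reply_fdp));
    }
  }

  // Upper ends of the locally owned data queues; nothing sits at the lower
  // end other than what Start()/Stop() (out of line) attach.
  common::BidiQueueEnd<hci::AclBuilder, hci::AclView>* GetAclQueueEnd() override {
    return acl_queue_.GetUpEnd();
  }

  common::BidiQueueEnd<hci::IsoBuilder, hci::IsoView>* GetIsoQueueEnd() override {
    return iso_queue_.GetUpEnd();
  }

  common::BidiQueueEnd<hci::ScoBuilder, hci::ScoView>* GetScoQueueEnd() override {
    return sco_queue_.GetUpEnd();
  }

  // Records |handler| for |event|; a later registration for the same code
  // silently replaces the earlier one.
  void RegisterEventHandler(hci::EventCode event,
                            common::ContextualCallback<void(hci::EventView)> handler) override {
    event_handlers_[event] = std::move(handler);
  }

  // Removing an unregistered code is a no-op.
  void UnregisterEventHandler(hci::EventCode event) override {
    event_handlers_.erase(event);
  }

  // LE meta-event counterpart of RegisterEventHandler.
  void RegisterLeEventHandler(hci::SubeventCode event,
                              common::ContextualCallback<void(hci::LeMetaEventView)> handler) override {
    le_event_handlers_[event] = std::move(handler);
  }

  // Removing an unregistered subevent code is a no-op.
  void UnregisterLeEventHandler(hci::SubeventCode event) override {
    le_event_handlers_.erase(event);
  }

  // Sub-interface accessors (defined out of line). They hand out the
  // FuzzCommandInterface members below and remember the supplied callbacks
  // so inject* can target them.
  hci::SecurityInterface* GetSecurityInterface(
      common::ContextualCallback<void(hci::EventView)> event_handler) override;

  hci::LeSecurityInterface* GetLeSecurityInterface(
      common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override;

  hci::AclConnectionInterface* GetAclConnectionInterface(
      common::ContextualCallback<void(hci::EventView)> event_handler,
      common::ContextualCallback<void(uint16_t, hci::ErrorCode)> on_disconnect,
      common::ContextualCallback<void(Address, ClassOfDevice)> on_connection_request,
      common::ContextualCallback<void(hci::ErrorCode hci_status, uint16_t, uint8_t, uint16_t, uint16_t)>
          on_read_remote_version) override;
  void PutAclConnectionInterface() override {}

  hci::LeAclConnectionInterface* GetLeAclConnectionInterface(
      common::ContextualCallback<void(hci::LeMetaEventView)> event_handler,
      common::ContextualCallback<void(uint16_t, hci::ErrorCode)> on_disconnect,
      common::ContextualCallback<void(hci::ErrorCode hci_status, uint16_t, uint8_t, uint16_t, uint16_t)>
          on_read_remote_version) override;
  void PutLeAclConnectionInterface() override {}

  hci::LeAdvertisingInterface* GetLeAdvertisingInterface(
      common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override;

  hci::LeScanningInterface* GetLeScanningInterface(
      common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override;

  hci::LeIsoInterface* GetLeIsoInterface(
      common::ContextualCallback<void(LeMetaEventView)> event_handler) override;

  hci::DistanceMeasurementInterface* GetDistanceMeasurementInterface(
      common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override;

  // Entry point for the fuzz target: consumes |fdp| to pick and deliver
  // events/data to the registered handlers (defined out of line).
  void injectArbitrary(FuzzedDataProvider& fdp);

  std::string ToString() const override {
    return "FuzzHciLayer";
  }

  static const ModuleFactory Factory;

 protected:
  void ListDependencies(ModuleList* /* list */) const override {}
  void Start() override;
  void Stop() override;

 private:
  void injectAclData(std::vector<uint8_t> data);

  void injectCommandComplete(std::vector<uint8_t> data);
  void injectCommandStatus(std::vector<uint8_t> data);

  void injectEvent(FuzzedDataProvider& fdp);
  void injectLeEvent(FuzzedDataProvider& fdp);

  void injectSecurityEvent(std::vector<uint8_t> data);
  void injectLeSecurityEvent(std::vector<uint8_t> data);

  void injectAclEvent(std::vector<uint8_t> data);
  void injectAclDisconnect(FuzzedDataProvider& fdp);
  void injectLeAclEvent(std::vector<uint8_t> data);
  void injectLeAclDisconnect(FuzzedDataProvider& fdp);

  void injectLeAdvertisingEvent(std::vector<uint8_t> data);

  void injectLeScanningEvent(std::vector<uint8_t> data);
  void injectLeIsoEvent(std::vector<uint8_t> data);

  // Non-owning; nullptr means auto-reply is off. Initialized explicitly so
  // the null check in EnqueueCommand is well-defined even when
  // TurnOnAutoReply was never called (previously an uninitialized read).
  FuzzedDataProvider* auto_reply_fdp{nullptr};

  common::BidiQueue<hci::AclView, hci::AclBuilder> acl_queue_{3};
  common::BidiQueue<hci::ScoView, hci::ScoBuilder> sco_queue_{3};
  common::BidiQueue<hci::IsoView, hci::IsoBuilder> iso_queue_{3};
  // Lower-end attachments for acl_queue_; presumably created in Start() and
  // released in Stop() (both out of line) — start as null rather than
  // indeterminate.
  os::fuzz::DevNullQueue<AclBuilder>* acl_dev_null_{nullptr};
  os::fuzz::FuzzInjectQueue<AclView>* acl_inject_{nullptr};

  FuzzCommandInterface<AclCommandBuilder> acl_connection_interface_{};
  FuzzCommandInterface<AclCommandBuilder> le_acl_connection_interface_{};
  FuzzCommandInterface<SecurityCommandBuilder> security_interface_{};
  FuzzCommandInterface<LeSecurityCommandBuilder> le_security_interface_{};
  FuzzCommandInterface<LeAdvertisingCommandBuilder> le_advertising_interface_{};
  FuzzCommandInterface<LeScanningCommandBuilder> le_scanning_interface_{};
  FuzzCommandInterface<LeIsoCommandBuilder> le_iso_interface_{};
  FuzzCommandInterface<DistanceMeasurementCommandBuilder> distance_measurement_interface_{};

  // Most recently enqueued command callbacks; only one of each is kept.
  common::ContextualOnceCallback<void(hci::CommandCompleteView)> on_command_complete_;
  common::ContextualOnceCallback<void(hci::CommandStatusView)> on_command_status_;

  std::map<hci::EventCode, common::ContextualCallback<void(hci::EventView)>> event_handlers_;
  std::map<hci::SubeventCode, common::ContextualCallback<void(hci::LeMetaEventView)>> le_event_handlers_;

  // Callbacks captured by the Get*Interface accessors.
  common::ContextualCallback<void(hci::EventView)> security_event_handler_;
  common::ContextualCallback<void(hci::LeMetaEventView)> le_security_event_handler_;
  common::ContextualCallback<void(hci::EventView)> acl_event_handler_;
  common::ContextualCallback<void(uint16_t, hci::ErrorCode)> acl_on_disconnect_;
  common::ContextualCallback<void(hci::LeMetaEventView)> le_acl_event_handler_;
  common::ContextualCallback<void(uint16_t, hci::ErrorCode)> le_acl_on_disconnect_;
  common::ContextualCallback<void(hci::LeMetaEventView)> le_advertising_event_handler_;
  common::ContextualCallback<void(hci::LeMetaEventView)> le_scanning_event_handler_;
  common::ContextualCallback<void(hci::LeMetaEventView)> le_iso_event_handler_;
};

}  // namespace fuzz
}  // namespace hci
}  // namespace bluetooth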