Loading system/gd/hal/fuzz/fuzz_hci_hal.cc +19 −22 Original line number Diff line number Diff line Loading @@ -41,50 +41,47 @@ void FuzzHciHal::sendHciCommand(HciPacket packet) { waiting_for_status_ = waiting_opcode_ == hci::OpCode::RESET; } bool FuzzHciHal::is_currently_valid_event(packet::PacketView<packet::kLittleEndian> packet) { void FuzzHciHal::injectHciEvent(std::vector<uint8_t> data) { auto packet = packet::PacketView<packet::kLittleEndian>(std::make_shared<std::vector<uint8_t>>(data)); hci::EventPacketView event = hci::EventPacketView::Create(packet); if (!event.IsValid()) { return false; return; } hci::CommandCompleteView complete = hci::CommandCompleteView::Create(event); if (complete.IsValid()) { if (waiting_for_status_ || complete.GetCommandOpCode() != waiting_opcode_) { return false; return; } } else if (!waiting_for_status_) { return false; return; } hci::CommandStatusView status = hci::CommandStatusView::Create(event); if (status.IsValid()) { if (!waiting_for_status_ || status.GetCommandOpCode() != waiting_opcode_) { return false; return; } } else if (waiting_for_status_) { return false; return; } return true; callbacks_->hciEventReceived(data); } int FuzzHciHal::injectFuzzInput(const uint8_t* data, size_t size) { const uint8_t separator[] = {0xDE, 0xAD, 0xBE, 0xEF}; auto inputs = ::bluetooth::fuzz::SplitInput(data, size, separator, sizeof(separator)); for (auto const& sdata : inputs) { auto packet = packet::PacketView<packet::kLittleEndian>(std::make_shared<std::vector<uint8_t>>(sdata)); void FuzzHciHal::injectAcl(std::vector<uint8_t> data) { auto packet = packet::PacketView<packet::kLittleEndian>(std::make_shared<std::vector<uint8_t>>(data)); hci::AclPacketView aclPacket = hci::AclPacketView::Create(packet); if (aclPacket.IsValid()) { callbacks_->aclDataReceived(sdata); if (!aclPacket.IsValid()) { return; } if (is_currently_valid_event(packet)) { callbacks_->hciEventReceived(sdata); callbacks_->aclDataReceived(data); } void FuzzHciHal::waitForHandler() { sentinel_work_item_.WaitUntilFinishedOn(GetHandler()); } return 0; } } // namespace fuzz } // namespace hal Loading system/gd/hal/fuzz/fuzz_hci_hal.h +3 −2 Original line number Diff line number Diff line Loading @@ -33,7 +33,9 @@ class FuzzHciHal : public HciHal { void sendAclData(HciPacket packet) override {} void sendScoData(HciPacket packet) override {} int injectFuzzInput(const uint8_t* data, size_t size); void injectAcl(std::vector<uint8_t> data); void injectHciEvent(std::vector<uint8_t> data); void waitForHandler(); std::string ToString() const override { return "HciHalFuzz"; Loading @@ -47,7 +49,6 @@ class FuzzHciHal : public HciHal { private: HciHalCallbacks* callbacks_; ::bluetooth::fuzz::SentinelWorkItem sentinel_work_item_; bool is_currently_valid_event(packet::PacketView<packet::kLittleEndian> packet); hci::OpCode waiting_opcode_; bool waiting_for_status_; }; Loading system/gd/hci/fuzz/hci_layer_fuzz_test.cc +18 −2 Original line number Diff line number Diff line Loading @@ -21,21 +21,37 @@ #include "hci/hci_layer.h" #include "module.h" #include <fuzzer/FuzzedDataProvider.h> using bluetooth::TestModuleRegistry; using bluetooth::hal::HciHal; using bluetooth::hal::fuzz::FuzzHciHal; using bluetooth::hci::fuzz::DevNullHci; extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { FuzzedDataProvider dataProvider(data, size); static TestModuleRegistry moduleRegistry = TestModuleRegistry(); FuzzHciHal* fuzzHal = new FuzzHciHal(); moduleRegistry.InjectTestModule(&HciHal::Factory, fuzzHal); moduleRegistry.Start<DevNullHci>(&moduleRegistry.GetTestThread()); fuzzHal->injectFuzzInput(data, size); while (dataProvider.remaining_bytes() > 0) { const uint8_t action = dataProvider.ConsumeIntegralInRange(0, 2); switch (action) { case 1: fuzzHal->injectAcl(dataProvider.ConsumeBytes<uint8_t>(dataProvider.ConsumeIntegral<size_t>())); break; case 2: fuzzHal->injectHciEvent(dataProvider.ConsumeBytes<uint8_t>(dataProvider.ConsumeIntegral<size_t>())); break; } } // TODO replace with something more general in thread/reactor fuzzHal->waitForHandler(); moduleRegistry.StopAll(); return 0; } Loading
system/gd/hal/fuzz/fuzz_hci_hal.cc +19 −22 Original line number Diff line number Diff line Loading @@ -41,50 +41,47 @@ void FuzzHciHal::sendHciCommand(HciPacket packet) { waiting_for_status_ = waiting_opcode_ == hci::OpCode::RESET; } bool FuzzHciHal::is_currently_valid_event(packet::PacketView<packet::kLittleEndian> packet) { void FuzzHciHal::injectHciEvent(std::vector<uint8_t> data) { auto packet = packet::PacketView<packet::kLittleEndian>(std::make_shared<std::vector<uint8_t>>(data)); hci::EventPacketView event = hci::EventPacketView::Create(packet); if (!event.IsValid()) { return false; return; } hci::CommandCompleteView complete = hci::CommandCompleteView::Create(event); if (complete.IsValid()) { if (waiting_for_status_ || complete.GetCommandOpCode() != waiting_opcode_) { return false; return; } } else if (!waiting_for_status_) { return false; return; } hci::CommandStatusView status = hci::CommandStatusView::Create(event); if (status.IsValid()) { if (!waiting_for_status_ || status.GetCommandOpCode() != waiting_opcode_) { return false; return; } } else if (waiting_for_status_) { return false; return; } return true; callbacks_->hciEventReceived(data); } int FuzzHciHal::injectFuzzInput(const uint8_t* data, size_t size) { const uint8_t separator[] = {0xDE, 0xAD, 0xBE, 0xEF}; auto inputs = ::bluetooth::fuzz::SplitInput(data, size, separator, sizeof(separator)); for (auto const& sdata : inputs) { auto packet = packet::PacketView<packet::kLittleEndian>(std::make_shared<std::vector<uint8_t>>(sdata)); void FuzzHciHal::injectAcl(std::vector<uint8_t> data) { auto packet = packet::PacketView<packet::kLittleEndian>(std::make_shared<std::vector<uint8_t>>(data)); hci::AclPacketView aclPacket = hci::AclPacketView::Create(packet); if (aclPacket.IsValid()) { callbacks_->aclDataReceived(sdata); if (!aclPacket.IsValid()) { return; } if (is_currently_valid_event(packet)) { callbacks_->hciEventReceived(sdata); callbacks_->aclDataReceived(data); } void FuzzHciHal::waitForHandler() { sentinel_work_item_.WaitUntilFinishedOn(GetHandler()); } return 0; } } // namespace fuzz } // namespace hal Loading
system/gd/hal/fuzz/fuzz_hci_hal.h +3 −2 Original line number Diff line number Diff line Loading @@ -33,7 +33,9 @@ class FuzzHciHal : public HciHal { void sendAclData(HciPacket packet) override {} void sendScoData(HciPacket packet) override {} int injectFuzzInput(const uint8_t* data, size_t size); void injectAcl(std::vector<uint8_t> data); void injectHciEvent(std::vector<uint8_t> data); void waitForHandler(); std::string ToString() const override { return "HciHalFuzz"; Loading @@ -47,7 +49,6 @@ class FuzzHciHal : public HciHal { private: HciHalCallbacks* callbacks_; ::bluetooth::fuzz::SentinelWorkItem sentinel_work_item_; bool is_currently_valid_event(packet::PacketView<packet::kLittleEndian> packet); hci::OpCode waiting_opcode_; bool waiting_for_status_; }; Loading
system/gd/hci/fuzz/hci_layer_fuzz_test.cc +18 −2 Original line number Diff line number Diff line Loading @@ -21,21 +21,37 @@ #include "hci/hci_layer.h" #include "module.h" #include <fuzzer/FuzzedDataProvider.h> using bluetooth::TestModuleRegistry; using bluetooth::hal::HciHal; using bluetooth::hal::fuzz::FuzzHciHal; using bluetooth::hci::fuzz::DevNullHci; extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { FuzzedDataProvider dataProvider(data, size); static TestModuleRegistry moduleRegistry = TestModuleRegistry(); FuzzHciHal* fuzzHal = new FuzzHciHal(); moduleRegistry.InjectTestModule(&HciHal::Factory, fuzzHal); moduleRegistry.Start<DevNullHci>(&moduleRegistry.GetTestThread()); fuzzHal->injectFuzzInput(data, size); while (dataProvider.remaining_bytes() > 0) { const uint8_t action = dataProvider.ConsumeIntegralInRange(0, 2); switch (action) { case 1: fuzzHal->injectAcl(dataProvider.ConsumeBytes<uint8_t>(dataProvider.ConsumeIntegral<size_t>())); break; case 2: fuzzHal->injectHciEvent(dataProvider.ConsumeBytes<uint8_t>(dataProvider.ConsumeIntegral<size_t>())); break; } } // TODO replace with something more general in thread/reactor fuzzHal->waitForHandler(); moduleRegistry.StopAll(); return 0; }
