
Commit 13ce8d1a authored by Kris Alder

system/stack/fuzzers: split client and server portions of fuzzers

We should fuzz only one of these at a time (and choose based on the
fuzzer-provided input) because:

1. it's unlikely a single input will meaningfully use both paths
2. a crash/bug on the first (server) path will prevent the second
   (client) path from triggering

We could split this into separate targets, but there's a lot of shared
setup and teardown logic.

Bug: 335257114
Test: m gatt-fuzzer, m sdp-fuzzer
Test: built and ran both fuzz targets
Flag: EXEMPT, fuzzing-only change
Change-Id: Ia1fd5b5d70bf6b58f1ab38d3da4a4c8673d1ec1b
parent a2bc3f09
+11 −7
@@ -222,12 +222,11 @@ static void ServerCleanup() {
  gatt_free();
}

static void FuzzAsServer(const uint8_t* data, size_t size) {
static void FuzzAsServer(FuzzedDataProvider& fdp) {
  ServerInit();
  fixed_chnl_reg.pL2CA_FixedConn_Cb(L2CAP_ATT_CID, kDummyAddr, true, 0,
                                    BT_TRANSPORT_LE);

  FuzzedDataProvider fdp(data, size);
  while (fdp.remaining_bytes() > 0) {
    auto size = fdp.ConsumeIntegralInRange<uint16_t>(0, kMaxPacketSize);
    auto bytes = fdp.ConsumeBytes<uint8_t>(size);
@@ -252,12 +251,11 @@ static void ClientCleanup() {
  gatt_free();
}

static void FuzzAsClient(const uint8_t* data, size_t size) {
static void FuzzAsClient(FuzzedDataProvider& fdp) {
  ClientInit();
  fixed_chnl_reg.pL2CA_FixedConn_Cb(L2CAP_ATT_CID, kDummyAddr, true, 0,
                                    BT_TRANSPORT_LE);

  FuzzedDataProvider fdp(data, size);
  while (fdp.remaining_bytes() > 0) {
    auto op = fdp.ConsumeIntegral<uint8_t>();
    switch (op) {
@@ -313,10 +311,16 @@ static void FuzzAsClient(const uint8_t* data, size_t size) {
  ClientCleanup();
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  auto fakes = std::make_unique<Fakes>();

  FuzzAsServer(Data, Size);
  FuzzAsClient(Data, Size);
  FuzzedDataProvider fdp(data, size);

  if (fdp.ConsumeBool()) {
    FuzzAsServer(fdp);
  } else {
    FuzzAsClient(fdp);
  }

  return 0;
}
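Review bot: The `if (fdp.ConsumeBool())` dispatch in LLVMFuzzerTestOneInput carries its rationale only in the commit message; a one-line comment above it would keep the reasoning with the code, e.g. `// Fuzz one side per input: a crash on the server path would otherwise hide client-path bugs, and one input rarely exercises both.`. Note also that on a zero-length input `ConsumeBool()` returns false (an exhausted FuzzedDataProvider yields the range minimum), so the empty case only ever reaches FuzzAsClient and FuzzAsServer never sees it; whether that matters is a corpus question rather than a defect, but it is worth stating next to the branch. The identical dispatch in the second file section of this commit would take the same comment.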
+11 −7
@@ -147,8 +147,7 @@ class Fakes {

}  // namespace

static void FuzzAsServer(const uint8_t* data, size_t size) {
  FuzzedDataProvider fdp(data, size);
static void FuzzAsServer(FuzzedDataProvider& fdp) {
  std::vector<std::vector<uint8_t>> attrs;

  sdp_init();
@@ -191,8 +190,7 @@ static void FuzzAsServer(const uint8_t* data, size_t size) {
  sdp_free();
}

static void FuzzAsClient(const uint8_t* data, size_t size) {
  FuzzedDataProvider fdp(data, size);
static void FuzzAsClient(FuzzedDataProvider& fdp) {
  std::shared_ptr<tSDP_DISCOVERY_DB> p_db(
      (tSDP_DISCOVERY_DB*)malloc(SDP_DB_SIZE), free);

@@ -246,10 +244,16 @@ static void FuzzAsClient(const uint8_t* data, size_t size) {
  sdp_free();
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  auto fakes = std::make_unique<Fakes>();

  FuzzAsServer(Data, Size);
  FuzzAsClient(Data, Size);
  FuzzedDataProvider fdp(data, size);

  if (fdp.ConsumeBool()) {
    FuzzAsServer(fdp);
  } else {
    FuzzAsClient(fdp);
  }

  return 0;
}
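Review bot: `FuzzAsServer(FuzzedDataProvider& fdp)` and `FuzzAsClient(FuzzedDataProvider& fdp)` now receive the caller's provider by non-const reference, but nothing at the signature states that each presumably drains whatever input remains after the dispatcher's `ConsumeBool()`; a comment on each such as `// Consumes the remaining fuzzer input from fdp (owned by the caller) as server-side traffic.` (and the client counterpart) would make that contract explicit for anyone adding a third mode later. Both function bodies continue past their hunks, so how fdp is consumed inside them is only partly visible here. The same two functions in the first file section of this commit would take the same comments.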