
Commit 1bb6d6b8 authored by Elena Petrova's avatar Elena Petrova Committed by Gerrit Code Review

Merge changes I98bf33c4,I23871d2c

* changes:
  Bluetooth: a2dp: fuzzer: fix UAF in the fuzzer
  Bluetooth: sdp: a2dp fuzzer coverage improvement
parents 65c10671 019e10a0
+8 −4
@@ -54,7 +54,9 @@ std::vector<std::function<void(FuzzedDataProvider*)>> a2dp_operations = {
          fdp->ConsumeBytesWithTerminator<char>(MAX_STR_LEN);
      std::vector<char> p_provider_name =
          fdp->ConsumeBytesWithTerminator<char>(MAX_STR_LEN);
      A2DP_AddRecord(fdp->ConsumeIntegral<uint16_t>(), p_service_name.data(),
      uint16_t service_uuid = fdp->ConsumeBool() ? UUID_SERVCLASS_AUDIO_SOURCE
                                                 : UUID_SERVCLASS_AUDIO_SINK;
      A2DP_AddRecord(service_uuid, p_service_name.data(),
                     p_provider_name.data(), fdp->ConsumeIntegral<uint16_t>(),
                     // This should be a val returned by SDP_CreateRecord
                     getArbitraryVectorElement(fdp, sdp_record_handles, true));
@@ -62,10 +64,12 @@ std::vector<std::function<void(FuzzedDataProvider*)>> a2dp_operations = {

    // A2DP_FindService
    [](FuzzedDataProvider* fdp) -> void {
      tA2DP_SDP_DB_PARAMS p_db = generateDBParams(fdp);
      std::vector<uint16_t> attr_list;
      tA2DP_SDP_DB_PARAMS p_db = generateDBParams(fdp, attr_list);
      const RawAddress bd_addr = generateRawAddress(fdp);
      A2DP_FindService(fdp->ConsumeIntegral<uint16_t>(), bd_addr, &p_db,
                       a2dp_find_callback);
      uint16_t service_uuid = fdp->ConsumeBool() ? UUID_SERVCLASS_AUDIO_SOURCE
                                                 : UUID_SERVCLASS_AUDIO_SINK;
      A2DP_FindService(service_uuid, bd_addr, &p_db, a2dp_find_callback);
    },

    // A2DP_GetAvdtpVersion
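Review bot: The new `std::vector<uint16_t> attr_list;` in the A2DP_FindService lambda carries no comment saying why the attribute list is now owned by the caller, so a later cleanup can move it back into generateDBParams and reintroduce the use-after-free this commit fixes. The second file's hunk shows the vector being filled through the new reference parameter, and p_db presumably keeps a pointer into its storage, so add `// attr_list must outlive p_db: generateDBParams hands p_db a pointer into this vector` above the declaration, and the same rationale belongs as a doc comment on the generateDBParams signature in the second file. The lifetime secured here only spans this lambda; if a2dp_find_callback can run after the lambda returns, p_db and attr_list are already gone by then, which is worth confirming against the stack's callback semantics.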
+3 −2
@@ -32,8 +32,9 @@

#define MAX_DB_SIZE 4096

tA2DP_SDP_DB_PARAMS generateDBParams(FuzzedDataProvider* fdp) {
  std::vector<uint16_t> attr_list = generateArbitraryAttrList(fdp);
tA2DP_SDP_DB_PARAMS generateDBParams(FuzzedDataProvider* fdp,
                                     std::vector<uint16_t>& attr_list) {
  attr_list = generateArbitraryAttrList(fdp);

  tA2DP_SDP_DB_PARAMS db_params;
  db_params.db_len = fdp->ConsumeIntegralInRange<uint32_t>(0, MAX_DB_SIZE);
+2 −1
@@ -124,7 +124,8 @@ std::shared_ptr<tSDP_DISC_ATTR> generateArbitrarySdpDiscAttr(
  sdp_disc_attr_vect.push_back(new_attr);

  new_attr->p_next_attr = generateArbitrarySdpDiscAttr(fdp, true).get();
  new_attr->attr_id = fdp->ConsumeIntegral<uint16_t>();
  new_attr->attr_id = fdp->ConsumeBool() ? ATTR_ID_BT_PROFILE_DESC_LIST
                                         : fdp->ConsumeIntegral<uint16_t>();
  new_attr->attr_len_type =
      fdp->ConsumeBool() ? 16 : fdp->ConsumeIntegral<uint16_t>();
  new_attr->attr_value = generateArbitrarySdpDiscAttrVal(fdp);
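Review bot: The new ternary on attr_id biases half of the generated attributes toward ATTR_ID_BT_PROFILE_DESC_LIST without saying why, so the choice reads as arbitrary next to the otherwise random attr_id and is likely to be "simplified" away. A one-line why-comment above it, such as `// Favour the profile-descriptor list so the attribute lookups that search for it are exercised`, would preserve the intent; whether the target is the AVDTP version lookup is only inferred from the commit description, so confirm before naming it in the comment. generateArbitrarySdpDiscAttr starts before this hunk.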