
Commit 56965b19 authored by Myles Watson's avatar Myles Watson Committed by Zhechen Yan

Never fire timers in HCI fuzz


Bug: 295314777
Test: mma -j32
Flag: EXEMPT, fuzz-only change
Change-Id: I1618505dcdb5a5c2415a718c7b4ee9963e88a1b6
parent 44f449e0
+2 −8
@@ -31,28 +31,22 @@ using bluetooth::fuzz::GetArbitraryBytes;
using bluetooth::hal::HciHal;
using bluetooth::hal::fuzz::FuzzHciHal;
using bluetooth::hci::fuzz::HciLayerFuzzClient;
using bluetooth::os::fake_timer::fake_timerfd_advance;
using bluetooth::os::fake_timer::fake_timerfd_cap_at;
using bluetooth::os::fake_timer::fake_timerfd_reset;

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  FuzzedDataProvider dataProvider(data, size);
  fake_timerfd_cap_at(1999);  // prevent command timeouts

  static FuzzTestModuleRegistry moduleRegistry = FuzzTestModuleRegistry();
  FuzzHciHal* fuzzHal = moduleRegistry.Inject<FuzzHciHal>(&HciHal::Factory);
  HciLayerFuzzClient* fuzzClient = moduleRegistry.Start<HciLayerFuzzClient>();

  while (dataProvider.remaining_bytes() > 0) {
    const uint8_t action = dataProvider.ConsumeIntegralInRange(0, 5);
    const uint8_t action = dataProvider.ConsumeIntegralInRange(1, 2);
    switch (action) {
      case 1:
        fake_timerfd_advance(dataProvider.ConsumeIntegral<uint64_t>());
        break;
      case 2:
        fuzzHal->injectArbitrary(dataProvider);
        break;
      case 3:
      case 2:
        fuzzClient->injectArbitrary(dataProvider);
        break;
    }