
Commit 7b2f30d1 authored by Elena Petrova

Bluetooth: sdp: a2dp fuzzer coverage improvement

Improve fuzzing coverage by resolving the most prominent
early back-offs by the fuzzer.

A2DP is only accepting two distinct values for
service_uuid, and because the argument is uint16
this API is left unexplored by the fuzzer.

The same goes for attr_id, although there are many more
acceptable values, having ATTR_ID_BT_PROFILE_DESC_LIST
appear more often helps unlock the use of complex
structures within SDP attributes database.

Bug: 257060629
Test: fuzzer builds and runs
Change-Id: I23871d2c15054eaf56ccc25519954b4885cfcfd9
parent aea515f1
+6 −3
@@ -54,7 +54,9 @@ std::vector<std::function<void(FuzzedDataProvider*)>> a2dp_operations = {
          fdp->ConsumeBytesWithTerminator<char>(MAX_STR_LEN);
      std::vector<char> p_provider_name =
          fdp->ConsumeBytesWithTerminator<char>(MAX_STR_LEN);
      A2DP_AddRecord(fdp->ConsumeIntegral<uint16_t>(), p_service_name.data(),
      uint16_t service_uuid = fdp->ConsumeBool() ? UUID_SERVCLASS_AUDIO_SOURCE
                                                 : UUID_SERVCLASS_AUDIO_SINK;
      A2DP_AddRecord(service_uuid, p_service_name.data(),
                     p_provider_name.data(), fdp->ConsumeIntegral<uint16_t>(),
                     // This should be a val returned by SDP_CreateRecord
                     getArbitraryVectorElement(fdp, sdp_record_handles, true));
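Review bot: the new service_uuid selection ahead of A2DP_AddRecord can only ever produce UUID_SERVCLASS_AUDIO_SOURCE or UUID_SERVCLASS_AUDIO_SINK, so whatever A2DP_AddRecord does with any other service_uuid is no longer reachable from this harness. The attr_id change in the same commit keeps a fallback to `fdp->ConsumeIntegral<uint16_t>()`; doing the same here, with the arbitrary value chosen only occasionally, would keep the rejection path covered without giving back the coverage gain.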
@@ -64,8 +66,9 @@ std::vector<std::function<void(FuzzedDataProvider*)>> a2dp_operations = {
    [](FuzzedDataProvider* fdp) -> void {
      tA2DP_SDP_DB_PARAMS p_db = generateDBParams(fdp);
      const RawAddress bd_addr = generateRawAddress(fdp);
      A2DP_FindService(fdp->ConsumeIntegral<uint16_t>(), bd_addr, &p_db,
                       a2dp_find_callback);
      uint16_t service_uuid = fdp->ConsumeBool() ? UUID_SERVCLASS_AUDIO_SOURCE
                                                 : UUID_SERVCLASS_AUDIO_SINK;
      A2DP_FindService(service_uuid, bd_addr, &p_db, a2dp_find_callback);
    },

    // A2DP_GetAvdtpVersion
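Review bot: the service_uuid ternary ahead of A2DP_FindService is a copy of the one added for A2DP_AddRecord, so the list of accepted UUIDs now lives in two places and can drift. Consider moving it into one small helper in the fuzzer, or using `fdp->PickValueInArray` over the two UUIDs, so that a further accepted value only has to be added once.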
+2 −1
@@ -124,7 +124,8 @@ std::shared_ptr<tSDP_DISC_ATTR> generateArbitrarySdpDiscAttr(
  sdp_disc_attr_vect.push_back(new_attr);

  new_attr->p_next_attr = generateArbitrarySdpDiscAttr(fdp, true).get();
  new_attr->attr_id = fdp->ConsumeIntegral<uint16_t>();
  new_attr->attr_id = fdp->ConsumeBool() ? ATTR_ID_BT_PROFILE_DESC_LIST
                                         : fdp->ConsumeIntegral<uint16_t>();
  new_attr->attr_len_type =
      fdp->ConsumeBool() ? 16 : fdp->ConsumeIntegral<uint16_t>();
  new_attr->attr_value = generateArbitrarySdpDiscAttrVal(fdp);
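Review bot: the new attr_id assignment gives ATTR_ID_BT_PROFILE_DESC_LIST to roughly half of all generated attributes, and nothing in the code says why that value is singled out. A one-line comment stating that the bias exists to reach the profile descriptor list handling would help the next reader, as it would for the bare 16 in the attr_len_type line just below. Since the commit message notes that many other attr_id values are acceptable, it is also worth checking whether a one-in-two split starves those of coverage.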