Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 82fc4cf9 authored by Zach Johnson's avatar Zach Johnson
Browse files

Add fuzzing for remaining HciLayer events 

Test: fuzz/run --host acl_manager
Change-Id: I17e7c9b4221992ff984811faae7c19b2859f8bc5
parent c0a96373

system/gd/hci/fuzz/fuzz_hci_layer.cc

+59 −1
Original line number Diff line number Diff line
@@ -70,7 +70,7 @@ void FuzzHciLayer::Stop() { 
}



void FuzzHciLayer::injectArbitrary(FuzzedDataProvider& fdp) {

  const uint8_t action = fdp.ConsumeIntegralInRange(0, 5);

  const uint8_t action = fdp.ConsumeIntegralInRange(0, 13);

  switch (action) {

    case 1:

      injectAclData(GetArbitraryBytes(&fdp));
@@ -87,6 +87,30 @@ void FuzzHciLayer::injectArbitrary(FuzzedDataProvider& fdp) { 
    case 5:

      injectLeEvent(fdp);

      break;

    case 6:

      injectSecurityEvent(GetArbitraryBytes(&fdp));

      break;

    case 7:

      injectLeSecurityEvent(GetArbitraryBytes(&fdp));

      break;

    case 8:

      injectAclEvent(GetArbitraryBytes(&fdp));

      break;

    case 9:

      injectAclDisconnect(fdp);

      break;

    case 10:

      injectLeAclEvent(GetArbitraryBytes(&fdp));

      break;

    case 11:

      injectLeAclDisconnect(fdp);

      break;

    case 12:

      injectLeAdvertisingEvent(GetArbitraryBytes(&fdp));

      break;

    case 13:

      injectLeScanningEvent(GetArbitraryBytes(&fdp));

      break;

  }

}
@@ -117,6 +141,40 @@ void FuzzHciLayer::injectLeEvent(FuzzedDataProvider& fdp) { 
  }

}



void FuzzHciLayer::injectSecurityEvent(std::vector<uint8_t> data) {

  InvokeIfValid<EventPacketView>(security_event_handler_, data);

}



void FuzzHciLayer::injectLeSecurityEvent(std::vector<uint8_t> data) {

  InvokeIfValid<LeMetaEventView>(le_security_event_handler_, data);

}



void FuzzHciLayer::injectAclEvent(std::vector<uint8_t> data) {

  InvokeIfValid<EventPacketView>(acl_event_handler_, data);

}



void FuzzHciLayer::injectAclDisconnect(FuzzedDataProvider& fdp) {

  acl_on_disconnect_.InvokeIfNotEmpty(fdp.ConsumeIntegral<uint16_t>(),

                                      static_cast<hci::ErrorCode>(fdp.ConsumeIntegral<uint8_t>()));

}



void FuzzHciLayer::injectLeAclEvent(std::vector<uint8_t> data) {

  InvokeIfValid<LeMetaEventView>(le_acl_event_handler_, data);

}



void FuzzHciLayer::injectLeAclDisconnect(FuzzedDataProvider& fdp) {

  le_acl_on_disconnect_.InvokeIfNotEmpty(fdp.ConsumeIntegral<uint16_t>(),

                                         static_cast<hci::ErrorCode>(fdp.ConsumeIntegral<uint8_t>()));

}



void FuzzHciLayer::injectLeAdvertisingEvent(std::vector<uint8_t> data) {

  InvokeIfValid<LeMetaEventView>(le_advertising_event_handler_, data);

}



void FuzzHciLayer::injectLeScanningEvent(std::vector<uint8_t> data) {

  InvokeIfValid<LeMetaEventView>(le_scanning_event_handler_, data);

}



const ModuleFactory FuzzHciLayer::Factory = ModuleFactory([]() { return new FuzzHciLayer(); });



}  // namespace fuzz

system/gd/hci/fuzz/fuzz_hci_layer.h

+23 −0
Original line number Diff line number Diff line
@@ -128,11 +128,25 @@ class FuzzHciLayer : public HciLayer { 


 private:

  void injectAclData(std::vector<uint8_t> data);



  void injectCommandComplete(std::vector<uint8_t> data);

  void injectCommandStatus(std::vector<uint8_t> data);



  void injectEvent(FuzzedDataProvider& fdp);

  void injectLeEvent(FuzzedDataProvider& fdp);



  void injectSecurityEvent(std::vector<uint8_t> data);

  void injectLeSecurityEvent(std::vector<uint8_t> data);



  void injectAclEvent(std::vector<uint8_t> data);

  void injectAclDisconnect(FuzzedDataProvider& fdp);

  void injectLeAclEvent(std::vector<uint8_t> data);

  void injectLeAclDisconnect(FuzzedDataProvider& fdp);



  void injectLeAdvertisingEvent(std::vector<uint8_t> data);



  void injectLeScanningEvent(std::vector<uint8_t> data);



  FuzzedDataProvider* auto_reply_fdp;



  common::BidiQueue<hci::AclPacketView, hci::AclPacketBuilder> acl_queue_{3};
@@ -151,6 +165,15 @@ class FuzzHciLayer : public HciLayer { 


  std::map<hci::EventCode, common::ContextualCallback<void(hci::EventPacketView)>> event_handlers_;

  std::map<hci::SubeventCode, common::ContextualCallback<void(hci::LeMetaEventView)>> le_event_handlers_;



  common::ContextualCallback<void(hci::EventPacketView)> security_event_handler_;

  common::ContextualCallback<void(hci::LeMetaEventView)> le_security_event_handler_;

  common::ContextualCallback<void(hci::EventPacketView)> acl_event_handler_;

  common::ContextualCallback<void(uint16_t, hci::ErrorCode)> acl_on_disconnect_;

  common::ContextualCallback<void(hci::LeMetaEventView)> le_acl_event_handler_;

  common::ContextualCallback<void(uint16_t, hci::ErrorCode)> le_acl_on_disconnect_;

  common::ContextualCallback<void(hci::LeMetaEventView)> le_advertising_event_handler_;

  common::ContextualCallback<void(hci::LeMetaEventView)> le_scanning_event_handler_;

};



}  // namespace fuzz