1 /*
2 * Copyright 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
#include "hci/fuzz/hci_layer_fuzz_client.h"

#include <utility>

#include "fuzz/helpers.h"
19
20 namespace bluetooth {
21 namespace hci {
22 namespace fuzz {
23 using bluetooth::fuzz::GetArbitraryBytes;
24 using bluetooth::hci::AclPacketView;
25
// Module-registry hook: the stack creates this client through the factory instead of
// constructing it directly. The raw pointer handed back is presumably owned by the module
// framework from here on (matches the other ModuleFactory definitions in the stack).
const ModuleFactory HciLayerFuzzClient::Factory = ModuleFactory([] {
  auto* client = new HciLayerFuzzClient();
  return client;
});
27
// Wires the fuzz client into the HCI layer: resolves the layer dependency, attaches a sink
// and an injection queue to the ACL queue end, and registers callbacks on each HCI
// sub-interface so that events produced by fuzzed commands have somewhere (harmless) to go.
void HciLayerFuzzClient::Start() {
  hci_ = GetDependency<hci::HciLayer>();
  // Inbound side of the ACL queue end. By its name, DevNullQueue discards whatever the HCI
  // layer hands up; the fuzzer only cares that the layer survives parsing the input.
  aclDevNull_ = new os::fuzz::DevNullQueue<AclPacketView>(hci_->GetAclQueueEnd(), GetHandler());
  aclDevNull_->Start();
  // Outbound side: injectAclData() pushes AclPacketBuilders through this queue into the layer.
  aclInject_ = new os::fuzz::FuzzInjectQueue<AclPacketBuilder>(hci_->GetAclQueueEnd(), GetHandler());

  // Can't do security right now, due to the Encryption Change conflict between ACL manager & security
  // security_interface_ = hci_->GetSecurityInterface(common::Bind([](EventPacketView){}), GetHandler());
  // NOTE(review): security_interface_ is never assigned here, so injectSecurityCommand() must
  // stay unreachable from injectArbitrary() until the conflict above is resolved — confirm the
  // header initialises the member to nullptr so a stray call fails loudly rather than randomly.

  // Every interface below is registered with callbacks that deliberately ignore their
  // argument; all of them are bound on this module's own handler.
  le_security_interface_ = hci_->GetLeSecurityInterface(GetHandler()->Bind([](LeMetaEventView) {}));
  // ACL / LE-ACL connection interfaces take a second callback (handle, error code) as well.
  acl_connection_interface_ = hci_->GetAclConnectionInterface(GetHandler()->Bind([](EventPacketView) {}),
                                                              GetHandler()->Bind([](uint16_t, hci::ErrorCode) {}));
  le_acl_connection_interface_ = hci_->GetLeAclConnectionInterface(GetHandler()->Bind([](LeMetaEventView) {}),
                                                                   GetHandler()->Bind([](uint16_t, hci::ErrorCode) {}));
  le_advertising_interface_ = hci_->GetLeAdvertisingInterface(GetHandler()->Bind([](LeMetaEventView) {}));
  le_scanning_interface_ = hci_->GetLeScanningInterface(GetHandler()->Bind([](LeMetaEventView) {}));
}
44
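// Tears down what Start() created. The sink is stopped before it is freed; both queue
// pointers are cleared as they are deleted so that a repeated Stop(), or any later read of
// the members, hits a null pointer instead of freed memory.
void HciLayerFuzzClient::Stop() {
  aclDevNull_->Stop();
  // std::exchange hands the old pointer to delete and leaves the member null in one step.
  delete std::exchange(aclDevNull_, nullptr);
  delete std::exchange(aclInject_, nullptr);
}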
50
// Draws one action value from the fuzzer input and forwards the next chunk of that input
// to the matching inject*() entry point. The table is indexed by the action value: slot 0
// is a deliberate no-op and slot 3 stays empty until the security interface is available
// (see Start()); for those two no further bytes are consumed from fdp.
void HciLayerFuzzClient::injectArbitrary(FuzzedDataProvider& fdp) {
  using Injector = void (HciLayerFuzzClient::*)(std::vector<uint8_t>);
  static constexpr Injector kInjectors[] = {
      nullptr,                                           // 0: nothing to do
      &HciLayerFuzzClient::injectAclData,                // 1
      &HciLayerFuzzClient::injectHciCommand,             // 2
      nullptr,                                           // 3: TODO: injectSecurityCommand(GetArbitraryBytes(&fdp));
      &HciLayerFuzzClient::injectLeSecurityCommand,      // 4
      &HciLayerFuzzClient::injectAclConnectionCommand,   // 5
      &HciLayerFuzzClient::injectLeAclConnectionCommand, // 6
      &HciLayerFuzzClient::injectLeAdvertisingCommand,   // 7
      &HciLayerFuzzClient::injectLeScanningCommand,      // 8
  };
  // Range is inclusive on both ends, so every index into kInjectors is in bounds.
  const int action = fdp.ConsumeIntegralInRange(0, 8);
  const Injector injector = kInjectors[action];
  if (injector == nullptr) {
    return;
  }
  (this->*injector)(GetArbitraryBytes(&fdp));
}
80
// Feeds raw fuzzer bytes to the HCI layer as an inbound ACL packet. Bytes that do not parse
// as a well-formed AclPacketView are dropped here rather than handed to the queue, so the
// layer is exercised only with structurally valid ACL framing.
void HciLayerFuzzClient::injectAclData(std::vector<uint8_t> data) {
  auto packet = AclPacketView::FromBytes(data);
  if (packet.IsValid()) {
    aclInject_->Inject(AclPacketBuilder::FromView(packet));
  }
}
89
// Injects an arbitrary HCI command straight into the HCI layer itself (no sub-interface).
void HciLayerFuzzClient::injectHciCommand(std::vector<uint8_t> data) {
  using View = CommandPacketView;
  using Builder = CommandPacketBuilder;
  inject_command<View, Builder>(data, hci_);
}
93
// Injects a classic security command through security_interface_.
// Start() currently leaves that interface unassigned (the registration is commented out), so
// this must not be reachable from injectArbitrary() until that is resolved.
void HciLayerFuzzClient::injectSecurityCommand(std::vector<uint8_t> data) {
  using View = SecurityCommandView;
  using Builder = SecurityCommandBuilder;
  inject_command<View, Builder>(data, security_interface_);
}
97
// Injects an LE security command through the interface registered in Start().
void HciLayerFuzzClient::injectLeSecurityCommand(std::vector<uint8_t> data) {
  using View = LeSecurityCommandView;
  using Builder = LeSecurityCommandBuilder;
  inject_command<View, Builder>(data, le_security_interface_);
}
101
// Injects a classic connection-management command through the interface registered in Start().
void HciLayerFuzzClient::injectAclConnectionCommand(std::vector<uint8_t> data) {
  using View = ConnectionManagementCommandView;
  using Builder = ConnectionManagementCommandBuilder;
  inject_command<View, Builder>(data, acl_connection_interface_);
}
105
// Injects an LE connection-management command through the interface registered in Start().
void HciLayerFuzzClient::injectLeAclConnectionCommand(std::vector<uint8_t> data) {
  using View = LeConnectionManagementCommandView;
  using Builder = LeConnectionManagementCommandBuilder;
  inject_command<View, Builder>(data, le_acl_connection_interface_);
}
110
// Injects an LE advertising command through the interface registered in Start().
void HciLayerFuzzClient::injectLeAdvertisingCommand(std::vector<uint8_t> data) {
  using View = LeAdvertisingCommandView;
  using Builder = LeAdvertisingCommandBuilder;
  inject_command<View, Builder>(data, le_advertising_interface_);
}
114
// Injects an LE scanning command through the interface registered in Start().
void HciLayerFuzzClient::injectLeScanningCommand(std::vector<uint8_t> data) {
  using View = LeScanningCommandView;
  using Builder = LeScanningCommandBuilder;
  inject_command<View, Builder>(data, le_scanning_interface_);
}
118
119 } // namespace fuzz
120 } // namespace hci
121 } // namespace bluetooth
122