1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "softbusbroadcast_fuzzer.h"
17 #include "softbus_broadcast_manager.h"
18 #include "softbus_ble_utils.h"
19 #include "softbus_ble_gatt_public.h"
20
21 #include <cstddef>
22 #include <type_traits>
23 #include <securec.h>
24
25 #include "softbus_adapter_mem.h"
26 #include "softbus_error_code.h"
27
28 #define MIN_DATA_LEN 50
29
30 #define BC_INTERNAL 48
31 #define BC_ADV_TX_POWER_DEFAULT (-6)
32 #define SERVICE_UUID 0xFDEE
33 #define BC_ADV_FLAG 0x2
34 #define MANUFACTURE_COMPANY_ID 0x027D
35 #define ADV_DATA_MAX_LEN 24
36 #define RESP_DATA_MAX_LEN 26
37 #define BROADCAST_MAX_LEN (ADV_DATA_MAX_LEN + RESP_DATA_MAX_LEN)
38 #define FILTER_SIZE 1
39
40 namespace OHOS {
41
42 const uint8_t *BASE_FUZZ_DATA = nullptr;
43 size_t g_baseFuzzSize = 0;
44 size_t g_baseFuzzPos;
45
GetData()46 template <class T> T GetData()
47 {
48 T object{};
49 size_t objectSize = sizeof(object);
50 if (BASE_FUZZ_DATA == nullptr || objectSize > g_baseFuzzSize - g_baseFuzzPos) {
51 return object;
52 }
53 errno_t ret = memcpy_s(&object, objectSize, BASE_FUZZ_DATA + g_baseFuzzPos, objectSize);
54 if (ret != EOK) {
55 return {};
56 }
57 g_baseFuzzPos += objectSize;
58 return object;
59 }
60
GetDataArray()61 template <class T> T* GetDataArray()
62 {
63 const size_t outSize = sizeof(T);
64 const size_t outLength = g_baseFuzzSize / outSize;
65
66 size_t allocSize = outLength * outSize;
67 if constexpr (std::is_same_v<T, char>) {
68 allocSize += outSize;
69 }
70
71 T* array = static_cast<T*>(malloc(allocSize));
72 if (BASE_FUZZ_DATA == nullptr || array == nullptr) {
73 return nullptr;
74 }
75
76 errno_t ret = memcpy_s(array, allocSize, BASE_FUZZ_DATA, outLength * outSize);
77 if (ret != EOK) {
78 free(array);
79 return nullptr;
80 }
81
82 if constexpr (std::is_same_v<T, char>) {
83 array[outLength] = '\0';
84 }
85
86 return array;
87 }
88
GetDataArray(T * dst,size_t dstLength)89 template <class T> void GetDataArray(T *dst, size_t dstLength)
90 {
91 size_t dstLen = dstLength * sizeof(T);
92 size_t copyLen = (g_baseFuzzSize < dstLen) ? g_baseFuzzSize : dstLen;
93 errno_t ret = memcpy_s(dst, dstLen, BASE_FUZZ_DATA, copyLen);
94 if (ret != EOK) {
95 return;
96 }
97 if (copyLen < dstLen) {
98 ret = memset_s(static_cast<uint8_t*>(dst) + copyLen, dstLen, 0, dstLen - copyLen);
99 if (ret != EOK) {
100 return;
101 }
102 }
103 }
104
BuildBroadcastParam(const uint8_t * data,size_t size,BroadcastParam * param)105 static int32_t BuildBroadcastParam(const uint8_t* data, size_t size, BroadcastParam *param)
106 {
107 g_baseFuzzPos = 0;
108 param->minInterval = GetData<int32_t>() % BC_INTERNAL;
109 param->maxInterval = GetData<int32_t>() % BC_INTERNAL;
110 param->advType = GetData<uint8_t>() % SOFTBUS_BC_ADV_DIRECT_IND_LOW;
111 param->ownAddrType = GetData<uint8_t>() % SOFTBUS_BC_RANDOM_STATIC_IDENTITY_ADDRESS;
112 param->peerAddrType = GetData<uint8_t>() % SOFTBUS_BC_RANDOM_STATIC_IDENTITY_ADDRESS;
113 param->channelMap = GetData<int32_t>();
114 param->txPower = BC_ADV_TX_POWER_DEFAULT;
115 param->advFilterPolicy = GetData<uint8_t>();
116 param->isSupportRpa = GetData<bool>();
117 param->duration = GetData<int32_t>();
118
119 if (memcpy_s(param->ownIrk, BC_IRK_LEN, data, BC_IRK_LEN) != EOK) {
120 return SOFTBUS_MEM_ERR;
121 }
122 if (memcpy_s(param->ownUdidHash, BC_UDID_HASH_LEN, data, BC_UDID_HASH_LEN) != EOK) {
123 return SOFTBUS_MEM_ERR;
124 }
125 return SOFTBUS_OK;
126 }
127
DestroyBleConfigAdvData(BroadcastPacket * packet)128 static void DestroyBleConfigAdvData(BroadcastPacket *packet)
129 {
130 SoftBusFree(packet->bcData.payload);
131 SoftBusFree(packet->rspData.payload);
132 packet->bcData.payload = nullptr;
133 packet->rspData.payload = nullptr;
134 }
135
BuildBroadcastPacket(const uint8_t * data,size_t size,BroadcastPacket * packet)136 static int32_t BuildBroadcastPacket(const uint8_t* data, size_t size, BroadcastPacket *packet)
137 {
138 packet->isSupportFlag = true;
139 packet->flag = BC_ADV_FLAG;
140 packet->bcData.type = BC_DATA_TYPE_SERVICE;
141 packet->bcData.id = SERVICE_UUID;
142 packet->rspData.type = BC_DATA_TYPE_MANUFACTURER;
143 packet->rspData.id = MANUFACTURE_COMPANY_ID;
144
145 packet->bcData.payload = (uint8_t *)SoftBusCalloc(ADV_DATA_MAX_LEN);
146 if (packet->bcData.payload == nullptr) {
147 return SOFTBUS_MALLOC_ERR;
148 }
149 packet->bcData.payloadLen = (size > ADV_DATA_MAX_LEN) ? ADV_DATA_MAX_LEN : size;
150 if (memcpy_s(packet->bcData.payload, ADV_DATA_MAX_LEN, data, packet->bcData.payloadLen) != EOK) {
151 SoftBusFree(packet->bcData.payload);
152 packet->rspData.payload = nullptr;
153 return SOFTBUS_MEM_ERR;
154 }
155
156 packet->rspData.payloadLen = (BROADCAST_MAX_LEN - packet->bcData.payloadLen > RESP_DATA_MAX_LEN) ?
157 RESP_DATA_MAX_LEN : (BROADCAST_MAX_LEN - packet->bcData.payloadLen);
158 if (packet->rspData.payloadLen == 0) {
159 packet->rspData.payload = nullptr;
160 return SOFTBUS_OK;
161 }
162 packet->rspData.payload = (uint8_t *)SoftBusCalloc(RESP_DATA_MAX_LEN);
163 if (packet->rspData.payload == nullptr) {
164 SoftBusFree(packet->bcData.payload);
165 packet->bcData.payload = nullptr;
166 return SOFTBUS_MALLOC_ERR;
167 }
168 if (memcpy_s(&packet->rspData.payload[0], RESP_DATA_MAX_LEN, data, packet->rspData.payloadLen) != EOK) {
169 DestroyBleConfigAdvData(packet);
170 return SOFTBUS_MEM_ERR;
171 }
172 return SOFTBUS_OK;
173 }
174
BuildScanParam()175 static BcScanParams BuildScanParam()
176 {
177 g_baseFuzzPos = 0;
178 BcScanParams scanParam;
179 scanParam.scanInterval = SOFTBUS_BC_SCAN_INTERVAL_P2;
180 scanParam.scanWindow = SOFTBUS_BC_SCAN_WINDOW_P2;
181 scanParam.scanType = GetData<bool>();
182 scanParam.scanPhy = GetData<uint8_t>() % SOFTBUS_BC_SCAN_PHY_CODED;
183 scanParam.scanFilterPolicy = GetData<uint8_t>() % SOFTBUS_BC_SCAN_FILTER_POLICY_ONLY_WHITE_LIST_AND_RPA;
184 return scanParam;
185 }
186
BuildScanFilter()187 static BcScanFilter BuildScanFilter()
188 {
189 g_baseFuzzPos = 0;
190 BcScanFilter scanFilter;
191 scanFilter.advIndReport = GetData<bool>();
192 scanFilter.serviceUuid = GetData<uint16_t>();
193 scanFilter.serviceDataLength = GetData<uint32_t>();
194 scanFilter.manufactureId = GetData<uint16_t>();
195 scanFilter.manufactureDataLength = GetData<uint32_t>();
196 scanFilter.filterIndex = GetData<uint8_t>();
197 scanFilter.address = GetDataArray<int8_t>();
198 scanFilter.deviceName = GetDataArray<int8_t>();
199 scanFilter.serviceData = GetDataArray<uint8_t>();
200 scanFilter.serviceDataMask = GetDataArray<uint8_t>();
201 scanFilter.manufactureData = GetDataArray<uint8_t>();
202 scanFilter.manufactureDataMask = GetDataArray<uint8_t>();
203 return scanFilter;
204 }
205
BuildBleScanNativeFilter()206 static BleScanNativeFilter BuildBleScanNativeFilter()
207 {
208 g_baseFuzzPos = 0;
209 BleScanNativeFilter nativeFilter;
210 nativeFilter.serviceUuidLength = GetData<unsigned int>();
211 nativeFilter.serviceDataLength = GetData<unsigned int>();
212 nativeFilter.manufactureDataLength = GetData<unsigned int>();
213 nativeFilter.manufactureId = GetData<unsigned short>();
214 nativeFilter.advIndReport = GetData<bool>();
215 nativeFilter.filterIndex = GetData<uint8_t>();
216 nativeFilter.address = GetDataArray<char>();
217 nativeFilter.deviceName = GetDataArray<char>();
218 nativeFilter.serviceUuid = GetDataArray<unsigned char>();
219 nativeFilter.serviceUuidMask = GetDataArray<unsigned char>();
220 nativeFilter.serviceData = GetDataArray<unsigned char>();
221 nativeFilter.serviceDataMask = GetDataArray<unsigned char>();
222 nativeFilter.manufactureData = GetDataArray<unsigned char>();
223 nativeFilter.manufactureDataMask = GetDataArray<unsigned char>();
224 return nativeFilter;
225 }
226
BuildSoftbusBroadcastPayload()227 static SoftbusBroadcastPayload BuildSoftbusBroadcastPayload()
228 {
229 g_baseFuzzPos = 0;
230 SoftbusBroadcastPayload payload;
231 size_t enumRange = BROADCAST_DATA_TYPE_BUTT - BROADCAST_DATA_TYPE_SERVICE + 1;
232 uint8_t adjustedValue = GetData<uint8_t>() % enumRange;
233 payload.type = (SoftbusBcDataType)adjustedValue;
234 payload.id = GetData<uint16_t>();
235 payload.payloadLen = g_baseFuzzSize;
236 payload.payload = GetDataArray<uint8_t>();
237 return payload;
238 }
239
BuildLpBroadcastParam(const uint8_t * data,size_t size,LpBroadcastParam * lpBcParam)240 static int32_t BuildLpBroadcastParam(const uint8_t* data, size_t size, LpBroadcastParam *lpBcParam)
241 {
242 g_baseFuzzPos = 0;
243 lpBcParam->bcHandle = GetData<int32_t>();
244 int32_t ret = BuildBroadcastParam(data, size, &lpBcParam->bcParam);
245 if (ret != SOFTBUS_OK) {
246 return ret;
247 }
248 ret = BuildBroadcastPacket(data, size, &lpBcParam->packet);
249 if (ret != SOFTBUS_OK) {
250 return ret;
251 }
252
253 return SOFTBUS_OK;
254 }
255
BuildLpScanParam()256 static LpScanParam BuildLpScanParam()
257 {
258 LpScanParam lpScanParam;
259 lpScanParam.scanParam = BuildScanParam();
260
261 return lpScanParam;
262 }
263
BleAdvEnableCallback(int32_t channel,int32_t status)264 static void BleAdvEnableCallback(int32_t channel, int32_t status)
265 {
266 (void)channel;
267 (void)status;
268 }
269
BleAdvDisableCallback(int32_t channel,int32_t status)270 static void BleAdvDisableCallback(int32_t channel, int32_t status)
271 {
272 (void)channel;
273 (void)status;
274 }
275
BleAdvDataCallback(int32_t channel,int32_t status)276 static void BleAdvDataCallback(int32_t channel, int32_t status)
277 {
278 (void)channel;
279 (void)status;
280 }
281
BleAdvUpdateCallback(int32_t channel,int32_t status)282 static void BleAdvUpdateCallback(int32_t channel, int32_t status)
283 {
284 (void)channel;
285 (void)status;
286 }
287
288 static BroadcastCallback g_advCallback = {
289 .OnStartBroadcastingCallback = BleAdvEnableCallback,
290 .OnStopBroadcastingCallback = BleAdvDisableCallback,
291 .OnUpdateBroadcastingCallback = BleAdvUpdateCallback,
292 .OnSetBroadcastingCallback = BleAdvDataCallback,
293 };
294
BleOnScanStart(int32_t listenerId,int32_t status)295 static void BleOnScanStart(int32_t listenerId, int32_t status)
296 {
297 (void)listenerId;
298 (void)status;
299 }
300
BleOnScanStop(int32_t listenerId,int32_t status)301 static void BleOnScanStop(int32_t listenerId, int32_t status)
302 {
303 (void)listenerId;
304 (void)status;
305 }
306
BleScanResultCallback(int32_t listenerId,const BroadcastReportInfo * reportInfo)307 static void BleScanResultCallback(int32_t listenerId, const BroadcastReportInfo *reportInfo)
308 {
309 (void)listenerId;
310 (void)reportInfo;
311 }
312
313 static ScanCallback g_scanListener = {
314 .OnStartScanCallback = BleOnScanStart,
315 .OnStopScanCallback = BleOnScanStop,
316 .OnReportScanDataCallback = BleScanResultCallback,
317 };
318
StartBroadcastingFuzzTest(int32_t bcId,const uint8_t * data,size_t size)319 void StartBroadcastingFuzzTest(int32_t bcId, const uint8_t* data, size_t size)
320 {
321 BroadcastParam param;
322 BuildBroadcastParam(data, size, ¶m);
323 BroadcastPacket packet;
324 BuildBroadcastPacket(data, size, &packet);
325
326 StartBroadcasting(bcId, ¶m, &packet);
327 DestroyBleConfigAdvData(&packet);
328 }
329
UpdateBroadcastingFuzzTest(int32_t bcId,const uint8_t * data,size_t size)330 void UpdateBroadcastingFuzzTest(int32_t bcId, const uint8_t* data, size_t size)
331 {
332 BroadcastParam param;
333 BuildBroadcastParam(data, size, ¶m);
334 BroadcastPacket packet;
335 BuildBroadcastPacket(data, size, &packet);
336
337 UpdateBroadcasting(bcId, ¶m, &packet);
338 DestroyBleConfigAdvData(&packet);
339 }
340
SetBroadcastingDataFuzzTest(int32_t bcId,const uint8_t * data,size_t size)341 void SetBroadcastingDataFuzzTest(int32_t bcId, const uint8_t* data, size_t size)
342 {
343 BroadcastPacket packet;
344 BuildBroadcastPacket(data, size, &packet);
345
346 SetBroadcastingData(bcId, &packet);
347 DestroyBleConfigAdvData(&packet);
348 }
349
StopBroadcastingFuzzTest(int32_t bcId)350 void StopBroadcastingFuzzTest(int32_t bcId)
351 {
352 StopBroadcasting(bcId);
353 }
354
StartScanFuzzTest(int32_t listenerId)355 void StartScanFuzzTest(int32_t listenerId)
356 {
357 BcScanParams scanParam = BuildScanParam();
358
359 StartScan(listenerId, &scanParam);
360 }
361
StopScanFuzzTest(int32_t listenerId)362 void StopScanFuzzTest(int32_t listenerId)
363 {
364 StopScan(listenerId);
365 }
366
BroadcastSetAdvDeviceParamFuzzTest(int32_t listenerId,const uint8_t * data,size_t size)367 void BroadcastSetAdvDeviceParamFuzzTest(int32_t listenerId, const uint8_t* data, size_t size)
368 {
369 g_baseFuzzPos = 0;
370 uint8_t type = GetData<uint8_t>();
371 LpScanParam lpScanParam = BuildLpScanParam();
372 lpScanParam.listenerId = listenerId;
373 LpBroadcastParam lpBcParam;
374 BuildLpBroadcastParam(data, size, &lpBcParam);
375
376 BroadcastSetAdvDeviceParam(static_cast<LpServerType>(type), &lpBcParam, &lpScanParam);
377 DestroyBleConfigAdvData(&lpBcParam.packet);
378 }
379
BroadcastGetBroadcastHandleFuzzTest(int32_t bcId)380 void BroadcastGetBroadcastHandleFuzzTest(int32_t bcId)
381 {
382 g_baseFuzzPos = 0;
383 int32_t bcHandle = GetData<int32_t>();
384
385 BroadcastGetBroadcastHandle(bcId, &bcHandle);
386 }
387
BroadcastSetScanReportChannelToLpDeviceFuzzTest(int32_t listenerId)388 void BroadcastSetScanReportChannelToLpDeviceFuzzTest(int32_t listenerId)
389 {
390 g_baseFuzzPos = 0;
391 bool enable = GetData<bool>();
392
393 BroadcastSetScanReportChannelToLpDevice(listenerId, enable);
394 }
395
BroadcastSetLpAdvParamFuzzTest()396 void BroadcastSetLpAdvParamFuzzTest()
397 {
398 g_baseFuzzPos = 0;
399 int32_t duration = GetData<int32_t>();
400 int32_t maxExtAdvEvents = GetData<int32_t>();
401 int32_t window = GetData<int32_t>();
402 int32_t interval = GetData<int32_t>();
403 int32_t lpAdvBCHandle = GetData<int32_t>();
404
405 BroadcastSetLpAdvParam(duration, maxExtAdvEvents, window, interval, lpAdvBCHandle);
406 }
407
SetBroadcastingParamFuzzTest(int32_t bcId,const uint8_t * data,size_t size)408 void SetBroadcastingParamFuzzTest(int32_t bcId, const uint8_t* data, size_t size)
409 {
410 BroadcastParam param;
411 BuildBroadcastParam(data, size, ¶m);
412
413 SetBroadcastingParam(bcId, ¶m);
414 }
415
SetScanFilterFuzzTest(int32_t listenerId)416 void SetScanFilterFuzzTest(int32_t listenerId)
417 {
418 g_baseFuzzPos = 0;
419 uint8_t filterNum = GetData<uint8_t>();
420 BcScanFilter scanFilter = BuildScanFilter();
421
422 SetScanFilter(listenerId, &scanFilter, filterNum);
423 }
424
GetScanFilterFuzzTest(int32_t listenerId)425 void GetScanFilterFuzzTest(int32_t listenerId)
426 {
427 g_baseFuzzPos = 0;
428 uint8_t filterNum = GetData<uint8_t>();
429 BcScanFilter *scanFilterRef = nullptr;
430
431 GetScanFilter(listenerId, &scanFilterRef, &filterNum);
432 }
433
QueryBroadcastStatusFuzzTest(int32_t bcId)434 void QueryBroadcastStatusFuzzTest(int32_t bcId)
435 {
436 int32_t *status = GetDataArray<int32_t>();
437
438 QueryBroadcastStatus(bcId, status);
439 }
440
BtStatusToSoftBusFuzzTest()441 void BtStatusToSoftBusFuzzTest()
442 {
443 size_t enumRange = OHOS_BT_STATUS_DUPLICATED_ADDR - OHOS_BT_STATUS_SUCCESS + 1;
444 uint8_t adjustedValue = GetData<uint8_t>() % enumRange;
445
446 BtStatusToSoftBus((BtStatus)adjustedValue);
447 }
448
SoftbusAdvParamToBtFuzzTest()449 void SoftbusAdvParamToBtFuzzTest()
450 {
451 g_baseFuzzPos = 0;
452 SoftbusBroadcastParam param;
453 param.advType = GetData<uint8_t>();
454 param.advFilterPolicy = GetData<uint8_t>();
455 param.ownAddrType = GetData<uint8_t>();
456 param.peerAddrType = GetData<uint8_t>();
457 param.txPower = GetData<int8_t>();
458 param.isSupportRpa = GetData<bool>();
459 param.peerAddr = GetData<SoftbusMacAddr>();
460 param.localAddr = GetData<SoftbusMacAddr>();
461 param.minInterval = GetData<int32_t>();
462 param.maxInterval = GetData<int32_t>();
463 param.channelMap = GetData<int32_t>();
464 param.duration = GetData<int32_t>();
465 GetDataArray<uint8_t>(param.ownIrk, SOFTBUS_IRK_LEN);
466 GetDataArray<uint8_t>(param.ownUdidHash, SOFTBUS_UDID_HASH_LEN);
467
468 BleAdvParams advParams;
469 param.minInterval = GetData<int>();
470 param.maxInterval = GetData<int>();
471 param.advType = GetData<BleAdvType>();
472 param.ownAddrType = GetData<unsigned char>();
473 param.peerAddrType = GetData<unsigned char>();
474 param.channelMap = GetData<int>();
475 param.advFilterPolicy = GetData<BleAdvFilter>();
476 param.txPower = GetData<int>();
477 param.duration = GetData<int>();
478 GetDataArray<unsigned char>(param.peerAddr.addr, OHOS_BD_ADDR_LEN);
479
480 SoftbusAdvParamToBt(¶m, &advParams);
481 }
482
BtScanResultToSoftbusFuzzTest()483 void BtScanResultToSoftbusFuzzTest()
484 {
485 BtScanResultData src;
486 src.eventType = GetData<unsigned char>();
487 src.dataStatus = GetData<unsigned char>();
488 src.addrType = GetData<unsigned char>();
489 src.addr = GetData<BdAddr>();
490 src.primaryPhy = GetData<unsigned char>();
491 src.secondaryPhy = GetData<unsigned char>();
492 src.advSid = GetData<unsigned char>();
493 src.txPower = GetData<char>();
494 src.rssi = GetData<char>();
495 src.periodicAdvInterval = GetData<unsigned short>();
496 src.directAddrType = GetData<unsigned char>();
497 src.directAddr = GetData<BdAddr>();
498 src.advLen = GetData<unsigned char>();
499 src.advData = GetDataArray<unsigned char>();
500 SoftBusBcScanResult dst;
501 dst.eventType = GetData<uint8_t>();
502 dst.dataStatus = GetData<uint8_t>();
503 dst.primaryPhy = GetData<uint8_t>();
504 dst.secondaryPhy = GetData<uint8_t>();
505 dst.advSid = GetData<uint8_t>();
506 dst.txPower = GetData<int8_t>();
507 dst.rssi = GetData<int8_t>();
508 dst.addrType = GetData<uint8_t>();
509 dst.addr = GetData<SoftbusMacAddr>();
510 dst.data.isSupportFlag = GetData<bool>();
511 dst.data.flag = GetData<uint8_t>();
512 GetDataArray<uint8_t>(dst.localName, SOFTBUS_LOCAL_NAME_LEN_MAX);
513 dst.deviceName = GetDataArray<int8_t>();
514 dst.data.bcData = BuildSoftbusBroadcastPayload();
515 dst.data.rspData = BuildSoftbusBroadcastPayload();
516
517 BtScanResultToSoftbus(&src, &dst);
518 }
519
SoftbusSetManufactureFilterFuzzTest()520 void SoftbusSetManufactureFilterFuzzTest()
521 {
522 BleScanNativeFilter nativeFilter = BuildBleScanNativeFilter();
523
524 SoftbusSetManufactureFilter(&nativeFilter, FILTER_SIZE);
525 }
526
FreeBtFilterFuzzTest()527 void FreeBtFilterFuzzTest()
528 {
529 BleScanNativeFilter nativeFilter = BuildBleScanNativeFilter();
530
531 FreeBtFilter(&nativeFilter, FILTER_SIZE);
532 }
533
GetBtScanModeFuzzTest()534 void GetBtScanModeFuzzTest()
535 {
536 uint16_t scanInterval = GetData<uint16_t>();
537 uint16_t scanWindow = GetData<uint16_t>();
538
539 GetBtScanMode(scanInterval, scanWindow);
540 }
541
AssembleAdvDataFuzzTest()542 void AssembleAdvDataFuzzTest()
543 {
544 uint16_t dataLen = GetData<uint16_t>();
545 SoftbusBroadcastData data;
546 data.flag = GetData<uint8_t>();
547 data.bcData = BuildSoftbusBroadcastPayload();
548 data.rspData = BuildSoftbusBroadcastPayload();
549
550 AssembleAdvData(&data, &dataLen);
551 }
552
AssembleRspDataFuzzTest()553 void AssembleRspDataFuzzTest()
554 {
555 SoftbusBroadcastPayload payload = BuildSoftbusBroadcastPayload();
556 uint16_t dataLen = GetData<uint16_t>();
557
558 AssembleRspData(&payload, &dataLen);
559 }
560
ParseScanResultFuzzTest()561 void ParseScanResultFuzzTest()
562 {
563 SoftBusBcScanResult dst;
564 dst.eventType = GetData<uint8_t>();
565 dst.dataStatus = GetData<uint8_t>();
566 dst.primaryPhy = GetData<uint8_t>();
567 dst.secondaryPhy = GetData<uint8_t>();
568 dst.advSid = GetData<uint8_t>();
569 dst.txPower = GetData<int8_t>();
570 dst.rssi = GetData<int8_t>();
571 dst.addrType = GetData<uint8_t>();
572 dst.addr = GetData<SoftbusMacAddr>();
573 dst.data.isSupportFlag = GetData<bool>();
574 dst.data.flag = GetData<uint8_t>();
575 GetDataArray<uint8_t>(dst.localName, SOFTBUS_LOCAL_NAME_LEN_MAX);
576 dst.deviceName = GetDataArray<int8_t>();
577 dst.data.bcData = BuildSoftbusBroadcastPayload();
578 dst.data.rspData = BuildSoftbusBroadcastPayload();
579 uint8_t *data = GetDataArray<uint8_t>();
580
581 ParseScanResult(data, g_baseFuzzSize, &dst);
582 }
583
DumpSoftbusAdapterDataFuzzTest()584 void DumpSoftbusAdapterDataFuzzTest()
585 {
586 char *description = GetDataArray<char>();
587 uint8_t *data = GetDataArray<uint8_t>();
588 DumpSoftbusAdapterData(description, data, g_baseFuzzSize);
589 }
590 } // OHOS namespace
591
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)592 extern "C" int32_t LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
593 {
594 if (size < MIN_DATA_LEN) {
595 return 0;
596 }
597 OHOS::BASE_FUZZ_DATA = data;
598 OHOS::g_baseFuzzSize = size;
599
600 int32_t listenerId = -1;
601 int32_t bcId = -1;
602
603 InitBroadcastMgr();
604 RegisterBroadcaster(BROADCAST_PROTOCOL_BLE, SRV_TYPE_DIS, &bcId, &OHOS::g_advCallback);
605 RegisterScanListener(BROADCAST_PROTOCOL_BLE, SRV_TYPE_DIS, &listenerId, &OHOS::g_scanListener);
606
607 OHOS::StartBroadcastingFuzzTest(bcId, data, size);
608 OHOS::UpdateBroadcastingFuzzTest(bcId, data, size);
609 OHOS::SetBroadcastingDataFuzzTest(bcId, data, size);
610 OHOS::StopBroadcastingFuzzTest(bcId);
611 OHOS::StartScanFuzzTest(listenerId);
612 OHOS::StopScanFuzzTest(listenerId);
613 OHOS::BroadcastSetAdvDeviceParamFuzzTest(listenerId, data, size);
614 OHOS::BroadcastGetBroadcastHandleFuzzTest(bcId);
615 OHOS::BroadcastSetScanReportChannelToLpDeviceFuzzTest(listenerId);
616 OHOS::BroadcastSetLpAdvParamFuzzTest();
617 OHOS::SetBroadcastingParamFuzzTest(bcId, data, size);
618 OHOS::GetScanFilterFuzzTest(listenerId);
619 OHOS::QueryBroadcastStatusFuzzTest(bcId);
620 OHOS::BtStatusToSoftBusFuzzTest();
621 OHOS::SoftbusAdvParamToBtFuzzTest();
622 OHOS::BtScanResultToSoftbusFuzzTest();
623 OHOS::GetBtScanModeFuzzTest();
624 OHOS::AssembleAdvDataFuzzTest();
625 OHOS::AssembleRspDataFuzzTest();
626 OHOS::ParseScanResultFuzzTest();
627 OHOS::DumpSoftbusAdapterDataFuzzTest();
628
629 UnRegisterScanListener(listenerId);
630 UnRegisterBroadcaster(bcId);
631 DeInitBroadcastMgr();
632 return 0;
633 }
634