1 /*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "transserverproxyextern_fuzzer.h"
17
18 #include <chrono>
19 #include <fuzzer/FuzzedDataProvider.h>
20 #include <thread>
21 #include "securec.h"
22
23 #include "fuzz_data_generator.h"
24 #include "softbus_adapter_mem.h"
25 #include "trans_server_proxy.h"
26
27 #define LOOP_SLEEP_MILLS 100
28
29 namespace OHOS {
30 class TransServerProxyExternTestEnv {
31 public:
TransServerProxyExternTestEnv()32 TransServerProxyExternTestEnv()
33 {
34 isInited_ = false;
35 (void)TransServerProxyInit();
36 isInited_ = true;
37 }
38
~TransServerProxyExternTestEnv()39 ~TransServerProxyExternTestEnv()
40 {
41 isInited_ = false;
42 TransServerProxyDeInit();
43 }
44
IsInited(void) const45 bool IsInited(void) const
46 {
47 return isInited_;
48 }
49
50 private:
51 volatile bool isInited_;
52 };
53
TransServerProxyDeInitTest(const uint8_t * data,size_t size)54 void TransServerProxyDeInitTest(const uint8_t *data, size_t size)
55 {
56 (void)data;
57 (void)size;
58 TransServerProxyDeInit();
59 }
60
TestDataSwitch(const uint8_t * data,size_t size)61 static uint8_t *TestDataSwitch(const uint8_t *data, size_t size)
62 {
63 if (data == nullptr || size < sizeof(int32_t)) {
64 return nullptr;
65 }
66 uint8_t *dataWithEndCharacter = static_cast<uint8_t *>(SoftBusCalloc(size + 1));
67 if (dataWithEndCharacter == nullptr) {
68 return nullptr;
69 }
70 if (memcpy_s(dataWithEndCharacter, size, data, size) != EOK) {
71 SoftBusFree(dataWithEndCharacter);
72 return nullptr;
73 }
74 return dataWithEndCharacter;
75 }
76
ServerIpcCreateSessionServerTest(const uint8_t * data,size_t size)77 void ServerIpcCreateSessionServerTest(const uint8_t *data, size_t size)
78 {
79 uint8_t *dataWithEndCharacter = TestDataSwitch(data, size);
80 if (dataWithEndCharacter == nullptr) {
81 return;
82 }
83 char *pkgName = const_cast<char *>(reinterpret_cast<const char *>(dataWithEndCharacter));
84 char *sessionName = const_cast<char *>(reinterpret_cast<const char *>(dataWithEndCharacter));
85
86 (void)ServerIpcCreateSessionServer(pkgName, sessionName, 1);
87 (void)ServerIpcCreateSessionServer(nullptr, sessionName, 1);
88 (void)ServerIpcCreateSessionServer(pkgName, nullptr, 1);
89 (void)ServerIpcCreateSessionServer(nullptr, nullptr, 1);
90 SoftBusFree(dataWithEndCharacter);
91 }
92
ServerIpcRemoveSessionServerTest(const uint8_t * data,size_t size)93 void ServerIpcRemoveSessionServerTest(const uint8_t *data, size_t size)
94 {
95 uint8_t *dataWithEndCharacter = TestDataSwitch(data, size);
96 if (dataWithEndCharacter == nullptr) {
97 return;
98 }
99 char *pkgName = const_cast<char *>(reinterpret_cast<const char *>(dataWithEndCharacter));
100 char *sessionName = const_cast<char *>(reinterpret_cast<const char *>(dataWithEndCharacter));
101
102 (void)ServerIpcRemoveSessionServer(pkgName, sessionName, 1);
103 (void)ServerIpcRemoveSessionServer(nullptr, sessionName, 1);
104 (void)ServerIpcRemoveSessionServer(pkgName, nullptr, 1);
105 (void)ServerIpcRemoveSessionServer(nullptr, nullptr, 1);
106 SoftBusFree(dataWithEndCharacter);
107 }
108
InitSessionAttribute(const uint8_t * data,size_t size,SessionAttribute * sessionAttr)109 static void InitSessionAttribute(const uint8_t *data, size_t size, SessionAttribute *sessionAttr)
110 {
111 DataGenerator::Write(data, size);
112 GenerateInt32(sessionAttr->dataType);
113 GenerateInt32(sessionAttr->attr.streamAttr.streamType);
114 DataGenerator::Clear();
115 }
116
InitSessionParam(const uint8_t * data,size_t size,SessionParam * sessionParam,SessionAttribute * sessionAttr)117 static void InitSessionParam(
118 const uint8_t *data, size_t size, SessionParam *sessionParam, SessionAttribute *sessionAttr)
119 {
120 bool boolParam = (size % 2 == 0) ? true : false;
121 char *charParam = boolParam ? const_cast<char *>(reinterpret_cast<const char *>(data)) : nullptr;
122
123 sessionParam->sessionName = charParam;
124 sessionParam->peerSessionName = charParam;
125 sessionParam->peerDeviceId = charParam;
126 sessionParam->groupId = charParam;
127 sessionParam->attr = sessionAttr;
128 DataGenerator::Write(data, size);
129 sessionParam->sessionId = 0;
130 GenerateInt32(sessionParam->sessionId);
131 DataGenerator::Clear();
132 sessionParam->isQosLane = boolParam;
133 sessionParam->isAsync = boolParam;
134 }
135
ServerIpcOpenSessionTest(const uint8_t * data,size_t size)136 void ServerIpcOpenSessionTest(const uint8_t *data, size_t size)
137 {
138 uint8_t *dataWithEndCharacter = TestDataSwitch(data, size);
139 if (dataWithEndCharacter == nullptr) {
140 return;
141 }
142 DataGenerator::Write(data, size);
143 TransInfo transInfo = { 0 };
144 GenerateInt32(transInfo.channelId);
145 GenerateInt32(transInfo.channelType);
146 DataGenerator::Clear();
147
148 SessionAttribute sessionAttr = { 0 };
149 InitSessionAttribute(dataWithEndCharacter, size, &sessionAttr);
150
151 SessionParam sessionParam = { 0 };
152 InitSessionParam(dataWithEndCharacter, size, &sessionParam, &sessionAttr);
153
154 (void)ServerIpcOpenSession(&sessionParam, &transInfo);
155 SoftBusFree(dataWithEndCharacter);
156 }
157
ServerIpcOpenAuthSessionTest(const uint8_t * data,size_t size)158 void ServerIpcOpenAuthSessionTest(const uint8_t *data, size_t size)
159 {
160 uint8_t *dataWithEndCharacter = TestDataSwitch(data, size);
161 if (dataWithEndCharacter == nullptr) {
162 return;
163 }
164 char *sessionName = const_cast<char *>(reinterpret_cast<const char *>(dataWithEndCharacter));
165 ConnectionAddr connectionAddr;
166 connectionAddr.type = CONNECTION_ADDR_SESSION;
167 DataGenerator::Write(data, size);
168 connectionAddr.info.session.sessionId = 0;
169 connectionAddr.info.session.channelId = 0;
170 connectionAddr.info.session.type = 0;
171 GenerateInt32(connectionAddr.info.session.sessionId);
172 GenerateInt32(connectionAddr.info.session.channelId);
173 GenerateInt32(connectionAddr.info.session.type);
174 (void)ServerIpcOpenAuthSession(sessionName, &connectionAddr);
175 (void)ServerIpcOpenAuthSession(nullptr, &connectionAddr);
176 (void)ServerIpcOpenAuthSession(sessionName, nullptr);
177 (void)ServerIpcOpenAuthSession(nullptr, nullptr);
178 SoftBusFree(dataWithEndCharacter);
179 DataGenerator::Clear();
180 }
181
ServerIpcNotifyAuthSuccessTest(const uint8_t * data,size_t size)182 void ServerIpcNotifyAuthSuccessTest(const uint8_t *data, size_t size)
183 {
184 if (data == nullptr || size < sizeof(int32_t)) {
185 return;
186 }
187 DataGenerator::Write(data, size);
188 int32_t channelId = 0;
189 int32_t channelType = 0;
190 GenerateInt32(channelId);
191 GenerateInt32(channelType);
192
193 (void)ServerIpcNotifyAuthSuccess(channelId, channelType);
194 DataGenerator::Clear();
195 }
196
ServerIpcCloseChannelTest(const uint8_t * data,size_t size)197 void ServerIpcCloseChannelTest(const uint8_t *data, size_t size)
198 {
199 uint8_t *dataWithEndCharacter = TestDataSwitch(data, size);
200 if (dataWithEndCharacter == nullptr) {
201 return;
202 }
203 char *sessionName = const_cast<char *>(reinterpret_cast<const char *>(dataWithEndCharacter));
204 DataGenerator::Write(data, size);
205 int32_t channelId = 0;
206 int32_t channelType = 0;
207 GenerateInt32(channelId);
208 GenerateInt32(channelType);
209
210 (void)ServerIpcCloseChannel(sessionName, channelId, channelType);
211 SoftBusFree(dataWithEndCharacter);
212 DataGenerator::Clear();
213 }
214
ServerIpcCloseChannelWithStatisticsTest(const uint8_t * data,size_t size)215 void ServerIpcCloseChannelWithStatisticsTest(const uint8_t *data, size_t size)
216 {
217 if (data == nullptr || size < sizeof(uint64_t)) {
218 return;
219 }
220
221 DataGenerator::Write(data, size);
222 int32_t channelId = 0;
223 int32_t channelType = 0;
224 uint64_t laneId = 0;
225 GenerateInt32(channelId);
226 GenerateInt32(channelType);
227 GenerateUint64(laneId);
228
229 (void)ServerIpcCloseChannelWithStatistics(channelId, channelType, laneId, data, size);
230 DataGenerator::Clear();
231 }
232
ServerIpcReleaseResourcesTest(const uint8_t * data,size_t size)233 void ServerIpcReleaseResourcesTest(const uint8_t *data, size_t size)
234 {
235 if (data == nullptr || size < sizeof(int32_t)) {
236 return;
237 }
238 DataGenerator::Write(data, size);
239 int32_t channelId = 0;
240 GenerateInt32(channelId);
241
242 (void)ServerIpcReleaseResources(channelId);
243 DataGenerator::Clear();
244 }
245
ServerIpcSendMessageTest(const uint8_t * data,size_t size)246 void ServerIpcSendMessageTest(const uint8_t *data, size_t size)
247 {
248 if (data == nullptr || size < sizeof(int32_t)) {
249 return;
250 }
251
252 DataGenerator::Write(data, size);
253 int32_t channelId = 0;
254 int32_t channelType = 0;
255 int32_t msgType = 0;
256 GenerateInt32(channelId);
257 GenerateInt32(channelType);
258 GenerateInt32(msgType);
259
260 (void)ServerIpcSendMessage(channelId, channelType, data, size, msgType);
261 DataGenerator::Clear();
262 }
263
ServerIpcQosReportTest(const uint8_t * data,size_t size)264 void ServerIpcQosReportTest(const uint8_t *data, size_t size)
265 {
266 if (data == nullptr || size < sizeof(int32_t)) {
267 return;
268 }
269
270 DataGenerator::Write(data, size);
271 int32_t channelId = 0;
272 int32_t channelType = 0;
273 int32_t appType = 0;
274 int32_t quality = 0;
275 GenerateInt32(channelId);
276 GenerateInt32(channelType);
277 GenerateInt32(appType);
278 GenerateInt32(quality);
279
280 (void)ServerIpcQosReport(channelId, channelType, appType, quality);
281 DataGenerator::Clear();
282 }
283
ServerIpcStreamStatsTest(const uint8_t * data,size_t size)284 void ServerIpcStreamStatsTest(const uint8_t *data, size_t size)
285 {
286 if (data == nullptr || size < sizeof(uint32_t)) {
287 return;
288 }
289 DataGenerator::Write(data, size);
290 int32_t channelId = 0;
291 int32_t channelType = 0;
292 StreamSendStats streamSendStats;
293 GenerateInt32(channelId);
294 GenerateInt32(channelType);
295 GenerateUint32(streamSendStats.costTimeStatsCnt[FRAME_COST_LT10MS]);
296 GenerateUint32(streamSendStats.sendBitRateStatsCnt[FRAME_BIT_RATE_LT3M]);
297 (void)ServerIpcStreamStats(channelId, channelType, &streamSendStats);
298 DataGenerator::Clear();
299 }
300
ServerIpcRippleStatsTest(const uint8_t * data,size_t size)301 void ServerIpcRippleStatsTest(const uint8_t *data, size_t size)
302 {
303 if (data == nullptr || size < sizeof(int32_t)) {
304 return;
305 }
306 DataGenerator::Write(data, size);
307 int32_t channelId = 0;
308 int32_t channelType = 0;
309 GenerateInt32(channelId);
310 GenerateInt32(channelType);
311 TrafficStats trafficStats;
312 trafficStats.stats[0] = 't';
313 trafficStats.stats[1] = 'e';
314 (void)ServerIpcRippleStats(channelId, channelType, &trafficStats);
315 DataGenerator::Clear();
316 }
317
ServerIpcGrantPermissionTest(const uint8_t * data,size_t size)318 void ServerIpcGrantPermissionTest(const uint8_t *data, size_t size)
319 {
320 uint8_t *dataWithEndCharacter = TestDataSwitch(data, size);
321 if (dataWithEndCharacter == nullptr) {
322 return;
323 }
324 DataGenerator::Write(data, size);
325 int32_t uid = 0;
326 int32_t pid = 0;
327 GenerateInt32(uid);
328 GenerateInt32(pid);
329 char *sessionName = const_cast<char *>(reinterpret_cast<const char *>(dataWithEndCharacter));
330
331 (void)ServerIpcGrantPermission(uid, pid, sessionName);
332 (void)ServerIpcGrantPermission(uid, pid, nullptr);
333 SoftBusFree(dataWithEndCharacter);
334 DataGenerator::Clear();
335 }
336
ServerIpcRemovePermissionTest(const uint8_t * data,size_t size)337 void ServerIpcRemovePermissionTest(const uint8_t *data, size_t size)
338 {
339 uint8_t *dataWithEndCharacter = TestDataSwitch(data, size);
340 if (dataWithEndCharacter == nullptr) {
341 return;
342 }
343 char *sessionName = const_cast<char *>(reinterpret_cast<const char *>(dataWithEndCharacter));
344
345 (void)ServerIpcRemovePermission(sessionName);
346 (void)ServerIpcRemovePermission(nullptr);
347 SoftBusFree(dataWithEndCharacter);
348 }
349
ServerIpcEvaluateQosTest(const uint8_t * data,size_t size)350 void ServerIpcEvaluateQosTest(const uint8_t *data, size_t size)
351 {
352 uint8_t *dataWithEndCharacter = TestDataSwitch(data, size);
353 if (dataWithEndCharacter == nullptr) {
354 return;
355 }
356 char *peerNetworkId = const_cast<char *>(reinterpret_cast<const char *>(dataWithEndCharacter));
357 TransDataType dataType = *(reinterpret_cast<const TransDataType *>(dataWithEndCharacter));
358 QosTV qosTv = {
359 .qos = *(reinterpret_cast<const QosType *>(dataWithEndCharacter)),
360 };
361 DataGenerator::Write(data, size);
362 GenerateInt32(qosTv.value);
363 uint32_t qosCount = 1;
364
365 (void)ServerIpcEvaluateQos(peerNetworkId, dataType, &qosTv, qosCount);
366 (void)ServerIpcEvaluateQos(nullptr, dataType, &qosTv, qosCount);
367 SoftBusFree(dataWithEndCharacter);
368 DataGenerator::Clear();
369 }
370
ServerIpcNotifyAuthSuccessTest(FuzzedDataProvider & provider)371 void ServerIpcNotifyAuthSuccessTest(FuzzedDataProvider &provider)
372 {
373 int32_t channelId = provider.ConsumeIntegral<int32_t>();
374 int32_t channelType = provider.ConsumeIntegral<int32_t>();
375
376 (void)ServerIpcNotifyAuthSuccess(channelId, channelType);
377 }
378
ServerIpcPrivilegeCloseChannelTest(FuzzedDataProvider & provider)379 void ServerIpcPrivilegeCloseChannelTest(FuzzedDataProvider &provider)
380 {
381 uint64_t tokenId = provider.ConsumeIntegral<uint64_t>();
382 int32_t pid = provider.ConsumeIntegral<int32_t>();
383 std::string providerData = provider.ConsumeBytesAsString(UINT8_MAX - 1);
384 char peerNetworkId[UINT8_MAX] = { 0 };
385 if (strcpy_s(peerNetworkId, UINT8_MAX, providerData.c_str()) != EOK) {
386 return;
387 }
388
389 (void)ServerIpcPrivilegeCloseChannel(tokenId, pid, peerNetworkId);
390 (void)ServerIpcPrivilegeCloseChannel(tokenId, pid, nullptr);
391 }
392
ServerIpcOpenBrProxyTest(FuzzedDataProvider & provider)393 void ServerIpcOpenBrProxyTest(FuzzedDataProvider &provider)
394 {
395 std::string providerData = provider.ConsumeBytesAsString(UINT8_MAX - 1);
396 char brMac[UINT8_MAX] = { 0 };
397 if (strcpy_s(brMac, UINT8_MAX, providerData.c_str()) != EOK) {
398 return;
399 }
400 providerData = provider.ConsumeBytesAsString(UINT8_MAX - 1);
401 char uuid[UINT8_MAX] = { 0 };
402 if (strcpy_s(uuid, UINT8_MAX, providerData.c_str()) != EOK) {
403 return;
404 }
405
406 (void)ServerIpcOpenBrProxy(brMac, uuid);
407 (void)ServerIpcOpenBrProxy(brMac, nullptr);
408 (void)ServerIpcOpenBrProxy(nullptr, uuid);
409 }
410
ServerIpcCloseBrProxyTest(FuzzedDataProvider & provider)411 void ServerIpcCloseBrProxyTest(FuzzedDataProvider &provider)
412 {
413 int32_t channelId = provider.ConsumeIntegral<int32_t>();
414
415 (void)ServerIpcCloseBrProxy(channelId);
416 }
417
ServerIpcSendBrProxyDataTest(FuzzedDataProvider & provider)418 void ServerIpcSendBrProxyDataTest(FuzzedDataProvider &provider)
419 {
420 int32_t channelId = provider.ConsumeIntegral<int32_t>();
421 uint32_t dataLen = provider.ConsumeIntegral<uint32_t>();
422 std::string providerData = provider.ConsumeBytesAsString(UINT8_MAX - 1);
423 char data[UINT8_MAX] = { 0 };
424 if (strcpy_s(data, UINT8_MAX, providerData.c_str()) != EOK) {
425 return;
426 }
427
428 (void)ServerIpcSendBrProxyData(channelId, data, dataLen);
429 }
430
ServerIpcSetListenerStateTest(FuzzedDataProvider & provider)431 void ServerIpcSetListenerStateTest(FuzzedDataProvider &provider)
432 {
433 int32_t channelId = provider.ConsumeIntegral<int32_t>();
434 int32_t type = provider.ConsumeIntegral<int32_t>();
435 bool CbEnabled = provider.ConsumeIntegral<bool>();
436
437 (void)ServerIpcSetListenerState(channelId, type, CbEnabled);
438 }
439
ServerIpcIsProxyChannelEnabledTest(FuzzedDataProvider & provider)440 void ServerIpcIsProxyChannelEnabledTest(FuzzedDataProvider &provider)
441 {
442 int32_t uid = provider.ConsumeIntegral<int32_t>();
443 bool isEnable = provider.ConsumeIntegral<bool>();
444
445 (void)ServerIpcIsProxyChannelEnabled(uid, &isEnable);
446 }
447
ServerIpcRegisterPushHookTest()448 void ServerIpcRegisterPushHookTest()
449 {
450 ServerIpcRegisterPushHook();
451 TransServerProxyClear();
452 }
453 } // namespace OHOS
454
455 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)456 extern "C" int32_t LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
457 {
458 static OHOS::TransServerProxyExternTestEnv env;
459 if (!env.IsInited()) {
460 return 0;
461 }
462
463 /* Run your code on data */
464 FuzzedDataProvider provider(data, size);
465 OHOS::TransServerProxyDeInitTest(data, size);
466 OHOS::ServerIpcCreateSessionServerTest(data, size);
467 OHOS::ServerIpcRemoveSessionServerTest(data, size);
468 OHOS::ServerIpcOpenSessionTest(data, size);
469 OHOS::ServerIpcOpenAuthSessionTest(data, size);
470 OHOS::ServerIpcCloseChannelTest(data, size);
471 OHOS::ServerIpcCloseChannelWithStatisticsTest(data, size);
472 OHOS::ServerIpcReleaseResourcesTest(data, size);
473 OHOS::ServerIpcSendMessageTest(data, size);
474 OHOS::ServerIpcQosReportTest(data, size);
475 OHOS::ServerIpcStreamStatsTest(data, size);
476 OHOS::ServerIpcRippleStatsTest(data, size);
477 OHOS::ServerIpcGrantPermissionTest(data, size);
478 OHOS::ServerIpcRemovePermissionTest(data, size);
479 OHOS::ServerIpcEvaluateQosTest(data, size);
480 OHOS::ServerIpcNotifyAuthSuccessTest(provider);
481 OHOS::ServerIpcPrivilegeCloseChannelTest(provider);
482 OHOS::ServerIpcOpenBrProxyTest(provider);
483 OHOS::ServerIpcCloseBrProxyTest(provider);
484 OHOS::ServerIpcSendBrProxyDataTest(provider);
485 OHOS::ServerIpcSetListenerStateTest(provider);
486 OHOS::ServerIpcIsProxyChannelEnabledTest(provider);
487 OHOS::ServerIpcRegisterPushHookTest();
488 std::this_thread::sleep_for(std::chrono::milliseconds(LOOP_SLEEP_MILLS));
489 return 0;
490 }
491