1 /*
2 * Copyright (c) 2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "blesendmanager_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <cstring>
21 #include <fuzzer/FuzzedDataProvider.h>
22 #include <string>
23
24 #define private public
25 #include "ble_send_manager.h"
26 #undef private
27 #include "mechbody_controller_log.h"
28 #include "securec.h"
29
30 namespace OHOS {
31 using namespace OHOS::MechBodyController;
32 using namespace OHOS::Bluetooth;
33 namespace {
34 const std::string TAG = "BleSendManager";
35 const std::string TARGET_DEVICE_NAME = "";
36 std::unique_ptr<std::thread> delayThread;
37
38 UUID SERVICE_UUID = UUID::FromString("15f1e600-a277-43fc-a484-dd39ef8a9100"); // GATT Service uuid
39 UUID MECHBODY_CHARACTERISTIC_WRITE_UUID = UUID::FromString("15f1e602-a277-43fc-a484-dd39ef8a9100"); // write uuid
40 UUID MECHBODY_CHARACTERISTIC_NOTIFY_UUID = UUID::FromString("15f1e603-a277-43fc-a484-dd39ef8a9100"); // notify uuid
41 BleSendManager& bleSendManager = BleSendManager::GetInstance();
42 }
43
OnConnectionStateChangedFuzzTest(const uint8_t * data,size_t size)44 void OnConnectionStateChangedFuzzTest(const uint8_t *data, size_t size)
45 {
46 if ((data == nullptr) || (size == 0)) {
47 return;
48 }
49
50 FuzzedDataProvider fdp(data, size);
51 int connectionState = fdp.ConsumeIntegral<int>();
52 int ret = fdp.ConsumeIntegral<int>();
53 std::string address = fdp.ConsumeRandomLengthString();
54 BluetoothRemoteDevice device(address, 1);
55 BleSendManager& bleSendManager = BleSendManager::GetInstance();
56 bleSendManager.gattClient_ = std::make_shared<GattClient>(device);
57
58 auto bleGattClientCallBack = std::make_shared<BleGattClientCallback>();
59 if (bleGattClientCallBack == nullptr) {
60 return;
61 }
62 bleGattClientCallBack->OnConnectionStateChanged(connectionState, ret);
63 }
64
OnServicesDiscoveredFuzzTest(const uint8_t * data,size_t size)65 void OnServicesDiscoveredFuzzTest(const uint8_t *data, size_t size)
66 {
67 if ((data == nullptr) || (size == 0)) {
68 return;
69 }
70
71 FuzzedDataProvider fdp(data, size);
72 int status = fdp.ConsumeIntegral<int>();
73 std::string address = fdp.ConsumeRandomLengthString();
74 BluetoothRemoteDevice device(address, 1);
75 BleSendManager& bleSendManager = BleSendManager::GetInstance();
76 bleSendManager.gattClient_ = std::make_shared<GattClient>(device);
77
78 auto bleGattClientCallBack = std::make_shared<BleGattClientCallback>();
79 if (bleGattClientCallBack == nullptr) {
80 return;
81 }
82 bleGattClientCallBack->OnServicesDiscovered(status);
83 }
84
OnSetNotifyCharacteristicFuzzTest(const uint8_t * data,size_t size)85 void OnSetNotifyCharacteristicFuzzTest(const uint8_t *data, size_t size)
86 {
87 if ((data == nullptr) || (size == 0)) {
88 return;
89 }
90
91 FuzzedDataProvider fdp(data, size);
92 BleSendManager& bleSendManager = BleSendManager::GetInstance();
93 int status = fdp.ConsumeIntegral<int>();
94 std::string address = fdp.ConsumeRandomLengthString();
95 bleSendManager.handle_ = fdp.ConsumeIntegral<uint16_t>();
96 bleSendManager.permissions_ = fdp.ConsumeIntegral<int32_t>();
97 bleSendManager.properties_ = fdp.ConsumeIntegral<int32_t>();
98 BluetoothRemoteDevice device(address, 1);
99 bleSendManager.gattClient_ = std::make_shared<GattClient>(device);
100 GattCharacteristic characteristic = GattCharacteristic(MECHBODY_CHARACTERISTIC_WRITE_UUID,
101 bleSendManager.handle_, bleSendManager.permissions_, bleSendManager.properties_);
102
103 auto bleGattClientCallBack = std::make_shared<BleGattClientCallback>();
104 if (bleGattClientCallBack == nullptr) {
105 return;
106 }
107 bleGattClientCallBack->OnSetNotifyCharacteristic(characteristic, status);
108 }
109
OnCharacteristicChangedFuzzTest(const uint8_t * data,size_t size)110 void OnCharacteristicChangedFuzzTest(const uint8_t *data, size_t size)
111 {
112 if ((data == nullptr) || (size == 0)) {
113 return;
114 }
115
116 FuzzedDataProvider fdp(data, size);
117 BleSendManager& bleSendManager = BleSendManager::GetInstance();
118 bleSendManager.handle_ = fdp.ConsumeIntegral<uint16_t>();
119 bleSendManager.permissions_ = fdp.ConsumeIntegral<int32_t>();
120 bleSendManager.properties_ = fdp.ConsumeIntegral<int32_t>();
121 GattCharacteristic characteristic = GattCharacteristic(MECHBODY_CHARACTERISTIC_WRITE_UUID,
122 bleSendManager.handle_, bleSendManager.permissions_, bleSendManager.properties_);
123
124 auto bleGattClientCallBack = std::make_shared<BleGattClientCallback>();
125 if (bleGattClientCallBack == nullptr) {
126 return;
127 }
128 bleGattClientCallBack->OnCharacteristicChanged(characteristic);
129 }
130
OnCharacteristicWriteResultFuzzTest(const uint8_t * data,size_t size)131 void OnCharacteristicWriteResultFuzzTest(const uint8_t *data, size_t size)
132 {
133 if ((data == nullptr) || (size == 0)) {
134 return;
135 }
136
137 FuzzedDataProvider fdp(data, size);
138 BleSendManager& bleSendManager = BleSendManager::GetInstance();
139 bleSendManager.handle_ = fdp.ConsumeIntegral<uint16_t>();
140 bleSendManager.permissions_ = fdp.ConsumeIntegral<int32_t>();
141 bleSendManager.properties_ = fdp.ConsumeIntegral<int32_t>();
142 int ret = fdp.ConsumeIntegral<int>();
143 GattCharacteristic characteristic = GattCharacteristic(MECHBODY_CHARACTERISTIC_WRITE_UUID,
144 bleSendManager.handle_, bleSendManager.permissions_, bleSendManager.properties_);
145
146 auto bleGattClientCallBack = std::make_shared<BleGattClientCallback>();
147 if (bleGattClientCallBack == nullptr) {
148 return;
149 }
150 bleGattClientCallBack->OnCharacteristicWriteResult(characteristic, ret);
151 }
152
OnReceiveFuzzTest(const uint8_t * data,size_t size)153 void OnReceiveFuzzTest(const uint8_t *data, size_t size)
154 {
155 if ((data == nullptr) || (size == 0)) {
156 return;
157 }
158
159 FuzzedDataProvider fdp(data, size);
160 uint8_t dataLen = fdp.ConsumeIntegral<uint8_t>();
161 uint8_t dataInput[dataLen];
162 for (uint8_t i = 0; i < dataLen; i++) {
163 dataInput[i] = fdp.ConsumeIntegral<uint8_t>();
164 }
165 uint8_t *dataInputPtr = dataInput;
166
167 BleSendManager& bleSendManager = BleSendManager::GetInstance();
168 bleSendManager.OnReceive(dataInputPtr, size);
169 }
170
OnGattReadyFuzzTest(const uint8_t * data,size_t size)171 void OnGattReadyFuzzTest(const uint8_t *data, size_t size)
172 {
173 if ((data == nullptr) || (size == 0)) {
174 return;
175 }
176
177 BleSendManager& bleSendManager = BleSendManager::GetInstance();
178 MechInfo mechInfo;
179 FuzzedDataProvider fdp(data, size);
180 std::string macHash = fdp.ConsumeRandomLengthString();
181 std::string mechName = fdp.ConsumeRandomLengthString();
182 mechInfo.mechName = mechName;
183 bleSendManager.OnGattReady(mechInfo);
184 }
185
OnScanCallbackFuzzTest(const uint8_t * data,size_t size)186 void OnScanCallbackFuzzTest(const uint8_t *data, size_t size)
187 {
188 if ((data == nullptr) || (size == 0)) {
189 return;
190 }
191
192 BleScanResult result;
193 FuzzedDataProvider fdp(data, size);
194 std::string name = fdp.ConsumeRandomLengthString();
195 result.name_ = name;
196
197 BleSendManager& bleSendManager = BleSendManager::GetInstance();
198 bleSendManager.OnScanCallback(result);
199 }
200
MechbodyGattcConnectFuzzTest(const uint8_t * data,size_t size)201 void MechbodyGattcConnectFuzzTest(const uint8_t *data, size_t size)
202 {
203 if ((data == nullptr) || (size == 0)) {
204 return;
205 }
206
207 FuzzedDataProvider fdp(data, size);
208 std::string mac = fdp.ConsumeRandomLengthString();
209 std::string deviceName = fdp.ConsumeRandomLengthString();
210
211 BleSendManager& bleSendManager = BleSendManager::GetInstance();
212 bleSendManager.MechbodyGattcConnect(mac, deviceName);
213 }
214
MechbodyGattcDisconnectFuzzTest(const uint8_t * data,size_t size)215 void MechbodyGattcDisconnectFuzzTest(const uint8_t *data, size_t size)
216 {
217 if ((data == nullptr) || (size == 0)) {
218 return;
219 }
220
221 FuzzedDataProvider fdp(data, size);
222 std::string address = fdp.ConsumeRandomLengthString();
223 BluetoothRemoteDevice device(address, 1);
224
225 BleSendManager& bleSendManager = BleSendManager::GetInstance();
226 MechInfo mechInfo;
227 bleSendManager.MechbodyGattcDisconnect(mechInfo);
228 bleSendManager.gattClient_ = std::make_shared<GattClient>(device);
229 bleSendManager.MechbodyGattcDisconnect(mechInfo);
230 }
231
MechbodyGattcWriteCharacteristicFuzzTest(const uint8_t * data,size_t size)232 void MechbodyGattcWriteCharacteristicFuzzTest(const uint8_t *data, size_t size)
233 {
234 if ((data == nullptr) || (size == 0)) {
235 return;
236 }
237
238 FuzzedDataProvider fdp(data, size);
239 uint32_t dataLen = fdp.ConsumeIntegral<uint8_t>();
240 uint8_t dataInput[dataLen];
241 for (uint32_t i = 0; i < dataLen; i++) {
242 dataInput[i] = fdp.ConsumeIntegral<uint8_t>();
243 }
244 uint8_t *dataInputPtr = dataInput;
245 std::string address = fdp.ConsumeRandomLengthString();
246 BluetoothRemoteDevice device(address, 1);
247
248 BleSendManager& bleSendManager = BleSendManager::GetInstance();
249 bleSendManager.gattClient_ = std::make_shared<GattClient>(device);
250 bleSendManager.MechbodyGattcWriteCharacteristic(dataInputPtr, dataLen);
251 bleSendManager.MechbodyGattcWriteCharacteristic(nullptr, dataLen);
252 }
253
SendDataFuzzTest(const uint8_t * data,size_t size)254 void SendDataFuzzTest(const uint8_t *data, size_t size)
255 {
256 if ((data == nullptr) || (size == 0)) {
257 return;
258 }
259
260 FuzzedDataProvider fdp(data, size);
261 uint32_t dataLen = fdp.ConsumeIntegral<uint8_t>();
262 uint8_t dataInput[dataLen];
263 for (uint32_t i = 0; i < dataLen; i++) {
264 dataInput[i] = fdp.ConsumeIntegral<uint8_t>();
265 }
266 uint8_t *dataInputPtr = dataInput;
267
268 BleSendManager& bleSendManager = BleSendManager::GetInstance();
269 bleSendManager.SendData(dataInputPtr, dataLen);
270 bleSendManager.SendData(nullptr, dataLen);
271 }
272
OnScanCallbackBleCentralManagerCallbackImplFuzzTest(const uint8_t * data,size_t size)273 void OnScanCallbackBleCentralManagerCallbackImplFuzzTest(const uint8_t *data, size_t size)
274 {
275 if ((data == nullptr) || (size == 0)) {
276 return;
277 }
278
279 BleScanResult result;
280 FuzzedDataProvider fdp(data, size);
281 std::string name = fdp.ConsumeRandomLengthString();
282 result.name_ = name;
283
284 std::shared_ptr<BleCentralManagerCallbackImpl> bleCentralManagerCallback =
285 std::make_shared<BleCentralManagerCallbackImpl>();
286 bleCentralManagerCallback->OnScanCallback(result);
287 }
288
OnGattDisconnectFuzzTest(const uint8_t * data,size_t size)289 void OnGattDisconnectFuzzTest(const uint8_t *data, size_t size)
290 {
291 if ((data == nullptr) || (size == 0)) {
292 return;
293 }
294
295 MechInfo mechInfo;
296 FuzzedDataProvider fdp(data, size);
297 std::string macHash = fdp.ConsumeRandomLengthString();
298 std::string mechName = fdp.ConsumeRandomLengthString();
299 mechInfo.mechName = mechName;
300
301 BleSendManager& bleSendManager = BleSendManager::GetInstance();
302 bleSendManager.OnGattDisconnect(mechInfo);
303 }
304 }
305
306 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)307 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
308 {
309 /* Run your code on data */
310 OHOS::OnConnectionStateChangedFuzzTest(data, size);
311 OHOS::OnServicesDiscoveredFuzzTest(data, size);
312 OHOS::OnSetNotifyCharacteristicFuzzTest(data, size);
313 OHOS::OnCharacteristicChangedFuzzTest(data, size);
314 OHOS::OnCharacteristicWriteResultFuzzTest(data, size);
315 OHOS::OnReceiveFuzzTest(data, size);
316 OHOS::OnGattReadyFuzzTest(data, size);
317 OHOS::OnScanCallbackFuzzTest(data, size);
318 OHOS::MechbodyGattcConnectFuzzTest(data, size);
319 OHOS::MechbodyGattcDisconnectFuzzTest(data, size);
320 OHOS::MechbodyGattcWriteCharacteristicFuzzTest(data, size);
321 OHOS::SendDataFuzzTest(data, size);
322 OHOS::OnScanCallbackBleCentralManagerCallbackImplFuzzTest(data, size);
323 OHOS::OnGattDisconnectFuzzTest(data, size);
324 return 0;
325 }