1 /*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17
#include <fuzzer/FuzzedDataProvider.h>

#include <cstddef>
#include <cstdint>
#include <iterator>
#include <memory>
#include <string>

#include "btcore/include/property.h"
#include "types/bluetooth/uuid.h"
#include "types/raw_address.h"
23
// File-local alias so the UUID helpers below can be spelled as plain Uuid
// (the type comes from the types/bluetooth/uuid.h include).
using Uuid = bluetooth::Uuid;
25
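// Upper bound on the device-name string carved out of the fuzz input; the
// provider may hand back fewer bytes than this. Declared as size_t because that
// is the parameter type of FuzzedDataProvider::ConsumeRandomLengthString, which
// avoids the signed-to-unsigned conversion the previous int32_t incurred.
constexpr size_t kRandomStringLength = 256;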
27
// Harness that drives the btcore property API (the property_new_* /
// property_as_* / property_copy / property_free family) from libFuzzer input.
class BTCorePropertyFuzzer {
 public:
  // Consumes one fuzz input of |size| bytes at |data|, building several
  // property kinds from it and reading each one back.
  void process(const uint8_t* data, size_t size);

 private:
  // Provider over the current input. Default-constructed to null; process()
  // replaces it on every call.
  std::unique_ptr<FuzzedDataProvider> mFdp;
};
35
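// Feeds one libFuzzer input through the btcore property API. Each property
// kind is built with its property_new_* constructor from values carved out of
// |data|, read back through the matching property_as_* accessor, and released
// with property_free(); the final step also exercises property_copy().
//
// The two enum-typed inputs (device type, scan mode) are produced by casting a
// full 32-bit value, so values outside the enumerator set reach
// property_new_device_type()/property_new_scan_mode() as well as valid ones.
//
// |data|/|size|: raw fuzz input. A fresh FuzzedDataProvider over it is stored
// in mFdp, replacing the one from the previous call. Nothing is returned;
// defects in the library surface as crashes or sanitizer reports.
void BTCorePropertyFuzzer::process(const uint8_t* data, size_t size) {
  mFdp = std::make_unique<FuzzedDataProvider>(data, size);

  // Address property. The buffer is zero-initialised because ConsumeData()
  // copies at most the bytes still available: on a short input the tail would
  // otherwise be stack garbage, making the run non-reproducible and inviting
  // use-of-uninitialized reports that point at the harness, not the library.
  uint8_t addr[RawAddress::kLength] = {};
  mFdp->ConsumeData(addr, sizeof(addr));
  RawAddress btAddress = {addr};
  bt_property_t* property = property_new_addr(&btAddress);
  (void)property_as_addr(property);
  property_free(property);

  // Device-class property. A braced-init-list evaluates left to right, so the
  // three bytes are consumed in input order.
  bt_device_class_t deviceClass = {{mFdp->ConsumeIntegral<uint8_t>(),
                                    mFdp->ConsumeIntegral<uint8_t>(),
                                    mFdp->ConsumeIntegral<uint8_t>()}};
  property = property_new_device_class(&deviceClass);
  const bt_device_class_t* pDeviceClass = property_as_device_class(property);
  (void)device_class_to_int(pDeviceClass);
  property_free(property);

  // Device-type property (enum from an arbitrary 32-bit value, see above).
  const bt_device_type_t deviceType =
      static_cast<bt_device_type_t>(mFdp->ConsumeIntegral<uint32_t>());
  property = property_new_device_type(deviceType);
  (void)property_as_device_type(property);
  property_free(property);

  // Discoverable-timeout property.
  const uint32_t timeout = mFdp->ConsumeIntegral<uint32_t>();
  property = property_new_discoverable_timeout(timeout);
  (void)property_as_discoverable_timeout(property);
  property_free(property);

  // Name property. The provider may return fewer than kRandomStringLength
  // bytes and may embed NUL bytes; property_new_name() receives the result as
  // a C string, so anything after an embedded NUL never reaches it.
  const std::string name =
      mFdp->ConsumeRandomLengthString(kRandomStringLength);
  property = property_new_name(name.c_str());
  (void)property_as_name(property);
  property_free(property);

  // RSSI property.
  const int8_t rssi = mFdp->ConsumeIntegral<int8_t>();
  property = property_new_rssi(rssi);
  (void)property_as_rssi(property);
  property_free(property);

  // Scan-mode property (enum from an arbitrary 32-bit value, see above).
  const bt_scan_mode_t mode =
      static_cast<bt_scan_mode_t>(mFdp->ConsumeIntegral<uint32_t>());
  property = property_new_scan_mode(mode);
  (void)property_as_scan_mode(property);
  property_free(property);

  // Single-UUID property. Zero-initialised for the same reason as |addr|.
  uint8_t uuidBeBytes[Uuid::kNumBytes128] = {};
  mFdp->ConsumeData(uuidBeBytes, sizeof(uuidBeBytes));
  Uuid uuidBE = Uuid::From128BitBE(uuidBeBytes);
  property = property_new_uuids(&uuidBE, 1);
  size_t uuidCount = 0;  // defined even if the accessor leaves it untouched
  (void)property_as_uuids(property, &uuidCount);
  property_free(property);

  // Two-UUID property plus property_copy(). A separate zeroed buffer (instead
  // of reusing |uuidBeBytes|) keeps the LE UUID fully defined when the input
  // ran out above.
  uint8_t uuidLeBytes[Uuid::kNumBytes128] = {};
  mFdp->ConsumeData(uuidLeBytes, sizeof(uuidLeBytes));
  Uuid uuidLE = Uuid::From128BitLE(uuidLeBytes);
  Uuid uuids[] = {uuidBE, uuidLE};
  bt_property_t* propertySrc = property_new_uuids(uuids, std::size(uuids));
  bt_property_t propertyDest = {};
  (void)property_copy(&propertyDest, propertySrc);
  // NOTE(review): whether property_copy() shares propertySrc's value buffer or
  // duplicates it is not visible here. propertyDest is deliberately never read
  // after the free below, so a shared buffer cannot be used after free; if it
  // is a deep copy, the duplicate would need its own release — confirm against
  // btcore's property implementation.
  property_free(propertySrc);
}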
97
// libFuzzer entry point, invoked once per generated input. A fresh harness is
// constructed for every call so no state carries over between inputs, and the
// function always returns 0 (libFuzzer reserves non-zero values).
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  BTCorePropertyFuzzer{}.process(data, size);
  return 0;
}
103