src/connectivity/bluetooth/core/bt-host/l2cap/bredr_dynamic_channel_registry_fuzztest.cc - fuchsia - Git at Google

 // Copyright 2020 The Fuchsia Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include <fuzzer/FuzzedDataProvider.h>
 #include <pw_async/fake_dispatcher.h>
 #include <pw_random/fuzzer.h>

 #include "src/connectivity/bluetooth/core/bt-host/public/pw_bluetooth_sapphire/internal/host/common/byte_buffer.h"
 #include "src/connectivity/bluetooth/core/bt-host/public/pw_bluetooth_sapphire/internal/host/hci-spec/protocol.h"
 #include "src/connectivity/bluetooth/core/bt-host/public/pw_bluetooth_sapphire/internal/host/l2cap/bredr_dynamic_channel.h"
 #include "src/connectivity/bluetooth/core/bt-host/public/pw_bluetooth_sapphire/internal/host/l2cap/bredr_signaling_channel.h"
 #include "src/connectivity/bluetooth/core/bt-host/public/pw_bluetooth_sapphire/internal/host/l2cap/fake_channel.h"

 constexpr static bt::hci_spec::ConnectionHandle kTestHandle = 0x0001;

 bt::l2cap::ChannelParameters ConsumeChannelParameters(
     FuzzedDataProvider& provider) {
   bt::l2cap::ChannelParameters params;

   bool use_defaults = provider.ConsumeBool();
   if (use_defaults) {
     return params;
   }

   params.mode = provider.ConsumeBool()
                     ? bt::l2cap::RetransmissionAndFlowControlMode::kBasic
                     : bt::l2cap::RetransmissionAndFlowControlMode::
                           kEnhancedRetransmission;
   params.max_rx_sdu_size = provider.ConsumeIntegral<uint16_t>();
   return params;
 }

 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   FuzzedDataProvider provider(data, size);
   pw::random::FuzzerRandomGenerator rng(&provider);
   bt::set_random_generator(&rng);

   // Dispatcher needed for signaling channel response timeout.
   pw::async::test::FakeDispatcher dispatcher;

   auto fake_chan = std::make_unique<bt::l2cap::testing::FakeChannel>(
       bt::l2cap::kSignalingChannelId,
       bt::l2cap::kSignalingChannelId,
       kTestHandle,
       bt::LinkType::kACL);

   bt::l2cap::internal::BrEdrSignalingChannel sig_chan(
       fake_chan->GetWeakPtr(),
       pw::bluetooth::emboss::ConnectionRole::CENTRAL,
       dispatcher);

   auto open_cb = [](auto chan) {};
   auto close_cb = [](auto chan) {};
   auto service_chan_cb = [](auto chan) {};

   auto service_cb = [&](auto psm) {
     // Reject some PSMs.
     if (provider.ConsumeBool()) {
       return std::optional<
           bt::l2cap::internal::DynamicChannelRegistry::ServiceInfo>();
     }

     auto params = ConsumeChannelParameters(provider);
     return std::optional(
         bt::l2cap::internal::DynamicChannelRegistry::ServiceInfo(
             params, service_chan_cb));
   };
   bt::l2cap::internal::BrEdrDynamicChannelRegistry registry(
       &sig_chan,
       close_cb,
       service_cb,
       /*random_channel_ids=*/true);

   while (provider.remaining_bytes() > 0) {
     // Receive an l2cap packet.
     uint16_t data_size = provider.ConsumeIntegral<uint16_t>();
     auto packet = provider.ConsumeBytes<uint8_t>(data_size);
     fake_chan->Receive(bt::BufferView(packet.data(), packet.size()));

     if (provider.ConsumeBool()) {
       registry.OpenOutbound(
           bt::l2cap::kAVDTP, ConsumeChannelParameters(provider), open_cb);
     }

     if (provider.ConsumeBool()) {
       dispatcher.RunFor(std::chrono::seconds(1));
     }
   }

   bt::set_random_generator(nullptr);
   return 0;
 }
	// Copyright 2020 The Fuchsia Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include <fuzzer/FuzzedDataProvider.h>
	#include <pw_async/fake_dispatcher.h>
	#include <pw_random/fuzzer.h>

	#include "src/connectivity/bluetooth/core/bt-host/public/pw_bluetooth_sapphire/internal/host/common/byte_buffer.h"
	#include "src/connectivity/bluetooth/core/bt-host/public/pw_bluetooth_sapphire/internal/host/hci-spec/protocol.h"
	#include "src/connectivity/bluetooth/core/bt-host/public/pw_bluetooth_sapphire/internal/host/l2cap/bredr_dynamic_channel.h"
	#include "src/connectivity/bluetooth/core/bt-host/public/pw_bluetooth_sapphire/internal/host/l2cap/bredr_signaling_channel.h"
	#include "src/connectivity/bluetooth/core/bt-host/public/pw_bluetooth_sapphire/internal/host/l2cap/fake_channel.h"

	constexpr static bt::hci_spec::ConnectionHandle kTestHandle = 0x0001;

	bt::l2cap::ChannelParameters ConsumeChannelParameters(
	FuzzedDataProvider& provider) {
	bt::l2cap::ChannelParameters params;

	bool use_defaults = provider.ConsumeBool();
	if (use_defaults) {
	return params;
	}

	params.mode = provider.ConsumeBool()
	? bt::l2cap::RetransmissionAndFlowControlMode::kBasic
	: bt::l2cap::RetransmissionAndFlowControlMode::
	kEnhancedRetransmission;
	params.max_rx_sdu_size = provider.ConsumeIntegral<uint16_t>();
	return params;
	}

	extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
	FuzzedDataProvider provider(data, size);
	pw::random::FuzzerRandomGenerator rng(&provider);
	bt::set_random_generator(&rng);

	// Dispatcher needed for signaling channel response timeout.
	pw::async::test::FakeDispatcher dispatcher;

	auto fake_chan = std::make_unique<bt::l2cap::testing::FakeChannel>(
	bt::l2cap::kSignalingChannelId,
	bt::l2cap::kSignalingChannelId,
	kTestHandle,
	bt::LinkType::kACL);

	bt::l2cap::internal::BrEdrSignalingChannel sig_chan(
	fake_chan->GetWeakPtr(),
	pw::bluetooth::emboss::ConnectionRole::CENTRAL,
	dispatcher);

	auto open_cb = [](auto chan) {};
	auto close_cb = [](auto chan) {};
	auto service_chan_cb = [](auto chan) {};

	auto service_cb = [&](auto psm) {
	// Reject some PSMs.
	if (provider.ConsumeBool()) {
	return std::optional<
	bt::l2cap::internal::DynamicChannelRegistry::ServiceInfo>();
	}

	auto params = ConsumeChannelParameters(provider);
	return std::optional(
	bt::l2cap::internal::DynamicChannelRegistry::ServiceInfo(
	params, service_chan_cb));
	};
	bt::l2cap::internal::BrEdrDynamicChannelRegistry registry(
	&sig_chan,
	close_cb,
	service_cb,
	/random_channel_ids=/true);

	while (provider.remaining_bytes() > 0) {
	// Receive an l2cap packet.
	uint16_t data_size = provider.ConsumeIntegral<uint16_t>();
	auto packet = provider.ConsumeBytes<uint8_t>(data_size);
	fake_chan->Receive(bt::BufferView(packet.data(), packet.size()));

	if (provider.ConsumeBool()) {
	registry.OpenOutbound(
	bt::l2cap::kAVDTP, ConsumeChannelParameters(provider), open_cb);
	}

	if (provider.ConsumeBool()) {
	dispatcher.RunFor(std::chrono::seconds(1));
	}
	}

	bt::set_random_generator(nullptr);
	return 0;
	}