1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
/*
* Copyright 2020 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef BT_STACK_FUZZ_A2DP_FUNCTIONS_H_
#define BT_STACK_FUZZ_A2DP_FUNCTIONS_H_
#include <fuzzer/FuzzedDataProvider.h>
#include <vector>
#include "a2dp_api.h"
#include "osi/include/allocator.h"
#include "raw_address.h"
#include "stack/a2dp/a2dp_int.h"
#include "fuzzers/a2dp/a2dpFuzzHelpers.h"
#include "fuzzers/common/commonFuzzHelpers.h"
#include "fuzzers/sdp/sdpFuzzFunctions.h"
#define MAX_STR_LEN 4096
/* This is a vector of lambda functions the fuzzer will pull from.
* This is done so new functions can be added to the fuzzer easily
* without requiring modifications to the main fuzzer file. This also
* allows multiple fuzzers to include this file, if functionality is needed.
*/
std::vector<std::function<void(FuzzedDataProvider*)>> a2dp_operations = {
// Init
[](FuzzedDataProvider*) -> void {
// Re-init zeros out memory containing some pointers.
// Free the db first to prevent memleaks
if (a2dp_cb.find.p_db) {
osi_free(a2dp_cb.find.p_db);
}
// Attempt re-initializations mid-run.
A2DP_Init();
},
// A2DP_AddRecord
[](FuzzedDataProvider* fdp) -> void {
std::vector<char> p_service_name =
fdp->ConsumeBytesWithTerminator<char>(MAX_STR_LEN);
std::vector<char> p_provider_name =
fdp->ConsumeBytesWithTerminator<char>(MAX_STR_LEN);
A2DP_AddRecord(fdp->ConsumeIntegral<uint16_t>(), p_service_name.data(),
p_provider_name.data(), fdp->ConsumeIntegral<uint16_t>(),
// This should be a val returned by SDP_CreateRecord
getArbitraryVectorElement(fdp, sdp_record_handles, true));
},
// A2DP_FindService
[](FuzzedDataProvider* fdp) -> void {
tA2DP_SDP_DB_PARAMS p_db = generateDBParams(fdp);
const RawAddress bd_addr = generateRawAddress(fdp);
A2DP_FindService(fdp->ConsumeIntegral<uint16_t>(), bd_addr, &p_db,
a2dp_find_callback);
},
// A2DP_GetAvdtpVersion
[](FuzzedDataProvider*) -> void { A2DP_GetAvdtpVersion(); },
// A2DP_SetTraceLevel
[](FuzzedDataProvider* fdp) -> void {
// Expected val is [0-5], 0xff but other values are supported so fuzz all
A2DP_SetTraceLevel(fdp->ConsumeIntegral<uint8_t>());
},
// A2DP_BitsSet
[](FuzzedDataProvider* fdp) -> void {
A2DP_BitsSet(fdp->ConsumeIntegral<uint64_t>());
},
// SDP Calls
[](FuzzedDataProvider* fdp) -> void {
callArbitraryFunction(fdp, sdp_operations);
}};
#endif // BT_STACK_FUZZ_A2DP_FUNCTIONS_H_
|
