1 /*
2  * Copyright 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef BT_STACK_FUZZ_A2DP_FUNCTIONS_H_
18 #define BT_STACK_FUZZ_A2DP_FUNCTIONS_H_
19 
20 #include <fuzzer/FuzzedDataProvider.h>
21 
22 #include <vector>
23 
24 #include "a2dp_api.h"
25 #include "base/functional/bind.h"
26 #include "fuzzers/a2dp/a2dpFuzzHelpers.h"
27 #include "fuzzers/common/commonFuzzHelpers.h"
28 #include "fuzzers/sdp/sdpFuzzFunctions.h"
29 #include "osi/include/allocator.h"
30 #include "raw_address.h"
31 #include "stack/a2dp/a2dp_int.h"
32 #include "stack/include/bt_uuid16.h"
33 
34 #define MAX_STR_LEN 4096
35 
36 /* This is a vector of lambda functions the fuzzer will pull from.
37  *  This is done so new functions can be added to the fuzzer easily
38  *  without requiring modifications to the main fuzzer file. This also
39  *  allows multiple fuzzers to include this file, if functionality is needed.
40  */
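// Table of A2DP fuzz operations. Every entry receives the FuzzedDataProvider
// that supplies the fuzz input and exercises one A2DP (or SDP) entry point.
//
// NOTE(review): this is a definition, not a declaration, and it is not
// `inline`. The include guard only protects a single translation unit, so
// including this header from two translation units that are linked into the
// same binary would produce duplicate definitions of a2dp_operations.
std::vector<std::function<void(FuzzedDataProvider*)>> a2dp_operations = {
    // Init
    [](FuzzedDataProvider*) -> void {
      // Re-init zeros out memory containing some pointers.
      // Free the db first to prevent memleaks.
      if (a2dp_cb.find.p_db != nullptr) {
        osi_free(a2dp_cb.find.p_db);
        // Clear the pointer here rather than relying on A2DP_Init() to wipe
        // it, so the harness itself never leaves a freed pointer in the
        // control block (which would surface as a harness-induced
        // use-after-free / double-free report instead of a stack bug).
        a2dp_cb.find.p_db = nullptr;
      }

      // Attempt re-initializations mid-run.
      A2DP_Init();
    },

    // A2DP_AddRecord
    [](FuzzedDataProvider* fdp) -> void {
      // ConsumeBytesWithTerminator appends a terminator, so both buffers are
      // NUL-terminated even when the fuzz input is exhausted. The consumed
      // bytes may contain embedded NULs, so the effective C-string can be
      // shorter than the vector.
      std::vector<char> service_name =
          fdp->ConsumeBytesWithTerminator<char>(MAX_STR_LEN);
      std::vector<char> provider_name =
          fdp->ConsumeBytesWithTerminator<char>(MAX_STR_LEN);
      const uint16_t service_uuid = fdp->ConsumeBool()
                                        ? UUID_SERVCLASS_AUDIO_SOURCE
                                        : UUID_SERVCLASS_AUDIO_SINK;

      // Consume the remaining inputs into named locals before the call. The
      // order in which function arguments are evaluated is unspecified in
      // C++, so consuming from `fdp` inside the argument list lets the same
      // fuzz input map to different argument values on different
      // compilers/optimisation levels, which breaks crash reproduction.
      const uint16_t features = fdp->ConsumeIntegral<uint16_t>();
      // This should be a val returned by SDP_CreateRecord.
      // NOTE(review): the meaning of the trailing `true` is defined by
      // getArbitraryVectorElement in commonFuzzHelpers.h - confirm whether it
      // allows handles that are not in sdp_record_handles.
      const auto sdp_handle =
          getArbitraryVectorElement(fdp, sdp_record_handles, true);

      A2DP_AddRecord(service_uuid, service_name.data(), provider_name.data(),
                     features, sdp_handle);
    },

    // A2DP_FindService
    [](FuzzedDataProvider* fdp) -> void {
      // attr_list is declared before the params and handed to
      // generateDBParams; presumably the returned params refer to its
      // storage, so it has to stay alive across the A2DP_FindService call -
      // TODO confirm against a2dpFuzzHelpers.h.
      std::vector<uint16_t> attr_list;
      tA2DP_SDP_DB_PARAMS db_params = generateDBParams(fdp, attr_list);
      const RawAddress bd_addr = generateRawAddress(fdp);
      const uint16_t service_uuid = fdp->ConsumeBool()
                                        ? UUID_SERVCLASS_AUDIO_SOURCE
                                        : UUID_SERVCLASS_AUDIO_SINK;
      A2DP_FindService(service_uuid, bd_addr, &db_params,
                       base::Bind(a2dp_find_callback));
    },

    // A2DP_GetAvdtpVersion
    [](FuzzedDataProvider*) -> void { A2DP_GetAvdtpVersion(); },

    // A2DP_BitsSet
    [](FuzzedDataProvider* fdp) -> void {
      const uint64_t bits = fdp->ConsumeIntegral<uint64_t>();
      A2DP_BitsSet(bits);
    },

    // SDP Calls: delegate to one of the operations in sdp_operations so SDP
    // state changes are interleaved with the A2DP calls above.
    [](FuzzedDataProvider* fdp) -> void {
      callArbitraryFunction(fdp, sdp_operations);
    }};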
91 
92 #endif  // BT_STACK_FUZZ_A2DP_FUNCTIONS_H_
93