1 /*
2  * Copyright 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef BT_STACK_FUZZ_A2DP_FUNCTIONS_H_
18 #define BT_STACK_FUZZ_A2DP_FUNCTIONS_H_
19 
20 #include <fuzzer/FuzzedDataProvider.h>
21 
22 #include <vector>
23 
24 #include "a2dp_api.h"
25 #include "base/functional/bind.h"
26 #include "fuzzers/a2dp/a2dpFuzzHelpers.h"
27 #include "fuzzers/common/commonFuzzHelpers.h"
28 #include "fuzzers/sdp/sdpFuzzFunctions.h"
29 #include "osi/include/allocator.h"
30 #include "stack/a2dp/a2dp_int.h"
31 #include "stack/include/bt_uuid16.h"
32 #include "types/raw_address.h"
33 
// Upper bound, in bytes, on each fuzzer-supplied string consumed in this file.
// The terminator that ConsumeBytesWithTerminator appends is not counted, so the
// resulting buffers hold at most MAX_STR_LEN + 1 elements.
#define MAX_STR_LEN 4096
35 
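/* Table of fuzz operations for the A2DP API.
 *
 * Each entry is a lambda that receives the FuzzedDataProvider for the current
 * input and exercises one entry point. Keeping the table in this header lets
 * new operations be added without modifying the main fuzzer file, and lets
 * other fuzzers include the same table if they need it.
 *
 * Every FuzzedDataProvider read is made in its own statement. The evaluation
 * order of function arguments is unspecified in C++, so reading fuzz data
 * inside an argument list can make the same input decode differently across
 * compilers, which breaks crash reproduction and corpus reuse.
 */
std::vector<std::function<void(FuzzedDataProvider*)>> a2dp_operations = {
        // Init
        [](FuzzedDataProvider*) -> void {
          // Re-init zeros out memory containing some pointers.
          // Free the db first to prevent memleaks
          if (a2dp_cb.find.p_db) {
            osi_free(a2dp_cb.find.p_db);
          }

          // Attempt re-initializations mid-run.
          A2DP_Init();
        },

        // A2DP_AddRecord
        [](FuzzedDataProvider* fdp) -> void {
          // ConsumeBytesWithTerminator appends a terminator, so both buffers are
          // non-empty, NUL-terminated and mutable, as the char* parameters need.
          // The consumed bytes may contain embedded NULs, so the C strings seen
          // by the callee can be shorter than the vectors.
          std::vector<char> p_service_name = fdp->ConsumeBytesWithTerminator<char>(MAX_STR_LEN);
          std::vector<char> p_provider_name = fdp->ConsumeBytesWithTerminator<char>(MAX_STR_LEN);
          const uint16_t service_uuid =
                  fdp->ConsumeBool() ? UUID_SERVCLASS_AUDIO_SOURCE : UUID_SERVCLASS_AUDIO_SINK;

          // Read the last two inputs as separate statements, in the order they
          // appear in the call. getArbitraryVectorElement is handed the provider
          // and may read from it too, so leaving both reads inside the argument
          // list would make the consumption order compiler-dependent.
          const uint16_t features = fdp->ConsumeIntegral<uint16_t>();
          // This should be a val returned by SDP_CreateRecord
          const auto sdp_handle = getArbitraryVectorElement(fdp, sdp_record_handles, true);

          A2DP_AddRecord(service_uuid, p_service_name.data(), p_provider_name.data(), features,
                         sdp_handle);
        },

        // A2DP_FindService
        [](FuzzedDataProvider* fdp) -> void {
          // attr_list is declared here so it stays alive for the whole call.
          // NOTE(review): generateDBParams presumably points the returned params
          // at attr_list's storage; confirm in a2dpFuzzHelpers.h.
          std::vector<uint16_t> attr_list;
          tA2DP_SDP_DB_PARAMS db_params = generateDBParams(fdp, attr_list);
          const RawAddress bd_addr = generateRawAddress(fdp);
          const uint16_t service_uuid =
                  fdp->ConsumeBool() ? UUID_SERVCLASS_AUDIO_SOURCE : UUID_SERVCLASS_AUDIO_SINK;
          A2DP_FindService(service_uuid, bd_addr, &db_params, base::Bind(a2dp_find_callback));
        },

        // A2DP_GetAvdtpVersion
        [](FuzzedDataProvider*) -> void { A2DP_GetAvdtpVersion(); },

        // A2DP_BitsSet
        [](FuzzedDataProvider* fdp) -> void { A2DP_BitsSet(fdp->ConsumeIntegral<uint64_t>()); },

        // SDP Calls: delegate to an operation chosen from the SDP fuzzer's table.
        [](FuzzedDataProvider* fdp) -> void { callArbitraryFunction(fdp, sdp_operations); }};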
84 
85 #endif  // BT_STACK_FUZZ_A2DP_FUNCTIONS_H_
86