test/fuzz: test hci_transport_h4

2025-02-20 18:40:31 +00:00 · 2020-01-19 00:44:02 +01:00 · 2020-01-19 00:44:02 +01:00 · 1f805efefd
commit 1f805efefd
parent 8c7252e203
6 changed files with 307 additions and 0 deletions
--- a/test/fuzz/.gitignore
+++ b/test/fuzz/.gitignore
@ -0,0 +1,4 @@
+build
+Makefile
+cmake-build-debug
+cmake_install.cmake
--- a/test/fuzz/CMakeLists.txt
+++ b/test/fuzz/CMakeLists.txt
@ -0,0 +1,118 @@
+cmake_minimum_required (VERSION 3.5)
+
+set(CMAKE_C_COMPILER clang)
+set(CMAKE_CXX_COMPILER clang)
+
+project(BTstack)
+
+include_directories(../../3rd-party/micro-ecc)
+include_directories(../../3rd-party/bluedroid/decoder/include)
+include_directories(../../3rd-party/bluedroid/encoder/include)
+include_directories(../../3rd-party/md5)
+include_directories(../../3rd-party/hxcmod-player)
+include_directories(../../3rd-party/hxcmod-player/mod)
+include_directories(../../3rd-party/lwip/core/src/include)
+include_directories(../../3rd-party/lwip/dhcp-server)
+include_directories(../../3rd-party/rijndael)
+include_directories(../../3rd-party/yxml)
+include_directories(../../3rd-party/tinydir)
+include_directories(../../src)
+include_directories(../../platform/posix)
+include_directories(../../platform/embedded)
+include_directories(../../platform/lwip)
+include_directories(../../platform/lwip/port)
+include_directories(.)
+
+file(GLOB SOURCES_SRC       "../../src/*.c" "../../example/sco_demo_util.c")
+file(GLOB SOURCES_BLE       "../../src/ble/*.c")
+file(GLOB SOURCES_GATT      "../../src/ble/gatt-service/*.c")
+file(GLOB SOURCES_CLASSIC   "../../src/classic/*.c")
+file(GLOB SOURCES_MESH      "../../src/mesh/*.c")
+file(GLOB SOURCES_BLUEDROID "../../3rd-party/bluedroid/encoder/srce/*.c" "../../3rd-party/bluedroid/decoder/srce/*.c")
+file(GLOB SOURCES_MD5       "../../3rd-party/md5/md5.c")
+file(GLOB SOURCES_UECC      "../../3rd-party/micro-ecc/uECC.c")
+file(GLOB SOURCES_YXML      "../../3rd-party/yxml/yxml.c")
+file(GLOB SOURCES_HXCMOD    "../../3rd-party/hxcmod-player/*.c"  "../../3rd-party/hxcmod-player/mods/*.c")
+file(GLOB SOURCES_RIJNDAEL  "../../3rd-party/rijndael/rijndael.c")
+file(GLOB SOURCES_POSIX     "../../platform/posix/*.c")
+file(GLOB SOURCES_LIBUSB    "../../port/libusb/*.c" "../../platform/libusb/*.c")
+
+set(LWIP_CORE_SRC
+        ../../3rd-party/lwip/core/src/core/def.c
+        ../../3rd-party/lwip/core/src/core/inet_chksum.c
+        ../../3rd-party/lwip/core/src/core/init.c
+        ../../3rd-party/lwip/core/src/core/ip.c
+        ../../3rd-party/lwip/core/src/core/mem.c
+        ../../3rd-party/lwip/core/src/core/memp.c
+        ../../3rd-party/lwip/core/src/core/netif.c
+        ../../3rd-party/lwip/core/src/core/pbuf.c
+        ../../3rd-party/lwip/core/src/core/tcp.c
+        ../../3rd-party/lwip/core/src/core/tcp_in.c
+        ../../3rd-party/lwip/core/src/core/tcp_out.c
+        ../../3rd-party/lwip/core/src/core/timeouts.c
+        ../../3rd-party/lwip/core/src/core/udp.c
+        )
+set (LWIP_IPV4_SRC
+        ../../3rd-party/lwip/core/src/core/ipv4/acd.c
+        ../../3rd-party/lwip/core/src/core/ipv4/dhcp.c
+        ../../3rd-party/lwip/core/src/core/ipv4/etharp.c
+        ../../3rd-party/lwip/core/src/core/ipv4/icmp.c
+        ../../3rd-party/lwip/core/src/core/ipv4/ip4.c
+        ../../3rd-party/lwip/core/src/core/ipv4/ip4_addr.c
+        ../../3rd-party/lwip/core/src/core/ipv4/ip4_frag.c
+        )
+set (LWIP_NETIF_SRC
+        ../../3rd-party/lwip/core/src/netif/ethernet.c
+        )
+set (LWIP_HTTPD
+        ../../3rd-party/lwip/core/src/apps/http/altcp_proxyconnect.c
+        ../../3rd-party/lwip/core/src/apps/http/fs.c
+        ../../3rd-party/lwip/core/src/apps/http/httpd.c
+        )
+set (LWIP_DHCPD
+        ../../3rd-party/lwip/dhcp-server/dhserver.c
+        )
+set (LWIP_PORT
+        ../../platform/lwip/port/sys_arch.c
+        ../../platform/lwip/bnep_lwip.c
+        )
+
+set (SOURCES_LWIP ${LWIP_CORE_SRC} ${LWIP_IPV4_SRC} ${LWIP_NETIF_SRC} ${LWIP_HTTPD} ${LWIP_DHCPD} ${LWIP_PORT})
+
+file(GLOB SOURCES_BLE_OFF "../../src/ble/le_device_db_memory.c")
+list(REMOVE_ITEM SOURCES_BLE   ${SOURCES_BLE_OFF})
+
+file(GLOB SOURCES_POSIX_OFF "../../platform/posix/le_device_db_fs.c")
+list(REMOVE_ITEM SOURCES_POSIX ${SOURCES_POSIX_OFF})
+
+set(SOURCES
+        ${SOURCES_MD5}
+        ${SOURCES_YXML}
+        ${SOURCES_BLUEDROID}
+        ${SOURCES_POSIX}
+        ${SOURCES_RIJNDAEL}
+        ${SOURCES_SRC}
+        ${SOURCES_BLE}
+        ${SOURCES_GATT}
+        ${SOURCES_MESH}
+        ${SOURCES_CLASSIC}
+        ${SOURCES_UECC}
+        ${SOURCES_HXCMOD}
+        )
+list(SORT SOURCES)
+
+# create static lib
+add_library(btstack STATIC ${SOURCES})
+
+# create fuzz targets
+file(GLOB TARGETS_C "fuzz_*.c")
+
+add_compile_options( -fsanitize=fuzzer,address)
+add_link_options( -fsanitize=fuzzer,address)
+
+# create targets
+foreach(TARGET_FILE ${TARGETS_C})
+    get_filename_component(EXAMPLE ${TARGET_FILE} NAME_WE)
+    add_executable(${EXAMPLE} ${TARGET_FILE} )
+    target_link_libraries(${EXAMPLE} btstack)
+endforeach(TARGET_FILE)
--- a/test/fuzz/Dockerfile
+++ b/test/fuzz/Dockerfile
@ -0,0 +1,7 @@
+# Baseimage Debin
+FROM debian
+
+# Install clang, cmake, ninja
+RUN apt-get update
+RUN apt-get install -y clang cmake ninja-build
+
--- a/test/fuzz/btstack_config.h
+++ b/test/fuzz/btstack_config.h
@ -0,0 +1,55 @@
+//
+// btstack_config.h for test/fuzz
+//
+
+#ifndef __BTSTACK_CONFIG
+#define __BTSTACK_CONFIG
+
+// Port related features
+#define HAVE_MALLOC
+#define HAVE_POSIX_FILE_IO
+#define HAVE_BTSTACK_STDIN
+#define HAVE_POSIX_TIME
+
+// BTstack features that can be enabled
+#define ENABLE_BLE
+#define ENABLE_CLASSIC
+#define ENABLE_HFP_WIDE_BAND_SPEECH
+#define ENABLE_LE_CENTRAL
+#define ENABLE_LE_PERIPHERAL
+#define ENABLE_LE_SECURE_CONNECTIONS
+#define ENABLE_LE_DATA_CHANNELS
+#define ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS
+#define ENABLE_LE_DATA_LENGTH_EXTENSION
+#define ENABLE_ATT_DELAYED_RESPONSE
+//#define ENABLE_LOG_ERROR
+//#define ENABLE_LOG_INFO
+#define ENABLE_SCO_OVER_HCI
+#define ENABLE_SDP_DES_DUMP
+#define ENABLE_L2CAP_ENHANCED_RETRANSMISSION_MODE
+#define ENABLE_SOFTWARE_AES128
+
+// BTstack configuration. buffers, sizes, ...
+#define HCI_ACL_PAYLOAD_SIZE (1691 + 4)
+#define HCI_INCOMING_PRE_BUFFER_SIZE 14 // sizeof BNEP header, avoid memcpy
+
+#define NVM_NUM_DEVICE_DB_ENTRIES      20
+
+// Mesh Configuration
+#define ENABLE_MESH
+#define ENABLE_MESH_ADV_BEARER
+#define ENABLE_MESH_GATT_BEARER
+#define ENABLE_MESH_PB_ADV
+#define ENABLE_MESH_PB_GATT
+#define ENABLE_MESH_PROXY_SERVER
+#define ENABLE_MESH_PROVISIONER
+
+#define MAX_NR_MESH_TRANSPORT_KEYS    16
+#define MAX_NR_MESH_VIRTUAL_ADDRESSES 16
+#define MAX_NR_MESH_SUBNETS            2
+
+// allow for one NetKey update
+#define MAX_NR_MESH_NETWORK_KEYS      (MAX_NR_MESH_SUBNETS+1)
+
+#endif
+
--- a/test/fuzz/debian-fuzz-env.sh
+++ b/test/fuzz/debian-fuzz-env.sh
@ -0,0 +1,5 @@
+#!/bin/sh
+DIR=`dirname $0`
+BTSTACK_ROOT=`realpath $DIR/../..`
+docker run --rm -ti -v $BTSTACK_ROOT:/btstack  -w /btstack/test/fuzz fuzz
+
--- a/test/fuzz/fuzz_hci_transport_h4.c
+++ b/test/fuzz/fuzz_hci_transport_h4.c
@ -0,0 +1,118 @@
+#include <stdint.h>
+#include <stddef.h>
+#include <stdio.h>
+
+#include <btstack_util.h>
+#include "hci_transport.h"
+
+static hci_transport_config_uart_t config = {
+        HCI_TRANSPORT_CONFIG_UART,
+        115200,
+        0,  // main baudrate
+        1,  // flow control
+        NULL,
+};
+
+static uint8_t * read_request_buffer;
+static uint32_t  read_request_len;
+
+static void (*block_received)(void);
+
+static int btstack_uart_fuzz_init(const btstack_uart_config_t * config){
+    return 0;
+}
+
+static int btstack_uart_fuzz_open(void){
+    return 0;
+}
+
+static int btstack_uart_fuzz_close(void){
+    return 0;
+}
+
+static void btstack_uart_fuzz_set_block_received( void (*block_handler)(void)){
+    block_received = block_handler;
+}
+
+static void btstack_uart_fuzz_set_block_sent( void (*block_handler)(void)){
+}
+
+static void btstack_uart_fuzz_set_wakeup_handler( void (*the_wakeup_handler)(void)){
+}
+
+static int btstack_uart_fuzz_set_parity(int parity){
+    return 0;
+}
+
+static void btstack_uart_fuzz_send_block(const uint8_t *data, uint16_t size){
+}
+
+static void btstack_uart_fuzz_receive_block(uint8_t *buffer, uint16_t len){
+    read_request_buffer = buffer;
+    read_request_len = len;
+}
+
+static int btstack_uart_fuzz_set_baudrate(uint32_t baudrate){
+    return 0;
+}
+
+static int btstack_uart_fuzz_get_supported_sleep_modes(void){
+    return BTSTACK_UART_SLEEP_MASK_RTS_HIGH_WAKE_ON_CTS_PULSE;
+}
+
+static void btstack_uart_fuzz_set_sleep(btstack_uart_sleep_mode_t sleep_mode){
+}
+
+btstack_uart_block_t uart_driver = {
+        /* int  (*init)(hci_transport_config_uart_t * config); */         &btstack_uart_fuzz_init,
+        /* int  (*open)(void); */                                         &btstack_uart_fuzz_open,
+        /* int  (*close)(void); */                                        &btstack_uart_fuzz_close,
+        /* void (*set_block_received)(void (*handler)(void)); */          &btstack_uart_fuzz_set_block_received,
+        /* void (*set_block_sent)(void (*handler)(void)); */              &btstack_uart_fuzz_set_block_sent,
+        /* int  (*set_baudrate)(uint32_t baudrate); */                    &btstack_uart_fuzz_set_baudrate,
+        /* int  (*set_parity)(int parity); */                             &btstack_uart_fuzz_set_parity,
+        /* int  (*set_flowcontrol)(int flowcontrol); */                   NULL,
+        /* void (*receive_block)(uint8_t *buffer, uint16_t len); */       &btstack_uart_fuzz_receive_block,
+        /* void (*send_block)(const uint8_t *buffer, uint16_t length); */ &btstack_uart_fuzz_send_block,
+        /* int (*get_supported_sleep_modes); */                           &btstack_uart_fuzz_get_supported_sleep_modes,
+        /* void (*set_sleep)(btstack_uart_sleep_mode_t sleep_mode); */    &btstack_uart_fuzz_set_sleep,
+        /* void (*set_wakeup_handler)(void (*handler)(void)); */          &btstack_uart_fuzz_set_wakeup_handler,
+};
+
+static void packet_handler(uint8_t packet_type, uint8_t *packet, uint16_t size){
+    switch (packet_type) {
+        case HCI_EVENT_PACKET:
+            if (size < 2) __builtin_trap();
+            if ((2 + packet[1]) != size)__builtin_trap();
+            break;
+        case HCI_SCO_DATA_PACKET:
+            if (size < 3) __builtin_trap();
+            if ((3 + packet[2]) != size)__builtin_trap();
+            break;
+        case HCI_ACL_DATA_PACKET:
+            if (size < 3) __builtin_trap();
+            if ((4 + little_endian_read_16( packet, 2)) != size)__builtin_trap();
+            break;
+        default:
+            __builtin_trap();
+            break;
+    }
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    const hci_transport_t * transport = hci_transport_h4_instance(&uart_driver);
+    read_request_len = 0;
+    transport->init(&config);
+    transport->register_packet_handler(&packet_handler);
+    transport->open();
+    while (size > 0){
+        if (read_request_len == 0) __builtin_trap();
+
+        uint16_t bytes_to_feed = btstack_min(read_request_len, size);
+        memcpy(read_request_buffer, data, bytes_to_feed);
+        size -= bytes_to_feed;
+        data += bytes_to_feed;
+        (*block_received)();
+    }
+    return 0;
+}