test/fuzz: prepare for avrcp fuzzing

Matthias Ringwald 2020-07-25 18:54:26 +02:00
parent 12f3b2bdfb
commit 697b823e5f
5 changed files with 30 additions and 7 deletions


@ -630,7 +630,7 @@ static avrcp_connection_t * avrcp_handle_incoming_connection_for_role(avrcp_role
return connection;
}
static void avrcp_handle_open_connection_for_role( avrcp_connection_t * connection, uint16_t local_cid, uint16_t l2cap_mtu){
static void avrcp_handle_open_connection(avrcp_connection_t * connection, uint16_t local_cid, uint16_t l2cap_mtu){
connection->l2cap_signaling_cid = local_cid;
connection->l2cap_mtu = l2cap_mtu;
connection->incoming_declined = false;
@ -758,8 +758,8 @@ static void avrcp_packet_handler(uint8_t packet_type, uint16_t channel, uint8_t
switch (status){
case ERROR_CODE_SUCCESS:
avrcp_handle_open_connection_for_role(connection_target, local_cid, l2cap_mtu);
avrcp_handle_open_connection_for_role(connection_controller, local_cid, l2cap_mtu);
avrcp_handle_open_connection(connection_target, local_cid, l2cap_mtu);
avrcp_handle_open_connection(connection_controller, local_cid, l2cap_mtu);
avrcp_emit_connection_established(connection_controller->avrcp_cid, event_addr, status);
return;
case L2CAP_CONNECTION_RESPONSE_RESULT_REFUSED_RESOURCES:
@ -925,3 +925,18 @@ void avrcp_register_packet_handler(btstack_packet_handler_t callback){
btstack_assert(callback != NULL);
avrcp_callback = callback;
}
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
#define FUZZ_CID 0x44
static bd_addr_t remote_addr = { 0x33, 0x33, 0x33, 0x33, 0x33, 0x33 };
void avrcp_init_fuzz(void){
// setup avrcp connections for cid
avrcp_connection_t * connection_controller = avrcp_create_connection(AVRCP_CONTROLLER, remote_addr);
avrcp_connection_t * connection_target = avrcp_create_connection(AVRCP_TARGET, remote_addr);
avrcp_handle_open_connection(connection_controller, FUZZ_CID, 999);
avrcp_handle_open_connection(connection_target, FUZZ_CID, 999);
}
void avrcp_packet_handler_fuzz(uint8_t *packet, uint16_t size){
avrcp_packet_handler(L2CAP_DATA_PACKET, FUZZ_CID, packet, size);
}
#endif
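Review bot: In `avrcp_init_fuzz` both results of `avrcp_create_connection` go straight into `avrcp_handle_open_connection`, which writes `connection->l2cap_signaling_cid` on its first line, so a failed allocation would crash the harness during setup rather than in the parser under test. `avrcp_create_connection` is not shown on this page; if it can return NULL, guard the calls, e.g. `btstack_assert(connection_controller != NULL);` and `btstack_assert(connection_target != NULL);` before the two open calls. The MTU literal `999` would also read better as a named constant next to `FUZZ_CID`. The file-scope name `remote_addr` is generic enough to clash with later additions, so something like `fuzz_remote_addr` is safer.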


@ -685,6 +685,12 @@ void avrcp_browsing_register_controller_packet_handler(btstack_packet_handler_t
void avrcp_browsing_register_target_packet_handler(btstack_packet_handler_t callback);
void avrcp_browsing_request_can_send_now(avrcp_browsing_connection_t * connection, uint16_t l2cap_cid);
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
void avrcp_init_fuzz(void);
void avrcp_packet_handler_fuzz(uint8_t *packet, uint16_t size);
#endif
#if defined __cplusplus
}
#endif
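Review bot: The two fuzz entry points are declared without a comment, so the expected call order is visible only in the implementation. I would add above them `// Fuzzing only: call avrcp_init_fuzz() to set up the connections, then pass each input to avrcp_packet_handler_fuzz()`. It should also say whether `avrcp_init_fuzz` may be called more than once, since each call creates a fresh controller/target pair and the page does not show whether they are released.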


@ -467,7 +467,9 @@ static void avrcp_handle_l2cap_data_packet_for_signaling_connection(avrcp_connec
uint8_t operands[20];
uint8_t opcode;
int pos = 3;
if (size < 6u) return;
avrcp_command_type_t ctype = (avrcp_command_type_t) packet[pos++];
uint8_t byte_value = packet[pos++];
avrcp_subunit_type_t subunit_type = (avrcp_subunit_type_t) (byte_value >> 3);
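Review bot: The new `if (size < 6u) return;` guard uses a bare `6` with no hint of which bytes it covers, and the same literal is added to the other signaling handler (the hunk at -748). From the visible lines it appears to cover the three bytes skipped by `pos = 3` plus ctype, subunit byte and opcode, so a comment such as `// 3 header bytes + ctype + subunit + opcode` or a shared named constant would make the bound checkable. The guard protects only this fixed header. The function continues past the hunk, and any later copy into `operands[20]` needs its own check against both `size` and `sizeof(operands)`, which cannot be confirmed from here.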


@ -748,9 +748,8 @@ static uint8_t avrcp_is_receive_pass_through_cmd(uint8_t operation_id){
}
static void avrcp_handle_l2cap_data_packet_for_signaling_connection(avrcp_connection_t * connection, uint8_t *packet, uint16_t size){
UNUSED(connection);
UNUSED(packet);
UNUSED(size);
if (size < 6u) return;
uint16_t pid = 0;
uint8_t transport_header = packet[0];


@ -36,6 +36,7 @@
#define HCI_ACL_PAYLOAD_SIZE (1691 + 4)
#define HCI_INCOMING_PRE_BUFFER_SIZE 14 // sizeof BNEP header, avoid memcpy
#define NVM_NUM_LINK_KEYS 16
#define NVM_NUM_DEVICE_DB_ENTRIES 20
// Mesh Configuration