| /* |
| * Copyright 2020 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| // Authors: corbin.souffrant@leviathansecurity.com |
| // brian.balling@leviathansecurity.com |
| |
| #include <fuzzer/FuzzedDataProvider.h> |
| #include <helpers.h> |
| #include <pdx/client_channel.h> |
| #include <pdx/service.h> |
| #include <pdx/service_dispatcher.h> |
| #include <stddef.h> |
| #include <stdint.h> |
| #include <sys/eventfd.h> |
| #include <thread> |
| |
| using namespace android::pdx; |
| |
| // Dispatch fuzzer entry point. This fuzzer creates a ServiceDispatcher |
| // and creates an endpoint that returns fuzzed messages that are passed |
| // to the ReceiveAndDispatch and DispatchLoop functions. |
| extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { |
| eventfd_t wakeup_val = 1; |
| FuzzedDataProvider fdp = FuzzedDataProvider(data, size); |
| |
| // Endpoint is only used to be immediately wrapped as a unique_ptr, |
| // so it is ok to be using a raw ptr and new here without freeing. |
| FuzzEndpoint* endpoint = new FuzzEndpoint(&fdp); |
| std::unique_ptr<ServiceDispatcher> dispatcher = ServiceDispatcher::Create(); |
| std::shared_ptr<Channel> channel(nullptr); |
| std::shared_ptr<Client> client(nullptr); |
| std::shared_ptr<Service> service( |
| new Service("FuzzService", std::unique_ptr<Endpoint>(endpoint))); |
| |
| service->SetChannel(0, std::shared_ptr<Channel>(channel)); |
| dispatcher->AddService(service); |
| |
| // Dispatcher blocks, so needs to run in its own thread. |
| std::thread run_dispatcher([&]() { |
| uint8_t opt = 0; |
| |
| // Right now the only operations block, so the while loop is pointless |
| // but leaving it in, just in case that ever changes. |
| while (fdp.remaining_bytes() > sizeof(MessageInfo)) { |
| opt = fdp.ConsumeIntegral<uint8_t>() % dispatcher_operations.size(); |
| dispatcher_operations[opt](dispatcher, &fdp); |
| } |
| }); |
| |
| // Continuously wake up the epoll so the dispatcher can run. |
| while (fdp.remaining_bytes() > sizeof(MessageInfo)) { |
| eventfd_write(endpoint->epoll_fd(), wakeup_val); |
| } |
| |
| // Cleanup the dispatcher and thread. |
| dispatcher->SetCanceled(true); |
| if (run_dispatcher.joinable()) |
| run_dispatcher.join(); |
| dispatcher->RemoveService(service); |
| |
| return 0; |
| } |