13 #include "libmctp-i2c.h"
14 #include "libmctp-sizes.h"
15 #include "libmctp-alloc.h"
39 	size_t len;  member
45 	struct fuzz_buf *ctrl;  member
56 static struct fuzz_buf *fuzz_buf_new(const void *data, size_t len)  in fuzz_buf_new()  argument
59 	buf->pos = 0;  in fuzz_buf_new()
60 	buf->len = len;  in fuzz_buf_new()
61 	buf->data = data;  in fuzz_buf_new()
65 static const void *fuzz_buf_extract(struct fuzz_buf *buf, size_t len)  in fuzz_buf_extract()  argument
67 	if (buf->pos + len > buf->len) {  in fuzz_buf_extract()
71 	const void *ret = &buf->data[buf->pos];  in fuzz_buf_extract()
72 	buf->pos += len;  in fuzz_buf_extract()
95 	const uint8_t *v = fuzz_buf_extract(ctx->ctrl, sizeof(uint8_t));  in fuzz_chance()
104 static int fuzz_i2c_tx(const void *buf, size_t len, void *c)  in fuzz_i2c_tx()  argument
108 	(void)len;  in fuzz_i2c_tx()
111 		return -EBUSY;  in fuzz_i2c_tx()
118 			   void *c, void *msg, size_t len)  in fuzz_i2c_rxmsg()  argument
126 	(void)len;  in fuzz_i2c_rxmsg()
131 	uint32_t len;  in do_rx()  local
132 	if (!fuzz_buf_extract_u32(ctx->ctrl, &len)) {  in do_rx()
133 		ctx->done = true;  in do_rx()
137 	if (len > MAX_RECEIVE) {  in do_rx()
138 		ctx->done = true;  in do_rx()
142 	const uint8_t *data = fuzz_buf_extract(ctx->input, len);  in do_rx()
144 		ctx->done = true;  in do_rx()
148 	mctp_i2c_rx(ctx->i2c, data, len);  in do_rx()
155 	const uint8_t *e = fuzz_buf_extract(ctx->ctrl, sizeof(uint8_t));  in do_tx()
157 		ctx->done = true;  in do_tx()
163 	/* `t` generates the dest eid in owner case, or tag in non-owner case */  in do_tx()
164 	const uint8_t *t = fuzz_buf_extract(ctx->ctrl, sizeof(uint8_t));  in do_tx()
166 		ctx->done = true;  in do_tx()
170 	uint32_t len;  in do_tx()  local
171 	if (!fuzz_buf_extract_u32(ctx->ctrl, &len)) {  in do_tx()
172 		ctx->done = true;  in do_tx()
175 	len = len % (MAX_SEND + 1);  in do_tx()
177 	uint8_t *fake_send_data = __mctp_msg_alloc(len, ctx->mctp);  in do_tx()
179 	mctp_i2c_tx_poll(ctx->i2c);  in do_tx()
185 		rc = mctp_message_tx_request(ctx->mctp, dest, fake_send_data,  in do_tx()
186 					     len, &tag);  in do_tx()
192 		mctp_message_tx_alloced(ctx->mctp, eid, tag_owner, tag,  in do_tx()
193 					fake_send_data, len);  in do_tx()
203 	if (fuzz_buf_extract_u32(ctx->ctrl, &s)) {  in fuzz_now()
207 	uint64_t prev = ctx->now;  in fuzz_now()
208 	ctx->now += step;  in fuzz_now()
210 	assert(ctx->now >= prev);  in fuzz_now()
211 	return ctx->now;  in fuzz_now()
214 int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)  in LLVMFuzzerTestOneInput()  argument
219 	if (len < FUZZCTRL_SIZE) {  in LLVMFuzzerTestOneInput()
224 		.ctrl = fuzz_buf_new(input, FUZZCTRL_SIZE),  in LLVMFuzzerTestOneInput()
226 				      len - FUZZCTRL_SIZE),  in LLVMFuzzerTestOneInput()
233 	ctx->i2c = malloc(MCTP_SIZEOF_BINDING_I2C);  in LLVMFuzzerTestOneInput()
234 	mctp_i2c_setup(ctx->i2c, OWN_I2C_ADDR, fuzz_i2c_tx, ctx);  in LLVMFuzzerTestOneInput()
235 	ctx->mctp = mctp_init();  in LLVMFuzzerTestOneInput()
236 	mctp_register_bus(ctx->mctp, mctp_binding_i2c_core(ctx->i2c), OWN_EID);  in LLVMFuzzerTestOneInput()
237 	mctp_set_rx_all(ctx->mctp, fuzz_i2c_rxmsg, ctx);  in LLVMFuzzerTestOneInput()
238 	mctp_set_now_op(ctx->mctp, fuzz_now, ctx);  in LLVMFuzzerTestOneInput()
240 	while (!ctx->done) {  in LLVMFuzzerTestOneInput()
248 	mctp_destroy(ctx->mctp);  in LLVMFuzzerTestOneInput()
249 	free(ctx->i2c);  in LLVMFuzzerTestOneInput()
250 	free(ctx->ctrl);  in LLVMFuzzerTestOneInput()
251 	free(ctx->input);  in LLVMFuzzerTestOneInput()
283 		ssize_t len = read(STDIN_FILENO, buf, sizeof(buf));  in run_standalone()  local
284 		if (len <= 0) {  in run_standalone()
287 		LLVMFuzzerTestOneInput(buf, len);  in run_standalone()
302 		size_t len = __AFL_FUZZ_TESTCASE_LEN;  in main()  local
303 		LLVMFuzzerTestOneInput(buf, len);  in main()