* @file fuzz_csi_serialize.c
* @brief libFuzzer target for csi_serialize_frame() (ADR-061 Layer 6).
*
* Takes fuzz input and constructs wifi_csi_info_t structs with random
* field values including extreme boundaries. Verifies that
* csi_serialize_frame() never crashes, triggers ASAN, or causes UBSAN.
*
* Build (Linux/macOS with clang):
* make fuzz_serialize
*
* Run:
* ./fuzz_serialize corpus/ -max_len=2048
*/
#include "esp_stubs.h"
#include "nvs_config.h"
nvs_config_t g_nvs_config;
#include "csi_collector.h"
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>
* Helper: read a value from the fuzz data, advancing the cursor.
* Returns 0 if insufficient data remains.
*/
static size_t fuzz_read(const uint8_t **data, size_t *size,
void *out, size_t n)
{
if (*size < n) {
memset(out, 0, n);
return 0;
}
memcpy(out, *data, n);
*data += n;
*size -= n;
return n;
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
if (size < 8) {
return 0;
}
const uint8_t *cursor = data;
size_t remaining = size;
uint8_t test_case;
int16_t iq_len_raw;
int8_t rssi;
uint8_t channel;
int8_t noise_floor;
uint8_t out_buf_scale;
fuzz_read(&cursor, &remaining, &test_case, 1);
fuzz_read(&cursor, &remaining, &iq_len_raw, 2);
fuzz_read(&cursor, &remaining, &rssi, 1);
fuzz_read(&cursor, &remaining, &channel, 1);
fuzz_read(&cursor, &remaining, &noise_floor, 1);
fuzz_read(&cursor, &remaining, &out_buf_scale, 1);
wifi_csi_info_t info;
memset(&info, 0, sizeof(info));
info.rx_ctrl.rssi = rssi;
info.rx_ctrl.channel = channel & 0x0F;
info.rx_ctrl.noise_floor = noise_floor;
uint16_t iq_len;
if (iq_len_raw < 0) {
iq_len = 0;
} else if (iq_len_raw > (int16_t)remaining) {
iq_len = (uint16_t)remaining;
} else {
iq_len = (uint16_t)iq_len_raw;
}
int8_t iq_buf[CSI_MAX_FRAME_SIZE];
if (iq_len > 0 && remaining > 0) {
uint16_t copy = (iq_len > remaining) ? (uint16_t)remaining : iq_len;
memcpy(iq_buf, cursor, copy);
if (copy < iq_len) {
memset(iq_buf + copy, 0, iq_len - copy);
}
info.buf = iq_buf;
} else {
info.buf = iq_buf;
memset(iq_buf, 0, sizeof(iq_buf));
}
info.len = (int16_t)iq_len;
uint8_t out_buf[CSI_MAX_FRAME_SIZE + 64];
size_t out_len;
if (out_buf_scale == 0) {
out_len = 0;
} else if (out_buf_scale < 20) {
out_len = (size_t)out_buf_scale;
} else {
out_len = sizeof(out_buf);
}
size_t result = csi_serialize_frame(&info, out_buf, out_len);
if (result > out_len) {
__builtin_trap();
}
if (test_case & 0x01) {
result = csi_serialize_frame(NULL, out_buf, sizeof(out_buf));
if (result != 0) {
__builtin_trap();
}
}
if (test_case & 0x02) {
result = csi_serialize_frame(&info, NULL, sizeof(out_buf));
if (result != 0) {
__builtin_trap();
}
}
if (test_case & 0x04) {
wifi_csi_info_t null_iq_info = info;
null_iq_info.buf = NULL;
result = csi_serialize_frame(&null_iq_info, out_buf, sizeof(out_buf));
if (result != 0) {
__builtin_trap();
}
}
if (test_case & 0x08) {
wifi_csi_info_t extreme_info = info;
extreme_info.buf = iq_buf;
extreme_info.rx_ctrl.channel = 0;
csi_serialize_frame(&extreme_info, out_buf, sizeof(out_buf));
extreme_info.rx_ctrl.channel = 15;
csi_serialize_frame(&extreme_info, out_buf, sizeof(out_buf));
}
if (test_case & 0x10) {
wifi_csi_info_t rssi_info = info;
rssi_info.buf = iq_buf;
rssi_info.rx_ctrl.rssi = -128;
csi_serialize_frame(&rssi_info, out_buf, sizeof(out_buf));
rssi_info.rx_ctrl.rssi = 127;
csi_serialize_frame(&rssi_info, out_buf, sizeof(out_buf));
}
if (test_case & 0x20) {
wifi_csi_info_t zero_info = info;
zero_info.buf = iq_buf;
zero_info.len = 0;
result = csi_serialize_frame(&zero_info, out_buf, sizeof(out_buf));
if (result != 0 && result != CSI_HEADER_SIZE) {
}
}
if (test_case & 0x40) {
wifi_csi_info_t hdr_info = info;
hdr_info.buf = iq_buf;
hdr_info.len = 4;
uint8_t tight_buf[CSI_HEADER_SIZE + 4];
result = csi_serialize_frame(&hdr_info, tight_buf, sizeof(tight_buf));
if (result > sizeof(tight_buf)) {
__builtin_trap();
}
}
return 0;
}