1 #include "fuzz.h"
2 #include "gki_int.h"
3 
#define MODULE_NAME "nfc_nci_fuzzer"
// Harness identifier; presumably picked up by the shared fuzzer driver in
// fuzz.h (it is not read anywhere in this file).
const char fuzzer_name[] = MODULE_NAME;

// Sub-type selector handed to Fuzz_Context. This harness has a single
// scenario, so Fuzz_RunPackets() below always uses SUB_TYPE_DUMMY.
enum {
  SUB_TYPE_DUMMY,

  SUB_TYPE_MAX
};
12 
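// Response callback handed to NFC_Enable(). The harness does not act on core
// responses; each one is only logged so a crash can be correlated with the
// last event seen.
//
// @param event  response event code from the NFC core.
// @param p_data event payload. It is printed as an address and never
//               dereferenced, so a null payload is harmless here.
static void resp_cback(tNFC_RESPONSE_EVT event, tNFC_RESPONSE* p_data) {
  // %p is specified for void*; cast so the variadic call is well-defined
  // instead of relying on the platform treating all pointers alike.
  FUZZLOG(MODULE_NAME ": event=0x%02x, p_data=%p", event,
          static_cast<const void*>(p_data));
}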
16 
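// Vendor-specific NCI event callback registered through NFC_RegVSCback().
// Logs the event and a hex dump of the payload; nothing is consumed and
// nothing is freed here.
//
// @param event VS event code.
// @param len   number of valid bytes at data.
// @param data  VS payload bytes.
static void nfc_vs_cback(tNFC_VS_EVT event, uint16_t len, uint8_t* data) {
  // BytesToHex() returns a std::string; its c_str() has to be printed with
  // %s. The previous %p only logged the address of that temporary buffer,
  // so the payload never reached the log.
  FUZZLOG(MODULE_NAME ": event=0x%02x, data=%s", event,
          BytesToHex(data, len).c_str());
}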
21 
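// Static RF connection callback installed via NFC_SetStaticRfCback().
// Every event is logged; for NFC_DATA_CEVT the received buffer is released
// with GKI_freebuf(), which implies ownership of data.p_data passes to this
// callback. NOTE(review): that ownership contract is inferred from the
// original free — confirm against the NFC core before changing it.
//
// @param conn_id logical connection the event belongs to.
// @param event   connection event code.
// @param p_data  event payload; only data.p_data is touched, and only for
//                NFC_DATA_CEVT.
static void nfc_rf_cback(uint8_t conn_id, tNFC_CONN_EVT event,
                         tNFC_CONN* p_data) {
  FUZZLOG(MODULE_NAME ": rf_cback, conn_id=%d, event=0x%02x", conn_id, event);

  // Guard the payload pointer as well as the event: a null p_data would
  // otherwise crash the harness here rather than in the code under test.
  if (event != NFC_DATA_CEVT || p_data == nullptr) {
    return;
  }
  if (p_data->data.p_data != nullptr) {
    // Release the buffer so fuzzed traffic cannot drain the GKI pool, and
    // clear the pointer so a repeated delivery cannot double-free it.
    GKI_freebuf(p_data->data.p_data);
    p_data->data.p_data = nullptr;
  }
}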
33 
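// Static HCI connection callback installed via NFC_SetStaticHciCback().
// Mirrors nfc_rf_cback(): log the event and, for NFC_DATA_CEVT, free the
// received buffer. NOTE(review): ownership of data.p_data by the callback
// is inferred from the original free — confirm against the NFC core.
//
// @param conn_id logical connection the event belongs to.
// @param event   connection event code.
// @param p_data  event payload; only data.p_data is touched, and only for
//                NFC_DATA_CEVT.
static void nfc_hci_cback(uint8_t conn_id, tNFC_CONN_EVT event,
                          tNFC_CONN* p_data) {
  FUZZLOG(MODULE_NAME ": hci_cback, conn_id=%d, event=0x%02x", conn_id, event);

  // Guard the payload pointer as well as the event so a null p_data does
  // not turn into a harness crash that masquerades as a stack bug.
  if (event != NFC_DATA_CEVT || p_data == nullptr) {
    return;
  }
  if (p_data->data.p_data != nullptr) {
    // Release the buffer so fuzzed traffic cannot drain the GKI pool, and
    // clear the pointer so a repeated delivery cannot double-free it.
    GKI_freebuf(p_data->data.p_data);
    p_data->data.p_data = nullptr;
  }
}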
45 
// Hooks into the fuzzer's HAL shim (defined elsewhere in the harness): they
// let the corpus be fed into the stack as if it came from the controller.
extern void hal_inject_event(uint8_t hal_evt, tHAL_NFC_STATUS status);
// Returns whether the bytes were accepted; Fuzz_Run() below ignores it.
extern bool hal_inject_data(const uint8_t* p_data, uint16_t data_len);
extern tHAL_NFC_ENTRY* get_hal_func_entries();

// Internal NFC-core / GKI entry points not exported by the public headers.
extern uint8_t nci_snd_core_reset(uint8_t reset_type);
extern void GKI_shutdown();

// GKI control block; Fuzz_Init() overwrites its NFC_TASK thread id.
extern tGKI_CB gki_cb;
// Brings up the NCI stack in-process so that bytes injected through the HAL
// shim are parsed by the real NFC core. Call order matters: GKI first, then
// NFC_Init/NFC_Enable, then callbacks, then the state/reset sequence.
//
// @param ctx unused; initialization does not depend on the corpus.
// @return always true — no call below is checked for failure.
static bool Fuzz_Init(Fuzz_Context& /*ctx*/) {
  GKI_init();
  // Register the calling (fuzzer) thread as NFC_TASK. Presumably this makes
  // GKI treat stack calls from this thread as coming from the NFC task so no
  // separate task thread is needed — confirm against GKI's use of thread_id.
  gki_cb.os.thread_id[NFC_TASK] = pthread_self();

  NFC_Init(get_hal_func_entries());
  // Return status of NFC_Enable() is not checked.
  NFC_Enable(resp_cback);

  NFC_RegVSCback(true, nfc_vs_cback);
  NFC_SetStaticRfCback(nfc_rf_cback);
  NFC_SetStaticHciCback(nfc_hci_cback);

  // Move the state machine to CORE_INIT and send CORE_RESET; the corpus is
  // then injected against a stack that is expecting controller responses.
  // The reset command's return status is not checked either.
  nfc_set_state(NFC_STATE_CORE_INIT);
  nci_snd_core_reset(NCI_RESET_TYPE_RESET_CFG);
  return true;
}
69 
// Tears down what Fuzz_Init() set up: shut the NFCC side of the stack down,
// then release GKI. Must run after every iteration, including ones where
// injection stopped early, so pool buffers do not leak across runs.
//
// @param ctx unused.
static void Fuzz_Deinit(Fuzz_Context& /*ctx*/) {
  nfc_task_shutdown_nfcc();
  GKI_shutdown();
}
74 
// Feeds every corpus packet into the stack through the HAL shim, in order.
// The bool returned by hal_inject_data() is not inspected; rejected packets
// are simply skipped over. Note that size() is narrowed to uint16_t at the
// call, so packets longer than 65535 bytes would be silently truncated.
//
// @param ctx fuzzing context whose Data member holds the packets to inject.
static void Fuzz_Run(Fuzz_Context& ctx) {
  for (const auto& packet : ctx.Data) {
    hal_inject_data(packet.data(), packet.size());
  }
}
80 
// Normalizes a generated corpus so each packet is at least two bytes long.
// Shorter packets are extended in place with value-initialized bytes; longer
// ones are left untouched. NOTE(review): an NCI control packet header is
// three bytes, so two is presumably the minimum hal_inject_data() accepts
// rather than a full header — confirm if this threshold is ever changed.
//
// @param Packets corpus packets, modified in place.
// @param Seed    unused.
void Fuzz_FixPackets(std::vector<bytes_t>& Packets, uint /*Seed*/) {
  constexpr size_t kMinPacketSize = 2;
  for (auto& packet : Packets) {
    if (packet.size() < kMinPacketSize) {
      packet.resize(kMinPacketSize);
    }
  }
}
89 
// Entry point for one fuzzing iteration: build a context around the packets,
// bring the stack up, inject, and tear down. Fuzz_Deinit() runs regardless
// of Fuzz_Init()'s result so GKI state never leaks into the next iteration.
//
// @param Packets the (already fixed-up) corpus to inject.
void Fuzz_RunPackets(const std::vector<bytes_t>& Packets) {
  Fuzz_Context ctx(SUB_TYPE_DUMMY, Packets);
  if (Fuzz_Init(ctx)) {
    Fuzz_Run(ctx);
  }

  Fuzz_Deinit(ctx);
}