1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
#include "wlan_fuzzer.h"

#include <cstring>
#include <vector>

#include "hdf_log.h"
#include "v1_0/iwlan_interface.h"
#include "v1_0/wlan_types.h"
#include "wifi_hal_base_feature.h"
#include "wlan_callback_impl.h"
23 
24 #define HDF_LOG_TAG HDF_WIFI_CORE
25 
26 namespace OHOS {
27 namespace WIFI {
// Minimum input length accepted by LLVMFuzzerTestOneInput; shorter inputs are skipped.
constexpr size_t THRESHOLD{10};
// Number of leading input bytes consumed as the command selector before the payload starts.
constexpr int32_t OFFSET{4};
// Service name handed to IWlanInterfaceGetInstance / IWlanInterfaceReleaseInstance.
const char *g_wlanServiceName = "wlan_interface_service";
// Size of the MAC address buffer passed to GetDeviceMacAddress.
const uint32_t ETH_ADDR_LEN = 6;
// Capacity of the station-info array passed to GetAssociatedStas.
const int32_t WLAN_MAX_NUM_STA_WITH_AP = 4;
// Feature type requested from CreateFeature.
const int32_t wlanType = PROTOCOL_80211_IFTYPE_AP;
// Feature descriptor shared by CreateFeature, the fuzzed calls and DestroyFeature.
struct HdfFeatureInfo ifeature;
// Service handle for the current fuzz iteration; acquired and released in DoSomethingInterestingWithMyAPI.
struct IWlanInterface *g_wlanObj = nullptr;
// Output slot passed as the last argument of GetAssociatedStas.
uint32_t num{0};

// Command selectors decoded from the first OFFSET bytes of the fuzz input.
enum WlanCmdId {
    CMD_WLAN_INTERFACE_GET_ASSCOCIATED_STAS = 0,
    CMD_WLAN_INTERFACE_GET_DEVICE_MAC_ADDRESS = 1,
};
42 
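/**
 * @brief Assembles a 32-bit value from four consecutive bytes, most significant byte first.
 *
 * @param ptr Buffer to read. No length is passed in, so the caller must guarantee that at least
 *            four bytes are readable.
 * @return The big-endian value of ptr[0..3], or 0 when ptr is null.
 */
uint32_t Convert2Uint32(const uint8_t *ptr)
{
    if (ptr == nullptr) {
        return 0;
    }
    /*
     * Widen every byte to uint32_t before shifting. A bare uint8_t is promoted to signed int, and
     * shifting a byte >= 0x80 left by 24 would move a bit into the sign position of that int.
     */
    return (static_cast<uint32_t>(ptr[0]) << 24) |
           (static_cast<uint32_t>(ptr[1]) << 16) |
           (static_cast<uint32_t>(ptr[2]) << 8) |
           static_cast<uint32_t>(ptr[3]);
}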
54 
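/*
 * Loads the fuzzed interface name and type into the global ifeature.
 * The type is copied byte-wise: rawData carries no alignment guarantee, so dereferencing it through
 * a casted int32_t pointer could be a misaligned (and aliasing-violating) load.
 * NOTE(review): ifName is handed on without a length; if the callee treats it as a C string, the
 * buffer behind rawData must be NUL-terminated by the caller - confirm.
 * NOTE(review): this overwrites the ifeature that the caller filled via CreateFeature and later
 * passes to DestroyFeature - confirm that fuzzing DestroyFeature this way is intended.
 */
static void FillFuzzedFeature(const uint8_t *rawData)
{
    int32_t fuzzedType = 0;
    std::memcpy(&fuzzedType, rawData, sizeof(fuzzedType));
    ifeature.ifName = const_cast<char *>(reinterpret_cast<const char *>(rawData));
    ifeature.type = fuzzedType;
}

/**
 * @brief Issues the single interface call selected by cmd, with arguments taken from the fuzz payload.
 *
 * @param interface Service handle to call through; nothing is done when it is null.
 * @param cmd       Command selector; values outside WlanCmdId are ignored.
 * @param rawData   Fuzz payload. At least sizeof(int32_t) bytes must be readable, because the
 *                  feature type is read from its start; nothing is done when it is null.
 */
static void WlanFucSwitch(struct IWlanInterface *interface, uint32_t cmd, const uint8_t *rawData)
{
    if (interface == nullptr || rawData == nullptr) {
        return;
    }

    switch (cmd) {
        case CMD_WLAN_INTERFACE_GET_ASSCOCIATED_STAS: {
            struct HdfStaInfo staInfo[WLAN_MAX_NUM_STA_WITH_AP] = {{0}};
            uint32_t staInfoLen = WLAN_MAX_NUM_STA_WITH_AP;
            FillFuzzedFeature(rawData);
            interface->GetAssociatedStas(interface, &ifeature, staInfo, &staInfoLen, &num);
            break;
        }
        case CMD_WLAN_INTERFACE_GET_DEVICE_MAC_ADDRESS: {
            uint8_t mac[ETH_ADDR_LEN] = {0};
            uint32_t macLen = ETH_ADDR_LEN;
            FillFuzzedFeature(rawData);
            // The first payload byte doubles as the trailing uint8_t argument of the call.
            interface->GetDeviceMacAddress(interface, &ifeature, mac, &macLen, rawData[0]);
            break;
        }
        default:
            // Unknown selector: leave ifeature untouched so teardown sees the created feature.
            break;
    }
}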
79 
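/**
 * @brief Runs one fuzz iteration: start the WLAN service, create a feature, issue the fuzzed call,
 *        then tear everything down again.
 *
 * The first OFFSET bytes of the input select the command; the remainder is the payload.
 *
 * @param rawData Fuzz input.
 * @param size    Number of readable bytes at rawData.
 * @return true when setup and teardown all succeeded; false when the input is null or too short,
 *         or when any service call reported a failure.
 */
bool DoSomethingInterestingWithMyAPI(const uint8_t *rawData, size_t size)
{
    // WlanFucSwitch reads an int32_t from the start of the payload, so require that much after the
    // selector instead of trusting the caller's own length check.
    constexpr size_t headerLen = static_cast<size_t>(OFFSET);
    if (rawData == nullptr || size < headerLen + sizeof(int32_t)) {
        return false;
    }
    uint32_t cmd = Convert2Uint32(rawData);
    // NOTE(review): only two selector values reach a call; every other 32-bit value falls through
    // to the default case of WlanFucSwitch. Consider reducing cmd to the valid range.

    // The payload ends up in ifeature.ifName, i.e. it is used as a C string, but fuzz input has no
    // terminator. Work on a NUL-terminated copy so a string read cannot run past the input
    // buffer; the copy stays alive until after DestroyFeature below.
    std::vector<uint8_t> payload(rawData + headerLen, rawData + size);
    payload.push_back(0);

    g_wlanObj = IWlanInterfaceGetInstance(g_wlanServiceName, false);
    if (g_wlanObj == nullptr) {
        HDF_LOGE("%{public}s: g_wlanObj is null", __FUNCTION__);
        return false;
    }

    int32_t ret = g_wlanObj->Start(g_wlanObj);
    if (ret != HDF_SUCCESS) {
        HDF_LOGE("%{public}s: Start failed! ret=%{public}d", __FUNCTION__, ret);
        IWlanInterfaceReleaseInstance(g_wlanServiceName, g_wlanObj, false);
        return false;
    }

    ret = g_wlanObj->CreateFeature(g_wlanObj, wlanType, &ifeature);
    if (ret != HDF_SUCCESS) {
        HDF_LOGE("%{public}s: CreateFeature failed! ret=%{public}d", __FUNCTION__, ret);
        ret = g_wlanObj->Stop(g_wlanObj);
        if (ret != HDF_SUCCESS) {
            HDF_LOGE("%{public}s: Stop failed! ret=%{public}d", __FUNCTION__, ret);
        }
        IWlanInterfaceReleaseInstance(g_wlanServiceName, g_wlanObj, false);
        return false;
    }

    WlanFucSwitch(g_wlanObj, cmd, payload.data());

    // Setup succeeded; from here on only a failing teardown step turns the result into false.
    // (Previously result was never set to true, so the function returned false unconditionally.)
    bool result = true;

    ret = g_wlanObj->DestroyFeature(g_wlanObj, &ifeature);
    if (ret != HDF_SUCCESS) {
        HDF_LOGE("%{public}s: DestroyFeature failed! ret=%{public}d", __FUNCTION__, ret);
        result = false;
    }

    ret = g_wlanObj->Stop(g_wlanObj);
    if (ret != HDF_SUCCESS) {
        HDF_LOGE("%{public}s: Stop failed! ret=%{public}d", __FUNCTION__, ret);
        result = false;
    }

    IWlanInterfaceReleaseInstance(g_wlanServiceName, g_wlanObj, false);
    return result;
}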
132 } // namespace WIFI
133 } // namespace OHOS
134 
/*
 * Fuzzer entry point.
 * Inputs shorter than OHOS::WIFI::THRESHOLD bytes are skipped; everything else is forwarded to
 * the WLAN harness. The harness result is not inspected and 0 is always returned.
 */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    const bool longEnough = !(size < OHOS::WIFI::THRESHOLD);
    if (longEnough) {
        /* Run the harness on data */
        OHOS::WIFI::DoSomethingInterestingWithMyAPI(data, size);
    }
    return 0;
}