1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "setradiostate_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <thread>
21
22 #define private public
23 #include "addcoreservicetoken_fuzzer.h"
24 #include "core_service.h"
25 #include "get_network_search_info_callback.h"
26 #include "napi_util.h"
27 #include "set_nr_option_mode_callback.h"
28 #include "set_preferred_network_callback.h"
29 #include "set_radio_state_callback.h"
30 #include "system_ability_definition.h"
31 #include "tel_event_handler.h"
32 #include "unistd.h"
33 #include "tel_ril_manager.h"
34
35 using namespace OHOS::Telephony;
36 namespace OHOS {
37 static bool g_isInited = false;
38 constexpr int32_t SLOT_NUM = 2;
39 constexpr int32_t IMS_TYPE = 3;
40 constexpr int32_t NR_MODE = 4;
41 constexpr int32_t NETWORK_MODE = 7;
42
IsServiceInited()43 bool IsServiceInited()
44 {
45 if (!g_isInited) {
46 DelayedSingleton<CoreService>::GetInstance()->OnStart();
47 if (DelayedSingleton<CoreService>::GetInstance()->GetServiceRunningState() ==
48 static_cast<int32_t>(ServiceRunningState::STATE_RUNNING)) {
49 g_isInited = true;
50 }
51 }
52 return g_isInited;
53 }
54
SetRadioState(const uint8_t * data,size_t size)55 void SetRadioState(const uint8_t *data, size_t size)
56 {
57 if (!IsServiceInited()) {
58 return;
59 }
60
61 MessageParcel dataMessageParcel;
62 std::unique_ptr<SetRadioStateCallback> callbackWrap = std::make_unique<SetRadioStateCallback>(nullptr);
63 if (callbackWrap == nullptr) {
64 return;
65 }
66 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
67 dataMessageParcel.WriteInt32(slotId);
68 dataMessageParcel.WriteRemoteObject(callbackWrap.release()->AsObject().GetRefPtr());
69 MessageParcel reply;
70 DelayedSingleton<CoreService>::GetInstance()->OnSetRadioState(dataMessageParcel, reply);
71 }
72
GetRadioState(const uint8_t * data,size_t size)73 void GetRadioState(const uint8_t *data, size_t size)
74 {
75 if (!IsServiceInited()) {
76 return;
77 }
78
79 MessageParcel dataMessageParcel;
80 std::unique_ptr<SetRadioStateCallback> callbackWrap = std::make_unique<SetRadioStateCallback>(nullptr);
81 if (callbackWrap == nullptr) {
82 return;
83 }
84 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
85 dataMessageParcel.WriteInt32(slotId);
86 dataMessageParcel.WriteRemoteObject(callbackWrap.release()->AsObject().GetRefPtr());
87 MessageParcel reply;
88 DelayedSingleton<CoreService>::GetInstance()->OnGetRadioState(dataMessageParcel, reply);
89 }
90
SetNrOptionMode(const uint8_t * data,size_t size)91 void SetNrOptionMode(const uint8_t *data, size_t size)
92 {
93 if (!IsServiceInited()) {
94 return;
95 }
96
97 MessageParcel dataMessageParcel;
98 std::unique_ptr<SetRadioStateCallback> callbackWrap = std::make_unique<SetRadioStateCallback>(nullptr);
99 if (callbackWrap == nullptr) {
100 return;
101 }
102 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
103 int32_t nrMode = static_cast<int32_t>(*data % NR_MODE);
104 dataMessageParcel.WriteInt32(slotId);
105 dataMessageParcel.WriteInt32(nrMode);
106 dataMessageParcel.WriteRemoteObject(callbackWrap.release()->AsObject().GetRefPtr());
107 MessageParcel reply;
108 DelayedSingleton<CoreService>::GetInstance()->OnSetNrOptionMode(dataMessageParcel, reply);
109 }
110
GetNrOptionMode(const uint8_t * data,size_t size)111 void GetNrOptionMode(const uint8_t *data, size_t size)
112 {
113 if (!IsServiceInited()) {
114 return;
115 }
116
117 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
118 DelayedSingleton<CoreService>::GetInstance()->GetNrOptionMode(slotId, nullptr);
119 }
120
GetNetworkSearchInformation(const uint8_t * data,size_t size)121 void GetNetworkSearchInformation(const uint8_t *data, size_t size)
122 {
123 if (!IsServiceInited()) {
124 return;
125 }
126
127 MessageParcel dataMessageParcel;
128 std::unique_ptr<GetNetworkSearchInfoCallback> callbackWrap =
129 std::make_unique<GetNetworkSearchInfoCallback>(nullptr);
130 if (callbackWrap == nullptr) {
131 return;
132 }
133 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
134 dataMessageParcel.WriteInt32(slotId);
135 dataMessageParcel.WriteRemoteObject(callbackWrap.release()->AsObject().GetRefPtr());
136 MessageParcel reply;
137 DelayedSingleton<CoreService>::GetInstance()->OnGetNetworkSearchInformation(dataMessageParcel, reply);
138 }
139
SetNetworkSelectionMode(const uint8_t * data,size_t size)140 void SetNetworkSelectionMode(const uint8_t *data, size_t size)
141 {
142 if (!IsServiceInited()) {
143 return;
144 }
145
146 MessageParcel dataMessageParcel;
147 std::unique_ptr<GetNetworkSearchInfoCallback> callbackWrap =
148 std::make_unique<GetNetworkSearchInfoCallback>(nullptr);
149 if (callbackWrap == nullptr) {
150 return;
151 }
152 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
153 int32_t selectionMode = static_cast<int32_t>(*data + sizeof(int32_t));
154 dataMessageParcel.WriteInt32(slotId);
155 dataMessageParcel.WriteInt32(selectionMode);
156 dataMessageParcel.WriteBool(false);
157 dataMessageParcel.WriteRemoteObject(callbackWrap.release()->AsObject().GetRefPtr());
158 MessageParcel reply;
159 DelayedSingleton<CoreService>::GetInstance()->OnSetNetworkSelectionMode(dataMessageParcel, reply);
160 }
161
SetPreferredNetwork(const uint8_t * data,size_t size)162 void SetPreferredNetwork(const uint8_t *data, size_t size)
163 {
164 if (!IsServiceInited()) {
165 return;
166 }
167
168 MessageParcel dataMessageParcel;
169 std::unique_ptr<SetPreferredNetworkCallback> callbackWrap = std::make_unique<SetPreferredNetworkCallback>(nullptr);
170 if (callbackWrap == nullptr) {
171 return;
172 }
173 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
174 int32_t networkMode = static_cast<int32_t>(*data % NETWORK_MODE);
175 dataMessageParcel.WriteInt32(slotId);
176 dataMessageParcel.WriteInt32(networkMode);
177 dataMessageParcel.WriteRemoteObject(callbackWrap.release()->AsObject().GetRefPtr());
178 MessageParcel reply;
179 DelayedSingleton<CoreService>::GetInstance()->OnSetPreferredNetwork(dataMessageParcel, reply);
180 }
181
SetVoiceCallForwarding(const uint8_t * data,size_t size)182 void SetVoiceCallForwarding(const uint8_t *data, size_t size)
183 {
184 if (!IsServiceInited()) {
185 return;
186 }
187
188 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
189 MessageParcel dataMessageParcel;
190 dataMessageParcel.WriteInt32(slotId);
191 dataMessageParcel.WriteBool(true);
192 std::string number(reinterpret_cast<const char *>(data), size);
193 dataMessageParcel.WriteString(number);
194 dataMessageParcel.WriteBuffer(data, size);
195 dataMessageParcel.RewindRead(0);
196 MessageParcel reply;
197 DelayedSingleton<CoreService>::GetInstance()->OnSetVoiceCallForwarding(dataMessageParcel, reply);
198 }
199
GetMaxSimCount(const uint8_t * data,size_t size)200 void GetMaxSimCount(const uint8_t *data, size_t size)
201 {
202 if (!IsServiceInited()) {
203 return;
204 }
205
206 MessageParcel dataMessageParcel;
207 dataMessageParcel.WriteBuffer(data, size);
208 dataMessageParcel.RewindRead(0);
209 MessageParcel reply;
210 DelayedSingleton<CoreService>::GetInstance()->OnGetMaxSimCount(dataMessageParcel, reply);
211 }
212
GetImsRegStatus(const uint8_t * data,size_t size)213 void GetImsRegStatus(const uint8_t *data, size_t size)
214 {
215 if (!IsServiceInited()) {
216 return;
217 }
218
219 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
220 MessageParcel dataMessageParcel;
221 dataMessageParcel.WriteInt32(slotId);
222 int32_t imsRegType = static_cast<int32_t>(*data % IMS_TYPE);
223 dataMessageParcel.WriteInt32(imsRegType);
224 dataMessageParcel.WriteBuffer(data, size);
225 dataMessageParcel.RewindRead(0);
226 MessageParcel reply;
227 DelayedSingleton<CoreService>::GetInstance()->OnGetImsRegStatus(dataMessageParcel, reply);
228 }
229
GetCellLocation(const uint8_t * data,size_t size)230 void GetCellLocation(const uint8_t *data, size_t size)
231 {
232 if (!IsServiceInited()) {
233 return;
234 }
235
236 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
237 MessageParcel dataMessageParcel;
238 dataMessageParcel.WriteInt32(slotId);
239 dataMessageParcel.WriteBuffer(data, size);
240 dataMessageParcel.RewindRead(0);
241 MessageParcel reply;
242 DelayedSingleton<CoreService>::GetInstance()->OnGetCellLocation(dataMessageParcel, reply);
243 }
244
RegisterImsRegInfoCallback(const uint8_t * data,size_t size)245 void RegisterImsRegInfoCallback(const uint8_t *data, size_t size)
246 {
247 if (!IsServiceInited()) {
248 return;
249 }
250
251 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
252 int32_t imsRegType = static_cast<int32_t>(*data % IMS_TYPE);
253 MessageParcel dataMessageParcel;
254 dataMessageParcel.WriteInt32(slotId);
255 dataMessageParcel.WriteInt32(imsRegType);
256 dataMessageParcel.WriteBuffer(data, size);
257 dataMessageParcel.RewindRead(0);
258 MessageParcel reply;
259 DelayedSingleton<CoreService>::GetInstance()->OnRegisterImsRegInfoCallback(dataMessageParcel, reply);
260 }
261
UnRegisterImsRegInfoCallback(const uint8_t * data,size_t size)262 void UnRegisterImsRegInfoCallback(const uint8_t *data, size_t size)
263 {
264 if (!IsServiceInited()) {
265 return;
266 }
267
268 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
269 int32_t imsRegType = static_cast<int32_t>(*data % IMS_TYPE);
270 MessageParcel dataMessageParcel;
271 dataMessageParcel.WriteInt32(slotId);
272 dataMessageParcel.WriteInt32(imsRegType);
273 dataMessageParcel.WriteBuffer(data, size);
274 dataMessageParcel.RewindRead(0);
275 MessageParcel reply;
276 DelayedSingleton<CoreService>::GetInstance()->OnUnregisterImsRegInfoCallback(dataMessageParcel, reply);
277 }
278
GetSimOperatorNumeric(const uint8_t * data,size_t size)279 void GetSimOperatorNumeric(const uint8_t *data, size_t size)
280 {
281 if (!IsServiceInited()) {
282 return;
283 }
284
285 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
286 MessageParcel dataMessageParcel;
287 dataMessageParcel.WriteInt32(slotId);
288 dataMessageParcel.WriteBuffer(data, size);
289 dataMessageParcel.RewindRead(0);
290 MessageParcel reply;
291 DelayedSingleton<CoreService>::GetInstance()->OnGetSimOperatorNumeric(dataMessageParcel, reply);
292 }
293
DoSomethingInterestingWithMyAPI(const uint8_t * data,size_t size)294 void DoSomethingInterestingWithMyAPI(const uint8_t *data, size_t size)
295 {
296 if (data == nullptr || size == 0) {
297 return;
298 }
299
300 SetRadioState(data, size);
301 GetRadioState(data, size);
302 SetNrOptionMode(data, size);
303 GetNrOptionMode(data, size);
304 GetNetworkSearchInformation(data, size);
305 SetNetworkSelectionMode(data, size);
306 SetPreferredNetwork(data, size);
307 SetVoiceCallForwarding(data, size);
308 GetMaxSimCount(data, size);
309 GetImsRegStatus(data, size);
310 GetCellLocation(data, size);
311 RegisterImsRegInfoCallback(data, size);
312 UnRegisterImsRegInfoCallback(data, size);
313 GetSimOperatorNumeric(data, size);
314 auto telRilManager = std::static_pointer_cast<TelRilManager>(
315 DelayedSingleton<CoreService>::GetInstance()->telRilManager_);
316 if (telRilManager == nullptr || telRilManager->handler_ == nullptr) {
317 return;
318 }
319 telRilManager->handler_->ClearFfrt(false);
320 telRilManager->handler_->queue_ = nullptr;
321 return;
322 }
323 } // namespace OHOS
324
325 /* Fuzzer entry point */
LLVMFuzzerInitialize(int * argc,char *** argv)326 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv)
327 {
328 OHOS::AddCoreServiceTokenFuzzer token;
329 return 0;
330 }
331
332 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)333 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
334 {
335 /* Run your code on data */
336 OHOS::DoSomethingInterestingWithMyAPI(data, size);
337 OHOS::DelayedSingleton<CoreService>::DestroyInstance();
338 return 0;
339 }
340