1 #include "fuzz.h"
2
#define MODULE_NAME "nfc_rw_fuzzer"

// Exported identity of this fuzzer. Presumably consumed by the shared fuzz
// framework in fuzz.h (registration / FUZZLOG prefix) — confirm there.
const char fuzzer_name[] = MODULE_NAME;

// Per-tag-type input normalizers, defined in sibling translation units.
// Each receives the sub-type byte taken from the control packet and the full
// packet list (control packet included) by non-const reference, so it may
// reshape the data packets in place before they are run.
// NOTE(review): "Mfc" is presumably MIFARE Classic — confirm against the
// implementing unit.
extern void Type1_FixPackets(uint8_t SubType, std::vector<bytes_t>& Packets);
extern void Type2_FixPackets(uint8_t SubType, std::vector<bytes_t>& Packets);
extern void Type3_FixPackets(uint8_t SubType, std::vector<bytes_t>& Packets);
extern void Type4_FixPackets(uint8_t SubType, std::vector<bytes_t>& Packets);
extern void Type5_FixPackets(uint8_t SubType, std::vector<bytes_t>& Packets);
extern void Mfc_FixPackets(uint8_t SubType, std::vector<bytes_t>& Packets);

// Per-tag-type drivers that feed the already-normalized packets to the code
// under test. Packets are read-only here: every repair of a malformed corpus
// entry must happen in the corresponding *_FixPackets pass.
extern void Type1_Fuzz(uint8_t SubType, const std::vector<bytes_t>& Packets);
extern void Type2_Fuzz(uint8_t SubType, const std::vector<bytes_t>& Packets);
extern void Type3_Fuzz(uint8_t SubType, const std::vector<bytes_t>& Packets);
extern void Type4_Fuzz(uint8_t SubType, const std::vector<bytes_t>& Packets);
extern void Type5_Fuzz(uint8_t SubType, const std::vector<bytes_t>& Packets);
extern void Mfc_Fuzz(uint8_t SubType, const std::vector<bytes_t>& Packets);
20
// Normalizes a raw fuzzer input into the shape the per-tag-type drivers expect.
//
// Packets[0] is a two-byte control packet. Byte 0 selects the tag type and is
// reduced modulo Fuzz_TypeMax, so the fuzzer-controlled byte can never feed an
// out-of-range selector into the dispatch below; byte 1 is a driver-specific
// sub-type passed through untouched. The remaining packets are handed, together
// with the control packet, to the selected *_FixPackets routine, which owns any
// further normalization of the data packets.
//
// Seed is consulted only when the control packet is not exactly two bytes long:
// bits 16..31 of it are used to synthesize one, so a malformed corpus entry
// still yields a valid, deterministic dispatch instead of being rejected.
void Fuzz_FixPackets(std::vector<bytes_t>& Packets, uint Seed) {
  // Need the control packet plus at least one data packet.
  if (Packets.size() < 2) {
    Packets.resize(2);
  }

  auto& ctrl = Packets[0];
  if (ctrl.size() != 2) {
    // Force the control packet to exactly two bytes. A control packet longer
    // than two bytes is discarded and replaced as well, so the per-type fixers
    // never see one with trailing bytes.
    ctrl.resize(2);
    ctrl[0] = static_cast<uint8_t>((Seed >> 16) & 0xFFu);
    ctrl[1] = static_cast<uint8_t>((Seed >> 24) & 0xFFu);
  }

  // The reduced selector is deliberately NOT written back into ctrl[0]: the raw
  // byte stays in the corpus and Fuzz_RunPackets applies the same modulo.
  const uint8_t FuzzType = ctrl[0] % Fuzz_TypeMax;
  const uint8_t FuzzSubType = ctrl[1];

  using FixFn = void (*)(uint8_t, std::vector<bytes_t>&);
  FixFn fixer = nullptr;
  switch (FuzzType) {
    case Fuzz_Type1: fixer = Type1_FixPackets; break;
    case Fuzz_Type2: fixer = Type2_FixPackets; break;
    case Fuzz_Type3: fixer = Type3_FixPackets; break;
    case Fuzz_Type4: fixer = Type4_FixPackets; break;
    case Fuzz_Type5: fixer = Type5_FixPackets; break;
    case Fuzz_Mfc:   fixer = Mfc_FixPackets;   break;
    default:
      break;
  }

  if (fixer == nullptr) {
    // Only reachable if Fuzz_TypeMax leaves a gap in the enum values above.
    FUZZLOG("Unknown fuzz type %hhu", FuzzType);
    return;
  }
  fixer(FuzzSubType, Packets);
}
65
// Dispatches one already-normalized input to the tag-type driver selected by
// its control packet.
//
// Inputs that cannot carry a selector — fewer than two packets, or a control
// packet shorter than two bytes — are silently dropped rather than repaired
// here; Fuzz_FixPackets is the only place where inputs are fixed up. Only
// ctrl[0] and ctrl[1] are read, so (unlike Fuzz_FixPackets, which forces the
// control packet to exactly two bytes) a longer control packet is accepted
// and its trailing bytes ignored. The driver receives Packets read-only.
void Fuzz_RunPackets(const std::vector<bytes_t>& Packets) {
  if (Packets.size() < 2) {
    return;
  }

  const auto& ctrl = Packets[0];
  if (ctrl.size() < 2) {
    return;
  }

  // Same reduction as Fuzz_FixPackets so both passes agree on the selector.
  const uint8_t FuzzType = ctrl[0] % Fuzz_TypeMax;
  const uint8_t FuzzSubType = ctrl[1];

  // NOTE(review): the label is just the enum index plus one. It names an NFC
  // Forum "Type N" tag only while the enum order is Type1..Type5, and for
  // Fuzz_Mfc it prints a tag type that does not exist — confirm against fuzz.h.
  FUZZLOG("Fuzzing Type%u tag", static_cast<uint>(FuzzType + 1));

  using RunFn = void (*)(uint8_t, const std::vector<bytes_t>&);
  const RunFn runner = [FuzzType]() -> RunFn {
    switch (FuzzType) {
      case Fuzz_Type1: return Type1_Fuzz;
      case Fuzz_Type2: return Type2_Fuzz;
      case Fuzz_Type3: return Type3_Fuzz;
      case Fuzz_Type4: return Type4_Fuzz;
      case Fuzz_Type5: return Type5_Fuzz;
      case Fuzz_Mfc:   return Mfc_Fuzz;
      default:         return nullptr;
    }
  }();

  if (runner == nullptr) {
    // Only reachable if Fuzz_TypeMax leaves a gap in the enum values above.
    FUZZLOG("Unknown fuzz type: %hhu", FuzzType);
    return;
  }
  runner(FuzzSubType, Packets);
}
111