1 #include "fuzz.h"
2 #include "gki_int.h"
#define MODULE_NAME "nfc_nci_fuzzer"
// Harness identifier handed to the shared fuzz driver (presumably declared
// extern in fuzz.h; keep the definition here so the symbol has one home).
const char fuzzer_name[] = MODULE_NAME;

// Fuzz sub-types. This harness has a single variant, so only SUB_TYPE_DUMMY is
// ever passed to Fuzz_Context; SUB_TYPE_MAX is the usual end-of-enum marker.
enum {
  SUB_TYPE_DUMMY,

  SUB_TYPE_MAX
};
/// Response callback registered with NFC_Enable(). The harness does not act on
/// responses; it only records the event code and the payload pointer so a
/// crash log shows what the stack delivered last.
static void resp_cback(tNFC_RESPONSE_EVT event, tNFC_RESPONSE* p_data) {
  FUZZLOG(MODULE_NAME ": event=0x%02x, p_data=%p",
          event,
          p_data);
}
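/// Vendor-specific NCI callback registered with NFC_RegVSCback(). Logs the
/// event code and a hex dump of the `len` bytes at `data`.
static void nfc_vs_cback(tNFC_VS_EVT event, uint16_t len, uint8_t* data) {
  // BytesToHex() yields an owning string; its c_str() is a const char* and
  // must be printed with %s. Printing it with %p only logged the address of
  // the temporary, so the payload never reached the log. The temporary lives
  // until the end of the full expression, so passing c_str() inline is safe.
  FUZZLOG(MODULE_NAME ": event=0x%02x, data=%s", event,
          BytesToHex(data, len).c_str());
}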
/// Static RF connection callback registered with NFC_SetStaticRfCback().
/// Every event is logged; for NFC_DATA_CEVT the GKI buffer delivered with the
/// event is released here so the GKI pool does not drain over many fuzz
/// iterations. NOTE(review): this assumes the stack hands the buffer to the
/// callback and does not free it afterwards — a double free otherwise; verify
/// against the data-event dispatch path.
static void nfc_rf_cback(uint8_t conn_id, tNFC_CONN_EVT event,
                         tNFC_CONN* p_data) {
  FUZZLOG(MODULE_NAME ": rf_cback, conn_id=%d, event=0x%02x", conn_id, event);

  if (event != NFC_DATA_CEVT) {
    return;
  }
  // p_data is assumed non-null for data events — confirm against the caller.
  auto* const payload = p_data->data.p_data;
  if (payload == nullptr) {
    return;
  }
  // Clear the slot before releasing so no stale pointer is left behind.
  p_data->data.p_data = nullptr;
  GKI_freebuf(payload);
}
/// Static HCI connection callback registered with NFC_SetStaticHciCback().
/// Mirrors the RF callback: log the event, and for NFC_DATA_CEVT release the
/// GKI buffer that arrived with it. NOTE(review): assumes the stack transfers
/// the buffer to the callback and does not free it itself — verify, since a
/// second free by the stack would corrupt the GKI pool.
static void nfc_hci_cback(uint8_t conn_id, tNFC_CONN_EVT event,
                          tNFC_CONN* p_data) {
  FUZZLOG(MODULE_NAME ": hci_cback, conn_id=%d, event=0x%02x", conn_id, event);

  if (event != NFC_DATA_CEVT) {
    return;
  }
  // p_data is assumed non-null for data events — confirm against the caller.
  auto* const payload = p_data->data.p_data;
  if (payload == nullptr) {
    return;
  }
  // Clear the slot before releasing so no stale pointer is left behind.
  p_data->data.p_data = nullptr;
  GKI_freebuf(payload);
}
// Test hooks (presumably implemented by the fuzzer's HAL shim, not the NCI
// stack): hal_inject_data() pushes a synthetic NFCC packet up into the stack
// (used by Fuzz_Run), get_hal_func_entries() supplies the HAL entry table
// handed to NFC_Init(). hal_inject_event() is declared but unused here.
extern void hal_inject_event(uint8_t hal_evt, tHAL_NFC_STATUS status);
extern bool hal_inject_data(const uint8_t* p_data, uint16_t data_len);
extern tHAL_NFC_ENTRY* get_hal_func_entries();

// Stack-internal entry points reached directly by Fuzz_Init()/Fuzz_Deinit().
extern uint8_t nci_snd_core_reset(uint8_t reset_type);
extern void GKI_shutdown();

// GKI control block; Fuzz_Init() writes the NFC_TASK thread id into it.
extern tGKI_CB gki_cb;
// Brings up the NCI stack on the calling thread for one fuzz cycle.
// Always returns true: the results of NFC_Enable() and nci_snd_core_reset()
// are not checked, so a failed bring-up still proceeds to Fuzz_Run().
static bool Fuzz_Init(Fuzz_Context& /*ctx*/) {
  GKI_init();
  // Register the calling thread as NFC_TASK — presumably so the stack's
  // task-identity checks accept this thread without a real GKI task; confirm.
  gki_cb.os.thread_id[NFC_TASK] = pthread_self();

  // The HAL entries come from the fuzz shim (see extern above), so all
  // "NFCC" traffic is whatever the harness injects.
  NFC_Init(get_hal_func_entries());
  NFC_Enable(resp_cback);

  NFC_RegVSCback(true, nfc_vs_cback);
  NFC_SetStaticRfCback(nfc_rf_cback);
  NFC_SetStaticHciCback(nfc_hci_cback);

  // Force the state machine to CORE_INIT and issue CORE_RESET — presumably so
  // injected packets are parsed as traffic of an active session; confirm.
  nfc_set_state(NFC_STATE_CORE_INIT);
  nci_snd_core_reset(NCI_RESET_TYPE_RESET_CFG);
  return true;
}
// Tears the stack down after a cycle: shuts down the NFCC-facing task state,
// then the GKI layer, so the next Fuzz_Init() starts from a clean state.
static void Fuzz_Deinit(Fuzz_Context& /*ctx*/) {
  nfc_task_shutdown_nfcc();
  GKI_shutdown();
}
/// Feeds each packet of the context into the stack through the HAL shim, as
/// if the NFCC had sent it. The bool returned by hal_inject_data() is not
/// checked: a packet the shim refuses simply contributes nothing.
static void Fuzz_Run(Fuzz_Context& ctx) {
  for (const auto& packet : ctx.Data) {
    // NOTE(review): size() narrows to the uint16_t length parameter, so a
    // packet longer than 65535 bytes is injected with a truncated length
    // (never longer than the buffer, so no over-read, but not the full input).
    hal_inject_data(packet.data(), packet.size());
  }
}
/// Normalizes mutated packets before a run: an NCI packet carries at least a
/// two-byte header, so anything shorter is grown (resize value-initializes
/// the new bytes) to the minimum length. Seed is unused; the fixup is
/// deterministic.
void Fuzz_FixPackets(std::vector<bytes_t>& Packets, uint /*Seed*/) {
  constexpr auto kMinNciPacketLen = 2u;
  for (auto& packet : Packets) {
    if (packet.size() < kMinNciPacketLen) {
      packet.resize(kMinNciPacketLen);
    }
  }
}
/// Entry point for the shared fuzz driver: one full init / inject / teardown
/// cycle over a packet set. Fuzz_Deinit() runs unconditionally so teardown
/// happens even when Fuzz_Init() reports failure.
void Fuzz_RunPackets(const std::vector<bytes_t>& Packets) {
  Fuzz_Context ctx(SUB_TYPE_DUMMY, Packets);
  const bool stack_ready = Fuzz_Init(ctx);
  if (stack_ready) {
    Fuzz_Run(ctx);
  }

  Fuzz_Deinit(ctx);
}