1*7eba2f3bSAndroid Build Coastguard Worker #include "fuzz.h"
2*7eba2f3bSAndroid Build Coastguard Worker #include "gki_int.h"
3*7eba2f3bSAndroid Build Coastguard Worker 
// Module tag prefixed to every FUZZLOG line below. Kept as a macro (not a
// constexpr) because the log calls rely on adjacent string-literal
// concatenation, e.g. MODULE_NAME ": event=0x%02x".
#define MODULE_NAME "nfc_nci_fuzzer"
// Name exported to the shared fuzz harness (declared in fuzz.h, presumably);
// identifies this target in harness output.
const char fuzzer_name[] = MODULE_NAME;
6*7eba2f3bSAndroid Build Coastguard Worker 
// Sub-type selector passed to Fuzz_Context. This target has a single mode,
// so only the placeholder value exists; SUB_TYPE_MAX marks the end of the
// range for the harness.
enum {
  SUB_TYPE_DUMMY = 0,  // the only mode this fuzzer exercises
  SUB_TYPE_MAX = 1     // one past the last valid sub-type
};
12*7eba2f3bSAndroid Build Coastguard Worker 
// Response callback handed to NFC_Enable. The fuzzer takes no action on
// responses; it only logs the event code and the payload address.
// @param event  response event code from the NFC stack
// @param p_data event payload; only its address is printed (%p), so a null
//               pointer is harmless here
static void resp_cback(tNFC_RESPONSE_EVT event, tNFC_RESPONSE* p_data) {
  FUZZLOG(MODULE_NAME ": event=0x%02x, p_data=%p", event, p_data);
}
16*7eba2f3bSAndroid Build Coastguard Worker 
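// Vendor-specific (VS) NCI callback registered via NFC_RegVSCback. The
// fuzzer does not act on VS events; it only logs them.
// @param event VS event code
// @param len   number of bytes in data
// @param data  raw VS payload, rendered as hex for the log line
static void nfc_vs_cback(tNFC_VS_EVT event, uint16_t len, uint8_t* data) {
  // BytesToHex(...).c_str() is a C string, so it must be formatted with %s.
  // The previous %p printed the temporary's buffer address rather than the
  // hex dump of the payload, making the log useless for crash triage.
  FUZZLOG(MODULE_NAME ": event=0x%02x, data=%s", event,
          BytesToHex(data, len).c_str());
}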
21*7eba2f3bSAndroid Build Coastguard Worker 
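// Shared cleanup for the static connection callbacks: on NFC_DATA_CEVT the
// stack hands over a GKI buffer that the callback owns. Free it so repeated
// fuzz iterations do not exhaust the GKI pool, and clear the pointer so a
// second visit cannot double-free it. Other events carry no buffer to free.
// @param event  connection event code
// @param p_data event payload; tolerated as null (nothing to release then)
static void release_conn_data(tNFC_CONN_EVT event, tNFC_CONN* p_data) {
  if (event != NFC_DATA_CEVT || p_data == nullptr) {
    return;
  }
  if (p_data->data.p_data != nullptr) {
    GKI_freebuf(p_data->data.p_data);
    p_data->data.p_data = nullptr;
  }
}

// Static RF connection callback registered via NFC_SetStaticRfCback.
// @param conn_id logical connection the event belongs to
// @param event   connection event code
// @param p_data  event payload; its data buffer is released for NFC_DATA_CEVT
static void nfc_rf_cback(uint8_t conn_id, tNFC_CONN_EVT event,
                         tNFC_CONN* p_data) {
  FUZZLOG(MODULE_NAME ": rf_cback, conn_id=%d, event=0x%02x", conn_id, event);
  release_conn_data(event, p_data);
}

// Static HCI connection callback registered via NFC_SetStaticHciCback.
// Same contract as nfc_rf_cback, only the log tag differs.
// @param conn_id logical connection the event belongs to
// @param event   connection event code
// @param p_data  event payload; its data buffer is released for NFC_DATA_CEVT
static void nfc_hci_cback(uint8_t conn_id, tNFC_CONN_EVT event,
                          tNFC_CONN* p_data) {
  FUZZLOG(MODULE_NAME ": hci_cback, conn_id=%d, event=0x%02x", conn_id, event);
  release_conn_data(event, p_data);
}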
45*7eba2f3bSAndroid Build Coastguard Worker 
// Entry points of the fuzzer's HAL shim (defined elsewhere in the fuzzer,
// not visible in this file). Instead of talking to a real NFCC, the shim
// lets the harness push events and raw NCI bytes into the stack.
extern void hal_inject_event(uint8_t hal_evt, tHAL_NFC_STATUS status);
// Feeds data_len bytes of p_data to the stack as if received from the NFCC;
// the bool result is presumably a success flag — its meaning is not visible here.
extern bool hal_inject_data(const uint8_t* p_data, uint16_t data_len);
// HAL function table handed to NFC_Init so the stack binds to the shim.
extern tHAL_NFC_ENTRY* get_hal_func_entries();

// Internal stack/GKI symbols used directly by the harness; declared here
// rather than via their headers.
extern uint8_t nci_snd_core_reset(uint8_t reset_type);
extern void GKI_shutdown();

// Global GKI control block; Fuzz_Init writes the NFC task's thread id into it.
extern tGKI_CB gki_cb;
// Brings the NFC stack up for one fuzz iteration. The call order matters:
// GKI must exist before NFC_Init, and the callbacks must be registered before
// any injected packet can trigger them.
// @param ctx unused; the packets are consumed later by Fuzz_Run
// @return always true; the harness still calls Fuzz_Deinit afterwards
static bool Fuzz_Init(Fuzz_Context& /*ctx*/) {
  GKI_init();
  // Record the calling thread as the NFC task so the stack, which normally
  // runs on its own GKI task, operates on the fuzzer's thread instead.
  gki_cb.os.thread_id[NFC_TASK] = pthread_self();

  // Bind the stack to the shim HAL and register the response callback.
  NFC_Init(get_hal_func_entries());
  NFC_Enable(resp_cback);

  // Register the callbacks that receive VS events and connection data; the
  // connection callbacks also free the data buffers the stack hands over.
  NFC_RegVSCback(true, nfc_vs_cback);
  NFC_SetStaticRfCback(nfc_rf_cback);
  NFC_SetStaticHciCback(nfc_hci_cback);

  // Jump straight to core init and issue a core reset so that the injected
  // packets are parsed as responses/notifications of a stack that is already
  // up. The status returned by nci_snd_core_reset is intentionally ignored.
  nfc_set_state(NFC_STATE_CORE_INIT);
  nci_snd_core_reset(NCI_RESET_TYPE_RESET_CFG);
  return true;
}
69*7eba2f3bSAndroid Build Coastguard Worker 
// Tears the stack down after an iteration: shut the NFCC side down first,
// then release GKI (reverse of the order used in Fuzz_Init).
// @param ctx unused
static void Fuzz_Deinit(Fuzz_Context& /*ctx*/) {
  nfc_task_shutdown_nfcc();
  GKI_shutdown();
}
74*7eba2f3bSAndroid Build Coastguard Worker 
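// Replays every packet of the context into the stack through the HAL shim,
// as if it had arrived from the NFCC.
// @param ctx fuzz context whose Data member holds the packets to inject
static void Fuzz_Run(Fuzz_Context& ctx) {
  for (const auto& packet : ctx.Data) {
    // hal_inject_data takes a uint16_t length. Passing packet.size() directly
    // would silently truncate a packet larger than 64 KiB to its low 16 bits;
    // clamp instead so the length always describes a prefix of the buffer.
    const auto len = packet.size() > UINT16_MAX ? UINT16_MAX : packet.size();
    hal_inject_data(packet.data(), static_cast<uint16_t>(len));
  }
}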
80*7eba2f3bSAndroid Build Coastguard Worker 
// Normalises a packet list before it is replayed: an NCI packet needs at
// least a 2-byte header, so anything shorter is grown to two bytes with
// resize() (the added elements are value-initialised).
// @param Packets packets to adjust in place
// @param Seed    unused; present to satisfy the harness interface
void Fuzz_FixPackets(std::vector<bytes_t>& Packets, uint /*Seed*/) {
  constexpr size_t kMinNciPacketSize = 2;
  for (auto& packet : Packets) {
    if (packet.size() < kMinNciPacketSize) {
      packet.resize(kMinNciPacketSize);
    }
  }
}
89*7eba2f3bSAndroid Build Coastguard Worker 
// Harness entry point: brings the stack up, replays the packets, and always
// tears the stack down again, even if initialisation reported failure.
// @param Packets packets to inject for this iteration
void Fuzz_RunPackets(const std::vector<bytes_t>& Packets) {
  Fuzz_Context ctx(SUB_TYPE_DUMMY, Packets);
  const bool ready = Fuzz_Init(ctx);
  if (ready) {
    Fuzz_Run(ctx);
  }
  // Deinit runs unconditionally so a failed init never leaves GKI half-up
  // for the next iteration.
  Fuzz_Deinit(ctx);
}