xref: /aosp_15_r20/system/nfc/src/fuzzers/ce/main.cc (revision 7eba2f3b06c51ae21384f6a4f14577b668a869b3) 
1*7eba2f3bSAndroid Build Coastguard Worker #include "fuzz.h"
2*7eba2f3bSAndroid Build Coastguard Worker 
3*7eba2f3bSAndroid Build Coastguard Worker #define MODULE_NAME "nfc_ce_fuzzer"
4*7eba2f3bSAndroid Build Coastguard Worker 
5*7eba2f3bSAndroid Build Coastguard Worker const char fuzzer_name[] = MODULE_NAME;
6*7eba2f3bSAndroid Build Coastguard Worker 
7*7eba2f3bSAndroid Build Coastguard Worker extern void Type3_FixPackets(uint8_t SubType, std::vector<bytes_t>& Packets);
8*7eba2f3bSAndroid Build Coastguard Worker extern void Type4_FixPackets(uint8_t SubType, std::vector<bytes_t>& Packets);
9*7eba2f3bSAndroid Build Coastguard Worker 
10*7eba2f3bSAndroid Build Coastguard Worker extern void Type3_Fuzz(uint8_t SubType, const std::vector<bytes_t>& Packets);
11*7eba2f3bSAndroid Build Coastguard Worker extern void Type4_Fuzz(uint8_t SubType, const std::vector<bytes_t>& Packets);
12*7eba2f3bSAndroid Build Coastguard Worker 
Fuzz_FixPackets(std::vector<bytes_t> & Packets,uint Seed)13*7eba2f3bSAndroid Build Coastguard Worker void Fuzz_FixPackets(std::vector<bytes_t>& Packets, uint Seed) {
14*7eba2f3bSAndroid Build Coastguard Worker   if (Packets.size() < 2) {
15*7eba2f3bSAndroid Build Coastguard Worker     // At least two packets, first one is the control packet
16*7eba2f3bSAndroid Build Coastguard Worker     Packets.resize(2);
17*7eba2f3bSAndroid Build Coastguard Worker   }
18*7eba2f3bSAndroid Build Coastguard Worker 
19*7eba2f3bSAndroid Build Coastguard Worker   auto& ctrl = Packets[0];
20*7eba2f3bSAndroid Build Coastguard Worker   if (ctrl.size() != 2) {
21*7eba2f3bSAndroid Build Coastguard Worker     ctrl.resize(2);
22*7eba2f3bSAndroid Build Coastguard Worker     ctrl[0] = (Seed >> 16) & 0xFF;
23*7eba2f3bSAndroid Build Coastguard Worker     ctrl[1] = (Seed >> 24) & 0xFF;
24*7eba2f3bSAndroid Build Coastguard Worker   }
25*7eba2f3bSAndroid Build Coastguard Worker 
26*7eba2f3bSAndroid Build Coastguard Worker   uint8_t FuzzType = ctrl[0] % Fuzz_TypeMax;
27*7eba2f3bSAndroid Build Coastguard Worker   uint8_t FuzzSubType = ctrl[1];
28*7eba2f3bSAndroid Build Coastguard Worker 
29*7eba2f3bSAndroid Build Coastguard Worker   switch (FuzzType) {
30*7eba2f3bSAndroid Build Coastguard Worker     case Fuzz_Type3:
31*7eba2f3bSAndroid Build Coastguard Worker       Type3_FixPackets(FuzzSubType, Packets);
32*7eba2f3bSAndroid Build Coastguard Worker       break;
33*7eba2f3bSAndroid Build Coastguard Worker 
34*7eba2f3bSAndroid Build Coastguard Worker     case Fuzz_Type4:
35*7eba2f3bSAndroid Build Coastguard Worker       Type4_FixPackets(FuzzSubType, Packets);
36*7eba2f3bSAndroid Build Coastguard Worker       break;
37*7eba2f3bSAndroid Build Coastguard Worker 
38*7eba2f3bSAndroid Build Coastguard Worker     default:
39*7eba2f3bSAndroid Build Coastguard Worker       FUZZLOG("Unknown fuzz type %hhu", FuzzType);
40*7eba2f3bSAndroid Build Coastguard Worker       break;
41*7eba2f3bSAndroid Build Coastguard Worker   }
42*7eba2f3bSAndroid Build Coastguard Worker }
43*7eba2f3bSAndroid Build Coastguard Worker 
Fuzz_RunPackets(const std::vector<bytes_t> & Packets)44*7eba2f3bSAndroid Build Coastguard Worker void Fuzz_RunPackets(const std::vector<bytes_t>& Packets) {
45*7eba2f3bSAndroid Build Coastguard Worker   if (Packets.size() < 2) {
46*7eba2f3bSAndroid Build Coastguard Worker     return;
47*7eba2f3bSAndroid Build Coastguard Worker   }
48*7eba2f3bSAndroid Build Coastguard Worker 
49*7eba2f3bSAndroid Build Coastguard Worker   auto& ctrl = Packets[0];
50*7eba2f3bSAndroid Build Coastguard Worker   if (ctrl.size() < 2) {
51*7eba2f3bSAndroid Build Coastguard Worker     return;
52*7eba2f3bSAndroid Build Coastguard Worker   }
53*7eba2f3bSAndroid Build Coastguard Worker 
54*7eba2f3bSAndroid Build Coastguard Worker   uint8_t FuzzType = ctrl[0] % Fuzz_TypeMax;
55*7eba2f3bSAndroid Build Coastguard Worker   uint8_t FuzzSubType = ctrl[1];
56*7eba2f3bSAndroid Build Coastguard Worker 
57*7eba2f3bSAndroid Build Coastguard Worker   FUZZLOG("Fuzzing Type%u tag", (uint)(FuzzType + 1));
58*7eba2f3bSAndroid Build Coastguard Worker 
59*7eba2f3bSAndroid Build Coastguard Worker   switch (FuzzType) {
60*7eba2f3bSAndroid Build Coastguard Worker     case Fuzz_Type3:
61*7eba2f3bSAndroid Build Coastguard Worker       Type3_Fuzz(FuzzSubType, Packets);
62*7eba2f3bSAndroid Build Coastguard Worker       break;
63*7eba2f3bSAndroid Build Coastguard Worker 
64*7eba2f3bSAndroid Build Coastguard Worker     case Fuzz_Type4:
65*7eba2f3bSAndroid Build Coastguard Worker       Type4_Fuzz(FuzzSubType, Packets);
66*7eba2f3bSAndroid Build Coastguard Worker       break;
67*7eba2f3bSAndroid Build Coastguard Worker 
68*7eba2f3bSAndroid Build Coastguard Worker     default:
69*7eba2f3bSAndroid Build Coastguard Worker       FUZZLOG("Unknown fuzz type: %hhu", FuzzType);
70*7eba2f3bSAndroid Build Coastguard Worker       break;
71*7eba2f3bSAndroid Build Coastguard Worker   }
72*7eba2f3bSAndroid Build Coastguard Worker }
73