1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "setradiostate_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <thread>
21
22 #define private public
23 #include "addcoreservicetoken_fuzzer.h"
24 #include "core_service.h"
25 #include "get_network_search_info_callback.h"
26 #include "napi_util.h"
27 #include "set_nr_option_mode_callback.h"
28 #include "set_preferred_network_callback.h"
29 #include "set_radio_state_callback.h"
30 #include "system_ability_definition.h"
31 #include "tel_event_handler.h"
32 #include "unistd.h"
33
34 using namespace OHOS::Telephony;
35 namespace OHOS {
36 static bool g_isInited = false;
37 constexpr int32_t SLOT_NUM = 2;
38 constexpr int32_t IMS_TYPE = 3;
39 constexpr int32_t NR_MODE = 4;
40 constexpr int32_t NETWORK_MODE = 7;
41
IsServiceInited()42 bool IsServiceInited()
43 {
44 if (!g_isInited) {
45 DelayedSingleton<CoreService>::GetInstance()->OnStart();
46 if (DelayedSingleton<CoreService>::GetInstance()->GetServiceRunningState() ==
47 static_cast<int32_t>(ServiceRunningState::STATE_RUNNING)) {
48 g_isInited = true;
49 }
50 }
51 return g_isInited;
52 }
53
SetRadioState(const uint8_t * data,size_t size)54 void SetRadioState(const uint8_t *data, size_t size)
55 {
56 if (!IsServiceInited()) {
57 return;
58 }
59
60 MessageParcel dataMessageParcel;
61 std::unique_ptr<SetRadioStateCallback> callbackWrap = std::make_unique<SetRadioStateCallback>(nullptr);
62 if (callbackWrap == nullptr) {
63 return;
64 }
65 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
66 dataMessageParcel.WriteInt32(slotId);
67 dataMessageParcel.WriteRemoteObject(callbackWrap.release()->AsObject().GetRefPtr());
68 MessageParcel reply;
69 DelayedSingleton<CoreService>::GetInstance()->OnSetRadioState(dataMessageParcel, reply);
70 }
71
GetRadioState(const uint8_t * data,size_t size)72 void GetRadioState(const uint8_t *data, size_t size)
73 {
74 if (!IsServiceInited()) {
75 return;
76 }
77
78 MessageParcel dataMessageParcel;
79 std::unique_ptr<SetRadioStateCallback> callbackWrap = std::make_unique<SetRadioStateCallback>(nullptr);
80 if (callbackWrap == nullptr) {
81 return;
82 }
83 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
84 dataMessageParcel.WriteInt32(slotId);
85 dataMessageParcel.WriteRemoteObject(callbackWrap.release()->AsObject().GetRefPtr());
86 MessageParcel reply;
87 DelayedSingleton<CoreService>::GetInstance()->OnGetRadioState(dataMessageParcel, reply);
88 }
89
SetNrOptionMode(const uint8_t * data,size_t size)90 void SetNrOptionMode(const uint8_t *data, size_t size)
91 {
92 if (!IsServiceInited()) {
93 return;
94 }
95
96 MessageParcel dataMessageParcel;
97 std::unique_ptr<SetRadioStateCallback> callbackWrap = std::make_unique<SetRadioStateCallback>(nullptr);
98 if (callbackWrap == nullptr) {
99 return;
100 }
101 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
102 int32_t nrMode = static_cast<int32_t>(*data % NR_MODE);
103 dataMessageParcel.WriteInt32(slotId);
104 dataMessageParcel.WriteInt32(nrMode);
105 dataMessageParcel.WriteRemoteObject(callbackWrap.release()->AsObject().GetRefPtr());
106 MessageParcel reply;
107 DelayedSingleton<CoreService>::GetInstance()->OnSetNrOptionMode(dataMessageParcel, reply);
108 }
109
GetNrOptionMode(const uint8_t * data,size_t size)110 void GetNrOptionMode(const uint8_t *data, size_t size)
111 {
112 if (!IsServiceInited()) {
113 return;
114 }
115
116 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
117 DelayedSingleton<CoreService>::GetInstance()->GetNrOptionMode(slotId, nullptr);
118 }
119
GetNetworkSearchInformation(const uint8_t * data,size_t size)120 void GetNetworkSearchInformation(const uint8_t *data, size_t size)
121 {
122 if (!IsServiceInited()) {
123 return;
124 }
125
126 MessageParcel dataMessageParcel;
127 std::unique_ptr<GetNetworkSearchInfoCallback> callbackWrap =
128 std::make_unique<GetNetworkSearchInfoCallback>(nullptr);
129 if (callbackWrap == nullptr) {
130 return;
131 }
132 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
133 dataMessageParcel.WriteInt32(slotId);
134 dataMessageParcel.WriteRemoteObject(callbackWrap.release()->AsObject().GetRefPtr());
135 MessageParcel reply;
136 DelayedSingleton<CoreService>::GetInstance()->OnGetNetworkSearchInformation(dataMessageParcel, reply);
137 }
138
SetNetworkSelectionMode(const uint8_t * data,size_t size)139 void SetNetworkSelectionMode(const uint8_t *data, size_t size)
140 {
141 if (!IsServiceInited()) {
142 return;
143 }
144
145 MessageParcel dataMessageParcel;
146 std::unique_ptr<GetNetworkSearchInfoCallback> callbackWrap =
147 std::make_unique<GetNetworkSearchInfoCallback>(nullptr);
148 if (callbackWrap == nullptr) {
149 return;
150 }
151 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
152 int32_t selectionMode = static_cast<int32_t>(*data + sizeof(int32_t));
153 dataMessageParcel.WriteInt32(slotId);
154 dataMessageParcel.WriteInt32(selectionMode);
155 dataMessageParcel.WriteBool(false);
156 dataMessageParcel.WriteRemoteObject(callbackWrap.release()->AsObject().GetRefPtr());
157 MessageParcel reply;
158 DelayedSingleton<CoreService>::GetInstance()->OnSetNetworkSelectionMode(dataMessageParcel, reply);
159 }
160
SetPreferredNetwork(const uint8_t * data,size_t size)161 void SetPreferredNetwork(const uint8_t *data, size_t size)
162 {
163 if (!IsServiceInited()) {
164 return;
165 }
166
167 MessageParcel dataMessageParcel;
168 std::unique_ptr<SetPreferredNetworkCallback> callbackWrap = std::make_unique<SetPreferredNetworkCallback>(nullptr);
169 if (callbackWrap == nullptr) {
170 return;
171 }
172 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
173 int32_t networkMode = static_cast<int32_t>(*data % NETWORK_MODE);
174 dataMessageParcel.WriteInt32(slotId);
175 dataMessageParcel.WriteInt32(networkMode);
176 dataMessageParcel.WriteRemoteObject(callbackWrap.release()->AsObject().GetRefPtr());
177 MessageParcel reply;
178 DelayedSingleton<CoreService>::GetInstance()->OnSetPreferredNetwork(dataMessageParcel, reply);
179 }
180
SetVoiceCallForwarding(const uint8_t * data,size_t size)181 void SetVoiceCallForwarding(const uint8_t *data, size_t size)
182 {
183 if (!IsServiceInited()) {
184 return;
185 }
186
187 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
188 MessageParcel dataMessageParcel;
189 dataMessageParcel.WriteInt32(slotId);
190 dataMessageParcel.WriteBool(true);
191 std::string number(reinterpret_cast<const char *>(data), size);
192 dataMessageParcel.WriteString(number);
193 dataMessageParcel.WriteBuffer(data, size);
194 dataMessageParcel.RewindRead(0);
195 MessageParcel reply;
196 DelayedSingleton<CoreService>::GetInstance()->OnSetVoiceCallForwarding(dataMessageParcel, reply);
197 }
198
GetMaxSimCount(const uint8_t * data,size_t size)199 void GetMaxSimCount(const uint8_t *data, size_t size)
200 {
201 if (!IsServiceInited()) {
202 return;
203 }
204
205 MessageParcel dataMessageParcel;
206 dataMessageParcel.WriteBuffer(data, size);
207 dataMessageParcel.RewindRead(0);
208 MessageParcel reply;
209 DelayedSingleton<CoreService>::GetInstance()->OnGetMaxSimCount(dataMessageParcel, reply);
210 }
211
GetImsRegStatus(const uint8_t * data,size_t size)212 void GetImsRegStatus(const uint8_t *data, size_t size)
213 {
214 if (!IsServiceInited()) {
215 return;
216 }
217
218 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
219 MessageParcel dataMessageParcel;
220 dataMessageParcel.WriteInt32(slotId);
221 int32_t imsRegType = static_cast<int32_t>(*data % IMS_TYPE);
222 dataMessageParcel.WriteInt32(imsRegType);
223 dataMessageParcel.WriteBuffer(data, size);
224 dataMessageParcel.RewindRead(0);
225 MessageParcel reply;
226 DelayedSingleton<CoreService>::GetInstance()->OnGetImsRegStatus(dataMessageParcel, reply);
227 }
228
GetCellLocation(const uint8_t * data,size_t size)229 void GetCellLocation(const uint8_t *data, size_t size)
230 {
231 if (!IsServiceInited()) {
232 return;
233 }
234
235 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
236 MessageParcel dataMessageParcel;
237 dataMessageParcel.WriteInt32(slotId);
238 dataMessageParcel.WriteBuffer(data, size);
239 dataMessageParcel.RewindRead(0);
240 MessageParcel reply;
241 DelayedSingleton<CoreService>::GetInstance()->OnGetCellLocation(dataMessageParcel, reply);
242 }
243
RegisterImsRegInfoCallback(const uint8_t * data,size_t size)244 void RegisterImsRegInfoCallback(const uint8_t *data, size_t size)
245 {
246 if (!IsServiceInited()) {
247 return;
248 }
249
250 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
251 int32_t imsRegType = static_cast<int32_t>(*data % IMS_TYPE);
252 MessageParcel dataMessageParcel;
253 dataMessageParcel.WriteInt32(slotId);
254 dataMessageParcel.WriteInt32(imsRegType);
255 dataMessageParcel.WriteBuffer(data, size);
256 dataMessageParcel.RewindRead(0);
257 MessageParcel reply;
258 DelayedSingleton<CoreService>::GetInstance()->OnRegisterImsRegInfoCallback(dataMessageParcel, reply);
259 }
260
UnRegisterImsRegInfoCallback(const uint8_t * data,size_t size)261 void UnRegisterImsRegInfoCallback(const uint8_t *data, size_t size)
262 {
263 if (!IsServiceInited()) {
264 return;
265 }
266
267 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
268 int32_t imsRegType = static_cast<int32_t>(*data % IMS_TYPE);
269 MessageParcel dataMessageParcel;
270 dataMessageParcel.WriteInt32(slotId);
271 dataMessageParcel.WriteInt32(imsRegType);
272 dataMessageParcel.WriteBuffer(data, size);
273 dataMessageParcel.RewindRead(0);
274 MessageParcel reply;
275 DelayedSingleton<CoreService>::GetInstance()->OnUnregisterImsRegInfoCallback(dataMessageParcel, reply);
276 }
277
GetSimOperatorNumeric(const uint8_t * data,size_t size)278 void GetSimOperatorNumeric(const uint8_t *data, size_t size)
279 {
280 if (!IsServiceInited()) {
281 return;
282 }
283
284 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
285 MessageParcel dataMessageParcel;
286 dataMessageParcel.WriteInt32(slotId);
287 dataMessageParcel.WriteBuffer(data, size);
288 dataMessageParcel.RewindRead(0);
289 MessageParcel reply;
290 DelayedSingleton<CoreService>::GetInstance()->OnGetSimOperatorNumeric(dataMessageParcel, reply);
291 }
292
DoSomethingInterestingWithMyAPI(const uint8_t * data,size_t size)293 void DoSomethingInterestingWithMyAPI(const uint8_t *data, size_t size)
294 {
295 if (data == nullptr || size == 0) {
296 return;
297 }
298
299 SetRadioState(data, size);
300 GetRadioState(data, size);
301 SetNrOptionMode(data, size);
302 GetNrOptionMode(data, size);
303 GetNetworkSearchInformation(data, size);
304 SetNetworkSelectionMode(data, size);
305 SetPreferredNetwork(data, size);
306 SetVoiceCallForwarding(data, size);
307 GetMaxSimCount(data, size);
308 GetImsRegStatus(data, size);
309 GetCellLocation(data, size);
310 RegisterImsRegInfoCallback(data, size);
311 UnRegisterImsRegInfoCallback(data, size);
312 GetSimOperatorNumeric(data, size);
313 auto telRilManager = DelayedSingleton<CoreService>::GetInstance()->telRilManager_;
314 if (telRilManager == nullptr || telRilManager->handler_ == nullptr) {
315 return;
316 }
317 telRilManager->handler_->ClearFfrt(false);
318 telRilManager->handler_->queue_ = nullptr;
319 return;
320 }
321 } // namespace OHOS
322
323 /* Fuzzer entry point */
LLVMFuzzerInitialize(int * argc,char *** argv)324 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv)
325 {
326 OHOS::AddCoreServiceTokenFuzzer token;
327 return 0;
328 }
329
330 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)331 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
332 {
333 /* Run your code on data */
334 OHOS::DoSomethingInterestingWithMyAPI(data, size);
335 OHOS::DelayedSingleton<CoreService>::DestroyInstance();
336 return 0;
337 }
338