1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "ap_fuzzer.h"
17 #include "wlan_common_fuzzer.h"
18
19 namespace OHOS {
20 namespace WIFI {
21 constexpr size_t THRESHOLD = 10;
22 const char *g_wlanServiceName = "wlan_interface_service";
23 const int32_t WLAN_MAX_NUM_STA_WITH_AP = 4;
24 const int32_t wlanType = PROTOCOL_80211_IFTYPE_AP;
25 struct IWlanInterface *g_wlanObj = nullptr;
26 uint32_t num = 0;
27
FuzzGetAssociatedStas(struct IWlanInterface * interface,const uint8_t * rawData)28 void FuzzGetAssociatedStas(struct IWlanInterface *interface, const uint8_t *rawData)
29 {
30 struct HdfFeatureInfo feature;
31 struct HdfStaInfo staInfo[WLAN_MAX_NUM_STA_WITH_AP] = {{0}};
32 uint32_t staInfoLen = WLAN_MAX_NUM_STA_WITH_AP;
33 feature.type = *const_cast<int32_t *>(reinterpret_cast<const int32_t *>(rawData));
34 feature.ifName = const_cast<char *>(reinterpret_cast<const char *>(rawData));
35
36 interface->GetAssociatedStas(interface, &feature, staInfo, &staInfoLen, &num);
37 HDF_LOGI("%{public}s: success", __FUNCTION__);
38 }
39
FuzzSetCountryCode(struct IWlanInterface * interface,const uint8_t * rawData)40 void FuzzSetCountryCode(struct IWlanInterface *interface, const uint8_t *rawData)
41 {
42 const char *mac = reinterpret_cast<const char *>(rawData);
43 uint32_t macLen = *const_cast<int32_t *>(reinterpret_cast<const int32_t *>(rawData));
44 struct HdfFeatureInfo feature;
45 feature.ifName = const_cast<char *>(reinterpret_cast<const char *>(rawData));
46 feature.type = *const_cast<uint32_t *>(reinterpret_cast<const uint32_t *>(rawData));
47
48 interface->SetCountryCode(interface, &feature, mac, macLen);
49 HDF_LOGI("%{public}s: success", __FUNCTION__);
50 }
51
FuzzGetApBandwidth(struct IWlanInterface * interface,const uint8_t * rawData)52 void FuzzGetApBandwidth(struct IWlanInterface *interface, const uint8_t *rawData)
53 {
54 const char *ifName = const_cast<char *>(reinterpret_cast<const char *>(rawData));
55 uint8_t bandwidth;
56 interface->GetApBandwidth(interface, ifName, &bandwidth);
57 HDF_LOGI("%{public}s: success", __FUNCTION__);
58 }
59
60 static FuzzWlanFuncs g_fuzzWlanFuncs[] = {
61 FuzzGetAssociatedStas,
62 FuzzSetCountryCode,
63 FuzzGetApBandwidth,
64 FuzzGetChipId,
65 FuzzGetDeviceMacAddress,
66 FuzzGetFeatureType,
67 FuzzGetFreqsWithBand,
68 FuzzGetNetworkIfaceName,
69 FuzzSetMacAddress,
70 FuzzSetTxPower,
71 FuzzGetPowerMode,
72 FuzzSetPowerMode,
73 FuzzGetIfNamesByChipId,
74 FuzzResetDriver,
75 FuzzStartChannelMeas,
76 FuzzSetProjectionScreenParam,
77 FuzzWifiSendCmdIoctl,
78 FuzzGetFeatureByIfName,
79 FuzzGetStaInfo,
80 FuzzGetChannelMeasResult,
81 FuzzResetToFactoryMacAddress,
82 };
83
FuncToOptimal(struct IWlanInterface * interface,uint32_t cmdId,const uint8_t * data)84 static void FuncToOptimal(struct IWlanInterface *interface, uint32_t cmdId, const uint8_t *data)
85 {
86 FuzzWlanFuncs fuzzWlanFunc = g_fuzzWlanFuncs[cmdId];
87 if (fuzzWlanFunc != nullptr) {
88 fuzzWlanFunc(interface, data);
89 }
90 return;
91 }
92
DoSomethingInterestingWithMyAPI(const uint8_t * rawData,size_t size)93 bool DoSomethingInterestingWithMyAPI(const uint8_t *rawData, size_t size)
94 {
95 struct HdfFeatureInfo ifeature;
96 bool result = false;
97
98 if (rawData == nullptr || size == 0) {
99 return false;
100 }
101 uint32_t cmdId = Convert2Uint32(rawData) % ((sizeof(g_fuzzWlanFuncs) / sizeof(g_fuzzWlanFuncs[0])));
102 g_wlanObj = IWlanInterfaceGetInstance(g_wlanServiceName, false);
103 if (g_wlanObj == nullptr) {
104 HDF_LOGE("%{public}s: g_wlanObj is null", __FUNCTION__);
105 return result;
106 }
107 uint32_t dataSize = size - OFFSET;
108 uint8_t *tmpRawData = reinterpret_cast<uint8_t *>(OsalMemCalloc(dataSize + 1));
109 if (tmpRawData == nullptr) {
110 HDF_LOGE("%{public}s: OsalMemCalloc failed!", __FUNCTION__);
111 return result;
112 }
113 int32_t ret = g_wlanObj->Start(g_wlanObj);
114 if (ret != HDF_SUCCESS) {
115 HDF_LOGE("%{public}s: Start failed! ret=%{public}d", __FUNCTION__, ret);
116 OsalMemFree(tmpRawData);
117 return result;
118 }
119 do {
120 if (PreProcessRawData(rawData, size, tmpRawData, dataSize + 1) != true) {
121 break;
122 }
123 ret = g_wlanObj->CreateFeature(g_wlanObj, wlanType, &ifeature);
124 if (ret != HDF_SUCCESS) {
125 HDF_LOGE("%{public}s: CreateFeature failed! ret=%{public}d", __FUNCTION__, ret);
126 break;
127 }
128 FuncToOptimal(g_wlanObj, cmdId, tmpRawData);
129 ret = g_wlanObj->DestroyFeature(g_wlanObj, &ifeature);
130 if (ret != HDF_SUCCESS) {
131 HDF_LOGE("%{public}s: DestroyFeature failed! ret=%{public}d", __FUNCTION__, ret);
132 break;
133 }
134 result = true;
135 } while (false);
136 ret = g_wlanObj->Stop(g_wlanObj);
137 if (ret != HDF_SUCCESS) {
138 HDF_LOGE("%{public}s: Stop failed! ret=%{public}d", __FUNCTION__, ret);
139 result = false;
140 }
141 IWlanInterfaceReleaseInstance(g_wlanServiceName, g_wlanObj, false);
142 OsalMemFree(tmpRawData);
143 return result;
144 }
145 } // namespace WIFI
146 } // namespace OHOS
147
148 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)149 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
150 {
151 if (size < OHOS::WIFI::THRESHOLD) {
152 return 0;
153 }
154
155 /* Run your code on data */
156 OHOS::WIFI::DoSomethingInterestingWithMyAPI(data, size);
157 return 0;
158 }
159