1 #include "fuzz.h"
// Name this fuzzer reports itself under. Presumably picked up by the FUZZLOG
// macro / harness plumbing in fuzz.h — confirm there before renaming.
#define MODULE_NAME "nfc_ce_fuzzer"

// Exported, null-terminated copy of the module name; defined from MODULE_NAME
// so the two cannot drift apart.
const char fuzzer_name[] = MODULE_NAME;
// Per-tag-type back-ends implemented in sibling translation units.
//
// The *_FixPackets pair repairs a mutated packet set in place (called from
// Fuzz_FixPackets with Packets[0] already normalised to a two-byte control
// packet); SubType is the control packet's second byte, interpreted by the
// back-end. Which packet indices each back-end touches is not visible here.
extern void Type3_FixPackets(uint8_t SubType, std::vector<bytes_t>& Packets);
extern void Type4_FixPackets(uint8_t SubType, std::vector<bytes_t>& Packets);

// The *_Fuzz pair drives one fuzzing iteration over a read-only packet set
// (called from Fuzz_RunPackets after it has re-validated the layout).
extern void Type3_Fuzz(uint8_t SubType, const std::vector<bytes_t>& Packets);
extern void Type4_Fuzz(uint8_t SubType, const std::vector<bytes_t>& Packets);
/// @brief Normalises a mutated packet set so that Fuzz_RunPackets accepts it.
///
/// Layout shared by both entry points in this file: Packets[0] is a two-byte
/// control packet — byte 0 selects the tag type (reduced modulo Fuzz_TypeMax),
/// byte 1 is a type-specific sub-type — and the rest of the set is handed to
/// the per-type fixer. Fuzz_Type3/Fuzz_Type4/Fuzz_TypeMax and bytes_t are not
/// defined here; presumably they come from fuzz.h.
///
/// @param Packets Packet set repaired in place; grown to two entries if shorter.
/// @param Seed    Mutation seed. Bits 16..31 re-seed the control packet
///                whenever its length is not exactly two bytes.
void Fuzz_FixPackets(std::vector<bytes_t>& Packets, uint Seed) {
  constexpr size_t kMinPackets = 2;  // control packet plus at least one more
  constexpr size_t kCtrlLen = 2;     // [type selector, sub-type]

  // resize() value-initialises new slots (assuming bytes_t is vector-like —
  // TODO confirm), so a freshly added control packet is empty and is
  // re-seeded by the branch below.
  if (Packets.size() < kMinPackets) {
    Packets.resize(kMinPackets);
  }

  bytes_t& control = Packets[0];
  if (control.size() != kCtrlLen) {
    // Too short or too long: rebuild it from the upper half of the seed so
    // the type/sub-type choice still varies with the seed.
    control.resize(kCtrlLen);
    control[0] = (Seed >> 16) & 0xFF;
    control[1] = (Seed >> 24) & 0xFF;
  }

  const uint8_t fuzz_type = control[0] % Fuzz_TypeMax;
  const uint8_t fuzz_subtype = control[1];

  // Only Type 3 and Type 4 tags are handled by this module; any other value
  // that survives the modulo is logged and left untouched.
  if (fuzz_type == Fuzz_Type3) {
    Type3_FixPackets(fuzz_subtype, Packets);
  } else if (fuzz_type == Fuzz_Type4) {
    Type4_FixPackets(fuzz_subtype, Packets);
  } else {
    FUZZLOG("Unknown fuzz type %hhu", fuzz_type);
  }
}
/// @brief Runs one fuzzing iteration over an already-normalised packet set.
///
/// The input is fuzzer-supplied and is not trusted to still have the layout
/// Fuzz_FixPackets establishes, so the shape is re-validated before any
/// indexing: at least two packets, and a control packet of at least two bytes.
/// Sets that fail either check are silently ignored. Byte 0 of the control
/// packet selects the tag type (modulo Fuzz_TypeMax), byte 1 the sub-type.
///
/// @param Packets Read-only packet set; Packets[0] is the control packet.
void Fuzz_RunPackets(const std::vector<bytes_t>& Packets) {
  constexpr size_t kMinPackets = 2;  // control packet plus at least one more
  constexpr size_t kCtrlLen = 2;     // [type selector, sub-type]

  if (Packets.size() < kMinPackets) {
    return;
  }
  const bytes_t& control = Packets[0];
  if (control.size() < kCtrlLen) {
    return;
  }

  const uint8_t fuzz_type = control[0] % Fuzz_TypeMax;
  const uint8_t fuzz_subtype = control[1];

  // Logged as the human-facing tag number, hence the +1 (the enumerator
  // numbering itself is defined outside this file).
  FUZZLOG("Fuzzing Type%u tag", static_cast<uint>(fuzz_type + 1));

  if (fuzz_type == Fuzz_Type3) {
    Type3_Fuzz(fuzz_subtype, Packets);
  } else if (fuzz_type == Fuzz_Type4) {
    Type4_Fuzz(fuzz_subtype, Packets);
  } else {
    // Types this module does not implement are logged and skipped.
    FUZZLOG("Unknown fuzz type: %hhu", fuzz_type);
  }
}