Goal is to implement "ping" on MFC the same as PN533 does. This patch implements MFC re-selection, but does not take care of authentication; this means it will have a side effect while you are authenticated on an MFC block.
Commit 54729fb458 removed some dead code spotted by Coverity
but it had as a side effect to trigger a gcc warning, which prefers to see all enums handled in a switch rather than dead code:
pn53x.c: In function 'pn53x_InJumpForDEP':
pn53x.c:2552:5: warning: enumeration value 'NBR_UNDEFINED' not handled in switch [-Wswitch]
pn53x.c:2552:5: warning: enumeration value 'NBR_847' not handled in switch [-Wswitch]
So both switches were merged, which slightly optimizes the code for speed.
Problem reported by Coverity:
CID 1090321 (#1 of 1): Unchecked return value (CHECKED_RETURN)
unchecked_value: No check of the return value of "pn53x_set_property_bool(pnd, NP_INFINITE_SELECT, true)".
Note that this could happen e.g. if a fake PN533 sends malicious frames over USB
CID 1090329 (#1 of 1): Overflowed return value (INTEGER_OVERFLOW)
overflow_sink: Overflowed or truncated value (or a value computed from an overflowed or truncated value) "res" used as return value.
Problem reported by Coverity:
dead_error_condition: The switch value "nbr" cannot be "NBR_UNDEFINED".
CID 1090326 (#1 of 2): Logically dead code (DEADCODE)
dead_error_begin: Execution cannot reach this statement "case NBR_UNDEFINED:".
CID 1090331 (#1 of 1): Out-of-bounds access (OVERRUN)
11. overrun-buffer-arg: Overrunning array "pnti->nai.abtUid" of 10 bytes by passing it to a function which accesses it at byte offset 11 using argument "pnti->nai.szUidLen" (which evaluates to 12).
as Coverity fails to see that szTargetTypes will always be 0 in the case believed to lead to reading uninitialized data in apttTargetTypes.
CID 1090347 (#1 of 1): Uninitialized scalar variable (UNINIT)
4. uninit_use_in_call: Using uninitialized element of array "apttTargetTypes" when calling "pn53x_InAutoPoll(struct nfc_device *, pn53x_target_type const *, size_t const, uint8_t const, uint8_t const, nfc_target *, int const)".
A buffer overflow could occur if a triple-size UID card was read with a PN531.
Moreover the way cascade tags were removed was just wrong.
Problem reported by Coverity
CID 1090331 (#1 of 1): Out-of-bounds access (OVERRUN)
10. overrun-buffer-arg: Overrunning buffer pointed to by "&pnti->nai.abtUid[5]" of 10 bytes by passing it to a function which accesses it at byte offset 11 using argument "7UL".
Coverity reported a read out of bounds, but actually the real problem with a PN531 and a triple-size UID will already occur at
memcpy(pnti->nai.abtUid, pbtRawData, pnti->nai.szUidLen); where abtUid is of size 10 and szUidLen of size 12
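The two commit messages above describe the same defect: a 12-byte raw UID (cascade tags included, as a PN531 reports it) copied into the 10-byte abtUid array, plus cascade tags that were stripped incorrectly. The following is an added example, not libnfc code, of how a defender would write that copy: the output capacity is checked before any memcpy, and the 0x88 cascade tags are removed according to the ISO 14443-3A cascade layout (CT at offset 0 for double size, CT at offsets 0 and 4 for triple size). The helper name copy_uid_strip_cascade, the constants and the sample arrays are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ISO14443A_CASCADE_TAG 0x88
#define ISO14443A_UID_MAX     10   /* largest UID once cascade tags are removed */

/* Constructed sample inputs (not captured from a real reader):
 * raw bytes for a triple-size and a double-size UID as a PN531-class chip
 * reports them, cascade tags included. */
static const uint8_t kRawTriple[12] = {
  0x88, 0x04, 0x11, 0x22,   /* cascade level 1: CT u0 u1 u2 */
  0x88, 0x33, 0x44, 0x55,   /* cascade level 2: CT u3 u4 u5 */
  0x66, 0x77, 0x8a, 0x99    /* cascade level 3: u6 u7 u8 u9 */
};
static const uint8_t kRawDouble[8] = {
  0x88, 0x04, 0x11, 0x22,   /* cascade level 1: CT u0 u1 u2 */
  0x33, 0x44, 0x55, 0x66    /* cascade level 2: u3 u4 u5 u6 */
};
static const uint8_t kRawBadTag[8] = { 0x04, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 };

/* Output buffer sized like abtUid in the text (10 bytes). */
static uint8_t g_uid[ISO14443A_UID_MAX];

/* Hypothetical bounded copy: strips cascade tags and refuses anything that
 * would not fit into out_cap bytes. Returns the number of UID bytes written,
 * or 0 on error (unexpected length, missing cascade tag, buffer too small). */
static size_t
copy_uid_strip_cascade(const uint8_t *raw, size_t raw_len,
                       uint8_t *out, size_t out_cap)
{
  if (raw == NULL || out == NULL)
    return 0;

  switch (raw_len) {
    case 4:  /* single size: no cascade tag to remove */
      if (out_cap < 4)
        return 0;
      memcpy(out, raw, 4);
      return 4;
    case 8:  /* double size: drop the CT at offset 0, keep 7 bytes */
      if (raw[0] != ISO14443A_CASCADE_TAG || out_cap < 7)
        return 0;
      memcpy(out, raw + 1, 7);
      return 7;
    case 12: /* triple size: drop the CTs at offsets 0 and 4, keep 10 bytes */
      if (raw[0] != ISO14443A_CASCADE_TAG || raw[4] != ISO14443A_CASCADE_TAG || out_cap < 10)
        return 0;
      memcpy(out, raw + 1, 3);      /* u0 u1 u2 */
      memcpy(out + 3, raw + 5, 7);  /* u3 .. u9 */
      return 10;
    default: /* any other length is not a valid cascade layout: reject */
      return 0;
  }
}

int main(void)
{
  size_t n = copy_uid_strip_cascade(kRawTriple, sizeof kRawTriple, g_uid, sizeof g_uid);
  printf("uid length %zu:", n);
  for (size_t i = 0; i < n; i++)
    printf(" %02x", g_uid[i]);
  printf("\n");
  return n == 10 ? 0 : 1;
}
```

The important difference from the memcpy quoted above is that the length driving the copy is validated against both the expected cascade layout and the destination capacity before any bytes move; a 12-byte raw UID is never written into a 10-byte array, it is reduced to 10 bytes first.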
The switch case has a default rule and a return in every case. So the
code after the switch will never be executed.
Problem reported by the Coverity tool
CID 1090408 (#1 of 1): Structurally dead code (UNREACHABLE)
unreachable: This code cannot be reached: "if (pn53x_current_target_ne...".
acr122s.c:331:3: warning: Null pointer passed as an argument to a 'nonnull' parameter
memcpy(buf, data, data_size);
^ ~~~~
pn53x.c:3138:3: warning: Null pointer passed as an argument to a 'nonnull' parameter
memcpy(CHIP_DATA(pnd)->current_target, pnt, sizeof(nfc_target));
^ ~~~
pn53x.c:85:57: warning: Result of 'malloc' is converted to a pointer of type 'nfc_modulation_type', which is incompatible with sizeof operand type 'nfc_modulation'
CHIP_DATA(pnd)->supported_modulation_as_initiator = malloc(sizeof(nfc_modulation) * 9);
^~~~~~ ~~~~~~~~~~~~~~~~~~~~~~