Problem reported by Coverity:
CID 1091328 (#1 of 1): Out-of-bounds access (OVERRUN)
overrun-buffer-arg: Overrunning buffer pointed to by "&abtTxBuf[6]" of 271 bytes by passing it to a function which accesses it at byte offset 271 using argument "szData" (which evaluates to 266).
Problem reported by Coverity
CID 1090319 (#1 of 1): Unchecked return value (CHECKED_RETURN)
unchecked_value: No check of the return value of "nfc_device_set_property_bool(pnd, NP_EASY_FRAMING, nt.nti.nai.btSak & 0x20)".
CID 1090320 (#1 of 1): Unchecked return value (CHECKED_RETURN)
unchecked_value: No check of the return value of "nfc_device_set_property_bool(dev, NP_HANDLE_CRC, false)".
CID 1090324 (#1 of 2): Unchecked return value (CHECKED_RETURN)
unchecked_value: No check of the return value of "nfc_device_set_property_bool(pnd, NP_ACTIVATE_FIELD, true)".
CID 1090325 (#1 of 1): Unchecked return value (CHECKED_RETURN)
unchecked_value: No check of the return value of "nfc_device_set_property_bool(pnd, NP_AUTO_ISO14443_4, false)".
CID 1090331 (#1 of 1): Out-of-bounds access (OVERRUN)
11. overrun-buffer-arg: Overrunning array "pnti->nai.abtUid" of 10 bytes by passing it to a function which accesses it at byte offset 11 using argument "pnti->nai.szUidLen" (which evaluates to 12).
as Coverity fails seeing that szTargetTypes will always be = 0 in the case believed to lead to reading unitialized data in apttTargetTypes.
CID 1090347 (#1 of 1): Uninitialized scalar variable (UNINIT)
4. uninit_use_in_call: Using uninitialized element of array "apttTargetTypes" when calling "pn53x_InAutoPoll(struct nfc_device *, pn53x_target_type const *, size_t const, uint8_t const, uint8_t const, nfc_target *, int const)".
source could be larger than destination
Problem reported by Coverity
CID 1090342 (#1 of 1): Unbounded source buffer (STRING_SIZE)
10. string_size: Passing string "envvar" of unknown size to "strcpy(char * restrict, char const * restrict)", which expects a string of a particular size.
Problems reported by Coverity:
CID 1090335 (#1 of 1): Resource leak (RESOURCE_LEAK)
24. leaked_storage: Variable "acPorts" going out of scope leaks the storage it points to.
CID 1090336 (#1 of 1): Resource leak (RESOURCE_LEAK)
10. leaked_storage: Variable "acPorts" going out of scope leaks the storage it points to.
CID 1090337 (#1 of 1): Resource leak (RESOURCE_LEAK)
21. leaked_storage: Variable "i2cPorts" going out of scope leaks the storage it points to.
CID 1090338 (#1 of 1): Resource leak (RESOURCE_LEAK)
21. leaked_storage: Variable "acPorts" going out of scope leaks the storage it points to.
CID 1090339 (#1 of 1): Resource leak (RESOURCE_LEAK)
23. leaked_storage: Variable "acPorts" going out of scope leaks the storage it points to.
Actually the second part of the condition guaranteed that an out-of-bound read would never occur but now code is neater.
It was: for (j = 0; (j < "too_large_bound") && (const_ca[i].saklist[j] >= 0); j++)
Problem reported by Coverity
CID 1090332 (#1 of 1): Out-of-bounds read (OVERRUN)
67. overrun-local: Overrunning array "const_ca[i].saklist" of 8 4-byte elements at element index 31 (byte offset 124) using index "j" (which evaluates to 31).
A buffer overflow could occur is a triple-size UID card was read with a PN531.
Moreover the way cascade tags were removed was just wrong.
Problem reported by Coverity
CID 1090331 (#1 of 1): Out-of-bounds access (OVERRUN)
10. overrun-buffer-arg: Overrunning buffer pointed to by "&pnti->nai.abtUid[5]" of 10 bytes by passing it to a function which accesses it at byte offset 11 using argument "7UL".
Coverity reported a read out of bounds but actually the real problem if PN531 and triple-size UID will already occur at
memcpy(pnti->nai.abtUid, pbtRawData, pnti->nai.szUidLen); where abtUid is of size 10 and szUidLen of size 12
nfc_exit(context); was called 2 times
CID 1090348 (#1 of 1): Use after free (USE_AFTER_FREE)53. deref_arg:
Calling "nfc_exit(nfc_context *)" dereferences freed pointer "context".
(The dereference is assumed on the basis of the 'nonnull' parameter
attribute.)
The switch case has a default rule and a return in every cases. So the
code after the switch will never be executed.
Problem reported by thei Coverity tool
CID 1090408 (#1 of 1): Structurally dead code (UNREACHABLE)unreachable:
This code cannot be reached: "if (pn53x_current_target_ne...".
kFreeBSD use cuaX as uart device.
This supports the kFreeBSD in Debian, and fix failure to build.
Signed-off-by: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Fix for:
examples/Makefile.am:79: warning: source file
'doc/quick_start_example1.c' is in a subdirectory,
examples/Makefile.am:79: but option 'subdir-objects' is disabled
acr122_usb.c:237:3: warning: Function call argument is an uninitialized value
LOG_HEX(NFC_LOG_GROUP_COM, "TX", abtTx, szTx);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../libnfc/log.h:107:7: note: expanded from macro 'LOG_HEX'
snprintf (__acBuf + __szBuf, sizeof(__acBuf) - __szBuf, "%02x ",((uint8_t *)(pbtData))[__szPos]); \
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maybe a side effect of the #pragma pack not properly understood by the static analyser
but anyway acr122_usb_frame_template is also used the same way to initialize the other frames
acr122s.c:196:23: warning: The left operand of '<<' is a garbage value
size_t frame_size = FRAME_SIZE(frame);
^ ~~~~~~
acr122s.c:76:24: note: expanded from macro 'FRAME_SIZE'
^
acr122s.c:74:47: note: expanded from macro 'APDU_SIZE'
acr122s.c:331:3: warning: Null pointer passed as an argument to a 'nonnull' parameter
memcpy(buf, data, data_size);
^ ~~~~
pn53x.c:3138:3: warning: Null pointer passed as an argument to a 'nonnull' parameter
memcpy(CHIP_DATA(pnd)->current_target, pnt, sizeof(nfc_target));
^ ~~~
pn53x.c:85:57: warning: Result of 'malloc' is converted to a pointer of type 'nfc_modulation_type', which is incompatible with sizeof operand type 'nfc_modulation'
CHIP_DATA(pnd)->supported_modulation_as_initiator = malloc(sizeof(nfc_modulation) * 9);
^~~~~~ ~~~~~~~~~~~~~~~~~~~~~~