Problem reported by Coverity:
CID 1091328 (#1 of 1): Out-of-bounds access (OVERRUN)
overrun-buffer-arg: Overrunning buffer pointed to by "&abtTxBuf[6]" of 271 bytes by passing it to a function which accesses it at byte offset 271 using argument "szData" (which evaluates to 266).
CID 1090331 (#1 of 1): Out-of-bounds access (OVERRUN)
11. overrun-buffer-arg: Overrunning array "pnti->nai.abtUid" of 10 bytes by passing it to a function which accesses it at byte offset 11 using argument "pnti->nai.szUidLen" (which evaluates to 12).
as Coverity fails to see that szTargetTypes will always be = 0 in the case believed to lead to reading uninitialized data in apttTargetTypes.
CID 1090347 (#1 of 1): Uninitialized scalar variable (UNINIT)
4. uninit_use_in_call: Using uninitialized element of array "apttTargetTypes" when calling "pn53x_InAutoPoll(struct nfc_device *, pn53x_target_type const *, size_t const, uint8_t const, uint8_t const, nfc_target *, int const)".
source could be larger than destination
Problem reported by Coverity
CID 1090342 (#1 of 1): Unbounded source buffer (STRING_SIZE)
10. string_size: Passing string "envvar" of unknown size to "strcpy(char * restrict, char const * restrict)", which expects a string of a particular size.
Problems reported by Coverity:
CID 1090335 (#1 of 1): Resource leak (RESOURCE_LEAK)
24. leaked_storage: Variable "acPorts" going out of scope leaks the storage it points to.
CID 1090336 (#1 of 1): Resource leak (RESOURCE_LEAK)
10. leaked_storage: Variable "acPorts" going out of scope leaks the storage it points to.
CID 1090337 (#1 of 1): Resource leak (RESOURCE_LEAK)
21. leaked_storage: Variable "i2cPorts" going out of scope leaks the storage it points to.
CID 1090338 (#1 of 1): Resource leak (RESOURCE_LEAK)
21. leaked_storage: Variable "acPorts" going out of scope leaks the storage it points to.
CID 1090339 (#1 of 1): Resource leak (RESOURCE_LEAK)
23. leaked_storage: Variable "acPorts" going out of scope leaks the storage it points to.
Actually the second part of the condition guaranteed that an out-of-bounds read would never occur, but now the code is neater.
It was: for (j = 0; (j < "too_large_bound") && (const_ca[i].saklist[j] >= 0); j++)
Problem reported by Coverity
CID 1090332 (#1 of 1): Out-of-bounds read (OVERRUN)
67. overrun-local: Overrunning array "const_ca[i].saklist" of 8 4-byte elements at element index 31 (byte offset 124) using index "j" (which evaluates to 31).
A buffer overflow could occur if a triple-size UID card was read with a PN531.
Moreover the way cascade tags were removed was just wrong.
Problem reported by Coverity
CID 1090331 (#1 of 1): Out-of-bounds access (OVERRUN)
10. overrun-buffer-arg: Overrunning buffer pointed to by "&pnti->nai.abtUid[5]" of 10 bytes by passing it to a function which accesses it at byte offset 11 using argument "7UL".
Coverity reported a read out of bounds, but actually the real problem with a PN531 and a triple-size UID will already occur at
memcpy(pnti->nai.abtUid, pbtRawData, pnti->nai.szUidLen); where abtUid is of size 10 and szUidLen of size 12
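The commit above describes the two defects together: a 12-byte raw UID copied into a 10-byte array, and cascade tags stripped incorrectly. The following C is an added example written for this page, not libnfc's own code, showing how the raw bytes can be converted to a UID without either problem. The function and struct names (uid_from_raw, struct nfc_uid, uid_selfcheck) are hypothetical; the raw layouts (single, double and triple size, with the 0x88 cascade tag in front of each leading 3-byte block) follow ISO/IEC 14443-3, and the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UID_MAX_LEN 10    /* same capacity as the 10-byte abtUid array in the commit */
#define CASCADE_TAG 0x88  /* ISO/IEC 14443-3 cascade tag (CT) byte */

/* Hypothetical stand-in for the ISO14443A target info fields. */
struct nfc_uid {
  uint8_t abtUid[UID_MAX_LEN];
  size_t  szUidLen;
};

/* Convert the raw anticollision bytes reported by the chip into the UID proper.
 * Per ISO/IEC 14443-3 the raw data is laid out as:
 *   4 bytes : single size UID                    -> 4-byte UID
 *   8 bytes : CT + 3 bytes, 4 bytes              -> 7-byte UID
 *  12 bytes : CT + 3 bytes, CT + 3 bytes, 4 bytes -> 10-byte UID
 * Every other length, or a missing CT, is rejected and nothing is written
 * to *out, so a 12-byte input can never overrun the 10-byte array. */
bool uid_from_raw(const uint8_t *raw, size_t raw_len, struct nfc_uid *out)
{
  uint8_t tmp[UID_MAX_LEN];
  size_t n = 0, pos = 0;

  if (raw == NULL || out == NULL)
    return false;
  if (raw_len != 4 && raw_len != 8 && raw_len != 12)
    return false;

  /* Each leading 4-byte block carries a cascade tag followed by 3 UID bytes. */
  while (raw_len - pos > 4) {
    if (raw[pos] != CASCADE_TAG)
      return false;
    memcpy(tmp + n, raw + pos + 1, 3);
    n += 3;
    pos += 4;
  }
  /* The last block is 4 UID bytes with no tag: n ends at 4, 7 or 10. */
  memcpy(tmp + n, raw + pos, 4);
  n += 4;

  memcpy(out->abtUid, tmp, n);
  out->szUidLen = n;
  return true;
}

/* Runs the three valid layouts plus two malformed inputs; returns the number
 * of failed checks (0 means all passed). All inputs are constructed for the demo. */
int uid_selfcheck(void)
{
  static const uint8_t single[4]  = {0x01, 0x02, 0x03, 0x04};
  static const uint8_t dbl[8]     = {0x88, 0x04, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
  static const uint8_t triple[12] = {0x88, 0x04, 0x11, 0x22, 0x88, 0x33,
                                     0x44, 0x55, 0x66, 0x77, 0x88, 0x99};
  static const uint8_t no_tag[12] = {0x04, 0x11, 0x22, 0x33, 0x44, 0x55,
                                     0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB};
  static const uint8_t want_triple[10] = {0x04, 0x11, 0x22, 0x33, 0x44,
                                          0x55, 0x66, 0x77, 0x88, 0x99};
  struct nfc_uid u;
  int failures = 0;

  failures += !(uid_from_raw(single, 4, &u) && u.szUidLen == 4 && memcmp(u.abtUid, single, 4) == 0);
  failures += !(uid_from_raw(dbl, 8, &u) && u.szUidLen == 7 && memcmp(u.abtUid, dbl + 1, 7) == 0);
  failures += !(uid_from_raw(triple, 12, &u) && u.szUidLen == 10 && memcmp(u.abtUid, want_triple, 10) == 0);
  failures += uid_from_raw(no_tag, 12, &u);  /* first block lacks its CT: must be rejected */
  failures += uid_from_raw(triple, 5, &u);   /* length is not 4, 8 or 12: must be rejected */
  return failures;
}

int main(void)
{
  static const uint8_t triple[12] = {0x88, 0x04, 0x11, 0x22, 0x88, 0x33,
                                     0x44, 0x55, 0x66, 0x77, 0x88, 0x99};
  struct nfc_uid u;
  if (uid_from_raw(triple, sizeof triple, &u)) {
    printf("UID (%zu bytes):", u.szUidLen);
    for (size_t i = 0; i < u.szUidLen; i++)
      printf(" %02x", u.abtUid[i]);
    printf("\n");
  }
  return uid_selfcheck() == 0 ? 0 : 1;
}
```

The key design point is that the destination length is derived from the validated raw length rather than taken from the chip's reported size, so the copy into abtUid is bounded by construction; an unexpected length is reported as an error instead of silently truncated.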
The switch case has a default rule and a return in every case. So the
code after the switch will never be executed.
Problem reported by the Coverity tool
CID 1090408 (#1 of 1): Structurally dead code (UNREACHABLE) unreachable:
This code cannot be reached: "if (pn53x_current_target_ne...".
kFreeBSD uses cuaX as the UART device.
This supports kFreeBSD in Debian, and fixes a failure to build.
Signed-off-by: Nobuhiro Iwamatsu <iwamatsu@debian.org>
acr122_usb.c:237:3: warning: Function call argument is an uninitialized value
LOG_HEX(NFC_LOG_GROUP_COM, "TX", abtTx, szTx);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../libnfc/log.h:107:7: note: expanded from macro 'LOG_HEX'
snprintf (__acBuf + __szBuf, sizeof(__acBuf) - __szBuf, "%02x ",((uint8_t *)(pbtData))[__szPos]); \
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maybe a side effect of the #pragma pack not properly understood by the static analyser
but anyway acr122_usb_frame_template is also used the same way to initialize the other frames
acr122s.c:196:23: warning: The left operand of '<<' is a garbage value
size_t frame_size = FRAME_SIZE(frame);
^ ~~~~~~
acr122s.c:76:24: note: expanded from macro 'FRAME_SIZE'
^
acr122s.c:74:47: note: expanded from macro 'APDU_SIZE'
acr122s.c:331:3: warning: Null pointer passed as an argument to a 'nonnull' parameter
memcpy(buf, data, data_size);
^ ~~~~
pn53x.c:3138:3: warning: Null pointer passed as an argument to a 'nonnull' parameter
memcpy(CHIP_DATA(pnd)->current_target, pnt, sizeof(nfc_target));
^ ~~~
pn53x.c:85:57: warning: Result of 'malloc' is converted to a pointer of type 'nfc_modulation_type', which is incompatible with sizeof operand type 'nfc_modulation'
CHIP_DATA(pnd)->supported_modulation_as_initiator = malloc(sizeof(nfc_modulation) * 9);
^~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
ACR122U:
Through PCSC we couldn't send APDUs to the reader if there was no card
but now that we communicate directly with the reader, we can send APDUs
even if there is no card, so we don't need the Escape mechanism anymore
Test if SW1 is 0x61 (means more bytes have to be read) before using SW2 as length.
Update issue 251
The driver now checks that the Status Word (SW1) is equal to 0x61 (more data available) before using SW2 as a length.
If SW is not as expected, it shows SW1 and SW2.
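As an added example illustrating the check described in the two commits above (it is not the driver's own code), the following C inspects the trailing status word of a reader response and only treats SW2 as a byte count when SW1 is 0x61; it additionally refuses a count larger than the caller's buffer, which the commit does not mention but a follow-up read needs. The names acr122_check_status, sw_result and sw_selfcheck are hypothetical, and the response bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of inspecting the two status bytes at the end of a response. */
typedef enum {
  SW_MORE_DATA = 0,  /* SW1 == 0x61: SW2 bytes are waiting to be fetched */
  SW_TOO_SHORT,      /* response is shorter than the two status bytes */
  SW_UNEXPECTED,     /* SW1 is not 0x61: SW2 must not be used as a length */
  SW_TOO_LARGE       /* SW2 announces more bytes than the caller can hold */
} sw_result;

/* rx/rx_len: response as received from the reader; cap: size of the buffer
 * the caller will read the pending bytes into. On SW_MORE_DATA, *pending is
 * set from SW2. SW1/SW2 are always copied to sw_out so they can be logged. */
sw_result acr122_check_status(const uint8_t *rx, size_t rx_len, size_t cap,
                              size_t *pending, uint8_t sw_out[2])
{
  if (rx == NULL || rx_len < 2)
    return SW_TOO_SHORT;

  uint8_t sw1 = rx[rx_len - 2];
  uint8_t sw2 = rx[rx_len - 1];
  if (sw_out != NULL) {
    sw_out[0] = sw1;
    sw_out[1] = sw2;
  }
  if (sw1 != 0x61)
    return SW_UNEXPECTED;   /* caller logs sw_out instead of trusting sw2 */
  if (sw2 > cap)
    return SW_TOO_LARGE;    /* never read more than the buffer can take */
  if (pending != NULL)
    *pending = sw2;
  return SW_MORE_DATA;
}

/* Exercises the four outcomes on constructed responses; returns the number
 * of failed checks (0 means all passed). */
int sw_selfcheck(void)
{
  static const uint8_t more[4] = {0xAA, 0xBB, 0x61, 0x0C};  /* 12 bytes pending */
  static const uint8_t done[2] = {0x90, 0x00};              /* success, no data */
  size_t pending = 0;
  uint8_t sw[2];
  int failures = 0;

  failures += !(acr122_check_status(more, 4, 64, &pending, sw) == SW_MORE_DATA && pending == 12);
  failures += !(acr122_check_status(done, 2, 64, &pending, sw) == SW_UNEXPECTED
                && sw[0] == 0x90 && sw[1] == 0x00);
  failures += !(acr122_check_status(more, 4, 8, &pending, sw) == SW_TOO_LARGE);
  failures += !(acr122_check_status(done, 1, 64, &pending, sw) == SW_TOO_SHORT);
  return failures;
}

int main(void)
{
  static const uint8_t done[2] = {0x90, 0x00};
  size_t pending = 0;
  uint8_t sw[2];
  if (acr122_check_status(done, sizeof done, 64, &pending, sw) != SW_MORE_DATA)
    printf("unexpected status word: SW1=%02x SW2=%02x\n", sw[0], sw[1]);
  return sw_selfcheck() == 0 ? 0 : 1;
}
```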