  1. 27 Jan, 2014 2 commits
  2. 08 Dec, 2013 6 commits
  3. 06 Dec, 2013 1 commit
  4. 02 Dec, 2013 1 commit
  5. 11 Nov, 2013 3 commits
  6. 01 Oct, 2013 5 commits
  7. 22 Sep, 2013 17 commits
    • Revert "Check data from getenv("LIBNFC_LOG_LEVEL") and config file" · 252f590d
      Philippe Teuwen authored
      This reverts commit 846189b6.
      It didn't solve the Coverity complaint and it broke bitfield support of log_level
    • Check data from getenv("LIBNFC_LOG_LEVEL") and config file · 846189b6
      Philippe Teuwen authored
      Problem reported by Coverity:
      CID 1090344 (#1 of 1): Use of untrusted string value (TAINTED_STRING)
        tainted_string: Passing tainted string "res->log_level" to "log_init(nfc_context const *)", which cannot accept tainted data.
    • driver acr122_usb: fix dead code issue · 9bb568b7
      Philippe Teuwen authored
      Redundant result check leading to dead code was probably indicative
      of a missing return value check of acr122_usb_send_apdu()
      
      Problem reported by Coverity:
        at_least: At condition "res < 0", the value of "res" must be at least 12.
        cannot_single: At condition "res < 0", the value of "res" cannot be equal to -6.
        dead_error_condition: The condition "res < 0" cannot be true.
      CID 1090327 (#1 of 1): Logically dead code (DEADCODE)
        dead_error_begin: Execution cannot reach this statement "acr122_usb_ack(pnd);".
    • nfc-read-forum-tag3: avoid passing large struct as parameter · 117b58f5
      Philippe Teuwen authored
      Problem reported by Coverity:
      CID 1090334 (#1 of 1): Big parameter passed by value (PASS_BY_VALUE)
        pass_by_value: Passing parameter nt of type nfc_target const (size 291 bytes) by value.
    • Fix unharmful warning · 4a918591
      Philippe Teuwen authored
      Commit 54729fb4 removed some dead code spotted by Coverity
      but it had as effect to trigger a gcc warning, which prefers to see all enum in a switch rather than dead code:
      
      pn53x.c: In function 'pn53x_InJumpForDEP':
      pn53x.c:2552:5: warning: enumeration value 'NBR_UNDEFINED' not handled in switch [-Wswitch]
      pn53x.c:2552:5: warning: enumeration value 'NBR_847' not handled in switch [-Wswitch]
      
      So both switches were merged, which slightly optimizes the code for speed.
    • verify return of pn53x_set_property_bool() · 7cb8fd38
      Philippe Teuwen authored
      Problem reported by Coverity:
      CID 1090321 (#1 of 1): Unchecked return value (CHECKED_RETURN)
        unchecked_value: No check of the return value of "pn53x_set_property_bool(pnd, NP_INFINITE_SELECT, true)".
    • pn53x_usb driver: verify return of pn53x_build_frame() · 2e51318b
      Philippe Teuwen authored
      Problem reported by Coverity:
      CID 1090322 (#1 of 1): Unchecked return value (CHECKED_RETURN)
        unchecked_value: No check of the return value of "pn53x_build_frame(abtFrame, &szFrame, pbtData, szData)".
    • Fix possible overflow · 90160d65
      Philippe Teuwen authored
      Note that this could happen e.g. if a fake PN533 sends malicious frames over USB
      
      CID 1090329 (#1 of 1): Overflowed return value (INTEGER_OVERFLOW)
        overflow_sink: Overflowed or truncated value (or a value computed from an overflowed or truncated value) "res" used as return value.
    • Remove dead code · 618ca1e9
      Philippe Teuwen authored
      Problem reported by Coverity:
      at_most: At condition "io_res < 0", the value of "io_res" must be at most -1.
      dead_error_condition: The condition "io_res < 0" must be true.
      CID 1090328 (#1 of 1): Logically dead code (DEADCODE)
        dead_error_line: Execution cannot reach this expression "0" inside statement "return (io_res < 0) ? io_re...".
    • Remove dead code · 54729fb4
      Philippe Teuwen authored
      Problem reported by Coverity:
        dead_error_condition: The switch value "nbr" cannot be "NBR_UNDEFINED".
        CID 1090326 (#1 of 2): Logically dead code (DEADCODE)
        dead_error_begin: Execution cannot reach this statement "case NBR_UNDEFINED:".
    • nfc-relay-picc: sleep() expects unsigned int · cedbefb8
      Philippe Teuwen authored
      This avoids Coverity being unhappy that only lower bound was defined, well I hope
      
      lower_bounds: Checking lower bounds of signed scalar "waiting_time" by "waiting_time > 0".
      CID 1090343 (#1 of 1): Untrusted value as argument (TAINTED_SCALAR)
        tainted_data: Passing tainted variable "waiting_time" to a tainted sink.
        sleep(waiting_time);
    • nfc-mfclassic: verify return of nfc_initiator_select_passive_target() · 61884967
      Philippe Teuwen authored
      Problem reported by Coverity:
      CID 1090323 (#1 of 1): Unchecked return value (CHECKED_RETURN)
        unchecked_value: No check of the return value of "nfc_initiator_select_passive_target(pnd, nmMifare, nt.nti.nai.abtUid, nt.nti.nai.szUidLen, NULL)".
    • Verify return of nfc_device_set_property_bool() · a4f466df
      Philippe Teuwen authored
      Problem reported by Coverity:
      CID 1090325 (#1 of 1): Unchecked return value (CHECKED_RETURN)
        unchecked_value: No check of the return value of "nfc_device_set_property_bool(pnd, NP_AUTO_ISO14443_4, false)".
    • pn53x-sam: fix truncated stdio return value · e2135dba
      Philippe Teuwen authored
      Problem reported by Coverity:
      CID 1090318 (#1 of 1): Truncated stdio return value (CHAR_IO)
      char_io: Assigning the return value of "getchar(void)" to char "input" truncates its value
    • nfc-emulate-forum-tag4: fix TOCTOU · 679897d0
      Philippe Teuwen authored
      Hopefully fix TOCTOU by calling fopen() before stat()
      
      At least this should prevent Coverity to complain about it:
      CID 1090346 (#1 of 1): Time of check time of use (TOCTOU)
        fs_check_call: Calling function "stat(char const *, struct stat *)" to perform check on "filename".
        toctou: Calling function "fopen(char const * restrict, char const * restrict)" that uses "filename" after a check function. This can cause a time-of-check, time-of-use race condition.
      
      Note that it seems pretty hard to avoid completely:
      https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use#Preventing_TOCTTOU
    • nfc-read-forum-tag3: remove redundant error · feb5f37a
      Philippe Teuwen authored
      switch case was redundant as getopt was already telling the issue:
      
        nfc-read-forum-tag3: option requires an argument -- 'o'
        Option -o requires an argument.
      
      This fixes also a problem reported by Coverity about missing break:
      
      CID 1090330 (#1 of 1): Missing break in switch (MISSING_BREAK)
        unterminated_case: This case (value 63) is not terminated by a 'break' statement.
    • uart.c: check return of read() · 70048a0b
      Philippe Teuwen authored
      Fix warning
      uart.c:146:3: warning: ignoring return value of 'read', declared with attribute warn_unused_result [-Wunused-result]
      
      Also reported by Coverity:
      CID undefined (#1 of 1): Ignoring number of bytes read (CHECKED_RETURN)
        check_return: "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
  8. 21 Sep, 2013 3 commits
    • Fix strcpy into fixed size buffer in conf.c · b5d76a32
      Philippe Teuwen authored
      Problem reported by Coverity:
      
      CID 1090340 (#1 of 2): Copy into fixed size buffer (STRING_OVERFLOW)
        fixed_size_dest: You might overrun the 256 byte fixed-size string "context->user_defined_devices[context->user_defined_device_count - 1U].name" by copying "value" without checking the length.
        parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
      CID 1090340 (#2 of 2): Copy into fixed size buffer (STRING_OVERFLOW)
    • Fix out-of-bounds access in driver acr122_pcsc · d9854cfd
      Philippe Teuwen authored
      Problem reported by Coverity:
      CID 1091328 (#1 of 1): Out-of-bounds access (OVERRUN)
        overrun-buffer-arg: Overrunning buffer pointed to by "&abtTxBuf[6]" of 271 bytes by passing it to a function which accesses it at byte offset 271 using argument "szData" (which evaluates to 266).
    • Verify return of nfc_device_set_property_bool() · d9b531f5
      Philippe Teuwen authored
      Problem reported by Coverity
      CID 1090319 (#1 of 1): Unchecked return value (CHECKED_RETURN)
        unchecked_value: No check of the return value of "nfc_device_set_property_bool(pnd, NP_EASY_FRAMING, nt.nti.nai.btSak & 0x20)".
      CID 1090320 (#1 of 1): Unchecked return value (CHECKED_RETURN)
        unchecked_value: No check of the return value of "nfc_device_set_property_bool(dev, NP_HANDLE_CRC, false)".
      CID 1090324 (#1 of 2): Unchecked return value (CHECKED_RETURN)
        unchecked_value: No check of the return value of "nfc_device_set_property_bool(pnd, NP_ACTIVATE_FIELD, true)".
      CID 1090325 (#1 of 1): Unchecked return value (CHECKED_RETURN)
        unchecked_value: No check of the return value of "nfc_device_set_property_bool(pnd, NP_AUTO_ISO14443_4, false)".
  9. 19 Sep, 2013 2 commits
    • Changing conditions to avoid Coverity to complain in artificial situations · ddf58f2d
      Philippe Teuwen authored
      CID 1090331 (#1 of 1): Out-of-bounds access (OVERRUN)
      11. overrun-buffer-arg: Overrunning array "pnti->nai.abtUid" of 10 bytes by passing it to a function which accesses it at byte offset 11 using argument "pnti->nai.szUidLen" (which evaluates to 12).
    • Initialize array to keep Coverity happy · a5e7dec7
      Philippe Teuwen authored
      as Coverity fails seeing that szTargetTypes will always be = 0 in the case believed to lead to reading uninitialized data in apttTargetTypes.
      
      CID 1090347 (#1 of 1): Uninitialized scalar variable (UNINIT)
      4. uninit_use_in_call: Using uninitialized element of array "apttTargetTypes" when calling "pn53x_InAutoPoll(struct nfc_device *, pn53x_target_type const *, size_t const, uint8_t const, uint8_t const, nfc_target *, int const)".