1. 22 Sep, 2013 5 commits
    • Verify return of nfc_device_set_property_bool() · a4f466df
      Philippe Teuwen authored
      Problem reported by Coverity:
      CID 1090325 (#1 of 1): Unchecked return value (CHECKED_RETURN)
        unchecked_value: No check of the return value of "nfc_device_set_property_bool(pnd, NP_AUTO_ISO14443_4, false)".
    • pn53x-sam: fix truncated stdio return value · e2135dba
      Philippe Teuwen authored
      Problem reported by Coverity:
      CID 1090318 (#1 of 1): Truncated stdio return value (CHAR_IO)
      char_io: Assigning the return value of "getchar(void)" to char "input" truncates its value
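An added example (not libnfc's code) of the truncation Coverity describes above, run over a constructed in-memory stream: SAMPLE, consume_until_eof and the use of fmemopen are my choices, not taken from the pn53x-sam tool.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>

/* Constructed input: two ASCII bytes, then 0xFF, then two more. */
static const unsigned char SAMPLE[] = { 'A', 'B', 0xFF, 'C', 'D' };
#define SAMPLE_LEN (sizeof SAMPLE)

/* Read the stream until EOF and return how many bytes were consumed.
 * With keep_int set, the fgetc() result stays an int as the C library
 * intends, so EOF (-1) can never collide with a real byte (0..255).
 * Otherwise the result is narrowed to a signed char first, which is what
 * 'char input = getchar();' does where char is signed: byte 0xFF becomes
 * -1, compares equal to EOF and the loop stops early (on platforms where
 * char is unsigned the same bug turns into a loop that never sees EOF). */
static size_t consume_until_eof(const unsigned char *data, size_t len, int keep_int)
{
  FILE *in = fmemopen((void *)data, len, "r");
  if (in == NULL)
    return 0;
  size_t n = 0;
  for (;;) {
    int c = fgetc(in);
    if (keep_int) {
      if (c == EOF)
        break;
    } else {
      signed char input = (signed char)c;   /* the truncating assignment */
      if (input == EOF)
        break;
    }
    n++;
  }
  fclose(in);
  return n;
}

int main(void)
{
  printf("bytes consumed, int result:  %zu of %zu\n",
         consume_until_eof(SAMPLE, SAMPLE_LEN, 1), SAMPLE_LEN);
  printf("bytes consumed, char result: %zu of %zu\n",
         consume_until_eof(SAMPLE, SAMPLE_LEN, 0), SAMPLE_LEN);
  return 0;
}
```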
    • nfc-emulate-forum-tag4: fix TOCTOU · 679897d0
      Philippe Teuwen authored
      Hopefully fix TOCTOU by calling fopen() before stat()
      
      At least this should prevent Coverity from complaining about it:
      CID 1090346 (#1 of 1): Time of check time of use (TOCTOU)
        fs_check_call: Calling function "stat(char const *, struct stat *)" to perform check on "filename".
        toctou: Calling function "fopen(char const * restrict, char const * restrict)" that uses "filename" after a check function. This can cause a time-of-check, time-of-use race condition.
      
      Note that it seems pretty hard to avoid completely:
      https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use#Preventing_TOCTTOU
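Added example of the pattern the commit moves to, written for this log and not taken from nfc-emulate-forum-tag4: the file is opened first and the check is done with fstat() on the open descriptor, so the check and the later reads refer to the same file and no second path lookup can be raced. open_regular_file and roundtrip_demo are my names, and the temp file under /tmp is constructed for the self-check.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the path first, then run the check on the open descriptor with
 * fstat(): handle and check now refer to the same inode, so nothing can
 * swap the path between the check and the later reads. Returns NULL if
 * the path cannot be opened or is not a regular file. */
static FILE *open_regular_file(const char *path, size_t *size_out)
{
  FILE *fp = fopen(path, "rb");
  if (fp == NULL) return NULL;
  struct stat st;
  if (fstat(fileno(fp), &st) != 0 || !S_ISREG(st.st_mode)) {
    fclose(fp);
    return NULL;
  }
  if (size_out != NULL) *size_out = (size_t)st.st_size;
  return fp;
}

/* Self-check: write a constructed 12-byte temp file, open it through the
 * safe path and return the size fstat() observed, or -1 on any failure. */
static long roundtrip_demo(void)
{
  char path[] = "/tmp/toctou_demo_XXXXXX";        /* constructed name */
  const char payload[] = "hello, tag4!";           /* 12 bytes */
  int fd = mkstemp(path);
  if (fd < 0) return -1;
  if (write(fd, payload, 12) != 12) { close(fd); unlink(path); return -1; }
  close(fd);
  size_t size = 0;
  FILE *fp = open_regular_file(path, &size);
  unlink(path);                                    /* clean up either way */
  if (fp == NULL) return -1;
  fclose(fp);
  return (long)size;
}

int main(void)
{
  printf("regular file size: %ld\n", roundtrip_demo());
  printf("directory accepted: %s\n", open_regular_file("/", NULL) ? "yes" : "no");
  return 0;
}
```

What fstat() on the handle cannot tell you is whether the contents change while the file stays open; that is the part the linked article says is hard to close completely.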
    • nfc-read-forum-tag3: remove redundant error · feb5f37a
      Philippe Teuwen authored
      switch case was redundant as getopt was already reporting the issue:
      
        nfc-read-forum-tag3: option requires an argument -- 'o'
        Option -o requires an argument.
      
      This also fixes a problem reported by Coverity about a missing break:
      
      CID 1090330 (#1 of 1): Missing break in switch (MISSING_BREAK)
        unterminated_case: This case (value 63) is not terminated by a 'break' statement.
    • uart.c: check return of read() · 70048a0b
      Philippe Teuwen authored
      Fix warning
      uart.c:146:3: warning: ignoring return value of 'read', declared with attribute warn_unused_result [-Wunused-result]
      
      Also reported by Coverity:
      CID undefined (#1 of 1): Ignoring number of bytes read (CHECKED_RETURN)
        check_return: "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
  2. 21 Sep, 2013 3 commits
    • Fix strcpy into fixed size buffer in conf.c · b5d76a32
      Philippe Teuwen authored
      Problem reported by Coverity:
      
      CID 1090340 (#1 of 2): Copy into fixed size buffer (STRING_OVERFLOW)
        fixed_size_dest: You might overrun the 256 byte fixed-size string "context->user_defined_devices[context->user_defined_device_count - 1U].name" by copying "value" without checking the length.
        parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
      CID 1090340 (#2 of 2): Copy into fixed size buffer (STRING_OVERFLOW)
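Added example of a bounded replacement for the strcpy() into the 256-byte name field; this is not conf.c's code. struct user_device, DEVICE_NAME_SIZE and set_device_name are stand-ins of mine, the 256 is the size from the Coverity report, and the values in the self-check are constructed.

```c
#include <stdio.h>
#include <string.h>

#define DEVICE_NAME_SIZE 256   /* the fixed 256-byte "name" field Coverity flagged */

/* Hypothetical stand-in for the device record; only the field that matters. */
struct user_device {
  char name[DEVICE_NAME_SIZE];
};

/* Bounded replacement for 'strcpy(dev->name, value)'. The length of the
 * caller-supplied value is checked before anything is written, and an
 * oversize value is rejected rather than silently truncated: a truncated
 * device name or connection string could select a different device than
 * the one the configuration named. Returns 0 on success, -1 if rejected. */
static int set_device_name(struct user_device *dev, const char *value)
{
  size_t len = strlen(value);
  if (len >= sizeof dev->name)        /* leave room for the terminating NUL */
    return -1;
  memcpy(dev->name, value, len + 1);  /* copies the NUL as well */
  return 0;
}

/* Self-check with constructed values: a 255-char name fits, 256 does not,
 * and the field is left untouched when the value is rejected. Returns 1
 * when all three observations hold. */
static int name_bound_demo(void)
{
  struct user_device dev;
  char value[DEVICE_NAME_SIZE + 1];

  memset(value, 'x', DEVICE_NAME_SIZE - 1);
  value[DEVICE_NAME_SIZE - 1] = '\0';          /* 255 characters */
  if (set_device_name(&dev, value) != 0 || strlen(dev.name) != 255)
    return 0;

  memset(value, 'y', DEVICE_NAME_SIZE);
  value[DEVICE_NAME_SIZE] = '\0';              /* 256 characters: too long */
  if (set_device_name(&dev, value) != -1 || dev.name[0] != 'x')
    return 0;
  return 1;
}

int main(void)
{
  printf("bounded copy behaves as expected: %s\n", name_bound_demo() ? "yes" : "no");
  return 0;
}
```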
    • Fix out-of-bounds access in driver acr122_pcsc · d9854cfd
      Philippe Teuwen authored
      Problem reported by Coverity:
      CID 1091328 (#1 of 1): Out-of-bounds access (OVERRUN)
        overrun-buffer-arg: Overrunning buffer pointed to by "&abtTxBuf[6]" of 271 bytes by passing it to a function which accesses it at byte offset 271 using argument "szData" (which evaluates to 266).
    • Verify return of nfc_device_set_property_bool() · d9b531f5
      Philippe Teuwen authored
      Problem reported by Coverity
      CID 1090319 (#1 of 1): Unchecked return value (CHECKED_RETURN)
        unchecked_value: No check of the return value of "nfc_device_set_property_bool(pnd, NP_EASY_FRAMING, nt.nti.nai.btSak & 0x20)".
      CID 1090320 (#1 of 1): Unchecked return value (CHECKED_RETURN)
        unchecked_value: No check of the return value of "nfc_device_set_property_bool(dev, NP_HANDLE_CRC, false)".
      CID 1090324 (#1 of 2): Unchecked return value (CHECKED_RETURN)
        unchecked_value: No check of the return value of "nfc_device_set_property_bool(pnd, NP_ACTIVATE_FIELD, true)".
      CID 1090325 (#1 of 1): Unchecked return value (CHECKED_RETURN)
        unchecked_value: No check of the return value of "nfc_device_set_property_bool(pnd, NP_AUTO_ISO14443_4, false)".
  3. 19 Sep, 2013 9 commits
    • Changing conditions to avoid Coverity complaining in artificial situations · ddf58f2d
      Philippe Teuwen authored
      CID 1090331 (#1 of 1): Out-of-bounds access (OVERRUN)
      11. overrun-buffer-arg: Overrunning array "pnti->nai.abtUid" of 10 bytes by passing it to a function which accesses it at byte offset 11 using argument "pnti->nai.szUidLen" (which evaluates to 12).
    • Initialize array to keep Coverity happy · a5e7dec7
      Philippe Teuwen authored
      as Coverity fails to see that szTargetTypes will always be 0 in the case believed to lead to reading uninitialized data in apttTargetTypes.
      
      CID 1090347 (#1 of 1): Uninitialized scalar variable (UNINIT)
      4. uninit_use_in_call: Using uninitialized element of array "apttTargetTypes" when calling "pn53x_InAutoPoll(struct nfc_device *, pn53x_target_type const *, size_t const, uint8_t const, uint8_t const, nfc_target *, int const)".
    • Fix unbounded source buffer · 30fdf1d9
      Philippe Teuwen authored
      source could be larger than destination
      
      Problem reported by Coverity
      CID 1090342 (#1 of 1): Unbounded source buffer (STRING_SIZE)
      10. string_size: Passing string "envvar" of unknown size to "strcpy(char * restrict, char const * restrict)", which expects a string of a particular size.
    • 9240770a
    • Fix memory leak · 3d040d73
      Philippe Teuwen authored
      Problems reported by Coverity:
      
      CID 1090335 (#1 of 1): Resource leak (RESOURCE_LEAK)
      24. leaked_storage: Variable "acPorts" going out of scope leaks the storage it points to.
      
      CID 1090336 (#1 of 1): Resource leak (RESOURCE_LEAK)
      10. leaked_storage: Variable "acPorts" going out of scope leaks the storage it points to.
      
      CID 1090337 (#1 of 1): Resource leak (RESOURCE_LEAK)
      21. leaked_storage: Variable "i2cPorts" going out of scope leaks the storage it points to.
      
      CID 1090338 (#1 of 1): Resource leak (RESOURCE_LEAK)
      21. leaked_storage: Variable "acPorts" going out of scope leaks the storage it points to.
      
      CID 1090339 (#1 of 1): Resource leak (RESOURCE_LEAK)
      23. leaked_storage: Variable "acPorts" going out of scope leaks the storage it points to.
    • Fix warning about out-of-bound read · b6b63f10
      Philippe Teuwen authored
      Actually the second part of the condition guaranteed that an out-of-bound read would never occur, but now the code is neater.
      It was:  for (j = 0; (j < "too_large_bound") && (const_ca[i].saklist[j] >= 0); j++)
      
      Problem reported by Coverity
      CID 1090332 (#1 of 1): Out-of-bounds read (OVERRUN)
      67. overrun-local: Overrunning array "const_ca[i].saklist" of 8 4-byte elements at element index 31 (byte offset 124) using index "j" (which evaluates to 31).
    • Fix buffer overflow and fix triple-size UID reported by PN531 · 3e7dab1e
      Philippe Teuwen authored
      A buffer overflow could occur if a triple-size UID card was read with a PN531.
      Moreover the way cascade tags were removed was just wrong.
      
      Problem reported by Coverity
      CID 1090331 (#1 of 1): Out-of-bounds access (OVERRUN)
      10. overrun-buffer-arg: Overrunning buffer pointed to by "&pnti->nai.abtUid[5]" of 10 bytes by passing it to a function which accesses it at byte offset 11 using argument "7UL".
      
      Coverity reported a read out of bounds, but actually the real problem with a PN531 and a triple-size UID will already occur at
          memcpy(pnti->nai.abtUid, pbtRawData, pnti->nai.szUidLen); where abtUid is of size 10 and szUidLen of size 12
    • Fix use after free bug · 107b4ece
      Ludovic Rousseau authored
      nfc_exit(context); was called 2 times
      
      CID 1090348 (#1 of 1): Use after free (USE_AFTER_FREE)
      53. deref_arg: Calling "nfc_exit(nfc_context *)" dereferences freed pointer "context". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.)
    • Remove dead code · 967f6e56
      Ludovic Rousseau authored
      The switch case has a default rule and a return in every case. So the
      code after the switch will never be executed.
      
      Problem reported by the Coverity tool
      CID 1090408 (#1 of 1): Structurally dead code (UNREACHABLE)
      unreachable: This code cannot be reached: "if (pn53x_current_target_ne...".
  4. 10 Sep, 2013 3 commits
  5. 09 Sep, 2013 1 commit
  6. 07 Sep, 2013 1 commit
  7. 03 Sep, 2013 8 commits
  8. 31 Aug, 2013 3 commits
  9. 29 Aug, 2013 7 commits