FIX: coverty scan reveals some resourceleaks and overruns, which is supposed to...

/armsrc/des.c   overflow 7 instead of 6
/client/cmdlfhitag.c  overflows traclen
/client/util.c   sprint_bin_break  overflows.
/client/cmdhficlass.c   need to free memory after malloc.

ADD:  RotateRight macro in util.h

diff --git a/armsrc/des.c b/armsrc/des.c
index e72ebb2af5b18a138bb4f97d8e0f5771a8f86150..1ff041843e60aadbda8e65148562d765373d4cc3 100644 (file)
--- a/armsrc/des.c
+++ b/armsrc/des.c
@@ -274,7 +274,7 @@ uint32_t des_f(uint32_t r, uint8_t* kr){
        uint64_t data;
        uint8_t *sbp; /* sboxpointer */ 
        permute((uint8_t*)e_permtab, (uint8_t*)&r, (uint8_t*)&data);
-       for(i=0; i<7; ++i)
+       for(i=0; i<6; ++i)
                ((uint8_t*)&data)[i] ^= kr[i];
        
        /* Sbox substitution */

diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c
index ffcd719efadb4d5b4dc6bc6bc73643eaac314021..75c45444a7996566cc34ff9bbc85fba000244e4c 100644 (file)
--- a/client/cmdhficlass.c
+++ b/client/cmdhficlass.c
@@ -409,6 +409,7 @@ int CmdHFiClassDecrypt(const char *Cmd) {
 
        saveFile(outfilename,"bin", decrypted, blocknum*8);
 
+       free(decrypted);
        return 0;
 }
 

diff --git a/client/cmdlfhitag.c b/client/cmdlfhitag.c
index 36220643d3b6ab0e4819ea0feedd9c4cce52ca22..bd2e47a8fbd34a62ac837ac8c8c77e40a58dbfdf 100644 (file)
--- a/client/cmdlfhitag.c
+++ b/client/cmdlfhitag.c
@@ -71,7 +71,7 @@ int CmdLFHitagList(const char *Cmd)
 
        for (;;) {
   
-               if(i > traceLen) { break; }
+               if(i >= traceLen) { break; }
 
                bool isResponse;
                int timestamp = *((uint32_t *)(got+i));

diff --git a/client/util.c b/client/util.c
index a3672130685ba7e838e51efefb7979dd4719b42d..de6443cfcd7ab48a3c927c91b6f884f32ad3171d 100644 (file)
--- a/client/util.c
+++ b/client/util.c
@@ -137,7 +137,7 @@ char *sprint_bin_break(const uint8_t *data, const size_t len, const uint8_t brea
 
        size_t in_index = 0;
        // loop through the out_index to make sure we don't go too far
-       for (size_t out_index=0; out_index < max_len; out_index++) {
+       for (size_t out_index=0; out_index < max_len-2; out_index++) {
                // set character
                sprintf(tmp++, "%u", data[in_index]);
                // check if a line break is needed and we have room to print it in our array
@@ -463,11 +463,9 @@ void binarraytobinstring(char *target, char *source,  int length)
 uint8_t GetParity( uint8_t *bits, uint8_t type, int length)
 {
     int x;
-
-    for(x= 0 ; length > 0 ; --length)
+    for( x = 0 ; length > 0 ; --length)
         x += bits[length - 1];
     x %= 2;
-
     return x ^ type;
 }
 
@@ -503,7 +501,8 @@ uint32_t PackBits(uint8_t start, uint8_t len, uint8_t* bits) {
        return tmp;
 }
 
-// RotateLeft - Ultralight, Desfire
+// RotateLeft - Ultralight, Desfire, works on byte level
+// 00-01-02  >> 01-02-00
 void rol(uint8_t *data, const size_t len){
     uint8_t first = data[0];
     for (size_t i = 0; i < len-1; i++) {

diff --git a/client/util.h b/client/util.h
index 446ec88216b7e1785e7154dcc97f553485a1471e..12f1592974b05b981307053dc196803be4e643f7 100644 (file)
--- a/client/util.h
+++ b/client/util.h
@@ -17,6 +17,9 @@
 #include <time.h>
 #include "data.h"
 
+#ifndef ROTR
+# define ROTR(x,n) (((uintmax_t)(x) >> (n)) | ((uintmax_t)(x) << ((sizeof(x) * 8) - (n))))
+#endif
 #ifndef MIN
 # define MIN(a, b) (((a) < (b)) ? (a) : (b))
 #endif