From bf8243475b51549bbf68a505ff6dd5c5a4a28de4 Mon Sep 17 00:00:00 2001 From: marshmellow42 Date: Tue, 20 Jun 2017 18:25:08 -0400 Subject: [PATCH 1/1] some coverity fixes plus fix fdx help (#328) * coverity fixes cmdhflegic- indications are the i in calls to data_buf[i] could = 1052 and overflow the array. cmdhfmfhard - +1 to add space for string null terminator - should we add the 0 terminator value too? reveng.c - memory leak util.c - fix potential overflow of array buf[] util_posix.c - possible integer overflow * fix help errors * fix sprint_hex_ascii again and this function is not even used anywhere... yet... --- client/cmdhflegic.c | 2 +- client/cmdhfmfhard.c | 2 +- client/cmdlffdx.c | 6 +++--- client/reveng/reveng.c | 1 + client/util.c | 7 ++++--- client/util_posix.c | 2 +- 6 files changed, 11 insertions(+), 9 deletions(-) diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c index 777f524f..493256a9 100644 --- a/client/cmdhflegic.c +++ b/client/cmdhflegic.c @@ -59,7 +59,7 @@ int CmdLegicDecode(const char *Cmd) int crc = 0; int wrp = 0; int wrc = 0; - uint8_t data_buf[1052]; // receiver buffer + uint8_t data_buf[1053]; // receiver buffer char out_string[3076]; // just use big buffer - bad practice char token_type[4]; diff --git a/client/cmdhfmfhard.c b/client/cmdhfmfhard.c index b5eabb82..85b772e4 100644 --- a/client/cmdhfmfhard.c +++ b/client/cmdhfmfhard.c @@ -247,7 +247,7 @@ static void init_bitflip_bitarrays(void) #endif char state_files_path[strlen(get_my_executable_directory()) + strlen(STATE_FILES_DIRECTORY) + strlen(STATE_FILE_TEMPLATE) + 1]; - char state_file_name[strlen(STATE_FILE_TEMPLATE)]; + char state_file_name[strlen(STATE_FILE_TEMPLATE)+1]; for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) { num_effective_bitflips[odd_even] = 0; diff --git a/client/cmdlffdx.c b/client/cmdlffdx.c index 234db59f..006ffd56 100644 --- a/client/cmdlffdx.c +++ b/client/cmdlffdx.c 
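Review bot: In `CmdLegicDecode` (client/cmdhflegic.c), growing `data_buf` from 1052 to 1053 bytes only helps if the index can never exceed 1052, and nothing in this hunk enforces that. The indexing code is outside the hunk, so this is inferred from the commit message. If the index is derived from data read off a tag, checking `i < sizeof(data_buf)` before each `data_buf[i]` access would bound it whatever the array size. A comment on the declaration, such as `// receiver buffer; index may reach 1052, hence 1053`, would also explain the unusual size.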
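Review bot: In `init_bitflip_bitarrays` (client/cmdhfmfhard.c), `state_file_name` is sized from the text of `STATE_FILE_TEMPLATE`, so the added byte is enough only if the expanded file name is never longer than the template string. The write into the array is outside the hunk. Assuming it is a `sprintf` that uses the template as its format, `snprintf(state_file_name, sizeof(state_file_name), STATE_FILE_TEMPLATE, ...)` would bound the write and always store the terminating NUL. That would also settle the question left open in the commit message.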
@@ -47,7 +47,7 @@ static int CmdHelp(const char *Cmd); int usage_lf_fdx_clone(void){ PrintAndLog("Clone a FDX-B animal tag to a T55x7 tag."); - PrintAndLog("Usage: lf animal clone [h] "); + PrintAndLog("Usage: lf fdx clone [h] "); PrintAndLog("Options:"); PrintAndLog(" h : This help"); PrintAndLog(" : Country id"); @@ -66,13 +66,13 @@ int usage_lf_fdx_sim(void) { PrintAndLog("Enables simulation of FDX-B animal tag"); PrintAndLog("Simulation runs until the button is pressed or another USB command is issued."); PrintAndLog(""); - PrintAndLog("Usage: lf animal sim [h] "); + PrintAndLog("Usage: lf fdx sim [h] "); PrintAndLog("Options:"); PrintAndLog(" h : This help"); PrintAndLog(" : Country ID"); PrintAndLog(" : Animal ID"); PrintAndLog(""); - PrintAndLog("Sample: lf animal sim 999 112233"); + PrintAndLog("Sample: lf fdx sim 999 112233"); return 0; } // clearing the topbit needed for the preambl detection. diff --git a/client/reveng/reveng.c b/client/reveng/reveng.c index 3c6da126..dd50987c 100644 --- a/client/reveng/reveng.c +++ b/client/reveng/reveng.c @@ -257,6 +257,7 @@ engini(int *resc, model_t **result, const poly_t divisor, int flags, int args, c palloc(&apoly, dlen); calini(resc, result, divisor, flags, apoly, args, argpolys); pfree(&apoly); + free(mat); return; } diff --git a/client/util.c b/client/util.c index 0a92f15a..38dd3a12 100644 --- a/client/util.c +++ b/client/util.c @@ -193,13 +193,14 @@ char *sprint_hex_ascii(const uint8_t *data, const size_t len) { static char buf[1024]; char *tmp = buf; memset(buf, 0x00, 1024); - size_t max_len = (len > 1010) ? 1010 : len; - + size_t max_len = (len > 255) ? 255 : len; + // max 255 bytes * 3 + 2 characters = 767 in buffer sprintf(tmp, "%s| ", sprint_hex(data, max_len) ); size_t i = 0; size_t pos = (max_len * 3)+2; - while(i < max_len){ + // add another 255 characters ascii = 1020 characters of buffer used + while(i < max_len) { char c = data[i]; if ( (c < 32) || (c == 127)) c = '.'; 
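Review bot: `free(mat);` in `engini` (client/reveng/reveng.c) is added only on the final return path shown in this hunk. The allocation of `mat` and any earlier `return` statements are outside the hunk. If one of them can be reached after `mat` is allocated, that path still leaks and needs the same `free(mat);`. A single cleanup label at the end of the function would keep the release in one place.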
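Review bot: In `sprint_hex_ascii` (client/util.c), the `sprintf(tmp, "%s| ", ...)` into the static 1024-byte `buf` is still unbounded. It fits only because of the new 255-byte cap and the assumption that `sprint_hex` returns exactly three characters per byte, which this hunk does not show. `snprintf(tmp, sizeof(buf), "%s| ", sprint_hex(data, max_len));` would make the bound explicit, and `memset(buf, 0x00, sizeof(buf));` would tie the clear to the declaration instead of a repeated literal. The second added comment says 1020 characters, but 767 + 255 is 1022. The function body continues past the end of the hunk.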
diff --git a/client/util_posix.c b/client/util_posix.c index 382f6a60..dd3d714c 100644 --- a/client/util_posix.c +++ b/client/util_posix.c @@ -31,7 +31,7 @@ static void nsleep(uint64_t n) { } void msleep(uint32_t n) { - nsleep(1000000 * n); + nsleep(1000000 * (uint64_t)n); } #endif // _WIN32 -- 2.39.5
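Review bot: The cast in `msleep` (client/util_posix.c) is correct but unexplained. Without it, `1000000 * n` is evaluated in 32 bits on platforms with a 32-bit `int` and wraps once `n` exceeds 4294. A short comment such as `// widen first: 1000000 * n wraps in 32 bits for n > 4294` would keep a later cleanup from removing the cast. `UINT64_C(1000000) * n` would express the same widening without a cast.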