FIX: Coverity scan found some bugs in the EMV code. This commit fixes:

-CID 141293 - missing va_end call
  -CID 141290 - return var not always given a value
  -CID 141289 - array out of bounds write. off by one.
  -CID 141288 - dead code because of CID 141287
  -CID 141287 - wrong mask
  -CID 141286 - wrong mask value
iceman1001 2017-02-15 02:44:34 +01:00
parent dd015c5915
commit 1bfbe92a53
2 changed files with 113 additions and 112 deletions


@ -171,7 +171,7 @@ int EMV_PaywaveTransaction()
cardMode = VISA_FDDA;
}
else if((currentcard.tag_9F66[0] & 0x80) == 0x80) {
if((currentcard.tag_9F66[1] & 0x80) == 1) { //CVN17
if((currentcard.tag_9F66[1] & 0x80) == 0x80) { //CVN17
cardMode = VISA_CVN17;
} else {
cardMode = VISA_DCVV;
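Review bot: The two `tag_9F66` tests in this branch still compare a masked value against a repeated bare literal, which is the pattern that let `== 1` go unnoticed; testing the masked value directly removes the second literal, e.g. `if (currentcard.tag_9F66[1] & 0x80) { //CVN17`. A short comment stating which bit of tag 9F66 each mask selects would let a reader check the card-mode selection against the specification instead of trusting the trailing `//CVN17`. The if/else chain this belongs to starts and ends outside the hunk.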


@ -42,7 +42,7 @@ int emv_lookuptag(uint8_t* tag, emvtags *currentcard, uint8_t* outputval, uint8_
{
//loop through tag and return the appropriate value
uint8_t returnedtag[255];
uint8_t returnedlength;
uint8_t returnedlength = 0;
memset(returnedtag, 0x00, sizeof(returnedtag));
if(!memcmp(tag, "\x4F\x00",2)){
memcpy(&returnedtag, currentcard->tag_4F, currentcard->tag_4F_len);
@ -231,25 +231,25 @@ int emv_lookuptag(uint8_t* tag, emvtags *currentcard, uint8_t* outputval, uint8_
returnedlength = currentcard->tag_9F0B_len; goto exitfunction;}
else if(*(tag+1) == 0x0D){
memcpy(&returnedtag, currentcard->tag_9F0D, sizeof(currentcard->tag_9F0D));
returnedlength = sizeof(currentcard->tag_9F0D);goto exitfunction;}
returnedlength = sizeof(currentcard->tag_9F0D); goto exitfunction;}
else if(*(tag+1) == 0x0E){
memcpy(&returnedtag, currentcard->tag_9F0E, sizeof(currentcard->tag_9F0E));
returnedlength = sizeof(currentcard->tag_9F0E);goto exitfunction;}
returnedlength = sizeof(currentcard->tag_9F0E); goto exitfunction;}
else if(*(tag+1) == 0x0F){
memcpy(&returnedtag, currentcard->tag_9F0F, sizeof(currentcard->tag_9F0F));
returnedlength = sizeof(currentcard->tag_9F0F);goto exitfunction;}
returnedlength = sizeof(currentcard->tag_9F0F); goto exitfunction;}
else if(*(tag+1) == 0x10){
memcpy(&returnedtag, currentcard->tag_9F10, currentcard->tag_9F10_len);
returnedlength = currentcard->tag_9F10_len;goto exitfunction;}
returnedlength = currentcard->tag_9F10_len; goto exitfunction;}
else if(*(tag+1) == 0x11){
memcpy(&returnedtag, currentcard->tag_9F11, sizeof(currentcard->tag_9F11));
returnedlength = sizeof(currentcard->tag_9F11);goto exitfunction;}
returnedlength = sizeof(currentcard->tag_9F11); goto exitfunction;}
else if(*(tag+1) == 0x12){
memcpy(&returnedtag, currentcard->tag_9F12, currentcard->tag_9F12_len);
returnedlength = currentcard->tag_9F12_len;goto exitfunction;}
returnedlength = currentcard->tag_9F12_len; goto exitfunction;}
else if(*(tag+1) == 0x1A){
memcpy(&returnedtag, currentcard->tag_9F1A, sizeof(currentcard->tag_9F1A));
goto exitfunction;}
returnlength = sizeof(currentcard->tag_9F1A); goto exitfunction;}
else if(*(tag+1) == 0x1F){
memcpy(&returnedtag, currentcard->tag_9F1F, currentcard->tag_9F1F_len);
returnedlength = currentcard->tag_9F1F_len; goto exitfunction;}
@ -259,10 +259,10 @@ int emv_lookuptag(uint8_t* tag, emvtags *currentcard, uint8_t* outputval, uint8_
else if(*(tag+1) == 0x34){
memcpy(&returnedtag, currentcard->tag_9F34, sizeof(currentcard->tag_9F34));
returnedlength = sizeof(currentcard->tag_9F34); goto exitfunction;}
else if(*(tag+1) == 0x35){
else if(*(tag+1) == 0x35){
memcpy(&returnedtag, currentcard->tag_9F35, sizeof(currentcard->tag_9F35));
returnedlength = sizeof(currentcard->tag_9F35); goto exitfunction;}
else if(*(tag+1) == 0x37){
else if(*(tag+1) == 0x37){
memcpy(&returnedtag, currentcard->tag_9F37, sizeof(currentcard->tag_9F37));
returnedlength = sizeof(currentcard->tag_9F37);goto exitfunction;}
else if(*(tag+1) == 0x38){
@ -295,7 +295,7 @@ else if(*(tag+1) == 0x37){
else if(*(tag+1) == 0x4C){
memcpy(&returnedtag, currentcard->tag_9F4C, sizeof(currentcard->tag_9F4C));
returnedlength = sizeof(currentcard->tag_9F4C); goto exitfunction;}
else if(*(tag+1) == 0x60){
else if(*(tag+1) == 0x60){
memcpy(&returnedtag, currentcard->tag_9F60, sizeof(currentcard->tag_9F60));
returnedlength = sizeof(currentcard->tag_9F60);goto exitfunction;}
else if(*(tag+1) == 0x61){
@ -826,6 +826,7 @@ int emv_generatetemplate(uint8_t* templateval,emvtags* currentcard, uint8_t* ret
}
encode_ber_tlv_item(templateval, strlen((const char*) templateval), bufferval, counter, returnedval, &encodedlen);
*returnedlen = encodedlen;
va_end(arguments);
return 0;
}
@ -1388,7 +1389,7 @@ int emv_getprocessingoptions(uint8_t* pdol, uint8_t pdol_len, void* data)
processingCmd[6] = pdol_len;
if(pdol_len > 0){
memcpy(&(processingCmd[7]), pdol, pdol_len);}
processingCmd[processingCmd_len] = 0x00;
processingCmd[processingCmd_len-1] = 0x00;
return iso14_apdu(processingCmd, processingCmd_len, data);
}
@ -1513,7 +1514,7 @@ int emv_decodeCVM(uint8_t* CVM, uint8_t CVMlen)
if((CVM[counter] & 0x3F) == 0x30){
Dbprintf("Signature (paper)");
}
if((CVM[counter] & 0x3F) == 0x40){
if((CVM[counter] & 0x7F) == 0x40){ // iceman, wrong masked used? changed from 0x3f -> 0x7f
Dbprintf("No CVM required");
}
counter +=2;
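Review bot: In the `0x1A` branch of emv_lookuptag the added line assigns to `returnlength`, while the variable declared at the top of the function and set by every other branch is `returnedlength`; the line should read `returnedlength = sizeof(currentcard->tag_9F1A); goto exitfunction;`. Unless a separate `returnlength` is declared outside the visible lines this does not compile, and if one is, a 9F1A lookup still reaches `exitfunction` with `returnedlength` at its new initial value of 0. Separately, in emv_decodeCVM the change to `0x7F` makes the `0x40` comparison reachable, but the inline comment itself marks the mask as a guess. As I read EMV Book 3, the CVM method sits in the low six bits and the `0x40` bit is the apply-succeeding-rule flag, so the `0x30` and `0x40` constants should be checked against the specification before the decoded output is relied on. Both functions continue outside their hunks.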