Bug Summary

File:src/lib/libusbhid/parse.c
Warning:line 560, column 5
Value stored to 'report_id' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name parse.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libusbhid/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/lib/libusbhid -D PIC -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libusbhid/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/lib/libusbhid/parse.c
1/* $OpenBSD: parse.c,v 1.12 2020/06/05 00:51:56 jsg Exp $ */
2/* $NetBSD: parse.c,v 1.2 2001/12/29 20:44:22 augustss Exp $ */
3
4/*
5 * Copyright (c) 1999, 2001 Lennart Augustsson <augustss@netbsd.org>
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30#include <stdlib.h>
31#include <string.h>
32
33#include <dev/usb/usb.h>
34#include <dev/usb/usbhid.h>
35
36#include "usbhid.h"
37#include "usbvar.h"
38
39#define MAXUSAGE100 100
40#define MAXPUSH4 4
41#define MAXID64 64
42#define ITEMTYPES3 3
43
44struct hid_pos_data {
45 int32_t rid;
46 uint32_t pos[ITEMTYPES3];
47};
48
49struct hid_data {
50 const uint8_t *start;
51 const uint8_t *end;
52 const uint8_t *p;
53 struct hid_item cur[MAXPUSH4];
54 struct hid_pos_data last_pos[MAXID64];
55 uint32_t pos[ITEMTYPES3];
56 int32_t usages_min[MAXUSAGE100];
57 int32_t usages_max[MAXUSAGE100];
58 int32_t usage_last; /* last seen usage */
59 uint32_t loc_size; /* last seen size */
60 uint32_t loc_count; /* last seen count */
61 uint8_t kindset; /* we have 5 kinds so 8 bits are enough */
62 uint8_t pushlevel; /* current pushlevel */
63 uint8_t ncount; /* end usage item count */
64 uint8_t icount; /* current usage item count */
65 uint8_t nusage; /* end "usages_min/max" index */
66 uint8_t iusage; /* current "usages_min/max" index */
67 uint8_t ousage; /* current "usages_min/max" offset */
68 uint8_t susage; /* usage set flags */
69 int32_t reportid; /* requested report ID */
70 struct hid_item savedcoll; /* save coll until we know the ID */
71 uint8_t hassavedcoll;
72};
73
74static void
75hid_clear_local(hid_item_t *c)
76{
77
78 c->usage = 0;
79 c->usage_minimum = 0;
80 c->usage_maximum = 0;
81 c->designator_index = 0;
82 c->designator_minimum = 0;
83 c->designator_maximum = 0;
84 c->string_index = 0;
85 c->string_minimum = 0;
86 c->string_maximum = 0;
87 c->set_delimiter = 0;
88}
89
90static void
91hid_switch_rid(struct hid_data *s, struct hid_item *c, int32_t next_rID)
92{
93 uint8_t i, j;
94
95 /* check for same report ID - optimise */
96
97 if (c->report_ID == next_rID)
98 return;
99
100 /* save current position for current rID */
101
102 if (c->report_ID == 0) {
103 i = 0;
104 } else {
105 for (i = 1; i != MAXID64; i++) {
106 if (s->last_pos[i].rid == c->report_ID)
107 break;
108 if (s->last_pos[i].rid == 0)
109 break;
110 }
111 }
112 if (i != MAXID64) {
113 s->last_pos[i].rid = c->report_ID;
114 for (j = 0; j < ITEMTYPES3; j++)
115 s->last_pos[i].pos[j] = s->pos[j];
116 }
117
118 /* store next report ID */
119
120 c->report_ID = next_rID;
121
122 /* lookup last position for next rID */
123
124 if (next_rID == 0) {
125 i = 0;
126 } else {
127 for (i = 1; i != MAXID64; i++) {
128 if (s->last_pos[i].rid == next_rID)
129 break;
130 if (s->last_pos[i].rid == 0)
131 break;
132 }
133 }
134 if (i != MAXID64) {
135 s->last_pos[i].rid = next_rID;
136 for (j = 0; j < ITEMTYPES3; j++)
137 s->pos[j] = s->last_pos[i].pos[j];
138 } else {
139 for (j = 0; j < ITEMTYPES3; j++)
140 s->pos[j] = 0; /* Out of RID entries. */
141 }
142}
143
144hid_data_t
145hid_start_parse(report_desc_t d, int kindset, int id)
146{
147 struct hid_data *s;
148
149 s = calloc(1, sizeof *s);
150 if (s == NULL((void *)0))
151 return (NULL((void *)0));
152 s->start = s->p = d->data;
153 s->end = d->data + d->size;
154 s->kindset = kindset;
155 s->reportid = id;
156 s->hassavedcoll = 0;
157 return (s);
158}
159
160void
161hid_end_parse(hid_data_t s)
162{
163
164 if (s == NULL((void *)0))
165 return;
166
167 free(s);
168}
169
170static uint8_t
171hid_get_byte(struct hid_data *s, const uint16_t wSize)
172{
173 const uint8_t *ptr;
174 uint8_t retval;
175
176 ptr = s->p;
177
178 /* check if end is reached */
179 if (ptr == s->end)
180 return (0);
181
182 /* read out a byte */
183 retval = *ptr;
184
185 /* check if data pointer can be advanced by "wSize" bytes */
186 if ((s->end - ptr) < wSize)
187 ptr = s->end;
188 else
189 ptr += wSize;
190
191 /* update pointer */
192 s->p = ptr;
193
194 return (retval);
195}
196
197#define REPORT_SAVED_COLLdo { if (s->hassavedcoll) { *h = s->savedcoll; h->report_ID
= c->report_ID; s->hassavedcoll = 0; return (1); } } while
(0) \
198 do { \
199 if (s->hassavedcoll) { \
200 *h = s->savedcoll; \
201 h->report_ID = c->report_ID; \
202 s->hassavedcoll = 0; \
203 return (1); \
204 } \
205 } while(0)
206
207static int
208hid_get_item_raw(hid_data_t s, hid_item_t *h)
209{
210 hid_item_t nc, *c;
211 unsigned int bTag, bType, bSize;
212 int32_t mask;
213 int32_t dval;
214
215 if (s == NULL((void *)0))
216 return (0);
217
218 if (s->pushlevel >= MAXPUSH4)
219 return (0);
220
221 c = &s->cur[s->pushlevel];
222
223 top:
224 /* check if there is an array of items */
225 if (s->icount < s->ncount) {
226 REPORT_SAVED_COLLdo { if (s->hassavedcoll) { *h = s->savedcoll; h->report_ID
= c->report_ID; s->hassavedcoll = 0; return (1); } } while
(0);
227 /* get current usage */
228 if (s->iusage < s->nusage) {
229 dval = s->usages_min[s->iusage] + s->ousage;
230 c->usage = dval;
231 s->usage_last = dval;
232 if (dval == s->usages_max[s->iusage]) {
233 s->iusage ++;
234 s->ousage = 0;
235 } else {
236 s->ousage ++;
237 }
238 } else {
239 /* Using last usage */
240 dval = s->usage_last;
241 }
242 s->icount ++;
243 /*
244 * Only copy HID item, increment position and return
245 * if correct kindset!
246 */
247 if (s->kindset & (1 << c->kind)) {
248 *h = *c;
249 h->pos = s->pos[c->kind];
250 s->pos[c->kind] += c->report_size * c->report_count;
251 return (1);
252 }
253 }
254
255 /* reset state variables */
256 s->icount = 0;
257 s->ncount = 0;
258 s->iusage = 0;
259 s->nusage = 0;
260 s->susage = 0;
261 s->ousage = 0;
262 hid_clear_local(c);
263
264 /* get next item */
265 while (s->p != s->end) {
266
267 bSize = hid_get_byte(s, 1);
268 if (bSize == 0xfe) {
269 /* long item */
270 bSize = hid_get_byte(s, 1);
271 bSize |= hid_get_byte(s, 1) << 8;
272 bTag = hid_get_byte(s, 1);
273 bType = 0xff; /* XXX what should it be */
274 } else {
275 /* short item */
276 bTag = bSize >> 4;
277 bType = (bSize >> 2) & 3;
278 bSize &= 3;
279 if (bSize == 3)
280 bSize = 4;
281 }
282
283 switch(bSize) {
284 case 0:
285 dval = 0;
286 mask = 0;
287 break;
288 case 1:
289 dval = (int8_t)hid_get_byte(s, 1);
290 mask = 0xFF;
291 break;
292 case 2:
293 dval = hid_get_byte(s, 1);
294 dval |= hid_get_byte(s, 1) << 8;
295 dval = (int16_t)dval;
296 mask = 0xFFFF;
297 break;
298 case 4:
299 dval = hid_get_byte(s, 1);
300 dval |= hid_get_byte(s, 1) << 8;
301 dval |= hid_get_byte(s, 1) << 16;
302 dval |= hid_get_byte(s, 1) << 24;
303 mask = 0xFFFFFFFF;
304 break;
305 default:
306 dval = hid_get_byte(s, bSize);
307 continue;
308 }
309
310 switch (bType) {
311 case 0: /* Main */
312 switch (bTag) {
313 case 8: /* Input */
314 c->kind = hid_input;
315 c->flags = dval;
316 ret:
317 c->report_count = s->loc_count;
318 c->report_size = s->loc_size;
319
320 if (c->flags & HIO_VARIABLE0x002) {
321 /* range check usage count */
322 if (c->report_count > 255) {
323 s->ncount = 255;
324 } else
325 s->ncount = c->report_count;
326
327 /*
328 * The "top" loop will return
329 * one and one item:
330 */
331 c->report_count = 1;
332 c->usage_minimum = 0;
333 c->usage_maximum = 0;
334 } else {
335 s->ncount = 1;
336 }
337 goto top;
338
339 case 9: /* Output */
340 c->kind = hid_output;
341 c->flags = dval;
342 goto ret;
343 case 10: /* Collection */
344 c->kind = hid_collection;
345 c->collection = dval;
346 c->collevel++;
347 c->usage = s->usage_last;
348 nc = *c;
349 if (s->hassavedcoll) {
350 *h = s->savedcoll;
351 h->report_ID = nc.report_ID;
352 s->savedcoll = nc;
353 return (1);
354 } else {
355 s->hassavedcoll = 1;
356 s->savedcoll = nc;
357 }
358 goto top;
359 case 11: /* Feature */
360 c->kind = hid_feature;
361 c->flags = dval;
362 goto ret;
363 case 12: /* End collection */
364 REPORT_SAVED_COLLdo { if (s->hassavedcoll) { *h = s->savedcoll; h->report_ID
= c->report_ID; s->hassavedcoll = 0; return (1); } } while
(0);
365 c->kind = hid_endcollection;
366 if (c->collevel == 0) {
367 /* Invalid end collection. */
368 return (0);
369 }
370 c->collevel--;
371 *h = *c;
372 return (1);
373 default:
374 break;
375 }
376 break;
377
378 case 1: /* Global */
379 switch (bTag) {
380 case 0:
381 c->_usage_page = dval << 16;
382 break;
383 case 1:
384 c->logical_minimum = dval;
385 break;
386 case 2:
387 c->logical_maximum = dval;
388 break;
389 case 3:
390 c->physical_minimum = dval;
391 break;
392 case 4:
393 c->physical_maximum = dval;
394 break;
395 case 5:
396 c->unit_exponent = dval;
397 break;
398 case 6:
399 c->unit = dval;
400 break;
401 case 7:
402 /* mask because value is unsigned */
403 s->loc_size = dval & mask;
404 break;
405 case 8:
406 hid_switch_rid(s, c, dval & mask);
407 break;
408 case 9:
409 /* mask because value is unsigned */
410 s->loc_count = dval & mask;
411 break;
412 case 10: /* Push */
413 if (s->pushlevel < MAXPUSH4 - 1) {
414 s->pushlevel++;
415 s->cur[s->pushlevel] = *c;
416 /* store size and count */
417 c->report_size = s->loc_size;
418 c->report_count = s->loc_count;
419 /* update current item pointer */
420 c = &s->cur[s->pushlevel];
421 }
422 break;
423 case 11: /* Pop */
424 if (s->pushlevel > 0) {
425 s->pushlevel--;
426 c = &s->cur[s->pushlevel];
427 /* restore size and count */
428 s->loc_size = c->report_size;
429 s->loc_count = c->report_count;
430 c->report_size = 0;
431 c->report_count = 0;
432 }
433 break;
434 default:
435 break;
436 }
437 break;
438 case 2: /* Local */
439 switch (bTag) {
440 case 0:
441 if (bSize != 4)
442 dval = (dval & mask) | c->_usage_page;
443
444 /* set last usage, in case of a collection */
445 s->usage_last = dval;
446
447 if (s->nusage < MAXUSAGE100) {
448 s->usages_min[s->nusage] = dval;
449 s->usages_max[s->nusage] = dval;
450 s->nusage ++;
451 }
452 /* else XXX */
453
454 /* clear any pending usage sets */
455 s->susage = 0;
456 break;
457 case 1:
458 s->susage |= 1;
459
460 if (bSize != 4)
461 dval = (dval & mask) | c->_usage_page;
462 c->usage_minimum = dval;
463
464 goto check_set;
465 case 2:
466 s->susage |= 2;
467
468 if (bSize != 4)
469 dval = (dval & mask) | c->_usage_page;
470 c->usage_maximum = dval;
471
472 check_set:
473 if (s->susage != 3)
474 break;
475
476 /* sanity check */
477 if ((s->nusage < MAXUSAGE100) &&
478 (c->usage_minimum <= c->usage_maximum)) {
479 /* add usage range */
480 s->usages_min[s->nusage] =
481 c->usage_minimum;
482 s->usages_max[s->nusage] =
483 c->usage_maximum;
484 s->nusage ++;
485 }
486 /* else XXX */
487
488 s->susage = 0;
489 break;
490 case 3:
491 c->designator_index = dval;
492 break;
493 case 4:
494 c->designator_minimum = dval;
495 break;
496 case 5:
497 c->designator_maximum = dval;
498 break;
499 case 7:
500 c->string_index = dval;
501 break;
502 case 8:
503 c->string_minimum = dval;
504 break;
505 case 9:
506 c->string_maximum = dval;
507 break;
508 case 10:
509 c->set_delimiter = dval;
510 break;
511 default:
512 break;
513 }
514 break;
515 default:
516 break;
517 }
518 }
519 return (0);
520}
521
522int
523hid_get_item(hid_data_t s, hid_item_t *h)
524{
525 int r;
526
527 for (;;) {
528 r = hid_get_item_raw(s, h);
529 if (r <= 0 || s->reportid == -1 || h->report_ID == s->reportid)
530 break;
531 }
532 return (r);
533}
534
535int
536hid_report_size(report_desc_t r, enum hid_kind k, int id)
537{
538 struct hid_data *d;
539 struct hid_item h;
540 uint32_t temp;
541 uint32_t hpos;
542 uint32_t lpos;
543 int report_id = 0;
544
545 hpos = 0;
546 lpos = 0xFFFFFFFF;
547
548 memset(&h, 0, sizeof h);
549 for (d = hid_start_parse(r, 1 << k, id); hid_get_item(d, &h); ) {
550 if (h.kind == k) {
551 /* compute minimum */
552 if (lpos > h.pos)
553 lpos = h.pos;
554 /* compute end position */
555 temp = h.pos + (h.report_size * h.report_count);
556 /* compute maximum */
557 if (hpos < temp)
558 hpos = temp;
559 if (h.report_ID != 0)
560 report_id = 1;
Value stored to 'report_id' is never read
561 }
562 }
563 hid_end_parse(d);
564
565 /* safety check - can happen in case of currupt descriptors */
566 if (lpos > hpos)
567 temp = 0;
568 else
569 temp = hpos - lpos;
570
571 /* No extra byte for the reportID because the kernel skips it. */
572 return ((temp + 7) / 8);
573}
574
575int
576hid_locate(report_desc_t desc, unsigned int u, enum hid_kind k,
577 hid_item_t *h, int id)
578{
579 struct hid_data *d;
580
581 for (d = hid_start_parse(desc, 1 << k, id); hid_get_item(d, h); ) {
582 if (h->kind == k && !(h->flags & HIO_CONST0x001) && h->usage == u) {
583 hid_end_parse(d);
584 return (1);
585 }
586 }
587 hid_end_parse(d);
588 h->report_size = 0;
589 return (0);
590}