The following issues were found
drivers/net/wireless/ath/ath11k/debugfs_htt_stats.c
57 issues
Line: 42
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 buf_len = ATH11K_HTT_STATS_BUF_SIZE;
u8 i;
u16 index = 0;
char data[HTT_MAX_STRING_LEN] = {0};
tag_len = tag_len >> 2;
len += HTT_DBG_OUT(buf + len, buf_len - len, "HTT_STATS_STRING_TLV:");
Reported by FlawFinder.
Line: 193
Column: 2
CWE codes:
119
120
Suggestion:
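Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: in the excerpt the element count is clamped with min_t() to HTT_TX_PDEV_MAX_URRN_STATS before ARRAY_TO_STRING fills urrn_stats; whether HTT_MAX_STRING_LEN is large enough for that many formatted elements depends on the macro, which is not shown here.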
u8 *buf = stats_req->buf;
u32 len = stats_req->buf_len;
u32 buf_len = ATH11K_HTT_STATS_BUF_SIZE;
char urrn_stats[HTT_MAX_STRING_LEN] = {0};
u16 num_elems = min_t(u16, (tag_len >> 2), HTT_TX_PDEV_MAX_URRN_STATS);
len += HTT_DBG_OUT(buf + len, buf_len - len, "HTT_TX_PDEV_STATS_URRN_TLV_V:");
ARRAY_TO_STRING(urrn_stats, htt_stats_buf->urrn_stats, num_elems);
Reported by FlawFinder.
Line: 218
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 *buf = stats_req->buf;
u32 len = stats_req->buf_len;
u32 buf_len = ATH11K_HTT_STATS_BUF_SIZE;
char flush_errs[HTT_MAX_STRING_LEN] = {0};
u16 num_elems = min_t(u16, (tag_len >> 2), HTT_TX_PDEV_MAX_FLUSH_REASON_STATS);
len += HTT_DBG_OUT(buf + len, buf_len - len, "HTT_TX_PDEV_STATS_FLUSH_TLV_V:");
ARRAY_TO_STRING(flush_errs, htt_stats_buf->flush_errs, num_elems);
Reported by FlawFinder.
Line: 243
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 *buf = stats_req->buf;
u32 len = stats_req->buf_len;
u32 buf_len = ATH11K_HTT_STATS_BUF_SIZE;
char sifs_status[HTT_MAX_STRING_LEN] = {0};
u16 num_elems = min_t(u16, (tag_len >> 2), HTT_TX_PDEV_MAX_SIFS_BURST_STATS);
len += HTT_DBG_OUT(buf + len, buf_len - len, "HTT_TX_PDEV_STATS_SIFS_TLV_V:");
ARRAY_TO_STRING(sifs_status, htt_stats_buf->sifs_status, num_elems);
Reported by FlawFinder.
Line: 269
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 *buf = stats_req->buf;
u32 len = stats_req->buf_len;
u32 buf_len = ATH11K_HTT_STATS_BUF_SIZE;
char phy_errs[HTT_MAX_STRING_LEN] = {0};
u16 num_elems = min_t(u16, (tag_len >> 2), HTT_TX_PDEV_MAX_PHY_ERR_STATS);
len += HTT_DBG_OUT(buf + len, buf_len - len, "HTT_TX_PDEV_STATS_PHY_ERR_TLV_V:");
ARRAY_TO_STRING(phy_errs, htt_stats_buf->phy_errs, num_elems);
Reported by FlawFinder.
Line: 294
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 *buf = stats_req->buf;
u32 len = stats_req->buf_len;
u32 buf_len = ATH11K_HTT_STATS_BUF_SIZE;
char sifs_hist_status[HTT_MAX_STRING_LEN] = {0};
u16 num_elems = min_t(u16, (tag_len >> 2), HTT_TX_PDEV_MAX_SIFS_BURST_HIST_STATS);
len += HTT_DBG_OUT(buf + len, buf_len - len,
"HTT_TX_PDEV_STATS_SIFS_HIST_TLV_V:");
Reported by FlawFinder.
Line: 356
Column: 2
CWE codes:
119
120
Suggestion:
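Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: unlike the neighbouring handlers, num_elements in this excerpt is computed from tag_len without a min_t() clamp, and the subtraction wraps if tag_len is smaller than sizeof(htt_stats_buf->hist_bin_size); confirm that required_buffer_size is compared against HTT_MAX_STRING_LEN before tried_mpdu_cnt_hist is written (that check is not visible in these lines).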
u8 *buf = stats_req->buf;
u32 len = stats_req->buf_len;
u32 buf_len = ATH11K_HTT_STATS_BUF_SIZE;
char tried_mpdu_cnt_hist[HTT_MAX_STRING_LEN] = {0};
u32 num_elements = ((tag_len - sizeof(htt_stats_buf->hist_bin_size)) >> 2);
u32 required_buffer_size = HTT_MAX_PRINT_CHAR_PER_ELEM * num_elements;
len += HTT_DBG_OUT(buf + len, buf_len - len,
"HTT_TX_PDEV_STATS_TRIED_MPDU_CNT_HIST_TLV_V:");
Reported by FlawFinder.
Line: 391
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 *buf = stats_req->buf;
u32 len = stats_req->buf_len;
u32 buf_len = ATH11K_HTT_STATS_BUF_SIZE;
char hw_intr_name[HTT_STATS_MAX_HW_INTR_NAME_LEN + 1] = {0};
len += HTT_DBG_OUT(buf + len, buf_len - len, "HTT_HW_STATS_INTR_MISC_TLV:");
memcpy(hw_intr_name, &(htt_stats_buf->hw_intr_name[0]),
HTT_STATS_MAX_HW_INTR_NAME_LEN);
len += HTT_DBG_OUT(buf + len, buf_len - len, "hw_intr_name = %s ", hw_intr_name);
Reported by FlawFinder.
Line: 394
Column: 2
CWE codes:
120
Suggestion:
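Make sure destination can always hold the source data. Triage note: the excerpt declares the destination as HTT_STATS_MAX_HW_INTR_NAME_LEN + 1 bytes, zero-initialised, and copies HTT_STATS_MAX_HW_INTR_NAME_LEN bytes, so the copy fits and the string stays NUL-terminated; the remaining assumption is that the source field is at least that long.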
char hw_intr_name[HTT_STATS_MAX_HW_INTR_NAME_LEN + 1] = {0};
len += HTT_DBG_OUT(buf + len, buf_len - len, "HTT_HW_STATS_INTR_MISC_TLV:");
memcpy(hw_intr_name, &(htt_stats_buf->hw_intr_name[0]),
HTT_STATS_MAX_HW_INTR_NAME_LEN);
len += HTT_DBG_OUT(buf + len, buf_len - len, "hw_intr_name = %s ", hw_intr_name);
len += HTT_DBG_OUT(buf + len, buf_len - len, "mask = %u",
htt_stats_buf->mask);
len += HTT_DBG_OUT(buf + len, buf_len - len, "count = %u\n",
Reported by FlawFinder.
Line: 418
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 *buf = stats_req->buf;
u32 len = stats_req->buf_len;
u32 buf_len = ATH11K_HTT_STATS_BUF_SIZE;
char hw_module_name[HTT_STATS_MAX_HW_MODULE_NAME_LEN + 1] = {0};
len += HTT_DBG_OUT(buf + len, buf_len - len, "HTT_HW_STATS_WD_TIMEOUT_TLV:");
memcpy(hw_module_name, &(htt_stats_buf->hw_module_name[0]),
HTT_STATS_MAX_HW_MODULE_NAME_LEN);
len += HTT_DBG_OUT(buf + len, buf_len - len, "hw_module_name = %s ",
Reported by FlawFinder.
drivers/staging/rtl8192e/rtllib_rx.c
57 issues
Line: 284
Column: 32
CWE codes:
327
Suggestion:
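Use a different algorithm, such as SHA-256, with a larger, non-repeating salt. Triage note: this rule targets calls to the crypt(3) library function; in the excerpts for this file the matched token is a variable or parameter named crypt, so these findings look like name-match false positives rather than uses of a weak hashing algorithm.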
/* Called only as a tasklet (software IRQ), by rtllib_rx */
static inline int
rtllib_rx_frame_decrypt(struct rtllib_device *ieee, struct sk_buff *skb,
struct lib80211_crypt_data *crypt)
{
struct rtllib_hdr_4addr *hdr;
int res, hdrlen;
if (crypt == NULL || crypt->ops->decrypt_mpdu == NULL)
Reported by FlawFinder.
Line: 325
Column: 49
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
/* Called only as a tasklet (software IRQ), by rtllib_rx */
static inline int
rtllib_rx_frame_decrypt_msdu(struct rtllib_device *ieee, struct sk_buff *skb,
int keyidx, struct lib80211_crypt_data *crypt)
{
struct rtllib_hdr_4addr *hdr;
int res, hdrlen;
if (crypt == NULL || crypt->ops->decrypt_msdu == NULL)
Reported by FlawFinder.
Line: 1044
Column: 33
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
}
static int rtllib_rx_get_crypt(struct rtllib_device *ieee, struct sk_buff *skb,
struct lib80211_crypt_data **crypt, size_t hdrlen)
{
struct rtllib_hdr_4addr *hdr = (struct rtllib_hdr_4addr *)skb->data;
u16 fc = le16_to_cpu(hdr->frame_ctl);
int idx = 0;
Reported by FlawFinder.
Line: 1054
Column: 29
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
if (skb->len >= hdrlen + 3)
idx = skb->data[hdrlen + 3] >> 6;
*crypt = ieee->crypt_info.crypt[idx];
/* allow NULL decrypt to indicate an station specific override
* for default encryption
*/
if (*crypt && ((*crypt)->ops == NULL ||
(*crypt)->ops->decrypt_mpdu == NULL))
Reported by FlawFinder.
Line: 1058
Column: 8
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
/* allow NULL decrypt to indicate an station specific override
* for default encryption
*/
if (*crypt && ((*crypt)->ops == NULL ||
(*crypt)->ops->decrypt_mpdu == NULL))
*crypt = NULL;
if (!*crypt && (fc & RTLLIB_FCTL_WEP)) {
/* This seems to be triggered by some (multicast?)
Reported by FlawFinder.
Line: 1058
Column: 20
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
/* allow NULL decrypt to indicate an station specific override
* for default encryption
*/
if (*crypt && ((*crypt)->ops == NULL ||
(*crypt)->ops->decrypt_mpdu == NULL))
*crypt = NULL;
if (!*crypt && (fc & RTLLIB_FCTL_WEP)) {
/* This seems to be triggered by some (multicast?)
Reported by FlawFinder.
Line: 1059
Column: 12
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
* for default encryption
*/
if (*crypt && ((*crypt)->ops == NULL ||
(*crypt)->ops->decrypt_mpdu == NULL))
*crypt = NULL;
if (!*crypt && (fc & RTLLIB_FCTL_WEP)) {
/* This seems to be triggered by some (multicast?)
* frames from other than current BSS, so just drop the
Reported by FlawFinder.
Line: 1062
Column: 9
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
(*crypt)->ops->decrypt_mpdu == NULL))
*crypt = NULL;
if (!*crypt && (fc & RTLLIB_FCTL_WEP)) {
/* This seems to be triggered by some (multicast?)
* frames from other than current BSS, so just drop the
* frames silently instead of filling system log with
* these reports.
*/
Reported by FlawFinder.
Line: 1080
Column: 37
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
static int rtllib_rx_decrypt(struct rtllib_device *ieee, struct sk_buff *skb,
struct rtllib_rx_stats *rx_stats,
struct lib80211_crypt_data *crypt, size_t hdrlen)
{
struct rtllib_hdr_4addr *hdr;
int keyidx = 0;
u16 fc, sc;
u8 frag;
Reported by FlawFinder.
Line: 1097
Column: 46
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
else
ieee->need_sw_enc = 0;
keyidx = rtllib_rx_frame_decrypt(ieee, skb, crypt);
if (ieee->host_decrypt && (fc & RTLLIB_FCTL_WEP) && (keyidx < 0)) {
netdev_info(ieee->dev, "%s: decrypt frame error\n", __func__);
return -1;
}
Reported by FlawFinder.
drivers/net/can/flexcan.c
57 issues
Line: 370
Column: 8
CWE codes:
120
20
struct imx_sc_ipc *sc_ipc_handle;
/* Read and Write APIs */
u32 (*read)(void __iomem *addr);
void (*write)(u32 val, void __iomem *addr);
};
static const struct flexcan_devtype_data fsl_p1010_devtype_data = {
.quirks = FLEXCAN_QUIRK_BROKEN_WERR_STATE |
Reported by FlawFinder.
Line: 519
Column: 30
CWE codes:
120
20
struct flexcan_regs __iomem *regs = priv->regs;
unsigned int timeout = FLEXCAN_TIMEOUT_US / 10;
while (timeout-- && !(priv->read(&regs->mcr) & FLEXCAN_MCR_LPM_ACK))
udelay(10);
if (!(priv->read(&regs->mcr) & FLEXCAN_MCR_LPM_ACK))
return -ETIMEDOUT;
Reported by FlawFinder.
Line: 522
Column: 14
CWE codes:
120
20
while (timeout-- && !(priv->read(&regs->mcr) & FLEXCAN_MCR_LPM_ACK))
udelay(10);
if (!(priv->read(&regs->mcr) & FLEXCAN_MCR_LPM_ACK))
return -ETIMEDOUT;
return 0;
}
Reported by FlawFinder.
Line: 533
Column: 29
CWE codes:
120
20
struct flexcan_regs __iomem *regs = priv->regs;
unsigned int timeout = FLEXCAN_TIMEOUT_US / 10;
while (timeout-- && (priv->read(&regs->mcr) & FLEXCAN_MCR_LPM_ACK))
udelay(10);
if (priv->read(&regs->mcr) & FLEXCAN_MCR_LPM_ACK)
return -ETIMEDOUT;
Reported by FlawFinder.
Line: 536
Column: 12
CWE codes:
120
20
while (timeout-- && (priv->read(&regs->mcr) & FLEXCAN_MCR_LPM_ACK))
udelay(10);
if (priv->read(&regs->mcr) & FLEXCAN_MCR_LPM_ACK)
return -ETIMEDOUT;
return 0;
}
Reported by FlawFinder.
Line: 547
Column: 18
CWE codes:
120
20
struct flexcan_regs __iomem *regs = priv->regs;
u32 reg_mcr;
reg_mcr = priv->read(&regs->mcr);
if (enable)
reg_mcr |= FLEXCAN_MCR_WAK_MSK;
else
reg_mcr &= ~FLEXCAN_MCR_WAK_MSK;
Reported by FlawFinder.
Line: 580
Column: 18
CWE codes:
120
20
u32 reg_mcr;
int ret;
reg_mcr = priv->read(&regs->mcr);
reg_mcr |= FLEXCAN_MCR_SLF_WAK;
priv->write(reg_mcr, &regs->mcr);
/* enable stop request */
if (priv->devtype_data->quirks & FLEXCAN_QUIRK_SETUP_STOP_MODE_SCFW) {
Reported by FlawFinder.
Line: 613
Column: 18
CWE codes:
120
20
1 << priv->stm.req_bit, 0);
}
reg_mcr = priv->read(&regs->mcr);
reg_mcr &= ~FLEXCAN_MCR_SLF_WAK;
priv->write(reg_mcr, &regs->mcr);
return flexcan_low_power_exit_ack(priv);
}
Reported by FlawFinder.
Line: 678
Column: 14
CWE codes:
120
20
struct flexcan_regs __iomem *regs = priv->regs;
u32 reg;
reg = priv->read(&regs->mcr);
reg &= ~FLEXCAN_MCR_MDIS;
priv->write(reg, &regs->mcr);
return flexcan_low_power_exit_ack(priv);
}
Reported by FlawFinder.
Line: 690
Column: 14
CWE codes:
120
20
struct flexcan_regs __iomem *regs = priv->regs;
u32 reg;
reg = priv->read(&regs->mcr);
reg |= FLEXCAN_MCR_MDIS;
priv->write(reg, &regs->mcr);
return flexcan_low_power_enter_ack(priv);
}
Reported by FlawFinder.
tools/lib/traceevent/event-parse.c
57 issues
Line: 5951
CWE codes:
908
if (!next)
cmdline = tep->cmdlines;
while (cmdline < tep->cmdlines + tep->cmdline_count) {
if (strcmp(cmdline->comm, comm) == 0)
return cmdline;
cmdline++;
}
return NULL;
Reported by Cppcheck.
Line: 51
Column: 35
CWE codes:
78
Suggestion:
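try using a library call that implements the same functionality if available. Triage note: this rule targets system(3); the matched token in the excerpt is the struct field event->system, which is only passed as a string argument, and no command is executed on these lines.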
continue; \
\
if (event) \
warning("[%s:%s] " fmt, event->system, \
event->name, ##__VA_ARGS__); \
else \
warning(fmt, ##__VA_ARGS__); \
} while (0)
Reported by FlawFinder.
Line: 983
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
if (!*tok)
strcpy(newtok, buf);
else
strcat(newtok, buf);
*tok = newtok;
return 0;
Reported by FlawFinder.
Line: 985
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (!*tok)
strcpy(newtok, buf);
else
strcat(newtok, buf);
*tok = newtok;
return 0;
}
Reported by FlawFinder.
Line: 1414
Column: 2
CWE codes:
120
Suggestion:
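Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Triage note: the excerpt shows the destination being realloc'ed to strlen(*buf) + strlen(delim) + strlen(str) + 1 bytes immediately before the two strcat calls, so the buffer is sized for exactly this concatenation and the realloc result is checked before use.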
new_buf = realloc(*buf, strlen(*buf) + strlen(delim) + strlen(str) + 1);
if (!new_buf)
return -1;
strcat(new_buf, delim);
strcat(new_buf, str);
*buf = new_buf;
return 0;
}
Reported by FlawFinder.
Line: 1415
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (!new_buf)
return -1;
strcat(new_buf, delim);
strcat(new_buf, str);
*buf = new_buf;
return 0;
}
static int event_read_fields(struct tep_event *event, struct tep_format_field **fields)
Reported by FlawFinder.
Line: 3613
Column: 39
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
if (tep->last_event &&
strcmp(tep->last_event->name, name) == 0 &&
(!sys || strcmp(tep->last_event->system, sys) == 0))
return tep->last_event;
for (i = 0; i < tep->nr_events; i++) {
event = tep->events[i];
if (strcmp(event->name, name) == 0) {
Reported by FlawFinder.
Line: 3621
Column: 22
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
if (strcmp(event->name, name) == 0) {
if (!sys)
break;
if (strcmp(event->system, sys) == 0)
break;
}
}
if (i == tep->nr_events)
event = NULL;
Reported by FlawFinder.
Line: 6250
Column: 22
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
if (res)
return res;
res = strcmp((*ea)->system, (*eb)->system);
if (res)
return res;
return events_id_cmp(a, b);
}
Reported by FlawFinder.
Line: 6250
Column: 37
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
if (res)
return res;
res = strcmp((*ea)->system, (*eb)->system);
if (res)
return res;
return events_id_cmp(a, b);
}
Reported by FlawFinder.
drivers/usb/host/uhci-debug.c
55 issues
Line: 51
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
u32 status, token;
status = td_status(uhci, td);
out += sprintf(out, "%*s[%p] link (%08x) ", space, "", td,
hc32_to_cpu(uhci, td->link));
out += sprintf(out, "e%d %s%s%s%s%s%s%s%s%s%sLength=%x ",
((status >> 27) & 3),
(status & TD_CTRL_SPD) ? "SPD " : "",
(status & TD_CTRL_LS) ? "LS " : "",
Reported by FlawFinder.
Line: 53
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
status = td_status(uhci, td);
out += sprintf(out, "%*s[%p] link (%08x) ", space, "", td,
hc32_to_cpu(uhci, td->link));
out += sprintf(out, "e%d %s%s%s%s%s%s%s%s%s%sLength=%x ",
((status >> 27) & 3),
(status & TD_CTRL_SPD) ? "SPD " : "",
(status & TD_CTRL_LS) ? "LS " : "",
(status & TD_CTRL_IOC) ? "IOC " : "",
(status & TD_CTRL_ACTIVE) ? "Active " : "",
Reported by FlawFinder.
Line: 85
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
break;
}
out += sprintf(out, "MaxLen=%x DT%d EndPt=%x Dev=%x, PID=%x(%s) ",
token >> 21,
((token >> 19) & 1),
(token >> 15) & 15,
(token >> 8) & 127,
(token & 0xff),
Reported by FlawFinder.
Line: 113
Column: 9
CWE codes:
120
Suggestion:
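Use sprintf_s, snprintf, or vsnprintf. Triage note: in this excerpt the length test (out - buf > len) runs only after several unbounded sprintf calls, so safety depends on the buffer having slack beyond len; the allocation that would provide that slack is not visible here and should be checked.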
out += sprintf(out, "urb [%p] ", urbp->urb);
out += sprintf(out, "qh [%p] ", urbp->qh);
out += sprintf(out, "Dev=%d ", usb_pipedevice(urbp->urb->pipe));
out += sprintf(out, "EP=%x(%s) ", usb_pipeendpoint(urbp->urb->pipe),
(usb_pipein(urbp->urb->pipe) ? "IN" : "OUT"));
if (out - buf > len)
goto done;
switch (usb_pipetype(urbp->urb->pipe)) {
Reported by FlawFinder.
Line: 126
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case PIPE_CONTROL: ptype = "CTL"; break;
}
out += sprintf(out, "%s%s", ptype, (urbp->fsbr ? " FSBR" : ""));
out += sprintf(out, " Actlen=%d%s", urbp->urb->actual_length,
(urbp->qh->type == USB_ENDPOINT_XFER_CONTROL ?
"-8" : ""));
if (urbp->urb->unlinked)
Reported by FlawFinder.
Line: 127
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
out += sprintf(out, "%s%s", ptype, (urbp->fsbr ? " FSBR" : ""));
out += sprintf(out, " Actlen=%d%s", urbp->urb->actual_length,
(urbp->qh->type == USB_ENDPOINT_XFER_CONTROL ?
"-8" : ""));
if (urbp->urb->unlinked)
out += sprintf(out, " Unlinked=%d", urbp->urb->unlinked);
Reported by FlawFinder.
Line: 142
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
list_for_each_entry(td, &urbp->td_list, list) {
if (urbp->qh->type != USB_ENDPOINT_XFER_ISOC &&
(++i <= 10 || debug > 2)) {
out += sprintf(out, "%*s%d: ", space + 2, "", i);
out += uhci_show_td(uhci, td, out,
len - (out - buf), 0);
if (out - buf > len)
goto tail;
} else {
Reported by FlawFinder.
Line: 155
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
}
if (nactive + ninactive > 0)
out += sprintf(out,
"%*s[skipped %d inactive and %d active TDs]\n",
space, "", ninactive, nactive);
done:
if (out - buf > len)
out += sprintf(out, " ...\n");
Reported by FlawFinder.
Line: 181
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
default: qtype = "Skel" ; break;
}
out += sprintf(out, "%*s[%p] %s QH link (%08x) element (%08x)\n",
space, "", qh, qtype,
hc32_to_cpu(uhci, qh->link),
hc32_to_cpu(uhci, element));
if (qh->type == USB_ENDPOINT_XFER_ISOC)
out += sprintf(out,
Reported by FlawFinder.
Line: 186
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
hc32_to_cpu(uhci, qh->link),
hc32_to_cpu(uhci, element));
if (qh->type == USB_ENDPOINT_XFER_ISOC)
out += sprintf(out,
"%*s period %d phase %d load %d us, frame %x desc [%p]\n",
space, "", qh->period, qh->phase, qh->load,
qh->iso_frame, qh->iso_packet_desc);
else if (qh->type == USB_ENDPOINT_XFER_INT)
out += sprintf(out, "%*s period %d phase %d load %d us\n",
Reported by FlawFinder.
drivers/scsi/hpsa.c
55 issues
Line: 995
Column: 13
CWE codes:
362/367!
Suggestion:
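Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Triage note: this rule targets the access(2) file-permission check; in the excerpts for this file the matched token is a struct member named access (h->access, products[i].access), so no check-then-use race on a file is evident from these lines.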
struct reply_queue_buffer *rq = &h->reply_queue[q];
if (h->transMethod & CFGTBL_Trans_io_accel1)
return h->access.command_completed(h, q);
if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
return h->access.command_completed(h, q);
if ((rq->head[rq->current_entry] & 1) == rq->wraparound) {
Reported by FlawFinder.
Line: 998
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return h->access.command_completed(h, q);
if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
return h->access.command_completed(h, q);
if ((rq->head[rq->current_entry] & 1) == rq->wraparound) {
a = rq->head[rq->current_entry];
rq->current_entry++;
atomic_dec(&h->commands_outstanding);
Reported by FlawFinder.
Line: 1175
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
break;
default:
set_performant_mode(h, c, reply_queue);
h->access.submit_command(h, c);
}
}
static void enqueue_cmd_and_start_io(struct ctlr_info *h, struct CommandList *c)
{
Reported by FlawFinder.
Line: 6089
Column: 2
CWE codes:
120
Suggestion:
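Use sprintf_s, snprintf, or vsnprintf. Triage note: every %s argument in the excerpt is a string literal, so the longest possible output is a compile-time constant; compare it with the declared size of msg, which is not shown here.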
else
reset_type = HPSA_PHYS_TARGET_RESET;
sprintf(msg, "resetting %s",
reset_type == HPSA_DEVICE_RESET_MSG ? "logical " : "physical ");
hpsa_show_dev_msg(KERN_WARNING, h, dev, msg);
/*
* wait to see if any commands will complete before sending reset
Reported by FlawFinder.
Line: 6111
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else
rc = FAILED;
sprintf(msg, "reset %s %s",
reset_type == HPSA_DEVICE_RESET_MSG ? "logical " : "physical ",
rc == SUCCESS ? "completed successfully" : "failed");
hpsa_show_dev_msg(KERN_WARNING, h, dev, msg);
return_reset_status:
Reported by FlawFinder.
Line: 6937
Column: 12
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/*
 * Return the next completion value for queue index q by calling the
 * command_completed hook reached through h->access. Here `access` is a
 * member of struct ctlr_info whose fields are called as functions; it is
 * not the access(2) system call.
 */
static inline unsigned long get_next_completion(struct ctlr_info *h, u8 q)
{
	unsigned long completed = h->access.command_completed(h, q);

	return completed;
}
static inline bool interrupt_pending(struct ctlr_info *h)
{
return h->access.intr_pending(h);
Reported by FlawFinder.
Line: 6942
Column: 12
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/*
 * Report whether the controller has an interrupt pending, as answered by
 * the intr_pending hook reached through h->access (a struct member, not
 * the access(2) system call).
 */
static inline bool interrupt_pending(struct ctlr_info *h)
{
	bool pending = h->access.intr_pending(h);

	return pending;
}
static inline long interrupt_not_for_us(struct ctlr_info *h)
{
return (h->access.intr_pending(h) == 0) ||
Reported by FlawFinder.
Line: 6947
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/*
 * Return non-zero when an interrupt should be ignored by this controller:
 * either the intr_pending hook reports nothing pending, or the
 * interrupts_enabled field of h is zero.
 */
static inline long interrupt_not_for_us(struct ctlr_info *h)
{
	/* Checked first, as in the original short-circuit expression. */
	if (h->access.intr_pending(h) == 0)
		return 1;

	return h->interrupts_enabled == 0;
}
static inline int bad_tag(struct ctlr_info *h, u32 tag_index,
u32 raw_tag)
Reported by FlawFinder.
Line: 7555
Column: 20
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
*legacy_board = false;
for (i = 0; i < ARRAY_SIZE(products); i++)
if (*board_id == products[i].board_id) {
if (products[i].access != &SA5A_access &&
products[i].access != &SA5B_access)
return i;
dev_warn(&pdev->dev,
"legacy board ID: 0x%08x\n",
*board_id);
Reported by FlawFinder.
Line: 7556
Column: 20
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
for (i = 0; i < ARRAY_SIZE(products); i++)
if (*board_id == products[i].board_id) {
if (products[i].access != &SA5A_access &&
products[i].access != &SA5B_access)
return i;
dev_warn(&pdev->dev,
"legacy board ID: 0x%08x\n",
*board_id);
if (legacy_board)
Reported by FlawFinder.
net/iucv/af_iucv.c
54 issues
Line: 38
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define VERSION "1.2"
static char iucv_userid[80];
static struct proto iucv_proto = {
.name = "AF_IUCV",
.owner = THIS_MODULE,
.obj_size = sizeof(struct iucv_sock),
Reported by FlawFinder.
Line: 102
Column: 8
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Copy exactly 8 bytes from src into dst[0..7]. No length is passed in, so
 * the caller must supply at least 8 readable bytes at src and 8 writable
 * bytes at dst; no terminator is added.
 */
static inline void high_nmcpy(unsigned char *dst, char *src)
{
	enum { NM_LEN = 8 };

	memcpy(&dst[0], src, NM_LEN);
}
static inline void low_nmcpy(unsigned char *dst, char *src)
{
memcpy(&dst[8], src, 8);
Reported by FlawFinder.
Line: 107
Column: 8
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Copy exactly 8 bytes from src into dst[8..15]. No length is passed in, so
 * the caller must supply at least 8 readable bytes at src and a destination
 * of at least 16 bytes; no terminator is added.
 */
static inline void low_nmcpy(unsigned char *dst, char *src)
{
	enum { NM_LEN = 8, NM_OFFSET = 8 };

	memcpy(dst + NM_OFFSET, src, NM_LEN);
}
/**
* iucv_msg_length() - Returns the length of an iucv message.
* @msg: Pointer to struct iucv_message, MUST NOT be NULL
Reported by FlawFinder.
Line: 215
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (confirm_recv)
phs_hdr->flags = phs_hdr->flags | AF_IUCV_FLAG_WIN;
}
memcpy(phs_hdr->destUserID, iucv->dst_user_id, 8);
memcpy(phs_hdr->destAppName, iucv->dst_name, 8);
memcpy(phs_hdr->srcUserID, iucv->src_user_id, 8);
memcpy(phs_hdr->srcAppName, iucv->src_name, 8);
ASCEBC(phs_hdr->destUserID, sizeof(phs_hdr->destUserID));
ASCEBC(phs_hdr->destAppName, sizeof(phs_hdr->destAppName));
Reported by FlawFinder.
Line: 216
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
phs_hdr->flags = phs_hdr->flags | AF_IUCV_FLAG_WIN;
}
memcpy(phs_hdr->destUserID, iucv->dst_user_id, 8);
memcpy(phs_hdr->destAppName, iucv->dst_name, 8);
memcpy(phs_hdr->srcUserID, iucv->src_user_id, 8);
memcpy(phs_hdr->srcAppName, iucv->src_name, 8);
ASCEBC(phs_hdr->destUserID, sizeof(phs_hdr->destUserID));
ASCEBC(phs_hdr->destAppName, sizeof(phs_hdr->destAppName));
ASCEBC(phs_hdr->srcUserID, sizeof(phs_hdr->srcUserID));
Reported by FlawFinder.
Line: 217
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(phs_hdr->destUserID, iucv->dst_user_id, 8);
memcpy(phs_hdr->destAppName, iucv->dst_name, 8);
memcpy(phs_hdr->srcUserID, iucv->src_user_id, 8);
memcpy(phs_hdr->srcAppName, iucv->src_name, 8);
ASCEBC(phs_hdr->destUserID, sizeof(phs_hdr->destUserID));
ASCEBC(phs_hdr->destAppName, sizeof(phs_hdr->destAppName));
ASCEBC(phs_hdr->srcUserID, sizeof(phs_hdr->srcUserID));
ASCEBC(phs_hdr->srcAppName, sizeof(phs_hdr->srcAppName));
Reported by FlawFinder.
Line: 218
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(phs_hdr->destUserID, iucv->dst_user_id, 8);
memcpy(phs_hdr->destAppName, iucv->dst_name, 8);
memcpy(phs_hdr->srcUserID, iucv->src_user_id, 8);
memcpy(phs_hdr->srcAppName, iucv->src_name, 8);
ASCEBC(phs_hdr->destUserID, sizeof(phs_hdr->destUserID));
ASCEBC(phs_hdr->destAppName, sizeof(phs_hdr->destAppName));
ASCEBC(phs_hdr->srcUserID, sizeof(phs_hdr->srcUserID));
ASCEBC(phs_hdr->srcAppName, sizeof(phs_hdr->srcAppName));
if (imsg)
Reported by FlawFinder.
Line: 224
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ASCEBC(phs_hdr->srcUserID, sizeof(phs_hdr->srcUserID));
ASCEBC(phs_hdr->srcAppName, sizeof(phs_hdr->srcAppName));
if (imsg)
memcpy(&phs_hdr->iucv_hdr, imsg, sizeof(struct iucv_message));
skb->dev = iucv->hs_dev;
if (!skb->dev) {
err = -ENODEV;
goto err_free;
Reported by FlawFinder.
Line: 335
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Terminate an IUCV path */
static void iucv_sever_path(struct sock *sk, int with_user_data)
{
unsigned char user_data[16];
struct iucv_sock *iucv = iucv_sk(sk);
struct iucv_path *path = iucv->path;
if (iucv->path) {
iucv->path = NULL;
Reported by FlawFinder.
Line: 554
Column: 2
CWE codes:
119
120
Suggestion:
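Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: the only writes to name visible in the excerpt are sprintf(name, "%08x", ...); for a 32-bit value that is at most 8 hex digits plus the terminator, i.e. 9 bytes into a 12-byte array.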
static void __iucv_auto_name(struct iucv_sock *iucv)
{
char name[12];
sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
while (__iucv_get_sock_by_name(name)) {
sprintf(name, "%08x",
atomic_inc_return(&iucv_sk_list.autobind_name));
Reported by FlawFinder.
tools/perf/scripts/python/check-perf-trace.py
54 issues
Line: 18
Column: 1
sys.path.append(os.environ['PERF_EXEC_PATH'] + \
'/scripts/python/Perf-Trace-Util/lib/Perf/Trace')
from Core import *
from perf_trace_context import *
unhandled = autodict()
def trace_begin():
Reported by Pylint.
Line: 19
Column: 1
'/scripts/python/Perf-Trace-Util/lib/Perf/Trace')
from Core import *
from perf_trace_context import *
unhandled = autodict()
def trace_begin():
print("trace_begin")
Reported by Pylint.
Line: 21
Column: 13
from Core import *
from perf_trace_context import *
unhandled = autodict()
def trace_begin():
print("trace_begin")
pass
Reported by Pylint.
Line: 38
Column: 20
print_uncommon(context)
print("vec=%s" % (symbol_str("irq__softirq_entry", "vec", vec)))
def kmem__kmalloc(event_name, context, common_cpu,
common_secs, common_nsecs, common_pid, common_comm,
common_callchain, call_site, ptr, bytes_req, bytes_alloc,
gfp_flags):
Reported by Pylint.
Line: 52
Column: 3
print("call_site=%u, ptr=%u, bytes_req=%u, "
"bytes_alloc=%u, gfp_flags=%s" %
(call_site, ptr, bytes_req, bytes_alloc,
flag_str("kmem__kmalloc", "gfp_flags", gfp_flags)))
def trace_unhandled(event_name, context, event_fields_dict):
try:
unhandled[event_name] += 1
except TypeError:
Reported by Pylint.
Line: 69
Column: 4
def print_uncommon(context):
print("common_preempt_count=%d, common_flags=%s, "
"common_lock_depth=%d, " %
(common_pc(context), trace_flag_str(common_flags(context)),
common_lock_depth(context)))
def print_unhandled():
keys = unhandled.keys()
if not keys:
Reported by Pylint.
Line: 69
Column: 24
def print_uncommon(context):
print("common_preempt_count=%d, common_flags=%s, "
"common_lock_depth=%d, " %
(common_pc(context), trace_flag_str(common_flags(context)),
common_lock_depth(context)))
def print_unhandled():
keys = unhandled.keys()
if not keys:
Reported by Pylint.
Line: 69
Column: 39
def print_uncommon(context):
print("common_preempt_count=%d, common_flags=%s, "
"common_lock_depth=%d, " %
(common_pc(context), trace_flag_str(common_flags(context)),
common_lock_depth(context)))
def print_unhandled():
keys = unhandled.keys()
if not keys:
Reported by Pylint.
Line: 70
Column: 3
print("common_preempt_count=%d, common_flags=%s, "
"common_lock_depth=%d, " %
(common_pc(context), trace_flag_str(common_flags(context)),
common_lock_depth(context)))
def print_unhandled():
keys = unhandled.keys()
if not keys:
return
Reported by Pylint.
Line: 18
Column: 1
sys.path.append(os.environ['PERF_EXEC_PATH'] + \
'/scripts/python/Perf-Trace-Util/lib/Perf/Trace')
from Core import *
from perf_trace_context import *
unhandled = autodict()
def trace_begin():
Reported by Pylint.
lib/vsprintf.c
54 issues
Line: 1363
CWE codes:
908
*p++ = temp[digits];
if (i < 3)
*p++ = '.';
index += step;
}
*p = '\0';
return p;
}
Reported by Cppcheck.
Line: 1694
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
return buf;
va_copy(va, *va_fmt->va);
buf += vsnprintf(buf, end > buf ? end - buf : 0, va_fmt->fmt, va);
va_end(va);
return buf;
}
Reported by FlawFinder.
Line: 1791
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
*p++ = isascii(c) && isprint(c) ? c : '.';
}
strcpy(p, *fourcc & BIT(31) ? " big-endian" : " little-endian");
p += strlen(p);
*p++ = ' ';
*p++ = '(';
p = special_hex_number(p, output + sizeof(output) - 2, *fourcc, sizeof(u32));
Reported by FlawFinder.
Line: 2727
Column: 5
CWE codes:
134
Suggestion:
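Use a constant for the format specification. Triage note: the flagged line in this excerpt is the definition of vsnprintf() itself, where fmt is necessarily a parameter; the format-string concern applies to call sites that pass a non-constant format, not to this definition.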
*
* If you're not already dealing with a va_list consider using snprintf().
*/
int vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
{
unsigned long long num;
char *str, *end;
struct printf_spec spec = {0};
Reported by FlawFinder.
Line: 2879
Column: 15
CWE codes:
134
Suggestion:
Use a constant for the format specification
return str-buf;
}
EXPORT_SYMBOL(vsnprintf);
/**
* vscnprintf - Format a string and place it in a buffer
* @buf: The buffer to place the result into
* @size: The size of the buffer, including the trailing null space
Reported by FlawFinder.
Line: 2900
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
{
int i;
i = vsnprintf(buf, size, fmt, args);
if (likely(i < size))
return i;
if (size != 0)
return size - 1;
Reported by FlawFinder.
Line: 2924
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
*
* See the vsnprintf() documentation for format string extensions over C99.
*/
int snprintf(char *buf, size_t size, const char *fmt, ...)
{
va_list args;
int i;
va_start(args, fmt);
Reported by FlawFinder.
Line: 2930
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
int i;
va_start(args, fmt);
i = vsnprintf(buf, size, fmt, args);
va_end(args);
return i;
}
EXPORT_SYMBOL(snprintf);
Reported by FlawFinder.
Line: 2935
Column: 15
CWE codes:
134
Suggestion:
Use a constant for the format specification
return i;
}
EXPORT_SYMBOL(snprintf);
/**
* scnprintf - Format a string and place it in a buffer
* @buf: The buffer to place the result into
* @size: The size of the buffer, including the trailing null space
Reported by FlawFinder.
Line: 2975
Column: 5
CWE codes:
134
Suggestion:
Make format string constant
*
* See the vsnprintf() documentation for format string extensions over C99.
*/
int vsprintf(char *buf, const char *fmt, va_list args)
{
	/*
	 * There is no caller-supplied limit to forward, so INT_MAX is passed
	 * as the size: the bound handed to vsnprintf() is unrelated to the
	 * real capacity of @buf, and the caller must guarantee that @buf can
	 * hold the formatted result.
	 */
	int written = vsnprintf(buf, INT_MAX, fmt, args);

	return written;
}
EXPORT_SYMBOL(vsprintf);
Reported by FlawFinder.
drivers/net/wireless/ath/wcn36xx/smd.c
53 issues
Line: 381
Column: 3
CWE codes:
120
Suggestion:
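Make sure destination can always hold the source data. The copy length in this excerpt is the constant `ETH_ALEN`, so the check reduces to confirming that `sta_params->mac` and `sta_params->bssid` are at least that large (their declarations are not shown here).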
* contains bssid and ieee80211_sta contains mac.
*/
if (NL80211_IFTYPE_STATION == vif->type)
memcpy(&sta_params->mac, vif->addr, ETH_ALEN);
else
memcpy(&sta_params->bssid, vif->addr, ETH_ALEN);
sta_params->encrypt_type = vif_priv->encrypt_type;
sta_params->short_preamble_supported = true;
Reported by FlawFinder.
Line: 383
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (NL80211_IFTYPE_STATION == vif->type)
memcpy(&sta_params->mac, vif->addr, ETH_ALEN);
else
memcpy(&sta_params->bssid, vif->addr, ETH_ALEN);
sta_params->encrypt_type = vif_priv->encrypt_type;
sta_params->short_preamble_supported = true;
sta_params->rifs_mode = 0;
Reported by FlawFinder.
Line: 400
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sta) {
sta_priv = wcn36xx_sta_to_priv(sta);
if (NL80211_IFTYPE_STATION == vif->type)
memcpy(&sta_params->bssid, sta->addr, ETH_ALEN);
else
memcpy(&sta_params->mac, sta->addr, ETH_ALEN);
sta_params->wmm_enabled = sta->wme;
sta_params->max_sp_len = sta->max_sp;
sta_params->aid = sta_priv->aid;
Reported by FlawFinder.
Line: 402
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (NL80211_IFTYPE_STATION == vif->type)
memcpy(&sta_params->bssid, sta->addr, ETH_ALEN);
else
memcpy(&sta_params->mac, sta->addr, ETH_ALEN);
sta_params->wmm_enabled = sta->wme;
sta_params->max_sp_len = sta->max_sp;
sta_params->aid = sta_priv->aid;
wcn36xx_smd_set_sta_ht_params(sta, sta_params);
memcpy(&sta_params->supported_rates, &sta_priv->supported_rates,
Reported by FlawFinder.
Line: 407
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sta_params->max_sp_len = sta->max_sp;
sta_params->aid = sta_priv->aid;
wcn36xx_smd_set_sta_ht_params(sta, sta_params);
memcpy(&sta_params->supported_rates, &sta_priv->supported_rates,
sizeof(struct wcn36xx_hal_supported_rates));
} else {
wcn36xx_set_default_rates((struct wcn36xx_hal_supported_rates *)
&sta_params->supported_rates);
wcn36xx_smd_set_sta_default_ht_params(sta_params);
Reported by FlawFinder.
Line: 473
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
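/*
 * Zero msg_body.header.len bytes of send_buf, then copy the message
 * structure to its start. Neither length is compared with the capacity of
 * send_buf: the macro takes no size argument, so the caller has to ensure
 * that the destination holds both header.len and sizeof(msg_body) bytes.
 * Both arguments are evaluated more than once and are parenthesized so that
 * expressions such as *ptr expand correctly.
 */
#define PREPARE_HAL_BUF(send_buf, msg_body) \
	do { \
		memset((send_buf), 0, (msg_body).header.len); \
		memcpy((send_buf), &(msg_body), sizeof(msg_body)); \
	} while (0)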
#define PREPARE_HAL_PTT_MSG_BUF(send_buf, p_msg_body) \
do { \
memcpy(send_buf, p_msg_body, p_msg_body->header.len); \
Reported by FlawFinder.
Line: 478
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
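/*
 * Copy p_msg_body->header.len bytes from the message into send_buf. The
 * length comes from the message header and is not compared with the capacity
 * of send_buf or with the size of the object p_msg_body points to; both are
 * the caller's responsibility. The pointer argument is parenthesized so that
 * an expression such as &msg expands correctly.
 */
#define PREPARE_HAL_PTT_MSG_BUF(send_buf, p_msg_body) \
	do { \
		memcpy((send_buf), (p_msg_body), (p_msg_body)->header.len); \
	} while (0)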
static int wcn36xx_smd_rsp_status_check(void *buf, size_t len)
{
struct wcn36xx_fw_msg_status_rsp *rsp;
Reported by FlawFinder.
Line: 539
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Add load NV request message header */
memcpy(wcn->hal_buf, &msg_body, sizeof(msg_body));
/* Add NV body itself */
memcpy(wcn->hal_buf + sizeof(msg_body),
&nv_d->table + fm_offset,
msg_body.nv_img_buffer_size);
Reported by FlawFinder.
Line: 542
Column: 3
CWE codes:
120
Suggestion:
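Make sure destination can always hold the source data. For the second copy this means `sizeof(msg_body) + msg_body.nv_img_buffer_size` must not exceed the size of `wcn->hal_buf`; how `nv_img_buffer_size` is bounded is not visible in this excerpt.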
memcpy(wcn->hal_buf, &msg_body, sizeof(msg_body));
/* Add NV body itself */
memcpy(wcn->hal_buf + sizeof(msg_body),
&nv_d->table + fm_offset,
msg_body.nv_img_buffer_size);
ret = wcn36xx_smd_send_and_wait(wcn, msg_body.header.len);
if (ret)
Reported by FlawFinder.
Line: 578
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (WCN36XX_FW_MSG_RESULT_SUCCESS != rsp->start_rsp_params.status)
return -EIO;
memcpy(wcn->crm_version, rsp->start_rsp_params.crm_version,
WCN36XX_HAL_VERSION_LENGTH);
memcpy(wcn->wlan_version, rsp->start_rsp_params.wlan_version,
WCN36XX_HAL_VERSION_LENGTH);
/* null terminate the strings, just in case */
Reported by FlawFinder.