The following issues were found
drivers/net/usb/hso.c
13 issues
Line: 341
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
static char name[255];
sprintf(name, "hso[%d:%s]", line_count, func_name);
print_hex_dump_bytes(name, DUMP_PREFIX_NONE, buf, len);
}
#define DUMP(buf_, len_) \
dbg_dump(__LINE__, __func__, (unsigned char *)buf_, len_)
Reported by FlawFinder.
Line: 505
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
break;
}
return sprintf(buf, "%s\n", port_name);
}
static DEVICE_ATTR_RO(hsotype);
static struct attribute *hso_serial_dev_attrs[] = {
&dev_attr_hsotype.attr,
Reported by FlawFinder.
Line: 2079
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
break;
}
if ((hso_dev->port_spec & HSO_PORT_MASK) == HSO_PORT_NETWORK) {
sprintf(port_dev, "%s", dev2net(hso_dev)->net->name);
} else
sprintf(port_dev, "/dev/%s%d", tty_filename,
dev2ser(hso_dev)->minor);
dev_dbg(&hso_dev->interface->dev, "HSO: Found %s port %s\n",
Reported by FlawFinder.
Line: 2081
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if ((hso_dev->port_spec & HSO_PORT_MASK) == HSO_PORT_NETWORK) {
sprintf(port_dev, "%s", dev2net(hso_dev)->net->name);
} else
sprintf(port_dev, "/dev/%s%d", tty_filename,
dev2ser(hso_dev)->minor);
dev_dbg(&hso_dev->interface->dev, "HSO: Found %s port %s\n",
port_type, port_dev);
}
Reported by FlawFinder.
Line: 132
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hso_device *parent;
struct net_device *net;
struct rfkill *rfkill;
char name[24];
struct usb_endpoint_descriptor *in_endp;
struct usb_endpoint_descriptor *out_endp;
struct urb *mux_bulk_rx_urb_pool[MUX_BULK_RX_BUF_COUNT];
Reported by FlawFinder.
Line: 339
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void dbg_dump(int line_count, const char *func_name, unsigned char *buf,
unsigned int len)
{
static char name[255];
sprintf(name, "hso[%d:%s]", line_count, func_name);
print_hex_dump_bytes(name, DUMP_PREFIX_NONE, buf, len);
}
Reported by FlawFinder.
Line: 785
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* log if asked */
DUMP1(skb->data, skb->len);
/* Copy it from kernel memory to OUR memory */
memcpy(odev->mux_bulk_tx_buf, skb->data, skb->len);
hso_dbg(0x1, "len: %d/%d\n", skb->len, MUX_BULK_TX_BUF_SIZE);
/* Fill in the URB for shipping it out. */
usb_fill_bulk_urb(odev->mux_bulk_tx_urb,
odev->parent->usb,
Reported by FlawFinder.
Line: 861
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
odev->rx_buf_missing) ? count : odev->
rx_buf_missing;
memcpy(((unsigned char *)(&odev->rx_ip_hdr)) +
odev->rx_buf_size, ip_pkt + buffer_offset,
temp_bytes);
odev->rx_buf_size += temp_bytes;
buffer_offset += temp_bytes;
Reported by FlawFinder.
Line: 1347
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!tx_bytes)
goto out;
memcpy(serial->tx_buffer + serial->tx_buffer_count, buf, tx_bytes);
serial->tx_buffer_count += tx_bytes;
out:
spin_unlock_irqrestore(&serial->serial_lock, flags);
Reported by FlawFinder.
Line: 1555
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* note the counters on entry
*/
spin_lock_irq(&serial->serial_lock);
memcpy(&cprev, &tiocmget->icount, sizeof(struct uart_icount));
spin_unlock_irq(&serial->serial_lock);
add_wait_queue(&tiocmget->waitq, &wait);
for (;;) {
spin_lock_irq(&serial->serial_lock);
memcpy(&cnow, &tiocmget->icount, sizeof(struct uart_icount));
Reported by FlawFinder.
scripts/kallsyms.c
13 issues
Line: 243
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
sym->addr = addr;
sym->len = len;
sym->sym[0] = type;
strcpy(sym_name(sym), name);
sym->percpu_absolute = 0;
return sym;
}
Reported by FlawFinder.
Line: 67
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int token_profit[0x10000];
/* the table that holds the result of the compression */
static unsigned char best_table[256][2];
static unsigned char best_table_len[256];
static void usage(void)
{
Reported by FlawFinder.
Line: 68
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* the table that holds the result of the compression */
static unsigned char best_table[256][2];
static unsigned char best_table_len[256];
static void usage(void)
{
fprintf(stderr, "Usage: kallsyms [--all-symbols] "
Reported by FlawFinder.
Line: 200
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct sym_entry *read_symbol(FILE *in)
{
char name[500], type;
unsigned long long addr;
unsigned int len;
struct sym_entry *sym;
int rc;
Reported by FlawFinder.
Line: 392
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int i, k, off;
unsigned int best_idx[256];
unsigned int *markers;
char buf[KSYM_NAME_LEN];
printf("#include <asm/bitsperlong.h>\n");
printf("#if BITS_PER_LONG == 64\n");
printf("#define PTR .quad\n");
printf("#define ALGN .balign 8\n");
Reported by FlawFinder.
Line: 146
Column: 26
CWE codes:
126
return true;
for (p = ignored_prefixes; *p; p++)
if (!strncmp(name, *p, strlen(*p)))
return true;
for (p = ignored_suffixes; *p; p++) {
int l = strlen(name) - strlen(*p);
Reported by FlawFinder.
Line: 150
Column: 26
CWE codes:
126
return true;
for (p = ignored_suffixes; *p; p++) {
int l = strlen(name) - strlen(*p);
if (l >= 0 && !strcmp(name + l, *p))
return true;
}
Reported by FlawFinder.
Line: 150
Column: 11
CWE codes:
126
return true;
for (p = ignored_suffixes; *p; p++) {
int l = strlen(name) - strlen(*p);
if (l >= 0 && !strcmp(name + l, *p))
return true;
}
Reported by FlawFinder.
Line: 206
Column: 7
CWE codes:
120
Suggestion:
Check that the limit is sufficiently small, or use a different input function
struct sym_entry *sym;
int rc;
rc = fscanf(in, "%llx %c %499s\n", &addr, &type, name);
if (rc != 3) {
if (rc != EOF && fgets(name, 500, in) == NULL)
fprintf(stderr, "Read error or end of file.\n");
return NULL;
}
Reported by FlawFinder.
Line: 212
Column: 6
CWE codes:
126
fprintf(stderr, "Read error or end of file.\n");
return NULL;
}
if (strlen(name) >= KSYM_NAME_LEN) {
fprintf(stderr, "Symbol %s too long for kallsyms (%zu >= %d).\n"
"Please increase KSYM_NAME_LEN both in kernel and kallsyms.c\n",
name, strlen(name), KSYM_NAME_LEN);
return NULL;
}
Reported by FlawFinder.
drivers/net/usb/ax88179_178a.c
13 issues
Line: 610
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy(data, (u8 *)eeprom_buff + (eeprom->offset & 1), eeprom->len);
kfree(eeprom_buff);
return 0;
}
static int
Reported by FlawFinder.
Line: 663
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy((u8 *)eeprom_buff + (eeprom->offset & 1), data, eeprom->len);
for (i = first_word; i <= last_word; i++) {
netdev_dbg(net, "write to EEPROM at offset 0x%02x, data 0x%04x\n",
i, eeprom_buff[i - first_word]);
ret = ax88179_write_cmd(dev, AX_ACCESS_EEPROM, i, 1, 2,
Reported by FlawFinder.
Line: 1018
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!is_valid_ether_addr(addr->sa_data))
return -EADDRNOTAVAIL;
memcpy(net->dev_addr, addr->sa_data, ETH_ALEN);
/* Set the MAC address */
ret = ax88179_write_cmd(dev, AX_ACCESS_MAC, AX_NODE_ID, ETH_ALEN,
ETH_ALEN, net->dev_addr);
if (ret < 0)
Reported by FlawFinder.
Line: 1313
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (is_valid_ether_addr(mac)) {
memcpy(dev->net->dev_addr, mac, ETH_ALEN);
} else {
netdev_info(dev->net, "invalid MAC address, using random\n");
eth_hw_addr_random(dev->net);
}
Reported by FlawFinder.
Line: 1351
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Read MAC address from DTB or asix chip */
ax88179_get_mac_addr(dev);
memcpy(dev->net->perm_addr, dev->net->dev_addr, ETH_ALEN);
/* RX bulk configuration */
memcpy(tmp, &AX88179_BULKIN_SIZE[0], 5);
ax88179_write_cmd(dev, AX_ACCESS_MAC, AX_RX_BULKIN_QCTRL, 5, 5, tmp);
Reported by FlawFinder.
Line: 1354
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dev->net->perm_addr, dev->net->dev_addr, ETH_ALEN);
/* RX bulk configuration */
memcpy(tmp, &AX88179_BULKIN_SIZE[0], 5);
ax88179_write_cmd(dev, AX_ACCESS_MAC, AX_RX_BULKIN_QCTRL, 5, 5, tmp);
dev->rx_urb_size = 1024 * 20;
*tmp = 0x34;
Reported by FlawFinder.
Line: 1592
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mode |= AX_MEDIUM_JUMBO_EN;
if (link_sts & AX_USB_SS)
memcpy(tmp, &AX88179_BULKIN_SIZE[0], 5);
else if (link_sts & AX_USB_HS)
memcpy(tmp, &AX88179_BULKIN_SIZE[1], 5);
else
memcpy(tmp, &AX88179_BULKIN_SIZE[3], 5);
} else if (GMII_PHY_PHYSR_100 == (tmp16 & GMII_PHY_PHYSR_SMASK)) {
Reported by FlawFinder.
Line: 1594
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (link_sts & AX_USB_SS)
memcpy(tmp, &AX88179_BULKIN_SIZE[0], 5);
else if (link_sts & AX_USB_HS)
memcpy(tmp, &AX88179_BULKIN_SIZE[1], 5);
else
memcpy(tmp, &AX88179_BULKIN_SIZE[3], 5);
} else if (GMII_PHY_PHYSR_100 == (tmp16 & GMII_PHY_PHYSR_SMASK)) {
mode |= AX_MEDIUM_PS;
Reported by FlawFinder.
Line: 1596
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else if (link_sts & AX_USB_HS)
memcpy(tmp, &AX88179_BULKIN_SIZE[1], 5);
else
memcpy(tmp, &AX88179_BULKIN_SIZE[3], 5);
} else if (GMII_PHY_PHYSR_100 == (tmp16 & GMII_PHY_PHYSR_SMASK)) {
mode |= AX_MEDIUM_PS;
if (link_sts & (AX_USB_SS | AX_USB_HS))
memcpy(tmp, &AX88179_BULKIN_SIZE[2], 5);
Reported by FlawFinder.
Line: 1601
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mode |= AX_MEDIUM_PS;
if (link_sts & (AX_USB_SS | AX_USB_HS))
memcpy(tmp, &AX88179_BULKIN_SIZE[2], 5);
else
memcpy(tmp, &AX88179_BULKIN_SIZE[3], 5);
} else {
memcpy(tmp, &AX88179_BULKIN_SIZE[3], 5);
}
Reported by FlawFinder.
drivers/s390/net/ctcm_sysfs.c
13 issues
Line: 88
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return;
p = sbuf;
p += sprintf(p, " Device FSM state: %s\n",
fsm_getstate_str(priv->fsm));
p += sprintf(p, " RX channel FSM state: %s\n",
fsm_getstate_str(priv->channel[CTCM_READ]->fsm));
p += sprintf(p, " TX channel FSM state: %s\n",
fsm_getstate_str(priv->channel[CTCM_WRITE]->fsm));
Reported by FlawFinder.
Line: 90
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
p += sprintf(p, " Device FSM state: %s\n",
fsm_getstate_str(priv->fsm));
p += sprintf(p, " RX channel FSM state: %s\n",
fsm_getstate_str(priv->channel[CTCM_READ]->fsm));
p += sprintf(p, " TX channel FSM state: %s\n",
fsm_getstate_str(priv->channel[CTCM_WRITE]->fsm));
p += sprintf(p, " Max. TX buffer used: %ld\n",
priv->channel[WRITE]->prof.maxmulti);
Reported by FlawFinder.
Line: 92
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
fsm_getstate_str(priv->fsm));
p += sprintf(p, " RX channel FSM state: %s\n",
fsm_getstate_str(priv->channel[CTCM_READ]->fsm));
p += sprintf(p, " TX channel FSM state: %s\n",
fsm_getstate_str(priv->channel[CTCM_WRITE]->fsm));
p += sprintf(p, " Max. TX buffer used: %ld\n",
priv->channel[WRITE]->prof.maxmulti);
p += sprintf(p, " Max. chained SKBs: %ld\n",
priv->channel[WRITE]->prof.maxcqueue);
Reported by FlawFinder.
Line: 186
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!cgdev)
return -ENODEV;
return sprintf(buf, "%s\n",
ctcm_type[cgdev->cdev[0]->id.driver_info]);
}
static DEVICE_ATTR(buffer, 0644, ctcm_buffer_show, ctcm_buffer_write);
static DEVICE_ATTR(protocol, 0644, ctcm_proto_show, ctcm_proto_store);
Reported by FlawFinder.
Line: 31
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!priv)
return -ENODEV;
return sprintf(buf, "%d\n", priv->buffer_size);
}
static ssize_t ctcm_buffer_write(struct device *dev,
struct device_attribute *attr, const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 94
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
fsm_getstate_str(priv->channel[CTCM_READ]->fsm));
p += sprintf(p, " TX channel FSM state: %s\n",
fsm_getstate_str(priv->channel[CTCM_WRITE]->fsm));
p += sprintf(p, " Max. TX buffer used: %ld\n",
priv->channel[WRITE]->prof.maxmulti);
p += sprintf(p, " Max. chained SKBs: %ld\n",
priv->channel[WRITE]->prof.maxcqueue);
p += sprintf(p, " TX single write ops: %ld\n",
priv->channel[WRITE]->prof.doios_single);
Reported by FlawFinder.
Line: 96
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
fsm_getstate_str(priv->channel[CTCM_WRITE]->fsm));
p += sprintf(p, " Max. TX buffer used: %ld\n",
priv->channel[WRITE]->prof.maxmulti);
p += sprintf(p, " Max. chained SKBs: %ld\n",
priv->channel[WRITE]->prof.maxcqueue);
p += sprintf(p, " TX single write ops: %ld\n",
priv->channel[WRITE]->prof.doios_single);
p += sprintf(p, " TX multi write ops: %ld\n",
priv->channel[WRITE]->prof.doios_multi);
Reported by FlawFinder.
Line: 98
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
priv->channel[WRITE]->prof.maxmulti);
p += sprintf(p, " Max. chained SKBs: %ld\n",
priv->channel[WRITE]->prof.maxcqueue);
p += sprintf(p, " TX single write ops: %ld\n",
priv->channel[WRITE]->prof.doios_single);
p += sprintf(p, " TX multi write ops: %ld\n",
priv->channel[WRITE]->prof.doios_multi);
p += sprintf(p, " Netto bytes written: %ld\n",
priv->channel[WRITE]->prof.txlen);
Reported by FlawFinder.
Line: 100
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
priv->channel[WRITE]->prof.maxcqueue);
p += sprintf(p, " TX single write ops: %ld\n",
priv->channel[WRITE]->prof.doios_single);
p += sprintf(p, " TX multi write ops: %ld\n",
priv->channel[WRITE]->prof.doios_multi);
p += sprintf(p, " Netto bytes written: %ld\n",
priv->channel[WRITE]->prof.txlen);
p += sprintf(p, " Max. TX IO-time: %u\n",
jiffies_to_usecs(priv->channel[WRITE]->prof.tx_time));
Reported by FlawFinder.
Line: 102
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
priv->channel[WRITE]->prof.doios_single);
p += sprintf(p, " TX multi write ops: %ld\n",
priv->channel[WRITE]->prof.doios_multi);
p += sprintf(p, " Netto bytes written: %ld\n",
priv->channel[WRITE]->prof.txlen);
p += sprintf(p, " Max. TX IO-time: %u\n",
jiffies_to_usecs(priv->channel[WRITE]->prof.tx_time));
printk(KERN_INFO "Statistics for %s:\n%s",
Reported by FlawFinder.
scripts/kconfig/conf.c
13 issues
Line: 111
CWE codes:
908
seed = (now.tv_sec + 1) * (now.tv_usec + 1);
}
printf("KCONFIG_SEED=0x%X\n", seed);
srand(seed);
}
static bool randomize_choice_values(struct symbol *csym)
{
Reported by Cppcheck.
Line: 112
CWE codes:
908
}
printf("KCONFIG_SEED=0x%X\n", seed);
srand(seed);
}
static bool randomize_choice_values(struct symbol *csym)
{
struct property *prop;
Reported by Cppcheck.
Line: 91
Column: 8
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
char *env;
bool seed_set = false;
env = getenv("KCONFIG_SEED");
if (env && *env) {
char *endp;
seed = strtol(env, &endp, 0);
if (*endp == '\0')
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
}
printf("KCONFIG_SEED=0x%X\n", seed);
srand(seed);
}
static bool randomize_choice_values(struct symbol *csym)
{
struct property *prop;
Reported by FlawFinder.
Line: 187
Column: 15
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
if (mode == def_random) {
int n, p[3];
char *env = getenv("KCONFIG_PROBABILITY");
n = 0;
while (env && *env) {
char *endp;
int tmp = strtol(env, &endp, 10);
Reported by FlawFinder.
Line: 739
Column: 16
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
tty_stdio = isatty(0) && isatty(1);
while ((opt = getopt_long(ac, av, "hs", long_opts, NULL)) != -1) {
switch (opt) {
case 'h':
conf_usage(progname);
exit(1);
break;
Reported by FlawFinder.
Line: 809
Column: 10
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
case allmodconfig:
case alldefconfig:
case randconfig:
name = getenv("KCONFIG_ALLCONFIG");
if (!name)
break;
if ((strcmp(name, "") != 0) && (strcmp(name, "1") != 0)) {
if (conf_read_simple(name, S_DEF_USER)) {
fprintf(stderr,
Reported by FlawFinder.
Line: 842
Column: 10
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
}
if (sync_kconfig) {
name = getenv("KCONFIG_NOSILENTUPDATE");
if (name && *name) {
if (conf_get_changed()) {
fprintf(stderr,
"\n*** The configuration requires explicit update.\n\n");
return 1;
Reported by FlawFinder.
Line: 45
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int tty_stdio;
static int sync_kconfig;
static int conf_cnt;
static char line[PATH_MAX];
static struct menu *rootEntry;
static void print_help(struct menu *menu)
{
struct gstr help = str_new();
Reported by FlawFinder.
Line: 536
Column: 11
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
if (!line[0])
cnt = def;
else if (isdigit(line[0]))
cnt = atoi(line);
else
continue;
break;
default:
break;
Reported by FlawFinder.
fs/gfs2/lock_dlm.c
13 issues
Line: 1066
CWE codes:
476
max_jid = 0;
for (i = 0; i < num_slots; i++) {
if (max_jid < slots[i].slot - 1)
max_jid = slots[i].slot - 1;
}
old_size = ls->ls_recover_size;
new_size = old_size;
Reported by Cppcheck.
Line: 263
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct lm_lockstruct *ls = &gl->gl_name.ln_sbd->sd_lockstruct;
int req;
u32 lkf;
char strname[GDLM_STRNAME_BYTES] = "";
req = make_mode(gl->gl_name.ln_sbd, req_state);
lkf = make_flags(gl, flags, req);
gfs2_glstats_inc(gl, GFS2_LKS_DCOUNT);
gfs2_sbstats_inc(gl, GFS2_LKS_DCOUNT);
Reported by FlawFinder.
Line: 473
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char *lvb_bits)
{
__le32 gen;
memcpy(lvb_bits, ls->ls_control_lvb, GDLM_LVB_SIZE);
memcpy(&gen, lvb_bits, sizeof(__le32));
*lvb_gen = le32_to_cpu(gen);
}
static void control_lvb_write(struct lm_lockstruct *ls, uint32_t lvb_gen,
Reported by FlawFinder.
Line: 474
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
__le32 gen;
memcpy(lvb_bits, ls->ls_control_lvb, GDLM_LVB_SIZE);
memcpy(&gen, lvb_bits, sizeof(__le32));
*lvb_gen = le32_to_cpu(gen);
}
static void control_lvb_write(struct lm_lockstruct *ls, uint32_t lvb_gen,
char *lvb_bits)
Reported by FlawFinder.
Line: 482
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char *lvb_bits)
{
__le32 gen;
memcpy(ls->ls_control_lvb, lvb_bits, GDLM_LVB_SIZE);
gen = cpu_to_le32(lvb_gen);
memcpy(ls->ls_control_lvb, &gen, sizeof(__le32));
}
static int all_jid_bits_clear(char *lvb)
Reported by FlawFinder.
Line: 484
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__le32 gen;
memcpy(ls->ls_control_lvb, lvb_bits, GDLM_LVB_SIZE);
gen = cpu_to_le32(lvb_gen);
memcpy(ls->ls_control_lvb, &gen, sizeof(__le32));
}
static int all_jid_bits_clear(char *lvb)
{
return !memchr_inv(lvb + JID_BITMAP_OFFSET, 0,
Reported by FlawFinder.
Line: 525
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int num, struct dlm_lksb *lksb, char *name)
{
struct lm_lockstruct *ls = &sdp->sd_lockstruct;
char strname[GDLM_STRNAME_BYTES];
int error, status;
memset(strname, 0, GDLM_STRNAME_BYTES);
snprintf(strname, GDLM_STRNAME_BYTES, "%8x%16x", LM_TYPE_NONDISK, num);
Reported by FlawFinder.
Line: 1086
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
spin_lock(&ls->ls_recover_spin);
memcpy(submit, ls->ls_recover_submit, old_size * sizeof(uint32_t));
memcpy(result, ls->ls_recover_result, old_size * sizeof(uint32_t));
kfree(ls->ls_recover_submit);
kfree(ls->ls_recover_result);
ls->ls_recover_submit = submit;
ls->ls_recover_result = result;
Reported by FlawFinder.
Line: 1087
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock(&ls->ls_recover_spin);
memcpy(submit, ls->ls_recover_submit, old_size * sizeof(uint32_t));
memcpy(result, ls->ls_recover_result, old_size * sizeof(uint32_t));
kfree(ls->ls_recover_submit);
kfree(ls->ls_recover_result);
ls->ls_recover_submit = submit;
ls->ls_recover_result = result;
ls->ls_recover_size = new_size;
Reported by FlawFinder.
Line: 1249
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int gdlm_mount(struct gfs2_sbd *sdp, const char *table)
{
struct lm_lockstruct *ls = &sdp->sd_lockstruct;
char cluster[GFS2_LOCKNAME_LEN];
const char *fsname;
uint32_t flags;
int error, ops_result;
/*
Reported by FlawFinder.
include/net/iucv/af_iucv.h
13 issues
Line: 48
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
sa_family_t siucv_family;
unsigned short siucv_port; /* Reserved */
unsigned int siucv_addr; /* Reserved */
char siucv_nodeid[8]; /* Reserved */
char siucv_user_id[8]; /* Guest User Id */
char siucv_name[8]; /* Application Name */
};
Reported by FlawFinder.
Line: 49
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short siucv_port; /* Reserved */
unsigned int siucv_addr; /* Reserved */
char siucv_nodeid[8]; /* Reserved */
char siucv_user_id[8]; /* Guest User Id */
char siucv_name[8]; /* Application Name */
};
/* Common socket structures and functions */
Reported by FlawFinder.
Line: 50
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int siucv_addr; /* Reserved */
char siucv_nodeid[8]; /* Reserved */
char siucv_user_id[8]; /* Guest User Id */
char siucv_name[8]; /* Application Name */
};
/* Common socket structures and functions */
struct sock_msg_q {
Reported by FlawFinder.
Line: 73
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 version;
u8 flags;
u16 window;
char destNodeID[8];
char destUserID[8];
char destAppName[16];
char srcNodeID[8];
char srcUserID[8];
char srcAppName[16]; /* => 70 bytes */
Reported by FlawFinder.
Line: 74
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 flags;
u16 window;
char destNodeID[8];
char destUserID[8];
char destAppName[16];
char srcNodeID[8];
char srcUserID[8];
char srcAppName[16]; /* => 70 bytes */
struct iucv_message iucv_hdr; /* => 33 bytes */
Reported by FlawFinder.
Line: 75
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 window;
char destNodeID[8];
char destUserID[8];
char destAppName[16];
char srcNodeID[8];
char srcUserID[8];
char srcAppName[16]; /* => 70 bytes */
struct iucv_message iucv_hdr; /* => 33 bytes */
u8 pad; /* total 104 bytes */
Reported by FlawFinder.
Line: 76
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char destNodeID[8];
char destUserID[8];
char destAppName[16];
char srcNodeID[8];
char srcUserID[8];
char srcAppName[16]; /* => 70 bytes */
struct iucv_message iucv_hdr; /* => 33 bytes */
u8 pad; /* total 104 bytes */
} __packed;
Reported by FlawFinder.
Line: 77
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char destUserID[8];
char destAppName[16];
char srcNodeID[8];
char srcUserID[8];
char srcAppName[16]; /* => 70 bytes */
struct iucv_message iucv_hdr; /* => 33 bytes */
u8 pad; /* total 104 bytes */
} __packed;
Reported by FlawFinder.
Line: 78
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char destAppName[16];
char srcNodeID[8];
char srcUserID[8];
char srcAppName[16]; /* => 70 bytes */
struct iucv_message iucv_hdr; /* => 33 bytes */
u8 pad; /* total 104 bytes */
} __packed;
static inline struct af_iucv_trans_hdr *iucv_trans_hdr(struct sk_buff *skb)
Reported by FlawFinder.
Line: 115
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct iucv_sock {
struct sock sk;
char src_user_id[8];
char src_name[8];
char dst_user_id[8];
char dst_name[8];
struct list_head accept_q;
spinlock_t accept_q_lock;
Reported by FlawFinder.
fs/gfs2/ops_fstype.c
13 issues
Line: 215
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sb->sb_root_dir.no_addr = be64_to_cpu(str->sb_root_dir.no_addr);
sb->sb_root_dir.no_formal_ino = be64_to_cpu(str->sb_root_dir.no_formal_ino);
memcpy(sb->sb_lockproto, str->sb_lockproto, GFS2_LOCKNAME_LEN);
memcpy(sb->sb_locktable, str->sb_locktable, GFS2_LOCKNAME_LEN);
memcpy(&s->s_uuid, str->sb_uuid, 16);
}
/**
Reported by FlawFinder.
Line: 216
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sb->sb_root_dir.no_formal_ino = be64_to_cpu(str->sb_root_dir.no_formal_ino);
memcpy(sb->sb_lockproto, str->sb_lockproto, GFS2_LOCKNAME_LEN);
memcpy(sb->sb_locktable, str->sb_locktable, GFS2_LOCKNAME_LEN);
memcpy(&s->s_uuid, str->sb_uuid, 16);
}
/**
* gfs2_read_super - Read the gfs2 super block from disk
Reported by FlawFinder.
Line: 217
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(sb->sb_lockproto, str->sb_lockproto, GFS2_LOCKNAME_LEN);
memcpy(sb->sb_locktable, str->sb_locktable, GFS2_LOCKNAME_LEN);
memcpy(&s->s_uuid, str->sb_uuid, 16);
}
/**
* gfs2_read_super - Read the gfs2 super block from disk
* @sdp: The GFS2 super block
Reported by FlawFinder.
Line: 569
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct gfs2_inode *dip = GFS2_I(sdp->sd_jindex);
struct qstr name;
char buf[20];
struct gfs2_jdesc *jd;
int error;
name.name = buf;
Reported by FlawFinder.
Line: 584
Column: 14
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (error)
break;
name.len = sprintf(buf, "journal%u", sdp->sd_journals);
name.hash = gfs2_disk_hash(name.name, name.len);
error = gfs2_dir_check(sdp->sd_jindex, &name, NULL);
if (error == -ENOENT) {
error = 0;
Reported by FlawFinder.
Line: 645
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int error = 0;
struct inode *master = d_inode(sdp->sd_master_dir);
struct inode *pn = NULL;
char buf[30];
struct gfs2_jdesc *jd;
struct gfs2_inode *ip;
sdp->sd_statfs_inode = gfs2_lookup_simple(master, "statfs");
if (IS_ERR(sdp->sd_statfs_inode)) {
Reported by FlawFinder.
Line: 674
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
error = -ENOMEM;
goto free_local;
}
sprintf(buf, "statfs_change%u", jd->jd_jid);
lsi->si_sc_inode = gfs2_lookup_simple(pn, buf);
if (IS_ERR(lsi->si_sc_inode)) {
error = PTR_ERR(lsi->si_sc_inode);
fs_err(sdp, "can't find local \"sc\" file#%u: %d\n",
jd->jd_jid, error);
Reported by FlawFinder.
Line: 923
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int init_per_node(struct gfs2_sbd *sdp, int undo)
{
struct inode *pn = NULL;
char buf[30];
int error = 0;
struct gfs2_inode *ip;
struct inode *master = d_inode(sdp->sd_master_dir);
if (sdp->sd_args.ar_spectator)
Reported by FlawFinder.
Line: 941
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return error;
}
sprintf(buf, "quota_change%u", sdp->sd_jdesc->jd_jid);
sdp->sd_qc_inode = gfs2_lookup_simple(pn, buf);
if (IS_ERR(sdp->sd_qc_inode)) {
error = PTR_ERR(sdp->sd_qc_inode);
fs_err(sdp, "can't find local \"qc\" file: %d\n", error);
goto fail_ut_i;
Reported by FlawFinder.
Line: 1083
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void gfs2_online_uevent(struct gfs2_sbd *sdp)
{
struct super_block *sb = sdp->sd_vfs;
char ro[20];
char spectator[20];
char *envp[] = { ro, spectator, NULL };
sprintf(ro, "RDONLY=%d", sb_rdonly(sb));
sprintf(spectator, "SPECTATOR=%d", sdp->sd_args.ar_spectator ? 1 : 0);
kobject_uevent_env(&sdp->sd_kobj, KOBJ_ONLINE, envp);
Reported by FlawFinder.
drivers/s390/char/vmlogrdr.c
13 issues
Line: 63
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* by one user at the same time.
*/
struct vmlogrdr_priv_t {
char system_service[8];
char internal_name[8];
char recording_name[8];
struct iucv_path *path;
int connection_established;
int iucv_path_severed;
Reported by FlawFinder.
Line: 64
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct vmlogrdr_priv_t {
char system_service[8];
char internal_name[8];
char recording_name[8];
struct iucv_path *path;
int connection_established;
int iucv_path_severed;
struct iucv_message local_interrupt_buffer;
Reported by FlawFinder.
Line: 65
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct vmlogrdr_priv_t {
char system_service[8];
char internal_name[8];
char recording_name[8];
struct iucv_path *path;
int connection_established;
int iucv_path_severed;
struct iucv_message local_interrupt_buffer;
atomic_t receive_ready;
Reported by FlawFinder.
Line: 208
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* the usage count
*/
spin_lock(&logptr->priv_lock);
memcpy(&logptr->local_interrupt_buffer, msg, sizeof(*msg));
atomic_inc(&logptr->receive_ready);
spin_unlock(&logptr->priv_lock);
wake_up_interruptible(&read_wait_queue);
}
Reported by FlawFinder.
Line: 218
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int vmlogrdr_get_recording_class_AB(void)
{
static const char cp_command[] = "QUERY COMMAND RECORDING ";
char cp_response[80];
char *tail;
int len,i;
cpcmd(cp_command, cp_response, sizeof(cp_response), NULL);
len = strnlen(cp_response,sizeof(cp_response));
Reported by FlawFinder.
Line: 248
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int action, int purge)
{
char cp_command[80];
char cp_response[160];
char *onoff, *qid_string;
int rc;
onoff = ((action == 1) ? "ON" : "OFF");
Reported by FlawFinder.
Line: 249
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char cp_command[80];
char cp_response[160];
char *onoff, *qid_string;
int rc;
onoff = ((action == 1) ? "ON" : "OFF");
qid_string = ((recording_class_AB == 1) ? " QID * " : "");
Reported by FlawFinder.
Line: 466
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* now add the fence */
atomic_dec(&priv->receive_ready);
buffer = priv->buffer + user_data_count;
memcpy(buffer, FENCE, sizeof(FENCE));
user_data_count += sizeof(FENCE);
}
priv->remaining = user_data_count;
}
Reported by FlawFinder.
Line: 535
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char *buf)
{
struct vmlogrdr_priv_t *priv = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", priv->autopurge);
}
static DEVICE_ATTR(autopurge, 0644, vmlogrdr_autopurge_show,
vmlogrdr_autopurge_store);
Reported by FlawFinder.
Line: 548
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char * buf, size_t count)
{
char cp_command[80];
char cp_response[80];
struct vmlogrdr_priv_t *priv = dev_get_drvdata(dev);
if (buf[0] != '1')
return -EINVAL;
Reported by FlawFinder.
drivers/net/wan/hdlc_ppp.c
13 issues
Line: 476
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* HDLC and CP headers stripped from skb */
#if DEBUG_CP
if (cp->code < CP_CODES)
sprintf(debug_buffer, "[%s id 0x%X]", code_names[cp->code],
cp->id);
else
sprintf(debug_buffer, "[code %u id 0x%X]", cp->code, cp->id);
ptr = debug_buffer + strlen(debug_buffer);
for (i = 0; i < min_t(unsigned int, len, DEBUG_CP); i++) {
Reported by FlawFinder.
Line: 40
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CP_TERM_ACK, CP_CODE_REJ, LCP_PROTO_REJ, LCP_ECHO_REQ, LCP_ECHO_REPLY,
LCP_DISC_REQ, CP_CODES};
#if DEBUG_CP
static const char *const code_names[CP_CODES] = {
"0", "ConfReq", "ConfAck", "ConfNak", "ConfRej", "TermReq",
"TermAck", "CodeRej", "ProtoRej", "EchoReq", "EchoReply", "Discard"
};
static char debug_buffer[64 + 3 * DEBUG_CP];
Reported by FlawFinder.
Line: 45
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"TermAck", "CodeRej", "ProtoRej", "EchoReq", "EchoReply", "Discard"
};
static char debug_buffer[64 + 3 * DEBUG_CP];
#endif
enum {LCP_OPTION_MRU = 1, LCP_OPTION_ACCM, LCP_OPTION_MAGIC = 5};
struct hdlc_header {
Reported by FlawFinder.
Line: 90
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
SCN = 0x200, STR = 0x400, STA = 0x800, SCJ = 0x1000};
#if DEBUG_STATE
static const char *const state_names[STATES] = {
"Closed", "Stopped", "Stopping", "ReqSent", "AckRecv", "AckSent",
"Opened"
};
static const char *const event_names[EVENTS] = {
Reported by FlawFinder.
Line: 95
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"Opened"
};
static const char *const event_names[EVENTS] = {
"Start", "Stop", "TO+", "TO-", "RCR+", "RCR-", "RCA", "RCN",
"RTR", "RTA", "RUC", "RXJ+", "RXJ-"
};
#endif
Reported by FlawFinder.
Line: 242
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ptr = debug_buffer;
*ptr = '\x0';
for (i = 0; i < min_t(unsigned int, magic_len + len, DEBUG_CP); i++) {
sprintf(ptr, " %02X", skb->data[sizeof(struct cp_header) + i]);
ptr += strlen(ptr);
}
printk(KERN_DEBUG "%s: TX %s [%s id 0x%X]%s\n", dev->name,
proto_name(pid), code_names[code], id, debug_buffer);
#endif
Reported by FlawFinder.
Line: 399
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(valid_accm)))
continue;
if (!rej_len) { /* NAK it */
memcpy(out + nak_len, valid_accm,
sizeof(valid_accm));
nak_len += sizeof(valid_accm);
continue;
}
break;
Reported by FlawFinder.
Line: 414
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
continue;
}
/* reject this option */
memcpy(out + rej_len, opt, opt[1]);
rej_len += opt[1];
}
if (rej_len)
ppp_cp_event(dev, pid, RCR_BAD, CP_CONF_REJ, id, rej_len, out);
Reported by FlawFinder.
Line: 479
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(debug_buffer, "[%s id 0x%X]", code_names[cp->code],
cp->id);
else
sprintf(debug_buffer, "[code %u id 0x%X]", cp->code, cp->id);
ptr = debug_buffer + strlen(debug_buffer);
for (i = 0; i < min_t(unsigned int, len, DEBUG_CP); i++) {
sprintf(ptr, " %02X", skb->data[i]);
ptr += strlen(ptr);
}
Reported by FlawFinder.
Line: 482
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(debug_buffer, "[code %u id 0x%X]", cp->code, cp->id);
ptr = debug_buffer + strlen(debug_buffer);
for (i = 0; i < min_t(unsigned int, len, DEBUG_CP); i++) {
sprintf(ptr, " %02X", skb->data[i]);
ptr += strlen(ptr);
}
printk(KERN_DEBUG "%s: RX %s %s\n", dev->name, proto_name(pid),
debug_buffer);
#endif
Reported by FlawFinder.