The following issues were found
fs/cifs/fs_context.c
12 issues
Line: 566
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
*/
while (options && options[0] == ',') {
len = strlen(key);
strcpy(key + len, options);
options = strchr(options, ',');
if (options)
*options++ = 0;
}
Reported by FlawFinder.
Line: 318
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int
smb3_fs_context_dup(struct smb3_fs_context *new_ctx, struct smb3_fs_context *ctx)
{
memcpy(new_ctx, ctx, sizeof(*ctx));
new_ctx->prepath = NULL;
new_ctx->mount_options = NULL;
new_ctx->nodename = NULL;
new_ctx->username = NULL;
new_ctx->password = NULL;
Reported by FlawFinder.
Line: 429
Column: 27
CWE codes:
126
if (!*p)
continue;
if (strncasecmp(p, key, strlen(key)))
continue;
nval = strchr(p, '=');
if (nval) {
if (nval == p)
continue;
Reported by FlawFinder.
Line: 565
Column: 10
CWE codes:
126
* character to the deliminator
*/
while (options && options[0] == ',') {
len = strlen(key);
strcpy(key + len, options);
options = strchr(options, ',');
if (options)
*options++ = 0;
}
Reported by FlawFinder.
Line: 579
Column: 10
CWE codes:
126
if (value == key)
continue;
*value++ = 0;
len = strlen(value);
}
ret = vfs_parse_fs_string(fc, key, value, len);
if (ret < 0)
break;
Reported by FlawFinder.
Line: 620
Column: 6
CWE codes:
126
}
/* make sure UNC has a share name */
if (strlen(ctx->UNC) < 3 || !strchr(ctx->UNC + 3, '\\')) {
cifs_errorf(fc, "Malformed UNC. Unable to find share name.\n");
return -ENOENT;
}
if (!ctx->got_ip) {
Reported by FlawFinder.
Line: 1093
Column: 7
CWE codes:
126
case Opt_user:
kfree(ctx->username);
ctx->username = NULL;
if (strlen(param->string) == 0) {
/* null user, ie. anonymous authentication */
ctx->nullauth = 1;
break;
}
Reported by FlawFinder.
Line: 1113
Column: 7
CWE codes:
126
case Opt_pass:
kfree(ctx->password);
ctx->password = NULL;
if (strlen(param->string) == 0)
break;
ctx->password = kstrdup(param->string, GFP_KERNEL);
if (ctx->password == NULL) {
cifs_errorf(fc, "OOM when copying password string\n");
Reported by FlawFinder.
Line: 1123
Column: 7
CWE codes:
126
}
break;
case Opt_ip:
if (strlen(param->string) == 0) {
ctx->got_ip = false;
break;
}
if (!cifs_convert_address((struct sockaddr *)&ctx->dstaddr,
param->string,
Reported by FlawFinder.
Line: 1129
Column: 8
CWE codes:
126
}
if (!cifs_convert_address((struct sockaddr *)&ctx->dstaddr,
param->string,
strlen(param->string))) {
pr_err("bad ip= option (%s)\n", param->string);
goto cifs_parse_mount_err;
}
ctx->got_ip = true;
break;
Reported by FlawFinder.
fs/cifs/file.c
12 issues
Line: 2069
Column: 39
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
continue;
if (fsuid_only && !uid_eq(open_file->uid, current_fsuid()))
continue;
if (with_delete && !(open_file->fid.access & DELETE))
continue;
if (OPEN_FMODE(open_file->f_flags) & FMODE_WRITE) {
if (!open_file->invalidHandle) {
/* found a good writable file */
cifsFileInfo_get(open_file);
Reported by FlawFinder.
Line: 179
Column: 20
CWE codes:
362
struct TCP_Server_Info *server = tcon->ses->server;
struct cifs_open_parms oparms;
if (!server->ops->open)
return -ENOSYS;
desired_access = cifs_convert_flags(f_flags);
/*********************************************************************
Reported by FlawFinder.
Line: 232
Column: 20
CWE codes:
362
oparms.fid = fid;
oparms.reconnect = false;
rc = server->ops->open(xid, &oparms, oplock, buf);
if (rc)
goto out;
/* TODO: Add support for calling posix query info but with passing in fid */
Reported by FlawFinder.
Line: 446
Column: 27
CWE codes:
362
struct super_block *sb = inode->i_sb;
struct cifs_sb_info *cifs_sb = CIFS_SB(sb);
struct cifs_fid fid;
struct cifs_pending_open open;
bool oplock_break_cancelled;
spin_lock(&tcon->open_file_lock);
spin_lock(&cifsi->open_file_lock);
spin_lock(&cifs_file->file_info_lock);
Reported by FlawFinder.
Line: 464
Column: 56
CWE codes:
362
server->ops->get_lease_key(inode, &fid);
/* store open in pending opens to make sure we don't miss lease break */
cifs_add_pending_open_locked(&fid, cifs_file->tlink, &open);
/* remove it from the lists */
list_del(&cifs_file->flist);
list_del(&cifs_file->tlist);
atomic_dec(&tcon->num_local_opens);
Reported by FlawFinder.
Line: 505
Column: 25
CWE codes:
362
if (oplock_break_cancelled)
cifs_done_oplock_break(cifsi);
cifs_del_pending_open(&open);
if (offload)
queue_work(fileinfo_put_wq, &cifs_file->put);
else
cifsFileInfo_put_final(cifs_file);
Reported by FlawFinder.
Line: 528
Column: 27
CWE codes:
362
const char *full_path;
bool posix_open_ok = false;
struct cifs_fid fid;
struct cifs_pending_open open;
xid = get_xid();
cifs_sb = CIFS_SB(inode->i_sb);
if (unlikely(cifs_forced_shutdown(cifs_sb))) {
Reported by FlawFinder.
Line: 611
Column: 38
CWE codes:
362
if (server->ops->get_lease_key)
server->ops->get_lease_key(inode, &fid);
cifs_add_pending_open(&fid, tlink, &open);
if (!posix_open_ok) {
if (server->ops->get_lease_key)
server->ops->get_lease_key(inode, &fid);
Reported by FlawFinder.
Line: 620
Column: 27
CWE codes:
362
rc = cifs_nt_open(full_path, inode, cifs_sb, tcon,
file->f_flags, &oplock, &fid, xid);
if (rc) {
cifs_del_pending_open(&open);
goto out;
}
}
cfile = cifs_new_fileinfo(&fid, file, tlink, oplock);
Reported by FlawFinder.
Line: 629
Column: 26
CWE codes:
362
if (cfile == NULL) {
if (server->ops->close)
server->ops->close(xid, tcon, &fid);
cifs_del_pending_open(&open);
rc = -ENOMEM;
goto out;
}
cifs_fscache_set_inode_cookie(inode, file);
Reported by FlawFinder.
fs/cifs/smb2transport.c
12 issues
Line: 111
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* to an existing session, use the master connection
* session key
*/
memcpy(key, ses->smb3signingkey, SMB3_SIGN_KEY_SIZE);
goto out;
}
/*
* Otherwise, use the channel key.
Reported by FlawFinder.
Line: 122
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < ses->chan_count; i++) {
chan = ses->chans + i;
if (chan->server == server) {
memcpy(key, chan->signkey, SMB3_SIGN_KEY_SIZE);
goto out;
}
}
cifs_dbg(VFS,
Reported by FlawFinder.
Line: 214
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool allocate_crypto)
{
int rc;
unsigned char smb2_signature[SMB2_HMACSHA256_SIZE];
unsigned char *sigptr = smb2_signature;
struct kvec *iov = rqst->rq_iov;
struct smb2_sync_hdr *shdr = (struct smb2_sync_hdr *)iov[0].iov_base;
struct cifs_ses *ses;
struct shash_desc *shash;
Reported by FlawFinder.
Line: 284
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rc = __cifs_calc_signature(&drqst, server, sigptr, shash);
if (!rc)
memcpy(shdr->Signature, sigptr, SMB2_SIGNATURE_SIZE);
out:
if (allocate_crypto)
cifs_free_hash(&hash, &sdesc);
if (ses)
Reported by FlawFinder.
Line: 302
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u8 L128[4] = {0, 0, 0, 128};
__u8 L256[4] = {0, 0, 1, 0};
int rc = 0;
unsigned char prfhash[SMB2_HMACSHA256_SIZE];
unsigned char *hashptr = prfhash;
struct TCP_Server_Info *server = ses->server;
memset(prfhash, 0x0, SMB2_HMACSHA256_SIZE);
memset(key, 0x0, key_size);
Reported by FlawFinder.
Line: 376
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto smb3signkey_ret;
}
memcpy(key, hashptr, key_size);
smb3signkey_ret:
return rc;
}
Reported by FlawFinder.
Line: 427
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rc)
return rc;
memcpy(ses->chans[0].signkey, ses->smb3signingkey,
SMB3_SIGN_KEY_SIZE);
rc = generate_key(ses, ptriplet->encryption.label,
ptriplet->encryption.context,
ses->smb3encryptionkey,
Reported by FlawFinder.
Line: 535
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool allocate_crypto)
{
int rc;
unsigned char smb3_signature[SMB2_CMACAES_SIZE];
unsigned char *sigptr = smb3_signature;
struct kvec *iov = rqst->rq_iov;
struct smb2_sync_hdr *shdr = (struct smb2_sync_hdr *)iov[0].iov_base;
struct shash_desc *shash;
struct crypto_shash *hash;
Reported by FlawFinder.
Line: 602
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rc = __cifs_calc_signature(&drqst, server, sigptr, shash);
if (!rc)
memcpy(shdr->Signature, sigptr, SMB2_SIGNATURE_SIZE);
out:
if (allocate_crypto)
cifs_free_hash(&hash, &sdesc);
return rc;
Reported by FlawFinder.
Line: 645
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
smb2_verify_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server)
{
unsigned int rc;
char server_response_sig[SMB2_SIGNATURE_SIZE];
struct smb2_sync_hdr *shdr =
(struct smb2_sync_hdr *)rqst->rq_iov[0].iov_base;
if ((shdr->Command == SMB2_NEGOTIATE) ||
(shdr->Command == SMB2_SESSION_SETUP) ||
Reported by FlawFinder.
drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
12 issues
Line: 1217
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!found)
sprintf(name, "%pM Gigabit Ethernet", adapter->mac_addr);
else
sprintf(name, "%pM: %s" , adapter->mac_addr,
qlcnic_boards[i].short_name);
}
static void
qlcnic_check_options(struct qlcnic_adapter *adapter)
Reported by FlawFinder.
Line: 307
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return ret;
memcpy(netdev->dev_addr, mac_addr, ETH_ALEN);
memcpy(adapter->mac_addr, netdev->dev_addr, netdev->addr_len);
/* set station address */
if (!is_valid_ether_addr(netdev->dev_addr))
Reported by FlawFinder.
Line: 308
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
memcpy(netdev->dev_addr, mac_addr, ETH_ALEN);
memcpy(adapter->mac_addr, netdev->dev_addr, netdev->addr_len);
/* set station address */
if (!is_valid_ether_addr(netdev->dev_addr))
dev_warn(&pdev->dev, "Bad MAC address %pM.\n",
Reported by FlawFinder.
Line: 358
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
qlcnic_delete_adapter_mac(adapter);
memcpy(adapter->mac_addr, addr->sa_data, netdev->addr_len);
memcpy(netdev->dev_addr, addr->sa_data, netdev->addr_len);
qlcnic_set_multi(adapter->netdev);
if (test_bit(__QLCNIC_DEV_UP, &adapter->state)) {
netif_device_attach(netdev);
Reported by FlawFinder.
Line: 359
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
qlcnic_delete_adapter_mac(adapter);
memcpy(adapter->mac_addr, addr->sa_data, netdev->addr_len);
memcpy(netdev->dev_addr, addr->sa_data, netdev->addr_len);
qlcnic_set_multi(adapter->netdev);
if (test_bit(__QLCNIC_DEV_UP, &adapter->state)) {
netif_device_attach(netdev);
qlcnic_napi_enable(adapter);
Reported by FlawFinder.
Line: 466
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EOPNOTSUPP;
ppid->id_len = sizeof(ahw->phys_port_id);
memcpy(ppid->id, ahw->phys_port_id, ppid->id_len);
return 0;
}
static int qlcnic_udp_tunnel_sync(struct net_device *dev, unsigned int table)
Reported by FlawFinder.
Line: 1047
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
adapter->npars[j].min_bw = pci_info[i].tx_min_bw;
adapter->npars[j].max_bw = pci_info[i].tx_max_bw;
memcpy(&adapter->npars[j].mac, &pci_info[i].mac, ETH_ALEN);
j++;
}
/* Update eSwitch status for adapters without per port eSwitch
* configuration capability
Reported by FlawFinder.
Line: 1215
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
if (!found)
sprintf(name, "%pM Gigabit Ethernet", adapter->mac_addr);
else
sprintf(name, "%pM: %s" , adapter->mac_addr,
qlcnic_boards[i].short_name);
}
Reported by FlawFinder.
Line: 2447
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct qlcnic_adapter *adapter = NULL;
struct qlcnic_hardware_context *ahw;
int err, pci_using_dac = -1;
char board_name[QLCNIC_MAX_BOARD_NAME_LEN + 19]; /* MAC + ": " + name */
err = pci_enable_device(pdev);
if (err)
return err;
Reported by FlawFinder.
Line: 3971
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int queue_type)
{
struct net_device *netdev = adapter->netdev;
char buf[8];
if (queue_type == QLCNIC_RX_QUEUE)
strcpy(buf, "SDS");
else
strcpy(buf, "Tx");
Reported by FlawFinder.
drivers/block/drbd/drbd_main.c
12 issues
Line: 751
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
if (apv >= 88)
strcpy(p->verify_alg, nc->verify_alg);
if (apv >= 89)
strcpy(p->csums_alg, nc->csums_alg);
rcu_read_unlock();
return drbd_send_command(peer_device, sock, cmd, size, NULL, 0);
Reported by FlawFinder.
Line: 753
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (apv >= 88)
strcpy(p->verify_alg, nc->verify_alg);
if (apv >= 89)
strcpy(p->csums_alg, nc->csums_alg);
rcu_read_unlock();
return drbd_send_command(peer_device, sock, cmd, size, NULL, 0);
}
Reported by FlawFinder.
Line: 797
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
p->conn_flags = cpu_to_be32(cf);
if (connection->agreed_pro_version >= 87)
strcpy(p->integrity_alg, nc->integrity_alg);
rcu_read_unlock();
return __conn_send_command(connection, sock, cmd, size, NULL, 0);
}
Reported by FlawFinder.
Line: 3808
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (buildtag[0] == 0) {
#ifdef MODULE
sprintf(buildtag, "srcversion: %-24s", THIS_MODULE->srcversion);
#else
buildtag[0] = 'b';
#endif
}
Reported by FlawFinder.
Line: 100
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int drbd_minor_count = DRBD_MINOR_COUNT_DEF;
/* Module parameter for setting the user mode helper program
* to run. Default is /sbin/drbdadm */
char drbd_usermode_helper[80] = "/sbin/drbdadm";
module_param_named(minor_count, drbd_minor_count, uint, 0444);
module_param_string(usermode_helper, drbd_usermode_helper, sizeof(drbd_usermode_helper), 0644);
/* in 2.6.x, our device mapping and config info contains our virtual gendisks
* as member "struct gendisk *vdisk;"
Reported by FlawFinder.
Line: 1749
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (digest_size > 0 && digest_size <= 64) {
/* 64 byte, 512 bit, is the largest digest size
* currently supported in kernel crypto. */
unsigned char digest[64];
drbd_csum_bio(peer_device->connection->integrity_tfm, req->master_bio, digest);
if (memcmp(p + 1, digest, digest_size)) {
drbd_warn(device,
"Digest mismatch, buffer modified by upper layers during write: %llus +%u\n",
(unsigned long long)req->i.sector, req->i.size);
Reported by FlawFinder.
Line: 2023
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void drbd_set_my_capacity(struct drbd_device *device, sector_t size)
{
char ppb[10];
set_capacity_and_notify(device->vdisk, size);
drbd_info(device, "size = %s (%llu KB)\n",
ppsize(ppb, size>>1), (unsigned long long)size>>1);
Reported by FlawFinder.
Line: 2737
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
disk->first_minor = minor;
disk->minors = 1;
disk->fops = &drbd_ops;
sprintf(disk->disk_name, "drbd%d", minor);
disk->private_data = device;
blk_queue_write_cache(disk->queue, true, true);
/* Setting the max_hw_sectors to an odd value of 8kibyte here
This triggers a max_bio_size message upon first attach or connect */
Reported by FlawFinder.
Line: 3804
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* DRBD built from external sources has here a reference to the
git hash of the source code. */
static char buildtag[38] = "\0uilt-in";
if (buildtag[0] == 0) {
#ifdef MODULE
sprintf(buildtag, "srcversion: %-24s", THIS_MODULE->srcversion);
#else
Reported by FlawFinder.
Line: 725
Column: 6
CWE codes:
126
size = apv <= 87 ? sizeof(struct p_rs_param)
: apv == 88 ? sizeof(struct p_rs_param)
+ strlen(nc->verify_alg) + 1
: apv <= 94 ? sizeof(struct p_rs_param_89)
: /* apv >= 95 */ sizeof(struct p_rs_param_95);
cmd = apv >= 89 ? P_SYNC_PARAM89 : P_SYNC_PARAM;
Reported by FlawFinder.
drivers/input/keyboard/atkbd.c
12 issues
Line: 209
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct input_dev *dev;
/* Written only during init */
char name[64];
char phys[32];
unsigned short id;
unsigned short keycode[ATKBD_KEYMAP_SIZE];
DECLARE_BITMAP(force_release_mask, ATKBD_KEYMAP_SIZE);
Reported by FlawFinder.
Line: 210
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Written only during init */
char name[64];
char phys[32];
unsigned short id;
unsigned short keycode[ATKBD_KEYMAP_SIZE];
DECLARE_BITMAP(force_release_mask, ATKBD_KEYMAP_SIZE);
unsigned char set;
Reported by FlawFinder.
Line: 601
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int atkbd_set_leds(struct atkbd *atkbd)
{
struct input_dev *dev = atkbd->dev;
unsigned char param[2];
param[0] = (test_bit(LED_SCROLLL, dev->led) ? 1 : 0)
| (test_bit(LED_NUML, dev->led) ? 2 : 0)
| (test_bit(LED_CAPSL, dev->led) ? 4 : 0);
if (ps2_command(&atkbd->ps2dev, param, ATKBD_CMD_SETLEDS))
Reported by FlawFinder.
Line: 766
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int atkbd_probe(struct atkbd *atkbd)
{
struct ps2dev *ps2dev = &atkbd->ps2dev;
unsigned char param[2];
/*
* Some systems, where the bit-twiddling when testing the io-lines of the
* controller may confuse the keyboard need a full reset of the keyboard. On
* these systems the BIOS also usually doesn't do it for us.
Reported by FlawFinder.
Line: 833
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int atkbd_select_set(struct atkbd *atkbd, int target_set, int allow_extra)
{
struct ps2dev *ps2dev = &atkbd->ps2dev;
unsigned char param[2];
atkbd->extra = false;
/*
* For known special keyboards we can go ahead and set the correct set.
* We check for NCD PS/2 Sun, NorthGate OmniKey 101 and
Reported by FlawFinder.
Line: 894
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int atkbd_reset_state(struct atkbd *atkbd)
{
struct ps2dev *ps2dev = &atkbd->ps2dev;
unsigned char param[1];
/*
* Set the LEDs to a predefined state (all off).
*/
Reported by FlawFinder.
Line: 1434
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t atkbd_show_extra(struct atkbd *atkbd, char *buf)
{
return sprintf(buf, "%d\n", atkbd->extra ? 1 : 0);
}
static ssize_t atkbd_set_extra(struct atkbd *atkbd, const char *buf, size_t count)
{
struct input_dev *old_dev, *new_dev;
Reported by FlawFinder.
Line: 1522
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t atkbd_show_scroll(struct atkbd *atkbd, char *buf)
{
return sprintf(buf, "%d\n", atkbd->scroll ? 1 : 0);
}
static ssize_t atkbd_set_scroll(struct atkbd *atkbd, const char *buf, size_t count)
{
struct input_dev *old_dev, *new_dev;
Reported by FlawFinder.
Line: 1570
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t atkbd_show_set(struct atkbd *atkbd, char *buf)
{
return sprintf(buf, "%d\n", atkbd->set);
}
static ssize_t atkbd_set_set(struct atkbd *atkbd, const char *buf, size_t count)
{
struct input_dev *old_dev, *new_dev;
Reported by FlawFinder.
Line: 1625
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t atkbd_show_softrepeat(struct atkbd *atkbd, char *buf)
{
return sprintf(buf, "%d\n", atkbd->softrepeat ? 1 : 0);
}
static ssize_t atkbd_set_softrepeat(struct atkbd *atkbd, const char *buf, size_t count)
{
struct input_dev *old_dev, *new_dev;
Reported by FlawFinder.
fs/cifs/cifs_uniupr.h
12 issues
Line: 12
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
* Latin upper case
*/
signed char CifsUniUpperTable[512] = {
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 000-00f */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 010-01f */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 020-02f */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 030-03f */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 040-04f */
Reported by FlawFinder.
Line: 48
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/* Upper case range - Greek */
static signed char UniCaseRangeU03a0[47] = {
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, -38, -37, -37, -37, /* 3a0-3af */
0, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, /* 3b0-3bf */
-32, -32, -31, -32, -32, -32, -32, -32, -32, -32, -32, -32, -64,
-63, -63,
};
Reported by FlawFinder.
Line: 56
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/* Upper case range - Cyrillic */
static signed char UniCaseRangeU0430[48] = {
-32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, /* 430-43f */
-32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, /* 440-44f */
0, -80, -80, -80, -80, -80, -80, -80, -80, -80, -80, -80, -80, 0, -80, -80, /* 450-45f */
};
Reported by FlawFinder.
Line: 63
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/* Upper case range - Extended cyrillic */
static signed char UniCaseRangeU0490[61] = {
0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 490-49f */
0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 4a0-4af */
0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 4b0-4bf */
0, 0, -1, 0, -1, 0, 0, 0, -1, 0, 0, 0, -1,
};
Reported by FlawFinder.
Line: 71
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/* Upper case range - Extended latin and greek */
static signed char UniCaseRangeU1e00[509] = {
0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1e00-1e0f */
0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1e10-1e1f */
0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1e20-1e2f */
0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1e30-1e3f */
0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, 0, -1, /* 1e40-1e4f */
Reported by FlawFinder.
Line: 107
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/* Upper case range - Wide latin */
static signed char UniCaseRangeUff40[27] = {
0, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32, /* ff40-ff4f */
-32, -32, -32, -32, -32, -32, -32, -32, -32, -32, -32,
};
/*
Reported by FlawFinder.
Line: 129
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
* Latin lower case
*/
signed char CifsUniLowerTable[512] = {
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 000-00f */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 010-01f */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 020-02f */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 030-03f */
0, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, /* 040-04f */
Reported by FlawFinder.
Line: 165
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/* Lower case range - Greek */
static signed char UniCaseRangeL0380[44] = {
0, 0, 0, 0, 0, 0, 38, 0, 37, 37, 37, 0, 64, 0, 63, 63, /* 380-38f */
0, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, /* 390-39f */
32, 32, 0, 32, 32, 32, 32, 32, 32, 32, 32, 32,
};
Reported by FlawFinder.
Line: 172
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/* Lower case range - Cyrillic */
static signed char UniCaseRangeL0400[48] = {
0, 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, 0, 80, 80, /* 400-40f */
32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, /* 410-41f */
32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, /* 420-42f */
};
Reported by FlawFinder.
Line: 179
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/* Lower case range - Extended cyrillic */
static signed char UniCaseRangeL0490[60] = {
1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 490-49f */
1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 4a0-4af */
1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, /* 4b0-4bf */
0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1,
};
Reported by FlawFinder.
drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c
12 issues
Line: 2929
vega12_check_smc_update_required_for_display_configuration,
.power_off_asic = vega12_power_off_asic,
.disable_smc_firmware_ctf = vega12_thermal_disable_alert,
#if 0
.set_power_profile_state = vega12_set_power_profile_state,
.get_sclk_od = vega12_get_sclk_od,
.set_sclk_od = vega12_set_sclk_od,
.get_mclk_od = vega12_get_mclk_od,
.set_mclk_od = vega12_set_mclk_od,
Reported by Cppcheck.
Line: 2150
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return ret);
size += sprintf(buf + size, "Current ppfeatures: 0x%016llx\n", features_enabled);
size += sprintf(buf + size, "%-19s %-22s %s\n",
output_title[0],
output_title[1],
output_title[2]);
for (i = 0; i < GNLD_FEATURES_MAX; i++) {
size += sprintf(buf + size, "%-19s 0x%016llx %6s\n",
Reported by FlawFinder.
Line: 2155
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
output_title[1],
output_title[2]);
for (i = 0; i < GNLD_FEATURES_MAX; i++) {
size += sprintf(buf + size, "%-19s 0x%016llx %6s\n",
ppfeature_name[i],
1ULL << i,
(features_enabled & (1ULL << i)) ? "Y" : "N");
}
Reported by FlawFinder.
Line: 2259
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
"Attempt to get gfx clk levels Failed!",
return -1);
for (i = 0; i < clocks.num_levels; i++)
size += sprintf(buf + size, "%d: %uMhz %s\n",
i, clocks.data[i].clocks_in_khz / 1000,
(clocks.data[i].clocks_in_khz / 1000 == now / 100) ? "*" : "");
break;
case PP_MCLK:
Reported by FlawFinder.
Line: 2275
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
"Attempt to get memory clk levels Failed!",
return -1);
for (i = 0; i < clocks.num_levels; i++)
size += sprintf(buf + size, "%d: %uMhz %s\n",
i, clocks.data[i].clocks_in_khz / 1000,
(clocks.data[i].clocks_in_khz / 1000 == now / 100) ? "*" : "");
break;
case PP_SOCCLK:
Reported by FlawFinder.
Line: 2293
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
"Attempt to get soc clk levels Failed!",
return -1);
for (i = 0; i < clocks.num_levels; i++)
size += sprintf(buf + size, "%d: %uMhz %s\n",
i, clocks.data[i].clocks_in_khz / 1000,
(clocks.data[i].clocks_in_khz / 1000 == now) ? "*" : "");
break;
case PP_DCEFCLK:
Reported by FlawFinder.
Line: 2311
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
"Attempt to get dcef clk levels Failed!",
return -1);
for (i = 0; i < clocks.num_levels; i++)
size += sprintf(buf + size, "%d: %uMhz %s\n",
i, clocks.data[i].clocks_in_khz / 1000,
(clocks.data[i].clocks_in_khz / 1000 == now) ? "*" : "");
break;
case PP_PCIE:
Reported by FlawFinder.
Line: 769
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vega12_init_dpm_state(&(dpm_table->dpm_state));
/* save a copy of the default DPM table */
memcpy(&(data->golden_dpm_table), &(data->dpm_table),
sizeof(struct vega12_dpm_table));
return 0;
}
Reported by FlawFinder.
Line: 840
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
NULL);
}
memcpy(pp_table, pptable_information->smc_pptable, sizeof(PPTable_t));
result = smum_smc_table_manager(hwmgr,
(uint8_t *)pp_table, TABLE_PPTABLE, false);
PP_ASSERT_WITH_CODE(!result,
"Failed to upload PPtable!", return result);
Reported by FlawFinder.
Line: 1377
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (metrics_table)
memcpy(metrics_table, &data->metrics_table, sizeof(SmuMetrics_t));
return ret;
}
static int vega12_get_gpu_power(struct pp_hwmgr *hwmgr, uint32_t *query)
Reported by FlawFinder.
drivers/atm/nicstar.c
12 issues
Line: 818
CWE codes:
476
static void ns_init_card_error(ns_dev *card, int error)
{
if (error >= 17) {
writel(0x00000000, card->membase + CFG);
}
if (error >= 16) {
struct sk_buff *iovb;
while ((iovb = skb_dequeue(&card->iovpool.queue)) != NULL)
dev_kfree_skb_any(iovb);
Reported by Cppcheck.
Line: 172
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
static struct timer_list ns_timer;
static char *mac[NS_MAX_CARDS];
module_param_array(mac, charp, NULL, 0);
MODULE_LICENSE("GPL");
/* Functions */
Reported by FlawFinder.
Line: 2062
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (i == 1 && ns_rsqe_eopdu(rsqe))
*((u32 *) sb->data) |= 0x00000002;
skb_put(sb, NS_AAL0_HEADER);
memcpy(skb_tail_pointer(sb), cell, ATM_CELL_PAYLOAD);
skb_put(sb, ATM_CELL_PAYLOAD);
ATM_SKB(sb)->vcc = vcc;
__net_timestamp(sb);
vcc->push(vcc, sb);
atomic_inc(&vcc->stats->rx);
Reported by FlawFinder.
Line: 2421
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
card = (ns_dev *) dev->dev_data;
stat = readl(card->membase + STAT);
if (!left--)
return sprintf(page, "Pool count min init max \n");
if (!left--)
return sprintf(page, "Small %5d %5d %5d %5d \n",
ns_stat_sfbqc_get(stat), card->sbnr.min,
card->sbnr.init, card->sbnr.max);
if (!left--)
Reported by FlawFinder.
Line: 2423
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!left--)
return sprintf(page, "Pool count min init max \n");
if (!left--)
return sprintf(page, "Small %5d %5d %5d %5d \n",
ns_stat_sfbqc_get(stat), card->sbnr.min,
card->sbnr.init, card->sbnr.max);
if (!left--)
return sprintf(page, "Large %5d %5d %5d %5d \n",
ns_stat_lfbqc_get(stat), card->lbnr.min,
Reported by FlawFinder.
Line: 2427
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ns_stat_sfbqc_get(stat), card->sbnr.min,
card->sbnr.init, card->sbnr.max);
if (!left--)
return sprintf(page, "Large %5d %5d %5d %5d \n",
ns_stat_lfbqc_get(stat), card->lbnr.min,
card->lbnr.init, card->lbnr.max);
if (!left--)
return sprintf(page, "Huge %5d %5d %5d %5d \n",
card->hbpool.count, card->hbnr.min,
Reported by FlawFinder.
Line: 2431
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ns_stat_lfbqc_get(stat), card->lbnr.min,
card->lbnr.init, card->lbnr.max);
if (!left--)
return sprintf(page, "Huge %5d %5d %5d %5d \n",
card->hbpool.count, card->hbnr.min,
card->hbnr.init, card->hbnr.max);
if (!left--)
return sprintf(page, "Iovec %5d %5d %5d %5d \n",
card->iovpool.count, card->iovnr.min,
Reported by FlawFinder.
Line: 2435
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
card->hbpool.count, card->hbnr.min,
card->hbnr.init, card->hbnr.max);
if (!left--)
return sprintf(page, "Iovec %5d %5d %5d %5d \n",
card->iovpool.count, card->iovnr.min,
card->iovnr.init, card->iovnr.max);
if (!left--) {
int retval;
retval =
Reported by FlawFinder.
Line: 2441
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!left--) {
int retval;
retval =
sprintf(page, "Interrupt counter: %u \n", card->intcnt);
card->intcnt = 0;
return retval;
}
#if 0
/* Dump 25.6 Mbps PHY registers */
Reported by FlawFinder.
Line: 2461
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
phy_regs[i] = readl(card->membase + DR0) & 0x000000FF;
}
return sprintf(page, "PHY regs: 0x%02X 0x%02X 0x%02X 0x%02X \n",
phy_regs[0], phy_regs[1], phy_regs[2],
phy_regs[3]);
}
#endif /* 0 - Dump 25.6 Mbps PHY registers */
#if 0
Reported by FlawFinder.
drivers/platform/chrome/cros_ec_lpc.c
12 issues
Line: 43
Column: 7
CWE codes:
120
20
* the 8-bit checksum of all bytes written.
*/
struct lpc_driver_ops {
u8 (*read)(unsigned int offset, unsigned int length, u8 *dest);
u8 (*write)(unsigned int offset, unsigned int length, const u8 *msg);
};
static struct lpc_driver_ops cros_ec_lpc_ops = { };
Reported by FlawFinder.
Line: 132
Column: 25
CWE codes:
120
20
usleep_range(200, 300);
do {
if (!(cros_ec_lpc_ops.read(EC_LPC_ADDR_HOST_CMD, 1, &data) &
EC_LPC_STATUS_BUSY_MASK))
return 0;
usleep_range(100, 200);
} while (time_before(jiffies, one_second));
Reported by FlawFinder.
Line: 165
Column: 32
CWE codes:
120
20
}
/* Check result */
msg->result = cros_ec_lpc_ops.read(EC_LPC_ADDR_HOST_DATA, 1, &sum);
ret = cros_ec_check_result(ec, msg);
if (ret)
goto done;
/* Read back response */
Reported by FlawFinder.
Line: 172
Column: 24
CWE codes:
120
20
/* Read back response */
dout = (u8 *)&response;
sum = cros_ec_lpc_ops.read(EC_LPC_ADDR_HOST_PACKET, sizeof(response),
dout);
msg->result = response.result;
if (response.data_len > msg->insize) {
Reported by FlawFinder.
Line: 186
Column: 25
CWE codes:
120
20
}
/* Read response and process checksum */
sum += cros_ec_lpc_ops.read(EC_LPC_ADDR_HOST_PACKET +
sizeof(response), response.data_len,
msg->data);
if (sum) {
dev_err(ec->dev,
Reported by FlawFinder.
Line: 247
Column: 32
CWE codes:
120
20
}
/* Check result */
msg->result = cros_ec_lpc_ops.read(EC_LPC_ADDR_HOST_DATA, 1, &sum);
ret = cros_ec_check_result(ec, msg);
if (ret)
goto done;
/* Read back args */
Reported by FlawFinder.
Line: 253
Column: 18
CWE codes:
120
20
goto done;
/* Read back args */
cros_ec_lpc_ops.read(EC_LPC_ADDR_HOST_ARGS, sizeof(args), (u8 *)&args);
if (args.data_size > msg->insize) {
dev_err(ec->dev,
"packet too long (%d bytes, expected %d)",
args.data_size, msg->insize);
Reported by FlawFinder.
Line: 267
Column: 25
CWE codes:
120
20
sum = msg->command + args.flags + args.command_version + args.data_size;
/* Read response and update checksum */
sum += cros_ec_lpc_ops.read(EC_LPC_ADDR_HOST_PARAM, args.data_size,
msg->data);
/* Verify checksum */
if (args.checksum != sum) {
dev_err(ec->dev,
Reported by FlawFinder.
Line: 298
Column: 19
CWE codes:
120
20
/* fixed length */
if (bytes) {
cros_ec_lpc_ops.read(EC_LPC_ADDR_MEMMAP + offset, bytes, s);
return bytes;
}
/* string */
for (; i < EC_MEMMAP_SIZE; i++, s++) {
Reported by FlawFinder.