The following issues were found
kernel/ksysfs.c
12 issues
Line: 43
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t uevent_helper_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%s\n", uevent_helper);
}
static ssize_t uevent_helper_store(struct kobject *kobj,
struct kobj_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 34
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t uevent_seqnum_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%llu\n", (unsigned long long)uevent_seqnum);
}
KERNEL_ATTR_RO(uevent_seqnum);
#ifdef CONFIG_UEVENT_HELPER
/* uevent helper program, used during early boot */
Reported by FlawFinder.
Line: 51
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
if (count+1 > UEVENT_HELPER_PATH_LEN)
return -ENOENT;
memcpy(uevent_helper, buf, count);
uevent_helper[count] = '\0';
if (count && uevent_helper[count-1] == '\n')
uevent_helper[count-1] = '\0';
return count;
}
Reported by FlawFinder.
Line: 64
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t profiling_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%d\n", prof_on);
}
static ssize_t profiling_store(struct kobject *kobj,
struct kobj_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 95
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t kexec_loaded_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%d\n", !!kexec_image);
}
KERNEL_ATTR_RO(kexec_loaded);
static ssize_t kexec_crash_loaded_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 102
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t kexec_crash_loaded_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%d\n", kexec_crash_loaded());
}
KERNEL_ATTR_RO(kexec_crash_loaded);
static ssize_t kexec_crash_size_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 109
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t kexec_crash_size_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%zu\n", crash_get_memory_size());
}
static ssize_t kexec_crash_size_store(struct kobject *kobj,
struct kobj_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 134
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct kobj_attribute *attr, char *buf)
{
phys_addr_t vmcore_base = paddr_vmcoreinfo_note();
return sprintf(buf, "%pa %x\n", &vmcore_base,
(unsigned int)VMCOREINFO_NOTE_SIZE);
}
KERNEL_ATTR_RO(vmcoreinfo);
#endif /* CONFIG_CRASH_CORE */
Reported by FlawFinder.
Line: 145
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t fscaps_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%d\n", file_caps_enabled);
}
KERNEL_ATTR_RO(fscaps);
#ifndef CONFIG_TINY_RCU
int rcu_expedited;
Reported by FlawFinder.
Line: 154
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t rcu_expedited_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%d\n", READ_ONCE(rcu_expedited));
}
static ssize_t rcu_expedited_store(struct kobject *kobj,
struct kobj_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
drivers/media/usb/pvrusb2/pvrusb2-hdw.c
12 issues
Line: 1468
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = 0;
for (address = 0; address < fwsize; address += 0x800) {
memcpy(fw_ptr, fw_entry->data + address, 0x800);
ret += usb_control_msg(hdw->usb_dev, pipe, 0xa0, 0x40, address,
0, fw_ptr, 0x800, HZ);
}
trace_firmware("Upload done, releasing device's CPU");
Reported by FlawFinder.
Line: 1591
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (fw_done = 0; fw_done < fw_len;) {
bcnt = fw_len - fw_done;
if (bcnt > FIRMWARE_CHUNK_SIZE) bcnt = FIRMWARE_CHUNK_SIZE;
memcpy(fw_ptr, fw_entry->data + fw_done, bcnt);
/* Usbsnoop log shows that we must swap bytes... */
/* Some background info: The data being swapped here is a
firmware image destined for the mpeg encoder chip that
lives at the other end of a USB endpoint. The encoder
chip always talks in 32 bit chunks and its storage is
Reported by FlawFinder.
Line: 1861
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void pvr2_hdw_setup_std(struct pvr2_hdw *hdw)
{
char buf[40];
unsigned int bcnt;
v4l2_std_id std1,std2,std3;
std1 = get_default_standard(hdw);
std3 = std1 ? 0 : hdw->hdw_desc->default_std_mask;
Reported by FlawFinder.
Line: 2975
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pvr2_ctrl *cptr;
int value;
int commit_flag = hdw->force_dirty;
char buf[100];
unsigned int bcnt,ccnt;
for (idx = 0; idx < hdw->control_cnt; idx++) {
cptr = hdw->controls + idx;
if (!cptr->info->is_dirty) continue;
Reported by FlawFinder.
Line: 3274
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
LOCK_TAKE(hdw->big_lock);
stat = pvr2_hdw_check_cropcap(hdw);
if (!stat) {
memcpy(pp, &hdw->cropcap_info, sizeof(hdw->cropcap_info));
}
LOCK_GIVE(hdw->big_lock);
return stat;
}
Reported by FlawFinder.
Line: 3288
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (hdw->tuner_signal_stale) {
pvr2_hdw_status_poll(hdw);
}
memcpy(vtp,&hdw->tuner_signal_info,sizeof(struct v4l2_tuner));
} while (0); LOCK_GIVE(hdw->big_lock);
return 0;
}
Reported by FlawFinder.
Line: 3495
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (offs + cnt > hdw->fw_size) cnt = hdw->fw_size - offs;
memcpy(buf,hdw->fw_buffer+offs,cnt);
pvr2_trace(PVR2_TRACE_FIRMWARE,
"Read firmware data offs=%d cnt=%d",
offs,cnt);
ret = cnt;
Reported by FlawFinder.
Line: 3629
Column: 36
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
hdw->cmd_debug_state = 1;
if (write_len && write_data)
hdw->cmd_debug_code = ((unsigned char *)write_data)[0];
else
hdw->cmd_debug_code = 0;
hdw->cmd_debug_write_len = write_len;
hdw->cmd_debug_read_len = read_len;
Reported by FlawFinder.
Line: 3648
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Transfer write data to internal buffer */
for (idx = 0; idx < write_len; idx++) {
hdw->ctl_write_buffer[idx] =
((unsigned char *)write_data)[idx];
}
/* Initiate a write request */
usb_fill_bulk_urb(hdw->ctl_write_urb,
hdw->usb_dev,
usb_sndbulkpipe(hdw->usb_dev,
Reported by FlawFinder.
Line: 3789
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
/* Transfer retrieved data out from internal buffer */
for (idx = 0; idx < read_len; idx++) {
((unsigned char *)read_data)[idx] =
hdw->ctl_read_buffer[idx];
}
}
done:
Reported by FlawFinder.
drivers/virtio/virtio_mmio.c
12 issues
Line: 168
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (len) {
case 1:
b = readb(base + offset);
memcpy(buf, &b, sizeof b);
break;
case 2:
w = cpu_to_le16(readw(base + offset));
memcpy(buf, &w, sizeof w);
break;
Reported by FlawFinder.
Line: 172
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 2:
w = cpu_to_le16(readw(base + offset));
memcpy(buf, &w, sizeof w);
break;
case 4:
l = cpu_to_le32(readl(base + offset));
memcpy(buf, &l, sizeof l);
break;
Reported by FlawFinder.
Line: 176
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 4:
l = cpu_to_le32(readl(base + offset));
memcpy(buf, &l, sizeof l);
break;
case 8:
l = cpu_to_le32(readl(base + offset));
memcpy(buf, &l, sizeof l);
l = cpu_to_le32(ioread32(base + offset + sizeof l));
Reported by FlawFinder.
Line: 180
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 8:
l = cpu_to_le32(readl(base + offset));
memcpy(buf, &l, sizeof l);
l = cpu_to_le32(ioread32(base + offset + sizeof l));
memcpy(buf + sizeof l, &l, sizeof l);
break;
default:
BUG();
Reported by FlawFinder.
Line: 182
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
l = cpu_to_le32(readl(base + offset));
memcpy(buf, &l, sizeof l);
l = cpu_to_le32(ioread32(base + offset + sizeof l));
memcpy(buf + sizeof l, &l, sizeof l);
break;
default:
BUG();
}
}
Reported by FlawFinder.
Line: 210
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (len) {
case 1:
memcpy(&b, buf, sizeof b);
writeb(b, base + offset);
break;
case 2:
memcpy(&w, buf, sizeof w);
writew(le16_to_cpu(w), base + offset);
Reported by FlawFinder.
Line: 214
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
writeb(b, base + offset);
break;
case 2:
memcpy(&w, buf, sizeof w);
writew(le16_to_cpu(w), base + offset);
break;
case 4:
memcpy(&l, buf, sizeof l);
writel(le32_to_cpu(l), base + offset);
Reported by FlawFinder.
Line: 218
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
writew(le16_to_cpu(w), base + offset);
break;
case 4:
memcpy(&l, buf, sizeof l);
writel(le32_to_cpu(l), base + offset);
break;
case 8:
memcpy(&l, buf, sizeof l);
writel(le32_to_cpu(l), base + offset);
Reported by FlawFinder.
Line: 222
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
writel(le32_to_cpu(l), base + offset);
break;
case 8:
memcpy(&l, buf, sizeof l);
writel(le32_to_cpu(l), base + offset);
memcpy(&l, buf + sizeof l, sizeof l);
writel(le32_to_cpu(l), base + offset + sizeof l);
break;
default:
Reported by FlawFinder.
Line: 224
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case 8:
memcpy(&l, buf, sizeof l);
writel(le32_to_cpu(l), base + offset);
memcpy(&l, buf + sizeof l, sizeof l);
writel(le32_to_cpu(l), base + offset + sizeof l);
break;
default:
BUG();
}
Reported by FlawFinder.
kernel/params.c
12 issues
Line: 855
CWE codes:
570
struct module_kobject *mk;
int err;
for (vattr = __start___modver; vattr < __stop___modver; vattr++) {
mk = locate_module_kobject(vattr->module_name);
if (mk) {
err = sysfs_create_file(&mk->kobj, &vattr->mattr.attr);
WARN_ON_ONCE(err);
kobject_uevent(&mk->kobj, KOBJ_ADD);
Reported by Cppcheck.
Line: 261
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
*(char **)kp->arg = kmalloc_parameter(strlen(val)+1);
if (!*(char **)kp->arg)
return -ENOMEM;
strcpy(*(char **)kp->arg, val);
} else
*(const char **)kp->arg = val;
return 0;
}
Reported by FlawFinder.
Line: 501
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
kp->name, kps->maxlen-1);
return -ENOSPC;
}
strcpy(kps->string, val);
return 0;
}
EXPORT_SYMBOL(param_set_copystring);
int param_get_string(char *buffer, const struct kernel_param *kp)
Reported by FlawFinder.
Line: 302
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int param_get_bool(char *buffer, const struct kernel_param *kp)
{
/* Y and N chosen as being relatively non-coder friendly */
return sprintf(buffer, "%c\n", *(bool *)kp->arg ? 'Y' : 'N');
}
EXPORT_SYMBOL(param_get_bool);
const struct kernel_param_ops param_ops_bool = {
.flags = KERNEL_PARAM_OPS_FL_NOARG,
Reported by FlawFinder.
Line: 361
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int param_get_invbool(char *buffer, const struct kernel_param *kp)
{
return sprintf(buffer, "%c\n", (*(bool *)kp->arg) ? 'N' : 'Y');
}
EXPORT_SYMBOL(param_get_invbool);
const struct kernel_param_ops param_ops_invbool = {
.set = param_set_invbool,
Reported by FlawFinder.
Line: 426
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* nul-terminate and parse */
save = val[len];
((char *)val)[len] = '\0';
check_kparam_locked(mod);
ret = set(val, &kp);
if (ret != 0)
return ret;
Reported by FlawFinder.
Line: 816
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const struct kernel_param *kp;
unsigned int name_len;
char modname[MODULE_NAME_LEN];
for (kp = __start___param; kp < __stop___param; kp++) {
char *dot;
if (kp->perm == 0)
Reported by FlawFinder.
Line: 827
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
dot = strchr(kp->name, '.');
if (!dot) {
/* This happens for core_param() */
strcpy(modname, "kernel");
name_len = 0;
} else {
name_len = dot - kp->name + 1;
strlcpy(modname, kp->name, name_len);
}
Reported by FlawFinder.
Line: 97
Column: 24
CWE codes:
126
bool parameq(const char *a, const char *b)
{
return parameqn(a, b, strlen(a)+1);
}
static bool param_check_unsafe(const struct kernel_param *kp)
{
if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
Reported by FlawFinder.
Line: 248
Column: 6
CWE codes:
126
int param_set_charp(const char *val, const struct kernel_param *kp)
{
if (strlen(val) > 1024) {
pr_err("%s: string parameter too long\n", kp->name);
return -ENOSPC;
}
maybe_kfree_parameter(*(char **)kp->arg);
Reported by FlawFinder.
fs/cifs/fs_context.c
12 issues
Line: 566
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
*/
while (options && options[0] == ',') {
len = strlen(key);
strcpy(key + len, options);
options = strchr(options, ',');
if (options)
*options++ = 0;
}
Reported by FlawFinder.
Line: 318
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int
smb3_fs_context_dup(struct smb3_fs_context *new_ctx, struct smb3_fs_context *ctx)
{
memcpy(new_ctx, ctx, sizeof(*ctx));
new_ctx->prepath = NULL;
new_ctx->mount_options = NULL;
new_ctx->nodename = NULL;
new_ctx->username = NULL;
new_ctx->password = NULL;
Reported by FlawFinder.
Line: 429
Column: 27
CWE codes:
126
if (!*p)
continue;
if (strncasecmp(p, key, strlen(key)))
continue;
nval = strchr(p, '=');
if (nval) {
if (nval == p)
continue;
Reported by FlawFinder.
Line: 565
Column: 10
CWE codes:
126
* character to the deliminator
*/
while (options && options[0] == ',') {
len = strlen(key);
strcpy(key + len, options);
options = strchr(options, ',');
if (options)
*options++ = 0;
}
Reported by FlawFinder.
Line: 579
Column: 10
CWE codes:
126
if (value == key)
continue;
*value++ = 0;
len = strlen(value);
}
ret = vfs_parse_fs_string(fc, key, value, len);
if (ret < 0)
break;
Reported by FlawFinder.
Line: 620
Column: 6
CWE codes:
126
}
/* make sure UNC has a share name */
if (strlen(ctx->UNC) < 3 || !strchr(ctx->UNC + 3, '\\')) {
cifs_errorf(fc, "Malformed UNC. Unable to find share name.\n");
return -ENOENT;
}
if (!ctx->got_ip) {
Reported by FlawFinder.
Line: 1093
Column: 7
CWE codes:
126
case Opt_user:
kfree(ctx->username);
ctx->username = NULL;
if (strlen(param->string) == 0) {
/* null user, ie. anonymous authentication */
ctx->nullauth = 1;
break;
}
Reported by FlawFinder.
Line: 1113
Column: 7
CWE codes:
126
case Opt_pass:
kfree(ctx->password);
ctx->password = NULL;
if (strlen(param->string) == 0)
break;
ctx->password = kstrdup(param->string, GFP_KERNEL);
if (ctx->password == NULL) {
cifs_errorf(fc, "OOM when copying password string\n");
Reported by FlawFinder.
Line: 1123
Column: 7
CWE codes:
126
}
break;
case Opt_ip:
if (strlen(param->string) == 0) {
ctx->got_ip = false;
break;
}
if (!cifs_convert_address((struct sockaddr *)&ctx->dstaddr,
param->string,
Reported by FlawFinder.
Line: 1129
Column: 8
CWE codes:
126
}
if (!cifs_convert_address((struct sockaddr *)&ctx->dstaddr,
param->string,
strlen(param->string))) {
pr_err("bad ip= option (%s)\n", param->string);
goto cifs_parse_mount_err;
}
ctx->got_ip = true;
break;
Reported by FlawFinder.
drivers/media/usb/dvb-usb-v2/dvbsky.c
12 issues
Line: 47
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&d->usb_mutex);
if (wlen != 0)
memcpy(state->obuf, wbuf, wlen);
ret = dvb_usbv2_generic_rw_locked(d, state->obuf, wlen,
state->ibuf, rlen);
if (!ret && (rlen != 0))
Reported by FlawFinder.
Line: 53
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
state->ibuf, rlen);
if (!ret && (rlen != 0))
memcpy(rbuf, state->ibuf, rlen);
mutex_unlock(&d->usb_mutex);
return ret;
}
Reported by FlawFinder.
Line: 67
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int ret;
mutex_lock(&d->usb_mutex);
memcpy(state->obuf, obuf_pre, 3);
ret = dvb_usbv2_generic_write_locked(d, state->obuf, 3);
if (!ret && onoff) {
msleep(20);
memcpy(state->obuf, obuf_post, 3);
ret = dvb_usbv2_generic_write_locked(d, state->obuf, 3);
Reported by FlawFinder.
Line: 71
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = dvb_usbv2_generic_write_locked(d, state->obuf, 3);
if (!ret && onoff) {
msleep(20);
memcpy(state->obuf, obuf_post, 3);
ret = dvb_usbv2_generic_write_locked(d, state->obuf, 3);
}
mutex_unlock(&d->usb_mutex);
return ret;
}
Reported by FlawFinder.
Line: 133
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = dvbsky_usb_generic_rw(d, obuf, 4,
ibuf, msg[0].len + 1);
if (!ret)
memcpy(msg[0].buf, &ibuf[1], msg[0].len);
} else {
/* write */
obuf[0] = 0x08;
obuf[1] = msg[0].addr;
obuf[2] = msg[0].len;
Reported by FlawFinder.
Line: 139
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
obuf[0] = 0x08;
obuf[1] = msg[0].addr;
obuf[2] = msg[0].len;
memcpy(&obuf[3], msg[0].buf, msg[0].len);
ret = dvbsky_usb_generic_rw(d, obuf,
msg[0].len + 3, ibuf, 1);
}
} else {
if ((msg[0].len > 60) || (msg[1].len > 60)) {
Reported by FlawFinder.
Line: 156
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
obuf[1] = msg[0].len;
obuf[2] = msg[1].len;
obuf[3] = msg[0].addr;
memcpy(&obuf[4], msg[0].buf, msg[0].len);
ret = dvbsky_usb_generic_rw(d, obuf,
msg[0].len + 4, ibuf, msg[1].len + 1);
if (!ret)
memcpy(msg[1].buf, &ibuf[1], msg[1].len);
}
Reported by FlawFinder.
Line: 160
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = dvbsky_usb_generic_rw(d, obuf,
msg[0].len + 4, ibuf, msg[1].len + 1);
if (!ret)
memcpy(msg[1].buf, &ibuf[1], msg[1].len);
}
i2c_error:
mutex_unlock(&d->i2c_mutex);
return (ret) ? ret : num;
}
Reported by FlawFinder.
Line: 252
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
};
if (i2c_transfer(&d->i2c_adap, msg, 2) == 2)
memcpy(mac, ibuf, 6);
return 0;
}
static int dvbsky_usb_read_status(struct dvb_frontend *fe,
Reported by FlawFinder.
Line: 345
Column: 42
CWE codes:
120
20
return state->fe_set_voltage(fe, voltage);
}
static int dvbsky_ci_ctrl(void *priv, u8 read, int addr,
u8 data, int *mem)
{
struct dvb_usb_device *d = priv;
int ret = 0;
u8 command[4], respond[2], command_size, respond_size;
Reported by FlawFinder.
drivers/video/fbdev/matrox/matroxfb_base.h
12 issues
Line: 465
Column: 28
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
struct matrox_bios bios;
struct {
struct matrox_pll_limits pixel;
struct matrox_pll_limits system;
struct matrox_pll_limits video;
} limits;
struct {
struct matrox_pll_cache pixel;
struct matrox_pll_cache system;
Reported by FlawFinder.
Line: 470
Column: 27
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
} limits;
struct {
struct matrox_pll_cache pixel;
struct matrox_pll_cache system;
struct matrox_pll_cache video;
} cache;
struct {
struct {
unsigned int video;
Reported by FlawFinder.
Line: 476
Column: 17
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
struct {
struct {
unsigned int video;
unsigned int system;
} pll;
struct {
u_int32_t opt;
u_int32_t opt2;
u_int32_t opt3;
Reported by FlawFinder.
Line: 266
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct matrox_hw_state {
u_int32_t MXoptionReg;
unsigned char DACclk[6];
unsigned char DACreg[80];
unsigned char MiscOutReg;
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
Reported by FlawFinder.
Line: 267
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct matrox_hw_state {
u_int32_t MXoptionReg;
unsigned char DACclk[6];
unsigned char DACreg[80];
unsigned char MiscOutReg;
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
Reported by FlawFinder.
Line: 269
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char DACclk[6];
unsigned char DACreg[80];
unsigned char MiscOutReg;
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
/* unused for MGA mode, but who knows... */
unsigned char GCTL[9];
Reported by FlawFinder.
Line: 270
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char DACreg[80];
unsigned char MiscOutReg;
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
/* unused for MGA mode, but who knows... */
unsigned char GCTL[9];
/* unused for MGA mode, but who knows... */
Reported by FlawFinder.
Line: 271
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char MiscOutReg;
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
/* unused for MGA mode, but who knows... */
unsigned char GCTL[9];
/* unused for MGA mode, but who knows... */
unsigned char ATTR[21];
Reported by FlawFinder.
Line: 272
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
/* unused for MGA mode, but who knows... */
unsigned char GCTL[9];
/* unused for MGA mode, but who knows... */
unsigned char ATTR[21];
Reported by FlawFinder.
Line: 274
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
/* unused for MGA mode, but who knows... */
unsigned char GCTL[9];
/* unused for MGA mode, but who knows... */
unsigned char ATTR[21];
/* TVOut only */
struct mavenregs maven;
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx4/main.c
12 issues
Line: 1166
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct mlx4_dev *mdev = info->dev;
char type[8];
sprintf(type, "%s",
(mdev->caps.port_type[info->port] == MLX4_PORT_TYPE_IB) ?
"ib" : "eth");
if (mdev->caps.possible_type[info->port] == MLX4_PORT_TYPE_AUTO)
sprintf(buf, "auto (%s)\n", type);
else
Reported by FlawFinder.
Line: 1170
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
(mdev->caps.port_type[info->port] == MLX4_PORT_TYPE_IB) ?
"ib" : "eth");
if (mdev->caps.possible_type[info->port] == MLX4_PORT_TYPE_AUTO)
sprintf(buf, "auto (%s)\n", type);
else
sprintf(buf, "%s\n", type);
return strlen(buf);
}
Reported by FlawFinder.
Line: 1172
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (mdev->caps.possible_type[info->port] == MLX4_PORT_TYPE_AUTO)
sprintf(buf, "auto (%s)\n", type);
else
sprintf(buf, "%s\n", type);
return strlen(buf);
}
static int __set_port_type(struct mlx4_port_info *info,
Reported by FlawFinder.
Line: 1164
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mlx4_port_info *info = container_of(attr, struct mlx4_port_info,
port_attr);
struct mlx4_dev *mdev = info->dev;
char type[8];
sprintf(type, "%s",
(mdev->caps.port_type[info->port] == MLX4_PORT_TYPE_IB) ?
"ib" : "eth");
if (mdev->caps.possible_type[info->port] == MLX4_PORT_TYPE_AUTO)
Reported by FlawFinder.
Line: 1319
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (mdev->caps.port_type[info->port] == MLX4_PORT_TYPE_ETH)
mlx4_warn(mdev, "port level mtu is only used for IB ports\n");
sprintf(buf, "%d\n",
ibta_mtu_to_int(mdev->caps.port_ib_mtu[info->port]));
return strlen(buf);
}
static ssize_t set_port_ib_mtu(struct device *dev,
Reported by FlawFinder.
Line: 3060
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
info->base_qpn = mlx4_get_base_qpn(dev, port);
}
sprintf(info->dev_name, "mlx4_port%d", port);
info->port_attr.attr.name = info->dev_name;
if (mlx4_is_mfunc(dev)) {
info->port_attr.attr.mode = 0444;
} else {
info->port_attr.attr.mode = 0644;
Reported by FlawFinder.
Line: 3079
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return err;
}
sprintf(info->dev_mtu_name, "mlx4_port%d_mtu", port);
info->port_mtu_attr.attr.name = info->dev_mtu_name;
if (mlx4_is_mfunc(dev)) {
info->port_mtu_attr.attr.mode = 0444;
} else {
info->port_mtu_attr.attr.mode = 0644;
Reported by FlawFinder.
Line: 4228
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pci_dev_data = priv->pci_dev_data;
total_vfs = dev->persist->num_vfs;
memcpy(nvfs, dev->persist->nvfs, sizeof(dev->persist->nvfs));
if (reload)
mlx4_devlink_param_load_driverinit_values(devlink);
err = mlx4_load_one(pdev, pci_dev_data, total_vfs, nvfs, priv, 1);
if (err) {
Reported by FlawFinder.
Line: 4356
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mlx4_err(dev, "%s was called\n", __func__);
total_vfs = dev->persist->num_vfs;
memcpy(nvfs, dev->persist->nvfs, sizeof(dev->persist->nvfs));
mutex_lock(&persist->interface_state_mutex);
if (!(persist->interface_state & MLX4_INTERFACE_STATE_UP)) {
err = mlx4_load_one(pdev, priv->pci_dev_data, total_vfs, nvfs,
priv, 1);
Reported by FlawFinder.
Line: 4425
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mlx4_err(dev, "resume was called\n");
total_vfs = dev->persist->num_vfs;
memcpy(nvfs, dev->persist->nvfs, sizeof(dev->persist->nvfs));
mutex_lock(&persist->interface_state_mutex);
if (!(persist->interface_state & MLX4_INTERFACE_STATE_UP)) {
ret = mlx4_load_one(pdev, priv->pci_dev_data, total_vfs,
nvfs, priv, 1);
Reported by FlawFinder.
crypto/ansi_cprng.c
12 issues
Line: 41
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct prng_context {
spinlock_t prng_lock;
unsigned char rand_data[DEFAULT_BLK_SZ];
unsigned char last_rand_data[DEFAULT_BLK_SZ];
unsigned char DT[DEFAULT_BLK_SZ];
unsigned char I[DEFAULT_BLK_SZ];
unsigned char V[DEFAULT_BLK_SZ];
u32 rand_data_valid;
Reported by FlawFinder.
Line: 42
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct prng_context {
spinlock_t prng_lock;
unsigned char rand_data[DEFAULT_BLK_SZ];
unsigned char last_rand_data[DEFAULT_BLK_SZ];
unsigned char DT[DEFAULT_BLK_SZ];
unsigned char I[DEFAULT_BLK_SZ];
unsigned char V[DEFAULT_BLK_SZ];
u32 rand_data_valid;
struct crypto_cipher *tfm;
Reported by FlawFinder.
Line: 43
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
spinlock_t prng_lock;
unsigned char rand_data[DEFAULT_BLK_SZ];
unsigned char last_rand_data[DEFAULT_BLK_SZ];
unsigned char DT[DEFAULT_BLK_SZ];
unsigned char I[DEFAULT_BLK_SZ];
unsigned char V[DEFAULT_BLK_SZ];
u32 rand_data_valid;
struct crypto_cipher *tfm;
u32 flags;
Reported by FlawFinder.
Line: 44
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char rand_data[DEFAULT_BLK_SZ];
unsigned char last_rand_data[DEFAULT_BLK_SZ];
unsigned char DT[DEFAULT_BLK_SZ];
unsigned char I[DEFAULT_BLK_SZ];
unsigned char V[DEFAULT_BLK_SZ];
u32 rand_data_valid;
struct crypto_cipher *tfm;
u32 flags;
};
Reported by FlawFinder.
Line: 45
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char last_rand_data[DEFAULT_BLK_SZ];
unsigned char DT[DEFAULT_BLK_SZ];
unsigned char I[DEFAULT_BLK_SZ];
unsigned char V[DEFAULT_BLK_SZ];
u32 rand_data_valid;
struct crypto_cipher *tfm;
u32 flags;
};
Reported by FlawFinder.
Line: 84
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
{
int i;
unsigned char tmp[DEFAULT_BLK_SZ];
unsigned char *output = NULL;
dbgprint(KERN_CRIT "Calling _get_more_prng_bytes for context %p\n",
ctx);
Reported by FlawFinder.
Line: 106
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Start by encrypting the counter value
* This gives us an intermediate value I
*/
memcpy(tmp, ctx->DT, DEFAULT_BLK_SZ);
output = ctx->I;
hexdump("tmp stage 0: ", tmp, DEFAULT_BLK_SZ);
break;
case 1:
Reported by FlawFinder.
Line: 140
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->flags |= PRNG_NEED_RESET;
return -EINVAL;
}
memcpy(ctx->last_rand_data, ctx->rand_data,
DEFAULT_BLK_SZ);
/*
* Lastly xor the random data with I
* and encrypt that to obtain a new secret vector V
Reported by FlawFinder.
Line: 253
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (ctx->rand_data_valid > 0)
goto empty_rbuf;
memcpy(ptr, ctx->rand_data, DEFAULT_BLK_SZ);
ctx->rand_data_valid += DEFAULT_BLK_SZ;
ptr += DEFAULT_BLK_SZ;
}
/*
Reported by FlawFinder.
Line: 292
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
klen = DEFAULT_PRNG_KSZ;
if (V)
memcpy(ctx->V, V, DEFAULT_BLK_SZ);
else
memcpy(ctx->V, DEFAULT_V_SEED, DEFAULT_BLK_SZ);
if (DT)
memcpy(ctx->DT, DT, DEFAULT_BLK_SZ);
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
12 issues
Line: 365
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct flow_match_ipv4_addrs match;
flow_rule_match_ipv4_addrs(rule, &match);
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_c,
src_ipv4_src_ipv6.ipv4_layout.ipv4),
&match.mask->src, sizeof(match.mask->src));
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_v,
src_ipv4_src_ipv6.ipv4_layout.ipv4),
&match.key->src, sizeof(match.key->src));
Reported by FlawFinder.
Line: 368
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_c,
src_ipv4_src_ipv6.ipv4_layout.ipv4),
&match.mask->src, sizeof(match.mask->src));
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_v,
src_ipv4_src_ipv6.ipv4_layout.ipv4),
&match.key->src, sizeof(match.key->src));
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_c,
dst_ipv4_dst_ipv6.ipv4_layout.ipv4),
&match.mask->dst, sizeof(match.mask->dst));
Reported by FlawFinder.
Line: 371
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_v,
src_ipv4_src_ipv6.ipv4_layout.ipv4),
&match.key->src, sizeof(match.key->src));
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_c,
dst_ipv4_dst_ipv6.ipv4_layout.ipv4),
&match.mask->dst, sizeof(match.mask->dst));
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_v,
dst_ipv4_dst_ipv6.ipv4_layout.ipv4),
&match.key->dst, sizeof(match.key->dst));
Reported by FlawFinder.
Line: 374
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_c,
dst_ipv4_dst_ipv6.ipv4_layout.ipv4),
&match.mask->dst, sizeof(match.mask->dst));
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_v,
dst_ipv4_dst_ipv6.ipv4_layout.ipv4),
&match.key->dst, sizeof(match.key->dst));
}
if (addr_type == FLOW_DISSECTOR_KEY_IPV6_ADDRS) {
Reported by FlawFinder.
Line: 383
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct flow_match_ipv6_addrs match;
flow_rule_match_ipv6_addrs(rule, &match);
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_c,
src_ipv4_src_ipv6.ipv6_layout.ipv6),
&match.mask->src, sizeof(match.mask->src));
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_v,
src_ipv4_src_ipv6.ipv6_layout.ipv6),
&match.key->src, sizeof(match.key->src));
Reported by FlawFinder.
Line: 386
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_c,
src_ipv4_src_ipv6.ipv6_layout.ipv6),
&match.mask->src, sizeof(match.mask->src));
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_v,
src_ipv4_src_ipv6.ipv6_layout.ipv6),
&match.key->src, sizeof(match.key->src));
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_c,
dst_ipv4_dst_ipv6.ipv6_layout.ipv6),
Reported by FlawFinder.
Line: 390
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src_ipv4_src_ipv6.ipv6_layout.ipv6),
&match.key->src, sizeof(match.key->src));
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_c,
dst_ipv4_dst_ipv6.ipv6_layout.ipv6),
&match.mask->dst, sizeof(match.mask->dst));
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_v,
dst_ipv4_dst_ipv6.ipv6_layout.ipv6),
&match.key->dst, sizeof(match.key->dst));
Reported by FlawFinder.
Line: 393
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_c,
dst_ipv4_dst_ipv6.ipv6_layout.ipv6),
&match.mask->dst, sizeof(match.mask->dst));
memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_v,
dst_ipv4_dst_ipv6.ipv6_layout.ipv6),
&match.key->dst, sizeof(match.key->dst));
}
if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_PORTS)) {
Reported by FlawFinder.
Line: 1043
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (err)
goto err_set;
memcpy(&entry->tuple_nat, &entry->tuple, sizeof(entry->tuple));
err = mlx5_tc_ct_rule_to_tuple_nat(&entry->tuple_nat, flow_rule);
if (err)
goto err_set;
spin_lock_bh(&ct_priv->ht_lock);
Reported by FlawFinder.
Line: 1799
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
pre_ct_attr = ct_flow->pre_ct_attr;
memcpy(pre_ct_attr, attr, attr_sz);
memcpy(ct_flow->post_ct_attr, attr, attr_sz);
/* Modify the original rule's action to fwd and modify, leave decap */
pre_ct_attr->action = attr->action & MLX5_FLOW_CONTEXT_ACTION_DECAP;
pre_ct_attr->action |= MLX5_FLOW_CONTEXT_ACTION_FWD_DEST |
Reported by FlawFinder.