The following issues were found
drivers/net/wireless/intel/iwlwifi/dvm/lib.c
11 issues
Line: 286
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
priv->bt_enable_flag = basic.flags;
if (priv->bt_full_concurrent)
memcpy(basic.bt3_lookup_table, iwlagn_concurrent_lookup,
sizeof(iwlagn_concurrent_lookup));
else
memcpy(basic.bt3_lookup_table, iwlagn_def_3w_lookup,
sizeof(iwlagn_def_3w_lookup));
Reported by FlawFinder.
Line: 289
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(basic.bt3_lookup_table, iwlagn_concurrent_lookup,
sizeof(iwlagn_concurrent_lookup));
else
memcpy(basic.bt3_lookup_table, iwlagn_def_3w_lookup,
sizeof(iwlagn_def_3w_lookup));
IWL_DEBUG_COEX(priv, "BT coex %s in %s mode\n",
basic.flags ? "active" : "disabled",
priv->bt_full_concurrent ?
Reported by FlawFinder.
Line: 298
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
"full concurrency" : "3-wire");
if (priv->lib->bt_params->bt_session_2) {
memcpy(&bt_cmd_v2.basic, &basic,
sizeof(basic));
ret = iwl_dvm_send_cmd_pdu(priv, REPLY_BT_CONFIG,
0, sizeof(bt_cmd_v2), &bt_cmd_v2);
} else {
memcpy(&bt_cmd_v1.basic, &basic,
Reported by FlawFinder.
Line: 303
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = iwl_dvm_send_cmd_pdu(priv, REPLY_BT_CONFIG,
0, sizeof(bt_cmd_v2), &bt_cmd_v2);
} else {
memcpy(&bt_cmd_v1.basic, &basic,
sizeof(basic));
ret = iwl_dvm_send_cmd_pdu(priv, REPLY_BT_CONFIG,
0, sizeof(bt_cmd_v1), &bt_cmd_v1);
}
if (ret)
Reported by FlawFinder.
Line: 925
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ieee80211_get_tkip_p1k_iv(key, seq.tkip.iv32, p1k);
iwlagn_convert_p1k(p1k, data->tkip->tx.p1k);
memcpy(data->tkip->mic_keys.tx,
&key->key[NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY],
IWLAGN_MIC_KEY_SIZE);
rx_mic_key = data->tkip->mic_keys.rx_unicast;
} else {
Reported by FlawFinder.
Line: 957
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cur_rx_iv32 + 1, p1k);
iwlagn_convert_p1k(p1k, rx_p1ks[1].p1k);
memcpy(rx_mic_key,
&key->key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY],
IWLAGN_MIC_KEY_SIZE);
data->use_tkip = true;
data->use_rsc_tsc = true;
Reported by FlawFinder.
Line: 1023
Column: 3
CWE codes:
120
Suggestion:
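Make sure destination can always hold the source data. Note: unlike the sizeof()-bounded copies flagged earlier in this file, the copy lengths here (`mask_len` and `pattern_len`) are taken from `wowlan->patterns[i]`, so triage should confirm they are validated against the size of the destination `mask` and `pattern` fields before this loop runs.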
for (i = 0; i < wowlan->n_patterns; i++) {
int mask_len = DIV_ROUND_UP(wowlan->patterns[i].pattern_len, 8);
memcpy(&pattern_cmd->patterns[i].mask,
wowlan->patterns[i].mask, mask_len);
memcpy(&pattern_cmd->patterns[i].pattern,
wowlan->patterns[i].pattern,
wowlan->patterns[i].pattern_len);
pattern_cmd->patterns[i].mask_size = mask_len;
Reported by FlawFinder.
Line: 1025
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&pattern_cmd->patterns[i].mask,
wowlan->patterns[i].mask, mask_len);
memcpy(&pattern_cmd->patterns[i].pattern,
wowlan->patterns[i].pattern,
wowlan->patterns[i].pattern_len);
pattern_cmd->patterns[i].mask_size = mask_len;
pattern_cmd->patterns[i].pattern_size =
wowlan->patterns[i].pattern_len;
Reported by FlawFinder.
Line: 1132
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
goto out;
memcpy(&ctx->staging, &rxon, sizeof(rxon));
ret = iwlagn_commit_rxon(priv, ctx);
if (ret)
goto out;
ret = iwl_power_update_mode(priv, true);
Reported by FlawFinder.
Line: 1185
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (priv->have_rekey_data) {
memset(&kek_kck_cmd, 0, sizeof(kek_kck_cmd));
memcpy(kek_kck_cmd.kck, priv->kck, NL80211_KCK_LEN);
kek_kck_cmd.kck_len = cpu_to_le16(NL80211_KCK_LEN);
memcpy(kek_kck_cmd.kek, priv->kek, NL80211_KEK_LEN);
kek_kck_cmd.kek_len = cpu_to_le16(NL80211_KEK_LEN);
kek_kck_cmd.replay_ctr = priv->replay_ctr;
Reported by FlawFinder.
drivers/scsi/hpsa.h
11 issues
Line: 188
Column: 23
CWE codes:
362/367!
Suggestion:
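Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Note: the only `access` token in the excerpt below is a struct member (`struct access_method access;`), not a call to access(), so this looks like a name-match false positive with no file-permission race to fix.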
# define MEMQ_MODE_INT 3
unsigned int msix_vectors;
int intr_mode; /* either PERF_MODE_INT or SIMPLE_MODE_INT */
struct access_method access;
/* queue and queue Info */
unsigned int Qdepth;
unsigned int maxSG;
spinlock_t lock;
Reported by FlawFinder.
Line: 669
Column: 24
CWE codes:
362/367!
Suggestion:
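Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Note: the only `access` token in the excerpt below is a struct member (`struct access_method *access;`), not a call to access(), so this looks like a name-match false positive with no file-permission race to fix.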
struct board_type {
u32 board_id;
char *product_name;
struct access_method *access;
};
#endif /* HPSA_H */
Reported by FlawFinder.
Line: 65
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hpsa_scsi_dev_t {
unsigned int devtype;
int bus, target, lun; /* as presented to the OS */
unsigned char scsi3addr[8]; /* as presented to the HW */
u8 physical_device : 1;
u8 expose_device;
u8 removed : 1; /* device is marked for death */
u8 was_removed : 1; /* device actually removed */
#define RAID_CTLR_LUNID "\0\0\0\0\0\0\0\0"
Reported by FlawFinder.
Line: 71
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 removed : 1; /* device is marked for death */
u8 was_removed : 1; /* device actually removed */
#define RAID_CTLR_LUNID "\0\0\0\0\0\0\0\0"
unsigned char device_id[16]; /* from inquiry pg. 0x83 */
u64 sas_address;
u64 eli; /* from report diags. */
unsigned char vendor[8]; /* bytes 8-15 of inquiry data */
unsigned char model[16]; /* bytes 16-31 of inquiry data */
unsigned char rev; /* byte 2 of inquiry data */
Reported by FlawFinder.
Line: 74
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char device_id[16]; /* from inquiry pg. 0x83 */
u64 sas_address;
u64 eli; /* from report diags. */
unsigned char vendor[8]; /* bytes 8-15 of inquiry data */
unsigned char model[16]; /* bytes 16-31 of inquiry data */
unsigned char rev; /* byte 2 of inquiry data */
unsigned char raid_level; /* from inquiry page 0xC1 */
unsigned char volume_offline; /* discovered via TUR or VPD */
u16 queue_depth; /* max queue_depth for this device */
Reported by FlawFinder.
Line: 75
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u64 sas_address;
u64 eli; /* from report diags. */
unsigned char vendor[8]; /* bytes 8-15 of inquiry data */
unsigned char model[16]; /* bytes 16-31 of inquiry data */
unsigned char rev; /* byte 2 of inquiry data */
unsigned char raid_level; /* from inquiry page 0xC1 */
unsigned char volume_offline; /* discovered via TUR or VPD */
u16 queue_depth; /* max queue_depth for this device */
atomic_t commands_outstanding; /* track commands sent to device */
Reported by FlawFinder.
Line: 141
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 expand_priority;
u8 host_sdb_asic_fix;
u8 pdpi_burst_from_host_disabled;
char software_name[64];
char hardware_name[32];
u8 bridge_revision;
u8 snapshot_priority;
u32 os_specific;
u8 post_prompt_timeout;
Reported by FlawFinder.
Line: 142
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 host_sdb_asic_fix;
u8 pdpi_burst_from_host_disabled;
char software_name[64];
char hardware_name[32];
u8 bridge_revision;
u8 snapshot_priority;
u32 os_specific;
u8 post_prompt_timeout;
u8 automatic_drive_slamming;
Reported by FlawFinder.
Line: 167
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ctlr_info {
unsigned int *reply_map;
int ctlr;
char devname[8];
char *product_name;
struct pci_dev *pdev;
u32 board_id;
u64 sas_address;
void __iomem *vaddr;
Reported by FlawFinder.
Line: 258
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int remove_in_progress;
/* Address of h->q[x] is passed to intr handler to know which queue */
u8 q[MAX_REPLY_QUEUES];
char intrname[MAX_REPLY_QUEUES][16]; /* "hpsa0-msix00" names */
u32 TMFSupportFlags; /* cache what task mgmt funcs are supported. */
#define HPSATMF_BITS_SUPPORTED (1 << 0)
#define HPSATMF_PHYS_LUN_RESET (1 << 1)
#define HPSATMF_PHYS_NEX_RESET (1 << 2)
#define HPSATMF_PHYS_TASK_ABORT (1 << 3)
Reported by FlawFinder.
drivers/char/pcmcia/cm4000_cs.c
11 issues
Line: 108
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cm4000_dev {
struct pcmcia_device *p_dev;
unsigned char atr[MAX_ATR];
unsigned char rbuf[512];
unsigned char sbuf[512];
wait_queue_head_t devq; /* when removing cardman must not be
zeroed! */
Reported by FlawFinder.
Line: 109
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pcmcia_device *p_dev;
unsigned char atr[MAX_ATR];
unsigned char rbuf[512];
unsigned char sbuf[512];
wait_queue_head_t devq; /* when removing cardman must not be
zeroed! */
Reported by FlawFinder.
Line: 110
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char atr[MAX_ATR];
unsigned char rbuf[512];
unsigned char sbuf[512];
wait_queue_head_t devq; /* when removing cardman must not be
zeroed! */
wait_queue_head_t ioq; /* if IO is locked, wait on this Q */
Reported by FlawFinder.
Line: 139
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long flags; /* lock+flags (MONITOR,IO,ATR) * for concurrent
access */
unsigned char pts[4];
struct timer_list timer; /* used to keep monitor running */
int monitor_running;
};
Reported by FlawFinder.
Line: 156
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* This table doesn't use spaces after the comma between fields and thus
* violates process/coding-style.rst. However, I don't really think wrapping it around will
* make it any clearer to read -HW */
static unsigned char fi_di_table[10][14] = {
/*FI 00 01 02 03 04 05 06 07 08 09 10 11 12 13 */
/*DI */
/* 0 */ {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11},
/* 1 */ {0x01,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x91,0x11,0x11,0x11,0x11},
/* 2 */ {0x02,0x12,0x22,0x32,0x11,0x11,0x11,0x11,0x11,0x92,0xA2,0xB2,0x11,0x11},
Reported by FlawFinder.
Line: 401
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
struct card_fixup {
char atr[12];
u_int8_t atr_len;
u_int8_t stopbits;
};
static struct card_fixup card_fixups[] = {
Reported by FlawFinder.
Line: 454
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long tmp, i;
unsigned short num_bytes_read;
unsigned char pts_reply[4];
ssize_t rc;
unsigned int iobase = dev->p_dev->resource[0]->start;
rc = 0;
Reported by FlawFinder.
Line: 1413
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int rc;
void __user *argp = (void __user *)arg;
#ifdef CM4000_DEBUG
char *ioctl_names[CM_IOC_MAXNR + 1] = {
[_IOC_NR(CM_IOCGSTATUS)] "CM_IOCGSTATUS",
[_IOC_NR(CM_IOCGATR)] "CM_IOCGATR",
[_IOC_NR(CM_IOCARDOFF)] "CM_IOCARDOFF",
[_IOC_NR(CM_IOCSPTS)] "CM_IOCSPTS",
[_IOC_NR(CM_IOSDBGLVL)] "CM4000_DBGLVL",
Reported by FlawFinder.
Line: 1640
Column: 12
CWE codes:
362
goto out;
}
if (link->open) {
ret = -EBUSY;
goto out;
}
dev = link->priv;
Reported by FlawFinder.
Line: 1719
Column: 15
CWE codes:
362
* close doing that for us.
*/
DEBUGP(3, dev, "-> cmm_cm4000_release\n");
while (link->open) {
printk(KERN_INFO MODULE_NAME ": delaying release until "
"process has terminated\n");
/* note: don't interrupt us:
* close the applications which own
* the devices _first_ !
Reported by FlawFinder.
arch/xtensa/platforms/iss/network.c
11 issues
Line: 130
Column: 8
CWE codes:
327
Suggestion:
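Use a more secure technique for acquiring random values. Note: the token matched in the excerpt below is `goto random;`, a jump to a label named `random`, not a call to random(); this hit and the other four CWE-327 hits in this file (three more `goto random;` lines and the `random:` label itself) look like name-match false positives.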
unsigned char *addr = dev->dev_addr;
if (str == NULL)
goto random;
if (!mac_pton(str, addr)) {
pr_err("%s: failed to parse '%s' as an ethernet address\n",
dev->name, str);
goto random;
Reported by FlawFinder.
Line: 135
Column: 8
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
if (!mac_pton(str, addr)) {
pr_err("%s: failed to parse '%s' as an ethernet address\n",
dev->name, str);
goto random;
}
if (is_multicast_ether_addr(addr)) {
pr_err("%s: attempt to assign a multicast ethernet address\n",
dev->name);
goto random;
Reported by FlawFinder.
Line: 140
Column: 8
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
if (is_multicast_ether_addr(addr)) {
pr_err("%s: attempt to assign a multicast ethernet address\n",
dev->name);
goto random;
}
if (!is_valid_ether_addr(addr)) {
pr_err("%s: attempt to assign an invalid ethernet address\n",
dev->name);
goto random;
Reported by FlawFinder.
Line: 145
Column: 8
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
if (!is_valid_ether_addr(addr)) {
pr_err("%s: attempt to assign an invalid ethernet address\n",
dev->name);
goto random;
}
if (!is_local_ether_addr(addr))
pr_warn("%s: assigning a globally valid ethernet address\n",
dev->name);
return;
Reported by FlawFinder.
Line: 152
Column: 1
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
dev->name);
return;
random:
pr_info("%s: choosing a random ethernet address\n",
dev->name);
eth_hw_addr_random(dev);
}
Reported by FlawFinder.
Line: 55
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define TRANSPORT_TUNTAP_MTU ETH_MAX_PACKET
struct tuntap_info {
char dev_name[IFNAMSIZ];
int fd;
};
/* ------------------------------------------------------------------------- */
Reported by FlawFinder.
Line: 85
Column: 9
CWE codes:
362
struct tuntap_info tuntap;
} info;
int (*open)(struct iss_net_private *lp);
void (*close)(struct iss_net_private *lp);
int (*read)(struct iss_net_private *lp, struct sk_buff **skb);
int (*write)(struct iss_net_private *lp, struct sk_buff **skb);
unsigned short (*protocol)(struct sk_buff *skb);
int (*poll)(struct iss_net_private *lp);
Reported by FlawFinder.
Line: 367
Column: 15
CWE codes:
362
spin_lock_bh(&lp->lock);
err = lp->tp.open(lp);
if (err < 0)
goto out;
netif_start_queue(dev);
Reported by FlawFinder.
Line: 470
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!is_valid_ether_addr(hwaddr->sa_data))
return -EADDRNOTAVAIL;
spin_lock_bh(&lp->lock);
memcpy(dev->dev_addr, hwaddr->sa_data, ETH_ALEN);
spin_unlock_bh(&lp->lock);
return 0;
}
static int iss_net_change_mtu(struct net_device *dev, int new_mtu)
Reported by FlawFinder.
Line: 87
Column: 9
CWE codes:
120
20
int (*open)(struct iss_net_private *lp);
void (*close)(struct iss_net_private *lp);
int (*read)(struct iss_net_private *lp, struct sk_buff **skb);
int (*write)(struct iss_net_private *lp, struct sk_buff **skb);
unsigned short (*protocol)(struct sk_buff *skb);
int (*poll)(struct iss_net_private *lp);
} tp;
Reported by FlawFinder.
kernel/bpf/syscall.c
11 issues
Line: 1657
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
BPF_AUDIT_MAX,
};
static const char * const bpf_audit_str[BPF_AUDIT_MAX] = {
[BPF_AUDIT_LOAD] = "LOAD",
[BPF_AUDIT_UNLOAD] = "UNLOAD",
};
static void bpf_audit_prog(const struct bpf_prog *prog, unsigned int op)
Reported by FlawFinder.
Line: 1811
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void bpf_prog_show_fdinfo(struct seq_file *m, struct file *filp)
{
const struct bpf_prog *prog = filp->private_data;
char prog_tag[sizeof(prog->tag) * 2 + 1] = { };
struct bpf_prog_stats stats;
bpf_prog_get_stats(prog, &stats);
bin2hex(prog_tag, prog->tag, sizeof(prog->tag));
seq_printf(m,
Reported by FlawFinder.
Line: 2140
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bpf_prog *prog, *dst_prog = NULL;
struct btf *attach_btf = NULL;
int err;
char license[128];
bool is_gpl;
if (CHECK_ATTR(BPF_PROG_LOAD))
return -EINVAL;
Reported by FlawFinder.
Line: 2446
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const struct bpf_link *link = filp->private_data;
const struct bpf_prog *prog = link->prog;
char prog_tag[sizeof(prog->tag) * 2 + 1] = { };
bin2hex(prog_tag, prog->tag, sizeof(prog->tag));
seq_printf(m,
"link_type:\t%s\n"
"link_id:\t%u\n"
Reported by FlawFinder.
Line: 2885
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bpf_raw_event_map *btp;
struct bpf_prog *prog;
const char *tp_name;
char buf[128];
int err;
if (CHECK_ATTR(BPF_RAW_TRACEPOINT_OPEN))
return -EINVAL;
Reported by FlawFinder.
Line: 3499
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
prog->aux->user->uid);
info.gpl_compatible = prog->gpl_compatible;
memcpy(info.tag, prog->tag, sizeof(prog->tag));
memcpy(info.name, prog->aux->name, sizeof(prog->aux->name));
mutex_lock(&prog->aux->used_maps_mutex);
ulen = info.nr_map_ids;
info.nr_map_ids = prog->aux->used_map_cnt;
Reported by FlawFinder.
Line: 3500
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
info.gpl_compatible = prog->gpl_compatible;
memcpy(info.tag, prog->tag, sizeof(prog->tag));
memcpy(info.name, prog->aux->name, sizeof(prog->aux->name));
mutex_lock(&prog->aux->used_maps_mutex);
ulen = info.nr_map_ids;
info.nr_map_ids = prog->aux->used_map_cnt;
ulen = min_t(u32, info.nr_map_ids, ulen);
Reported by FlawFinder.
Line: 3774
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
info.value_size = map->value_size;
info.max_entries = map->max_entries;
info.map_flags = map->map_flags;
memcpy(info.name, map->name, sizeof(map->name));
if (map->btf) {
info.btf_id = btf_obj_id(map->btf);
info.btf_key_type_id = map->btf_key_type_id;
info.btf_value_type_id = map->btf_value_type_id;
Reported by FlawFinder.
Line: 4408
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out_unlock;
}
memcpy(used_maps_new, used_maps_old,
sizeof(used_maps_old[0]) * prog->aux->used_map_cnt);
used_maps_new[prog->aux->used_map_cnt] = map;
prog->aux->used_map_cnt++;
prog->aux->used_maps = used_maps_new;
Reported by FlawFinder.
Line: 2843
Column: 18
CWE codes:
126
char __user *ubuf = u64_to_user_ptr(info->raw_tracepoint.tp_name);
const char *tp_name = raw_tp_link->btp->tp->name;
u32 ulen = info->raw_tracepoint.tp_name_len;
size_t tp_len = strlen(tp_name);
if (!ulen ^ !ubuf)
return -EINVAL;
info->raw_tracepoint.tp_name_len = tp_len + 1;
Reported by FlawFinder.
drivers/video/backlight/sky81452-backlight.c
11 issues
Line: 129
Column: 5
CWE codes:
120
Suggestion:
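Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Note: `buf` appears to be the output buffer of a sysfs show callback (see the DEVICE_ATTR lines quoted further down); in the kernel the bounded way to build such output is sysfs_emit()/sysfs_emit_at(), since the C11 Annex K *_s functions are not available in-kernel.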
for (i = 0; i < 6; i++) {
if (value & 0x01) {
sprintf(tmp, "%d ", i + 1);
strcat(buf, tmp);
}
value >>= 1;
}
strcat(buf, "\n");
} else {
Reported by FlawFinder.
Line: 116
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct regmap *regmap = bl_get_data(to_backlight_device(dev));
unsigned int reg, value = 0;
char tmp[3];
int i, ret;
reg = !strcmp(attr->attr.name, "open") ? SKY81452_REG5 : SKY81452_REG4;
ret = regmap_read(regmap, reg, &value);
if (ret < 0)
Reported by FlawFinder.
Line: 128
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
*buf = 0;
for (i = 0; i < 6; i++) {
if (value & 0x01) {
sprintf(tmp, "%d ", i + 1);
strcat(buf, tmp);
}
value >>= 1;
}
strcat(buf, "\n");
Reported by FlawFinder.
Line: 135
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
strcat(buf, "\n");
} else {
strcpy(buf, "none\n");
}
return strlen(buf);
}
Reported by FlawFinder.
Line: 155
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
*buf = 0;
if (value & SKY81452_OCP)
strcat(buf, "over-current ");
if (value & SKY81452_OTMP)
strcat(buf, "over-temperature");
strcat(buf, "\n");
Reported by FlawFinder.
Line: 158
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(buf, "over-current ");
if (value & SKY81452_OTMP)
strcat(buf, "over-temperature");
strcat(buf, "\n");
return strlen(buf);
}
Reported by FlawFinder.
Line: 165
Column: 20
CWE codes:
362
}
static DEVICE_ATTR(enable, S_IWGRP | S_IWUSR, NULL, sky81452_bl_store_enable);
static DEVICE_ATTR(open, S_IRUGO, sky81452_bl_show_open_short, NULL);
static DEVICE_ATTR(short, S_IRUGO, sky81452_bl_show_open_short, NULL);
static DEVICE_ATTR(fault, S_IRUGO, sky81452_bl_show_fault, NULL);
static struct attribute *sky81452_bl_attribute[] = {
&dev_attr_enable.attr,
Reported by FlawFinder.
Line: 133
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
}
value >>= 1;
}
strcat(buf, "\n");
} else {
strcpy(buf, "none\n");
}
return strlen(buf);
Reported by FlawFinder.
Line: 138
Column: 9
CWE codes:
126
strcpy(buf, "none\n");
}
return strlen(buf);
}
static ssize_t sky81452_bl_show_fault(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 160
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (value & SKY81452_OTMP)
strcat(buf, "over-temperature");
strcat(buf, "\n");
return strlen(buf);
}
static DEVICE_ATTR(enable, S_IWGRP | S_IWUSR, NULL, sky81452_bl_store_enable);
static DEVICE_ATTR(open, S_IRUGO, sky81452_bl_show_open_short, NULL);
Reported by FlawFinder.
drivers/char/ipmi/ipmi_ssif.c
11 issues
Line: 251
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int rtc_us_timer;
/* Used for sending/receiving data. +1 for the length. */
unsigned char data[IPMI_MAX_MSG_LENGTH + 1];
unsigned int data_len;
/* Temp receive buffer, gets copied into data. */
unsigned char recv[I2C_SMBUS_BLOCK_MAX];
Reported by FlawFinder.
Line: 255
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int data_len;
/* Temp receive buffer, gets copied into data. */
unsigned char recv[I2C_SMBUS_BLOCK_MAX];
struct i2c_client *client;
ssif_i2c_done done_handler;
/* Thread interface handling */
Reported by FlawFinder.
Line: 357
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static void start_clear_flags(struct ssif_info *ssif_info, unsigned long *flags)
{
unsigned char msg[3];
ssif_info->msg_flags &= ~WDT_PRE_TIMEOUT_INT;
ssif_info->ssif_state = SSIF_CLEARING_FLAGS;
ipmi_ssif_unlock_cond(ssif_info, flags);
Reported by FlawFinder.
Line: 376
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void start_flag_fetch(struct ssif_info *ssif_info, unsigned long *flags)
{
unsigned char mb[2];
ssif_info->req_flags = false;
ssif_info->ssif_state = SSIF_GETTING_FLAGS;
ipmi_ssif_unlock_cond(ssif_info, flags);
Reported by FlawFinder.
Line: 750
Column: 4
CWE codes:
120
Suggestion:
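Make sure destination can always hold the source data. Note: the excerpt clamps `len` to IPMI_MAX_MSG_LENGTH immediately before the copy, so what remains to confirm is that `msg->rsp` is at least IPMI_MAX_MSG_LENGTH bytes.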
if (data) {
if (len > IPMI_MAX_MSG_LENGTH)
len = IPMI_MAX_MSG_LENGTH;
memcpy(msg->rsp, data, len);
} else {
len = 0;
}
msg->rsp_size = len;
ssif_info->curr_msg = NULL;
Reported by FlawFinder.
Line: 1014
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -E2BIG;
ssif_info->retries_left = SSIF_SEND_RETRIES;
memcpy(ssif_info->data + 1, data, len);
ssif_info->data_len = len;
return start_resend(ssif_info);
}
/* Must be called with the message lock held. */
Reported by FlawFinder.
Line: 1146
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
module_param_array(addr, ushort, &num_addrs, 0);
MODULE_PARM_DESC(addr, "The addresses to scan for IPMI BMCs on the SSIFs.");
static char *adapter_name[MAX_SSIF_BMCS];
static int num_adapter_names;
module_param_array(adapter_name, charp, &num_adapter_names, 0);
MODULE_PARM_DESC(adapter_name, "The string name of the I2C device that has the BMC. By default all devices are scanned.");
static int slave_addrs[MAX_SSIF_BMCS];
Reported by FlawFinder.
Line: 1342
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ssif_detect(struct i2c_client *client, struct i2c_board_info *info)
{
unsigned char *resp;
unsigned char msg[3];
int rv;
int len;
resp = kmalloc(IPMI_MAX_MSG_LENGTH, GFP_KERNEL);
if (!resp)
Reported by FlawFinder.
Line: 1482
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ssif_info *ssif_info,
unsigned char *resp)
{
unsigned char msg[65];
int ret;
bool do_middle;
if (ssif_info->max_xmit_msg_size <= 32)
return;
Reported by FlawFinder.
Line: 1624
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ssif_probe(struct i2c_client *client, const struct i2c_device_id *id)
{
unsigned char msg[3];
unsigned char *resp;
struct ssif_info *ssif_info;
int rv = 0;
int len;
int i;
Reported by FlawFinder.
arch/arm/mach-rpc/ecard.c
11 issues
Line: 640
Column: 5
CWE codes:
120
Suggestion:
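Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Note: the destination is allocated as strlen(incd.d.string)+1 on the line above and NULL-checked before the copy, so the copy is sized to its source provided incd.d.string is NUL-terminated; kstrdup() expresses the same allocate-and-copy in one call.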
ec->card_desc = kmalloc(strlen(incd.d.string)+1, GFP_KERNEL);
if (ec->card_desc)
strcpy((char *)ec->card_desc, incd.d.string);
}
seq_printf(m, "%s\n", ec->card_desc ? ec->card_desc : "*unknown*");
} else
seq_printf(m, "Simple card %d\n", ec->cid.id);
Reported by FlawFinder.
Line: 800
Column: 9
CWE codes:
120
Suggestion:
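Use sprintf_s, snprintf, or vsnprintf. Note: this is a sysfs show callback (registered with DEVICE_ATTR_RO) writing a short fixed-format string; the kernel's bounded helper for this case is sysfs_emit(), and the same applies to the other *_show hits in this file.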
static ssize_t type_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct expansion_card *ec = ECARD_DEV(dev);
return sprintf(buf, "%s\n", ec->easi ? "EASI" : "IOC");
}
static DEVICE_ATTR_RO(type);
static struct attribute *ecard_dev_attrs[] = {
&dev_attr_device.attr,
Reported by FlawFinder.
Line: 234
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src_pgd = pgd_offset(mm, (unsigned long)IO_BASE);
dst_pgd = pgd_offset(mm, IO_START);
memcpy(dst_pgd, src_pgd, sizeof(pgd_t) * (IO_SIZE / PGDIR_SIZE));
src_pgd = pgd_offset(mm, (unsigned long)EASI_BASE);
dst_pgd = pgd_offset(mm, EASI_START);
memcpy(dst_pgd, src_pgd, sizeof(pgd_t) * (EASI_SIZE / PGDIR_SIZE));
Reported by FlawFinder.
Line: 239
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src_pgd = pgd_offset(mm, (unsigned long)EASI_BASE);
dst_pgd = pgd_offset(mm, EASI_START);
memcpy(dst_pgd, src_pgd, sizeof(pgd_t) * (EASI_SIZE / PGDIR_SIZE));
flush_tlb_range(&vma, IO_START, IO_START + IO_SIZE);
flush_tlb_range(&vma, EASI_START, EASI_START + EASI_SIZE);
}
Reported by FlawFinder.
Line: 379
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
cd->start_offset = c_start(&excd);
memcpy(cd->d.string, excd.d.string, 256);
return 1;
}
/* ======================= Interrupt control ============================ */
Reported by FlawFinder.
Line: 756
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t irq_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct expansion_card *ec = ECARD_DEV(dev);
return sprintf(buf, "%u\n", ec->irq);
}
static DEVICE_ATTR_RO(irq);
static ssize_t dma_show(struct device *dev, struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 763
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t dma_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct expansion_card *ec = ECARD_DEV(dev);
return sprintf(buf, "%u\n", ec->dma);
}
static DEVICE_ATTR_RO(dma);
static ssize_t resource_show(struct device *dev, struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 774
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int i;
for (i = 0; i < ECARD_NUM_RESOURCES; i++)
str += sprintf(str, "%08x %08x %08lx\n",
ec->resource[i].start,
ec->resource[i].end,
ec->resource[i].flags);
return str - buf;
Reported by FlawFinder.
Line: 786
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t vendor_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct expansion_card *ec = ECARD_DEV(dev);
return sprintf(buf, "%u\n", ec->cid.manufacturer);
}
static DEVICE_ATTR_RO(vendor);
static ssize_t device_show(struct device *dev, struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 793
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t device_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct expansion_card *ec = ECARD_DEV(dev);
return sprintf(buf, "%u\n", ec->cid.product);
}
static DEVICE_ATTR_RO(device);
static ssize_t type_show(struct device *dev, struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
drivers/char/ipmi/ipmi_si_intf.c
11 issues
Line: 366
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void start_check_enables(struct smi_info *smi_info)
{
unsigned char msg[2];
msg[0] = (IPMI_NETFN_APP_REQUEST << 2);
msg[1] = IPMI_GET_BMC_GLOBAL_ENABLES_CMD;
start_new_msg(smi_info, msg, 2);
Reported by FlawFinder.
Line: 377
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void start_clear_flags(struct smi_info *smi_info)
{
unsigned char msg[3];
/* Make sure the watchdog pre-timeout flag is not set at startup. */
msg[0] = (IPMI_NETFN_APP_REQUEST << 2);
msg[1] = IPMI_CLEAR_MSG_FLAGS_CMD;
msg[2] = WDT_PRE_TIMEOUT_INT;
Reported by FlawFinder.
Line: 565
Column: 12
CWE codes:
119
120
Suggestion:
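Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length (flagged on the msg[4] declaration; in the excerpt below, msg[2] is read right after get_result() and no check of the returned len is visible before it, so a short response would leave that byte uninitialized — confirm against the full function)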
case SI_GETTING_FLAGS:
{
unsigned char msg[4];
unsigned int len;
/* We got the flags from the SMI, now handle them. */
len = smi_info->handlers->get_result(smi_info->si_sm, msg, 4);
if (msg[2] != 0) {
Reported by FlawFinder.
Line: 588
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
case SI_CLEARING_FLAGS:
{
unsigned char msg[3];
/* We cleared the flags. */
smi_info->handlers->get_result(smi_info->si_sm, msg, 3);
if (msg[2] != 0) {
/* Error clearing flags */
Reported by FlawFinder.
Line: 679
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
case SI_CHECKING_ENABLES:
{
unsigned char msg[4];
u8 enables;
bool irq_on;
/* We got the flags from the SMI, now handle them. */
smi_info->handlers->get_result(smi_info->si_sm, msg, 4);
Reported by FlawFinder.
Line: 720
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
case SI_SETTING_ENABLES:
{
unsigned char msg[4];
smi_info->handlers->get_result(smi_info->si_sm, msg, 4);
if (msg[2] != 0)
dev_warn(smi_info->io.dev,
"Could not set the global enables: 0x%x.\n",
Reported by FlawFinder.
Line: 796
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* this if there is not yet an upper layer to handle anything.
*/
if (si_sm_result == SI_SM_ATTN || smi_info->got_attn) {
unsigned char msg[2];
if (smi_info->si_state != SI_NORMAL) {
/*
* We got an ATTN, but we are doing something else.
* Handle the ATTN later.
Reported by FlawFinder.
Line: 1310
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int try_get_dev_id(struct smi_info *smi_info)
{
unsigned char msg[2];
unsigned char *resp;
unsigned long resp_len;
int rv = 0;
unsigned int retry_count = 0;
Reported by FlawFinder.
Line: 1360
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int get_global_enables(struct smi_info *smi_info, u8 *enables)
{
unsigned char msg[3];
unsigned char *resp;
unsigned long resp_len;
int rv;
resp = kmalloc(IPMI_MAX_MSG_LENGTH, GFP_KERNEL);
Reported by FlawFinder.
Line: 1407
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static int set_global_enables(struct smi_info *smi_info, u8 enables)
{
unsigned char msg[3];
unsigned char *resp;
unsigned long resp_len;
int rv;
resp = kmalloc(IPMI_MAX_MSG_LENGTH, GFP_KERNEL);
Reported by FlawFinder.
drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
11 issues
Line: 338
CWE codes:
476
BUG_ON(!engine);
txn = &engine->txn;
engine->tcm = tcm;
txn->engine_handle = engine;
txn->last_pat = NULL;
txn->current_va = engine->refill_va;
txn->current_pa = engine->refill_pa;
Reported by Cppcheck.
Line: 341
CWE codes:
476
engine->tcm = tcm;
txn->engine_handle = engine;
txn->last_pat = NULL;
txn->current_va = engine->refill_va;
txn->current_pa = engine->refill_pa;
return txn;
}
Reported by Cppcheck.
Line: 342
CWE codes:
476
txn->engine_handle = engine;
txn->last_pat = NULL;
txn->current_va = engine->refill_va;
txn->current_pa = engine->refill_pa;
return txn;
}
/*
Reported by Cppcheck.
Line: 1049
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static void map_1d_info(char **map, int xdiv, int ydiv, char *nice,
struct tcm_area *a)
{
sprintf(nice, "%dK", tcm_sizeof(*a) * 4);
if (a->p0.y + 1 < a->p1.y) {
text_map(map, xdiv, nice, (a->p0.y + a->p1.y) / 2 / ydiv, 0,
256 - 1);
} else if (a->p0.y < a->p1.y) {
if (strlen(nice) < map_width(xdiv, a->p0.x, 256 - 1))
Reported by FlawFinder.
Line: 1068
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Label a 2D area on the text map with its size.
 *
 * Formats "(W*H)" into @nice, where W is tcm_awidth(*a) and H is
 * tcm_aheight(*a), then passes the label to text_map() for the row midway
 * between a->p0.y and a->p1.y (divided by @ydiv), spanning columns a->p0.x
 * to a->p1.x. Nothing is drawn unless the label length plus one is smaller
 * than map_width(xdiv, a->p0.x, a->p1.x).
 *
 * The sprintf() into @nice is unbounded and this function receives no buffer
 * size. With 32-bit ints the label needs at most 26 bytes including the NUL;
 * the caller's buffer size is not visible here, so verify it at the call site.
 */
static void map_2d_info(char **map, int xdiv, int ydiv, char *nice,
							struct tcm_area *a)
{
	int row;

	sprintf(nice, "(%d*%d)", tcm_awidth(*a), tcm_aheight(*a));

	/* label (plus one spare column) does not fit: leave the map as is */
	if (strlen(nice) + 1 >= map_width(xdiv, a->p0.x, a->p1.x))
		return;

	row = (a->p0.y + a->p1.y) / 2 / ydiv;
	text_map(map, xdiv, nice, row, a->p0.x, a->p1.x);
}
Reported by FlawFinder.
Line: 1084
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *m2d = alphabet;
const char *a2d = special;
const char *m2dp = m2d, *a2dp = a2d;
char nice[128];
int h_adj;
int w_adj;
unsigned long flags;
int lut_idx;
Reported by FlawFinder.
Line: 1038
Column: 37
CWE codes:
126
static void text_map(char **map, int xdiv, char *nice, int yd, int x0, int x1)
{
char *p = map[yd] + (x0 / xdiv);
int w = (map_width(xdiv, x0, x1) - strlen(nice)) / 2;
if (w >= 0) {
p += w;
while (*nice)
*p++ = *nice++;
}
Reported by FlawFinder.
Line: 1054
Column: 7
CWE codes:
126
text_map(map, xdiv, nice, (a->p0.y + a->p1.y) / 2 / ydiv, 0,
256 - 1);
} else if (a->p0.y < a->p1.y) {
if (strlen(nice) < map_width(xdiv, a->p0.x, 256 - 1))
text_map(map, xdiv, nice, a->p0.y / ydiv,
a->p0.x + xdiv, 256 - 1);
else if (strlen(nice) < map_width(xdiv, 0, a->p1.x))
text_map(map, xdiv, nice, a->p1.y / ydiv,
0, a->p1.y - xdiv);
Reported by FlawFinder.
Line: 1057
Column: 12
CWE codes:
126
if (strlen(nice) < map_width(xdiv, a->p0.x, 256 - 1))
text_map(map, xdiv, nice, a->p0.y / ydiv,
a->p0.x + xdiv, 256 - 1);
else if (strlen(nice) < map_width(xdiv, 0, a->p1.x))
text_map(map, xdiv, nice, a->p1.y / ydiv,
0, a->p1.y - xdiv);
} else if (strlen(nice) + 1 < map_width(xdiv, a->p0.x, a->p1.x)) {
text_map(map, xdiv, nice, a->p0.y / ydiv, a->p0.x, a->p1.x);
}
Reported by FlawFinder.
Line: 1060
Column: 13
CWE codes:
126
else if (strlen(nice) < map_width(xdiv, 0, a->p1.x))
text_map(map, xdiv, nice, a->p1.y / ydiv,
0, a->p1.y - xdiv);
} else if (strlen(nice) + 1 < map_width(xdiv, a->p0.x, a->p1.x)) {
text_map(map, xdiv, nice, a->p0.y / ydiv, a->p0.x, a->p1.x);
}
}
static void map_2d_info(char **map, int xdiv, int ydiv, char *nice,
Reported by FlawFinder.