The following issues were found
kernel/debug/kdb/kdb_support.c
11 issues
Line: 303
Column: 9
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
char *s = kmalloc(n, type);
if (!s)
return NULL;
return strcpy(s, str);
}
/*
* kdb_getarea_size - Read an area of data. The kdb equivalent of
* copy_from_user, with kdb messages for invalid addresses.
Reported by FlawFinder.
Line: 55
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
EXPORT_SYMBOL(kdbgetsymval);
static char *kdb_name_table[100]; /* arbitrary size */
/*
* kdbnearsym - Return the name of the symbol with the nearest address
* less than 'addr'.
*
Reported by FlawFinder.
Line: 162
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
}
static char ks_namebuf[KSYM_NAME_LEN+1], ks_namebuf_prev[KSYM_NAME_LEN+1];
/*
* kallsyms_symbol_complete
*
* Parameters:
Reported by FlawFinder.
Line: 190
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (++number == 1) {
prev_len = min_t(int, max_len-1,
strlen(ks_namebuf));
memcpy(ks_namebuf_prev, ks_namebuf, prev_len);
ks_namebuf_prev[prev_len] = '\0';
continue;
}
for (i = 0; i < prev_len; i++) {
if (ks_namebuf[i] != ks_namebuf_prev[i]) {
Reported by FlawFinder.
Line: 204
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
if (prev_len > prefix_len)
memcpy(prefix_name, ks_namebuf_prev, prev_len+1);
return number;
}
/*
* kallsyms_symbol_next
Reported by FlawFinder.
Line: 378
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 1;
page = pfn_to_page(pfn);
vaddr = kmap_atomic(page);
memcpy(res, vaddr + (addr & (PAGE_SIZE - 1)), size);
kunmap_atomic(vaddr);
return 0;
}
Reported by FlawFinder.
Line: 115
Column: 4
CWE codes:
120
* What was Rusty smoking when he wrote that code?
*/
if (symtab->sym_name != knt1) {
strncpy(knt1, symtab->sym_name, knt1_size);
knt1[knt1_size-1] = '\0';
}
for (i = 0; i < ARRAY_SIZE(kdb_name_table); ++i) {
if (kdb_name_table[i] &&
strcmp(kdb_name_table[i], knt1) == 0)
Reported by FlawFinder.
Line: 179
Column: 19
CWE codes:
126
int kallsyms_symbol_complete(char *prefix_name, int max_len)
{
loff_t pos = 0;
int prefix_len = strlen(prefix_name), prev_len = 0;
int i, number = 0;
const char *name;
while ((name = kdb_walk_kallsyms(&pos))) {
if (strncmp(name, prefix_name, prefix_len) == 0) {
Reported by FlawFinder.
Line: 189
Column: 8
CWE codes:
126
/* Work out the longest name that matches the prefix */
if (++number == 1) {
prev_len = min_t(int, max_len-1,
strlen(ks_namebuf));
memcpy(ks_namebuf_prev, ks_namebuf, prev_len);
ks_namebuf_prev[prev_len] = '\0';
continue;
}
for (i = 0; i < prev_len; i++) {
Reported by FlawFinder.
Line: 222
Column: 19
CWE codes:
126
*/
int kallsyms_symbol_next(char *prefix_name, int flag, int buf_size)
{
int prefix_len = strlen(prefix_name);
static loff_t pos;
const char *name;
if (!flag)
pos = 0;
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/dvm/rx.c
11 issues
Line: 89
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(&priv->measure_report, report, sizeof(*report));
priv->measurement_status |= MEASUREMENT_READY;
}
static void iwlagn_rx_pm_sleep_notif(struct iwl_priv *priv,
struct iwl_rx_cmd_buffer *rxb)
Reported by FlawFinder.
Line: 416
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
iwlagn_recover_from_statistics(priv, rx_ofdm, rx_ofdm_ht, tx, stamp);
priv->statistics.flag = *flag;
memcpy(&priv->statistics.common, common, sizeof(*common));
memcpy(&priv->statistics.rx_non_phy, rx_non_phy, sizeof(*rx_non_phy));
memcpy(&priv->statistics.rx_ofdm, rx_ofdm, sizeof(*rx_ofdm));
memcpy(&priv->statistics.rx_ofdm_ht, rx_ofdm_ht, sizeof(*rx_ofdm_ht));
memcpy(&priv->statistics.rx_cck, rx_cck, sizeof(*rx_cck));
memcpy(&priv->statistics.tx, tx, sizeof(*tx));
Reported by FlawFinder.
Line: 417
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->statistics.flag = *flag;
memcpy(&priv->statistics.common, common, sizeof(*common));
memcpy(&priv->statistics.rx_non_phy, rx_non_phy, sizeof(*rx_non_phy));
memcpy(&priv->statistics.rx_ofdm, rx_ofdm, sizeof(*rx_ofdm));
memcpy(&priv->statistics.rx_ofdm_ht, rx_ofdm_ht, sizeof(*rx_ofdm_ht));
memcpy(&priv->statistics.rx_cck, rx_cck, sizeof(*rx_cck));
memcpy(&priv->statistics.tx, tx, sizeof(*tx));
#ifdef CONFIG_IWLWIFI_DEBUGFS
Reported by FlawFinder.
Line: 418
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->statistics.flag = *flag;
memcpy(&priv->statistics.common, common, sizeof(*common));
memcpy(&priv->statistics.rx_non_phy, rx_non_phy, sizeof(*rx_non_phy));
memcpy(&priv->statistics.rx_ofdm, rx_ofdm, sizeof(*rx_ofdm));
memcpy(&priv->statistics.rx_ofdm_ht, rx_ofdm_ht, sizeof(*rx_ofdm_ht));
memcpy(&priv->statistics.rx_cck, rx_cck, sizeof(*rx_cck));
memcpy(&priv->statistics.tx, tx, sizeof(*tx));
#ifdef CONFIG_IWLWIFI_DEBUGFS
if (bt_activity)
Reported by FlawFinder.
Line: 419
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&priv->statistics.common, common, sizeof(*common));
memcpy(&priv->statistics.rx_non_phy, rx_non_phy, sizeof(*rx_non_phy));
memcpy(&priv->statistics.rx_ofdm, rx_ofdm, sizeof(*rx_ofdm));
memcpy(&priv->statistics.rx_ofdm_ht, rx_ofdm_ht, sizeof(*rx_ofdm_ht));
memcpy(&priv->statistics.rx_cck, rx_cck, sizeof(*rx_cck));
memcpy(&priv->statistics.tx, tx, sizeof(*tx));
#ifdef CONFIG_IWLWIFI_DEBUGFS
if (bt_activity)
memcpy(&priv->statistics.bt_activity, bt_activity,
Reported by FlawFinder.
Line: 420
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&priv->statistics.rx_non_phy, rx_non_phy, sizeof(*rx_non_phy));
memcpy(&priv->statistics.rx_ofdm, rx_ofdm, sizeof(*rx_ofdm));
memcpy(&priv->statistics.rx_ofdm_ht, rx_ofdm_ht, sizeof(*rx_ofdm_ht));
memcpy(&priv->statistics.rx_cck, rx_cck, sizeof(*rx_cck));
memcpy(&priv->statistics.tx, tx, sizeof(*tx));
#ifdef CONFIG_IWLWIFI_DEBUGFS
if (bt_activity)
memcpy(&priv->statistics.bt_activity, bt_activity,
sizeof(*bt_activity));
Reported by FlawFinder.
Line: 421
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&priv->statistics.rx_ofdm, rx_ofdm, sizeof(*rx_ofdm));
memcpy(&priv->statistics.rx_ofdm_ht, rx_ofdm_ht, sizeof(*rx_ofdm_ht));
memcpy(&priv->statistics.rx_cck, rx_cck, sizeof(*rx_cck));
memcpy(&priv->statistics.tx, tx, sizeof(*tx));
#ifdef CONFIG_IWLWIFI_DEBUGFS
if (bt_activity)
memcpy(&priv->statistics.bt_activity, bt_activity,
sizeof(*bt_activity));
#endif
Reported by FlawFinder.
Line: 424
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&priv->statistics.tx, tx, sizeof(*tx));
#ifdef CONFIG_IWLWIFI_DEBUGFS
if (bt_activity)
memcpy(&priv->statistics.bt_activity, bt_activity,
sizeof(*bt_activity));
#endif
priv->rx_statistics_jiffies = stamp;
Reported by FlawFinder.
Line: 552
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->last_phy_res_valid = true;
priv->ampdu_ref++;
memcpy(&priv->last_phy_res, pkt->data,
sizeof(struct iwl_rx_phy_res));
}
/*
* returns non-zero if packet should be dropped
Reported by FlawFinder.
Line: 674
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy(IEEE80211_SKB_RXCB(skb), stats, sizeof(*stats));
ieee80211_rx_napi(priv->hw, NULL, skb, priv->napi);
}
static u32 iwlagn_translate_rx_status(struct iwl_priv *priv, u32 decrypt_in)
Reported by FlawFinder.
drivers/video/fbdev/intelfb/intelfbdrv.c
11 issues
Line: 1106
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return 1;
info->pixmap.scan_align = 1;
strcpy(info->fix.id, dinfo->name);
info->fix.smem_start = dinfo->fb.physical;
info->fix.smem_len = dinfo->fb.size;
info->fix.type = FB_TYPE_PACKED_PIXELS;
info->fix.type_aux = 0;
info->fix.xpanstep = 8;
Reported by FlawFinder.
Line: 1015
Column: 10
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
var = &dinfo->info->var;
if (FIXED_MODE(dinfo)) {
memcpy(var, &dinfo->initial_var,
sizeof(struct fb_var_screeninfo));
msrc = 5;
} else {
const u8 *edid_s = fb_firmware_edid(&dinfo->pdev->dev);
u8 *edid_d = NULL;
Reported by FlawFinder.
Line: 1189
Column: 15
CWE codes:
362
if (user) {
dinfo->open--;
msleep(1);
if (!dinfo->open)
intelfbhw_disable_irq(dinfo);
}
return 0;
}
Reported by FlawFinder.
Line: 1343
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ACCEL(dinfo, info))
intelfbhw_2d_stop(dinfo);
memcpy(hw, &dinfo->save_state, sizeof(*hw));
if (intelfbhw_mode_to_hw(dinfo, hw, &info->var))
goto invalid_mode;
if (intelfbhw_program_mode(dinfo, hw, 0))
goto invalid_mode;
Reported by FlawFinder.
Line: 1642
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* save the bitmap to restore it when XFree will
make the cursor dirty */
memcpy(dinfo->cursor_src, src, size);
intelfbhw_cursor_load(dinfo, cursor->image.width,
cursor->image.height, src);
}
Reported by FlawFinder.
Line: 269
Column: 51
CWE codes:
126
"Initial video mode \"<xres>x<yres>[-<depth>][@<refresh>]\"");
#ifndef MODULE
#define OPT_EQUAL(opt, name) (!strncmp(opt, name, strlen(name)))
#define OPT_INTVAL(opt, name) simple_strtoul(opt + strlen(name) + 1, NULL, 0)
#define OPT_STRVAL(opt, name) (opt + strlen(name))
static __inline__ char * get_opt_string(const char *this_opt, const char *name)
{
Reported by FlawFinder.
Line: 270
Column: 52
CWE codes:
126
#ifndef MODULE
#define OPT_EQUAL(opt, name) (!strncmp(opt, name, strlen(name)))
#define OPT_INTVAL(opt, name) simple_strtoul(opt + strlen(name) + 1, NULL, 0)
#define OPT_STRVAL(opt, name) (opt + strlen(name))
static __inline__ char * get_opt_string(const char *this_opt, const char *name)
{
const char *p;
Reported by FlawFinder.
Line: 271
Column: 38
CWE codes:
126
#ifndef MODULE
#define OPT_EQUAL(opt, name) (!strncmp(opt, name, strlen(name)))
#define OPT_INTVAL(opt, name) simple_strtoul(opt + strlen(name) + 1, NULL, 0)
#define OPT_STRVAL(opt, name) (opt + strlen(name))
static __inline__ char * get_opt_string(const char *this_opt, const char *name)
{
const char *p;
int i;
Reported by FlawFinder.
Line: 285
Column: 3
CWE codes:
120
i++;
ret = kmalloc(i + 1, GFP_KERNEL);
if (ret) {
strncpy(ret, p, i);
ret[i] = '\0';
}
return ret;
}
Reported by FlawFinder.
Line: 311
Column: 16
CWE codes:
126
return 0;
if (OPT_EQUAL(this_opt, name)) {
if (this_opt[strlen(name)] == '=')
*ret = simple_strtoul(this_opt + strlen(name) + 1,
NULL, 0);
else
*ret = 1;
} else {
Reported by FlawFinder.
drivers/char/pcmcia/cm4000_cs.c
11 issues
Line: 108
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cm4000_dev {
struct pcmcia_device *p_dev;
unsigned char atr[MAX_ATR];
unsigned char rbuf[512];
unsigned char sbuf[512];
wait_queue_head_t devq; /* when removing cardman must not be
zeroed! */
Reported by FlawFinder.
Line: 109
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pcmcia_device *p_dev;
unsigned char atr[MAX_ATR];
unsigned char rbuf[512];
unsigned char sbuf[512];
wait_queue_head_t devq; /* when removing cardman must not be
zeroed! */
Reported by FlawFinder.
Line: 110
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char atr[MAX_ATR];
unsigned char rbuf[512];
unsigned char sbuf[512];
wait_queue_head_t devq; /* when removing cardman must not be
zeroed! */
wait_queue_head_t ioq; /* if IO is locked, wait on this Q */
Reported by FlawFinder.
Line: 139
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long flags; /* lock+flags (MONITOR,IO,ATR) * for concurrent
access */
unsigned char pts[4];
struct timer_list timer; /* used to keep monitor running */
int monitor_running;
};
Reported by FlawFinder.
Line: 156
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* This table doesn't use spaces after the comma between fields and thus
* violates process/coding-style.rst. However, I don't really think wrapping it around will
* make it any clearer to read -HW */
static unsigned char fi_di_table[10][14] = {
/*FI 00 01 02 03 04 05 06 07 08 09 10 11 12 13 */
/*DI */
/* 0 */ {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11},
/* 1 */ {0x01,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x91,0x11,0x11,0x11,0x11},
/* 2 */ {0x02,0x12,0x22,0x32,0x11,0x11,0x11,0x11,0x11,0x92,0xA2,0xB2,0x11,0x11},
Reported by FlawFinder.
Line: 401
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
struct card_fixup {
char atr[12];
u_int8_t atr_len;
u_int8_t stopbits;
};
static struct card_fixup card_fixups[] = {
Reported by FlawFinder.
Line: 454
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long tmp, i;
unsigned short num_bytes_read;
unsigned char pts_reply[4];
ssize_t rc;
unsigned int iobase = dev->p_dev->resource[0]->start;
rc = 0;
Reported by FlawFinder.
Line: 1413
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int rc;
void __user *argp = (void __user *)arg;
#ifdef CM4000_DEBUG
char *ioctl_names[CM_IOC_MAXNR + 1] = {
[_IOC_NR(CM_IOCGSTATUS)] "CM_IOCGSTATUS",
[_IOC_NR(CM_IOCGATR)] "CM_IOCGATR",
[_IOC_NR(CM_IOCARDOFF)] "CM_IOCARDOFF",
[_IOC_NR(CM_IOCSPTS)] "CM_IOCSPTS",
[_IOC_NR(CM_IOSDBGLVL)] "CM4000_DBGLVL",
Reported by FlawFinder.
Line: 1640
Column: 12
CWE codes:
362
goto out;
}
if (link->open) {
ret = -EBUSY;
goto out;
}
dev = link->priv;
Reported by FlawFinder.
Line: 1719
Column: 15
CWE codes:
362
* close doing that for us.
*/
DEBUGP(3, dev, "-> cmm_cm4000_release\n");
while (link->open) {
printk(KERN_INFO MODULE_NAME ": delaying release until "
"process has terminated\n");
/* note: don't interrupt us:
* close the applications which own
* the devices _first_ !
Reported by FlawFinder.
drivers/vfio/pci/vfio_pci_config.c
11 issues
Line: 180
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
__le32 virt = 0;
memcpy(val, vdev->vconfig + pos, count);
memcpy(&virt, perm->virt + offset, count);
/* Any non-virtualized bits? */
if (cpu_to_le32(~0U >> (32 - (count * 8))) != virt) {
Reported by FlawFinder.
Line: 182
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(val, vdev->vconfig + pos, count);
memcpy(&virt, perm->virt + offset, count);
/* Any non-virtualized bits? */
if (cpu_to_le32(~0U >> (32 - (count * 8))) != virt) {
struct pci_dev *pdev = vdev->pdev;
__le32 phys_val = 0;
Reported by FlawFinder.
Line: 206
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
__le32 virt = 0, write = 0;
memcpy(&write, perm->write + offset, count);
if (!write)
return count; /* drop, no writable bits */
memcpy(&virt, perm->virt + offset, count);
Reported by FlawFinder.
Line: 211
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!write)
return count; /* drop, no writable bits */
memcpy(&virt, perm->virt + offset, count);
/* Virtualized and writable bits go to vconfig */
if (write & virt) {
__le32 virt_val = 0;
Reported by FlawFinder.
Line: 217
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (write & virt) {
__le32 virt_val = 0;
memcpy(&virt_val, vdev->vconfig + pos, count);
virt_val &= ~(write & virt);
virt_val |= (val & (write & virt));
memcpy(vdev->vconfig + pos, &virt_val, count);
Reported by FlawFinder.
Line: 222
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
virt_val &= ~(write & virt);
virt_val |= (val & (write & virt));
memcpy(vdev->vconfig + pos, &virt_val, count);
}
/* Non-virtualzed and writable bits go to hardware */
if (write & ~virt) {
struct pci_dev *pdev = vdev->pdev;
Reported by FlawFinder.
Line: 259
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pos >= PCI_CFG_SPACE_SIZE) { /* Extended cap header mangling */
if (offset < 4)
memcpy(val, vdev->vconfig + pos, count);
} else if (pos >= PCI_STD_HEADER_SIZEOF) { /* Std cap mangling */
if (offset == PCI_CAP_LIST_ID && count > 1)
memcpy(val, vdev->vconfig + pos,
min(PCI_CAP_FLAGS, count));
else if (offset == PCI_CAP_LIST_NEXT)
Reported by FlawFinder.
Line: 262
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(val, vdev->vconfig + pos, count);
} else if (pos >= PCI_STD_HEADER_SIZEOF) { /* Std cap mangling */
if (offset == PCI_CAP_LIST_ID && count > 1)
memcpy(val, vdev->vconfig + pos,
min(PCI_CAP_FLAGS, count));
else if (offset == PCI_CAP_LIST_NEXT)
memcpy(val, vdev->vconfig + pos, 1);
}
Reported by FlawFinder.
Line: 265
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(val, vdev->vconfig + pos,
min(PCI_CAP_FLAGS, count));
else if (offset == PCI_CAP_LIST_NEXT)
memcpy(val, vdev->vconfig + pos, 1);
}
return count;
}
Reported by FlawFinder.
Line: 303
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int count, struct perm_bits *perm,
int offset, __le32 val)
{
memcpy(vdev->vconfig + pos, &val, count);
return count;
}
static int vfio_virt_config_read(struct vfio_pci_device *vdev, int pos,
int count, struct perm_bits *perm,
Reported by FlawFinder.
drivers/video/backlight/sky81452-backlight.c
11 issues
Line: 129
Column: 5
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
for (i = 0; i < 6; i++) {
if (value & 0x01) {
sprintf(tmp, "%d ", i + 1);
strcat(buf, tmp);
}
value >>= 1;
}
strcat(buf, "\n");
} else {
Reported by FlawFinder.
Line: 116
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct regmap *regmap = bl_get_data(to_backlight_device(dev));
unsigned int reg, value = 0;
char tmp[3];
int i, ret;
reg = !strcmp(attr->attr.name, "open") ? SKY81452_REG5 : SKY81452_REG4;
ret = regmap_read(regmap, reg, &value);
if (ret < 0)
Reported by FlawFinder.
Line: 128
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
*buf = 0;
for (i = 0; i < 6; i++) {
if (value & 0x01) {
sprintf(tmp, "%d ", i + 1);
strcat(buf, tmp);
}
value >>= 1;
}
strcat(buf, "\n");
Reported by FlawFinder.
Line: 135
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
strcat(buf, "\n");
} else {
strcpy(buf, "none\n");
}
return strlen(buf);
}
Reported by FlawFinder.
Line: 155
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
*buf = 0;
if (value & SKY81452_OCP)
strcat(buf, "over-current ");
if (value & SKY81452_OTMP)
strcat(buf, "over-temperature");
strcat(buf, "\n");
Reported by FlawFinder.
Line: 158
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(buf, "over-current ");
if (value & SKY81452_OTMP)
strcat(buf, "over-temperature");
strcat(buf, "\n");
return strlen(buf);
}
Reported by FlawFinder.
Line: 165
Column: 20
CWE codes:
362
}
static DEVICE_ATTR(enable, S_IWGRP | S_IWUSR, NULL, sky81452_bl_store_enable);
static DEVICE_ATTR(open, S_IRUGO, sky81452_bl_show_open_short, NULL);
static DEVICE_ATTR(short, S_IRUGO, sky81452_bl_show_open_short, NULL);
static DEVICE_ATTR(fault, S_IRUGO, sky81452_bl_show_fault, NULL);
static struct attribute *sky81452_bl_attribute[] = {
&dev_attr_enable.attr,
Reported by FlawFinder.
Line: 133
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
}
value >>= 1;
}
strcat(buf, "\n");
} else {
strcpy(buf, "none\n");
}
return strlen(buf);
Reported by FlawFinder.
Line: 138
Column: 9
CWE codes:
126
strcpy(buf, "none\n");
}
return strlen(buf);
}
static ssize_t sky81452_bl_show_fault(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 160
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (value & SKY81452_OTMP)
strcat(buf, "over-temperature");
strcat(buf, "\n");
return strlen(buf);
}
static DEVICE_ATTR(enable, S_IWGRP | S_IWUSR, NULL, sky81452_bl_store_enable);
static DEVICE_ATTR(open, S_IRUGO, sky81452_bl_show_open_short, NULL);
Reported by FlawFinder.
drivers/net/ethernet/dec/tulip/uli526x.c
11 issues
Line: 179
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long reset_TXtimeout;
/* NIC SROM data */
unsigned char srom[128];
u8 init;
};
enum uli526x_offsets {
DCR0 = 0x00, DCR1 = 0x08, DCR2 = 0x10, DCR3 = 0x18, DCR4 = 0x20,
Reported by FlawFinder.
Line: 121
Column: 9
CWE codes:
120
20
struct uli526x_board_info {
struct uli_phy_ops {
void (*write)(struct uli526x_board_info *, u8, u8, u16);
u16 (*read)(struct uli526x_board_info *, u8, u8);
} phy;
struct net_device *next_dev; /* next device */
struct pci_dev *pdev; /* PCI device */
spinlock_t lock;
Reported by FlawFinder.
Line: 520
Column: 20
CWE codes:
120
20
for (phy_tmp = 0; phy_tmp < 32; phy_tmp++) {
u16 phy_value;
phy_value = phy->read(db, phy_tmp, 3); //peer add
if (phy_value != 0xffff && phy_value != 0) {
db->phy_addr = phy_tmp;
break;
}
}
Reported by FlawFinder.
Line: 533
Column: 23
CWE codes:
120
20
db->media_mode = uli526x_media_mode;
/* phyxcer capability setting */
phy_reg_reset = phy->read(db, db->phy_addr, 0);
phy_reg_reset = (phy_reg_reset | 0x8000);
phy->write(db, db->phy_addr, 0, phy_reg_reset);
/* See IEEE 802.3-2002.pdf (Section 2, Chapter "22.2.4 Management
* functions") or phy data sheet for details on phy reset
Reported by FlawFinder.
Line: 542
Column: 27
CWE codes:
120
20
*/
udelay(500);
timeout = 10;
while (timeout-- && phy->read(db, db->phy_addr, 0) & 0x8000)
udelay(100);
/* Process Phyxcer Media Mode */
uli526x_set_phyxcer(db);
Reported by FlawFinder.
Line: 1058
Column: 12
CWE codes:
120
20
}
/* Link status check, Dynamic media type change */
if ((phy->read(db, db->phy_addr, 5) & 0x01e0)!=0)
tmp_cr12 = 3;
if ( !(tmp_cr12 & 0x3) && !db->link_failed ) {
/* Link Failed */
ULI526X_DBUG(0, "Link Failed", tmp_cr12);
Reported by FlawFinder.
Line: 1478
Column: 18
CWE codes:
120
20
u8 ErrFlag = 0;
u16 phy_mode;
phy_mode = phy->read(db, db->phy_addr, 1);
phy_mode = phy->read(db, db->phy_addr, 1);
if ( (phy_mode & 0x24) == 0x24 ) {
phy_mode = ((phy->read(db, db->phy_addr, 5) & 0x01e0)<<7);
Reported by FlawFinder.
Line: 1479
Column: 18
CWE codes:
120
20
u16 phy_mode;
phy_mode = phy->read(db, db->phy_addr, 1);
phy_mode = phy->read(db, db->phy_addr, 1);
if ( (phy_mode & 0x24) == 0x24 ) {
phy_mode = ((phy->read(db, db->phy_addr, 5) & 0x01e0)<<7);
if(phy_mode&0x8000)
Reported by FlawFinder.
Line: 1483
Column: 21
CWE codes:
120
20
if ( (phy_mode & 0x24) == 0x24 ) {
phy_mode = ((phy->read(db, db->phy_addr, 5) & 0x01e0)<<7);
if(phy_mode&0x8000)
phy_mode = 0x8000;
else if(phy_mode&0x4000)
phy_mode = 0x4000;
else if(phy_mode&0x2000)
Reported by FlawFinder.
Line: 1522
Column: 17
CWE codes:
120
20
u16 phy_reg;
/* Phyxcer capability setting */
phy_reg = phy->read(db, db->phy_addr, 4) & ~0x01e0;
if (db->media_mode & ULI526X_AUTO) {
/* AUTO Mode */
phy_reg |= db->PHY_reg4;
} else {
Reported by FlawFinder.
tools/perf/tests/api-io.c
11 issues
Line: 41
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ssize_t contents_len = strlen(contents);
int fd;
strcpy(path, TEMPL);
fd = mkstemp(path);
if (fd < 0) {
pr_debug("mkstemp failed");
return -1;
}
Reported by FlawFinder.
Line: 36
Column: 27
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} \
} while (0)
static int make_test_file(char path[PATH_MAX], const char *contents)
{
ssize_t contents_len = strlen(contents);
int fd;
strcpy(path, TEMPL);
Reported by FlawFinder.
Line: 42
Column: 7
CWE codes:
377
int fd;
strcpy(path, TEMPL);
fd = mkstemp(path);
if (fd < 0) {
pr_debug("mkstemp failed");
return -1;
}
if (write(fd, contents, contents_len) < contents_len) {
Reported by FlawFinder.
Line: 57
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return 0;
}
static int setup_test(char path[PATH_MAX], const char *contents,
size_t buf_size, struct io *io)
{
if (make_test_file(path, contents))
return -1;
Reported by FlawFinder.
Line: 63
Column: 11
CWE codes:
362
if (make_test_file(path, contents))
return -1;
io->fd = open(path, O_RDONLY);
if (io->fd < 0) {
pr_debug("Failed to open '%s'\n", path);
unlink(path);
return -1;
}
Reported by FlawFinder.
Line: 80
Column: 26
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return 0;
}
static void cleanup_test(char path[PATH_MAX], struct io *io)
{
free(io->buf);
close(io->fd);
unlink(path);
}
Reported by FlawFinder.
Line: 89
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int do_test_get_char(const char *test_string, size_t buf_size)
{
char path[PATH_MAX];
struct io io;
int ch, ret = 0;
size_t i;
if (setup_test(path, test_string, buf_size, &io))
Reported by FlawFinder.
Line: 136
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u64 val3, int ch3,
bool end_eof)
{
char path[PATH_MAX];
struct io io;
int ch, ret = 0;
__u64 hex;
if (setup_test(path, test_string, 4, &io))
Reported by FlawFinder.
Line: 217
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u64 val3, int ch3,
bool end_eof)
{
char path[PATH_MAX];
struct io io;
int ch, ret = 0;
__u64 dec;
if (setup_test(path, test_string, 4, &io))
Reported by FlawFinder.
Line: 38
Column: 25
CWE codes:
126
static int make_test_file(char path[PATH_MAX], const char *contents)
{
ssize_t contents_len = strlen(contents);
int fd;
strcpy(path, TEMPL);
fd = mkstemp(path);
if (fd < 0) {
Reported by FlawFinder.
drivers/usb/storage/ene_ub6250.c
11 issues
Line: 423
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 *Phy2LogMap; /* phy2log table */
u16 *Log2PhyMap; /* log2phy table */
u16 wrtblk;
unsigned char *pagemap[(MS_MAX_PAGES_PER_BLOCK + (MS_LIB_BITS_PER_BYTE-1)) / MS_LIB_BITS_PER_BYTE];
unsigned char *blkpag;
struct ms_lib_type_extdat *blkext;
unsigned char copybuf[512];
};
Reported by FlawFinder.
Line: 426
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char *pagemap[(MS_MAX_PAGES_PER_BLOCK + (MS_LIB_BITS_PER_BYTE-1)) / MS_LIB_BITS_PER_BYTE];
unsigned char *blkpag;
struct ms_lib_type_extdat *blkext;
unsigned char copybuf[512];
};
/* SD Block Length */
/* 2^9 = 512 Bytes, The HW maximum read/write data length */
Reported by FlawFinder.
Line: 576
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int do_scsi_request_sense(struct us_data *us, struct scsi_cmnd *srb)
{
struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
unsigned char buf[18];
memset(buf, 0, 18);
buf[0] = 0x70; /* Current error */
buf[2] = info->SrbStatus >> 16; /* Sense key */
buf[7] = 10; /* Additional length */
Reported by FlawFinder.
Line: 591
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int do_scsi_inquiry(struct us_data *us, struct scsi_cmnd *srb)
{
unsigned char data_ptr[36] = {
0x00, 0x00, 0x02, 0x00, 0x1F, 0x00, 0x00, 0x00, 0x55,
0x53, 0x42, 0x32, 0x2E, 0x30, 0x20, 0x20, 0x43, 0x61,
0x72, 0x64, 0x52, 0x65, 0x61, 0x64, 0x65, 0x72, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x30, 0x31, 0x30, 0x30 };
Reported by FlawFinder.
Line: 618
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int sd_scsi_mode_sense(struct us_data *us, struct scsi_cmnd *srb)
{
struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
unsigned char mediaNoWP[12] = {
0x0b, 0x00, 0x00, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
unsigned char mediaWP[12] = {
0x0b, 0x00, 0x80, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
Reported by FlawFinder.
Line: 621
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char mediaNoWP[12] = {
0x0b, 0x00, 0x00, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
unsigned char mediaWP[12] = {
0x0b, 0x00, 0x80, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
if (info->SD_Status.WtP)
usb_stor_set_xfer_buf(mediaWP, 12, srb);
Reported by FlawFinder.
Line: 639
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 bl_num;
u32 bl_len;
unsigned int offset = 0;
unsigned char buf[8];
struct scatterlist *sg = NULL;
struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
usb_stor_dbg(us, "sd_scsi_read_capacity\n");
if (info->SD_Status.HiCapacity) {
Reported by FlawFinder.
Line: 1472
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ms_scsi_mode_sense(struct us_data *us, struct scsi_cmnd *srb)
{
struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
unsigned char mediaNoWP[12] = {
0x0b, 0x00, 0x00, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
unsigned char mediaWP[12] = {
0x0b, 0x00, 0x80, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
Reported by FlawFinder.
Line: 1475
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char mediaNoWP[12] = {
0x0b, 0x00, 0x00, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
unsigned char mediaWP[12] = {
0x0b, 0x00, 0x80, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
if (info->MS_Status.WtP)
usb_stor_set_xfer_buf(mediaWP, 12, srb);
Reported by FlawFinder.
Line: 1492
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 bl_num;
u16 bl_len;
unsigned int offset = 0;
unsigned char buf[8];
struct scatterlist *sg = NULL;
struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
usb_stor_dbg(us, "ms_scsi_read_capacity\n");
bl_len = 0x200;
Reported by FlawFinder.
drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.c
11 issues
Line: 203
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((len + datalen) > buflen)
return 0;
memcpy(buf, name, len);
/* append data onto the end of the name string */
if (data && datalen)
memcpy(&buf[len], data, datalen);
Reported by FlawFinder.
Line: 207
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* append data onto the end of the name string */
if (data && datalen)
memcpy(&buf[len], data, datalen);
return len + datalen;
}
Reported by FlawFinder.
Line: 257
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = brcmf_fil_cmd_data(ifp, BRCMF_C_GET_VAR, drvr->proto_buf,
buflen, false);
if (err == 0)
memcpy(data, drvr->proto_buf, len);
} else {
err = -EPERM;
bphy_err(drvr, "Creating iovar failed\n");
}
Reported by FlawFinder.
Line: 317
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = buf;
/* copy prefix, no null */
memcpy(p, prefix, prefixlen);
p += prefixlen;
/* copy iovar name including null */
memcpy(p, name, namelen);
p += namelen;
Reported by FlawFinder.
Line: 321
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p += prefixlen;
/* copy iovar name including null */
memcpy(p, name, namelen);
p += namelen;
/* bss config index as first data */
bsscfgidx_le = cpu_to_le32(bsscfgidx);
memcpy(p, &bsscfgidx_le, sizeof(bsscfgidx_le));
Reported by FlawFinder.
Line: 326
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* bss config index as first data */
bsscfgidx_le = cpu_to_le32(bsscfgidx);
memcpy(p, &bsscfgidx_le, sizeof(bsscfgidx_le));
p += sizeof(bsscfgidx_le);
/* parameter buffer follows */
if (datalen)
memcpy(p, data, datalen);
Reported by FlawFinder.
Line: 331
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* parameter buffer follows */
if (datalen)
memcpy(p, data, datalen);
return iolen;
}
s32
Reported by FlawFinder.
Line: 381
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = brcmf_fil_cmd_data(ifp, BRCMF_C_GET_VAR, drvr->proto_buf,
buflen, false);
if (err == 0)
memcpy(data, drvr->proto_buf, len);
} else {
err = -EPERM;
bphy_err(drvr, "Creating bsscfg failed\n");
}
brcmf_dbg(FIL, "ifidx=%d, bsscfgidx=%d, name=%s, len=%d\n", ifp->ifidx,
Reported by FlawFinder.
Line: 198
Column: 8
CWE codes:
126
{
u32 len;
len = strlen(name) + 1;
if ((len + datalen) > buflen)
return 0;
memcpy(buf, name, len);
Reported by FlawFinder.
Line: 305
Column: 14
CWE codes:
126
if (bsscfgidx == 0)
return brcmf_create_iovar(name, data, datalen, buf, buflen);
prefixlen = strlen(prefix);
namelen = strlen(name) + 1; /* length of iovar name + null */
iolen = prefixlen + namelen + sizeof(bsscfgidx_le) + datalen;
if (buflen < iolen) {
brcmf_err("buffer is too short\n");
Reported by FlawFinder.