The following issues were found
drivers/video/fbdev/intelfb/intelfbdrv.c
11 issues
Line: 1106
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return 1;
info->pixmap.scan_align = 1;
strcpy(info->fix.id, dinfo->name);
info->fix.smem_start = dinfo->fb.physical;
info->fix.smem_len = dinfo->fb.size;
info->fix.type = FB_TYPE_PACKED_PIXELS;
info->fix.type_aux = 0;
info->fix.xpanstep = 8;
Reported by FlawFinder.
Line: 1015
Column: 10
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
var = &dinfo->info->var;
if (FIXED_MODE(dinfo)) {
memcpy(var, &dinfo->initial_var,
sizeof(struct fb_var_screeninfo));
msrc = 5;
} else {
const u8 *edid_s = fb_firmware_edid(&dinfo->pdev->dev);
u8 *edid_d = NULL;
Reported by FlawFinder.
Line: 1189
Column: 15
CWE codes:
362
if (user) {
dinfo->open--;
msleep(1);
if (!dinfo->open)
intelfbhw_disable_irq(dinfo);
}
return 0;
}
Reported by FlawFinder.
Line: 1343
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ACCEL(dinfo, info))
intelfbhw_2d_stop(dinfo);
memcpy(hw, &dinfo->save_state, sizeof(*hw));
if (intelfbhw_mode_to_hw(dinfo, hw, &info->var))
goto invalid_mode;
if (intelfbhw_program_mode(dinfo, hw, 0))
goto invalid_mode;
Reported by FlawFinder.
Line: 1642
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* save the bitmap to restore it when XFree will
make the cursor dirty */
memcpy(dinfo->cursor_src, src, size);
intelfbhw_cursor_load(dinfo, cursor->image.width,
cursor->image.height, src);
}
Reported by FlawFinder.
Line: 269
Column: 51
CWE codes:
126
"Initial video mode \"<xres>x<yres>[-<depth>][@<refresh>]\"");
#ifndef MODULE
#define OPT_EQUAL(opt, name) (!strncmp(opt, name, strlen(name)))
#define OPT_INTVAL(opt, name) simple_strtoul(opt + strlen(name) + 1, NULL, 0)
#define OPT_STRVAL(opt, name) (opt + strlen(name))
static __inline__ char * get_opt_string(const char *this_opt, const char *name)
{
Reported by FlawFinder.
Line: 270
Column: 52
CWE codes:
126
#ifndef MODULE
#define OPT_EQUAL(opt, name) (!strncmp(opt, name, strlen(name)))
#define OPT_INTVAL(opt, name) simple_strtoul(opt + strlen(name) + 1, NULL, 0)
#define OPT_STRVAL(opt, name) (opt + strlen(name))
static __inline__ char * get_opt_string(const char *this_opt, const char *name)
{
const char *p;
Reported by FlawFinder.
Line: 271
Column: 38
CWE codes:
126
#ifndef MODULE
#define OPT_EQUAL(opt, name) (!strncmp(opt, name, strlen(name)))
#define OPT_INTVAL(opt, name) simple_strtoul(opt + strlen(name) + 1, NULL, 0)
#define OPT_STRVAL(opt, name) (opt + strlen(name))
static __inline__ char * get_opt_string(const char *this_opt, const char *name)
{
const char *p;
int i;
Reported by FlawFinder.
Line: 285
Column: 3
CWE codes:
120
i++;
ret = kmalloc(i + 1, GFP_KERNEL);
if (ret) {
strncpy(ret, p, i);
ret[i] = '\0';
}
return ret;
}
Reported by FlawFinder.
Line: 311
Column: 16
CWE codes:
126
return 0;
if (OPT_EQUAL(this_opt, name)) {
if (this_opt[strlen(name)] == '=')
*ret = simple_strtoul(this_opt + strlen(name) + 1,
NULL, 0);
else
*ret = 1;
} else {
Reported by FlawFinder.
tools/perf/tests/api-io.c
11 issues
Line: 41
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ssize_t contents_len = strlen(contents);
int fd;
strcpy(path, TEMPL);
fd = mkstemp(path);
if (fd < 0) {
pr_debug("mkstemp failed");
return -1;
}
Reported by FlawFinder.
Line: 36
Column: 27
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} \
} while (0)
static int make_test_file(char path[PATH_MAX], const char *contents)
{
ssize_t contents_len = strlen(contents);
int fd;
strcpy(path, TEMPL);
Reported by FlawFinder.
Line: 42
Column: 7
CWE codes:
377
int fd;
strcpy(path, TEMPL);
fd = mkstemp(path);
if (fd < 0) {
pr_debug("mkstemp failed");
return -1;
}
if (write(fd, contents, contents_len) < contents_len) {
Reported by FlawFinder.
Line: 57
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return 0;
}
static int setup_test(char path[PATH_MAX], const char *contents,
size_t buf_size, struct io *io)
{
if (make_test_file(path, contents))
return -1;
Reported by FlawFinder.
Line: 63
Column: 11
CWE codes:
362
if (make_test_file(path, contents))
return -1;
io->fd = open(path, O_RDONLY);
if (io->fd < 0) {
pr_debug("Failed to open '%s'\n", path);
unlink(path);
return -1;
}
Reported by FlawFinder.
Line: 80
Column: 26
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return 0;
}
static void cleanup_test(char path[PATH_MAX], struct io *io)
{
free(io->buf);
close(io->fd);
unlink(path);
}
Reported by FlawFinder.
Line: 89
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int do_test_get_char(const char *test_string, size_t buf_size)
{
char path[PATH_MAX];
struct io io;
int ch, ret = 0;
size_t i;
if (setup_test(path, test_string, buf_size, &io))
Reported by FlawFinder.
Line: 136
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u64 val3, int ch3,
bool end_eof)
{
char path[PATH_MAX];
struct io io;
int ch, ret = 0;
__u64 hex;
if (setup_test(path, test_string, 4, &io))
Reported by FlawFinder.
Line: 217
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u64 val3, int ch3,
bool end_eof)
{
char path[PATH_MAX];
struct io io;
int ch, ret = 0;
__u64 dec;
if (setup_test(path, test_string, 4, &io))
Reported by FlawFinder.
Line: 38
Column: 25
CWE codes:
126
static int make_test_file(char path[PATH_MAX], const char *contents)
{
ssize_t contents_len = strlen(contents);
int fd;
strcpy(path, TEMPL);
fd = mkstemp(path);
if (fd < 0) {
Reported by FlawFinder.
drivers/net/wireless/ath/wcn36xx/main.c
11 issues
Line: 486
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (netdev_hw_addr_list_count(mc_list) <=
WCN36XX_HAL_MAX_NUM_MULTICAST_ADDRESS) {
netdev_hw_addr_list_for_each(ha, mc_list) {
memcpy(fp->mc_addr[fp->mc_addr_count],
ha->addr, ETH_ALEN);
fp->mc_addr_count++;
}
}
Reported by FlawFinder.
Line: 560
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* IEEE 802.11 spec (see chapter 11.7) like this:
* Temporal Key (16 b) - RX MIC (8 b) - TX MIC (8 b)
*/
memcpy(key, key_conf->key, 16);
memcpy(key + 16, key_conf->key + 24, 8);
memcpy(key + 24, key_conf->key + 16, 8);
} else {
memcpy(key, key_conf->key, key_conf->keylen);
}
Reported by FlawFinder.
Line: 561
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Temporal Key (16 b) - RX MIC (8 b) - TX MIC (8 b)
*/
memcpy(key, key_conf->key, 16);
memcpy(key + 16, key_conf->key + 24, 8);
memcpy(key + 24, key_conf->key + 16, 8);
} else {
memcpy(key, key_conf->key, key_conf->keylen);
}
Reported by FlawFinder.
Line: 562
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
memcpy(key, key_conf->key, 16);
memcpy(key + 16, key_conf->key + 24, 8);
memcpy(key + 24, key_conf->key + 16, 8);
} else {
memcpy(key, key_conf->key, key_conf->keylen);
}
if (IEEE80211_KEY_FLAG_PAIRWISE & key_conf->flags) {
Reported by FlawFinder.
Line: 564
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(key + 16, key_conf->key + 24, 8);
memcpy(key + 24, key_conf->key + 16, 8);
} else {
memcpy(key, key_conf->key, key_conf->keylen);
}
if (IEEE80211_KEY_FLAG_PAIRWISE & key_conf->flags) {
sta_priv->is_data_encrypted = true;
/* Reconfigure bss with encrypt_type */
Reported by FlawFinder.
Line: 757
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sta->ht_cap.ht_supported) {
BUILD_BUG_ON(sizeof(sta->ht_cap.mcs.rx_mask) >
sizeof(sta_priv->supported_rates.supported_mcs_set));
memcpy(sta_priv->supported_rates.supported_mcs_set,
sta->ht_cap.mcs.rx_mask,
sizeof(sta->ht_cap.mcs.rx_mask));
}
if (sta->vht_cap.vht_supported) {
Reported by FlawFinder.
Line: 791
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
};
rates->op_rate_mode = STA_11n;
memcpy(rates->dsss_rates, dsss_rates,
sizeof(*dsss_rates) * WCN36XX_HAL_NUM_DSSS_RATES);
memcpy(rates->ofdm_rates, ofdm_rates,
sizeof(*ofdm_rates) * WCN36XX_HAL_NUM_OFDM_RATES);
rates->supported_mcs_set[0] = 0xFF;
}
Reported by FlawFinder.
Line: 793
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rates->op_rate_mode = STA_11n;
memcpy(rates->dsss_rates, dsss_rates,
sizeof(*dsss_rates) * WCN36XX_HAL_NUM_DSSS_RATES);
memcpy(rates->ofdm_rates, ofdm_rates,
sizeof(*ofdm_rates) * WCN36XX_HAL_NUM_OFDM_RATES);
rates->supported_mcs_set[0] = 0xFF;
}
void wcn36xx_set_default_rates_v1(struct wcn36xx_hal_supported_rates_v1 *rates)
Reported by FlawFinder.
Line: 858
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bss_conf->ssid, bss_conf->ssid_len);
vif_priv->ssid.length = bss_conf->ssid_len;
memcpy(&vif_priv->ssid.ssid,
bss_conf->ssid,
bss_conf->ssid_len);
}
if (changed & BSS_CHANGED_ASSOC) {
Reported by FlawFinder.
Line: 1159
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&wcn->conf_mutex);
memcpy(vif_priv->rekey_data.kek, data->kek, NL80211_KEK_LEN);
memcpy(vif_priv->rekey_data.kck, data->kck, NL80211_KCK_LEN);
vif_priv->rekey_data.replay_ctr =
cpu_to_le64(be64_to_cpup((__be64 *)data->replay_ctr));
vif_priv->rekey_data.valid = true;
Reported by FlawFinder.
drivers/usb/misc/usbsevseg.c
11 issues
Line: 256
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
for (i = 0; i < ARRAY_SIZE(display_textmodes); i++) {
if (mydev->textmode == i) {
strcat(buf, " [");
strcat(buf, display_textmodes[i]);
strcat(buf, "] ");
} else {
strcat(buf, " ");
strcat(buf, display_textmodes[i]);
strcat(buf, " ");
Reported by FlawFinder.
Line: 260
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(buf, "] ");
} else {
strcat(buf, " ");
strcat(buf, display_textmodes[i]);
strcat(buf, " ");
}
}
strcat(buf, "\n");
Reported by FlawFinder.
Line: 110
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int rc;
int i;
unsigned char buffer[MAXLEN] = {0};
u8 decimals = 0;
if(mydev->shadow_power != 1)
return;
Reported by FlawFinder.
Line: 148
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct usb_interface *intf = to_usb_interface(dev); \
struct usb_sevsegdev *mydev = usb_get_intfdata(intf); \
\
return sprintf(buf, "%u\n", mydev->name); \
} \
\
static ssize_t name##_store(struct device *dev, \
struct device_attribute *attr, const char *buf, size_t count) \
{ \
Reported by FlawFinder.
Line: 187
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mydev->textlength = end;
if (end > 0)
memcpy(mydev->text, buf, end);
update_display_visual(mydev, GFP_KERNEL);
return count;
}
Reported by FlawFinder.
Line: 255
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
for (i = 0; i < ARRAY_SIZE(display_textmodes); i++) {
if (mydev->textmode == i) {
strcat(buf, " [");
strcat(buf, display_textmodes[i]);
strcat(buf, "] ");
} else {
strcat(buf, " ");
strcat(buf, display_textmodes[i]);
Reported by FlawFinder.
Line: 257
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (mydev->textmode == i) {
strcat(buf, " [");
strcat(buf, display_textmodes[i]);
strcat(buf, "] ");
} else {
strcat(buf, " ");
strcat(buf, display_textmodes[i]);
strcat(buf, " ");
}
Reported by FlawFinder.
Line: 259
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(buf, display_textmodes[i]);
strcat(buf, "] ");
} else {
strcat(buf, " ");
strcat(buf, display_textmodes[i]);
strcat(buf, " ");
}
}
strcat(buf, "\n");
Reported by FlawFinder.
Line: 261
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
} else {
strcat(buf, " ");
strcat(buf, display_textmodes[i]);
strcat(buf, " ");
}
}
strcat(buf, "\n");
Reported by FlawFinder.
Line: 264
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(buf, " ");
}
}
strcat(buf, "\n");
return strlen(buf);
}
Reported by FlawFinder.
drivers/usb/musb/musb_core.c
11 issues
Line: 2286
CWE codes:
908
if (!is_suspended)
error = callback(musb, data);
return error;
}
EXPORT_SYMBOL_GPL(musb_queue_resume_work);
static void musb_deassert_reset(struct work_struct *work)
{
Reported by Cppcheck.
Line: 1607
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* log core options (read using indexed model) */
reg = musb_read_configdata(mbase);
strcpy(aInfo, (reg & MUSB_CONFIGDATA_UTMIDW) ? "UTMI-16" : "UTMI-8");
if (reg & MUSB_CONFIGDATA_DYNFIFO) {
strcat(aInfo, ", dyn FIFOs");
musb->dyn_fifo = true;
}
if (reg & MUSB_CONFIGDATA_MPRXE) {
Reported by FlawFinder.
Line: 1866
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int ret;
spin_lock_irqsave(&musb->lock, flags);
ret = sprintf(buf, "%s\n", usb_otg_state_string(musb->xceiv->otg->state));
spin_unlock_irqrestore(&musb->lock, flags);
return ret;
}
Reported by FlawFinder.
Line: 1944
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
spin_unlock_irqrestore(&musb->lock, flags);
pm_runtime_put_sync(dev);
return sprintf(buf, "Vbus %s, timeout %lu msec\n",
vbus ? "on" : "off", val);
}
static DEVICE_ATTR_RW(vbus);
/* Gadget drivers can't know that a host is connected so they might want
Reported by FlawFinder.
Line: 1599
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
u8 reg;
char *type;
char aInfo[90];
void __iomem *mbase = musb->mregs;
int status = 0;
int i;
/* log core options (read using indexed model) */
Reported by FlawFinder.
Line: 1609
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcpy(aInfo, (reg & MUSB_CONFIGDATA_UTMIDW) ? "UTMI-16" : "UTMI-8");
if (reg & MUSB_CONFIGDATA_DYNFIFO) {
strcat(aInfo, ", dyn FIFOs");
musb->dyn_fifo = true;
}
if (reg & MUSB_CONFIGDATA_MPRXE) {
strcat(aInfo, ", bulk combine");
musb->bulk_combine = true;
Reported by FlawFinder.
Line: 1613
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
musb->dyn_fifo = true;
}
if (reg & MUSB_CONFIGDATA_MPRXE) {
strcat(aInfo, ", bulk combine");
musb->bulk_combine = true;
}
if (reg & MUSB_CONFIGDATA_MPTXE) {
strcat(aInfo, ", bulk split");
musb->bulk_split = true;
Reported by FlawFinder.
Line: 1617
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
musb->bulk_combine = true;
}
if (reg & MUSB_CONFIGDATA_MPTXE) {
strcat(aInfo, ", bulk split");
musb->bulk_split = true;
}
if (reg & MUSB_CONFIGDATA_HBRXE) {
strcat(aInfo, ", HB-ISO Rx");
musb->hb_iso_rx = true;
Reported by FlawFinder.
Line: 1621
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
musb->bulk_split = true;
}
if (reg & MUSB_CONFIGDATA_HBRXE) {
strcat(aInfo, ", HB-ISO Rx");
musb->hb_iso_rx = true;
}
if (reg & MUSB_CONFIGDATA_HBTXE) {
strcat(aInfo, ", HB-ISO Tx");
musb->hb_iso_tx = true;
Reported by FlawFinder.
Line: 1625
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
musb->hb_iso_rx = true;
}
if (reg & MUSB_CONFIGDATA_HBTXE) {
strcat(aInfo, ", HB-ISO Tx");
musb->hb_iso_tx = true;
}
if (reg & MUSB_CONFIGDATA_SOFTCONE)
strcat(aInfo, ", SoftConn");
Reported by FlawFinder.
drivers/isdn/hardware/mISDN/hfcmulti.c
11 issues
Line: 367
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
i = -1;
while (hfc_register_names[++i].name) {
if (hfc_register_names[i].reg == reg)
strcat(regname, hfc_register_names[i].name);
}
if (regname[0] == '\0')
strcpy(regname, "register");
bits[7] = '0' + (!!(val & 1));
Reported by FlawFinder.
Line: 397
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
;
while (hfc_register_names[++i].name) {
if (hfc_register_names[i].reg == reg)
strcat(regname, hfc_register_names[i].name);
}
if (regname[0] == '\0')
strcpy(regname, "register");
bits[7] = '0' + (!!(val & 1));
Reported by FlawFinder.
Line: 427
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
;
while (hfc_register_names[++i].name) {
if (hfc_register_names[i].reg == reg)
strcat(regname, hfc_register_names[i].name);
}
if (regname[0] == '\0')
strcpy(regname, "register");
printk(KERN_DEBUG
Reported by FlawFinder.
Line: 361
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
HFC_outb_debug(struct hfc_multi *hc, u_char reg, u_char val,
const char *function, int line)
{
char regname[256] = "", bits[9] = "xxxxxxxx";
int i;
i = -1;
while (hfc_register_names[++i].name) {
if (hfc_register_names[i].reg == reg)
Reported by FlawFinder.
Line: 370
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcat(regname, hfc_register_names[i].name);
}
if (regname[0] == '\0')
strcpy(regname, "register");
bits[7] = '0' + (!!(val & 1));
bits[6] = '0' + (!!(val & 2));
bits[5] = '0' + (!!(val & 4));
bits[4] = '0' + (!!(val & 8));
Reported by FlawFinder.
Line: 388
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static u_char
HFC_inb_debug(struct hfc_multi *hc, u_char reg, const char *function, int line)
{
char regname[256] = "", bits[9] = "xxxxxxxx";
u_char val = HFC_inb_nodebug(hc, reg);
int i;
i = 0;
while (hfc_register_names[i++].name)
Reported by FlawFinder.
Line: 400
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcat(regname, hfc_register_names[i].name);
}
if (regname[0] == '\0')
strcpy(regname, "register");
bits[7] = '0' + (!!(val & 1));
bits[6] = '0' + (!!(val & 2));
bits[5] = '0' + (!!(val & 4));
bits[4] = '0' + (!!(val & 8));
Reported by FlawFinder.
Line: 418
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static u_short
HFC_inw_debug(struct hfc_multi *hc, u_char reg, const char *function, int line)
{
char regname[256] = "";
u_short val = HFC_inw_nodebug(hc, reg);
int i;
i = 0;
while (hfc_register_names[i++].name)
Reported by FlawFinder.
Line: 430
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcat(regname, hfc_register_names[i].name);
}
if (regname[0] == '\0')
strcpy(regname, "register");
printk(KERN_DEBUG
"HFC_inw(chip %d, %02x=%s) = 0x%04x; in %s() line %d\n",
hc->id, reg, regname, val, function, line);
return val;
Reported by FlawFinder.
Line: 4799
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dchannel *dch;
struct bchannel *bch;
int ch, ret = 0;
char name[MISDN_MAX_IDLEN];
int bcount = 0;
dch = kzalloc(sizeof(struct dchannel), GFP_KERNEL);
if (!dch)
return -ENOMEM;
Reported by FlawFinder.
drivers/block/paride/pg.c
11 issues
Line: 217
Column: 16
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
unsigned long timeout; /* timeout requested */
int status; /* last sense key */
int drive; /* drive */
unsigned long access; /* count of active opens ... */
int present; /* device present ? */
char *bufptr;
char name[PG_NAMELEN]; /* pg0, pg1, ... */
};
Reported by FlawFinder.
Line: 252
Column: 22
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
int *parm = *drives[unit];
struct pg *dev = &devices[unit];
dev->pi = &dev->pia;
clear_bit(0, &dev->access);
dev->busy = 0;
dev->present = 0;
dev->bufptr = NULL;
dev->drive = parm[D_SLV];
snprintf(dev->name, PG_NAMELEN, "%s%c", name, 'a'+unit);
Reported by FlawFinder.
Line: 538
Column: 32
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
goto out;
}
if (test_and_set_bit(0, &dev->access)) {
ret = -EBUSY;
goto out;
}
if (dev->busy) {
Reported by FlawFinder.
Line: 552
Column: 22
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
dev->bufptr = kmalloc(PG_MAX_DATA, GFP_KERNEL);
if (dev->bufptr == NULL) {
clear_bit(0, &dev->access);
printk("%s: buffer allocation failed\n", dev->name);
ret = -ENOMEM;
goto out;
}
Reported by FlawFinder.
Line: 571
Column: 21
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
kfree(dev->bufptr);
dev->bufptr = NULL;
clear_bit(0, &dev->access);
return 0;
}
static ssize_t pg_write(struct file *filp, const char __user *buf, size_t count, loff_t *ppos)
Reported by FlawFinder.
Line: 220
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long access; /* count of active opens ... */
int present; /* device present ? */
char *bufptr;
char name[PG_NAMELEN]; /* pg0, pg1, ... */
};
static struct pg devices[PG_UNITS];
static int pg_identify(struct pg *dev, int log);
Reported by FlawFinder.
Line: 227
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pg_identify(struct pg *dev, int log);
static char pg_scratch[512]; /* scratch block buffer */
static struct class *pg_class;
static void *par_drv; /* reference of parport driver */
/* kernel glue structures */
Reported by FlawFinder.
Line: 440
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pg_identify(struct pg *dev, int log)
{
int s;
char *ms[2] = { "master", "slave" };
char mf[10], id[18];
char id_cmd[12] = { ATAPI_IDENTIFY, 0, 0, 0, 36, 0, 0, 0, 0, 0, 0, 0 };
char buf[36];
s = pg_command(dev, id_cmd, 36, jiffies + PG_TMO);
Reported by FlawFinder.
Line: 441
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int s;
char *ms[2] = { "master", "slave" };
char mf[10], id[18];
char id_cmd[12] = { ATAPI_IDENTIFY, 0, 0, 0, 36, 0, 0, 0, 0, 0, 0, 0 };
char buf[36];
s = pg_command(dev, id_cmd, 36, jiffies + PG_TMO);
if (s)
Reported by FlawFinder.
Line: 442
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int s;
char *ms[2] = { "master", "slave" };
char mf[10], id[18];
char id_cmd[12] = { ATAPI_IDENTIFY, 0, 0, 0, 36, 0, 0, 0, 0, 0, 0, 0 };
char buf[36];
s = pg_command(dev, id_cmd, 36, jiffies + PG_TMO);
if (s)
return -1;
Reported by FlawFinder.
drivers/scsi/bfa/bfad_attr.c
11 issues
Line: 368
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
u64_to_wwn(fc_vport->node_name, (u8 *)&port_cfg.nwwn);
u64_to_wwn(fc_vport->port_name, (u8 *)&port_cfg.pwwn);
if (strlen(vname) > 0)
strcpy((char *)&port_cfg.sym_name, vname);
port_cfg.roles = BFA_LPORT_ROLE_FCP_IM;
spin_lock_irqsave(&bfad->bfad_lock, flags);
list_for_each_entry(vp, &bfad->pbc_vport_list, list_entry) {
if (port_cfg.pwwn ==
Reported by FlawFinder.
Line: 711
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bfad_im_port_s *im_port =
(struct bfad_im_port_s *) shost->hostdata[0];
struct bfad_s *bfad = im_port->bfad;
char serial_num[BFA_ADAPTER_SERIAL_NUM_LEN];
bfa_get_adapter_serial_num(&bfad->bfa, serial_num);
return snprintf(buf, PAGE_SIZE, "%s\n", serial_num);
}
Reported by FlawFinder.
Line: 725
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bfad_im_port_s *im_port =
(struct bfad_im_port_s *) shost->hostdata[0];
struct bfad_s *bfad = im_port->bfad;
char model[BFA_ADAPTER_MODEL_NAME_LEN];
bfa_get_adapter_model(&bfad->bfa, model);
return snprintf(buf, PAGE_SIZE, "%s\n", model);
}
Reported by FlawFinder.
Line: 739
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bfad_im_port_s *im_port =
(struct bfad_im_port_s *) shost->hostdata[0];
struct bfad_s *bfad = im_port->bfad;
char model[BFA_ADAPTER_MODEL_NAME_LEN];
char model_descr[BFA_ADAPTER_MODEL_DESCR_LEN];
int nports = 0;
bfa_get_adapter_model(&bfad->bfa, model);
nports = bfa_get_nports(&bfad->bfa);
Reported by FlawFinder.
Line: 740
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
(struct bfad_im_port_s *) shost->hostdata[0];
struct bfad_s *bfad = im_port->bfad;
char model[BFA_ADAPTER_MODEL_NAME_LEN];
char model_descr[BFA_ADAPTER_MODEL_DESCR_LEN];
int nports = 0;
bfa_get_adapter_model(&bfad->bfa, model);
nports = bfa_get_nports(&bfad->bfa);
if (!strcmp(model, "QLogic-425"))
Reported by FlawFinder.
Line: 834
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
(struct bfad_im_port_s *) shost->hostdata[0];
struct bfad_s *bfad = im_port->bfad;
struct bfa_lport_attr_s port_attr;
char symname[BFA_SYMNAME_MAXLEN];
bfa_fcs_lport_get_attr(&bfad->bfa_fcs.fabric.bport, &port_attr);
strlcpy(symname, port_attr.port_cfg.sym_name.symname,
BFA_SYMNAME_MAXLEN);
return snprintf(buf, PAGE_SIZE, "%s\n", symname);
Reported by FlawFinder.
Line: 850
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bfad_im_port_s *im_port =
(struct bfad_im_port_s *) shost->hostdata[0];
struct bfad_s *bfad = im_port->bfad;
char hw_ver[BFA_VERSION_LEN];
bfa_get_pci_chip_rev(&bfad->bfa, hw_ver);
return snprintf(buf, PAGE_SIZE, "%s\n", hw_ver);
}
Reported by FlawFinder.
Line: 871
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bfad_im_port_s *im_port =
(struct bfad_im_port_s *) shost->hostdata[0];
struct bfad_s *bfad = im_port->bfad;
char optrom_ver[BFA_VERSION_LEN];
bfa_get_adapter_optrom_ver(&bfad->bfa, optrom_ver);
return snprintf(buf, PAGE_SIZE, "%s\n", optrom_ver);
}
Reported by FlawFinder.
Line: 885
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bfad_im_port_s *im_port =
(struct bfad_im_port_s *) shost->hostdata[0];
struct bfad_s *bfad = im_port->bfad;
char fw_ver[BFA_VERSION_LEN];
bfa_get_adapter_fw_ver(&bfad->bfa, fw_ver);
return snprintf(buf, PAGE_SIZE, "%s\n", fw_ver);
}
Reported by FlawFinder.
Line: 367
Column: 6
CWE codes:
126
memset(&port_cfg, 0, sizeof(port_cfg));
u64_to_wwn(fc_vport->node_name, (u8 *)&port_cfg.nwwn);
u64_to_wwn(fc_vport->port_name, (u8 *)&port_cfg.pwwn);
if (strlen(vname) > 0)
strcpy((char *)&port_cfg.sym_name, vname);
port_cfg.roles = BFA_LPORT_ROLE_FCP_IM;
spin_lock_irqsave(&bfad->bfad_lock, flags);
list_for_each_entry(vp, &bfad->pbc_vport_list, list_entry) {
Reported by FlawFinder.
arch/x86/kernel/alternative.c
11 issues
Line: 90
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
BYTES_NOP8,
};
const unsigned char * const x86_nops[ASM_NOP_MAX+1] =
{
NULL,
x86nops,
x86nops + 1,
x86nops + 1 + 2,
Reported by FlawFinder.
Line: 110
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned int noplen = len;
if (noplen > ASM_NOP_MAX)
noplen = ASM_NOP_MAX;
memcpy(insns, x86_nops[noplen], noplen);
insns += noplen;
len -= noplen;
}
}
Reported by FlawFinder.
Line: 307
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
DUMP_BYTES(instr, a->instrlen, "%px: old_insn: ", instr);
DUMP_BYTES(replacement, a->replacementlen, "%px: rpl_insn: ", replacement);
memcpy(insn_buff, replacement, a->replacementlen);
insn_buff_sz = a->replacementlen;
/*
* 0xe8 is a relative jump; fix the offset.
*
Reported by FlawFinder.
Line: 496
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct paravirt_patch_site *end)
{
struct paravirt_patch_site *p;
char insn_buff[MAX_PATCH_LEN];
for (p = start; p < end; p++) {
unsigned int used;
BUG_ON(p->len > MAX_PATCH_LEN);
Reported by FlawFinder.
Line: 503
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUG_ON(p->len > MAX_PATCH_LEN);
/* prep the buffer with the original instructions */
memcpy(insn_buff, p->instr, p->len);
used = paravirt_patch(p->type, insn_buff, (unsigned long)p->instr, p->len);
BUG_ON(used > p->len);
/* Pad the rest with nops */
Reported by FlawFinder.
Line: 695
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* code cannot be running and speculative code-fetches are
* prevented. Just change the code.
*/
memcpy(addr, opcode, len);
} else {
local_irq_save(flags);
memcpy(addr, opcode, len);
local_irq_restore(flags);
sync_core();
Reported by FlawFinder.
Line: 698
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(addr, opcode, len);
} else {
local_irq_save(flags);
memcpy(addr, opcode, len);
local_irq_restore(flags);
sync_core();
/*
* Could also do a CLFLUSH here to speed up CPU recovery; but
Reported by FlawFinder.
Line: 841
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
prev = use_temporary_mm(poking_mm);
kasan_disable_current();
memcpy((u8 *)poking_addr + offset_in_page(addr), opcode, len);
kasan_enable_current();
/*
* Ensure that the PTE is only cleared after the instructions of memcpy
* were issued by using a compiler barrier.
Reported by FlawFinder.
Line: 1124
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int len = text_opcode_size(tp[i].opcode);
if (len - INT3_INSN_SIZE > 0) {
memcpy(old + INT3_INSN_SIZE,
text_poke_addr(&tp[i]) + INT3_INSN_SIZE,
len - INT3_INSN_SIZE);
text_poke(text_poke_addr(&tp[i]) + INT3_INSN_SIZE,
(const char *)tp[i].text + INT3_INSN_SIZE,
len - INT3_INSN_SIZE);
Reported by FlawFinder.
Line: 1128
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
text_poke_addr(&tp[i]) + INT3_INSN_SIZE,
len - INT3_INSN_SIZE);
text_poke(text_poke_addr(&tp[i]) + INT3_INSN_SIZE,
(const char *)tp[i].text + INT3_INSN_SIZE,
len - INT3_INSN_SIZE);
do_sync++;
}
/*
Reported by FlawFinder.
drivers/block/drbd/drbd_state.c
11 issues
Line: 751
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
*pbp = 0;
if (ns.role != os.role && flags & CS_DC_ROLE)
pbp += sprintf(pbp, "role( %s -> %s ) ",
drbd_role_str(os.role),
drbd_role_str(ns.role));
if (ns.peer != os.peer && flags & CS_DC_PEER)
pbp += sprintf(pbp, "peer( %s -> %s ) ",
drbd_role_str(os.peer),
Reported by FlawFinder.
Line: 755
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
drbd_role_str(os.role),
drbd_role_str(ns.role));
if (ns.peer != os.peer && flags & CS_DC_PEER)
pbp += sprintf(pbp, "peer( %s -> %s ) ",
drbd_role_str(os.peer),
drbd_role_str(ns.peer));
if (ns.conn != os.conn && flags & CS_DC_CONN)
pbp += sprintf(pbp, "conn( %s -> %s ) ",
drbd_conn_str(os.conn),
Reported by FlawFinder.
Line: 759
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
drbd_role_str(os.peer),
drbd_role_str(ns.peer));
if (ns.conn != os.conn && flags & CS_DC_CONN)
pbp += sprintf(pbp, "conn( %s -> %s ) ",
drbd_conn_str(os.conn),
drbd_conn_str(ns.conn));
if (ns.disk != os.disk && flags & CS_DC_DISK)
pbp += sprintf(pbp, "disk( %s -> %s ) ",
drbd_disk_str(os.disk),
Reported by FlawFinder.
Line: 763
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
drbd_conn_str(os.conn),
drbd_conn_str(ns.conn));
if (ns.disk != os.disk && flags & CS_DC_DISK)
pbp += sprintf(pbp, "disk( %s -> %s ) ",
drbd_disk_str(os.disk),
drbd_disk_str(ns.disk));
if (ns.pdsk != os.pdsk && flags & CS_DC_PDSK)
pbp += sprintf(pbp, "pdsk( %s -> %s ) ",
drbd_disk_str(os.pdsk),
Reported by FlawFinder.
Line: 767
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
drbd_disk_str(os.disk),
drbd_disk_str(ns.disk));
if (ns.pdsk != os.pdsk && flags & CS_DC_PDSK)
pbp += sprintf(pbp, "pdsk( %s -> %s ) ",
drbd_disk_str(os.pdsk),
drbd_disk_str(ns.pdsk));
return pbp - pb;
}
Reported by FlawFinder.
Line: 777
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void drbd_pr_state_change(struct drbd_device *device, union drbd_state os, union drbd_state ns,
enum chg_state_flags flags)
{
char pb[300];
char *pbp = pb;
pbp += print_state_change(pbp, os, ns, flags ^ CS_DC_MASK);
if (ns.aftr_isp != os.aftr_isp)
Reported by FlawFinder.
Line: 783
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
pbp += print_state_change(pbp, os, ns, flags ^ CS_DC_MASK);
if (ns.aftr_isp != os.aftr_isp)
pbp += sprintf(pbp, "aftr_isp( %d -> %d ) ",
os.aftr_isp,
ns.aftr_isp);
if (ns.peer_isp != os.peer_isp)
pbp += sprintf(pbp, "peer_isp( %d -> %d ) ",
os.peer_isp,
Reported by FlawFinder.
Line: 787
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
os.aftr_isp,
ns.aftr_isp);
if (ns.peer_isp != os.peer_isp)
pbp += sprintf(pbp, "peer_isp( %d -> %d ) ",
os.peer_isp,
ns.peer_isp);
if (ns.user_isp != os.user_isp)
pbp += sprintf(pbp, "user_isp( %d -> %d ) ",
os.user_isp,
Reported by FlawFinder.
Line: 791
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
os.peer_isp,
ns.peer_isp);
if (ns.user_isp != os.user_isp)
pbp += sprintf(pbp, "user_isp( %d -> %d ) ",
os.user_isp,
ns.user_isp);
if (pbp != pb)
drbd_info(device, "%s\n", pb);
Reported by FlawFinder.
Line: 802
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void conn_pr_state_change(struct drbd_connection *connection, union drbd_state os, union drbd_state ns,
enum chg_state_flags flags)
{
char pb[300];
char *pbp = pb;
pbp += print_state_change(pbp, os, ns, flags);
if (is_susp(ns) != is_susp(os) && flags & CS_DC_SUSP)
Reported by FlawFinder.