The following issues were found
drivers/cpufreq/longhaul.c
11 issues
Line: 88
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int longhaul_version;
static struct cpufreq_frequency_table *longhaul_table;
static char speedbuffer[8];
static char *print_speed(int speed)
{
if (speed < 1000) {
snprintf(speedbuffer, sizeof(speedbuffer), "%dMHz", speed);
Reported by FlawFinder.
Line: 772
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpu_model = CPU_SAMUEL;
cpuname = "C3 'Samuel' [C5A]";
longhaul_version = TYPE_LONGHAUL_V1;
memcpy(mults, samuel1_mults, sizeof(samuel1_mults));
memcpy(eblcr, samuel1_eblcr, sizeof(samuel1_eblcr));
break;
case 7:
switch (c->x86_stepping) {
Reported by FlawFinder.
Line: 773
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpuname = "C3 'Samuel' [C5A]";
longhaul_version = TYPE_LONGHAUL_V1;
memcpy(mults, samuel1_mults, sizeof(samuel1_mults));
memcpy(eblcr, samuel1_eblcr, sizeof(samuel1_eblcr));
break;
case 7:
switch (c->x86_stepping) {
case 0:
Reported by FlawFinder.
Line: 784
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpuname = "C3 'Samuel 2' [C5B]";
/* Note, this is not a typo, early Samuel2's had
* Samuel1 ratios. */
memcpy(mults, samuel1_mults, sizeof(samuel1_mults));
memcpy(eblcr, samuel2_eblcr, sizeof(samuel2_eblcr));
break;
case 1 ... 15:
longhaul_version = TYPE_LONGHAUL_V2;
if (c->x86_stepping < 8) {
Reported by FlawFinder.
Line: 785
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Note, this is not a typo, early Samuel2's had
* Samuel1 ratios. */
memcpy(mults, samuel1_mults, sizeof(samuel1_mults));
memcpy(eblcr, samuel2_eblcr, sizeof(samuel2_eblcr));
break;
case 1 ... 15:
longhaul_version = TYPE_LONGHAUL_V2;
if (c->x86_stepping < 8) {
cpu_model = CPU_SAMUEL2;
Reported by FlawFinder.
Line: 796
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpu_model = CPU_EZRA;
cpuname = "C3 'Ezra' [C5C]";
}
memcpy(mults, ezra_mults, sizeof(ezra_mults));
memcpy(eblcr, ezra_eblcr, sizeof(ezra_eblcr));
break;
}
break;
Reported by FlawFinder.
Line: 797
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpuname = "C3 'Ezra' [C5C]";
}
memcpy(mults, ezra_mults, sizeof(ezra_mults));
memcpy(eblcr, ezra_eblcr, sizeof(ezra_eblcr));
break;
}
break;
case 8:
Reported by FlawFinder.
Line: 807
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpuname = "C3 'Ezra-T' [C5M]";
longhaul_version = TYPE_POWERSAVER;
numscales = 32;
memcpy(mults, ezrat_mults, sizeof(ezrat_mults));
memcpy(eblcr, ezrat_eblcr, sizeof(ezrat_eblcr));
break;
case 9:
longhaul_version = TYPE_POWERSAVER;
Reported by FlawFinder.
Line: 808
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
longhaul_version = TYPE_POWERSAVER;
numscales = 32;
memcpy(mults, ezrat_mults, sizeof(ezrat_mults));
memcpy(eblcr, ezrat_eblcr, sizeof(ezrat_eblcr));
break;
case 9:
longhaul_version = TYPE_POWERSAVER;
numscales = 32;
Reported by FlawFinder.
Line: 814
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case 9:
longhaul_version = TYPE_POWERSAVER;
numscales = 32;
memcpy(mults, nehemiah_mults, sizeof(nehemiah_mults));
memcpy(eblcr, nehemiah_eblcr, sizeof(nehemiah_eblcr));
switch (c->x86_stepping) {
case 0 ... 1:
cpu_model = CPU_NEHEMIAH;
cpuname = "C3 'Nehemiah A' [C5XLOE]";
Reported by FlawFinder.
drivers/crypto/hifn_795x.c
11 issues
Line: 27
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <crypto/internal/des.h>
#include <crypto/internal/skcipher.h>
static char hifn_pll_ref[sizeof("extNNN")] = "ext";
module_param_string(hifn_pll_ref, hifn_pll_ref, sizeof(hifn_pll_ref), 0444);
MODULE_PARM_DESC(hifn_pll_ref,
"PLL reference clock (pci[freq] or ext[freq], default ext)");
static atomic_t hifn_dev_number;
Reported by FlawFinder.
Line: 401
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define HIFN_DEFAULT_ACTIVE_NUM 5
struct hifn_device {
char name[HIFN_NAMESIZE];
int irq;
struct pci_dev *pdev;
void __iomem *bar[3];
Reported by FlawFinder.
Line: 733
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct pci2id {
u_short pci_vendor;
u_short pci_prod;
char card_id[13];
} pci2id[] = {
{
PCI_VENDOR_ID_HIFN,
PCI_DEVICE_ID_HIFN_7955,
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Reported by FlawFinder.
Line: 1099
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (keylen) {
memcpy(buf_pos, key, keylen);
buf_pos += keylen;
}
if (ivsize) {
memcpy(buf_pos, iv, ivsize);
buf_pos += ivsize;
Reported by FlawFinder.
Line: 1103
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf_pos += keylen;
}
if (ivsize) {
memcpy(buf_pos, iv, ivsize);
buf_pos += ivsize;
}
cmd_len = buf_pos - buf;
Reported by FlawFinder.
Line: 1630
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
copy = min3(srest, dst->length, size);
daddr = kmap_atomic(sg_page(dst));
memcpy(daddr + dst->offset + offset, saddr, copy);
kunmap_atomic(daddr);
nbytes -= copy;
size -= copy;
srest -= copy;
Reported by FlawFinder.
Line: 1955
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->flags &= ~HIFN_FLAG_OLD_KEY;
memcpy(ctx->key, key, len);
ctx->keysize = len;
return 0;
}
Reported by FlawFinder.
Line: 1974
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->flags &= ~HIFN_FLAG_OLD_KEY;
memcpy(ctx->key, key, len);
ctx->keysize = len;
return 0;
}
Reported by FlawFinder.
Line: 2229
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
struct hifn_alg_template {
char name[CRYPTO_MAX_ALG_NAME];
char drv_name[CRYPTO_MAX_ALG_NAME];
unsigned int bsize;
struct skcipher_alg skcipher;
};
Reported by FlawFinder.
Line: 2230
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hifn_alg_template {
char name[CRYPTO_MAX_ALG_NAME];
char drv_name[CRYPTO_MAX_ALG_NAME];
unsigned int bsize;
struct skcipher_alg skcipher;
};
static const struct hifn_alg_template hifn_alg_templates[] = {
Reported by FlawFinder.
drivers/crypto/qat/qat_common/qat_asym_algs.c
11 issues
Line: 403
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->p = dma_alloc_coherent(dev, ctx->p_size, &ctx->dma_p, GFP_KERNEL);
if (!ctx->p)
return -ENOMEM;
memcpy(ctx->p, params->p, ctx->p_size);
/* If g equals 2 don't copy it */
if (params->g_size == 1 && *(char *)params->g == 0x02) {
ctx->g2 = true;
return 0;
Reported by FlawFinder.
Line: 414
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->g = dma_alloc_coherent(dev, ctx->p_size, &ctx->dma_g, GFP_KERNEL);
if (!ctx->g)
return -ENOMEM;
memcpy(ctx->g + (ctx->p_size - params->g_size), params->g,
params->g_size);
return 0;
}
Reported by FlawFinder.
Line: 462
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = -ENOMEM;
goto err_clear_ctx;
}
memcpy(ctx->xa + (ctx->p_size - params.key_size), params.key,
params.key_size);
return 0;
err_clear_ctx:
Reported by FlawFinder.
Line: 946
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!ctx->n)
goto err;
memcpy(ctx->n, ptr, ctx->key_sz);
return 0;
err:
ctx->key_sz = 0;
ctx->n = NULL;
return ret;
Reported by FlawFinder.
Line: 975
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!ctx->e)
return -ENOMEM;
memcpy(ctx->e + (ctx->key_sz - vlen), ptr, vlen);
return 0;
}
static int qat_rsa_set_d(struct qat_rsa_ctx *ctx, const char *value,
size_t vlen)
Reported by FlawFinder.
Line: 1001
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!ctx->d)
goto err;
memcpy(ctx->d + (ctx->key_sz - vlen), ptr, vlen);
return 0;
err:
ctx->d = NULL;
return ret;
}
Reported by FlawFinder.
Line: 1033
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->p = dma_alloc_coherent(dev, half_key_sz, &ctx->dma_p, GFP_KERNEL);
if (!ctx->p)
goto err;
memcpy(ctx->p + (half_key_sz - len), ptr, len);
/* q */
ptr = rsa_key->q;
len = rsa_key->q_sz;
qat_rsa_drop_leading_zeros(&ptr, &len);
Reported by FlawFinder.
Line: 1044
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->q = dma_alloc_coherent(dev, half_key_sz, &ctx->dma_q, GFP_KERNEL);
if (!ctx->q)
goto free_p;
memcpy(ctx->q + (half_key_sz - len), ptr, len);
/* dp */
ptr = rsa_key->dp;
len = rsa_key->dp_sz;
qat_rsa_drop_leading_zeros(&ptr, &len);
Reported by FlawFinder.
Line: 1056
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
GFP_KERNEL);
if (!ctx->dp)
goto free_q;
memcpy(ctx->dp + (half_key_sz - len), ptr, len);
/* dq */
ptr = rsa_key->dq;
len = rsa_key->dq_sz;
qat_rsa_drop_leading_zeros(&ptr, &len);
Reported by FlawFinder.
Line: 1068
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
GFP_KERNEL);
if (!ctx->dq)
goto free_dp;
memcpy(ctx->dq + (half_key_sz - len), ptr, len);
/* qinv */
ptr = rsa_key->qinv;
len = rsa_key->qinv_sz;
qat_rsa_drop_leading_zeros(&ptr, &len);
Reported by FlawFinder.
drivers/crypto/qce/sha.c
11 issues
Line: 56
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dma_unmap_sg(qce->dev, req->src, rctx->src_nents, DMA_TO_DEVICE);
dma_unmap_sg(qce->dev, &rctx->result_sg, 1, DMA_FROM_DEVICE);
memcpy(rctx->digest, result->auth_iv, digestsize);
if (req->result && rctx->last_blk)
memcpy(req->result, result->auth_iv, digestsize);
rctx->byte_count[0] = cpu_to_be32(result->auth_byte_count[0]);
rctx->byte_count[1] = cpu_to_be32(result->auth_byte_count[1]);
Reported by FlawFinder.
Line: 58
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(rctx->digest, result->auth_iv, digestsize);
if (req->result && rctx->last_blk)
memcpy(req->result, result->auth_iv, digestsize);
rctx->byte_count[0] = cpu_to_be32(result->auth_byte_count[0]);
rctx->byte_count[1] = cpu_to_be32(result->auth_byte_count[1]);
error = qce_check_status(qce, &status);
Reported by FlawFinder.
Line: 151
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct qce_sha_reqctx *rctx = ahash_request_ctx(req);
struct qce_sha_saved_state *export_state = out;
memcpy(export_state->pending_buf, rctx->buf, rctx->buflen);
memcpy(export_state->partial_digest, rctx->digest, sizeof(rctx->digest));
export_state->byte_count[0] = rctx->byte_count[0];
export_state->byte_count[1] = rctx->byte_count[1];
export_state->pending_buflen = rctx->buflen;
export_state->count = rctx->count;
Reported by FlawFinder.
Line: 152
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct qce_sha_saved_state *export_state = out;
memcpy(export_state->pending_buf, rctx->buf, rctx->buflen);
memcpy(export_state->partial_digest, rctx->digest, sizeof(rctx->digest));
export_state->byte_count[0] = rctx->byte_count[0];
export_state->byte_count[1] = rctx->byte_count[1];
export_state->pending_buflen = rctx->buflen;
export_state->count = rctx->count;
export_state->first_blk = rctx->first_blk;
Reported by FlawFinder.
Line: 175
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rctx->flags = import_state->flags;
rctx->byte_count[0] = import_state->byte_count[0];
rctx->byte_count[1] = import_state->byte_count[1];
memcpy(rctx->buf, import_state->pending_buf, rctx->buflen);
memcpy(rctx->digest, import_state->partial_digest, sizeof(rctx->digest));
return 0;
}
Reported by FlawFinder.
Line: 215
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* data will be combined with current request bytes.
*/
if (rctx->buflen)
memcpy(rctx->tmpbuf, rctx->buf, rctx->buflen);
/* calculate how many bytes will be hashed later */
hash_later = total % blocksize;
/*
Reported by FlawFinder.
Line: 282
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!rctx->buflen) {
if (tmpl->hash_zero)
memcpy(req->result, tmpl->hash_zero,
tmpl->alg.ahash.halg.digestsize);
return 0;
}
rctx->last_blk = true;
Reported by FlawFinder.
Line: 292
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rctx->src_orig = req->src;
rctx->nbytes_orig = req->nbytes;
memcpy(rctx->tmpbuf, rctx->buf, rctx->buflen);
sg_init_one(rctx->sg, rctx->tmpbuf, rctx->buflen);
req->src = rctx->sg;
req->nbytes = rctx->buflen;
Reported by FlawFinder.
Line: 319
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!rctx->nbytes_orig) {
if (tmpl->hash_zero)
memcpy(req->result, tmpl->hash_zero,
tmpl->alg.ahash.halg.digestsize);
return 0;
}
return qce->async_req_enqueue(tmpl->qce, &req->base);
Reported by FlawFinder.
Line: 345
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(ctx->authkey, 0, sizeof(ctx->authkey));
if (keylen <= blocksize) {
memcpy(ctx->authkey, key, keylen);
return 0;
}
if (digestsize == SHA1_DIGEST_SIZE)
alg_name = "sha1-qce";
Reported by FlawFinder.
drivers/edac/i7core_edac.c
11 issues
Line: 708
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct mem_ctl_info *mci = to_mci(dev);
struct i7core_pvt *pvt = mci->pvt_info;
return sprintf(data, "0x%08x\n", pvt->inject.section);
}
/*
* i7core inject.type
*
Reported by FlawFinder.
Line: 746
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct mem_ctl_info *mci = to_mci(dev);
struct i7core_pvt *pvt = mci->pvt_info;
return sprintf(data, "0x%08x\n", pvt->inject.type);
}
/*
* i7core_inject_inject.eccmask_store
*
Reported by FlawFinder.
Line: 786
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct mem_ctl_info *mci = to_mci(dev);
struct i7core_pvt *pvt = mci->pvt_info;
return sprintf(data, "0x%08x\n", pvt->inject.eccmask);
}
/*
* i7core_addrmatch
*
Reported by FlawFinder.
Line: 841
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
pvt = mci->pvt_info; \
edac_dbg(1, "pvt=%p\n", pvt); \
if (pvt->inject.param < 0) \
return sprintf(data, "any\n"); \
else \
return sprintf(data, "%d\n", pvt->inject.param);\
}
#define ATTR_ADDR_MATCH(param) \
Reported by FlawFinder.
Line: 843
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (pvt->inject.param < 0) \
return sprintf(data, "any\n"); \
else \
return sprintf(data, "%d\n", pvt->inject.param);\
}
#define ATTR_ADDR_MATCH(param) \
static DEVICE_ATTR(param, S_IRUGO | S_IWUSR, \
i7core_inject_show_##param, \
Reported by FlawFinder.
Line: 1033
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (injectmask & 0x0c)
pvt->inject.enable = 1;
return sprintf(data, "%d\n", pvt->inject.enable);
}
#define DECLARE_COUNTER(param) \
static ssize_t i7core_show_counter_##param( \
struct device *dev, \
Reported by FlawFinder.
Line: 1047
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
\
edac_dbg(1, "\n"); \
if (!pvt->ce_count_available || (pvt->is_registered)) \
return sprintf(data, "data unavailable\n"); \
return sprintf(data, "%lu\n", \
pvt->udimm_ce_count[param]); \
}
#define ATTR_COUNTER(param) \
Reported by FlawFinder.
Line: 1048
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
edac_dbg(1, "\n"); \
if (!pvt->ce_count_available || (pvt->is_registered)) \
return sprintf(data, "data unavailable\n"); \
return sprintf(data, "%lu\n", \
pvt->udimm_ce_count[param]); \
}
#define ATTR_COUNTER(param) \
static DEVICE_ATTR(udimm##param, S_IRUGO | S_IWUSR, \
Reported by FlawFinder.
Line: 867
Column: 6
CWE codes:
120
20
static int write_and_test(struct pci_dev *dev, const int where, const u32 val)
{
u32 read;
int count;
edac_dbg(0, "setting pci %02x:%02x.%x reg=%02x value=%08x\n",
dev->bus->number, PCI_SLOT(dev->devfn), PCI_FUNC(dev->devfn),
where, val);
Reported by FlawFinder.
drivers/firmware/qemu_fw_cfg.c
11 issues
Line: 418
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t fw_cfg_sysfs_show_name(struct fw_cfg_sysfs_entry *e, char *buf)
{
return sprintf(buf, "%s\n", e->name);
}
static FW_CFG_SYSFS_ATTR(size);
static FW_CFG_SYSFS_ATTR(key);
static FW_CFG_SYSFS_ATTR(name);
Reported by FlawFinder.
Line: 822
Column: 14
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
size = memparse(arg, &str);
/* get "@<base>[:<ctrl_off>:<data_off>[:<dma_off>]]" chunks */
processed = sscanf(str, PH_ADDR_SCAN_FMT,
&base, &consumed,
&ctrl_off, &data_off, &consumed,
&dma_off, &consumed);
/* sscanf() must process precisely 1, 3 or 4 chunks:
Reported by FlawFinder.
Line: 879
Column: 10
CWE codes:
134
Suggestion:
Use a constant for the format specification
switch (fw_cfg_cmdline_dev->num_resources) {
case 1:
return snprintf(buf, PAGE_SIZE, PH_ADDR_PR_1_FMT,
resource_size(&fw_cfg_cmdline_dev->resource[0]),
fw_cfg_cmdline_dev->resource[0].start);
case 3:
return snprintf(buf, PAGE_SIZE, PH_ADDR_PR_3_FMT,
resource_size(&fw_cfg_cmdline_dev->resource[0]),
Reported by FlawFinder.
Line: 883
Column: 10
CWE codes:
134
Suggestion:
Use a constant for the format specification
resource_size(&fw_cfg_cmdline_dev->resource[0]),
fw_cfg_cmdline_dev->resource[0].start);
case 3:
return snprintf(buf, PAGE_SIZE, PH_ADDR_PR_3_FMT,
resource_size(&fw_cfg_cmdline_dev->resource[0]),
fw_cfg_cmdline_dev->resource[0].start,
fw_cfg_cmdline_dev->resource[1].start,
fw_cfg_cmdline_dev->resource[2].start);
case 4:
Reported by FlawFinder.
Line: 889
Column: 10
CWE codes:
134
Suggestion:
Use a constant for the format specification
fw_cfg_cmdline_dev->resource[1].start,
fw_cfg_cmdline_dev->resource[2].start);
case 4:
return snprintf(buf, PAGE_SIZE, PH_ADDR_PR_4_FMT,
resource_size(&fw_cfg_cmdline_dev->resource[0]),
fw_cfg_cmdline_dev->resource[0].start,
fw_cfg_cmdline_dev->resource[1].start,
fw_cfg_cmdline_dev->resource[2].start,
fw_cfg_cmdline_dev->resource[3].start);
Reported by FlawFinder.
Line: 236
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* initialize fw_cfg device i/o from platform data */
static int fw_cfg_do_platform_probe(struct platform_device *pdev)
{
char sig[FW_CFG_SIG_SIZE];
struct resource *range, *ctrl, *data, *dma;
/* acquire i/o range details */
fw_cfg_is_mmio = false;
range = platform_get_resource(pdev, IORESOURCE_IO, 0);
Reported by FlawFinder.
Line: 305
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t fw_cfg_showrev(struct kobject *k, struct kobj_attribute *a,
char *buf)
{
return sprintf(buf, "%u\n", fw_cfg_rev);
}
static const struct kobj_attribute fw_cfg_rev_attr = {
.attr = { .name = "rev", .mode = S_IRUSR },
.show = fw_cfg_showrev,
Reported by FlawFinder.
Line: 318
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct kobject kobj;
u32 size;
u16 select;
char name[FW_CFG_MAX_FILE_PATH];
struct list_head list;
};
#ifdef CONFIG_CRASH_CORE
static ssize_t fw_cfg_write_vmcoreinfo(const struct fw_cfg_file *f)
Reported by FlawFinder.
Line: 408
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t fw_cfg_sysfs_show_size(struct fw_cfg_sysfs_entry *e, char *buf)
{
return sprintf(buf, "%u\n", e->size);
}
static ssize_t fw_cfg_sysfs_show_key(struct fw_cfg_sysfs_entry *e, char *buf)
{
return sprintf(buf, "%u\n", e->select);
Reported by FlawFinder.
Line: 413
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t fw_cfg_sysfs_show_key(struct fw_cfg_sysfs_entry *e, char *buf)
{
return sprintf(buf, "%u\n", e->select);
}
static ssize_t fw_cfg_sysfs_show_name(struct fw_cfg_sysfs_entry *e, char *buf)
{
return sprintf(buf, "%s\n", e->name);
Reported by FlawFinder.
drivers/crypto/qce/aead.c
11 issues
Line: 37
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int error;
u32 status;
unsigned int totallen;
unsigned char tag[SHA256_DIGEST_SIZE] = {0};
int ret = 0;
diff_dst = (req->src != req->dst) ? true : false;
dir_src = diff_dst ? DMA_TO_DEVICE : DMA_BIDIRECTIONAL;
dir_dst = diff_dst ? DMA_FROM_DEVICE : DMA_BIDIRECTIONAL;
Reported by FlawFinder.
Line: 394
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (msglen_size > 4)
msglen_size = 4;
memcpy(&msg_len[0], &rctx->cryptlen, 4);
memcpy(&rctx->ccm_nonce[0], rctx->iv, rctx->ivsize);
if (rctx->assoclen)
rctx->ccm_nonce[0] |= 1 << CCM_NONCE_ADATA_SHIFT;
rctx->ccm_nonce[0] |= ((ctx->authsize - 2) / 2) <<
Reported by FlawFinder.
Line: 396
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&msg_len[0], &rctx->cryptlen, 4);
memcpy(&rctx->ccm_nonce[0], rctx->iv, rctx->ivsize);
if (rctx->assoclen)
rctx->ccm_nonce[0] |= 1 << CCM_NONCE_ADATA_SHIFT;
rctx->ccm_nonce[0] |= ((ctx->authsize - 2) / 2) <<
CCM_NONCE_AUTHSIZE_SHIFT;
for (i = 0; i < msglen_size; i++)
Reported by FlawFinder.
Line: 423
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (IS_CCM_RFC4309(rctx->flags)) {
memset(rctx->ccm_rfc4309_iv, 0, QCE_MAX_IV_SIZE);
rctx->ccm_rfc4309_iv[0] = 3;
memcpy(&rctx->ccm_rfc4309_iv[1], ctx->ccm4309_salt, QCE_CCM4309_SALT_SIZE);
memcpy(&rctx->ccm_rfc4309_iv[4], req->iv, 8);
rctx->iv = rctx->ccm_rfc4309_iv;
rctx->ivsize = AES_BLOCK_SIZE;
} else {
rctx->iv = req->iv;
Reported by FlawFinder.
Line: 424
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(rctx->ccm_rfc4309_iv, 0, QCE_MAX_IV_SIZE);
rctx->ccm_rfc4309_iv[0] = 3;
memcpy(&rctx->ccm_rfc4309_iv[1], ctx->ccm4309_salt, QCE_CCM4309_SALT_SIZE);
memcpy(&rctx->ccm_rfc4309_iv[4], req->iv, 8);
rctx->iv = rctx->ccm_rfc4309_iv;
rctx->ivsize = AES_BLOCK_SIZE;
} else {
rctx->iv = req->iv;
rctx->ivsize = crypto_aead_ivsize(tfm);
Reported by FlawFinder.
Line: 575
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (keylen < QCE_CCM4309_SALT_SIZE)
return -EINVAL;
keylen -= QCE_CCM4309_SALT_SIZE;
memcpy(ctx->ccm4309_salt, key + keylen, QCE_CCM4309_SALT_SIZE);
}
if (keylen != AES_KEYSIZE_128 && keylen != AES_KEYSIZE_256 && keylen != AES_KEYSIZE_192)
return -EINVAL;
Reported by FlawFinder.
Line: 584
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->enc_keylen = keylen;
ctx->auth_keylen = keylen;
memcpy(ctx->enc_key, key, keylen);
memcpy(ctx->auth_key, key, keylen);
if (keylen == AES_KEYSIZE_192)
ctx->need_fallback = true;
Reported by FlawFinder.
Line: 585
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->auth_keylen = keylen;
memcpy(ctx->enc_key, key, keylen);
memcpy(ctx->auth_key, key, keylen);
if (keylen == AES_KEYSIZE_192)
ctx->need_fallback = true;
return IS_CCM_RFC4309(flags) ?
Reported by FlawFinder.
Line: 625
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* verify_skcipher_des3_key does not check for all the
* below conditions. Schedule fallback in this case.
*/
memcpy(_key, authenc_keys.enckey, DES3_EDE_KEY_SIZE);
if (!((_key[0] ^ _key[2]) | (_key[1] ^ _key[3])) ||
!((_key[2] ^ _key[4]) | (_key[3] ^ _key[5])) ||
!((_key[0] ^ _key[4]) | (_key[1] ^ _key[5])))
ctx->need_fallback = true;
} else if (IS_AES(flags)) {
Reported by FlawFinder.
Line: 643
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->enc_keylen = authenc_keys.enckeylen;
ctx->auth_keylen = authenc_keys.authkeylen;
memcpy(ctx->enc_key, authenc_keys.enckey, authenc_keys.enckeylen);
memset(ctx->auth_key, 0, sizeof(ctx->auth_key));
memcpy(ctx->auth_key, authenc_keys.authkey, authenc_keys.authkeylen);
return crypto_aead_setkey(ctx->fallback, key, keylen);
Reported by FlawFinder.
drivers/atm/eni.c
11 issues
Line: 2091
Column: 10
CWE codes:
134
Suggestion:
Make format string constant
left = *pos;
if (!left)
return sprintf(page,DEV_LABEL "(itf %d) signal %s, %dkB, "
"%d cps remaining\n",dev->number,signal[(int) dev->signal],
eni_dev->mem >> 10,eni_dev->tx_bw);
if (!--left)
return sprintf(page,"%4sBursts: TX"
#if !defined(CONFIG_ATM_ENI_BURST_TX_16W) && \
Reported by FlawFinder.
Line: 2095
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
"%d cps remaining\n",dev->number,signal[(int) dev->signal],
eni_dev->mem >> 10,eni_dev->tx_bw);
if (!--left)
return sprintf(page,"%4sBursts: TX"
#if !defined(CONFIG_ATM_ENI_BURST_TX_16W) && \
!defined(CONFIG_ATM_ENI_BURST_TX_8W) && \
!defined(CONFIG_ATM_ENI_BURST_TX_4W) && \
!defined(CONFIG_ATM_ENI_BURST_TX_2W)
" none"
Reported by FlawFinder.
Line: 2138
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
#endif
"\n","");
if (!--left)
return sprintf(page,"%4sBuffer multipliers: tx %d%%, rx %d%%\n",
"",eni_dev->tx_mult,eni_dev->rx_mult);
for (i = 0; i < NR_CHAN; i++) {
struct eni_tx *tx = eni_dev->tx+i;
if (!tx->send) continue;
Reported by FlawFinder.
Line: 2145
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!tx->send) continue;
if (!--left) {
return sprintf(page, "tx[%d]: 0x%lx-0x%lx "
"(%6ld bytes), rsv %d cps, shp %d cps%s\n",i,
(unsigned long) (tx->send - eni_dev->ram),
tx->send-eni_dev->ram+tx->words*4-1,tx->words*4,
tx->reserved,tx->shaping,
tx == eni_dev->ubr ? " (UBR)" : "");
Reported by FlawFinder.
Line: 2153
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
tx == eni_dev->ubr ? " (UBR)" : "");
}
if (--left) continue;
return sprintf(page,"%10sbacklog %u packets\n","",
skb_queue_len(&tx->backlog));
}
read_lock(&vcc_sklist_lock);
for(i = 0; i < VCC_HTABLE_SIZE; ++i) {
struct hlist_head *head = &vcc_hash[i];
Reported by FlawFinder.
Line: 103
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define EV 64
static const char *ev[EV];
static unsigned long ev_a[EV],ev_b[EV];
static int ec = 0;
static void EVENT(const char *s,unsigned long a,unsigned long b)
Reported by FlawFinder.
Line: 2169
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
continue;
eni_vcc = ENI_VCC(vcc);
if (--left) continue;
length = sprintf(page,"vcc %4d: ",vcc->vci);
if (eni_vcc->rx) {
length += sprintf(page+length, "0x%lx-0x%lx "
"(%6ld bytes)",
(unsigned long) (eni_vcc->recv - eni_dev->ram),
eni_vcc->recv-eni_dev->ram+eni_vcc->words*4-1,
Reported by FlawFinder.
Line: 2171
Column: 15
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (--left) continue;
length = sprintf(page,"vcc %4d: ",vcc->vci);
if (eni_vcc->rx) {
length += sprintf(page+length, "0x%lx-0x%lx "
"(%6ld bytes)",
(unsigned long) (eni_vcc->recv - eni_dev->ram),
eni_vcc->recv-eni_dev->ram+eni_vcc->words*4-1,
eni_vcc->words*4);
if (eni_vcc->tx) length += sprintf(page+length,", ");
Reported by FlawFinder.
Line: 2176
Column: 32
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
(unsigned long) (eni_vcc->recv - eni_dev->ram),
eni_vcc->recv-eni_dev->ram+eni_vcc->words*4-1,
eni_vcc->words*4);
if (eni_vcc->tx) length += sprintf(page+length,", ");
}
if (eni_vcc->tx)
length += sprintf(page+length,"tx[%d], txing %d bytes",
eni_vcc->tx->index,eni_vcc->txing);
page[length] = '\n';
Reported by FlawFinder.
Line: 2179
Column: 15
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (eni_vcc->tx) length += sprintf(page+length,", ");
}
if (eni_vcc->tx)
length += sprintf(page+length,"tx[%d], txing %d bytes",
eni_vcc->tx->index,eni_vcc->txing);
page[length] = '\n';
read_unlock(&vcc_sklist_lock);
return length+1;
}
Reported by FlawFinder.
drivers/char/ipmi/ipmi_ssif.c
11 issues
Line: 251
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int rtc_us_timer;
/* Used for sending/receiving data. +1 for the length. */
unsigned char data[IPMI_MAX_MSG_LENGTH + 1];
unsigned int data_len;
/* Temp receive buffer, gets copied into data. */
unsigned char recv[I2C_SMBUS_BLOCK_MAX];
Reported by FlawFinder.
Line: 255
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int data_len;
/* Temp receive buffer, gets copied into data. */
unsigned char recv[I2C_SMBUS_BLOCK_MAX];
struct i2c_client *client;
ssif_i2c_done done_handler;
/* Thread interface handling */
Reported by FlawFinder.
Line: 357
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static void start_clear_flags(struct ssif_info *ssif_info, unsigned long *flags)
{
unsigned char msg[3];
ssif_info->msg_flags &= ~WDT_PRE_TIMEOUT_INT;
ssif_info->ssif_state = SSIF_CLEARING_FLAGS;
ipmi_ssif_unlock_cond(ssif_info, flags);
Reported by FlawFinder.
Line: 376
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void start_flag_fetch(struct ssif_info *ssif_info, unsigned long *flags)
{
unsigned char mb[2];
ssif_info->req_flags = false;
ssif_info->ssif_state = SSIF_GETTING_FLAGS;
ipmi_ssif_unlock_cond(ssif_info, flags);
Reported by FlawFinder.
Line: 750
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (data) {
if (len > IPMI_MAX_MSG_LENGTH)
len = IPMI_MAX_MSG_LENGTH;
memcpy(msg->rsp, data, len);
} else {
len = 0;
}
msg->rsp_size = len;
ssif_info->curr_msg = NULL;
Reported by FlawFinder.
Line: 1014
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -E2BIG;
ssif_info->retries_left = SSIF_SEND_RETRIES;
memcpy(ssif_info->data + 1, data, len);
ssif_info->data_len = len;
return start_resend(ssif_info);
}
/* Must be called with the message lock held. */
Reported by FlawFinder.
Line: 1146
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
module_param_array(addr, ushort, &num_addrs, 0);
MODULE_PARM_DESC(addr, "The addresses to scan for IPMI BMCs on the SSIFs.");
static char *adapter_name[MAX_SSIF_BMCS];
static int num_adapter_names;
module_param_array(adapter_name, charp, &num_adapter_names, 0);
MODULE_PARM_DESC(adapter_name, "The string name of the I2C device that has the BMC. By default all devices are scanned.");
static int slave_addrs[MAX_SSIF_BMCS];
Reported by FlawFinder.
Line: 1342
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ssif_detect(struct i2c_client *client, struct i2c_board_info *info)
{
unsigned char *resp;
unsigned char msg[3];
int rv;
int len;
resp = kmalloc(IPMI_MAX_MSG_LENGTH, GFP_KERNEL);
if (!resp)
Reported by FlawFinder.
Line: 1482
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ssif_info *ssif_info,
unsigned char *resp)
{
unsigned char msg[65];
int ret;
bool do_middle;
if (ssif_info->max_xmit_msg_size <= 32)
return;
Reported by FlawFinder.
Line: 1624
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ssif_probe(struct i2c_client *client, const struct i2c_device_id *id)
{
unsigned char msg[3];
unsigned char *resp;
struct ssif_info *ssif_info;
int rv = 0;
int len;
int i;
Reported by FlawFinder.
drivers/block/drbd/drbd_state.c
11 issues
Line: 751
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
*pbp = 0;
if (ns.role != os.role && flags & CS_DC_ROLE)
pbp += sprintf(pbp, "role( %s -> %s ) ",
drbd_role_str(os.role),
drbd_role_str(ns.role));
if (ns.peer != os.peer && flags & CS_DC_PEER)
pbp += sprintf(pbp, "peer( %s -> %s ) ",
drbd_role_str(os.peer),
Reported by FlawFinder.
Line: 755
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
drbd_role_str(os.role),
drbd_role_str(ns.role));
if (ns.peer != os.peer && flags & CS_DC_PEER)
pbp += sprintf(pbp, "peer( %s -> %s ) ",
drbd_role_str(os.peer),
drbd_role_str(ns.peer));
if (ns.conn != os.conn && flags & CS_DC_CONN)
pbp += sprintf(pbp, "conn( %s -> %s ) ",
drbd_conn_str(os.conn),
Reported by FlawFinder.
Line: 759
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
drbd_role_str(os.peer),
drbd_role_str(ns.peer));
if (ns.conn != os.conn && flags & CS_DC_CONN)
pbp += sprintf(pbp, "conn( %s -> %s ) ",
drbd_conn_str(os.conn),
drbd_conn_str(ns.conn));
if (ns.disk != os.disk && flags & CS_DC_DISK)
pbp += sprintf(pbp, "disk( %s -> %s ) ",
drbd_disk_str(os.disk),
Reported by FlawFinder.
Line: 763
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
drbd_conn_str(os.conn),
drbd_conn_str(ns.conn));
if (ns.disk != os.disk && flags & CS_DC_DISK)
pbp += sprintf(pbp, "disk( %s -> %s ) ",
drbd_disk_str(os.disk),
drbd_disk_str(ns.disk));
if (ns.pdsk != os.pdsk && flags & CS_DC_PDSK)
pbp += sprintf(pbp, "pdsk( %s -> %s ) ",
drbd_disk_str(os.pdsk),
Reported by FlawFinder.
Line: 767
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
drbd_disk_str(os.disk),
drbd_disk_str(ns.disk));
if (ns.pdsk != os.pdsk && flags & CS_DC_PDSK)
pbp += sprintf(pbp, "pdsk( %s -> %s ) ",
drbd_disk_str(os.pdsk),
drbd_disk_str(ns.pdsk));
return pbp - pb;
}
Reported by FlawFinder.
Line: 777
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void drbd_pr_state_change(struct drbd_device *device, union drbd_state os, union drbd_state ns,
enum chg_state_flags flags)
{
char pb[300];
char *pbp = pb;
pbp += print_state_change(pbp, os, ns, flags ^ CS_DC_MASK);
if (ns.aftr_isp != os.aftr_isp)
Reported by FlawFinder.
Line: 783
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
pbp += print_state_change(pbp, os, ns, flags ^ CS_DC_MASK);
if (ns.aftr_isp != os.aftr_isp)
pbp += sprintf(pbp, "aftr_isp( %d -> %d ) ",
os.aftr_isp,
ns.aftr_isp);
if (ns.peer_isp != os.peer_isp)
pbp += sprintf(pbp, "peer_isp( %d -> %d ) ",
os.peer_isp,
Reported by FlawFinder.
Line: 787
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
os.aftr_isp,
ns.aftr_isp);
if (ns.peer_isp != os.peer_isp)
pbp += sprintf(pbp, "peer_isp( %d -> %d ) ",
os.peer_isp,
ns.peer_isp);
if (ns.user_isp != os.user_isp)
pbp += sprintf(pbp, "user_isp( %d -> %d ) ",
os.user_isp,
Reported by FlawFinder.
Line: 791
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
os.peer_isp,
ns.peer_isp);
if (ns.user_isp != os.user_isp)
pbp += sprintf(pbp, "user_isp( %d -> %d ) ",
os.user_isp,
ns.user_isp);
if (pbp != pb)
drbd_info(device, "%s\n", pb);
Reported by FlawFinder.
Line: 802
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void conn_pr_state_change(struct drbd_connection *connection, union drbd_state os, union drbd_state ns,
enum chg_state_flags flags)
{
char pb[300];
char *pbp = pb;
pbp += print_state_change(pbp, os, ns, flags);
if (is_susp(ns) != is_susp(os) && flags & CS_DC_SUSP)
Reported by FlawFinder.