The following issues were found
security/keys/keyctl.c
10 issues
Line: 29
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define KEY_MAX_DESC_SIZE 4096
static const unsigned char keyrings_capabilities[2] = {
[0] = (KEYCTL_CAPS0_CAPABILITIES |
(IS_ENABLED(CONFIG_PERSISTENT_KEYRINGS) ? KEYCTL_CAPS0_PERSISTENT_KEYRINGS : 0) |
(IS_ENABLED(CONFIG_KEY_DH_OPERATIONS) ? KEYCTL_CAPS0_DIFFIE_HELLMAN : 0) |
(IS_ENABLED(CONFIG_ASYMMETRIC_KEY_TYPE) ? KEYCTL_CAPS0_PUBLIC_KEY : 0) |
(IS_ENABLED(CONFIG_BIG_KEYS) ? KEYCTL_CAPS0_BIG_KEY : 0) |
Reported by FlawFinder.
Line: 81
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
key_serial_t, ringid)
{
key_ref_t keyring_ref, key_ref;
char type[32], *description;
void *payload;
long ret;
ret = -EINVAL;
if (plen > 1024 * 1024 - 1)
Reported by FlawFinder.
Line: 176
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct key *key;
key_ref_t dest_ref;
size_t callout_len;
char type[32], *description, *callout_info;
long ret;
/* pull the type into kernel space */
ret = key_get_type_from_user(type, _type, sizeof(type));
if (ret < 0)
Reported by FlawFinder.
Line: 723
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct key_type *ktype;
key_ref_t keyring_ref, key_ref, dest_ref;
char type[32], *description;
long ret;
/* pull the type and description into kernel space */
ret = key_get_type_from_user(type, _type, sizeof(type));
if (ret < 0)
Reported by FlawFinder.
Line: 1728
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char __user *_restriction)
{
key_ref_t key_ref;
char type[32];
char *restriction = NULL;
long ret;
key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR);
if (IS_ERR(key_ref))
Reported by FlawFinder.
Line: 200
Column: 17
CWE codes:
126
ret = PTR_ERR(callout_info);
goto error2;
}
callout_len = strlen(callout_info);
}
/* get the destination keyring if specified */
dest_ref = NULL;
if (destringid) {
Reported by FlawFinder.
Line: 676
Column: 12
CWE codes:
126
okay:
key = key_ref_to_ptr(key_ref);
desclen = strlen(key->description);
/* calculate how much information we're going to return */
ret = -ENOMEM;
infobuf = kasprintf(GFP_KERNEL,
"%s;%d;%d;%08x;",
Reported by FlawFinder.
Line: 688
Column: 12
CWE codes:
126
key->perm);
if (!infobuf)
goto error2;
infolen = strlen(infobuf);
ret = infolen + desclen + 1;
/* consider returning the data */
if (buffer && buflen >= ret) {
if (copy_to_user(buffer, infobuf, infolen) != 0 ||
Reported by FlawFinder.
Line: 864
Column: 18
CWE codes:
120
20
/* the key is probably readable - now try to read it */
can_read_key:
if (!key->type->read) {
ret = -EOPNOTSUPP;
goto key_put_out;
}
if (!buffer || !buflen) {
Reported by FlawFinder.
samples/vfio-mdev/mtty.c
10 issues
Line: 1245
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char *buf)
{
if (mdev_from_dev(dev))
return sprintf(buf, "This is MDEV %s\n", dev_name(dev));
return sprintf(buf, "\n");
}
static DEVICE_ATTR_RO(sample_mdev_dev);
Reported by FlawFinder.
Line: 1293
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t device_api_show(struct mdev_type *mtype,
struct mdev_type_attribute *attr, char *buf)
{
return sprintf(buf, "%s\n", VFIO_DEVICE_API_PCI_STRING);
}
static MDEV_TYPE_ATTR_RO(device_api);
static struct attribute *mdev_types_attrs[] = {
Reported by FlawFinder.
Line: 918
CWE codes:
476
}
if (flags & VFIO_IRQ_SET_DATA_EVENTFD) {
int fd = *(int *)data;
if (fd > 0) {
struct eventfd_ctx *evt;
evt = eventfd_ctx_fdget(fd);
Reported by Cppcheck.
Line: 918
CWE codes:
476
}
if (flags & VFIO_IRQ_SET_DATA_EVENTFD) {
int fd = *(int *)data;
if (fd > 0) {
struct eventfd_ctx *evt;
evt = eventfd_ctx_fdget(fd);
Reported by Cppcheck.
Line: 661
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dump_buffer(buf, count);
handle_pci_cfg_write(mdev_state, offset, buf, count);
} else {
memcpy(buf, (mdev_state->vconfig + offset), count);
dump_buffer(buf, count);
}
break;
Reported by FlawFinder.
Line: 1114
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return ret;
memcpy(&mdev_state->dev_info, &info, sizeof(info));
if (copy_to_user((void __user *)arg, &info, minsz))
return -EFAULT;
return 0;
Reported by FlawFinder.
Line: 1220
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sample_mtty_dev_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
return sprintf(buf, "This is phy device\n");
}
static DEVICE_ATTR_RO(sample_mtty_dev);
static struct attribute *mtty_dev_attrs[] = {
Reported by FlawFinder.
Line: 1270
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t name_show(struct mdev_type *mtype,
struct mdev_type_attribute *attr, char *buf)
{
static const char *name_str[2] = { "Single port serial",
"Dual port serial" };
return sysfs_emit(buf, "%s\n",
name_str[mtype_get_type_group_id(mtype)]);
}
Reported by FlawFinder.
Line: 1285
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
unsigned int ports = mtype_get_type_group_id(mtype) + 1;
return sprintf(buf, "%d\n", atomic_read(&mdev_avail_ports) / ports);
}
static MDEV_TYPE_ATTR_RO(available_instances);
static ssize_t device_api_show(struct mdev_type *mtype,
Reported by FlawFinder.
Line: 1247
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (mdev_from_dev(dev))
return sprintf(buf, "This is MDEV %s\n", dev_name(dev));
return sprintf(buf, "\n");
}
static DEVICE_ATTR_RO(sample_mdev_dev);
static struct attribute *mdev_dev_attrs[] = {
Reported by FlawFinder.
security/integrity/ima/ima_template.c
10 issues
Line: 222
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for (i = 0, template_fmt_ptr = template_fmt; i < template_num_fields;
i++, template_fmt_ptr += len + 1) {
char tmp_field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN + 1];
len = strchrnul(template_fmt_ptr, '|') - template_fmt_ptr;
if (len == 0 || len > IMA_TEMPLATE_FIELD_ID_MAX_LEN) {
pr_err("Invalid field with length %d\n", len);
return -EINVAL;
Reported by FlawFinder.
Line: 230
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
memcpy(tmp_field_id, template_fmt_ptr, len);
tmp_field_id[len] = '\0';
found_fields[i] = lookup_template_field(tmp_field_id);
if (!found_fields[i]) {
pr_err("field '%s' not found\n", tmp_field_id);
return -ENOENT;
Reported by FlawFinder.
Line: 389
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = -ENOMEM;
break;
}
memcpy((*entry)->template_data[i].data, data, field_data->len);
(*entry)->template_data_len += sizeof(field_data->len);
(*entry)->template_data_len += field_data->len;
}
if (ret < 0) {
Reported by FlawFinder.
Line: 405
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Restore the serialized binary measurement list without extending PCRs. */
int ima_restore_measurement_list(loff_t size, void *buf)
{
char template_name[MAX_TEMPLATE_NAME_LEN];
unsigned char zero[TPM_DIGEST_SIZE] = { 0 };
struct ima_kexec_hdr *khdr = buf;
struct ima_field_data hdr[HDR__LAST] = {
[HDR_PCR] = {.len = sizeof(u32)},
Reported by FlawFinder.
Line: 406
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ima_restore_measurement_list(loff_t size, void *buf)
{
char template_name[MAX_TEMPLATE_NAME_LEN];
unsigned char zero[TPM_DIGEST_SIZE] = { 0 };
struct ima_kexec_hdr *khdr = buf;
struct ima_field_data hdr[HDR__LAST] = {
[HDR_PCR] = {.len = sizeof(u32)},
[HDR_DIGEST] = {.len = TPM_DIGEST_SIZE},
Reported by FlawFinder.
Line: 467
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* template name is not null terminated */
memcpy(template_name, hdr[HDR_TEMPLATE_NAME].data,
hdr[HDR_TEMPLATE_NAME].len);
template_name[hdr[HDR_TEMPLATE_NAME].len] = 0;
if (strcmp(template_name, "ima") == 0) {
pr_err("attempting to restore an unsupported template \"%s\" failed\n",
Reported by FlawFinder.
Line: 102
Column: 21
CWE codes:
126
static int __init ima_template_setup(char *str)
{
struct ima_template_desc *template_desc;
int template_len = strlen(str);
if (ima_template)
return 1;
ima_init_template_list();
Reported by FlawFinder.
Line: 187
Column: 25
CWE codes:
126
static int template_fmt_size(const char *template_fmt)
{
char c;
int template_fmt_len = strlen(template_fmt);
int i = 0, j = 0;
while (i < template_fmt_len) {
c = template_fmt[i];
if (c == '|')
Reported by FlawFinder.
Line: 295
Column: 11
CWE codes:
126
&(template->num_fields));
if (result < 0) {
pr_err("template %s init failed, result: %d\n",
(strlen(template->name) ?
template->name : template->fmt), result);
return result;
}
template = ima_template_desc_buf();
Reported by FlawFinder.
Line: 311
Column: 11
CWE codes:
126
&(template->num_fields));
if (result < 0)
pr_err("template %s init failed, result: %d\n",
(strlen(template->name) ?
template->name : template->fmt), result);
return result;
}
Reported by FlawFinder.
sound/pci/maestro3.c
10 issues
Line: 1851
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
pcm->private_data = chip;
pcm->info_flags = 0;
strcpy(pcm->name, chip->card->driver);
chip->pcm = pcm;
snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV,
&chip->pci->dev, 64*1024, 64*1024);
Reported by FlawFinder.
Line: 2732
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
card->private_data = chip;
sprintf(card->shortname, "ESS %s PCI", card->driver);
sprintf(card->longname, "%s at 0x%lx, irq %d",
card->shortname, chip->iobase, chip->irq);
err = snd_card_register(card);
if (err < 0)
Reported by FlawFinder.
Line: 2733
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
card->private_data = chip;
sprintf(card->shortname, "ESS %s PCI", card->driver);
sprintf(card->longname, "%s at 0x%lx, irq %d",
card->shortname, chip->iobase, chip->irq);
err = snd_card_register(card);
if (err < 0)
goto free_card;
Reported by FlawFinder.
Line: 46
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_FIRMWARE("ess/maestro3_assp_minisrc.fw");
static int index[SNDRV_CARDS] = SNDRV_DEFAULT_IDX; /* Index 0-MAX */
static char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR; /* ID for this card */
static bool enable[SNDRV_CARDS] = SNDRV_DEFAULT_ENABLE_PNP; /* all enabled */
static bool external_amp[SNDRV_CARDS] = {[0 ... (SNDRV_CARDS - 1)] = 1};
static int amp_gpio[SNDRV_CARDS] = {[0 ... (SNDRV_CARDS - 1)] = -1};
module_param_array(index, int, NULL, 0444);
Reported by FlawFinder.
Line: 763
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_SND_MAESTRO3_INPUT
struct input_dev *input_dev;
char phys[64]; /* physical device path */
#else
struct snd_kcontrol *master_switch;
struct snd_kcontrol *master_volume;
#endif
struct work_struct hwvol_work;
Reported by FlawFinder.
Line: 2059
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
#ifndef CONFIG_SND_MAESTRO3_INPUT
memset(&elem_id, 0, sizeof(elem_id));
elem_id.iface = SNDRV_CTL_ELEM_IFACE_MIXER;
strcpy(elem_id.name, "Master Playback Switch");
chip->master_switch = snd_ctl_find_id(chip->card, &elem_id);
memset(&elem_id, 0, sizeof(elem_id));
elem_id.iface = SNDRV_CTL_ELEM_IFACE_MIXER;
strcpy(elem_id.name, "Master Playback Volume");
chip->master_volume = snd_ctl_find_id(chip->card, &elem_id);
Reported by FlawFinder.
Line: 2063
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
chip->master_switch = snd_ctl_find_id(chip->card, &elem_id);
memset(&elem_id, 0, sizeof(elem_id));
elem_id.iface = SNDRV_CTL_ELEM_IFACE_MIXER;
strcpy(elem_id.name, "Master Playback Volume");
chip->master_volume = snd_ctl_find_id(chip->card, &elem_id);
#endif
return 0;
}
Reported by FlawFinder.
Line: 2715
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
switch (pci->device) {
case PCI_DEVICE_ID_ESS_ALLEGRO:
case PCI_DEVICE_ID_ESS_ALLEGRO_1:
strcpy(card->driver, "Allegro");
break;
case PCI_DEVICE_ID_ESS_CANYON3D_2LE:
case PCI_DEVICE_ID_ESS_CANYON3D_2:
strcpy(card->driver, "Canyon3D-2");
break;
Reported by FlawFinder.
Line: 2719
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
break;
case PCI_DEVICE_ID_ESS_CANYON3D_2LE:
case PCI_DEVICE_ID_ESS_CANYON3D_2:
strcpy(card->driver, "Canyon3D-2");
break;
default:
strcpy(card->driver, "Maestro3");
break;
}
Reported by FlawFinder.
Line: 2722
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(card->driver, "Canyon3D-2");
break;
default:
strcpy(card->driver, "Maestro3");
break;
}
err = snd_m3_create(card, pci, external_amp[dev], amp_gpio[dev], &chip);
if (err < 0)
Reported by FlawFinder.
scripts/kconfig/mconf.c
10 issues
Line: 1017
Column: 9
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
conf_parse(av[1]);
conf_read(NULL);
mode = getenv("MENUCONFIG_MODE");
if (mode) {
if (!strcasecmp(mode, "single_menu"))
single_menu_mode = 1;
}
Reported by FlawFinder.
Line: 298
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void show_helptext(const char *title, const char *text);
static void show_help(struct menu *menu);
static char filename[PATH_MAX+1];
static void set_config_filename(const char *config_filename)
{
static char menu_backtitle[PATH_MAX+128];
snprintf(menu_backtitle, sizeof(menu_backtitle), "%s - %s",
Reported by FlawFinder.
Line: 301
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char filename[PATH_MAX+1];
static void set_config_filename(const char *config_filename)
{
static char menu_backtitle[PATH_MAX+128];
snprintf(menu_backtitle, sizeof(menu_backtitle), "%s - %s",
config_filename, rootmenu.prompt->text);
set_dialog_backtitle(menu_backtitle);
Reported by FlawFinder.
Line: 369
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
list_for_each_entry(pos, data->head, entries) {
if (pos->offset >= start && pos->offset < end) {
char header[4];
if (k < JUMP_NB) {
int key = '0' + (pos->index % JUMP_NB) + 1;
sprintf(header, "(%c)", key);
Reported by FlawFinder.
Line: 374
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (k < JUMP_NB) {
int key = '0' + (pos->index % JUMP_NB) + 1;
sprintf(header, "(%c)", key);
data->keys[k] = key;
data->targets[k] = pos->target;
k++;
} else {
sprintf(header, " ");
Reported by FlawFinder.
Line: 379
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
data->targets[k] = pos->target;
k++;
} else {
sprintf(header, " ");
}
memcpy(buf + pos->offset, header, sizeof(header) - 1);
}
}
Reported by FlawFinder.
Line: 382
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sprintf(header, " ");
}
memcpy(buf + pos->offset, header, sizeof(header) - 1);
}
}
data->keys[k] = 0;
}
Reported by FlawFinder.
Line: 421
Column: 48
CWE codes:
126
/* strip the prefix if necessary */
dialog_input = dialog_input_result;
if (strncasecmp(dialog_input_result, CONFIG_, strlen(CONFIG_)) == 0)
dialog_input += strlen(CONFIG_);
sttext = str_new();
str_printf(&sttext, "Search (%s)", dialog_input_result);
stpart.text = str_get(&sttext);
Reported by FlawFinder.
Line: 422
Column: 19
CWE codes:
126
/* strip the prefix if necessary */
dialog_input = dialog_input_result;
if (strncasecmp(dialog_input_result, CONFIG_, strlen(CONFIG_)) == 0)
dialog_input += strlen(CONFIG_);
sttext = str_new();
str_printf(&sttext, "Search (%s)", dialog_input_result);
stpart.text = str_get(&sttext);
list_add_tail(&stpart.entries, &trail);
Reported by FlawFinder.
Line: 612
Column: 15
CWE codes:
126
item_set_data(menu);
break;
default:
tmp = 2 + strlen(sym_get_string_value(sym)); /* () = 2 */
item_make("(%s)", sym_get_string_value(sym));
tmp = indent - tmp + 4;
if (tmp < 0)
tmp = 0;
item_add_str("%*c%s%s", tmp, ' ', menu_get_prompt(menu),
Reported by FlawFinder.
scripts/dtc/libfdt/fdt_rw.c
10 issues
Line: 151
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!can_assume(NO_ROLLBACK))
*allocated = 1;
memcpy(new, s, len);
return (new - strtab);
}
int fdt_add_mem_rsv(void *fdt, uint64_t address, uint64_t size)
{
Reported by FlawFinder.
Line: 254
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (err)
return err;
memcpy(namep, name, newlen+1);
return 0;
}
int fdt_setprop_placeholder(void *fdt, int nodeoffset, const char *name,
int len, void **prop_data)
Reported by FlawFinder.
Line: 287
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
if (len)
memcpy(prop_data, val, len);
return 0;
}
int fdt_appendprop(void *fdt, int nodeoffset, const char *name,
const void *val, int len)
Reported by FlawFinder.
Line: 308
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (err)
return err;
prop->len = cpu_to_fdt32(newlen);
memcpy(prop->data + oldlen, val, len);
} else {
err = fdt_add_property_(fdt, nodeoffset, name, len, &prop);
if (err)
return err;
memcpy(prop->data, val, len);
Reported by FlawFinder.
Line: 313
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = fdt_add_property_(fdt, nodeoffset, name, len, &prop);
if (err)
return err;
memcpy(prop->data, val, len);
}
return 0;
}
int fdt_delprop(void *fdt, int nodeoffset, const char *name)
Reported by FlawFinder.
Line: 367
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nh->tag = cpu_to_fdt32(FDT_BEGIN_NODE);
memset(nh->name, 0, FDT_TAGALIGN(namelen+1));
memcpy(nh->name, name, namelen);
endtag = (fdt32_t *)((char *)nh + nodelen - FDT_TAGSIZE);
*endtag = cpu_to_fdt32(FDT_END_NODE);
return offset;
}
Reported by FlawFinder.
Line: 100
Column: 15
CWE codes:
126
/* Must only be used to roll back in case of error */
static void fdt_del_last_string_(void *fdt, const char *s)
{
int newlen = strlen(s) + 1;
fdt_set_size_dt_strings(fdt, fdt_size_dt_strings(fdt) - newlen);
}
static int fdt_splice_string_(void *fdt, int newlen)
Reported by FlawFinder.
Line: 132
Column: 12
CWE codes:
126
char *strtab = (char *)fdt + fdt_off_dt_strings(fdt);
const char *p;
char *new;
int len = strlen(s) + 1;
int err;
if (!can_assume(NO_ROLLBACK))
*allocated = 0;
Reported by FlawFinder.
Line: 247
Column: 11
CWE codes:
126
if (!namep)
return oldlen;
newlen = strlen(name);
err = fdt_splice_struct_(fdt, namep, FDT_TAGALIGN(oldlen+1),
FDT_TAGALIGN(newlen+1));
if (err)
return err;
Reported by FlawFinder.
Line: 376
Column: 58
CWE codes:
126
int fdt_add_subnode(void *fdt, int parentoffset, const char *name)
{
return fdt_add_subnode_namelen(fdt, parentoffset, name, strlen(name));
}
int fdt_del_node(void *fdt, int nodeoffset)
{
int endoffset;
Reported by FlawFinder.
sound/core/oss/pcm_oss.c
10 issues
Line: 3137
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
duplex = (pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count > 0 &&
pcm->streams[SNDRV_PCM_STREAM_CAPTURE].substream_count &&
!(pcm->info_flags & SNDRV_PCM_INFO_HALF_DUPLEX));
sprintf(name, "%s%s", pcm->name, duplex ? " (DUPLEX)" : "");
#ifdef SNDRV_OSS_INFO_DEV_AUDIO
snd_oss_info_register(SNDRV_OSS_INFO_DEV_AUDIO,
pcm->card->number,
name);
#endif
Reported by FlawFinder.
Line: 215
Column: 20
CWE codes:
362
}
if (hw_is_mask(var))
changed = snd_mask_refine_min(hw_param_mask(params, var),
val + !!open);
else if (hw_is_interval(var))
changed = snd_interval_refine_min(hw_param_interval(params, var),
val, open);
else
return -EINVAL;
Reported by FlawFinder.
Line: 218
Column: 14
CWE codes:
362
val + !!open);
else if (hw_is_interval(var))
changed = snd_interval_refine_min(hw_param_interval(params, var),
val, open);
else
return -EINVAL;
if (changed > 0) {
params->cmask |= 1 << var;
params->rmask |= 1 << var;
Reported by FlawFinder.
Line: 271
Column: 19
CWE codes:
362
}
}
if (hw_is_mask(var)) {
if (val == 0 && open) {
snd_mask_none(hw_param_mask(params, var));
changed = -EINVAL;
} else
changed = snd_mask_refine_max(hw_param_mask(params, var),
val - !!open);
Reported by FlawFinder.
Line: 276
Column: 21
CWE codes:
362
changed = -EINVAL;
} else
changed = snd_mask_refine_max(hw_param_mask(params, var),
val - !!open);
} else if (hw_is_interval(var))
changed = snd_interval_refine_max(hw_param_interval(params, var),
val, open);
else
return -EINVAL;
Reported by FlawFinder.
Line: 279
Column: 14
CWE codes:
362
val - !!open);
} else if (hw_is_interval(var))
changed = snd_interval_refine_max(hw_param_interval(params, var),
val, open);
else
return -EINVAL;
if (changed > 0) {
params->cmask |= 1 << var;
params->rmask |= 1 << var;
Reported by FlawFinder.
Line: 909
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto failure;
if (direct) {
memcpy(params, sparams, sizeof(*params));
} else {
_snd_pcm_hw_params_any(params);
_snd_pcm_hw_param_set(params, SNDRV_PCM_HW_PARAM_ACCESS,
(__force int)SNDRV_PCM_ACCESS_RW_INTERLEAVED, 0);
_snd_pcm_hw_param_set(params, SNDRV_PCM_HW_PARAM_FORMAT,
Reported by FlawFinder.
Line: 2472
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int snd_pcm_oss_open(struct inode *inode, struct file *file)
{
int err;
char task_name[32];
struct snd_pcm *pcm;
struct snd_pcm_oss_file *pcm_oss_file;
struct snd_pcm_oss_setup setup[2];
int nonblock;
wait_queue_entry_t wait;
Reported by FlawFinder.
Line: 2982
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct snd_info_buffer *buffer)
{
struct snd_pcm_str *pstr = entry->private_data;
char line[128], str[32], task_name[32];
const char *ptr;
int idx1;
struct snd_pcm_oss_setup *setup, *setup1, template;
while (!snd_info_get_line(buffer, line, sizeof(line))) {
Reported by FlawFinder.
Line: 3131
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
pcm->oss.reg = 0;
if (dsp_map[pcm->card->number] == (int)pcm->device) {
char name[128];
int duplex;
register_oss_dsp(pcm, 0);
duplex = (pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count > 0 &&
pcm->streams[SNDRV_PCM_STREAM_CAPTURE].substream_count &&
!(pcm->info_flags & SNDRV_PCM_INFO_HALF_DUPLEX));
Reported by FlawFinder.
samples/bpf/xsk_fwd.c
10 issues
Line: 784
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
" forwarding port. Default: %u. May be invoked\n"
" multiple times.\n"
"\n";
printf(usage,
prog_name,
bpool_params_default.n_buffers,
port_params_default.iface_queue);
}
Reported by FlawFinder.
Line: 800
Column: 9
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
/* Parse the input arguments. */
for ( ; ;) {
opt = getopt_long(argc, argv, "c:i:q:", lgopts, &option_index);
if (opt == EOF)
break;
switch (opt) {
case 'b':
Reported by FlawFinder.
Line: 167
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* bpool memory initialization. */
bp = (struct bpool *)p;
memcpy(&bp->params, params, sizeof(*params));
bp->params.n_buffers = n_buffers;
bp->slabs = (u64 **)&p[sizeof(struct bpool)];
bp->slabs_reserved = (u64 **)&p[sizeof(struct bpool) +
slabs_size];
Reported by FlawFinder.
Line: 227
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
free(p);
return NULL;
}
memcpy(&bp->umem_cfg, umem_cfg, sizeof(*umem_cfg));
return bp;
}
static void
Reported by FlawFinder.
Line: 806
Column: 29
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
switch (opt) {
case 'b':
bpool_params.n_buffers = atoi(optarg);
break;
case 'c':
if (n_threads == MAX_THREADS) {
printf("Max number of threads (%d) reached.\n",
Reported by FlawFinder.
Line: 816
Column: 41
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
return -1;
}
thread_data[n_threads].cpu_core_id = atoi(optarg);
n_threads++;
break;
case 'i':
if (n_ports == MAX_PORTS) {
Reported by FlawFinder.
Line: 837
Column: 43
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
printf("No port specified for queue.\n");
return -1;
}
port_params[n_ports - 1].iface_queue = atoi(optarg);
break;
default:
printf("Illegal argument.\n");
return -1;
Reported by FlawFinder.
Line: 985
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int i;
/* Parse args. */
memcpy(&bpool_params, &bpool_params_default,
sizeof(struct bpool_params));
memcpy(&umem_cfg, &umem_cfg_default,
sizeof(struct xsk_umem_config));
for (i = 0; i < MAX_PORTS; i++)
memcpy(&port_params[i], &port_params_default,
Reported by FlawFinder.
Line: 987
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Parse args. */
memcpy(&bpool_params, &bpool_params_default,
sizeof(struct bpool_params));
memcpy(&umem_cfg, &umem_cfg_default,
sizeof(struct xsk_umem_config));
for (i = 0; i < MAX_PORTS; i++)
memcpy(&port_params[i], &port_params_default,
sizeof(struct port_params));
Reported by FlawFinder.
Line: 990
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&umem_cfg, &umem_cfg_default,
sizeof(struct xsk_umem_config));
for (i = 0; i < MAX_PORTS; i++)
memcpy(&port_params[i], &port_params_default,
sizeof(struct port_params));
if (parse_args(argc, argv)) {
print_usage(argv[0]);
return -1;
Reported by FlawFinder.
sound/soc/fsl/fsl_asrc.c
10 issues
Line: 44
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* The following tables map the relationship between asrc_inclk/asrc_outclk in
* fsl_asrc.h and the registers of ASRCSR
*/
static unsigned char input_clk_map_imx35[ASRC_CLK_MAP_LEN] = {
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf,
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
};
Reported by FlawFinder.
Line: 50
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
};
static unsigned char output_clk_map_imx35[ASRC_CLK_MAP_LEN] = {
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf,
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
};
Reported by FlawFinder.
Line: 57
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/* i.MX53 uses the same map for input and output */
static unsigned char input_clk_map_imx53[ASRC_CLK_MAP_LEN] = {
/* 0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf */
0x0, 0x1, 0x2, 0x7, 0x4, 0x5, 0x6, 0x3, 0x8, 0x9, 0xa, 0xb, 0xc, 0xf, 0xe, 0xd,
0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7,
0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7,
};
Reported by FlawFinder.
Line: 64
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7,
};
static unsigned char output_clk_map_imx53[ASRC_CLK_MAP_LEN] = {
/* 0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf */
0x8, 0x9, 0xa, 0x7, 0xc, 0x5, 0x6, 0xb, 0x0, 0x1, 0x2, 0x3, 0x4, 0xf, 0xe, 0xd,
0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7,
0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7,
};
Reported by FlawFinder.
Line: 78
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* clk_map_imx8qxp[0] is for i.MX8QXP asrc0
* clk_map_imx8qxp[1] is for i.MX8QXP asrc1
*/
static unsigned char clk_map_imx8qm[2][ASRC_CLK_MAP_LEN] = {
{
0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0x0,
0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf,
0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf,
},
Reported by FlawFinder.
Line: 91
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
},
};
static unsigned char clk_map_imx8qxp[2][ASRC_CLK_MAP_LEN] = {
{
0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0x0,
0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0xf, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc, 0xf, 0xf,
0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf,
},
Reported by FlawFinder.
Line: 580
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct fsl_asrc *asrc = pair->asrc;
enum asrc_pair_index index = pair->index;
char name[4];
sprintf(name, "%cx%c", dir == IN ? 'r' : 't', index + 'a');
return dma_request_slave_channel(&asrc->pdev->dev, name);
}
Reported by FlawFinder.
Line: 582
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
enum asrc_pair_index index = pair->index;
char name[4];
sprintf(name, "%cx%c", dir == IN ? 'r' : 't', index + 'a');
return dma_request_slave_channel(&asrc->pdev->dev, name);
}
static int fsl_asrc_dai_startup(struct snd_pcm_substream *substream,
Reported by FlawFinder.
Line: 1023
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void __iomem *regs;
int irq, ret, i;
u32 map_idx;
char tmp[16];
u32 width;
asrc = devm_kzalloc(&pdev->dev, sizeof(*asrc), GFP_KERNEL);
if (!asrc)
return -ENOMEM;
Reported by FlawFinder.
Line: 1078
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
dev_warn(&pdev->dev, "failed to get spba clock\n");
for (i = 0; i < ASRC_CLK_MAX_NUM; i++) {
sprintf(tmp, "asrck_%x", i);
asrc_priv->asrck_clk[i] = devm_clk_get(&pdev->dev, tmp);
if (IS_ERR(asrc_priv->asrck_clk[i])) {
dev_err(&pdev->dev, "failed to get %s clock\n", tmp);
return PTR_ERR(asrc_priv->asrck_clk[i]);
}
Reported by FlawFinder.
net/tls/tls_sw.c
10 issues
Line: 506
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
iv_offset = 1;
}
memcpy(&rec->iv_data[iv_offset], tls_ctx->tx.iv,
prot->iv_size + prot->salt_size);
xor_iv_with_seq(prot, rec->iv_data, tls_ctx->tx.rec_seq);
sge->offset += prot->prepend_size;
Reported by FlawFinder.
Line: 609
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
j = msg_npl->sg.start;
nsge = sk_msg_elem(msg_npl, j);
if (tmp.length) {
memcpy(nsge, &tmp, sizeof(*nsge));
sk_msg_iter_var_next(j);
nsge = sk_msg_elem(msg_npl, j);
}
osge = sk_msg_elem(msg_opl, i);
Reported by FlawFinder.
Line: 616
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
osge = sk_msg_elem(msg_opl, i);
while (osge->length) {
memcpy(nsge, osge, sizeof(*nsge));
sg_unmark_end(nsge);
sk_msg_iter_var_next(i);
sk_msg_iter_var_next(j);
if (i == *orig_end)
break;
Reported by FlawFinder.
Line: 841
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case __SK_REDIRECT:
sk_redir = psock->sk_redir;
memcpy(&msg_redir, msg, sizeof(*msg));
if (msg->apply_bytes < send)
msg->apply_bytes = 0;
else
msg->apply_bytes -= send;
sk_msg_return_zero(sk, msg, send);
Reported by FlawFinder.
Line: 1476
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (prot->version == TLS_1_3_VERSION ||
prot->cipher_type == TLS_CIPHER_CHACHA20_POLY1305)
memcpy(iv + iv_offset, tls_ctx->rx.iv,
crypto_aead_ivsize(ctx->aead_recv));
else
memcpy(iv + iv_offset, tls_ctx->rx.iv, prot->salt_size);
xor_iv_with_seq(prot, iv, tls_ctx->rx.rec_seq);
Reported by FlawFinder.
Line: 1479
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(iv + iv_offset, tls_ctx->rx.iv,
crypto_aead_ivsize(ctx->aead_recv));
else
memcpy(iv + iv_offset, tls_ctx->rx.iv, prot->salt_size);
xor_iv_with_seq(prot, iv, tls_ctx->rx.rec_seq);
/* Prepare AAD */
tls_make_aad(aad, rxm->full_len - prot->overhead_size +
Reported by FlawFinder.
Line: 1511
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (err < 0)
goto fallback_to_reg_recv;
} else if (out_sg) {
memcpy(sgout, out_sg, n_sgout * sizeof(*sgout));
} else {
goto fallback_to_reg_recv;
}
} else {
fallback_to_reg_recv:
Reported by FlawFinder.
Line: 2051
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tls_context *tls_ctx = tls_get_ctx(strp->sk);
struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
struct tls_prot_info *prot = &tls_ctx->prot_info;
char header[TLS_HEADER_SIZE + MAX_IV_SIZE];
struct strp_msg *rxm = strp_msg(skb);
size_t cipher_overhead;
size_t data_len = 0;
int ret;
Reported by FlawFinder.
Line: 2463
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Note: 128 & 256 bit salt are the same size */
prot->rec_seq_size = rec_seq_size;
memcpy(cctx->iv, salt, salt_size);
memcpy(cctx->iv + salt_size, iv, iv_size);
cctx->rec_seq = kmemdup(rec_seq, rec_seq_size, GFP_KERNEL);
if (!cctx->rec_seq) {
rc = -ENOMEM;
goto free_iv;
Reported by FlawFinder.
Line: 2464
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Note: 128 & 256 bit salt are the same size */
prot->rec_seq_size = rec_seq_size;
memcpy(cctx->iv, salt, salt_size);
memcpy(cctx->iv + salt_size, iv, iv_size);
cctx->rec_seq = kmemdup(rec_seq, rec_seq_size, GFP_KERNEL);
if (!cctx->rec_seq) {
rc = -ENOMEM;
goto free_iv;
}
Reported by FlawFinder.