The following issues were found
drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
10 issues
Line: 200
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Convert i2c_client to i2c_board_info */
bi = &pdata.subdevs[i].v4l2_subdev.board_info;
memcpy(bi->type, client->name, I2C_NAME_SIZE);
bi->flags = client->flags;
bi->addr = client->addr;
bi->irq = client->irq;
bi->platform_data = plat_data;
Reported by FlawFinder.
Line: 375
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define CFG_VAR_NAME_MAX 64
#define GMIN_PMC_CLK_NAME 14 /* "pmc_plt_clk_[0..5]" */
static char gmin_pmc_clk_name[GMIN_PMC_CLK_NAME];
static struct i2c_client *gmin_i2c_dev_exists(struct device *dev, char *name,
struct i2c_client **client)
{
struct acpi_device *adev;
Reported by FlawFinder.
Line: 428
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int atomisp_get_acpi_power(struct device *dev)
{
char name[5];
struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };
struct acpi_buffer b_name = { sizeof(name), name };
union acpi_object *package, *element;
acpi_handle handle = ACPI_HANDLE(dev);
acpi_handle rhandle;
Reported by FlawFinder.
Line: 1201
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
efi_char16_t var16[CFG_VAR_NAME_MAX];
const struct dmi_system_id *id;
struct device *dev = maindev;
char var8[CFG_VAR_NAME_MAX];
struct efivar_entry *ev;
int i, ret;
/* For sensors, try first to use the _DSM table */
if (!is_gmin) {
Reported by FlawFinder.
Line: 1253
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ev = kzalloc(sizeof(*ev), GFP_KERNEL);
if (!ev)
return -ENOMEM;
memcpy(&ev->var.VariableName, var16, sizeof(var16));
ev->var.VendorGuid = GMIN_CFG_VAR_EFI_GUID;
ev->var.DataSize = *out_len;
ret = efivar_entry_get(ev, &ev->var.Attributes,
&ev->var.DataSize, ev->var.Data);
Reported by FlawFinder.
Line: 1260
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = efivar_entry_get(ev, &ev->var.Attributes,
&ev->var.DataSize, ev->var.Data);
if (ret == 0) {
memcpy(out, ev->var.Data, ev->var.DataSize);
*out_len = ev->var.DataSize;
dev_info(maindev, "found EFI entry for '%s'\n", var8);
} else if (is_gmin) {
dev_info(maindev, "Failed to find EFI gmin variable %s\n", var8);
} else {
Reported by FlawFinder.
Line: 1276
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int gmin_get_var_int(struct device *dev, bool is_gmin, const char *var, int def)
{
char val[CFG_VAR_NAME_MAX];
size_t len = sizeof(val);
long result;
int ret;
ret = gmin_get_config_var(dev, is_gmin, var, val, &len);
Reported by FlawFinder.
Line: 462
Column: 7
CWE codes:
126
acpi_get_name(rhandle, ACPI_SINGLE_NAME, &b_name);
dev_dbg(dev, "Found PM resource '%s'\n", name);
if (strlen(name) == 4 && !strncmp(name, "CLK", 3)) {
if (name[3] >= '0' && name[3] <= '4')
clock_num = name[3] - '0';
#if 0
/*
* We could abort here, but let's parse all resources,
Reported by FlawFinder.
Line: 1092
Column: 8
CWE codes:
126
dev_info(dev, "Found DMI entry for '%s'\n", var8);
vl = strlen(gv->val);
if (vl > *out_len - 1)
return -ENOSPC;
strscpy(out, gv->val, *out_len);
*out_len = vl;
Reported by FlawFinder.
Line: 1183
Column: 13
CWE codes:
126
dev_info(dev, "found _DSM entry for '%s': %s\n", var,
cur->string.pointer);
strscpy(out, cur->string.pointer, *out_len);
*out_len = strlen(cur->string.pointer);
ACPI_FREE(obj);
return 0;
}
Reported by FlawFinder.
drivers/video/fbdev/core/fbcvt.c
10 issues
Line: 229
Column: 12
CWE codes:
120
20
read = snprintf(buf+offset, cnt, "fbcvt: %dx%d@%d: CVT Name - ",
cvt->xres, cvt->yres, cvt->refresh);
offset += read;
cnt -= read;
if (cvt->status)
snprintf(buf+offset, cnt, "Not a CVT standard - %d.%03d Mega "
"Pixel Image\n", pixcount, pixcount_mod);
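Reported by FlawFinder.
Triage note: CWE-120/CWE-20 with no suggestion is the pair FlawFinder attaches to input calls such as read(). In this excerpt `read` is a local variable holding snprintf()'s return value, so this hit and the other fbcvt.c hits on `offset += read` / `cnt -= read` appear to be name matches, not calls. The arithmetic is what deserves review: snprintf() returns the length the output would have had, so a truncated piece would leave `offset` and `cnt` wrong for the following calls. scnprintf(), which returns the bytes actually written, is the kernel idiom for this kind of accumulation.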
Line: 230
Column: 9
CWE codes:
120
20
read = snprintf(buf+offset, cnt, "fbcvt: %dx%d@%d: CVT Name - ",
cvt->xres, cvt->yres, cvt->refresh);
offset += read;
cnt -= read;
if (cvt->status)
snprintf(buf+offset, cnt, "Not a CVT standard - %d.%03d Mega "
"Pixel Image\n", pixcount, pixcount_mod);
else {
Reported by FlawFinder.
Line: 238
Column: 11
CWE codes:
120
20
else {
if (pixcount) {
read = snprintf(buf+offset, cnt, "%d", pixcount);
cnt -= read;
offset += read;
}
read = snprintf(buf+offset, cnt, ".%03dM", pixcount_mod);
cnt -= read;
Reported by FlawFinder.
Line: 239
Column: 14
CWE codes:
120
20
if (pixcount) {
read = snprintf(buf+offset, cnt, "%d", pixcount);
cnt -= read;
offset += read;
}
read = snprintf(buf+offset, cnt, ".%03dM", pixcount_mod);
cnt -= read;
offset += read;
Reported by FlawFinder.
Line: 243
Column: 10
CWE codes:
120
20
}
read = snprintf(buf+offset, cnt, ".%03dM", pixcount_mod);
cnt -= read;
offset += read;
if (cvt->aspect_ratio == 0)
read = snprintf(buf+offset, cnt, "3");
else if (cvt->aspect_ratio == 3)
Reported by FlawFinder.
Line: 244
Column: 13
CWE codes:
120
20
read = snprintf(buf+offset, cnt, ".%03dM", pixcount_mod);
cnt -= read;
offset += read;
if (cvt->aspect_ratio == 0)
read = snprintf(buf+offset, cnt, "3");
else if (cvt->aspect_ratio == 3)
read = snprintf(buf+offset, cnt, "4");
Reported by FlawFinder.
Line: 256
Column: 10
CWE codes:
120
20
read = snprintf(buf+offset, cnt, "A");
else
read = 0;
cnt -= read;
offset += read;
if (cvt->flags & FB_CVT_FLAG_REDUCED_BLANK) {
read = snprintf(buf+offset, cnt, "-R");
cnt -= read;
Reported by FlawFinder.
Line: 257
Column: 13
CWE codes:
120
20
else
read = 0;
cnt -= read;
offset += read;
if (cvt->flags & FB_CVT_FLAG_REDUCED_BLANK) {
read = snprintf(buf+offset, cnt, "-R");
cnt -= read;
offset += read;
Reported by FlawFinder.
Line: 262
Column: 14
CWE codes:
120
20
if (cvt->flags & FB_CVT_FLAG_REDUCED_BLANK) {
read = snprintf(buf+offset, cnt, "-R");
cnt -= read;
offset += read;
}
}
printk(KERN_INFO "%s\n", buf);
kfree(buf);
Reported by FlawFinder.
drivers/video/backlight/backlight.c
10 issues
Line: 275
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct backlight_device *bd = to_backlight_device(dev);
return sprintf(buf, "%s\n", backlight_types[bd->props.type]);
}
static DEVICE_ATTR_RO(type);
static ssize_t max_brightness_show(struct device *dev,
struct device_attribute *attr, char *buf)
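Reported by FlawFinder.
Triage note: this and the other `*_show` findings in this file are sysfs read callbacks (see the DEVICE_ATTR_RO lines) that format one integer or one entry from a fixed string table, so the output is short and its length is not chosen by the caller. The part to verify is the table index: `backlight_types[bd->props.type]` is in range only if `type` is validated at registration. The excerpt for line 417 shows that check against BACKLIGHT_TYPE_MAX for caller-supplied props. In current kernels sysfs_emit() is the preferred helper for show callbacks because it enforces the PAGE_SIZE limit itself.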
Line: 313
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (WARN_ON(bd->props.scale > BACKLIGHT_SCALE_NON_LINEAR))
return sprintf(buf, "unknown\n");
return sprintf(buf, "%s\n", backlight_scale_types[bd->props.scale]);
}
static DEVICE_ATTR_RO(scale);
static struct class *backlight_class;
Reported by FlawFinder.
Line: 163
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void backlight_generate_event(struct backlight_device *bd,
enum backlight_update_reason reason)
{
char *envp[2];
switch (reason) {
case BACKLIGHT_UPDATE_SYSFS:
envp[0] = "SOURCE=sysfs";
break;
Reported by FlawFinder.
Line: 186
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct backlight_device *bd = to_backlight_device(dev);
return sprintf(buf, "%d\n", bd->props.power);
}
static ssize_t bl_power_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 227
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct backlight_device *bd = to_backlight_device(dev);
return sprintf(buf, "%d\n", bd->props.brightness);
}
int backlight_device_set_brightness(struct backlight_device *bd,
unsigned long brightness)
{
Reported by FlawFinder.
Line: 284
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct backlight_device *bd = to_backlight_device(dev);
return sprintf(buf, "%d\n", bd->props.max_brightness);
}
static DEVICE_ATTR_RO(max_brightness);
static ssize_t actual_brightness_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 296
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mutex_lock(&bd->ops_lock);
if (bd->ops && bd->ops->get_brightness)
rc = sprintf(buf, "%d\n", bd->ops->get_brightness(bd));
else
rc = sprintf(buf, "%d\n", bd->props.brightness);
mutex_unlock(&bd->ops_lock);
return rc;
Reported by FlawFinder.
Line: 298
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (bd->ops && bd->ops->get_brightness)
rc = sprintf(buf, "%d\n", bd->ops->get_brightness(bd));
else
rc = sprintf(buf, "%d\n", bd->props.brightness);
mutex_unlock(&bd->ops_lock);
return rc;
}
static DEVICE_ATTR_RO(actual_brightness);
Reported by FlawFinder.
Line: 311
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct backlight_device *bd = to_backlight_device(dev);
if (WARN_ON(bd->props.scale > BACKLIGHT_SCALE_NON_LINEAR))
return sprintf(buf, "unknown\n");
return sprintf(buf, "%s\n", backlight_scale_types[bd->props.scale]);
}
static DEVICE_ATTR_RO(scale);
Reported by FlawFinder.
Line: 417
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Set default properties */
if (props) {
memcpy(&new_bd->props, props,
sizeof(struct backlight_properties));
if (props->type <= 0 || props->type >= BACKLIGHT_TYPE_MAX) {
WARN(1, "%s: invalid backlight type", name);
new_bd->props.type = BACKLIGHT_RAW;
}
Reported by FlawFinder.
drivers/scsi/qedf/qedf_main.c
10 issues
Line: 1825
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct qedf_ctx *base_qedf = lport_priv(n_port);
struct qedf_ctx *vport_qedf;
char buf[32];
int rc = 0;
rc = fcoe_validate_vport_create(vport);
if (rc) {
fcoe_wwn_to_str(vport->port_name, buf, sizeof(buf));
Reported by FlawFinder.
Line: 1855
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy some fields from base_qedf */
vport_qedf = lport_priv(vn_port);
memcpy(vport_qedf, base_qedf, sizeof(struct qedf_ctx));
/* Set qedf data specific to this vport */
vport_qedf->lport = vn_port;
/* Use same hba_lock as base_qedf */
vport_qedf->hba_lock = base_qedf->hba_lock;
Reported by FlawFinder.
Line: 1896
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fc_host_dev_loss_tmo(vn_port->host) = qedf_dev_loss_tmo;
/* Init libfc stuffs */
memcpy(&vn_port->tt, &qedf_lport_template,
sizeof(qedf_lport_template));
fc_exch_init(vn_port);
fc_elsct_init(vn_port);
fc_lport_init(vn_port);
fc_disc_init(vn_port);
Reported by FlawFinder.
Line: 2277
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
INIT_WORK(&io_work->work, qedf_fp_io_handler);
/* Copy contents of CQE for deferred processing */
memcpy(&io_work->cqe, cqe, sizeof(struct fcoe_cqe));
io_work->qedf = fp->qedf;
io_work->fp = NULL; /* Only used for unsolicited frames */
queue_work_on(cpu, qedf_io_wq, &io_work->work);
Reported by FlawFinder.
Line: 3268
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct Scsi_Host *host;
bool is_vf = false;
struct qed_ll2_params params;
char host_buf[20];
struct qed_link_params link_params;
int status;
void *task_start, *task_end;
struct qed_slowpath_params slowpath_params;
struct qed_probe_params qed_params;
Reported by FlawFinder.
Line: 3341
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
QEDF_INFO(&(qedf->dbg_ctx), QEDF_LOG_INFO, "qedf->io_mempool=%p.\n",
qedf->io_mempool);
sprintf(host_buf, "qedf_%u_link",
qedf->lport->host->host_no);
qedf->link_update_wq = create_workqueue(host_buf);
INIT_DELAYED_WORK(&qedf->link_update, qedf_handle_link_update);
INIT_DELAYED_WORK(&qedf->link_recovery, qedf_link_recovery);
INIT_DELAYED_WORK(&qedf->grcdump_work, qedf_wq_grcdump);
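Reported by FlawFinder.
Triage note: `host_buf` is declared as `char host_buf[20]` (see the finding for line 3268, apparently the same function). "qedf_%u_link" needs 5 + 10 + 5 characters plus the terminating NUL, 21 bytes, when the `%u` argument has ten digits; "qedf_%u_timer" at line 3593 needs up to 22. The buffer is therefore large enough only while `host_no` stays small, which the excerpt does not establish. `snprintf(host_buf, sizeof(host_buf), ...)` bounds the write regardless of the value.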
Line: 3520
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
QEDF_INFO(&(qedf->dbg_ctx), QEDF_LOG_DISC, "WWNN=%016llx "
"WWPN=%016llx.\n", qedf->wwnn, qedf->wwpn);
sprintf(host_buf, "host_%d", host->host_no);
qed_ops->common->set_name(qedf->cdev, host_buf);
/* Allocate cmd mgr */
qedf->cmd_mgr = qedf_cmd_mgr_alloc(qedf);
if (!qedf->cmd_mgr) {
Reported by FlawFinder.
Line: 3593
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
}
sprintf(host_buf, "qedf_%u_timer", qedf->lport->host->host_no);
qedf->timer_work_queue =
create_workqueue(host_buf);
if (!qedf->timer_work_queue) {
QEDF_ERR(&(qedf->dbg_ctx), "Failed to start timer "
"workqueue.\n");
Reported by FlawFinder.
Line: 3605
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* DPC workqueue is not reaped during recovery unload */
if (mode != QEDF_MODE_RECOVERY) {
sprintf(host_buf, "qedf_%u_dpc",
qedf->lport->host->host_no);
qedf->dpc_wq = create_workqueue(host_buf);
}
INIT_DELAYED_WORK(&qedf->recovery_work, qedf_recovery_handler);
Reported by FlawFinder.
Line: 3445
Column: 2
CWE codes:
120
slowpath_params.drv_minor = QEDF_DRIVER_MINOR_VER;
slowpath_params.drv_rev = QEDF_DRIVER_REV_VER;
slowpath_params.drv_eng = QEDF_DRIVER_ENG_VER;
strncpy(slowpath_params.name, "qedf", QED_DRV_VER_STR_SIZE);
rc = qed_ops->common->slowpath_start(qedf->cdev, &slowpath_params);
if (rc) {
QEDF_ERR(&(qedf->dbg_ctx), "Cannot start slowpath.\n");
goto err2;
}
Reported by FlawFinder.
drivers/usb/storage/alauda.c
10 issues
Line: 215
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* ECC computation.
*/
static unsigned char parity[256];
static unsigned char ecc2[256];
static void nand_init_ecc(void)
{
int i, j, a;
Reported by FlawFinder.
Line: 216
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static unsigned char parity[256];
static unsigned char ecc2[256];
static void nand_init_ecc(void)
{
int i, j, a;
Reported by FlawFinder.
Line: 274
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Copy the three ECC bytes at @ecc to @data.
 *
 * @data: destination; the caller must provide at least 3 writable bytes.
 * @ecc:  source; the caller must provide at least 3 readable bytes.
 *
 * The length is the constant 3, so the copy size cannot be influenced by
 * device or user data. Whether the copy is in bounds depends only on the
 * pointers each call site passes; nothing is checked here.
 */
static void nand_store_ecc(unsigned char *data, unsigned char *ecc)
{
memcpy(data, ecc, 3);
}
/*
* Alauda driver
*/
Reported by FlawFinder.
Line: 455
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int alauda_check_media(struct us_data *us)
{
struct alauda_info *info = (struct alauda_info *) us->extra;
unsigned char status[2];
alauda_get_media_status(us, status);
/* Check for no media or door open */
if ((status[0] & 0x80) || ((status[0] & 0x1F) == 0x10)
Reported by FlawFinder.
Line: 496
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ALAUDA_BULK_CMD, ALAUDA_BULK_GET_STATUS2,
0, 0, 0, 0, 3, 0, MEDIA_PORT(us)
};
unsigned char data[3];
rc = usb_stor_bulk_transfer_buf(us, us->send_bulk_pipe,
command, 9, NULL);
if (rc != USB_STOR_XFER_GOOD)
return rc;
Reported by FlawFinder.
Line: 698
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ALAUDA_BULK_CMD, ALAUDA_BULK_ERASE_BLOCK, PBA_HI(pba),
PBA_ZONE(pba), 0, PBA_LO(pba), 0x02, 0, MEDIA_PORT(us)
};
unsigned char buf[2];
usb_stor_dbg(us, "Erasing PBA %d\n", pba);
rc = usb_stor_bulk_transfer_buf(us, us->send_bulk_pipe,
command, 9, NULL);
Reported by FlawFinder.
Line: 805
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
u16 pba, lbap, new_pba;
unsigned char *bptr, *cptr, *xptr;
unsigned char ecc[3];
int i, result;
unsigned int uzonesize = MEDIA_INFO(us).uzonesize;
unsigned int zonesize = MEDIA_INFO(us).zonesize;
unsigned int pagesize = MEDIA_INFO(us).pagesize;
unsigned int blocksize = MEDIA_INFO(us).blocksize;
Reported by FlawFinder.
Line: 874
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = page; i < page+pages; i++) {
bptr = blockbuffer + (i * (pagesize + 64));
cptr = bptr + pagesize;
memcpy(bptr, xptr, pagesize);
xptr += pagesize;
nand_compute_ecc(bptr, ecc);
nand_store_ecc(cptr+13, ecc);
nand_compute_ecc(bptr + (pagesize / 2), ecc);
nand_store_ecc(cptr+8, ecc);
Reported by FlawFinder.
Line: 1124
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int rc;
struct alauda_info *info = (struct alauda_info *) us->extra;
unsigned char *ptr = us->iobuf;
static unsigned char inquiry_response[36] = {
0x00, 0x80, 0x00, 0x01, 0x1F, 0x00, 0x00, 0x00
};
if (srb->cmnd[0] == INQUIRY) {
usb_stor_dbg(us, "INQUIRY - Returning bogus response\n");
Reported by FlawFinder.
Line: 1130
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (srb->cmnd[0] == INQUIRY) {
usb_stor_dbg(us, "INQUIRY - Returning bogus response\n");
memcpy(ptr, inquiry_response, sizeof(inquiry_response));
fill_inquiry_response(us, ptr, 36);
return USB_STOR_TRANSPORT_GOOD;
}
if (srb->cmnd[0] == TEST_UNIT_READY) {
Reported by FlawFinder.
drivers/sh/maple/maple.c
10 issues
Line: 174
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mdev->mq->command = command;
mdev->mq->length = length;
if (length > 1)
memcpy(sendbuf + 4, data, (length - 1) * 4);
mdev->mq->sendbuf = sendbuf;
mutex_lock(&maple_wlist_lock);
list_add_tail(&mdev->mq->list, &maple_waitq);
mutex_unlock(&maple_wlist_lock);
Reported by FlawFinder.
Line: 339
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
recvbuf = mdev->mq->recvbuf->buf;
/* copy the data as individual elements in
* case of memory optimisation */
memcpy(&mdev->devinfo.function, recvbuf + 4, 4);
memcpy(&mdev->devinfo.function_data[0], recvbuf + 8, 12);
memcpy(&mdev->devinfo.area_code, recvbuf + 20, 1);
memcpy(&mdev->devinfo.connector_direction, recvbuf + 21, 1);
memcpy(&mdev->devinfo.product_name[0], recvbuf + 22, 30);
memcpy(&mdev->devinfo.standby_power, recvbuf + 112, 2);
Reported by FlawFinder.
Line: 340
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy the data as individual elements in
* case of memory optimisation */
memcpy(&mdev->devinfo.function, recvbuf + 4, 4);
memcpy(&mdev->devinfo.function_data[0], recvbuf + 8, 12);
memcpy(&mdev->devinfo.area_code, recvbuf + 20, 1);
memcpy(&mdev->devinfo.connector_direction, recvbuf + 21, 1);
memcpy(&mdev->devinfo.product_name[0], recvbuf + 22, 30);
memcpy(&mdev->devinfo.standby_power, recvbuf + 112, 2);
memcpy(&mdev->devinfo.max_power, recvbuf + 114, 2);
Reported by FlawFinder.
Line: 341
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* case of memory optimisation */
memcpy(&mdev->devinfo.function, recvbuf + 4, 4);
memcpy(&mdev->devinfo.function_data[0], recvbuf + 8, 12);
memcpy(&mdev->devinfo.area_code, recvbuf + 20, 1);
memcpy(&mdev->devinfo.connector_direction, recvbuf + 21, 1);
memcpy(&mdev->devinfo.product_name[0], recvbuf + 22, 30);
memcpy(&mdev->devinfo.standby_power, recvbuf + 112, 2);
memcpy(&mdev->devinfo.max_power, recvbuf + 114, 2);
memcpy(mdev->product_name, mdev->devinfo.product_name, 30);
Reported by FlawFinder.
Line: 342
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&mdev->devinfo.function, recvbuf + 4, 4);
memcpy(&mdev->devinfo.function_data[0], recvbuf + 8, 12);
memcpy(&mdev->devinfo.area_code, recvbuf + 20, 1);
memcpy(&mdev->devinfo.connector_direction, recvbuf + 21, 1);
memcpy(&mdev->devinfo.product_name[0], recvbuf + 22, 30);
memcpy(&mdev->devinfo.standby_power, recvbuf + 112, 2);
memcpy(&mdev->devinfo.max_power, recvbuf + 114, 2);
memcpy(mdev->product_name, mdev->devinfo.product_name, 30);
mdev->product_name[30] = '\0';
Reported by FlawFinder.
Line: 343
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&mdev->devinfo.function_data[0], recvbuf + 8, 12);
memcpy(&mdev->devinfo.area_code, recvbuf + 20, 1);
memcpy(&mdev->devinfo.connector_direction, recvbuf + 21, 1);
memcpy(&mdev->devinfo.product_name[0], recvbuf + 22, 30);
memcpy(&mdev->devinfo.standby_power, recvbuf + 112, 2);
memcpy(&mdev->devinfo.max_power, recvbuf + 114, 2);
memcpy(mdev->product_name, mdev->devinfo.product_name, 30);
mdev->product_name[30] = '\0';
memcpy(mdev->product_licence, mdev->devinfo.product_licence, 60);
Reported by FlawFinder.
Line: 344
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&mdev->devinfo.area_code, recvbuf + 20, 1);
memcpy(&mdev->devinfo.connector_direction, recvbuf + 21, 1);
memcpy(&mdev->devinfo.product_name[0], recvbuf + 22, 30);
memcpy(&mdev->devinfo.standby_power, recvbuf + 112, 2);
memcpy(&mdev->devinfo.max_power, recvbuf + 114, 2);
memcpy(mdev->product_name, mdev->devinfo.product_name, 30);
mdev->product_name[30] = '\0';
memcpy(mdev->product_licence, mdev->devinfo.product_licence, 60);
mdev->product_licence[60] = '\0';
Reported by FlawFinder.
Line: 345
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&mdev->devinfo.connector_direction, recvbuf + 21, 1);
memcpy(&mdev->devinfo.product_name[0], recvbuf + 22, 30);
memcpy(&mdev->devinfo.standby_power, recvbuf + 112, 2);
memcpy(&mdev->devinfo.max_power, recvbuf + 114, 2);
memcpy(mdev->product_name, mdev->devinfo.product_name, 30);
mdev->product_name[30] = '\0';
memcpy(mdev->product_licence, mdev->devinfo.product_licence, 60);
mdev->product_licence[60] = '\0';
Reported by FlawFinder.
Line: 346
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&mdev->devinfo.product_name[0], recvbuf + 22, 30);
memcpy(&mdev->devinfo.standby_power, recvbuf + 112, 2);
memcpy(&mdev->devinfo.max_power, recvbuf + 114, 2);
memcpy(mdev->product_name, mdev->devinfo.product_name, 30);
mdev->product_name[30] = '\0';
memcpy(mdev->product_licence, mdev->devinfo.product_licence, 60);
mdev->product_licence[60] = '\0';
for (p = mdev->product_name + 29; mdev->product_name <= p; p--)
Reported by FlawFinder.
Line: 348
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&mdev->devinfo.max_power, recvbuf + 114, 2);
memcpy(mdev->product_name, mdev->devinfo.product_name, 30);
mdev->product_name[30] = '\0';
memcpy(mdev->product_licence, mdev->devinfo.product_licence, 60);
mdev->product_licence[60] = '\0';
for (p = mdev->product_name + 29; mdev->product_name <= p; p--)
if (*p == ' ')
*p = '\0';
Reported by FlawFinder.
drivers/tty/vt/keyboard.c
10 issues
Line: 2039
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
char *cur_f = func_table[cur];
if (cur_f && strlen(cur_f) >= strlen(kbs)) {
strcpy(cur_f, kbs);
return kbs;
}
func_table[cur] = kbs;
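Reported by FlawFinder.
Triage note: the strcpy() here is guarded by `strlen(cur_f) >= strlen(kbs)`, so the copy never writes more bytes than the string already stored at `cur_f` occupies, terminator included. The guard is only as good as the NUL termination of both strings, which is what the CWE-126 findings for line 2038 point at. Where `kbs` comes from and how it is terminated is outside this excerpt.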
Line: 142
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static DEFINE_SPINLOCK(led_lock);
static DEFINE_SPINLOCK(func_buf_lock); /* guard 'func_buf' and friends */
static DECLARE_BITMAP(key_down, KEY_CNT); /* keyboard key bitmap */
static unsigned char shift_down[NR_SHIFT]; /* shift state counters.. */
static bool dead_key_next;
/* Handles a number being assembled on the number pad */
static bool npadch_active;
static unsigned int npadch_value;
Reported by FlawFinder.
Line: 209
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
.error = -ENODEV,
};
memcpy(d.ke.scancode, &scancode, sizeof(scancode));
input_handler_for_each_handle(&kbd_handler, &d, getkeycode_helper);
return d.error ?: d.ke.keycode;
}
Reported by FlawFinder.
Line: 236
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
.error = -ENODEV,
};
memcpy(d.ke.scancode, &scancode, sizeof(scancode));
input_handler_for_each_handle(&kbd_handler, &d, setkeycode_helper);
return d.error;
}
Reported by FlawFinder.
Line: 718
Column: 24
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static void k_dead(struct vc_data *vc, unsigned char value, char up_flag)
{
static const unsigned char ret_diacr[NR_DEAD] = {
'`', /* dead_grave */
'\'', /* dead_acute */
'^', /* dead_circumflex */
'~', /* dead_tilda */
'"', /* dead_diaeresis */
Reported by FlawFinder.
Line: 1735
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_irqsave(&kbd_event_lock, flags);
asize = accent_table_size;
memcpy(buf, accent_table, asize * sizeof(struct kbdiacruc));
spin_unlock_irqrestore(&kbd_event_lock, flags);
if (put_user(asize, &a->kb_cnt))
ret = -EFAULT;
Reported by FlawFinder.
Line: 1809
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
spin_lock_irqsave(&kbd_event_lock, flags);
if (ct)
memcpy(accent_table, buf,
ct * sizeof(struct kbdiacruc));
accent_table_size = ct;
spin_unlock_irqrestore(&kbd_event_lock, flags);
kfree(buf);
return 0;
Reported by FlawFinder.
Line: 332
Column: 40
CWE codes:
126
/*
 * Insert the string @cp into the tty port of @vc, then call
 * tty_schedule_flip() on the same port.
 *
 * The byte count is taken from strlen(cp), so @cp must be NUL-terminated
 * inside its buffer; an unterminated string would make strlen() read past
 * the end (the CWE-126 finding). The return value of
 * tty_insert_flip_string() is not checked here.
 */
static void puts_queue(struct vc_data *vc, const char *cp)
{
tty_insert_flip_string(&vc->port, cp, strlen(cp));
tty_schedule_flip(&vc->port);
}
static void applkey(struct vc_data *vc, int key, char mode)
{
Reported by FlawFinder.
Line: 2038
Column: 15
CWE codes:
126
static DECLARE_BITMAP(is_kmalloc, MAX_NR_FUNC);
char *cur_f = func_table[cur];
if (cur_f && strlen(cur_f) >= strlen(kbs)) {
strcpy(cur_f, kbs);
return kbs;
}
func_table[cur] = kbs;
Reported by FlawFinder.
Line: 2038
Column: 32
CWE codes:
126
static DECLARE_BITMAP(is_kmalloc, MAX_NR_FUNC);
char *cur_f = func_table[cur];
if (cur_f && strlen(cur_f) >= strlen(kbs)) {
strcpy(cur_f, kbs);
return kbs;
}
func_table[cur] = kbs;
Reported by FlawFinder.
drivers/target/sbp/sbp_target.c
10 issues
Line: 2079
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * configfs show handler: writes a fixed banner containing SBP_VERSION into
 * @page and returns sprintf()'s result, the number of characters written.
 *
 * The format string is a literal and the only argument is SBP_VERSION, so
 * nothing supplied through @item reaches the output.
 * NOTE(review): the write is unbounded and relies on @page being large
 * enough for the banner; presumably configfs passes a PAGE_SIZE buffer,
 * confirm against the configfs core.
 */
static ssize_t sbp_wwn_version_show(struct config_item *item, char *page)
{
return sprintf(page, "FireWire SBP fabric module %s\n", SBP_VERSION);
}
CONFIGFS_ATTR_RO(sbp_wwn_, version);
static struct configfs_attribute *sbp_wwn_attrs[] = {
Reported by FlawFinder.
Line: 186
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct sbp_session *sess;
int ret;
char guid_str[17];
snprintf(guid_str, sizeof(guid_str), "%016llx", guid);
sess = kmalloc(sizeof(*sess), GFP_KERNEL);
if (!sess)
Reported by FlawFinder.
Line: 1119
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!req->cmd_buf)
return -ENOMEM;
memcpy(req->cmd_buf, req->orb.command_block,
min_t(int, cmd_len, sizeof(req->orb.command_block)));
if (cmd_len > sizeof(req->orb.command_block)) {
pr_debug("sbp_fetch_command: filling in long command\n");
copy_len = cmd_len - sizeof(req->orb.command_block);
Reported by FlawFinder.
Line: 1854
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data[idx++] = (CSR_DIRECTORY_ID << 24) | tport->directory_id;
/* unit directory template */
memcpy(&data[idx], sbp_unit_directory_template,
sizeof(sbp_unit_directory_template));
idx += ARRAY_SIZE(sbp_unit_directory_template);
/* management_agent */
mgt_agt_addr = (tport->mgt_agt->handler.offset - CSR_REGISTER_BASE) / 4;
Reported by FlawFinder.
Line: 2096
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sbp_tport *tport = tpg->tport;
if (tport->directory_id == -1)
return sprintf(page, "implicit\n");
else
return sprintf(page, "%06x\n", tport->directory_id);
}
static ssize_t sbp_tpg_directory_id_store(struct config_item *item,
Reported by FlawFinder.
Line: 2098
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (tport->directory_id == -1)
return sprintf(page, "implicit\n");
else
return sprintf(page, "%06x\n", tport->directory_id);
}
static ssize_t sbp_tpg_directory_id_store(struct config_item *item,
const char *page, size_t count)
{
Reported by FlawFinder.
Line: 2133
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct se_portal_group *se_tpg = to_tpg(item);
struct sbp_tpg *tpg = container_of(se_tpg, struct sbp_tpg, se_tpg);
struct sbp_tport *tport = tpg->tport;
return sprintf(page, "%d\n", tport->enable);
}
static ssize_t sbp_tpg_enable_store(struct config_item *item,
const char *page, size_t count)
{
Reported by FlawFinder.
Line: 2194
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct se_portal_group *se_tpg = attrib_to_tpg(item);
struct sbp_tpg *tpg = container_of(se_tpg, struct sbp_tpg, se_tpg);
struct sbp_tport *tport = tpg->tport;
return sprintf(page, "%d\n", tport->mgt_orb_timeout);
}
static ssize_t sbp_tpg_attrib_mgt_orb_timeout_store(struct config_item *item,
const char *page, size_t count)
{
Reported by FlawFinder.
Line: 2229
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct se_portal_group *se_tpg = attrib_to_tpg(item);
struct sbp_tpg *tpg = container_of(se_tpg, struct sbp_tpg, se_tpg);
struct sbp_tport *tport = tpg->tport;
return sprintf(page, "%d\n", tport->max_reconnect_timeout);
}
static ssize_t sbp_tpg_attrib_max_reconnect_timeout_store(struct config_item *item,
const char *page, size_t count)
{
Reported by FlawFinder.
Line: 2264
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct se_portal_group *se_tpg = attrib_to_tpg(item);
struct sbp_tpg *tpg = container_of(se_tpg, struct sbp_tpg, se_tpg);
struct sbp_tport *tport = tpg->tport;
return sprintf(page, "%d\n", tport->max_logins_per_lun);
}
static ssize_t sbp_tpg_attrib_max_logins_per_lun_store(struct config_item *item,
const char *page, size_t count)
{
Reported by FlawFinder.
drivers/spi/spi.c
10 issues
Line: 69
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (len != -ENODEV)
return len;
return sprintf(buf, "%s%s\n", SPI_MODULE_PREFIX, spi->modalias);
}
static DEVICE_ATTR_RO(modalias);
static ssize_t driver_override_store(struct device *dev,
struct device_attribute *a,
Reported by FlawFinder.
Line: 150
Column: 8
CWE codes:
134
Suggestion:
Make format string constant
unsigned long flags; \
ssize_t len; \
spin_lock_irqsave(&stat->lock, flags); \
len = sprintf(buf, format_string, stat->field); \
spin_unlock_irqrestore(&stat->lock, flags); \
return len; \
} \
SPI_STATISTICS_ATTRS(name, file)
Reported by FlawFinder.
Line: 2457
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device *child;
child = device_find_child(&ctlr->dev, NULL, match_true);
return sprintf(buf, "%s\n",
child ? to_spi_device(child)->modalias : NULL);
}
static ssize_t slave_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 814
Column: 3
CWE codes:
120
Suggestion:
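Make sure destination can always hold the source data. The copy length in the flagged call is sizeof(*info), so the check comes down to confirming that bi->board_info has the same type as *info; both declarations are outside the excerpt.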
for (i = 0; i < n; i++, bi++, info++) {
struct spi_controller *ctlr;
memcpy(&bi->board_info, info, sizeof(*info));
mutex_lock(&board_lock);
list_add_tail(&bi->list, &board_list);
list_for_each_entry(ctlr, &spi_controller_list, list)
spi_match_controller_to_boardinfo(ctlr,
Reported by FlawFinder.
Line: 2468
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
dev);
struct spi_device *spi;
struct device *child;
char name[32];
int rc;
rc = sscanf(buf, "%31s", name);
if (rc != 1 || !name[0])
return -EINVAL;
Reported by FlawFinder.
Line: 3276
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
xfer = &rxfer->inserted_transfers[insert - 1 - i];
/* copy all spi_transfer data */
memcpy(xfer, xfer_first, sizeof(*xfer));
/* add to list */
list_add(&xfer->transfer_list, rxfer->replaced_after);
/* clear cs_change and delay for all but the last */
Reported by FlawFinder.
Line: 4103
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spi_message_add_tail(&x[1], &message);
}
memcpy(local_buf, txbuf, n_tx);
x[0].tx_buf = local_buf;
x[1].rx_buf = local_buf + n_tx;
/* do the i/o */
status = spi_sync(spi, &message);
Reported by FlawFinder.
Line: 4110
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* do the i/o */
status = spi_sync(spi, &message);
if (status == 0)
memcpy(rxbuf, x[1].rx_buf, n_rx);
if (x[0].tx_buf == buf)
mutex_unlock(&lock);
else
kfree(local_buf);
Reported by FlawFinder.
Line: 706
Column: 10
CWE codes:
126
if (!proxy)
return NULL;
WARN_ON(strlen(chip->modalias) >= sizeof(proxy->modalias));
proxy->chip_select = chip->chip_select;
proxy->max_speed_hz = chip->max_speed_hz;
proxy->mode = chip->mode;
proxy->irq = chip->irq;
Reported by FlawFinder.
Line: 2471
Column: 7
CWE codes:
120
Suggestion:
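Check that the limit is sufficiently small, or use a different input function. In the excerpt the destination is char name[32] and the conversion is "%31s", so the field width leaves one byte for the terminating NUL and the read cannot overrun name.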
char name[32];
int rc;
rc = sscanf(buf, "%31s", name);
if (rc != 1 || !name[0])
return -EINVAL;
child = device_find_child(&ctlr->dev, NULL, match_true);
if (child) {
Reported by FlawFinder.
drivers/staging/greybus/camera.c
10 issues
Line: 202
CWE codes:
476
return -ENOMEM;
if (request_size)
memcpy(operation->request->payload, request, request_size);
ret = gb_operation_request_send_sync(operation);
if (ret) {
dev_err(&connection->hd->dev,
"%s: synchronous operation of type 0x%02x failed: %d\n",
Reported by Cppcheck.
Line: 31
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/*
 * Text buffer paired with its current fill level.
 *
 * NOTE(review): judging by the name this backs the camera debugfs files;
 * confirm against the users of the struct, which are outside this excerpt.
 * Nothing in the type itself keeps length below PAGE_SIZE, so every writer
 * that appends at data + length has to bound its own output.
 */
struct gb_camera_debugfs_buffer {
/* Fixed-size character area of PAGE_SIZE bytes. */
char data[PAGE_SIZE];
/*
 * Byte count kept alongside data. The sprintf() callers quoted elsewhere in
 * this report set it from sprintf()'s return value and append at
 * data + length, so it presumably tracks the number of bytes written.
 */
size_t length;
};
enum gb_camera_state {
GB_CAMERA_STATE_UNCONFIGURED,
Reported by FlawFinder.
Line: 202
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
if (request_size)
memcpy(operation->request->payload, request, request_size);
ret = gb_operation_request_send_sync(operation);
if (ret) {
dev_err(&connection->hd->dev,
"%s: synchronous operation of type 0x%02x failed: %d\n",
Reported by FlawFinder.
Line: 213
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*response_size = operation->response->payload_size;
if (operation->response->payload_size)
memcpy(response, operation->response->payload,
operation->response->payload_size);
}
gb_operation_put(operation);
Reported by FlawFinder.
Line: 674
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->streams = streams;
req->padding = 0;
req->num_frames = cpu_to_le16(num_frames);
memcpy(req->settings, settings, settings_size);
mutex_lock(&gcam->mutex);
if (!gcam->connection) {
ret = -EINVAL;
Reported by FlawFinder.
Line: 898
Column: 21
CWE codes:
120
Suggestion:
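Use sprintf_s, snprintf, or vsnprintf. Each loop iteration appends at buffer->data + buffer->length, and the excerpt shows no comparison of buffer->length against the size of buffer->data, so the safety of this call rests on `size` being bounded elsewhere. scnprintf() with the space remaining in buffer->data as its limit would bound every append and still return the number of bytes actually written.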
for (i = 0; i < size; i += 16) {
unsigned int nbytes = min_t(unsigned int, size - i, 16);
buffer->length += sprintf(buffer->data + buffer->length,
"%*ph\n", nbytes, caps + i);
}
done:
kfree(caps);
Reported by FlawFinder.
Line: 981
Column: 19
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret < 0)
goto done;
buffer->length = sprintf(buffer->data, "%u;%u;", nstreams, flags);
for (i = 0; i < nstreams; ++i) {
struct gb_camera_stream_config *stream = &streams[i];
buffer->length += sprintf(buffer->data + buffer->length,
Reported by FlawFinder.
Line: 986
Column: 21
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < nstreams; ++i) {
struct gb_camera_stream_config *stream = &streams[i];
buffer->length += sprintf(buffer->data + buffer->length,
"%u;%u;%u;%u;%u;%u;%u;",
stream->width, stream->height,
stream->format, stream->vc,
stream->dt[0], stream->dt[1],
stream->max_size);
Reported by FlawFinder.
Line: 1054
Column: 19
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret < 0)
return ret;
buffer->length = sprintf(buffer->data, "%u", req_id);
return len;
}
struct gb_camera_debugfs_entry {
Reported by FlawFinder.
Line: 1160
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int gb_camera_debugfs_init(struct gb_camera *gcam)
{
struct gb_connection *connection = gcam->connection;
char dirname[27];
unsigned int i;
/*
* Create root debugfs entry and a file entry for each camera operation.
*/
Reported by FlawFinder.