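The following issues were found by FlawFinder. Each entry lists the flagged line and column, the CWE codes, the tool's suggestion (where it gives one), and an excerpt of the source around the flagged line. FlawFinder matches risky function names and fixed-size array declarations; it does not track buffer sizes or data flow, so each entry needs manual triage against the surrounding code.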
drivers/firmware/xilinx/zynqmp-debug.c
10 issues
Line: 110
Column: 4
CWE codes:
120
Suggestion:
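Use sprintf_s, snprintf, or vsnprintf. In kernel code sprintf_s is not available; the bounded form here is snprintf or scnprintf with sizeof(debugfs_buf). The %s argument is pm_api_ret cast to char *, so the call also relies on that data being NUL-terminated, which this excerpt does not show.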
switch (qdata.qid) {
case PM_QID_CLOCK_GET_NAME:
sprintf(debugfs_buf, "Clock name = %s\n",
(char *)pm_api_ret);
break;
case PM_QID_CLOCK_GET_FIXEDFACTOR_PARAMS:
sprintf(debugfs_buf, "Multiplier = %d, Divider = %d\n",
pm_api_ret[1], pm_api_ret[2]);
Reported by FlawFinder.
Line: 26
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pm_api_info {
u32 api_id;
char api_name[PM_API_NAME_LEN];
char api_name_len;
};
static char debugfs_buf[PAGE_SIZE];
Reported by FlawFinder.
Line: 30
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char api_name_len;
};
static char debugfs_buf[PAGE_SIZE];
#define PM_API(id) {id, #id, strlen(#id)}
static struct pm_api_info pm_api_list[] = {
PM_API(PM_GET_API_VERSION),
PM_API(PM_QUERY_DATA),
Reported by FlawFinder.
Line: 95
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (pm_id) {
case PM_GET_API_VERSION:
ret = zynqmp_pm_get_api_version(&pm_api_version);
sprintf(debugfs_buf, "PM-API Version = %d.%d\n",
pm_api_version >> 16, pm_api_version & 0xffff);
break;
case PM_QUERY_DATA:
qdata.qid = pm_api_arg[0];
qdata.arg1 = pm_api_arg[1];
Reported by FlawFinder.
Line: 114
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
(char *)pm_api_ret);
break;
case PM_QID_CLOCK_GET_FIXEDFACTOR_PARAMS:
sprintf(debugfs_buf, "Multiplier = %d, Divider = %d\n",
pm_api_ret[1], pm_api_ret[2]);
break;
default:
sprintf(debugfs_buf,
"data[0] = 0x%08x\ndata[1] = 0x%08x\n data[2] = 0x%08x\ndata[3] = 0x%08x\n",
Reported by FlawFinder.
Line: 118
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
pm_api_ret[1], pm_api_ret[2]);
break;
default:
sprintf(debugfs_buf,
"data[0] = 0x%08x\ndata[1] = 0x%08x\n data[2] = 0x%08x\ndata[3] = 0x%08x\n",
pm_api_ret[0], pm_api_ret[1],
pm_api_ret[2], pm_api_ret[3]);
}
break;
Reported by FlawFinder.
Line: 125
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
break;
default:
sprintf(debugfs_buf, "Unsupported PM-API request\n");
ret = -EINVAL;
}
return ret;
}
Reported by FlawFinder.
Line: 32
Column: 32
CWE codes:
126
static char debugfs_buf[PAGE_SIZE];
#define PM_API(id) {id, #id, strlen(#id)}
static struct pm_api_info pm_api_list[] = {
PM_API(PM_GET_API_VERSION),
PM_API(PM_QUERY_DATA),
};
Reported by FlawFinder.
Line: 160
Column: 2
CWE codes:
120
Suggestion:
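Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The flagged call copies the constant empty string, so it writes a single NUL byte and cannot overflow debugfs_buf; `debugfs_buf[0] = '\0';` expresses the same reset without a copy routine.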
int ret;
int i = 0;
strcpy(debugfs_buf, "");
if (*off != 0 || len <= 1 || len > PAGE_SIZE - 1)
return -EINVAL;
kern_buff = memdup_user_nul(ptr, len);
Reported by FlawFinder.
Line: 208
Column: 12
CWE codes:
126
size_t len, loff_t *off)
{
return simple_read_from_buffer(ptr, len, off, debugfs_buf,
strlen(debugfs_buf));
}
/* Setup debugfs fops */
static const struct file_operations fops_zynqmp_pm_dbgfs = {
.owner = THIS_MODULE,
Reported by FlawFinder.
drivers/crypto/sa2ul.c
10 issues
Line: 376
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int i, j;
for (i = 0; i < len; i += 16) {
memcpy(data, &in[i], 16);
for (j = 0; j < 16; j++)
in[i + j] = data[15 - j];
}
}
Reported by FlawFinder.
Line: 497
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
memcpy(inv_key, &ctx.key_enc[key_pos], key_sz);
return 0;
}
/* Set Security context for the encryption engine */
static int sa_set_sc_enc(struct algo_data *ad, const u8 *key, u16 key_sz,
Reported by FlawFinder.
Line: 516
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mci = ad->mci_dec;
/* Set the mode control instructions in security context */
if (mci)
memcpy(&sc_buf[1], mci, MODE_CONTROL_BYTES);
/* For AES-CBC decryption get the inverse key */
if (ad->inv_key && !enc) {
if (sa_aes_inv_key(&sc_buf[SC_ENC_KEY_OFFSET], key, key_sz))
return -EINVAL;
Reported by FlawFinder.
Line: 524
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
/* For all other cases: key is used */
} else {
memcpy(&sc_buf[SC_ENC_KEY_OFFSET], key, key_sz);
}
return 0;
}
Reported by FlawFinder.
Line: 679
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (upd_info->flags & SA_CMDL_UPD_AUX_KEY) {
int offset = (req->auth_size & 0xF) ? 4 : 0;
memcpy(&cmdl[upd_info->aux_key_info.index],
&upd_info->aux_key[offset], 16);
}
}
}
Reported by FlawFinder.
Line: 750
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* SCCTL Owner info: 0=host, 1=CP_ACE */
sc_buf[SA_CTX_SCCTL_OWNER_OFFSET] = 0;
memcpy(&sc_buf[2], &sc_id, 2);
sc_buf[4] = 0x0;
sc_buf[5] = match_data->priv_id;
sc_buf[6] = match_data->priv;
sc_buf[7] = 0x0;
Reported by FlawFinder.
Line: 1129
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ddev = dmaengine_get_dma_device(pdata->dma_tx);
rxd->ddev = ddev;
memcpy(cmdl, sa_ctx->cmdl, sa_ctx->cmdl_size);
sa_update_cmdl(req, cmdl, &sa_ctx->cmdl_upd_info);
if (req->type != CRYPTO_ALG_TYPE_AHASH) {
if (req->enc)
Reported by FlawFinder.
Line: 1386
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (sa_digest_size) {
case SHA1_DIGEST_SIZE:
memcpy(req->result, sha1_zero_message_hash, sa_digest_size);
break;
case SHA256_DIGEST_SIZE:
memcpy(req->result, sha256_zero_message_hash, sa_digest_size);
break;
case SHA512_DIGEST_SIZE:
Reported by FlawFinder.
Line: 1389
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(req->result, sha1_zero_message_hash, sa_digest_size);
break;
case SHA256_DIGEST_SIZE:
memcpy(req->result, sha256_zero_message_hash, sa_digest_size);
break;
case SHA512_DIGEST_SIZE:
memcpy(req->result, sha512_zero_message_hash, sa_digest_size);
break;
default:
Reported by FlawFinder.
Line: 1392
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(req->result, sha256_zero_message_hash, sa_digest_size);
break;
case SHA512_DIGEST_SIZE:
memcpy(req->result, sha512_zero_message_hash, sa_digest_size);
break;
default:
return -EINVAL;
}
Reported by FlawFinder.
drivers/crypto/omap-sham.c
10 issues
Line: 731
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (ctx->bufcnt)
memcpy(buf, ctx->dd->xmit_buf, ctx->bufcnt);
scatterwalk_map_and_copy(buf + ctx->bufcnt, sg, ctx->offset,
min(new_len, ctx->total) - ctx->bufcnt, 0);
sg_init_table(ctx->sgl, 1);
sg_set_buf(ctx->sgl, buf, new_len);
Reported by FlawFinder.
Line: 906
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (rctx->bufcnt)
memcpy(rctx->dd->xmit_buf, rctx->buffer, rctx->bufcnt);
ret = omap_sham_align_sgs(req->src, nbytes, bs, final, rctx);
if (ret)
return ret;
Reported by FlawFinder.
Line: 1018
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!test_bit(FLAGS_AUTO_XOR, &dd->flags)) {
struct omap_sham_hmac_ctx *bctx = tctx->base;
memcpy(ctx->buffer, bctx->ipad, bs);
ctx->bufcnt = bs;
}
ctx->flags |= BIT(FLAGS_HMAC);
}
Reported by FlawFinder.
Line: 1320
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
keylen = ds;
} else {
memcpy(bctx->ipad, key, keylen);
}
memset(bctx->ipad + keylen, 0, bs - keylen);
if (!test_bit(FLAGS_AUTO_XOR, &sham.flags)) {
Reported by FlawFinder.
Line: 1326
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(bctx->ipad + keylen, 0, bs - keylen);
if (!test_bit(FLAGS_AUTO_XOR, &sham.flags)) {
memcpy(bctx->opad, bctx->ipad, bs);
for (i = 0; i < bs; i++) {
bctx->ipad[i] ^= HMAC_IPAD_VALUE;
bctx->opad[i] ^= HMAC_OPAD_VALUE;
}
Reported by FlawFinder.
Line: 1427
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct omap_sham_reqctx *rctx = ahash_request_ctx(req);
memcpy(out, rctx, sizeof(*rctx) + rctx->bufcnt);
return 0;
}
static int omap_sham_import(struct ahash_request *req, const void *in)
Reported by FlawFinder.
Line: 1437
Column: 2
CWE codes:
120
Suggestion:
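Make sure destination can always hold the source data. The copy length is sizeof(*rctx) plus a bufcnt value read from the imported blob itself, so the bound depends on caller-supplied state; whether bufcnt is limited to the size of the request context's buffer is not visible in this excerpt and should be confirmed.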
struct omap_sham_reqctx *rctx = ahash_request_ctx(req);
const struct omap_sham_reqctx *ctx_in = in;
memcpy(rctx, in, sizeof(*rctx) + ctx_in->bufcnt);
return 0;
}
static struct ahash_alg algs_sha1_md5[] = {
Reported by FlawFinder.
Line: 1976
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = -ENODEV;
goto err;
}
memcpy(res, r, sizeof(*res));
/* Get the IRQ */
dd->irq = platform_get_irq(pdev, 0);
if (dd->irq < 0) {
err = dd->irq;
Reported by FlawFinder.
Line: 1997
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct omap_sham_dev *dd = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", dd->fallback_sz);
}
static ssize_t fallback_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t size)
{
Reported by FlawFinder.
Line: 2027
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct omap_sham_dev *dd = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", dd->queue.max_qlen);
}
static ssize_t queue_len_store(struct device *dev,
struct device_attribute *attr, const char *buf,
size_t size)
Reported by FlawFinder.
drivers/crypto/omap-aes-gcm.c
10 issues
Line: 248
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int err, assoclen;
memset(rctx->auth_tag, 0, sizeof(rctx->auth_tag));
memcpy(rctx->iv + GCM_AES_IV_SIZE, &counter, 4);
err = do_encrypt_iv(req, (u32 *)rctx->auth_tag, (u32 *)rctx->iv);
if (err)
return err;
Reported by FlawFinder.
Line: 276
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct omap_aes_reqctx *rctx = aead_request_ctx(req);
memcpy(rctx->iv, req->iv, GCM_AES_IV_SIZE);
return omap_aes_gcm_crypt(req, FLAGS_ENCRYPT | FLAGS_GCM);
}
int omap_aes_gcm_decrypt(struct aead_request *req)
{
Reported by FlawFinder.
Line: 284
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct omap_aes_reqctx *rctx = aead_request_ctx(req);
memcpy(rctx->iv, req->iv, GCM_AES_IV_SIZE);
return omap_aes_gcm_crypt(req, FLAGS_GCM);
}
int omap_aes_4106gcm_encrypt(struct aead_request *req)
{
Reported by FlawFinder.
Line: 293
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct omap_aes_gcm_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
struct omap_aes_reqctx *rctx = aead_request_ctx(req);
memcpy(rctx->iv, ctx->octx.nonce, 4);
memcpy(rctx->iv + 4, req->iv, 8);
return crypto_ipsec_check_assoclen(req->assoclen) ?:
omap_aes_gcm_crypt(req, FLAGS_ENCRYPT | FLAGS_GCM |
FLAGS_RFC4106_GCM);
}
Reported by FlawFinder.
Line: 294
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct omap_aes_reqctx *rctx = aead_request_ctx(req);
memcpy(rctx->iv, ctx->octx.nonce, 4);
memcpy(rctx->iv + 4, req->iv, 8);
return crypto_ipsec_check_assoclen(req->assoclen) ?:
omap_aes_gcm_crypt(req, FLAGS_ENCRYPT | FLAGS_GCM |
FLAGS_RFC4106_GCM);
}
Reported by FlawFinder.
Line: 305
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct omap_aes_gcm_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
struct omap_aes_reqctx *rctx = aead_request_ctx(req);
memcpy(rctx->iv, ctx->octx.nonce, 4);
memcpy(rctx->iv + 4, req->iv, 8);
return crypto_ipsec_check_assoclen(req->assoclen) ?:
omap_aes_gcm_crypt(req, FLAGS_GCM | FLAGS_RFC4106_GCM);
}
Reported by FlawFinder.
Line: 306
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct omap_aes_reqctx *rctx = aead_request_ctx(req);
memcpy(rctx->iv, ctx->octx.nonce, 4);
memcpy(rctx->iv + 4, req->iv, 8);
return crypto_ipsec_check_assoclen(req->assoclen) ?:
omap_aes_gcm_crypt(req, FLAGS_GCM | FLAGS_RFC4106_GCM);
}
int omap_aes_gcm_setkey(struct crypto_aead *tfm, const u8 *key,
Reported by FlawFinder.
Line: 321
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return ret;
memcpy(ctx->octx.key, key, keylen);
ctx->octx.keylen = keylen;
return 0;
}
Reported by FlawFinder.
Line: 341
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return ret;
memcpy(ctx->octx.key, key, keylen);
memcpy(ctx->octx.nonce, key + keylen, 4);
ctx->octx.keylen = keylen;
return 0;
}
Reported by FlawFinder.
Line: 342
Column: 2
CWE codes:
120
Suggestion:
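Make sure destination can always hold the source data. This copy also reads 4 bytes at key + keylen, which is within the caller's key only if keylen was reduced by the 4-byte nonce length before this point; that adjustment, if present, is outside this excerpt.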
return ret;
memcpy(ctx->octx.key, key, keylen);
memcpy(ctx->octx.nonce, key + keylen, 4);
ctx->octx.keylen = keylen;
return 0;
}
Reported by FlawFinder.
drivers/crypto/nx/nx-aes-xcbc.c
10 issues
Line: 43
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
memcpy(csbcpb->cpb.aes_xcbc.key, in_key, key_len);
return 0;
}
/*
Reported by FlawFinder.
Line: 71
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Change to ECB mode */
csbcpb->cpb.hdr.mode = NX_MODE_AES_ECB;
memcpy(key, csbcpb->cpb.aes_xcbc.key, AES_BLOCK_SIZE);
memcpy(csbcpb->cpb.aes_ecb.key, key, AES_BLOCK_SIZE);
NX_CPB_FDM(csbcpb) |= NX_FDM_ENDE_ENCRYPT;
/* K1 and K3 base patterns */
memset(keys[0], 0x01, sizeof(keys[0]));
Reported by FlawFinder.
Line: 72
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Change to ECB mode */
csbcpb->cpb.hdr.mode = NX_MODE_AES_ECB;
memcpy(key, csbcpb->cpb.aes_xcbc.key, AES_BLOCK_SIZE);
memcpy(csbcpb->cpb.aes_ecb.key, key, AES_BLOCK_SIZE);
NX_CPB_FDM(csbcpb) |= NX_FDM_ENDE_ENCRYPT;
/* K1 and K3 base patterns */
memset(keys[0], 0x01, sizeof(keys[0]));
memset(keys[1], 0x03, sizeof(keys[1]));
Reported by FlawFinder.
Line: 107
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = sizeof(keys[1]);
/* Encrypt the final result */
memcpy(csbcpb->cpb.aes_ecb.key, keys[0], AES_BLOCK_SIZE);
in_sg = nx_build_sg_list(nx_ctx->in_sg, (u8 *) keys[1], &len,
nx_ctx->ap->sglen);
if (len != sizeof(keys[1]))
return -EINVAL;
Reported by FlawFinder.
Line: 132
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
out:
/* Restore XCBC mode */
csbcpb->cpb.hdr.mode = NX_MODE_AES_XCBC_MAC;
memcpy(csbcpb->cpb.aes_xcbc.key, key, AES_BLOCK_SIZE);
NX_CPB_FDM(csbcpb) &= ~NX_FDM_ENDE_ENCRYPT;
return rc;
}
Reported by FlawFinder.
Line: 190
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* 2: > AES_BLOCK_SIZE: process X blocks, copy in leftover
*/
if (total <= AES_BLOCK_SIZE) {
memcpy(sctx->buffer + sctx->count, data, len);
sctx->count += len;
goto out;
}
in_sg = nx_ctx->in_sg;
Reported by FlawFinder.
Line: 257
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* we've hit the nx chip previously and we're updating again,
* so copy over the partial digest */
if (NX_CPB_FDM(csbcpb) & NX_FDM_CONTINUATION) {
memcpy(csbcpb->cpb.aes_xcbc.cv,
csbcpb->cpb.aes_xcbc.out_cv_mac,
AES_BLOCK_SIZE);
}
NX_CPB_FDM(csbcpb) |= NX_FDM_INTERMEDIATE;
Reported by FlawFinder.
Line: 284
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} while (leftover > AES_BLOCK_SIZE);
/* copy the leftover back into the state struct */
memcpy(sctx->buffer, data, leftover);
sctx->count = leftover;
out:
spin_unlock_irqrestore(&nx_ctx->lock, irq_flags);
return rc;
Reported by FlawFinder.
Line: 307
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (NX_CPB_FDM(csbcpb) & NX_FDM_CONTINUATION) {
/* we've hit the nx chip previously, now we're finalizing,
* so copy over the partial digest */
memcpy(csbcpb->cpb.aes_xcbc.cv,
csbcpb->cpb.aes_xcbc.out_cv_mac, AES_BLOCK_SIZE);
} else if (sctx->count == 0) {
/*
* we've never seen an update, so this is a 0 byte op. The
* hardware cannot handle a 0 byte op, so just ECB to
Reported by FlawFinder.
Line: 355
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
atomic_inc(&(nx_ctx->stats->aes_ops));
memcpy(out, csbcpb->cpb.aes_xcbc.out_cv_mac, AES_BLOCK_SIZE);
out:
spin_unlock_irqrestore(&nx_ctx->lock, irq_flags);
return rc;
}
Reported by FlawFinder.
drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
10 issues
Line: 459
Column: 3
CWE codes:
120
Suggestion:
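Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). eng_type is declared as char[8] in this function (see the entry for line 453), so the copy is in bounds only while every string returned by get_eng_type_str() is at most 7 characters; in kernel code strscpy(eng_type, get_eng_type_str(e), sizeof(eng_type)) makes that bound explicit.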
INIT_LIST_HEAD(&fw_info->ucodes);
for (e = 1; e < OTX2_CPT_MAX_ENG_TYPES; e++) {
strcpy(eng_type, get_eng_type_str(e));
for (i = 0; i < strlen(eng_type); i++)
eng_type[i] = tolower(eng_type[i]);
snprintf(filename, sizeof(filename), "mrvl/cpt%02d/%s.out",
pdev->revision, eng_type);
Reported by FlawFinder.
Line: 122
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int *ucode_type)
{
struct otx2_cptpf_dev *cptpf = dev_get_drvdata(dev);
char ver_str_prefix[OTX2_CPT_UCODE_VER_STR_SZ];
char tmp_ver_str[OTX2_CPT_UCODE_VER_STR_SZ];
struct pci_dev *pdev = cptpf->pdev;
int i, val = 0;
u8 nn;
Reported by FlawFinder.
Line: 123
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct otx2_cptpf_dev *cptpf = dev_get_drvdata(dev);
char ver_str_prefix[OTX2_CPT_UCODE_VER_STR_SZ];
char tmp_ver_str[OTX2_CPT_UCODE_VER_STR_SZ];
struct pci_dev *pdev = cptpf->pdev;
int i, val = 0;
u8 nn;
strlcpy(tmp_ver_str, ucode_hdr->ver_str, OTX2_CPT_UCODE_VER_STR_SZ);
Reported by FlawFinder.
Line: 132
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < strlen(tmp_ver_str); i++)
tmp_ver_str[i] = tolower(tmp_ver_str[i]);
sprintf(ver_str_prefix, "ocpt-%02d", pdev->revision);
if (!strnstr(tmp_ver_str, ver_str_prefix, OTX2_CPT_UCODE_VER_STR_SZ))
return -EINVAL;
nn = ucode_hdr->ver_num.nn;
if (strnstr(tmp_ver_str, "se-", OTX2_CPT_UCODE_VER_STR_SZ) &&
Reported by FlawFinder.
Line: 389
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
set_ucode_filename(&uc_info->ucode, filename);
memcpy(uc_info->ucode.ver_str, ucode_hdr->ver_str,
OTX2_CPT_UCODE_VER_STR_SZ);
uc_info->ucode.ver_num = ucode_hdr->ver_num;
uc_info->ucode.type = ucode_type;
uc_info->ucode.size = ucode_size;
list_add_tail(&uc_info->list, &fw_info->ucodes);
Reported by FlawFinder.
Line: 452
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int cpt_ucode_load_fw(struct pci_dev *pdev, struct fw_info_t *fw_info)
{
char filename[OTX2_CPT_NAME_LENGTH];
char eng_type[8] = {0};
int ret, e, i;
INIT_LIST_HEAD(&fw_info->ucodes);
Reported by FlawFinder.
Line: 453
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int cpt_ucode_load_fw(struct pci_dev *pdev, struct fw_info_t *fw_info)
{
char filename[OTX2_CPT_NAME_LENGTH];
char eng_type[8] = {0};
int ret, e, i;
INIT_LIST_HEAD(&fw_info->ucodes);
for (e = 1; e < OTX2_CPT_MAX_ENG_TYPES; e++) {
Reported by FlawFinder.
Line: 696
Column: 2
CWE codes:
120
Suggestion:
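Make sure destination can always hold the source data. The length is ucode->size and the source starts sizeof(struct otx2_cpt_ucode_hdr) bytes into the firmware data, so the copy is bounded only if that size was checked against both the allocation behind ucode->va and the length of the loaded firmware image; neither check is visible in this excerpt.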
if (!ucode->va)
return -ENOMEM;
memcpy(ucode->va, ucode_data + sizeof(struct otx2_cpt_ucode_hdr),
ucode->size);
/* Byte swap 64-bit */
for (i = 0; i < (ucode->size / 8); i++)
cpu_to_be64s(&((u64 *)ucode->va)[i]);
Reported by FlawFinder.
Line: 129
Column: 18
CWE codes:
126
u8 nn;
strlcpy(tmp_ver_str, ucode_hdr->ver_str, OTX2_CPT_UCODE_VER_STR_SZ);
for (i = 0; i < strlen(tmp_ver_str); i++)
tmp_ver_str[i] = tolower(tmp_ver_str[i]);
sprintf(ver_str_prefix, "ocpt-%02d", pdev->revision);
if (!strnstr(tmp_ver_str, ver_str_prefix, OTX2_CPT_UCODE_VER_STR_SZ))
return -EINVAL;
Reported by FlawFinder.
Line: 460
Column: 19
CWE codes:
126
for (e = 1; e < OTX2_CPT_MAX_ENG_TYPES; e++) {
strcpy(eng_type, get_eng_type_str(e));
for (i = 0; i < strlen(eng_type); i++)
eng_type[i] = tolower(eng_type[i]);
snprintf(filename, sizeof(filename), "mrvl/cpt%02d/%s.out",
pdev->revision, eng_type);
/* Request firmware for each engine type */
Reported by FlawFinder.
drivers/acpi/device_sysfs.c
10 issues
Line: 30
Column: 11
CWE codes:
120
Suggestion:
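Use sprintf_s, snprintf, or vsnprintf. sprintf_s is not available in kernel code. If buf is the page-sized buffer passed to a sysfs show callback, as the file name suggests, sysfs_emit() is the kernel's bounded helper for it; the %s here formats a path string whose length this excerpt does not bound.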
if (result)
return result;
result = sprintf(buf, "%s\n", (char *)path.pointer);
kfree(path.pointer);
return result;
}
struct acpi_data_node_attr {
Reported by FlawFinder.
Line: 351
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret)
return ret;
return sprintf(buf, "%s\n", acpi_power_state_string(state));
}
static DEVICE_ATTR_RO(real_power_state);
static ssize_t power_state_show(struct device *dev,
Reported by FlawFinder.
Line: 361
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct acpi_device *adev = to_acpi_device(dev);
return sprintf(buf, "%s\n", acpi_power_state_string(adev->power.state));
}
static DEVICE_ATTR_RO(power_state);
static ssize_t
Reported by FlawFinder.
Line: 403
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct acpi_device *acpi_dev = to_acpi_device(dev);
return sprintf(buf, "%s\n", acpi_device_hid(acpi_dev));
}
static DEVICE_ATTR_RO(hid);
static ssize_t uid_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 412
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct acpi_device *acpi_dev = to_acpi_device(dev);
return sprintf(buf, "%s\n", acpi_dev->pnp.unique_id);
}
static DEVICE_ATTR_RO(uid);
static ssize_t adr_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 422
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct acpi_device *acpi_dev = to_acpi_device(dev);
if (acpi_dev->pnp.bus_address > U32_MAX)
return sprintf(buf, "0x%016llx\n", acpi_dev->pnp.bus_address);
else
return sprintf(buf, "0x%08llx\n", acpi_dev->pnp.bus_address);
}
static DEVICE_ATTR_RO(adr);
Reported by FlawFinder.
Line: 424
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (acpi_dev->pnp.bus_address > U32_MAX)
return sprintf(buf, "0x%016llx\n", acpi_dev->pnp.bus_address);
else
return sprintf(buf, "0x%08llx\n", acpi_dev->pnp.bus_address);
}
static DEVICE_ATTR_RO(adr);
static ssize_t path_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 476
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ACPI_FAILURE(status))
return -EIO;
return sprintf(buf, "%llu\n", sun);
}
static DEVICE_ATTR_RO(sun);
static ssize_t
hrv_show(struct device *dev, struct device_attribute *attr,
Reported by FlawFinder.
Line: 492
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ACPI_FAILURE(status))
return -EIO;
return sprintf(buf, "%llu\n", hrv);
}
static DEVICE_ATTR_RO(hrv);
static ssize_t status_show(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 507
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ACPI_FAILURE(status))
return -EIO;
return sprintf(buf, "%llu\n", sta);
}
static DEVICE_ATTR_RO(status);
/**
* acpi_device_setup_files - Create sysfs attributes of an ACPI device.
Reported by FlawFinder.
drivers/acpi/scan.c
10 issues
Line: 1125
Column: 3
CWE codes:
120
Suggestion:
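Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The source here is the local bus_id, declared as char[5] and filled through an acpi_buffer of length sizeof(bus_id) (see the entries for lines 1091 and 1114), so at most 5 bytes are copied as long as it stays NUL-terminated; the size of the destination device->pnp.bus_id is not shown in these excerpts.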
else
break;
}
strcpy(device->pnp.bus_id, bus_id);
break;
}
}
/*
Reported by FlawFinder.
Line: 1373
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
acpi_object_is_system_bus(handle)) {
/* \_SB, \_TZ, LNXSYBUS */
acpi_add_id(pnp, ACPI_BUS_HID);
strcpy(pnp->device_name, ACPI_BUS_DEVICE_NAME);
strcpy(pnp->device_class, ACPI_BUS_CLASS);
}
break;
case ACPI_BUS_TYPE_POWER:
Reported by FlawFinder.
Line: 1374
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* \_SB, \_TZ, LNXSYBUS */
acpi_add_id(pnp, ACPI_BUS_HID);
strcpy(pnp->device_name, ACPI_BUS_DEVICE_NAME);
strcpy(pnp->device_class, ACPI_BUS_CLASS);
}
break;
case ACPI_BUS_TYPE_POWER:
acpi_add_id(pnp, ACPI_POWER_HID);
Reported by FlawFinder.
Line: 986
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void acpi_bus_init_power_state(struct acpi_device *device, int state)
{
struct acpi_device_power_state *ps = &device->power.states[state];
char pathname[5] = { '_', 'P', 'R', '0' + state, '\0' };
struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };
acpi_status status;
INIT_LIST_HEAD(&ps->resources);
Reported by FlawFinder.
Line: 1091
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void acpi_device_get_busid(struct acpi_device *device)
{
char bus_id[5] = { '?', 0 };
struct acpi_buffer buffer = { sizeof(bus_id), bus_id };
int i = 0;
/*
* Bus ID
Reported by FlawFinder.
Line: 1102
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
* TBD: Shouldn't this value be unique (within the ACPI namespace)?
*/
if (ACPI_IS_ROOT_DEVICE(device)) {
strcpy(device->pnp.bus_id, "ACPI");
return;
}
switch (device->device_type) {
case ACPI_BUS_TYPE_POWER_BUTTON:
Reported by FlawFinder.
Line: 1108
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
switch (device->device_type) {
case ACPI_BUS_TYPE_POWER_BUTTON:
strcpy(device->pnp.bus_id, "PWRF");
break;
case ACPI_BUS_TYPE_SLEEP_BUTTON:
strcpy(device->pnp.bus_id, "SLPF");
break;
case ACPI_BUS_TYPE_ECDT_EC:
Reported by FlawFinder.
Line: 1111
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(device->pnp.bus_id, "PWRF");
break;
case ACPI_BUS_TYPE_SLEEP_BUTTON:
strcpy(device->pnp.bus_id, "SLPF");
break;
case ACPI_BUS_TYPE_ECDT_EC:
strcpy(device->pnp.bus_id, "ECDT");
break;
default:
Reported by FlawFinder.
Line: 1114
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(device->pnp.bus_id, "SLPF");
break;
case ACPI_BUS_TYPE_ECDT_EC:
strcpy(device->pnp.bus_id, "ECDT");
break;
default:
acpi_get_name(device->handle, ACPI_SINGLE_NAME, &buffer);
/* Clean up trailing underscores (if any) */
for (i = 3; i > 1; i--) {
Reported by FlawFinder.
Line: 1282
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static bool acpi_ibm_smbus_match(acpi_handle handle)
{
char node_name[ACPI_PATH_SEGMENT_LENGTH];
struct acpi_buffer path = { sizeof(node_name), node_name };
if (!dmi_name_in_vendors("IBM"))
return false;
Reported by FlawFinder.
drivers/auxdisplay/panel.c
10 issues
Line: 157
Column: 4
CWE codes:
119
120
Suggestion:
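Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. These three fields are marked __nonstring: they are fixed-size byte arrays that may legitimately lack a NUL terminator, so any code reading them must use the array size rather than strlen() or %s.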
int release_data;
} std;
struct { /* valid when type == INPUT_TYPE_KBD */
char press_str[sizeof(void *) + sizeof(int)] __nonstring;
char repeat_str[sizeof(void *) + sizeof(int)] __nonstring;
char release_str[sizeof(void *) + sizeof(int)] __nonstring;
} kbd;
} u;
};
Reported by FlawFinder.
Line: 158
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} std;
struct { /* valid when type == INPUT_TYPE_KBD */
char press_str[sizeof(void *) + sizeof(int)] __nonstring;
char repeat_str[sizeof(void *) + sizeof(int)] __nonstring;
char release_str[sizeof(void *) + sizeof(int)] __nonstring;
} kbd;
} u;
};
Reported by FlawFinder.
Line: 159
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct { /* valid when type == INPUT_TYPE_KBD */
char press_str[sizeof(void *) + sizeof(int)] __nonstring;
char repeat_str[sizeof(void *) + sizeof(int)] __nonstring;
char release_str[sizeof(void *) + sizeof(int)] __nonstring;
} kbd;
} u;
};
static LIST_HEAD(logical_inputs); /* list of all defined logical inputs */
Reported by FlawFinder.
Line: 193
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool enabled;
} keypad;
static char keypad_buffer[KEYPAD_BUFFER];
static int keypad_buflen;
static int keypad_start;
static char keypressed;
static wait_queue_head_t keypad_read_wait;
Reported by FlawFinder.
Line: 250
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define LCD_PORT_D 1
#define LCD_PORTS 2
static unsigned char lcd_bits[LCD_PORTS][LCD_BITS][BIT_STATES];
/*
* LCD protocols
*/
#define LCD_PROTO_PARALLEL 0
Reported by FlawFinder.
Line: 504
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_PARM_DESC(keypad_enabled, "Deprecated option, use keypad_type instead");
/* for some LCD drivers (ks0074) we need a charset conversion table. */
static const unsigned char lcd_char_conv_ks0074[256] = {
/* 0|8 1|9 2|A 3|B 4|C 5|D 6|E 7|F */
/* 0x00 */ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
/* 0x08 */ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
/* 0x10 */ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
/* 0x18 */ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
Reported by FlawFinder.
Line: 573
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{"", "", "", ""}
};
static const char (*keypad_profile)[4][9] = old_keypad_profile;
static DECLARE_BITMAP(bits, LCD_BITS);
static void lcd_get_bits(unsigned int port, int *val)
{
Reported by FlawFinder.
Line: 1452
Column: 2
CWE codes:
120
key->rise_time = 1;
key->fall_time = 1;
strncpy(key->u.kbd.press_str, press, sizeof(key->u.kbd.press_str));
strncpy(key->u.kbd.repeat_str, repeat, sizeof(key->u.kbd.repeat_str));
strncpy(key->u.kbd.release_str, release,
sizeof(key->u.kbd.release_str));
list_add(&key->list, &logical_inputs);
return key;
Reported by FlawFinder.
Line: 1453
Column: 2
CWE codes:
120
key->fall_time = 1;
strncpy(key->u.kbd.press_str, press, sizeof(key->u.kbd.press_str));
strncpy(key->u.kbd.repeat_str, repeat, sizeof(key->u.kbd.repeat_str));
strncpy(key->u.kbd.release_str, release,
sizeof(key->u.kbd.release_str));
list_add(&key->list, &logical_inputs);
return key;
}
Reported by FlawFinder.
Line: 1454
Column: 2
CWE codes:
120
strncpy(key->u.kbd.press_str, press, sizeof(key->u.kbd.press_str));
strncpy(key->u.kbd.repeat_str, repeat, sizeof(key->u.kbd.repeat_str));
strncpy(key->u.kbd.release_str, release,
sizeof(key->u.kbd.release_str));
list_add(&key->list, &logical_inputs);
return key;
}
Reported by FlawFinder.
drivers/block/zram/zram_drv.c
10 issues
Line: 1021
Column: 2
CWE codes:
120
Suggestion:
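Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The source is the local array compressor, which is sized ARRAY_SIZE(zram->compressor) and filled with strlcpy (see the entry for line 1002), so it is NUL-terminated and no longer than the destination; the finding is a candidate for closing as a false positive once that is confirmed in the full function.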
return -EBUSY;
}
strcpy(zram->compressor, compressor);
up_write(&zram->init_lock);
return len;
}
static ssize_t compact_store(struct device *dev,
Reported by FlawFinder.
Line: 427
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
down_read(&zram->init_lock);
file = zram->backing_dev;
if (!file) {
memcpy(buf, "none\n", 5);
up_read(&zram->init_lock);
return 5;
}
p = file_path(file, buf, PAGE_SIZE - 1);
Reported by FlawFinder.
Line: 1002
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device_attribute *attr, const char *buf, size_t len)
{
struct zram *zram = dev_to_zram(dev);
char compressor[ARRAY_SIZE(zram->compressor)];
size_t sz;
strlcpy(compressor, buf, sizeof(compressor));
/* ignore trailing newline */
sz = strlen(compressor);
Reported by FlawFinder.
Line: 1271
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src = zs_map_object(zram->mem_pool, handle, ZS_MM_RO);
if (size == PAGE_SIZE) {
dst = kmap_atomic(page);
memcpy(dst, src, PAGE_SIZE);
kunmap_atomic(dst);
ret = 0;
} else {
dst = kmap_atomic(page);
ret = zcomp_decompress(zstrm, src, size, dst);
Reported by FlawFinder.
Line: 1312
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void *dst = kmap_atomic(bvec->bv_page);
void *src = kmap_atomic(page);
memcpy(dst + bvec->bv_offset, src + offset, bvec->bv_len);
kunmap_atomic(src);
kunmap_atomic(dst);
}
out:
if (is_partial_io(bvec))
Reported by FlawFinder.
Line: 1405
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src = zstrm->buffer;
if (comp_len == PAGE_SIZE)
src = kmap_atomic(page);
memcpy(dst, src, comp_len);
if (comp_len == PAGE_SIZE)
kunmap_atomic(src);
zcomp_stream_put(zram->comp);
zs_unmap_object(zram->mem_pool, handle);
Reported by FlawFinder.
Line: 1465
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src = kmap_atomic(bvec->bv_page);
dst = kmap_atomic(page);
memcpy(dst + offset, src + bvec->bv_offset, bvec->bv_len);
kunmap_atomic(dst);
kunmap_atomic(src);
vec.bv_page = page;
vec.bv_len = PAGE_SIZE;
Reported by FlawFinder.
Line: 438
Column: 8
CWE codes:
126
goto out;
}
ret = strlen(p);
memmove(buf, p, ret);
buf[ret++] = '\n';
out:
up_read(&zram->init_lock);
return ret;
Reported by FlawFinder.
Line: 473
Column: 7
CWE codes:
126
strlcpy(file_name, buf, PATH_MAX);
/* ignore trailing newline */
sz = strlen(file_name);
if (sz > 0 && file_name[sz - 1] == '\n')
file_name[sz - 1] = 0x00;
backing_dev = filp_open(file_name, O_RDWR|O_LARGEFILE, 0);
if (IS_ERR(backing_dev)) {
Reported by FlawFinder.
Line: 1007
Column: 7
CWE codes:
126
strlcpy(compressor, buf, sizeof(compressor));
/* ignore trailing newline */
sz = strlen(compressor);
if (sz > 0 && compressor[sz - 1] == '\n')
compressor[sz - 1] = 0x00;
if (!zcomp_available_algorithm(compressor))
return -EINVAL;
Reported by FlawFinder.