The following issues were found
drivers/rtc/rtc-abx80x.c
9 issues
Line: 170
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int abx80x_rtc_read_time(struct device *dev, struct rtc_time *tm)
{
struct i2c_client *client = to_i2c_client(dev);
unsigned char buf[8];
int err, flags, rc_mode = 0;
/* Read the Oscillator Failure only in XT mode */
rc_mode = abx80x_is_rc_mode(client);
if (rc_mode < 0)
Reported by FlawFinder.
Line: 210
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int abx80x_rtc_set_time(struct device *dev, struct rtc_time *tm)
{
struct i2c_client *client = to_i2c_client(dev);
unsigned char buf[8];
int err, flags;
if (tm->tm_year < 100)
return -EINVAL;
Reported by FlawFinder.
Line: 276
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int abx80x_read_alarm(struct device *dev, struct rtc_wkalrm *t)
{
struct i2c_client *client = to_i2c_client(dev);
unsigned char buf[7];
int irq_mask, err;
if (client->irq <= 0)
return -EINVAL;
Reported by FlawFinder.
Line: 420
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
autocalibration = abx80x_rtc_get_autocalibration(dev->parent);
if (autocalibration < 0) {
dev_err(dev, "Failed to read RTC autocalibration\n");
sprintf(buf, "0\n");
return autocalibration;
}
return sprintf(buf, "%d\n", autocalibration);
}
Reported by FlawFinder.
Line: 424
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return autocalibration;
}
return sprintf(buf, "%d\n", autocalibration);
}
static DEVICE_ATTR_RW(autocalibration);
static ssize_t oscillator_store(struct device *dev,
Reported by FlawFinder.
Line: 482
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
if (rc_mode)
return sprintf(buf, "rc\n");
else
return sprintf(buf, "xtal\n");
}
static DEVICE_ATTR_RW(oscillator);
Reported by FlawFinder.
Line: 484
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (rc_mode)
return sprintf(buf, "rc\n");
else
return sprintf(buf, "xtal\n");
}
static DEVICE_ATTR_RW(oscillator);
static struct attribute *rtc_calib_attrs[] = {
Reported by FlawFinder.
Line: 682
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device_node *np = client->dev.of_node;
struct abx80x_priv *priv;
int i, data, err, trickle_cfg = -EINVAL;
char buf[7];
unsigned int part = id->driver_data;
unsigned int partnumber;
unsigned int majrev, minrev;
unsigned int lot;
unsigned int wafer;
Reported by FlawFinder.
Line: 477
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (rc_mode < 0) {
dev_err(dev, "Failed to read RTC oscillator selection\n");
sprintf(buf, "\n");
return rc_mode;
}
if (rc_mode)
return sprintf(buf, "rc\n");
Reported by FlawFinder.
drivers/scsi/lpfc/lpfc_hbadisc.c
9 issues
Line: 661
CWE codes:
476
evt_listp);
spin_unlock_irq(&phba->hbalock);
free_evt = 1;
switch (evtp->evt) {
case LPFC_EVT_ELS_RETRY:
ndlp = (struct lpfc_nodelist *) (evtp->evt_arg1);
lpfc_els_retry_delay_handler(ndlp);
free_evt = 0; /* evt is part of ndlp */
/* decrement the node reference count held
Reported by Cppcheck.
Line: 2722
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
"with failover FCF (x%x)\n",
phba->fcf.current_rec.fcf_indx,
phba->fcf.failover_rec.fcf_indx);
memcpy(&phba->fcf.current_rec,
&phba->fcf.failover_rec,
sizeof(struct lpfc_fcf_rec));
/*
* Mark the fast FCF failover rediscovery completed
* and the start of the first round of the roundrobin
Reported by FlawFinder.
Line: 2875
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lpfc_unregister_fcf(phba);
/* Replace in-use record with the new record */
memcpy(&phba->fcf.current_rec, &phba->fcf.failover_rec,
sizeof(struct lpfc_fcf_rec));
lpfc_printf_log(phba, KERN_INFO, LOG_FIP,
"2783 Perform FLOGI roundrobin FCF failover: FCF "
"(x%x) to FCF (x%x)\n", current_fcf_index, fcf_index);
Reported by FlawFinder.
Line: 3264
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy((uint8_t *) &vport->fc_sparam, (uint8_t *) mp->virt,
sizeof (struct serv_parm));
ed_tov = be32_to_cpu(sp->cmn.e_d_tov);
if (sp->cmn.edtovResolution) /* E_D_TOV ticks are in nanoseconds */
ed_tov = (ed_tov + 999999) / 1000000;
Reported by FlawFinder.
Line: 3282
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fc_host_port_name(shost) = wwn_to_u64(vport->fc_portname.u.wwn);
if (vport->port_type == LPFC_PHYSICAL_PORT) {
memcpy(&phba->wwnn, &vport->fc_nodename, sizeof(phba->wwnn));
memcpy(&phba->wwpn, &vport->fc_portname, sizeof(phba->wwnn));
}
lpfc_mbuf_free(phba, mp->virt, mp->phys);
kfree(mp);
mempool_free(pmb, phba->mbox_mem_pool);
Reported by FlawFinder.
Line: 3596
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
la = (struct lpfc_mbx_read_top *) &pmb->u.mb.un.varReadTop;
attn_type = bf_get(lpfc_mbx_read_top_att_type, la);
memcpy(&phba->alpa_map[0], mp->virt, 128);
spin_lock_irqsave(shost->host_lock, iflags);
if (bf_get(lpfc_mbx_read_top_pb, la))
vport->fc_flag |= FC_BYPASSED_MODE;
else
Reported by FlawFinder.
Line: 3972
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
offset)
byte_count = sizeof(struct static_vport_info)
- offset;
memcpy(vport_buff + offset, mp->virt, byte_count);
offset += byte_count;
} else {
if (mb->un.varDmp.word_cnt >
sizeof(struct static_vport_info) - offset)
mb->un.varDmp.word_cnt =
Reported by FlawFinder.
Line: 4635
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct Scsi_Host *shost = lpfc_shost_from_vport(vport);
int old_state = ndlp->nlp_state;
int node_dropped = ndlp->nlp_flag & NLP_DROPPED;
char name1[16], name2[16];
lpfc_printf_vlog(vport, KERN_INFO, LOG_NODE,
"0904 NPort state transition x%06x, %s -> %s\n",
ndlp->nlp_DID,
lpfc_nlp_state_name(name1, sizeof(name1), old_state),
Reported by FlawFinder.
Line: 6861
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(&conn_entry->conn_rec, &conn_rec[i],
sizeof(struct lpfc_fcf_conn_rec));
list_add_tail(&conn_entry->list,
&phba->fcf_conn_rec_list);
}
Reported by FlawFinder.
drivers/net/wireless/intersil/p54/p54usb.c
9 issues
Line: 517
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return -ENOMEM;
left = block_size = min_t(size_t, P54U_FW_BLOCK, priv->fw->size);
strcpy(buf, p54u_firmware_upload_3887);
left -= strlen(p54u_firmware_upload_3887);
tmp += strlen(p54u_firmware_upload_3887);
data = priv->fw->data;
remains = priv->fw->size;
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 intf;
enum p54u_hw_type type;
const char *fw;
char hw[20];
} p54u_fwlist[__NUM_P54U_HWTYPES] = {
{
.type = P54U_NET2280,
.intf = FW_LM86,
.fw = "isl3886usb",
Reported by FlawFinder.
Line: 525
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
remains = priv->fw->size;
hdr = (struct x2_header *)(buf + strlen(p54u_firmware_upload_3887));
memcpy(hdr->signature, X2_SIGNATURE, X2_SIGNATURE_SIZE);
hdr->fw_load_addr = cpu_to_le32(ISL38XX_DEV_FIRMWARE_ADDR);
hdr->fw_length = cpu_to_le32(priv->fw->size);
hdr->crc = cpu_to_le32(~crc32_le(~0, (void *)&hdr->fw_load_addr,
sizeof(u32)*2));
left -= sizeof(*hdr);
Reported by FlawFinder.
Line: 745
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (remains) {
unsigned int block_len = min(remains, (unsigned int)512);
memcpy(buf, data, block_len);
err = p54u_bulk_msg(priv, P54U_PIPE_DATA, buf, block_len);
if (err) {
dev_err(&priv->udev->dev, "(p54usb) firmware block "
"upload failed\n");
Reported by FlawFinder.
Line: 430
Column: 21
CWE codes:
120
20
read->addr = addr;
err = usb_bulk_msg(priv->udev, usb_sndbulkpipe(priv->udev, ep),
read, sizeof(*read), &alen, 1000);
if (err)
return err;
err = usb_bulk_msg(priv->udev, usb_rcvbulkpipe(priv->udev, ep),
reg, sizeof(*reg), &alen, 1000);
Reported by FlawFinder.
Line: 430
Column: 7
CWE codes:
120
20
read->addr = addr;
err = usb_bulk_msg(priv->udev, usb_sndbulkpipe(priv->udev, ep),
read, sizeof(*read), &alen, 1000);
if (err)
return err;
err = usb_bulk_msg(priv->udev, usb_rcvbulkpipe(priv->udev, ep),
reg, sizeof(*reg), &alen, 1000);
Reported by FlawFinder.
Line: 518
Column: 10
CWE codes:
126
left = block_size = min_t(size_t, P54U_FW_BLOCK, priv->fw->size);
strcpy(buf, p54u_firmware_upload_3887);
left -= strlen(p54u_firmware_upload_3887);
tmp += strlen(p54u_firmware_upload_3887);
data = priv->fw->data;
remains = priv->fw->size;
Reported by FlawFinder.
Line: 519
Column: 9
CWE codes:
126
left = block_size = min_t(size_t, P54U_FW_BLOCK, priv->fw->size);
strcpy(buf, p54u_firmware_upload_3887);
left -= strlen(p54u_firmware_upload_3887);
tmp += strlen(p54u_firmware_upload_3887);
data = priv->fw->data;
remains = priv->fw->size;
hdr = (struct x2_header *)(buf + strlen(p54u_firmware_upload_3887));
Reported by FlawFinder.
Line: 524
Column: 35
CWE codes:
126
data = priv->fw->data;
remains = priv->fw->size;
hdr = (struct x2_header *)(buf + strlen(p54u_firmware_upload_3887));
memcpy(hdr->signature, X2_SIGNATURE, X2_SIGNATURE_SIZE);
hdr->fw_load_addr = cpu_to_le32(ISL38XX_DEV_FIRMWARE_ADDR);
hdr->fw_length = cpu_to_le32(priv->fw->size);
hdr->crc = cpu_to_le32(~crc32_le(~0, (void *)&hdr->fw_load_addr,
sizeof(u32)*2));
Reported by FlawFinder.
drivers/scsi/aic94xx/aic94xx_sds.c
9 issues
Line: 28
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} __attribute__ ((packed));
struct asd_ocm_dir {
char sig[2];
u8 _r1[2];
u8 major; /* 0 */
u8 minor; /* 0 */
u8 _r2;
u8 num_de;
Reported by FlawFinder.
Line: 92
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct asd_bios_chim_struct {
char sig[4];
u8 major; /* 1 */
u8 minor; /* 0 */
u8 bios_major;
u8 bios_minor;
__le32 bios_build;
Reported by FlawFinder.
Line: 399
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} __attribute__ ((packed));
struct asd_manuf_sec {
char sig[2]; /* 'S', 'M' */
u16 offs_next;
u8 maj; /* 0 */
u8 min; /* 0 */
u16 chksum;
u16 size;
Reported by FlawFinder.
Line: 426
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} __attribute__ ((packed));
struct asd_manuf_phy_param {
char sig[2]; /* 'P', 'M' */
u16 next;
u8 maj; /* 0 */
u8 min; /* 2 */
u8 num_phy_desc; /* 8 */
u8 phy_desc_size; /* 8 */
Reported by FlawFinder.
Line: 510
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} __attribute__ ((packed));
struct asd_ms_conn_map {
char sig[2]; /* 'M', 'C' */
__le16 next;
u8 maj; /* 0 */
u8 min; /* 0 */
__le16 cm_size; /* size of this struct */
u8 num_conn;
Reported by FlawFinder.
Line: 691
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static int asd_ms_get_sas_addr(struct asd_ha_struct *asd_ha,
struct asd_manuf_sec *ms)
{
memcpy(asd_ha->hw_prof.sas_addr, ms->sas_addr, SAS_ADDR_SIZE);
return 0;
}
static int asd_ms_get_pcba_sn(struct asd_ha_struct *asd_ha,
struct asd_manuf_sec *ms)
Reported by FlawFinder.
Line: 698
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static int asd_ms_get_pcba_sn(struct asd_ha_struct *asd_ha,
struct asd_manuf_sec *ms)
{
memcpy(asd_ha->hw_prof.pcba_sn, ms->pcba_sn, ASD_PCBA_SN_SIZE);
asd_ha->hw_prof.pcba_sn[ASD_PCBA_SN_SIZE] = '\0';
return 0;
}
/**
Reported by FlawFinder.
Line: 935
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
continue;
}
/* This is the SAS address which should be sent in IDENTIFY. */
memcpy(asd_ha->hw_prof.phy_desc[i].sas_addr, pe->sas_addr,
SAS_ADDR_SIZE);
asd_ha->hw_prof.phy_desc[i].max_sas_lrate =
(pe->sas_link_rates & 0xF0) >> 4;
asd_ha->hw_prof.phy_desc[i].min_sas_lrate =
(pe->sas_link_rates & 0x0F);
Reported by FlawFinder.
Line: 982
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dflt_ps.id0 = 'h';
dflt_ps.num_phys = 8;
for (i =0; i < ASD_MAX_PHYS; i++) {
memcpy(dflt_ps.phy_ent[i].sas_addr,
asd_ha->hw_prof.sas_addr, SAS_ADDR_SIZE);
dflt_ps.phy_ent[i].sas_link_rates = 0x98;
dflt_ps.phy_ent[i].flags = 0x0;
dflt_ps.phy_ent[i].sata_link_rates = 0x0;
}
Reported by FlawFinder.
drivers/regulator/virtual.c
9 issues
Line: 111
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct virtual_consumer_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", data->min_uV);
}
static ssize_t set_min_uV(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 137
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct virtual_consumer_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", data->max_uV);
}
static ssize_t set_max_uV(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 163
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct virtual_consumer_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", data->min_uA);
}
static ssize_t set_min_uA(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 189
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct virtual_consumer_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", data->max_uA);
}
static ssize_t set_max_uA(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 218
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (data->mode) {
case REGULATOR_MODE_FAST:
return sprintf(buf, "fast\n");
case REGULATOR_MODE_NORMAL:
return sprintf(buf, "normal\n");
case REGULATOR_MODE_IDLE:
return sprintf(buf, "idle\n");
case REGULATOR_MODE_STANDBY:
Reported by FlawFinder.
Line: 220
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case REGULATOR_MODE_FAST:
return sprintf(buf, "fast\n");
case REGULATOR_MODE_NORMAL:
return sprintf(buf, "normal\n");
case REGULATOR_MODE_IDLE:
return sprintf(buf, "idle\n");
case REGULATOR_MODE_STANDBY:
return sprintf(buf, "standby\n");
default:
Reported by FlawFinder.
Line: 222
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case REGULATOR_MODE_NORMAL:
return sprintf(buf, "normal\n");
case REGULATOR_MODE_IDLE:
return sprintf(buf, "idle\n");
case REGULATOR_MODE_STANDBY:
return sprintf(buf, "standby\n");
default:
return sprintf(buf, "unknown\n");
}
Reported by FlawFinder.
Line: 224
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case REGULATOR_MODE_IDLE:
return sprintf(buf, "idle\n");
case REGULATOR_MODE_STANDBY:
return sprintf(buf, "standby\n");
default:
return sprintf(buf, "unknown\n");
}
}
Reported by FlawFinder.
Line: 226
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case REGULATOR_MODE_STANDBY:
return sprintf(buf, "standby\n");
default:
return sprintf(buf, "unknown\n");
}
}
static ssize_t set_mode(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/scsi/fnic/fnic_debugfs.c
9 issues
Line: 116
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char __user *ubuf,
size_t cnt, loff_t *ppos)
{
char buf[64];
int len;
u8 *trace_type;
len = 0;
trace_type = (u8 *)filp->private_data;
if (*trace_type == fc_trc_flag->fnic_trace)
Reported by FlawFinder.
Line: 122
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len = 0;
trace_type = (u8 *)filp->private_data;
if (*trace_type == fc_trc_flag->fnic_trace)
len = sprintf(buf, "%d\n", fnic_tracing_enabled);
else if (*trace_type == fc_trc_flag->fc_trace)
len = sprintf(buf, "%d\n", fnic_fc_tracing_enabled);
else if (*trace_type == fc_trc_flag->fc_clear)
len = sprintf(buf, "%d\n", fnic_fc_trace_cleared);
else
Reported by FlawFinder.
Line: 124
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (*trace_type == fc_trc_flag->fnic_trace)
len = sprintf(buf, "%d\n", fnic_tracing_enabled);
else if (*trace_type == fc_trc_flag->fc_trace)
len = sprintf(buf, "%d\n", fnic_fc_tracing_enabled);
else if (*trace_type == fc_trc_flag->fc_clear)
len = sprintf(buf, "%d\n", fnic_fc_trace_cleared);
else
pr_err("fnic: Cannot read to any debugfs file\n");
Reported by FlawFinder.
Line: 126
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (*trace_type == fc_trc_flag->fc_trace)
len = sprintf(buf, "%d\n", fnic_fc_tracing_enabled);
else if (*trace_type == fc_trc_flag->fc_clear)
len = sprintf(buf, "%d\n", fnic_fc_trace_cleared);
else
pr_err("fnic: Cannot read to any debugfs file\n");
return simple_read_from_buffer(ubuf, cnt, ppos, buf, len);
}
Reported by FlawFinder.
Line: 154
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char __user *ubuf,
size_t cnt, loff_t *ppos)
{
char buf[64];
unsigned long val;
int ret;
u8 *trace_type;
trace_type = (u8 *)filp->private_data;
Reported by FlawFinder.
Line: 486
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct stats_debug_info *debug = file->private_data;
struct fnic *fnic = (struct fnic *)debug->i_private;
char buf[64];
int len;
len = sprintf(buf, "%u\n", fnic->reset_stats);
return simple_read_from_buffer(ubuf, cnt, ppos, buf, len);
Reported by FlawFinder.
Line: 489
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char buf[64];
int len;
len = sprintf(buf, "%u\n", fnic->reset_stats);
return simple_read_from_buffer(ubuf, cnt, ppos, buf, len);
}
/*
Reported by FlawFinder.
Line: 517
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct fnic_stats *stats = &fnic->fnic_stats;
u64 *io_stats_p = (u64 *)&stats->io_stats;
u64 *fw_stats_p = (u64 *)&stats->fw_stats;
char buf[64];
unsigned long val;
int ret;
if (cnt >= sizeof(buf))
return -EINVAL;
Reported by FlawFinder.
Line: 696
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
void fnic_stats_debugfs_init(struct fnic *fnic)
{
char name[16];
snprintf(name, sizeof(name), "host%d", fnic->lport->host->host_no);
fnic->fnic_stats_debugfs_host = debugfs_create_dir(name,
fnic_stats_debugfs_root);
Reported by FlawFinder.
drivers/scsi/bnx2fc/bnx2fc_els.c
9 issues
Line: 170
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
"beyond page size\n");
goto free_buf;
}
memcpy(buf, fc_hdr, hdr_len);
memcpy(buf + hdr_len, resp_buf, resp_len);
frame_len = hdr_len + resp_len;
bnx2fc_process_l2_frame_compl(tgt, buf, frame_len, l2_oxid);
Reported by FlawFinder.
Line: 171
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto free_buf;
}
memcpy(buf, fc_hdr, hdr_len);
memcpy(buf + hdr_len, resp_buf, resp_len);
frame_len = hdr_len + resp_len;
bnx2fc_process_l2_frame_compl(tgt, buf, frame_len, l2_oxid);
free_buf:
Reported by FlawFinder.
Line: 335
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
printk(KERN_ERR PFX "srr buf: mem alloc failure\n");
goto srr_compl_done;
}
memcpy(buf, fc_hdr, hdr_len);
memcpy(buf + hdr_len, resp_buf, resp_len);
fp = fc_frame_alloc(NULL, resp_len);
if (!fp) {
printk(KERN_ERR PFX "fc_frame_alloc failure\n");
Reported by FlawFinder.
Line: 336
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto srr_compl_done;
}
memcpy(buf, fc_hdr, hdr_len);
memcpy(buf + hdr_len, resp_buf, resp_len);
fp = fc_frame_alloc(NULL, resp_len);
if (!fp) {
printk(KERN_ERR PFX "fc_frame_alloc failure\n");
goto free_buf;
Reported by FlawFinder.
Line: 346
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fh = (struct fc_frame_header *) fc_frame_header_get(fp);
/* Copy FC Frame header and payload into the frame */
memcpy(fh, buf, hdr_len + resp_len);
opcode = fc_frame_payload_op(fp);
switch (opcode) {
case ELS_LS_ACC:
BNX2FC_IO_DBG(srr_req, "SRR success\n");
Reported by FlawFinder.
Line: 460
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
printk(KERN_ERR PFX "rec buf: mem alloc failure\n");
goto rec_compl_done;
}
memcpy(buf, fc_hdr, hdr_len);
memcpy(buf + hdr_len, resp_buf, resp_len);
fp = fc_frame_alloc(NULL, resp_len);
if (!fp) {
printk(KERN_ERR PFX "fc_frame_alloc failure\n");
Reported by FlawFinder.
Line: 461
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto rec_compl_done;
}
memcpy(buf, fc_hdr, hdr_len);
memcpy(buf + hdr_len, resp_buf, resp_len);
fp = fc_frame_alloc(NULL, resp_len);
if (!fp) {
printk(KERN_ERR PFX "fc_frame_alloc failure\n");
goto free_buf;
Reported by FlawFinder.
Line: 471
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fh = (struct fc_frame_header *) fc_frame_header_get(fp);
/* Copy FC Frame header and payload into the frame */
memcpy(fh, buf, hdr_len + resp_len);
opcode = fc_frame_payload_op(fp);
if (opcode == ELS_LS_RJT) {
BNX2FC_IO_DBG(rec_req, "opcode is RJT\n");
rjt = fc_frame_payload_get(fp, sizeof(*rjt));
Reported by FlawFinder.
Line: 739
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Fill ELS Payload */
if ((op >= ELS_LS_RJT) && (op <= ELS_AUTH_ELS)) {
memcpy(mp_req->req_buf, data, data_len);
} else {
printk(KERN_ERR PFX "Invalid ELS op 0x%x\n", op);
els_req->cb_func = NULL;
els_req->cb_arg = NULL;
spin_lock_bh(&tgt->tgt_lock);
Reported by FlawFinder.
drivers/platform/x86/asus-wmi.c
9 issues
Line: 1547
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr,
char *buf)
{
return sprintf(buf, "%s\n", ASUS_FAN_DESC);
}
static ssize_t asus_hwmon_temp1(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 295
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
status = asus_wmi_evaluate_method(ASUS_WMI_METHODID_AGFN,
phys_addr, 0, &retval);
if (!status)
memcpy(args.pointer, input.pointer, args.length);
kfree(input.pointer);
if (status)
return -ENXIO;
Reported by FlawFinder.
Line: 463
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr,
char *buf)
{
return sprintf(buf, "%d\n", charge_end_threshold);
}
static DEVICE_ATTR_RW(charge_control_end_threshold);
static int asus_wmi_battery_add(struct power_supply *battery)
Reported by FlawFinder.
Line: 1385
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* If we already set a value then just return it */
if (asus->agfn_pwm >= 0)
return sprintf(buf, "%d\n", asus->agfn_pwm);
/*
* If we haven't set already set a value through the AGFN interface,
* we read a current value through the (now-deprecated) FAN_CTRL device.
*/
Reported by FlawFinder.
Line: 1408
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
value = -1;
}
return sprintf(buf, "%d\n", value);
}
static ssize_t pwm1_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count) {
Reported by FlawFinder.
Line: 1468
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -ENXIO;
}
return sprintf(buf, "%d\n", value < 0 ? -1 : value*100);
}
static ssize_t pwm1_enable_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 1486
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* in practice on X532FL at least (the bit is always 0) and there's
* also nothing in the DSDT to indicate that this behaviour exists.
*/
return sprintf(buf, "%d\n", asus->fan_pwm_mode);
}
static ssize_t pwm1_enable_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 1562
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err < 0)
return err;
return sprintf(buf, "%ld\n",
deci_kelvin_to_millicelsius(value & 0xFFFF));
}
/* Fan1 */
static DEVICE_ATTR_RW(pwm1);
Reported by FlawFinder.
Line: 2271
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (value < 0)
return value;
return sprintf(buf, "%d\n", value);
}
#define ASUS_WMI_CREATE_DEVICE_ATTR(_name, _mode, _cm) \
static ssize_t show_##_name(struct device *dev, \
struct device_attribute *attr, \
Reported by FlawFinder.
drivers/nvme/host/core.c
9 issues
Line: 638
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (req->mq_hctx->type == HCTX_TYPE_POLL)
req->cmd_flags |= REQ_HIPRI;
nvme_clear_nvme_request(req);
memcpy(nvme_req(req)->cmd, cmd, sizeof(*cmd));
}
struct request *nvme_alloc_request(struct request_queue *q,
struct nvme_command *cmd, blk_mq_req_flags_t flags)
{
Reported by FlawFinder.
Line: 1326
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
warn_str, cur->nidl);
return -1;
}
memcpy(ids->eui64, data + sizeof(*cur), NVME_NIDT_EUI64_LEN);
return NVME_NIDT_EUI64_LEN;
case NVME_NIDT_NGUID:
if (cur->nidl != NVME_NIDT_NGUID_LEN) {
dev_warn(ctrl->device, "%s %d for NVME_NIDT_NGUID\n",
warn_str, cur->nidl);
Reported by FlawFinder.
Line: 1334
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
warn_str, cur->nidl);
return -1;
}
memcpy(ids->nguid, data + sizeof(*cur), NVME_NIDT_NGUID_LEN);
return NVME_NIDT_NGUID_LEN;
case NVME_NIDT_UUID:
if (cur->nidl != NVME_NIDT_UUID_LEN) {
dev_warn(ctrl->device, "%s %d for NVME_NIDT_UUID\n",
warn_str, cur->nidl);
Reported by FlawFinder.
Line: 1350
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
warn_str, cur->nidl);
return -1;
}
memcpy(&ids->csi, data + sizeof(*cur), NVME_NIDT_CSI_LEN);
*csi_seen = true;
return NVME_NIDT_CSI_LEN;
default:
/* Skip unknown types */
return cur->nidl;
Reported by FlawFinder.
Line: 2491
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
off = snprintf(subsys->subnqn, NVMF_NQN_SIZE,
"nqn.2014.08.org.nvmexpress:%04x%04x",
le16_to_cpu(id->vid), le16_to_cpu(id->ssvid));
memcpy(subsys->subnqn + off, id->sn, sizeof(id->sn));
off += sizeof(id->sn);
memcpy(subsys->subnqn + off, id->mn, sizeof(id->mn));
off += sizeof(id->mn);
memset(subsys->subnqn + off, 0, sizeof(subsys->subnqn) - off);
}
Reported by FlawFinder.
Line: 2493
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
le16_to_cpu(id->vid), le16_to_cpu(id->ssvid));
memcpy(subsys->subnqn + off, id->sn, sizeof(id->sn));
off += sizeof(id->sn);
memcpy(subsys->subnqn + off, id->mn, sizeof(id->mn));
off += sizeof(id->mn);
memset(subsys->subnqn + off, 0, sizeof(subsys->subnqn) - off);
}
static void nvme_release_subsystem(struct device *dev)
Reported by FlawFinder.
Line: 3763
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* subsystem instance.
*/
if (!nvme_mpath_set_disk_name(ns, disk->disk_name, &disk->flags))
sprintf(disk->disk_name, "nvme%dn%d", ctrl->instance,
ns->head->instance);
ns->disk = disk;
if (nvme_update_ns_info(ns, id))
goto out_put_disk;
Reported by FlawFinder.
Line: 4143
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void nvme_aen_uevent(struct nvme_ctrl *ctrl)
{
char *envp[2] = { NULL, NULL };
u32 aen_result = ctrl->aen_result;
ctrl->aen_result = 0;
if (!aen_result)
return;
Reported by FlawFinder.
Line: 2449
Column: 13
CWE codes:
126
if (!match)
return true;
matchlen = strlen(match);
WARN_ON_ONCE(matchlen > len);
if (memcmp(idstr, match, matchlen))
return false;
Reported by FlawFinder.
drivers/s390/cio/css.c
9 issues
Line: 321
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct subchannel *sch = to_subchannel(dev);
return sprintf(buf, "%01x\n", sch->st);
}
static DEVICE_ATTR_RO(type);
static ssize_t modalias_show(struct device *dev, struct device_attribute *attr,
Reported by FlawFinder.
Line: 331
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct subchannel *sch = to_subchannel(dev);
return sprintf(buf, "css:t%01X\n", sch->st);
}
static DEVICE_ATTR_RO(modalias);
static ssize_t driver_override_store(struct device *dev,
Reported by FlawFinder.
Line: 412
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (chp = 0; chp < 8; chp++) {
mask = 0x80 >> chp;
if (ssd->path_mask & mask)
ret += sprintf(buf + ret, "%02x ", ssd->chpid[chp].id);
else
ret += sprintf(buf + ret, "00 ");
}
ret += sprintf(buf + ret, "\n");
return ret;
Reported by FlawFinder.
Line: 414
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ssd->path_mask & mask)
ret += sprintf(buf + ret, "%02x ", ssd->chpid[chp].id);
else
ret += sprintf(buf + ret, "00 ");
}
ret += sprintf(buf + ret, "\n");
return ret;
}
static DEVICE_ATTR_RO(chpids);
Reported by FlawFinder.
Line: 428
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct subchannel *sch = to_subchannel(dev);
struct pmcw *pmcw = &sch->schib.pmcw;
return sprintf(buf, "%02x %02x %02x\n",
pmcw->pim, pmcw->pam, pmcw->pom);
}
static DEVICE_ATTR_RO(pimpampom);
static struct attribute *io_subchannel_type_attrs[] = {
Reported by FlawFinder.
Line: 885
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!css->id_valid)
return -EINVAL;
return sprintf(buf, "%x\n", css->cssid);
}
static DEVICE_ATTR_RO(real_cssid);
static ssize_t cm_enable_show(struct device *dev, struct device_attribute *a,
char *buf)
Reported by FlawFinder.
Line: 896
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int ret;
mutex_lock(&css->mutex);
ret = sprintf(buf, "%x\n", css->cm_enabled);
mutex_unlock(&css->mutex);
return ret;
}
static ssize_t cm_enable_store(struct device *dev, struct device_attribute *a,
Reported by FlawFinder.
Line: 357
Column: 6
CWE codes:
126
device_lock(dev);
old = sch->driver_override;
if (strlen(driver_override)) {
sch->driver_override = driver_override;
} else {
kfree(driver_override);
sch->driver_override = NULL;
}
Reported by FlawFinder.
Line: 416
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else
ret += sprintf(buf + ret, "00 ");
}
ret += sprintf(buf + ret, "\n");
return ret;
}
static DEVICE_ATTR_RO(chpids);
static ssize_t pimpampom_show(struct device *dev,
Reported by FlawFinder.