The following issues were found
drivers/net/wireless/intel/ipw2x00/libipw_wx.c
38 issues
Line: 306
Column: 31
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
.flags = 0
};
int i, key, key_provided, len;
struct lib80211_crypt_data **crypt;
int host_crypto = ieee->host_encrypt || ieee->host_decrypt;
LIBIPW_DEBUG_WX("SET_ENCODE\n");
key = erq->flags & IW_ENCODE_INDEX;
Reported by FlawFinder.
Line: 325
Column: 28
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
LIBIPW_DEBUG_WX("Key: %d [%s]\n", key, key_provided ?
"provided" : "default");
crypt = &ieee->crypt_info.crypt[key];
if (erq->flags & IW_ENCODE_DISABLED) {
if (key_provided && *crypt) {
LIBIPW_DEBUG_WX("Disabling encryption on key %d.\n",
key);
Reported by FlawFinder.
Line: 328
Column: 24
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
crypt = &ieee->crypt_info.crypt[key];
if (erq->flags & IW_ENCODE_DISABLED) {
if (key_provided && *crypt) {
LIBIPW_DEBUG_WX("Disabling encryption on key %d.\n",
key);
lib80211_crypt_delayed_deinit(&ieee->crypt_info, crypt);
} else
LIBIPW_DEBUG_WX("Disabling encryption.\n");
Reported by FlawFinder.
Line: 331
Column: 53
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
if (key_provided && *crypt) {
LIBIPW_DEBUG_WX("Disabling encryption on key %d.\n",
key);
lib80211_crypt_delayed_deinit(&ieee->crypt_info, crypt);
} else
LIBIPW_DEBUG_WX("Disabling encryption.\n");
/* Check all the keys to see if any are still configured,
* and if no key index was provided, de-init them all */
Reported by FlawFinder.
Line: 338
Column: 25
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
/* Check all the keys to see if any are still configured,
* and if no key index was provided, de-init them all */
for (i = 0; i < WEP_KEYS; i++) {
if (ieee->crypt_info.crypt[i] != NULL) {
if (key_provided)
break;
lib80211_crypt_delayed_deinit(&ieee->crypt_info,
&ieee->crypt_info.crypt[i]);
}
Reported by FlawFinder.
Line: 342
Column: 33
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
if (key_provided)
break;
lib80211_crypt_delayed_deinit(&ieee->crypt_info,
&ieee->crypt_info.crypt[i]);
}
}
if (i == WEP_KEYS) {
sec.enabled = 0;
Reported by FlawFinder.
Line: 360
Column: 26
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
sec.encrypt = 1;
sec.flags |= SEC_ENABLED | SEC_ENCRYPT;
if (*crypt != NULL && (*crypt)->ops != NULL &&
strcmp((*crypt)->ops->name, "WEP") != 0) {
/* changing to use WEP; deinit previously used algorithm
* on this key */
lib80211_crypt_delayed_deinit(&ieee->crypt_info, crypt);
}
Reported by FlawFinder.
Line: 360
Column: 7
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
sec.encrypt = 1;
sec.flags |= SEC_ENABLED | SEC_ENCRYPT;
if (*crypt != NULL && (*crypt)->ops != NULL &&
strcmp((*crypt)->ops->name, "WEP") != 0) {
/* changing to use WEP; deinit previously used algorithm
* on this key */
lib80211_crypt_delayed_deinit(&ieee->crypt_info, crypt);
}
Reported by FlawFinder.
Line: 361
Column: 15
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
sec.flags |= SEC_ENABLED | SEC_ENCRYPT;
if (*crypt != NULL && (*crypt)->ops != NULL &&
strcmp((*crypt)->ops->name, "WEP") != 0) {
/* changing to use WEP; deinit previously used algorithm
* on this key */
lib80211_crypt_delayed_deinit(&ieee->crypt_info, crypt);
}
Reported by FlawFinder.
Line: 364
Column: 52
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
strcmp((*crypt)->ops->name, "WEP") != 0) {
/* changing to use WEP; deinit previously used algorithm
* on this key */
lib80211_crypt_delayed_deinit(&ieee->crypt_info, crypt);
}
if (*crypt == NULL && host_crypto) {
struct lib80211_crypt_data *new_crypt;
Reported by FlawFinder.
tools/testing/selftests/proc/proc-pid-vm.c
38 issues
Line: 159
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{(void *)payload, len},
};
int fd, fd1;
char buf[64];
memset(&h, 0, sizeof(h));
h.e_ident[0] = 0x7f;
h.e_ident[1] = 'E';
h.e_ident[2] = 'L';
Reported by FlawFinder.
Line: 205
Column: 8
CWE codes:
362
/* Avoid ETXTBSY on exec. */
snprintf(buf, sizeof(buf), "/proc/self/fd/%u", fd);
fd1 = open(buf, O_RDONLY|O_CLOEXEC);
close(fd);
return fd1;
}
#endif
Reported by FlawFinder.
Line: 269
Column: 6
CWE codes:
362
/* Reserve fd 0 for 1-byte pipe ping from child. */
close(0);
if (open("/", O_RDONLY|O_DIRECTORY|O_PATH) != 0) {
return 1;
}
exec_fd = make_exe(payload, sizeof(payload));
Reported by FlawFinder.
Line: 302
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
/* Generate "head -n1 /proc/$PID/maps" */
char buf0[256];
memset(buf0, ' ', sizeof(buf0));
int len = snprintf(buf0, sizeof(buf0),
"%08lx-%08lx r-xp 00000000 %02lx:%02lx %llu",
VADDR, VADDR + PAGE_SIZE,
MAJOR(st.st_dev), MINOR(st.st_dev),
Reported by FlawFinder.
Line: 316
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Test /proc/$PID/maps */
{
const size_t len = strlen(buf0) + (g_vsyscall ? strlen(str_vsyscall) : 0);
char buf[256];
ssize_t rv;
int fd;
snprintf(buf, sizeof(buf), "/proc/%u/maps", pid);
fd = open(buf, O_RDONLY);
Reported by FlawFinder.
Line: 321
Column: 8
CWE codes:
362
int fd;
snprintf(buf, sizeof(buf), "/proc/%u/maps", pid);
fd = open(buf, O_RDONLY);
if (fd == -1) {
return 1;
}
rv = read(fd, buf, sizeof(buf));
assert(rv == len);
Reported by FlawFinder.
Line: 335
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Test /proc/$PID/smaps */
{
char buf[4096];
ssize_t rv;
int fd;
snprintf(buf, sizeof(buf), "/proc/%u/smaps", pid);
fd = open(buf, O_RDONLY);
Reported by FlawFinder.
Line: 340
Column: 8
CWE codes:
362
int fd;
snprintf(buf, sizeof(buf), "/proc/%u/smaps", pid);
fd = open(buf, O_RDONLY);
if (fd == -1) {
return 1;
}
rv = read(fd, buf, sizeof(buf));
assert(0 <= rv && rv <= sizeof(buf));
Reported by FlawFinder.
Line: 382
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Test /proc/$PID/smaps_rollup */
{
char bufr[256];
memset(bufr, ' ', sizeof(bufr));
len = snprintf(bufr, sizeof(bufr),
"%08lx-%08lx ---p 00000000 00:00 0",
VADDR, VADDR + PAGE_SIZE);
bufr[len] = ' ';
Reported by FlawFinder.
Line: 391
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
snprintf(bufr + MAPS_OFFSET, sizeof(bufr) - MAPS_OFFSET,
"[rollup]\n");
char buf[1024];
ssize_t rv;
int fd;
snprintf(buf, sizeof(buf), "/proc/%u/smaps_rollup", pid);
fd = open(buf, O_RDONLY);
Reported by FlawFinder.
drivers/net/wireless/ath/ath6kl/wmi.c
38 issues
Line: 192
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
eth_hdr->h_proto = cpu_to_be16(new_len);
memcpy(datap, eth_hdr, sizeof(*eth_hdr));
llc_hdr = (struct ath6kl_llc_snap_hdr *)(datap + sizeof(*eth_hdr));
llc_hdr->dsap = 0xAA;
llc_hdr->ssap = 0xAA;
llc_hdr->cntl = 0x03;
Reported by FlawFinder.
Line: 226
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case WMI_META_VERSION_2:
skb_push(skb, WMI_MAX_TX_META_SZ);
v2 = (struct wmi_tx_meta_v2 *) skb->data;
memcpy(v2, (struct wmi_tx_meta_v2 *) tx_meta_info,
sizeof(struct wmi_tx_meta_v2));
break;
}
return 0;
Reported by FlawFinder.
Line: 405
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sub_type = pwh->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE);
memcpy((u8 *) &wh, datap, sizeof(struct ieee80211_hdr_3addr));
/* Strip off the 802.11 header */
if (sub_type == cpu_to_le16(IEEE80211_STYPE_QOS_DATA)) {
hdr_size = roundup(sizeof(struct ieee80211_qos_hdr),
sizeof(u32));
Reported by FlawFinder.
Line: 425
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch ((le16_to_cpu(wh.frame_control)) &
(IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS)) {
case IEEE80211_FCTL_TODS:
memcpy(eth_hdr.h_dest, wh.addr3, ETH_ALEN);
memcpy(eth_hdr.h_source, wh.addr2, ETH_ALEN);
break;
case IEEE80211_FCTL_FROMDS:
memcpy(eth_hdr.h_dest, wh.addr1, ETH_ALEN);
memcpy(eth_hdr.h_source, wh.addr3, ETH_ALEN);
Reported by FlawFinder.
Line: 426
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS)) {
case IEEE80211_FCTL_TODS:
memcpy(eth_hdr.h_dest, wh.addr3, ETH_ALEN);
memcpy(eth_hdr.h_source, wh.addr2, ETH_ALEN);
break;
case IEEE80211_FCTL_FROMDS:
memcpy(eth_hdr.h_dest, wh.addr1, ETH_ALEN);
memcpy(eth_hdr.h_source, wh.addr3, ETH_ALEN);
break;
Reported by FlawFinder.
Line: 429
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(eth_hdr.h_source, wh.addr2, ETH_ALEN);
break;
case IEEE80211_FCTL_FROMDS:
memcpy(eth_hdr.h_dest, wh.addr1, ETH_ALEN);
memcpy(eth_hdr.h_source, wh.addr3, ETH_ALEN);
break;
case IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS:
break;
default:
Reported by FlawFinder.
Line: 430
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case IEEE80211_FCTL_FROMDS:
memcpy(eth_hdr.h_dest, wh.addr1, ETH_ALEN);
memcpy(eth_hdr.h_source, wh.addr3, ETH_ALEN);
break;
case IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS:
break;
default:
memcpy(eth_hdr.h_dest, wh.addr1, ETH_ALEN);
Reported by FlawFinder.
Line: 435
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS:
break;
default:
memcpy(eth_hdr.h_dest, wh.addr1, ETH_ALEN);
memcpy(eth_hdr.h_source, wh.addr2, ETH_ALEN);
break;
}
skb_pull(skb, sizeof(struct ath6kl_llc_snap_hdr));
Reported by FlawFinder.
Line: 436
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
default:
memcpy(eth_hdr.h_dest, wh.addr1, ETH_ALEN);
memcpy(eth_hdr.h_source, wh.addr2, ETH_ALEN);
break;
}
skb_pull(skb, sizeof(struct ath6kl_llc_snap_hdr));
skb_push(skb, sizeof(eth_hdr));
Reported by FlawFinder.
Line: 445
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
datap = skb->data;
memcpy(datap, ð_hdr, sizeof(eth_hdr));
return 0;
}
/*
Reported by FlawFinder.
drivers/block/mtip32xx/mtip32xx.c
38 issues
Line: 2152
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int size = 0;
if (test_bit(MTIP_DDF_OVER_TEMP_BIT, &dd->dd_flag))
size += sprintf(buf, "%s", "thermal_shutdown\n");
else if (test_bit(MTIP_DDF_WRITE_PROTECT_BIT, &dd->dd_flag))
size += sprintf(buf, "%s", "write_protect\n");
else
size += sprintf(buf, "%s", "online\n");
Reported by FlawFinder.
Line: 2154
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (test_bit(MTIP_DDF_OVER_TEMP_BIT, &dd->dd_flag))
size += sprintf(buf, "%s", "thermal_shutdown\n");
else if (test_bit(MTIP_DDF_WRITE_PROTECT_BIT, &dd->dd_flag))
size += sprintf(buf, "%s", "write_protect\n");
else
size += sprintf(buf, "%s", "online\n");
return size;
}
Reported by FlawFinder.
Line: 2156
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (test_bit(MTIP_DDF_WRITE_PROTECT_BIT, &dd->dd_flag))
size += sprintf(buf, "%s", "write_protect\n");
else
size += sprintf(buf, "%s", "online\n");
return size;
}
static DEVICE_ATTR(status, 0444, mtip_hw_show_status, NULL);
Reported by FlawFinder.
Line: 2204
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (dd->port &&
test_bit(MTIP_PF_REBUILD_BIT, &dd->port->flags)) {
size += sprintf(&buf[size],
" device %s %s (ftl rebuild %d %%)\n",
dev_name(&dd->pdev->dev),
id_buf,
status);
} else {
Reported by FlawFinder.
Line: 2210
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
id_buf,
status);
} else {
size += sprintf(&buf[size],
" device %s %s\n",
dev_name(&dd->pdev->dev),
id_buf);
}
}
Reported by FlawFinder.
Line: 2234
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (dd->port &&
test_bit(MTIP_PF_REBUILD_BIT, &dd->port->flags)) {
size += sprintf(&buf[size],
" device %s %s (ftl rebuild %d %%)\n",
dev_name(&dd->pdev->dev),
id_buf,
status);
} else {
Reported by FlawFinder.
Line: 2240
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
id_buf,
status);
} else {
size += sprintf(&buf[size],
" device %s %s\n",
dev_name(&dd->pdev->dev),
id_buf);
}
}
Reported by FlawFinder.
Line: 474
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long *tagbits,
int cnt)
{
unsigned char tagmap[128];
int group, tagmap_len = 0;
memset(tagmap, 0, sizeof(tagmap));
for (group = SLOTBITS_IN_LONGS; group > 0; group--)
tagmap_len += sprintf(tagmap + tagmap_len, "%016lX ",
Reported by FlawFinder.
Line: 479
Column: 17
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
memset(tagmap, 0, sizeof(tagmap));
for (group = SLOTBITS_IN_LONGS; group > 0; group--)
tagmap_len += sprintf(tagmap + tagmap_len, "%016lX ",
tagbits[group-1]);
dev_warn(&dd->pdev->dev,
"%d command(s) %s: tagmap [%s]", cnt, msg, tagmap);
}
Reported by FlawFinder.
Line: 1013
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy the command to the command table */
int_cmd = blk_mq_rq_to_pdu(rq);
int_cmd->icmd = &icmd;
memcpy(int_cmd->command, fis, fis_len*4);
rq->timeout = timeout;
/* insert request and run queue */
blk_execute_rq(NULL, rq, true);
Reported by FlawFinder.
drivers/s390/crypto/zcrypt_msgtype6.c
38 issues
Line: 1041
CWE codes:
562
ap_msg->receive = zcrypt_msgtype6_receive;
ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
atomic_inc_return(&zcrypt_step);
ap_msg->private = &resp_type;
rc = ICAMEX_msg_to_type6MEX_msgX(zq, ap_msg, mex);
if (rc)
goto out_free;
init_completion(&resp_type.work);
rc = ap_queue_message(zq->queue, ap_msg);
Reported by Cppcheck.
Line: 1089
CWE codes:
562
ap_msg->receive = zcrypt_msgtype6_receive;
ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
atomic_inc_return(&zcrypt_step);
ap_msg->private = &resp_type;
rc = ICACRT_msg_to_type6CRT_msgX(zq, ap_msg, crt);
if (rc)
goto out_free;
init_completion(&resp_type.work);
rc = ap_queue_message(zq->queue, ap_msg);
Reported by Cppcheck.
Line: 63
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short cprb_len; /* CPRB length */
unsigned char cprb_ver_id; /* CPRB version id. */
unsigned char pad_000; /* Alignment pad byte. */
unsigned char srpi_rtcode[4]; /* SRPI return code LELONG */
unsigned char srpi_verb; /* SRPI verb type */
unsigned char flags; /* flags */
unsigned char func_id[2]; /* function id */
unsigned char checkpoint_flag; /* */
unsigned char resv2; /* reserved */
Reported by FlawFinder.
Line: 66
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char srpi_rtcode[4]; /* SRPI return code LELONG */
unsigned char srpi_verb; /* SRPI verb type */
unsigned char flags; /* flags */
unsigned char func_id[2]; /* function id */
unsigned char checkpoint_flag; /* */
unsigned char resv2; /* reserved */
unsigned short req_parml; /* request parameter buffer */
/* length 16-bit little endian */
unsigned char req_parmp[4]; /* request parameter buffer *
Reported by FlawFinder.
Line: 71
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char resv2; /* reserved */
unsigned short req_parml; /* request parameter buffer */
/* length 16-bit little endian */
unsigned char req_parmp[4]; /* request parameter buffer *
* pointer (means nothing: the *
* parameter buffer follows *
* the CPRB). */
unsigned char req_datal[4]; /* request data buffer */
/* length ULELONG */
Reported by FlawFinder.
Line: 75
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* pointer (means nothing: the *
* parameter buffer follows *
* the CPRB). */
unsigned char req_datal[4]; /* request data buffer */
/* length ULELONG */
unsigned char req_datap[4]; /* request data buffer */
/* pointer */
unsigned short rpl_parml; /* reply parameter buffer */
/* length 16-bit little endian */
Reported by FlawFinder.
Line: 77
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* the CPRB). */
unsigned char req_datal[4]; /* request data buffer */
/* length ULELONG */
unsigned char req_datap[4]; /* request data buffer */
/* pointer */
unsigned short rpl_parml; /* reply parameter buffer */
/* length 16-bit little endian */
unsigned char pad_001[2]; /* Alignment pad bytes. ULESHORT */
unsigned char rpl_parmp[4]; /* reply parameter buffer *
Reported by FlawFinder.
Line: 81
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* pointer */
unsigned short rpl_parml; /* reply parameter buffer */
/* length 16-bit little endian */
unsigned char pad_001[2]; /* Alignment pad bytes. ULESHORT */
unsigned char rpl_parmp[4]; /* reply parameter buffer *
* pointer (means nothing: the *
* parameter buffer follows *
* the CPRB). */
unsigned char rpl_datal[4]; /* reply data buffer len ULELONG */
Reported by FlawFinder.
Line: 82
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short rpl_parml; /* reply parameter buffer */
/* length 16-bit little endian */
unsigned char pad_001[2]; /* Alignment pad bytes. ULESHORT */
unsigned char rpl_parmp[4]; /* reply parameter buffer *
* pointer (means nothing: the *
* parameter buffer follows *
* the CPRB). */
unsigned char rpl_datal[4]; /* reply data buffer len ULELONG */
unsigned char rpl_datap[4]; /* reply data buffer */
Reported by FlawFinder.
Line: 86
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* pointer (means nothing: the *
* parameter buffer follows *
* the CPRB). */
unsigned char rpl_datal[4]; /* reply data buffer len ULELONG */
unsigned char rpl_datap[4]; /* reply data buffer */
/* pointer */
unsigned short ccp_rscode; /* server reason code ULESHORT */
unsigned short ccp_rtcode; /* server return code ULESHORT */
unsigned char repd_parml[2]; /* replied parameter len ULESHORT*/
Reported by FlawFinder.
init/main.c
38 issues
Line: 329
CWE codes:
682
struct xbc_node *root)
{
struct xbc_node *knode, *vnode;
char *end = buf + size;
const char *val;
int ret;
xbc_node_for_each_key_value(root, knode, val) {
ret = xbc_node_compose_key_after(root, knode,
Reported by Cppcheck.
Line: 728
CWE codes:
570
{
const struct obs_kernel_param *p;
for (p = __setup_start; p < __setup_end; p++) {
if ((p->early && parameq(param, p->str)) ||
(strcmp(param, "console") == 0 &&
strcmp(p->str, "earlycon") == 0)
) {
if (p->setup_func(val) != 0)
Reported by Cppcheck.
Line: 1404
CWE codes:
570
initcall_entry_t *fn;
trace_initcall_level("early");
for (fn = __initcall_start; fn < __initcall0_start; fn++)
do_one_initcall(initcall_from_entry(fn));
}
static int run_init_process(const char *init_filename)
{
Reported by Cppcheck.
Line: 638
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
* lines because there could be dashes (separator of init
* command line) in the command lines.
*/
strcpy(saved_command_line, extra_command_line);
strcpy(static_command_line, extra_command_line);
}
strcpy(saved_command_line + xlen, boot_command_line);
strcpy(static_command_line + xlen, command_line);
Reported by FlawFinder.
Line: 639
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
* command line) in the command lines.
*/
strcpy(saved_command_line, extra_command_line);
strcpy(static_command_line, extra_command_line);
}
strcpy(saved_command_line + xlen, boot_command_line);
strcpy(static_command_line + xlen, command_line);
if (ilen) {
Reported by FlawFinder.
Line: 641
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(saved_command_line, extra_command_line);
strcpy(static_command_line, extra_command_line);
}
strcpy(saved_command_line + xlen, boot_command_line);
strcpy(static_command_line + xlen, command_line);
if (ilen) {
/*
* Append supplemental init boot args to saved_command_line
Reported by FlawFinder.
Line: 642
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(static_command_line, extra_command_line);
}
strcpy(saved_command_line + xlen, boot_command_line);
strcpy(static_command_line + xlen, command_line);
if (ilen) {
/*
* Append supplemental init boot args to saved_command_line
* so that user can check what command line options passed
Reported by FlawFinder.
Line: 658
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
len += 4;
}
strcpy(saved_command_line + len, extra_init_args);
}
}
/*
* We need to finalize in a non-__init function or else race conditions
Reported by FlawFinder.
Line: 906
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
end = unknown_options;
for (p = &argv_init[1]; *p; p++)
end += sprintf(end, " %s", *p);
for (p = &envp_init[2]; *p; p++)
end += sprintf(end, " %s", *p);
pr_notice("Unknown command line parameters:%s\n", unknown_options);
memblock_free(__pa(unknown_options), len);
Reported by FlawFinder.
Line: 908
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (p = &argv_init[1]; *p; p++)
end += sprintf(end, " %s", *p);
for (p = &envp_init[2]; *p; p++)
end += sprintf(end, " %s", *p);
pr_notice("Unknown command line parameters:%s\n", unknown_options);
memblock_free(__pa(unknown_options), len);
}
Reported by FlawFinder.
drivers/gpu/drm/amd/pm/amdgpu_pm.c
37 issues
Line: 607
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (size >= PAGE_SIZE)
size = PAGE_SIZE - 1;
memcpy(buf, table, size);
return size;
}
static ssize_t amdgpu_set_pp_table(struct device *dev,
Reported by FlawFinder.
Line: 799
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ret;
uint32_t parameter_size = 0;
long parameter[64];
char buf_cpy[128];
char *tmp_str;
char *sub_str;
const char delimiter[3] = {' ', '\n', '\0'};
uint32_t type;
Reported by FlawFinder.
Line: 802
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char buf_cpy[128];
char *tmp_str;
char *sub_str;
const char delimiter[3] = {' ', '\n', '\0'};
uint32_t type;
if (amdgpu_in_reset(adev))
return -EPERM;
if (adev->in_suspend && !adev->in_runpm)
Reported by FlawFinder.
Line: 830
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
return -EINVAL;
memcpy(buf_cpy, buf, count+1);
tmp_str = buf_cpy;
if ((type == PP_OD_EDIT_VDDC_CURVE) ||
(type == PP_OD_EDIT_VDDGFX_OFFSET))
Reported by FlawFinder.
Line: 1094
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long level;
char *sub_str = NULL;
char *tmp;
char buf_cpy[AMDGPU_MASK_BUF_MAX + 1];
const char delimiter[3] = {' ', '\n', '\0'};
size_t bytes;
*mask = 0;
Reported by FlawFinder.
Line: 1095
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *sub_str = NULL;
char *tmp;
char buf_cpy[AMDGPU_MASK_BUF_MAX + 1];
const char delimiter[3] = {' ', '\n', '\0'};
size_t bytes;
*mask = 0;
bytes = min(count, sizeof(buf_cpy) - 1);
Reported by FlawFinder.
Line: 1101
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*mask = 0;
bytes = min(count, sizeof(buf_cpy) - 1);
memcpy(buf_cpy, buf, bytes);
buf_cpy[bytes] = '\0';
tmp = buf_cpy;
while ((sub_str = strsep(&tmp, delimiter)) != NULL) {
if (strlen(sub_str)) {
ret = kstrtoul(sub_str, 0, &level);
Reported by FlawFinder.
Line: 1492
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct amdgpu_device *adev = drm_to_adev(ddev);
uint32_t parameter_size = 0;
long parameter[64];
char *sub_str, buf_cpy[128];
char *tmp_str;
uint32_t i = 0;
char tmp[2];
long int profile_mode = 0;
const char delimiter[3] = {' ', '\n', '\0'};
Reported by FlawFinder.
Line: 1495
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *sub_str, buf_cpy[128];
char *tmp_str;
uint32_t i = 0;
char tmp[2];
long int profile_mode = 0;
const char delimiter[3] = {' ', '\n', '\0'};
if (amdgpu_in_reset(adev))
return -EPERM;
Reported by FlawFinder.
Line: 1497
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint32_t i = 0;
char tmp[2];
long int profile_mode = 0;
const char delimiter[3] = {' ', '\n', '\0'};
if (amdgpu_in_reset(adev))
return -EPERM;
if (adev->in_suspend && !adev->in_runpm)
return -EPERM;
Reported by FlawFinder.
tools/perf/util/symbol-elf.c
37 issues
Line: 2146
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (kcore__open(&kcore, kce->kcore_filename))
return -1;
strcpy(kce->extract_filename, PERF_KCORE_EXTRACT);
if (kcore__init(&extract, kce->extract_filename, kcore.elfclass, true))
goto out_kcore_close;
if (kcore__copy_hdr(&kcore, &extract, count))
goto out_extract_close;
Reported by FlawFinder.
Line: 300
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Elf_Scn *scn_plt_rel, *scn_symstrs, *scn_dynsym;
size_t dynsym_idx;
GElf_Ehdr ehdr;
char sympltname[1024];
Elf *elf;
int nr = 0, symidx, err = 0;
if (!ss->dynsym)
return 0;
Reported by FlawFinder.
Line: 527
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nhdr->n_namesz == sizeof("GNU")) {
if (memcmp(name, "GNU", sizeof("GNU")) == 0) {
size_t sz = min(size, descsz);
memcpy(bf, ptr, sz);
memset(bf + sz, 0, size - sz);
err = descsz;
break;
}
}
Reported by FlawFinder.
Line: 560
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!abfd->build_id || abfd->build_id->size > size)
goto out_close;
memcpy(bid->data, abfd->build_id->data, abfd->build_id->size);
memset(bid->data + abfd->build_id->size, 0, size - abfd->build_id->size);
err = bid->size = abfd->build_id->size;
out_close:
bfd_close(abfd);
Reported by FlawFinder.
Line: 580
Column: 7
CWE codes:
362
if (size < BUILD_ID_SIZE)
goto out;
fd = open(filename, O_RDONLY);
if (fd < 0)
goto out;
elf = elf_begin(fd, PERF_ELF_C_READ_MMAP, NULL);
if (elf == NULL) {
Reported by FlawFinder.
Line: 606
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int filename__read_build_id(const char *filename, struct build_id *bid)
{
struct kmod_path m = { .name = NULL, };
char path[PATH_MAX];
int err;
if (!filename)
return -EFAULT;
Reported by FlawFinder.
Line: 641
Column: 7
CWE codes:
362
size_t size = sizeof(bid->data);
int fd, err = -1;
fd = open(filename, O_RDONLY);
if (fd < 0)
goto out;
while (1) {
char bf[BUFSIZ];
Reported by FlawFinder.
Line: 646
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
goto out;
while (1) {
char bf[BUFSIZ];
GElf_Nhdr nhdr;
size_t namesz, descsz;
if (read(fd, &nhdr, sizeof(nhdr)) != sizeof(nhdr))
break;
Reported by FlawFinder.
Line: 735
Column: 7
CWE codes:
362
Elf_Scn *sec;
Elf_Kind ek;
fd = open(filename, O_RDONLY);
if (fd < 0)
goto out;
elf = elf_begin(fd, PERF_ELF_C_READ_MMAP, NULL);
if (elf == NULL) {
Reported by FlawFinder.
Line: 847
Column: 8
CWE codes:
362
type = dso->symtab_type;
} else {
fd = open(name, O_RDONLY);
if (fd < 0) {
dso->load_errno = errno;
return -1;
}
}
Reported by FlawFinder.
drivers/i2c/busses/i2c-mlxbf.c
37 issues
Line: 741
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (flags & MLXBF_I2C_F_WRITE) {
write_en = 1;
write_len += operation->length;
memcpy(data_desc + data_idx,
operation->buffer, operation->length);
data_idx += operation->length;
}
/*
* We assume that read operations are performed only once per
Reported by FlawFinder.
Line: 787
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
MLXBF_I2C_MASTER_DATA_DESC_ADDR);
/* Get data from Master GW data descriptor. */
memcpy(read_buf, data_desc, read_len + 1);
}
/*
* After a read operation the SMBus FSM ps (present state)
* needs to be 'manually' reset. This should be removed in
Reported by FlawFinder.
Line: 653
Column: 44
CWE codes:
120
20
}
static int mlxbf_i2c_smbus_enable(struct mlxbf_i2c_priv *priv, u8 slave,
u8 len, u8 block_en, u8 pec_en, bool read)
{
u32 command;
/* Set Master GW control word. */
if (read) {
Reported by FlawFinder.
Line: 658
Column: 6
CWE codes:
120
20
u32 command;
/* Set Master GW control word. */
if (read) {
command = MLXBF_I2C_MASTER_ENABLE_READ;
command |= rol32(len, MLXBF_I2C_MASTER_READ_SHIFT);
} else {
command = MLXBF_I2C_MASTER_ENABLE_WRITE;
command |= rol32(len, MLXBF_I2C_MASTER_WRITE_SHIFT);
Reported by FlawFinder.
Line: 806
Column: 13
CWE codes:
120
20
static void
mlxbf_i2c_smbus_quick_command(struct mlxbf_i2c_smbus_request *request,
u8 read)
{
request->operation_cnt = MLXBF_I2C_SMBUS_OP_CNT_1;
request->operation[0].length = 0;
request->operation[0].flags = MLXBF_I2C_F_WRITE;
Reported by FlawFinder.
Line: 812
Column: 33
CWE codes:
120
20
request->operation[0].length = 0;
request->operation[0].flags = MLXBF_I2C_F_WRITE;
request->operation[0].flags |= read ? MLXBF_I2C_F_READ : 0;
}
static void mlxbf_i2c_smbus_byte_func(struct mlxbf_i2c_smbus_request *request,
u8 *data, bool read, bool pec_check)
{
Reported by FlawFinder.
Line: 816
Column: 26
CWE codes:
120
20
}
static void mlxbf_i2c_smbus_byte_func(struct mlxbf_i2c_smbus_request *request,
u8 *data, bool read, bool pec_check)
{
request->operation_cnt = MLXBF_I2C_SMBUS_OP_CNT_1;
request->operation[0].length = 1;
request->operation[0].length += pec_check;
Reported by FlawFinder.
Line: 824
Column: 33
CWE codes:
120
20
request->operation[0].length += pec_check;
request->operation[0].flags = MLXBF_I2C_F_SMBUS_OPERATION;
request->operation[0].flags |= read ?
MLXBF_I2C_F_READ : MLXBF_I2C_F_WRITE;
request->operation[0].flags |= pec_check ? MLXBF_I2C_F_SMBUS_PEC : 0;
request->operation[0].buffer = data;
}
Reported by FlawFinder.
Line: 833
Column: 39
CWE codes:
120
20
static void
mlxbf_i2c_smbus_data_byte_func(struct mlxbf_i2c_smbus_request *request,
u8 *command, u8 *data, bool read, bool pec_check)
{
request->operation_cnt = MLXBF_I2C_SMBUS_OP_CNT_2;
request->operation[0].length = 1;
request->operation[0].flags =
Reported by FlawFinder.
Line: 845
Column: 32
CWE codes:
120
20
request->operation[1].length = 1;
request->operation[1].length += pec_check;
request->operation[1].flags = read ?
MLXBF_I2C_F_READ : MLXBF_I2C_F_WRITE;
request->operation[1].buffer = data;
}
static void
Reported by FlawFinder.
sound/core/control.c
37 issues
Line: 230
Column: 23
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* Return: 0 on success, error code on failure
*/
static int snd_ctl_new(struct snd_kcontrol **kctl, unsigned int count,
unsigned int access, struct snd_ctl_file *file)
{
unsigned int idx;
if (count == 0 || count > MAX_CONTROL_COUNT)
return -EINVAL;
Reported by FlawFinder.
Line: 242
Column: 29
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return -ENOMEM;
for (idx = 0; idx < count; idx++) {
(*kctl)->vd[idx].access = access;
(*kctl)->vd[idx].owner = file;
}
(*kctl)->count = count;
return 0;
Reported by FlawFinder.
Line: 266
Column: 15
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
{
struct snd_kcontrol *kctl;
unsigned int count;
unsigned int access;
int err;
if (snd_BUG_ON(!ncontrol || !ncontrol->info))
return NULL;
Reported by FlawFinder.
Line: 276
Column: 21
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (count == 0)
count = 1;
access = ncontrol->access;
if (access == 0)
access = SNDRV_CTL_ELEM_ACCESS_READWRITE;
access &= (SNDRV_CTL_ELEM_ACCESS_READWRITE |
SNDRV_CTL_ELEM_ACCESS_VOLATILE |
SNDRV_CTL_ELEM_ACCESS_INACTIVE |
Reported by FlawFinder.
Line: 279
Column: 2
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
access = ncontrol->access;
if (access == 0)
access = SNDRV_CTL_ELEM_ACCESS_READWRITE;
access &= (SNDRV_CTL_ELEM_ACCESS_READWRITE |
SNDRV_CTL_ELEM_ACCESS_VOLATILE |
SNDRV_CTL_ELEM_ACCESS_INACTIVE |
SNDRV_CTL_ELEM_ACCESS_TLV_READWRITE |
SNDRV_CTL_ELEM_ACCESS_TLV_COMMAND |
SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK |
Reported by FlawFinder.
Line: 288
Column: 34
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
SNDRV_CTL_ELEM_ACCESS_LED_MASK |
SNDRV_CTL_ELEM_ACCESS_SKIP_CHECK);
err = snd_ctl_new(&kctl, count, access, NULL);
if (err < 0)
return NULL;
/* The 'numid' member is decided when calling snd_ctl_add(). */
kctl->id.iface = ncontrol->iface;
Reported by FlawFinder.
Line: 558
Column: 20
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
ret = -ENOENT;
goto error;
}
if (!(kctl->vd[0].access & SNDRV_CTL_ELEM_ACCESS_USER)) {
ret = -EINVAL;
goto error;
}
for (idx = 0; idx < kctl->count; idx++)
if (kctl->vd[idx].owner != NULL && kctl->vd[idx].owner != file) {
Reported by FlawFinder.
Line: 603
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
vd = &kctl->vd[index_offset];
ret = 0;
if (active) {
if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_INACTIVE))
goto unlock;
vd->access &= ~SNDRV_CTL_ELEM_ACCESS_INACTIVE;
} else {
if (vd->access & SNDRV_CTL_ELEM_ACCESS_INACTIVE)
goto unlock;
Reported by FlawFinder.
Line: 605
Column: 7
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (active) {
if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_INACTIVE))
goto unlock;
vd->access &= ~SNDRV_CTL_ELEM_ACCESS_INACTIVE;
} else {
if (vd->access & SNDRV_CTL_ELEM_ACCESS_INACTIVE)
goto unlock;
vd->access |= SNDRV_CTL_ELEM_ACCESS_INACTIVE;
}
Reported by FlawFinder.
Line: 607
Column: 11
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
goto unlock;
vd->access &= ~SNDRV_CTL_ELEM_ACCESS_INACTIVE;
} else {
if (vd->access & SNDRV_CTL_ELEM_ACCESS_INACTIVE)
goto unlock;
vd->access |= SNDRV_CTL_ELEM_ACCESS_INACTIVE;
}
snd_ctl_build_ioff(id, kctl, index_offset);
downgrade_write(&card->controls_rwsem);
Reported by FlawFinder.