The following issues were found
drivers/video/fbdev/au1100fb.c
8 issues
Line: 242
CWE codes:
476
u32 value;
fbdev = to_au1100fb_device(fbi);
palette = fbdev->regs->lcd_pallettebase;
if (regno > (AU1100_LCD_NBR_PALETTE_ENTRIES - 1))
return -EINVAL;
if (fbi->var.grayscale) {
Reported by Cppcheck.
Line: 269
CWE codes:
476
(blue << fbi->var.blue.offset);
value &= 0xFFFF;
} else if (panel_is_active(fbdev->panel)) {
/* COLOR TFT PALLETTIZED (use RGB 565) */
value = (red & 0xF800)|((green >> 5) & 0x07E0)|((blue >> 11) & 0x001F);
value &= 0xFFFF;
} else if (panel_is_color(fbdev->panel)) {
Reported by Cppcheck.
Line: 274
CWE codes:
476
value = (red & 0xF800)|((green >> 5) & 0x07E0)|((blue >> 11) & 0x001F);
value &= 0xFFFF;
} else if (panel_is_color(fbdev->panel)) {
/* COLOR STN MODE */
value = (((panel_swap_rgb(fbdev->panel) ? blue : red) >> 12) & 0x000F) |
((green >> 8) & 0x00F0) |
(((panel_swap_rgb(fbdev->panel) ? red : blue) >> 4) & 0x0F00);
value &= 0xFFF;
Reported by Cppcheck.
Line: 347
CWE codes:
476
pgprot_val(vma->vm_page_prot) |= (6 << 9); //CCA=6
return dma_mmap_coherent(fbdev->dev, vma, fbdev->fb_mem, fbdev->fb_phys,
fbdev->fb_len);
}
static const struct fb_ops au1100fb_ops =
{
Reported by Cppcheck.
Line: 348
CWE codes:
476
pgprot_val(vma->vm_page_prot) |= (6 << 9); //CCA=6
return dma_mmap_coherent(fbdev->dev, vma, fbdev->fb_mem, fbdev->fb_phys,
fbdev->fb_len);
}
static const struct fb_ops au1100fb_ops =
{
.owner = THIS_MODULE,
Reported by Cppcheck.
Line: 566
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (fbdev->lcdclk)
clk_disable(fbdev->lcdclk);
memcpy(&fbregs, fbdev->regs, sizeof(struct au1100fb_regs));
return 0;
}
int au1100fb_drv_resume(struct platform_device *dev)
Reported by FlawFinder.
Line: 578
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!fbdev)
return 0;
memcpy(fbdev->regs, &fbregs, sizeof(struct au1100fb_regs));
if (fbdev->lcdclk)
clk_enable(fbdev->lcdclk);
/* Unblank the LCD */
Reported by FlawFinder.
Line: 388
Column: 11
CWE codes:
126
this_opt += 6;
for (i = 0; i < num_panels; i++) {
if (!strncmp(this_opt, known_lcd_panels[i].name,
strlen(this_opt))) {
fbdev->panel = &known_lcd_panels[i];
fbdev->panel_idx = i;
break;
}
}
Reported by FlawFinder.
drivers/staging/media/atomisp/pci/sh_css_param_dvs.c
8 issues
Line: 159
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned int width_uv = dvs_config->width_uv;
unsigned int height_uv = dvs_config->height_uv;
memcpy(dvs_config->xcoords_y, dvs_config_src->xcoords_y,
(width_y * height_y * sizeof(uint32_t)));
memcpy(dvs_config->ycoords_y, dvs_config_src->ycoords_y,
(width_y * height_y * sizeof(uint32_t)));
memcpy(dvs_config->xcoords_uv, dvs_config_src->xcoords_uv,
(width_uv * height_uv * sizeof(uint32_t)));
Reported by FlawFinder.
Line: 161
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dvs_config->xcoords_y, dvs_config_src->xcoords_y,
(width_y * height_y * sizeof(uint32_t)));
memcpy(dvs_config->ycoords_y, dvs_config_src->ycoords_y,
(width_y * height_y * sizeof(uint32_t)));
memcpy(dvs_config->xcoords_uv, dvs_config_src->xcoords_uv,
(width_uv * height_uv * sizeof(uint32_t)));
memcpy(dvs_config->ycoords_uv, dvs_config_src->ycoords_uv,
(width_uv * height_uv * sizeof(uint32_t)));
Reported by FlawFinder.
Line: 163
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(width_y * height_y * sizeof(uint32_t)));
memcpy(dvs_config->ycoords_y, dvs_config_src->ycoords_y,
(width_y * height_y * sizeof(uint32_t)));
memcpy(dvs_config->xcoords_uv, dvs_config_src->xcoords_uv,
(width_uv * height_uv * sizeof(uint32_t)));
memcpy(dvs_config->ycoords_uv, dvs_config_src->ycoords_uv,
(width_uv * height_uv * sizeof(uint32_t)));
}
Reported by FlawFinder.
Line: 165
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(width_y * height_y * sizeof(uint32_t)));
memcpy(dvs_config->xcoords_uv, dvs_config_src->xcoords_uv,
(width_uv * height_uv * sizeof(uint32_t)));
memcpy(dvs_config->ycoords_uv, dvs_config_src->ycoords_uv,
(width_uv * height_uv * sizeof(uint32_t)));
}
struct ia_css_dvs_6axis_config *
generate_dvs_6axis_table(const struct ia_css_resolution *frame_res,
Reported by FlawFinder.
Line: 262
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dvs_config_src->width_uv; /* = Y/2, depens on colour format YUV 4.2.0*/
height_uv = dvs_config_src->height_uv;
memcpy(dvs_config_dst->xcoords_y, dvs_config_src->xcoords_y,
(width_y * height_y * sizeof(uint32_t)));
memcpy(dvs_config_dst->ycoords_y, dvs_config_src->ycoords_y,
(width_y * height_y * sizeof(uint32_t)));
memcpy(dvs_config_dst->xcoords_uv, dvs_config_src->xcoords_uv,
Reported by FlawFinder.
Line: 264
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dvs_config_dst->xcoords_y, dvs_config_src->xcoords_y,
(width_y * height_y * sizeof(uint32_t)));
memcpy(dvs_config_dst->ycoords_y, dvs_config_src->ycoords_y,
(width_y * height_y * sizeof(uint32_t)));
memcpy(dvs_config_dst->xcoords_uv, dvs_config_src->xcoords_uv,
(width_uv * height_uv * sizeof(uint32_t)));
memcpy(dvs_config_dst->ycoords_uv, dvs_config_src->ycoords_uv,
Reported by FlawFinder.
Line: 267
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dvs_config_dst->ycoords_y, dvs_config_src->ycoords_y,
(width_y * height_y * sizeof(uint32_t)));
memcpy(dvs_config_dst->xcoords_uv, dvs_config_src->xcoords_uv,
(width_uv * height_uv * sizeof(uint32_t)));
memcpy(dvs_config_dst->ycoords_uv, dvs_config_src->ycoords_uv,
(width_uv * height_uv * sizeof(uint32_t)));
}
Reported by FlawFinder.
Line: 269
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dvs_config_dst->xcoords_uv, dvs_config_src->xcoords_uv,
(width_uv * height_uv * sizeof(uint32_t)));
memcpy(dvs_config_dst->ycoords_uv, dvs_config_src->ycoords_uv,
(width_uv * height_uv * sizeof(uint32_t)));
}
void
ia_css_dvs_statistics_get(enum dvs_statistics_type type,
Reported by FlawFinder.
drivers/staging/iio/adc/ad7816.c
8 issues
Line: 127
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct ad7816_chip_info *chip = iio_priv(indio_dev);
if (chip->mode)
return sprintf(buf, "power-save\n");
return sprintf(buf, "full\n");
}
static ssize_t ad7816_store_mode(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
Line: 128
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (chip->mode)
return sprintf(buf, "power-save\n");
return sprintf(buf, "full\n");
}
static ssize_t ad7816_store_mode(struct device *dev,
struct device_attribute *attr,
const char *buf,
Reported by FlawFinder.
Line: 159
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr,
char *buf)
{
return sprintf(buf, "full\npower-save\n");
}
static IIO_DEVICE_ATTR(available_modes, 0444, ad7816_show_available_modes,
NULL, 0);
Reported by FlawFinder.
Line: 172
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct ad7816_chip_info *chip = iio_priv(indio_dev);
return sprintf(buf, "%d\n", chip->channel_id);
}
static ssize_t ad7816_store_channel(struct device *dev,
struct device_attribute *attr,
const char *buf,
Reported by FlawFinder.
Line: 234
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
data &= AD7816_TEMP_FLOAT_MASK;
if (value < 0)
data = BIT(AD7816_TEMP_FLOAT_OFFSET) - data;
return sprintf(buf, "%d.%.2d\n", value, data * 25);
}
return sprintf(buf, "%u\n", data);
}
static IIO_DEVICE_ATTR(value, 0444, ad7816_show_value, NULL, 0);
Reported by FlawFinder.
Line: 236
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
data = BIT(AD7816_TEMP_FLOAT_OFFSET) - data;
return sprintf(buf, "%d.%.2d\n", value, data * 25);
}
return sprintf(buf, "%u\n", data);
}
static IIO_DEVICE_ATTR(value, 0444, ad7816_show_value, NULL, 0);
static struct attribute *ad7816_attributes[] = {
Reported by FlawFinder.
Line: 284
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
value = AD7816_BOUND_VALUE_MIN +
(chip->oti_data[chip->channel_id] -
AD7816_BOUND_VALUE_BASE);
return sprintf(buf, "%d\n", value);
}
return sprintf(buf, "%u\n", chip->oti_data[chip->channel_id]);
}
static inline ssize_t ad7816_set_oti(struct device *dev,
Reported by FlawFinder.
Line: 286
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
AD7816_BOUND_VALUE_BASE);
return sprintf(buf, "%d\n", value);
}
return sprintf(buf, "%u\n", chip->oti_data[chip->channel_id]);
}
static inline ssize_t ad7816_set_oti(struct device *dev,
struct device_attribute *attr,
const char *buf,
Reported by FlawFinder.
drivers/scsi/qla2xxx/qla_sup.c
8 issues
Line: 1158
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct fc_vport_identifiers vid;
struct fc_vport *vport;
memcpy(&ha->npiv_info[i], entry, sizeof(struct qla_npiv_entry));
flags = le16_to_cpu(entry->flags);
if (flags == 0xffff)
continue;
if ((flags & BIT_0) == 0)
Reported by FlawFinder.
Line: 1326
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dburst = dwords - liter;
/* Copy to dma buffer */
memcpy(optrom, dwptr, dburst << 2);
/* Burst write */
ql_log(ql_log_warn + ql_dbg_verbose, vha, 0x7095,
"Write burst (%#lx dwords)...\n", dburst);
ret = qla2x00_load_ram(vha, optrom_dma,
Reported by FlawFinder.
Line: 1534
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return QLA_MEMORY_ALLOC_FAILED;
ha->isp_ops->read_optrom(vha, dbuf, ha->flt_region_vpd_nvram << 2,
RMW_BUFFER_SIZE);
memcpy(dbuf + (naddr << 2), buf, bytes);
ha->isp_ops->write_optrom(vha, dbuf, ha->flt_region_vpd_nvram << 2,
RMW_BUFFER_SIZE);
vfree(dbuf);
return QLA_SUCCESS;
Reported by FlawFinder.
Line: 2634
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = buf + buf_size_without_sfub;
/* Extract SFUB from end of file */
memcpy(sfub_buf, (uint8_t *)p,
sizeof(struct secure_flash_update_block));
for (i = 0; i < (sizeof(struct secure_flash_update_block) >> 2); i++)
check_sum += le32_to_cpu(p[i]);
Reported by FlawFinder.
Line: 2668
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cnt = le16_to_cpu(flt->length) / sizeof(struct qla_flt_region);
for (; cnt; cnt--, flt_reg++) {
if (le32_to_cpu(flt_reg->start) == start) {
memcpy((uint8_t *)region, flt_reg,
sizeof(struct qla_flt_region));
rval = QLA_SUCCESS;
break;
}
}
Reported by FlawFinder.
Line: 2921
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dburst = dwords - liter;
/* Copy to dma buffer */
memcpy(optrom, dwptr, dburst << 2);
/* Burst write */
ql_log(ql_log_warn + ql_dbg_verbose, vha, 0x7095,
"Write burst (%#lx dwords)...\n", dburst);
rval = qla2x00_load_ram(vha, optrom_dma,
Reported by FlawFinder.
Line: 3053
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto slow_read;
}
memcpy(pbuf, optrom, burst * 4);
left -= burst;
faddr += burst;
pbuf += burst * 4;
}
Reported by FlawFinder.
Line: 3581
Column: 26
CWE codes:
126
while (pos < end && *pos != 0x78) {
len = (*pos == 0x82) ? pos[1] : pos[2];
if (!strncmp(pos, key, strlen(key)))
break;
if (*pos != 0x90 && *pos != 0x91)
pos += len;
Reported by FlawFinder.
drivers/scsi/scsi_lib.c
8 issues
Line: 232
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
rq->cmd_len = COMMAND_SIZE(cmd[0]);
memcpy(rq->cmd, cmd, rq->cmd_len);
rq->retries = retries;
req->timeout = timeout;
req->cmd_flags |= flags;
req->rq_flags |= rq_flags | RQF_QUIET;
Reported by FlawFinder.
Line: 255
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (resid)
*resid = rq->resid_len;
if (sense && rq->sense_len)
memcpy(sense, rq->sense, SCSI_SENSE_BUFFERSIZE);
if (sshdr)
scsi_normalize_sense(rq->sense, rq->sense_len, sshdr);
ret = rq->result;
out:
blk_put_request(req);
Reported by FlawFinder.
Line: 2017
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char *buffer, int len, int timeout, int retries,
struct scsi_mode_data *data, struct scsi_sense_hdr *sshdr)
{
unsigned char cmd[10];
unsigned char *real_buffer;
int ret;
memset(cmd, 0, sizeof(cmd));
cmd[1] = (pf ? 0x10 : 0) | (sp ? 0x01 : 0);
Reported by FlawFinder.
Line: 2030
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
real_buffer = kmalloc(8 + len, GFP_KERNEL);
if (!real_buffer)
return -ENOMEM;
memcpy(real_buffer + 8, buffer, len);
len += 8;
real_buffer[0] = 0;
real_buffer[1] = 0;
real_buffer[2] = data->medium_type;
real_buffer[3] = data->device_specific;
Reported by FlawFinder.
Line: 2052
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
real_buffer = kmalloc(4 + len, GFP_KERNEL);
if (!real_buffer)
return -ENOMEM;
memcpy(real_buffer + 4, buffer, len);
len += 4;
real_buffer[0] = 0;
real_buffer[1] = data->medium_type;
real_buffer[2] = data->device_specific;
real_buffer[3] = data->block_descriptor_length;
Reported by FlawFinder.
Line: 2090
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char *buffer, int len, int timeout, int retries,
struct scsi_mode_data *data, struct scsi_sense_hdr *sshdr)
{
unsigned char cmd[12];
int use_10_for_ms;
int header_length;
int result, retry_count = retries;
struct scsi_sense_hdr my_sshdr;
Reported by FlawFinder.
Line: 2358
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void scsi_evt_emit(struct scsi_device *sdev, struct scsi_event *evt)
{
int idx = 0;
char *envp[3];
switch (evt->evt_type) {
case SDEV_EVT_MEDIA_CHANGE:
envp[idx++] = "SDEV_MEDIA_CHANGE=1";
break;
Reported by FlawFinder.
Line: 3150
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cur_id_str = d + 4;
if (cur_id_size >= id_len)
cur_id_size = id_len - 1;
memcpy(id, cur_id_str, cur_id_size);
break;
default:
break;
}
}
Reported by FlawFinder.
drivers/tty/moxa.c
8 issues
Line: 734
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int moxa_load_fw(struct moxa_board_conf *brd, const struct firmware *fw)
{
const void *ptr = fw->data;
char rsn[64];
u16 lens[5];
size_t len;
unsigned int a, lenp, lencnt;
int ret = -EINVAL;
struct {
Reported by FlawFinder.
Line: 751
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
BUILD_BUG_ON(ARRAY_SIZE(hdr->len) != ARRAY_SIZE(lens));
if (fw->size < MOXA_FW_HDRLEN) {
strcpy(rsn, "too short (even header won't fit)");
goto err;
}
if (hdr->magic != cpu_to_le32(0x30343034)) {
sprintf(rsn, "bad magic: %.8x", le32_to_cpu(hdr->magic));
goto err;
Reported by FlawFinder.
Line: 755
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
goto err;
}
if (hdr->magic != cpu_to_le32(0x30343034)) {
sprintf(rsn, "bad magic: %.8x", le32_to_cpu(hdr->magic));
goto err;
}
if (hdr->type != 3) {
sprintf(rsn, "not for linux, type is %u", hdr->type);
goto err;
Reported by FlawFinder.
Line: 759
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
goto err;
}
if (hdr->type != 3) {
sprintf(rsn, "not for linux, type is %u", hdr->type);
goto err;
}
if (moxa_check_fw_model(brd, hdr->model)) {
sprintf(rsn, "not for this card, model is %u", hdr->model);
goto err;
Reported by FlawFinder.
Line: 763
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
goto err;
}
if (moxa_check_fw_model(brd, hdr->model)) {
sprintf(rsn, "not for this card, model is %u", hdr->model);
goto err;
}
len = MOXA_FW_HDRLEN;
lencnt = hdr->model == 2 ? 5 : 3;
Reported by FlawFinder.
Line: 776
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
printk(KERN_WARNING "MOXA firmware: unexpected input "
"at offset %u, but going on\n", (u32)len);
if (!lens[a] && a < lencnt) {
sprintf(rsn, "too few entries in fw file");
goto err;
}
len += lens[a];
}
Reported by FlawFinder.
Line: 783
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
if (len != fw->size) {
sprintf(rsn, "bad length: %u (should be %u)", (u32)fw->size,
(u32)len);
goto err;
}
ptr += MOXA_FW_HDRLEN;
Reported by FlawFinder.
Line: 791
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ptr += MOXA_FW_HDRLEN;
lenp = 0; /* bios */
strcpy(rsn, "read above");
ret = moxa_load_bios(brd, ptr, lens[lenp]);
if (ret)
goto err;
Reported by FlawFinder.
drivers/scsi/qla2xxx/tcm_qla2xxx.c
8 issues
Line: 1829
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t tcm_qla2xxx_wwn_version_show(struct config_item *item,
char *page)
{
return sprintf(page,
"TCM QLOGIC QLA2XXX NPIV capable fabric module %s on %s/%s on %s\n",
QLA2XXX_VERSION, utsname()->sysname,
utsname()->machine, utsname()->release);
}
Reported by FlawFinder.
Line: 864
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct tcm_qla2xxx_tpg *tpg = container_of(se_tpg, \
struct tcm_qla2xxx_tpg, se_tpg); \
\
return sprintf(page, "%d\n", tpg->tpg_attrib.name); \
} \
\
static ssize_t tcm_qla2xxx_tpg_attrib_##name##_store( \
struct config_item *item, const char *page, size_t count) \
{ \
Reported by FlawFinder.
Line: 1004
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct tcm_qla2xxx_tpg *tpg = container_of(se_tpg,
struct tcm_qla2xxx_tpg, se_tpg);
return sprintf(page, "%d\n", tpg->tpg_attrib.fabric_prot_type);
}
CONFIGFS_ATTR(tcm_qla2xxx_tpg_, enable);
CONFIGFS_ATTR_RO(tcm_qla2xxx_tpg_, dynamic_sessions);
CONFIGFS_ATTR(tcm_qla2xxx_tpg_, fabric_prot_type);
Reported by FlawFinder.
Line: 1467
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tcm_qla2xxx_lport *lport;
struct tcm_qla2xxx_tpg *tpg;
struct se_session *se_sess;
unsigned char port_name[36];
int num_tags = (ha->cur_fw_xcb_count) ? ha->cur_fw_xcb_count :
TCM_QLA2XXX_DEFAULT_TAGS;
lport = vha->vha_tgt.target_lport_ptr;
if (!lport) {
Reported by FlawFinder.
Line: 1663
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
lport->lport_wwpn = wwpn;
tcm_qla2xxx_format_wwn(&lport->lport_name[0], TCM_QLA2XXX_NAMELEN,
wwpn);
sprintf(lport->lport_naa_name, "naa.%016llx", (unsigned long long) wwpn);
ret = tcm_qla2xxx_init_lport(lport);
if (ret != 0)
goto out;
Reported by FlawFinder.
Line: 1762
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tcm_qla2xxx_lport *lport;
u64 phys_wwpn, npiv_wwpn, npiv_wwnn;
char *p, tmp[128];
int ret;
snprintf(tmp, 128, "%s", name);
p = strchr(tmp, '@');
Reported by FlawFinder.
Line: 1788
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
lport->lport_npiv_wwpn = npiv_wwpn;
lport->lport_npiv_wwnn = npiv_wwnn;
sprintf(lport->lport_naa_name, "naa.%016llx", (unsigned long long) npiv_wwpn);
ret = tcm_qla2xxx_init_lport(lport);
if (ret != 0)
goto out;
Reported by FlawFinder.
Line: 1777
Column: 36
CWE codes:
126
if (tcm_qla2xxx_parse_wwn(tmp, &phys_wwpn, 1) < 0)
return ERR_PTR(-EINVAL);
if (tcm_qla2xxx_npiv_parse_wwn(p, strlen(p)+1,
&npiv_wwpn, &npiv_wwnn) < 0)
return ERR_PTR(-EINVAL);
lport = kzalloc(sizeof(struct tcm_qla2xxx_lport), GFP_KERNEL);
if (!lport) {
Reported by FlawFinder.
drivers/usb/gadget/function/f_tcm.c
8 issues
Line: 1126
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_err("usbg_get_cmd failed\n");
return -ENOMEM;
}
memcpy(cmd->cmd_buf, cmd_iu->cdb, cmd_len);
if (fu->flags & USBG_USE_STREAMS) {
if (cmd->tag > UASP_SS_EP_COMP_NUM_STREAMS)
goto err;
if (!cmd->tag)
Reported by FlawFinder.
Line: 1234
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_err("usbg_get_cmd failed\n");
return -ENOMEM;
}
memcpy(cmd->cmd_buf, cbw->CDB, cmd_len);
cmd->bot_tag = cbw->Tag;
cmd->prio_attr = TCM_SIMPLE_TAG;
cmd->unpacked_lun = cbw->Lun;
cmd->is_read = cbw->Flags & US_BULK_FLAG_IN ? 1 : 0;
Reported by FlawFinder.
Line: 1488
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
*/
static ssize_t usbg_wwn_version_show(struct config_item *item, char *page)
{
return sprintf(page, "usb-gadget fabric module\n");
}
CONFIGFS_ATTR_RO(usbg_wwn_, version);
static struct configfs_attribute *usbg_wwn_attrs[] = {
Reported by FlawFinder.
Line: 1645
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct se_portal_group *se_tpg = to_tpg(item);
struct usbg_tpg *tpg = container_of(se_tpg, struct usbg_tpg, se_tpg);
unsigned char i_port[USBG_NAMELEN], *ptr;
int ret;
if (!strncmp(page, "NULL", 4)) {
ret = tcm_usbg_drop_nexus(tpg);
return (!ret) ? count : ret;
Reported by FlawFinder.
Line: 1323
Column: 8
CWE codes:
126
if (!n)
return NULL;
n += 4;
len = strlen(n);
if (len == 0 || len > USBG_NAMELEN - 1)
return NULL;
return n;
}
Reported by FlawFinder.
Line: 1652
Column: 6
CWE codes:
126
ret = tcm_usbg_drop_nexus(tpg);
return (!ret) ? count : ret;
}
if (strlen(page) >= USBG_NAMELEN) {
#define NEXUS_STORE_MSG "Emulated NAA Sas Address: %s, exceeds max: %d\n"
pr_err(NEXUS_STORE_MSG, page, USBG_NAMELEN);
#undef NEXUS_STORE_MSG
return -EINVAL;
Reported by FlawFinder.
Line: 1667
Column: 13
CWE codes:
126
return -EINVAL;
}
if (i_port[strlen(i_port) - 1] == '\n')
i_port[strlen(i_port) - 1] = '\0';
ret = tcm_usbg_make_nexus(tpg, &i_port[0]);
if (ret < 0)
return ret;
Reported by FlawFinder.
Line: 1668
Column: 10
CWE codes:
126
}
if (i_port[strlen(i_port) - 1] == '\n')
i_port[strlen(i_port) - 1] = '\0';
ret = tcm_usbg_make_nexus(tpg, &i_port[0]);
if (ret < 0)
return ret;
return count;
Reported by FlawFinder.
drivers/usb/host/ehci-dbg.c
8 issues
Line: 40
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
byte = readb(&ehci->caps->portroute[(i >> 1)]);
sprintf(tmp, "%d ",
(i & 0x1) ? byte & 0xf : (byte >> 4) & 0xf);
strcat(buf, tmp);
}
ehci_dbg(ehci, "%s portroute %s\n", label, buf);
}
}
Reported by FlawFinder.
Line: 32
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Port routing, per EHCI 0.95 Spec, Section 2.2.5 */
if (HCS_PORTROUTED(params)) {
int i;
char buf[46], tmp[7], byte;
buf[0] = 0;
for (i = 0; i < HCS_N_PORTS(params); i++) {
/* FIXME MIPS won't readb() ... */
byte = readb(&ehci->caps->portroute[(i >> 1)]);
Reported by FlawFinder.
Line: 38
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < HCS_N_PORTS(params); i++) {
/* FIXME MIPS won't readb() ... */
byte = readb(&ehci->caps->portroute[(i >> 1)]);
sprintf(tmp, "%d ",
(i & 0x1) ? byte & 0xf : (byte >> 4) & 0xf);
strcat(buf, tmp);
}
ehci_dbg(ehci, "%s portroute %s\n", label, buf);
}
Reported by FlawFinder.
Line: 263
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline void
dbg_status(struct ehci_hcd *ehci, const char *label, u32 status)
{
char buf[80];
dbg_status_buf(buf, sizeof(buf), label, status);
ehci_dbg(ehci, "%s\n", buf);
}
Reported by FlawFinder.
Line: 272
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline void
dbg_cmd(struct ehci_hcd *ehci, const char *label, u32 command)
{
char buf[80];
dbg_command_buf(buf, sizeof(buf), label, command);
ehci_dbg(ehci, "%s\n", buf);
}
Reported by FlawFinder.
Line: 281
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline void
dbg_port(struct ehci_hcd *ehci, const char *label, int port, u32 status)
{
char buf[80];
dbg_port_buf(buf, sizeof(buf), label, port, status);
ehci_dbg(ehci, "%s\n", buf);
}
Reported by FlawFinder.
Line: 761
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ehci_hcd *ehci;
unsigned long flags;
unsigned temp, size, i;
char *next, scratch[80];
static char fmt[] = "%*s\n";
static char label[] = "";
hcd = bus_to_hcd(buf->bus);
ehci = hcd_to_ehci(hcd);
Reported by FlawFinder.
Line: 507
Column: 9
CWE codes:
126
}
spin_unlock_irqrestore(&ehci->lock, flags);
return strlen(buf->output_buf);
}
static ssize_t fill_bandwidth_buffer(struct debug_buffer *buf)
{
struct ehci_hcd *ehci;
Reported by FlawFinder.
drivers/usb/host/oxu210hp-hcd.c
8 issues
Line: 633
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* functions have the "wrong" filename when they're output... */
#define dbg_status(oxu, label, status) { \
char _buf[80]; \
dbg_status_buf(_buf, sizeof _buf, label, status); \
oxu_dbg(oxu, "%s\n", _buf); \
}
#define dbg_cmd(oxu, label, command) { \
Reported by FlawFinder.
Line: 639
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
#define dbg_cmd(oxu, label, command) { \
char _buf[80]; \
dbg_command_buf(_buf, sizeof _buf, label, command); \
oxu_dbg(oxu, "%s\n", _buf); \
}
#define dbg_port(oxu, label, port, status) { \
Reported by FlawFinder.
Line: 645
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
#define dbg_port(oxu, label, port, status) { \
char _buf[80]; \
dbg_port_buf(_buf, sizeof _buf, label, port, status); \
oxu_dbg(oxu, "%s\n", _buf); \
}
/*
Reported by FlawFinder.
Line: 1532
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
qtd->length, token);
if ((usb_pipein(qtd->urb->pipe)) &&
(NULL != qtd->transfer_buffer))
memcpy(qtd->transfer_buffer, qtd->buffer, qtd->length);
do_status = (urb->status == -EREMOTEIO)
&& usb_pipecontrol(urb->pipe);
if (stopped && qtd->qtd_list.prev != &qh->qtd_list) {
last = list_entry(qtd->qtd_list.prev,
Reported by FlawFinder.
Line: 1652
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
qtd_fill(qtd, qtd->buffer_dma, sizeof(struct usb_ctrlrequest),
token | (2 /* "setup" */ << 8), 8);
memcpy(qtd->buffer, qtd->urb->setup_packet,
sizeof(struct usb_ctrlrequest));
/* ... and always at least one more pid */
token ^= QTD_TOGGLE;
qtd_prev = qtd;
Reported by FlawFinder.
Line: 1682
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
transfer_buf = urb->transfer_buffer;
if (!is_input)
memcpy(qtd->buffer, qtd->urb->transfer_buffer, len);
if (is_input)
token |= (1 /* "in" */ << 8);
/* else it's already initted to "out" pid (0 << 8) */
Reported by FlawFinder.
Line: 3302
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} while (!murb);
/* Coping the urb */
memcpy(murb, urb, sizeof(struct urb));
murb->transfer_buffer_length = 4096;
murb->transfer_buffer = transfer_buffer + i * 4096;
/* Null pointer for the encodes that this is a micro urb */
Reported by FlawFinder.
Line: 3333
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} while (!murb);
/* Coping the urb */
memcpy(murb, urb, sizeof(struct urb));
murb->transfer_buffer_length = rem > 0 ? rem : 4096;
murb->transfer_buffer = transfer_buffer + (num - 1) * 4096;
/* Null pointer for the encodes that this is a micro urb */
Reported by FlawFinder.