The following issues were found
drivers/staging/rtl8723bs/hal/HalHWImg8723B_RF.c
8 issues
Line: 323
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct odm_rf_cal_t *pRFCalibrateInfo = &pDM_Odm->RFCalibrateInfo;
memcpy(
pRFCalibrateInfo->DeltaSwingTableIdx_2GA_P,
gDeltaSwingTableIdx_MP_2GA_P_TxPowerTrack_SDIO_8723B,
DELTA_SWINGIDX_SIZE
);
memcpy(
Reported by FlawFinder.
Line: 328
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gDeltaSwingTableIdx_MP_2GA_P_TxPowerTrack_SDIO_8723B,
DELTA_SWINGIDX_SIZE
);
memcpy(
pRFCalibrateInfo->DeltaSwingTableIdx_2GA_N,
gDeltaSwingTableIdx_MP_2GA_N_TxPowerTrack_SDIO_8723B,
DELTA_SWINGIDX_SIZE
);
memcpy(
Reported by FlawFinder.
Line: 333
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gDeltaSwingTableIdx_MP_2GA_N_TxPowerTrack_SDIO_8723B,
DELTA_SWINGIDX_SIZE
);
memcpy(
pRFCalibrateInfo->DeltaSwingTableIdx_2GB_P,
gDeltaSwingTableIdx_MP_2GB_P_TxPowerTrack_SDIO_8723B,
DELTA_SWINGIDX_SIZE
);
memcpy(
Reported by FlawFinder.
Line: 338
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gDeltaSwingTableIdx_MP_2GB_P_TxPowerTrack_SDIO_8723B,
DELTA_SWINGIDX_SIZE
);
memcpy(
pRFCalibrateInfo->DeltaSwingTableIdx_2GB_N,
gDeltaSwingTableIdx_MP_2GB_N_TxPowerTrack_SDIO_8723B,
DELTA_SWINGIDX_SIZE
);
Reported by FlawFinder.
Line: 344
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
DELTA_SWINGIDX_SIZE
);
memcpy(
pRFCalibrateInfo->DeltaSwingTableIdx_2GCCKA_P,
gDeltaSwingTableIdx_MP_2GCCKA_P_TxPowerTrack_SDIO_8723B,
DELTA_SWINGIDX_SIZE
);
memcpy(
Reported by FlawFinder.
Line: 349
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gDeltaSwingTableIdx_MP_2GCCKA_P_TxPowerTrack_SDIO_8723B,
DELTA_SWINGIDX_SIZE
);
memcpy(
pRFCalibrateInfo->DeltaSwingTableIdx_2GCCKA_N,
gDeltaSwingTableIdx_MP_2GCCKA_N_TxPowerTrack_SDIO_8723B,
DELTA_SWINGIDX_SIZE
);
memcpy(
Reported by FlawFinder.
Line: 354
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gDeltaSwingTableIdx_MP_2GCCKA_N_TxPowerTrack_SDIO_8723B,
DELTA_SWINGIDX_SIZE
);
memcpy(
pRFCalibrateInfo->DeltaSwingTableIdx_2GCCKB_P,
gDeltaSwingTableIdx_MP_2GCCKB_P_TxPowerTrack_SDIO_8723B,
DELTA_SWINGIDX_SIZE
);
memcpy(
Reported by FlawFinder.
Line: 359
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gDeltaSwingTableIdx_MP_2GCCKB_P_TxPowerTrack_SDIO_8723B,
DELTA_SWINGIDX_SIZE
);
memcpy(
pRFCalibrateInfo->DeltaSwingTableIdx_2GCCKB_N,
gDeltaSwingTableIdx_MP_2GCCKB_N_TxPowerTrack_SDIO_8723B,
DELTA_SWINGIDX_SIZE
);
}
Reported by FlawFinder.
drivers/scsi/wd33c93.c
8 issues
Line: 1759
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define MAX_WD33C93_HOSTS 4
#define MAX_SETUP_ARGS ARRAY_SIZE(setup_args)
#define SETUP_BUFFER_SIZE 200
static char setup_buffer[SETUP_BUFFER_SIZE];
static char setup_used[MAX_SETUP_ARGS];
static int done_setup = 0;
static int
wd33c93_setup(char *str)
Reported by FlawFinder.
Line: 1760
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define MAX_SETUP_ARGS ARRAY_SIZE(setup_args)
#define SETUP_BUFFER_SIZE 200
static char setup_buffer[SETUP_BUFFER_SIZE];
static char setup_used[MAX_SETUP_ARGS];
static int done_setup = 0;
static int
wd33c93_setup(char *str)
{
Reported by FlawFinder.
Line: 1937
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int i;
int flags;
int val;
char buf[32];
if (!done_setup && setup_strings)
wd33c93_setup(setup_strings);
hostdata = (struct WD33C93_hostdata *) instance->hostdata;
Reported by FlawFinder.
Line: 1781
Column: 3
CWE codes:
120
p1 = setup_buffer;
*p1 = '\0';
if (str)
strncpy(p1, str, SETUP_BUFFER_SIZE - strlen(setup_buffer));
setup_buffer[SETUP_BUFFER_SIZE - 1] = '\0';
p1 = setup_buffer;
i = 0;
while (*p1 && (i < MAX_SETUP_ARGS)) {
p2 = strchr(p1, ',');
Reported by FlawFinder.
Line: 1781
Column: 40
CWE codes:
126
p1 = setup_buffer;
*p1 = '\0';
if (str)
strncpy(p1, str, SETUP_BUFFER_SIZE - strlen(setup_buffer));
setup_buffer[SETUP_BUFFER_SIZE - 1] = '\0';
p1 = setup_buffer;
i = 0;
while (*p1 && (i < MAX_SETUP_ARGS)) {
p2 = strchr(p1, ',');
Reported by FlawFinder.
Line: 1817
Column: 36
CWE codes:
126
for (x = 0; x < MAX_SETUP_ARGS; x++) {
if (setup_used[x])
continue;
if (!strncmp(setup_args[x], key, strlen(key)))
break;
if (!strncmp(setup_args[x], "next", strlen("next")))
return 0;
}
if (x == MAX_SETUP_ARGS)
Reported by FlawFinder.
Line: 1819
Column: 39
CWE codes:
126
continue;
if (!strncmp(setup_args[x], key, strlen(key)))
break;
if (!strncmp(setup_args[x], "next", strlen("next")))
return 0;
}
if (x == MAX_SETUP_ARGS)
return 0;
setup_used[x] = 1;
Reported by FlawFinder.
Line: 1825
Column: 23
CWE codes:
126
if (x == MAX_SETUP_ARGS)
return 0;
setup_used[x] = 1;
cp = setup_args[x] + strlen(key);
*val = -1;
if (*cp != ':')
return ++x;
cp++;
if ((*cp >= '0') && (*cp <= '9')) {
Reported by FlawFinder.
drivers/target/loopback/tcm_loop.c
8 issues
Line: 1109
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* Start items for tcm_loop_cit */
static ssize_t tcm_loop_wwn_version_show(struct config_item *item, char *page)
{
return sprintf(page, "TCM Loopback Fabric module %s\n", TCM_LOOP_VERSION);
}
CONFIGFS_ATTR_RO(tcm_loop_wwn_, version);
static struct configfs_attribute *tcm_loop_wwn_attrs[] = {
Reported by FlawFinder.
Line: 566
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
((se_cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE) ||
(se_cmd->se_cmd_flags & SCF_EMULATED_TASK_SENSE))) {
memcpy(sc->sense_buffer, se_cmd->sense_buffer,
SCSI_SENSE_BUFFERSIZE);
sc->result = SAM_STAT_CHECK_CONDITION;
} else
sc->result = scsi_status;
Reported by FlawFinder.
Line: 678
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct tcm_loop_tpg *tl_tpg = container_of(se_tpg, struct tcm_loop_tpg,
tl_se_tpg);
return sprintf(page, "%d\n", tl_tpg->tl_fabric_prot_type);
}
static ssize_t tcm_loop_tpg_attrib_fabric_prot_type_store(
struct config_item *item, const char *page, size_t count)
{
Reported by FlawFinder.
Line: 812
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tcm_loop_tpg *tl_tpg = container_of(se_tpg,
struct tcm_loop_tpg, tl_se_tpg);
struct tcm_loop_hba *tl_hba = tl_tpg->tl_hba;
unsigned char i_port[TL_WWN_ADDR_LEN], *ptr, *port_ptr;
int ret;
/*
* Shutdown the active I_T nexus if 'NULL' is passed..
*/
if (!strncmp(page, "NULL", 4)) {
Reported by FlawFinder.
Line: 826
Column: 6
CWE codes:
126
* the fabric protocol_id set in tcm_loop_make_scsi_hba(), and call
* tcm_loop_make_nexus()
*/
if (strlen(page) >= TL_WWN_ADDR_LEN) {
pr_err("Emulated NAA Sas Address: %s, exceeds max: %d\n",
page, TL_WWN_ADDR_LEN);
return -EINVAL;
}
snprintf(&i_port[0], TL_WWN_ADDR_LEN, "%s", page);
Reported by FlawFinder.
Line: 870
Column: 13
CWE codes:
126
* Clear any trailing newline for the NAA WWN
*/
check_newline:
if (i_port[strlen(i_port)-1] == '\n')
i_port[strlen(i_port)-1] = '\0';
ret = tcm_loop_make_nexus(tl_tpg, port_ptr);
if (ret < 0)
return ret;
Reported by FlawFinder.
Line: 871
Column: 10
CWE codes:
126
*/
check_newline:
if (i_port[strlen(i_port)-1] == '\n')
i_port[strlen(i_port)-1] = '\0';
ret = tcm_loop_make_nexus(tl_tpg, port_ptr);
if (ret < 0)
return ret;
Reported by FlawFinder.
Line: 1062
Column: 6
CWE codes:
126
tl_hba->tl_proto_id = SCSI_PROTOCOL_ISCSI;
check_len:
if (strlen(name) >= TL_WWN_ADDR_LEN) {
pr_err("Emulated NAA %s Address: %s, exceeds max: %d\n",
name, tcm_loop_dump_proto_id(tl_hba), TL_WWN_ADDR_LEN);
ret = -EINVAL;
goto out;
}
Reported by FlawFinder.
drivers/usb/gadget/function/rndis.c
8 issues
Line: 903
Column: 3
CWE codes:
134
Suggestion:
Make format string constant
struct proc_dir_entry *proc_entry;
char name[20];
sprintf(name, NAME_TEMPLATE, i);
proc_entry = proc_create_data(name, 0660, NULL,
&rndis_proc_ops, params);
if (!proc_entry) {
kfree(params);
rndis_put_nr(i);
Reported by FlawFinder.
Line: 943
Column: 3
CWE codes:
134
Suggestion:
Make format string constant
{
char name[20];
sprintf(name, NAME_TEMPLATE, i);
remove_proc_entry(name, NULL);
}
#endif
kfree(params);
Reported by FlawFinder.
Line: 296
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_debug("%s: RNDIS_OID_GEN_VENDOR_DESCRIPTION\n", __func__);
if (params->vendorDescr) {
length = strlen(params->vendorDescr);
memcpy(outbuf, params->vendorDescr, length);
} else {
outbuf[0] = 0;
}
retval = 0;
break;
Reported by FlawFinder.
Line: 410
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_debug("%s: RNDIS_OID_802_3_PERMANENT_ADDRESS\n", __func__);
if (params->dev) {
length = ETH_ALEN;
memcpy(outbuf, params->host_mac, length);
retval = 0;
}
break;
/* mandatory */
Reported by FlawFinder.
Line: 420
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_debug("%s: RNDIS_OID_802_3_CURRENT_ADDRESS\n", __func__);
if (params->dev) {
length = ETH_ALEN;
memcpy(outbuf, params->host_mac, length);
retval = 0;
}
break;
/* mandatory */
Reported by FlawFinder.
Line: 901
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_USB_GADGET_DEBUG_FILES
{
struct proc_dir_entry *proc_entry;
char name[20];
sprintf(name, NAME_TEMPLATE, i);
proc_entry = proc_create_data(name, 0660, NULL,
&rndis_proc_ops, params);
if (!proc_entry) {
Reported by FlawFinder.
Line: 941
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_USB_GADGET_DEBUG_FILES
{
char name[20];
sprintf(name, NAME_TEMPLATE, i);
remove_proc_entry(name, NULL);
}
#endif
Reported by FlawFinder.
Line: 295
Column: 13
CWE codes:
126
case RNDIS_OID_GEN_VENDOR_DESCRIPTION:
pr_debug("%s: RNDIS_OID_GEN_VENDOR_DESCRIPTION\n", __func__);
if (params->vendorDescr) {
length = strlen(params->vendorDescr);
memcpy(outbuf, params->vendorDescr, length);
} else {
outbuf[0] = 0;
}
retval = 0;
Reported by FlawFinder.
drivers/usb/misc/chaoskey.c
8 issues
Line: 79
Column: 6
CWE codes:
362
char in_ep;
struct mutex lock;
struct mutex rng_lock;
int open; /* open count */
bool present; /* device not disconnected */
bool reading; /* ongoing IO */
bool reads_started; /* track first read for Alea */
int size; /* size of buf */
int valid; /* bytes of buf read */
Reported by FlawFinder.
Line: 242
Column: 12
CWE codes:
362
dev->present = false;
usb_poison_urb(dev->urb);
if (!dev->open) {
mutex_unlock(&dev->lock);
chaoskey_free(dev);
} else
mutex_unlock(&dev->lock);
Reported by FlawFinder.
Line: 271
Column: 9
CWE codes:
362
file->private_data = dev;
mutex_lock(&dev->lock);
++dev->open;
mutex_unlock(&dev->lock);
usb_dbg(interface, "open success");
return 0;
}
Reported by FlawFinder.
Line: 292
Column: 57
CWE codes:
362
mutex_lock(&dev->lock);
usb_dbg(interface, "open count at release is %d", dev->open);
if (dev->open <= 0) {
usb_dbg(interface, "invalid open count (%d)", dev->open);
mutex_unlock(&dev->lock);
return -ENODEV;
Reported by FlawFinder.
Line: 294
Column: 11
CWE codes:
362
usb_dbg(interface, "open count at release is %d", dev->open);
if (dev->open <= 0) {
usb_dbg(interface, "invalid open count (%d)", dev->open);
mutex_unlock(&dev->lock);
return -ENODEV;
}
Reported by FlawFinder.
Line: 295
Column: 54
CWE codes:
362
usb_dbg(interface, "open count at release is %d", dev->open);
if (dev->open <= 0) {
usb_dbg(interface, "invalid open count (%d)", dev->open);
mutex_unlock(&dev->lock);
return -ENODEV;
}
--dev->open;
Reported by FlawFinder.
Line: 300
Column: 9
CWE codes:
362
return -ENODEV;
}
--dev->open;
if (!dev->present) {
if (dev->open == 0) {
mutex_unlock(&dev->lock);
chaoskey_free(dev);
Reported by FlawFinder.
Line: 513
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (this_time > max)
this_time = max;
memcpy(data, dev->buf + dev->used, this_time);
dev->used += this_time;
mutex_unlock(&dev->lock);
Reported by FlawFinder.
drivers/staging/rtl8192u/ieee80211/ieee80211_crypt_ccmp.c
8 issues
Line: 131
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Nonce: QC | A2 | PN */
iv[1] = qc;
memcpy(iv + 2, hdr->addr2, ETH_ALEN);
memcpy(iv + 8, pn, CCMP_PN_LEN);
/* AAD:
* FC with bits 4..6 and 11..13 masked to zero; 14 is always one
* A1 | A2 | A3
Reported by FlawFinder.
Line: 132
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Nonce: QC | A2 | PN */
iv[1] = qc;
memcpy(iv + 2, hdr->addr2, ETH_ALEN);
memcpy(iv + 8, pn, CCMP_PN_LEN);
/* AAD:
* FC with bits 4..6 and 11..13 masked to zero; 14 is always one
* A1 | A2 | A3
* SC with bits 4..15 (seq#) masked to zero
Reported by FlawFinder.
Line: 144
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pos = (u8 *)hdr;
aad[0] = pos[0] & 0x8f;
aad[1] = pos[1] & 0xc7;
memcpy(aad + 2, hdr->addr1, 3 * ETH_ALEN);
pos = (u8 *)&hdr->seq_ctl;
aad[20] = pos[0] & 0x0f;
aad[21] = 0; /* all bits masked */
memset(aad + 22, 0, 8);
if (a4_included)
Reported by FlawFinder.
Line: 150
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
aad[21] = 0; /* all bits masked */
memset(aad + 22, 0, 8);
if (a4_included)
memcpy(aad + 22, hdr->addr4, ETH_ALEN);
if (qc_included) {
aad[a4_included ? 28 : 22] = qc;
/* rest of QC masked */
}
Reported by FlawFinder.
Line: 316
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -5;
}
memcpy(key->rx_pn, pn, CCMP_PN_LEN);
}
/* Remove hdr and MIC */
memmove(skb->data + CCMP_HDR_LEN, skb->data, hdr_len);
skb_pull(skb, CCMP_HDR_LEN);
skb_trim(skb, skb->len - CCMP_MIC_LEN);
Reported by FlawFinder.
Line: 336
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(data, 0, sizeof(*data));
data->key_idx = keyidx;
if (len == CCMP_TK_LEN) {
memcpy(data->key, key, CCMP_TK_LEN);
data->key_set = 1;
if (seq) {
data->rx_pn[0] = seq[5];
data->rx_pn[1] = seq[4];
data->rx_pn[2] = seq[3];
Reported by FlawFinder.
Line: 367
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!data->key_set)
return 0;
memcpy(key, data->key, CCMP_TK_LEN);
if (seq) {
seq[0] = data->tx_pn[5];
seq[1] = data->tx_pn[4];
seq[2] = data->tx_pn[3];
Reported by FlawFinder.
Line: 385
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct ieee80211_ccmp_data *ccmp = priv;
p += sprintf(p, "key[%d] alg=CCMP key_set=%d tx_pn=%pm rx_pn=%pm format_errors=%d replays=%d decrypt_errors=%d\n",
ccmp->key_idx, ccmp->key_set,
ccmp->tx_pn, ccmp->rx_pn,
ccmp->dot11RSNAStatsCCMPFormatErrors,
ccmp->dot11RSNAStatsCCMPReplays,
ccmp->dot11RSNAStatsCCMPDecryptErrors);
Reported by FlawFinder.
drivers/staging/wfx/hif_tx.c
8 issues
Line: 152
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!hif)
return -ENOMEM;
body->length = cpu_to_le16(len);
memcpy(body->pds_data, conf, len);
wfx_fill_header(hif, -1, HIF_REQ_ID_CONFIGURATION, buf_len);
ret = wfx_cmd_send(wdev, hif, NULL, 0, false);
kfree(hif);
return ret;
}
Reported by FlawFinder.
Line: 201
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
get_mib_name(mib_id), val_len,
le16_to_cpu(reply->length));
if (!ret)
memcpy(val, &reply->mib_data, le16_to_cpu(reply->length));
else
memset(val, 0xFF, val_len);
out:
kfree(hif);
kfree(reply);
Reported by FlawFinder.
Line: 222
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
body->mib_id = cpu_to_le16(mib_id);
body->length = cpu_to_le16(val_len);
memcpy(&body->mib_data, val, val_len);
wfx_fill_header(hif, vif_id, HIF_REQ_ID_WRITE_MIB, buf_len);
ret = wfx_cmd_send(wdev, hif, NULL, 0, false);
kfree(hif);
return ret;
}
Reported by FlawFinder.
Line: 245
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!hif)
return -ENOMEM;
for (i = 0; i < req->n_ssids; i++) {
memcpy(body->ssid_def[i].ssid, req->ssids[i].ssid,
IEEE80211_MAX_SSID_LEN);
body->ssid_def[i].ssid_length =
cpu_to_le32(req->ssids[i].ssid_len);
}
body->num_of_ssids = HIF_API_MAX_NB_SSIDS;
Reported by FlawFinder.
Line: 328
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(body->bssid, conf->bssid, sizeof(body->bssid));
if (ssid) {
body->ssid_length = cpu_to_le32(ssidlen);
memcpy(body->ssid, ssid, ssidlen);
}
wfx_fill_header(hif, wvif->id, HIF_REQ_ID_JOIN, sizeof(*body));
ret = wfx_cmd_send(wvif->wdev, hif, NULL, 0, false);
kfree(hif);
return ret;
Reported by FlawFinder.
Line: 364
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!hif)
return -ENOMEM;
// FIXME: swap bytes as necessary in body
memcpy(body, arg, sizeof(*body));
if (wfx_api_older_than(wdev, 1, 5))
// Legacy firmwares expect that add_key to be sent on right
// interface.
wfx_fill_header(hif, arg->int_id, HIF_REQ_ID_ADD_KEY,
sizeof(*body));
Reported by FlawFinder.
Line: 464
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
body->basic_rate_set =
cpu_to_le32(wfx_rate_mask_to_hw(wvif->wdev, conf->basic_rates));
body->ssid_length = conf->ssid_len;
memcpy(body->ssid, conf->ssid, conf->ssid_len);
wfx_fill_header(hif, wvif->id, HIF_REQ_ID_START, sizeof(*body));
ret = wfx_cmd_send(wvif->wdev, hif, NULL, 0, false);
kfree(hif);
return ret;
}
Reported by FlawFinder.
Line: 518
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
body->beacon = 1;
body->num_ies = cpu_to_le16(1);
memcpy(body->ie, ies, ies_len);
wfx_fill_header(hif, wvif->id, HIF_REQ_ID_UPDATE_IE, buf_len);
ret = wfx_cmd_send(wvif->wdev, hif, NULL, 0, false);
kfree(hif);
return ret;
}
Reported by FlawFinder.
drivers/thermal/thermal_core.c
8 issues
Line: 244
CWE codes:
570
{
struct thermal_governor **governor;
for_each_governor_table(governor)
thermal_unregister_governor(*governor);
}
static int __init thermal_register_governors(void)
{
Reported by Cppcheck.
Line: 253
CWE codes:
570
int ret = 0;
struct thermal_governor **governor;
for_each_governor_table(governor) {
ret = thermal_register_governor(*governor);
if (ret) {
pr_err("Failed to register governor: '%s'",
(*governor)->name);
break;
Reported by Cppcheck.
Line: 268
CWE codes:
570
if (ret) {
struct thermal_governor **gov;
for_each_governor_table(gov) {
if (gov == governor)
break;
thermal_unregister_governor(*gov);
}
}
Reported by Cppcheck.
Line: 672
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
goto free_mem;
dev->id = result;
sprintf(dev->name, "cdev%d", dev->id);
result =
sysfs_create_link(&tz->device.kobj, &cdev->device.kobj, dev->name);
if (result)
goto release_ida;
Reported by FlawFinder.
Line: 678
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (result)
goto release_ida;
sprintf(dev->attr_name, "cdev%d_trip_point", dev->id);
sysfs_attr_init(&dev->attr.attr);
dev->attr.attr.name = dev->attr_name;
dev->attr.attr.mode = 0444;
dev->attr.show = trip_point_show;
result = device_create_file(&tz->device, &dev->attr);
Reported by FlawFinder.
Line: 687
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (result)
goto remove_symbol_link;
sprintf(dev->weight_attr_name, "cdev%d_weight", dev->id);
sysfs_attr_init(&dev->weight_attr.attr);
dev->weight_attr.attr.name = dev->weight_attr_name;
dev->weight_attr.attr.mode = S_IWUSR | S_IRUGO;
dev->weight_attr.show = weight_show;
dev->weight_attr.store = weight_store;
Reported by FlawFinder.
Line: 1191
Column: 15
CWE codes:
126
int count;
struct thermal_governor *governor;
if (!type || strlen(type) == 0) {
pr_err("Error: No thermal zone type defined\n");
return ERR_PTR(-EINVAL);
}
if (type && strlen(type) >= THERMAL_NAME_LENGTH) {
Reported by FlawFinder.
Line: 1196
Column: 14
CWE codes:
126
return ERR_PTR(-EINVAL);
}
if (type && strlen(type) >= THERMAL_NAME_LENGTH) {
pr_err("Error: Thermal zone name (%s) too long, should be under %d chars\n",
type, THERMAL_NAME_LENGTH);
return ERR_PTR(-EINVAL);
}
Reported by FlawFinder.
drivers/tty/serial/sh-sci.c
8 issues
Line: 131
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long clk_rates[SCI_NUM_CLKS];
int irqs[SCIx_NR_IRQS];
char *irqstr[SCIx_NR_IRQS];
struct dma_chan *chan_tx;
struct dma_chan *chan_rx;
#ifdef CONFIG_SERIAL_SH_SCI_DMA
Reported by FlawFinder.
Line: 1111
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct uart_port *port = dev_get_drvdata(dev);
struct sci_port *sci = to_sci_port(port);
return sprintf(buf, "%d\n", sci->rx_trigger);
}
static ssize_t rx_fifo_trigger_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 1149
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else
v = sci->rx_fifo_timeout;
return sprintf(buf, "%d\n", v);
}
static ssize_t rx_fifo_timeout_store(struct device *dev,
struct device_attribute *attr,
const char *buf,
Reported by FlawFinder.
Line: 3083
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
.index = -1,
};
static char early_serial_buf[32];
static int sci_probe_earlyprintk(struct platform_device *pdev)
{
const struct plat_sci_port *cfg = dev_get_platdata(&pdev->dev);
Reported by FlawFinder.
Line: 3423
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
device->port.serial_in = sci_serial_in;
device->port.serial_out = sci_serial_out;
device->port.type = type;
memcpy(&sci_ports[0].port, &device->port, sizeof(struct uart_port));
port_cfg.type = type;
sci_ports[0].cfg = &port_cfg;
sci_ports[0].params = sci_probe_regmap(&port_cfg);
port_cfg.scscr = sci_serial_in(&sci_ports[0].port, SCSCR);
sci_serial_out(&sci_ports[0].port, SCSCR,
Reported by FlawFinder.
Line: 1475
Column: 15
CWE codes:
120
20
struct dma_tx_state state;
enum dma_status status;
unsigned long flags;
unsigned int read;
int active, count;
dev_dbg(port->dev, "DMA Rx timed out\n");
spin_lock_irqsave(&port->lock, flags);
Reported by FlawFinder.
Line: 1517
Column: 6
CWE codes:
120
20
dmaengine_terminate_async(s->chan_rx);
read = sg_dma_len(&s->sg_rx[active]) - state.residue;
if (read) {
count = sci_dma_rx_push(s, s->rx_buf[active], read);
if (count)
tty_flip_buffer_push(&port->state->port);
}
Reported by FlawFinder.
Line: 1518
Column: 49
CWE codes:
120
20
read = sg_dma_len(&s->sg_rx[active]) - state.residue;
if (read) {
count = sci_dma_rx_push(s, s->rx_buf[active], read);
if (count)
tty_flip_buffer_push(&port->state->port);
}
if (port->type == PORT_SCIFA || port->type == PORT_SCIFB)
Reported by FlawFinder.
drivers/staging/greybus/audio_topology.c
8 issues
Line: 22
Column: 15
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct gbaudio_ctl_pvt {
unsigned int ctl_id;
unsigned int data_cport;
unsigned int access;
unsigned int vcount;
struct gb_audio_ctl_elem_info *info;
};
static struct gbaudio_module_info *find_gb_module(
Reported by FlawFinder.
Line: 38
Column: 6
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
if (!name)
return NULL;
if (sscanf(name, "%s %d", begin, &dev_id) != 2)
return NULL;
dev_dbg(codec->dev, "%s:Find module#%d\n", __func__, dev_id);
mutex_lock(&codec->lock);
Reported by FlawFinder.
Line: 183
Column: 24
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
}
/* update uinfo */
uinfo->access = data->access;
uinfo->count = data->vcount;
uinfo->type = (__force snd_ctl_elem_type_t)info->type;
switch (info->type) {
case GB_AUDIO_CTL_ELEM_TYPE_BOOLEAN:
Reported by FlawFinder.
Line: 692
Column: 39
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return -ENOMEM;
ctldata->ctl_id = ctl->id;
ctldata->data_cport = le16_to_cpu(ctl->data_cport);
ctldata->access = le32_to_cpu(ctl->access);
ctldata->vcount = ctl->count_values;
ctldata->info = &ctl->info;
*kctl = (struct snd_kcontrol_new)
SOC_MIXER_GB(ctl->name, ctl->count, ctldata);
ctldata = NULL;
Reported by FlawFinder.
Line: 890
Column: 37
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return -ENOMEM;
ctldata->ctl_id = ctl->id;
ctldata->data_cport = le16_to_cpu(ctl->data_cport);
ctldata->access = le32_to_cpu(ctl->access);
ctldata->vcount = ctl->count_values;
ctldata->info = &ctl->info;
*kctl = (struct snd_kcontrol_new)
SOC_DAPM_MIXER_GB(ctl->name, ctl->count, ctldata);
Reported by FlawFinder.
Line: 32
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char const *name)
{
int dev_id;
char begin[NAME_SIZE];
struct gbaudio_module_info *module;
if (!name)
return NULL;
Reported by FlawFinder.
Line: 986
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct gb_audio_control *curr;
struct gbaudio_control *control, *_control;
size_t size;
char temp_name[NAME_SIZE];
ret = gbaudio_validate_kcontrol_count(w);
if (ret) {
dev_err(module->dev, "Invalid kcontrol count=%d for %s\n",
w->ncontrols, w->name);
Reported by FlawFinder.
Line: 1147
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct gb_audio_control *curr;
struct gbaudio_control *control, *_control;
size_t size;
char temp_name[NAME_SIZE];
size = sizeof(struct snd_kcontrol_new) * module->num_controls;
dapm_kctls = devm_kzalloc(module->dev, size, GFP_KERNEL);
if (!dapm_kctls)
return -ENOMEM;
Reported by FlawFinder.