The following issues were found
drivers/power/supply/test_power.c
8 issues
Line: 355
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Getter for the ac_online parameter: looks up the string that
 * map_get_key() returns for the current ac_online value in map_ac_online
 * (passing "unknown" as the third argument) and writes it, followed by a
 * newline, into @buffer.
 *
 * @buffer: destination for the formatted text.
 * @kp:     not used by this function.
 *
 * Returns whatever sprintf() returns, i.e. the number of characters written.
 *
 * NOTE(review): sprintf() is given no size for @buffer, so the write is
 * limited only by the length of the string map_get_key() hands back.
 * Confirm the size the caller guarantees for @buffer and prefer a
 * length-limited formatter.
 */
static int param_get_ac_online(char *buffer, const struct kernel_param *kp)
{
	const char *label = map_get_key(map_ac_online, ac_online, "unknown");

	return sprintf(buffer, "%s\n", label);
}
static int param_set_usb_online(const char *key, const struct kernel_param *kp)
{
Reported by FlawFinder.
Line: 368
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Getter for the usb_online parameter: looks up the string that
 * map_get_key() returns for the current usb_online value in map_ac_online
 * (passing "unknown" as the third argument) and writes it, followed by a
 * newline, into @buffer.
 *
 * @buffer: destination for the formatted text.
 * @kp:     not used by this function.
 *
 * Returns whatever sprintf() returns, i.e. the number of characters written.
 *
 * NOTE(review): sprintf() is given no size for @buffer; the output length
 * depends entirely on the string map_get_key() returns. Confirm the
 * caller's buffer size and prefer a length-limited formatter.
 */
static int param_get_usb_online(char *buffer, const struct kernel_param *kp)
{
	const char *label = map_get_key(map_ac_online, usb_online, "unknown");

	return sprintf(buffer, "%s\n", label);
}
static int param_set_battery_status(const char *key,
const struct kernel_param *kp)
Reported by FlawFinder.
Line: 382
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Getter for the battery_status parameter: writes the string that
 * map_get_key() returns for the current battery_status value, followed by
 * a newline, into @buffer.
 *
 * @buffer: destination for the formatted text.
 * @kp:     not used by this function.
 *
 * Returns whatever sprintf() returns, i.e. the number of characters written.
 *
 * NOTE(review): the lookup table passed here is map_ac_online, although the
 * value being translated is battery_status. This looks like a copy-paste
 * slip; confirm which map the getter is meant to use.
 *
 * NOTE(review): sprintf() is given no size for @buffer; confirm the
 * caller's buffer size and prefer a length-limited formatter.
 */
static int param_get_battery_status(char *buffer, const struct kernel_param *kp)
{
	const char *text = map_get_key(map_ac_online, battery_status, "unknown");

	return sprintf(buffer, "%s\n", text);
}
static int param_set_battery_health(const char *key,
const struct kernel_param *kp)
Reported by FlawFinder.
Line: 396
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Getter for the battery_health parameter: writes the string that
 * map_get_key() returns for the current battery_health value, followed by
 * a newline, into @buffer.
 *
 * @buffer: destination for the formatted text.
 * @kp:     not used by this function.
 *
 * Returns whatever sprintf() returns, i.e. the number of characters written.
 *
 * NOTE(review): the lookup table passed here is map_ac_online, although the
 * value being translated is battery_health. This looks like a copy-paste
 * slip; confirm which map the getter is meant to use.
 *
 * NOTE(review): sprintf() is given no size for @buffer; confirm the
 * caller's buffer size and prefer a length-limited formatter.
 */
static int param_get_battery_health(char *buffer, const struct kernel_param *kp)
{
	const char *text = map_get_key(map_ac_online, battery_health, "unknown");

	return sprintf(buffer, "%s\n", text);
}
static int param_set_battery_present(const char *key,
const struct kernel_param *kp)
Reported by FlawFinder.
Line: 411
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Getter for the battery_present parameter: writes the string that
 * map_get_key() returns for the current battery_present value, followed by
 * a newline, into @buffer.
 *
 * @buffer: destination for the formatted text.
 * @kp:     not used by this function.
 *
 * Returns whatever sprintf() returns, i.e. the number of characters written.
 *
 * NOTE(review): the lookup table passed here is map_ac_online, although the
 * value being translated is battery_present. This may be a copy-paste slip;
 * confirm which map the getter is meant to use.
 *
 * NOTE(review): sprintf() is given no size for @buffer; confirm the
 * caller's buffer size and prefer a length-limited formatter.
 */
static int param_get_battery_present(char *buffer,
				     const struct kernel_param *kp)
{
	const char *text = map_get_key(map_ac_online, battery_present, "unknown");

	return sprintf(buffer, "%s\n", text);
}
static int param_set_battery_technology(const char *key,
const struct kernel_param *kp)
Reported by FlawFinder.
Line: 427
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Getter for the battery_technology parameter: writes the string that
 * map_get_key() returns for the current battery_technology value, followed
 * by a newline, into @buffer.
 *
 * @buffer: destination for the formatted text.
 * @kp:     not used by this function.
 *
 * Returns whatever sprintf() returns, i.e. the number of characters written.
 *
 * NOTE(review): the lookup table passed here is map_ac_online, although the
 * value being translated is battery_technology. This looks like a
 * copy-paste slip; confirm which map the getter is meant to use.
 *
 * NOTE(review): sprintf() is given no size for @buffer; confirm the
 * caller's buffer size and prefer a length-limited formatter.
 */
static int param_get_battery_technology(char *buffer,
					const struct kernel_param *kp)
{
	const char *text = map_get_key(map_ac_online, battery_technology,
				       "unknown");

	return sprintf(buffer, "%s\n", text);
}
static int param_set_battery_capacity(const char *key,
Reported by FlawFinder.
Line: 306
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int map_get_value(struct battery_property_map *map, const char *key,
int def_val)
{
char buf[MAX_KEYLENGTH];
int cr;
strncpy(buf, key, MAX_KEYLENGTH);
buf[MAX_KEYLENGTH-1] = '\0';
Reported by FlawFinder.
Line: 309
Column: 2
CWE codes:
120
char buf[MAX_KEYLENGTH];
int cr;
strncpy(buf, key, MAX_KEYLENGTH);
buf[MAX_KEYLENGTH-1] = '\0';
cr = strnlen(buf, MAX_KEYLENGTH) - 1;
if (cr < 0)
return def_val;
Reported by FlawFinder.
drivers/rtc/rtc-pcf8583.c
8 issues
Line: 51
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pcf8583_get_datetime(struct i2c_client *client, struct rtc_time *dt)
{
unsigned char buf[8], addr[1] = { 1 };
struct i2c_msg msgs[2] = {
{
.addr = client->addr,
.flags = 0,
.len = 1,
Reported by FlawFinder.
Line: 89
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pcf8583_set_datetime(struct i2c_client *client, struct rtc_time *dt, int datetoo)
{
unsigned char buf[8];
int ret, len = 6;
buf[0] = 0;
buf[1] = get_ctrl(client) | 0x80;
buf[2] = 0;
Reported by FlawFinder.
Line: 123
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pcf8583_set_ctrl(struct i2c_client *client, unsigned char *ctrl)
{
unsigned char buf[2];
buf[0] = 0;
buf[1] = *ctrl;
set_ctrl(client, *ctrl);
Reported by FlawFinder.
Line: 134
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pcf8583_read_mem(struct i2c_client *client, struct rtc_mem *mem)
{
unsigned char addr[1];
struct i2c_msg msgs[2] = {
{
.addr = client->addr,
.flags = 0,
.len = 1,
Reported by FlawFinder.
Line: 159
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pcf8583_write_mem(struct i2c_client *client, struct rtc_mem *mem)
{
unsigned char buf[9];
int ret;
if (mem->loc < 8 || mem->nr > 8)
return -EINVAL;
Reported by FlawFinder.
Line: 166
Column: 2
CWE codes:
120
Suggestion:
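Make sure destination can always hold the source data. In this function buf is 9 bytes and the guard above returns -EINVAL when mem->nr > 8, so (assuming mem->nr is an unsigned type) the copy of mem->nr bytes to buf + 1 stays inside buf.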
return -EINVAL;
buf[0] = mem->loc;
memcpy(buf + 1, mem->data, mem->nr);
ret = i2c_master_send(client, buf, mem->nr + 1);
return ret == mem->nr + 1 ? 0 : -EIO;
}
Reported by FlawFinder.
Line: 175
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pcf8583_rtc_read_time(struct device *dev, struct rtc_time *tm)
{
struct i2c_client *client = to_i2c_client(dev);
unsigned char ctrl, year[2];
struct rtc_mem mem = {
.loc = CMOS_YEAR,
.nr = sizeof(year),
.data = year
};
Reported by FlawFinder.
Line: 225
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pcf8583_rtc_set_time(struct device *dev, struct rtc_time *tm)
{
struct i2c_client *client = to_i2c_client(dev);
unsigned char year[2], chk;
struct rtc_mem cmos_year = {
.loc = CMOS_YEAR,
.nr = sizeof(year),
.data = year
};
Reported by FlawFinder.
drivers/scsi/fcoe/fcoe.c
8 issues
Line: 323
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for_each_dev_addr(real_dev, ha) {
if ((ha->type == NETDEV_HW_ADDR_T_SAN) &&
(is_valid_ether_addr(ha->addr))) {
memcpy(fip->ctl_src_addr, ha->addr, ETH_ALEN);
fip->spma = 1;
break;
}
}
rcu_read_unlock();
Reported by FlawFinder.
Line: 332
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* setup Source Mac Address */
if (!fip->spma)
memcpy(fip->ctl_src_addr, netdev->dev_addr, netdev->addr_len);
/*
* Add FCoE MAC address as second unicast MAC address
* or enter promiscuous mode if not capable of listening
* for multiple unicast MACs.
Reported by FlawFinder.
Line: 599
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_uc_del(fcoe->netdev, port->data_src_addr);
if (!is_zero_ether_addr(addr))
dev_uc_add(fcoe->netdev, addr);
memcpy(port->data_src_addr, addr, ETH_ALEN);
}
/**
* fcoe_get_src_mac() - return the Ethernet source address for an lport
* @lport: libfc lport
Reported by FlawFinder.
Line: 1563
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* fill up mac and fcoe headers */
eh = eth_hdr(skb);
eh->h_proto = htons(ETH_P_FCOE);
memcpy(eh->h_dest, ctlr->dest_addr, ETH_ALEN);
if (ctlr->map_dest)
memcpy(eh->h_dest + 3, fh->fh_d_id, 3);
if (unlikely(ctlr->flogi_oxid != FC_XID_UNKNOWN))
memcpy(eh->h_source, ctlr->ctl_src_addr, ETH_ALEN);
Reported by FlawFinder.
Line: 1565
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
eh->h_proto = htons(ETH_P_FCOE);
memcpy(eh->h_dest, ctlr->dest_addr, ETH_ALEN);
if (ctlr->map_dest)
memcpy(eh->h_dest + 3, fh->fh_d_id, 3);
if (unlikely(ctlr->flogi_oxid != FC_XID_UNKNOWN))
memcpy(eh->h_source, ctlr->ctl_src_addr, ETH_ALEN);
else
memcpy(eh->h_source, port->data_src_addr, ETH_ALEN);
Reported by FlawFinder.
Line: 1568
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(eh->h_dest + 3, fh->fh_d_id, 3);
if (unlikely(ctlr->flogi_oxid != FC_XID_UNKNOWN))
memcpy(eh->h_source, ctlr->ctl_src_addr, ETH_ALEN);
else
memcpy(eh->h_source, port->data_src_addr, ETH_ALEN);
hp = (struct fcoe_hdr *)(eh + 1);
memset(hp, 0, sizeof(*hp));
Reported by FlawFinder.
Line: 1570
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(ctlr->flogi_oxid != FC_XID_UNKNOWN))
memcpy(eh->h_source, ctlr->ctl_src_addr, ETH_ALEN);
else
memcpy(eh->h_source, port->data_src_addr, ETH_ALEN);
hp = (struct fcoe_hdr *)(eh + 1);
memset(hp, 0, sizeof(*hp));
if (FC_FCOE_VER)
FC_FCOE_ENCAPS_VER(hp, FC_FCOE_VER);
Reported by FlawFinder.
Line: 2661
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct net_device *netdev = fcoe->netdev;
struct fc_lport *vn_port;
int rc;
char buf[32];
rc = fcoe_validate_vport_create(vport);
if (rc) {
fcoe_wwn_to_str(vport->port_name, buf, sizeof(buf));
printk(KERN_ERR "fcoe: Failed to create vport, "
Reported by FlawFinder.
drivers/platform/x86/think-lmi.c
8 issues
Line: 250
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kfree(obj);
return -EIO;
}
memcpy(pwdcfg, obj->buffer.pointer, sizeof(struct tlmi_pwdcfg));
kfree(obj);
return 0;
}
static int tlmi_save_bios_settings(const char *password)
Reported by FlawFinder.
Line: 450
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!length || length >= TLMI_LANG_MAXLEN)
return -EINVAL;
memcpy(setting->kbdlang, buf, length);
setting->kbdlang[length] = '\0';
return count;
}
static struct kobj_attribute auth_kbdlang = __ATTR_RW(kbdlang);
Reported by FlawFinder.
Line: 658
Column: 9
CWE codes:
120
Suggestion:
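Use sprintf_s, snprintf, or vsnprintf. For a sysfs show callback such as this one, the kernel's bounded helper is sysfs_emit(), which this file already uses elsewhere.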
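/*
 * sysfs show callback for the pending_reboot attribute: prints
 * tlmi_priv.pending_changes as a decimal integer followed by a newline.
 *
 * @kobj: not used by this function.
 * @attr: not used by this function.
 * @buf:  output buffer handed in by sysfs.
 *
 * Returns the number of characters written to @buf.
 */
static ssize_t pending_reboot_show(struct kobject *kobj, struct kobj_attribute *attr,
				   char *buf)
{
	/*
	 * sysfs_emit() limits the write to the sysfs page buffer, so the bound
	 * no longer depends on the formatted value happening to be short, as
	 * it did with sprintf().
	 */
	return sysfs_emit(buf, "%d\n", tlmi_priv.pending_changes);
}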
static struct kobj_attribute pending_reboot = __ATTR_RO(pending_reboot);
/* ---- Initialisation --------------------------------------------------------- */
Reported by FlawFinder.
Line: 169
Column: 37
CWE codes:
126
/* Utility function to execute WMI call to BIOS */
static int tlmi_simple_call(const char *guid, const char *arg)
{
const struct acpi_buffer input = { strlen(arg), (char *)arg };
struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };
acpi_status status;
int i, err;
/*
Reported by FlawFinder.
Line: 280
Column: 37
CWE codes:
126
static int tlmi_get_bios_selections(const char *item, char **value)
{
const struct acpi_buffer input = { strlen(item), (char *)item };
struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };
acpi_status status;
int ret;
status = wmi_evaluate_method(LENOVO_GET_BIOS_SELECTIONS_GUID,
Reported by FlawFinder.
Line: 317
Column: 11
CWE codes:
126
size_t pwdlen;
char *p;
pwdlen = strlen(buf);
/* pwdlen == 0 is allowed to clear the password */
if (pwdlen && ((pwdlen < setting->minlen) || (pwdlen > setting->maxlen)))
return -EINVAL;
strscpy(setting->password, buf, setting->maxlen);
Reported by FlawFinder.
Line: 354
Column: 11
CWE codes:
126
p = strchrnul(new_pwd, '\n');
*p = '\0';
pwdlen = strlen(new_pwd);
/* pwdlen == 0 is allowed to clear the password */
if (pwdlen && ((pwdlen < setting->minlen) || (pwdlen > setting->maxlen))) {
ret = -EINVAL;
goto out;
}
Reported by FlawFinder.
Line: 504
Column: 34
CWE codes:
126
/* validate and split from `item,value` -> `value` */
value = strpbrk(item, ",");
if (!value || value == item || !strlen(value + 1))
return -EINVAL;
ret = sysfs_emit(buf, "%s\n", value + 1);
kfree(item);
return ret;
Reported by FlawFinder.
drivers/platform/mellanox/mlxbf-pmc.c
8 issues
Line: 1086
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!evt_name)
return -EINVAL;
return sprintf(buf, "0x%llx: %s\n", evt_num, evt_name);
}
/* Store function for "event" sysfs files */
static ssize_t mlxbf_pmc_event_store(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
Line: 1141
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -EINVAL;
for (i = 0, buf[0] = '\0'; i < size; ++i) {
len += sprintf(e_info, "0x%x: %s\n", events[i].evt_num,
events[i].evt_name);
if (len > PAGE_SIZE)
break;
strcat(buf, e_info);
ret = len;
Reported by FlawFinder.
Line: 1145
Column: 3
CWE codes:
120
Suggestion:
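Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Note for triage: the guard in this loop is `len > PAGE_SIZE`, so when len equals PAGE_SIZE the strcat() still runs and its terminating NUL lands one byte past a PAGE_SIZE buffer, if buf is the usual sysfs page; `len >= PAGE_SIZE` would close that gap.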
events[i].evt_name);
if (len > PAGE_SIZE)
break;
strcat(buf, e_info);
ret = len;
}
return ret;
}
Reported by FlawFinder.
Line: 139
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint32_t total_blocks;
uint32_t tile_count;
struct device *hwmon_dev;
const char *block_name[MLXBF_PMC_MAX_BLOCKS];
struct mlxbf_pmc_block_info block[MLXBF_PMC_MAX_BLOCKS];
const struct attribute_group *groups[MLXBF_PMC_MAX_BLOCKS];
bool svc_sreg_support;
uint32_t sreg_tbl_perf;
unsigned int event_set;
Reported by FlawFinder.
Line: 1010
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
} else
return -EINVAL;
return sprintf(buf, "0x%llx\n", value);
}
/* Store function for "counter" sysfs files */
static ssize_t mlxbf_pmc_counter_store(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
Line: 1080
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
err = mlxbf_pmc_read_event(blk_num, cnt_num, is_l3, &evt_num);
if (err)
return sprintf(buf, "No event being monitored\n");
evt_name = mlxbf_pmc_get_event_name(pmc->block_name[blk_num], evt_num);
if (!evt_name)
return -EINVAL;
Reported by FlawFinder.
Line: 1132
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
attr, struct mlxbf_pmc_attribute, dev_attr);
int blk_num, i, size, len = 0, ret = 0;
const struct mlxbf_pmc_events *events;
char e_info[MLXBF_PMC_EVENT_INFO_LEN];
blk_num = attr_event_list->nr;
events = mlxbf_pmc_event_list(pmc->block_name[blk_num], &size);
if (!events)
Reported by FlawFinder.
Line: 1170
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
value = FIELD_GET(MLXBF_PMC_L3C_PERF_CNT_CFG_EN, perfcnt_cfg);
return sprintf(buf, "%d\n", value);
}
/* Store function for "enable" sysfs files - only for l3cache */
static ssize_t mlxbf_pmc_enable_store(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
drivers/net/wireless/marvell/mwifiex/ie.c
8 issues
Line: 112
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -1;
tmp = (u8 *)&priv->mgmt_ie[index].ie_buffer;
memcpy(tmp, &ie->ie_buffer, le16_to_cpu(ie->ie_length));
priv->mgmt_ie[index].ie_length = ie->ie_length;
priv->mgmt_ie[index].ie_index = cpu_to_le16(index);
priv->mgmt_ie[index].mgmt_subtype_mask =
cpu_to_le16(mask);
Reported by FlawFinder.
Line: 130
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -1;
ie->ie_length = 0;
memcpy(&priv->mgmt_ie[index], ie,
sizeof(struct mwifiex_ie));
}
le16_unaligned_add_cpu(&ie_list->len,
le16_to_cpu(
Reported by FlawFinder.
Line: 174
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (beacon_ie) {
len = sizeof(struct mwifiex_ie) - IEEE_MAX_IE_SIZE +
le16_to_cpu(beacon_ie->ie_length);
memcpy(pos, beacon_ie, len);
pos += len;
le16_unaligned_add_cpu(&ap_custom_ie->len, len);
}
if (pr_ie) {
len = sizeof(struct mwifiex_ie) - IEEE_MAX_IE_SIZE +
Reported by FlawFinder.
Line: 181
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pr_ie) {
len = sizeof(struct mwifiex_ie) - IEEE_MAX_IE_SIZE +
le16_to_cpu(pr_ie->ie_length);
memcpy(pos, pr_ie, len);
pos += len;
le16_unaligned_add_cpu(&ap_custom_ie->len, len);
}
if (ar_ie) {
len = sizeof(struct mwifiex_ie) - IEEE_MAX_IE_SIZE +
Reported by FlawFinder.
Line: 188
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ar_ie) {
len = sizeof(struct mwifiex_ie) - IEEE_MAX_IE_SIZE +
le16_to_cpu(ar_ie->ie_length);
memcpy(pos, ar_ie, len);
pos += len;
le16_unaligned_add_cpu(&ap_custom_ie->len, len);
}
ret = mwifiex_update_autoindex_ies(priv, ap_custom_ie);
Reported by FlawFinder.
Line: 247
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (le16_to_cpu(ie->ie_length) + vs_ie->len + 2 >
IEEE_MAX_IE_SIZE)
return -EINVAL;
memcpy(ie->ie_buffer + le16_to_cpu(ie->ie_length),
vs_ie, vs_ie->len + 2);
le16_unaligned_add_cpu(&ie->ie_length, vs_ie->len + 2);
ie->mgmt_subtype_mask = cpu_to_le16(mask);
ie->ie_index = cpu_to_le16(MWIFIEX_AUTO_IDX_MASK);
}
Reported by FlawFinder.
Line: 383
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = -EINVAL;
goto out;
}
memcpy(gen_ie->ie_buffer + ie_len, hdr, token_len);
ie_len += token_len;
break;
}
left_len -= token_len;
parsed_len += token_len;
Reported by FlawFinder.
Line: 403
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = -EINVAL;
goto out;
}
memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, token_len);
ie_len += token_len;
}
if (!ie_len)
goto out;
Reported by FlawFinder.
drivers/pwm/sysfs.c
8 issues
Line: 174
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
break;
}
return sprintf(buf, "%s\n", polarity);
}
static ssize_t polarity_store(struct device *child,
struct device_attribute *attr,
const char *buf, size_t size)
Reported by FlawFinder.
Line: 45
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
pwm_get_state(pwm, &state);
return sprintf(buf, "%llu\n", state.period);
}
static ssize_t period_store(struct device *child,
struct device_attribute *attr,
const char *buf, size_t size)
Reported by FlawFinder.
Line: 80
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
pwm_get_state(pwm, &state);
return sprintf(buf, "%llu\n", state.duty_cycle);
}
static ssize_t duty_cycle_store(struct device *child,
struct device_attribute *attr,
const char *buf, size_t size)
Reported by FlawFinder.
Line: 115
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
pwm_get_state(pwm, &state);
return sprintf(buf, "%d\n", state.enabled);
}
static ssize_t enable_store(struct device *child,
struct device_attribute *attr,
const char *buf, size_t size)
Reported by FlawFinder.
Line: 215
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret)
return ret;
return sprintf(buf, "%u %u\n", result.period, result.duty_cycle);
}
static DEVICE_ATTR_RW(period);
static DEVICE_ATTR_RW(duty_cycle);
static DEVICE_ATTR_RW(enable);
Reported by FlawFinder.
Line: 244
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pwm_export_child(struct device *parent, struct pwm_device *pwm)
{
struct pwm_export *export;
char *pwm_prop[2];
int ret;
if (test_and_set_bit(PWMF_EXPORTED, &pwm->flags))
return -EBUSY;
Reported by FlawFinder.
Line: 288
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pwm_unexport_child(struct device *parent, struct pwm_device *pwm)
{
struct device *child;
char *pwm_prop[2];
if (!test_and_clear_bit(PWMF_EXPORTED, &pwm->flags))
return -ENODEV;
child = device_find_child(parent, pwm, pwm_unexport_match);
Reported by FlawFinder.
Line: 364
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
const struct pwm_chip *chip = dev_get_drvdata(parent);
return sprintf(buf, "%u\n", chip->npwm);
}
static DEVICE_ATTR_RO(npwm);
static struct attribute *pwm_chip_attrs[] = {
&dev_attr_export.attr,
Reported by FlawFinder.
drivers/s390/char/con3270.c
8 issues
Line: 97
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char *str;
str = (cp->nr_up != 0) ? "History" : "Running";
memcpy(cp->status->string + 24, str, 7);
codepage_convert(cp->view.ascebc, cp->status->string + 24, 7);
cp->update_flags |= CON_UPDATE_STATUS;
}
static void
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cp->status = alloc_string(&cp->freemem, sizeof(blueprint));
/* Copy blueprint to status line */
memcpy(cp->status->string, blueprint, sizeof(blueprint));
/* Set TO_RA addresses. */
raw3270_buffer_address(cp->view.dev, cp->status->string + 1,
cp->view.cols * (cp->view.rows - 1));
raw3270_buffer_address(cp->view.dev, cp->status->string + 21,
cp->view.cols * cp->view.rows - 8);
Reported by FlawFinder.
Line: 213
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct con3270 *cp = from_timer(cp, t, timer);
struct raw3270_request *wrq;
char wcc, prolog[6];
unsigned long flags;
unsigned long updated;
struct string *s, *n;
int rc;
Reported by FlawFinder.
Line: 470
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size = (cp->cline->len < cp->view.cols - 5) ?
cp->cline->len + 4 : cp->view.cols;
s = con3270_alloc_string(cp, size);
memcpy(s->string, cp->cline->string, cp->cline->len);
if (cp->cline->len < cp->view.cols - 5) {
s->string[s->len - 4] = TO_RA;
s->string[s->len - 1] = 0;
} else {
while (--size >= cp->cline->len)
Reported by FlawFinder.
Line: 60
Column: 26
CWE codes:
120
20
/* Input stuff. */
struct string *input; /* input string for read request. */
struct raw3270_request *read; /* single read request. */
struct raw3270_request *kreset; /* single keyboard reset request. */
struct tasklet_struct readlet; /* tasklet to issue read request. */
};
static struct con3270 *condev;
Reported by FlawFinder.
Line: 350
Column: 12
CWE codes:
120
20
raw3270_deactivate_view(&cp->view);
raw3270_request_reset(rrq);
xchg(&cp->read, rrq);
raw3270_put_view(&cp->view);
}
/*
* Read request completion callback.
Reported by FlawFinder.
Line: 374
Column: 18
CWE codes:
120
20
struct raw3270_request *rrq;
int rc;
rrq = xchg(&cp->read, 0);
if (!rrq)
/* Read already scheduled. */
return;
rrq->callback = con3270_read_callback;
rrq->callback_data = cp;
Reported by FlawFinder.
Line: 630
Column: 32
CWE codes:
120
20
timer_setup(&condev->timer, con3270_update, 0);
tasklet_init(&condev->readlet,
(void (*)(unsigned long)) con3270_read_tasklet,
(unsigned long) condev->read);
raw3270_add_view(&condev->view, &con3270_fn, 1, RAW3270_VIEW_LOCK_IRQ);
INIT_LIST_HEAD(&condev->freemem);
for (i = 0; i < CON3270_STRING_PAGES; i++) {
Reported by FlawFinder.
drivers/rapidio/rio-sysfs.c
8 issues
Line: 24
Column: 9
CWE codes:
134
Suggestion:
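Make format string constant. In this excerpt format_string is a parameter of the rio_config_attr() macro and the visible expansions pass string literals, so the format is constant after preprocessing; check every expansion of the macro before treating this as a variable format string.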
{ \
struct rio_dev *rdev = to_rio_dev(dev); \
\
return sprintf(buf, format_string, rdev->field); \
} \
static DEVICE_ATTR_RO(field);
rio_config_attr(did, "0x%04x\n");
rio_config_attr(vid, "0x%04x\n");
Reported by FlawFinder.
Line: 61
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct rio_dev *rdev = to_rio_dev(dev);
return sprintf(buf, "%s\n",
(rdev->prev) ? rio_name(rdev->prev) : "root");
}
static DEVICE_ATTR_RO(lprev);
static ssize_t lnext_show(struct device *dev,
Reported by FlawFinder.
Line: 76
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (rdev->pef & RIO_PEF_SWITCH) {
for (i = 0; i < RIO_GET_TOTAL_PORTS(rdev->swpinfo); i++) {
if (rdev->rswitch->nextdev[i])
str += sprintf(str, "%s\n",
rio_name(rdev->rswitch->nextdev[i]));
else
str += sprintf(str, "null\n");
}
}
Reported by FlawFinder.
Line: 48
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (rdev->rswitch->route_table[i] == RIO_INVALID_ROUTE)
continue;
str +=
sprintf(str, "%04x %02x\n", i,
rdev->rswitch->route_table[i]);
}
return (str - buf);
}
Reported by FlawFinder.
Line: 79
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
str += sprintf(str, "%s\n",
rio_name(rdev->rswitch->nextdev[i]));
else
str += sprintf(str, "null\n");
}
}
return str - buf;
}
Reported by FlawFinder.
Line: 92
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct rio_dev *rdev = to_rio_dev(dev);
return sprintf(buf, "rapidio:v%04Xd%04Xav%04Xad%04X\n",
rdev->vid, rdev->did, rdev->asm_vid, rdev->asm_did);
}
static DEVICE_ATTR_RO(modalias);
static struct attribute *rio_dev_attrs[] = {
Reported by FlawFinder.
Line: 335
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct rio_mport *mport = to_rio_mport(dev);
if (mport)
return sprintf(buf, "0x%04x\n", mport->host_deviceid);
else
return -ENODEV;
}
static DEVICE_ATTR_RO(port_destid);
Reported by FlawFinder.
Line: 347
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct rio_mport *mport = to_rio_mport(dev);
if (mport)
return sprintf(buf, "%u\n", mport->sys_size);
else
return -ENODEV;
}
static DEVICE_ATTR_RO(sys_size);
Reported by FlawFinder.
drivers/scsi/libiscsi.c
8 issues
Line: 731
CWE codes:
476
task->state = ISCSI_TASK_PENDING;
if (data_size) {
memcpy(task->data, data, data_size);
task->data_count = data_size;
} else
task->data_count = 0;
if (conn->session->tt->alloc_pdu) {
Reported by Cppcheck.
Line: 208
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ecdb_ahdr->ahslength = cpu_to_be16(ahslength);
ecdb_ahdr->ahstype = ISCSI_AHSTYPE_CDB;
ecdb_ahdr->reserved = 0;
memcpy(ecdb_ahdr->ecdb, cmd->cmnd + ISCSI_CDB_SIZE, rlen);
ISCSI_DBG_SESSION(task->conn->session,
"iscsi_prep_ecdb_ahs: varlen_cdb_len %d "
"rlen %d pad_len %d ahs_length %d iscsi_headers_size "
"%u\n", cmd->cmd_len, rlen, pad_len, ahslength,
Reported by FlawFinder.
Line: 348
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return rc;
cmd_len = ISCSI_CDB_SIZE;
}
memcpy(hdr->cdb, sc->cmnd, cmd_len);
task->imm_count = 0;
if (scsi_get_prot_op(sc) != SCSI_PROT_NORMAL)
task->protected = true;
Reported by FlawFinder.
Line: 731
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
task->state = ISCSI_TASK_PENDING;
if (data_size) {
memcpy(task->data, data, data_size);
task->data_count = data_size;
} else
task->data_count = 0;
if (conn->session->tt->alloc_pdu) {
Reported by FlawFinder.
Line: 746
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
itt = task->hdr->itt;
task->hdr_len = sizeof(struct iscsi_hdr);
memcpy(task->hdr, hdr, sizeof(struct iscsi_hdr));
if (hdr->itt != RESERVED_ITT) {
if (session->tt->parse_pdu_itt)
task->hdr->itt = itt;
else
Reported by FlawFinder.
Line: 861
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (datalen < senselen)
goto invalid_datalen;
memcpy(sc->sense_buffer, data + 2,
min_t(uint16_t, senselen, SCSI_SENSE_BUFFERSIZE));
ISCSI_DBG_SESSION(session, "copied %d bytes of sense\n",
min_t(uint16_t, senselen,
SCSI_SENSE_BUFFERSIZE));
}
Reported by FlawFinder.
Line: 1036
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
datalen);
return ISCSI_ERR_PROTO;
}
memcpy(&rejected_pdu, data, sizeof(struct iscsi_hdr));
opcode = rejected_pdu.opcode & ISCSI_OPCODE_MASK;
switch (reject->reason) {
case ISCSI_REASON_DATA_DIGEST_ERROR:
iscsi_conn_printk(KERN_ERR, conn,
Reported by FlawFinder.
Line: 2686
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (items) {
*items = q->pool + max;
memcpy(*items, q->pool, max * sizeof(void *));
}
return 0;
enomem:
Reported by FlawFinder.