The following issues were found
drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c
8 issues
Line: 601
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req.ref_flow_handle = ref_flow_handle;
if (actions->flags & BNXT_TC_ACTION_FLAG_L2_REWRITE) {
memcpy(req.l2_rewrite_dmac, actions->l2_rewrite_dmac,
ETH_ALEN);
memcpy(req.l2_rewrite_smac, actions->l2_rewrite_smac,
ETH_ALEN);
action_flags |=
CFA_FLOW_ALLOC_REQ_ACTION_FLAGS_L2_HEADER_REWRITE;
Reported by FlawFinder.
Line: 603
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (actions->flags & BNXT_TC_ACTION_FLAG_L2_REWRITE) {
memcpy(req.l2_rewrite_dmac, actions->l2_rewrite_dmac,
ETH_ALEN);
memcpy(req.l2_rewrite_smac, actions->l2_rewrite_smac,
ETH_ALEN);
action_flags |=
CFA_FLOW_ALLOC_REQ_ACTION_FLAGS_L2_HEADER_REWRITE;
}
Reported by FlawFinder.
Line: 681
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req.ip_proto = flow->l4_key.ip_proto;
if (flow->flags & BNXT_TC_FLOW_FLAGS_ETH_ADDRS) {
memcpy(req.dmac, flow->l2_key.dmac, ETH_ALEN);
memcpy(req.smac, flow->l2_key.smac, ETH_ALEN);
}
if (flow->l2_key.num_vlans > 0) {
flow_flags |= CFA_FLOW_ALLOC_REQ_FLAGS_NUM_VLAN_ONE;
Reported by FlawFinder.
Line: 682
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (flow->flags & BNXT_TC_FLOW_FLAGS_ETH_ADDRS) {
memcpy(req.dmac, flow->l2_key.dmac, ETH_ALEN);
memcpy(req.smac, flow->l2_key.smac, ETH_ALEN);
}
if (flow->l2_key.num_vlans > 0) {
flow_flags |= CFA_FLOW_ALLOC_REQ_FLAGS_NUM_VLAN_ONE;
/* FW expects the inner_vlan_tci value to be set
Reported by FlawFinder.
Line: 748
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
CFA_FLOW_ALLOC_REQ_ACTION_FLAGS_L2_HEADER_REWRITE;
req.l2_rewrite_vlan_tpid = actions->push_vlan_tpid;
req.l2_rewrite_vlan_tci = actions->push_vlan_tci;
memcpy(&req.l2_rewrite_dmac, &req.dmac, ETH_ALEN);
memcpy(&req.l2_rewrite_smac, &req.smac, ETH_ALEN);
}
if (actions->flags & BNXT_TC_ACTION_FLAG_POP_VLAN) {
action_flags |=
CFA_FLOW_ALLOC_REQ_ACTION_FLAGS_L2_HEADER_REWRITE;
Reported by FlawFinder.
Line: 749
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req.l2_rewrite_vlan_tpid = actions->push_vlan_tpid;
req.l2_rewrite_vlan_tci = actions->push_vlan_tci;
memcpy(&req.l2_rewrite_dmac, &req.dmac, ETH_ALEN);
memcpy(&req.l2_rewrite_smac, &req.smac, ETH_ALEN);
}
if (actions->flags & BNXT_TC_ACTION_FLAG_POP_VLAN) {
action_flags |=
CFA_FLOW_ALLOC_REQ_ACTION_FLAGS_L2_HEADER_REWRITE;
/* Rewrite config with tpid = 0 implies vlan pop */
Reported by FlawFinder.
Line: 756
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
CFA_FLOW_ALLOC_REQ_ACTION_FLAGS_L2_HEADER_REWRITE;
/* Rewrite config with tpid = 0 implies vlan pop */
req.l2_rewrite_vlan_tpid = 0;
memcpy(&req.l2_rewrite_dmac, &req.dmac, ETH_ALEN);
memcpy(&req.l2_rewrite_smac, &req.smac, ETH_ALEN);
}
}
req.action_flags = cpu_to_le16(action_flags);
Reported by FlawFinder.
Line: 757
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Rewrite config with tpid = 0 implies vlan pop */
req.l2_rewrite_vlan_tpid = 0;
memcpy(&req.l2_rewrite_dmac, &req.dmac, ETH_ALEN);
memcpy(&req.l2_rewrite_smac, &req.smac, ETH_ALEN);
}
}
req.action_flags = cpu_to_le16(action_flags);
mutex_lock(&bp->hwrm_cmd_lock);
Reported by FlawFinder.
drivers/media/usb/dvb-usb-v2/af9035.c
8 issues
Line: 58
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
state->buf[1] = req->mbox;
state->buf[2] = req->cmd;
state->buf[3] = state->seq++;
memcpy(&state->buf[REQ_HDR_LEN], req->wbuf, req->wlen);
wlen = REQ_HDR_LEN + req->wlen + CHECKSUM_LEN;
rlen = ACK_HDR_LEN + req->rlen + CHECKSUM_LEN;
/* calc and add checksum */
Reported by FlawFinder.
Line: 107
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* read request, copy returned data to return buf */
if (req->rlen)
memcpy(req->rbuf, &state->buf[ACK_HDR_LEN], req->rlen);
exit:
mutex_unlock(&d->usb_mutex);
return ret;
}
Reported by FlawFinder.
Line: 132
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wbuf[3] = 0;
wbuf[4] = (reg >> 8) & 0xff;
wbuf[5] = (reg >> 0) & 0xff;
memcpy(&wbuf[6], val, len);
return af9035_ctrl_msg(d, &req);
}
/* read multiple registers */
Reported by FlawFinder.
Line: 352
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (state->chip_type == 0x9306) {
buf[1] = 0x03; /* I2C bus */
buf[2] = msg[0].addr << 1;
memcpy(&buf[3], msg[0].buf, msg[0].len);
} else {
buf[1] = msg[0].addr << 1;
buf[3] = 0x00; /* reg addr MSB */
buf[4] = 0x00; /* reg addr LSB */
Reported by FlawFinder.
Line: 361
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Keep prev behavior for write req len > 2*/
if (msg[0].len > 2) {
buf[2] = 0x00; /* reg addr len */
memcpy(&buf[5], msg[0].buf, msg[0].len);
/* Use reg addr fields if write req len <= 2 */
} else {
req.wlen = 5;
buf[2] = msg[0].len;
Reported by FlawFinder.
Line: 410
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (state->chip_type == 0x9306) {
buf[1] = 0x03; /* I2C bus */
buf[2] = msg[0].addr << 1;
memcpy(&buf[3], msg[0].buf, msg[0].len);
} else {
buf[1] = msg[0].addr << 1;
buf[2] = 0x00; /* reg addr len */
buf[3] = 0x00; /* reg addr MSB */
buf[4] = 0x00; /* reg addr LSB */
Reported by FlawFinder.
Line: 416
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[2] = 0x00; /* reg addr len */
buf[3] = 0x00; /* reg addr MSB */
buf[4] = 0x00; /* reg addr LSB */
memcpy(&buf[5], msg[0].buf, msg[0].len);
}
ret = af9035_ctrl_msg(d, &req);
}
} else if (AF9035_IS_I2C_XFER_READ(msg, num)) {
if (msg[0].len > 40) {
Reported by FlawFinder.
Line: 1962
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct usb_device_id *id)
{
struct usb_device *udev = interface_to_usbdev(intf);
char manufacturer[sizeof("Afatech")];
memset(manufacturer, 0, sizeof(manufacturer));
usb_string(udev, udev->descriptor.iManufacturer,
manufacturer, sizeof(manufacturer));
/*
Reported by FlawFinder.
drivers/net/ethernet/cortina/gemini.c
8 issues
Line: 2191
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
static void gmac_get_drvinfo(struct net_device *netdev,
struct ethtool_drvinfo *info)
{
strcpy(info->driver, DRV_NAME);
strcpy(info->bus_info, netdev->dev_id ? "1" : "0");
}
static const struct net_device_ops gmac_351x_ops = {
.ndo_init = gmac_init,
Reported by FlawFinder.
Line: 2192
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
struct ethtool_drvinfo *info)
{
strcpy(info->driver, DRV_NAME);
strcpy(info->bus_info, netdev->dev_id ? "1" : "0");
}
static const struct net_device_ops gmac_351x_ops = {
.ndo_init = gmac_init,
.ndo_open = gmac_open,
Reported by FlawFinder.
Line: 171
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
RX_STATS_NUM + RX_STATUS_NUM + RX_CHKSUM_NUM + 1 + \
TX_MAX_FRAGS + 2)
static const char gmac_stats_strings[GMAC_STATS_NUM][ETH_GSTRING_LEN] = {
"GMAC_IN_DISCARDS",
"GMAC_IN_ERRORS",
"GMAC_IN_MCAST",
"GMAC_IN_BCAST",
"GMAC_IN_MAC1",
Reported by FlawFinder.
Line: 1881
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__le32 addr[3];
memset(addr, 0, sizeof(addr));
memcpy(addr, netdev->dev_addr, ETH_ALEN);
writel(le32_to_cpu(addr[0]), port->gmac_base + GMAC_STA_ADD0);
writel(le32_to_cpu(addr[1]), port->gmac_base + GMAC_STA_ADD1);
writel(le32_to_cpu(addr[2]), port->gmac_base + GMAC_STA_ADD2);
}
Reported by FlawFinder.
Line: 1892
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct sockaddr *sa = addr;
memcpy(netdev->dev_addr, sa->sa_data, ETH_ALEN);
gmac_write_mac_address(netdev);
return 0;
}
Reported by FlawFinder.
Line: 2016
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (stringset != ETH_SS_STATS)
return;
memcpy(data, gmac_stats_strings, sizeof(gmac_stats_strings));
}
static void gmac_get_ethtool_stats(struct net_device *netdev,
struct ethtool_stats *estats, u64 *values)
{
Reported by FlawFinder.
Line: 2354
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int gemini_ethernet_port_probe(struct platform_device *pdev)
{
char *port_names[2] = { "ethernet0", "ethernet1" };
struct gemini_ethernet_port *port;
struct device *dev = &pdev->dev;
struct gemini_ethernet *geth;
struct net_device *netdev;
struct device *parent;
Reported by FlawFinder.
Line: 2466
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
DEFAULT_NAPI_WEIGHT);
if (is_valid_ether_addr((void *)port->mac_addr)) {
memcpy(netdev->dev_addr, port->mac_addr, ETH_ALEN);
} else {
dev_dbg(dev, "ethernet address 0x%08x%08x%08x invalid\n",
port->mac_addr[0], port->mac_addr[1],
port->mac_addr[2]);
dev_info(dev, "using a random ethernet address\n");
Reported by FlawFinder.
drivers/block/aoe/aoecmd.c
8 issues
Line: 133
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u32 host_tag = newtag(d);
memcpy(h->src, t->ifp->nd->dev_addr, sizeof h->src);
memcpy(h->dst, t->addr, sizeof h->dst);
h->type = __constant_cpu_to_be16(ETH_P_AOE);
h->verfl = AOE_HVER;
h->major = cpu_to_be16(d->aoemajor);
h->minor = d->aoeminor;
Reported by FlawFinder.
Line: 134
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 host_tag = newtag(d);
memcpy(h->src, t->ifp->nd->dev_addr, sizeof h->src);
memcpy(h->dst, t->addr, sizeof h->dst);
h->type = __constant_cpu_to_be16(ETH_P_AOE);
h->verfl = AOE_HVER;
h->major = cpu_to_be16(d->aoemajor);
h->minor = d->aoeminor;
h->cmd = AOECMD_ATA;
Reported by FlawFinder.
Line: 438
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(h, 0, sizeof *h + sizeof *ch);
memset(h->dst, 0xff, sizeof h->dst);
memcpy(h->src, ifp->dev_addr, sizeof h->src);
h->type = __constant_cpu_to_be16(ETH_P_AOE);
h->verfl = AOE_HVER;
h->major = cpu_to_be16(aoemajor);
h->minor = aoeminor;
h->cmd = AOECMD_CFG;
Reported by FlawFinder.
Line: 458
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sk_buff_head queue;
struct aoe_hdr *h;
struct aoetgt *t;
char buf[128];
u32 n;
t = f->t;
n = newtag(d);
skb = f->skb;
Reported by FlawFinder.
Line: 484
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
f->tag = n;
fhash(f);
h->tag = cpu_to_be32(n);
memcpy(h->dst, t->addr, sizeof h->dst);
memcpy(h->src, t->ifp->nd->dev_addr, sizeof h->src);
skb->dev = t->ifp->nd;
skb = skb_clone(skb, GFP_ATOMIC);
if (skb == NULL)
Reported by FlawFinder.
Line: 485
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fhash(f);
h->tag = cpu_to_be32(n);
memcpy(h->dst, t->addr, sizeof h->dst);
memcpy(h->src, t->ifp->nd->dev_addr, sizeof h->src);
skb->dev = t->ifp->nd;
skb = skb_clone(skb, GFP_ATOMIC);
if (skb == NULL)
return;
Reported by FlawFinder.
Line: 1300
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct frame *f;
u32 n;
ulong flags;
char ebuf[128];
u16 aoemajor;
h = (struct aoe_hdr *) skb->data;
aoemajor = be16_to_cpu(get_unaligned(&h->major));
d = aoedev_by_aoeaddr(aoemajor, h->minor, 0);
Reported by FlawFinder.
Line: 1452
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto nomem;
t->nframes = nframes;
t->d = d;
memcpy(t->addr, addr, sizeof t->addr);
t->ifp = t->ifs;
aoecmd_wreset(t);
t->maxout = t->nframes / 2;
INIT_LIST_HEAD(&t->ffree);
return *tt = t;
Reported by FlawFinder.
drivers/cpufreq/brcmstb-avs-cpufreq.c
8 issues
Line: 671
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (brcm_avs_get_pmap(priv, &pmap))
return sprintf(buf, "<unknown>\n");
return sprintf(buf, "%s %u\n", brcm_avs_mode_to_string(pmap.mode),
pmap.mode);
}
static ssize_t show_brcm_avs_pmap(struct cpufreq_policy *policy, char *buf)
{
Reported by FlawFinder.
Line: 658
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
unsigned int pstate;
if (brcm_avs_get_pstate(priv, &pstate))
return sprintf(buf, "<unknown>\n");
return sprintf(buf, "%u\n", pstate);
}
static ssize_t show_brcm_avs_mode(struct cpufreq_policy *policy, char *buf)
Reported by FlawFinder.
Line: 660
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (brcm_avs_get_pstate(priv, &pstate))
return sprintf(buf, "<unknown>\n");
return sprintf(buf, "%u\n", pstate);
}
static ssize_t show_brcm_avs_mode(struct cpufreq_policy *policy, char *buf)
{
struct private_data *priv = policy->driver_data;
Reported by FlawFinder.
Line: 669
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct pmap pmap;
if (brcm_avs_get_pmap(priv, &pmap))
return sprintf(buf, "<unknown>\n");
return sprintf(buf, "%s %u\n", brcm_avs_mode_to_string(pmap.mode),
pmap.mode);
}
Reported by FlawFinder.
Line: 683
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct pmap pmap;
if (brcm_avs_get_pmap(priv, &pmap))
return sprintf(buf, "<unknown>\n");
brcm_avs_parse_p1(pmap.p1, &mdiv_p0, &pdiv, &ndiv);
brcm_avs_parse_p2(pmap.p2, &mdiv_p1, &mdiv_p2, &mdiv_p3, &mdiv_p4);
return sprintf(buf, "0x%08x 0x%08x %u %u %u %u %u %u %u %u %u\n",
Reported by FlawFinder.
Line: 688
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
brcm_avs_parse_p1(pmap.p1, &mdiv_p0, &pdiv, &ndiv);
brcm_avs_parse_p2(pmap.p2, &mdiv_p1, &mdiv_p2, &mdiv_p3, &mdiv_p4);
return sprintf(buf, "0x%08x 0x%08x %u %u %u %u %u %u %u %u %u\n",
pmap.p1, pmap.p2, ndiv, pdiv, mdiv_p0, mdiv_p1, mdiv_p2,
mdiv_p3, mdiv_p4, pmap.mode, pmap.state);
}
static ssize_t show_brcm_avs_voltage(struct cpufreq_policy *policy, char *buf)
Reported by FlawFinder.
Line: 697
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct private_data *priv = policy->driver_data;
return sprintf(buf, "0x%08x\n", brcm_avs_get_voltage(priv->base));
}
static ssize_t show_brcm_avs_frequency(struct cpufreq_policy *policy, char *buf)
{
struct private_data *priv = policy->driver_data;
Reported by FlawFinder.
Line: 704
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct private_data *priv = policy->driver_data;
return sprintf(buf, "0x%08x\n", brcm_avs_get_frequency(priv->base));
}
cpufreq_freq_attr_ro(brcm_avs_pstate);
cpufreq_freq_attr_ro(brcm_avs_mode);
cpufreq_freq_attr_ro(brcm_avs_pmap);
Reported by FlawFinder.
drivers/acpi/acpica/exfldio.c
8 issues
Line: 387
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Copy the data from the source buffer.
* Length is the field width in bytes.
*/
memcpy(value,
(obj_desc->buffer_field.buffer_obj)->buffer.
pointer +
obj_desc->buffer_field.base_byte_offset +
field_datum_byte_offset,
obj_desc->common_field.access_byte_width);
Reported by FlawFinder.
Line: 398
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Copy the data to the target buffer.
* Length is the field width in bytes.
*/
memcpy((obj_desc->buffer_field.buffer_obj)->buffer.
pointer +
obj_desc->buffer_field.base_byte_offset +
field_datum_byte_offset, value,
obj_desc->common_field.access_byte_width);
}
Reported by FlawFinder.
Line: 692
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
status =
acpi_ex_field_datum_io(obj_desc, 0, &raw_datum,
ACPI_READ);
memcpy(buffer, &raw_datum, buffer_length);
}
return_ACPI_STATUS(status);
}
Reported by FlawFinder.
Line: 766
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Write merged datum to target buffer */
memcpy(((char *)buffer) + buffer_offset, &merged_datum,
ACPI_MIN(obj_desc->common_field.access_byte_width,
buffer_length - buffer_offset));
buffer_offset += obj_desc->common_field.access_byte_width;
merged_datum =
Reported by FlawFinder.
Line: 784
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Write the last datum to the buffer */
memcpy(((char *)buffer) + buffer_offset, &merged_datum,
ACPI_MIN(obj_desc->common_field.access_byte_width,
buffer_length - buffer_offset));
return_ACPI_STATUS(AE_OK);
}
Reported by FlawFinder.
Line: 852
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* at Byte zero. All unused (upper) bytes of the
* buffer will be 0.
*/
memcpy((char *)new_buffer, (char *)buffer, buffer_length);
buffer = new_buffer;
buffer_length = required_length;
}
/* TBD: Move to common setup code */
Reported by FlawFinder.
Line: 884
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Get initial Datum from the input buffer */
memcpy(&raw_datum, buffer,
ACPI_MIN(obj_desc->common_field.access_byte_width,
buffer_length - buffer_offset));
merged_datum =
raw_datum << obj_desc->common_field.start_field_bit_offset;
Reported by FlawFinder.
Line: 936
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Get the next input datum from the buffer */
buffer_offset += obj_desc->common_field.access_byte_width;
memcpy(&raw_datum, ((char *)buffer) + buffer_offset,
ACPI_MIN(obj_desc->common_field.access_byte_width,
buffer_length - buffer_offset));
merged_datum |=
raw_datum << obj_desc->common_field.start_field_bit_offset;
Reported by FlawFinder.
drivers/extcon/extcon.c
8 issues
Line: 358
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return sprintf(buf, "%u\n", edev->state);
for (i = 0; i < edev->max_supported; i++) {
count += sprintf(buf + count, "%s=%d\n",
extcon_info[edev->supported_cable[i]].name,
!!(edev->state & BIT(i)));
}
return count;
Reported by FlawFinder.
Line: 372
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct extcon_dev *edev = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", edev->name);
}
static DEVICE_ATTR_RO(name);
static ssize_t cable_name_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 383
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
attr_name);
int i = cable->cable_index;
return sprintf(buf, "%s\n",
extcon_info[cable->edev->supported_cable[i]].name);
}
static ssize_t cable_state_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 355
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct extcon_dev *edev = dev_get_drvdata(dev);
if (edev->max_supported == 0)
return sprintf(buf, "%u\n", edev->state);
for (i = 0; i < edev->max_supported; i++) {
count += sprintf(buf + count, "%s=%d\n",
extcon_info[edev->supported_cable[i]].name,
!!(edev->state & BIT(i)));
Reported by FlawFinder.
Line: 395
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int i = cable->cable_index;
return sprintf(buf, "%d\n",
extcon_get_state(cable->edev, cable->edev->supported_cable[i]));
}
/**
* extcon_sync() - Synchronize the state for an external connector.
Reported by FlawFinder.
Line: 410
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
int extcon_sync(struct extcon_dev *edev, unsigned int id)
{
char name_buf[120];
char state_buf[120];
char *prop_buf;
char *envp[3];
int env_offset = 0;
int length;
Reported by FlawFinder.
Line: 411
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int extcon_sync(struct extcon_dev *edev, unsigned int id)
{
char name_buf[120];
char state_buf[120];
char *prop_buf;
char *envp[3];
int env_offset = 0;
int length;
int index;
Reported by FlawFinder.
Line: 413
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char name_buf[120];
char state_buf[120];
char *prop_buf;
char *envp[3];
int env_offset = 0;
int length;
int index;
int state;
unsigned long flags;
Reported by FlawFinder.
drivers/gpu/drm/drm_modes.c
8 issues
Line: 1764
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (refresh_ptr)
return false; /* named + refresh is invalid */
strcpy(mode->name, drm_named_modes_whitelist[i]);
mode->specified = true;
break;
}
}
Reported by FlawFinder.
Line: 1572
Column: 19
CWE codes:
126
value = delim + 1;
delim = strchr(value, ',');
if (!delim)
delim = value + strlen(value);
if (!strncmp(value, "normal", delim - value))
mode->panel_orientation = DRM_MODE_PANEL_ORIENTATION_NORMAL;
else if (!strncmp(value, "upside_down", delim - value))
mode->panel_orientation = DRM_MODE_PANEL_ORIENTATION_BOTTOM_UP;
Reported by FlawFinder.
Line: 1603
Column: 22
CWE codes:
126
delim = strchr(option, ',');
if (!delim)
delim = option + strlen(option);
}
if (!strncmp(option, "rotate", delim - option)) {
if (drm_mode_parse_cmdline_int(delim, °))
return -EINVAL;
Reported by FlawFinder.
Line: 1753
Column: 14
CWE codes:
126
mode_end = options_off;
parse_extras = true;
} else {
mode_end = strlen(name);
parse_extras = true;
}
/* First check for a named mode */
for (i = 0; i < ARRAY_SIZE(drm_named_modes_whitelist); i++) {
Reported by FlawFinder.
Line: 1784
Column: 22
CWE codes:
126
/* No mode? Check for freestanding extras and/or options */
if (!mode->specified) {
unsigned int len = strlen(mode_option);
if (bpp_ptr || refresh_ptr)
return false; /* syntax error */
if (len == 1 || (len >= 2 && mode_option[1] == ','))
Reported by FlawFinder.
Line: 1829
Column: 10
CWE codes:
126
if (options_ptr)
len = options_ptr - extra_ptr;
else
len = strlen(extra_ptr);
ret = drm_mode_parse_cmdline_extra(extra_ptr, len, freestanding,
connector, mode);
if (ret)
return false;
Reported by FlawFinder.
Line: 1938
Column: 2
CWE codes:
120
break;
}
strncpy(out->name, in->name, DRM_DISPLAY_MODE_LEN);
out->name[DRM_DISPLAY_MODE_LEN-1] = 0;
}
/**
* drm_mode_convert_umode - convert a modeinfo into a drm_display_mode
Reported by FlawFinder.
Line: 1980
Column: 2
CWE codes:
120
* useful for the kernel->userspace direction anyway.
*/
out->type = in->type & DRM_MODE_TYPE_ALL;
strncpy(out->name, in->name, DRM_DISPLAY_MODE_LEN);
out->name[DRM_DISPLAY_MODE_LEN-1] = 0;
/* Clearing picture aspect ratio bits from out flags,
* as the aspect-ratio information is not stored in
* flags for kernel-mode, but in picture_aspect_ratio.
Reported by FlawFinder.
drivers/base/firmware_loader/fallback.c
8 issues
Line: 309
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
loff_t offset, size_t count, bool read)
{
if (read)
memcpy(buffer, fw_priv->data + offset, count);
else
memcpy(fw_priv->data + offset, buffer, count);
}
static void firmware_rw(struct fw_priv *fw_priv, char *buffer,
Reported by FlawFinder.
Line: 311
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (read)
memcpy(buffer, fw_priv->data + offset, count);
else
memcpy(fw_priv->data + offset, buffer, count);
}
static void firmware_rw(struct fw_priv *fw_priv, char *buffer,
loff_t offset, size_t count, bool read)
{
Reported by FlawFinder.
Line: 326
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
page_data = kmap(fw_priv->pages[page_nr]);
if (read)
memcpy(buffer, page_data + page_ofs, page_cnt);
else
memcpy(page_data + page_ofs, buffer, page_cnt);
kunmap(fw_priv->pages[page_nr]);
buffer += page_cnt;
Reported by FlawFinder.
Line: 328
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (read)
memcpy(buffer, page_data + page_ofs, page_cnt);
else
memcpy(page_data + page_ofs, buffer, page_cnt);
kunmap(fw_priv->pages[page_nr]);
buffer += page_cnt;
offset += page_cnt;
count -= page_cnt;
Reported by FlawFinder.
Line: 306
Column: 41
CWE codes:
120
20
static DEVICE_ATTR(loading, 0644, firmware_loading_show, firmware_loading_store);
static void firmware_rw_data(struct fw_priv *fw_priv, char *buffer,
loff_t offset, size_t count, bool read)
{
if (read)
memcpy(buffer, fw_priv->data + offset, count);
else
memcpy(fw_priv->data + offset, buffer, count);
Reported by FlawFinder.
Line: 308
Column: 6
CWE codes:
120
20
static void firmware_rw_data(struct fw_priv *fw_priv, char *buffer,
loff_t offset, size_t count, bool read)
{
if (read)
memcpy(buffer, fw_priv->data + offset, count);
else
memcpy(fw_priv->data + offset, buffer, count);
}
Reported by FlawFinder.
Line: 315
Column: 38
CWE codes:
120
20
}
static void firmware_rw(struct fw_priv *fw_priv, char *buffer,
loff_t offset, size_t count, bool read)
{
while (count) {
void *page_data;
int page_nr = offset >> PAGE_SHIFT;
int page_ofs = offset & (PAGE_SIZE-1);
Reported by FlawFinder.
Line: 325
Column: 7
CWE codes:
120
20
page_data = kmap(fw_priv->pages[page_nr]);
if (read)
memcpy(buffer, page_data + page_ofs, page_cnt);
else
memcpy(page_data + page_ofs, buffer, page_cnt);
kunmap(fw_priv->pages[page_nr]);
Reported by FlawFinder.
drivers/fpga/dfl-fme-error.c
8 issues
Line: 55
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
value = readq(base + PCIE0_ERROR);
mutex_unlock(&pdata->lock);
return sprintf(buf, "0x%llx\n", (unsigned long long)value);
}
static ssize_t pcie0_errors_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 100
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
value = readq(base + PCIE1_ERROR);
mutex_unlock(&pdata->lock);
return sprintf(buf, "0x%llx\n", (unsigned long long)value);
}
static ssize_t pcie1_errors_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 139
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
base = dfl_get_feature_ioaddr_by_id(dev, FME_FEATURE_ID_GLOBAL_ERR);
return sprintf(buf, "0x%llx\n",
(unsigned long long)readq(base + RAS_NONFAT_ERROR));
}
static DEVICE_ATTR_RO(nonfatal_errors);
static ssize_t catfatal_errors_show(struct device *dev,
Reported by FlawFinder.
Line: 151
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
base = dfl_get_feature_ioaddr_by_id(dev, FME_FEATURE_ID_GLOBAL_ERR);
return sprintf(buf, "0x%llx\n",
(unsigned long long)readq(base + RAS_CATFAT_ERROR));
}
static DEVICE_ATTR_RO(catfatal_errors);
static ssize_t inject_errors_show(struct device *dev,
Reported by FlawFinder.
Line: 169
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
v = readq(base + RAS_ERROR_INJECT);
mutex_unlock(&pdata->lock);
return sprintf(buf, "0x%llx\n",
(unsigned long long)FIELD_GET(INJECT_ERROR_MASK, v));
}
static ssize_t inject_errors_store(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
Line: 214
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
value = readq(base + FME_ERROR);
mutex_unlock(&pdata->lock);
return sprintf(buf, "0x%llx\n", (unsigned long long)value);
}
static ssize_t fme_errors_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 261
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
value = readq(base + FME_FIRST_ERROR);
mutex_unlock(&pdata->lock);
return sprintf(buf, "0x%llx\n", (unsigned long long)value);
}
static DEVICE_ATTR_RO(first_error);
static ssize_t next_error_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 278
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
value = readq(base + FME_NEXT_ERROR);
mutex_unlock(&pdata->lock);
return sprintf(buf, "0x%llx\n", (unsigned long long)value);
}
static DEVICE_ATTR_RO(next_error);
static struct attribute *fme_global_err_attrs[] = {
&dev_attr_pcie0_errors.attr,
Reported by FlawFinder.