The following issues were found
drivers/block/xen-blkback/xenbus.c
8 issues
Line: 394
Column: 10
CWE codes:
134
Suggestion:
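Make format string constant. In this excerpt `format` is a parameter of the VBD_SHOW_ALLRING macro and both visible invocations pass string literals, so the format is constant after expansion; the property to keep checking is that every invocation passes a literal.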
} \
\
out: \
return sprintf(buf, format, result); \
} \
static DEVICE_ATTR(name, 0444, show_##name, NULL)
VBD_SHOW_ALLRING(oo_req, "%llu\n");
VBD_SHOW_ALLRING(rd_req, "%llu\n");
Reported by FlawFinder.
Line: 430
Column: 10
CWE codes:
134
Suggestion:
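Make format string constant. Here `format` is a parameter of the VBD_SHOW macro and the two invocations shown pass the literals "%x:%x\n" and "%s\n", so the finding only holds if some other invocation passes a non-literal format.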
struct xenbus_device *dev = to_xenbus_device(_dev); \
struct backend_info *be = dev_get_drvdata(&dev->dev); \
\
return sprintf(buf, format, ##args); \
} \
static DEVICE_ATTR(name, 0444, show_##name, NULL)
VBD_SHOW(physical_device, "%x:%x\n", be->major, be->minor);
VBD_SHOW(mode, "%s\n", be->mode);
Reported by FlawFinder.
Line: 79
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void xen_update_blkif_status(struct xen_blkif *blkif)
{
int err;
char name[TASK_COMM_LEN];
struct xen_blkif_ring *ring;
int i;
/* Not ready to connect? */
if (!blkif->rings || !blkif->rings[0].irq || !blkif->vbd.bdev)
Reported by FlawFinder.
Line: 999
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
for (i = 0; i < nr_grefs; i++) {
char ring_ref_name[RINGREF_NAME_LEN];
if (blkif->multi_ref)
snprintf(ring_ref_name, RINGREF_NAME_LEN, "ring-ref%u", i);
else {
WARN_ON(i != 0);
Reported by FlawFinder.
Line: 1069
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct xenbus_device *dev = be->dev;
struct xen_blkif *blkif = be->blkif;
char protocol[64] = "";
int err, i;
char *xspath;
size_t xspathsize;
const size_t xenstore_path_ext_size = 11; /* sufficient for "/queue-NNN" */
unsigned int requested_num_queues = 0;
Reported by FlawFinder.
Line: 1083
Column: 3
CWE codes:
120
Suggestion:
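Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The source here is a 29-character literal and the line-1069 excerpt declares the destination as `char protocol[64]`, so this copy fits today; a bounded copy would keep that true if the literal or the array size changes.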
err = xenbus_scanf(XBT_NIL, dev->otherend, "protocol",
"%63s", protocol);
if (err <= 0)
strcpy(protocol, "unspecified, assuming default");
else if (0 == strcmp(protocol, XEN_IO_PROTO_ABI_NATIVE))
blkif->blk_protocol = BLKIF_PROTOCOL_NATIVE;
else if (0 == strcmp(protocol, XEN_IO_PROTO_ABI_X86_32))
blkif->blk_protocol = BLKIF_PROTOCOL_X86_32;
else if (0 == strcmp(protocol, XEN_IO_PROTO_ABI_X86_64))
Reported by FlawFinder.
Line: 66
Column: 14
CWE codes:
126
devname = strstr(devpath, "/dev/");
if (devname != NULL)
devname += strlen("/dev/");
else
devname = devpath;
snprintf(buf, TASK_COMM_LEN, "%d.%s", blkif->domid, devname);
kfree(devpath);
Reported by FlawFinder.
Line: 1143
Column: 16
CWE codes:
126
if (blkif->nr_rings == 1)
return read_per_ring_refs(&blkif->rings[0], dev->otherend);
else {
xspathsize = strlen(dev->otherend) + xenstore_path_ext_size;
xspath = kmalloc(xspathsize, GFP_KERNEL);
if (!xspath) {
xenbus_dev_fatal(dev, -ENOMEM, "reading ring references");
return -ENOMEM;
}
Reported by FlawFinder.
drivers/fpga/fpga-mgr.c
8 issues
Line: 402
Column: 9
CWE codes:
120
Suggestion:
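Use sprintf_s, snprintf, or vsnprintf. sprintf_s is not available in kernel code; if this is a sysfs show callback, as the neighbouring state_show signature suggests, the in-tree bounded helper is sysfs_emit() (sysfs_emit_at() for output appended at an offset), which limits the write to the PAGE_SIZE buffer.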
{
struct fpga_manager *mgr = to_fpga_manager(dev);
return sprintf(buf, "%s\n", mgr->name);
}
static ssize_t state_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 410
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct fpga_manager *mgr = to_fpga_manager(dev);
return sprintf(buf, "%s\n", state_str[mgr->state]);
}
static ssize_t status_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 426
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
status = mgr->mops->status(mgr);
if (status & FPGA_MGR_STATUS_OPERATION_ERR)
len += sprintf(buf + len, "reconfig operation error\n");
if (status & FPGA_MGR_STATUS_CRC_ERR)
len += sprintf(buf + len, "reconfig CRC error\n");
if (status & FPGA_MGR_STATUS_INCOMPATIBLE_IMAGE_ERR)
len += sprintf(buf + len, "reconfig incompatible image\n");
if (status & FPGA_MGR_STATUS_IP_PROTOCOL_ERR)
Reported by FlawFinder.
Line: 428
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (status & FPGA_MGR_STATUS_OPERATION_ERR)
len += sprintf(buf + len, "reconfig operation error\n");
if (status & FPGA_MGR_STATUS_CRC_ERR)
len += sprintf(buf + len, "reconfig CRC error\n");
if (status & FPGA_MGR_STATUS_INCOMPATIBLE_IMAGE_ERR)
len += sprintf(buf + len, "reconfig incompatible image\n");
if (status & FPGA_MGR_STATUS_IP_PROTOCOL_ERR)
len += sprintf(buf + len, "reconfig IP protocol error\n");
if (status & FPGA_MGR_STATUS_FIFO_OVERFLOW_ERR)
Reported by FlawFinder.
Line: 430
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (status & FPGA_MGR_STATUS_CRC_ERR)
len += sprintf(buf + len, "reconfig CRC error\n");
if (status & FPGA_MGR_STATUS_INCOMPATIBLE_IMAGE_ERR)
len += sprintf(buf + len, "reconfig incompatible image\n");
if (status & FPGA_MGR_STATUS_IP_PROTOCOL_ERR)
len += sprintf(buf + len, "reconfig IP protocol error\n");
if (status & FPGA_MGR_STATUS_FIFO_OVERFLOW_ERR)
len += sprintf(buf + len, "reconfig fifo overflow error\n");
Reported by FlawFinder.
Line: 432
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (status & FPGA_MGR_STATUS_INCOMPATIBLE_IMAGE_ERR)
len += sprintf(buf + len, "reconfig incompatible image\n");
if (status & FPGA_MGR_STATUS_IP_PROTOCOL_ERR)
len += sprintf(buf + len, "reconfig IP protocol error\n");
if (status & FPGA_MGR_STATUS_FIFO_OVERFLOW_ERR)
len += sprintf(buf + len, "reconfig fifo overflow error\n");
return len;
}
Reported by FlawFinder.
Line: 434
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (status & FPGA_MGR_STATUS_IP_PROTOCOL_ERR)
len += sprintf(buf + len, "reconfig IP protocol error\n");
if (status & FPGA_MGR_STATUS_FIFO_OVERFLOW_ERR)
len += sprintf(buf + len, "reconfig fifo overflow error\n");
return len;
}
static DEVICE_ATTR_RO(name);
Reported by FlawFinder.
Line: 578
Column: 16
CWE codes:
126
return NULL;
}
if (!name || !strlen(name)) {
dev_err(parent, "Attempt to register with no name!\n");
return NULL;
}
mgr = kzalloc(sizeof(*mgr), GFP_KERNEL);
Reported by FlawFinder.
drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
8 issues
Line: 217
Column: 2
CWE codes:
120
Suggestion:
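Make sure destination can always hold the source data. The visible `size = min(sizeof(output), size)` already caps the copy at the destination's size; what the excerpt does not show is whether `info->buffer.pointer` really holds at least `size` bytes.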
}
size = min(sizeof(output), size);
memcpy(&output, info->buffer.pointer, size);
/* TODO: check version? */
DRM_DEBUG_DRIVER("ATIF version %u\n", output.version);
amdgpu_atif_parse_notification(&atif->notifications, output.notification_mask);
Reported by FlawFinder.
Line: 264
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&params, 0, sizeof(params));
size = min(sizeof(params), size);
memcpy(&params, info->buffer.pointer, size);
DRM_DEBUG_DRIVER("SYSTEM_PARAMS: mask = %#x, flags = %#x\n",
params.flags, params.valid_mask);
params.flags = params.flags & params.valid_mask;
Reported by FlawFinder.
Line: 340
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&characteristics, 0, sizeof(characteristics));
size = min(sizeof(characteristics), size);
memcpy(&characteristics, info->buffer.pointer, size);
atif->backlight_caps.caps_valid = true;
atif->backlight_caps.min_input_signal =
characteristics.min_input_signal;
atif->backlight_caps.max_input_signal =
Reported by FlawFinder.
Line: 383
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(req, 0, sizeof(*req));
size = min(sizeof(*req), size);
memcpy(req, info->buffer.pointer, size);
DRM_DEBUG_DRIVER("SBIOS pending requests: %#x\n", req->pending);
count = hweight32(req->pending);
out:
Reported by FlawFinder.
Line: 573
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
size = min(sizeof(output), size);
memcpy(&output, info->buffer.pointer, size);
/* TODO: check version? */
DRM_DEBUG_DRIVER("ATCS version %u\n", output.version);
amdgpu_atcs_parse_functions(&atcs->functions, output.function_bits);
Reported by FlawFinder.
Line: 698
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
size = min(sizeof(atcs_output), size);
memcpy(&atcs_output, info->buffer.pointer, size);
kfree(info);
switch (atcs_output.ret_val) {
case ATCS_REQUEST_REFUSED:
Reported by FlawFinder.
Line: 917
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static bool amdgpu_atif_pci_probe_handle(struct pci_dev *pdev)
{
char acpi_method_name[255] = { 0 };
struct acpi_buffer buffer = {sizeof(acpi_method_name), acpi_method_name};
acpi_handle dhandle, atif_handle;
acpi_status status;
int ret;
Reported by FlawFinder.
Line: 952
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static bool amdgpu_atcs_pci_probe_handle(struct pci_dev *pdev)
{
char acpi_method_name[255] = { 0 };
struct acpi_buffer buffer = { sizeof(acpi_method_name), acpi_method_name };
acpi_handle dhandle, atcs_handle;
acpi_status status;
int ret;
Reported by FlawFinder.
drivers/ata/libahci.c
8 issues
Line: 399
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
em_ctl = readl(mmio + HOST_EM_CTL);
ahci_rpm_put_port(ap);
return sprintf(buf, "%s%s%s%s\n",
em_ctl & EM_CTL_LED ? "led " : "",
em_ctl & EM_CTL_SAFTE ? "saf-te " : "",
em_ctl & EM_CTL_SES ? "ses-2 " : "",
em_ctl & EM_CTL_SGPIO ? "sgpio " : "");
}
Reported by FlawFinder.
Line: 245
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct ata_port *ap = ata_shost_to_port(shost);
struct ahci_host_priv *hpriv = ap->host->private_data;
return sprintf(buf, "%x\n", hpriv->cap);
}
static ssize_t ahci_show_host_cap2(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 255
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct ata_port *ap = ata_shost_to_port(shost);
struct ahci_host_priv *hpriv = ap->host->private_data;
return sprintf(buf, "%x\n", hpriv->cap2);
}
static ssize_t ahci_show_host_version(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 265
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct ata_port *ap = ata_shost_to_port(shost);
struct ahci_host_priv *hpriv = ap->host->private_data;
return sprintf(buf, "%x\n", hpriv->version);
}
static ssize_t ahci_show_port_cmd(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 277
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ssize_t ret;
ahci_rpm_get_port(ap);
ret = sprintf(buf, "%x\n", readl(port_mmio + PORT_CMD));
ahci_rpm_put_port(ap);
return ret;
}
Reported by FlawFinder.
Line: 1123
Column: 9
CWE codes:
120
Suggestion:
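Use sprintf_s, snprintf, or vsnprintf. Separately from the bounds question, the loop shown writes every entry at `buf` while accumulating `rc`, so with more than one link the entries overwrite each other and the returned length is larger than the text written; writing at `buf + rc` would make the buffer match the returned count.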
ata_for_each_link(link, ap, EDGE) {
emp = &pp->em_priv[link->pmp];
rc += sprintf(buf, "%lx\n", emp->led_state);
}
return rc;
}
static ssize_t ahci_led_store(struct ata_port *ap, const char *buf,
Reported by FlawFinder.
Line: 1199
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* display the saved value of activity behavior for this
* disk.
*/
return sprintf(buf, "%d\n", emp->blink_policy);
}
static void ahci_port_init(struct device *dev, struct ata_port *ap,
int port_no, void __iomem *mmio,
void __iomem *port_mmio)
Reported by FlawFinder.
Line: 1651
Column: 3
CWE codes:
120
Suggestion:
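Make sure destination can always hold the source data. The preceding memset clears 32 bytes at the same destination, so the property to confirm is that `qc->dev->cdb_len` can never exceed 32; that check is not in the excerpt.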
ata_tf_to_fis(&qc->tf, qc->dev->link->pmp, 1, cmd_tbl);
if (is_atapi) {
memset(cmd_tbl + AHCI_CMD_TBL_CDB, 0, 32);
memcpy(cmd_tbl + AHCI_CMD_TBL_CDB, qc->cdb, qc->dev->cdb_len);
}
n_elem = 0;
if (qc->flags & ATA_QCFLAG_DMAMAP)
n_elem = ahci_fill_sg(qc, cmd_tbl);
Reported by FlawFinder.
drivers/base/swnode.c
8 issues
Line: 179
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (IS_ERR(pointer))
return PTR_ERR(pointer);
memcpy(val, pointer, length);
return 0;
}
static int property_entry_read_string_array(const struct property_entry *props,
const char *propname,
Reported by FlawFinder.
Line: 208
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (IS_ERR(pointer))
return PTR_ERR(pointer);
memcpy(strings, pointer, length);
return array_len;
}
static void property_entry_free_data(const struct property_entry *p)
Reported by FlawFinder.
Line: 288
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
} else {
memcpy(dst_ptr, pointer, src->length);
}
dst->length = src->length;
dst->type = src->type;
dst->name = kstrdup(src->name, GFP_KERNEL);
Reported by FlawFinder.
Line: 569
Column: 9
CWE codes:
126
* children that follow that convention.
*/
if (!strncmp(to_swnode(port)->node->name, "port@",
strlen("port@")))
return port;
old = port;
}
return NULL;
Reported by FlawFinder.
Line: 651
Column: 25
CWE codes:
126
const char *parent_name = swnode->parent->node->name;
int ret;
if (strlen("port@") >= strlen(parent_name) ||
strncmp(parent_name, "port@", strlen("port@")))
return -EINVAL;
/* Ports have naming style "port@n", we need to select the n */
ret = kstrtou32(parent_name + strlen("port@"), 10, &endpoint->port);
Reported by FlawFinder.
Line: 651
Column: 6
CWE codes:
126
const char *parent_name = swnode->parent->node->name;
int ret;
if (strlen("port@") >= strlen(parent_name) ||
strncmp(parent_name, "port@", strlen("port@")))
return -EINVAL;
/* Ports have naming style "port@n", we need to select the n */
ret = kstrtou32(parent_name + strlen("port@"), 10, &endpoint->port);
Reported by FlawFinder.
Line: 652
Column: 36
CWE codes:
126
int ret;
if (strlen("port@") >= strlen(parent_name) ||
strncmp(parent_name, "port@", strlen("port@")))
return -EINVAL;
/* Ports have naming style "port@n", we need to select the n */
ret = kstrtou32(parent_name + strlen("port@"), 10, &endpoint->port);
if (ret)
Reported by FlawFinder.
Line: 656
Column: 32
CWE codes:
126
return -EINVAL;
/* Ports have naming style "port@n", we need to select the n */
ret = kstrtou32(parent_name + strlen("port@"), 10, &endpoint->port);
if (ret)
return ret;
endpoint->id = swnode->id;
endpoint->local_fwnode = fwnode;
Reported by FlawFinder.
drivers/crypto/caam/caamalg.c
8 issues
Line: 605
Column: 3
CWE codes:
120
Suggestion:
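Make sure destination can always hold the source data. The only bound visible is `ctx->adata.keylen_pad + keys.enckeylen > CAAM_MAX_KEY_SIZE`, which covers the second copy if `ctx->key` is CAAM_MAX_KEY_SIZE bytes; the first copy of `keys.authkeylen` bytes depends on a relation between authkeylen and keylen_pad that the excerpt does not show.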
if (ctx->adata.keylen_pad + keys.enckeylen > CAAM_MAX_KEY_SIZE)
goto badkey;
memcpy(ctx->key, keys.authkey, keys.authkeylen);
memcpy(ctx->key + ctx->adata.keylen_pad, keys.enckey,
keys.enckeylen);
dma_sync_single_for_device(jrdev, ctx->key_dma,
ctx->adata.keylen_pad +
keys.enckeylen, ctx->dir);
Reported by FlawFinder.
Line: 606
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto badkey;
memcpy(ctx->key, keys.authkey, keys.authkeylen);
memcpy(ctx->key + ctx->adata.keylen_pad, keys.enckey,
keys.enckeylen);
dma_sync_single_for_device(jrdev, ctx->key_dma,
ctx->adata.keylen_pad +
keys.enckeylen, ctx->dir);
goto skip_split_key;
Reported by FlawFinder.
Line: 622
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* postpend encryption key to auth split key */
memcpy(ctx->key + ctx->adata.keylen_pad, keys.enckey, keys.enckeylen);
dma_sync_single_for_device(jrdev, ctx->key_dma, ctx->adata.keylen_pad +
keys.enckeylen, ctx->dir);
print_hex_dump_debug("ctx.key@"__stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, ctx->key,
Reported by FlawFinder.
Line: 670
Column: 2
CWE codes:
120
Suggestion:
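Make sure destination can always hold the source data. No check of `keylen` against the size of `ctx->key` is visible in this excerpt. Not part of this finding: the excerpt also passes the raw key to print_hex_dump_debug, so key bytes reach the kernel log wherever that debug output is enabled.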
print_hex_dump_debug("key in @"__stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
memcpy(ctx->key, key, keylen);
dma_sync_single_for_device(jrdev, ctx->key_dma, keylen, ctx->dir);
ctx->cdata.keylen = keylen;
return gcm_set_sh_desc(aead);
}
Reported by FlawFinder.
Line: 691
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
print_hex_dump_debug("key in @"__stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
memcpy(ctx->key, key, keylen);
/*
* The last four bytes of the key material are used as the salt value
* in the nonce. Update the AES key length.
*/
Reported by FlawFinder.
Line: 717
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
print_hex_dump_debug("key in @"__stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1);
memcpy(ctx->key, key, keylen);
/*
* The last four bytes of the key material are used as the salt value
* in the nonce. Update the AES key length.
*/
Reported by FlawFinder.
Line: 1028
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* This is used e.g. by the CTS mode.
*/
if (ivsize && !ecode) {
memcpy(req->iv, (u8 *)edesc->sec4_sg + edesc->sec4_sg_bytes,
ivsize);
print_hex_dump_debug("dstiv @" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, req->iv,
ivsize, 1);
Reported by FlawFinder.
Line: 1702
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Make sure IV is located in a DMAable area */
if (ivsize) {
iv = (u8 *)edesc->sec4_sg + sec4_sg_bytes;
memcpy(iv, req->iv, ivsize);
iv_dma = dma_map_single(jrdev, iv, ivsize, DMA_BIDIRECTIONAL);
if (dma_mapping_error(jrdev, iv_dma)) {
dev_err(jrdev, "unable to map IV\n");
caam_unmap(jrdev, req->src, req->dst, src_nents,
Reported by FlawFinder.
drivers/crypto/exynos-rng.c
8 issues
Line: 142
Column: 20
CWE codes:
120
20
*/
static int exynos_rng_get_random(struct exynos_rng_dev *rng,
u8 *dst, unsigned int dlen,
unsigned int *read)
{
int retry = EXYNOS_RNG_WAIT_RETRIES;
if (rng->type == EXYNOS_PRNG_EXYNOS4) {
exynos_rng_writel(rng, EXYNOS_RNG_CONTROL_START,
Reported by FlawFinder.
Line: 165
Column: 54
CWE codes:
120
20
exynos_rng_writel(rng, EXYNOS_RNG_STATUS_RNG_DONE,
EXYNOS_RNG_STATUS);
*read = min_t(size_t, dlen, EXYNOS_RNG_SEED_SIZE);
memcpy_fromio(dst, rng->mem + EXYNOS_RNG_OUT_BASE, *read);
rng->bytes_seeding += *read;
return 0;
}
Reported by FlawFinder.
Line: 166
Column: 25
CWE codes:
120
20
EXYNOS_RNG_STATUS);
*read = min_t(size_t, dlen, EXYNOS_RNG_SEED_SIZE);
memcpy_fromio(dst, rng->mem + EXYNOS_RNG_OUT_BASE, *read);
rng->bytes_seeding += *read;
return 0;
}
/* Re-seed itself from time to time */
Reported by FlawFinder.
Line: 184
Column: 54
CWE codes:
120
20
rng->bytes_seeding < EXYNOS_RNG_RESEED_BYTES)
return;
if (exynos_rng_get_random(rng, seed, sizeof(seed), &read))
return;
exynos_rng_set_seed(rng, seed, read);
/* Let others do some of their job. */
Reported by FlawFinder.
Line: 187
Column: 33
CWE codes:
120
20
if (exynos_rng_get_random(rng, seed, sizeof(seed), &read))
return;
exynos_rng_set_seed(rng, seed, read);
/* Let others do some of their job. */
mutex_unlock(&rng->lock);
mutex_lock(&rng->lock);
}
Reported by FlawFinder.
drivers/block/rnbd/rnbd-clt-sysfs.c
8 issues
Line: 511
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t len)
{
int ret;
char pathname[NAME_MAX], *s;
strscpy(pathname, dev->pathname, sizeof(pathname));
while ((s = strchr(pathname, '/')))
s[0] = '!';
Reported by FlawFinder.
Line: 567
Column: 2
CWE codes:
119
120
Suggestion:
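Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. If the `strlen(p) > NAME_MAX` checks shown later in this report are what guard these arrays, a value of exactly NAME_MAX characters passes them while needing NAME_MAX + 1 bytes with its terminator; confirm that the copy into `pathname` and `sessname` truncates rather than relying on that check.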
struct rnbd_clt_dev *dev;
struct rnbd_map_options opt;
int ret;
char pathname[NAME_MAX];
char sessname[NAME_MAX];
enum rnbd_access_mode access_mode = RNBD_ACCESS_RW;
u16 port_nr = RTRS_PORT;
u32 nr_poll_queues = 0;
Reported by FlawFinder.
Line: 568
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct rnbd_map_options opt;
int ret;
char pathname[NAME_MAX];
char sessname[NAME_MAX];
enum rnbd_access_mode access_mode = RNBD_ACCESS_RW;
u16 port_nr = RTRS_PORT;
u32 nr_poll_queues = 0;
struct sockaddr_storage *addrs;
Reported by FlawFinder.
Line: 96
Column: 8
CWE codes:
126
ret = -ENOMEM;
goto out;
}
if (strlen(p) > NAME_MAX) {
pr_err("map_device: sessname too long\n");
ret = -EINVAL;
kfree(p);
goto out;
}
Reported by FlawFinder.
Line: 119
Column: 35
CWE codes:
126
goto out;
}
ret = rtrs_addr_to_sockaddr(p, strlen(p),
*opt->dest_port,
&opt->paths[p_cnt]);
if (ret) {
pr_err("Can't parse path %s: %d\n", p, ret);
kfree(p);
Reported by FlawFinder.
Line: 139
Column: 8
CWE codes:
126
ret = -ENOMEM;
goto out;
}
if (strlen(p) > NAME_MAX) {
pr_err("map_device: Device path too long\n");
ret = -EINVAL;
kfree(p);
goto out;
}
Reported by FlawFinder.
Line: 529
Column: 8
CWE codes:
126
struct kobject *gd_kobj = &disk_to_dev(dev->gd)->kobj;
int ret, len;
len = strlen(dev->pathname) + strlen(dev->sess->sessname) + 2;
dev->blk_symlink_name = kzalloc(len, GFP_KERNEL);
if (!dev->blk_symlink_name) {
rnbd_clt_err(dev, "Failed to allocate memory for blk_symlink_name\n");
return -ENOMEM;
}
Reported by FlawFinder.
Line: 529
Column: 32
CWE codes:
126
struct kobject *gd_kobj = &disk_to_dev(dev->gd)->kobj;
int ret, len;
len = strlen(dev->pathname) + strlen(dev->sess->sessname) + 2;
dev->blk_symlink_name = kzalloc(len, GFP_KERNEL);
if (!dev->blk_symlink_name) {
rnbd_clt_err(dev, "Failed to allocate memory for blk_symlink_name\n");
return -ENOMEM;
}
Reported by FlawFinder.
drivers/acpi/sbs.c
8 issues
Line: 521
Column: 2
CWE codes:
134
Suggestion:
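Make format string constant. ACPI_BATTERY_DIR_NAME appears to be a preprocessor constant, so the format would be fixed at compile time; the more relevant check is that the formatted result fits `battery->name`, apparently the `char name[8]` in the struct excerpt for line 59, because sprintf does not bound the write.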
if (result)
return result;
sprintf(battery->name, ACPI_BATTERY_DIR_NAME, id);
battery->bat_desc.name = battery->name;
battery->bat_desc.type = POWER_SUPPLY_TYPE_BATTERY;
if (!acpi_battery_mode(battery)) {
battery->bat_desc.properties = sbs_charge_battery_props;
battery->bat_desc.num_properties =
Reported by FlawFinder.
Line: 637
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
sbs->hc = acpi_driver_data(device->parent);
sbs->device = device;
strcpy(acpi_device_name(device), ACPI_SBS_DEVICE_NAME);
strcpy(acpi_device_class(device), ACPI_SBS_CLASS);
device->driver_data = sbs;
result = acpi_charger_add(sbs);
if (result && result != -ENODEV)
Reported by FlawFinder.
Line: 638
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
sbs->hc = acpi_driver_data(device->parent);
sbs->device = device;
strcpy(acpi_device_name(device), ACPI_SBS_DEVICE_NAME);
strcpy(acpi_device_class(device), ACPI_SBS_CLASS);
device->driver_data = sbs;
result = acpi_charger_add(sbs);
if (result && result != -ENODEV)
goto end;
Reported by FlawFinder.
Line: 59
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct power_supply_desc bat_desc;
struct acpi_sbs *sbs;
unsigned long update_time;
char name[8];
char manufacturer_name[ACPI_SBS_BLOCK_MAX];
char device_name[ACPI_SBS_BLOCK_MAX];
char device_chemistry[ACPI_SBS_BLOCK_MAX];
u16 alarm_capacity;
u16 full_charge_capacity;
Reported by FlawFinder.
Line: 60
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct acpi_sbs *sbs;
unsigned long update_time;
char name[8];
char manufacturer_name[ACPI_SBS_BLOCK_MAX];
char device_name[ACPI_SBS_BLOCK_MAX];
char device_chemistry[ACPI_SBS_BLOCK_MAX];
u16 alarm_capacity;
u16 full_charge_capacity;
u16 design_capacity;
Reported by FlawFinder.
Line: 61
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long update_time;
char name[8];
char manufacturer_name[ACPI_SBS_BLOCK_MAX];
char device_name[ACPI_SBS_BLOCK_MAX];
char device_chemistry[ACPI_SBS_BLOCK_MAX];
u16 alarm_capacity;
u16 full_charge_capacity;
u16 design_capacity;
u16 design_voltage;
Reported by FlawFinder.
Line: 62
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char name[8];
char manufacturer_name[ACPI_SBS_BLOCK_MAX];
char device_name[ACPI_SBS_BLOCK_MAX];
char device_chemistry[ACPI_SBS_BLOCK_MAX];
u16 alarm_capacity;
u16 full_charge_capacity;
u16 design_capacity;
u16 design_voltage;
u16 serial_number;
Reported by FlawFinder.
Line: 447
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct acpi_battery *battery = to_acpi_battery(dev_get_drvdata(dev));
acpi_battery_get_alarm(battery);
return sprintf(buf, "%d\n", battery->alarm_capacity *
acpi_battery_scale(battery) * 1000);
}
static ssize_t acpi_battery_alarm_store(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
drivers/firewire/ohci.c
8 issues
Line: 475
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char dir, int speed, u32 *header, int evt)
{
int tcode = header[0] >> 4 & 0xf;
char specific[12];
if (likely(!(param_debug & OHCI_PARAM_DEBUG_AT_AR)))
return;
if (unlikely(evt >= ARRAY_SIZE(evts)))
Reported by FlawFinder.
Line: 1377
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
packet->payload_bus = payload_bus;
packet->payload_mapped = true;
} else {
memcpy(driver_data->inline_data, packet->payload,
packet->payload_length);
payload_bus = d_bus + 3 * sizeof(*d);
}
d[2].req_count = cpu_to_le16(packet->payload_length);
Reported by FlawFinder.
Line: 1662
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void handle_dead_contexts(struct fw_ohci *ohci)
{
unsigned int i;
char name[8];
detect_dead_context(ohci, "ATReq", OHCI1394_AsReqTrContextBase);
detect_dead_context(ohci, "ATRsp", OHCI1394_AsRspTrContextBase);
detect_dead_context(ohci, "ARReq", OHCI1394_AsReqRcvContextBase);
detect_dead_context(ohci, "ARRsp", OHCI1394_AsRspRcvContextBase);
Reported by FlawFinder.
Line: 1671
Column: 3
CWE codes:
120
Suggestion:
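Use sprintf_s, snprintf, or vsnprintf. With `i` below 32 the longest result is "IT31" plus its terminator, five bytes, which fits the `char name[8]` declared in the line-1662 excerpt; snprintf(name, sizeof(name), ...) would keep that true if the loop bound changes.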
for (i = 0; i < 32; ++i) {
if (!(ohci->it_context_support & (1 << i)))
continue;
sprintf(name, "IT%u", i);
detect_dead_context(ohci, name, OHCI1394_IsoXmitContextBase(i));
}
for (i = 0; i < 32; ++i) {
if (!(ohci->ir_context_support & (1 << i)))
continue;
Reported by FlawFinder.
Line: 1677
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < 32; ++i) {
if (!(ohci->ir_context_support & (1 << i)))
continue;
sprintf(name, "IR%u", i);
detect_dead_context(ohci, name, OHCI1394_IsoRcvContextBase(i));
}
/* TODO: maybe try to flush and restart the dead contexts */
}
Reported by FlawFinder.
Line: 2183
Column: 2
CWE codes:
120
Suggestion:
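Make sure destination can always hold the source data. The excerpt zero-fills the remainder only when `size` is below CONFIG_ROM_SIZE and shows nothing that rejects `length * 4` above CONFIG_ROM_SIZE, so the bound has to be guaranteed by the caller; verify it there.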
{
size_t size = length * 4;
memcpy(dest, src, size);
if (size < CONFIG_ROM_SIZE)
memset(&dest[length], 0, CONFIG_ROM_SIZE - size);
}
static int configure_1394a_enhancements(struct fw_ohci *ohci)
Reported by FlawFinder.
Line: 2753
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ctx->base.header_size > 4)
ctx_hdr[1] = swab32(dma_hdr[0]); /* timestamp */
if (ctx->base.header_size > 8)
memcpy(&ctx_hdr[2], &dma_hdr[2], ctx->base.header_size - 8);
ctx->header_length += ctx->base.header_size;
}
static int handle_ir_packet_per_buffer(struct context *context,
struct descriptor *d,
Reported by FlawFinder.
Line: 3253
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (p->header_length > 0) {
d[2].req_count = cpu_to_le16(p->header_length);
d[2].data_address = cpu_to_le32(d_bus + z * sizeof(*d));
memcpy(&d[z], p->header, p->header_length);
}
pd = d + z - payload_z;
payload_end_index = payload_index + p->payload_length;
for (i = 0; i < payload_z; i++) {
Reported by FlawFinder.