The following issues were found
drivers/hwmon/ibmpowernv.c
8 issues
Line: 169
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_data *sdata = container_of(devattr, struct sensor_data,
dev_attr);
return sprintf(buf, "%s\n", sdata->label);
}
static int get_logical_cpu(int hwcpu)
{
int cpu;
Reported by FlawFinder.
Line: 78
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 hwmon_index;
u32 opal_index;
enum sensors type;
char label[MAX_LABEL_LEN];
char name[MAX_ATTR_LEN];
struct device_attribute dev_attr;
struct sensor_group_data *sgrp_data;
};
Reported by FlawFinder.
Line: 79
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 opal_index;
enum sensors type;
char label[MAX_LABEL_LEN];
char name[MAX_ATTR_LEN];
struct device_attribute dev_attr;
struct sensor_group_data *sgrp_data;
};
struct sensor_group_data {
Reported by FlawFinder.
Line: 120
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (sdata->type == POWER_INPUT)
x *= 1000000;
return sprintf(buf, "%llu\n", x);
}
static ssize_t show_enable(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 129
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_data *sdata = container_of(devattr, struct sensor_data,
dev_attr);
return sprintf(buf, "%u\n", sdata->sgrp_data->enable);
}
static ssize_t store_enable(struct device *dev,
struct device_attribute *devattr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 221
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int get_sensor_index_attr(const char *name, u32 *index, char *attr)
{
char *hash_pos = strchr(name, '#');
char buf[8] = { 0 };
char *dash_pos;
u32 copy_len;
int err;
if (!hash_pos)
Reported by FlawFinder.
Line: 276
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *parse_opal_node_name(const char *node_name,
enum sensors type, u32 *index)
{
char attr_suffix[MAX_ATTR_LEN];
const char *attr_name;
int err;
err = get_sensor_index_attr(node_name, index, attr_suffix);
if (err)
Reported by FlawFinder.
Line: 237
Column: 2
CWE codes:
120
if (copy_len >= sizeof(buf))
return -EINVAL;
strncpy(buf, hash_pos + 1, copy_len);
err = kstrtou32(buf, 10, index);
if (err)
return err;
Reported by FlawFinder.
drivers/hwmon/dell-smm-hwmon.c
8 issues
Line: 653
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return type;
if (type >= ARRAY_SIZE(labels))
type = ARRAY_SIZE(labels) - 1;
return sprintf(buf, "%s\n", labels[type]);
}
static ssize_t i8k_hwmon_temp_show(struct device *dev,
struct device_attribute *devattr,
char *buf)
Reported by FlawFinder.
Line: 697
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (type >= ARRAY_SIZE(labels))
type = (ARRAY_SIZE(labels) - 1);
return sprintf(buf, "%s%s\n", (dock ? "Docking " : ""), labels[type]);
}
static ssize_t i8k_hwmon_fan_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 62
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define I8K_POWER_BATTERY 0x01
static DEFINE_MUTEX(i8k_mutex);
static char bios_version[4];
static char bios_machineid[16];
static struct device *i8k_hwmon_dev;
static u32 i8k_hwmon_flags;
static uint i8k_fan_mult = I8K_FAN_MULT;
static uint i8k_pwm_mult;
Reported by FlawFinder.
Line: 63
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static DEFINE_MUTEX(i8k_mutex);
static char bios_version[4];
static char bios_machineid[16];
static struct device *i8k_hwmon_dev;
static u32 i8k_hwmon_flags;
static uint i8k_fan_mult = I8K_FAN_MULT;
static uint i8k_pwm_mult;
static uint i8k_fan_max = I8K_FAN_HIGH;
Reported by FlawFinder.
Line: 447
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int val = 0;
int speed;
unsigned char buff[16];
int __user *argp = (int __user *)arg;
if (!argp)
return -EINVAL;
Reported by FlawFinder.
Line: 666
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
temp = i8k_get_temp(index);
if (temp < 0)
return temp;
return sprintf(buf, "%d\n", temp * 1000);
}
static ssize_t i8k_hwmon_fan_label_show(struct device *dev,
struct device_attribute *devattr,
char *buf)
Reported by FlawFinder.
Line: 709
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
fan_speed = i8k_get_fan_speed(index);
if (fan_speed < 0)
return fan_speed;
return sprintf(buf, "%d\n", fan_speed);
}
static ssize_t i8k_hwmon_pwm_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 721
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
status = i8k_get_fan_status(index);
if (status < 0)
return -EIO;
return sprintf(buf, "%d\n", clamp_val(status * i8k_pwm_mult, 0, 255));
}
static ssize_t i8k_hwmon_pwm_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/hwmon/dme1737.c
8 issues
Line: 1502
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dme1737_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", data->name);
}
/* ---------------------------------------------------------------------
* Sysfs device attribute defines and structs
* --------------------------------------------------------------------- */
Reported by FlawFinder.
Line: 827
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
dev_dbg(dev, "Unknown function %d.\n", fn);
}
return sprintf(buf, "%d\n", res);
}
static ssize_t set_in(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 911
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
dev_dbg(dev, "Unknown function %d.\n", fn);
}
return sprintf(buf, "%d\n", res);
}
static ssize_t set_temp(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 1003
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
dev_dbg(dev, "Unknown function %d.\n", fn);
}
return sprintf(buf, "%d\n", res);
}
static ssize_t set_zone(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 1117
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
dev_dbg(dev, "Unknown function %d.\n", fn);
}
return sprintf(buf, "%d\n", res);
}
static ssize_t set_fan(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 1253
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
dev_dbg(dev, "Unknown function %d.\n", fn);
}
return sprintf(buf, "%d\n", res);
}
static struct attribute *dme1737_pwm_chmod_attr[];
static void dme1737_chmod_file(struct device*, struct attribute*, umode_t);
Reported by FlawFinder.
Line: 1468
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct i2c_client *client = to_i2c_client(dev);
struct dme1737_data *data = i2c_get_clientdata(client);
return sprintf(buf, "%d\n", data->vrm);
}
static ssize_t vrm_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 1494
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dme1737_data *data = dme1737_update_device(dev);
return sprintf(buf, "%d\n", vid_from_reg(data->vid, data->vrm));
}
static ssize_t name_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
drivers/hwmon/max6639.c
8 issues
Line: 163
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return PTR_ERR(data);
temp = data->temp[attr->index] * 125;
return sprintf(buf, "%ld\n", temp);
}
static ssize_t temp_fault_show(struct device *dev,
struct device_attribute *dev_attr, char *buf)
{
Reported by FlawFinder.
Line: 175
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (IS_ERR(data))
return PTR_ERR(data);
return sprintf(buf, "%d\n", data->temp_fault[attr->index]);
}
static ssize_t temp_max_show(struct device *dev,
struct device_attribute *dev_attr, char *buf)
{
Reported by FlawFinder.
Line: 184
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *attr = to_sensor_dev_attr(dev_attr);
struct max6639_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", (data->temp_therm[attr->index] * 1000));
}
static ssize_t temp_max_store(struct device *dev,
struct device_attribute *dev_attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 216
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *attr = to_sensor_dev_attr(dev_attr);
struct max6639_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", (data->temp_alert[attr->index] * 1000));
}
static ssize_t temp_crit_store(struct device *dev,
struct device_attribute *dev_attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 249
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *attr = to_sensor_dev_attr(dev_attr);
struct max6639_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", (data->temp_ot[attr->index] * 1000));
}
static ssize_t temp_emergency_store(struct device *dev,
struct device_attribute *dev_attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 281
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *attr = to_sensor_dev_attr(dev_attr);
struct max6639_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", data->pwm[attr->index] * 255 / 120);
}
static ssize_t pwm_store(struct device *dev,
struct device_attribute *dev_attr, const char *buf,
size_t count)
Reported by FlawFinder.
Line: 318
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (IS_ERR(data))
return PTR_ERR(data);
return sprintf(buf, "%d\n", FAN_FROM_REG(data->fan[attr->index],
data->rpm_range));
}
static ssize_t alarm_show(struct device *dev,
struct device_attribute *dev_attr, char *buf)
Reported by FlawFinder.
Line: 331
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (IS_ERR(data))
return PTR_ERR(data);
return sprintf(buf, "%d\n", !!(data->status & (1 << attr->index)));
}
static SENSOR_DEVICE_ATTR_RO(temp1_input, temp_input, 0);
static SENSOR_DEVICE_ATTR_RO(temp2_input, temp_input, 1);
static SENSOR_DEVICE_ATTR_RO(temp1_fault, temp_fault, 0);
Reported by FlawFinder.
drivers/gpu/drm/msm/msm_rd.c
8 issues
Line: 83
Column: 7
CWE codes:
362
struct msm_rd_state {
struct drm_device *dev;
bool open;
/* current submit to read out: */
struct msm_gem_submit *submit;
/* fifo access is synchronized on the producer side by
Reported by FlawFinder.
Line: 98
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
wait_queue_head_t fifo_event;
struct circ_buf fifo;
char buf[BUF_SZ];
};
static void rd_write(struct msm_rd_state *rd, const void *buf, int sz)
{
struct circ_buf *fifo = &rd->fifo;
Reported by FlawFinder.
Line: 110
Column: 64
CWE codes:
362
char *fptr = &fifo->buf[fifo->head];
int n;
wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0 || !rd->open);
if (!rd->open)
return;
/* Note that smp_load_acquire() is not strictly required
* as CIRC_SPACE_TO_END() does not access the tail more
Reported by FlawFinder.
Line: 111
Column: 12
CWE codes:
362
int n;
wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0 || !rd->open);
if (!rd->open)
return;
/* Note that smp_load_acquire() is not strictly required
* as CIRC_SPACE_TO_END() does not access the tail more
* than once.
Reported by FlawFinder.
Line: 119
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* than once.
*/
n = min(sz, circ_space_to_end(&rd->fifo));
memcpy(fptr, ptr, n);
smp_store_release(&fifo->head, (fifo->head + n) & (BUF_SZ - 1));
sz -= n;
ptr += n;
Reported by FlawFinder.
Line: 186
Column: 10
CWE codes:
362
mutex_lock(&dev->struct_mutex);
if (rd->open || !gpu) {
ret = -EBUSY;
goto out;
}
file->private_data = rd;
Reported by FlawFinder.
Line: 345
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct drm_device *dev = submit->dev;
struct task_struct *task;
char msg[256];
int i, n;
if (!rd->open)
return;
Reported by FlawFinder.
Line: 348
Column: 11
CWE codes:
362
char msg[256];
int i, n;
if (!rd->open)
return;
/* writing into fifo is serialized by caller, and
* rd->read_lock is used to serialize the reads
*/
Reported by FlawFinder.
drivers/input/mouse/cyapa_gen6.c
8 issues
Line: 237
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cyapa->btn_capability = (resp_data[70] << 3) & CAPABILITY_BTN_MASK;
memcpy(&cyapa->product_id[0], &resp_data[51], 5);
cyapa->product_id[5] = '-';
memcpy(&cyapa->product_id[6], &resp_data[56], 6);
cyapa->product_id[12] = '-';
memcpy(&cyapa->product_id[13], &resp_data[62], 2);
cyapa->product_id[15] = '\0';
Reported by FlawFinder.
Line: 239
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&cyapa->product_id[0], &resp_data[51], 5);
cyapa->product_id[5] = '-';
memcpy(&cyapa->product_id[6], &resp_data[56], 6);
cyapa->product_id[12] = '-';
memcpy(&cyapa->product_id[13], &resp_data[62], 2);
cyapa->product_id[15] = '\0';
/* Get the number of Rx electrodes. */
Reported by FlawFinder.
Line: 241
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cyapa->product_id[5] = '-';
memcpy(&cyapa->product_id[6], &resp_data[56], 6);
cyapa->product_id[12] = '-';
memcpy(&cyapa->product_id[13], &resp_data[62], 2);
cyapa->product_id[15] = '\0';
/* Get the number of Rx electrodes. */
rotat_align = resp_data[68];
cyapa->electrodes_rx =
Reported by FlawFinder.
Line: 279
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cyapa->platform_ver = (resp_data[12] >> PIP_BL_PLATFORM_VER_SHIFT) &
PIP_BL_PLATFORM_VER_MASK;
memcpy(&cyapa->product_id[0], &resp_data[13], 5);
cyapa->product_id[5] = '-';
memcpy(&cyapa->product_id[6], &resp_data[18], 6);
cyapa->product_id[12] = '-';
memcpy(&cyapa->product_id[13], &resp_data[24], 2);
cyapa->product_id[15] = '\0';
Reported by FlawFinder.
Line: 281
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&cyapa->product_id[0], &resp_data[13], 5);
cyapa->product_id[5] = '-';
memcpy(&cyapa->product_id[6], &resp_data[18], 6);
cyapa->product_id[12] = '-';
memcpy(&cyapa->product_id[13], &resp_data[24], 2);
cyapa->product_id[15] = '\0';
return 0;
Reported by FlawFinder.
Line: 283
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cyapa->product_id[5] = '-';
memcpy(&cyapa->product_id[6], &resp_data[18], 6);
cyapa->product_id[12] = '-';
memcpy(&cyapa->product_id[13], &resp_data[24], 2);
cyapa->product_id[15] = '\0';
return 0;
}
Reported by FlawFinder.
Line: 600
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOBUFS;
}
memcpy(data, &resp_data[10], read_len);
*data_buf_lens = read_len;
return 0;
}
static ssize_t cyapa_gen6_show_baseline(struct device *dev,
Reported by FlawFinder.
Line: 710
Column: 5
CWE codes:
126
goto out;
/* Only support product ID starting with CYTRA */
if (memcmp(cyapa->product_id, product_id,
strlen(product_id)) != 0) {
dev_err(dev, "%s: unknown product ID (%s)\n",
__func__, cyapa->product_id);
error = -EINVAL;
}
break;
Reported by FlawFinder.
drivers/input/mouse/cyapa_gen3.c
8 issues
Line: 613
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int error;
size_t i;
unsigned char cmd[CYAPA_CMD_LEN + 1];
size_t cmd_len;
for (i = 0; i < len; i += CYAPA_CMD_LEN) {
const u8 *payload = &buf[i];
Reported by FlawFinder.
Line: 621
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd_len = (len - i >= CYAPA_CMD_LEN) ? CYAPA_CMD_LEN : len - i;
cmd[0] = i;
memcpy(&cmd[1], payload, cmd_len);
error = cyapa_i2c_reg_write_block(cyapa, 0, cmd_len + 1, cmd);
if (error)
return error;
}
Reported by FlawFinder.
Line: 658
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Set write command and security key bytes. */
write_block_cmd.checksum_seed = GEN3_BL_CMD_CHECKSUM_SEED;
write_block_cmd.cmd_code = GEN3_BL_CMD_WRITE_BLOCK;
memcpy(write_block_cmd.key, security_key, sizeof(security_key));
put_unaligned_be16(block, &write_block_cmd.block_num);
memcpy(write_block_cmd.block_data, data, CYAPA_FW_BLOCK_SIZE);
write_block_cmd.block_checksum = cyapa_gen3_csum(
write_block_cmd.block_data, CYAPA_FW_BLOCK_SIZE);
write_block_cmd.cmd_checksum = cyapa_gen3_csum((u8 *)&write_block_cmd,
Reported by FlawFinder.
Line: 660
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
write_block_cmd.cmd_code = GEN3_BL_CMD_WRITE_BLOCK;
memcpy(write_block_cmd.key, security_key, sizeof(security_key));
put_unaligned_be16(block, &write_block_cmd.block_num);
memcpy(write_block_cmd.block_data, data, CYAPA_FW_BLOCK_SIZE);
write_block_cmd.block_checksum = cyapa_gen3_csum(
write_block_cmd.block_data, CYAPA_FW_BLOCK_SIZE);
write_block_cmd.cmd_checksum = cyapa_gen3_csum((u8 *)&write_block_cmd,
sizeof(write_block_cmd) - 1);
Reported by FlawFinder.
Line: 993
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret != QUERY_DATA_SIZE)
return (ret < 0) ? ret : -EIO;
memcpy(&cyapa->product_id[0], &query_data[0], 5);
cyapa->product_id[5] = '-';
memcpy(&cyapa->product_id[6], &query_data[5], 6);
cyapa->product_id[12] = '-';
memcpy(&cyapa->product_id[13], &query_data[11], 2);
cyapa->product_id[15] = '\0';
Reported by FlawFinder.
Line: 995
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&cyapa->product_id[0], &query_data[0], 5);
cyapa->product_id[5] = '-';
memcpy(&cyapa->product_id[6], &query_data[5], 6);
cyapa->product_id[12] = '-';
memcpy(&cyapa->product_id[13], &query_data[11], 2);
cyapa->product_id[15] = '\0';
cyapa->fw_maj_ver = query_data[15];
Reported by FlawFinder.
Line: 997
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cyapa->product_id[5] = '-';
memcpy(&cyapa->product_id[6], &query_data[5], 6);
cyapa->product_id[12] = '-';
memcpy(&cyapa->product_id[13], &query_data[11], 2);
cyapa->product_id[15] = '\0';
cyapa->fw_maj_ver = query_data[15];
cyapa->fw_min_ver = query_data[16];
Reported by FlawFinder.
Line: 1106
Column: 5
CWE codes:
126
/* Only support product ID starting with CYTRA */
if (memcmp(cyapa->product_id, product_id,
strlen(product_id)) != 0) {
dev_err(dev, "unsupported product ID (%s)\n",
cyapa->product_id);
return -EINVAL;
}
Reported by FlawFinder.
drivers/macintosh/via-pmu.c
8 issues
Line: 143
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct adb_request *current_req;
static struct adb_request *last_req;
static struct adb_request *req_awaiting_reply;
static unsigned char interrupt_data[2][32];
static int interrupt_data_len[2];
static int int_data_last;
static unsigned char *reply_ptr;
static int data_index;
static int data_len;
Reported by FlawFinder.
Line: 560
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
long i;
for (i=0; i<pmu_battery_count; i++) {
char title[16];
sprintf(title, "battery_%ld", i);
proc_pmu_batt[i] = proc_create_single_data(title, 0,
proc_pmu_root, pmu_battery_proc_show,
(void *)i);
}
Reported by FlawFinder.
Line: 561
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i=0; i<pmu_battery_count; i++) {
char title[16];
sprintf(title, "battery_%ld", i);
proc_pmu_batt[i] = proc_create_single_data(title, 0,
proc_pmu_root, pmu_battery_proc_show,
(void *)i);
}
Reported by FlawFinder.
Line: 874
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pmu_irqstats_proc_show(struct seq_file *m, void *v)
{
int i;
static const char *irq_names[NUM_IRQ_STATS] = {
"Unknown interrupt (type 0)",
"Unknown interrupt (type 1)",
"PC-Card eject button",
"Sound/Brightness button",
"ADB message",
Reported by FlawFinder.
Line: 932
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t pmu_options_proc_write(struct file *file,
const char __user *buffer, size_t count, loff_t *pos)
{
char tmp[33];
char *label, *val;
size_t fcount = count;
if (!count)
return -EINVAL;
Reported by FlawFinder.
Line: 1408
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len <= 2)
req->reply_len = 0;
else {
memcpy(req->reply, data + 1, len - 1);
req->reply_len = len - 1;
}
pmu_done(req);
} else {
#ifdef CONFIG_XMON
Reported by FlawFinder.
Line: 2111
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int rb_put;
struct rb_entry {
unsigned short len;
unsigned char data[16];
} rb_buf[RB_SIZE];
wait_queue_head_t wait;
spinlock_t lock;
#if defined(CONFIG_INPUT_ADBHID) && defined(CONFIG_PMAC_BACKLIGHT)
int backlight_locker;
Reported by FlawFinder.
Line: 2143
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (i != pp->rb_get) {
struct rb_entry *rp = &pp->rb_buf[pp->rb_put];
rp->len = len;
memcpy(rp->data, data, len);
pp->rb_put = i;
wake_up_interruptible(&pp->wait);
}
spin_unlock(&pp->lock);
}
Reported by FlawFinder.
drivers/isdn/mISDN/core.c
8 issues
Line: 89
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
static ssize_t name_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
strcpy(buf, dev_name(dev));
return strlen(buf);
}
static DEVICE_ATTR_RO(name);
#if 0 /* hangs */
Reported by FlawFinder.
Line: 38
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!mdev)
return -ENODEV;
return sprintf(buf, "%d\n", mdev->id);
}
static DEVICE_ATTR_RO(id);
static ssize_t nrbchan_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 49
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!mdev)
return -ENODEV;
return sprintf(buf, "%d\n", mdev->nrbchan);
}
static DEVICE_ATTR_RO(nrbchan);
static ssize_t d_protocols_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 60
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!mdev)
return -ENODEV;
return sprintf(buf, "%d\n", mdev->Dprotocols);
}
static DEVICE_ATTR_RO(d_protocols);
static ssize_t b_protocols_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 71
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!mdev)
return -ENODEV;
return sprintf(buf, "%d\n", mdev->Bprotocols | get_all_Bprotocols());
}
static DEVICE_ATTR_RO(b_protocols);
static ssize_t protocol_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 82
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!mdev)
return -ENODEV;
return sprintf(buf, "%d\n", mdev->D.protocol);
}
static DEVICE_ATTR_RO(protocol);
static ssize_t name_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 104
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!out)
return -ENOMEM;
memcpy(out, buf, count);
if (count && out[count - 1] == '\n')
out[--count] = 0;
if (count)
err = device_rename(dev, out);
kfree(out);
Reported by FlawFinder.
Line: 90
Column: 9
CWE codes:
126
struct device_attribute *attr, char *buf)
{
strcpy(buf, dev_name(dev));
return strlen(buf);
}
static DEVICE_ATTR_RO(name);
#if 0 /* hangs */
static ssize_t name_set(struct device *dev, struct device_attribute *attr,
Reported by FlawFinder.
fs/nls/nls_iso8859-7.c
8 issues
Line: 16
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <linux/nls.h>
#include <linux/errno.h>
static const wchar_t charset2uni[256] = {
/* 0x00*/
0x0000, 0x0001, 0x0002, 0x0003,
0x0004, 0x0005, 0x0006, 0x0007,
0x0008, 0x0009, 0x000a, 0x000b,
0x000c, 0x000d, 0x000e, 0x000f,
Reported by FlawFinder.
Line: 99
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x03cc, 0x03cd, 0x03ce, 0x0000,
};
static const unsigned char page00[256] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, /* 0x18-0x1f */
0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, /* 0x20-0x27 */
Reported by FlawFinder.
Line: 127
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x00, 0x00, 0x00, 0xbb, 0x00, 0xbd, 0x00, 0x00, /* 0xb8-0xbf */
};
static const unsigned char page02[256] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x00-0x07 */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x08-0x0f */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x10-0x17 */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x18-0x1f */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x20-0x27 */
Reported by FlawFinder.
Line: 155
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x00, 0x00, 0x00, 0x00, 0xa2, 0xa1, 0x00, 0x00, /* 0xb8-0xbf */
};
static const unsigned char page03[256] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x00-0x07 */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x08-0x0f */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x10-0x17 */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x18-0x1f */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x20-0x27 */
Reported by FlawFinder.
Line: 185
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0x00, /* 0xc8-0xcf */
};
static const unsigned char page20[256] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x00-0x07 */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x08-0x0f */
0x00, 0x00, 0x00, 0x00, 0x00, 0xaf, 0x00, 0x00, /* 0x10-0x17 */
};
Reported by FlawFinder.
Line: 191
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x00, 0x00, 0x00, 0x00, 0x00, 0xaf, 0x00, 0x00, /* 0x10-0x17 */
};
static const unsigned char *const page_uni2charset[256] = {
page00, NULL, page02, page03, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
page20, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
Reported by FlawFinder.
Line: 199
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
page20, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
};
static const unsigned char charset2lower[256] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, /* 0x18-0x1f */
0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, /* 0x20-0x27 */
Reported by FlawFinder.
Line: 235
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0x00, /* 0xf8-0xff */
};
static const unsigned char charset2upper[256] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, /* 0x18-0x1f */
0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, /* 0x20-0x27 */
Reported by FlawFinder.