The following issues were found
include/uapi/linux/xfrm.h
7 issues
Line: 36
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u8 ctx_alg;
__u16 ctx_len;
__u32 ctx_sid;
char ctx_str[0];
};
/* Security Context Domains of Interpretation */
#define XFRM_SC_DOI_RESERVED 0
#define XFRM_SC_DOI_LSM 1
Reported by FlawFinder.
Line: 103
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct xfrm_algo {
char alg_name[64];
unsigned int alg_key_len; /* in bits */
char alg_key[0];
};
struct xfrm_algo_auth {
Reported by FlawFinder.
Line: 105
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct xfrm_algo {
char alg_name[64];
unsigned int alg_key_len; /* in bits */
char alg_key[0];
};
struct xfrm_algo_auth {
char alg_name[64];
unsigned int alg_key_len; /* in bits */
Reported by FlawFinder.
Line: 109
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct xfrm_algo_auth {
char alg_name[64];
unsigned int alg_key_len; /* in bits */
unsigned int alg_trunc_len; /* in bits */
char alg_key[0];
};
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char alg_name[64];
unsigned int alg_key_len; /* in bits */
unsigned int alg_trunc_len; /* in bits */
char alg_key[0];
};
struct xfrm_algo_aead {
char alg_name[64];
unsigned int alg_key_len; /* in bits */
Reported by FlawFinder.
Line: 116
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct xfrm_algo_aead {
char alg_name[64];
unsigned int alg_key_len; /* in bits */
unsigned int alg_icv_len; /* in bits */
char alg_key[0];
};
Reported by FlawFinder.
Line: 119
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char alg_name[64];
unsigned int alg_key_len; /* in bits */
unsigned int alg_icv_len; /* in bits */
char alg_key[0];
};
struct xfrm_stats {
__u32 replay_window;
__u32 replay;
Reported by FlawFinder.
drivers/input/misc/uinput.c
7 issues
Line: 738
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* custom waveforms in uinput anyway we can just copy the whole
* thing (to the compat size) and ignore the pointer.
*/
memcpy(&ff_up_compat.effect, &ff_up->effect,
sizeof(struct ff_effect_compat));
memcpy(&ff_up_compat.old, &ff_up->old,
sizeof(struct ff_effect_compat));
if (copy_to_user(buffer, &ff_up_compat,
Reported by FlawFinder.
Line: 740
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
memcpy(&ff_up_compat.effect, &ff_up->effect,
sizeof(struct ff_effect_compat));
memcpy(&ff_up_compat.old, &ff_up->old,
sizeof(struct ff_effect_compat));
if (copy_to_user(buffer, &ff_up_compat,
sizeof(struct uinput_ff_upload_compat)))
return -EFAULT;
Reported by FlawFinder.
Line: 767
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ff_up->request_id = ff_up_compat.request_id;
ff_up->retval = ff_up_compat.retval;
memcpy(&ff_up->effect, &ff_up_compat.effect,
sizeof(struct ff_effect_compat));
memcpy(&ff_up->old, &ff_up_compat.old,
sizeof(struct ff_effect_compat));
} else {
Reported by FlawFinder.
Line: 769
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ff_up->retval = ff_up_compat.retval;
memcpy(&ff_up->effect, &ff_up_compat.effect,
sizeof(struct ff_effect_compat));
memcpy(&ff_up->old, &ff_up_compat.old,
sizeof(struct ff_effect_compat));
} else {
if (copy_from_user(ff_up, buffer,
sizeof(struct uinput_ff_upload)))
Reported by FlawFinder.
Line: 648
Column: 36
CWE codes:
120
20
while (read + input_event_size() <= count &&
uinput_fetch_next_event(udev, &event)) {
if (input_event_to_user(buffer + read, &event))
return -EFAULT;
read += input_event_size();
}
Reported by FlawFinder.
Line: 826
Column: 8
CWE codes:
126
if (maxlen == 0)
return -EINVAL;
len = strlen(str) + 1;
if (len > maxlen)
len = maxlen;
ret = copy_to_user(p, str, len);
if (ret)
Reported by FlawFinder.
drivers/isdn/capi/kcapi.c
7 issues
Line: 51
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* ------------------------------------------------------------- */
static const struct capi_version driver_version = {2, 0, 1, 1 << 4};
static char driver_serial[CAPI_SERIAL_LEN] = "0004711";
static char capi_manufakturer[64] = "AVM Berlin";
#define NCCI2CTRL(ncci) (((ncci) >> 24) & 0x7f)
struct capi_ctr *capi_controller[CAPI_MAXCONTR];
Reported by FlawFinder.
Line: 52
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const struct capi_version driver_version = {2, 0, 1, 1 << 4};
static char driver_serial[CAPI_SERIAL_LEN] = "0004711";
static char capi_manufakturer[64] = "AVM Berlin";
#define NCCI2CTRL(ncci) (((ncci) >> 24) & 0x7f)
struct capi_ctr *capi_controller[CAPI_MAXCONTR];
DEFINE_MUTEX(capi_controller_lock);
Reported by FlawFinder.
Line: 451
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ctr->blocked = 0;
ctr->traceflag = showcapimsgs;
sprintf(ctr->procfn, "capi/controllers/%d", ctr->cnr);
ctr->procent = proc_create_single_data(ctr->procfn, 0, NULL,
ctr->proc_show, ctr);
ncontrollers++;
Reported by FlawFinder.
Line: 771
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctr = get_capi_ctr_by_nr(contr);
if (ctr && ctr->state == CAPI_CTR_RUNNING) {
memcpy(verp, &ctr->version, sizeof(capi_version));
ret = CAPI_NOERROR;
} else
ret = CAPI_REGNOTINSTALLED;
mutex_unlock(&capi_controller_lock);
Reported by FlawFinder.
Line: 837
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctr = get_capi_ctr_by_nr(contr);
if (ctr && ctr->state == CAPI_CTR_RUNNING) {
memcpy(profp, &ctr->profile, sizeof(struct capi_profile));
ret = CAPI_NOERROR;
} else
ret = CAPI_REGNOTINSTALLED;
mutex_unlock(&capi_controller_lock);
Reported by FlawFinder.
Line: 730
Column: 3
CWE codes:
120
u16 ret;
if (contr == 0) {
strncpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
return CAPI_NOERROR;
}
mutex_lock(&capi_controller_lock);
Reported by FlawFinder.
Line: 738
Column: 3
CWE codes:
120
ctr = get_capi_ctr_by_nr(contr);
if (ctr && ctr->state == CAPI_CTR_RUNNING) {
strncpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
ret = CAPI_NOERROR;
} else
ret = CAPI_REGNOTINSTALLED;
mutex_unlock(&capi_controller_lock);
Reported by FlawFinder.
drivers/hwmon/gpio-fan.c
7 issues
Line: 75
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n",
gpiod_get_value_cansleep(fan_data->alarm_gpio));
}
static DEVICE_ATTR_RO(fan1_alarm);
Reported by FlawFinder.
Line: 171
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
u8 pwm = fan_data->speed_index * 255 / (fan_data->num_speed - 1);
return sprintf(buf, "%d\n", pwm);
}
static ssize_t pwm1_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 206
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", fan_data->pwm_enable);
}
static ssize_t pwm1_enable_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 238
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t pwm1_mode_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
return sprintf(buf, "0\n");
}
static ssize_t fan1_min_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 246
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", fan_data->speed[0].rpm);
}
static ssize_t fan1_max_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 254
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n",
fan_data->speed[fan_data->num_speed - 1].rpm);
}
static ssize_t fan1_input_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 263
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", fan_data->speed[fan_data->speed_index].rpm);
}
static ssize_t set_rpm(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
drivers/ipack/ipack.c
7 issues
Line: 104
Column: 9
CWE codes:
134
Suggestion:
Make format string constant
char *buf) \
{ \
struct ipack_device *idev = to_ipack_dev(dev); \
return sprintf(buf, format_string, idev->field); \
}
static ssize_t id_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 130
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if ((i & s) == 0)
buf[c++] = ' ';
}
sprintf(&buf[c], "%02x", idev->id[i]);
c += 2;
}
buf[c++] = '\n';
return c;
}
Reported by FlawFinder.
Line: 143
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct ipack_device *idev = to_ipack_dev(dev);
switch (idev->id_format) {
case IPACK_ID_VERSION_1:
return sprintf(buf, "0x%02x\n", idev->id_vendor);
case IPACK_ID_VERSION_2:
return sprintf(buf, "0x%06x\n", idev->id_vendor);
default:
return -EIO;
}
Reported by FlawFinder.
Line: 145
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case IPACK_ID_VERSION_1:
return sprintf(buf, "0x%02x\n", idev->id_vendor);
case IPACK_ID_VERSION_2:
return sprintf(buf, "0x%06x\n", idev->id_vendor);
default:
return -EIO;
}
}
Reported by FlawFinder.
Line: 157
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct ipack_device *idev = to_ipack_dev(dev);
switch (idev->id_format) {
case IPACK_ID_VERSION_1:
return sprintf(buf, "0x%02x\n", idev->id_device);
case IPACK_ID_VERSION_2:
return sprintf(buf, "0x%04x\n", idev->id_device);
default:
return -EIO;
}
Reported by FlawFinder.
Line: 159
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case IPACK_ID_VERSION_1:
return sprintf(buf, "0x%02x\n", idev->id_device);
case IPACK_ID_VERSION_2:
return sprintf(buf, "0x%04x\n", idev->id_device);
default:
return -EIO;
}
}
Reported by FlawFinder.
Line: 170
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct ipack_device *idev = to_ipack_dev(dev);
return sprintf(buf, "ipac:f%02Xv%08Xd%08X", idev->id_format,
idev->id_vendor, idev->id_device);
}
ipack_device_attr(id_format, "0x%hhx\n");
Reported by FlawFinder.
drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
7 issues
Line: 875
Column: 6
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
if (strlen(buf) >= 20)
return -EINVAL;
if (sscanf(buf, "%s", str) != 1)
return -EINVAL;
spin_lock(&drvdata->spinlock);
idx = config->addr_idx;
if (!strcmp(str, "instr"))
Reported by FlawFinder.
Line: 1159
Column: 6
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
if (strlen(buf) >= 10)
return -EINVAL;
if (sscanf(buf, "%s", str) != 1)
return -EINVAL;
spin_lock(&drvdata->spinlock);
idx = config->addr_idx;
if (!strcmp(str, "none"))
Reported by FlawFinder.
Line: 2331
Column: 48
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
{
struct etmv4_reg *reg = data;
reg->data = etm4x_relaxed_read32(®->csdev->access, reg->offset);
}
static u32 etmv4_cross_read(const struct etmv4_drvdata *drvdata, u32 offset)
{
struct etmv4_reg reg;
Reported by FlawFinder.
Line: 869
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *buf, size_t size)
{
u8 idx;
char str[20] = "";
struct etmv4_drvdata *drvdata = dev_get_drvdata(dev->parent);
struct etmv4_config *config = &drvdata->config;
if (strlen(buf) >= 20)
return -EINVAL;
Reported by FlawFinder.
Line: 1153
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *buf, size_t size)
{
u8 idx;
char str[10] = "";
struct etmv4_drvdata *drvdata = dev_get_drvdata(dev->parent);
struct etmv4_config *config = &drvdata->config;
if (strlen(buf) >= 10)
return -EINVAL;
Reported by FlawFinder.
Line: 873
Column: 6
CWE codes:
126
struct etmv4_drvdata *drvdata = dev_get_drvdata(dev->parent);
struct etmv4_config *config = &drvdata->config;
if (strlen(buf) >= 20)
return -EINVAL;
if (sscanf(buf, "%s", str) != 1)
return -EINVAL;
spin_lock(&drvdata->spinlock);
Reported by FlawFinder.
Line: 1157
Column: 6
CWE codes:
126
struct etmv4_drvdata *drvdata = dev_get_drvdata(dev->parent);
struct etmv4_config *config = &drvdata->config;
if (strlen(buf) >= 10)
return -EINVAL;
if (sscanf(buf, "%s", str) != 1)
return -EINVAL;
spin_lock(&drvdata->spinlock);
Reported by FlawFinder.
drivers/infiniband/core/umem_odp.c
7 issues
Line: 119
Column: 17
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* @access: ib_reg_mr access flags
*/
struct ib_umem_odp *ib_umem_odp_alloc_implicit(struct ib_device *device,
int access)
{
struct ib_umem *umem;
struct ib_umem_odp *umem_odp;
int ret;
Reported by FlawFinder.
Line: 125
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct ib_umem_odp *umem_odp;
int ret;
if (access & IB_ACCESS_HUGETLB)
return ERR_PTR(-EINVAL);
umem_odp = kzalloc(sizeof(*umem_odp), GFP_KERNEL);
if (!umem_odp)
return ERR_PTR(-ENOMEM);
Reported by FlawFinder.
Line: 133
Column: 38
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return ERR_PTR(-ENOMEM);
umem = &umem_odp->umem;
umem->ibdev = device;
umem->writable = ib_access_writable(access);
umem->owning_mm = current->mm;
umem_odp->is_implicit_odp = 1;
umem_odp->page_shift = PAGE_SHIFT;
umem_odp->tgid = get_task_pid(current->group_leader, PIDTYPE_PID);
Reported by FlawFinder.
Line: 226
Column: 46
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* conjunction with MMU notifiers.
*/
struct ib_umem_odp *ib_umem_odp_get(struct ib_device *device,
unsigned long addr, size_t size, int access,
const struct mmu_interval_notifier_ops *ops)
{
struct ib_umem_odp *umem_odp;
struct mm_struct *mm;
int ret;
Reported by FlawFinder.
Line: 233
Column: 21
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct mm_struct *mm;
int ret;
if (WARN_ON_ONCE(!(access & IB_ACCESS_ON_DEMAND)))
return ERR_PTR(-EINVAL);
umem_odp = kzalloc(sizeof(struct ib_umem_odp), GFP_KERNEL);
if (!umem_odp)
return ERR_PTR(-ENOMEM);
Reported by FlawFinder.
Line: 243
Column: 47
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
umem_odp->umem.ibdev = device;
umem_odp->umem.length = size;
umem_odp->umem.address = addr;
umem_odp->umem.writable = ib_access_writable(access);
umem_odp->umem.owning_mm = mm = current->mm;
umem_odp->notifier.ops = ops;
umem_odp->page_shift = PAGE_SHIFT;
#ifdef CONFIG_HUGETLB_PAGE
Reported by FlawFinder.
Line: 249
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
umem_odp->page_shift = PAGE_SHIFT;
#ifdef CONFIG_HUGETLB_PAGE
if (access & IB_ACCESS_HUGETLB)
umem_odp->page_shift = HPAGE_SHIFT;
#endif
umem_odp->tgid = get_task_pid(current->group_leader, PIDTYPE_PID);
ret = ib_init_umem_odp(umem_odp, ops);
Reported by FlawFinder.
drivers/hwmon/ibmpex.c
7 issues
Line: 262
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t name_show(struct device *dev, struct device_attribute *devattr,
char *buf)
{
return sprintf(buf, "%s\n", DRVNAME);
}
static SENSOR_DEVICE_ATTR_RO(name, name, 0);
static ssize_t ibmpex_show_sensor(struct device *dev,
struct device_attribute *devattr,
Reported by FlawFinder.
Line: 338
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -ENOMEM;
if (type == TEMP_SENSOR)
sprintf(n, "temp%d_input%s",
counter, sensor_name_suffixes[func]);
else if (type == POWER_SENSOR)
sprintf(n, "power%d_average%s",
counter, sensor_name_suffixes[func]);
Reported by FlawFinder.
Line: 341
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(n, "temp%d_input%s",
counter, sensor_name_suffixes[func]);
else if (type == POWER_SENSOR)
sprintf(n, "power%d_average%s",
counter, sensor_name_suffixes[func]);
sysfs_attr_init(&data->sensors[sensor].attr[func].dev_attr.attr);
data->sensors[sensor].attr[func].dev_attr.attr.name = n;
data->sensors[sensor].attr[func].dev_attr.attr.mode = 0444;
Reported by FlawFinder.
Line: 78
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int interface;
struct kernel_ipmi_msg tx_message;
unsigned char tx_msg_data[IPMI_MAX_MSG_LENGTH];
long tx_msgid;
unsigned char rx_msg_data[IPMI_MAX_MSG_LENGTH];
unsigned long rx_msg_len;
unsigned char rx_result;
Reported by FlawFinder.
Line: 81
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char tx_msg_data[IPMI_MAX_MSG_LENGTH];
long tx_msgid;
unsigned char rx_msg_data[IPMI_MAX_MSG_LENGTH];
unsigned long rx_msg_len;
unsigned char rx_result;
int rx_recv_type;
unsigned char sensor_major;
Reported by FlawFinder.
Line: 275
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int mult = data->sensors[attr->index].multiplier;
ibmpex_update_device(data);
return sprintf(buf, "%d\n",
data->sensors[attr->index].values[attr->nr] * mult);
}
static ssize_t ibmpex_high_low_store(struct device *dev,
struct device_attribute *devattr,
Reported by FlawFinder.
Line: 567
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (msg->msg.data_len > 1) {
data->rx_msg_len = msg->msg.data_len - 1;
memcpy(data->rx_msg_data, msg->msg.data + 1, data->rx_msg_len);
} else
data->rx_msg_len = 0;
ipmi_free_recv_msg(msg);
complete(&data->read_complete);
Reported by FlawFinder.
drivers/input/misc/ati_remote2.c
7 issues
Line: 71
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
pr_debug("%s()\n", __func__);
return sprintf(buffer, "0x%04x\n", *(unsigned int *)kp->arg);
}
static int ati_remote2_set_mode_mask(const char *val,
const struct kernel_param *kp)
{
Reported by FlawFinder.
Line: 87
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
pr_debug("%s()\n", __func__);
return sprintf(buffer, "0x%02x\n", *(unsigned int *)kp->arg);
}
static unsigned int channel_mask = ATI_REMOTE2_MAX_CHANNEL_MASK;
#define param_check_channel_mask(name, p) __param_check(name, p, unsigned int)
static const struct kernel_param_ops param_ops_channel_mask = {
Reported by FlawFinder.
Line: 195
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long jiffies;
int mode;
char name[64];
char phys[64];
/* Each mode (AUX1-AUX4 and PC) can have an independent keymap. */
u16 keycode[ATI_REMOTE2_MODES][ARRAY_SIZE(ati_remote2_key_table)];
Reported by FlawFinder.
Line: 196
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int mode;
char name[64];
char phys[64];
/* Each mode (AUX1-AUX4 and PC) can have an independent keymap. */
u16 keycode[ATI_REMOTE2_MODES][ARRAY_SIZE(ati_remote2_key_table)];
unsigned int flags;
Reported by FlawFinder.
Line: 516
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ke->keycode = ar2->keycode[mode][offset];
ke->len = sizeof(scancode);
memcpy(&ke->scancode, &scancode, sizeof(scancode));
ke->index = index;
return 0;
}
Reported by FlawFinder.
Line: 708
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct usb_interface *intf = usb_ifnum_to_if(udev, 0);
struct ati_remote2 *ar2 = usb_get_intfdata(intf);
return sprintf(buf, "0x%04x\n", ar2->channel_mask);
}
static ssize_t ati_remote2_store_channel_mask(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 758
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct usb_interface *intf = usb_ifnum_to_if(udev, 0);
struct ati_remote2 *ar2 = usb_get_intfdata(intf);
return sprintf(buf, "0x%02x\n", ar2->mode_mask);
}
static ssize_t ati_remote2_store_mode_mask(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/gpu/drm/i2c/tda9950.c
7 issues
Line: 70
Column: 7
CWE codes:
362
u16 addresses;
struct cec_msg rx_msg;
struct cec_notifier *notify;
bool open;
};
static int tda9950_write_range(struct i2c_client *client, u8 addr, u8 *p, int cnt)
{
struct i2c_msg msg;
Reported by FlawFinder.
Line: 83
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
buf[0] = addr;
memcpy(buf + 1, p, cnt);
msg.addr = client->addr;
msg.flags = 0;
msg.len = cnt + 1;
msg.buf = buf;
Reported by FlawFinder.
Line: 145
Column: 13
CWE codes:
362
u8 csr, cconr, buf[19];
u8 arb_lost_cnt, nack_cnt, err_cnt;
if (!priv->open)
return IRQ_NONE;
csr = tda9950_read(priv->client, REG_CSR);
if (!(csr & CSR_INT))
return IRQ_NONE;
Reported by FlawFinder.
Line: 202
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (priv->rx_msg.len > CEC_MAX_MSG_SIZE)
priv->rx_msg.len = CEC_MAX_MSG_SIZE;
memcpy(priv->rx_msg.msg, buf + 2, priv->rx_msg.len);
cec_received_msg(priv->adap, &priv->rx_msg);
break;
default: /* unknown */
dev_err(&priv->client->dev, "unknown service id 0x%02x\n",
Reported by FlawFinder.
Line: 223
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[0] = 2 + msg->len;
buf[1] = CDR1_REQ;
memcpy(buf + 2, msg->msg, msg->len);
if (attempts > 5)
attempts = 5;
tda9950_write(priv->client, REG_CCONR, attempts);
Reported by FlawFinder.
Line: 262
Column: 32
CWE codes:
362
{
int ret = 0;
if (priv->glue && priv->glue->open)
ret = priv->glue->open(priv->glue->data);
priv->open = true;
return ret;
Reported by FlawFinder.
Line: 263
Column: 21
CWE codes:
362
int ret = 0;
if (priv->glue && priv->glue->open)
ret = priv->glue->open(priv->glue->data);
priv->open = true;
return ret;
}
Reported by FlawFinder.