The following issues were found
arch/um/os-Linux/mem.c
7 issues
Line: 124
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (tempname == NULL)
return -1;
strcpy(tempname, tempdir);
strcat(tempname, template);
fd = mkstemp(tempname);
if (fd < 0) {
os_warn("open - cannot create %s: %s\n", tempname,
strerror(errno));
Reported by FlawFinder.
Line: 125
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
return -1;
strcpy(tempname, tempdir);
strcat(tempname, template);
fd = mkstemp(tempname);
if (fd < 0) {
os_warn("open - cannot create %s: %s\n", tempname,
strerror(errno));
goto out;
Reported by FlawFinder.
Line: 66
Column: 9
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
os_info("Checking environment variables for a tempdir...");
for (i = 0; vars[i]; i++) {
dir = getenv(vars[i]);
if ((dir != NULL) && (*dir != '\0')) {
os_info("%s\n", dir);
if (check_tmpfs(dir) >= 0)
goto done;
else
Reported by FlawFinder.
Line: 110
Column: 7
CWE codes:
362
}
#ifdef O_TMPFILE
fd = open(tempdir, O_CLOEXEC | O_RDWR | O_EXCL | O_TMPFILE, 0700);
/*
* If the running system does not support O_TMPFILE flag then retry
* without it.
*/
if (fd != -1 || (errno != EINVAL && errno != EISDIR &&
Reported by FlawFinder.
Line: 126
Column: 7
CWE codes:
377
strcpy(tempname, tempdir);
strcat(tempname, template);
fd = mkstemp(tempname);
if (fd < 0) {
os_warn("open - cannot create %s: %s\n", tempname,
strerror(errno));
goto out;
}
Reported by FlawFinder.
Line: 120
Column: 20
CWE codes:
126
return fd;
#endif
tempname = malloc(strlen(tempdir) + strlen(template) + 1);
if (tempname == NULL)
return -1;
strcpy(tempname, tempdir);
strcat(tempname, template);
Reported by FlawFinder.
Line: 120
Column: 38
CWE codes:
126
return fd;
#endif
tempname = malloc(strlen(tempdir) + strlen(template) + 1);
if (tempname == NULL)
return -1;
strcpy(tempname, tempdir);
strcat(tempname, template);
Reported by FlawFinder.
arch/um/drivers/slip_user.c
7 issues
Line: 157
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
pri->slip.esc = 0;
if (pri->gate_addr != NULL) {
sprintf(version_buf, "%d", UML_NET_VERSION);
strcpy(gate_buf, pri->gate_addr);
err = slip_tramp(argv, sfd);
if (err < 0) {
printk(UM_KERN_ERR "slip_tramp failed - err = %d\n",
Reported by FlawFinder.
Line: 126
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int slip_open(void *data)
{
struct slip_data *pri = data;
char version_buf[sizeof("nnnnn\0")];
char gate_buf[sizeof("nnn.nnn.nnn.nnn\0")];
char *argv[] = { "uml_net", version_buf, "slip", "up", gate_buf,
NULL };
int sfd, mfd, err;
Reported by FlawFinder.
Line: 127
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct slip_data *pri = data;
char version_buf[sizeof("nnnnn\0")];
char gate_buf[sizeof("nnn.nnn.nnn.nnn\0")];
char *argv[] = { "uml_net", version_buf, "slip", "up", gate_buf,
NULL };
int sfd, mfd, err;
err = get_pty();
Reported by FlawFinder.
Line: 140
Column: 8
CWE codes:
362
}
mfd = err;
err = open(ptsname(mfd), O_RDWR, 0);
if (err < 0) {
printk(UM_KERN_ERR "Couldn't open tty for slip line, "
"err = %d\n", -err);
goto out_close;
}
Reported by FlawFinder.
Line: 156
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
pri->slip.pos = 0;
pri->slip.esc = 0;
if (pri->gate_addr != NULL) {
sprintf(version_buf, "%d", UML_NET_VERSION);
strcpy(gate_buf, pri->gate_addr);
err = slip_tramp(argv, sfd);
if (err < 0) {
Reported by FlawFinder.
Line: 194
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void slip_close(int fd, void *data)
{
struct slip_data *pri = data;
char version_buf[sizeof("nnnnn\0")];
char *argv[] = { "uml_net", version_buf, "slip", "down", pri->name,
NULL };
int err;
if (pri->gate_addr != NULL)
Reported by FlawFinder.
Line: 202
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (pri->gate_addr != NULL)
iter_addresses(pri->dev, close_addr, pri->name);
sprintf(version_buf, "%d", UML_NET_VERSION);
err = slip_tramp(argv, pri->slave);
if (err != 0)
printk(UM_KERN_ERR "slip_tramp failed - errno = %d\n", -err);
Reported by FlawFinder.
arch/mips/bcm63xx/boards/board_bcm963xx.c
7 issues
Line: 708
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int bcm63xx_get_fallback_sprom(struct ssb_bus *bus, struct ssb_sprom *out)
{
if (bus->bustype == SSB_BUSTYPE_PCI) {
memcpy(out, &bcm63xx_sprom, sizeof(struct ssb_sprom));
return 0;
} else {
pr_err("unable to fill SPROM for given bustype\n");
return -EINVAL;
}
Reported by FlawFinder.
Line: 732
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
unsigned int i;
u8 *boot_addr, *cfe;
char cfe_version[32];
char *board_name = NULL;
u32 val;
struct bcm_hcs *hcs;
/* read base address of boot chip select (0)
Reported by FlawFinder.
Line: 767
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
snprintf(cfe_version, 12, "%s", (char *) &cfe[4]);
}
} else {
strcpy(cfe_version, "unknown");
}
pr_info("CFE version: %s\n", cfe_version);
bcm63xx_nvram_init(boot_addr + BCM963XX_NVRAM_OFFSET);
Reported by FlawFinder.
Line: 790
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* bail out if board is not found, will complain later */
if (!board.name[0]) {
char name[17];
memcpy(name, board_name, 16);
name[16] = 0;
pr_err("unknown bcm963xx board: %s\n", name);
return;
}
Reported by FlawFinder.
Line: 791
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* bail out if board is not found, will complain later */
if (!board.name[0]) {
char name[17];
memcpy(name, board_name, 16);
name[16] = 0;
pr_err("unknown bcm963xx board: %s\n", name);
return;
}
Reported by FlawFinder.
Line: 887
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
#ifdef CONFIG_SSB_PCIHOST
if (!bcm63xx_nvram_get_mac_address(bcm63xx_sprom.il0mac)) {
memcpy(bcm63xx_sprom.et0mac, bcm63xx_sprom.il0mac, ETH_ALEN);
memcpy(bcm63xx_sprom.et1mac, bcm63xx_sprom.il0mac, ETH_ALEN);
if (ssb_arch_register_fallback_sprom(
&bcm63xx_get_fallback_sprom) < 0)
pr_err("failed to register fallback SPROM\n");
}
Reported by FlawFinder.
Line: 888
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#ifdef CONFIG_SSB_PCIHOST
if (!bcm63xx_nvram_get_mac_address(bcm63xx_sprom.il0mac)) {
memcpy(bcm63xx_sprom.et0mac, bcm63xx_sprom.il0mac, ETH_ALEN);
memcpy(bcm63xx_sprom.et1mac, bcm63xx_sprom.il0mac, ETH_ALEN);
if (ssb_arch_register_fallback_sprom(
&bcm63xx_get_fallback_sprom) < 0)
pr_err("failed to register fallback SPROM\n");
}
#endif /* CONFIG_SSB_PCIHOST */
Reported by FlawFinder.
arch/sparc/kernel/vio.c
7 issues
Line: 125
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (!strcmp(vdev->type, "vdc-port"))
str = "vdisk";
return sprintf(buf, "%s\n", str);
}
static DEVICE_ATTR_RO(devspec);
static ssize_t type_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 133
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct vio_dev *vdev = to_vio_dev(dev);
return sprintf(buf, "%s\n", vdev->type);
}
static DEVICE_ATTR_RO(type);
static ssize_t modalias_show(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 142
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
const struct vio_dev *vdev = to_vio_dev(dev);
return sprintf(buf, "vio:T%sS%s\n", vdev->type, vdev->compat);
}
static DEVICE_ATTR_RO(modalias);
static struct attribute *vio_dev_attrs[] = {
&dev_attr_devspec.attr,
Reported by FlawFinder.
Line: 336
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
vdev->mp = mp;
memcpy(vdev->type, type, tlen);
if (compat)
memcpy(vdev->compat, compat, clen);
else
memset(vdev->compat, 0, sizeof(vdev->compat));
vdev->compat_len = clen;
Reported by FlawFinder.
Line: 338
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vdev->mp = mp;
memcpy(vdev->type, type, tlen);
if (compat)
memcpy(vdev->compat, compat, clen);
else
memset(vdev->compat, 0, sizeof(vdev->compat));
vdev->compat_len = clen;
vdev->port_id = ~0UL;
Reported by FlawFinder.
Line: 307
Column: 11
CWE codes:
126
type = mdesc_get_property(hp, mp, "name", &tlen);
if (!type) {
type = mdesc_node_name(hp, mp);
tlen = strlen(type) + 1;
}
}
if (tlen > VIO_MAX_TYPE_LEN || strlen(type) >= VIO_MAX_TYPE_LEN) {
printk(KERN_ERR "VIO: Type string [%s] is too long.\n",
type);
Reported by FlawFinder.
Line: 310
Column: 33
CWE codes:
126
tlen = strlen(type) + 1;
}
}
if (tlen > VIO_MAX_TYPE_LEN || strlen(type) >= VIO_MAX_TYPE_LEN) {
printk(KERN_ERR "VIO: Type string [%s] is too long.\n",
type);
return NULL;
}
Reported by FlawFinder.
arch/x86/tools/insn_decoder_test.c
7 issues
Line: 55
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
fprintf(stderr, "%s: warning: ", prog);
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);
}
static void dump_field(FILE *fp, const char *name, const char *indent,
struct insn_field *field)
Reported by FlawFinder.
Line: 128
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (line[0] == '<') {
/* Symbol line */
strcpy(sym, line);
continue;
}
insns++;
memset(insn_buff, 0, 16);
Reported by FlawFinder.
Line: 134
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
insns++;
memset(insn_buff, 0, 16);
strcpy(copy, line);
tab1 = strchr(copy, '\t');
if (!tab1)
malformed_line(line, insns);
s = tab1 + 1;
s += strspn(s, " ");
Reported by FlawFinder.
Line: 92
Column: 14
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
{
int c;
prog = argv[0];
while ((c = getopt(argc, argv, "ynv")) != -1) {
switch (c) {
case 'y':
x86_64 = 1;
break;
case 'n':
Reported by FlawFinder.
Line: 113
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int main(int argc, char **argv)
{
char line[BUFSIZE], sym[BUFSIZE] = "<unknown>";
unsigned char insn_buff[16];
struct insn insn;
int insns = 0;
int warnings = 0;
Reported by FlawFinder.
Line: 114
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int main(int argc, char **argv)
{
char line[BUFSIZE], sym[BUFSIZE] = "<unknown>";
unsigned char insn_buff[16];
struct insn insn;
int insns = 0;
int warnings = 0;
parse_args(argc, argv);
Reported by FlawFinder.
Line: 122
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
parse_args(argc, argv);
while (fgets(line, BUFSIZE, stdin)) {
char copy[BUFSIZE], *s, *tab1, *tab2;
int nb = 0, ret;
unsigned int b;
if (line[0] == '<') {
/* Symbol line */
Reported by FlawFinder.
arch/sparc/kernel/pcic.c
7 issues
Line: 575
CWE codes:
908
/* real_irq means PROM did not bother to program the upper
* half of PCIC. This happens on JS-E with PROM 3.11, for instance.
*/
if (real_irq == 0 || p->force) {
if (p->irq == 0 || p->irq >= 15) { /* Corrupted map */
pci_info(dev, "PCIC: BAD IRQ %d\n", p->irq); for (;;) {}
}
pci_info(dev, "PCIC: setting irq %d at pin %d\n", p->irq,
p->pin);
Reported by Cppcheck.
Line: 355
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
pbm = &pcic->pbm;
pbm->prom_node = node;
prom_getstring(node, "name", namebuf, 63); namebuf[63] = 0;
strcpy(pbm->prom_name, namebuf);
{
extern int pcic_nmi_trap_patch[4];
t_nmi[0] = pcic_nmi_trap_patch[0];
Reported by FlawFinder.
Line: 292
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct linux_pcic *pcic;
struct linux_prom_registers regs[PROMREG_MAX];
struct linux_pbm_info* pbm;
char namebuf[64];
phandle node;
int err;
if (pcic0_up) {
prom_printf("PCIC: called twice!\n");
Reported by FlawFinder.
Line: 474
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void pcic_map_pci_device(struct linux_pcic *pcic,
struct pci_dev *dev, int node)
{
char namebuf[64];
unsigned long address;
unsigned long flags;
int j;
if (node == 0 || node == -1) {
Reported by FlawFinder.
Line: 480
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
int j;
if (node == 0 || node == -1) {
strcpy(namebuf, "???");
} else {
prom_getstring(node, "name", namebuf, 63); namebuf[63] = 0;
}
for (j = 0; j < 6; j++) {
Reported by FlawFinder.
Line: 536
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pcic_ca2irq *p;
unsigned int real_irq;
int i, ivec;
char namebuf[64];
if (node == 0 || node == -1) {
strcpy(namebuf, "???");
} else {
prom_getstring(node, "name", namebuf, sizeof(namebuf));
Reported by FlawFinder.
Line: 539
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
char namebuf[64];
if (node == 0 || node == -1) {
strcpy(namebuf, "???");
} else {
prom_getstring(node, "name", namebuf, sizeof(namebuf));
}
if ((p = pcic->pcic_imap) == NULL) {
Reported by FlawFinder.
arch/sparc/crypto/sha256_glue.c
7 issues
Line: 69
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sctx->count += len;
if (partial) {
done = SHA256_BLOCK_SIZE - partial;
memcpy(sctx->buf + partial, data, done);
sha256_sparc64_transform(sctx->state, sctx->buf, 1);
}
if (len - done >= SHA256_BLOCK_SIZE) {
const unsigned int rounds = (len - done) / SHA256_BLOCK_SIZE;
Reported by FlawFinder.
Line: 79
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
done += rounds * SHA256_BLOCK_SIZE;
}
memcpy(sctx->buf, data + done, len - done);
}
static int sha256_sparc64_update(struct shash_desc *desc, const u8 *data,
unsigned int len)
{
Reported by FlawFinder.
Line: 91
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Handle the fast case right here */
if (partial + len < SHA256_BLOCK_SIZE) {
sctx->count += len;
memcpy(sctx->buf + partial, data, len);
} else
__sha256_sparc64_update(sctx, data, len, partial);
return 0;
}
Reported by FlawFinder.
Line: 115
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* We need to fill a whole block for __sha256_sparc64_update() */
if (padlen <= 56) {
sctx->count += padlen;
memcpy(sctx->buf + index, padding, padlen);
} else {
__sha256_sparc64_update(sctx, padding, padlen, index);
}
__sha256_sparc64_update(sctx, (const u8 *)&bits, sizeof(bits), 56);
Reported by FlawFinder.
Line: 137
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sha256_sparc64_final(desc, D);
memcpy(hash, D, SHA224_DIGEST_SIZE);
memzero_explicit(D, SHA256_DIGEST_SIZE);
return 0;
}
Reported by FlawFinder.
Line: 147
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct sha256_state *sctx = shash_desc_ctx(desc);
memcpy(out, sctx, sizeof(*sctx));
return 0;
}
static int sha256_sparc64_import(struct shash_desc *desc, const void *in)
{
Reported by FlawFinder.
Line: 155
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct sha256_state *sctx = shash_desc_ctx(desc);
memcpy(sctx, in, sizeof(*sctx));
return 0;
}
static struct shash_alg sha256_alg = {
.digestsize = SHA256_DIGEST_SIZE,
Reported by FlawFinder.
arch/sh/drivers/dma/dma-sysfs.c
7 issues
Line: 36
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (unlikely(!info) || !channel)
continue;
len += sprintf(buf + len, "%2d: %14s %s\n",
channel->chan, info->name,
channel->dev_id);
}
return len;
Reported by FlawFinder.
Line: 62
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct dma_channel *channel = to_dma_channel(dev);
return sprintf(buf, "%s\n", channel->dev_id);
}
static ssize_t dma_store_dev_id(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 70
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
const char *buf, size_t count)
{
struct dma_channel *channel = to_dma_channel(dev);
strcpy(channel->dev_id, buf);
return count;
}
static DEVICE_ATTR(dev_id, S_IRUGO | S_IWUSR, dma_show_dev_id, dma_store_dev_id);
Reported by FlawFinder.
Line: 114
Column: 9
CWE codes:
134
Suggestion:
Make format string constant
struct device_attribute *attr, char *buf)\
{ \
struct dma_channel *channel = to_dma_channel(dev); \
return sprintf(buf, fmt, channel->field); \
} \
static DEVICE_ATTR(field, S_IRUGO, dma_show_##field, NULL);
dma_ro_attr(count, "0x%08x\n");
dma_ro_attr(flags, "0x%08lx\n");
Reported by FlawFinder.
Line: 95
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct dma_channel *channel = to_dma_channel(dev);
return sprintf(buf, "0x%08x\n", channel->mode);
}
static ssize_t dma_store_mode(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int dma_create_sysfs_files(struct dma_channel *chan, struct dma_info *info)
{
struct device *dev = &chan->dev;
char name[16];
int ret;
dev->id = chan->vchan;
dev->bus = &dma_subsys;
Reported by FlawFinder.
Line: 152
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void dma_remove_sysfs_files(struct dma_channel *chan, struct dma_info *info)
{
struct device *dev = &chan->dev;
char name[16];
device_remove_file(dev, &dev_attr_dev_id);
device_remove_file(dev, &dev_attr_count);
device_remove_file(dev, &dev_attr_mode);
device_remove_file(dev, &dev_attr_flags);
Reported by FlawFinder.
arch/s390/mm/cmm.c
7 issues
Line: 288
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int cmm_timeout_handler(struct ctl_table *ctl, int write,
void *buffer, size_t *lenp, loff_t *ppos)
{
char buf[64], *p;
long nr, seconds;
unsigned int len;
if (!*lenp || (*ppos && !write)) {
*lenp = 0;
Reported by FlawFinder.
Line: 299
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (write) {
len = min(*lenp, sizeof(buf));
memcpy(buf, buffer, len);
buf[len - 1] = '\0';
cmm_skip_blanks(buf, &p);
nr = simple_strtoul(p, &p, 0);
cmm_skip_blanks(p, &p);
seconds = simple_strtoul(p, &p, 0);
Reported by FlawFinder.
Line: 308
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
cmm_set_timeout(nr, seconds);
*ppos += *lenp;
} else {
len = sprintf(buf, "%ld %ld\n",
cmm_timeout_pages, cmm_timeout_seconds);
if (len > *lenp)
len = *lenp;
memcpy(buffer, buf, len);
*lenp = len;
Reported by FlawFinder.
Line: 312
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmm_timeout_pages, cmm_timeout_seconds);
if (len > *lenp)
len = *lenp;
memcpy(buffer, buf, len);
*lenp = len;
*ppos += len;
}
return 0;
}
Reported by FlawFinder.
Line: 354
Column: 6
CWE codes:
126
{
long nr, seconds;
if (strlen(sender) > 0 && strcmp(from, sender) != 0)
return;
if (!cmm_skip_blanks(msg + strlen(SMSG_PREFIX), &msg))
return;
if (strncmp(msg, "SHRINK", 6) == 0) {
if (!cmm_skip_blanks(msg + 6, &msg))
Reported by FlawFinder.
Line: 356
Column: 29
CWE codes:
126
if (strlen(sender) > 0 && strcmp(from, sender) != 0)
return;
if (!cmm_skip_blanks(msg + strlen(SMSG_PREFIX), &msg))
return;
if (strncmp(msg, "SHRINK", 6) == 0) {
if (!cmm_skip_blanks(msg + 6, &msg))
return;
nr = simple_strtoul(msg, &msg, 0);
Reported by FlawFinder.
Line: 398
Column: 13
CWE codes:
126
#ifdef CONFIG_CMM_IUCV
/* convert sender to uppercase characters */
if (sender) {
int len = strlen(sender);
while (len--)
sender[len] = toupper(sender[len]);
} else {
sender = cmm_default_sender;
}
Reported by FlawFinder.
arch/mips/kernel/segment.c
7 issues
Line: 25
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* Segment access mode. */
am = (cfg & MIPS_SEGCFG_AM) >> MIPS_SEGCFG_AM_SHIFT;
str += sprintf(str, "%-5s", am_str[am]);
/*
* Access modes MK, MSK and MUSK are mapped segments. Therefore
* there is no direct physical address mapping unless it becomes
* unmapped uncached at error level due to EU.
Reported by FlawFinder.
Line: 33
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* unmapped uncached at error level due to EU.
*/
if ((am == 0) || (am > 3) || (cfg & MIPS_SEGCFG_EU))
str += sprintf(str, " %03lx",
((cfg & MIPS_SEGCFG_PA) >> MIPS_SEGCFG_PA_SHIFT));
else
str += sprintf(str, " UND");
if ((am == 0) || (am > 3))
Reported by FlawFinder.
Line: 36
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
str += sprintf(str, " %03lx",
((cfg & MIPS_SEGCFG_PA) >> MIPS_SEGCFG_PA_SHIFT));
else
str += sprintf(str, " UND");
if ((am == 0) || (am > 3))
str += sprintf(str, " %01ld",
((cfg & MIPS_SEGCFG_C) >> MIPS_SEGCFG_C_SHIFT));
else
Reported by FlawFinder.
Line: 39
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
str += sprintf(str, " UND");
if ((am == 0) || (am > 3))
str += sprintf(str, " %01ld",
((cfg & MIPS_SEGCFG_C) >> MIPS_SEGCFG_C_SHIFT));
else
str += sprintf(str, " U");
/* Exception configuration. */
Reported by FlawFinder.
Line: 42
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
str += sprintf(str, " %01ld",
((cfg & MIPS_SEGCFG_C) >> MIPS_SEGCFG_C_SHIFT));
else
str += sprintf(str, " U");
/* Exception configuration. */
str += sprintf(str, " %01ld\n",
((cfg & MIPS_SEGCFG_EU) >> MIPS_SEGCFG_EU_SHIFT));
}
Reported by FlawFinder.
Line: 45
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
str += sprintf(str, " U");
/* Exception configuration. */
str += sprintf(str, " %01ld\n",
((cfg & MIPS_SEGCFG_EU) >> MIPS_SEGCFG_EU_SHIFT));
}
static int show_segments(struct seq_file *m, void *v)
{
Reported by FlawFinder.
Line: 52
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int show_segments(struct seq_file *m, void *v)
{
unsigned int segcfg;
char str[42];
seq_puts(m, "Segment Virtual Size Access Mode Physical Caching EU\n");
seq_puts(m, "------- ------- ---- ----------- -------- ------- --\n");
segcfg = read_c0_segctl0();
Reported by FlawFinder.