The following issues were found
drivers/net/usb/usbnet.c
7 issues
Line: 169
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int usbnet_get_ethernet_addr(struct usbnet *dev, int iMACAddress)
{
int tmp = -1, ret;
unsigned char buf [13];
ret = usb_string(dev->udev, iMACAddress, buf, sizeof buf);
if (ret == 12)
tmp = hex2bin(dev->net->dev_addr, buf, 6);
if (tmp < 0) {
Reported by FlawFinder.
Line: 1728
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
dev->interrupt_count = 0;
dev->net = net;
strcpy (net->name, "usb%d");
memcpy (net->dev_addr, node_id, sizeof node_id);
/* rx and tx sides can use different message sizes;
* bind() should set rx_urb_size in that case.
*/
Reported by FlawFinder.
Line: 1729
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->net = net;
strcpy (net->name, "usb%d");
memcpy (net->dev_addr, node_id, sizeof node_id);
/* rx and tx sides can use different message sizes;
* bind() should set rx_urb_size in that case.
*/
dev->hard_mtu = net->mtu + net->hard_header_len;
Reported by FlawFinder.
Line: 1755
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if ((dev->driver_info->flags & FLAG_ETHER) != 0 &&
((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 ||
(net->dev_addr [0] & 0x02) == 0))
strcpy (net->name, "eth%d");
/* WLAN devices should always be named "wlan%d" */
if ((dev->driver_info->flags & FLAG_WLAN) != 0)
strcpy(net->name, "wlan%d");
/* WWAN devices should always be named "wwan%d" */
if ((dev->driver_info->flags & FLAG_WWAN) != 0)
Reported by FlawFinder.
Line: 1758
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy (net->name, "eth%d");
/* WLAN devices should always be named "wlan%d" */
if ((dev->driver_info->flags & FLAG_WLAN) != 0)
strcpy(net->name, "wlan%d");
/* WWAN devices should always be named "wwan%d" */
if ((dev->driver_info->flags & FLAG_WWAN) != 0)
strcpy(net->name, "wwan%d");
/* devices that cannot do ARP */
Reported by FlawFinder.
Line: 1761
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(net->name, "wlan%d");
/* WWAN devices should always be named "wwan%d" */
if ((dev->driver_info->flags & FLAG_WWAN) != 0)
strcpy(net->name, "wwan%d");
/* devices that cannot do ARP */
if ((dev->driver_info->flags & FLAG_NOARP) != 0)
net->flags |= IFF_NOARP;
Reported by FlawFinder.
Line: 2010
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
USB_CTRL_GET_TIMEOUT);
if (err > 0 && err <= size) {
if (data)
memcpy(data, buf, err);
else
netdev_dbg(dev->net,
"Huh? Data requested but thrown away.\n");
}
kfree(buf);
Reported by FlawFinder.
drivers/net/wireless/ath/ath11k/core.c
7 issues
Line: 344
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t name_len)
{
/* strlen(',variant=') + strlen(ab->qmi.target.bdf_ext) */
char variant[9 + ATH11K_QMI_BDF_EXT_STR_LENGTH] = { 0 };
if (ab->qmi.target.bdf_ext[0] != '\0')
scnprintf(variant, sizeof(variant), ",variant=%s",
ab->qmi.target.bdf_ext);
Reported by FlawFinder.
Line: 365
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *file)
{
const struct firmware *fw;
char path[100];
int ret;
if (file == NULL)
return ERR_PTR(-ENOENT);
Reported by FlawFinder.
Line: 478
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
size_t len, magic_len;
const u8 *data;
char *filename, filepath[100];
size_t ie_len;
struct ath11k_fw_ie *hdr;
int ret, ie_id;
filename = ATH11K_BOARD_API2_FILE;
Reported by FlawFinder.
Line: 594
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define BOARD_NAME_SIZE 100
int ath11k_core_fetch_bdf(struct ath11k_base *ab, struct ath11k_board_data *bd)
{
char boardname[BOARD_NAME_SIZE];
int ret;
ret = ath11k_core_create_board_name(ab, boardname, BOARD_NAME_SIZE);
if (ret) {
ath11k_err(ab, "failed to create board name: %d", ret);
Reported by FlawFinder.
Line: 427
Column: 24
CWE codes:
126
ath11k_dbg_dump(ab, ATH11K_DBG_BOOT, "board name", "",
board_ie_data, board_ie_len);
if (board_ie_len != strlen(boardname))
break;
ret = memcmp(board_ie_data, boardname, strlen(boardname));
if (ret)
break;
Reported by FlawFinder.
Line: 430
Column: 43
CWE codes:
126
if (board_ie_len != strlen(boardname))
break;
ret = memcmp(board_ie_data, boardname, strlen(boardname));
if (ret)
break;
name_match_found = true;
ath11k_dbg(ab, ATH11K_DBG_BOOT,
Reported by FlawFinder.
Line: 498
Column: 14
CWE codes:
126
filepath, sizeof(filepath));
/* magic has extra null byte padded */
magic_len = strlen(ATH11K_BOARD_MAGIC) + 1;
if (len < magic_len) {
ath11k_err(ab, "failed to find magic value in %s, file too short: %zu\n",
filepath, len);
ret = -EINVAL;
goto err;
Reported by FlawFinder.
drivers/net/wireless/ath/ath9k/main.c
7 issues
Line: 1026
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
iter_data->mask[i] &=
~(iter_data->hw_macaddr[i] ^ mac[i]);
} else {
memcpy(iter_data->hw_macaddr, mac, ETH_ALEN);
iter_data->has_hw_macaddr = true;
}
if (!vif->bss_conf.use_short_slot)
iter_data->slottime = 20;
Reported by FlawFinder.
Line: 1160
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
eth_zero_addr(common->curbssid);
eth_broadcast_addr(common->bssidmask);
memcpy(common->macaddr, vif->addr, ETH_ALEN);
common->curaid = 0;
ah->opmode = vif->type;
ah->imask &= ~ATH9K_INT_SWBA;
ah->imask &= ~ATH9K_INT_TSFOOR;
ah->slottime = 9;
Reported by FlawFinder.
Line: 1200
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ath9k_calculate_iter_data(sc, ctx, &iter_data);
if (iter_data.has_hw_macaddr)
memcpy(common->macaddr, iter_data.hw_macaddr, ETH_ALEN);
memcpy(common->bssidmask, iter_data.mask, ETH_ALEN);
ath_hw_setbssidmask(common);
if (iter_data.naps > 0) {
Reported by FlawFinder.
Line: 1202
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (iter_data.has_hw_macaddr)
memcpy(common->macaddr, iter_data.hw_macaddr, ETH_ALEN);
memcpy(common->bssidmask, iter_data.mask, ETH_ALEN);
ath_hw_setbssidmask(common);
if (iter_data.naps > 0) {
ath9k_hw_set_tsfadjust(ah, true);
ah->opmode = NL80211_IFTYPE_AP;
Reported by FlawFinder.
Line: 1884
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ath_dbg(common, CONFIG, "BSSID %pM Changed ASSOC %d\n",
bss_conf->bssid, bss_conf->assoc);
memcpy(avp->bssid, bss_conf->bssid, ETH_ALEN);
avp->aid = bss_conf->aid;
avp->assoc = bss_conf->assoc;
ath9k_calculate_summary_state(sc, avp->chanctx);
}
Reported by FlawFinder.
Line: 1893
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((changed & BSS_CHANGED_IBSS) ||
(changed & BSS_CHANGED_OCB)) {
memcpy(common->curbssid, bss_conf->bssid, ETH_ALEN);
common->curaid = bss_conf->aid;
ath9k_hw_write_associd(sc->sc_ah);
}
if ((changed & BSS_CHANGED_BEACON_ENABLED) ||
Reported by FlawFinder.
Line: 2093
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
chan = &sband->channels[idx];
pos = chan->hw_value;
memcpy(survey, &sc->survey[pos], sizeof(*survey));
survey->channel = chan;
spin_unlock_irqrestore(&common->cc_lock, flags);
return 0;
}
Reported by FlawFinder.
drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
7 issues
Line: 462
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
request->req_buf_addr.high_addr = cpu_to_le32(msgbuf->ioctbuf_phys_hi);
request->req_buf_addr.low_addr = cpu_to_le32(msgbuf->ioctbuf_phys_lo);
if (buf)
memcpy(msgbuf->ioctbuf, buf, buf_len);
else
memset(msgbuf->ioctbuf, 0, buf_len);
err = brcmf_commonring_write_complete(commonring);
brcmf_commonring_unlock(commonring);
Reported by FlawFinder.
Line: 516
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!skb)
return -EBADF;
memcpy(buf, skb->data, (len < msgbuf->ioctl_resp_ret_len) ?
len : msgbuf->ioctl_resp_ret_len);
}
brcmu_pkt_buf_free_skb(skb);
*fwerr = msgbuf->ioctl_resp_status;
Reported by FlawFinder.
Line: 625
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
create->tid = brcmf_flowring_tid(msgbuf->flow, flowid);
create->flow_ring_id = cpu_to_le16(flowid +
BRCMF_H2D_MSGRING_FLOWRING_IDSTART);
memcpy(create->sa, work->sa, ETH_ALEN);
memcpy(create->da, work->da, ETH_ALEN);
address = (u64)msgbuf->flowring_dma_handle[flowid];
create->flow_ring_addr.high_addr = cpu_to_le32(address >> 32);
create->flow_ring_addr.low_addr = cpu_to_le32(address & 0xffffffff);
create->max_items = cpu_to_le16(BRCMF_H2D_TXFLOWRING_MAX_ITEM);
Reported by FlawFinder.
Line: 626
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
create->flow_ring_id = cpu_to_le16(flowid +
BRCMF_H2D_MSGRING_FLOWRING_IDSTART);
memcpy(create->sa, work->sa, ETH_ALEN);
memcpy(create->da, work->da, ETH_ALEN);
address = (u64)msgbuf->flowring_dma_handle[flowid];
create->flow_ring_addr.high_addr = cpu_to_le32(address >> 32);
create->flow_ring_addr.low_addr = cpu_to_le32(address & 0xffffffff);
create->max_items = cpu_to_le16(BRCMF_H2D_TXFLOWRING_MAX_ITEM);
create->len_item = cpu_to_le16(BRCMF_H2D_TXFLOWRING_ITEMSIZE);
Reported by FlawFinder.
Line: 683
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
create->flowid = flowid;
create->ifidx = ifidx;
memcpy(create->sa, eh->h_source, ETH_ALEN);
memcpy(create->da, eh->h_dest, ETH_ALEN);
spin_lock_irqsave(&msgbuf->flowring_work_lock, flags);
list_add_tail(&create->queue, &msgbuf->work_queue);
spin_unlock_irqrestore(&msgbuf->flowring_work_lock, flags);
Reported by FlawFinder.
Line: 684
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
create->flowid = flowid;
create->ifidx = ifidx;
memcpy(create->sa, eh->h_source, ETH_ALEN);
memcpy(create->da, eh->h_dest, ETH_ALEN);
spin_lock_irqsave(&msgbuf->flowring_work_lock, flags);
list_add_tail(&create->queue, &msgbuf->work_queue);
spin_unlock_irqrestore(&msgbuf->flowring_work_lock, flags);
schedule_work(&msgbuf->flowring_work);
Reported by FlawFinder.
Line: 748
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tx_msghdr->flags |= (skb->priority & 0x07) <<
BRCMF_MSGBUF_PKT_FLAGS_PRIO_SHIFT;
tx_msghdr->seg_cnt = 1;
memcpy(tx_msghdr->txhdr, skb->data, ETH_HLEN);
tx_msghdr->data_len = cpu_to_le16(skb->len - ETH_HLEN);
address = (u64)physaddr;
tx_msghdr->data_buf_addr.high_addr = cpu_to_le32(address >> 32);
tx_msghdr->data_buf_addr.low_addr =
cpu_to_le32(address & 0xffffffff);
Reported by FlawFinder.
sound/i2c/tea6330t.c
7 issues
Line: 38
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct snd_i2c_bus *bus;
int equalizer;
int fader;
unsigned char regs[8];
unsigned char mleft, mright;
unsigned char bass, treble;
unsigned char max_bass, max_treble;
};
Reported by FlawFinder.
Line: 98
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tea6330t *tea = snd_kcontrol_chip(kcontrol);
int change, count, err;
unsigned char bytes[3];
unsigned char val1, val2;
val1 = (ucontrol->value.integer.value[0] % 44) + 0x14;
val2 = (ucontrol->value.integer.value[1] % 44) + 0x14;
snd_i2c_lock(tea->bus);
Reported by FlawFinder.
Line: 150
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tea6330t *tea = snd_kcontrol_chip(kcontrol);
int change, err;
unsigned char bytes[3];
unsigned char oval1, oval2, val1, val2;
val1 = ucontrol->value.integer.value[0] & 1;
val2 = ucontrol->value.integer.value[1] & 1;
snd_i2c_lock(tea->bus);
Reported by FlawFinder.
Line: 202
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tea6330t *tea = snd_kcontrol_chip(kcontrol);
int change, err;
unsigned char bytes[2];
unsigned char val1;
val1 = ucontrol->value.integer.value[0] % (tea->max_bass + 1);
snd_i2c_lock(tea->bus);
tea->bass = val1;
Reported by FlawFinder.
Line: 250
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tea6330t *tea = snd_kcontrol_chip(kcontrol);
int change, err;
unsigned char bytes[2];
unsigned char val1;
val1 = ucontrol->value.integer.value[0] % (tea->max_treble + 1);
snd_i2c_lock(tea->bus);
tea->treble = val1;
Reported by FlawFinder.
Line: 289
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int idx;
int err;
u8 default_treble, default_bass;
unsigned char bytes[7];
tea = kzalloc(sizeof(*tea), GFP_KERNEL);
if (tea == NULL)
return -ENOMEM;
err = snd_i2c_device_create(bus, "TEA6330T", TEA6330T_ADDR, &device);
Reported by FlawFinder.
Line: 339
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (err < 0)
goto __error;
strcat(card->mixername, ",TEA6330T");
err = snd_component_add(card, "TEA6330T");
if (err < 0)
goto __error;
for (idx = 0; idx < ARRAY_SIZE(snd_tea6330t_controls); idx++) {
Reported by FlawFinder.
security/apparmor/lib.c
7 issues
Line: 497
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (prefix) {
hname = aa_str_alloc(strlen(prefix) + strlen(name) + 3, gfp);
if (hname)
sprintf(hname, "%s//%s", prefix, name);
} else {
hname = aa_str_alloc(strlen(name) + 1, gfp);
if (hname)
strcpy(hname, name);
}
Reported by FlawFinder.
Line: 501
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
} else {
hname = aa_str_alloc(strlen(name) + 1, gfp);
if (hname)
strcpy(hname, name);
}
if (!hname)
return false;
policy->hname = hname;
/* base.name is a substring of fqname */
Reported by FlawFinder.
Line: 242
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
u32 chrsmask, const char * const *names, u32 namesmask)
{
char str[33];
audit_log_format(ab, "\"");
if ((mask & chrsmask) && chrs) {
aa_perm_mask_to_str(str, sizeof(str), chrs, mask & chrsmask);
mask &= ~chrsmask;
Reported by FlawFinder.
Line: 206
Column: 20
CWE codes:
126
void aa_perm_mask_to_str(char *str, size_t str_size, const char *chrs, u32 mask)
{
unsigned int i, perm = 1;
size_t num_chrs = strlen(chrs);
for (i = 0; i < num_chrs; perm <<= 1, i++) {
if (mask & perm) {
/* Ensure that one byte is left for NUL-termination */
if (WARN_ON_ONCE(str_size <= 1))
Reported by FlawFinder.
Line: 495
Column: 41
CWE codes:
126
/* freed by policy_free */
if (prefix) {
hname = aa_str_alloc(strlen(prefix) + strlen(name) + 3, gfp);
if (hname)
sprintf(hname, "%s//%s", prefix, name);
} else {
hname = aa_str_alloc(strlen(name) + 1, gfp);
if (hname)
Reported by FlawFinder.
Line: 495
Column: 24
CWE codes:
126
/* freed by policy_free */
if (prefix) {
hname = aa_str_alloc(strlen(prefix) + strlen(name) + 3, gfp);
if (hname)
sprintf(hname, "%s//%s", prefix, name);
} else {
hname = aa_str_alloc(strlen(name) + 1, gfp);
if (hname)
Reported by FlawFinder.
Line: 499
Column: 24
CWE codes:
126
if (hname)
sprintf(hname, "%s//%s", prefix, name);
} else {
hname = aa_str_alloc(strlen(name) + 1, gfp);
if (hname)
strcpy(hname, name);
}
if (!hname)
return false;
Reported by FlawFinder.
net/sunrpc/auth_gss/svcauth_gss.c
7 issues
Line: 702
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
resv->iov_len += round_up_to_quad(o->len);
if (resv->iov_len > PAGE_SIZE)
return -1;
memcpy(p, o->data, o->len);
memset(p + o->len, 0, round_up_to_quad(o->len) - o->len);
return 0;
}
/*
Reported by FlawFinder.
Line: 1177
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
length = min_t(unsigned int, inlen, argv->iov_len);
memcpy(page_address(in_token->pages[0]), argv->iov_base, length);
inlen -= length;
to_offs = length;
from_offs = rqstp->rq_arg.page_base;
while (inlen) {
Reported by FlawFinder.
Line: 1191
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
length = min_t(unsigned int, inlen,
min_t(unsigned int, PAGE_SIZE - pgto_offs,
PAGE_SIZE - pgfrom_offs));
memcpy(page_address(in_token->pages[pgto]) + pgto_offs,
page_address(rqstp->rq_arg.pages[pgfrom]) + pgfrom_offs,
length);
to_offs += length;
from_offs += length;
Reported by FlawFinder.
Line: 1432
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct net *net = PDE_DATA(file_inode(file));
char tbuf[20];
unsigned long i;
int res;
if (*ppos || count > sizeof(tbuf)-1)
return -EINVAL;
Reported by FlawFinder.
Line: 1462
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct net *net = PDE_DATA(file_inode(file));
struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
unsigned long p = *ppos;
char tbuf[10];
size_t len;
snprintf(tbuf, sizeof(tbuf), "%d\n", sn->use_gss_proxy);
len = strlen(tbuf);
if (p >= len)
Reported by FlawFinder.
Line: 1696
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
verf_len = ntohl(*p++);
p += XDR_QUADLEN(verf_len);
/* move accept_stat to right place: */
memcpy(p, p + 2, 4);
/* Also don't wrap if the accept stat is nonzero: */
if (*p != rpc_success) {
resbuf->head[0].iov_len -= 2 * 4;
return NULL;
}
Reported by FlawFinder.
Line: 1466
Column: 8
CWE codes:
126
size_t len;
snprintf(tbuf, sizeof(tbuf), "%d\n", sn->use_gss_proxy);
len = strlen(tbuf);
if (p >= len)
return 0;
len -= p;
if (len > count)
len = count;
Reported by FlawFinder.
scripts/dtc/fdtput.c
7 issues
Line: 100
Column: 4
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
fprintf(stderr, "\tstring: '%s'\n", ptr);
} else {
int *iptr = (int *)ptr;
sscanf(*arg, fmt, &ival);
if (len == 4)
*iptr = cpu_to_fdt32(ival);
else
*ptr = (uint8_t)ival;
if (disp->verbose) {
Reported by FlawFinder.
Line: 295
Column: 11
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
disp.size = -1;
disp.oper = OPER_WRITE_PROP;
for (;;) {
int c = getopt(argc, argv, "chpt:v");
if (c == -1)
break;
/*
* TODO: add options to:
Reported by FlawFinder.
Line: 65
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int len; /* length of this cell/string/byte */
int ival;
int upto; /* the number of bytes we have written to buf */
char fmt[3];
upto = 0;
if (disp->verbose)
fprintf(stderr, "Decoding value:\n");
Reported by FlawFinder.
Line: 95
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr = value + upto;
if (disp->type == 's') {
memcpy(ptr, *arg, len);
if (disp->verbose)
fprintf(stderr, "\tstring: '%s'\n", ptr);
} else {
int *iptr = (int *)ptr;
sscanf(*arg, fmt, &ival);
Reported by FlawFinder.
Line: 42
Column: 13
CWE codes:
126
static void report_error(const char *name, int namelen, int err)
{
if (namelen == -1)
namelen = strlen(name);
fprintf(stderr, "Error at '%1.*s': %s\n", namelen, name,
fdt_strerror(err));
}
/**
Reported by FlawFinder.
Line: 78
Column: 10
CWE codes:
126
for (; arg_count > 0; arg++, arg_count--, upto += len) {
/* assume integer unless told otherwise */
if (disp->type == 's')
len = strlen(*arg) + 1;
else
len = disp->size == -1 ? 4 : disp->size;
/* enlarge our value buffer by a suitable margin if needed */
if (upto + len > value_size) {
Reported by FlawFinder.
Line: 164
Column: 17
CWE codes:
126
/* equivalent to strchrnul(), but it requires _GNU_SOURCE */
sep = strchr(path, '/');
if (!sep)
sep = path + strlen(path);
node = fdt_subnode_offset_namelen(blob, offset, path,
sep - path);
if (node == -FDT_ERR_NOTFOUND) {
node = fdt_add_subnode_namelen(blob, offset, path,
Reported by FlawFinder.
sound/pci/bt87x.c
7 issues
Line: 687
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (err < 0)
return err;
pcm->private_data = chip;
strcpy(pcm->name, name);
snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_CAPTURE, &snd_bt87x_pcm_ops);
snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV_SG,
&chip->pci->dev,
128 * 1024,
ALIGN(255 * 4092, 1024));
Reported by FlawFinder.
Line: 916
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
strcpy(card->driver, "Bt87x");
sprintf(card->shortname, "Brooktree Bt%x", pci->device);
sprintf(card->longname, "%s at %#llx, irq %i",
card->shortname, (unsigned long long)pci_resource_start(pci, 0),
chip->irq);
strcpy(card->mixername, "Bt87x");
err = snd_card_register(card);
Reported by FlawFinder.
Line: 28
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_LICENSE("GPL");
static int index[SNDRV_CARDS] = {[0 ... (SNDRV_CARDS - 1)] = -2}; /* Exclude the first card */
static char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR; /* ID for this card */
static bool enable[SNDRV_CARDS] = SNDRV_DEFAULT_ENABLE_PNP; /* Enable this card */
static int digital_rate[SNDRV_CARDS]; /* digital input rate */
static bool load_all; /* allow to load cards not the allowlist */
module_param_array(index, int, NULL, 0444);
Reported by FlawFinder.
Line: 620
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int snd_bt87x_capture_source_info(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_info *info)
{
static const char *const texts[3] = {"TV Tuner", "FM", "Mic/Line"};
return snd_ctl_enum_info(info, 1, 3, texts);
}
static int snd_bt87x_capture_source_get(struct snd_kcontrol *kcontrol,
Reported by FlawFinder.
Line: 914
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
chip->board.no_analog ? "no " : "",
chip->board.no_digital ? "no " : "", chip->board.dig_rate);
strcpy(card->driver, "Bt87x");
sprintf(card->shortname, "Brooktree Bt%x", pci->device);
sprintf(card->longname, "%s at %#llx, irq %i",
card->shortname, (unsigned long long)pci_resource_start(pci, 0),
chip->irq);
strcpy(card->mixername, "Bt87x");
Reported by FlawFinder.
Line: 915
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
chip->board.no_digital ? "no " : "", chip->board.dig_rate);
strcpy(card->driver, "Bt87x");
sprintf(card->shortname, "Brooktree Bt%x", pci->device);
sprintf(card->longname, "%s at %#llx, irq %i",
card->shortname, (unsigned long long)pci_resource_start(pci, 0),
chip->irq);
strcpy(card->mixername, "Bt87x");
Reported by FlawFinder.
Line: 919
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
sprintf(card->longname, "%s at %#llx, irq %i",
card->shortname, (unsigned long long)pci_resource_start(pci, 0),
chip->irq);
strcpy(card->mixername, "Bt87x");
err = snd_card_register(card);
if (err < 0)
goto _error;
Reported by FlawFinder.
sound/usb/line6/driver.c
7 issues
Line: 767
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
line6->ifcdev = &interface->dev;
INIT_DELAYED_WORK(&line6->startup_work, line6_startup_work);
strcpy(card->id, properties->id);
strcpy(card->driver, driver_name);
strcpy(card->shortname, properties->name);
sprintf(card->longname, "Line 6 %s at USB %s", properties->name,
dev_name(line6->ifcdev));
card->private_free = line6_destruct;
Reported by FlawFinder.
Line: 768
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
INIT_DELAYED_WORK(&line6->startup_work, line6_startup_work);
strcpy(card->id, properties->id);
strcpy(card->driver, driver_name);
strcpy(card->shortname, properties->name);
sprintf(card->longname, "Line 6 %s at USB %s", properties->name,
dev_name(line6->ifcdev));
card->private_free = line6_destruct;
Reported by FlawFinder.
Line: 769
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(card->id, properties->id);
strcpy(card->driver, driver_name);
strcpy(card->shortname, properties->name);
sprintf(card->longname, "Line 6 %s at USB %s", properties->name,
dev_name(line6->ifcdev));
card->private_free = line6_destruct;
usb_set_intfdata(interface, line6);
Reported by FlawFinder.
Line: 770
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
strcpy(card->id, properties->id);
strcpy(card->driver, driver_name);
strcpy(card->shortname, properties->name);
sprintf(card->longname, "Line 6 %s at USB %s", properties->name,
dev_name(line6->ifcdev));
card->private_free = line6_destruct;
usb_set_intfdata(interface, line6);
Reported by FlawFinder.
Line: 29
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
This is Line 6's MIDI manufacturer ID.
*/
const unsigned char line6_midi_id[3] = {
0x00, 0x01, 0x0c
};
EXPORT_SYMBOL_GPL(line6_midi_id);
/*
Reported by FlawFinder.
Line: 274
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
buffer[0] = LINE6_SYSEX_BEGIN;
memcpy(buffer + 1, line6_midi_id, sizeof(line6_midi_id));
buffer[sizeof(line6_midi_id) + 1] = code1;
buffer[sizeof(line6_midi_id) + 2] = code2;
buffer[sizeof(line6_midi_id) + 3 + size] = LINE6_SYSEX_END;
return buffer;
}
Reported by FlawFinder.
Line: 675
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
err = snd_hwdep_new(line6->card, "config", 0, &hwdep);
if (err < 0)
goto end;
strcpy(hwdep->name, "config");
hwdep->iface = SNDRV_HWDEP_IFACE_LINE6;
hwdep->ops = hwdep_ops;
hwdep->private_data = line6;
hwdep->exclusive = true;
Reported by FlawFinder.