The following issues were found
arch/powerpc/xmon/xmon.c
32 issues
Line: 1094
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
break;
case 'z':
if (xmon_is_ro) {
printf(xmon_ro_msg);
break;
}
memzcan();
break;
case 'i':
Reported by FlawFinder.
Line: 1164
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
break;
case 'p':
if (xmon_is_ro) {
printf(xmon_ro_msg);
break;
}
proccall();
break;
case 'P':
Reported by FlawFinder.
Line: 1545
Column: 4
CWE codes:
134
Suggestion:
Use a constant for the format specification
int mode;
case 'd': /* bd - hardware data breakpoint */
if (xmon_is_ro) {
printf(xmon_ro_msg);
break;
}
if (!ppc_breakpoint_available()) {
printf("Hardware data breakpoint not supported on this cpu\n");
break;
Reported by FlawFinder.
Line: 1567
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
dabr[i].enabled = 0;
if (scanhex(&dabr[i].address)) {
if (!is_kernel_addr(dabr[i].address)) {
printf(badaddr);
break;
}
dabr[i].address &= ~HW_BRK_TYPE_DABR;
dabr[i].enabled = mode | BP_DABR;
}
Reported by FlawFinder.
Line: 1579
Column: 4
CWE codes:
134
Suggestion:
Use a constant for the format specification
case 'i': /* bi - hardware instr breakpoint */
if (xmon_is_ro) {
printf(xmon_ro_msg);
break;
}
if (!cpu_has_feature(CPU_FTR_ARCH_207S)) {
printf("Hardware instruction breakpoint "
"not supported on this cpu\n");
Reported by FlawFinder.
Line: 1637
Column: 4
CWE codes:
134
Suggestion:
Use a constant for the format specification
termch = cmd;
cmd = skipbl();
if (cmd == '?') {
printf(breakpoint_help_string);
break;
}
termch = cmd;
if (xmon_is_ro || !scanhex(&a)) {
Reported by FlawFinder.
Line: 1899
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
if (trap == INTERRUPT_PROGRAM)
print_bug_trap(fp);
printf(linux_banner);
}
static void prregs(struct pt_regs *fp)
{
int n, trap;
Reported by FlawFinder.
Line: 2014
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
write_spr(int n, unsigned long val)
{
if (xmon_is_ro) {
printf(xmon_ro_msg);
return;
}
if (setjmp(bus_error_jmp) == 0) {
catch_spr_faults = 1;
Reported by FlawFinder.
Line: 2276
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
n = 0;
if (xmon_is_ro) {
printf(xmon_ro_msg);
return n;
}
if (setjmp(bus_error_jmp) == 0) {
catch_memory_errors = 1;
Reported by FlawFinder.
Line: 2429
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
scanhex((void *)&adrs);
cmd = skipbl();
if (cmd == '?') {
printf(memex_help_string);
return;
} else {
termch = cmd;
}
last_cmd = "m\n";
Reported by FlawFinder.
drivers/net/wireless/marvell/mwifiex/join.c
32 issues
Line: 63
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Wrap the generic IE buffer with a pass through TLV type */
ie_header.type = cpu_to_le16(TLV_TYPE_PASSTHROUGH);
ie_header.len = cpu_to_le16(priv->gen_ie_buf_len);
memcpy(*buffer, &ie_header, sizeof(ie_header));
/* Increment the return size and the return buffer pointer
param */
*buffer += sizeof(ie_header);
ret_len += sizeof(ie_header);
Reported by FlawFinder.
Line: 72
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy the generic IE buffer to the output buffer, advance
pointer */
memcpy(*buffer, priv->gen_ie_buf, priv->gen_ie_buf_len);
/* Increment the return size and the return buffer pointer
param */
*buffer += priv->gen_ie_buf_len;
ret_len += priv->gen_ie_buf_len;
Reported by FlawFinder.
Line: 118
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tsf_tlv.header.type = cpu_to_le16(TLV_TYPE_TSFTIMESTAMP);
tsf_tlv.header.len = cpu_to_le16(2 * sizeof(tsf_val));
memcpy(*buffer, &tsf_tlv, sizeof(tsf_tlv.header));
*buffer += sizeof(tsf_tlv.header);
/* TSF at the time when beacon/probe_response was received */
tsf_val = cpu_to_le64(bss_desc->fw_tsf);
memcpy(*buffer, &tsf_val, sizeof(tsf_val));
Reported by FlawFinder.
Line: 123
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* TSF at the time when beacon/probe_response was received */
tsf_val = cpu_to_le64(bss_desc->fw_tsf);
memcpy(*buffer, &tsf_val, sizeof(tsf_val));
*buffer += sizeof(tsf_val);
tsf_val = cpu_to_le64(bss_desc->timestamp);
mwifiex_dbg(priv->adapter, INFO,
Reported by FlawFinder.
Line: 132
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
"info: %s: TSF offset calc: %016llx - %016llx\n",
__func__, bss_desc->timestamp, bss_desc->fw_tsf);
memcpy(*buffer, &tsf_val, sizeof(tsf_val));
*buffer += sizeof(tsf_val);
return sizeof(tsf_tlv.header) + (2 * sizeof(tsf_val));
}
Reported by FlawFinder.
Line: 211
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 card_rates_size;
/* Copy AP supported rates */
memcpy(out_rates, bss_desc->supported_rates, MWIFIEX_SUPPORTED_RATES);
/* Get the STA supported rates */
card_rates_size = mwifiex_get_active_data_rates(priv, card_rates);
/* Get the common rates between AP and STA supported rates */
if (mwifiex_get_common_rates(priv, out_rates, MWIFIEX_SUPPORTED_RATES,
card_rates, card_rates_size)) {
Reported by FlawFinder.
Line: 258
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Wrap the generic IE buffer with a pass through TLV type */
ie_header.type = cpu_to_le16(TLV_TYPE_PASSTHROUGH);
ie_header.len = cpu_to_le16(priv->wps_ie_len);
memcpy(*buffer, &ie_header, sizeof(ie_header));
*buffer += sizeof(ie_header);
retLen += sizeof(ie_header);
memcpy(*buffer, priv->wps_ie, priv->wps_ie_len);
*buffer += priv->wps_ie_len;
Reported by FlawFinder.
Line: 262
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*buffer += sizeof(ie_header);
retLen += sizeof(ie_header);
memcpy(*buffer, priv->wps_ie, priv->wps_ie_len);
*buffer += priv->wps_ie_len;
retLen += priv->wps_ie_len;
}
Reported by FlawFinder.
Line: 305
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Wrap the generic IE buffer with a pass through TLV type */
ie_header.type = cpu_to_le16(TLV_TYPE_WAPI_IE);
ie_header.len = cpu_to_le16(priv->wapi_ie_len);
memcpy(*buffer, &ie_header, sizeof(ie_header));
/* Increment the return size and the return buffer pointer
param */
*buffer += sizeof(ie_header);
retLen += sizeof(ie_header);
Reported by FlawFinder.
Line: 314
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy the wapi IE buffer to the output buffer, advance
pointer */
memcpy(*buffer, priv->wapi_ie, priv->wapi_ie_len);
/* Increment the return size and the return buffer pointer
param */
*buffer += priv->wapi_ie_len;
retLen += priv->wapi_ie_len;
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlxsw/core_hwmon.c
32 issues
Line: 32
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device_attribute dev_attr;
struct mlxsw_hwmon *hwmon;
unsigned int type_index;
char name[32];
};
static int mlxsw_hwmon_get_attr_index(int index, int count)
{
if (index >= count)
Reported by FlawFinder.
Line: 63
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mlxsw_hwmon_attr *mlwsw_hwmon_attr =
container_of(attr, struct mlxsw_hwmon_attr, dev_attr);
struct mlxsw_hwmon *mlxsw_hwmon = mlwsw_hwmon_attr->hwmon;
char mtmp_pl[MLXSW_REG_MTMP_LEN];
int temp, index;
int err;
index = mlxsw_hwmon_get_attr_index(mlwsw_hwmon_attr->type_index,
mlxsw_hwmon->module_sensor_max);
Reported by FlawFinder.
Line: 76
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return err;
}
mlxsw_reg_mtmp_unpack(mtmp_pl, &temp, NULL, NULL, NULL, NULL);
return sprintf(buf, "%d\n", temp);
}
static ssize_t mlxsw_hwmon_temp_max_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 86
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mlxsw_hwmon_attr *mlwsw_hwmon_attr =
container_of(attr, struct mlxsw_hwmon_attr, dev_attr);
struct mlxsw_hwmon *mlxsw_hwmon = mlwsw_hwmon_attr->hwmon;
char mtmp_pl[MLXSW_REG_MTMP_LEN];
int temp_max, index;
int err;
index = mlxsw_hwmon_get_attr_index(mlwsw_hwmon_attr->type_index,
mlxsw_hwmon->module_sensor_max);
Reported by FlawFinder.
Line: 99
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return err;
}
mlxsw_reg_mtmp_unpack(mtmp_pl, NULL, &temp_max, NULL, NULL, NULL);
return sprintf(buf, "%d\n", temp_max);
}
static ssize_t mlxsw_hwmon_temp_rst_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t len)
Reported by FlawFinder.
Line: 109
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mlxsw_hwmon_attr *mlwsw_hwmon_attr =
container_of(attr, struct mlxsw_hwmon_attr, dev_attr);
struct mlxsw_hwmon *mlxsw_hwmon = mlwsw_hwmon_attr->hwmon;
char mtmp_pl[MLXSW_REG_MTMP_LEN] = {0};
unsigned long val;
int index;
int err;
err = kstrtoul(buf, 10, &val);
Reported by FlawFinder.
Line: 144
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mlxsw_hwmon_attr *mlwsw_hwmon_attr =
container_of(attr, struct mlxsw_hwmon_attr, dev_attr);
struct mlxsw_hwmon *mlxsw_hwmon = mlwsw_hwmon_attr->hwmon;
char mfsm_pl[MLXSW_REG_MFSM_LEN];
int err;
mlxsw_reg_mfsm_pack(mfsm_pl, mlwsw_hwmon_attr->type_index);
err = mlxsw_reg_query(mlxsw_hwmon->core, MLXSW_REG(mfsm), mfsm_pl);
if (err) {
Reported by FlawFinder.
Line: 153
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
dev_err(mlxsw_hwmon->bus_info->dev, "Failed to query fan\n");
return err;
}
return sprintf(buf, "%u\n", mlxsw_reg_mfsm_rpm_get(mfsm_pl));
}
static ssize_t mlxsw_hwmon_fan_fault_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 163
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mlxsw_hwmon_attr *mlwsw_hwmon_attr =
container_of(attr, struct mlxsw_hwmon_attr, dev_attr);
struct mlxsw_hwmon *mlxsw_hwmon = mlwsw_hwmon_attr->hwmon;
char fore_pl[MLXSW_REG_FORE_LEN];
bool fault;
int err;
err = mlxsw_reg_query(mlxsw_hwmon->core, MLXSW_REG(fore), fore_pl);
if (err) {
Reported by FlawFinder.
Line: 174
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
mlxsw_reg_fore_unpack(fore_pl, mlwsw_hwmon_attr->type_index, &fault);
return sprintf(buf, "%u\n", fault);
}
static ssize_t mlxsw_hwmon_pwm_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
drivers/staging/greybus/tools/loopback_test.c
31 issues
Line: 578
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
char file[MAX_SYSFS_PATH];
snprintf(file, MAX_SYSFS_PATH, "%s%s/iteration_count", path, node);
if (access(file, F_OK) == 0)
return 1;
return 0;
}
int find_loopback_devices(struct loopback_test *t)
Reported by FlawFinder.
Line: 899
Column: 14
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
memset(&t, 0, sizeof(t));
while ((o = getopt(argc, argv,
"t:s:i:S:D:m:v::d::r::p::a::l::x::o:O:c:w:z::f::")) != -1) {
switch (o) {
case 't':
snprintf(t.test_name, MAX_STR_LEN, "%s", optarg);
break;
Reported by FlawFinder.
Line: 71
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct loopback_device {
char name[MAX_STR_LEN];
char sysfs_entry[MAX_SYSFS_PATH];
char debugfs_entry[MAX_SYSFS_PATH];
struct loopback_results results;
};
Reported by FlawFinder.
Line: 72
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct loopback_device {
char name[MAX_STR_LEN];
char sysfs_entry[MAX_SYSFS_PATH];
char debugfs_entry[MAX_SYSFS_PATH];
struct loopback_results results;
};
struct loopback_test {
Reported by FlawFinder.
Line: 73
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct loopback_device {
char name[MAX_STR_LEN];
char sysfs_entry[MAX_SYSFS_PATH];
char debugfs_entry[MAX_SYSFS_PATH];
struct loopback_results results;
};
struct loopback_test {
int verbose;
Reported by FlawFinder.
Line: 96
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int file_output;
int stop_all;
int poll_count;
char test_name[MAX_STR_LEN];
char sysfs_prefix[MAX_SYSFS_PREFIX];
char debugfs_prefix[MAX_SYSFS_PREFIX];
struct timespec poll_timeout;
struct loopback_device devices[MAX_NUM_DEVICES];
struct loopback_results aggregate_results;
Reported by FlawFinder.
Line: 97
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int stop_all;
int poll_count;
char test_name[MAX_STR_LEN];
char sysfs_prefix[MAX_SYSFS_PREFIX];
char debugfs_prefix[MAX_SYSFS_PREFIX];
struct timespec poll_timeout;
struct loopback_device devices[MAX_NUM_DEVICES];
struct loopback_results aggregate_results;
struct pollfd fds[MAX_NUM_DEVICES];
Reported by FlawFinder.
Line: 98
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int poll_count;
char test_name[MAX_STR_LEN];
char sysfs_prefix[MAX_SYSFS_PREFIX];
char debugfs_prefix[MAX_SYSFS_PREFIX];
struct timespec poll_timeout;
struct loopback_device devices[MAX_NUM_DEVICES];
struct loopback_results aggregate_results;
struct pollfd fds[MAX_NUM_DEVICES];
};
Reported by FlawFinder.
Line: 248
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int open_sysfs(const char *sys_pfx, const char *node, int flags)
{
int fd;
char path[MAX_SYSFS_PATH];
snprintf(path, sizeof(path), "%s%s", sys_pfx, node);
fd = open(path, flags);
if (fd < 0) {
fprintf(stderr, "unable to open %s\n", path);
Reported by FlawFinder.
Line: 251
Column: 7
CWE codes:
362
char path[MAX_SYSFS_PATH];
snprintf(path, sizeof(path), "%s%s", sys_pfx, node);
fd = open(path, flags);
if (fd < 0) {
fprintf(stderr, "unable to open %s\n", path);
abort();
}
return fd;
Reported by FlawFinder.
tools/perf/builtin-daemon.c
31 issues
Line: 1113
Column: 31
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return 0;
}
if (perf_config_system() && !access(perf_etc_perfconfig(), R_OK))
daemon->config_real = strdup(perf_etc_perfconfig());
else if (perf_config_global() && perf_home_perfconfig())
daemon->config_real = strdup(perf_home_perfconfig());
return daemon->config_real ? 0 : -1;
Reported by FlawFinder.
Line: 1103
Column: 16
CWE codes:
120/785!
Suggestion:
Ensure that the destination buffer is at least of size MAXPATHLEN, andto protect against implementation problems, the input argument should also be checked to ensure it is no larger than MAXPATHLEN
}
if (daemon->config) {
char *real = realpath(daemon->config, NULL);
if (!real) {
perror("failed: realpath");
return -1;
}
Reported by FlawFinder.
Line: 93
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *base;
struct list_head sessions;
FILE *out;
char perf[PATH_MAX];
int signal_fd;
time_t start;
};
static struct daemon __daemon = {
Reported by FlawFinder.
Line: 159
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int session_config(struct daemon *daemon, const char *var, const char *value)
{
struct daemon_session *session;
char name[100];
if (get_session_name(var, name, sizeof(name) - 1))
return -EINVAL;
var = strchr(var, '.');
Reported by FlawFinder.
Line: 323
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int daemon_session__run(struct daemon_session *session,
struct daemon *daemon)
{
char buf[PATH_MAX];
char **argv;
int argc, fd;
if (asprintf(&session->base, "%s/session-%s",
daemon->base, session->name) < 0) {
Reported by FlawFinder.
Line: 354
Column: 7
CWE codes:
362
return -1;
}
fd = open("/dev/null", O_RDONLY);
if (fd < 0) {
perror("failed: open /dev/null");
return -1;
}
Reported by FlawFinder.
Line: 363
Column: 7
CWE codes:
362
dup2(fd, 0);
close(fd);
fd = open(SESSION_OUTPUT, O_RDWR|O_CREAT|O_TRUNC, 0644);
if (fd < 0) {
perror("failed: open session output");
return -1;
}
Reported by FlawFinder.
Line: 514
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *msg, bool do_ack)
{
struct pollfd pollfd = { .events = POLLIN, };
char control_path[PATH_MAX];
char ack_path[PATH_MAX];
int control, ack = -1, len;
char buf[20];
int ret = -1;
ssize_t err;
Reported by FlawFinder.
Line: 515
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct pollfd pollfd = { .events = POLLIN, };
char control_path[PATH_MAX];
char ack_path[PATH_MAX];
int control, ack = -1, len;
char buf[20];
int ret = -1;
ssize_t err;
Reported by FlawFinder.
Line: 517
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char control_path[PATH_MAX];
char ack_path[PATH_MAX];
int control, ack = -1, len;
char buf[20];
int ret = -1;
ssize_t err;
/* open the control file */
scnprintf(control_path, sizeof(control_path), "%s/%s",
Reported by FlawFinder.
kernel/trace/ftrace.c
31 issues
Line: 507
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int function_stat_show(struct seq_file *m, void *v)
{
struct ftrace_profile *rec = v;
char str[KSYM_SYMBOL_LEN];
int ret = 0;
#ifdef CONFIG_FUNCTION_GRAPH_TRACER
static struct trace_seq s;
unsigned long long avg;
unsigned long long stddev;
Reported by FlawFinder.
Line: 933
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ftrace_profile_read(struct file *filp, char __user *ubuf,
size_t cnt, loff_t *ppos)
{
char buf[64]; /* big enough to hold a number */
int r;
r = sprintf(buf, "%u\n", ftrace_profile_enabled);
return simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
}
Reported by FlawFinder.
Line: 936
Column: 6
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char buf[64]; /* big enough to hold a number */
int r;
r = sprintf(buf, "%u\n", ftrace_profile_enabled);
return simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
}
static const struct file_operations ftrace_profile_fops = {
.open = tracing_open_generic,
Reported by FlawFinder.
Line: 1970
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void print_ip_ins(const char *fmt, const unsigned char *p)
{
char ins[MCOUNT_INSN_SIZE];
int i;
if (copy_from_kernel_nofault(ins, p, MCOUNT_INSN_SIZE)) {
printk(KERN_CONT "%s[FAULT] %px\n", fmt, p);
return;
Reported by FlawFinder.
Line: 3968
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ftrace_match_record(struct dyn_ftrace *rec, struct ftrace_glob *func_g,
struct ftrace_glob *mod_g, int exclude_mod)
{
char str[KSYM_SYMBOL_LEN];
char *modname;
kallsyms_lookup(rec->ip, NULL, NULL, &modname, str);
if (mod_g) {
Reported by FlawFinder.
Line: 4118
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
/* All modules have the symbol __this_module */
static const char this_mod[] = "__this_module";
char modname[MAX_PARAM_PREFIX_LEN + sizeof(this_mod) + 2];
unsigned long val;
int n;
n = snprintf(modname, sizeof(modname), "%s:%s", module, this_mod);
Reported by FlawFinder.
Line: 4668
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ftrace_hash *hash = NULL;
struct hlist_node *tmp;
struct hlist_head hhd;
char str[KSYM_SYMBOL_LEN];
int count = 0;
int i, ret = -ENODEV;
int size;
if (!glob || !strlen(glob) || !strcmp(glob, "*"))
Reported by FlawFinder.
Line: 5513
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* command line interface to allow users to set filters on boot up.
*/
#define FTRACE_FILTER_SIZE COMMAND_LINE_SIZE
static char ftrace_notrace_buf[FTRACE_FILTER_SIZE] __initdata;
static char ftrace_filter_buf[FTRACE_FILTER_SIZE] __initdata;
/* Used by function selftest to not test if filter is set */
bool ftrace_filter_param __initdata;
Reported by FlawFinder.
Line: 5514
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
#define FTRACE_FILTER_SIZE COMMAND_LINE_SIZE
static char ftrace_notrace_buf[FTRACE_FILTER_SIZE] __initdata;
static char ftrace_filter_buf[FTRACE_FILTER_SIZE] __initdata;
/* Used by function selftest to not test if filter is set */
bool ftrace_filter_param __initdata;
static int __init set_ftrace_notrace(char *str)
Reported by FlawFinder.
Line: 5536
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__setup("ftrace_filter=", set_ftrace_filter);
#ifdef CONFIG_FUNCTION_GRAPH_TRACER
static char ftrace_graph_buf[FTRACE_FILTER_SIZE] __initdata;
static char ftrace_graph_notrace_buf[FTRACE_FILTER_SIZE] __initdata;
static int ftrace_graph_set_hash(struct ftrace_hash *hash, char *buffer);
static int __init set_graph_function(char *str)
{
Reported by FlawFinder.
net/ncsi/ncsi-pkt.h
31 issues
Line: 32
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ncsi_aen_pkt_hdr {
struct ncsi_pkt_hdr common; /* Common NCSI packet header */
unsigned char reserved2[3]; /* Reserved */
unsigned char type; /* AEN packet type */
};
/* NCSI common command packet */
struct ncsi_cmd_pkt {
Reported by FlawFinder.
Line: 40
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ncsi_cmd_pkt {
struct ncsi_cmd_pkt_hdr cmd; /* Command header */
__be32 checksum; /* Checksum */
unsigned char pad[26];
};
struct ncsi_rsp_pkt {
struct ncsi_rsp_pkt_hdr rsp; /* Response header */
__be32 checksum; /* Checksum */
Reported by FlawFinder.
Line: 46
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ncsi_rsp_pkt {
struct ncsi_rsp_pkt_hdr rsp; /* Response header */
__be32 checksum; /* Checksum */
unsigned char pad[22];
};
/* Select Package */
struct ncsi_cmd_sp_pkt {
struct ncsi_cmd_pkt_hdr cmd; /* Command header */
Reported by FlawFinder.
Line: 52
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Select Package */
struct ncsi_cmd_sp_pkt {
struct ncsi_cmd_pkt_hdr cmd; /* Command header */
unsigned char reserved[3]; /* Reserved */
unsigned char hw_arbitration; /* HW arbitration */
__be32 checksum; /* Checksum */
unsigned char pad[22];
};
Reported by FlawFinder.
Line: 55
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char reserved[3]; /* Reserved */
unsigned char hw_arbitration; /* HW arbitration */
__be32 checksum; /* Checksum */
unsigned char pad[22];
};
/* Disable Channel */
struct ncsi_cmd_dc_pkt {
struct ncsi_cmd_pkt_hdr cmd; /* Command header */
Reported by FlawFinder.
Line: 61
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Disable Channel */
struct ncsi_cmd_dc_pkt {
struct ncsi_cmd_pkt_hdr cmd; /* Command header */
unsigned char reserved[3]; /* Reserved */
unsigned char ald; /* Allow link down */
__be32 checksum; /* Checksum */
unsigned char pad[22];
};
Reported by FlawFinder.
Line: 64
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char reserved[3]; /* Reserved */
unsigned char ald; /* Allow link down */
__be32 checksum; /* Checksum */
unsigned char pad[22];
};
/* Reset Channel */
struct ncsi_cmd_rc_pkt {
struct ncsi_cmd_pkt_hdr cmd; /* Command header */
Reported by FlawFinder.
Line: 72
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ncsi_cmd_pkt_hdr cmd; /* Command header */
__be32 reserved; /* Reserved */
__be32 checksum; /* Checksum */
unsigned char pad[22];
};
/* AEN Enable */
struct ncsi_cmd_ae_pkt {
struct ncsi_cmd_pkt_hdr cmd; /* Command header */
Reported by FlawFinder.
Line: 78
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* AEN Enable */
struct ncsi_cmd_ae_pkt {
struct ncsi_cmd_pkt_hdr cmd; /* Command header */
unsigned char reserved[3]; /* Reserved */
unsigned char mc_id; /* MC ID */
__be32 mode; /* AEN working mode */
__be32 checksum; /* Checksum */
unsigned char pad[18];
};
Reported by FlawFinder.
Line: 82
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char mc_id; /* MC ID */
__be32 mode; /* AEN working mode */
__be32 checksum; /* Checksum */
unsigned char pad[18];
};
/* Set Link */
struct ncsi_cmd_sl_pkt {
struct ncsi_cmd_pkt_hdr cmd; /* Command header */
Reported by FlawFinder.
fs/io_uring.c
31 issues
Line: 9512
CWE codes:
908
struct io_kiocb *req;
hlist_for_each_entry(req, list, hash_node)
seq_printf(m, " op=%d, task_works=%d\n", req->opcode,
req->task->task_works != NULL);
}
spin_unlock_irq(&ctx->completion_lock);
if (has_lock)
mutex_unlock(&ctx->uring_lock);
Reported by Cppcheck.
Line: 823
Column: 19
CWE codes:
362
struct io_timeout_rem timeout_rem;
struct io_connect connect;
struct io_sr_msg sr_msg;
struct io_open open;
struct io_close close;
struct io_rsrc_update rsrc_update;
struct io_fadvise fadvise;
struct io_madvise madvise;
struct io_epoll epoll;
Reported by FlawFinder.
Line: 1491
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ocqe = list_first_entry(&ctx->cq_overflow_list,
struct io_overflow_cqe, list);
if (cqe)
memcpy(cqe, &ocqe->cqe, sizeof(*cqe));
else
io_account_cq_overflow(ctx);
posted = true;
list_del(&ocqe->list);
Reported by FlawFinder.
Line: 3121
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct io_async_rw *rw = req->async_data;
memcpy(&rw->iter, iter, sizeof(*iter));
rw->free_iovec = iovec;
rw->bytes_done = 0;
/* can only be fixed buffers, no need to do anything */
if (iov_iter_is_bvec(iter))
return;
Reported by FlawFinder.
Line: 3136
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rw->iter.iov += iov_off;
}
if (rw->fast_iov != fast_iov)
memcpy(rw->fast_iov + iov_off, fast_iov + iov_off,
sizeof(struct iovec) * iter->nr_segs);
} else {
req->flags |= REQ_F_NEED_CLEANUP;
}
}
Reported by FlawFinder.
Line: 3798
Column: 13
CWE codes:
362
return -EBADF;
/* open.how should be already initialised */
if (!(req->open.how.flags & O_PATH) && force_o_largefile())
req->open.how.flags |= O_LARGEFILE;
req->open.dfd = READ_ONCE(sqe->fd);
fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
req->open.filename = getname(fname);
Reported by FlawFinder.
Line: 3799
Column: 8
CWE codes:
362
/* open.how should be already initialised */
if (!(req->open.how.flags & O_PATH) && force_o_largefile())
req->open.how.flags |= O_LARGEFILE;
req->open.dfd = READ_ONCE(sqe->fd);
fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
req->open.filename = getname(fname);
if (IS_ERR(req->open.filename)) {
Reported by FlawFinder.
Line: 3801
Column: 7
CWE codes:
362
if (!(req->open.how.flags & O_PATH) && force_o_largefile())
req->open.how.flags |= O_LARGEFILE;
req->open.dfd = READ_ONCE(sqe->fd);
fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
req->open.filename = getname(fname);
if (IS_ERR(req->open.filename)) {
ret = PTR_ERR(req->open.filename);
req->open.filename = NULL;
Reported by FlawFinder.
Line: 3803
Column: 7
CWE codes:
362
req->open.dfd = READ_ONCE(sqe->fd);
fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
req->open.filename = getname(fname);
if (IS_ERR(req->open.filename)) {
ret = PTR_ERR(req->open.filename);
req->open.filename = NULL;
return ret;
}
Reported by FlawFinder.
Line: 3804
Column: 18
CWE codes:
362
req->open.dfd = READ_ONCE(sqe->fd);
fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
req->open.filename = getname(fname);
if (IS_ERR(req->open.filename)) {
ret = PTR_ERR(req->open.filename);
req->open.filename = NULL;
return ret;
}
req->open.nofile = rlimit(RLIMIT_NOFILE);
Reported by FlawFinder.
net/netfilter/nf_tables_api.c
31 issues
Line: 1831
CWE codes:
908
struct nft_hook *hook;
list_for_each_entry(hook, hook_list, list) {
if (this->ops.dev == hook->ops.dev)
return hook;
}
return NULL;
}
Reported by Cppcheck.
Line: 1831
CWE codes:
908
struct nft_hook *hook;
list_for_each_entry(hook, hook_list, list) {
if (this->ops.dev == hook->ops.dev)
return hook;
}
return NULL;
}
Reported by Cppcheck.
Line: 2222
CWE codes:
908
n = 0;
list_for_each_entry(hook, hook_list2, list) {
if (!nft_hook_list_find(hook_list1, hook))
return false;
n++;
}
list_for_each_entry(hook, hook_list1, list)
Reported by Cppcheck.
Line: 3214
CWE codes:
908
struct nft_chain *chain;
struct nft_ctx ctx = {
.net = net,
.family = table->family,
};
int err;
list_for_each_entry(chain, &table->chains, list) {
if (!nft_is_base_chain(chain))
Reported by Cppcheck.
Line: 3764
CWE codes:
908
if (!nft_is_active_next(ctx->net, set))
continue;
if (!sscanf(i->name, name, &tmp))
continue;
if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
continue;
set_bit(tmp - min, inuse);
Reported by Cppcheck.
Line: 6474
CWE codes:
908
const struct nft_object_type *type;
list_for_each_entry(type, &nf_tables_objects, list) {
if (objtype == type->type)
return type;
}
return NULL;
}
Reported by Cppcheck.
Line: 7126
CWE codes:
908
const struct nf_flowtable_type *type;
list_for_each_entry(type, &nf_tables_flowtables, list) {
if (family == type->family)
return type;
}
return NULL;
}
Reported by Cppcheck.
Line: 7185
CWE codes:
908
continue;
list_for_each_entry(hook2, &ft->hook_list, list) {
if (hook->ops.dev == hook2->ops.dev &&
hook->ops.pf == hook2->ops.pf) {
err = -EEXIST;
goto err_unregister_net_hooks;
}
}
Reported by Cppcheck.
Line: 7848
CWE codes:
908
mutex_lock(&nft_net->commit_mutex);
list_for_each_entry(table, &nft_net->tables, list) {
list_for_each_entry(flowtable, &table->flowtables, list) {
nft_flowtable_event(event, dev, flowtable);
}
}
mutex_unlock(&nft_net->commit_mutex);
return NOTIFY_DONE;
Reported by Cppcheck.
Line: 8064
CWE codes:
908
fallthrough;
case NFT_VALIDATE_DO:
list_for_each_entry(table, &nft_net->tables, list) {
if (nft_table_validate(net, table) < 0)
return -EAGAIN;
}
break;
}
Reported by Cppcheck.
drivers/scsi/ips.c
31 issues
Line: 1418
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
bp = &buffer[0];
memset(bp, 0, sizeof (buffer));
sprintf(bp, "%s%s%s Build %d", "IBM PCI ServeRAID ",
IPS_VERSION_HIGH, IPS_VERSION_LOW, IPS_BUILD_IDENT);
if (ha->ad_type > 0 && ha->ad_type <= MAX_ADAPTER_NAME) {
strcat(bp, " <");
strcat(bp, ips_adapter_name[ha->ad_type - 1]);
Reported by FlawFinder.
Line: 1423
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (ha->ad_type > 0 && ha->ad_type <= MAX_ADAPTER_NAME) {
strcat(bp, " <");
strcat(bp, ips_adapter_name[ha->ad_type - 1]);
strcat(bp, ">");
}
return (bp);
}
Reported by FlawFinder.
Line: 1404
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *
ips_info(struct Scsi_Host *SH)
{
static char buffer[256];
char *bp;
ips_ha_t *ha;
METHOD_TRACE("ips_info", 1);
Reported by FlawFinder.
Line: 1422
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
IPS_VERSION_HIGH, IPS_VERSION_LOW, IPS_BUILD_IDENT);
if (ha->ad_type > 0 && ha->ad_type <= MAX_ADAPTER_NAME) {
strcat(bp, " <");
strcat(bp, ips_adapter_name[ha->ad_type - 1]);
strcat(bp, ">");
}
return (bp);
Reported by FlawFinder.
Line: 1609
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (pt->CoppCmd) {
case IPS_NUMCTRLS:
memcpy(ha->ioctl_data + sizeof (ips_passthru_t),
&ips_num_controllers, sizeof (int));
ips_scmd_buf_write(SC, ha->ioctl_data,
sizeof (ips_passthru_t) + sizeof (int));
SC->result = DID_OK << 16;
Reported by FlawFinder.
Line: 1708
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!ha->flash_data)
return IPS_FAILURE;
pt->BasicStatus = 0;
memcpy(&ha->flash_data[ha->flash_datasize], pt + 1,
pt->CoppCP.cmd.flashfw.count);
ha->flash_datasize += pt->CoppCP.cmd.flashfw.count;
if (pt->CoppCP.cmd.flashfw.packet_num ==
pt->CoppCP.cmd.flashfw.total_packets - 1) {
if (pt->CoppCP.cmd.flashfw.type == IPS_BIOS_IMAGE)
Reported by FlawFinder.
Line: 1849
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sg_list.list = scb->sg_list.list;
cmd_busaddr = scb->scb_busaddr;
/* copy in the CP */
memcpy(&scb->cmd, &pt->CoppCP.cmd, sizeof (IPS_IOCTL_CMD));
/* FIX stuff that might be wrong */
scb->sg_list.list = sg_list.list;
scb->scb_busaddr = cmd_busaddr;
scb->bus = scb->scsi_cmd->device->channel;
scb->target_id = scb->scsi_cmd->device->id;
Reported by FlawFinder.
Line: 1916
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sg_list.list = scb->sg_list.list;
cmd_busaddr = scb->scb_busaddr;
/* copy in the CP */
memcpy(&scb->cmd, &pt->CoppCP.cmd, sizeof (IPS_IOCTL_CMD));
memcpy(&scb->dcdb, &pt->CoppCP.dcdb, sizeof (IPS_DCDB_TABLE));
/* FIX stuff that might be wrong */
scb->sg_list.list = sg_list.list;
scb->scb_busaddr = cmd_busaddr;
Reported by FlawFinder.
Line: 1917
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd_busaddr = scb->scb_busaddr;
/* copy in the CP */
memcpy(&scb->cmd, &pt->CoppCP.cmd, sizeof (IPS_IOCTL_CMD));
memcpy(&scb->dcdb, &pt->CoppCP.dcdb, sizeof (IPS_DCDB_TABLE));
/* FIX stuff that might be wrong */
scb->sg_list.list = sg_list.list;
scb->scb_busaddr = cmd_busaddr;
scb->bus = scb->scsi_cmd->device->channel;
Reported by FlawFinder.
Line: 2006
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy data back to the user */
if (scb->cmd.dcdb.op_code == IPS_CMD_DCDB) /* Copy DCDB Back to Caller's Area */
memcpy(&pt->CoppCP.dcdb, &scb->dcdb, sizeof (IPS_DCDB_TABLE));
pt->BasicStatus = scb->basic_status;
pt->ExtendedStatus = scb->extended_status;
pt->AdapterType = ha->ad_type;
Reported by FlawFinder.