The following issues were found
tools/perf/builtin-daemon.c
31 issues
Line: 1113
Column: 31
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return 0;
}
if (perf_config_system() && !access(perf_etc_perfconfig(), R_OK))
daemon->config_real = strdup(perf_etc_perfconfig());
else if (perf_config_global() && perf_home_perfconfig())
daemon->config_real = strdup(perf_home_perfconfig());
return daemon->config_real ? 0 : -1;
Reported by FlawFinder.
Line: 1103
Column: 16
CWE codes:
120/785!
Suggestion:
Ensure that the destination buffer is at least of size MAXPATHLEN, andto protect against implementation problems, the input argument should also be checked to ensure it is no larger than MAXPATHLEN
}
if (daemon->config) {
char *real = realpath(daemon->config, NULL);
if (!real) {
perror("failed: realpath");
return -1;
}
Reported by FlawFinder.
Line: 93
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *base;
struct list_head sessions;
FILE *out;
char perf[PATH_MAX];
int signal_fd;
time_t start;
};
static struct daemon __daemon = {
Reported by FlawFinder.
Line: 159
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int session_config(struct daemon *daemon, const char *var, const char *value)
{
struct daemon_session *session;
char name[100];
if (get_session_name(var, name, sizeof(name) - 1))
return -EINVAL;
var = strchr(var, '.');
Reported by FlawFinder.
Line: 323
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int daemon_session__run(struct daemon_session *session,
struct daemon *daemon)
{
char buf[PATH_MAX];
char **argv;
int argc, fd;
if (asprintf(&session->base, "%s/session-%s",
daemon->base, session->name) < 0) {
Reported by FlawFinder.
Line: 354
Column: 7
CWE codes:
362
return -1;
}
fd = open("/dev/null", O_RDONLY);
if (fd < 0) {
perror("failed: open /dev/null");
return -1;
}
Reported by FlawFinder.
Line: 363
Column: 7
CWE codes:
362
dup2(fd, 0);
close(fd);
fd = open(SESSION_OUTPUT, O_RDWR|O_CREAT|O_TRUNC, 0644);
if (fd < 0) {
perror("failed: open session output");
return -1;
}
Reported by FlawFinder.
Line: 514
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *msg, bool do_ack)
{
struct pollfd pollfd = { .events = POLLIN, };
char control_path[PATH_MAX];
char ack_path[PATH_MAX];
int control, ack = -1, len;
char buf[20];
int ret = -1;
ssize_t err;
Reported by FlawFinder.
Line: 515
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct pollfd pollfd = { .events = POLLIN, };
char control_path[PATH_MAX];
char ack_path[PATH_MAX];
int control, ack = -1, len;
char buf[20];
int ret = -1;
ssize_t err;
Reported by FlawFinder.
Line: 517
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char control_path[PATH_MAX];
char ack_path[PATH_MAX];
int control, ack = -1, len;
char buf[20];
int ret = -1;
ssize_t err;
/* open the control file */
scnprintf(control_path, sizeof(control_path), "%s/%s",
Reported by FlawFinder.
drivers/gpu/drm/drm_dp_mst_topology.c
31 issues
Line: 397
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
idx++;
buf[idx] = (req->u.dpcd_write.num_bytes);
idx++;
memcpy(&buf[idx], req->u.dpcd_write.bytes, req->u.dpcd_write.num_bytes);
idx += req->u.dpcd_write.num_bytes;
break;
case DP_REMOTE_I2C_READ:
buf[idx] = (req->u.i2c_read.port_number & 0xf) << 4;
buf[idx] |= (req->u.i2c_read.num_transactions & 0x3);
Reported by FlawFinder.
Line: 409
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
idx++;
buf[idx] = req->u.i2c_read.transactions[i].num_bytes;
idx++;
memcpy(&buf[idx], req->u.i2c_read.transactions[i].bytes, req->u.i2c_read.transactions[i].num_bytes);
idx += req->u.i2c_read.transactions[i].num_bytes;
buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 4;
buf[idx] |= (req->u.i2c_read.transactions[i].i2c_transaction_delay & 0xf);
idx++;
Reported by FlawFinder.
Line: 429
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
idx++;
buf[idx] = (req->u.i2c_write.num_bytes);
idx++;
memcpy(&buf[idx], req->u.i2c_write.bytes, req->u.i2c_write.num_bytes);
idx += req->u.i2c_write.num_bytes;
break;
case DP_QUERY_STREAM_ENC_STATUS: {
const struct drm_dp_query_stream_enc_status *msg;
Reported by FlawFinder.
Line: 438
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg = &req->u.enc_status;
buf[idx] = msg->stream_id;
idx++;
memcpy(&buf[idx], msg->client_id, sizeof(msg->client_id));
idx += sizeof(msg->client_id);
buf[idx] = 0;
buf[idx] |= FIELD_PREP(GENMASK(1, 0), msg->stream_event);
buf[idx] |= msg->valid_stream_event ? BIT(2) : 0;
buf[idx] |= FIELD_PREP(GENMASK(4, 3), msg->stream_behavior);
Reported by FlawFinder.
Line: 691
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct drm_dp_sideband_msg_tx *txmsg)
{
struct drm_dp_sideband_msg_req_body req;
char buf[64];
int ret;
int i;
drm_dp_mst_rad_to_str(txmsg->dst->rad, txmsg->dst->lct, buf,
sizeof(buf));
Reported by FlawFinder.
Line: 763
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return false;
if (hdr->somt) {
memcpy(&msg->initial_hdr, hdr,
sizeof(struct drm_dp_sideband_msg_hdr));
msg->have_somt = true;
}
if (hdr->eomt)
msg->have_eomt = true;
Reported by FlawFinder.
Line: 779
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u8 crc4;
memcpy(&msg->chunk[msg->curchunk_idx], replybuf, replybuflen);
msg->curchunk_idx += replybuflen;
if (msg->curchunk_idx >= msg->curchunk_len) {
/* do CRC */
crc4 = drm_dp_msg_data_crc4(msg->chunk, msg->curchunk_len - 1);
Reported by FlawFinder.
Line: 790
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
DUMP_PREFIX_NONE, 16, 1,
msg->chunk, msg->curchunk_len, false);
/* copy chunk into bigger msg */
memcpy(&msg->msg[msg->curlen], msg->chunk, msg->curchunk_len - 1);
msg->curlen += msg->curchunk_len - 1;
}
return true;
}
Reported by FlawFinder.
Line: 803
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int idx = 1;
int i;
memcpy(repmsg->u.link_addr.guid, &raw->msg[idx], 16);
idx += 16;
repmsg->u.link_addr.nports = raw->msg[idx] & 0xf;
idx++;
if (idx > raw->curlen)
goto fail_len;
Reported by FlawFinder.
Line: 831
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
idx++;
if (idx > raw->curlen)
goto fail_len;
memcpy(repmsg->u.link_addr.ports[i].peer_guid, &raw->msg[idx], 16);
idx += 16;
if (idx > raw->curlen)
goto fail_len;
repmsg->u.link_addr.ports[i].num_sdp_streams = (raw->msg[idx] >> 4) & 0xf;
repmsg->u.link_addr.ports[i].num_sdp_stream_sinks = (raw->msg[idx] & 0xf);
Reported by FlawFinder.
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
30 issues
Line: 140
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
BUILD_BUG_ON(sizeof(dev->alpha2) > sizeof(hdr.alpha2));
memcpy(hdr.alpha2, dev->alpha2, sizeof(dev->alpha2));
hdr.n_2ch = n_2ch;
hdr.n_5ch = n_5ch;
memcpy(__skb_push(skb, sizeof(hdr)), &hdr, sizeof(hdr));
Reported by FlawFinder.
Line: 144
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdr.n_2ch = n_2ch;
hdr.n_5ch = n_5ch;
memcpy(__skb_push(skb, sizeof(hdr)), &hdr, sizeof(hdr));
return mt76_mcu_skb_send_msg(dev, skb, MCU_CMD_SET_CHAN_DOMAIN, false);
}
EXPORT_SYMBOL_GPL(mt76_connac_mcu_set_channel_domain);
Reported by FlawFinder.
Line: 238
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u16 ntlv;
ptlv = skb_put(skb, len);
memcpy(ptlv, &tlv, sizeof(tlv));
ntlv = le16_to_cpu(ntlv_hdr->tlv_num);
ntlv_hdr->tlv_num = cpu_to_le16(ntlv + 1);
if (sta_hdr) {
Reported by FlawFinder.
Line: 359
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
memcpy(basic->peer_addr, sta->addr, ETH_ALEN);
basic->qos = sta->wme;
}
EXPORT_SYMBOL_GPL(mt76_connac_mcu_sta_basic_tlv);
static void
Reported by FlawFinder.
Line: 472
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
generic->partial_aid = cpu_to_le16(vif->bss_conf.aid);
else
generic->partial_aid = cpu_to_le16(sta->aid);
memcpy(generic->peer_addr, sta->addr, ETH_ALEN);
generic->muar_idx = mvif->omac_idx;
generic->qos = sta->wme;
} else {
if (is_mt7921(dev) &&
vif->type == NL80211_IFTYPE_STATION)
Reported by FlawFinder.
Line: 478
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
if (is_mt7921(dev) &&
vif->type == NL80211_IFTYPE_STATION)
memcpy(generic->peer_addr, vif->bss_conf.bssid,
ETH_ALEN);
else
eth_broadcast_addr(generic->peer_addr);
generic->muar_idx = 0xe;
Reported by FlawFinder.
Line: 773
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ra_info->legacy = cpu_to_le16((u16)sta->supp_rates[band]);
if (sta->ht_cap.ht_supported)
memcpy(ra_info->rx_mcs_bitmask, sta->ht_cap.mcs.rx_mask,
HT_MCS_MASK_NUM);
tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_STATE, sizeof(*state));
state = (struct sta_rec_state *)tlv;
state->state = sta_state;
Reported by FlawFinder.
Line: 935
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ba->ba_winsize = enable ? cpu_to_le16(params->buf_size) : 0;
ba->ba_en = enable;
} else {
memcpy(ba->peer_addr, params->sta->addr, ETH_ALEN);
ba->ba_type = MT_BA_TYPE_RECIPIENT;
ba->rst_ba_tid = params->tid;
ba->rst_ba_sel = RST_BA_MAC_TID_MATCH;
ba->rst_ba_sb = 1;
}
Reported by FlawFinder.
Line: 1036
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
idx = mvif->omac_idx > EXT_BSSID_START ? HW_BSSID_0 : mvif->omac_idx;
basic_req.basic.hw_bss_idx = idx;
memcpy(dev_req.tlv.omac_addr, vif->addr, ETH_ALEN);
cmd = enable ? MCU_UNI_CMD_DEV_INFO_UPDATE : MCU_UNI_CMD_BSS_INFO_UPDATE;
data = enable ? (void *)&dev_req : (void *)&basic_req;
len = enable ? sizeof(dev_req) : sizeof(basic_req);
Reported by FlawFinder.
Line: 1303
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
memcpy(basic_req.basic.bssid, vif->bss_conf.bssid, ETH_ALEN);
basic_req.basic.bmc_tx_wlan_idx = cpu_to_le16(wcid->idx);
basic_req.basic.sta_idx = cpu_to_le16(wcid->idx);
basic_req.basic.conn_state = !enable;
err = mt76_mcu_send_msg(mdev, MCU_UNI_CMD_BSS_INFO_UPDATE, &basic_req,
Reported by FlawFinder.
drivers/hwmon/adm1026.c
30 issues
Line: 473
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
int nr = sensor_attr->index;
struct adm1026_data *data = adm1026_update_device(dev);
return sprintf(buf, "%d\n", INS_FROM_REG(nr, data->in[nr]));
}
static ssize_t in_min_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
Reported by FlawFinder.
Line: 481
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
int nr = sensor_attr->index;
struct adm1026_data *data = adm1026_update_device(dev);
return sprintf(buf, "%d\n", INS_FROM_REG(nr, data->in_min[nr]));
}
static ssize_t in_min_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
Reported by FlawFinder.
Line: 509
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
int nr = sensor_attr->index;
struct adm1026_data *data = adm1026_update_device(dev);
return sprintf(buf, "%d\n", INS_FROM_REG(nr, data->in_max[nr]));
}
static ssize_t in_max_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
Reported by FlawFinder.
Line: 585
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char *buf)
{
struct adm1026_data *data = adm1026_update_device(dev);
return sprintf(buf, "%d\n", INS_FROM_REG(16, data->in[16]) -
NEG12_OFFSET);
}
static ssize_t in16_min_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 592
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct adm1026_data *data = adm1026_update_device(dev);
return sprintf(buf, "%d\n", INS_FROM_REG(16, data->in_min[16])
- NEG12_OFFSET);
}
static ssize_t in16_min_store(struct device *dev,
struct device_attribute *attr, const char *buf,
size_t count)
Reported by FlawFinder.
Line: 621
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct adm1026_data *data = adm1026_update_device(dev);
return sprintf(buf, "%d\n", INS_FROM_REG(16, data->in_max[16])
- NEG12_OFFSET);
}
static ssize_t in16_max_store(struct device *dev,
struct device_attribute *attr, const char *buf,
size_t count)
Reported by FlawFinder.
Line: 659
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
int nr = sensor_attr->index;
struct adm1026_data *data = adm1026_update_device(dev);
return sprintf(buf, "%d\n", FAN_FROM_REG(data->fan[nr],
data->fan_div[nr]));
}
static ssize_t fan_min_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 668
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
int nr = sensor_attr->index;
struct adm1026_data *data = adm1026_update_device(dev);
return sprintf(buf, "%d\n", FAN_FROM_REG(data->fan_min[nr],
data->fan_div[nr]));
}
static ssize_t fan_min_store(struct device *dev,
struct device_attribute *attr, const char *buf,
size_t count)
Reported by FlawFinder.
Line: 736
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
int nr = sensor_attr->index;
struct adm1026_data *data = adm1026_update_device(dev);
return sprintf(buf, "%d\n", data->fan_div[nr]);
}
static ssize_t fan_div_store(struct device *dev,
struct device_attribute *attr, const char *buf,
size_t count)
{
Reported by FlawFinder.
Line: 797
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
int nr = sensor_attr->index;
struct adm1026_data *data = adm1026_update_device(dev);
return sprintf(buf, "%d\n", TEMP_FROM_REG(data->temp[nr]));
}
static ssize_t temp_min_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
Reported by FlawFinder.
tools/testing/selftests/net/mptcp/mptcp_connect.c
30 issues
Line: 860
CWE codes:
908
close(fd);
}
srand(foo);
}
static void xsetsockopt(int fd, int level, int optname, const void *optval, socklen_t optlen)
{
int err;
Reported by Cppcheck.
Line: 103
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_list ap;
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);
exit(1);
}
static void handle_signal(int nr)
Reported by FlawFinder.
Line: 856
Column: 4
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
int ret = read(fd, &foo, sizeof(foo));
if (ret < 0)
srand(fd + foo);
close(fd);
}
srand(foo);
}
Reported by FlawFinder.
Line: 860
Column: 2
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
close(fd);
}
srand(foo);
}
static void xsetsockopt(int fd, int level, int optname, const void *optval, socklen_t optlen)
{
int err;
Reported by FlawFinder.
Line: 1008
Column: 14
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
{
int c;
while ((c = getopt(argc, argv, "6jr:lp:s:hut:m:S:R:w:M:P:c:")) != -1) {
switch (c) {
case 'j':
cfg_join = true;
cfg_mode = CFG_MODE_POLL;
cfg_wait = 400000;
Reported by FlawFinder.
Line: 383
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t do_recvmsg_cmsg(const int fd, char *buf, const size_t len)
{
char msg_buf[8192];
struct iovec iov = {
.iov_base = buf,
.iov_len = len,
};
struct msghdr msg = {
Reported by FlawFinder.
Line: 416
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t do_rnd_read(const int fd, char *buf, const size_t len)
{
int ret = 0;
char tmp[16384];
size_t cap = rand();
cap &= 0xffff;
if (cap == 0)
Reported by FlawFinder.
Line: 458
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
.events = POLLIN | POLLOUT,
};
unsigned int woff = 0, wlen = 0;
char wbuf[8192];
set_nonblock(peerfd);
for (;;) {
char rbuf[8192];
Reported by FlawFinder.
Line: 463
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
set_nonblock(peerfd);
for (;;) {
char rbuf[8192];
ssize_t len;
if (fds.events == 0)
break;
Reported by FlawFinder.
Line: 562
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ssize_t r;
do {
char buf[16384];
r = do_rnd_read(infd, buf, sizeof(buf));
if (r > 0) {
if (write(outfd, buf, r) != r)
break;
Reported by FlawFinder.
drivers/crypto/ixp4xx_crypto.c
30 issues
Line: 350
Column: 53
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
static struct tasklet_struct crypto_done_tasklet;
static void finish_scattered_hmac(struct crypt_ctl *crypt)
{
struct aead_request *req = crypt->data.aead_req;
struct aead_ctx *req_ctx = aead_request_ctx(req);
struct crypto_aead *tfm = crypto_aead_reqtfm(req);
int authsize = crypto_aead_authsize(tfm);
Reported by FlawFinder.
Line: 368
Column: 20
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
static void one_packet(dma_addr_t phys)
{
struct device *dev = &pdev->dev;
struct crypt_ctl *crypt;
struct ixp_ctx *ctx;
int failed;
failed = phys & 0x1 ? -EBADMSG : 0;
phys &= ~0x3;
Reported by FlawFinder.
Line: 384
Column: 26
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
free_buf_chain(dev, req_ctx->src, crypt->src_buf);
free_buf_chain(dev, req_ctx->dst, crypt->dst_buf);
if (req_ctx->hmac_virt)
finish_scattered_hmac(crypt);
req->base.complete(&req->base, failed);
break;
}
case CTL_FLAG_PERFORM_ABLK: {
Reported by FlawFinder.
Line: 684
Column: 20
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
int key_len)
{
struct ixp_ctx *ctx = crypto_tfm_ctx(tfm);
struct crypt_ctl *crypt;
struct buffer_desc *buf;
int i;
u8 *pad;
dma_addr_t pad_phys, buf_phys;
Reported by FlawFinder.
Line: 700
Column: 7
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
return -ENOMEM;
}
crypt = get_crypt_desc_emerg();
if (!crypt) {
dma_pool_free(ctx_pool, pad, pad_phys);
dma_pool_free(buffer_pool, buf, buf_phys);
return -EAGAIN;
}
Reported by FlawFinder.
Line: 730
Column: 43
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
buf->phys_addr = pad_phys;
atomic_inc(&ctx->configuring);
qmgr_put_entry(send_qid, crypt_virt2phys(crypt));
BUG_ON(qmgr_stat_overflow(send_qid));
return 0;
}
static int setup_auth(struct crypto_tfm *tfm, int encrypt, unsigned int authsize,
Reported by FlawFinder.
Line: 784
Column: 20
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
static int gen_rev_aes_key(struct crypto_tfm *tfm)
{
struct crypt_ctl *crypt;
struct ixp_ctx *ctx = crypto_tfm_ctx(tfm);
struct ix_sa_dir *dir = &ctx->decrypt;
crypt = get_crypt_desc_emerg();
if (!crypt)
Reported by FlawFinder.
Line: 789
Column: 7
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
struct ix_sa_dir *dir = &ctx->decrypt;
crypt = get_crypt_desc_emerg();
if (!crypt)
return -EAGAIN;
*(u32 *)dir->npe_ctx |= cpu_to_be32(CIPH_ENCR);
crypt->data.tfm = tfm;
Reported by FlawFinder.
Line: 805
Column: 43
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
crypt->ctl_flags |= CTL_FLAG_GEN_REVAES;
atomic_inc(&ctx->configuring);
qmgr_put_entry(send_qid, crypt_virt2phys(crypt));
BUG_ON(qmgr_stat_overflow(send_qid));
return 0;
}
static int setup_cipher(struct crypto_tfm *tfm, int encrypt, const u8 *key,
Reported by FlawFinder.
Line: 978
Column: 20
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
struct ixp_ctx *ctx = crypto_skcipher_ctx(tfm);
unsigned int ivsize = crypto_skcipher_ivsize(tfm);
struct ix_sa_dir *dir;
struct crypt_ctl *crypt;
unsigned int nbytes = req->cryptlen;
enum dma_data_direction src_direction = DMA_BIDIRECTIONAL;
struct ablk_ctx *req_ctx = skcipher_request_ctx(req);
struct buffer_desc src_hook;
struct device *dev = &pdev->dev;
Reported by FlawFinder.
drivers/net/ethernet/intel/iavf/iavf_ethtool.c
30 issues
Line: 199
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_list args;
va_start(args, size);
vsnprintf(*p, ETH_GSTRING_LEN, stats[i].stat_string, args);
*p += ETH_GSTRING_LEN;
va_end(args);
}
}
Reported by FlawFinder.
Line: 34
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* arguments to the iavf_add_stat_string() helper function.
**/
struct iavf_stats {
char stat_string[ETH_GSTRING_LEN];
int sizeof_stat;
int stat_offset;
};
/* Helper macro to define an iavf_stat structure with proper size and type.
Reported by FlawFinder.
Line: 248
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* our one private flag is actually available.
*/
struct iavf_priv_flags {
char flag_string[ETH_GSTRING_LEN];
u32 flag;
bool read_only;
};
#define IAVF_PRIV_FLAG(_name, _flag, _read_only) { \
Reported by FlawFinder.
Line: 1065
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case TCP_V6_FLOW:
case UDP_V6_FLOW:
case SCTP_V6_FLOW:
memcpy(fsp->h_u.usr_ip6_spec.ip6src, &rule->ip_data.v6_addrs.src_ip,
sizeof(struct in6_addr));
memcpy(fsp->h_u.usr_ip6_spec.ip6dst, &rule->ip_data.v6_addrs.dst_ip,
sizeof(struct in6_addr));
fsp->h_u.tcp_ip6_spec.psrc = rule->ip_data.src_port;
fsp->h_u.tcp_ip6_spec.pdst = rule->ip_data.dst_port;
Reported by FlawFinder.
Line: 1067
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case SCTP_V6_FLOW:
memcpy(fsp->h_u.usr_ip6_spec.ip6src, &rule->ip_data.v6_addrs.src_ip,
sizeof(struct in6_addr));
memcpy(fsp->h_u.usr_ip6_spec.ip6dst, &rule->ip_data.v6_addrs.dst_ip,
sizeof(struct in6_addr));
fsp->h_u.tcp_ip6_spec.psrc = rule->ip_data.src_port;
fsp->h_u.tcp_ip6_spec.pdst = rule->ip_data.dst_port;
fsp->h_u.tcp_ip6_spec.tclass = rule->ip_data.tclass;
memcpy(fsp->m_u.usr_ip6_spec.ip6src, &rule->ip_mask.v6_addrs.src_ip,
Reported by FlawFinder.
Line: 1072
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fsp->h_u.tcp_ip6_spec.psrc = rule->ip_data.src_port;
fsp->h_u.tcp_ip6_spec.pdst = rule->ip_data.dst_port;
fsp->h_u.tcp_ip6_spec.tclass = rule->ip_data.tclass;
memcpy(fsp->m_u.usr_ip6_spec.ip6src, &rule->ip_mask.v6_addrs.src_ip,
sizeof(struct in6_addr));
memcpy(fsp->m_u.usr_ip6_spec.ip6dst, &rule->ip_mask.v6_addrs.dst_ip,
sizeof(struct in6_addr));
fsp->m_u.tcp_ip6_spec.psrc = rule->ip_mask.src_port;
fsp->m_u.tcp_ip6_spec.pdst = rule->ip_mask.dst_port;
Reported by FlawFinder.
Line: 1074
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fsp->h_u.tcp_ip6_spec.tclass = rule->ip_data.tclass;
memcpy(fsp->m_u.usr_ip6_spec.ip6src, &rule->ip_mask.v6_addrs.src_ip,
sizeof(struct in6_addr));
memcpy(fsp->m_u.usr_ip6_spec.ip6dst, &rule->ip_mask.v6_addrs.dst_ip,
sizeof(struct in6_addr));
fsp->m_u.tcp_ip6_spec.psrc = rule->ip_mask.src_port;
fsp->m_u.tcp_ip6_spec.pdst = rule->ip_mask.dst_port;
fsp->m_u.tcp_ip6_spec.tclass = rule->ip_mask.tclass;
break;
Reported by FlawFinder.
Line: 1082
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case AH_V6_FLOW:
case ESP_V6_FLOW:
memcpy(fsp->h_u.ah_ip6_spec.ip6src, &rule->ip_data.v6_addrs.src_ip,
sizeof(struct in6_addr));
memcpy(fsp->h_u.ah_ip6_spec.ip6dst, &rule->ip_data.v6_addrs.dst_ip,
sizeof(struct in6_addr));
fsp->h_u.ah_ip6_spec.spi = rule->ip_data.spi;
fsp->h_u.ah_ip6_spec.tclass = rule->ip_data.tclass;
Reported by FlawFinder.
Line: 1084
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case ESP_V6_FLOW:
memcpy(fsp->h_u.ah_ip6_spec.ip6src, &rule->ip_data.v6_addrs.src_ip,
sizeof(struct in6_addr));
memcpy(fsp->h_u.ah_ip6_spec.ip6dst, &rule->ip_data.v6_addrs.dst_ip,
sizeof(struct in6_addr));
fsp->h_u.ah_ip6_spec.spi = rule->ip_data.spi;
fsp->h_u.ah_ip6_spec.tclass = rule->ip_data.tclass;
memcpy(fsp->m_u.ah_ip6_spec.ip6src, &rule->ip_mask.v6_addrs.src_ip,
sizeof(struct in6_addr));
Reported by FlawFinder.
Line: 1088
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct in6_addr));
fsp->h_u.ah_ip6_spec.spi = rule->ip_data.spi;
fsp->h_u.ah_ip6_spec.tclass = rule->ip_data.tclass;
memcpy(fsp->m_u.ah_ip6_spec.ip6src, &rule->ip_mask.v6_addrs.src_ip,
sizeof(struct in6_addr));
memcpy(fsp->m_u.ah_ip6_spec.ip6dst, &rule->ip_mask.v6_addrs.dst_ip,
sizeof(struct in6_addr));
fsp->m_u.ah_ip6_spec.spi = rule->ip_mask.spi;
fsp->m_u.ah_ip6_spec.tclass = rule->ip_mask.tclass;
Reported by FlawFinder.
drivers/scsi/atp870u.c
30 issues
Line: 95
CWE codes:
788
static inline u8 atp_readb_io(struct atp_unit *atp, u8 channel, u8 reg)
{
return inb(atp->ioport[channel] + reg);
}
static inline u16 atp_readw_io(struct atp_unit *atp, u8 channel, u8 reg)
{
return inw(atp->ioport[channel] + reg);
Reported by Cppcheck.
Line: 144
CWE codes:
788
#ifdef ED_DBGP
printk("atp870u_intr_handle enter\n");
#endif
dev->in_int[c] = 1;
cmdp = atp_readb_io(dev, c, 0x10);
if (dev->working[c] != 0) {
if (is885(dev)) {
if ((atp_readb_io(dev, c, 0x16) & 0x80) == 0)
atp_writeb_io(dev, c, 0x16,
Reported by Cppcheck.
Line: 146
CWE codes:
788
#endif
dev->in_int[c] = 1;
cmdp = atp_readb_io(dev, c, 0x10);
if (dev->working[c] != 0) {
if (is885(dev)) {
if ((atp_readb_io(dev, c, 0x16) & 0x80) == 0)
atp_writeb_io(dev, c, 0x16,
(atp_readb_io(dev, c, 0x16) | 0x80));
}
Reported by Cppcheck.
Line: 197
CWE codes:
758
}
if (is885(dev)) {
adrcnt = 0;
((unsigned char *) &adrcnt)[2] =
atp_readb_io(dev, c, 0x12);
((unsigned char *) &adrcnt)[1] =
atp_readb_io(dev, c, 0x13);
((unsigned char *) &adrcnt)[0] =
atp_readb_io(dev, c, 0x14);
Reported by Cppcheck.
Line: 199
CWE codes:
758
adrcnt = 0;
((unsigned char *) &adrcnt)[2] =
atp_readb_io(dev, c, 0x12);
((unsigned char *) &adrcnt)[1] =
atp_readb_io(dev, c, 0x13);
((unsigned char *) &adrcnt)[0] =
atp_readb_io(dev, c, 0x14);
if (dev->id[c][target_id].last_len != adrcnt) {
k = dev->id[c][target_id].last_len;
Reported by Cppcheck.
Line: 259
CWE codes:
758
dev->last_cmd[c] = 0xff;
}
adrcnt = 0;
((unsigned char *) &adrcnt)[2] =
atp_readb_io(dev, c, 0x12);
((unsigned char *) &adrcnt)[1] =
atp_readb_io(dev, c, 0x13);
((unsigned char *) &adrcnt)[0] =
atp_readb_io(dev, c, 0x14);
Reported by Cppcheck.
Line: 261
CWE codes:
758
adrcnt = 0;
((unsigned char *) &adrcnt)[2] =
atp_readb_io(dev, c, 0x12);
((unsigned char *) &adrcnt)[1] =
atp_readb_io(dev, c, 0x13);
((unsigned char *) &adrcnt)[0] =
atp_readb_io(dev, c, 0x14);
k = dev->id[c][target_id].last_len;
k -= adrcnt;
Reported by Cppcheck.
Line: 299
CWE codes:
758
printk("cmdp = 0x41\n");
#endif
adrcnt = 0;
((unsigned char *) &adrcnt)[2] =
atp_readb_io(dev, c, 0x12);
((unsigned char *) &adrcnt)[1] =
atp_readb_io(dev, c, 0x13);
((unsigned char *) &adrcnt)[0] =
atp_readb_io(dev, c, 0x14);
Reported by Cppcheck.
Line: 301
CWE codes:
758
adrcnt = 0;
((unsigned char *) &adrcnt)[2] =
atp_readb_io(dev, c, 0x12);
((unsigned char *) &adrcnt)[1] =
atp_readb_io(dev, c, 0x13);
((unsigned char *) &adrcnt)[0] =
atp_readb_io(dev, c, 0x14);
k = dev->id[c][target_id].last_len;
k -= adrcnt;
Reported by Cppcheck.
Line: 359
CWE codes:
758
adrcnt = dev->id[c][target_id].tran_len;
k = dev->id[c][target_id].last_len;
atp_writeb_io(dev, c, 0x12, ((unsigned char *) &k)[2]);
atp_writeb_io(dev, c, 0x13, ((unsigned char *) &k)[1]);
atp_writeb_io(dev, c, 0x14, ((unsigned char *) &k)[0]);
#ifdef ED_DBGP
printk("k %x, k[0] 0x%x k[1] 0x%x k[2] 0x%x\n", k,
atp_readb_io(dev, c, 0x14),
Reported by Cppcheck.
drivers/acpi/acpica/acevents.h
30 issues
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
drivers/media/pci/ddbridge/ddbridge-core.c
30 issues
Line: 2929
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return sprintf(buf, "NO SNR\n");
snr[31] = 0; /* in case it is not terminated on EEPROM */
}
return sprintf(buf, "%s\n", snr);
}
static ssize_t bsnr_show(struct device *device,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 2940
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ddbridge_flashread(dev, 0, snr, 0x10, 15);
snr[15] = 0; /* in case it is not terminated on EEPROM */
return sprintf(buf, "%s\n", snr);
}
static ssize_t bpsnr_show(struct device *device,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 2957
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
snr[0] == 0xff)
return sprintf(buf, "NO SNR\n");
snr[31] = 0; /* in case it is not terminated on EEPROM */
return sprintf(buf, "%s\n", snr);
}
static ssize_t redirect_show(struct device *device,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 1610
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto err_detach;
}
dvb->fe2->tuner_priv = dvb->fe->tuner_priv;
memcpy(&dvb->fe2->ops.tuner_ops,
&dvb->fe->ops.tuner_ops,
sizeof(struct dvb_tuner_ops));
}
}
Reported by FlawFinder.
Line: 2750
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct ddb *dev = dev_get_drvdata(device);
return sprintf(buf, "%d\n", dev->port_num);
}
static ssize_t ts_irq_show(struct device *device,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 2758
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct ddb *dev = dev_get_drvdata(device);
return sprintf(buf, "%d\n", dev->ts_irq);
}
static ssize_t i2c_irq_show(struct device *device,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 2766
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct ddb *dev = dev_get_drvdata(device);
return sprintf(buf, "%d\n", dev->i2c_irq);
}
static ssize_t fan_show(struct device *device,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 2776
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
u32 val;
val = ddbreadl(dev, GPIO_OUTPUT) & 1;
return sprintf(buf, "%d\n", val);
}
static ssize_t fan_store(struct device *device, struct device_attribute *d,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 2801
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
u32 spd;
spd = ddblreadl(link, TEMPMON_FANCONTROL) & 0xff;
return sprintf(buf, "%u\n", spd * 100);
}
static ssize_t temp_show(struct device *device,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 2814
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
u8 tmp[2];
if (!link->info->temp_num)
return sprintf(buf, "no sensor\n");
adap = &dev->i2c[link->info->temp_bus].adap;
if (i2c_read_regs(adap, 0x48, 0, tmp, 2) < 0)
return sprintf(buf, "read_error\n");
temp = (tmp[0] << 3) | (tmp[1] >> 5);
temp *= 125;
Reported by FlawFinder.