The following issues were found
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
30 issues
Line: 140
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
BUILD_BUG_ON(sizeof(dev->alpha2) > sizeof(hdr.alpha2));
memcpy(hdr.alpha2, dev->alpha2, sizeof(dev->alpha2));
hdr.n_2ch = n_2ch;
hdr.n_5ch = n_5ch;
memcpy(__skb_push(skb, sizeof(hdr)), &hdr, sizeof(hdr));
Reported by FlawFinder.
Line: 144
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdr.n_2ch = n_2ch;
hdr.n_5ch = n_5ch;
memcpy(__skb_push(skb, sizeof(hdr)), &hdr, sizeof(hdr));
return mt76_mcu_skb_send_msg(dev, skb, MCU_CMD_SET_CHAN_DOMAIN, false);
}
EXPORT_SYMBOL_GPL(mt76_connac_mcu_set_channel_domain);
Reported by FlawFinder.
Line: 238
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u16 ntlv;
ptlv = skb_put(skb, len);
memcpy(ptlv, &tlv, sizeof(tlv));
ntlv = le16_to_cpu(ntlv_hdr->tlv_num);
ntlv_hdr->tlv_num = cpu_to_le16(ntlv + 1);
if (sta_hdr) {
Reported by FlawFinder.
Line: 359
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
memcpy(basic->peer_addr, sta->addr, ETH_ALEN);
basic->qos = sta->wme;
}
EXPORT_SYMBOL_GPL(mt76_connac_mcu_sta_basic_tlv);
static void
Reported by FlawFinder.
Line: 472
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
generic->partial_aid = cpu_to_le16(vif->bss_conf.aid);
else
generic->partial_aid = cpu_to_le16(sta->aid);
memcpy(generic->peer_addr, sta->addr, ETH_ALEN);
generic->muar_idx = mvif->omac_idx;
generic->qos = sta->wme;
} else {
if (is_mt7921(dev) &&
vif->type == NL80211_IFTYPE_STATION)
Reported by FlawFinder.
Line: 478
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
if (is_mt7921(dev) &&
vif->type == NL80211_IFTYPE_STATION)
memcpy(generic->peer_addr, vif->bss_conf.bssid,
ETH_ALEN);
else
eth_broadcast_addr(generic->peer_addr);
generic->muar_idx = 0xe;
Reported by FlawFinder.
Line: 773
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ra_info->legacy = cpu_to_le16((u16)sta->supp_rates[band]);
if (sta->ht_cap.ht_supported)
memcpy(ra_info->rx_mcs_bitmask, sta->ht_cap.mcs.rx_mask,
HT_MCS_MASK_NUM);
tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_STATE, sizeof(*state));
state = (struct sta_rec_state *)tlv;
state->state = sta_state;
Reported by FlawFinder.
Line: 935
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ba->ba_winsize = enable ? cpu_to_le16(params->buf_size) : 0;
ba->ba_en = enable;
} else {
memcpy(ba->peer_addr, params->sta->addr, ETH_ALEN);
ba->ba_type = MT_BA_TYPE_RECIPIENT;
ba->rst_ba_tid = params->tid;
ba->rst_ba_sel = RST_BA_MAC_TID_MATCH;
ba->rst_ba_sb = 1;
}
Reported by FlawFinder.
Line: 1036
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
idx = mvif->omac_idx > EXT_BSSID_START ? HW_BSSID_0 : mvif->omac_idx;
basic_req.basic.hw_bss_idx = idx;
memcpy(dev_req.tlv.omac_addr, vif->addr, ETH_ALEN);
cmd = enable ? MCU_UNI_CMD_DEV_INFO_UPDATE : MCU_UNI_CMD_BSS_INFO_UPDATE;
data = enable ? (void *)&dev_req : (void *)&basic_req;
len = enable ? sizeof(dev_req) : sizeof(basic_req);
Reported by FlawFinder.
Line: 1303
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
memcpy(basic_req.basic.bssid, vif->bss_conf.bssid, ETH_ALEN);
basic_req.basic.bmc_tx_wlan_idx = cpu_to_le16(wcid->idx);
basic_req.basic.sta_idx = cpu_to_le16(wcid->idx);
basic_req.basic.conn_state = !enable;
err = mt76_mcu_send_msg(mdev, MCU_UNI_CMD_BSS_INFO_UPDATE, &basic_req,
Reported by FlawFinder.
tools/testing/selftests/net/mptcp/mptcp_connect.c
30 issues
Line: 860
CWE codes:
908
close(fd);
}
srand(foo);
}
static void xsetsockopt(int fd, int level, int optname, const void *optval, socklen_t optlen)
{
int err;
Reported by Cppcheck.
Line: 103
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_list ap;
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);
exit(1);
}
static void handle_signal(int nr)
Reported by FlawFinder.
Line: 856
Column: 4
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
int ret = read(fd, &foo, sizeof(foo));
if (ret < 0)
srand(fd + foo);
close(fd);
}
srand(foo);
}
Reported by FlawFinder.
Line: 860
Column: 2
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
close(fd);
}
srand(foo);
}
static void xsetsockopt(int fd, int level, int optname, const void *optval, socklen_t optlen)
{
int err;
Reported by FlawFinder.
Line: 1008
Column: 14
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
{
int c;
while ((c = getopt(argc, argv, "6jr:lp:s:hut:m:S:R:w:M:P:c:")) != -1) {
switch (c) {
case 'j':
cfg_join = true;
cfg_mode = CFG_MODE_POLL;
cfg_wait = 400000;
Reported by FlawFinder.
Line: 383
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t do_recvmsg_cmsg(const int fd, char *buf, const size_t len)
{
char msg_buf[8192];
struct iovec iov = {
.iov_base = buf,
.iov_len = len,
};
struct msghdr msg = {
Reported by FlawFinder.
Line: 416
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t do_rnd_read(const int fd, char *buf, const size_t len)
{
int ret = 0;
char tmp[16384];
size_t cap = rand();
cap &= 0xffff;
if (cap == 0)
Reported by FlawFinder.
Line: 458
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
.events = POLLIN | POLLOUT,
};
unsigned int woff = 0, wlen = 0;
char wbuf[8192];
set_nonblock(peerfd);
for (;;) {
char rbuf[8192];
Reported by FlawFinder.
Line: 463
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
set_nonblock(peerfd);
for (;;) {
char rbuf[8192];
ssize_t len;
if (fds.events == 0)
break;
Reported by FlawFinder.
Line: 562
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ssize_t r;
do {
char buf[16384];
r = do_rnd_read(infd, buf, sizeof(buf));
if (r > 0) {
if (write(outfd, buf, r) != r)
break;
Reported by FlawFinder.
drivers/acpi/acpica/acevents.h
30 issues
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
Line: 52
*/
acpi_status acpi_ev_init_global_lock_handler(void);
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status
acpi_ev_acquire_global_lock(u16 timeout))
ACPI_HW_DEPENDENT_RETURN_OK(acpi_status acpi_ev_release_global_lock(void))
acpi_status acpi_ev_remove_global_lock_handler(void);
Reported by Cppcheck.
drivers/media/radio/radio-wl1273.c
30 issues
Line: 194
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* copy RDS block to internal buffer */
memcpy(&radio->buffer[radio->wr_index], &rds, RDS_BLOCK_SIZE);
radio->wr_index += 3;
/* wrap write pointer */
if (radio->wr_index >= radio->buf_size)
radio->wr_index = 0;
Reported by FlawFinder.
Line: 157
Column: 12
CWE codes:
120
20
if (core->mode != WL1273_MODE_RX)
return 0;
r = core->read(core, WL1273_RDS_SYNC_GET, &val);
if (r)
return r;
if ((val & 0x01) == 0) {
/* RDS decoder not synchronized */
Reported by FlawFinder.
Line: 249
Column: 13
CWE codes:
120
20
if (flags & WL1273_LEV_EVENT) {
u16 level;
r = core->read(core, WL1273_RSSI_LVL_GET, &level);
if (r)
goto out;
if (level > 14)
dev_dbg(radio->dev, "IRQ: LEV: 0x%x04\n", level);
Reported by FlawFinder.
Line: 299
Column: 14
CWE codes:
120
20
goto out;
}
r = core->read(core, WL1273_FREQ_SET, &freq);
if (r)
goto out;
if (radio->band == WL1273_BAND_JAPAN)
radio->rx_frequency = WL1273_BAND_JAPAN_LOW +
Reported by FlawFinder.
Line: 318
Column: 14
CWE codes:
120
20
dev_dbg(radio->dev, "%dkHz\n", radio->rx_frequency);
} else {
r = core->read(core, WL1273_CHANL_SET, &freq);
if (r)
goto out;
dev_dbg(radio->dev, "%dkHz\n", freq);
}
Reported by FlawFinder.
Line: 461
Column: 13
CWE codes:
120
20
int r;
if (core->mode == WL1273_MODE_RX) {
r = core->read(core, WL1273_FREQ_SET, &f);
if (r)
return r;
dev_dbg(radio->dev, "Freq get: 0x%04x\n", f);
if (radio->band == WL1273_BAND_JAPAN)
Reported by FlawFinder.
Line: 884
Column: 12
CWE codes:
120
20
core->mode == WL1273_MODE_SUSPENDED)
return -EPERM;
r = core->read(core, WL1273_READ_FMANT_TUNE_VALUE, &val);
if (r) {
dev_err(dev, "%s: read error: %d\n", __func__, r);
goto out;
}
Reported by FlawFinder.
Line: 1206
Column: 12
CWE codes:
120
20
}
radio->owner = file;
r = core->read(core, WL1273_RDS_SYNC_GET, &val);
if (r) {
dev_err(radio->dev, "%s: Get RDS_SYNC fails.\n", __func__);
goto out;
} else if (val == 0) {
dev_info(radio->dev, "RDS_SYNC: Not synchronized\n");
Reported by FlawFinder.
arch/m68k/math-emu/fp_decode.h
30 issues
Line: 144
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
bfextu %d2{#17,#3},%d0 | get the register nr
btst #15,%d2 | test for data/addr register
jne 1\@f
printf PDECODE,"d%d",1,%d0
jsr fp_get_data_reg
jra 2\@f
1\@: printf PDECODE,"a%d",1,%d0
jsr fp_get_addr_reg
move.l %a0,%d0
Reported by FlawFinder.
Line: 147
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
printf PDECODE,"d%d",1,%d0
jsr fp_get_data_reg
jra 2\@f
1\@: printf PDECODE,"a%d",1,%d0
jsr fp_get_addr_reg
move.l %a0,%d0
2\@:
debug lea "'l'.w,%a0"
btst #11,%d2 | 16/32 bit size?
Reported by FlawFinder.
Line: 156
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
jne 3\@f
debug lea "'w'.w,%a0"
ext.l %d0
3\@: printf PDECODE,":%c",1,%a0
move.w %d2,%d1 | scale factor
rol.w #7,%d1
and.w #3,%d1
debug move.l "%d1,-(%sp)"
debug ext.l "%d1"
Reported by FlawFinder.
Line: 162
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
and.w #3,%d1
debug move.l "%d1,-(%sp)"
debug ext.l "%d1"
printf PDECODE,":%d",1,%d1
debug move.l "(%sp)+,%d1"
lsl.l %d1,%d0
.endm
| decode the base displacement size
Reported by FlawFinder.
Line: 217
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
| addressing mode: data register direct
.macro fp_mode_data_direct
fp_decode_addr_reg
printf PDECODE,"d%d",1,%d0
.endm
| addressing mode: address register indirect
.macro fp_mode_addr_indirect
fp_decode_addr_reg
Reported by FlawFinder.
Line: 223
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
| addressing mode: address register indirect
.macro fp_mode_addr_indirect
fp_decode_addr_reg
printf PDECODE,"(a%d)",1,%d0
jsr fp_get_addr_reg
.endm
| adjust stack for byte moves from/to stack
.macro fp_test_sp_byte_move
Reported by FlawFinder.
Line: 247
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
| addressing mode: address register indirect with postincrement
.macro fp_mode_addr_indirect_postinc
fp_decode_addr_reg
printf PDECODE,"(a%d)+",1,%d0
fp_test_sp_byte_move
jsr fp_get_addr_reg
move.l %a0,%a1 | save addr
.if do_fmovem
lea (%a0,%d1.w*4),%a0
Reported by FlawFinder.
Line: 266
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
| addressing mode: address register indirect with predecrement
.macro fp_mode_addr_indirect_predec
fp_decode_addr_reg
printf PDECODE,"-(a%d)",1,%d0
fp_test_sp_byte_move
jsr fp_get_addr_reg
.if do_fmovem
.if !do_fmovem_cr
lea (-12,%a0),%a1 | setup to addr of 1st reg to move
Reported by FlawFinder.
Line: 294
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
.macro fp_mode_addr_indirect_disp16
.if !do_no_pc_mode
fp_test_basereg_d16 1f
printf PDECODE,"pc"
fp_get_pc %a0
jra 2f
.endif
1: fp_decode_addr_reg
printf PDECODE,"a%d",1,%d0
Reported by FlawFinder.
Line: 299
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
jra 2f
.endif
1: fp_decode_addr_reg
printf PDECODE,"a%d",1,%d0
jsr fp_get_addr_reg
2: fp_get_instr_word %a1,fp_err_ua1
printf PDECODE,"@(%x)",1,%a1
add.l %a1,%a0
.endm
Reported by FlawFinder.
net/core/filter.c
30 issues
Line: 10507
}
#ifdef CONFIG_DEBUG_INFO_BTF
BTF_ID_LIST_GLOBAL(btf_sock_ids)
#define BTF_SOCK_TYPE(name, type) BTF_ID(struct, type)
BTF_SOCK_TYPE_xxx
#undef BTF_SOCK_TYPE
#else
u32 btf_sock_ids[MAX_BTF_SOCK_TYPE];
Reported by Cppcheck.
Line: 10630
return (unsigned long)sock_from_file(file);
}
BTF_ID_LIST(bpf_sock_from_file_btf_ids)
BTF_ID(struct, socket)
BTF_ID(struct, file)
const struct bpf_func_proto bpf_sock_from_file_proto = {
.func = bpf_sock_from_file,
Reported by Cppcheck.
Line: 871
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
insn++;
if (new_prog)
memcpy(new_insn, tmp_insns,
sizeof(*insn) * (insn - tmp_insns));
new_insn += insn - tmp_insns;
}
if (!new_prog) {
Reported by FlawFinder.
Line: 1370
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!fp)
return -ENOMEM;
memcpy(fp->insns, fprog->filter, fsize);
fp->len = fprog->len;
/* Since unattached filters are not copied back to user
* space through sk_get_filter(), we do not need to hold
* a copy here, and can spare us the work.
Reported by FlawFinder.
Line: 1699
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (flags & BPF_F_RECOMPUTE_CSUM)
__skb_postpull_rcsum(skb, ptr, len, offset);
memcpy(ptr, from, len);
if (flags & BPF_F_RECOMPUTE_CSUM)
__skb_postpush_rcsum(skb, ptr, len, offset);
if (flags & BPF_F_INVALIDATE_HASH)
skb_clear_hash(skb);
Reported by FlawFinder.
Line: 1732
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(!ptr))
goto err_clear;
if (ptr != to)
memcpy(to, ptr, len);
return 0;
err_clear:
memset(to, 0, len);
return -EFAULT;
Reported by FlawFinder.
Line: 1766
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(!ptr))
goto err_clear;
if (ptr != to)
memcpy(to, ptr, len);
return 0;
err_clear:
memset(to, 0, len);
return -EFAULT;
Reported by FlawFinder.
Line: 1809
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr = start + offset;
if (likely(ptr + len <= end)) {
memcpy(to, ptr, len);
return 0;
}
err_clear:
memset(to, 0, len);
Reported by FlawFinder.
Line: 2660
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = sge->length;
to = raw + poffset;
memcpy(to, from, len);
poffset += len;
sge->length = 0;
put_page(sg_page(sge));
sk_msg_iter_var_next(i);
Reported by FlawFinder.
Line: 2772
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
from = sg_virt(psge);
if (front)
memcpy(raw, from, front);
if (back) {
from += front;
to = raw + front + len;
Reported by FlawFinder.
drivers/media/pci/solo6x10/solo6x10-core.c
30 issues
Line: 211
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct solo_dev *solo_dev =
container_of(dev, struct solo_dev, dev);
return sprintf(buf, "%d\n", solo_dev->p2m_timeouts);
}
static ssize_t sdram_size_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 221
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct solo_dev *solo_dev =
container_of(dev, struct solo_dev, dev);
return sprintf(buf, "%dMegs\n", solo_dev->sdram_size >> 20);
}
static ssize_t tw28xx_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 231
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct solo_dev *solo_dev =
container_of(dev, struct solo_dev, dev);
return sprintf(buf, "tw2815[%d] tw2864[%d] tw2865[%d]\n",
hweight32(solo_dev->tw2815),
hweight32(solo_dev->tw2864),
hweight32(solo_dev->tw2865));
}
Reported by FlawFinder.
Line: 247
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char *out = buf;
val = solo_reg_read(solo_dev, SOLO_VI_CH_SWITCH_0);
out += sprintf(out, "Channel 0 => Input %d\n", val & 0x1f);
out += sprintf(out, "Channel 1 => Input %d\n", (val >> 5) & 0x1f);
out += sprintf(out, "Channel 2 => Input %d\n", (val >> 10) & 0x1f);
out += sprintf(out, "Channel 3 => Input %d\n", (val >> 15) & 0x1f);
out += sprintf(out, "Channel 4 => Input %d\n", (val >> 20) & 0x1f);
out += sprintf(out, "Channel 5 => Input %d\n", (val >> 25) & 0x1f);
Reported by FlawFinder.
Line: 248
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
val = solo_reg_read(solo_dev, SOLO_VI_CH_SWITCH_0);
out += sprintf(out, "Channel 0 => Input %d\n", val & 0x1f);
out += sprintf(out, "Channel 1 => Input %d\n", (val >> 5) & 0x1f);
out += sprintf(out, "Channel 2 => Input %d\n", (val >> 10) & 0x1f);
out += sprintf(out, "Channel 3 => Input %d\n", (val >> 15) & 0x1f);
out += sprintf(out, "Channel 4 => Input %d\n", (val >> 20) & 0x1f);
out += sprintf(out, "Channel 5 => Input %d\n", (val >> 25) & 0x1f);
Reported by FlawFinder.
Line: 249
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
val = solo_reg_read(solo_dev, SOLO_VI_CH_SWITCH_0);
out += sprintf(out, "Channel 0 => Input %d\n", val & 0x1f);
out += sprintf(out, "Channel 1 => Input %d\n", (val >> 5) & 0x1f);
out += sprintf(out, "Channel 2 => Input %d\n", (val >> 10) & 0x1f);
out += sprintf(out, "Channel 3 => Input %d\n", (val >> 15) & 0x1f);
out += sprintf(out, "Channel 4 => Input %d\n", (val >> 20) & 0x1f);
out += sprintf(out, "Channel 5 => Input %d\n", (val >> 25) & 0x1f);
val = solo_reg_read(solo_dev, SOLO_VI_CH_SWITCH_1);
Reported by FlawFinder.
Line: 250
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
out += sprintf(out, "Channel 0 => Input %d\n", val & 0x1f);
out += sprintf(out, "Channel 1 => Input %d\n", (val >> 5) & 0x1f);
out += sprintf(out, "Channel 2 => Input %d\n", (val >> 10) & 0x1f);
out += sprintf(out, "Channel 3 => Input %d\n", (val >> 15) & 0x1f);
out += sprintf(out, "Channel 4 => Input %d\n", (val >> 20) & 0x1f);
out += sprintf(out, "Channel 5 => Input %d\n", (val >> 25) & 0x1f);
val = solo_reg_read(solo_dev, SOLO_VI_CH_SWITCH_1);
out += sprintf(out, "Channel 6 => Input %d\n", val & 0x1f);
Reported by FlawFinder.
Line: 251
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
out += sprintf(out, "Channel 1 => Input %d\n", (val >> 5) & 0x1f);
out += sprintf(out, "Channel 2 => Input %d\n", (val >> 10) & 0x1f);
out += sprintf(out, "Channel 3 => Input %d\n", (val >> 15) & 0x1f);
out += sprintf(out, "Channel 4 => Input %d\n", (val >> 20) & 0x1f);
out += sprintf(out, "Channel 5 => Input %d\n", (val >> 25) & 0x1f);
val = solo_reg_read(solo_dev, SOLO_VI_CH_SWITCH_1);
out += sprintf(out, "Channel 6 => Input %d\n", val & 0x1f);
out += sprintf(out, "Channel 7 => Input %d\n", (val >> 5) & 0x1f);
Reported by FlawFinder.
Line: 252
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
out += sprintf(out, "Channel 2 => Input %d\n", (val >> 10) & 0x1f);
out += sprintf(out, "Channel 3 => Input %d\n", (val >> 15) & 0x1f);
out += sprintf(out, "Channel 4 => Input %d\n", (val >> 20) & 0x1f);
out += sprintf(out, "Channel 5 => Input %d\n", (val >> 25) & 0x1f);
val = solo_reg_read(solo_dev, SOLO_VI_CH_SWITCH_1);
out += sprintf(out, "Channel 6 => Input %d\n", val & 0x1f);
out += sprintf(out, "Channel 7 => Input %d\n", (val >> 5) & 0x1f);
out += sprintf(out, "Channel 8 => Input %d\n", (val >> 10) & 0x1f);
Reported by FlawFinder.
Line: 255
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
out += sprintf(out, "Channel 5 => Input %d\n", (val >> 25) & 0x1f);
val = solo_reg_read(solo_dev, SOLO_VI_CH_SWITCH_1);
out += sprintf(out, "Channel 6 => Input %d\n", val & 0x1f);
out += sprintf(out, "Channel 7 => Input %d\n", (val >> 5) & 0x1f);
out += sprintf(out, "Channel 8 => Input %d\n", (val >> 10) & 0x1f);
out += sprintf(out, "Channel 9 => Input %d\n", (val >> 15) & 0x1f);
out += sprintf(out, "Channel 10 => Input %d\n", (val >> 20) & 0x1f);
out += sprintf(out, "Channel 11 => Input %d\n", (val >> 25) & 0x1f);
Reported by FlawFinder.
drivers/media/pci/ddbridge/ddbridge-core.c
30 issues
Line: 2929
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return sprintf(buf, "NO SNR\n");
snr[31] = 0; /* in case it is not terminated on EEPROM */
}
return sprintf(buf, "%s\n", snr);
}
static ssize_t bsnr_show(struct device *device,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 2940
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ddbridge_flashread(dev, 0, snr, 0x10, 15);
snr[15] = 0; /* in case it is not terminated on EEPROM */
return sprintf(buf, "%s\n", snr);
}
static ssize_t bpsnr_show(struct device *device,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 2957
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
snr[0] == 0xff)
return sprintf(buf, "NO SNR\n");
snr[31] = 0; /* in case it is not terminated on EEPROM */
return sprintf(buf, "%s\n", snr);
}
static ssize_t redirect_show(struct device *device,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 1610
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto err_detach;
}
dvb->fe2->tuner_priv = dvb->fe->tuner_priv;
memcpy(&dvb->fe2->ops.tuner_ops,
&dvb->fe->ops.tuner_ops,
sizeof(struct dvb_tuner_ops));
}
}
Reported by FlawFinder.
Line: 2750
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct ddb *dev = dev_get_drvdata(device);
return sprintf(buf, "%d\n", dev->port_num);
}
static ssize_t ts_irq_show(struct device *device,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 2758
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct ddb *dev = dev_get_drvdata(device);
return sprintf(buf, "%d\n", dev->ts_irq);
}
static ssize_t i2c_irq_show(struct device *device,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 2766
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct ddb *dev = dev_get_drvdata(device);
return sprintf(buf, "%d\n", dev->i2c_irq);
}
static ssize_t fan_show(struct device *device,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 2776
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
u32 val;
val = ddbreadl(dev, GPIO_OUTPUT) & 1;
return sprintf(buf, "%d\n", val);
}
static ssize_t fan_store(struct device *device, struct device_attribute *d,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 2801
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
u32 spd;
spd = ddblreadl(link, TEMPMON_FANCONTROL) & 0xff;
return sprintf(buf, "%u\n", spd * 100);
}
static ssize_t temp_show(struct device *device,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 2814
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
u8 tmp[2];
if (!link->info->temp_num)
return sprintf(buf, "no sensor\n");
adap = &dev->i2c[link->info->temp_bus].adap;
if (i2c_read_regs(adap, 0x48, 0, tmp, 2) < 0)
return sprintf(buf, "read_error\n");
temp = (tmp[0] << 3) | (tmp[1] >> 5);
temp *= 125;
Reported by FlawFinder.
drivers/scsi/atp870u.c
30 issues
Line: 95
CWE codes:
788
static inline u8 atp_readb_io(struct atp_unit *atp, u8 channel, u8 reg)
{
return inb(atp->ioport[channel] + reg);
}
static inline u16 atp_readw_io(struct atp_unit *atp, u8 channel, u8 reg)
{
return inw(atp->ioport[channel] + reg);
Reported by Cppcheck.
Line: 144
CWE codes:
788
#ifdef ED_DBGP
printk("atp870u_intr_handle enter\n");
#endif
dev->in_int[c] = 1;
cmdp = atp_readb_io(dev, c, 0x10);
if (dev->working[c] != 0) {
if (is885(dev)) {
if ((atp_readb_io(dev, c, 0x16) & 0x80) == 0)
atp_writeb_io(dev, c, 0x16,
Reported by Cppcheck.
Line: 146
CWE codes:
788
#endif
dev->in_int[c] = 1;
cmdp = atp_readb_io(dev, c, 0x10);
if (dev->working[c] != 0) {
if (is885(dev)) {
if ((atp_readb_io(dev, c, 0x16) & 0x80) == 0)
atp_writeb_io(dev, c, 0x16,
(atp_readb_io(dev, c, 0x16) | 0x80));
}
Reported by Cppcheck.
Line: 197
CWE codes:
758
}
if (is885(dev)) {
adrcnt = 0;
((unsigned char *) &adrcnt)[2] =
atp_readb_io(dev, c, 0x12);
((unsigned char *) &adrcnt)[1] =
atp_readb_io(dev, c, 0x13);
((unsigned char *) &adrcnt)[0] =
atp_readb_io(dev, c, 0x14);
Reported by Cppcheck.
Line: 199
CWE codes:
758
adrcnt = 0;
((unsigned char *) &adrcnt)[2] =
atp_readb_io(dev, c, 0x12);
((unsigned char *) &adrcnt)[1] =
atp_readb_io(dev, c, 0x13);
((unsigned char *) &adrcnt)[0] =
atp_readb_io(dev, c, 0x14);
if (dev->id[c][target_id].last_len != adrcnt) {
k = dev->id[c][target_id].last_len;
Reported by Cppcheck.
Line: 259
CWE codes:
758
dev->last_cmd[c] = 0xff;
}
adrcnt = 0;
((unsigned char *) &adrcnt)[2] =
atp_readb_io(dev, c, 0x12);
((unsigned char *) &adrcnt)[1] =
atp_readb_io(dev, c, 0x13);
((unsigned char *) &adrcnt)[0] =
atp_readb_io(dev, c, 0x14);
Reported by Cppcheck.
Line: 261
CWE codes:
758
adrcnt = 0;
((unsigned char *) &adrcnt)[2] =
atp_readb_io(dev, c, 0x12);
((unsigned char *) &adrcnt)[1] =
atp_readb_io(dev, c, 0x13);
((unsigned char *) &adrcnt)[0] =
atp_readb_io(dev, c, 0x14);
k = dev->id[c][target_id].last_len;
k -= adrcnt;
Reported by Cppcheck.
Line: 299
CWE codes:
758
printk("cmdp = 0x41\n");
#endif
adrcnt = 0;
((unsigned char *) &adrcnt)[2] =
atp_readb_io(dev, c, 0x12);
((unsigned char *) &adrcnt)[1] =
atp_readb_io(dev, c, 0x13);
((unsigned char *) &adrcnt)[0] =
atp_readb_io(dev, c, 0x14);
Reported by Cppcheck.
Line: 301
CWE codes:
758
adrcnt = 0;
((unsigned char *) &adrcnt)[2] =
atp_readb_io(dev, c, 0x12);
((unsigned char *) &adrcnt)[1] =
atp_readb_io(dev, c, 0x13);
((unsigned char *) &adrcnt)[0] =
atp_readb_io(dev, c, 0x14);
k = dev->id[c][target_id].last_len;
k -= adrcnt;
Reported by Cppcheck.
Line: 359
CWE codes:
758
adrcnt = dev->id[c][target_id].tran_len;
k = dev->id[c][target_id].last_len;
atp_writeb_io(dev, c, 0x12, ((unsigned char *) &k)[2]);
atp_writeb_io(dev, c, 0x13, ((unsigned char *) &k)[1]);
atp_writeb_io(dev, c, 0x14, ((unsigned char *) &k)[0]);
#ifdef ED_DBGP
printk("k %x, k[0] 0x%x k[1] 0x%x k[2] 0x%x\n", k,
atp_readb_io(dev, c, 0x14),
Reported by Cppcheck.
drivers/scsi/megaraid.c
30 issues
Line: 1853
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
adapter = (adapter_t *)host->hostdata;
sprintf (buffer,
"LSI Logic MegaRAID %s %d commands %d targs %d chans %d luns",
adapter->fw_version, adapter->product_info.max_commands,
adapter->host->max_id, adapter->host->max_channel,
(u32)adapter->host->max_lun);
return buffer;
Reported by FlawFinder.
Line: 329
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
0,
adapter->product_info.bios_version[0] & 0x0f);
} else {
memcpy(adapter->fw_version,
(char *)adapter->product_info.fw_version, 4);
adapter->fw_version[4] = 0;
memcpy(adapter->bios_version,
(char *)adapter->product_info.bios_version, 4);
Reported by FlawFinder.
Line: 333
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(char *)adapter->product_info.fw_version, 4);
adapter->fw_version[4] = 0;
memcpy(adapter->bios_version,
(char *)adapter->product_info.bios_version, 4);
adapter->bios_version[4] = 0;
}
Reported by FlawFinder.
Line: 708
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pthru->islogical = 1;
pthru->logdrv = ldrv_num;
pthru->cdblen = cmd->cmd_len;
memcpy(pthru->cdb, cmd->cmnd, cmd->cmd_len);
if( adapter->has_64bit_addr ) {
mbox->m_out.cmd = MEGA_MBOXCMD_PASSTHRU64;
}
else {
Reported by FlawFinder.
Line: 976
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pthru->cdblen = cmd->cmd_len;
pthru->logdrv = cmd->device->lun;
memcpy(pthru->cdb, cmd->cmnd, cmd->cmd_len);
/* Not sure about the direction */
scb->dma_direction = DMA_BIDIRECTIONAL;
/* Special Code for Handling READ_CAPA/ INQ using bounce buffers */
Reported by FlawFinder.
Line: 1040
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
epthru->cdblen = cmd->cmd_len;
epthru->logdrv = cmd->device->lun;
memcpy(epthru->cdb, cmd->cmnd, cmd->cmd_len);
/* Not sure about the direction */
scb->dma_direction = DMA_BIDIRECTIONAL;
switch(cmd->cmnd[0]) {
Reported by FlawFinder.
Line: 1116
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Copy mailbox data into host structure */
memcpy((char *)&mbox->m_out, (char *)scb->raw_mbox,
sizeof(struct mbox_out));
mbox->m_out.cmdid = scb->idx; /* Set cmdid */
mbox->m_in.busy = 1; /* Set busy */
Reported by FlawFinder.
Line: 1190
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto bug_blocked_mailbox;
/* Copy mailbox data into host structure */
memcpy((char *) mbox, raw_mbox, sizeof(struct mbox_out));
mbox->m_out.cmdid = 0xFE;
mbox->m_in.busy = 1;
switch (raw_mbox[0]) {
case MEGA_MBOXCMD_LREAD64:
Reported by FlawFinder.
Line: 1301
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
atomic_sub(nstatus, &adapter->pend_cmds);
memcpy(completed, (void *)adapter->mbox->m_in.completed,
nstatus);
/* Acknowledge interrupt */
irq_ack(adapter);
Reported by FlawFinder.
Line: 1378
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
atomic_sub(nstatus, &adapter->pend_cmds);
memcpy(completed, (void *)adapter->mbox->m_in.completed,
nstatus);
/* Acknowledge interrupt */
WRINDOOR(adapter, 0x2);
Reported by FlawFinder.