The following issues were found
drivers/scsi/mvsas/mv_init.c
5 issues
Line: 281
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!mvi->bulk_buffer1)
goto err_out;
sprintf(pool_name, "%s%d", "mvs_dma_pool", mvi->id);
mvi->dma_pool = dma_pool_create(pool_name, &mvi->pdev->dev,
MVS_SLOT_BUF_SZ, 16, 0);
if (!mvi->dma_pool) {
printk(KERN_DEBUG "failed to create dma pool %s.\n", pool_name);
goto err_out;
Reported by FlawFinder.
Line: 221
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mvs_alloc(struct mvs_info *mvi, struct Scsi_Host *shost)
{
int i = 0, slot_nr;
char pool_name[32];
if (mvi->flags & MVF_FLAG_SOC)
slot_nr = MVS_SOC_SLOTS;
else
slot_nr = MVS_CHIP_SLOT_SZ;
Reported by FlawFinder.
Line: 490
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpu_to_be64((u64)(*(u64 *)&mvi->phy[i].dev_sas_addr));
}
memcpy(mvi->sas_addr, &mvi->phy[0].dev_sas_addr, SAS_ADDR_SIZE);
}
static int mvs_pci_init(struct pci_dev *pdev, const struct pci_device_id *ent)
{
unsigned int rc, nhost = 0;
Reported by FlawFinder.
Line: 722
Column: 10
CWE codes:
126
if (val >= 0x10000) {
mv_dprintk("interrupt coalescing timer %d us is"
"too long\n", val);
return strlen(buffer);
}
interrupt_coalescing = val;
core_nr = ((struct mvs_prv_info *)sha->lldd_ha)->n_host;
Reported by FlawFinder.
Line: 741
Column: 9
CWE codes:
126
}
mv_dprintk("set interrupt coalescing time to %d us\n",
interrupt_coalescing);
return strlen(buffer);
}
static ssize_t interrupt_coalescing_show(struct device *cdev,
struct device_attribute *attr, char *buffer)
{
Reported by FlawFinder.
drivers/scsi/nsp32.c
5 issues
Line: 324
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
char buf[NSP32_DEBUG_BUF_LEN];
va_start(args, fmt);
vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
#ifndef NSP32_DEBUG
printk("%snsp32: %s\n", type, buf);
#else
Reported by FlawFinder.
Line: 341
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
char buf[NSP32_DEBUG_BUF_LEN];
va_start(args, fmt);
vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
if (mask & NSP32_DEBUG_MASK) {
printk("nsp32-debug: 0x%x %s (%d): %s\n", mask, func, line, buf);
}
Reported by FlawFinder.
Line: 321
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void nsp32_message(const char *func, int line, char *type, char *fmt, ...)
{
va_list args;
char buf[NSP32_DEBUG_BUF_LEN];
va_start(args, fmt);
vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
Reported by FlawFinder.
Line: 338
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void nsp32_dmessage(const char *func, int line, int mask, char *fmt, ...)
{
va_list args;
char buf[NSP32_DEBUG_BUF_LEN];
va_start(args, fmt);
vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
Reported by FlawFinder.
Line: 2576
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
data = (nsp32_hw_data *)host->hostdata;
memcpy(data, &nsp32_data_base, sizeof(nsp32_hw_data));
host->irq = data->IrqNumber;
host->io_port = data->BaseAddress;
host->unique_id = data->BaseAddress;
host->n_io_port = data->NumAddress;
Reported by FlawFinder.
drivers/scsi/pcmcia/nsp_cs.c
5 issues
Line: 143
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
char buf[NSP_DEBUG_BUF_LEN];
va_start(args, fmt);
vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
#ifndef NSP_DEBUG
printk("%snsp_cs: %s\n", type, buf);
#else
Reported by FlawFinder.
Line: 160
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
char buf[NSP_DEBUG_BUF_LEN];
va_start(args, fmt);
vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
if (mask & NSP_DEBUG_MASK) {
printk("nsp_cs-debug: 0x%x %s (%d): %s\n", mask, func, line, buf);
}
Reported by FlawFinder.
Line: 140
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void nsp_cs_message(const char *func, int line, char *type, char *fmt, ...)
{
va_list args;
char buf[NSP_DEBUG_BUF_LEN];
va_start(args, fmt);
vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
Reported by FlawFinder.
Line: 157
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void nsp_cs_dmessage(const char *func, int line, int mask, char *fmt, ...)
{
va_list args;
char buf[NSP_DEBUG_BUF_LEN];
va_start(args, fmt);
vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
Reported by FlawFinder.
Line: 1322
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
}
memcpy(host->hostdata, data_b, sizeof(nsp_hw_data));
data = (nsp_hw_data *)host->hostdata;
data->ScsiInfo->host = host;
#ifdef NSP_DEBUG
data->CmdId = 0;
#endif
Reported by FlawFinder.
drivers/scsi/qedf/qedf_io.c
5 issues
Line: 580
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* 16 bytes: CDB information */
if (io_req->cmd_type != QEDF_TASK_MGMT_CMD)
memcpy(fcp_cmnd->fc_cdb, sc_cmd->cmnd, sc_cmd->cmd_len);
/* 4 bytes: FCP data length */
fcp_cmnd->fc_dl = htonl(io_req->data_xfer_len);
}
Reported by FlawFinder.
Line: 662
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < cnt; i++) {
tmp_fcp_cmnd[i] = cpu_to_be32(tmp_fcp_cmnd[i]);
}
memcpy(fcp_cmnd, tmp_fcp_cmnd, sizeof(struct fcp_cmnd));
init_initiator_rw_fcoe_task(io_req->task_params,
io_req->sgl_task_params,
sense_data_buffer_phys_addr,
io_req->task_retry_identifier, fcp_cmnd);
Reported by FlawFinder.
Line: 1103
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sc_cmd->sense_buffer) {
memset(sc_cmd->sense_buffer, 0, SCSI_SENSE_BUFFERSIZE);
if (fcp_sns_len)
memcpy(sc_cmd->sense_buffer, sense_data,
fcp_sns_len);
}
}
static void qedf_unmap_sg_list(struct qedf_ctx *qedf, struct qedf_ioreq *io_req)
Reported by FlawFinder.
Line: 2585
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy data from BDQ buffer into fc_frame struct */
fh = (struct fc_frame_header *)fc_frame_header_get(fp);
memcpy(fh, (void *)bdq_addr, pktlen);
QEDF_WARN(&qedf->dbg_ctx,
"Processing Unsolicated frame, src=%06x dest=%06x r_ctl=0x%x type=0x%x cmd=%02x\n",
ntoh24(fh->fh_s_id), ntoh24(fh->fh_d_id), fh->fh_r_ctl,
fh->fh_type, fc_frame_payload_op(fp));
Reported by FlawFinder.
Line: 2616
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
INIT_WORK(&io_work->work, qedf_fp_io_handler);
/* Copy contents of CQE for deferred processing */
memcpy(&io_work->cqe, cqe, sizeof(struct fcoe_cqe));
io_work->qedf = qedf;
io_work->fp = fp;
queue_work_on(smp_processor_id(), qedf_io_wq, &io_work->work);
Reported by FlawFinder.
drivers/scsi/scsi_devinfo.c
5 issues
Line: 23
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct scsi_dev_info_list {
struct list_head dev_info_list;
char vendor[8];
char model[16];
blist_flags_t flags;
unsigned compatible; /* for use with scsi_static_device_list entries */
};
Reported by FlawFinder.
Line: 24
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct scsi_dev_info_list {
struct list_head dev_info_list;
char vendor[8];
char model[16];
blist_flags_t flags;
unsigned compatible; /* for use with scsi_static_device_list entries */
};
struct scsi_dev_info_list_table {
Reported by FlawFinder.
Line: 39
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static blist_flags_t scsi_default_dev_flags;
static LIST_HEAD(scsi_dev_info_list);
static char scsi_dev_flags[256];
/*
* scsi_static_device_list: deprecated list of devices that require
* settings that differ from the default, includes black-listed (broken)
* devices. The entries here are added to the tail of scsi_dev_info_list
Reported by FlawFinder.
Line: 292
Column: 16
CWE codes:
126
{
size_t from_length;
from_length = strlen(from);
/* This zero-pads the destination */
strncpy(to, from, to_length);
if (from_length < to_length && !compatible) {
/*
* space pad the string if it is short.
Reported by FlawFinder.
Line: 294
Column: 2
CWE codes:
120
from_length = strlen(from);
/* This zero-pads the destination */
strncpy(to, from, to_length);
if (from_length < to_length && !compatible) {
/*
* space pad the string if it is short.
*/
memset(&to[from_length], ' ', to_length - from_length);
Reported by FlawFinder.
drivers/scsi/snic/snic_debugfs.c
5 issues
Line: 92
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
loff_t *ppos)
{
struct snic *snic = (struct snic *) filp->private_data;
char buf[64];
int len;
len = sprintf(buf, "%u\n", snic->reset_stats);
return simple_read_from_buffer(ubuf, cnt, ppos, buf, len);
Reported by FlawFinder.
Line: 95
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char buf[64];
int len;
len = sprintf(buf, "%u\n", snic->reset_stats);
return simple_read_from_buffer(ubuf, cnt, ppos, buf, len);
}
/*
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct snic_stats *stats = &snic->s_stats;
u64 *io_stats_p = (u64 *) &stats->io;
u64 *fw_stats_p = (u64 *) &stats->fw;
char buf[64];
unsigned long val;
int ret;
if (cnt >= sizeof(buf))
return -EINVAL;
Reported by FlawFinder.
Line: 358
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
void snic_stats_debugfs_init(struct snic *snic)
{
char name[16];
snprintf(name, sizeof(name), "host%d", snic->shost->host_no);
snic->stats_host = debugfs_create_dir(name, snic_glob->stats_root);
Reported by FlawFinder.
Line: 416
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int
snic_trc_seq_show(struct seq_file *sfp, void *data)
{
char buf[SNIC_TRC_PBLEN];
if (snic_get_trc_data(buf, SNIC_TRC_PBLEN) > 0)
seq_printf(sfp, "%s\n", buf);
return 0;
Reported by FlawFinder.
drivers/scsi/sym53c8xx_2/sym_glue.c
5 issues
Line: 1973
.show_width = 1,
.set_dt = sym2_set_dt,
.show_dt = 1,
#if 0
.set_iu = sym2_set_iu,
.show_iu = 1,
.set_qas = sym2_set_qas,
.show_qas = 1,
#endif
Reported by Cppcheck.
Line: 192
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Bounce back the sense data to user.
*/
memset(cmd->sense_buffer, 0, SCSI_SENSE_BUFFERSIZE);
memcpy(cmd->sense_buffer, cp->sns_bbuf,
min(SCSI_SENSE_BUFFERSIZE, SYM_SNS_BBUF_LEN));
#if 0
/*
* If the device reports a UNIT ATTENTION condition
* due to a RESET condition, we should consider all
Reported by FlawFinder.
Line: 315
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
static inline int sym_setup_cdb(struct sym_hcb *np, struct scsi_cmnd *cmd, struct sym_ccb *cp)
{
memcpy(cp->cdb_buf, cmd->cmnd, cmd->cmd_len);
cp->phys.cmd.addr = CCB_BA(cp, cdb_buf[0]);
cp->phys.cmd.size = cpu_to_scr(cmd->cmd_len);
return 0;
Reported by FlawFinder.
Line: 1293
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* Edit its name.
*/
strlcpy(np->s.chip_name, dev->chip.name, sizeof(np->s.chip_name));
sprintf(np->s.inst_name, "sym%d", np->s.unit);
if ((SYM_CONF_DMA_ADDRESSING_MODE > 0) && (np->features & FE_DAC) &&
!dma_set_mask(&pdev->dev, DMA_DAC_MASK)) {
set_dac(np);
} else if (dma_set_mask(&pdev->dev, DMA_BIT_MASK(32))) {
Reported by FlawFinder.
Line: 991
Column: 17
CWE codes:
126
static int is_keyword(char *ptr, int len, char *verb)
{
int verb_len = strlen(verb);
if (len >= verb_len && !memcmp(verb, ptr, verb_len))
return verb_len;
else
return 0;
Reported by FlawFinder.
drivers/scsi/xen-scsifront.c
5 issues
Line: 128
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int pause:1;
unsigned callers;
char dev_state_path[64];
struct task_struct *curr;
};
static DEFINE_MUTEX(scsifront_mutex);
Reported by FlawFinder.
Line: 212
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUG_ON(sc->cmd_len > VSCSIIF_MAX_COMMAND_SIZE);
memcpy(ring_req->cmnd, sc->cmnd, sc->cmd_len);
ring_req->sc_data_direction = (uint8_t)sc->sc_data_direction;
ring_req->timeout_per_command = sc->request->timeout / HZ;
for (i = 0; i < (shadow->nr_segments & ~VSCSIIF_SG_GRANT); i++)
Reported by FlawFinder.
Line: 277
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ring_rsp->sense_len);
if (sense_len)
memcpy(sc->sense_buffer, ring_rsp->sense_buffer, sense_len);
sc->scsi_done(sc);
}
static void scsifront_sync_cmd_done(struct vscsifrnt_info *info,
Reported by FlawFinder.
Line: 832
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct vscsifrnt_info *info;
struct Scsi_Host *host;
int err = -ENOMEM;
char name[TASK_COMM_LEN];
host = scsi_host_alloc(&scsifront_sht, sizeof(*info));
if (!host) {
xenbus_dev_fatal(dev, err, "fail to allocate scsi host");
return err;
Reported by FlawFinder.
Line: 978
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct xenbus_device *dev = info->dev;
int i, err = 0;
char str[64];
char **dir;
unsigned int dir_n = 0;
unsigned int device_state;
unsigned int hst, chn, tgt, lun;
struct scsi_device *sdev;
Reported by FlawFinder.
drivers/soc/qcom/mdt_loader.c
5 issues
Line: 120
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
hash_offset = phdrs[1].p_offset;
memcpy(data, fw->data, ehdr_size);
memcpy(data + ehdr_size, fw->data + hash_offset, hash_size);
*data_len = ehdr_size + hash_size;
return data;
Reported by FlawFinder.
Line: 121
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hash_offset = phdrs[1].p_offset;
memcpy(data, fw->data, ehdr_size);
memcpy(data + ehdr_size, fw->data + hash_offset, hash_size);
*data_len = ehdr_size + hash_size;
return data;
}
Reported by FlawFinder.
Line: 253
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
memcpy(ptr, fw->data + phdr->p_offset, phdr->p_filesz);
} else if (phdr->p_filesz) {
/* Firmware not large enough, load split-out segments */
sprintf(fw_name + fw_name_len - 3, "b%02d", i);
ret = request_firmware_into_buf(&seg_fw, fw_name, dev,
ptr, phdr->p_filesz);
Reported by FlawFinder.
Line: 256
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
memcpy(ptr, fw->data + phdr->p_offset, phdr->p_filesz);
} else if (phdr->p_filesz) {
/* Firmware not large enough, load split-out segments */
sprintf(fw_name + fw_name_len - 3, "b%02d", i);
ret = request_firmware_into_buf(&seg_fw, fw_name, dev,
ptr, phdr->p_filesz);
if (ret) {
dev_err(dev, "failed to load %s\n", fw_name);
break;
Reported by FlawFinder.
Line: 157
Column: 16
CWE codes:
126
ehdr = (struct elf32_hdr *)fw->data;
phdrs = (struct elf32_phdr *)(ehdr + 1);
fw_name_len = strlen(firmware);
if (fw_name_len <= 4)
return -EINVAL;
fw_name = kstrdup(firmware, GFP_KERNEL);
if (!fw_name)
Reported by FlawFinder.
drivers/soc/qcom/socinfo.c
5 issues
Line: 113
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le32 fmt;
__le32 id;
__le32 ver;
char build_id[SMEM_SOCINFO_BUILD_ID_LENGTH];
/* Version 2 */
__le32 raw_id;
__le32 raw_ver;
/* Version 3 */
__le32 hw_plat;
Reported by FlawFinder.
Line: 146
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le32 raw_device_num;
/* Version 13 */
__le32 nproduct_id;
char chip_id[SMEM_SOCINFO_CHIP_ID_LENGTH];
/* Version 14 */
__le32 num_clusters;
__le32 ncluster_array_offset;
__le32 num_defective_parts;
__le32 ndefective_parts_array_offset;
Reported by FlawFinder.
Line: 177
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct smem_image_version {
char name[SMEM_IMAGE_VERSION_NAME_SIZE];
char variant[SMEM_IMAGE_VERSION_VARIANT_SIZE];
char pad;
char oem[SMEM_IMAGE_VERSION_OEM_SIZE];
};
#endif /* CONFIG_DEBUG_FS */
Reported by FlawFinder.
Line: 178
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct smem_image_version {
char name[SMEM_IMAGE_VERSION_NAME_SIZE];
char variant[SMEM_IMAGE_VERSION_VARIANT_SIZE];
char pad;
char oem[SMEM_IMAGE_VERSION_OEM_SIZE];
};
#endif /* CONFIG_DEBUG_FS */
Reported by FlawFinder.
Line: 180
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char name[SMEM_IMAGE_VERSION_NAME_SIZE];
char variant[SMEM_IMAGE_VERSION_VARIANT_SIZE];
char pad;
char oem[SMEM_IMAGE_VERSION_OEM_SIZE];
};
#endif /* CONFIG_DEBUG_FS */
struct qcom_socinfo {
struct soc_device *soc_dev;
Reported by FlawFinder.