The following issues were found
drivers/target/target_core_fabric_lib.c
5 issues
Line: 154
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* length of the iSCSI TransportID or the contents of the ADDITIONAL
* LENGTH field.
*/
len = sprintf(&buf[off], "%s", se_nacl->initiatorname);
off += len;
if ((*format_code == 1) && (pr_reg->isid_present_at_reg)) {
/*
* Set FORMAT CODE 01b for iSCSI Initiator port TransportID
* format.
Reported by FlawFinder.
Line: 190
Column: 14
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
buf[off++] = 0x78; /* ASCII Character: "x" */
len += 5;
isid_len = sprintf(buf + off, "%s", pr_reg->pr_reg_isid);
off += isid_len;
len += isid_len;
}
buf[off] = '\0';
len += 1;
Reported by FlawFinder.
Line: 112
Column: 8
CWE codes:
126
p = nacl->initiatorname;
if (strncasecmp(p, "0x", 2) == 0)
p += 2;
len = strlen(p);
if (len % 2)
return -EINVAL;
count = min(len / 2, 16U);
leading_zero_bytes = 16 - count;
Reported by FlawFinder.
Line: 224
Column: 8
CWE codes:
126
u32 len = 0, padding = 0;
spin_lock_irq(&se_nacl->nacl_sess_lock);
len = strlen(se_nacl->initiatorname);
/*
* Add extra byte for NULL terminator
*/
len++;
/*
Reported by FlawFinder.
Line: 238
Column: 10
CWE codes:
126
*/
if (pr_reg->isid_present_at_reg) {
len += 5; /* For ",i,0x" ASCII separator */
len += strlen(pr_reg->pr_reg_isid);
*format_code = 1;
} else
*format_code = 0;
spin_unlock_irq(&se_nacl->nacl_sess_lock);
/*
Reported by FlawFinder.
drivers/tee/tee_core.c
5 issues
Line: 62
Column: 26
CWE codes:
362
kref_init(&ctx->refcount);
ctx->teedev = teedev;
rc = teedev->desc->ops->open(ctx);
if (rc)
goto err;
return ctx;
err:
Reported by FlawFinder.
Line: 143
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int uuid_v5(uuid_t *uuid, const uuid_t *ns, const void *name,
size_t size)
{
unsigned char hash[SHA1_DIGEST_SIZE];
struct crypto_shash *shash = NULL;
struct shash_desc *desc = NULL;
int rc;
shash = crypto_alloc_shash("sha1", 0, 0);
Reported by FlawFinder.
Line: 180
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rc < 0)
goto out_free_desc;
memcpy(uuid->b, hash, UUID_SIZE);
/* Tag for version 5 */
uuid->b[6] = (hash[6] & 0x0F) | 0x50;
uuid->b[8] = (hash[8] & 0x3F) | 0x80;
Reported by FlawFinder.
Line: 238
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case TEE_IOCTL_LOGIN_GROUP:
memcpy(&ns_grp, connection_data, sizeof(gid_t));
grp = make_kgid(current_user_ns(), ns_grp);
if (!gid_valid(grp) || !in_egroup_p(grp)) {
rc = -EPERM;
goto out_free_name;
}
Reported by FlawFinder.
Line: 889
Column: 51
CWE codes:
362
int offs = 0;
if (!teedesc || !teedesc->name || !teedesc->ops ||
!teedesc->ops->get_version || !teedesc->ops->open ||
!teedesc->ops->release || !pool)
return ERR_PTR(-EINVAL);
teedev = kzalloc(sizeof(*teedev), GFP_KERNEL);
if (!teedev) {
Reported by FlawFinder.
drivers/thermal/intel/int340x_thermal/processor_thermal_mbox.c
5 issues
Line: 111
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int ret = 0;
while (workload_types[i] != NULL)
ret += sprintf(&buf[ret], "%s ", workload_types[i++]);
ret += sprintf(&buf[ret], "\n");
return ret;
}
Reported by FlawFinder.
Line: 168
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (cmd_resp > ARRAY_SIZE(workload_types) - 1)
return -EINVAL;
return sprintf(buf, "%s\n", workload_types[cmd_resp]);
}
static DEVICE_ATTR_RW(workload_type);
static struct attribute *workload_req_attrs[] = {
Reported by FlawFinder.
Line: 125
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *buf, size_t count)
{
struct pci_dev *pdev = to_pci_dev(dev);
char str_preference[15];
u32 data = 0;
ssize_t ret;
ret = sscanf(buf, "%14s", str_preference);
if (ret != 1)
Reported by FlawFinder.
Line: 113
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
while (workload_types[i] != NULL)
ret += sprintf(&buf[ret], "%s ", workload_types[i++]);
ret += sprintf(&buf[ret], "\n");
return ret;
}
static DEVICE_ATTR_RO(workload_available_types);
Reported by FlawFinder.
Line: 129
Column: 8
CWE codes:
120
Suggestion:
Check that the limit is sufficiently small, or use a different input function
u32 data = 0;
ssize_t ret;
ret = sscanf(buf, "%14s", str_preference);
if (ret != 1)
return -EINVAL;
ret = match_string(workload_types, -1, str_preference);
if (ret < 0)
Reported by FlawFinder.
drivers/tty/hvc/hvc_xen.c
5 issues
Line: 675
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_list ap;
va_start(ap, fmt);
vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);
xen_raw_console_write(buf);
}
Reported by FlawFinder.
Line: 671
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void xen_raw_printk(const char *fmt, ...)
{
static char buf[512];
va_list ap;
va_start(ap, fmt);
vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);
Reported by FlawFinder.
Line: 382
Column: 24
CWE codes:
126
if (irq < 0)
return irq;
info->irq = irq;
devid = dev->nodename[strlen(dev->nodename) - 1] - '0';
info->hvc = hvc_alloc(xenbus_devid_to_vtermno(devid),
irq, &domU_hvc_ops, 256);
if (IS_ERR(info->hvc))
return PTR_ERR(info->hvc);
ret = gnttab_alloc_grant_references(1, &gref_head);
Reported by FlawFinder.
Line: 433
Column: 24
CWE codes:
126
int ret, devid;
struct xencons_info *info;
devid = dev->nodename[strlen(dev->nodename) - 1] - '0';
if (devid == 0)
return -ENODEV;
info = kzalloc(sizeof(struct xencons_info), GFP_KERNEL);
if (!info)
Reported by FlawFinder.
Line: 658
Column: 16
CWE codes:
126
void xen_raw_console_write(const char *str)
{
ssize_t len = strlen(str);
int rc = 0;
if (xen_domain()) {
rc = dom0_write_console(0, str, len);
if (rc != -ENOSYS || !xen_hvm_domain())
Reported by FlawFinder.
drivers/tty/n_gsm.c
5 issues
Line: 681
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len += 2;
} else {
gsm->txframe[0] = GSM0_SOF;
memcpy(gsm->txframe + 1 , msg->data, msg->len);
gsm->txframe[msg->len + 1] = GSM0_SOF;
len = msg->len + 2;
}
if (debug & 4)
Reported by FlawFinder.
Line: 895
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*dp++ = last << 7 | first << 6 | 1; /* EA */
len--;
}
memcpy(dp, dlci->skb->data, len);
skb_pull(dlci->skb, len);
__gsm_data_queue(dlci, msg);
if (last) {
dev_kfree_skb_any(dlci->skb);
dlci->skb = NULL;
Reported by FlawFinder.
Line: 1001
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
msg->data[0] = (cmd & 0xFE) << 1 | EA; /* Clear C/R */
msg->data[1] = (dlen << 1) | EA;
memcpy(msg->data + 2, data, dlen);
gsm_data_queue(gsm->dlci[0], msg);
}
/**
* gsm_process_modem - process received modem status
Reported by FlawFinder.
Line: 1303
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (msg == NULL)
return;
msg->data[0] = (ctrl->cmd << 1) | 2 | EA; /* command */
memcpy(msg->data + 1, ctrl->data, ctrl->len);
gsm_data_queue(gsm->dlci[0], msg);
}
/**
* gsm_control_retransmit - retransmit a control frame
Reported by FlawFinder.
Line: 2840
Column: 2
CWE codes:
120
mux_net = netdev_priv(net);
mux_net->dlci = dlci;
kref_init(&mux_net->ref);
strncpy(nc->if_name, net->name, IFNAMSIZ); /* return net name */
/* reconfigure dlci for network */
dlci->prev_adaption = dlci->adaption;
dlci->prev_data = dlci->data;
dlci->adaption = nc->adaption;
Reported by FlawFinder.
drivers/tty/serial/msm_serial.c
5 issues
Line: 172
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct msm_port {
struct uart_port uart;
char name[16];
struct clk *clk;
struct clk *pclk;
unsigned int imr;
int is_uartdm;
unsigned int old_snap_state;
Reported by FlawFinder.
Line: 725
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
port->icount.rx += count;
while (count > 0) {
unsigned char buf[4];
int sysrq, r_count, i;
sr = msm_read(port, UART_SR);
if ((sr & UART_SR_RX_READY) == 0) {
msm_port->old_snap_state -= count;
Reported by FlawFinder.
Line: 841
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
while (tf_pointer < tx_count) {
int i;
char buf[4] = { 0 };
if (!(msm_read(port, UART_SR) & UART_SR_TX_READY))
break;
if (msm_port->is_uartdm)
Reported by FlawFinder.
Line: 876
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct circ_buf *xmit = &msm_port->uart.state->xmit;
struct msm_dma *dma = &msm_port->tx_dma;
unsigned int pio_count, dma_count, dma_min;
char buf[4] = { 0 };
void __iomem *tf;
int err = 0;
if (port->x_char) {
if (msm_port->is_uartdm)
Reported by FlawFinder.
Line: 1619
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
while (i < count) {
int j;
unsigned int num_chars;
char buf[4] = { 0 };
if (is_uartdm)
num_chars = min(count - i, (unsigned int)sizeof(buf));
else
num_chars = 1;
Reported by FlawFinder.
drivers/tty/serial/pch_uart.c
5 issues
Line: 1789
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
priv->port.has_sysrq = IS_ENABLED(CONFIG_SERIAL_PCH_UART_CONSOLE);
priv->trigger = PCH_UART_HAL_TRIGGER_M;
snprintf(priv->irq_name, IRQ_NAME_SIZE,
KBUILD_MODNAME ":" PCH_UART_DRIVER_DEVICE "%d",
priv->port.line);
spin_lock_init(&priv->port.lock);
Reported by FlawFinder.
Line: 240
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
dma_addr_t rx_buf_dma;
#define IRQ_NAME_SIZE 17
char irq_name[IRQ_NAME_SIZE];
/* protect the eg20t_port private structure and io access to membase */
spinlock_t lock;
};
Reported by FlawFinder.
Line: 1042
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct uart_port *port = &priv->port;
struct tty_struct *tty = tty_port_tty_get(&port->state->port);
char *error_msg[5] = {};
int i = 0;
if (lsr & PCH_UART_LSR_ERR)
error_msg[i++] = "Error data in FIFO\n";
Reported by FlawFinder.
Line: 1734
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int fifosize;
int port_type;
struct pch_uart_driver_data *board;
char name[32];
board = &drv_dat[id->driver_data];
port_type = board->port_type;
priv = kzalloc(sizeof(struct eg20t_port), GFP_KERNEL);
Reported by FlawFinder.
Line: 1830
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void pch_uart_exit_port(struct eg20t_port *priv)
{
char name[32];
snprintf(name, sizeof(name), "uart%d_regs", priv->port.line);
debugfs_remove(debugfs_lookup(name, NULL));
uart_remove_one_port(&pch_uart_driver, &priv->port);
free_page((unsigned long)priv->rxbuf.buf);
Reported by FlawFinder.
drivers/tty/vt/consolemap.c
5 issues
Line: 193
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 **uni_pgdir[32];
unsigned long refcount;
unsigned long sum;
unsigned char *inverse_translations[4];
u16 *inverse_trans_unicode;
};
static struct uni_pagedir *dflt;
Reported by FlawFinder.
Line: 326
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i;
unsigned short inbuf[E_TABSZ];
unsigned char ubuf[E_TABSZ];
if (copy_from_user(ubuf, arg, E_TABSZ))
return -EFAULT;
for (i = 0; i < E_TABSZ ; i++)
Reported by FlawFinder.
Line: 335
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
inbuf[i] = UNI_DIRECT_BASE | ubuf[i];
console_lock();
memcpy(translations[USER_MAP], inbuf, sizeof(inbuf));
update_user_maps();
console_unlock();
return 0;
}
Reported by FlawFinder.
Line: 345
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i, ch;
unsigned short *p = translations[USER_MAP];
unsigned char outbuf[E_TABSZ];
console_lock();
for (i = 0; i < E_TABSZ ; i++)
{
ch = conv_uni_to_pc(vc_cons[fg_console].d, p[i]);
Reported by FlawFinder.
Line: 366
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EFAULT;
console_lock();
memcpy(translations[USER_MAP], inbuf, sizeof(inbuf));
update_user_maps();
console_unlock();
return 0;
}
Reported by FlawFinder.
drivers/usb/cdns3/cdns3-gadget.c
5 issues
Line: 462
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!s) {
if (length <= request->length) {
memcpy(&((u8 *)request->buf)[request->actual],
descmiss_req->buf,
descmiss_req->actual);
request->actual = length;
} else {
/* It should never occures */
Reported by FlawFinder.
Line: 474
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (length <= sg_dma_len(s)) {
void *p = phys_to_virt(sg_dma_address(s));
memcpy(&((u8 *)p)[request->actual],
descmiss_req->buf,
descmiss_req->actual);
request->actual = length;
} else {
request->status = -ENOMEM;
Reported by FlawFinder.
Line: 826
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv_req->aligned_buf->dma,
priv_req->aligned_buf->size,
priv_req->aligned_buf->dir);
memcpy(request->buf, priv_req->aligned_buf->buf,
request->length);
}
priv_req->flags &= ~(REQUEST_PENDING | REQUEST_UNALIGNED);
/* All TRBs have finished, clear the counter */
Reported by FlawFinder.
Line: 949
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Make DMA buffer CPU accessible */
dma_sync_single_for_cpu(priv_dev->sysdev,
buf->dma, buf->size, buf->dir);
memcpy(buf->buf, priv_req->request.buf,
priv_req->request.length);
}
/* Transfer DMA buffer ownership back to device */
dma_sync_single_for_device(priv_dev->sysdev,
Reported by FlawFinder.
Line: 2159
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long num;
int ret;
/* ep name pattern likes epXin or epXout */
char c[2] = {ep->name[2], '\0'};
ret = kstrtoul(c, 10, &num);
if (ret)
return ERR_PTR(ret);
Reported by FlawFinder.
drivers/usb/core/config.c
5 issues
Line: 69
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cfgno, inum, asnum, ep->desc.bEndpointAddress);
return;
}
memcpy(&ep->ssp_isoc_ep_comp, desc, USB_DT_SSP_ISOC_EP_COMP_SIZE);
}
static void usb_parse_ss_endpoint_companion(struct device *ddev, int cfgno,
int inum, int asnum, struct usb_host_endpoint *ep,
unsigned char *buffer, int size)
Reported by FlawFinder.
Line: 108
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
buffer += desc->bLength;
size -= desc->bLength;
memcpy(&ep->ss_ep_comp, desc, USB_DT_SS_EP_COMP_SIZE);
/* Check the various values */
if (usb_endpoint_xfer_control(&ep->desc) && desc->bMaxBurst != 0) {
dev_warn(ddev, "Control endpoint with bMaxBurst = %d in "
"config %d interface %d altsetting %d ep %d: "
Reported by FlawFinder.
Line: 314
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
++ifp->desc.bNumEndpoints;
memcpy(&endpoint->desc, d, n);
INIT_LIST_HEAD(&endpoint->urb_list);
/*
* Fix up bInterval values outside the legal range.
* Use 10 or 8 ms if no proper value can be guessed.
Reported by FlawFinder.
Line: 544
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
++intfc->num_altsetting;
memcpy(&alt->desc, d, USB_DT_INTERFACE_SIZE);
/* Skip over any Class Specific or Vendor Specific descriptors;
* find the first endpoint or interface descriptor */
alt->extra = buffer;
i = find_next_descriptor(buffer, size, USB_DT_ENDPOINT,
Reported by FlawFinder.
Line: 621
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 inums[USB_MAXINTERFACES], nalts[USB_MAXINTERFACES];
unsigned iad_num = 0;
memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
nintf = nintf_orig = config->desc.bNumInterfaces;
config->desc.bNumInterfaces = 0; // Adjusted later
if (config->desc.bDescriptorType != USB_DT_CONFIG ||
config->desc.bLength < USB_DT_CONFIG_SIZE ||
Reported by FlawFinder.