The following issues were found
drivers/usb/core/endpoint.c
5 issues
Line: 42
Column: 9
CWE codes:
134
Suggestion:
Make format string constant
char *buf) \
{ \
struct ep_device *ep = to_ep_device(dev); \
return sprintf(buf, format_string, ep->desc->field); \
} \
static DEVICE_ATTR_RO(field)
usb_ep_attr(bLength, "%02x\n");
usb_ep_attr(bEndpointAddress, "%02x\n");
Reported by FlawFinder.
Line: 79
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
type = "Interrupt";
break;
}
return sprintf(buf, "%s\n", type);
}
static DEVICE_ATTR_RO(type);
static ssize_t interval_show(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 114
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
direction = "in";
else
direction = "out";
return sprintf(buf, "%s\n", direction);
}
static DEVICE_ATTR_RO(direction);
static struct attribute *ep_dev_attrs[] = {
&dev_attr_bLength.attr,
Reported by FlawFinder.
Line: 55
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct ep_device *ep = to_ep_device(dev);
return sprintf(buf, "%04x\n", usb_endpoint_maxp(ep->desc));
}
static DEVICE_ATTR_RO(wMaxPacketSize);
static ssize_t type_show(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 98
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
interval /= 1000;
}
return sprintf(buf, "%d%cs\n", interval, unit);
}
static DEVICE_ATTR_RO(interval);
static ssize_t direction_show(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
drivers/usb/core/port.c
5 issues
Line: 49
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
break;
}
return sprintf(buf, "%s\n", result);
}
static DEVICE_ATTR_RO(connect_type);
static ssize_t over_current_count_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 102
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
p = "0";
}
return sprintf(buf, "%s\n", p);
}
static ssize_t usb3_lpm_permit_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 24
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct usb_port *port_dev = to_usb_port(dev);
return sprintf(buf, "0x%08x\n", port_dev->location);
}
static DEVICE_ATTR_RO(location);
static ssize_t connect_type_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 58
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct usb_port *port_dev = to_usb_port(dev);
return sprintf(buf, "%u\n", port_dev->over_current_count);
}
static DEVICE_ATTR_RO(over_current_count);
static ssize_t quirks_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 67
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct usb_port *port_dev = to_usb_port(dev);
return sprintf(buf, "%08x\n", port_dev->quirks);
}
static ssize_t quirks_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
drivers/usb/dwc3/debugfs.c
5 issues
Line: 362
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct seq_file *s = file->private_data;
struct dwc3 *dwc = s->private;
unsigned long flags;
char buf[32] = { 0 };
u32 sel;
int ret;
if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
return -EFAULT;
Reported by FlawFinder.
Line: 426
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct seq_file *s = file->private_data;
struct dwc3 *dwc = s->private;
u32 mode = 0;
char buf[32];
if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
return -EFAULT;
if (dwc->dr_mode != USB_DR_MODE_OTG)
Reported by FlawFinder.
Line: 506
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dwc3 *dwc = s->private;
unsigned long flags;
u32 testmode = 0;
char buf[32];
if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
return -EFAULT;
if (!strncmp(buf, "test_j", 6))
Reported by FlawFinder.
Line: 579
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dwc3 *dwc = s->private;
unsigned long flags;
enum dwc3_link_state state = 0;
char buf[32];
u32 reg;
u8 speed;
if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
return -EFAULT;
Reported by FlawFinder.
Line: 632
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct dwc3_ep_file_map {
const char name[25];
const struct file_operations *const fops;
};
static int dwc3_tx_fifo_size_show(struct seq_file *s, void *unused)
{
Reported by FlawFinder.
drivers/usb/gadget/composite.c
5 issues
Line: 1551
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (d && d->ext_compat_id) {
*buf++ = i;
*buf++ = 0x01;
memcpy(buf, d->ext_compat_id, 16);
buf += 22;
} else {
++buf;
*buf = 0x01;
buf += 23;
Reported by FlawFinder.
Line: 1723
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
value = min(w_length, (u16) sizeof cdev->desc);
memcpy(req->buf, &cdev->desc, value);
break;
case USB_DT_DEVICE_QUALIFIER:
if (!gadget_is_dualspeed(gadget) ||
gadget->speed >= USB_SPEED_SUPER)
break;
Reported by FlawFinder.
Line: 1779
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct usb_otg_descriptor);
value = min_t(int, w_length, otg_desc_len);
memcpy(req->buf, config->descriptors[0], value);
}
break;
}
break;
Reported by FlawFinder.
Line: 2118
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct usb_gadget *gadget = dev_to_usb_gadget(dev);
struct usb_composite_dev *cdev = get_gadget_data(gadget);
return sprintf(buf, "%d\n", cdev->suspended);
}
static DEVICE_ATTR_RO(suspended);
static void __composite_unbind(struct usb_gadget *gadget, bool unbind_driver)
{
Reported by FlawFinder.
Line: 2559
Column: 14
CWE codes:
126
desc->iManufacturer = dev_str[USB_GADGET_MANUFACTURER_IDX].id;
dev_str[USB_GADGET_MANUFACTURER_IDX].s = covr->manufacturer;
} else if (!strlen(dev_str[USB_GADGET_MANUFACTURER_IDX].s)) {
desc->iManufacturer = dev_str[USB_GADGET_MANUFACTURER_IDX].id;
cdev->def_manufacturer = composite_default_mfr(cdev->gadget);
dev_str[USB_GADGET_MANUFACTURER_IDX].s = cdev->def_manufacturer;
}
Reported by FlawFinder.
drivers/usb/gadget/function/f_hid.c
5 issues
Line: 594
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
length = min_t(unsigned short, length,
hidg_desc_copy.bLength);
memcpy(req->buf, &hidg_desc_copy, length);
goto respond;
break;
}
case HID_DT_REPORT:
VDBG(cdev, "USB_REQ_GET_DESCRIPTOR: REPORT\n");
Reported by FlawFinder.
Line: 602
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
VDBG(cdev, "USB_REQ_GET_DESCRIPTOR: REPORT\n");
length = min_t(unsigned short, length,
hidg->report_desc_length);
memcpy(req->buf, hidg->report_desc, length);
goto respond;
break;
default:
VDBG(cdev, "Unknown descriptor request 0x%x\n",
Reported by FlawFinder.
Line: 914
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int result; \
\
mutex_lock(&opts->lock); \
result = sprintf(page, "%d\n", opts->name); \
mutex_unlock(&opts->lock); \
\
return result; \
} \
\
Reported by FlawFinder.
Line: 962
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&opts->lock);
result = opts->report_desc_length;
memcpy(page, opts->report_desc, opts->report_desc_length);
mutex_unlock(&opts->lock);
return result;
}
Reported by FlawFinder.
Line: 1004
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct f_hid_opts *opts = to_f_hid_opts(item);
return sprintf(page, "%d:%d\n", major, opts->minor);
}
CONFIGFS_ATTR_RO(f_hid_opts_, dev);
static struct configfs_attribute *hid_attrs[] = {
Reported by FlawFinder.
drivers/usb/gadget/function/u_ether.h
5 issues
Line: 80
Column: 12
CWE codes:
362
struct sk_buff_head *list);
/* called on network open/close */
void (*open)(struct gether *);
void (*close)(struct gether *);
};
#define DEFAULT_FILTER (USB_CDC_PACKET_TYPE_BROADCAST \
|USB_CDC_PACKET_TYPE_ALL_MULTICAST \
Reported by FlawFinder.
Line: 91
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* variant of gether_setup that allows customizing network device name */
struct eth_dev *gether_setup_name(struct usb_gadget *g,
const char *dev_addr, const char *host_addr,
u8 ethaddr[ETH_ALEN], unsigned qmult, const char *netname);
/* netdev setup/teardown as directed by the gadget driver */
/* gether_setup - initialize one ethernet-over-usb link
* @g: gadget to associated with these links
Reported by FlawFinder.
Line: 91
Column: 31
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* variant of gether_setup that allows customizing network device name */
struct eth_dev *gether_setup_name(struct usb_gadget *g,
const char *dev_addr, const char *host_addr,
u8 ethaddr[ETH_ALEN], unsigned qmult, const char *netname);
/* netdev setup/teardown as directed by the gadget driver */
/* gether_setup - initialize one ethernet-over-usb link
* @g: gadget to associated with these links
Reported by FlawFinder.
Line: 108
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* Returns a eth_dev pointer on success, or an ERR_PTR on failure
*/
static inline struct eth_dev *gether_setup(struct usb_gadget *g,
const char *dev_addr, const char *host_addr,
u8 ethaddr[ETH_ALEN], unsigned qmult)
{
return gether_setup_name(g, dev_addr, host_addr, ethaddr, qmult, "usb");
}
Reported by FlawFinder.
Line: 108
Column: 31
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* Returns a eth_dev pointer on success, or an ERR_PTR on failure
*/
static inline struct eth_dev *gether_setup(struct usb_gadget *g,
const char *dev_addr, const char *host_addr,
u8 ethaddr[ETH_ALEN], unsigned qmult)
{
return gether_setup_name(g, dev_addr, host_addr, ethaddr, qmult, "usb");
}
Reported by FlawFinder.
drivers/usb/gadget/function/u_serial.c
5 issues
Line: 1241
CWE codes:
788
/* ... and sysfs class devices, so mdev/udev make /dev/ttyGS* */
port = ports[port_num].port;
tty_dev = tty_port_register_device(&port->port,
gs_tty_driver, port_num, NULL);
if (IS_ERR(tty_dev)) {
pr_err("%s: failed to register tty for port %d, err %ld\n",
__func__, port_num, PTR_ERR(tty_dev));
Reported by Cppcheck.
Line: 906
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return;
if (cons->missed && ep->maxpacket >= 64) {
char buf[64];
size_t len;
len = sprintf(buf, "\n[missed %zu bytes]\n", cons->missed);
kfifo_in(&cons->buf, buf, len);
cons->missed = 0;
Reported by FlawFinder.
Line: 909
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char buf[64];
size_t len;
len = sprintf(buf, "\n[missed %zu bytes]\n", cons->missed);
kfifo_in(&cons->buf, buf, len);
cons->missed = 0;
}
req->length = size;
Reported by FlawFinder.
Line: 1020
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!cons)
return -ENOMEM;
strcpy(cons->console.name, "ttyGS");
cons->console.write = gs_console_write;
cons->console.device = gs_console_device;
cons->console.flags = CON_PRINTBUFFER;
cons->console.index = port->port_num;
Reported by FlawFinder.
Line: 1107
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (WARN_ON(port == NULL))
ret = -ENXIO;
else
ret = sprintf(page, "%u\n", !!port->console);
mutex_unlock(&ports[port_num].lock);
return ret;
}
Reported by FlawFinder.
drivers/usb/gadget/udc/fsl_udc_core.c
5 issues
Line: 2314
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
struct fsl_ep *ep = &udc->eps[index];
ep->udc = udc;
strcpy(ep->name, name);
ep->ep.name = ep->name;
ep->ep.ops = &fsl_ep_ops;
ep->stopped = 0;
Reported by FlawFinder.
Line: 1581
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*p++ = le32_to_cpu(*s++);
*p = le32_to_cpu(*s);
} else {
memcpy(buffer_ptr, (u8 *) qh->setup_buffer, 8);
}
} while (!(fsl_readl(&dr_regs->usbcmd) & USB_CMD_SUTW));
/* Clear Setup Tripwire */
temp = fsl_readl(&dr_regs->usbcmd);
Reported by FlawFinder.
Line: 2488
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* setup the udc->eps[] for non-control endpoints and link
* to gadget.ep_list */
for (i = 1; i < (int)(udc_controller->max_ep / 2); i++) {
char name[14];
sprintf(name, "ep%dout", i);
struct_ep_setup(udc_controller, i * 2, name, 1);
sprintf(name, "ep%din", i);
struct_ep_setup(udc_controller, i * 2 + 1, name, 1);
Reported by FlawFinder.
Line: 2490
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 1; i < (int)(udc_controller->max_ep / 2); i++) {
char name[14];
sprintf(name, "ep%dout", i);
struct_ep_setup(udc_controller, i * 2, name, 1);
sprintf(name, "ep%din", i);
struct_ep_setup(udc_controller, i * 2 + 1, name, 1);
}
Reported by FlawFinder.
Line: 2492
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(name, "ep%dout", i);
struct_ep_setup(udc_controller, i * 2, name, 1);
sprintf(name, "ep%din", i);
struct_ep_setup(udc_controller, i * 2 + 1, name, 1);
}
/* use dma_pool for TD management */
udc_controller->td_pool = dma_pool_create("udc_td", &pdev->dev,
Reported by FlawFinder.
drivers/usb/host/fotg210-hcd.c
5 issues
Line: 264
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* functions have the "wrong" filename when they're output... */
#define dbg_status(fotg210, label, status) { \
char _buf[80]; \
dbg_status_buf(_buf, sizeof(_buf), label, status); \
fotg210_dbg(fotg210, "%s\n", _buf); \
}
#define dbg_cmd(fotg210, label, command) { \
Reported by FlawFinder.
Line: 270
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
#define dbg_cmd(fotg210, label, command) { \
char _buf[80]; \
dbg_command_buf(_buf, sizeof(_buf), label, command); \
fotg210_dbg(fotg210, "%s\n", _buf); \
}
#define dbg_port(fotg210, label, port, status) { \
Reported by FlawFinder.
Line: 276
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
#define dbg_port(fotg210, label, port, status) { \
char _buf[80]; \
fotg210_dbg(fotg210, "%s\n", \
dbg_port_buf(_buf, sizeof(_buf), label, port, status));\
}
/* troubleshooting help: expose state in debugfs */
Reported by FlawFinder.
Line: 646
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct fotg210_hcd *fotg210;
unsigned long flags;
unsigned temp, size, i;
char *next, scratch[80];
static const char fmt[] = "%*s\n";
static const char label[] = "";
hcd = bus_to_hcd(buf->bus);
fotg210 = hcd_to_fotg210(hcd);
Reported by FlawFinder.
Line: 483
Column: 9
CWE codes:
126
}
spin_unlock_irqrestore(&fotg210->lock, flags);
return strlen(buf->output_buf);
}
/* count tds, get ep direction */
static unsigned output_buf_tds_dir(char *buf, struct fotg210_hcd *fotg210,
struct fotg210_qh_hw *hw, struct fotg210_qh *qh, unsigned size)
Reported by FlawFinder.
drivers/usb/misc/sisusbvga/sisusb_struct.h
5 issues
Line: 72
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char ROWS;
unsigned char CHAR_HEIGHT;
unsigned short CRT_LEN;
unsigned char SR[4];
unsigned char MISC;
unsigned char CRTC[0x19];
unsigned char ATTR[0x14];
unsigned char GRC[9];
};
Reported by FlawFinder.
Line: 74
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short CRT_LEN;
unsigned char SR[4];
unsigned char MISC;
unsigned char CRTC[0x19];
unsigned char ATTR[0x14];
unsigned char GRC[9];
};
struct SiS_StResInfo_S {
Reported by FlawFinder.
Line: 75
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char SR[4];
unsigned char MISC;
unsigned char CRTC[0x19];
unsigned char ATTR[0x14];
unsigned char GRC[9];
};
struct SiS_StResInfo_S {
unsigned short HTotal;
Reported by FlawFinder.
Line: 76
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char MISC;
unsigned char CRTC[0x19];
unsigned char ATTR[0x14];
unsigned char GRC[9];
};
struct SiS_StResInfo_S {
unsigned short HTotal;
unsigned short VTotal;
Reported by FlawFinder.
Line: 112
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct SiS_CRT1Table {
unsigned char CR[17];
};
struct SiS_VCLKData {
unsigned char SR2B, SR2C;
unsigned short CLOCK;
Reported by FlawFinder.