The following issues were found
drivers/net/can/spi/mcp251x.c
5 issues
Line: 632
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mcp251x_write_reg(spi, TXBCTRL(tx_buf_idx) + i,
buf[i]);
} else {
memcpy(priv->spi_tx_buf, buf, TXBDAT_OFF + len);
mcp251x_spi_write(spi, TXBDAT_OFF + len);
}
}
static void mcp251x_hw_tx(struct spi_device *spi, struct can_frame *frame,
Reported by FlawFinder.
Line: 660
Column: 2
CWE codes:
120
Suggestion:
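Make sure destination can always hold the source data
Triage note: the flagged call copies frame->len bytes from frame->data into buf at offset TXBDAT_OFF. Neither the size of buf nor a bound on frame->len is visible in this excerpt; confirm both in the full function before closing the finding.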
buf[TXBEID8_OFF] = GET_BYTE(eid, 1);
buf[TXBEID0_OFF] = GET_BYTE(eid, 0);
buf[TXBDLC_OFF] = (rtr << DLC_RTR_SHIFT) | frame->len;
memcpy(buf + TXBDAT_OFF, frame->data, frame->len);
mcp251x_hw_tx_frame(spi, buf, frame->len, tx_buf_idx);
/* use INSTRUCTION_RTS, to avoid "repeated frame problem" */
priv->spi_tx_buf[0] = INSTRUCTION_RTS(1 << tx_buf_idx);
mcp251x_spi_write(priv->spi, 1);
Reported by FlawFinder.
Line: 688
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spi_write_then_read(spi, priv->spi_tx_buf, 1,
priv->spi_rx_buf,
SPI_TRANSFER_BUF_LEN);
memcpy(buf + 1, priv->spi_rx_buf,
SPI_TRANSFER_BUF_LEN - 1);
} else {
mcp251x_spi_trans(spi, SPI_TRANSFER_BUF_LEN);
memcpy(buf, priv->spi_rx_buf, SPI_TRANSFER_BUF_LEN);
}
Reported by FlawFinder.
Line: 692
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
SPI_TRANSFER_BUF_LEN - 1);
} else {
mcp251x_spi_trans(spi, SPI_TRANSFER_BUF_LEN);
memcpy(buf, priv->spi_rx_buf, SPI_TRANSFER_BUF_LEN);
}
}
}
static void mcp251x_hw_rx(struct spi_device *spi, int buf_idx)
Reported by FlawFinder.
Line: 736
Column: 2
CWE codes:
120
Suggestion:
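Make sure destination can always hold the source data
Triage note: here the copy length is assigned on the line before the memcpy, from can_cc_dlc2len() applied to the DLC byte masked with RXBDLC_LEN_MASK. The finding can be closed once that helper's maximum return value is confirmed to fit both frame->data and the bytes of buf after RXBDAT_OFF; the excerpt shows neither size.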
}
/* Data length */
frame->len = can_cc_dlc2len(buf[RXBDLC_OFF] & RXBDLC_LEN_MASK);
memcpy(frame->data, buf + RXBDAT_OFF, frame->len);
priv->net->stats.rx_packets++;
priv->net->stats.rx_bytes += frame->len;
can_led_event(priv->net, CAN_LED_EVENT_RX);
Reported by FlawFinder.
drivers/mmc/host/alcor.c
5 issues
Line: 185
Column: 69
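CWE codes:
120
20
Triage note: column 69 of this line is the parameter name `read` in the signature `alcor_trf_block_pio(..., bool read)`. In all five excerpts for this file the flagged position coincides with a use of that boolean, not with a call to read(); the findings look like name matches and should be triaged as likely false positives.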
AU6601_DATA_XFER_CTRL);
}
static void alcor_trf_block_pio(struct alcor_sdmmc_host *host, bool read)
{
struct alcor_pci_priv *priv = host->alcor_pci;
size_t blksize, len;
u8 *buf;
Reported by FlawFinder.
Line: 199
Column: 47
CWE codes:
120
20
return;
}
if (!!(host->data->flags & MMC_DATA_READ) != read) {
dev_err(host->dev, "got unexpected direction %i != %i\n",
!!(host->data->flags & MMC_DATA_READ), read);
}
if (!sg_miter_next(&host->sg_miter))
Reported by FlawFinder.
Line: 201
Column: 43
CWE codes:
120
20
if (!!(host->data->flags & MMC_DATA_READ) != read) {
dev_err(host->dev, "got unexpected direction %i != %i\n",
!!(host->data->flags & MMC_DATA_READ), read);
}
if (!sg_miter_next(&host->sg_miter))
return;
Reported by FlawFinder.
Line: 211
Column: 3
CWE codes:
120
20
len = min(host->sg_miter.length, blksize);
dev_dbg(host->dev, "PIO, %s block size: 0x%zx\n",
read ? "read" : "write", blksize);
host->sg_miter.consumed = len;
host->blocks--;
buf = host->sg_miter.addr;
Reported by FlawFinder.
Line: 218
Column: 6
CWE codes:
120
20
buf = host->sg_miter.addr;
if (read)
ioread32_rep(priv->iobase + AU6601_REG_BUFFER, buf, len >> 2);
else
iowrite32_rep(priv->iobase + AU6601_REG_BUFFER, buf, len >> 2);
sg_miter_stop(&host->sg_miter);
Reported by FlawFinder.
drivers/net/dsa/sja1105/sja1105_dynamic_config.c
5 issues
Line: 1209
Column: 26
CWE codes:
362/367!
Suggestion:
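Set up the correct permissions (e.g., using setuid()) and try to open the file directly
Triage note: the flagged token is the struct member `ops->access`, a bitmask tested against OP_SEARCH, OP_READ, OP_WRITE, OP_DEL and OP_VALID_ANYWAY in these excerpts, not a call to access(). The file-permission race described by CWE-362/367 does not apply to the code shown. The same holds for the other four findings in this file.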
if (index >= 0 && index >= ops->max_entry_count)
return -ERANGE;
if (index < 0 && !(ops->access & OP_SEARCH))
return -EOPNOTSUPP;
if (!(ops->access & OP_READ))
return -EOPNOTSUPP;
if (ops->packed_size > SJA1105_MAX_DYN_CMD_SIZE)
return -ERANGE;
Reported by FlawFinder.
Line: 1211
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return -ERANGE;
if (index < 0 && !(ops->access & OP_SEARCH))
return -EOPNOTSUPP;
if (!(ops->access & OP_READ))
return -EOPNOTSUPP;
if (ops->packed_size > SJA1105_MAX_DYN_CMD_SIZE)
return -ERANGE;
if (!ops->cmd_packing)
return -EOPNOTSUPP;
Reported by FlawFinder.
Line: 1257
Column: 31
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
cmd = (struct sja1105_dyn_cmd) {0};
ops->cmd_packing(packed_buf, &cmd, UNPACK);
if (!cmd.valident && !(ops->access & OP_VALID_ANYWAY))
return -ENOENT;
cpu_relax();
} while (cmd.valid && --retries);
if (cmd.valid)
Reported by FlawFinder.
Line: 1292
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return -ERANGE;
if (index < 0)
return -ERANGE;
if (!(ops->access & OP_WRITE))
return -EOPNOTSUPP;
if (!keep && !(ops->access & OP_DEL))
return -EOPNOTSUPP;
if (ops->packed_size > SJA1105_MAX_DYN_CMD_SIZE)
return -ERANGE;
Reported by FlawFinder.
Line: 1294
Column: 22
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return -ERANGE;
if (!(ops->access & OP_WRITE))
return -EOPNOTSUPP;
if (!keep && !(ops->access & OP_DEL))
return -EOPNOTSUPP;
if (ops->packed_size > SJA1105_MAX_DYN_CMD_SIZE)
return -ERANGE;
cmd.valident = keep; /* If false, deletes entry */
Reported by FlawFinder.
drivers/mtd/nand/raw/brcmnand/brcmnand.c
5 issues
Line: 2551
Column: 9
CWE codes:
120
Suggestion:
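Use sprintf_s, snprintf, or vsnprintf
Triage note: brcmnand_print_cfg() receives `char *buf` with no length argument, so a bounded formatter can only be used if the buffer size is passed in as well. A later excerpt for this file declares `char msg[128]`, which is presumably the buffer handed to this function; confirm at the call site. The code advances buf by the formatter's return value, so a replacement must return the number of characters actually written (in kernel code, scnprintf) rather than the untruncated length that snprintf returns. sprintf_s is not available in the kernel.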
static void brcmnand_print_cfg(struct brcmnand_host *host,
char *buf, struct brcmnand_cfg *cfg)
{
buf += sprintf(buf,
"%lluMiB total, %uKiB blocks, %u%s pages, %uB OOB, %u-bit",
(unsigned long long)cfg->device_size >> 20,
cfg->block_size >> 10,
cfg->page_size >= 1024 ? cfg->page_size >> 10 : cfg->page_size,
cfg->page_size >= 1024 ? "KiB" : "B",
Reported by FlawFinder.
Line: 2561
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* Account for Hamming ECC and for BCH 512B vs 1KiB sectors */
if (is_hamming_ecc(host->ctrl, cfg))
sprintf(buf, ", Hamming ECC");
else if (cfg->sector_size_1k)
sprintf(buf, ", BCH-%u (1KiB sector)", cfg->ecc_level << 1);
else
sprintf(buf, ", BCH-%u", cfg->ecc_level);
}
Reported by FlawFinder.
Line: 2563
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (is_hamming_ecc(host->ctrl, cfg))
sprintf(buf, ", Hamming ECC");
else if (cfg->sector_size_1k)
sprintf(buf, ", BCH-%u (1KiB sector)", cfg->ecc_level << 1);
else
sprintf(buf, ", BCH-%u", cfg->ecc_level);
}
/*
Reported by FlawFinder.
Line: 2565
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (cfg->sector_size_1k)
sprintf(buf, ", BCH-%u (1KiB sector)", cfg->ecc_level << 1);
else
sprintf(buf, ", BCH-%u", cfg->ecc_level);
}
/*
* Minimum number of bytes to address a page. Calculated as:
* roundup(log2(size / page-size) / 8)
Reported by FlawFinder.
Line: 2588
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
nanddev_get_ecc_requirements(&chip->base);
struct brcmnand_controller *ctrl = host->ctrl;
struct brcmnand_cfg *cfg = &host->hwcfg;
char msg[128];
u32 offs, tmp, oob_sector;
int ret;
memset(cfg, 0, sizeof(*cfg));
Reported by FlawFinder.
drivers/mtd/nand/spi/core.c
5 issues
Line: 398
Column: 3
CWE codes:
120
Suggestion:
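Make sure destination can always hold the source data
Triage note: the offset and length of this copy come from the request (req->dataoffs, req->datalen). The excerpt shows no check that dataoffs + datalen stays within spinand->databuf, so the bound has to be enforced wherever the request is built; confirm that before closing this and the matching findings at lines 408, 439 and 449.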
}
if (req->datalen)
memcpy(req->databuf.in, spinand->databuf + req->dataoffs,
req->datalen);
if (req->ooblen) {
if (req->mode == MTD_OPS_AUTO_OOB)
mtd_ooblayout_get_databytes(mtd, req->oobbuf.in,
Reported by FlawFinder.
Line: 408
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->ooboffs,
req->ooblen);
else
memcpy(req->oobbuf.in, spinand->oobbuf + req->ooboffs,
req->ooblen);
}
return 0;
}
Reported by FlawFinder.
Line: 439
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(spinand->databuf, 0xff, nanddev_page_size(nand));
if (req->datalen)
memcpy(spinand->databuf + req->dataoffs, req->databuf.out,
req->datalen);
if (req->ooblen) {
if (req->mode == MTD_OPS_AUTO_OOB)
mtd_ooblayout_set_databytes(mtd, req->oobbuf.out,
Reported by FlawFinder.
Line: 449
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->ooboffs,
req->ooblen);
else
memcpy(spinand->oobbuf + req->ooboffs, req->oobbuf.out,
req->ooblen);
}
wdesc = spinand->dirmaps[req->pos.plane].wdesc;
Reported by FlawFinder.
Line: 536
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = spi_mem_exec_op(spinand->spimem, &op);
if (!ret)
memcpy(buf, spinand->scratchbuf, SPINAND_MAX_ID_LEN);
return ret;
}
static int spinand_reset_op(struct spinand_device *spinand)
Reported by FlawFinder.
drivers/mtd/nftlmount.c
5 issues
Line: 143
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* This is the first we've seen. Copy the media header structure into place */
memcpy(mh, buf, sizeof(struct NFTLMediaHeader));
/* Do some sanity checks on it */
#if 0
The new DiskOnChip driver scans the MediaHeader itself, and presents a virtual
erasesize based on UnitSizeFactor. So the erasesize we read from the mtd
Reported by FlawFinder.
Line: 252
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i;
for (i = 0; i < n; i++) {
if (c != ((unsigned char *)a)[i])
return 1;
}
return 0;
}
Reported by FlawFinder.
Line: 100
Column: 14
CWE codes:
120
20
}
/* Finally reread to check ECC */
ret = mtd->read(mtd, block * nftl->EraseSize, SECTORSIZE,
&retlen, buf);
if (ret < 0) {
printk(KERN_NOTICE "ANAND header found at 0x%x in mtd%d, but ECC read failed (err %d)\n",
block * nftl->EraseSize, nftl->mbd.mtd->index, ret);
continue;
Reported by FlawFinder.
Line: 148
Column: 57
CWE codes:
120
20
/* Do some sanity checks on it */
#if 0
The new DiskOnChip driver scans the MediaHeader itself, and presents a virtual
erasesize based on UnitSizeFactor. So the erasesize we read from the mtd
device is already correct.
if (mh->UnitSizeFactor == 0) {
printk(KERN_NOTICE "NFTL: UnitSizeFactor 0x00 detected. This violates the spec but we think we know what it means...\n");
} else if (mh->UnitSizeFactor < 0xfc) {
printk(KERN_NOTICE "Sorry, we don't support UnitSizeFactor 0x%02x\n",
Reported by FlawFinder.
Line: 219
Column: 16
CWE codes:
120
20
The new DiskOnChip driver already scanned the bad block table. Just query it.
if ((i & (SECTORSIZE - 1)) == 0) {
/* read one sector for every SECTORSIZE of blocks */
ret = mtd->read(nftl->mbd.mtd,
block * nftl->EraseSize + i +
SECTORSIZE, SECTORSIZE,
&retlen, buf);
if (ret < 0) {
printk(KERN_NOTICE "Read of bad sector table failed (err %d)\n",
Reported by FlawFinder.
drivers/misc/lkdtm/fortify.c
5 issues
Line: 20
Column: 2
CWE codes:
119
120
Suggestion:
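Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Triage note: the last excerpt for this file carries the comment "there is a runtime write overflow" and logs "FAIL: strscpy() overflow not detected!" when the copy is not stopped, so the undersized `dst[5]` is a deliberate test fixture. Treat the five findings in this file as expected and do not enlarge the buffers.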
void lkdtm_FORTIFIED_STRSCPY(void)
{
char *src;
char dst[5];
struct {
union {
char big[10];
char src[5];
Reported by FlawFinder.
Line: 24
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct {
union {
char big[10];
char src[5];
};
} weird = { .big = "hello!" };
char weird_dst[sizeof(weird.src) + 1];
Reported by FlawFinder.
Line: 25
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct {
union {
char big[10];
char src[5];
};
} weird = { .big = "hello!" };
char weird_dst[sizeof(weird.src) + 1];
src = kstrdup("foobar", GFP_KERNEL);
Reported by FlawFinder.
Line: 28
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char src[5];
};
} weird = { .big = "hello!" };
char weird_dst[sizeof(weird.src) + 1];
src = kstrdup("foobar", GFP_KERNEL);
if (src == NULL)
return;
Reported by FlawFinder.
Line: 77
Column: 20
CWE codes:
126
* Use strlen here so size cannot be known at compile time and there is
* a runtime write overflow.
*/
strscpy(dst, src, strlen(src));
pr_err("FAIL: strscpy() overflow not detected!\n");
pr_expected_config(CONFIG_FORTIFY_SOURCE);
kfree(src);
Reported by FlawFinder.
drivers/net/dsa/vitesse-vsc73xx-core.c
5 issues
Line: 379
Column: 19
CWE codes:
120
20
static int vsc73xx_read(struct vsc73xx *vsc, u8 block, u8 subblock, u8 reg,
u32 *val)
{
return vsc->ops->read(vsc, block, subblock, reg, val);
}
static int vsc73xx_write(struct vsc73xx *vsc, u8 block, u8 subblock, u8 reg,
u32 val)
{
Reported by FlawFinder.
Line: 953
Column: 2
CWE codes:
120
/* The first counters is the RX octets */
j = 0;
strncpy(data + j * ETH_GSTRING_LEN,
"RxEtherStatsOctets", ETH_GSTRING_LEN);
j++;
/* Each port supports recording 3 RX counters and 3 TX counters,
* figure out what counters we use in this set-up and return the
Reported by FlawFinder.
Line: 966
Column: 4
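CWE codes:
120
Triage note: strncpy() leaves the destination without a terminating NUL when the source is ETH_GSTRING_LEN bytes or longer; the maximum length of cnt->name is not visible in this excerpt. As the excerpt reads (indentation is lost), j++ follows an unbraced if, so when no counter is found the slot is skipped without being written; check that the caller pre-initialises the string table.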
for (i = 0; i < 3; i++) {
cnt = vsc73xx_find_counter(vsc, indices[i], false);
if (cnt)
strncpy(data + j * ETH_GSTRING_LEN,
cnt->name, ETH_GSTRING_LEN);
j++;
}
/* TX stats begins with the number of TX octets */
Reported by FlawFinder.
Line: 972
Column: 2
CWE codes:
120
}
/* TX stats begins with the number of TX octets */
strncpy(data + j * ETH_GSTRING_LEN,
"TxEtherStatsOctets", ETH_GSTRING_LEN);
j++;
for (i = 3; i < 6; i++) {
cnt = vsc73xx_find_counter(vsc, indices[i], true);
Reported by FlawFinder.
Line: 979
Column: 4
CWE codes:
120
for (i = 3; i < 6; i++) {
cnt = vsc73xx_find_counter(vsc, indices[i], true);
if (cnt)
strncpy(data + j * ETH_GSTRING_LEN,
cnt->name, ETH_GSTRING_LEN);
j++;
}
}
Reported by FlawFinder.
drivers/media/i2c/saa717x.c
5 issues
Line: 91
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct i2c_client *client = v4l2_get_subdevdata(sd);
struct i2c_adapter *adap = client->adapter;
int fw_addr = reg == 0x454 || (reg >= 0x464 && reg <= 0x478) || reg == 0x480 || reg == 0x488;
unsigned char mm1[6];
struct i2c_msg msg;
msg.flags = 0;
msg.addr = client->addr;
mm1[0] = (reg >> 8) & 0xff;
Reported by FlawFinder.
Line: 125
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct i2c_client *client = v4l2_get_subdevdata(sd);
struct i2c_adapter *adap = client->adapter;
int fw_addr = (reg >= 0x404 && reg <= 0x4b8) || reg == 0x528;
unsigned char mm1[2];
unsigned char mm2[4] = { 0, 0, 0, 0 };
struct i2c_msg msgs[2];
u32 value;
msgs[0].flags = 0;
Reported by FlawFinder.
Line: 126
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct i2c_adapter *adap = client->adapter;
int fw_addr = (reg >= 0x404 && reg <= 0x4b8) || reg == 0x528;
unsigned char mm1[2];
unsigned char mm2[4] = { 0, 0, 0, 0 };
struct i2c_msg msgs[2];
u32 value;
msgs[0].flags = 0;
msgs[1].flags = I2C_M_RD;
Reported by FlawFinder.
Line: 685
Column: 9
CWE codes:
119
120
Suggestion:
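Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Triage note: `stdres` is a table of `char *` entries pointing at string literals, not a character buffer that is written to. The relevant check is that whatever index is used to read the table stays below 0x20 and that unset entries are handled; the excerpt does not show the lookup.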
{
u32 reg_data3;
static char *stdres[0x20] = {
[0x00] = "no standard detected",
[0x01] = "B/G (in progress)",
[0x02] = "D/K (in progress)",
[0x03] = "M (in progress)",
Reported by FlawFinder.
Line: 1102
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct saa717x_state *decoder = to_state(sd);
int audio_mode;
char *mes[4] = {
"MONO", "STEREO", "LANG1", "LANG2/SAP"
};
audio_mode = TUNER_AUDIO_STEREO;
Reported by FlawFinder.
drivers/mtd/ubi/ubi.h
5 issues
Line: 224
Column: 2
CWE codes:
119
120
Suggestion:
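Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Triage note: the flagged line declares a fixed-size member in a header; the declaration is not itself a write. What needs checking is every place that fills new_name, against UBI_VOL_NAME_MAX + 1. The adjacent new_name_len field suggests the length is tracked, but no writer is shown here. The same applies to the other four declarations flagged in this file.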
*/
struct ubi_rename_entry {
int new_name_len;
char new_name[UBI_VOL_NAME_MAX + 1];
int remove;
struct ubi_volume_desc *desc;
struct list_head list;
};
Reported by FlawFinder.
Line: 358
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int alignment;
int data_pad;
int name_len;
char name[UBI_VOL_NAME_MAX + 1];
int upd_ebs;
int ch_lnum;
long long upd_bytes;
long long upd_received;
Reported by FlawFinder.
Line: 427
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int power_cut_counter;
unsigned int power_cut_min;
unsigned int power_cut_max;
char dfs_dir_name[UBI_DFS_DIR_LEN + 1];
struct dentry *dfs_dir;
struct dentry *dfs_chk_gen;
struct dentry *dfs_chk_io;
struct dentry *dfs_chk_fastmap;
struct dentry *dfs_disable_bgt;
Reported by FlawFinder.
Line: 562
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cdev cdev;
struct device dev;
int ubi_num;
char ubi_name[sizeof(UBI_NAME_STR)+5];
int vol_count;
struct ubi_volume *volumes[UBI_MAX_VOLUMES+UBI_INT_VOL_COUNT];
spinlock_t volumes_lock;
int ref_count;
int image_seq;
Reported by FlawFinder.
Line: 627
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int works_count;
struct task_struct *bgt_thread;
int thread_enabled;
char bgt_name[sizeof(UBI_BGT_NAME_PATTERN)+2];
/* I/O sub-system's stuff */
long long flash_size;
int peb_count;
int peb_size;
Reported by FlawFinder.