The following issues were found
drivers/net/ethernet/3com/typhoon.c
5 issues
Line: 508
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = RESPONSE_RING_SIZE - cleared;
}
memcpy(resp_save, resp, len);
if (unlikely(wrap_len)) {
resp_save += len / sizeof(*resp);
memcpy(resp_save, base, wrap_len);
}
Reported by FlawFinder.
Line: 511
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(resp_save, resp, len);
if (unlikely(wrap_len)) {
resp_save += len / sizeof(*resp);
memcpy(resp_save, base, wrap_len);
}
resp_save = NULL;
} else if (resp->cmd == TYPHOON_CMD_READ_MEDIA_STATUS) {
typhoon_media_status(tp->dev, resp);
Reported by FlawFinder.
Line: 616
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = COMMAND_RING_SIZE - ring->lastWrite;
}
memcpy(ring->ringBase + ring->lastWrite, cmd, len);
if (unlikely(wrap_len)) {
struct cmd_desc *wrap_ptr = cmd;
wrap_ptr += len / sizeof(*cmd);
memcpy(ring->ringBase, wrap_ptr, wrap_len);
}
Reported by FlawFinder.
Line: 620
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(wrap_len)) {
struct cmd_desc *wrap_ptr = cmd;
wrap_ptr += len / sizeof(*cmd);
memcpy(ring->ringBase, wrap_ptr, wrap_len);
}
typhoon_inc_cmd_index(&ring->lastWrite, num_cmd);
/* "I feel a presence... another warrior is on the mesa."
Reported by FlawFinder.
Line: 1998
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tp->card_state = Sleeping;
smp_wmb();
typhoon_do_get_stats(tp);
memcpy(&tp->stats_saved, &tp->dev->stats, sizeof(struct net_device_stats));
INIT_COMMAND_NO_RESPONSE(&xp_cmd, TYPHOON_CMD_HALT);
typhoon_issue_command(tp, 1, &xp_cmd, 0, NULL);
if (typhoon_wait_status(ioaddr, TYPHOON_STATUS_HALTED) < 0)
Reported by FlawFinder.
drivers/net/ethernet/dlink/sundance.c
5 issues
Line: 54
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
4 100Mbps full duplex.
*/
#define MAX_UNITS 8
static char *media[MAX_UNITS];
/* Operational parameters that are set at compile time. */
/* Keep the ring sizes a power of two for compile efficiency.
Reported by FlawFinder.
Line: 408
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* MII transceiver section. */
struct mii_if_info mii_if;
int mii_preamble_required;
unsigned char phys[MII_CNT]; /* MII device addresses, only first one used. */
struct pci_dev *pci_dev;
void __iomem *base;
spinlock_t statlock;
};
Reported by FlawFinder.
Line: 1614
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!is_valid_ether_addr(addr->sa_data))
return -EADDRNOTAVAIL;
memcpy(dev->dev_addr, addr->sa_data, ETH_ALEN);
__set_mac_addr(dev);
return 0;
}
Reported by FlawFinder.
Line: 1621
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static const struct {
const char name[ETH_GSTRING_LEN];
} sundance_stats[] = {
{ "tx_multiple_collisions" },
{ "tx_single_collisions" },
{ "tx_late_collisions" },
{ "tx_deferred" },
Reported by FlawFinder.
Line: 1698
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 *data)
{
if (stringset == ETH_SS_STATS)
memcpy(data, sundance_stats, sizeof(sundance_stats));
}
static int get_sset_count(struct net_device *dev, int sset)
{
switch (sset) {
Reported by FlawFinder.
drivers/misc/bcm-vk/bcm_vk_dev.c
5 issues
Line: 1412
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
}
vk->devid = id;
snprintf(name, sizeof(name), DRV_MODULE_NAME ".%d", id);
misc_device = &vk->miscdev;
misc_device->minor = MISC_DYNAMIC_MINOR;
misc_device->name = kstrdup(name, GFP_KERNEL);
if (!misc_device->name) {
err = -ENOMEM;
Reported by FlawFinder.
Line: 1456
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
goto err_destroy_workqueue;
}
snprintf(name, sizeof(name), KBUILD_MODNAME ".%d_ttyVK", id);
err = bcm_vk_tty_init(vk, name);
if (err)
goto err_unregister_panic_notifier;
/*
Reported by FlawFinder.
Line: 42
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct load_image_entry {
const u32 image_type;
const char *image_name[IMG_PER_TYPE_MAX];
};
#define NUM_BOOT_STAGES 2
/* default firmware images names */
static const struct load_image_entry image_tab[][NUM_BOOT_STAGES] = {
Reported by FlawFinder.
Line: 246
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct bcm_vk_peer_log log;
struct bcm_vk_peer_log *log_info = &vk->peerlog_info;
char loc_buf[BCM_VK_PEER_LOG_LINE_MAX];
int cnt;
struct device *dev = &vk->pdev->dev;
unsigned int data_offset;
memcpy_fromio(&log, vk->bar[BAR_2] + vk->peerlog_off, sizeof(log));
Reported by FlawFinder.
Line: 1285
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int i;
int id;
int irq;
char name[20];
struct bcm_vk *vk;
struct device *dev = &pdev->dev;
struct miscdevice *misc_device;
u32 boot_status;
Reported by FlawFinder.
drivers/md/md-autodetect.c
5 issues
Line: 131
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct block_device *bdev;
struct mddev *mddev;
int err = 0, i;
char name[16];
if (args->partitioned) {
mdev = MKDEV(mdp_major, args->minor << MdpMinorShift);
sprintf(name, "md_d%d", args->minor);
} else {
Reported by FlawFinder.
Line: 135
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (args->partitioned) {
mdev = MKDEV(mdp_major, args->minor << MdpMinorShift);
sprintf(name, "md_d%d", args->minor);
} else {
mdev = MKDEV(MD_MAJOR, args->minor);
sprintf(name, "md%d", args->minor);
}
Reported by FlawFinder.
Line: 138
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(name, "md_d%d", args->minor);
} else {
mdev = MKDEV(MD_MAJOR, args->minor);
sprintf(name, "md%d", args->minor);
}
for (i = 0; i < MD_SB_DISKS && devname != NULL; i++) {
struct kstat stat;
char *p;
Reported by FlawFinder.
Line: 144
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for (i = 0; i < MD_SB_DISKS && devname != NULL; i++) {
struct kstat stat;
char *p;
char comp_name[64];
dev_t dev;
p = strchr(devname, ',');
if (p)
*p++ = 0;
Reported by FlawFinder.
Line: 241
Column: 8
CWE codes:
126
{
int len, pos;
len = strlen(str) + 1;
pos = 0;
while (pos < len) {
char *comma = strchr(str+pos, ',');
int wlen;
Reported by FlawFinder.
drivers/mtd/mtd_blkdevs.c
5 issues
Line: 213
Column: 11
CWE codes:
362
mutex_lock(&mtd_table_mutex);
mutex_lock(&dev->lock);
if (dev->open)
goto unlock;
kref_get(&dev->ref);
__module_get(dev->tr->owner);
Reported by FlawFinder.
Line: 222
Column: 15
CWE codes:
362
if (!dev->mtd)
goto unlock;
if (dev->tr->open) {
ret = dev->tr->open(dev);
if (ret)
goto error_put;
}
Reported by FlawFinder.
Line: 223
Column: 18
CWE codes:
362
goto unlock;
if (dev->tr->open) {
ret = dev->tr->open(dev);
if (ret)
goto error_put;
}
ret = __get_mtd_device(dev->mtd);
Reported by FlawFinder.
Line: 262
Column: 13
CWE codes:
362
mutex_lock(&mtd_table_mutex);
mutex_lock(&dev->lock);
if (--dev->open)
goto unlock;
kref_put(&dev->ref, blktrans_dev_release);
module_put(dev->tr->owner);
Reported by FlawFinder.
Line: 478
Column: 11
CWE codes:
362
/* If the device is currently open, tell trans driver to close it,
then put mtd device, and don't touch it again */
mutex_lock(&old->lock);
if (old->open) {
if (old->tr->release)
old->tr->release(old);
__put_mtd_device(old->mtd);
}
Reported by FlawFinder.
drivers/mtd/tests/readtest.c
5 issues
Line: 82
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void dump_eraseblock(int ebnum)
{
int i, j, n;
char line[128];
int pg, oob;
pr_info("dumping eraseblock %d\n", ebnum);
n = mtd->erasesize;
for (i = 0; i < n;) {
Reported by FlawFinder.
Line: 90
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < n;) {
char *p = line;
p += sprintf(p, "%05x: ", i);
for (j = 0; j < 32 && i < n; j++, i++)
p += sprintf(p, "%02x", (unsigned int)iobuf[i]);
printk(KERN_CRIT "%s\n", line);
cond_resched();
}
Reported by FlawFinder.
Line: 92
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
p += sprintf(p, "%05x: ", i);
for (j = 0; j < 32 && i < n; j++, i++)
p += sprintf(p, "%02x", (unsigned int)iobuf[i]);
printk(KERN_CRIT "%s\n", line);
cond_resched();
}
if (!mtd->oobsize)
return;
Reported by FlawFinder.
Line: 104
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (oob = 0; oob < n;) {
char *p = line;
p += sprintf(p, "%05x: ", i);
for (j = 0; j < 32 && oob < n; j++, oob++, i++)
p += sprintf(p, "%02x",
(unsigned int)iobuf1[i]);
printk(KERN_CRIT "%s\n", line);
cond_resched();
Reported by FlawFinder.
Line: 106
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
p += sprintf(p, "%05x: ", i);
for (j = 0; j < 32 && oob < n; j++, oob++, i++)
p += sprintf(p, "%02x",
(unsigned int)iobuf1[i]);
printk(KERN_CRIT "%s\n", line);
cond_resched();
}
}
Reported by FlawFinder.
drivers/net/ethernet/8390/ax88796.c
5 issues
Line: 695
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* read the mac from the card prom if we need it */
if (ax->plat->flags & AXFLG_HAS_EEPROM) {
unsigned char SA_prom[32];
ei_outb(6, ioaddr + EN0_RCNTLO);
ei_outb(0, ioaddr + EN0_RCNTHI);
ei_outb(0, ioaddr + EN0_RSARLO);
ei_outb(0, ioaddr + EN0_RSARHI);
Reported by FlawFinder.
Line: 712
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < 16; i++)
SA_prom[i] = SA_prom[i+i];
memcpy(dev->dev_addr, SA_prom, ETH_ALEN);
}
#ifdef CONFIG_AX88796_93CX6
if (ax->plat->flags & AXFLG_HAS_93CX6) {
unsigned char mac_addr[ETH_ALEN];
Reported by FlawFinder.
Line: 717
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_AX88796_93CX6
if (ax->plat->flags & AXFLG_HAS_93CX6) {
unsigned char mac_addr[ETH_ALEN];
struct eeprom_93cx6 eeprom;
eeprom.data = ei_local;
eeprom.register_read = ax_eeprom_register_read;
eeprom.register_write = ax_eeprom_register_write;
Reported by FlawFinder.
Line: 729
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(__le16 __force *)mac_addr,
sizeof(mac_addr) >> 1);
memcpy(dev->dev_addr, mac_addr, ETH_ALEN);
}
#endif
if (ax->plat->wordlength == 2) {
/* We must set the 8390 for word mode. */
ei_outb(ax->plat->dcr_val, ei_local->mem + EN0_DCFG);
Reported by FlawFinder.
Line: 753
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((ax->plat->flags & AXFLG_MAC_FROMPLATFORM) &&
ax->plat->mac_addr)
memcpy(dev->dev_addr, ax->plat->mac_addr, ETH_ALEN);
if (!is_valid_ether_addr(dev->dev_addr)) {
eth_hw_addr_random(dev);
dev_info(&dev->dev, "Using random MAC address: %pM\n",
dev->dev_addr);
Reported by FlawFinder.
drivers/misc/isl29003.c
5 issues
Line: 189
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct i2c_client *client = to_i2c_client(dev);
return sprintf(buf, "%i\n", isl29003_get_range(client));
}
static ssize_t isl29003_store_range(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 225
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct i2c_client *client = to_i2c_client(dev);
return sprintf(buf, "%d\n", isl29003_get_resolution(client));
}
static ssize_t isl29003_store_resolution(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 259
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct i2c_client *client = to_i2c_client(dev);
return sprintf(buf, "%d\n", isl29003_get_mode(client));
}
static ssize_t isl29003_store_mode(struct device *dev,
struct device_attribute *attr, const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 294
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct i2c_client *client = to_i2c_client(dev);
return sprintf(buf, "%d\n", isl29003_get_power_state(client));
}
static ssize_t isl29003_store_power_state(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 330
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!isl29003_get_power_state(client))
return -EBUSY;
return sprintf(buf, "%d\n", isl29003_get_adc_value(client));
}
static DEVICE_ATTR(lux, S_IRUGO, isl29003_show_lux, NULL);
static struct attribute *isl29003_attributes[] = {
Reported by FlawFinder.
drivers/mmc/core/sdio.c
5 issues
Line: 45
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -ENODATA; \
if (!card->info[num-1][0]) \
return 0; \
return sprintf(buf, "%s\n", card->info[num-1]); \
} \
static DEVICE_ATTR_RO(info##num)
sdio_info_attr(1);
sdio_info_attr(2);
Reported by FlawFinder.
Line: 694
Column: 9
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
if (oldcard && (oldcard->type != MMC_TYPE_SD_COMBO ||
memcmp(card->raw_cid, oldcard->raw_cid, sizeof(card->raw_cid)) != 0)) {
err = -ENOENT;
goto mismatch;
}
} else {
card->type = MMC_TYPE_SDIO;
if (oldcard && oldcard->type != MMC_TYPE_SDIO) {
Reported by FlawFinder.
Line: 701
Column: 9
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
if (oldcard && oldcard->type != MMC_TYPE_SDIO) {
err = -ENOENT;
goto mismatch;
}
}
/*
* Call the optional HC's init_card function to handle quirks.
Reported by FlawFinder.
Line: 820
Column: 9
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
card = oldcard;
} else {
err = -ENOENT;
goto mismatch;
}
}
card->ocr = ocr_card;
mmc_fixup_device(card, sdio_fixup_methods);
Reported by FlawFinder.
Line: 886
Column: 1
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
host->card = card;
return 0;
mismatch:
pr_debug("%s: Perhaps the card was replaced\n", mmc_hostname(host));
remove:
if (oldcard != card)
mmc_remove_card(card);
return err;
Reported by FlawFinder.
drivers/md/persistent-data/dm-array.c
5 issues
Line: 187
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (vt->inc)
vt->inc(vt->context, value, delta);
for (i = nr_entries; i < new_nr; i++)
memcpy(element_at(info, ab, i), value, vt->size);
ab->nr_entries = cpu_to_le32(new_nr);
}
/*
* Remove some entries from the back of an array block. Every value
Reported by FlawFinder.
Line: 792
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (entry >= le32_to_cpu(ab->nr_entries))
r = -ENODATA;
else
memcpy(value_le, element_at(info, ab, entry),
info->value_type.size);
unlock_ablock(info, block);
return r;
}
Reported by FlawFinder.
Line: 834
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vt->inc(vt->context, value, 1);
}
memcpy(old_value, value, info->value_type.size);
out:
unlock_ablock(info, block);
return r;
}
Reported by FlawFinder.
Line: 828
Column: 12
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
old_value = element_at(info, ab, entry);
if (vt->dec &&
(!vt->equal || !vt->equal(vt->context, old_value, value))) {
vt->dec(vt->context, old_value, 1);
if (vt->inc)
vt->inc(vt->context, value, 1);
}
Reported by FlawFinder.
Line: 828
Column: 26
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
old_value = element_at(info, ab, entry);
if (vt->dec &&
(!vt->equal || !vt->equal(vt->context, old_value, value))) {
vt->dec(vt->context, old_value, 1);
if (vt->inc)
vt->inc(vt->context, value, 1);
}
Reported by FlawFinder.