The following issues were found
drivers/input/misc/yealink.c
5 issues
Line: 691
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < ARRAY_SIZE(lcdMap); i++) {
if (lcdMap[i].type != '.')
continue;
ret += sprintf(&buf[ret], "%s %s\n",
yld->lcdMap[i] == ' ' ? " " : "on",
lcdMap[i].u.p.name);
}
up_read(&sysfs_rwsema);
return ret;
Reported by FlawFinder.
Line: 75
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union {
struct pictogram_map {
u8 a,m;
char name[10];
} p;
struct segment_map {
u8 a,m;
} s[7];
} u;
Reported by FlawFinder.
Line: 101
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct usb_ctrlrequest *ctl_req;
struct urb *urb_ctl;
char phys[64]; /* physical device path */
u8 lcdMap[ARRAY_SIZE(lcdMap)]; /* state of LCD, LED ... */
int key_code; /* last reported key */
unsigned int shutdown:1;
Reported by FlawFinder.
Line: 305
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = sizeof(p->data);
p->size = len;
p->offset = cpu_to_be16(ix);
memcpy(p->data, &buf[ix], len);
yealink_cmd(yld, p);
ix += len;
}
return 0;
}
Reported by FlawFinder.
Line: 558
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static ssize_t show_map(struct device *dev, struct device_attribute *attr,
char *buf)
{
memcpy(buf, &map_seg7, sizeof(map_seg7));
return sizeof(map_seg7);
}
static ssize_t store_map(struct device *dev, struct device_attribute *attr,
const char *buf, size_t cnt)
Reported by FlawFinder.
drivers/gpu/drm/drm_syncobj.c
5 issues
Line: 1151
CWE codes:
476
return timeout;
wait->first_signaled = first;
} else {
timeout = drm_timeout_abs_to_jiffies(timeline_wait->timeout_nsec);
timeout = drm_syncobj_array_wait_timeout(syncobjs,
u64_to_user_ptr(timeline_wait->points),
timeline_wait->count_handles,
timeline_wait->flags,
timeout, &first);
Reported by Cppcheck.
Line: 1153
CWE codes:
476
} else {
timeout = drm_timeout_abs_to_jiffies(timeline_wait->timeout_nsec);
timeout = drm_syncobj_array_wait_timeout(syncobjs,
u64_to_user_ptr(timeline_wait->points),
timeline_wait->count_handles,
timeline_wait->flags,
timeout, &first);
if (timeout < 0)
return timeout;
Reported by Cppcheck.
Line: 1154
CWE codes:
476
timeout = drm_timeout_abs_to_jiffies(timeline_wait->timeout_nsec);
timeout = drm_syncobj_array_wait_timeout(syncobjs,
u64_to_user_ptr(timeline_wait->points),
timeline_wait->count_handles,
timeline_wait->flags,
timeout, &first);
if (timeout < 0)
return timeout;
timeline_wait->first_signaled = first;
Reported by Cppcheck.
Line: 1155
CWE codes:
476
timeout = drm_syncobj_array_wait_timeout(syncobjs,
u64_to_user_ptr(timeline_wait->points),
timeline_wait->count_handles,
timeline_wait->flags,
timeout, &first);
if (timeout < 0)
return timeout;
timeline_wait->first_signaled = first;
}
Reported by Cppcheck.
Line: 1159
CWE codes:
476
timeout, &first);
if (timeout < 0)
return timeout;
timeline_wait->first_signaled = first;
}
return 0;
}
static int drm_syncobj_array_find(struct drm_file *file_private,
Reported by Cppcheck.
drivers/gpu/drm/nouveau/nvif/object.c
5 issues
Line: 159
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
args->mthd.version = 0;
args->mthd.method = mthd;
memcpy(args->mthd.data, data, size);
ret = nvif_object_ioctl(object, args, sizeof(*args) + size, NULL);
memcpy(data, args->mthd.data, size);
if (args != (void *)stack)
kfree(args);
return ret;
Reported by FlawFinder.
Line: 161
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(args->mthd.data, data, size);
ret = nvif_object_ioctl(object, args, sizeof(*args) + size, NULL);
memcpy(data, args->mthd.data, size);
if (args != (void *)stack)
kfree(args);
return ret;
}
Reported by FlawFinder.
Line: 194
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!(args = kzalloc(argn, GFP_KERNEL)))
return -ENOMEM;
args->ioctl.type = NVIF_IOCTL_V0_MAP;
memcpy(args->map.data, argv, argc);
ret = nvif_object_ioctl(object, args, argn, NULL);
*handle = args->map.handle;
*length = args->map.length;
maptype = args->map.type;
Reported by FlawFinder.
Line: 295
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
args->new.handle = handle;
args->new.oclass = oclass;
memcpy(args->new.data, data, size);
ret = nvif_object_ioctl(parent, args, sizeof(*args) + size,
&object->priv);
memcpy(data, args->new.data, size);
kfree(args);
if (ret == 0)
Reported by FlawFinder.
Line: 298
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(args->new.data, data, size);
ret = nvif_object_ioctl(parent, args, sizeof(*args) + size,
&object->priv);
memcpy(data, args->new.data, size);
kfree(args);
if (ret == 0)
object->client = parent->client;
}
Reported by FlawFinder.
drivers/macintosh/macio_sysfs.c
5 issues
Line: 22
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
while (cplen > 0) {
int l;
length += sprintf (buf, "%s\n", compat);
buf += length;
l = strlen (compat) + 1;
compat += l;
cplen -= l;
}
Reported by FlawFinder.
Line: 60
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t type_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
return sprintf(buf, "%s\n", of_node_get_device_type(dev->of_node));
}
static DEVICE_ATTR_RO(type);
static struct attribute *macio_dev_attrs[] = {
&dev_attr_name.attr,
Reported by FlawFinder.
Line: 45
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct platform_device *ofdev;
ofdev = to_platform_device(dev);
return sprintf(buf, "%pOF\n", ofdev->dev.of_node);
}
static DEVICE_ATTR_RO(modalias);
static DEVICE_ATTR_RO(devspec);
static ssize_t name_show(struct device *dev,
Reported by FlawFinder.
Line: 53
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t name_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
return sprintf(buf, "%pOFn\n", dev->of_node);
}
static DEVICE_ATTR_RO(name);
static ssize_t type_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 24
Column: 7
CWE codes:
126
int l;
length += sprintf (buf, "%s\n", compat);
buf += length;
l = strlen (compat) + 1;
compat += l;
cplen -= l;
}
return length;
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nvkm/core/firmware.c
5 issues
Line: 29
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
nvkm_firmware_load_name(const struct nvkm_subdev *subdev, const char *base,
const char *name, int ver, const struct firmware **pfw)
{
char path[64];
int ret;
snprintf(path, sizeof(path), "%s%s", base, name);
ret = nvkm_firmware_get(subdev, path, ver, pfw);
if (ret < 0)
Reported by FlawFinder.
Line: 74
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct firmware **fw)
{
struct nvkm_device *device = subdev->device;
char f[64];
char cname[16];
int i;
/* Convert device name to lowercase */
strncpy(cname, device->chip->name, sizeof(cname));
Reported by FlawFinder.
Line: 75
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct nvkm_device *device = subdev->device;
char f[64];
char cname[16];
int i;
/* Convert device name to lowercase */
strncpy(cname, device->chip->name, sizeof(cname));
cname[sizeof(cname) - 1] = '\0';
Reported by FlawFinder.
Line: 79
Column: 2
CWE codes:
120
int i;
/* Convert device name to lowercase */
strncpy(cname, device->chip->name, sizeof(cname));
cname[sizeof(cname) - 1] = '\0';
i = strlen(cname);
while (i) {
--i;
cname[i] = tolower(cname[i]);
Reported by FlawFinder.
Line: 81
Column: 6
CWE codes:
126
/* Convert device name to lowercase */
strncpy(cname, device->chip->name, sizeof(cname));
cname[sizeof(cname) - 1] = '\0';
i = strlen(cname);
while (i) {
--i;
cname[i] = tolower(cname[i]);
}
Reported by FlawFinder.
drivers/input/keyboard/applespi.c
5 issues
Line: 108
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
module_param(iso_layout, bool, 0644);
MODULE_PARM_DESC(iso_layout, "Enable/Disable hardcoded ISO-layout of the keyboard. ([0] = disabled, 1 = enabled)");
static char touchpad_dimensions[40];
module_param_string(touchpad_dimensions, touchpad_dimensions,
sizeof(touchpad_dimensions), 0444);
MODULE_PARM_DESC(touchpad_dimensions, "The pixel dimensions of the touchpad, as XxY+W+H .");
/**
Reported by FlawFinder.
Line: 429
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dentry *debugfs_root;
bool debug_tp_dim;
char tp_dim_val[40];
int tp_dim_min_x;
int tp_dim_max_x;
int tp_dim_min_y;
int tp_dim_max_y;
};
Reported by FlawFinder.
Line: 1485
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto msg_complete;
}
memcpy(applespi->msg_buf + off, &packet->data, len);
applespi->saved_msg_len += len;
if (rem > 0)
return;
Reported by FlawFinder.
Line: 1609
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!efivar_entry)
return -ENOMEM;
memcpy(efivar_entry->var.VariableName, EFI_BL_LEVEL_NAME,
sizeof(EFI_BL_LEVEL_NAME));
efivar_entry->var.VendorGuid = EFI_BL_LEVEL_GUID;
efi_data_len = sizeof(efi_data);
sts = efivar_entry_get(efivar_entry, NULL, &efi_data_len, &efi_data);
Reported by FlawFinder.
Line: 1003
Column: 12
CWE codes:
126
struct applespi_data *applespi = file->private_data;
return simple_read_from_buffer(buf, len, off, applespi->tp_dim_val,
strlen(applespi->tp_dim_val));
}
static const struct file_operations applespi_tp_dim_fops = {
.owner = THIS_MODULE,
.open = applespi_tp_dim_open,
Reported by FlawFinder.
drivers/input/joystick/xpad.c
5 issues
Line: 605
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct xpad_led *led;
#endif
char phys[64]; /* physical device path */
int mapping; /* map d-pad to buttons or to axes */
int xtype; /* type of xbox device */
int pad_nr; /* the order x360 pads were attached */
const char *name; /* name of the device */
Reported by FlawFinder.
Line: 997
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
continue;
/* This packet applies to our device, so prepare to send it */
memcpy(xpad->odata, init_packet->data, init_packet->len);
xpad->irq_out->transfer_buffer_length = init_packet->len;
/* Update packet with current sequence number */
xpad->odata[2] = xpad->odata_serial++;
return true;
Reported by FlawFinder.
Line: 1033
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (packet) {
memcpy(xpad->odata, packet->data, packet->len);
xpad->irq_out->transfer_buffer_length = packet->len;
packet->pending = false;
return true;
}
Reported by FlawFinder.
Line: 1234
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_irqsave(&xpad->odata_lock, flags);
packet->len = sizeof(mode_report_ack);
memcpy(packet->data, mode_report_ack, packet->len);
packet->data[2] = seq_num;
packet->pending = true;
/* Reset the sequence so we send out the ack now */
xpad->last_out_packet = -1;
Reported by FlawFinder.
Line: 1359
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static DEFINE_IDA(xpad_pad_seq);
struct xpad_led {
char name[16];
struct led_classdev led_cdev;
struct usb_xpad *xpad;
};
/*
Reported by FlawFinder.
drivers/input/joystick/psxpad-spi.c
5 issues
Line: 63
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct psxpad {
struct spi_device *spi;
struct input_dev *idev;
char phys[0x20];
bool motor1enable;
bool motor2enable;
u8 motor1level;
u8 motor2level;
u8 sendbuf[0x20] ____cacheline_aligned;
Reported by FlawFinder.
Line: 101
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pad->motor1enable = motor1enable;
pad->motor2enable = motor2enable;
memcpy(pad->sendbuf, PSX_CMD_ENTER_CFG, sizeof(PSX_CMD_ENTER_CFG));
err = psxpad_command(pad, sizeof(PSX_CMD_ENTER_CFG));
if (err) {
dev_err(&pad->spi->dev,
"%s: failed to enter config mode: %d\n",
__func__, err);
Reported by FlawFinder.
Line: 110
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(pad->sendbuf, PSX_CMD_ENABLE_MOTOR,
sizeof(PSX_CMD_ENABLE_MOTOR));
pad->sendbuf[3] = pad->motor1enable ? 0x00 : 0xFF;
pad->sendbuf[4] = pad->motor2enable ? 0x80 : 0xFF;
err = psxpad_command(pad, sizeof(PSX_CMD_ENABLE_MOTOR));
if (err) {
Reported by FlawFinder.
Line: 122
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(pad->sendbuf, PSX_CMD_EXIT_CFG, sizeof(PSX_CMD_EXIT_CFG));
err = psxpad_command(pad, sizeof(PSX_CMD_EXIT_CFG));
if (err) {
dev_err(&pad->spi->dev,
"%s: failed to exit config mode: %d\n",
__func__, err);
Reported by FlawFinder.
Line: 213
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
psxpad_control_motor(pad, true, true);
memcpy(pad->sendbuf, PSX_CMD_POLL, sizeof(PSX_CMD_POLL));
pad->sendbuf[3] = pad->motor1enable ? pad->motor1level : 0x00;
pad->sendbuf[4] = pad->motor2enable ? pad->motor2level : 0x00;
err = psxpad_command(pad, sizeof(PSX_CMD_POLL));
if (err) {
dev_err(&pad->spi->dev,
Reported by FlawFinder.
drivers/input/joystick/iforce/iforce-ff.c
5 issues
Line: 21
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int make_magnitude_modifier(struct iforce* iforce,
struct resource* mod_chunk, int no_alloc, __s16 level)
{
unsigned char data[3];
if (!no_alloc) {
mutex_lock(&iforce->mem_mutex);
if (allocate_resource(&(iforce->device_memory), mod_chunk, 2,
iforce->device_memory.start, iforce->device_memory.end, 2L,
Reported by FlawFinder.
Line: 52
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct resource* mod_chunk, int no_alloc,
__s16 magnitude, __s16 offset, u16 period, u16 phase)
{
unsigned char data[7];
period = TIME_SCALE(period);
if (!no_alloc) {
mutex_lock(&iforce->mem_mutex);
Reported by FlawFinder.
Line: 91
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 attack_duration, __s16 initial_level,
u16 fade_duration, __s16 final_level)
{
unsigned char data[8];
attack_duration = TIME_SCALE(attack_duration);
fade_duration = TIME_SCALE(fade_duration);
if (!no_alloc) {
Reported by FlawFinder.
Line: 131
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct resource* mod_chunk, int no_alloc,
__u16 rsat, __u16 lsat, __s16 rk, __s16 lk, u16 db, __s16 center)
{
unsigned char data[10];
if (!no_alloc) {
mutex_lock(&iforce->mem_mutex);
if (allocate_resource(&(iforce->device_memory), mod_chunk, 8,
iforce->device_memory.start, iforce->device_memory.end, 2L,
Reported by FlawFinder.
Line: 294
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 effect_type, u8 axes, u16 duration, u16 delay, u16 button,
u16 interval, u16 direction)
{
unsigned char data[14];
duration = TIME_SCALE(duration);
delay = TIME_SCALE(delay);
interval = TIME_SCALE(interval);
Reported by FlawFinder.
drivers/input/gameport/gameport.c
5 issues
Line: 462
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct gameport *gameport = to_gameport_port(dev);
return sprintf(buf, "%s\n", gameport->name);
}
static DEVICE_ATTR(description, S_IRUGO, gameport_description_show, NULL);
static ssize_t drvctl_store(struct device *dev, struct device_attribute *attr, const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 516
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_list args;
va_start(args, fmt);
vsnprintf(gameport->phys, sizeof(gameport->phys), fmt, args);
va_end(args);
}
EXPORT_SYMBOL(gameport_set_phys);
/*
Reported by FlawFinder.
Line: 681
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t description_show(struct device_driver *drv, char *buf)
{
struct gameport_driver *driver = to_gameport_driver(drv);
return sprintf(buf, "%s\n", driver->description ? driver->description : "(none)");
}
static DRIVER_ATTR_RO(description);
static struct attribute *gameport_driver_attrs[] = {
&driver_attr_description.attr,
Reported by FlawFinder.
Line: 805
Column: 16
CWE codes:
362
int gameport_open(struct gameport *gameport, struct gameport_driver *drv, int mode)
{
if (gameport->open) {
if (gameport->open(gameport, mode)) {
return -1;
}
} else {
if (mode != GAMEPORT_MODE_RAW)
Reported by FlawFinder.
Line: 806
Column: 17
CWE codes:
362
int gameport_open(struct gameport *gameport, struct gameport_driver *drv, int mode)
{
if (gameport->open) {
if (gameport->open(gameport, mode)) {
return -1;
}
} else {
if (mode != GAMEPORT_MODE_RAW)
return -1;
Reported by FlawFinder.