The following issues were found
sound/pci/oxygen/oxygen_lib.c
4 issues
Line: 666
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
chip->irq = pci->irq;
card->sync_irq = chip->irq;
strcpy(card->driver, chip->model.chip);
strcpy(card->shortname, chip->model.shortname);
sprintf(card->longname, "%s at %#lx, irq %i",
chip->model.longname, chip->addr, chip->irq);
strcpy(card->mixername, chip->model.chip);
snd_component_add(card, chip->model.chip);
Reported by FlawFinder.
Line: 667
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
card->sync_irq = chip->irq;
strcpy(card->driver, chip->model.chip);
strcpy(card->shortname, chip->model.shortname);
sprintf(card->longname, "%s at %#lx, irq %i",
chip->model.longname, chip->addr, chip->irq);
strcpy(card->mixername, chip->model.chip);
snd_component_add(card, chip->model.chip);
Reported by FlawFinder.
Line: 668
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
strcpy(card->driver, chip->model.chip);
strcpy(card->shortname, chip->model.shortname);
sprintf(card->longname, "%s at %#lx, irq %i",
chip->model.longname, chip->addr, chip->irq);
strcpy(card->mixername, chip->model.chip);
snd_component_add(card, chip->model.chip);
err = oxygen_pcm_init(chip);
Reported by FlawFinder.
Line: 670
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(card->shortname, chip->model.shortname);
sprintf(card->longname, "%s at %#lx, irq %i",
chip->model.longname, chip->addr, chip->irq);
strcpy(card->mixername, chip->model.chip);
snd_component_add(card, chip->model.chip);
err = oxygen_pcm_init(chip);
if (err < 0)
goto err_card;
Reported by FlawFinder.
drivers/scsi/qlogicpti.c
4 issues
Line: 848
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *qlogicpti_info(struct Scsi_Host *host)
{
static char buf[80];
struct qlogicpti *qpti = (struct qlogicpti *) host->hostdata;
sprintf(buf, "PTI Qlogic,ISP SBUS SCSI irq %d regs at %p",
qpti->qhost->irq, qpti->qregs);
return buf;
Reported by FlawFinder.
Line: 851
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static char buf[80];
struct qlogicpti *qpti = (struct qlogicpti *) host->hostdata;
sprintf(buf, "PTI Qlogic,ISP SBUS SCSI irq %d regs at %p",
qpti->qhost->irq, qpti->qregs);
return buf;
}
/* I am a certified frobtronicist. */
Reported by FlawFinder.
Line: 894
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
cmd->control_flags |= CFLAG_READ;
cmd->time_out = Cmnd->request->timeout/HZ;
memcpy(cmd->cdb, Cmnd->cmnd, Cmnd->cmd_len);
}
/* Do it to it baby. */
static inline int load_cmd(struct scsi_cmnd *Cmnd, struct Command_Entry *cmd,
struct qlogicpti *qpti, u_int in_ptr, u_int out_ptr)
Reported by FlawFinder.
Line: 1179
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
qpti->send_marker = 1;
if (sts->state_flags & SF_GOT_SENSE)
memcpy(Cmnd->sense_buffer, sts->req_sense_data,
SCSI_SENSE_BUFFERSIZE);
if (sts->hdr.entry_type == ENTRY_STATUS)
Cmnd->result =
qlogicpti_return_status(sts, qpti->qpti_id);
Reported by FlawFinder.
drivers/usb/gadget/udc/renesas_usb3.c
4 issues
Line: 2494
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!usb3->driver)
return -ENODEV;
return sprintf(buf, "%s\n", usb3_is_host(usb3) ? "host" : "peripheral");
}
static DEVICE_ATTR_RW(role);
static int renesas_usb3_b_device_show(struct seq_file *s, void *unused)
{
Reported by FlawFinder.
Line: 315
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct renesas_usb3 *usb3;
struct renesas_usb3_dma *dma;
int num;
char ep_name[USB3_EP_NAME_SIZE];
struct list_head queue;
u32 rammap_val;
bool dir_in;
bool halt;
bool wedge;
Reported by FlawFinder.
Line: 1580
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct renesas_usb3_ep *usb3_ep = usb3_get_ep(usb3, 0);
if (tx_data)
memcpy(usb3->ep0_buf, tx_data,
min_t(size_t, len, USB3_EP0_BUF_SIZE));
usb3->ep0_req->buf = &usb3->ep0_buf;
usb3->ep0_req->length = len;
usb3->ep0_req->complete = complete;
Reported by FlawFinder.
Line: 2518
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct seq_file *s = file->private_data;
struct renesas_usb3 *usb3 = s->private;
char buf[32];
if (!usb3->driver)
return -ENODEV;
if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
Reported by FlawFinder.
drivers/scsi/virtio_scsi.c
4 issues
Line: 160
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
WARN_ON(virtio32_to_cpu(vscsi->vdev, resp->sense_len) >
VIRTIO_SCSI_SENSE_SIZE);
if (resp->sense_len) {
memcpy(sc->sense_buffer, resp->sense,
min_t(u32,
virtio32_to_cpu(vscsi->vdev, resp->sense_len),
VIRTIO_SCSI_SENSE_SIZE));
}
Reported by FlawFinder.
Line: 336
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct scsi_device *sdev;
struct Scsi_Host *shost = virtio_scsi_host(vscsi->vdev);
unsigned char scsi_cmd[MAX_COMMAND_SIZE];
int result, inquiry_len, inq_result_len = 256;
char *inq_result = kmalloc(inq_result_len, GFP_KERNEL);
shost_for_each_device(sdev, shost) {
inquiry_len = sdev->inquiry_len ? sdev->inquiry_len : 36;
Reported by FlawFinder.
Line: 578
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#ifdef CONFIG_BLK_DEV_INTEGRITY
if (virtio_has_feature(vscsi->vdev, VIRTIO_SCSI_F_T10_PI)) {
virtio_scsi_init_hdr_pi(vscsi->vdev, &cmd->req.cmd_pi, sc);
memcpy(cmd->req.cmd_pi.cdb, sc->cmnd, sc->cmd_len);
req_size = sizeof(cmd->req.cmd_pi);
} else
#endif
{
virtio_scsi_init_hdr(vscsi->vdev, &cmd->req.cmd, sc);
Reported by FlawFinder.
Line: 584
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#endif
{
virtio_scsi_init_hdr(vscsi->vdev, &cmd->req.cmd, sc);
memcpy(cmd->req.cmd.cdb, sc->cmnd, sc->cmd_len);
req_size = sizeof(cmd->req.cmd);
}
kick = (sc->flags & SCMD_LAST) != 0;
ret = virtscsi_add_cmd(req_vq, cmd, req_size, sizeof(cmd->resp.cmd), kick);
Reported by FlawFinder.
drivers/usb/gadget/udc/snps_udc_core.c
4 issues
Line: 3155
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
tmp, dev->phys_addr, dev->chiprev,
(dev->chiprev == UDC_HSA0_REV) ?
"A0" : "B1");
strcpy(tmp, UDC_DRIVER_VERSION_STRING);
if (dev->chiprev == UDC_HSA0_REV) {
dev_err(dev->dev, "chip revision is A0; too old\n");
retval = -ENODEV;
goto finished;
}
Reported by FlawFinder.
Line: 1154
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
if (ep->bna_occurred) {
VDBG(dev, "copy to BNA dummy desc.\n");
memcpy(ep->bna_dummy_req->td_data,
req->td_data,
sizeof(struct udc_data_dma));
}
}
/* write desc pointer */
Reported by FlawFinder.
Line: 2139
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
if (ep->bna_occurred) {
VDBG(dev, "Recover desc. from BNA dummy\n");
memcpy(req->td_data, ep->bna_dummy_req->td_data,
sizeof(struct udc_data_dma));
ep->bna_occurred = 0;
udc_init_bna_dummy(ep->req);
}
td = udc_get_last_dma_desc(req);
Reported by FlawFinder.
Line: 3130
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* general probe */
int udc_probe(struct udc *dev)
{
char tmp[128];
u32 reg;
int retval;
/* device struct setup */
dev->gadget.ops = &udc_ops;
Reported by FlawFinder.
drivers/usb/serial/cyberjack.c
4 issues
Line: 95
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cyberjack_private {
spinlock_t lock; /* Lock for SMP */
short rdtodo; /* Bytes still to read */
unsigned char wrbuf[5*64]; /* Buffer for collecting data to write */
short wrfilled; /* Overall data size we already got */
short wrsent; /* Data already sent */
};
static int cyberjack_port_probe(struct usb_serial_port *port)
Reported by FlawFinder.
Line: 188
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Copy data */
memcpy(priv->wrbuf + priv->wrfilled, buf, count);
usb_serial_debug_data(dev, __func__, count, priv->wrbuf + priv->wrfilled);
priv->wrfilled += count;
if (priv->wrfilled >= 3) {
Reported by FlawFinder.
Line: 207
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
length = (wrexpected > port->bulk_out_size) ?
port->bulk_out_size : wrexpected;
memcpy(port->write_urb->transfer_buffer, priv->wrbuf, length);
priv->wrsent = length;
/* set up our urb */
port->write_urb->transfer_buffer_length = length;
Reported by FlawFinder.
Line: 378
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
length = ((priv->wrfilled - priv->wrsent) > port->bulk_out_size) ?
port->bulk_out_size : (priv->wrfilled - priv->wrsent);
memcpy(port->write_urb->transfer_buffer,
priv->wrbuf + priv->wrsent, length);
priv->wrsent += length;
/* set up our urb */
port->write_urb->transfer_buffer_length = length;
Reported by FlawFinder.
drivers/scsi/sr.c
4 issues
Line: 732
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
disk->major = SCSI_CDROM_MAJOR;
disk->first_minor = minor;
sprintf(disk->disk_name, "sr%d", minor);
disk->fops = &sr_bdops;
disk->flags = GENHD_FL_CD | GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE;
disk->events = DISK_EVENT_MEDIA_CHANGE | DISK_EVENT_EJECT_REQUEST;
disk->event_flags = DISK_EVENT_FLAG_POLL | DISK_EVENT_FLAG_UEVENT;
Reported by FlawFinder.
Line: 755
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
cd->cdi.handle = cd;
cd->cdi.mask = 0;
cd->cdi.capacity = 1;
sprintf(cd->cdi.name, "sr%d", minor);
sdev->sector_size = 2048; /* A guess, just in case */
/* FIXME: need to handle a get_capabilities failure properly ?? */
get_capabilities(cd);
Reported by FlawFinder.
Line: 804
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void get_sectorsize(struct scsi_cd *cd)
{
unsigned char cmd[10];
unsigned char buffer[8];
int the_result, retries = 3;
int sector_size;
struct request_queue *queue;
Reported by FlawFinder.
Line: 805
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void get_sectorsize(struct scsi_cd *cd)
{
unsigned char cmd[10];
unsigned char buffer[8];
int the_result, retries = 3;
int sector_size;
struct request_queue *queue;
do {
Reported by FlawFinder.
drivers/spi/spi-fsl-qspi.c
4 issues
Line: 567
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 val;
for (i = 0; i < ALIGN_DOWN(op->data.nbytes, 4); i += 4) {
memcpy(&val, op->data.buf.out + i, 4);
val = fsl_qspi_endian_xchg(q, val);
qspi_writel(q, val, base + QUADSPI_TBDR);
}
if (i < op->data.nbytes) {
Reported by FlawFinder.
Line: 573
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (i < op->data.nbytes) {
memcpy(&val, op->data.buf.out + i, op->data.nbytes - i);
val = fsl_qspi_endian_xchg(q, val);
qspi_writel(q, val, base + QUADSPI_TBDR);
}
if (needs_fill_txfifo(q)) {
Reported by FlawFinder.
Line: 595
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < ALIGN_DOWN(op->data.nbytes, 4); i += 4) {
val = qspi_readl(q, base + QUADSPI_RBDR(i / 4));
val = fsl_qspi_endian_xchg(q, val);
memcpy(buf + i, &val, 4);
}
if (i < op->data.nbytes) {
val = qspi_readl(q, base + QUADSPI_RBDR(i / 4));
val = fsl_qspi_endian_xchg(q, val);
Reported by FlawFinder.
Line: 601
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (i < op->data.nbytes) {
val = qspi_readl(q, base + QUADSPI_RBDR(i / 4));
val = fsl_qspi_endian_xchg(q, val);
memcpy(buf + i, &val, op->data.nbytes - i);
}
}
static int fsl_qspi_do_op(struct fsl_qspi *q, const struct spi_mem_op *op)
{
Reported by FlawFinder.
drivers/scsi/snic/vnic_devcmd.h
4 issues
Line: 188
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct vnic_devcmd_fw_info {
char fw_version[32];
char fw_build[32];
char hw_version[32];
char hw_serial_number[32];
};
Reported by FlawFinder.
Line: 189
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct vnic_devcmd_fw_info {
char fw_version[32];
char fw_build[32];
char hw_version[32];
char hw_serial_number[32];
};
struct vnic_devcmd_notify {
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct vnic_devcmd_fw_info {
char fw_version[32];
char fw_build[32];
char hw_version[32];
char hw_serial_number[32];
};
struct vnic_devcmd_notify {
u32 csum; /* checksum over following words */
Reported by FlawFinder.
Line: 191
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char fw_version[32];
char fw_build[32];
char hw_version[32];
char hw_serial_number[32];
};
struct vnic_devcmd_notify {
u32 csum; /* checksum over following words */
Reported by FlawFinder.
drivers/staging/rtl8192u/ieee80211/ieee80211_module.c
4 issues
Line: 188
Column: 46
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
ieee80211_crypt_deinit_entries(ieee, 1);
for (i = 0; i < WEP_KEYS; i++) {
struct ieee80211_crypt_data *crypt = ieee->crypt[i];
if (crypt) {
if (crypt->ops)
crypt->ops->deinit(crypt->priv);
kfree(crypt);
Reported by FlawFinder.
Line: 190
Column: 7
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
for (i = 0; i < WEP_KEYS; i++) {
struct ieee80211_crypt_data *crypt = ieee->crypt[i];
if (crypt) {
if (crypt->ops)
crypt->ops->deinit(crypt->priv);
kfree(crypt);
ieee->crypt[i] = NULL;
}
Reported by FlawFinder.
Line: 193
Column: 10
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
if (crypt) {
if (crypt->ops)
crypt->ops->deinit(crypt->priv);
kfree(crypt);
ieee->crypt[i] = NULL;
}
}
ieee80211_networks_free(ieee);
Reported by FlawFinder.
Line: 194
Column: 10
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
if (crypt->ops)
crypt->ops->deinit(crypt->priv);
kfree(crypt);
ieee->crypt[i] = NULL;
}
}
ieee80211_networks_free(ieee);
free_netdev(dev);
Reported by FlawFinder.