The following issues were found
drivers/staging/greybus/Documentation/firmware/firmware.c
4 issues
Line: 193
Column: 7
CWE codes:
362
printf("Opening %s firmware management device\n", fwdev);
fd = open(fwdev, O_RDWR);
if (fd < 0) {
printf("Failed to open: %s\n", fwdev);
return -1;
}
Reported by FlawFinder.
Line: 66
Column: 2
CWE codes:
120
intf_load.major = 0;
intf_load.minor = 0;
strncpy((char *)&intf_load.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE);
ret = ioctl(fd, FW_MGMT_IOC_INTF_LOAD_AND_VALIDATE, &intf_load);
if (ret < 0) {
printf("Failed to load interface firmware: %s (%d)\n", fwdev,
Reported by FlawFinder.
Line: 104
Column: 2
CWE codes:
120
/* Get Backend Firmware Version */
printf("Getting Backend Firmware Version\n");
strncpy((char *)&backend_fw_info.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE);
retry_fw_version:
ret = ioctl(fd, FW_MGMT_IOC_GET_BACKEND_FW, &backend_fw_info);
if (ret < 0) {
Reported by FlawFinder.
Line: 132
Column: 2
CWE codes:
120
/* Try Backend Firmware Update over Unipro */
printf("Updating Backend Firmware\n");
strncpy((char *)&backend_update.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE);
retry_fw_update:
backend_update.status = 0;
Reported by FlawFinder.
drivers/usb/musb/tusb6010.c
4 issues
Line: 185
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len > 4) {
for (i = 0; i < (len >> 2); i++) {
memcpy(&val, buf, 4);
musb_writel(fifo, 0, val);
buf += 4;
}
len %= 4;
}
Reported by FlawFinder.
Line: 193
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (len > 0) {
/* Write the rest 1 - 3 bytes to FIFO */
memcpy(&val, buf, len);
musb_writel(fifo, 0, val);
}
}
static inline void tusb_fifo_read_unaligned(void __iomem *fifo,
Reported by FlawFinder.
Line: 207
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len > 4) {
for (i = 0; i < (len >> 2); i++) {
val = musb_readl(fifo, 0);
memcpy(buf, &val, 4);
buf += 4;
}
len %= 4;
}
if (len > 0) {
Reported by FlawFinder.
Line: 215
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len > 0) {
/* Read the rest 1 - 3 bytes from FIFO */
val = musb_readl(fifo, 0);
memcpy(buf, &val, len);
}
}
static void tusb_write_fifo(struct musb_hw_ep *hw_ep, u16 len, const u8 *buf)
{
Reported by FlawFinder.
drivers/scsi/scsi_dh.c
4 issues
Line: 79
Column: 41
CWE codes:
126
return "alua";
for (b = scsi_dh_blist; b->vendor; b++) {
if (!strncmp(sdev->vendor, b->vendor, strlen(b->vendor)) &&
!strncmp(sdev->model, b->model, strlen(b->model))) {
return b->driver;
}
}
return NULL;
Reported by FlawFinder.
Line: 80
Column: 39
CWE codes:
126
for (b = scsi_dh_blist; b->vendor; b++) {
if (!strncmp(sdev->vendor, b->vendor, strlen(b->vendor)) &&
!strncmp(sdev->model, b->model, strlen(b->model))) {
return b->driver;
}
}
return NULL;
}
Reported by FlawFinder.
Line: 94
Column: 33
CWE codes:
126
spin_lock(&list_lock);
list_for_each_entry(tmp, &scsi_dh_list, list) {
if (!strncmp(tmp->name, name, strlen(tmp->name))) {
found = tmp;
break;
}
}
spin_unlock(&list_lock);
Reported by FlawFinder.
Line: 107
Column: 15
CWE codes:
126
{
struct scsi_device_handler *dh;
if (!name || strlen(name) == 0)
return NULL;
dh = __scsi_dh_lookup(name);
if (!dh) {
request_module("scsi_dh_%s", name);
Reported by FlawFinder.
drivers/staging/greybus/authentication.c
4 issues
Line: 97
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
}
memcpy(euid, response.uid, sizeof(response.uid));
return 0;
}
static int cap_get_ims_certificate(struct gb_cap *cap, u32 class, u32 id,
Reported by FlawFinder.
Line: 133
Column: 2
CWE codes:
120
Suggestion:
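Make sure destination can always hold the source data. In this excerpt the copy length (*size) is computed from the response payload size rather than from the destination, so the check to look for is one that compares it with the capacity of the certificate buffer; the subtraction also needs payload_size to be at least sizeof(*response). Neither check is visible here.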
response = op->response->payload;
*result = response->result_code;
*size = op->response->payload_size - sizeof(*response);
memcpy(certificate, response->certificate, *size);
done:
gb_operation_put(op);
return ret;
}
Reported by FlawFinder.
Line: 172
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
response = op->response->payload;
*result = response->result_code;
*signature_size = op->response->payload_size - sizeof(*response);
memcpy(auth_response, response->response, sizeof(response->response));
memcpy(signature, response->signature, *signature_size);
done:
gb_operation_put(op);
return ret;
Reported by FlawFinder.
Line: 173
Column: 2
CWE codes:
120
Suggestion:
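Make sure destination can always hold the source data. Here *signature_size is derived from the response payload size, so it needs to be validated against the capacity of the signature buffer (and payload_size against sizeof(*response)) before the copy; no such check is visible in this excerpt.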
*result = response->result_code;
*signature_size = op->response->payload_size - sizeof(*response);
memcpy(auth_response, response->response, sizeof(response->response));
memcpy(signature, response->signature, *signature_size);
done:
gb_operation_put(op);
return ret;
}
Reported by FlawFinder.
drivers/soc/tegra/pmc.c
4 issues
Line: 2127
Column: 10
CWE codes:
120
Suggestion:
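Use sprintf_s, snprintf, or vsnprintf. These calls appear to be in sysfs show callbacks (note the DEVICE_ATTR_RO declarations in the excerpts), where the kernel's bounded helper is sysfs_emit(); sprintf_s is not available in kernel code. The same applies to the other three findings in this file.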
value >>= pmc->soc->regs->rst_source_shift;
if (WARN_ON(value >= pmc->soc->num_reset_sources))
return sprintf(buf, "%s\n", "UNKNOWN");
return sprintf(buf, "%s\n", pmc->soc->reset_sources[value]);
}
static DEVICE_ATTR_RO(reset_reason);
Reported by FlawFinder.
Line: 2129
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (WARN_ON(value >= pmc->soc->num_reset_sources))
return sprintf(buf, "%s\n", "UNKNOWN");
return sprintf(buf, "%s\n", pmc->soc->reset_sources[value]);
}
static DEVICE_ATTR_RO(reset_reason);
static ssize_t reset_level_show(struct device *dev,
Reported by FlawFinder.
Line: 2144
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
value >>= pmc->soc->regs->rst_level_shift;
if (WARN_ON(value >= pmc->soc->num_reset_levels))
return sprintf(buf, "%s\n", "UNKNOWN");
return sprintf(buf, "%s\n", pmc->soc->reset_levels[value]);
}
static DEVICE_ATTR_RO(reset_level);
Reported by FlawFinder.
Line: 2146
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (WARN_ON(value >= pmc->soc->num_reset_levels))
return sprintf(buf, "%s\n", "UNKNOWN");
return sprintf(buf, "%s\n", pmc->soc->reset_levels[value]);
}
static DEVICE_ATTR_RO(reset_level);
static void tegra_pmc_reset_sysfs_init(struct tegra_pmc *pmc)
Reported by FlawFinder.
drivers/target/target_core_rd.c
4 issues
Line: 487
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rd_addr = sg_virt(rd_sg) + rd_offset;
if (data_direction == DMA_FROM_DEVICE)
memcpy(m.addr, rd_addr, len);
else
memcpy(rd_addr, m.addr, len);
rd_size -= len;
if (!rd_size)
Reported by FlawFinder.
Line: 489
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (data_direction == DMA_FROM_DEVICE)
memcpy(m.addr, rd_addr, len);
else
memcpy(rd_addr, m.addr, len);
rd_size -= len;
if (!rd_size)
continue;
Reported by FlawFinder.
Line: 599
Column: 15
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct rd_dev *rd_dev = RD_DEV(dev);
ssize_t bl = sprintf(b, "TCM RamDisk ID: %u RamDisk Makeup: rd_mcp\n",
rd_dev->rd_dev_id);
bl += sprintf(b + bl, " PAGES/PAGE_SIZE: %u*%lu"
" SG_table_count: %u nullio: %d dummy: %d\n",
rd_dev->rd_page_count,
PAGE_SIZE, rd_dev->sg_table_count,
Reported by FlawFinder.
Line: 601
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ssize_t bl = sprintf(b, "TCM RamDisk ID: %u RamDisk Makeup: rd_mcp\n",
rd_dev->rd_dev_id);
bl += sprintf(b + bl, " PAGES/PAGE_SIZE: %u*%lu"
" SG_table_count: %u nullio: %d dummy: %d\n",
rd_dev->rd_page_count,
PAGE_SIZE, rd_dev->sg_table_count,
!!(rd_dev->rd_flags & RDF_NULLIO),
!!(rd_dev->rd_flags & RDF_DUMMY));
Reported by FlawFinder.
drivers/tty/serial/sunsab.c
4 issues
Line: 797
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct uart_sunsab_port *up = (void *)port;
static char buf[36];
sprintf(buf, "SAB82532 %s", sab82532_version[up->type]);
return buf;
}
static void sunsab_release_port(struct uart_port *port)
{
Reported by FlawFinder.
Line: 78
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
#define SAB_BASE_BAUD ( 29491200 / 16 )
/*
 * Table of chip version strings, 16 entries, each a string literal.
 * sunsab_type() indexes it with up->type when building the port
 * description, so that index has to stay below 16.
 *
 * NOTE(review): the scanner flags the fixed-size array declaration
 * itself. The initialiser supplies exactly 16 literals, so the point to
 * verify is the range of the index used to read the table, not the
 * declaration.
 */
static char *sab82532_version[16] = {
"V1.0", "V2.0", "V3.2", "V(0x03)",
"V(0x04)", "V(0x05)", "V(0x06)", "V(0x07)",
"V(0x08)", "V(0x09)", "V(0x0a)", "V(0x0b)",
"V(0x0c)", "V(0x0d)", "V(0x0e)", "V(0x0f)"
};
Reported by FlawFinder.
Line: 112
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union sab82532_irq_status *stat)
{
struct tty_port *port = NULL;
unsigned char buf[32];
int saw_console_brk = 0;
int free_fifo = 0;
int count = 0;
int i;
Reported by FlawFinder.
Line: 795
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Build a description string for the port: the fixed prefix "SAB82532 "
 * followed by the version string selected by up->type.
 *
 * The string is written into a function-local static buffer, so every
 * call overwrites the same storage and the returned pointer refers to
 * that shared buffer.
 */
static const char *sunsab_type(struct uart_port *port)
{
struct uart_sunsab_port *up = (void *)port;
static char buf[36];
/*
 * NOTE(review): flagged for the unbounded sprintf(). With the 16-entry
 * sab82532_version table (longest entry is 7 characters) the output is
 * at most 9 + 7 + 1 = 17 bytes, which fits in buf[36]. That bound holds
 * only while up->type is below 16; no range check on it is visible in
 * this function - confirm where type is assigned.
 */
sprintf(buf, "SAB82532 %s", sab82532_version[up->type]);
return buf;
}
Reported by FlawFinder.
drivers/usb/mtu3/mtu3_debugfs.c
4 issues
Line: 135
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!mregs)
return;
sprintf(mregs->name, "%s", name);
regset = &mregs->regset;
regset->regs = regs;
regset->nregs = nregs;
regset->base = base;
Reported by FlawFinder.
Line: 321
Column: 2
CWE codes:
119
120
Suggestion:
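Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt the copy_from_user() length is already capped at sizeof(buf) - 1, so the copy itself is bounded; what the excerpt does not show is whether buf is NUL-terminated before it is parsed as a string. The same pattern recurs in the next two findings for this file.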
struct seq_file *sf = file->private_data;
struct mtu3 *mtu = sf->private;
const struct debugfs_reg32 *regs;
char buf[32];
u32 val;
int i;
if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
return -EFAULT;
Reported by FlawFinder.
Line: 451
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct seq_file *sf = file->private_data;
struct ssusb_mtk *ssusb = sf->private;
char buf[16];
if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
return -EFAULT;
if (!strncmp(buf, "host", 4) && !ssusb->is_host) {
Reported by FlawFinder.
Line: 498
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct seq_file *sf = file->private_data;
struct ssusb_mtk *ssusb = sf->private;
struct otg_switch_mtk *otg_sx = &ssusb->otg_switch;
char buf[16];
bool enable;
if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
return -EFAULT;
Reported by FlawFinder.
drivers/scsi/ncr53c8xx.c
4 issues
Line: 1613
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
**----------------------------------------------------------------
*/
int unit; /* Unit number */
char inst_name[16]; /* ncb instance name */
/*----------------------------------------------------------------
** Initial value of some IO register bits.
** These values are assumed to have been set by BIOS, and may
** be used for probing adapter implementation differences.
Reported by FlawFinder.
Line: 4705
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct lcb *lp;
int target, lun;
int i;
char inst_name[16];
/* Local copy so we don't access np after freeing it! */
strlcpy(inst_name, ncr_name(np), sizeof(inst_name));
printk("%s: releasing host resources\n", ncr_name(np));
Reported by FlawFinder.
Line: 4961
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
** Copy back sense data to caller's buffer.
*/
memcpy(cmd->sense_buffer, cp->sense_buf,
min_t(size_t, SCSI_SENSE_BUFFERSIZE,
sizeof(cp->sense_buf)));
if (DEBUG_FLAGS & (DEBUG_RESULT|DEBUG_TINY)) {
u_char *p = cmd->sense_buffer;
Reported by FlawFinder.
Line: 8344
Column: 2
CWE codes:
120
Suggestion:
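Use sprintf_s, snprintf, or vsnprintf. If np->inst_name is the 16-byte inst_name field shown in the first finding for this file, the 10-character prefix leaves room for at most 5 characters of unit before the terminating NUL, so snprintf(np->inst_name, sizeof(np->inst_name), ...) would make the bound explicit.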
/* Store input information in the host data structure. */
np->unit = unit;
np->verbose = driver_setup.verbose;
sprintf(np->inst_name, "ncr53c720-%d", np->unit);
np->revision_id = device->chip.revision_id;
np->features = device->chip.features;
np->clock_divn = device->chip.nr_divisor;
np->maxoffs = device->chip.offset_max;
np->maxburst = device->chip.burst_max;
Reported by FlawFinder.
drivers/usb/host/u132-hcd.c
4 issues
Line: 93
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define MAX_U132_UDEVS 4
#define MAX_U132_ENDPS 100
#define MAX_U132_RINGS 4
static const char *cc_to_text[16] = {
"No Error ",
"CRC Error ",
"Bit Stuff ",
"Data Togg ",
"Stall ",
Reported by FlawFinder.
Line: 2335
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 urb_size = 8;
u8 *b = urb->setup_packet;
int i = 0;
char data[30 * 3 + 4];
char *d = data;
int m = (sizeof(data) - 1) / 3;
int l = 0;
data[0] = 0;
while (urb_size-- > 0) {
Reported by FlawFinder.
Line: 2343
Column: 14
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
while (urb_size-- > 0) {
if (i > m) {
} else if (i++ < m) {
int w = sprintf(d, " %02X", *b++);
d += w;
l += w;
} else
d += sprintf(d, " ..");
}
Reported by FlawFinder.
Line: 2347
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
d += w;
l += w;
} else
d += sprintf(d, " ..");
}
if (endp) {
unsigned long irqs;
int retval;
spin_lock_irqsave(&endp->queue_lock.slock,
Reported by FlawFinder.