The following issues were found
drivers/soc/qcom/qcom_aoss.c
4 issues
Line: 267
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int qmp_qdss_clk_prepare(struct clk_hw *hw)
{
static const char buf[QMP_MSG_LEN] = "{class: clock, res: qdss, val: 1}";
struct qmp *qmp = container_of(hw, struct qmp, qdss_clk);
return qmp_send(qmp, buf, sizeof(buf));
}
Reported by FlawFinder.
Line: 275
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void qmp_qdss_clk_unprepare(struct clk_hw *hw)
{
static const char buf[QMP_MSG_LEN] = "{class: clock, res: qdss, val: 0}";
struct qmp *qmp = container_of(hw, struct qmp, qdss_clk);
qmp_send(qmp, buf, sizeof(buf));
}
Reported by FlawFinder.
Line: 319
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int qmp_pd_power_toggle(struct qmp_pd *res, bool enable)
{
char buf[QMP_MSG_LEN] = {};
snprintf(buf, sizeof(buf),
"{class: image, res: load_state, name: %s, val: %s}",
res->pd.name, enable ? "on" : "off");
return qmp_send(res->qmp, buf, sizeof(buf));
Reported by FlawFinder.
Line: 426
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long state)
{
struct qmp_cooling_device *qmp_cdev = cdev->devdata;
char buf[QMP_MSG_LEN] = {};
bool cdev_state;
int ret;
/* Normalize state */
cdev_state = !!state;
Reported by FlawFinder.
drivers/usb/early/xhci-dbc.h
4 issues
Line: 95
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define XDBC_STRING_SERIAL "0001"
struct xdbc_strings {
char string0[XDBC_MAX_STRING_LENGTH];
char manufacturer[XDBC_MAX_STRING_LENGTH];
char product[XDBC_MAX_STRING_LENGTH];
char serial[XDBC_MAX_STRING_LENGTH];
};
Reported by FlawFinder.
Line: 96
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct xdbc_strings {
char string0[XDBC_MAX_STRING_LENGTH];
char manufacturer[XDBC_MAX_STRING_LENGTH];
char product[XDBC_MAX_STRING_LENGTH];
char serial[XDBC_MAX_STRING_LENGTH];
};
#define XDBC_PROTOCOL 1 /* GNU Remote Debug Command Set */
Reported by FlawFinder.
Line: 97
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct xdbc_strings {
char string0[XDBC_MAX_STRING_LENGTH];
char manufacturer[XDBC_MAX_STRING_LENGTH];
char product[XDBC_MAX_STRING_LENGTH];
char serial[XDBC_MAX_STRING_LENGTH];
};
#define XDBC_PROTOCOL 1 /* GNU Remote Debug Command Set */
#define XDBC_VENDOR_ID 0x1d6b /* Linux Foundation 0x1d6b */
Reported by FlawFinder.
Line: 98
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char string0[XDBC_MAX_STRING_LENGTH];
char manufacturer[XDBC_MAX_STRING_LENGTH];
char product[XDBC_MAX_STRING_LENGTH];
char serial[XDBC_MAX_STRING_LENGTH];
};
#define XDBC_PROTOCOL 1 /* GNU Remote Debug Command Set */
#define XDBC_VENDOR_ID 0x1d6b /* Linux Foundation 0x1d6b */
#define XDBC_PRODUCT_ID 0x0011 /* __le16 idProduct; device 0011 */
Reported by FlawFinder.
drivers/staging/media/zoran/videocodec.h
4 issues
Line: 226
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct jpeg_com_marker {
int len; /* number of usable bytes in data */
char data[60];
};
struct jpeg_app_marker {
int appn; /* number app segment */
int len; /* number of usable bytes in data */
Reported by FlawFinder.
Line: 232
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct jpeg_app_marker {
int appn; /* number app segment */
int len; /* number of usable bytes in data */
char data[60];
};
struct videocodec {
struct module *owner;
/* -- filled in by slave device during register -- */
Reported by FlawFinder.
Line: 238
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct videocodec {
struct module *owner;
/* -- filled in by slave device during register -- */
char name[32];
unsigned long magic; /* may be used for client<->master attaching */
unsigned long flags; /* functionality flags */
unsigned int type; /* codec type */
/* -- these is filled in later during master device attach -- */
Reported by FlawFinder.
Line: 277
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct videocodec_master {
/* -- filled in by master device for registration -- */
char name[32];
unsigned long magic; /* may be used for client<->master attaching */
unsigned long flags; /* functionality flags */
unsigned int type; /* master type */
void *data; /* private master data */
Reported by FlawFinder.
drivers/tty/hvc/hvc_console.c
4 issues
Line: 154
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void hvc_console_print(struct console *co, const char *b,
unsigned count)
{
char c[N_OUTBUF] __ALIGNED__;
unsigned i = 0, n = 0;
int r, donecr = 0, index = co->index;
/* Console access attempt outside of acceptable console range. */
if (index >= MAX_NR_HVC_CONSOLES)
Reported by FlawFinder.
Line: 523
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rsize) {
if (rsize > count)
rsize = count;
memcpy(hp->outbuf + hp->n_outbuf, buf, rsize);
count -= rsize;
buf += rsize;
hp->n_outbuf += rsize;
written += rsize;
}
Reported by FlawFinder.
Line: 636
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct tty_struct *tty;
int i, n, count, poll_mask = 0;
char buf[N_INBUF] __ALIGNED__;
unsigned long flags;
int read_total = 0;
int written_total = 0;
spin_lock_irqsave(&hp->lock, flags);
Reported by FlawFinder.
Line: 934
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
hp->data = data;
hp->ops = ops;
hp->outbuf_size = outbuf_size;
hp->outbuf = &((char *)hp)[ALIGN(sizeof(*hp), sizeof(long))];
tty_port_init(&hp->port);
hp->port.ops = &hvc_port_ops;
INIT_WORK(&hp->tty_resize, hvc_set_winsz);
Reported by FlawFinder.
drivers/video/fbdev/metronomefb.c
4 issues
Line: 377
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
we can't immediately set the opcode since the controller
will try parse the command before we've set it all up */
memcpy(par->metromem_cmd->args, epd_frame_table[par->dt].config,
sizeof(epd_frame_table[par->dt].config));
/* the rest are 0 */
memset(&par->metromem_cmd->args[4], 0,
(ARRAY_SIZE(par->metromem_cmd->args) - 4) * 2);
Reported by FlawFinder.
Line: 445
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fbsize = par->info->fix.smem_len;
/* copy from vm to metromem */
memcpy(par->metromem_img, buf, fbsize);
cksum = calc_img_cksum((u16 *) par->metromem_img, fbsize/2);
*((u16 *)(par->metromem_img) + fbsize/2) = cksum;
metronome_display_cmd(par);
}
Reported by FlawFinder.
Line: 717
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* set cmap */
for (i = 0; i < 8; i++)
info->cmap.red[i] = (((2*i)+1)*(0xFFFF))/16;
memcpy(info->cmap.green, info->cmap.red, sizeof(u16)*8);
memcpy(info->cmap.blue, info->cmap.red, sizeof(u16)*8);
retval = register_framebuffer(info);
if (retval < 0)
goto err_cmap;
Reported by FlawFinder.
Line: 718
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < 8; i++)
info->cmap.red[i] = (((2*i)+1)*(0xFFFF))/16;
memcpy(info->cmap.green, info->cmap.red, sizeof(u16)*8);
memcpy(info->cmap.blue, info->cmap.red, sizeof(u16)*8);
retval = register_framebuffer(info);
if (retval < 0)
goto err_cmap;
Reported by FlawFinder.
drivers/scsi/st.h
4 issues
Line: 28
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* scsi tape command */
struct st_request {
unsigned char cmd[MAX_COMMAND_SIZE];
unsigned char sense[SCSI_SENSE_BUFFERSIZE];
int result;
struct scsi_tape *stp;
struct completion *waiting;
struct bio *bio;
Reported by FlawFinder.
Line: 29
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* scsi tape command */
struct st_request {
unsigned char cmd[MAX_COMMAND_SIZE];
unsigned char sense[SCSI_SENSE_BUFFERSIZE];
int result;
struct scsi_tape *stp;
struct completion *waiting;
struct bio *bio;
};
Reported by FlawFinder.
Line: 187
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int nbr_requests;
int nbr_dio;
int nbr_pages;
unsigned char last_cmnd[6];
unsigned char last_sense[16];
#endif
struct gendisk *disk;
struct kref kref;
struct scsi_tape_stats *stats;
Reported by FlawFinder.
Line: 188
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int nbr_dio;
int nbr_pages;
unsigned char last_cmnd[6];
unsigned char last_sense[16];
#endif
struct gendisk *disk;
struct kref kref;
struct scsi_tape_stats *stats;
};
Reported by FlawFinder.
drivers/staging/rtl8192u/ieee80211/ieee80211.h
4 issues
Line: 320
Column: 5
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
u8 seq[8]; /* sequence counter (set: RX, get: TX) */
u16 key_len;
u8 key[0];
} crypt;
} u;
};
// linux under 2.6.9 release may not support it, so modify it for common use
Reported by FlawFinder.
Line: 1716
Column: 31
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
u16 pairwise_key_type;
u16 group_key_type;
struct list_head crypt_deinit_list;
struct ieee80211_crypt_data *crypt[WEP_KEYS];
int tx_keyidx; /* default TX key index (crypt[tx_keyidx]) */
struct timer_list crypt_deinit_timer;
int crypt_quiesced;
int bcrx_sta_key; /* use individual keys to override default keys even
Reported by FlawFinder.
Line: 2418
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline const char *escape_essid(const char *essid, u8 essid_len)
{
static char escaped[IW_ESSID_MAX_SIZE * 2 + 1];
if (ieee80211_is_empty_essid(essid, essid_len)) {
memcpy(escaped, "<hidden>", sizeof("<hidden>"));
return escaped;
}
Reported by FlawFinder.
Line: 2421
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static char escaped[IW_ESSID_MAX_SIZE * 2 + 1];
if (ieee80211_is_empty_essid(essid, essid_len)) {
memcpy(escaped, "<hidden>", sizeof("<hidden>"));
return escaped;
}
snprintf(escaped, sizeof(escaped), "%*pE", essid_len, essid);
return escaped;
Reported by FlawFinder.
drivers/vfio/mdev/vfio_mdev.c
4 issues
Line: 25
Column: 29
CWE codes:
362
struct mdev_device *mdev = to_mdev_device(core_vdev->dev);
struct mdev_parent *parent = mdev->type->parent;
if (unlikely(!parent->ops->open))
return -EINVAL;
return parent->ops->open(mdev);
}
Reported by FlawFinder.
Line: 28
Column: 22
CWE codes:
362
if (unlikely(!parent->ops->open))
return -EINVAL;
return parent->ops->open(mdev);
}
static void vfio_mdev_release(struct vfio_device *core_vdev)
{
struct mdev_device *mdev = to_mdev_device(core_vdev->dev);
Reported by FlawFinder.
Line: 58
Column: 29
CWE codes:
120
20
struct mdev_device *mdev = to_mdev_device(core_vdev->dev);
struct mdev_parent *parent = mdev->type->parent;
if (unlikely(!parent->ops->read))
return -EINVAL;
return parent->ops->read(mdev, buf, count, ppos);
}
Reported by FlawFinder.
Line: 61
Column: 22
CWE codes:
120
20
if (unlikely(!parent->ops->read))
return -EINVAL;
return parent->ops->read(mdev, buf, count, ppos);
}
static ssize_t vfio_mdev_write(struct vfio_device *core_vdev,
const char __user *buf, size_t count,
loff_t *ppos)
Reported by FlawFinder.
drivers/vdpa/vdpa_sim/vdpa_sim_net.c
4 issues
Line: 117
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
net_config->mtu = cpu_to_vdpasim16(vdpasim, 1500);
net_config->status = cpu_to_vdpasim16(vdpasim, VIRTIO_NET_S_LINK_UP);
memcpy(net_config->mac, macaddr_buf, ETH_ALEN);
}
static void vdpasim_net_mgmtdev_release(struct device *dev)
{
}
Reported by FlawFinder.
Line: 43
Column: 10
CWE codes:
120
20
struct vdpasim *vdpasim = container_of(work, struct vdpasim, work);
struct vdpasim_virtqueue *txq = &vdpasim->vqs[1];
struct vdpasim_virtqueue *rxq = &vdpasim->vqs[0];
ssize_t read, write;
size_t total_write;
int pkts = 0;
int err;
spin_lock(&vdpasim->lock);
Reported by FlawFinder.
Line: 74
Column: 8
CWE codes:
120
20
read = vringh_iov_pull_iotlb(&txq->vring, &txq->out_iov,
vdpasim->buffer,
PAGE_SIZE);
if (read <= 0)
break;
write = vringh_iov_push_iotlb(&rxq->vring, &rxq->in_iov,
vdpasim->buffer, read);
if (write <= 0)
Reported by FlawFinder.
drivers/thunderbolt/retimer.c
4 issues
Line: 188
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct tb_retimer *rt = tb_to_retimer(dev);
return sprintf(buf, "%#x\n", rt->device);
}
static DEVICE_ATTR_RO(device);
static ssize_t nvm_authenticate_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 204
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!rt->nvm)
ret = -EAGAIN;
else
ret = sprintf(buf, "%#x\n", rt->auth_status);
mutex_unlock(&rt->tb->lock);
return ret;
}
Reported by FlawFinder.
Line: 279
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!rt->nvm)
ret = -EAGAIN;
else
ret = sprintf(buf, "%x.%x\n", rt->nvm->major, rt->nvm->minor);
mutex_unlock(&rt->tb->lock);
return ret;
}
static DEVICE_ATTR_RO(nvm_version);
Reported by FlawFinder.
Line: 291
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct tb_retimer *rt = tb_to_retimer(dev);
return sprintf(buf, "%#x\n", rt->vendor);
}
static DEVICE_ATTR_RO(vendor);
static struct attribute *retimer_attrs[] = {
&dev_attr_device.attr,
Reported by FlawFinder.