The following issues were found
drivers/bus/brcmstb_gisb.c
4 issues
Line: 134
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mutex lock;
struct list_head next;
u32 valid_mask;
const char *master_names[sizeof(u32) * BITS_PER_BYTE];
u32 saved_timeout;
};
static LIST_HEAD(brcmstb_gisb_arb_device_list);
Reported by FlawFinder.
Line: 202
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
timeout = gisb_read(gdev, ARB_TIMER);
mutex_unlock(&gdev->lock);
return sprintf(buf, "%d", timeout);
}
static ssize_t gisb_arb_set_timeout(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 245
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u64 arb_addr;
u32 master;
const char *m_name;
char m_fmt[11];
cap_status = gisb_read(gdev, ARB_ERR_CAP_STATUS);
/* Invalid captured address, bail out */
if (!(cap_status & ARB_ERR_CAP_STATUS_VALID))
Reported by FlawFinder.
Line: 319
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 bp_status;
u64 arb_addr;
u32 master;
char m_fmt[11];
bp_status = gisb_read(gdev, ARB_BP_CAP_STATUS);
/* Invalid captured address, bail out */
if (!(bp_status & ARB_BP_CAP_STATUS_VALID))
Reported by FlawFinder.
drivers/bus/fsl-mc/dprc.c
4 issues
Line: 453
Column: 2
CWE codes:
120
obj_desc->ver_major = le16_to_cpu(rsp_params->version_major);
obj_desc->ver_minor = le16_to_cpu(rsp_params->version_minor);
obj_desc->flags = le16_to_cpu(rsp_params->flags);
strncpy(obj_desc->type, rsp_params->type, 16);
obj_desc->type[15] = '\0';
strncpy(obj_desc->label, rsp_params->label, 16);
obj_desc->label[15] = '\0';
return 0;
}
Reported by FlawFinder.
Line: 455
Column: 2
CWE codes:
120
obj_desc->flags = le16_to_cpu(rsp_params->flags);
strncpy(obj_desc->type, rsp_params->type, 16);
obj_desc->type[15] = '\0';
strncpy(obj_desc->label, rsp_params->label, 16);
obj_desc->label[15] = '\0';
return 0;
}
EXPORT_SYMBOL_GPL(dprc_get_obj);
Reported by FlawFinder.
Line: 494
Column: 2
CWE codes:
120
cmd_params->irq_addr = cpu_to_le64(irq_cfg->paddr);
cmd_params->irq_num = cpu_to_le32(irq_cfg->irq_num);
cmd_params->obj_id = cpu_to_le32(obj_id);
strncpy(cmd_params->obj_type, obj_type, 16);
cmd_params->obj_type[15] = '\0';
/* send command to mc*/
return mc_send_command(mc_io, &cmd);
}
Reported by FlawFinder.
Line: 567
Column: 2
CWE codes:
120
cmd_params = (struct dprc_cmd_get_obj_region *)cmd.params;
cmd_params->obj_id = cpu_to_le32(obj_id);
cmd_params->region_index = region_index;
strncpy(cmd_params->obj_type, obj_type, 16);
cmd_params->obj_type[15] = '\0';
/* send command to mc*/
err = mc_send_command(mc_io, &cmd);
if (err)
Reported by FlawFinder.
drivers/bus/mhi/core/init.c
4 issues
Line: 24
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static DEFINE_IDA(mhi_controller_ida);
const char * const mhi_ee_str[MHI_EE_MAX] = {
[MHI_EE_PBL] = "PRIMARY BOOTLOADER",
[MHI_EE_SBL] = "SECONDARY BOOTLOADER",
[MHI_EE_AMSS] = "MISSION MODE",
[MHI_EE_RDDM] = "RAMDUMP DOWNLOAD MODE",
[MHI_EE_WFW] = "WLAN FIRMWARE",
Reported by FlawFinder.
Line: 37
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[MHI_EE_NOT_SUPPORTED] = "NOT SUPPORTED",
};
const char * const dev_state_tran_str[DEV_ST_TRANSITION_MAX] = {
[DEV_ST_TRANSITION_PBL] = "PBL",
[DEV_ST_TRANSITION_READY] = "READY",
[DEV_ST_TRANSITION_SBL] = "SBL",
[DEV_ST_TRANSITION_MISSION_MODE] = "MISSION MODE",
[DEV_ST_TRANSITION_FP] = "FLASH PROGRAMMER",
Reported by FlawFinder.
Line: 47
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[DEV_ST_TRANSITION_DISABLE] = "DISABLE",
};
const char * const mhi_state_str[MHI_STATE_MAX] = {
[MHI_STATE_RESET] = "RESET",
[MHI_STATE_READY] = "READY",
[MHI_STATE_M0] = "M0",
[MHI_STATE_M1] = "M1",
[MHI_STATE_M2] = "M2",
Reported by FlawFinder.
Line: 59
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[MHI_STATE_SYS_ERR] = "SYS ERROR",
};
const char * const mhi_ch_state_type_str[MHI_CH_STATE_TYPE_MAX] = {
[MHI_CH_STATE_TYPE_RESET] = "RESET",
[MHI_CH_STATE_TYPE_STOP] = "STOP",
[MHI_CH_STATE_TYPE_START] = "START",
};
Reported by FlawFinder.
drivers/bus/mhi/core/internal.h
4 issues
Line: 379
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MHI_CH_STATE_TYPE_MAX,
};
extern const char * const mhi_ch_state_type_str[MHI_CH_STATE_TYPE_MAX];
#define TO_CH_STATE_TYPE_STR(state) (((state) >= MHI_CH_STATE_TYPE_MAX) ? \
"INVALID_STATE" : \
mhi_ch_state_type_str[(state)])
#define MHI_INVALID_BRSTMODE(mode) (mode != MHI_DB_BRST_DISABLE && \
Reported by FlawFinder.
Line: 387
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define MHI_INVALID_BRSTMODE(mode) (mode != MHI_DB_BRST_DISABLE && \
mode != MHI_DB_BRST_ENABLE)
extern const char * const mhi_ee_str[MHI_EE_MAX];
#define TO_MHI_EXEC_STR(ee) (((ee) >= MHI_EE_MAX) ? \
"INVALID_EE" : mhi_ee_str[ee])
#define MHI_IN_PBL(ee) (ee == MHI_EE_PBL || ee == MHI_EE_PTHRU || \
ee == MHI_EE_EDL)
Reported by FlawFinder.
Line: 408
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
DEV_ST_TRANSITION_MAX,
};
extern const char * const dev_state_tran_str[DEV_ST_TRANSITION_MAX];
#define TO_DEV_STATE_TRANS_STR(state) (((state) >= DEV_ST_TRANSITION_MAX) ? \
"INVALID_STATE" : dev_state_tran_str[state])
extern const char * const mhi_state_str[MHI_STATE_MAX];
#define TO_MHI_STATE_STR(state) ((state >= MHI_STATE_MAX || \
Reported by FlawFinder.
Line: 412
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define TO_DEV_STATE_TRANS_STR(state) (((state) >= DEV_ST_TRANSITION_MAX) ? \
"INVALID_STATE" : dev_state_tran_str[state])
extern const char * const mhi_state_str[MHI_STATE_MAX];
#define TO_MHI_STATE_STR(state) ((state >= MHI_STATE_MAX || \
!mhi_state_str[state]) ? \
"INVALID_STATE" : mhi_state_str[state])
/* internal power states */
Reported by FlawFinder.
drivers/char/applicom.h
4 issues
Line: 75
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char tic_ack_from_pc;
unsigned char numcard_ack_from_pc;
unsigned char typ_ack_from_pc;
unsigned char conf_end_test[4];
unsigned char error_code[2];
unsigned char parameter_error[4];
unsigned char time_base;
unsigned char nul_inc;
unsigned char vers;
Reported by FlawFinder.
Line: 76
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char numcard_ack_from_pc;
unsigned char typ_ack_from_pc;
unsigned char conf_end_test[4];
unsigned char error_code[2];
unsigned char parameter_error[4];
unsigned char time_base;
unsigned char nul_inc;
unsigned char vers;
unsigned char num_card;
Reported by FlawFinder.
Line: 77
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char typ_ack_from_pc;
unsigned char conf_end_test[4];
unsigned char error_code[2];
unsigned char parameter_error[4];
unsigned char time_base;
unsigned char nul_inc;
unsigned char vers;
unsigned char num_card;
unsigned char reserv1[32];
Reported by FlawFinder.
Line: 82
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char nul_inc;
unsigned char vers;
unsigned char num_card;
unsigned char reserv1[32];
};
#endif /* __LINUX_APPLICOM_H__ */
Reported by FlawFinder.
drivers/char/bsr.c
4 issues
Line: 58
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
dev_t bsr_dev;
struct cdev bsr_cdev;
struct device *bsr_device;
char bsr_name[32];
};
static unsigned total_bsr_devs;
static struct list_head bsr_devs = LIST_HEAD_INIT(bsr_devs);
Reported by FlawFinder.
Line: 83
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
bsr_size_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct bsr_dev *bsr_dev = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", bsr_dev->bsr_bytes);
}
static DEVICE_ATTR_RO(bsr_size);
static ssize_t
bsr_stride_show(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 91
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
bsr_stride_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct bsr_dev *bsr_dev = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", bsr_dev->bsr_stride);
}
static DEVICE_ATTR_RO(bsr_stride);
static ssize_t
bsr_length_show(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 99
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
bsr_length_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct bsr_dev *bsr_dev = dev_get_drvdata(dev);
return sprintf(buf, "%llu\n", bsr_dev->bsr_len);
}
static DEVICE_ATTR_RO(bsr_length);
static struct attribute *bsr_dev_attrs[] = {
&dev_attr_bsr_size.attr,
Reported by FlawFinder.
drivers/char/hw_random/core.c
4 issues
Line: 191
Column: 11
CWE codes:
120
20
int present;
BUG_ON(!mutex_is_locked(&reading_mutex));
if (rng->read)
return rng->read(rng, (void *)buffer, size, wait);
if (rng->data_present)
present = rng->data_present(rng, wait);
else
Reported by FlawFinder.
Line: 192
Column: 15
CWE codes:
120
20
BUG_ON(!mutex_is_locked(&reading_mutex));
if (rng->read)
return rng->read(rng, (void *)buffer, size, wait);
if (rng->data_present)
present = rng->data_present(rng, wait);
else
present = 1;
Reported by FlawFinder.
Line: 392
Column: 9
CWE codes:
126
strlcat(buf, "\n", PAGE_SIZE);
mutex_unlock(&rng_mutex);
return strlen(buf);
}
static ssize_t rng_selected_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 469
Column: 46
CWE codes:
120
20
struct list_head *rng_list_ptr;
bool is_new_current = false;
if (!rng->name || (!rng->data_read && !rng->read))
goto out;
mutex_lock(&rng_mutex);
/* Must not register two RNGs with the same name. */
Reported by FlawFinder.
drivers/char/ipmi/ipmi_kcs_sm.c
4 issues
Line: 111
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct si_sm_data {
enum kcs_states state;
struct si_sm_io *io;
unsigned char write_data[MAX_KCS_WRITE_SIZE];
int write_pos;
int write_count;
int orig_write_count;
unsigned char read_data[MAX_KCS_READ_SIZE];
int read_pos;
Reported by FlawFinder.
Line: 115
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int write_pos;
int write_count;
int orig_write_count;
unsigned char read_data[MAX_KCS_READ_SIZE];
int read_pos;
int truncated;
unsigned int error_retries;
long ibf_timeout;
Reported by FlawFinder.
Line: 285
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_cont("\n");
}
kcs->error_retries = 0;
memcpy(kcs->write_data, data, size);
kcs->write_count = size;
kcs->orig_write_count = size;
kcs->write_pos = 0;
kcs->read_pos = 0;
kcs->state = KCS_START_OP;
Reported by FlawFinder.
Line: 304
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kcs->truncated = 1;
}
memcpy(data, kcs->read_data, kcs->read_pos);
if ((length >= 3) && (kcs->read_pos < 3)) {
/* Guarantee that we return at least 3 bytes, with an
error in the third byte if it is too short. */
data[2] = IPMI_ERR_UNSPECIFIED;
Reported by FlawFinder.
drivers/char/ipmi/ipmi_smic_sm.c
4 issues
Line: 93
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct si_sm_data {
enum smic_states state;
struct si_sm_io *io;
unsigned char write_data[MAX_SMIC_WRITE_SIZE];
int write_pos;
int write_count;
int orig_write_count;
unsigned char read_data[MAX_SMIC_READ_SIZE];
int read_pos;
Reported by FlawFinder.
Line: 97
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int write_pos;
int write_count;
int orig_write_count;
unsigned char read_data[MAX_SMIC_READ_SIZE];
int read_pos;
int truncated;
unsigned int error_retries;
long smic_timeout;
};
Reported by FlawFinder.
Line: 144
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_cont("\n");
}
smic->error_retries = 0;
memcpy(smic->write_data, data, size);
smic->write_count = size;
smic->orig_write_count = size;
smic->write_pos = 0;
smic->read_pos = 0;
smic->state = SMIC_START_OP;
Reported by FlawFinder.
Line: 169
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
smic->read_pos = length;
smic->truncated = 1;
}
memcpy(data, smic->read_data, smic->read_pos);
if ((length >= 3) && (smic->read_pos < 3)) {
data[2] = IPMI_ERR_UNSPECIFIED;
smic->read_pos = 3;
}
Reported by FlawFinder.
drivers/char/pcmcia/cm4040_cs.c
4 issues
Line: 78
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
wait_queue_head_t write_wait;
unsigned long buffer_status;
unsigned long timeout;
unsigned char s_buf[READ_WRITE_BUFFER_SIZE];
unsigned char r_buf[READ_WRITE_BUFFER_SIZE];
struct timer_list poll_timer;
};
static struct pcmcia_device *dev_table[CM_MAX_DEV];
Reported by FlawFinder.
Line: 79
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long buffer_status;
unsigned long timeout;
unsigned char s_buf[READ_WRITE_BUFFER_SIZE];
unsigned char r_buf[READ_WRITE_BUFFER_SIZE];
struct timer_list poll_timer;
};
static struct pcmcia_device *dev_table[CM_MAX_DEV];
Reported by FlawFinder.
Line: 451
Column: 12
CWE codes:
362
goto out;
}
if (link->open) {
ret = -EBUSY;
goto out;
}
dev = link->priv;
Reported by FlawFinder.
Line: 506
Column: 15
CWE codes:
362
struct reader_dev *dev = link->priv;
DEBUGP(3, dev, "-> cm4040_reader_release\n");
while (link->open) {
DEBUGP(3, dev, MODULE_NAME ": delaying release "
"until process has terminated\n");
wait_event(dev->devq, (link->open == 0));
}
DEBUGP(3, dev, "<- cm4040_reader_release\n");
Reported by FlawFinder.