The following issues were found
drivers/usb/serial/io_edgeport.c
24 issues
Line: 179
Column: 9
CWE codes:
362
__u8 validDataMask;
__u32 baudRate;
bool open;
bool openPending;
bool commandPending;
bool closePending;
bool chaseResponsePending;
Reported by FlawFinder.
Line: 195
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* This structure holds all of the individual device information */
struct edgeport_serial {
char name[MAX_NAME_LEN+2]; /* string name of this device */
struct edge_manuf_descriptor manuf_descriptor; /* the manufacturer descriptor */
struct edge_boot_descriptor boot_descriptor; /* the boot firmware descriptor */
struct edgeport_product_info product_info; /* Product Info */
struct edge_compatibility_descriptor epic_descriptor; /* Edgeport compatible descriptor */
Reported by FlawFinder.
Line: 482
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
product_info->BootBuildNumber =
edge_serial->boot_descriptor.BuildNumber;
memcpy(product_info->ManufactureDescDate,
edge_serial->manuf_descriptor.DescDate,
sizeof(edge_serial->manuf_descriptor.DescDate));
/* check if this is 2nd generation hardware */
if (le16_to_cpu(edge_serial->serial->dev->descriptor.idProduct)
Reported by FlawFinder.
Line: 545
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
300);
if (result == sizeof(*epic)) {
ep->is_epic = 1;
memcpy(&ep->epic_descriptor, epic, sizeof(*epic));
memset(product_info, 0, sizeof(struct edgeport_product_info));
product_info->NumPorts = epic->NumPorts;
product_info->ProdInfoVer = 0;
product_info->FirmwareMajorVersion = epic->MajorVersion;
Reported by FlawFinder.
Line: 676
Column: 33
CWE codes:
362
if (txCredits) {
port = edge_serial->serial->port[portNumber];
edge_port = usb_get_serial_port_data(port);
if (edge_port && edge_port->open) {
spin_lock_irqsave(&edge_port->ep_lock,
flags);
edge_port->txCredits += txCredits;
spin_unlock_irqrestore(&edge_port->ep_lock,
flags);
Reported by FlawFinder.
Line: 786
Column: 17
CWE codes:
362
__func__, status);
}
if (edge_port->open)
tty_port_tty_wakeup(&edge_port->port->port);
/* Release the Write URB */
edge_port->write_in_progress = false;
Reported by FlawFinder.
Line: 827
Column: 17
CWE codes:
362
}
/* tell the tty driver that something has changed */
if (edge_port->open)
tty_port_tty_wakeup(&edge_port->port->port);
/* we have completed the command */
edge_port->commandPending = false;
wake_up(&edge_port->wait_command);
Reported by FlawFinder.
Line: 935
Column: 18
CWE codes:
362
wait_event_timeout(edge_port->wait_open, !edge_port->openPending,
OPEN_TIMEOUT);
if (!edge_port->open) {
/* open timed out */
dev_dbg(dev, "%s - open timedout\n", __func__);
edge_port->openPending = false;
return -ENODEV;
}
Reported by FlawFinder.
Line: 1191
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
firsthalf, bytesleft);
/* now copy our data */
memcpy(&fifo->fifo[fifo->head], data, firsthalf);
usb_serial_debug_data(&port->dev, __func__, firsthalf, &fifo->fifo[fifo->head]);
/* update the index and size */
fifo->head += firsthalf;
fifo->count += firsthalf;
Reported by FlawFinder.
Line: 1206
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (secondhalf) {
dev_dbg(&port->dev, "%s - copy rest of data %d\n", __func__, secondhalf);
memcpy(&fifo->fifo[fifo->head], &data[firsthalf], secondhalf);
usb_serial_debug_data(&port->dev, __func__, secondhalf, &fifo->fifo[fifo->head]);
/* update the index and size */
fifo->count += secondhalf;
fifo->head += secondhalf;
/* No need to check for wrap since we can not get to end of
Reported by FlawFinder.
net/netfilter/nf_conntrack_sip.c
23 issues
Line: 256
Column: 24
CWE codes:
126
return 0;
/* Find SIP URI */
for (; dptr < limit - strlen("sip:"); dptr++) {
if (*dptr == '\r' || *dptr == '\n')
return -1;
if (strncasecmp(dptr, "sip:", strlen("sip:")) == 0) {
dptr += strlen("sip:");
break;
Reported by FlawFinder.
Line: 259
Column: 33
CWE codes:
126
for (; dptr < limit - strlen("sip:"); dptr++) {
if (*dptr == '\r' || *dptr == '\n')
return -1;
if (strncasecmp(dptr, "sip:", strlen("sip:")) == 0) {
dptr += strlen("sip:");
break;
}
}
if (!skp_epaddr_len(ct, dptr, limit, &shift))
Reported by FlawFinder.
Line: 260
Column: 12
CWE codes:
126
if (*dptr == '\r' || *dptr == '\n')
return -1;
if (strncasecmp(dptr, "sip:", strlen("sip:")) == 0) {
dptr += strlen("sip:");
break;
}
}
if (!skp_epaddr_len(ct, dptr, limit, &shift))
return 0;
Reported by FlawFinder.
Line: 446
Column: 48
CWE codes:
126
dptr += dataoff;
dptr = ct_sip_header_search(dptr, limit, ",", strlen(","));
if (!dptr)
return 0;
dptr = ct_sip_header_search(dptr, limit, hdr->search, hdr->slen);
if (!dptr)
Reported by FlawFinder.
Line: 547
Column: 59
CWE codes:
126
const char *start;
const char *end;
limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
if (!limit)
limit = dptr + datalen;
start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
if (!start)
Reported by FlawFinder.
Line: 551
Column: 60
CWE codes:
126
if (!limit)
limit = dptr + datalen;
start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
if (!start)
return 0;
start += strlen(name);
end = ct_sip_header_search(start, limit, ";", strlen(";"));
Reported by FlawFinder.
Line: 554
Column: 11
CWE codes:
126
start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
if (!start)
return 0;
start += strlen(name);
end = ct_sip_header_search(start, limit, ";", strlen(";"));
if (!end)
end = limit;
Reported by FlawFinder.
Line: 556
Column: 48
CWE codes:
126
return 0;
start += strlen(name);
end = ct_sip_header_search(start, limit, ";", strlen(";"));
if (!end)
end = limit;
*matchoff = start - dptr;
*matchlen = end - start;
Reported by FlawFinder.
Line: 575
Column: 59
CWE codes:
126
const char *limit = dptr + datalen;
const char *start, *end;
limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
if (!limit)
limit = dptr + datalen;
start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
if (!start)
Reported by FlawFinder.
Line: 579
Column: 60
CWE codes:
126
if (!limit)
limit = dptr + datalen;
start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
if (!start)
return 0;
start += strlen(name);
if (!sip_parse_addr(ct, start, &end, addr, limit, delim))
Reported by FlawFinder.
crypto/drbg.c
23 issues
Line: 260
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!drbg->fips_primed) {
/* Priming of FIPS test */
memcpy(drbg->prev, entropy, entropylen);
drbg->fips_primed = true;
/* priming: another round is needed */
return -EAGAIN;
}
ret = memcmp(drbg->prev, entropy, entropylen);
Reported by FlawFinder.
Line: 268
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = memcmp(drbg->prev, entropy, entropylen);
if (!ret)
panic("DRBG continuous self test failed\n");
memcpy(drbg->prev, entropy, entropylen);
/* the test shall pass when the two values are not equal */
return 0;
}
Reported by FlawFinder.
Line: 402
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct list_head *seedlist)
{
int ret = -EFAULT;
unsigned char L_N[8];
/* S3 is input */
struct drbg_string S1, S2, S4, cipherin;
LIST_HEAD(bcc_list);
unsigned char *pad = df_data + drbg_statelen(drbg);
unsigned char *iv = pad + drbg_blocklen(drbg);
Reported by FlawFinder.
Line: 503
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
drbg_blocklen(drbg) :
(bytes_to_return - generated_len);
/* 10.4.2 step 13.2 and 14 */
memcpy(df_data + generated_len, X, blocklen);
generated_len += blocklen;
}
ret = 0;
Reported by FlawFinder.
Line: 577
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
goto out;
/* 10.2.1.2 step 6 */
memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
/* See above: increment counter by one to compensate timing of CTR op */
crypto_inc(drbg->V, drbg_blocklen(drbg));
ret = 0;
out:
Reported by FlawFinder.
Line: 735
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
drbg_blocklen(drbg) : (buflen - len);
/* 10.1.2.5 step 4.2 */
memcpy(buf + len, drbg->V, outlen);
len += outlen;
}
/* 10.1.2.5 step 6 */
if (addtl && !list_empty(addtl))
Reported by FlawFinder.
Line: 827
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int ret = 0;
size_t len = 0;
unsigned char input[5];
unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
struct drbg_string data;
/* 10.4.1 step 3 */
input[0] = 1;
Reported by FlawFinder.
Line: 850
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
input[0]++;
blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
drbg_blocklen(drbg) : (outlen - len);
memcpy(outval + len, tmp, blocklen);
len += blocklen;
}
out:
memset(tmp, 0, drbg_blocklen(drbg));
Reported by FlawFinder.
Line: 875
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (reseed) {
/* 10.1.1.3 step 1 */
memcpy(V, drbg->V, drbg_statelen(drbg));
drbg_string_fill(&data1, &prefix, 1);
list_add_tail(&data1.list, &datalist);
drbg_string_fill(&data2, V, drbg_statelen(drbg));
list_add_tail(&data2.list, &datalist);
}
Reported by FlawFinder.
Line: 947
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
LIST_HEAD(datalist);
/* 10.1.1.4 step hashgen 2 */
memcpy(src, drbg->V, drbg_statelen(drbg));
drbg_string_fill(&data, src, drbg_statelen(drbg));
list_add_tail(&data.list, &datalist);
while (len < buflen) {
unsigned int outlen = 0;
Reported by FlawFinder.
drivers/parport/procfs.c
23 issues
Line: 54
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (dev = port->devices; dev ; dev = dev->next) {
if(dev == port->cad) {
len += sprintf(buffer, "%s\n", dev->name);
}
}
if(!len) {
len += sprintf(buffer, "%s\n", "none");
Reported by FlawFinder.
Line: 59
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
if(!len) {
len += sprintf(buffer, "%s\n", "none");
}
if (len > *lenp)
len = *lenp;
else
Reported by FlawFinder.
Line: 90
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
if ((str = info->class_name) != NULL)
len += sprintf (buffer + len, "CLASS:%s;\n", str);
if ((str = info->model) != NULL)
len += sprintf (buffer + len, "MODEL:%s;\n", str);
if ((str = info->mfr) != NULL)
Reported by FlawFinder.
Line: 93
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len += sprintf (buffer + len, "CLASS:%s;\n", str);
if ((str = info->model) != NULL)
len += sprintf (buffer + len, "MODEL:%s;\n", str);
if ((str = info->mfr) != NULL)
len += sprintf (buffer + len, "MANUFACTURER:%s;\n", str);
if ((str = info->description) != NULL)
Reported by FlawFinder.
Line: 96
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len += sprintf (buffer + len, "MODEL:%s;\n", str);
if ((str = info->mfr) != NULL)
len += sprintf (buffer + len, "MANUFACTURER:%s;\n", str);
if ((str = info->description) != NULL)
len += sprintf (buffer + len, "DESCRIPTION:%s;\n", str);
if ((str = info->cmdset) != NULL)
Reported by FlawFinder.
Line: 99
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len += sprintf (buffer + len, "MANUFACTURER:%s;\n", str);
if ((str = info->description) != NULL)
len += sprintf (buffer + len, "DESCRIPTION:%s;\n", str);
if ((str = info->cmdset) != NULL)
len += sprintf (buffer + len, "COMMAND SET:%s;\n", str);
if (len > *lenp)
Reported by FlawFinder.
Line: 102
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len += sprintf (buffer + len, "DESCRIPTION:%s;\n", str);
if ((str = info->cmdset) != NULL)
len += sprintf (buffer + len, "COMMAND SET:%s;\n", str);
if (len > *lenp)
len = *lenp;
else
*lenp = len;
Reported by FlawFinder.
Line: 216
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
#define printmode(x) \
do { \
if (port->modes & PARPORT_MODE_##x) \
len += sprintf(buffer + len, "%s%s", f++ ? "," : "", #x); \
} while (0)
int f = 0;
printmode(PCSPP);
printmode(TRISTATE);
printmode(COMPAT);
Reported by FlawFinder.
Line: 40
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *result, size_t *lenp, loff_t *ppos)
{
struct parport *port = (struct parport *)table->extra1;
char buffer[256];
struct pardevice *dev;
int len = 0;
if (write) /* can't happen anyway */
return -EACCES;
Reported by FlawFinder.
Line: 68
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*lenp = len;
*ppos += len;
memcpy(result, buffer, len);
return 0;
}
#ifdef CONFIG_PARPORT_1284
static int do_autoprobe(struct ctl_table *table, int write,
Reported by FlawFinder.
tools/testing/selftests/bpf/progs/test_xdp_noinline.c
23 issues
Line: 211
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} ctl_array SEC(".maps");
struct eth_hdr {
unsigned char eth_dest[6];
unsigned char eth_source[6];
unsigned short eth_proto;
};
static __noinline __u64 calc_offset(bool is_ipv6, bool is_icmp)
Reported by FlawFinder.
Line: 212
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct eth_hdr {
unsigned char eth_dest[6];
unsigned char eth_source[6];
unsigned short eth_proto;
};
static __noinline __u64 calc_offset(bool is_ipv6, bool is_icmp)
{
Reported by FlawFinder.
Line: 299
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (new_eth + 1 > data_end ||
old_eth + 1 > data_end || ip6h + 1 > data_end)
return 0;
memcpy(new_eth->eth_dest, cval->mac, 6);
memcpy(new_eth->eth_source, old_eth->eth_dest, 6);
new_eth->eth_proto = 56710;
ip6h->version = 6;
ip6h->priority = 0;
memset(ip6h->flow_lbl, 0, sizeof(ip6h->flow_lbl));
Reported by FlawFinder.
Line: 300
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
old_eth + 1 > data_end || ip6h + 1 > data_end)
return 0;
memcpy(new_eth->eth_dest, cval->mac, 6);
memcpy(new_eth->eth_source, old_eth->eth_dest, 6);
new_eth->eth_proto = 56710;
ip6h->version = 6;
ip6h->priority = 0;
memset(ip6h->flow_lbl, 0, sizeof(ip6h->flow_lbl));
Reported by FlawFinder.
Line: 316
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ip6h->saddr.in6_u.u6_addr32[1] = 2;
ip6h->saddr.in6_u.u6_addr32[2] = 3;
ip6h->saddr.in6_u.u6_addr32[3] = ip_suffix;
memcpy(ip6h->daddr.in6_u.u6_addr32, dst->dstv6, 16);
return 1;
}
static __attribute__ ((noinline))
bool encap_v4(struct xdp_md *xdp, struct ctl_value *cval,
Reported by FlawFinder.
Line: 347
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (new_eth + 1 > data_end ||
old_eth + 1 > data_end || iph + 1 > data_end)
return 0;
memcpy(new_eth->eth_dest, cval->mac, 6);
memcpy(new_eth->eth_source, old_eth->eth_dest, 6);
new_eth->eth_proto = 8;
iph->version = 4;
iph->ihl = 5;
iph->frag_off = 0;
Reported by FlawFinder.
Line: 348
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
old_eth + 1 > data_end || iph + 1 > data_end)
return 0;
memcpy(new_eth->eth_dest, cval->mac, 6);
memcpy(new_eth->eth_source, old_eth->eth_dest, 6);
new_eth->eth_proto = 8;
iph->version = 4;
iph->ihl = 5;
iph->frag_off = 0;
iph->protocol = IPPROTO_IPIP;
Reported by FlawFinder.
Line: 382
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
old_eth = *data;
new_eth = *data + sizeof(struct ipv6hdr);
memcpy(new_eth->eth_source, old_eth->eth_source, 6);
memcpy(new_eth->eth_dest, old_eth->eth_dest, 6);
if (inner_v4)
new_eth->eth_proto = 8;
else
new_eth->eth_proto = 56710;
Reported by FlawFinder.
Line: 383
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
old_eth = *data;
new_eth = *data + sizeof(struct ipv6hdr);
memcpy(new_eth->eth_source, old_eth->eth_source, 6);
memcpy(new_eth->eth_dest, old_eth->eth_dest, 6);
if (inner_v4)
new_eth->eth_proto = 8;
else
new_eth->eth_proto = 56710;
if (bpf_xdp_adjust_head(xdp, (int)sizeof(struct ipv6hdr)))
Reported by FlawFinder.
Line: 403
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
old_eth = *data;
new_eth = *data + sizeof(struct iphdr);
memcpy(new_eth->eth_source, old_eth->eth_source, 6);
memcpy(new_eth->eth_dest, old_eth->eth_dest, 6);
new_eth->eth_proto = 8;
if (bpf_xdp_adjust_head(xdp, (int)sizeof(struct iphdr)))
return 0;
*data = (void *)(long)xdp->data;
Reported by FlawFinder.
kernel/kcsan/kcsan_test.c
23 issues
Line: 144
Column: 4
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
void *addr; /* Address of access; unchecked if NULL. */
size_t size; /* Size of access; unchecked if @addr is NULL. */
int type; /* Access type, see KCSAN_ACCESS definitions. */
} access[2];
};
/* Check observed report matches information in @r. */
__no_kcsan
static bool report_matches(const struct expect_report *r)
Reported by FlawFinder.
Line: 151
Column: 49
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
__no_kcsan
static bool report_matches(const struct expect_report *r)
{
const bool is_assert = (r->access[0].type | r->access[1].type) & KCSAN_ACCESS_ASSERT;
bool ret = false;
unsigned long flags;
typeof(observed.lines) expect;
const char *end;
char *cur;
Reported by FlawFinder.
Line: 151
Column: 29
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
__no_kcsan
static bool report_matches(const struct expect_report *r)
{
const bool is_assert = (r->access[0].type | r->access[1].type) & KCSAN_ACCESS_ASSERT;
bool ret = false;
unsigned long flags;
typeof(observed.lines) expect;
const char *end;
char *cur;
Reported by FlawFinder.
Line: 170
Column: 9
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
end = &expect[0][sizeof(expect[0]) - 1];
cur += scnprintf(cur, end - cur, "BUG: KCSAN: %s in ",
is_assert ? "assert: race" : "data-race");
if (r->access[1].fn) {
char tmp[2][64];
int cmp;
/* Expect lexographically sorted function names in title. */
scnprintf(tmp[0], sizeof(tmp[0]), "%pS", r->access[0].fn);
Reported by FlawFinder.
Line: 175
Column: 47
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
int cmp;
/* Expect lexographically sorted function names in title. */
scnprintf(tmp[0], sizeof(tmp[0]), "%pS", r->access[0].fn);
scnprintf(tmp[1], sizeof(tmp[1]), "%pS", r->access[1].fn);
cmp = strcmp(tmp[0], tmp[1]);
cur += scnprintf(cur, end - cur, "%ps / %ps",
cmp < 0 ? r->access[0].fn : r->access[1].fn,
cmp < 0 ? r->access[1].fn : r->access[0].fn);
Reported by FlawFinder.
Line: 176
Column: 47
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/* Expect lexographically sorted function names in title. */
scnprintf(tmp[0], sizeof(tmp[0]), "%pS", r->access[0].fn);
scnprintf(tmp[1], sizeof(tmp[1]), "%pS", r->access[1].fn);
cmp = strcmp(tmp[0], tmp[1]);
cur += scnprintf(cur, end - cur, "%ps / %ps",
cmp < 0 ? r->access[0].fn : r->access[1].fn,
cmp < 0 ? r->access[1].fn : r->access[0].fn);
} else {
Reported by FlawFinder.
Line: 179
Column: 19
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
scnprintf(tmp[1], sizeof(tmp[1]), "%pS", r->access[1].fn);
cmp = strcmp(tmp[0], tmp[1]);
cur += scnprintf(cur, end - cur, "%ps / %ps",
cmp < 0 ? r->access[0].fn : r->access[1].fn,
cmp < 0 ? r->access[1].fn : r->access[0].fn);
} else {
scnprintf(cur, end - cur, "%pS", r->access[0].fn);
/* The exact offset won't match, remove it. */
cur = strchr(expect[0], '+');
Reported by FlawFinder.
Line: 179
Column: 37
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
scnprintf(tmp[1], sizeof(tmp[1]), "%pS", r->access[1].fn);
cmp = strcmp(tmp[0], tmp[1]);
cur += scnprintf(cur, end - cur, "%ps / %ps",
cmp < 0 ? r->access[0].fn : r->access[1].fn,
cmp < 0 ? r->access[1].fn : r->access[0].fn);
} else {
scnprintf(cur, end - cur, "%pS", r->access[0].fn);
/* The exact offset won't match, remove it. */
cur = strchr(expect[0], '+');
Reported by FlawFinder.
Line: 180
Column: 37
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
cmp = strcmp(tmp[0], tmp[1]);
cur += scnprintf(cur, end - cur, "%ps / %ps",
cmp < 0 ? r->access[0].fn : r->access[1].fn,
cmp < 0 ? r->access[1].fn : r->access[0].fn);
} else {
scnprintf(cur, end - cur, "%pS", r->access[0].fn);
/* The exact offset won't match, remove it. */
cur = strchr(expect[0], '+');
if (cur)
Reported by FlawFinder.
Line: 180
Column: 19
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
cmp = strcmp(tmp[0], tmp[1]);
cur += scnprintf(cur, end - cur, "%ps / %ps",
cmp < 0 ? r->access[0].fn : r->access[1].fn,
cmp < 0 ? r->access[1].fn : r->access[0].fn);
} else {
scnprintf(cur, end - cur, "%pS", r->access[0].fn);
/* The exact offset won't match, remove it. */
cur = strchr(expect[0], '+');
if (cur)
Reported by FlawFinder.
sound/pci/ice1712/ice1724.c
23 issues
Line: 1316
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
pcm->private_data = ice;
pcm->info_flags = 0;
strcpy(pcm->name, name);
snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV,
&ice->pci->dev, 256*1024, 256*1024);
ice->pcm = pcm;
Reported by FlawFinder.
Line: 1823
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
uinfo->value.enumerated.item = uinfo->value.enumerated.items - 1;
if (uinfo->value.enumerated.item >= hw_rates_count)
/* ext_clock items */
strcpy(uinfo->value.enumerated.name,
ice->ext_clock_names[
uinfo->value.enumerated.item - hw_rates_count]);
else
/* int clock items */
sprintf(uinfo->value.enumerated.name, "%d",
Reported by FlawFinder.
Line: 2608
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if ((model[dev] && c->model &&
!strcmp(model[dev], c->model)) ||
(c->subvendor == ice->eeprom.subvendor)) {
strcpy(card->shortname, c->name);
if (c->driver) /* specific driver? */
strcpy(card->driver, c->driver);
if (c->chip_init) {
err = c->chip_init(ice);
if (err < 0) {
Reported by FlawFinder.
Line: 2610
Column: 6
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
(c->subvendor == ice->eeprom.subvendor)) {
strcpy(card->shortname, c->name);
if (c->driver) /* specific driver? */
strcpy(card->driver, c->driver);
if (c->chip_init) {
err = c->chip_init(ice);
if (err < 0) {
snd_card_free(card);
return err;
Reported by FlawFinder.
Line: 2728
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
}
sprintf(card->longname, "%s at 0x%lx, irq %i",
card->shortname, ice->port, ice->irq);
err = snd_card_register(card);
if (err < 0) {
snd_card_free(card);
Reported by FlawFinder.
Line: 49
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_LICENSE("GPL");
static int index[SNDRV_CARDS] = SNDRV_DEFAULT_IDX; /* Index 0-MAX */
static char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR; /* ID for this card */
static bool enable[SNDRV_CARDS] = SNDRV_DEFAULT_ENABLE_PNP; /* Enable this card */
static char *model[SNDRV_CARDS];
module_param_array(index, int, NULL, 0444);
MODULE_PARM_DESC(index, "Index value for ICE1724 soundcard.");
Reported by FlawFinder.
Line: 51
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int index[SNDRV_CARDS] = SNDRV_DEFAULT_IDX; /* Index 0-MAX */
static char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR; /* ID for this card */
static bool enable[SNDRV_CARDS] = SNDRV_DEFAULT_ENABLE_PNP; /* Enable this card */
static char *model[SNDRV_CARDS];
module_param_array(index, int, NULL, 0444);
MODULE_PARM_DESC(index, "Index value for ICE1724 soundcard.");
module_param_array(id, charp, NULL, 0444);
MODULE_PARM_DESC(id, "ID string for ICE1724 soundcard.");
Reported by FlawFinder.
Line: 76
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int PRO_RATE_RESET = 1;
static unsigned int PRO_RATE_DEFAULT = 44100;
static const char * const ext_clock_names[1] = { "IEC958 In" };
/*
* Basic I/O
*/
Reported by FlawFinder.
Line: 1121
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
pcm->private_data = ice;
pcm->info_flags = 0;
strcpy(pcm->name, "ICE1724");
snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV,
&ice->pci->dev, 256*1024, 256*1024);
ice->pcm_pro = pcm;
Reported by FlawFinder.
Line: 1201
Column: 21
CWE codes:
362
snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_BYTES,
VT1724_BUFFER_ALIGN);
constrain_rate_if_locked(substream);
if (ice->spdif.ops.open)
ice->spdif.ops.open(ice, substream);
return 0;
}
static int snd_vt1724_playback_spdif_close(struct snd_pcm_substream *substream)
Reported by FlawFinder.
drivers/net/ethernet/intel/igbvf/netdev.c
23 issues
Line: 1430
CWE codes:
682
/* prepare a packed array of only addresses. */
i = 0;
netdev_for_each_mc_addr(ha, netdev)
memcpy(mta_list + (i++ * ETH_ALEN), ha->addr, ETH_ALEN);
spin_lock_bh(&hw->mbx_lock);
hw->mac.ops.update_mc_addr_list(hw, mta_list, i, 0, 0);
Reported by Cppcheck.
Line: 1056
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int err = 0, vector = 0;
if (strlen(netdev->name) < (IFNAMSIZ - 5)) {
sprintf(adapter->tx_ring->name, "%s-tx-0", netdev->name);
sprintf(adapter->rx_ring->name, "%s-rx-0", netdev->name);
} else {
memcpy(adapter->tx_ring->name, netdev->name, IFNAMSIZ);
memcpy(adapter->rx_ring->name, netdev->name, IFNAMSIZ);
}
Reported by FlawFinder.
Line: 1057
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (strlen(netdev->name) < (IFNAMSIZ - 5)) {
sprintf(adapter->tx_ring->name, "%s-tx-0", netdev->name);
sprintf(adapter->rx_ring->name, "%s-rx-0", netdev->name);
} else {
memcpy(adapter->tx_ring->name, netdev->name, IFNAMSIZ);
memcpy(adapter->rx_ring->name, netdev->name, IFNAMSIZ);
}
Reported by FlawFinder.
Line: 1059
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sprintf(adapter->tx_ring->name, "%s-tx-0", netdev->name);
sprintf(adapter->rx_ring->name, "%s-rx-0", netdev->name);
} else {
memcpy(adapter->tx_ring->name, netdev->name, IFNAMSIZ);
memcpy(adapter->rx_ring->name, netdev->name, IFNAMSIZ);
}
err = request_irq(adapter->msix_entries[vector].vector,
igbvf_intr_msix_tx, 0, adapter->tx_ring->name,
Reported by FlawFinder.
Line: 1060
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sprintf(adapter->rx_ring->name, "%s-rx-0", netdev->name);
} else {
memcpy(adapter->tx_ring->name, netdev->name, IFNAMSIZ);
memcpy(adapter->rx_ring->name, netdev->name, IFNAMSIZ);
}
err = request_irq(adapter->msix_entries[vector].vector,
igbvf_intr_msix_tx, 0, adapter->tx_ring->name,
netdev);
Reported by FlawFinder.
Line: 1430
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* prepare a packed array of only addresses. */
i = 0;
netdev_for_each_mc_addr(ha, netdev)
memcpy(mta_list + (i++ * ETH_ALEN), ha->addr, ETH_ALEN);
spin_lock_bh(&hw->mbx_lock);
hw->mac.ops.update_mc_addr_list(hw, mta_list, i, 0, 0);
Reported by FlawFinder.
Line: 1530
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_unlock_bh(&hw->mbx_lock);
if (is_valid_ether_addr(adapter->hw.mac.addr)) {
memcpy(netdev->dev_addr, adapter->hw.mac.addr,
netdev->addr_len);
memcpy(netdev->perm_addr, adapter->hw.mac.addr,
netdev->addr_len);
}
Reported by FlawFinder.
Line: 1532
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (is_valid_ether_addr(adapter->hw.mac.addr)) {
memcpy(netdev->dev_addr, adapter->hw.mac.addr,
netdev->addr_len);
memcpy(netdev->perm_addr, adapter->hw.mac.addr,
netdev->addr_len);
}
adapter->last_reset = jiffies;
}
Reported by FlawFinder.
Line: 1805
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!is_valid_ether_addr(addr->sa_data))
return -EADDRNOTAVAIL;
memcpy(hw->mac.addr, addr->sa_data, netdev->addr_len);
spin_lock_bh(&hw->mbx_lock);
hw->mac.ops.rar_set(hw, hw->mac.addr, 0);
Reported by FlawFinder.
Line: 1816
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!ether_addr_equal(addr->sa_data, hw->mac.addr))
return -EADDRNOTAVAIL;
memcpy(netdev->dev_addr, addr->sa_data, netdev->addr_len);
return 0;
}
#define UPDATE_VF_COUNTER(reg, name) \
Reported by FlawFinder.
arch/mips/cavium-octeon/executive/octeon-model.c
23 issues
Line: 480
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
family = fuse_model;
} else if (suffix && !model) {
/* Only have suffix, so add suffix to 'normal' model number */
sprintf(fuse_model, "%s%c", core_model, 'A' + suffix - 1);
core_model = fuse_model;
} else {
/* Don't have suffix, so just use model from fuses */
sprintf(fuse_model, "%d", model);
core_model = "";
Reported by FlawFinder.
Line: 490
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
}
}
sprintf(buffer, "CN%s%sp%s-%d-%s", family, core_model, pass, clock_mhz, suffix);
return buffer;
}
/**
* Given the chip processor ID from COP0, this function returns a
Reported by FlawFinder.
Line: 63
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const char *family;
const char *core_model;
char pass[4];
int clock_mhz;
const char *suffix;
int num_cores;
union cvmx_mio_fus_dat2 fus_dat2;
union cvmx_mio_fus_dat3 fus_dat3;
Reported by FlawFinder.
Line: 69
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int num_cores;
union cvmx_mio_fus_dat2 fus_dat2;
union cvmx_mio_fus_dat3 fus_dat3;
char fuse_model[10];
uint32_t fuse_data = 0;
uint64_t l2d_fus3 = 0;
if (OCTEON_IS_MODEL(OCTEON_CN3XXX) || OCTEON_IS_MODEL(OCTEON_CN5XXX))
l2d_fus3 = (cvmx_read_csr(CVMX_L2D_FUS3) >> 34) & 0x3;
Reported by FlawFinder.
Line: 115
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* Assume pass number is encoded using <5:3><2:0>. Exceptions
* will be fixed later.
*/
sprintf(pass, "%d.%d", (int)((chip_id >> 3) & 7) + 1, (int)chip_id & 7);
/*
* Use the number of cores to determine the last 2 digits of
* the model number. There are some exceptions that are fixed
* later.
Reported by FlawFinder.
Line: 211
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
*/
switch (chip_id & 0xf) {
case 0:
strcpy(pass, "1.X");
break;
case 1:
strcpy(pass, "2.X");
break;
case 3:
Reported by FlawFinder.
Line: 214
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(pass, "1.X");
break;
case 1:
strcpy(pass, "2.X");
break;
case 3:
strcpy(pass, "3.X");
break;
default:
Reported by FlawFinder.
Line: 217
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(pass, "2.X");
break;
case 3:
strcpy(pass, "3.X");
break;
default:
strcpy(pass, "X.X");
break;
}
Reported by FlawFinder.
Line: 220
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(pass, "3.X");
break;
default:
strcpy(pass, "X.X");
break;
}
break;
case 1: /* CN31XX or CN3020 */
if ((chip_id & 0x10) || l2d_fus3)
Reported by FlawFinder.
Line: 235
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
*/
switch (chip_id & 0xf) {
case 0:
strcpy(pass, "1.0");
break;
case 2:
strcpy(pass, "1.1");
break;
default:
Reported by FlawFinder.
crypto/asymmetric_keys/asym_tpm.c
23 issues
Line: 35
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const unsigned char *keyblob, int keybloblen,
uint32_t *newhandle)
{
unsigned char nonceodd[TPM_NONCE_SIZE];
unsigned char enonce[TPM_NONCE_SIZE];
unsigned char authdata[SHA1_DIGEST_SIZE];
uint32_t authhandle = 0;
unsigned char cont = 0;
uint32_t ordinal;
Reported by FlawFinder.
Line: 36
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint32_t *newhandle)
{
unsigned char nonceodd[TPM_NONCE_SIZE];
unsigned char enonce[TPM_NONCE_SIZE];
unsigned char authdata[SHA1_DIGEST_SIZE];
uint32_t authhandle = 0;
unsigned char cont = 0;
uint32_t ordinal;
int ret;
Reported by FlawFinder.
Line: 37
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
unsigned char nonceodd[TPM_NONCE_SIZE];
unsigned char enonce[TPM_NONCE_SIZE];
unsigned char authdata[SHA1_DIGEST_SIZE];
uint32_t authhandle = 0;
unsigned char cont = 0;
uint32_t ordinal;
int ret;
Reported by FlawFinder.
Line: 113
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const unsigned char *blob, uint32_t bloblen,
void *out, uint32_t outlen)
{
unsigned char nonceodd[TPM_NONCE_SIZE];
unsigned char enonce[TPM_NONCE_SIZE];
unsigned char authdata[SHA1_DIGEST_SIZE];
uint32_t authhandle = 0;
unsigned char cont = 0;
uint32_t ordinal;
Reported by FlawFinder.
Line: 114
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *out, uint32_t outlen)
{
unsigned char nonceodd[TPM_NONCE_SIZE];
unsigned char enonce[TPM_NONCE_SIZE];
unsigned char authdata[SHA1_DIGEST_SIZE];
uint32_t authhandle = 0;
unsigned char cont = 0;
uint32_t ordinal;
uint32_t datalen;
Reported by FlawFinder.
Line: 115
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
unsigned char nonceodd[TPM_NONCE_SIZE];
unsigned char enonce[TPM_NONCE_SIZE];
unsigned char authdata[SHA1_DIGEST_SIZE];
uint32_t authhandle = 0;
unsigned char cont = 0;
uint32_t ordinal;
uint32_t datalen;
int ret;
Reported by FlawFinder.
Line: 175
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
}
memcpy(out, tb->data + TPM_DATA_OFFSET + sizeof(uint32_t),
min(outlen, datalen));
return datalen;
}
Reported by FlawFinder.
Line: 196
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const unsigned char *blob, uint32_t bloblen,
void *out, uint32_t outlen)
{
unsigned char nonceodd[TPM_NONCE_SIZE];
unsigned char enonce[TPM_NONCE_SIZE];
unsigned char authdata[SHA1_DIGEST_SIZE];
uint32_t authhandle = 0;
unsigned char cont = 0;
uint32_t ordinal;
Reported by FlawFinder.
Line: 197
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *out, uint32_t outlen)
{
unsigned char nonceodd[TPM_NONCE_SIZE];
unsigned char enonce[TPM_NONCE_SIZE];
unsigned char authdata[SHA1_DIGEST_SIZE];
uint32_t authhandle = 0;
unsigned char cont = 0;
uint32_t ordinal;
uint32_t datalen;
Reported by FlawFinder.
Line: 198
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
unsigned char nonceodd[TPM_NONCE_SIZE];
unsigned char enonce[TPM_NONCE_SIZE];
unsigned char authdata[SHA1_DIGEST_SIZE];
uint32_t authhandle = 0;
unsigned char cont = 0;
uint32_t ordinal;
uint32_t datalen;
int ret;
Reported by FlawFinder.