The following issues were found
drivers/ntb/ntb_transport.c
4 issues
Line: 1212
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
qp->tx_max_entry = tx_size / qp->tx_max_frame;
if (nt->debugfs_node_dir) {
char debugfs_name[4];
snprintf(debugfs_name, 4, "qp%d", qp_num);
qp->debugfs_dir = debugfs_create_dir(debugfs_name,
nt->debugfs_node_dir);
Reported by FlawFinder.
Line: 1514
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void *buf = entry->buf;
size_t len = entry->len;
memcpy(buf, offset, len);
/* Ensure that the data is fully copied out before clearing the flag */
wmb();
ntb_rx_copy_callback(entry, NULL);
Reported by FlawFinder.
Line: 289
Column: 44
CWE codes:
126
static int ntb_transport_bus_match(struct device *dev,
struct device_driver *drv)
{
return !strncmp(dev_name(dev), drv->name, strlen(drv->name));
}
static int ntb_transport_bus_probe(struct device *dev)
{
const struct ntb_transport_client *client;
Reported by FlawFinder.
Line: 370
Column: 10
CWE codes:
126
list_for_each_entry(nt, &ntb_transport_list, entry)
list_for_each_entry_safe(client, cd, &nt->client_devs, entry)
if (!strncmp(dev_name(&client->dev), device_name,
strlen(device_name))) {
list_del(&client->entry);
device_unregister(&client->dev);
}
}
EXPORT_SYMBOL_GPL(ntb_transport_unregister_client_dev);
Reported by FlawFinder.
drivers/regulator/da9055-regulator.c
4 issues
Line: 427
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return 0;
if (pdata->gpio_ren && pdata->gpio_ren[id]) {
char name[18];
int gpio_mux = pdata->gpio_ren[id];
config->ena_gpiod = pdata->ena_gpiods[id];
/*
Reported by FlawFinder.
Line: 436
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* GPI pin is muxed with regulator to control the
* regulator state.
*/
sprintf(name, "DA9055 GPI %d", gpio_mux);
ret = devm_gpio_request_one(config->dev, gpio_mux, GPIOF_DIR_IN,
name);
if (ret < 0)
goto err;
Reported by FlawFinder.
Line: 455
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
if (pdata->gpio_rsel && pdata->gpio_rsel[id]) {
char name[18];
int gpio_mux = pdata->gpio_rsel[id];
regulator->reg_rselect = pdata->reg_rsel[id];
/*
Reported by FlawFinder.
Line: 464
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* GPI pin is muxed with regulator to select the
* regulator register set A/B for voltage ramping.
*/
sprintf(name, "DA9055 GPI %d", gpio_mux);
ret = devm_gpio_request_one(config->dev, gpio_mux, GPIOF_DIR_IN,
name);
if (ret < 0)
goto err;
Reported by FlawFinder.
drivers/nubus/nubus.c
4 issues
Line: 419
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
switch (ent->type) {
case NUBUS_RESID_MAC_ADDRESS:
{
char addr[6];
nubus_get_rsrc_mem(addr, ent, 6);
pr_debug(" MAC address: %pM\n", addr);
nubus_proc_add_rsrc_mem(procdir, ent, 6);
break;
Reported by FlawFinder.
Line: 527
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
case NUBUS_RESID_NAME:
{
char name[64];
unsigned int len;
len = nubus_get_rsrc_str(name, &ent, sizeof(name));
pr_debug(" name: %s\n", name);
nubus_proc_add_rsrc_mem(dir.procdir, &ent, len + 1);
Reported by FlawFinder.
Line: 610
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct nubus_dir dir;
struct nubus_dirent ent;
static char *vendor_fields[6] = { "ID", "serial", "revision",
"part", "date", "unknown field" };
pr_debug(" vendor info:\n");
nubus_get_subdir(parent, &dir);
dir.procdir = nubus_proc_add_rsrc_dir(procdir, parent, board);
Reported by FlawFinder.
Line: 618
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
dir.procdir = nubus_proc_add_rsrc_dir(procdir, parent, board);
while (nubus_readdir(&dir, &ent) != -1) {
char name[64];
unsigned int len;
/* These are all strings, we think */
len = nubus_get_rsrc_str(name, &ent, sizeof(name));
if (ent.type < 1 || ent.type > 5)
Reported by FlawFinder.
drivers/nubus/proc.c
4 issues
Line: 56
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct proc_dir_entry *nubus_proc_add_board(struct nubus_board *board)
{
char name[2];
if (!proc_bus_nubus_dir)
return NULL;
snprintf(name, sizeof(name), "%x", board->slot);
return proc_mkdir(name, proc_bus_nubus_dir);
Reported by FlawFinder.
Line: 72
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct nubus_dirent *ent,
struct nubus_board *board)
{
char name[9];
int lanes = board->lanes;
if (!procdir)
return NULL;
snprintf(name, sizeof(name), "%x", ent->type);
Reported by FlawFinder.
Line: 144
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct nubus_dirent *ent,
unsigned int size)
{
char name[9];
struct nubus_proc_pde_data *pde_data;
if (!procdir)
return;
Reported by FlawFinder.
Line: 162
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void nubus_proc_add_rsrc(struct proc_dir_entry *procdir,
const struct nubus_dirent *ent)
{
char name[9];
unsigned char *data = (unsigned char *)ent->data;
if (!procdir)
return;
Reported by FlawFinder.
drivers/nvdimm/bus.c
4 issues
Line: 643
Column: 9
CWE codes:
134
Suggestion:
Make format string constant
static ssize_t modalias_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
return sprintf(buf, ND_DEVICE_MODALIAS_FMT "\n",
to_nd_device_type(dev));
}
static DEVICE_ATTR_RO(modalias);
static ssize_t devtype_show(struct device *dev, struct device_attribute *attr,
Reported by FlawFinder.
Line: 651
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t devtype_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
return sprintf(buf, "%s\n", dev->type->name);
}
static DEVICE_ATTR_RO(devtype);
static struct attribute *nd_device_attributes[] = {
&dev_attr_modalias.attr,
Reported by FlawFinder.
Line: 671
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t numa_node_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
return sprintf(buf, "%d\n", dev_to_node(dev));
}
static DEVICE_ATTR_RO(numa_node);
static int nvdimm_dev_to_target_node(struct device *dev)
{
Reported by FlawFinder.
Line: 693
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t target_node_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
return sprintf(buf, "%d\n", nvdimm_dev_to_target_node(dev));
}
static DEVICE_ATTR_RO(target_node);
static struct attribute *nd_numa_attributes[] = {
&dev_attr_numa_node.attr,
Reported by FlawFinder.
drivers/rpmsg/qcom_glink_native.c
4 issues
Line: 432
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
req.msg.cmd = cpu_to_le16(RPM_CMD_OPEN);
req.msg.param1 = cpu_to_le16(channel->lcid);
req.msg.param2 = cpu_to_le32(name_len);
strcpy(req.name, channel->name);
ret = qcom_glink_tx(glink, &req, req_len, NULL, 0, true);
if (ret)
goto remove_idr;
Reported by FlawFinder.
Line: 412
Column: 17
CWE codes:
126
struct glink_msg msg;
u8 name[GLINK_NAME_SIZE];
} __packed req;
int name_len = strlen(channel->name) + 1;
int req_len = ALIGN(sizeof(req.msg) + name_len, 8);
int ret;
unsigned long flags;
kref_get(&channel->refcount);
Reported by FlawFinder.
Line: 1443
Column: 3
CWE codes:
120
}
rpdev->ept = &channel->ept;
strncpy(rpdev->id.name, name, RPMSG_NAME_SIZE);
rpdev->src = RPMSG_ADDR_ANY;
rpdev->dst = RPMSG_ADDR_ANY;
rpdev->ops = &glink_device_ops;
node = qcom_glink_match_channel(glink->dev->of_node, name);
Reported by FlawFinder.
Line: 1491
Column: 3
CWE codes:
120
cancel_work_sync(&channel->intent_work);
if (channel->rpdev) {
strncpy(chinfo.name, channel->name, sizeof(chinfo.name));
chinfo.src = RPMSG_ADDR_ANY;
chinfo.dst = RPMSG_ADDR_ANY;
rpmsg_unregister_device(glink->dev, &chinfo);
}
Reported by FlawFinder.
drivers/rtc/rtc-twl.c
4 issues
Line: 261
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int twl_rtc_read_time(struct device *dev, struct rtc_time *tm)
{
struct twl_rtc *twl_rtc = dev_get_drvdata(dev);
unsigned char rtc_data[ALL_TIME_REGS];
int ret;
u8 save_control;
u8 rtc_control;
ret = twl_rtc_read_u8(twl_rtc, &save_control, REG_RTC_CTRL_REG);
Reported by FlawFinder.
Line: 330
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct twl_rtc *twl_rtc = dev_get_drvdata(dev);
unsigned char save_control;
unsigned char rtc_data[ALL_TIME_REGS];
int ret;
rtc_data[0] = bin2bcd(tm->tm_sec);
rtc_data[1] = bin2bcd(tm->tm_min);
rtc_data[2] = bin2bcd(tm->tm_hour);
Reported by FlawFinder.
Line: 372
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int twl_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alm)
{
struct twl_rtc *twl_rtc = dev_get_drvdata(dev);
unsigned char rtc_data[ALL_TIME_REGS];
int ret;
ret = twl_i2c_read(TWL_MODULE_RTC, rtc_data,
twl_rtc->reg_map[REG_ALARM_SECONDS_REG], ALL_TIME_REGS);
if (ret < 0) {
Reported by FlawFinder.
Line: 401
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct twl_rtc *twl_rtc = dev_get_drvdata(dev);
unsigned char alarm_data[ALL_TIME_REGS];
int ret;
ret = twl_rtc_alarm_irq_enable(dev, 0);
if (ret)
goto out;
Reported by FlawFinder.
drivers/remoteproc/stm32_rproc.c
4 issues
Line: 59
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct stm32_rproc_mem {
char name[20];
void __iomem *cpu_addr;
phys_addr_t bus_addr;
u32 dev_addr;
size_t size;
};
Reported by FlawFinder.
Line: 73
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct stm32_mbox {
const unsigned char name[10];
struct mbox_chan *chan;
struct mbox_client client;
struct work_struct vq_work;
int vq_id;
};
Reported by FlawFinder.
Line: 362
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct mbox_client *cl;
/* Initialise mailbox structure table */
memcpy(ddata->mb, stm32_rproc_mbox, sizeof(stm32_rproc_mbox));
for (i = 0; i < MBOX_NB_MBX; i++) {
name = ddata->mb[i].name;
cl = &ddata->mb[i].client;
Reported by FlawFinder.
Line: 203
Column: 41
CWE codes:
126
int i;
for (i = 0; i < ARRAY_SIZE(ddata->mb); i++) {
if (!strncmp(ddata->mb[i].name, name, strlen(name)))
return i;
}
dev_err(&rproc->dev, "mailbox %s not found\n", name);
return -EINVAL;
Reported by FlawFinder.
drivers/parport/parport_pc.c
4 issues
Line: 610
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
count = maxlen;
if (!dma_handle) /* bounce buffer ! */
memcpy(priv->dma_buf, buf, count);
dmaflag = claim_dma_lock();
disable_dma(port->dma);
clear_dma_ff(port->dma);
set_dma_mode(port->dma, DMA_MODE_WRITE);
Reported by FlawFinder.
Line: 2052
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!base_res)
goto out4;
memcpy(ops, &parport_pc_ops, sizeof(struct parport_operations));
priv->ctr = 0xc;
priv->ctr_writable = ~0x10;
priv->ecr = 0;
priv->fifo_depth = 0;
priv->dma_buf = NULL;
Reported by FlawFinder.
Line: 3117
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif
#ifdef MODULE
static char *irq[PARPORT_PC_MAX_PORTS];
static char *dma[PARPORT_PC_MAX_PORTS];
MODULE_PARM_DESC(io, "Base I/O address (SPP regs)");
module_param_hw_array(io, int, ioport, NULL, 0);
MODULE_PARM_DESC(io_hi, "Base I/O address (ECR)");
Reported by FlawFinder.
Line: 3118
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef MODULE
static char *irq[PARPORT_PC_MAX_PORTS];
static char *dma[PARPORT_PC_MAX_PORTS];
MODULE_PARM_DESC(io, "Base I/O address (SPP regs)");
module_param_hw_array(io, int, ioport, NULL, 0);
MODULE_PARM_DESC(io_hi, "Base I/O address (ECR)");
module_param_hw_array(io_hi, int, ioport, NULL, 0);
Reported by FlawFinder.
tools/testing/selftests/powerpc/signal/sigreturn_vdso.c
4 issues
Line: 29
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int search_proc_maps(char *needle, unsigned long *low, unsigned long *high)
{
unsigned long start, end;
static char buf[4096];
char name[128];
FILE *f;
int rc = -1;
f = fopen("/proc/self/maps", "r");
Reported by FlawFinder.
Line: 30
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
unsigned long start, end;
static char buf[4096];
char name[128];
FILE *f;
int rc = -1;
f = fopen("/proc/self/maps", "r");
if (!f) {
Reported by FlawFinder.
Line: 34
Column: 6
CWE codes:
362
FILE *f;
int rc = -1;
f = fopen("/proc/self/maps", "r");
if (!f) {
perror("fopen");
return -1;
}
Reported by FlawFinder.
Line: 41
Column: 8
CWE codes:
120
Suggestion:
Check that the limit is sufficiently small, or use a different input function
}
while (fgets(buf, sizeof(buf), f)) {
rc = sscanf(buf, "%lx-%lx %*c%*c%*c%*c %*x %*d:%*d %*d %127s\n",
&start, &end, name);
if (rc == 2)
continue;
if (rc != 3) {
Reported by FlawFinder.