The following issues were found
drivers/hid/usbhid/hiddev.c
4 issues
Line: 226
Column: 23
CWE codes:
362
spin_unlock_irqrestore(&list->hiddev->list_lock, flags);
mutex_lock(&list->hiddev->existancelock);
if (!--list->hiddev->open) {
if (list->hiddev->exist) {
hid_hw_close(list->hiddev->hid);
hid_hw_power(list->hiddev->hid, PM_HINT_NORMAL);
} else {
mutex_unlock(&list->hiddev->existancelock);
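Reported by FlawFinder.
Triage note: the flagged position appears to be the `open` member of the hiddev structure, used here as a counter, not a call to open(). In the lines shown it is decremented after mutex_lock(&list->hiddev->existancelock), so this looks like a match on the identifier name rather than a file-open race; the same applies to the finding at line 937.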
Line: 937
Column: 14
CWE codes:
362
mutex_lock(&hiddev->existancelock);
hiddev->exist = 0;
if (hiddev->open) {
hid_hw_close(hiddev->hid);
wake_up_interruptible(&hiddev->wait);
mutex_unlock(&hiddev->existancelock);
} else {
mutex_unlock(&hiddev->existancelock);
Reported by FlawFinder.
Line: 824
Column: 14
CWE codes:
126
break;
if (_IOC_NR(cmd) == _IOC_NR(HIDIOCGNAME(0))) {
int len = strlen(hid->name) + 1;
if (len > _IOC_SIZE(cmd))
len = _IOC_SIZE(cmd);
r = copy_to_user(user_arg, hid->name, len) ?
-EFAULT : len;
break;
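Reported by FlawFinder.
Triage note: the strlen() result is clamped to _IOC_SIZE(cmd) before copy_to_user(), so the copy to user space is bounded by the size encoded in the ioctl command; when the clamp applies, the copied string is not NUL-terminated. The CWE-126 over-read concern only holds if hid->name can lack a terminator, which is decided where the field is filled, outside this excerpt.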
Line: 833
Column: 14
CWE codes:
126
}
if (_IOC_NR(cmd) == _IOC_NR(HIDIOCGPHYS(0))) {
int len = strlen(hid->phys) + 1;
if (len > _IOC_SIZE(cmd))
len = _IOC_SIZE(cmd);
r = copy_to_user(user_arg, hid->phys, len) ?
-EFAULT : len;
break;
Reported by FlawFinder.
drivers/greybus/bundle.c
4 issues
Line: 38
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!bundle->state)
return sprintf(buf, "\n");
return sprintf(buf, "%s\n", bundle->state);
}
static ssize_t state_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t size)
{
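Reported by FlawFinder.
Triage note: sprintf_s belongs to C11 Annex K and is not available in kernel code. The sprintf() calls flagged in this file are in device-attribute show functions; the kernel helper for that case is sysfs_emit(), which limits output to the PAGE_SIZE buffer sysfs provides. Of the formats shown, only "%s\n" with bundle->state has a length that the format itself does not fix.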
Line: 17
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct gb_bundle *bundle = to_gb_bundle(dev);
return sprintf(buf, "0x%02x\n", bundle->class);
}
static DEVICE_ATTR_RO(bundle_class);
static ssize_t bundle_id_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 26
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct gb_bundle *bundle = to_gb_bundle(dev);
return sprintf(buf, "%u\n", bundle->id);
}
static DEVICE_ATTR_RO(bundle_id);
static ssize_t state_show(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 36
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct gb_bundle *bundle = to_gb_bundle(dev);
if (!bundle->state)
return sprintf(buf, "\n");
return sprintf(buf, "%s\n", bundle->state);
}
static ssize_t state_store(struct device *dev, struct device_attribute *attr,
Reported by FlawFinder.
drivers/isdn/hardware/mISDN/hfcsusb.h
4 issues
Line: 303
Column: 8
CWE codes:
362
__u8 protocol;
int nt_timer;
int open;
__u8 timers;
__u8 initdone;
char name[MISDN_MAX_IDLEN];
};
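Reported by FlawFinder.
Triage note: the flagged position appears to be the struct member `int open;`, a field declaration rather than a call to open(). The CWE-362 rule concerns races around opening files, so this looks like a match on the identifier name. Whether accesses to the field are serialized has to be checked where it is used.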
Line: 306
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int open;
__u8 timers;
__u8 initdone;
char name[MISDN_MAX_IDLEN];
};
/* private vendor specific data */
struct hfcsusb_vdata {
__u8 led_scheme; /* led display scheme */
Reported by FlawFinder.
Line: 320
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define HFC_MAX_TE_LAYER1_STATE 8
#define HFC_MAX_NT_LAYER1_STATE 4
static const char *HFC_TE_LAYER1_STATES[HFC_MAX_TE_LAYER1_STATE + 1] = {
"TE F0 - Reset",
"TE F1 - Reset",
"TE F2 - Sensing",
"TE F3 - Deactivated",
"TE F4 - Awaiting signal",
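Reported by FlawFinder.
Triage note: this is a const table of pointers to string literals, initialised at compile time, so nothing is copied into it at run time. What matters for memory safety is that every index used with it stays within 0..HFC_MAX_TE_LAYER1_STATE; check the call sites.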
Line: 332
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"TE F8 - Lost framing",
};
static const char *HFC_NT_LAYER1_STATES[HFC_MAX_NT_LAYER1_STATE + 1] = {
"NT G0 - Reset",
"NT G1 - Deactive",
"NT G2 - Pending activation",
"NT G3 - Active",
"NT G4 - Pending deactivation",
Reported by FlawFinder.
drivers/infiniband/core/iwcm.c
4 issues
Line: 522
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
cm_id->m_local_addr = cm_id->local_addr;
cm_id->m_remote_addr = cm_id->remote_addr;
strcpy(pm_reg_msg.dev_name, devname);
strcpy(pm_reg_msg.if_name, ifname);
if (iwpm_register_pid(&pm_reg_msg, RDMA_NL_IWCM) ||
!iwpm_valid_pid())
return 0;
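Reported by FlawFinder.
Triage note: both strcpy() calls at lines 522-523 follow the check reported at lines 515-516, which returns -EINVAL when strlen(devname) or strlen(ifname) is not smaller than the destination array. The copies therefore cannot overrun as long as the inputs are NUL-terminated. strscpy() would make the bound explicit at the copy itself.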
Line: 523
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
cm_id->m_remote_addr = cm_id->remote_addr;
strcpy(pm_reg_msg.dev_name, devname);
strcpy(pm_reg_msg.if_name, ifname);
if (iwpm_register_pid(&pm_reg_msg, RDMA_NL_IWCM) ||
!iwpm_valid_pid())
return 0;
Reported by FlawFinder.
Line: 515
Column: 6
CWE codes:
126
struct iwpm_sa_data pm_msg;
int status;
if (strlen(devname) >= sizeof(pm_reg_msg.dev_name) ||
strlen(ifname) >= sizeof(pm_reg_msg.if_name))
return -EINVAL;
cm_id->m_local_addr = cm_id->local_addr;
cm_id->m_remote_addr = cm_id->remote_addr;
Reported by FlawFinder.
Line: 516
Column: 6
CWE codes:
126
int status;
if (strlen(devname) >= sizeof(pm_reg_msg.dev_name) ||
strlen(ifname) >= sizeof(pm_reg_msg.if_name))
return -EINVAL;
cm_id->m_local_addr = cm_id->local_addr;
cm_id->m_remote_addr = cm_id->remote_addr;
Reported by FlawFinder.
drivers/i2c/i2c-core-base.c
4 issues
Line: 741
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Show callback for the "name" device attribute (wired up by the
 * DEVICE_ATTR_RO(name) line that follows this function).
 *
 * Writes the name of the object behind @dev into @buf, followed by a
 * newline, and returns the number of characters sprintf() produced.
 * The name comes from the i2c client when dev->type is i2c_client_type,
 * otherwise from the i2c adapter.
 *
 * NOTE(review): sprintf() places no bound on the write. The result is safe
 * only if the name field is NUL-terminated and shorter than the buffer the
 * caller passes in (presumably the PAGE_SIZE buffer sysfs hands to show
 * callbacks -- confirm). The size of the name fields is not visible here.
 */
static ssize_t
name_show(struct device *dev, struct device_attribute *attr, char *buf)
{
/* Select the client or adapter name according to the device type. */
return sprintf(buf, "%s\n", dev->type == &i2c_client_type ?
to_i2c_client(dev)->name : to_i2c_adapter(dev)->name);
}
static DEVICE_ATTR_RO(name);
static ssize_t
Reported by FlawFinder.
Line: 760
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (len != -ENODEV)
return len;
return sprintf(buf, "%s%s\n", I2C_MODULE_PREFIX, client->name);
}
static DEVICE_ATTR_RO(modalias);
static struct attribute *i2c_dev_attrs[] = {
&dev_attr_name.attr,
Reported by FlawFinder.
Line: 1292
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_err(dev, "%s: Invalid device name\n", "new_device");
return -EINVAL;
}
memcpy(info.type, buf, blank - buf);
/* Parse remaining parameters, reject extra parameters */
res = sscanf(++blank, "%hi%c", &info.addr, &end);
if (res < 1) {
dev_err(dev, "%s: Can't parse I2C address\n", "new_device");
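Reported by FlawFinder.
Triage note: the copy length is blank - buf, which apparently derives from the text written to the new_device attribute. The check that ends in the "Invalid device name" error just above the memcpy() is what bounds it, but its condition is outside this excerpt; confirm that it rejects lengths that do not fit info.type with room for a terminator.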
Line: 2616
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
if (xferred && msg->flags & I2C_M_RD)
memcpy(msg->buf, buf, msg->len);
kfree(buf);
}
EXPORT_SYMBOL_GPL(i2c_put_dma_safe_msg_buf);
Reported by FlawFinder.
drivers/input/keyboard/locomokbd.c
4 issues
Line: 33
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define KEY_CONTACT KEY_F18
#define KEY_CENTER KEY_F15
static const unsigned char
locomokbd_keycode[LOCOMOKBD_NUMKEYS] = {
0, KEY_ESC, KEY_ACTIVITY, 0, 0, 0, 0, 0, 0, 0, /* 0 - 9 */
0, 0, 0, 0, 0, 0, 0, KEY_MENU, KEY_HOME, KEY_CONTACT, /* 10 - 19 */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 20 - 29 */
0, 0, 0, KEY_CENTER, 0, KEY_MAIL, 0, 0, 0, 0, /* 30 - 39 */
Reported by FlawFinder.
Line: 59
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define SCAN_INTERVAL (HZ/10)
struct locomokbd {
unsigned char keycode[LOCOMOKBD_NUMKEYS];
struct input_dev *input;
char phys[32];
unsigned long base;
spinlock_t lock;
Reported by FlawFinder.
Line: 61
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct locomokbd {
unsigned char keycode[LOCOMOKBD_NUMKEYS];
struct input_dev *input;
char phys[32];
unsigned long base;
spinlock_t lock;
struct timer_list timer;
Reported by FlawFinder.
Line: 257
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
locomokbd->suspend_jiffies = jiffies;
locomokbd->input = input_dev;
strcpy(locomokbd->phys, "locomokbd/input0");
input_dev->name = "LoCoMo keyboard";
input_dev->phys = locomokbd->phys;
input_dev->id.bustype = BUS_HOST;
input_dev->id.vendor = 0x0001;
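Reported by FlawFinder.
Triage note: the source is the 16-character literal "locomokbd/input0" (17 bytes with the terminator) and the destination is char phys[32] as declared in struct locomokbd, so this copy fits; the finding is a pattern match on strcpy().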
drivers/infiniband/core/user_mad.c
4 issues
Line: 277
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
packet->mad.hdr.gid_index = grh->sgid_index;
packet->mad.hdr.hop_limit = grh->hop_limit;
packet->mad.hdr.traffic_class = grh->traffic_class;
memcpy(packet->mad.hdr.gid, &grh->dgid, 16);
packet->mad.hdr.flow_label = cpu_to_be32(grh->flow_label);
rdma_destroy_ah_attr(&ah_attr);
}
if (queue_packet(file, agent, packet))
Reported by FlawFinder.
Line: 594
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
packet->msg->context[0] = packet;
/* Copy MAD header. Any RMPP header is already in place. */
memcpy(packet->msg->mad, packet->mad.data, IB_MGMT_MAD_HDR);
if (!rmpp_active) {
if (copy_from_user(packet->msg->mad + copy_offset,
buf + copy_offset,
hdr_len + data_len - copy_offset)) {
Reported by FlawFinder.
Line: 724
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&req, 0, sizeof(req));
req.mgmt_class = ureq.mgmt_class;
req.mgmt_class_version = ureq.mgmt_class_version;
memcpy(req.oui, ureq.oui, sizeof req.oui);
if (compat_method_mask) {
u32 *umm = (u32 *) ureq.method_mask;
int i;
Reported by FlawFinder.
Line: 734
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req.method_mask[i] =
umm[i * 2] | ((u64) umm[i * 2 + 1] << 32);
} else
memcpy(req.method_mask, ureq.method_mask,
sizeof req.method_mask);
}
agent = ib_register_mad_agent(file->port->ib_dev, file->port->port_num,
ureq.qpn ? IB_QPT_GSI : IB_QPT_SMI,
Reported by FlawFinder.
drivers/i2c/busses/i2c-altera.c
4 issues
Line: 238
Column: 7
CWE codes:
120
20
static irqreturn_t altr_i2c_isr(int irq, void *_dev)
{
int ret;
bool read, finish = false;
struct altr_i2c_dev *idev = _dev;
u32 status = idev->isr_status;
mutex_lock(&idev->isr_mutex);
if (!idev->msg) {
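Reported by FlawFinder.
Triage note: the flagged token appears to be the local variable `bool read`, not a call to read(); CWE-120 and CWE-20 as reported for read() do not describe a boolean flag. The findings at lines 261, 268 and 274 flag uses of the same variable in `read &&` and `!read &&` conditions.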
Line: 261
Column: 13
CWE codes:
120
20
altr_i2c_int_clear(idev, ALTR_I2C_ISR_NACK);
altr_i2c_stop(idev);
finish = true;
} else if (read && unlikely(status & ALTR_I2C_ISR_RXOF)) {
/* handle RX FIFO Overflow */
altr_i2c_empty_rx_fifo(idev);
altr_i2c_int_clear(idev, ALTR_I2C_ISR_RXRDY);
altr_i2c_stop(idev);
dev_err(idev->dev, "RX FIFO Overflow\n");
Reported by FlawFinder.
Line: 268
Column: 13
CWE codes:
120
20
altr_i2c_stop(idev);
dev_err(idev->dev, "RX FIFO Overflow\n");
finish = true;
} else if (read && (status & ALTR_I2C_ISR_RXRDY)) {
/* RX FIFO needs service? */
altr_i2c_empty_rx_fifo(idev);
altr_i2c_int_clear(idev, ALTR_I2C_ISR_RXRDY);
if (!idev->msg_len)
finish = true;
Reported by FlawFinder.
Line: 274
Column: 14
CWE codes:
120
20
altr_i2c_int_clear(idev, ALTR_I2C_ISR_RXRDY);
if (!idev->msg_len)
finish = true;
} else if (!read && (status & ALTR_I2C_ISR_TXRDY)) {
/* TX FIFO needs service? */
altr_i2c_int_clear(idev, ALTR_I2C_ISR_TXRDY);
if (idev->msg_len > 0)
altr_i2c_fill_tx_fifo(idev);
else
Reported by FlawFinder.
drivers/hwtracing/stm/policy.c
4 issues
Line: 294
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct stp_policy *policy = to_stp_policy(item);
ssize_t count;
count = sprintf(page, "%s\n",
(policy && policy->stm) ?
policy->stm->data->name :
"<none>");
return count;
Reported by FlawFinder.
Line: 310
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct stp_policy *policy = to_stp_policy(item);
ssize_t count;
count = sprintf(page, "%s\n",
(policy && policy->stm) ?
policy->stm->pdrv->name :
"<none>");
return count;
Reported by FlawFinder.
Line: 90
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct stp_policy_node *policy_node = to_stp_policy_node(item);
ssize_t count;
count = sprintf(page, "%u %u\n", policy_node->first_master,
policy_node->last_master);
return count;
}
Reported by FlawFinder.
Line: 137
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct stp_policy_node *policy_node = to_stp_policy_node(item);
ssize_t count;
count = sprintf(page, "%u %u\n", policy_node->first_channel,
policy_node->last_channel);
return count;
}
Reported by FlawFinder.
drivers/hwtracing/stm/p_sys-t.c
4 issues
Line: 123
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct sys_t_policy_node *pn = to_pdrv_policy_node(item);
return sprintf(page, "%pU\n", &pn->uuid);
}
static ssize_t
sys_t_policy_uuid_store(struct config_item *item, const char *page,
size_t count)
Reported by FlawFinder.
Line: 148
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct sys_t_policy_node *pn = to_pdrv_policy_node(item);
return sprintf(page, "%d\n", pn->do_len);
}
static ssize_t
sys_t_policy_do_len_store(struct config_item *item, const char *page,
size_t count)
Reported by FlawFinder.
Line: 173
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct sys_t_policy_node *pn = to_pdrv_policy_node(item);
return sprintf(page, "%u\n", jiffies_to_msecs(pn->ts_interval));
}
static ssize_t
sys_t_policy_ts_interval_store(struct config_item *item, const char *page,
size_t count)
Reported by FlawFinder.
Line: 204
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct sys_t_policy_node *pn = to_pdrv_policy_node(item);
return sprintf(page, "%u\n", jiffies_to_msecs(pn->clocksync_interval));
}
static ssize_t
sys_t_policy_clocksync_interval_store(struct config_item *item,
const char *page, size_t count)
Reported by FlawFinder.