The following issues were found
drivers/block/paride/pcd.c
23 issues
Line: 345
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
disk->major = major;
disk->first_minor = unit;
disk->minors = 1;
strcpy(disk->disk_name, cd->name); /* umm... */
disk->fops = &pcd_bdops;
disk->flags = GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE;
disk->events = DISK_EVENT_MEDIA_CHANGE;
}
}
Reported by FlawFinder.
Line: 209
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct pcd_unit pcd[PCD_UNITS];
static char pcd_scratch[64];
static char pcd_buffer[2048]; /* raw block buffer */
static int pcd_bufblk = -1; /* block in buffer, in CD units,
-1 for nothing there. See also
pd_unit.
*/
Reported by FlawFinder.
Line: 210
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct pcd_unit pcd[PCD_UNITS];
static char pcd_scratch[64];
static char pcd_buffer[2048]; /* raw block buffer */
static int pcd_bufblk = -1; /* block in buffer, in CD units,
-1 for nothing there. See also
pd_unit.
*/
Reported by FlawFinder.
Line: 488
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void pcd_req_sense(struct pcd_unit *cd, char *fun)
{
char rs_cmd[12] = { 0x03, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0 };
char buf[16];
int r, c;
r = pcd_command(cd, rs_cmd, 16, "Request sense");
mdelay(1);
Reported by FlawFinder.
Line: 489
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void pcd_req_sense(struct pcd_unit *cd, char *fun)
{
char rs_cmd[12] = { 0x03, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0 };
char buf[16];
int r, c;
r = pcd_command(cd, rs_cmd, 16, "Request sense");
mdelay(1);
if (!r)
Reported by FlawFinder.
Line: 545
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Ask the drive to lock or unlock its door.
 *
 * Builds a 12-byte command packet (opcode 0x1e, byte 4 carrying @lock) and
 * hands it to pcd_atapi() with a transfer length of 0 and pcd_scratch as the
 * data buffer. The result of pcd_atapi() is returned unchanged.
 *
 * Review context for the fixed-size-array finding: un_cmd has exactly 12
 * elements and its initializer supplies all 12, so nothing in this function
 * writes past it. Whether pcd_atapi() stays within the 12 bytes, and within
 * pcd_scratch, is decided in pcd_atapi() and is not visible here.
 * NOTE(review): 0x1e is presumably the ATAPI PREVENT/ALLOW MEDIUM REMOVAL
 * opcode - confirm against the command set before relying on that name.
 */
static int pcd_lock_door(struct cdrom_device_info *cdi, int lock)
{
	/* Label passed to pcd_atapi() alongside the command. */
	char *what = lock ? "lock door" : "unlock door";
	/* @lock is an int narrowed into one char of the packet. */
	char un_cmd[12] = { 0x1e, 0, 0, 0, lock, 0, 0, 0, 0, 0, 0, 0 };

	return pcd_atapi(cdi->handle, un_cmd, 0, pcd_scratch, what);
}
Reported by FlawFinder.
Line: 553
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Open or close the drive tray.
 *
 * Builds a 12-byte command packet (opcode 0x1b, byte 4 set to 3 - @position)
 * and passes it to pcd_atapi() with a transfer length of 0 and pcd_scratch as
 * the data buffer. A non-zero @position is labelled "eject", zero is labelled
 * "close tray". The result of pcd_atapi() is returned unchanged.
 *
 * Review context for the fixed-size-array finding: ej_cmd has exactly 12
 * elements, all supplied by the initializer. @position is not range-checked
 * here, so byte 4 is whatever 3 - @position narrows to as a char;
 * NOTE(review): confirm callers only pass 0 or 1.
 */
static int pcd_tray_move(struct cdrom_device_info *cdi, int position)
{
	/* Label passed to pcd_atapi() alongside the command. */
	char *what = position ? "eject" : "close tray";
	char ej_cmd[12] = { 0x1b, 0, 0, 0, 3 - position, 0, 0, 0, 0, 0, 0, 0 };

	return pcd_atapi(cdi->handle, ej_cmd, 0, pcd_scratch, what);
}
Reported by FlawFinder.
Line: 603
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pcd_ready_wait(struct pcd_unit *cd, int tmo)
{
char tr_cmd[12] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
int k, p;
k = 0;
while (k < tmo) {
cd->last_sense = 0;
Reported by FlawFinder.
Line: 623
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pcd_drive_status(struct cdrom_device_info *cdi, int slot_nr)
{
char rc_cmd[12] = { 0x25, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
struct pcd_unit *cd = cdi->handle;
if (pcd_ready_wait(cd, PCD_READY_TMO))
return CDS_DRIVE_NOT_READY;
if (pcd_atapi(cd, rc_cmd, 8, pcd_scratch, DBMSG("check media")))
Reported by FlawFinder.
Line: 636
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pcd_identify(struct pcd_unit *cd, char *id)
{
int k, s;
char id_cmd[12] = { 0x12, 0, 0, 0, 36, 0, 0, 0, 0, 0, 0, 0 };
pcd_bufblk = -1;
s = pcd_atapi(cd, id_cmd, 36, pcd_buffer, "identify");
Reported by FlawFinder.
Documentation/sphinx/kfigure.py
23 issues
Line: 52
Column: 1
from os import path
import subprocess
from hashlib import sha1
from docutils import nodes
from docutils.statemachine import ViewList
from docutils.parsers.rst import directives
from docutils.parsers.rst.directives import images
import sphinx
from sphinx.util.nodes import clean_astext
Reported by Pylint.
Line: 53
Column: 1
import subprocess
from hashlib import sha1
from docutils import nodes
from docutils.statemachine import ViewList
from docutils.parsers.rst import directives
from docutils.parsers.rst.directives import images
import sphinx
from sphinx.util.nodes import clean_astext
import kernellog
Reported by Pylint.
Line: 54
Column: 1
from hashlib import sha1
from docutils import nodes
from docutils.statemachine import ViewList
from docutils.parsers.rst import directives
from docutils.parsers.rst.directives import images
import sphinx
from sphinx.util.nodes import clean_astext
import kernellog
Reported by Pylint.
Line: 55
Column: 1
from docutils import nodes
from docutils.statemachine import ViewList
from docutils.parsers.rst import directives
from docutils.parsers.rst.directives import images
import sphinx
from sphinx.util.nodes import clean_astext
import kernellog
# Get Sphinx version
Reported by Pylint.
Line: 56
Column: 1
from docutils.statemachine import ViewList
from docutils.parsers.rst import directives
from docutils.parsers.rst.directives import images
import sphinx
from sphinx.util.nodes import clean_astext
import kernellog
# Get Sphinx version
major, minor, patch = sphinx.version_info[:3]
Reported by Pylint.
Line: 57
Column: 1
from docutils.parsers.rst import directives
from docutils.parsers.rst.directives import images
import sphinx
from sphinx.util.nodes import clean_astext
import kernellog
# Get Sphinx version
major, minor, patch = sphinx.version_info[:3]
if major == 1 and minor > 3:
Reported by Pylint.
Line: 64
Column: 5
major, minor, patch = sphinx.version_info[:3]
if major == 1 and minor > 3:
# patches.Figure only landed in Sphinx 1.4
from sphinx.directives.patches import Figure # pylint: disable=C0413
else:
Figure = images.Figure
__version__ = '1.0.0'
Reported by Pylint.
Line: 336
Column: 5
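# Marker subclass of ``nodes.image``: it adds no attributes or methods of its
# own. The docstring is already a complete class body, so the trailing
# ``pass`` statement was redundant and has been dropped.
class kernel_image(nodes.image):
    """Node for ``kernel-image`` directive."""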
class KernelImage(images.Image):
u"""KernelImage directive
Earns everything from ``.. image::`` directive, except *remote URI* and
Reported by Pylint.
Line: 427
Suggestion:
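https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
Note: Bandit's B303 check also covers SHA-1, which is the function the excerpt below calls; in the lines shown the digest is only used to build a file name.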
code = literal_block.astext()
hashobj = code.encode('utf-8') # str(node.attributes)
fname = path.join('%s-%s' % (srclang, sha1(hashobj).hexdigest()))
tmp_fname = path.join(
self.builder.outdir, self.builder.imagedir, fname + tmp_ext)
if not path.isfile(tmp_fname):
Reported by Bandit.
Line: 448
Column: 5
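# Marker node combining ``nodes.General``, ``nodes.Inline`` and
# ``nodes.Element``: it adds no attributes or methods of its own. The
# docstring is already a complete class body, so the trailing ``pass``
# statement was redundant and has been dropped.
class kernel_render(nodes.General, nodes.Inline, nodes.Element):
    """Node for ``kernel-render`` directive."""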
class KernelRender(Figure):
u"""KernelRender directive
Render content by external tool. Has all the options known from the
Reported by Pylint.
kernel/kcsan/kcsan_test.c
23 issues
Line: 144
Column: 4
CWE codes:
362/367!
Suggestion:
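Set up the correct permissions (e.g., using setuid()) and try to open the file directly (Triage note: this advice is written for the access() file-permission call. In the excerpt below the flagged token is the struct member `access[2]`, not a function call, so no file check-then-use race is shown; the same holds for the `r->access[...]` expressions in the findings that follow for this file.)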
void *addr; /* Address of access; unchecked if NULL. */
size_t size; /* Size of access; unchecked if @addr is NULL. */
int type; /* Access type, see KCSAN_ACCESS definitions. */
} access[2];
};
/* Check observed report matches information in @r. */
__no_kcsan
static bool report_matches(const struct expect_report *r)
Reported by FlawFinder.
Line: 151
Column: 49
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
__no_kcsan
static bool report_matches(const struct expect_report *r)
{
const bool is_assert = (r->access[0].type | r->access[1].type) & KCSAN_ACCESS_ASSERT;
bool ret = false;
unsigned long flags;
typeof(observed.lines) expect;
const char *end;
char *cur;
Reported by FlawFinder.
Line: 151
Column: 29
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
__no_kcsan
static bool report_matches(const struct expect_report *r)
{
const bool is_assert = (r->access[0].type | r->access[1].type) & KCSAN_ACCESS_ASSERT;
bool ret = false;
unsigned long flags;
typeof(observed.lines) expect;
const char *end;
char *cur;
Reported by FlawFinder.
Line: 170
Column: 9
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
end = &expect[0][sizeof(expect[0]) - 1];
cur += scnprintf(cur, end - cur, "BUG: KCSAN: %s in ",
is_assert ? "assert: race" : "data-race");
if (r->access[1].fn) {
char tmp[2][64];
int cmp;
/* Expect lexographically sorted function names in title. */
scnprintf(tmp[0], sizeof(tmp[0]), "%pS", r->access[0].fn);
Reported by FlawFinder.
Line: 175
Column: 47
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
int cmp;
/* Expect lexographically sorted function names in title. */
scnprintf(tmp[0], sizeof(tmp[0]), "%pS", r->access[0].fn);
scnprintf(tmp[1], sizeof(tmp[1]), "%pS", r->access[1].fn);
cmp = strcmp(tmp[0], tmp[1]);
cur += scnprintf(cur, end - cur, "%ps / %ps",
cmp < 0 ? r->access[0].fn : r->access[1].fn,
cmp < 0 ? r->access[1].fn : r->access[0].fn);
Reported by FlawFinder.
Line: 176
Column: 47
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/* Expect lexographically sorted function names in title. */
scnprintf(tmp[0], sizeof(tmp[0]), "%pS", r->access[0].fn);
scnprintf(tmp[1], sizeof(tmp[1]), "%pS", r->access[1].fn);
cmp = strcmp(tmp[0], tmp[1]);
cur += scnprintf(cur, end - cur, "%ps / %ps",
cmp < 0 ? r->access[0].fn : r->access[1].fn,
cmp < 0 ? r->access[1].fn : r->access[0].fn);
} else {
Reported by FlawFinder.
Line: 179
Column: 19
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
scnprintf(tmp[1], sizeof(tmp[1]), "%pS", r->access[1].fn);
cmp = strcmp(tmp[0], tmp[1]);
cur += scnprintf(cur, end - cur, "%ps / %ps",
cmp < 0 ? r->access[0].fn : r->access[1].fn,
cmp < 0 ? r->access[1].fn : r->access[0].fn);
} else {
scnprintf(cur, end - cur, "%pS", r->access[0].fn);
/* The exact offset won't match, remove it. */
cur = strchr(expect[0], '+');
Reported by FlawFinder.
Line: 179
Column: 37
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
scnprintf(tmp[1], sizeof(tmp[1]), "%pS", r->access[1].fn);
cmp = strcmp(tmp[0], tmp[1]);
cur += scnprintf(cur, end - cur, "%ps / %ps",
cmp < 0 ? r->access[0].fn : r->access[1].fn,
cmp < 0 ? r->access[1].fn : r->access[0].fn);
} else {
scnprintf(cur, end - cur, "%pS", r->access[0].fn);
/* The exact offset won't match, remove it. */
cur = strchr(expect[0], '+');
Reported by FlawFinder.
Line: 180
Column: 37
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
cmp = strcmp(tmp[0], tmp[1]);
cur += scnprintf(cur, end - cur, "%ps / %ps",
cmp < 0 ? r->access[0].fn : r->access[1].fn,
cmp < 0 ? r->access[1].fn : r->access[0].fn);
} else {
scnprintf(cur, end - cur, "%pS", r->access[0].fn);
/* The exact offset won't match, remove it. */
cur = strchr(expect[0], '+');
if (cur)
Reported by FlawFinder.
Line: 180
Column: 19
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
cmp = strcmp(tmp[0], tmp[1]);
cur += scnprintf(cur, end - cur, "%ps / %ps",
cmp < 0 ? r->access[0].fn : r->access[1].fn,
cmp < 0 ? r->access[1].fn : r->access[0].fn);
} else {
scnprintf(cur, end - cur, "%pS", r->access[0].fn);
/* The exact offset won't match, remove it. */
cur = strchr(expect[0], '+');
if (cur)
Reported by FlawFinder.
fs/cifs/sess.c
23 issues
Line: 215
Column: 2
CWE codes:
134
Suggestion:
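Make format string constant (Triage note: the line-175 excerpt for this file declares `static const char unc_fmt[] = "\\%s\\foo";`, so the format is already a constant. What remains to verify is that `ses->ip_addr` always fits in `unc`, because sprintf() places no bound on the write.)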
/* UNC and paths */
/* XXX: Use ses->server->hostname? */
sprintf(unc, unc_fmt, ses->ip_addr);
ctx.UNC = unc;
ctx.prepath = "";
/* Reuse same version as master connection */
ctx.vals = ses->server->vals;
Reported by FlawFinder.
Line: 457
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(bcc_ptr, "Linux version ");
bcc_ptr += strlen("Linux version ");
strcpy(bcc_ptr, init_utsname()->release);
bcc_ptr += strlen(init_utsname()->release) + 1;
strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
Reported by FlawFinder.
Line: 460
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(bcc_ptr, init_utsname()->release);
bcc_ptr += strlen(init_utsname()->release) + 1;
strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
*pbcc_area = bcc_ptr;
}
Reported by FlawFinder.
Line: 175
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cifs_chan *chan;
struct smb3_fs_context ctx = {NULL};
static const char unc_fmt[] = "\\%s\\foo";
char unc[sizeof(unc_fmt)+SERVER_NAME_LEN_WITH_NULL] = {0};
struct sockaddr_in *ipv4 = (struct sockaddr_in *)&iface->sockaddr;
struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)&iface->sockaddr;
int rc;
unsigned int xid = get_xid();
Reported by FlawFinder.
Line: 237
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Use RDMA if possible */
ctx.rdma = iface->rdma_capable;
memcpy(&ctx.dstaddr, &iface->sockaddr, sizeof(struct sockaddr_storage));
/* reuse master con client guid */
memcpy(&ctx.client_guid, ses->server->client_guid,
SMB2_CLIENT_GUID_SIZE);
ctx.use_client_guid = true;
Reported by FlawFinder.
Line: 240
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&ctx.dstaddr, &iface->sockaddr, sizeof(struct sockaddr_storage));
/* reuse master con client guid */
memcpy(&ctx.client_guid, ses->server->client_guid,
SMB2_CLIENT_GUID_SIZE);
ctx.use_client_guid = true;
mutex_lock(&ses->session_mutex);
Reported by FlawFinder.
Line: 455
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* BB check for overflow here */
strcpy(bcc_ptr, "Linux version ");
bcc_ptr += strlen("Linux version ");
strcpy(bcc_ptr, init_utsname()->release);
bcc_ptr += strlen(init_utsname()->release) + 1;
strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
Reported by FlawFinder.
Line: 517
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ses->serverOS = kmalloc(len + 1, GFP_KERNEL);
if (ses->serverOS) {
memcpy(ses->serverOS, bcc_ptr, len);
ses->serverOS[len] = 0;
if (strncmp(ses->serverOS, "OS/2", 4) == 0)
cifs_dbg(FYI, "OS/2 server\n");
}
Reported by FlawFinder.
Line: 534
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ses->serverNOS = kmalloc(len + 1, GFP_KERNEL);
if (ses->serverNOS) {
memcpy(ses->serverNOS, bcc_ptr, len);
ses->serverNOS[len] = 0;
}
bcc_ptr += len + 1;
bleft -= len + 1;
Reported by FlawFinder.
Line: 577
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
memcpy(ses->ntlmssp->cryptkey, pblob->Challenge, CIFS_CRYPTO_KEY_SIZE);
/* BB we could decode pblob->NegotiateFlags; some may be useful */
/* In particular we can examine sign flags */
/* BB spec says that if AvId field of MsvAvTimestamp is populated then
we must set the MIC field of the AUTHENTICATE_MESSAGE */
ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
Reported by FlawFinder.
arch/s390/kernel/dis.c
23 issues
Line: 535
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
/* Decode the instructions. */
ptr = buffer;
ptr += sprintf(ptr, "%s Code:", mode);
hops = 0;
while (start < end && hops < 8) {
opsize = insn_length(code[start]);
if (start + opsize == 32)
*ptr++ = '#';
Reported by FlawFinder.
Line: 55
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct s390_insn {
union {
const char name[5];
struct {
unsigned char zero;
unsigned int offset;
} __packed;
};
Reported by FlawFinder.
Line: 435
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
insn = find_insn(code);
if (insn) {
if (insn->zero == 0)
ptr += sprintf(ptr, "%.7s\t",
long_insn_name[insn->offset]);
else
ptr += sprintf(ptr, "%.5s\t", insn->name);
/* Extract the operands. */
separator = 0;
Reported by FlawFinder.
Line: 438
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ptr += sprintf(ptr, "%.7s\t",
long_insn_name[insn->offset]);
else
ptr += sprintf(ptr, "%.5s\t", insn->name);
/* Extract the operands. */
separator = 0;
for (ops = formats[insn->format], i = 0;
*ops != 0 && i < 6; ops++, i++) {
operand = operands + *ops;
Reported by FlawFinder.
Line: 453
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
continue;
}
if (separator)
ptr += sprintf(ptr, "%c", separator);
if (operand->flags & OPERAND_GPR)
ptr += sprintf(ptr, "%%r%i", value);
else if (operand->flags & OPERAND_FPR)
ptr += sprintf(ptr, "%%f%i", value);
else if (operand->flags & OPERAND_AR)
Reported by FlawFinder.
Line: 455
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (separator)
ptr += sprintf(ptr, "%c", separator);
if (operand->flags & OPERAND_GPR)
ptr += sprintf(ptr, "%%r%i", value);
else if (operand->flags & OPERAND_FPR)
ptr += sprintf(ptr, "%%f%i", value);
else if (operand->flags & OPERAND_AR)
ptr += sprintf(ptr, "%%a%i", value);
else if (operand->flags & OPERAND_CR)
Reported by FlawFinder.
Line: 457
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (operand->flags & OPERAND_GPR)
ptr += sprintf(ptr, "%%r%i", value);
else if (operand->flags & OPERAND_FPR)
ptr += sprintf(ptr, "%%f%i", value);
else if (operand->flags & OPERAND_AR)
ptr += sprintf(ptr, "%%a%i", value);
else if (operand->flags & OPERAND_CR)
ptr += sprintf(ptr, "%%c%i", value);
else if (operand->flags & OPERAND_VR)
Reported by FlawFinder.
Line: 459
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (operand->flags & OPERAND_FPR)
ptr += sprintf(ptr, "%%f%i", value);
else if (operand->flags & OPERAND_AR)
ptr += sprintf(ptr, "%%a%i", value);
else if (operand->flags & OPERAND_CR)
ptr += sprintf(ptr, "%%c%i", value);
else if (operand->flags & OPERAND_VR)
ptr += sprintf(ptr, "%%v%i", value);
else if (operand->flags & OPERAND_PCREL) {
Reported by FlawFinder.
Line: 461
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (operand->flags & OPERAND_AR)
ptr += sprintf(ptr, "%%a%i", value);
else if (operand->flags & OPERAND_CR)
ptr += sprintf(ptr, "%%c%i", value);
else if (operand->flags & OPERAND_VR)
ptr += sprintf(ptr, "%%v%i", value);
else if (operand->flags & OPERAND_PCREL) {
void *pcrel = (void *)((int)value + addr);
Reported by FlawFinder.
Line: 463
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (operand->flags & OPERAND_CR)
ptr += sprintf(ptr, "%%c%i", value);
else if (operand->flags & OPERAND_VR)
ptr += sprintf(ptr, "%%v%i", value);
else if (operand->flags & OPERAND_PCREL) {
void *pcrel = (void *)((int)value + addr);
ptr += sprintf(ptr, "%px", pcrel);
} else if (operand->flags & OPERAND_SIGNED)
Reported by FlawFinder.
drivers/net/wireless/microchip/wilc1000/hif.c
23 issues
Line: 193
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < request->n_ssids; i++) {
*buffer++ = request->ssids[i].ssid_len;
memcpy(buffer, request->ssids[i].ssid,
request->ssids[i].ssid_len);
buffer += request->ssids[i].ssid_len;
}
wid_list[index].size = (s32)(valuesize + 1);
index++;
Reported by FlawFinder.
Line: 383
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ssid_elm = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len);
if (ssid_elm) {
if (ssid_elm[1] <= IEEE80211_MAX_SSID_LEN)
memcpy(param->ssid, ssid_elm + 2, ssid_elm[1]);
}
tim_elm = cfg80211_find_ie(WLAN_EID_TIM, ies->data, ies->len);
if (tim_elm && tim_elm[1] >= 2)
param->dtim_period = tim_elm[3];
Reported by FlawFinder.
Line: 399
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rates_len > WILC_MAX_RATES_SUPPORTED)
rates_len = WILC_MAX_RATES_SUPPORTED;
param->supp_rates[0] = rates_len;
memcpy(&param->supp_rates[1], rates_ie + 2, rates_len);
}
if (rates_len < WILC_MAX_RATES_SUPPORTED) {
supp_rates_ie = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES,
ies->data, ies->len);
Reported by FlawFinder.
Line: 413
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
param->supp_rates[0] += ext_rates;
memcpy(&param->supp_rates[rates_len + 1],
supp_rates_ie + 2,
(param->supp_rates[0] - rates_len));
}
}
Reported by FlawFinder.
Line: 477
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* extract RSN capabilities */
offset += (rsn_ie[offset] * 4) + 2;
offset += (rsn_ie[offset] * 4) + 2;
memcpy(param->rsn_cap, &rsn_ie[offset], 2);
}
if (param->rsn_found) {
int i;
Reported by FlawFinder.
Line: 800
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*cur_byte++ = params->supported_rates_len;
if (params->supported_rates_len > 0)
memcpy(cur_byte, params->supported_rates,
params->supported_rates_len);
cur_byte += params->supported_rates_len;
if (params->ht_capa) {
*cur_byte++ = true;
Reported by FlawFinder.
Line: 806
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (params->ht_capa) {
*cur_byte++ = true;
memcpy(cur_byte, params->ht_capa,
sizeof(struct ieee80211_ht_cap));
} else {
*cur_byte++ = false;
}
cur_byte += sizeof(struct ieee80211_ht_cap);
Reported by FlawFinder.
Line: 953
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cur_byte += 4;
if (set_mc->cnt > 0 && set_mc->mc_list)
memcpy(cur_byte, set_mc->mc_list, set_mc->cnt * ETH_ALEN);
result = wilc_send_config_pkt(vif, WILC_SET_CFG, &wid, 1);
if (result)
netdev_err(vif->ndev, "Failed to send setup multicast\n");
Reported by FlawFinder.
Line: 1069
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wep_key->index = index;
wep_key->key_len = len;
memcpy(wep_key->key, key, len);
result = wilc_send_config_pkt(vif, WILC_SET_CFG, &wid, 1);
if (result)
netdev_err(vif->ndev,
"Failed to add wep key config packet\n");
Reported by FlawFinder.
Line: 1108
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wep_key->index = index;
wep_key->key_len = len;
memcpy(wep_key->key, key, len);
result = wilc_send_config_pkt(vif, WILC_SET_CFG, wid_list,
ARRAY_SIZE(wid_list));
if (result)
netdev_err(vif->ndev,
"Failed to add wep ap key config packet\n");
Reported by FlawFinder.
drivers/misc/bh1770glc.c
23 issues
Line: 498
CWE codes:
908
/* Set proximity detection rate based on above or below value */
if (ret == 0) {
bh1770_prox_rate(chip, mode);
sysfs_notify(&chip->client->dev.kobj, NULL, "prox0_raw");
}
out:
return ret;
}
Reported by Cppcheck.
Line: 933
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct bh1770_chip *chip = dev_get_drvdata(dev);
return sprintf(buf, "%s rev %d\n", chip->chipname, chip->revision);
}
static ssize_t bh1770_lux_calib_default_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 122
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bh1770_chip {
struct bh1770_platform_data *pdata;
char chipname[10];
u8 revision;
struct i2c_client *client;
struct regulator_bulk_data regs[2];
struct mutex mutex; /* avoid parallel access */
wait_queue_head_t wait;
Reported by FlawFinder.
Line: 675
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Write the device's power state into @buf as "1\n" or "0\n".
 *
 * The value is the logical negation of pm_runtime_suspended(@dev): 1 when
 * the device is not runtime-suspended, 0 when it is. Returns whatever
 * sprintf() returns, i.e. the number of characters written.
 *
 * Review context for the CWE-120 finding: sprintf() takes no destination
 * size, but the text produced here is a single digit plus a newline.
 * NOTE(review): the name and signature suggest a sysfs show callback; if so,
 * kernel documentation asks for sysfs_emit() in show() methods - confirm and
 * convert.
 */
static ssize_t bh1770_power_state_show(struct device *dev,
				       struct device_attribute *attr, char *buf)
{
	const int powered = !pm_runtime_suspended(dev);

	return sprintf(buf, "%d\n", powered);
}
static ssize_t bh1770_lux_result_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 695
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -EIO;
mutex_lock(&chip->mutex);
ret = sprintf(buf, "%d\n", bh1770_lux_read_result(chip));
mutex_unlock(&chip->mutex);
return ret;
}
Reported by FlawFinder.
Line: 704
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Write the constant BH1770_LUX_RANGE into @buf as a decimal number followed
 * by a newline, and return the number of characters sprintf() produced.
 * @dev and @attr are not used.
 *
 * Review context for the CWE-120 finding: sprintf() takes no destination
 * size, but the output is one compile-time constant formatted with "%d\n",
 * so its length does not depend on any runtime input.
 * NOTE(review): the name and signature suggest a sysfs show callback; if so,
 * kernel documentation asks for sysfs_emit() in show() methods - confirm and
 * convert.
 */
static ssize_t bh1770_lux_range_show(struct device *dev,
				     struct device_attribute *attr, char *buf)
{
	ssize_t written = sprintf(buf, "%d\n", BH1770_LUX_RANGE);

	return written;
}
static ssize_t bh1770_prox_enable_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 746
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ssize_t len;
mutex_lock(&chip->mutex);
len = sprintf(buf, "%d\n", chip->prox_enable_count);
mutex_unlock(&chip->mutex);
return len;
}
static ssize_t bh1770_prox_result_show(struct device *dev,
Reported by FlawFinder.
Line: 759
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mutex_lock(&chip->mutex);
if (chip->prox_enable_count && !pm_runtime_suspended(dev))
ret = sprintf(buf, "%d\n", chip->prox_data);
else
ret = -EIO;
mutex_unlock(&chip->mutex);
return ret;
}
Reported by FlawFinder.
Line: 769
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Write the constant BH1770_PROX_RANGE into @buf as a decimal number followed
 * by a newline, and return the number of characters sprintf() produced.
 * @dev and @attr are not used.
 *
 * Review context for the CWE-120 finding: sprintf() takes no destination
 * size, but the output is one compile-time constant formatted with "%d\n",
 * so its length does not depend on any runtime input.
 * NOTE(review): the name and signature suggest a sysfs show callback; if so,
 * kernel documentation asks for sysfs_emit() in show() methods - confirm and
 * convert.
 */
static ssize_t bh1770_prox_range_show(struct device *dev,
				      struct device_attribute *attr, char *buf)
{
	ssize_t written = sprintf(buf, "%d\n", BH1770_PROX_RANGE);

	return written;
}
static ssize_t bh1770_get_prox_rate_avail(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 778
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int i;
int pos = 0;
for (i = 0; i < ARRAY_SIZE(prox_rates_hz); i++)
pos += sprintf(buf + pos, "%d ", prox_rates_hz[i]);
sprintf(buf + pos - 1, "\n");
return pos;
}
static ssize_t bh1770_get_prox_rate_above(struct device *dev,
Reported by FlawFinder.
fs/ceph/xattr.c
23 issues
Line: 128
Column: 8
CWE codes:
134
Suggestion:
Use a constant for the format specification
char buf[96]; /* NB: reevaluate size if new vxattrs are added */
va_start(args, fmt);
ret = vsnprintf(buf, size ? sizeof(buf) : 0, fmt, args);
va_end(args);
/* Sanity check */
if (size && ret + 1 > sizeof(buf)) {
WARN_ONCE(true, "Returned length too big (%d)", ret);
Reported by FlawFinder.
Line: 66
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
s64 pool = ci->i_layout.pool_id;
const char *pool_name;
const char *ns_field = " pool_namespace=";
char buf[128];
size_t len, total_len = 0;
ssize_t ret;
pool_ns = ceph_try_get_string(ci->i_layout.pool_ns);
Reported by FlawFinder.
Line: 94
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = total_len;
if (size >= total_len) {
memcpy(val, buf, len);
ret = len;
if (pool_name) {
len = strlen(pool_name);
memcpy(val + ret, pool_name, len);
ret += len;
Reported by FlawFinder.
Line: 98
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = len;
if (pool_name) {
len = strlen(pool_name);
memcpy(val + ret, pool_name, len);
ret += len;
}
if (pool_ns) {
len = strlen(ns_field);
memcpy(val + ret, ns_field, len);
Reported by FlawFinder.
Line: 103
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (pool_ns) {
len = strlen(ns_field);
memcpy(val + ret, ns_field, len);
ret += len;
memcpy(val + ret, pool_ns->str, pool_ns->len);
ret += pool_ns->len;
}
}
Reported by FlawFinder.
Line: 105
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = strlen(ns_field);
memcpy(val + ret, ns_field, len);
ret += len;
memcpy(val + ret, pool_ns->str, pool_ns->len);
ret += pool_ns->len;
}
}
up_read(&osdc->lock);
ceph_put_string(pool_ns);
Reported by FlawFinder.
Line: 125
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int ret;
va_list args;
char buf[96]; /* NB: reevaluate size if new vxattrs are added */
va_start(args, fmt);
ret = vsnprintf(buf, size ? sizeof(buf) : 0, fmt, args);
va_end(args);
Reported by FlawFinder.
Line: 138
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (ret <= size)
memcpy(val, buf, ret);
return ret;
}
static ssize_t ceph_vxattrcb_layout_stripe_unit(struct ceph_inode_info *ci,
char *val, size_t size)
Reported by FlawFinder.
Line: 174
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pool_name) {
ret = strlen(pool_name);
if (ret <= size)
memcpy(val, pool_name, ret);
} else {
ret = ceph_fmt_xattr(val, size, "%lld", pool);
}
up_read(&osdc->lock);
return ret;
Reported by FlawFinder.
Line: 191
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ns) {
ret = ns->len;
if (ret <= size)
memcpy(val, ns->str, ret);
ceph_put_string(ns);
}
return ret;
}
Reported by FlawFinder.
net/netfilter/nf_conntrack_sip.c
23 issues
Line: 256
Column: 24
CWE codes:
126
return 0;
/* Find SIP URI */
for (; dptr < limit - strlen("sip:"); dptr++) {
if (*dptr == '\r' || *dptr == '\n')
return -1;
if (strncasecmp(dptr, "sip:", strlen("sip:")) == 0) {
dptr += strlen("sip:");
break;
Reported by FlawFinder.
Line: 259
Column: 33
CWE codes:
126
for (; dptr < limit - strlen("sip:"); dptr++) {
if (*dptr == '\r' || *dptr == '\n')
return -1;
if (strncasecmp(dptr, "sip:", strlen("sip:")) == 0) {
dptr += strlen("sip:");
break;
}
}
if (!skp_epaddr_len(ct, dptr, limit, &shift))
Reported by FlawFinder.
Line: 260
Column: 12
CWE codes:
126
if (*dptr == '\r' || *dptr == '\n')
return -1;
if (strncasecmp(dptr, "sip:", strlen("sip:")) == 0) {
dptr += strlen("sip:");
break;
}
}
if (!skp_epaddr_len(ct, dptr, limit, &shift))
return 0;
Reported by FlawFinder.
Line: 446
Column: 48
CWE codes:
126
dptr += dataoff;
dptr = ct_sip_header_search(dptr, limit, ",", strlen(","));
if (!dptr)
return 0;
dptr = ct_sip_header_search(dptr, limit, hdr->search, hdr->slen);
if (!dptr)
Reported by FlawFinder.
Line: 547
Column: 59
CWE codes:
126
const char *start;
const char *end;
limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
if (!limit)
limit = dptr + datalen;
start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
if (!start)
Reported by FlawFinder.
Line: 551
Column: 60
CWE codes:
126
if (!limit)
limit = dptr + datalen;
start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
if (!start)
return 0;
start += strlen(name);
end = ct_sip_header_search(start, limit, ";", strlen(";"));
Reported by FlawFinder.
Line: 554
Column: 11
CWE codes:
126
start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
if (!start)
return 0;
start += strlen(name);
end = ct_sip_header_search(start, limit, ";", strlen(";"));
if (!end)
end = limit;
Reported by FlawFinder.
Line: 556
Column: 48
CWE codes:
126
return 0;
start += strlen(name);
end = ct_sip_header_search(start, limit, ";", strlen(";"));
if (!end)
end = limit;
*matchoff = start - dptr;
*matchlen = end - start;
Reported by FlawFinder.
Line: 575
Column: 59
CWE codes:
126
const char *limit = dptr + datalen;
const char *start, *end;
limit = ct_sip_header_search(dptr + dataoff, limit, ",", strlen(","));
if (!limit)
limit = dptr + datalen;
start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
if (!start)
Reported by FlawFinder.
Line: 579
Column: 60
CWE codes:
126
if (!limit)
limit = dptr + datalen;
start = ct_sip_header_search(dptr + dataoff, limit, name, strlen(name));
if (!start)
return 0;
start += strlen(name);
if (!sip_parse_addr(ct, start, &end, addr, limit, delim))
Reported by FlawFinder.
drivers/staging/rtl8723bs/hal/rtl8723b_cmd.c
23 issues
Line: 81
Column: 4
CWE codes:
120
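Suggestion:
Make sure destination can always hold the source data. In this excerpt the last copy writes `CmdLen-3` bytes into `h2c_cmd_ex`, so the finding depends on whether `CmdLen` is capped before this point. The excerpt opens on a `goto exit;` whose condition is not shown; confirm that check limits `CmdLen` to the space available in `h2c_cmd` and `h2c_cmd_ex`.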
goto exit;
if (CmdLen <= 3)
memcpy((u8 *)(&h2c_cmd)+1, pCmdBuffer, CmdLen);
else {
memcpy((u8 *)(&h2c_cmd)+1, pCmdBuffer, 3);
memcpy((u8 *)(&h2c_cmd_ex), pCmdBuffer+3, CmdLen-3);
/* *(u8 *)(&h2c_cmd) |= BIT(7); */
}
Reported by FlawFinder.
Line: 83
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (CmdLen <= 3)
memcpy((u8 *)(&h2c_cmd)+1, pCmdBuffer, CmdLen);
else {
memcpy((u8 *)(&h2c_cmd)+1, pCmdBuffer, 3);
memcpy((u8 *)(&h2c_cmd_ex), pCmdBuffer+3, CmdLen-3);
/* *(u8 *)(&h2c_cmd) |= BIT(7); */
}
*(u8 *)(&h2c_cmd) |= ElementID;
Reported by FlawFinder.
Line: 84
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy((u8 *)(&h2c_cmd)+1, pCmdBuffer, CmdLen);
else {
memcpy((u8 *)(&h2c_cmd)+1, pCmdBuffer, 3);
memcpy((u8 *)(&h2c_cmd_ex), pCmdBuffer+3, CmdLen-3);
/* *(u8 *)(&h2c_cmd) |= BIT(7); */
}
*(u8 *)(&h2c_cmd) |= ElementID;
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*(fctrl) = 0;
eth_broadcast_addr(pwlanhdr->addr1);
memcpy(pwlanhdr->addr2, myid(&(padapter->eeprompriv)), ETH_ALEN);
memcpy(pwlanhdr->addr3, get_my_bssid(cur_network), ETH_ALEN);
SetSeqNum(pwlanhdr, 0/*pmlmeext->mgnt_seq*/);
/* pmlmeext->mgnt_seq++; */
SetFrameSubType(pframe, WIFI_BEACON);
Reported by FlawFinder.
Line: 125
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
eth_broadcast_addr(pwlanhdr->addr1);
memcpy(pwlanhdr->addr2, myid(&(padapter->eeprompriv)), ETH_ALEN);
memcpy(pwlanhdr->addr3, get_my_bssid(cur_network), ETH_ALEN);
SetSeqNum(pwlanhdr, 0/*pmlmeext->mgnt_seq*/);
/* pmlmeext->mgnt_seq++; */
SetFrameSubType(pframe, WIFI_BEACON);
Reported by FlawFinder.
Line: 139
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pktlen += 8;
/* beacon interval: 2 bytes */
memcpy(pframe, (unsigned char *)(rtw_get_beacon_interval_from_ie(cur_network->IEs)), 2);
pframe += 2;
pktlen += 2;
/* capability info: 2 bytes */
Reported by FlawFinder.
Line: 145
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pktlen += 2;
/* capability info: 2 bytes */
memcpy(pframe, (unsigned char *)(rtw_get_capability_from_ie(cur_network->IEs)), 2);
pframe += 2;
pktlen += 2;
if ((pmlmeinfo->state&0x03) == WIFI_FW_AP_STATE) {
Reported by FlawFinder.
Line: 152
Column: 3
CWE codes:
120
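Suggestion:
Make sure destination can always hold the source data. The copy length here is `pktlen`, which the neighbouring excerpts show being incremented as earlier fields are written (`pktlen += 8;`, `pktlen += 2;`) before `cur_network->IELength - sizeof(struct ndis_802_11_fix_ie)` is added to it. The length passed to `memcpy` therefore appears to exceed the IE data remaining after the fixed fields. Confirm against the full function, and check the length against both the source IE buffer and the space left at `pframe`.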
if ((pmlmeinfo->state&0x03) == WIFI_FW_AP_STATE) {
pktlen += cur_network->IELength - sizeof(struct ndis_802_11_fix_ie);
memcpy(pframe, cur_network->IEs+sizeof(struct ndis_802_11_fix_ie), pktlen);
goto _ConstructBeacon;
}
/* below for ad-hoc mode */
Reported by FlawFinder.
Line: 216
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
SetDuration(pframe, (pmlmeinfo->aid | 0xc000));
/* BSSID. */
memcpy(pwlanhdr->addr1, get_my_bssid(&(pmlmeinfo->network)), ETH_ALEN);
/* TA. */
memcpy(pwlanhdr->addr2, myid(&(padapter->eeprompriv)), ETH_ALEN);
*pLength = 16;
Reported by FlawFinder.
Line: 219
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(pwlanhdr->addr1, get_my_bssid(&(pmlmeinfo->network)), ETH_ALEN);
/* TA. */
memcpy(pwlanhdr->addr2, myid(&(padapter->eeprompriv)), ETH_ALEN);
*pLength = 16;
}
static void ConstructNullFunctionData(
Reported by FlawFinder.