The following issues were found
drivers/hwmon/shtc1.c
4 issues
Line: 105
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct shtc1_data *data = dev_get_drvdata(dev);
struct i2c_client *client = data->client;
unsigned char buf[SHTC1_RESPONSE_LENGTH];
int val;
int ret = 0;
mutex_lock(&data->update_lock);
Reported by FlawFinder.
Line: 146
Column: 9
CWE codes:
120
Suggestion:
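Use sprintf_s, snprintf, or vsnprintf
Note: sprintf_s is not available to kernel code. The excerpt appears to be a sysfs show callback that formats a single integer with "%d\n", so the output length is small and fixed and an overflow of the sysfs buffer is unlikely. The bounded kernel helper for this pattern is sysfs_emit(), which this report shows in use in drivers/infiniband/core/sysfs.c.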
if (IS_ERR(data))
return PTR_ERR(data);
return sprintf(buf, "%d\n", data->temperature);
}
static ssize_t humidity1_input_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 156
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (IS_ERR(data))
return PTR_ERR(data);
return sprintf(buf, "%d\n", data->humidity);
}
static DEVICE_ATTR_RO(temp1_input);
static DEVICE_ATTR_RO(humidity1_input);
Reported by FlawFinder.
Line: 195
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int ret;
u16 id_reg;
char id_reg_buf[2];
struct shtc1_data *data;
struct device *hwmon_dev;
enum shtcx_chips chip = i2c_match_id(shtc1_id, client)->driver_data;
struct i2c_adapter *adap = client->adapter;
struct device *dev = &client->dev;
Reported by FlawFinder.
drivers/isdn/mISDN/l1oip_core.c
4 issues
Line: 318
Column: 4
CWE codes:
120
Suggestion:
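Make sure destination can always hold the source data
Note: neither the capacity of the frame that p points into nor an upper bound on len is visible in the excerpt. The finding is settled by confirming that len is checked against the remaining space in frame before this copy.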
len = l1oip_law_to_4bit(buf, len, p,
&hc->chan[channel].codecstate);
else
memcpy(p, buf, len);
}
len += p - frame;
/* check for socket in safe condition */
spin_lock(&hc->socket_lock);
Reported by FlawFinder.
Line: 398
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else if (remotecodec == 3)
len = l1oip_4bit_to_law(buf, len, p);
else
memcpy(p, buf, len);
/* send message up */
if (dch && len >= 2) {
dch->rx_skb = nskb;
recv_Dchannel(dch);
Reported by FlawFinder.
Line: 1299
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
hc->b_num = pri ? 30 : 2;
hc->bundle = bundle;
if (hc->pri)
sprintf(hc->name, "l1oip-e1.%d", l1oip_cnt + 1);
else
sprintf(hc->name, "l1oip-s0.%d", l1oip_cnt + 1);
switch (codec[l1oip_cnt]) {
case 0: /* as is */
Reported by FlawFinder.
Line: 1301
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (hc->pri)
sprintf(hc->name, "l1oip-e1.%d", l1oip_cnt + 1);
else
sprintf(hc->name, "l1oip-s0.%d", l1oip_cnt + 1);
switch (codec[l1oip_cnt]) {
case 0: /* as is */
case 1: /* alaw */
case 2: /* ulaw */
Reported by FlawFinder.
drivers/hwmon/sht21.c
4 issues
Line: 45
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int temperature;
int humidity;
char valid;
char eic[18];
};
/**
* sht21_temp_ticks_to_millicelsius() - convert raw temperature ticks to
* milli celsius
Reported by FlawFinder.
Line: 135
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret = sht21_update_measurements(dev);
if (ret < 0)
return ret;
return sprintf(buf, "%d\n", sht21->temperature);
}
/**
* sht21_show_humidity() - show humidity measurement value in sysfs
* @dev: device
Reported by FlawFinder.
Line: 156
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret = sht21_update_measurements(dev);
if (ret < 0)
return ret;
return sprintf(buf, "%d\n", sht21->humidity);
}
static ssize_t eic_read(struct sht21 *sht21)
{
struct i2c_client *client = sht21->client;
Reported by FlawFinder.
Line: 234
Column: 3
CWE codes:
120
Suggestion:
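Make sure destination can always hold the source data
Note: the copy length is ret. The excerpt sets it from eic_read() on one path and leaves it at an earlier value, assigned above the excerpt, on the other. The read from sht21->eic stays in bounds as long as ret never exceeds the 18-byte eic array shown in the excerpt for line 45.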
if (!sht21->eic[0])
ret = eic_read(sht21);
if (ret > 0)
memcpy(buf, sht21->eic, ret);
mutex_unlock(&sht21->lock);
return ret;
}
/* sysfs attributes */
Reported by FlawFinder.
drivers/hid/hid-led.c
4 issues
Line: 85
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hidled_led {
struct led_classdev cdev;
struct hidled_rgb *rgb;
char name[32];
};
struct hidled_rgb {
struct hidled_device *ldev;
struct hidled_led red;
Reported by FlawFinder.
Line: 123
Column: 2
CWE codes:
120
Suggestion:
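Make sure destination can always hold the source data
Note: the copy length is ldev->config->report_size. The allocation size of ldev->buf and the size of the caller's buf are not in the excerpt; confirm that both are at least report_size. The same check covers the memcpy findings at lines 154 and 168 of this file.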
* buffer provided to hid_hw_raw_request must not be on the stack
* and must not be part of a data structure
*/
memcpy(ldev->buf, buf, ldev->config->report_size);
if (ldev->config->report_type == RAW_REQUEST)
ret = hid_hw_raw_request(ldev->hdev, buf[0], ldev->buf,
ldev->config->report_size,
HID_FEATURE_REPORT,
Reported by FlawFinder.
Line: 154
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&ldev->lock);
memcpy(ldev->buf, buf, ldev->config->report_size);
ret = hid_hw_raw_request(ldev->hdev, buf[0], ldev->buf,
ldev->config->report_size,
HID_FEATURE_REPORT,
HID_REQ_SET_REPORT);
Reported by FlawFinder.
Line: 168
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
HID_FEATURE_REPORT,
HID_REQ_GET_REPORT);
memcpy(buf, ldev->buf, ldev->config->report_size);
err:
mutex_unlock(&ldev->lock);
return ret < 0 ? ret : 0;
}
Reported by FlawFinder.
drivers/hwmon/sht15.c
4 issues
Line: 774
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char *buf)
{
struct platform_device *pdev = to_platform_device(dev);
return sprintf(buf, "%s\n", pdev->name);
}
static SENSOR_DEVICE_ATTR_RO(temp1_input, sht15_temp, 0);
static SENSOR_DEVICE_ATTR_RO(humidity1_input, sht15_humidity, 0);
static SENSOR_DEVICE_ATTR_RO(temp1_fault, sht15_status,
Reported by FlawFinder.
Line: 689
Column: 21
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret = sht15_update_status(data);
return ret ? ret : sprintf(buf, "%d\n", !!(data->val_status & bit));
}
/**
* sht15_store_heater() - change heater state via sysfs
* @dev: device.
Reported by FlawFinder.
Line: 745
Column: 21
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* Technically no need to read humidity as well */
ret = sht15_update_measurements(data);
return ret ? ret : sprintf(buf, "%d\n",
sht15_calc_temp(data));
}
/**
* sht15_show_humidity() - show humidity measurement value in sysfs
Reported by FlawFinder.
Line: 766
Column: 21
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret = sht15_update_measurements(data);
return ret ? ret : sprintf(buf, "%d\n", sht15_calc_humid(data));
}
static ssize_t name_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
drivers/gpu/drm/i915/gvt/scheduler.c
4 issues
Line: 401
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* get shadow ring buffer va */
workload->shadow_ring_buffer_va = cs;
memcpy(cs, shadow_ring_buffer_va,
workload->rb_len);
cs += workload->rb_len / sizeof(u32);
intel_ring_advance(workload->req, cs);
Reported by FlawFinder.
Line: 236
Column: 9
CWE codes:
120
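20
Note: likely a false positive. CWE-120/CWE-20 with no suggestion is consistent with the scanner's rule for read() calls, but the only `read` in the excerpt is a goto label (`goto read;`). No read() call is visible.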
gpa_base = context_gpa;
dst = context_base + (i << I915_GTT_PAGE_SHIFT);
} else if (context_gpa != gpa_base + gpa_size)
goto read;
gpa_size += I915_GTT_PAGE_SIZE;
if (i == context_page_num - 1)
goto read;
Reported by FlawFinder.
Line: 245
Column: 1
CWE codes:
120
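20
Note: likely a false positive. Column 1 of the reported line appears to be the `read:` label itself, not a call to read(). The call that follows it, intel_gvt_hypervisor_read_gpa(), takes an explicit size (gpa_size); whether dst has room for that many bytes is not shown in the excerpt.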
continue;
read:
intel_gvt_hypervisor_read_gpa(vgpu, gpa_base, dst, gpa_size);
gpa_base = context_gpa;
gpa_size = I915_GTT_PAGE_SIZE;
dst = context_base + (i << I915_GTT_PAGE_SHIFT);
}
Reported by FlawFinder.
drivers/iommu/iommu.c
4 issues
Line: 406
Column: 9
CWE codes:
120
Suggestion:
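Use sprintf_s, snprintf, or vsnprintf
Note: sprintf_s is not available to kernel code. Unlike the "%d" findings in this report, "%s" copies a string whose length the format does not bound. Whether group->name can exceed the sysfs buffer depends on how the name is set, which is not shown. sysfs_emit() limits the write to the size of the sysfs buffer.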
static ssize_t iommu_group_show_name(struct iommu_group *group, char *buf)
{
return sprintf(buf, "%s\n", group->name);
}
/**
* iommu_insert_resv_region - Insert a new region in the
* list of reserved regions.
Reported by FlawFinder.
Line: 518
Column: 10
CWE codes:
120
Suggestion:
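Use sprintf_s, snprintf, or vsnprintf
Note: this call runs inside list_for_each_entry_safe() and advances str by each return value, so the total output grows with the number of reserved regions. Nothing in the excerpt stops the write at the end of the buffer. A bounded form tracks the offset and uses sysfs_emit_at(), or scnprintf() with the remaining space.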
iommu_get_group_resv_regions(group, &group_resv_regions);
list_for_each_entry_safe(region, next, &group_resv_regions, list) {
str += sprintf(str, "0x%016llx 0x%016llx %s\n",
(long long int)region->start,
(long long int)(region->start +
region->length - 1),
iommu_group_resv_type_string[region->type]);
kfree(region);
Reported by FlawFinder.
Line: 552
Column: 2
CWE codes:
120
Suggestion:
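Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
Note: the risk depends on what type points to, and its assignment is above the excerpt. If it only ever refers to short constant strings, the copy is bounded in practice; confirm this against the full function.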
}
}
mutex_unlock(&group->mutex);
strcpy(buf, type);
return strlen(type);
}
static IOMMU_GROUP_ATTR(name, S_IRUGO, iommu_group_show_name, NULL);
Reported by FlawFinder.
Line: 554
Column: 9
CWE codes:
126
mutex_unlock(&group->mutex);
strcpy(buf, type);
return strlen(type);
}
static IOMMU_GROUP_ATTR(name, S_IRUGO, iommu_group_show_name, NULL);
static IOMMU_GROUP_ATTR(reserved_regions, 0444,
Reported by FlawFinder.
drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c
4 issues
Line: 160
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret < 0)
return ret;
return sprintf(buf, "%d.%06u\n",
latency / 1000,
(latency % 1000) * 1000);
}
static IIO_DEVICE_ATTR(hwfifo_timeout, 0644,
Reported by FlawFinder.
Line: 176
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct cros_ec_sensors_core_state *st = iio_priv(indio_dev);
return sprintf(buf, "%d\n", st->fifo_max_event_count);
}
static IIO_DEVICE_ATTR_RO(hwfifo_watermark_max, 0);
static const struct attribute *cros_ec_sensor_fifo_attributes[] = {
Reported by FlawFinder.
Line: 394
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
state->msg->insize = state->ec->max_response;
memcpy(state->msg->data, &state->param, sizeof(state->param));
ret = cros_ec_cmd_xfer_status(state->ec, state->msg);
if (ret < 0)
return ret;
Reported by FlawFinder.
Line: 402
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret &&
state->resp != (struct ec_response_motion_sense *)state->msg->data)
memcpy(state->resp, state->msg->data, ret);
return 0;
}
EXPORT_SYMBOL_GPL(cros_ec_motion_send_host_cmd);
Reported by FlawFinder.
drivers/infiniband/core/sysfs.c
4 issues
Line: 51
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct port_table_attribute {
struct ib_port_attribute attr;
char name[8];
int index;
__be16 attr_id;
};
struct gid_attr_group {
Reported by FlawFinder.
Line: 589
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = -EINVAL;
goto out;
}
memcpy(data, out_mad->data + offset, size);
ret = size;
out:
kfree(in_mad);
kfree(out_mad);
return ret;
Reported by FlawFinder.
Line: 1353
Column: 2
CWE codes:
120
Suggestion:
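Make sure destination can always hold the source data
Note: the length is already clamped with min_t(int, count, IB_DEVICE_NODE_DESC_MAX), so the copy cannot exceed that constant. What remains to verify is that desc.node_desc is at least IB_DEVICE_NODE_DESC_MAX bytes; its declaration is not shown.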
if (!dev->ops.modify_device)
return -EOPNOTSUPP;
memcpy(desc.node_desc, buf, min_t(int, count, IB_DEVICE_NODE_DESC_MAX));
ret = ib_modify_device(dev, IB_DEVICE_MODIFY_NODE_DESC, &desc);
if (ret)
return ret;
return count;
Reported by FlawFinder.
Line: 1366
Column: 2
CWE codes:
119
120
Suggestion:
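Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Note: this finding flags only the declaration of a fixed-size array. In the excerpt the array is zero-initialised and printed with sysfs_emit(). Whether ib_get_device_fw_str() stays within IB_FW_VERSION_NAME_MAX is decided inside that function, which is not shown.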
char *buf)
{
struct ib_device *dev = rdma_device_to_ibdev(device);
char version[IB_FW_VERSION_NAME_MAX] = {};
ib_get_device_fw_str(dev, version);
return sysfs_emit(buf, "%s\n", version);
}
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nvkm/engine/fifo/tu102.c
4 issues
Line: 293
Column: 54
CWE codes:
362/367!
Suggestion:
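Set up the correct permissions (e.g., using setuid()) and try to open the file directly
Note: likely a false positive. CWE-362/367 and this suggestion belong to the scanner's check for the access() file-permission call. In the excerpt, `access` appears only as a struct member (fault.access, info->access), and no file is checked or opened.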
ec = nvkm_enum_find(fifo->func->fault.gpcclient, info->client);
snprintf(ct, sizeof(ct), "GPC%d/", info->gpc);
}
ea = nvkm_enum_find(fifo->func->fault.access, info->access);
if (ee && ee->data2) {
switch (ee->data2) {
case NVKM_SUBDEV_BAR:
nvkm_bar_bar1_reset(device);
Reported by FlawFinder.
Line: 293
Column: 40
CWE codes:
362/367!
Suggestion:
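Set up the correct permissions (e.g., using setuid()) and try to open the file directly
Note: likely a false positive, on the same source line as the column 54 finding. The match is on the member name `access` in the nvkm_enum_find() arguments, not on a call to access().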
ec = nvkm_enum_find(fifo->func->fault.gpcclient, info->client);
snprintf(ct, sizeof(ct), "GPC%d/", info->gpc);
}
ea = nvkm_enum_find(fifo->func->fault.access, info->access);
if (ee && ee->data2) {
switch (ee->data2) {
case NVKM_SUBDEV_BAR:
nvkm_bar_bar1_reset(device);
Reported by FlawFinder.
Line: 329
Column: 12
CWE codes:
362/367!
Suggestion:
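Set up the correct permissions (e.g., using setuid()) and try to open the file directly
Note: likely a false positive. The match is on `info->access`, passed as an argument to nvkm_error(). No access() call and no file operation appear in the excerpt.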
nvkm_error(subdev,
"fault %02x [%s] at %016llx engine %02x [%s] client %02x "
"[%s%s] reason %02x [%s] on channel %d [%010llx %s]\n",
info->access, ea ? ea->name : "", info->addr,
info->engine, ee ? ee->name : en,
info->client, ct, ec ? ec->name : "",
info->reason, er ? er->name : "", chan ? chan->chid : -1,
info->inst, chan ? chan->object.client->name : "unknown");
Reported by FlawFinder.
Line: 282
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct nvkm_fifo_chan *chan;
unsigned long flags;
const char *en = "";
char ct[8] = "HUB/";
int engn;
er = nvkm_enum_find(fifo->func->fault.reason, info->reason);
ee = nvkm_enum_find(fifo->func->fault.engine, info->engine);
if (info->hub) {
Reported by FlawFinder.