The following issues were found
drivers/memstick/core/memstick.c
3 issues
Line: 330
CWE codes:
908
struct ms_id_register id_reg;
if (!(*mrq)) {
memstick_init_req(&card->current_mrq, MS_TPC_READ_REG, &id_reg,
sizeof(struct ms_id_register));
*mrq = &card->current_mrq;
return 0;
}
if (!(*mrq)->error) {
Reported by Cppcheck.
Line: 152
Column: 9
CWE codes:
134
Suggestion:
Make format string constant
{ \
struct memstick_dev *card = container_of(dev, struct memstick_dev, \
dev); \
return sprintf(buf, format, card->id.name); \
} \
static DEVICE_ATTR_RO(name);
MEMSTICK_ATTR(type, "%02X");
MEMSTICK_ATTR(category, "%02X");
Reported by FlawFinder.
Line: 306
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mrq->data_len = length > sizeof(mrq->data) ? sizeof(mrq->data) : length;
if (mrq->data_dir == WRITE)
memcpy(mrq->data, buf, mrq->data_len);
mrq->long_data = 0;
if (tpc == MS_TPC_SET_CMD || tpc == MS_TPC_EX_SET_CMD)
mrq->need_card_int = 1;
Reported by FlawFinder.
drivers/mfd/88pm860x-core.c
3 issues
Line: 495
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pm860x_chip *chip = irq_data_get_irq_chip_data(data);
struct pm860x_irq_data *irq_data;
struct i2c_client *i2c;
static unsigned char cached[3] = {0x0, 0x0, 0x0};
unsigned char mask[3];
int i;
i2c = (chip->id == CHIP_PM8607) ? chip->client : chip->companion;
/* Load cached value. In initial, all IRQs are masked */
Reported by FlawFinder.
Line: 496
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pm860x_irq_data *irq_data;
struct i2c_client *i2c;
static unsigned char cached[3] = {0x0, 0x0, 0x0};
unsigned char mask[3];
int i;
i2c = (chip->id == CHIP_PM8607) ? chip->client : chip->companion;
/* Load cached value. In initial, all IRQs are masked */
for (i = 0; i < 3; i++)
Reported by FlawFinder.
Line: 572
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct i2c_client *i2c = (chip->id == CHIP_PM8607) ?
chip->client : chip->companion;
unsigned char status_buf[INT_STATUS_NUM];
unsigned long flags = IRQF_TRIGGER_FALLING | IRQF_ONESHOT;
int data, mask, ret = -EINVAL;
int nr_irqs, irq_base = -1;
struct device_node *node = i2c->dev.of_node;
Reported by FlawFinder.
drivers/mfd/aat2870-core.c
3 issues
Line: 222
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ssize_t count = 0;
int ret;
count += sprintf(buf, "aat2870 registers\n");
for (addr = 0; addr < AAT2870_REG_NUM; addr++) {
count += snprintf(buf + count, PAGE_SIZE - count, "0x%02x: ", addr);
if (count >= PAGE_SIZE - 1)
break;
Reported by FlawFinder.
Line: 276
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
loff_t *ppos)
{
struct aat2870_data *aat2870 = file->private_data;
char buf[32];
ssize_t buf_size;
char *start = buf;
unsigned long addr, val;
int ret;
Reported by FlawFinder.
Line: 228
Column: 18
CWE codes:
120
20
if (count >= PAGE_SIZE - 1)
break;
ret = aat2870->read(aat2870, addr, &val);
if (ret == 0)
count += snprintf(buf + count, PAGE_SIZE - count,
"0x%02x", val);
else
count += snprintf(buf + count, PAGE_SIZE - count,
Reported by FlawFinder.
drivers/mfd/gateworks-gsc.c
3 issues
Line: 79
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int gsc_powerdown(struct gsc_dev *gsc, unsigned long secs)
{
int ret;
unsigned char regs[4];
dev_info(&gsc->i2c->dev, "GSC powerdown for %ld seconds\n",
secs);
put_unaligned_le32(secs, regs);
Reported by FlawFinder.
Line: 113
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int rz = 0;
if (strcasecmp(name, "fw_version") == 0)
rz = sprintf(buf, "%d\n", gsc->fwver);
else if (strcasecmp(name, "fw_crc") == 0)
rz = sprintf(buf, "0x%04x\n", gsc->fwcrc);
else
dev_err(dev, "invalid command: '%s'\n", name);
Reported by FlawFinder.
Line: 115
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (strcasecmp(name, "fw_version") == 0)
rz = sprintf(buf, "%d\n", gsc->fwver);
else if (strcasecmp(name, "fw_crc") == 0)
rz = sprintf(buf, "0x%04x\n", gsc->fwcrc);
else
dev_err(dev, "invalid command: '%s'\n", name);
return rz;
}
Reported by FlawFinder.
drivers/mfd/max8925-core.c
3 issues
Line: 547
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct max8925_chip *chip = irq_data_get_irq_chip_data(data);
struct max8925_irq_data *irq_data;
static unsigned char cache_chg[2] = {0xff, 0xff};
static unsigned char cache_on[2] = {0xff, 0xff};
static unsigned char cache_rtc = 0xff, cache_tsc = 0xff;
unsigned char irq_chg[2], irq_on[2];
unsigned char irq_rtc, irq_tsc;
int i;
Reported by FlawFinder.
Line: 548
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct max8925_chip *chip = irq_data_get_irq_chip_data(data);
struct max8925_irq_data *irq_data;
static unsigned char cache_chg[2] = {0xff, 0xff};
static unsigned char cache_on[2] = {0xff, 0xff};
static unsigned char cache_rtc = 0xff, cache_tsc = 0xff;
unsigned char irq_chg[2], irq_on[2];
unsigned char irq_rtc, irq_tsc;
int i;
Reported by FlawFinder.
Line: 550
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned char cache_chg[2] = {0xff, 0xff};
static unsigned char cache_on[2] = {0xff, 0xff};
static unsigned char cache_rtc = 0xff, cache_tsc = 0xff;
unsigned char irq_chg[2], irq_on[2];
unsigned char irq_rtc, irq_tsc;
int i;
/* Load cached value. In initial, all IRQs are masked */
irq_chg[0] = cache_chg[0];
Reported by FlawFinder.
drivers/mfd/mc13xxx-core.c
3 issues
Line: 375
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
};
/* there is no asnprintf in the kernel :-( */
if (snprintf(buf, sizeof(buf), format, name) > sizeof(buf))
return -E2BIG;
cell.name = kmemdup(buf, strlen(buf) + 1, GFP_KERNEL);
if (!cell.name)
return -ENOMEM;
Reported by FlawFinder.
Line: 366
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mc13xxx_add_subdevice_pdata(struct mc13xxx *mc13xxx,
const char *format, void *pdata, size_t pdata_size)
{
char buf[30];
const char *name = mc13xxx_get_chipname(mc13xxx);
struct mfd_cell cell = {
.platform_data = pdata,
.pdata_size = pdata_size,
Reported by FlawFinder.
Line: 378
Column: 27
CWE codes:
126
if (snprintf(buf, sizeof(buf), format, name) > sizeof(buf))
return -E2BIG;
cell.name = kmemdup(buf, strlen(buf) + 1, GFP_KERNEL);
if (!cell.name)
return -ENOMEM;
return mfd_add_devices(mc13xxx->dev, -1, &cell, 1, NULL, 0,
regmap_irq_get_domain(mc13xxx->irq_data));
Reported by FlawFinder.
drivers/mfd/mc13xxx-spi.c
3 issues
Line: 64
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mc13xxx_spi_read(void *context, const void *reg, size_t reg_size,
void *val, size_t val_size)
{
unsigned char w[4] = { *((unsigned char *) reg), 0, 0, 0};
unsigned char r[4];
unsigned char *p = val;
struct device *dev = context;
struct spi_device *spi = to_spi_device(dev);
struct spi_transfer t = {
Reported by FlawFinder.
Line: 65
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *val, size_t val_size)
{
unsigned char w[4] = { *((unsigned char *) reg), 0, 0, 0};
unsigned char r[4];
unsigned char *p = val;
struct device *dev = context;
struct spi_device *spi = to_spi_device(dev);
struct spi_transfer t = {
.tx_buf = w,
Reported by FlawFinder.
Line: 85
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spi_message_add_tail(&t, &m);
ret = spi_sync(spi, &m);
memcpy(p, &r[1], 3);
return ret;
}
static int mc13xxx_spi_write(void *context, const void *data, size_t count)
Reported by FlawFinder.
drivers/mfd/wm831x-irq.c
3 issues
Line: 455
Column: 6
CWE codes:
120
20
unsigned int i;
int primary, status_addr, ret;
int status_regs[WM831X_NUM_IRQ_REGS] = { 0 };
int read[WM831X_NUM_IRQ_REGS] = { 0 };
int *status;
primary = wm831x_reg_read(wm831x, WM831X_SYSTEM_INTERRUPTS);
if (primary < 0) {
dev_err(wm831x->dev, "Failed to read system interrupt: %d\n",
Reported by FlawFinder.
Line: 488
Column: 8
CWE codes:
120
20
/* Hopefully there should only be one register to read
* each time otherwise we ought to do a block read. */
if (!read[offset]) {
status_addr = irq_data_to_status_reg(&wm831x_irqs[i]);
*status = wm831x_reg_read(wm831x, status_addr);
if (*status < 0) {
dev_err(wm831x->dev,
Reported by FlawFinder.
Line: 499
Column: 4
CWE codes:
120
20
goto out;
}
read[offset] = 1;
/* Ignore any bits that we don't think are masked */
*status &= ~wm831x->irq_masks_cur[offset];
/* Acknowledge now so we don't miss
Reported by FlawFinder.
drivers/mfd/wm831x-otp.c
3 issues
Line: 46
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct wm831x *wm831x = dev_get_drvdata(dev);
int rval;
char id[WM831X_UNIQUE_ID_LEN];
rval = wm831x_unique_id_read(wm831x, id);
if (rval < 0)
return 0;
Reported by FlawFinder.
Line: 52
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (rval < 0)
return 0;
return sprintf(buf, "%*phN\n", WM831X_UNIQUE_ID_LEN, id);
}
static DEVICE_ATTR_RO(unique_id);
int wm831x_otp_init(struct wm831x *wm831x)
Reported by FlawFinder.
Line: 59
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int wm831x_otp_init(struct wm831x *wm831x)
{
char uuid[WM831X_UNIQUE_ID_LEN];
int ret;
ret = device_create_file(wm831x->dev, &dev_attr_unique_id);
if (ret != 0)
dev_err(wm831x->dev, "Unique ID attribute not created: %d\n",
Reported by FlawFinder.
drivers/misc/ad525x_dpot.c
3 issues
Line: 421
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
s32 value;
if (reg & DPOT_ADDR_OTP_EN)
return sprintf(buf, "%s\n",
test_bit(DPOT_RDAC_MASK & reg, data->otp_en_mask) ?
"enabled" : "disabled");
mutex_lock(&data->update_lock);
Reported by FlawFinder.
Line: 441
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
*/
if (reg & DPOT_REG_TOL)
return sprintf(buf, "0x%04x\n", value & 0xFFFF);
else
return sprintf(buf, "%u\n", value & data->rdac_mask);
}
static ssize_t sysfs_set_reg(struct device *dev,
Reported by FlawFinder.
Line: 443
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (reg & DPOT_REG_TOL)
return sprintf(buf, "0x%04x\n", value & 0xFFFF);
else
return sprintf(buf, "%u\n", value & data->rdac_mask);
}
static ssize_t sysfs_set_reg(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count, u32 reg)
Reported by FlawFinder.