The following issues were found
drivers/scsi/dc395x.c
3 issues
Line: 2509
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!(srb->state & SRB_DISCONNECT))
goto mingx0;
memcpy(srb->msgin_buf, dcb->active_srb->msgin_buf, acb->msg_len);
srb->state |= dcb->active_srb->state;
srb->state |= SRB_DATA_XFER;
dcb->active_srb = srb;
/* How can we make the DORS happy? */
return srb;
Reported by FlawFinder.
Line: 2616
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dprintkl(KERN_DEBUG, "msgin_set_sync: answer w/%ins %i\n",
srb->msgin_buf[3] << 2, srb->msgin_buf[4]);
memcpy(srb->msgout_buf, srb->msgin_buf, 5);
srb->msg_count = 5;
DC395x_ENABLE_MSGOUT;
dcb->sync_mode |= SYNC_NEGO_DONE;
} else {
if ((dcb->sync_mode & WIDE_NEGO_ENABLE)
Reported by FlawFinder.
Line: 2668
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dprintkl(KERN_DEBUG,
"msgin_set_wide: Wide nego initiated <%02i>\n",
dcb->target_id);
memcpy(srb->msgout_buf, srb->msgin_buf, 4);
srb->msg_count = 4;
srb->state |= SRB_DO_WIDE_NEGO;
DC395x_ENABLE_MSGOUT;
}
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
3 issues
Line: 161
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
IWL_HCMD_DFL_DUP))) {
copy = cmd->len[i];
memcpy((u8 *)out_cmd + cmd_pos, cmd->data[i], copy);
cmd_pos += copy;
copy_size += copy;
continue;
}
Reported by FlawFinder.
Line: 174
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
copy = min_t(int, TFD_MAX_PAYLOAD_SIZE - cmd_pos, cmd->len[i]);
memcpy((u8 *)out_cmd + cmd_pos, cmd->data[i], copy);
cmd_pos += copy;
/* However, treat copy_size the proper way, we need it below */
if (copy_size < IWL_FIRST_TB_SIZE) {
copy = IWL_FIRST_TB_SIZE - copy_size;
Reported by FlawFinder.
Line: 195
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* start the TFD with the minimum copy bytes */
tb0_size = min_t(int, copy_size, IWL_FIRST_TB_SIZE);
memcpy(&txq->first_tb_bufs[idx], out_cmd, tb0_size);
iwl_txq_gen2_set_tb(trans, tfd, iwl_txq_get_first_tb_dma(txq, idx),
tb0_size);
/* map first command fragment, if any remains */
if (copy_size > tb0_size) {
Reported by FlawFinder.
drivers/pci/hotplug/ibmphp_ebda.c
3 issues
Line: 658
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
}
sprintf(str, "%s%dslot%d",
which == 0 ? "chassis" : "rxe",
number, slot_num - first_slot + 1);
return str;
}
Reported by FlawFinder.
Line: 599
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct opt_rio *opt_vg_ptr = NULL;
struct opt_rio_lo *opt_lo_ptr = NULL;
static char str[SLOT_NAME_SIZE];
int which = 0; /* rxe = 1, chassis = 0 */
u8 number = 1; /* either chassis or rxe # */
u8 first_slot = 1;
u8 slot_num;
u8 flag = 0;
Reported by FlawFinder.
Line: 693
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bus_info *bus_info_ptr1, *bus_info_ptr2;
int rc;
struct slot *tmp_slot;
char name[SLOT_NAME_SIZE];
addr = hpc_list_ptr->phys_addr;
for (ctlr = 0; ctlr < hpc_list_ptr->num_ctlrs; ctlr++) {
bus_index = 1;
ctlr_id = readb(io_mem + addr);
Reported by FlawFinder.
drivers/scsi/aic94xx/aic94xx_init.c
3 issues
Line: 347
Column: 8
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
}
filename_ptr = cmd_ptr + count;
res = sscanf(buf, "%s %s", cmd_ptr, filename_ptr);
if (res != 2) {
err = FAIL_PARAMETERS;
goto out1;
}
Reported by FlawFinder.
Line: 191
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
asd_unmap_memio(asd_ha);
}
static const char *asd_dev_rev[30] = {
[0] = "A0",
[1] = "A1",
[8] = "B0",
};
Reported by FlawFinder.
Line: 355
Column: 15
CWE codes:
126
for (i = 0; flash_command_table[i].code != FLASH_CMD_NONE; i++) {
if (!memcmp(flash_command_table[i].command,
cmd_ptr, strlen(cmd_ptr))) {
flash_command = flash_command_table[i].code;
break;
}
}
if (flash_command == FLASH_CMD_NONE) {
Reported by FlawFinder.
drivers/pci/pci-sysfs.c
3 issues
Line: 1183
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sysfs_bin_attr_init(res_attr);
if (write_combine) {
pdev->res_attr_wc[num] = res_attr;
sprintf(res_attr_name, "resource%d_wc", num);
res_attr->mmap = pci_mmap_resource_wc;
} else {
pdev->res_attr[num] = res_attr;
sprintf(res_attr_name, "resource%d", num);
if (pci_resource_flags(pdev, num) & IORESOURCE_IO) {
Reported by FlawFinder.
Line: 1187
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
res_attr->mmap = pci_mmap_resource_wc;
} else {
pdev->res_attr[num] = res_attr;
sprintf(res_attr_name, "resource%d", num);
if (pci_resource_flags(pdev, num) & IORESOURCE_IO) {
res_attr->read = pci_read_resource_io;
res_attr->write = pci_write_resource_io;
if (arch_can_pci_mmap_io())
res_attr->mmap = pci_mmap_resource_uc;
Reported by FlawFinder.
Line: 566
Column: 6
CWE codes:
126
device_lock(dev);
old = pdev->driver_override;
if (strlen(driver_override)) {
pdev->driver_override = driver_override;
} else {
kfree(driver_override);
pdev->driver_override = NULL;
}
Reported by FlawFinder.
drivers/pci/pcie/aspm.c
3 issues
Line: 1174
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int i, cnt = 0;
for (i = 0; i < ARRAY_SIZE(policy_str); i++)
if (i == aspm_policy)
cnt += sprintf(buffer + cnt, "[%s] ", policy_str[i]);
else
cnt += sprintf(buffer + cnt, "%s ", policy_str[i]);
cnt += sprintf(buffer + cnt, "\n");
return cnt;
}
Reported by FlawFinder.
Line: 1176
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (i == aspm_policy)
cnt += sprintf(buffer + cnt, "[%s] ", policy_str[i]);
else
cnt += sprintf(buffer + cnt, "%s ", policy_str[i]);
cnt += sprintf(buffer + cnt, "\n");
return cnt;
}
module_param_call(policy, pcie_aspm_set_policy, pcie_aspm_get_policy,
Reported by FlawFinder.
Line: 1177
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
cnt += sprintf(buffer + cnt, "[%s] ", policy_str[i]);
else
cnt += sprintf(buffer + cnt, "%s ", policy_str[i]);
cnt += sprintf(buffer + cnt, "\n");
return cnt;
}
module_param_call(policy, pcie_aspm_set_policy, pcie_aspm_get_policy,
NULL, 0644);
Reported by FlawFinder.
drivers/regulator/of_regulator.c
3 issues
Line: 67
Column: 4
CWE codes:
134
Suggestion:
Use a constant for the format specification
};
for (j = 0; j < ARRAY_SIZE(lvl); j++) {
snprintf(prop, 255, props[i], lvl[j]);
found = !of_property_read_u32(np, prop, &pval);
if (found)
fill_limit(l[j], pval);
set[i] |= found;
}
Reported by FlawFinder.
Line: 18
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "internal.h"
static const char *const regulator_states[PM_SUSPEND_MAX + 1] = {
[PM_SUSPEND_STANDBY] = "regulator-state-standby",
[PM_SUSPEND_MEM] = "regulator-state-mem",
[PM_SUSPEND_MAX] = "regulator-state-disk",
};
Reported by FlawFinder.
Line: 56
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Protection limits: */
for (i = 0; i < ARRAY_SIZE(props); i++) {
char prop[255];
bool found;
int j;
static const char *const lvl[] = {
"protection", "error", "warn"
};
Reported by FlawFinder.
drivers/pci/probe.c
3 issues
Line: 981
Column: 4
CWE codes:
134
Suggestion:
Use a constant for the format specification
else
fmt = " (bus address [%#010llx-%#010llx])";
snprintf(addr, sizeof(addr), fmt,
(unsigned long long)(res->start - offset),
(unsigned long long)(res->end - offset));
} else
addr[0] = '\0';
Reported by FlawFinder.
Line: 1415
Column: 2
CWE codes:
134
Suggestion:
Make format string constant
pci_write_config_byte(dev, PCI_SUBORDINATE_BUS, max);
}
sprintf(child->name,
(is_cardbus ? "PCI CardBus %04x:%02x" : "PCI Bus %04x:%02x"),
pci_domain_nr(bus), child->number);
/* Check that all devices are accessible */
while (bus->parent) {
Reported by FlawFinder.
Line: 885
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
resource_size_t offset;
LIST_HEAD(resources);
struct resource *res;
char addr[64], *fmt;
const char *name;
int err;
bus = pci_alloc_bus(NULL);
if (!bus)
Reported by FlawFinder.
drivers/pci/switch/switchtec.c
3 issues
Line: 65
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 return_code;
size_t data_len;
size_t read_len;
unsigned char data[SWITCHTEC_MRPC_PAYLOAD_SIZE];
int event_cnt;
};
static struct switchtec_user *stuser_create(struct switchtec_dev *stdev)
{
Reported by FlawFinder.
Line: 220
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
if (stdev->dma_mrpc)
memcpy(stuser->data, &stdev->dma_mrpc->data,
stuser->read_len);
else
memcpy_fromio(stuser->data, &stdev->mmio_mrpc->output_data,
stuser->read_len);
out:
Reported by FlawFinder.
Line: 314
Column: 9
CWE codes:
126
buf[i + 1] = 0;
}
return strlen(buf);
}
#define DEVICE_ATTR_SYS_INFO_STR(field) \
static ssize_t field ## _show(struct device *dev, \
struct device_attribute *attr, char *buf) \
Reported by FlawFinder.
drivers/pci/vpd.c
3 issues
Line: 76
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static size_t pci_vpd_size(struct pci_dev *dev, size_t old_size)
{
size_t off = 0;
unsigned char header[1+2]; /* 1 byte tag, 2 bytes length */
while (off < old_size && pci_read_vpd(dev, off, 1, header) == 1) {
unsigned char tag;
if (!header[0] && !off) {
Reported by FlawFinder.
Line: 17
Column: 12
CWE codes:
120
20
/* VPD access through PCI 2.2+ VPD capability */
struct pci_vpd_ops {
ssize_t (*read)(struct pci_dev *dev, loff_t pos, size_t count, void *buf);
ssize_t (*write)(struct pci_dev *dev, loff_t pos, size_t count, const void *buf);
};
struct pci_vpd {
const struct pci_vpd_ops *ops;
Reported by FlawFinder.
Line: 47
Column: 24
CWE codes:
120
20
{
if (!dev->vpd || !dev->vpd->ops)
return -ENODEV;
return dev->vpd->ops->read(dev, pos, count, buf);
}
EXPORT_SYMBOL(pci_read_vpd);
/**
* pci_write_vpd - Write entry to Vital Product Data
Reported by FlawFinder.