The following issues were found
drivers/accessibility/speakup/synth.c
3 issues
Line: 225
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
int r;
va_start(args, fmt);
r = vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
if (r > sizeof(buf) - 1)
r = sizeof(buf) - 1;
p = buf;
Reported by FlawFinder.
Line: 23
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static LIST_HEAD(synths);
struct spk_synth *synth;
char spk_pitch_buff[32] = "";
static int module_status;
bool spk_quiet_boot;
struct speakup_info_t speakup_info = {
/*
Reported by FlawFinder.
Line: 221
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void synth_printf(const char *fmt, ...)
{
va_list args;
unsigned char buf[160], *p;
int r;
va_start(args, fmt);
r = vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
Reported by FlawFinder.
drivers/edac/pnd2_edac.c
3 issues
Line: 1147
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dram_addr *daddr)
{
enum hw_event_mc_err_type tp_event;
char *optype, msg[PND2_MSG_SIZE];
bool ripv = m->mcgstatus & MCG_STATUS_RIPV;
bool overflow = m->status & MCI_STATUS_OVER;
bool uc_err = m->status & MCI_STATUS_UC;
bool recov = m->status & MCI_STATUS_S;
u32 core_err_cnt = GET_BITFIELD(m->status, 38, 52);
Reported by FlawFinder.
Line: 1445
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static u64 pnd2_fake_addr;
#define PND2_BLOB_SIZE 1024
static char pnd2_result[PND2_BLOB_SIZE];
static struct dentry *pnd2_test;
static struct debugfs_blob_wrapper pnd2_blob = {
.data = pnd2_result,
.size = 0
};
Reported by FlawFinder.
Line: 1466
Column: 19
CWE codes:
126
snprintf(pnd2_blob.data, PND2_BLOB_SIZE,
"SysAddr=%llx Channel=%d DIMM=%d Rank=%d Bank=%d Row=%d Column=%d\n",
m.addr, daddr.chan, daddr.dimm, daddr.rank, daddr.bank, daddr.row, daddr.col);
pnd2_blob.size = strlen(pnd2_blob.data);
return 0;
}
DEFINE_DEBUGFS_ATTRIBUTE(fops_u64_wo, NULL, debugfs_u64_set, "%llu\n");
Reported by FlawFinder.
crypto/ctr.c
3 issues
Line: 179
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (keylen < CTR_RFC3686_NONCE_SIZE)
return -EINVAL;
memcpy(ctx->nonce, key + (keylen - CTR_RFC3686_NONCE_SIZE),
CTR_RFC3686_NONCE_SIZE);
keylen -= CTR_RFC3686_NONCE_SIZE;
crypto_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
Reported by FlawFinder.
Line: 202
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 *iv = rctx->iv;
/* set up counter block */
memcpy(iv, ctx->nonce, CTR_RFC3686_NONCE_SIZE);
memcpy(iv + CTR_RFC3686_NONCE_SIZE, req->iv, CTR_RFC3686_IV_SIZE);
/* initialize counter portion of counter block */
*(__be32 *)(iv + CTR_RFC3686_NONCE_SIZE + CTR_RFC3686_IV_SIZE) =
cpu_to_be32(1);
Reported by FlawFinder.
Line: 203
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* set up counter block */
memcpy(iv, ctx->nonce, CTR_RFC3686_NONCE_SIZE);
memcpy(iv + CTR_RFC3686_NONCE_SIZE, req->iv, CTR_RFC3686_IV_SIZE);
/* initialize counter portion of counter block */
*(__be32 *)(iv + CTR_RFC3686_NONCE_SIZE + CTR_RFC3686_IV_SIZE) =
cpu_to_be32(1);
Reported by FlawFinder.
drivers/acpi/acpica/nsconvert.c
3 issues
Line: 19
#include "amlresrc.h"
#define _COMPONENT ACPI_NAMESPACE
ACPI_MODULE_NAME("nsconvert")
/*******************************************************************************
*
* FUNCTION: acpi_ns_convert_to_integer
*
Reported by Cppcheck.
Line: 155
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Copy the raw buffer data with no transform. String is already NULL
* terminated at Length+1.
*/
memcpy(new_object->string.pointer,
original_object->buffer.pointer, length);
break;
default:
Reported by FlawFinder.
Line: 218
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return (AE_NO_MEMORY);
}
memcpy(new_object->buffer.pointer,
original_object->string.pointer,
original_object->string.length);
break;
case ACPI_TYPE_PACKAGE:
Reported by FlawFinder.
drivers/clk/tegra/clk-bpmp.c
3 issues
Line: 22
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tegra_bpmp_clk_info {
unsigned int id;
char name[MRQ_CLK_NAME_MAXLEN];
unsigned int parents[MRQ_CLK_MAX_PARENTS];
unsigned int num_parents;
unsigned long flags;
};
Reported by FlawFinder.
Line: 77
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* doing so would require changing the ABI header and increase the
* maintenance burden.
*/
memcpy(req + 4, clk->tx.data, clk->tx.size);
memset(&msg, 0, sizeof(msg));
msg.mrq = MRQ_CLK;
msg.tx.data = &request;
msg.tx.size = sizeof(request);
Reported by FlawFinder.
Line: 365
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *prefix = "";
struct seq_buf buf;
unsigned int i;
char flags[64];
seq_buf_init(&buf, flags, sizeof(flags));
if (info->flags)
seq_buf_printf(&buf, "(");
Reported by FlawFinder.
drivers/edac/fsl_ddr_edac.c
3 issues
Line: 65
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct mem_ctl_info *mci = to_mci(dev);
struct fsl_mc_pdata *pdata = mci->pvt_info;
return sprintf(data, "0x%08x",
ddr_in32(pdata->mc_vbase + FSL_MC_DATA_ERR_INJECT_HI));
}
static ssize_t fsl_mc_inject_data_lo_show(struct device *dev,
struct device_attribute *mattr,
Reported by FlawFinder.
Line: 75
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct mem_ctl_info *mci = to_mci(dev);
struct fsl_mc_pdata *pdata = mci->pvt_info;
return sprintf(data, "0x%08x",
ddr_in32(pdata->mc_vbase + FSL_MC_DATA_ERR_INJECT_LO));
}
static ssize_t fsl_mc_inject_ctrl_show(struct device *dev,
struct device_attribute *mattr,
Reported by FlawFinder.
Line: 85
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct mem_ctl_info *mci = to_mci(dev);
struct fsl_mc_pdata *pdata = mci->pvt_info;
return sprintf(data, "0x%08x",
ddr_in32(pdata->mc_vbase + FSL_MC_ECC_ERR_INJECT));
}
static ssize_t fsl_mc_inject_data_hi_store(struct device *dev,
struct device_attribute *mattr,
Reported by FlawFinder.
drivers/char/dtlk.c
3 issues
Line: 443
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
buffer[b++] = inb_p(dtlk_port_lpc); \
__delay(loops_per_jiffy/(1000000/HZ)); \
}
char buffer[1000];
int b = 0, i, j;
LOOK
outb_p(0xff, dtlk_port_lpc);
buffer[b++] = 0;
Reported by FlawFinder.
Line: 473
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
buffer[b++] = inb_p(dtlk_port_tts); \
__delay(loops_per_jiffy/(1000000/HZ)); /* 1 us */ \
}
char buffer[1000];
int b = 0, i, j;
mdelay(10); /* 10 ms */
LOOK
outb_p(0x03, dtlk_port_tts);
Reported by FlawFinder.
Line: 514
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct dtlk_settings *dtlk_interrogate(void)
{
unsigned char *t;
static char buf[sizeof(struct dtlk_settings) + 1];
int total, i;
static struct dtlk_settings status;
TRACE_TEXT("(dtlk_interrogate");
dtlk_write_bytes("\030\001?", 3);
for (total = 0, i = 0; i < 50; i++) {
Reported by FlawFinder.
drivers/ata/pata_mpc52xx.c
3 issues
Line: 452
Column: 6
CWE codes:
120
20
struct scatterlist *sg;
int count = 0;
if (read)
bcom_ata_rx_prepare(priv->dmatsk);
else
bcom_ata_tx_prepare(priv->dmatsk);
for_each_sg(qc->sg, sg, qc->n_elem, si) {
Reported by FlawFinder.
Line: 466
Column: 8
CWE codes:
120
20
bd = (struct bcom_ata_bd *)
bcom_prepare_next_buffer(priv->dmatsk);
if (read) {
bd->status = tc;
bd->src_pa = (__force u32) priv->ata_regs_pa +
offsetof(struct mpc52xx_ata, fifo_data);
bd->dst_pa = (__force u32) cur_addr;
} else {
Reported by FlawFinder.
Line: 517
Column: 6
CWE codes:
120
20
dev_alert(ap->dev, "%s: FIFO error detected: 0x%02x!\n",
__func__, in_8(&priv->ata_regs->fifo_status));
if (read) {
dma_mode = MPC52xx_ATA_DMAMODE_IE | MPC52xx_ATA_DMAMODE_READ |
MPC52xx_ATA_DMAMODE_FE;
/* Setup FIFO if direction changed */
if (priv->mpc52xx_ata_dma_last_write != 0) {
Reported by FlawFinder.
drivers/accessibility/speakup/speakup_soft.c
3 issues
Line: 163
Column: 14
CWE codes:
134
Suggestion:
Make format string constant
while (var->var_id != MAXVARS) {
if (var->var_id != CAPS_START && var->var_id != CAPS_STOP &&
var->var_id != PAUSE && var->var_id != DIRECT)
cp = cp + sprintf(cp, var->u.n.synth_fmt,
var->u.n.value);
var++;
}
cp = cp + sprintf(cp, "\n");
return buf;
Reported by FlawFinder.
Line: 153
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char *get_initstring(void)
{
static char buf[40];
char *cp;
struct var_t *var;
memset(buf, 0, sizeof(buf));
cp = buf;
Reported by FlawFinder.
Line: 167
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
var->u.n.value);
var++;
}
cp = cp + sprintf(cp, "\n");
return buf;
}
static int softsynth_open(struct inode *inode, struct file *fp)
{
Reported by FlawFinder.
drivers/acpi/acpica/dbhistry.c
3 issues
Line: 73
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
acpi_os_allocate(cmd_len + 1);
}
strcpy(acpi_gbl_history_buffer[acpi_gbl_next_history_index].command,
command_line);
acpi_gbl_history_buffer[acpi_gbl_next_history_index].cmd_num =
acpi_gbl_next_cmd_num;
Reported by FlawFinder.
Line: 50
Column: 17
CWE codes:
126
/* Put command into the next available slot */
cmd_len = (u16)strlen(command_line);
if (!cmd_len) {
return;
}
if (acpi_gbl_history_buffer[acpi_gbl_next_history_index].command !=
Reported by FlawFinder.
Line: 59
Column: 7
CWE codes:
126
NULL) {
buffer_len =
(u16)
strlen(acpi_gbl_history_buffer[acpi_gbl_next_history_index].
command);
if (cmd_len > buffer_len) {
acpi_os_free(acpi_gbl_history_buffer
[acpi_gbl_next_history_index].command);
Reported by FlawFinder.