The following issues were found
sound/usb/mixer.c
20 issues
Line: 711
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
for (names = iterm_names; names->type; names++) {
if (names->type == iterm->type) {
strcpy(name, names->name);
return strlen(names->name);
}
}
return 0;
Reported by FlawFinder.
Line: 1348
Column: 21
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (!cval->initialized) {
get_min_max_with_quirks(cval, 0, kcontrol);
if (cval->initialized && cval->dBmin >= cval->dBmax) {
kcontrol->vd[0].access &=
~(SNDRV_CTL_ELEM_ACCESS_TLV_READ |
SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK);
snd_ctl_notify(cval->head.mixer->chip->card,
SNDRV_CTL_EVENT_MASK_INFO,
&kcontrol->id);
Reported by FlawFinder.
Line: 1749
Column: 16
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
check_mapped_dB(map, cval);
if (cval->dBmin < cval->dBmax || !cval->initialized) {
kctl->tlv.c = snd_usb_mixer_vol_tlv;
kctl->vd[0].access |=
SNDRV_CTL_ELEM_ACCESS_TLV_READ |
SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK;
}
}
Reported by FlawFinder.
Line: 310
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int validx, int *value_ret)
{
struct snd_usb_audio *chip = cval->head.mixer->chip;
unsigned char buf[2];
int val_len = cval->val_type >= USB_MIXER_S16 ? 2 : 1;
int timeout = 10;
int idx = 0, err;
err = snd_usb_lock_shutdown(chip);
Reported by FlawFinder.
Line: 347
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct snd_usb_audio *chip = cval->head.mixer->chip;
/* enough space for one range */
unsigned char buf[sizeof(__u16) + 3 * sizeof(__u32)];
unsigned char *val;
int idx = 0, ret, val_size, size;
__u8 bRequest;
val_size = uac2_ctl_value_size(cval->val_type);
Reported by FlawFinder.
Line: 462
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int request, int validx, int value_set)
{
struct snd_usb_audio *chip = cval->head.mixer->chip;
unsigned char buf[4];
int idx = 0, val_len, err, timeout = 10;
validx += cval->idx_off;
Reported by FlawFinder.
Line: 678
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return 0;
switch (iterm->type >> 16) {
case UAC3_SELECTOR_UNIT:
strcpy(name, "Selector");
return 8;
case UAC3_PROCESSING_UNIT:
strcpy(name, "Process Unit");
return 12;
case UAC3_EXTENSION_UNIT:
Reported by FlawFinder.
Line: 681
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(name, "Selector");
return 8;
case UAC3_PROCESSING_UNIT:
strcpy(name, "Process Unit");
return 12;
case UAC3_EXTENSION_UNIT:
strcpy(name, "Ext Unit");
return 8;
case UAC3_MIXER_UNIT:
Reported by FlawFinder.
Line: 684
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(name, "Process Unit");
return 12;
case UAC3_EXTENSION_UNIT:
strcpy(name, "Ext Unit");
return 8;
case UAC3_MIXER_UNIT:
strcpy(name, "Mixer");
return 5;
default:
Reported by FlawFinder.
Line: 687
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(name, "Ext Unit");
return 8;
case UAC3_MIXER_UNIT:
strcpy(name, "Mixer");
return 5;
default:
return sprintf(name, "Unit %d", iterm->id);
}
}
Reported by FlawFinder.
drivers/net/wireless/marvell/libertas/mesh.c
20 issues
Line: 113
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (priv->mesh_dev) {
mesh_wdev = priv->mesh_dev->ieee80211_ptr;
ie->val.mesh_id_len = mesh_wdev->mesh_id_up_len;
memcpy(ie->val.mesh_id, mesh_wdev->ssid,
mesh_wdev->mesh_id_up_len);
}
ie->len = sizeof(struct mrvl_meshie_val) -
IEEE80211_MAX_SSID_LEN + ie->val.mesh_id_len;
Reported by FlawFinder.
Line: 350
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return -EOPNOTSUPP;
memcpy(defs, &cmd.data[0], sizeof(struct mrvl_mesh_defaults));
return 0;
}
/**
Reported by FlawFinder.
Line: 537
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
defs.meshie.val.mesh_id_len = IEEE80211_MAX_SSID_LEN;
}
memcpy(buf, defs.meshie.val.mesh_id, defs.meshie.val.mesh_id_len);
buf[defs.meshie.val.mesh_id_len] = '\n';
buf[defs.meshie.val.mesh_id_len + 1] = '\0';
return defs.meshie.val.mesh_id_len + 1;
}
Reported by FlawFinder.
Line: 573
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd.length = cpu_to_le16(sizeof(struct mrvl_meshie));
/* transfer IE elements */
memcpy(ie, &defs.meshie, sizeof(struct mrvl_meshie));
len = count - 1;
memcpy(ie->val.mesh_id, buf, len);
/* SSID len */
ie->val.mesh_id_len = len;
Reported by FlawFinder.
Line: 576
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ie, &defs.meshie, sizeof(struct mrvl_meshie));
len = count - 1;
memcpy(ie->val.mesh_id, buf, len);
/* SSID len */
ie->val.mesh_id_len = len;
/* IE len */
ie->len = sizeof(struct mrvl_meshie_val) - IEEE80211_MAX_SSID_LEN + len;
Reported by FlawFinder.
Line: 641
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* transfer IE elements */
ie = (struct mrvl_meshie *) &cmd.data[0];
memcpy(ie, &defs.meshie, sizeof(struct mrvl_meshie));
/* update protocol id */
ie->val.active_protocol_id = datum;
ret = lbs_mesh_config_send(priv, &cmd, CMD_ACT_MESH_CONFIG_SET,
CMD_TYPE_MESH_SET_MESH_IE);
Reported by FlawFinder.
Line: 703
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* transfer IE elements */
ie = (struct mrvl_meshie *) &cmd.data[0];
memcpy(ie, &defs.meshie, sizeof(struct mrvl_meshie));
/* update metric id */
ie->val.active_metric_id = datum;
ret = lbs_mesh_config_send(priv, &cmd, CMD_ACT_MESH_CONFIG_SET,
CMD_TYPE_MESH_SET_MESH_IE);
Reported by FlawFinder.
Line: 765
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* transfer IE elements */
ie = (struct mrvl_meshie *) &cmd.data[0];
memcpy(ie, &defs.meshie, sizeof(struct mrvl_meshie));
/* update value */
ie->val.mesh_capability = datum;
ret = lbs_mesh_config_send(priv, &cmd, CMD_ACT_MESH_CONFIG_SET,
CMD_TYPE_MESH_SET_MESH_IE);
Reported by FlawFinder.
Line: 989
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mesh_wdev->wiphy = priv->wdev->wiphy;
if (priv->mesh_tlv) {
sprintf(mesh_wdev->ssid, "mesh");
mesh_wdev->mesh_id_up_len = 4;
}
mesh_wdev->netdev = mesh_dev;
Reported by FlawFinder.
Line: 1083
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* Ethtool related
*/
static const char mesh_stat_strings[MESH_STATS_NUM][ETH_GSTRING_LEN] = {
"drop_duplicate_bcast",
"drop_ttl_zero",
"drop_no_fwd_route",
"drop_no_buffers",
"fwded_unicast_cnt",
Reported by FlawFinder.
include/linux/bcm963xx_tag.h
20 issues
Line: 48
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bcm_tag {
/* 0-3: Version of the image tag */
char tag_version[TAGVER_LEN];
/* 4-23: Company Line 1 */
char sig_1[SIG1_LEN];
/* 24-37: Company Line 2 */
char sig_2[SIG2_LEN];
/* 38-43: Chip this image is for */
Reported by FlawFinder.
Line: 50
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 0-3: Version of the image tag */
char tag_version[TAGVER_LEN];
/* 4-23: Company Line 1 */
char sig_1[SIG1_LEN];
/* 24-37: Company Line 2 */
char sig_2[SIG2_LEN];
/* 38-43: Chip this image is for */
char chip_id[CHIPID_LEN];
/* 44-59: Board name */
Reported by FlawFinder.
Line: 52
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 4-23: Company Line 1 */
char sig_1[SIG1_LEN];
/* 24-37: Company Line 2 */
char sig_2[SIG2_LEN];
/* 38-43: Chip this image is for */
char chip_id[CHIPID_LEN];
/* 44-59: Board name */
char board_id[BOARDID_LEN];
/* 60-61: Map endianness -- 1 BE 0 LE */
Reported by FlawFinder.
Line: 54
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 24-37: Company Line 2 */
char sig_2[SIG2_LEN];
/* 38-43: Chip this image is for */
char chip_id[CHIPID_LEN];
/* 44-59: Board name */
char board_id[BOARDID_LEN];
/* 60-61: Map endianness -- 1 BE 0 LE */
char big_endian[ENDIANFLAG_LEN];
/* 62-71: Total length of image */
Reported by FlawFinder.
Line: 56
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 38-43: Chip this image is for */
char chip_id[CHIPID_LEN];
/* 44-59: Board name */
char board_id[BOARDID_LEN];
/* 60-61: Map endianness -- 1 BE 0 LE */
char big_endian[ENDIANFLAG_LEN];
/* 62-71: Total length of image */
char total_length[IMAGE_LEN];
/* 72-83: Address in memory of CFE */
Reported by FlawFinder.
Line: 58
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 44-59: Board name */
char board_id[BOARDID_LEN];
/* 60-61: Map endianness -- 1 BE 0 LE */
char big_endian[ENDIANFLAG_LEN];
/* 62-71: Total length of image */
char total_length[IMAGE_LEN];
/* 72-83: Address in memory of CFE */
char cfe__address[ADDRESS_LEN];
/* 84-93: Size of CFE */
Reported by FlawFinder.
Line: 60
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 60-61: Map endianness -- 1 BE 0 LE */
char big_endian[ENDIANFLAG_LEN];
/* 62-71: Total length of image */
char total_length[IMAGE_LEN];
/* 72-83: Address in memory of CFE */
char cfe__address[ADDRESS_LEN];
/* 84-93: Size of CFE */
char cfe_length[IMAGE_LEN];
/* 94-105: Address in memory of image start
Reported by FlawFinder.
Line: 62
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 62-71: Total length of image */
char total_length[IMAGE_LEN];
/* 72-83: Address in memory of CFE */
char cfe__address[ADDRESS_LEN];
/* 84-93: Size of CFE */
char cfe_length[IMAGE_LEN];
/* 94-105: Address in memory of image start
* (kernel for OpenWRT, rootfs for stock firmware)
*/
Reported by FlawFinder.
Line: 64
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 72-83: Address in memory of CFE */
char cfe__address[ADDRESS_LEN];
/* 84-93: Size of CFE */
char cfe_length[IMAGE_LEN];
/* 94-105: Address in memory of image start
* (kernel for OpenWRT, rootfs for stock firmware)
*/
char flash_image_start[ADDRESS_LEN];
/* 106-115: Size of rootfs */
Reported by FlawFinder.
Line: 68
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 94-105: Address in memory of image start
* (kernel for OpenWRT, rootfs for stock firmware)
*/
char flash_image_start[ADDRESS_LEN];
/* 106-115: Size of rootfs */
char root_length[IMAGE_LEN];
/* 116-127: Address in memory of kernel */
char kernel_address[ADDRESS_LEN];
/* 128-137: Size of kernel */
Reported by FlawFinder.
fs/proc/base.c
19 issues
Line: 3738
* with the leader and walk nr threads forward.
*/
pos = task = task->group_leader;
do {
if (!nr--)
goto found;
} while_each_thread(task, pos);
fail:
pos = NULL;
Reported by Cppcheck.
Line: 602
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!lock_task_sighand(task, &flags))
return 0;
memcpy(rlim, task->signal->rlim, sizeof(struct rlimit) * RLIM_NLIMITS);
unlock_task_sighand(task, &flags);
/*
* print the file header
*/
Reported by FlawFinder.
Line: 1039
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
loff_t *ppos)
{
struct task_struct *task = get_proc_task(file_inode(file));
char buffer[PROC_NUMBUF];
int oom_adj = OOM_ADJUST_MIN;
size_t len;
if (!task)
return -ESRCH;
Reported by FlawFinder.
Line: 1153
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t oom_adj_write(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char buffer[PROC_NUMBUF];
int oom_adj;
int err;
memset(buffer, 0, sizeof(buffer));
if (count > sizeof(buffer) - 1)
Reported by FlawFinder.
Line: 1198
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct task_struct *task = get_proc_task(file_inode(file));
char buffer[PROC_NUMBUF];
short oom_score_adj = OOM_SCORE_ADJ_MIN;
size_t len;
if (!task)
return -ESRCH;
Reported by FlawFinder.
Line: 1213
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t oom_score_adj_write(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char buffer[PROC_NUMBUF];
int oom_score_adj;
int err;
memset(buffer, 0, sizeof(buffer));
if (count > sizeof(buffer) - 1)
Reported by FlawFinder.
Line: 1253
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct inode * inode = file_inode(file);
struct task_struct *task = get_proc_task(inode);
ssize_t length;
char tmpbuf[TMPBUFLEN];
if (!task)
return -ESRCH;
length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
from_kuid(file->f_cred->user_ns,
Reported by FlawFinder.
Line: 1319
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct inode * inode = file_inode(file);
struct task_struct *task = get_proc_task(inode);
ssize_t length;
char tmpbuf[TMPBUFLEN];
if (!task)
return -ESRCH;
length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
audit_get_sessionid(task));
Reported by FlawFinder.
Line: 1340
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct task_struct *task = get_proc_task(file_inode(file));
char buffer[PROC_NUMBUF];
size_t len;
int make_it_fail;
if (!task)
return -ESRCH;
Reported by FlawFinder.
Line: 1358
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char __user * buf, size_t count, loff_t *ppos)
{
struct task_struct *task;
char buffer[PROC_NUMBUF];
int make_it_fail;
int rv;
if (!capable(CAP_SYS_RESOURCE))
return -EPERM;
Reported by FlawFinder.
tools/perf/bench/numa.c
19 issues
Line: 47
Column: 61
CWE codes:
134
Suggestion:
Use a constant for the format specification
/*
* Regular printout to the terminal, suppressed if -q is specified:
*/
#define tprintf(x...) do { if (g && g->p.show_details >= 0) printf(x); } while (0)
/*
* Debug printf:
*/
#undef dprintf
Reported by FlawFinder.
Line: 53
Column: 61
CWE codes:
134
Suggestion:
Use a constant for the format specification
* Debug printf:
*/
#undef dprintf
#define dprintf(x...) do { if (g && g->p.show_details >= 1) printf(x); } while (0)
struct thread_data {
int curr_cpu;
cpu_set_t bind_cpumask;
int bind_node;
Reported by FlawFinder.
Line: 372
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
do { \
char name[20]; \
\
snprintf(name, 20, fmt); \
prctl(PR_SET_NAME, name); \
} while (0)
static u8 *alloc_data(ssize_t bytes0, int map_flags,
int init_zero, int init_cpu0, int thp, int init_random)
Reported by FlawFinder.
Line: 1855
Column: 8
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
int ret;
int i;
ret = system("echo ' #'; echo ' # Running test on: '$(uname -a); echo ' #'");
BUG_ON(ret < 0);
for (i = 0; i < nr; i++) {
run_bench_numa(tests[i][0], tests[i] + 1);
}
Reported by FlawFinder.
Line: 370
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define set_taskname(fmt...) \
do { \
char name[20]; \
\
snprintf(name, 20, fmt); \
prctl(PR_SET_NAME, name); \
} while (0)
Reported by FlawFinder.
Line: 547
Column: 30
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
dprintf("\ntoken: {%s}, end: {%s}\n", tok, tok_end);
if (!tok_end) {
/* Single CPU specified: */
bind_cpu_0 = bind_cpu_1 = atol(tok);
} else {
/* CPU range specified (for example: "5-11"): */
bind_cpu_0 = atol(tok);
bind_cpu_1 = atol(tok_end + 1);
}
Reported by FlawFinder.
Line: 550
Column: 17
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
bind_cpu_0 = bind_cpu_1 = atol(tok);
} else {
/* CPU range specified (for example: "5-11"): */
bind_cpu_0 = atol(tok);
bind_cpu_1 = atol(tok_end + 1);
}
step = 1;
tok_step = strstr(tok, "#");
Reported by FlawFinder.
Line: 551
Column: 17
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
} else {
/* CPU range specified (for example: "5-11"): */
bind_cpu_0 = atol(tok);
bind_cpu_1 = atol(tok_end + 1);
}
step = 1;
tok_step = strstr(tok, "#");
if (tok_step) {
Reported by FlawFinder.
Line: 557
Column: 11
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
step = 1;
tok_step = strstr(tok, "#");
if (tok_step) {
step = atol(tok_step + 1);
BUG_ON(step <= 0 || step >= g->p.nr_cpus);
}
/*
* Mask length.
Reported by FlawFinder.
Line: 569
Column: 15
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
bind_len = 1;
tok_len = strstr(tok, "_");
if (tok_len) {
bind_len = atol(tok_len + 1);
BUG_ON(bind_len <= 0 || bind_len > g->p.nr_cpus);
}
/* Multiplicator shortcut, "0x8" is a shortcut for: "0,0,0,0,0,0,0,0" */
mul = 1;
Reported by FlawFinder.
drivers/acpi/acpica/acdebug.h
19 issues
Line: 89
void acpi_db_display_handlers(void);
ACPI_HW_DEPENDENT_RETURN_VOID(void
acpi_db_generate_gpe(char *gpe_arg,
char *block_arg))
ACPI_HW_DEPENDENT_RETURN_VOID(void acpi_db_generate_sci(void))
void acpi_db_execute_test(char *type_arg);
Reported by Cppcheck.
Line: 89
void acpi_db_display_handlers(void);
ACPI_HW_DEPENDENT_RETURN_VOID(void
acpi_db_generate_gpe(char *gpe_arg,
char *block_arg))
ACPI_HW_DEPENDENT_RETURN_VOID(void acpi_db_generate_sci(void))
void acpi_db_execute_test(char *type_arg);
Reported by Cppcheck.
Line: 89
void acpi_db_display_handlers(void);
ACPI_HW_DEPENDENT_RETURN_VOID(void
acpi_db_generate_gpe(char *gpe_arg,
char *block_arg))
ACPI_HW_DEPENDENT_RETURN_VOID(void acpi_db_generate_sci(void))
void acpi_db_execute_test(char *type_arg);
Reported by Cppcheck.
Line: 89
void acpi_db_display_handlers(void);
ACPI_HW_DEPENDENT_RETURN_VOID(void
acpi_db_generate_gpe(char *gpe_arg,
char *block_arg))
ACPI_HW_DEPENDENT_RETURN_VOID(void acpi_db_generate_sci(void))
void acpi_db_execute_test(char *type_arg);
Reported by Cppcheck.
Line: 89
void acpi_db_display_handlers(void);
ACPI_HW_DEPENDENT_RETURN_VOID(void
acpi_db_generate_gpe(char *gpe_arg,
char *block_arg))
ACPI_HW_DEPENDENT_RETURN_VOID(void acpi_db_generate_sci(void))
void acpi_db_execute_test(char *type_arg);
Reported by Cppcheck.
Line: 89
void acpi_db_display_handlers(void);
ACPI_HW_DEPENDENT_RETURN_VOID(void
acpi_db_generate_gpe(char *gpe_arg,
char *block_arg))
ACPI_HW_DEPENDENT_RETURN_VOID(void acpi_db_generate_sci(void))
void acpi_db_execute_test(char *type_arg);
Reported by Cppcheck.
Line: 89
void acpi_db_display_handlers(void);
ACPI_HW_DEPENDENT_RETURN_VOID(void
acpi_db_generate_gpe(char *gpe_arg,
char *block_arg))
ACPI_HW_DEPENDENT_RETURN_VOID(void acpi_db_generate_sci(void))
void acpi_db_execute_test(char *type_arg);
Reported by Cppcheck.
Line: 89
void acpi_db_display_handlers(void);
ACPI_HW_DEPENDENT_RETURN_VOID(void
acpi_db_generate_gpe(char *gpe_arg,
char *block_arg))
ACPI_HW_DEPENDENT_RETURN_VOID(void acpi_db_generate_sci(void))
void acpi_db_execute_test(char *type_arg);
Reported by Cppcheck.
Line: 89
void acpi_db_display_handlers(void);
ACPI_HW_DEPENDENT_RETURN_VOID(void
acpi_db_generate_gpe(char *gpe_arg,
char *block_arg))
ACPI_HW_DEPENDENT_RETURN_VOID(void acpi_db_generate_sci(void))
void acpi_db_execute_test(char *type_arg);
Reported by Cppcheck.
Line: 89
void acpi_db_display_handlers(void);
ACPI_HW_DEPENDENT_RETURN_VOID(void
acpi_db_generate_gpe(char *gpe_arg,
char *block_arg))
ACPI_HW_DEPENDENT_RETURN_VOID(void acpi_db_generate_sci(void))
void acpi_db_execute_test(char *type_arg);
Reported by Cppcheck.
drivers/md/md-cluster.c
19 issues
Line: 111
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* TODO: Unionize this for smaller footprint */
__le64 low;
__le64 high;
char uuid[16];
__le32 raid_slot;
};
static void sync_ast(void *arg)
{
Reported by FlawFinder.
Line: 276
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int ret = 0;
dlm_lock_sync(lockres, DLM_LOCK_CR);
memcpy(&ri, lockres->lksb.sb_lvbptr, sizeof(struct resync_info));
if (le64_to_cpu(ri.hi) > 0) {
cinfo->suspend_hi = le64_to_cpu(ri.hi);
cinfo->suspend_lo = le64_to_cpu(ri.lo);
ret = 1;
}
Reported by FlawFinder.
Line: 291
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mddev *mddev = thread->mddev;
struct md_cluster_info *cinfo = mddev->cluster_info;
struct dlm_lock_resource *bm_lockres;
char str[64];
int slot, ret;
sector_t lo, hi;
while (cinfo->recovery_map) {
slot = fls64((u64)cinfo->recovery_map) - 1;
Reported by FlawFinder.
Line: 506
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void process_add_new_disk(struct mddev *mddev, struct cluster_msg *cmsg)
{
char disk_uuid[64];
struct md_cluster_info *cinfo = mddev->cluster_info;
char event_name[] = "EVENT=ADD_DEVICE";
char raid_slot[16];
char *envp[] = {event_name, disk_uuid, raid_slot, NULL};
int len;
Reported by FlawFinder.
Line: 509
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char disk_uuid[64];
struct md_cluster_info *cinfo = mddev->cluster_info;
char event_name[] = "EVENT=ADD_DEVICE";
char raid_slot[16];
char *envp[] = {event_name, disk_uuid, raid_slot, NULL};
int len;
len = snprintf(disk_uuid, 64, "DEVICE_UUID=");
sprintf(disk_uuid + len, "%pU", cmsg->uuid);
Reported by FlawFinder.
Line: 514
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int len;
len = snprintf(disk_uuid, 64, "DEVICE_UUID=");
sprintf(disk_uuid + len, "%pU", cmsg->uuid);
snprintf(raid_slot, 16, "RAID_DISK=%d", le32_to_cpu(cmsg->raid_slot));
pr_info("%s:%d Sending kobject change with %s and %s\n", __func__, __LINE__, disk_uuid, raid_slot);
init_completion(&cinfo->newdisk_completion);
set_bit(MD_CLUSTER_WAITING_FOR_NEWDISK, &cinfo->state);
kobject_uevent_env(&disk_to_dev(mddev->gendisk)->kobj, KOBJ_CHANGE, envp);
Reported by FlawFinder.
Line: 637
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* read lvb and wake up thread to process this message_lockres */
memcpy(&msg, message_lockres->lksb.sb_lvbptr, sizeof(struct cluster_msg));
ret = process_recvd_msg(thread->mddev, &msg);
if (ret)
goto out;
/*release CR on ack_lockres*/
Reported by FlawFinder.
Line: 746
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto failed_message;
}
memcpy(cinfo->message_lockres->lksb.sb_lvbptr, (void *)cmsg,
sizeof(struct cluster_msg));
/*down-convert EX to CW on Message*/
error = dlm_lock_sync(cinfo->message_lockres, DLM_LOCK_CW);
if (error) {
pr_err("md-cluster: failed to convert EX to CW on MESSAGE(%d)\n",
Reported by FlawFinder.
Line: 802
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct md_cluster_info *cinfo = mddev->cluster_info;
int i, ret = 0;
struct dlm_lock_resource *bm_lockres;
char str[64];
sector_t lo, hi;
for (i = 0; i < total_slots; i++) {
memset(str, '\0', 64);
Reported by FlawFinder.
Line: 860
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct md_cluster_info *cinfo;
int ret, ops_rv;
char str[64];
cinfo = kzalloc(sizeof(struct md_cluster_info), GFP_KERNEL);
if (!cinfo)
return -ENOMEM;
Reported by FlawFinder.
drivers/md/dm-ioctl.c
19 issues
Line: 618
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
disk = dm_disk(hc->md);
nl->dev = huge_encode_dev(disk_devt(disk));
nl->next = 0;
strcpy(nl->name, hc->name);
old_nl = nl;
event_nr = align_ptr(nl->name + strlen(hc->name) + 1);
event_nr[0] = dm_get_event_nr(hc->md);
event_nr[1] = 0;
Reported by FlawFinder.
Line: 628
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (param->flags & DM_UUID_FLAG) {
if (hc->uuid) {
event_nr[1] |= DM_NAME_LIST_FLAG_HAS_UUID;
strcpy(uuid_ptr, hc->uuid);
uuid_ptr = align_ptr(uuid_ptr + strlen(hc->uuid) + 1);
} else {
event_nr[1] |= DM_NAME_LIST_FLAG_DOESNT_HAVE_UUID;
}
}
Reported by FlawFinder.
Line: 675
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
info->vers->version[1] = tt->version[1];
info->vers->version[2] = tt->version[2];
info->vers->next = 0;
strcpy(info->vers->name, tt->name);
info->old_vers = info->vers;
info->vers = align_ptr(((void *) ++info->vers) + strlen(tt->name) + 1);
}
Reported by FlawFinder.
Line: 2111
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
if (name)
strcpy(name, hc->name);
if (uuid)
strcpy(uuid, hc->uuid ? : "");
out:
mutex_unlock(&dm_hash_cells_mutex);
Reported by FlawFinder.
Line: 2113
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (name)
strcpy(name, hc->name);
if (uuid)
strcpy(uuid, hc->uuid ? : "");
out:
mutex_unlock(&dm_hash_cells_mutex);
return r;
Reported by FlawFinder.
Line: 1869
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*param_flags |= DM_PARAMS_MALLOC;
/* Copy from param_kernel (which was already copied from user) */
memcpy(dmi, param_kernel, minimum_data_size);
if (copy_from_user(&dmi->data, (char __user *)user + minimum_data_size,
param_kernel->data_size - minimum_data_size))
goto bad;
data_copied:
Reported by FlawFinder.
Line: 549
Column: 12
CWE codes:
126
size_t val_len, pfx_len;
val = hc->name;
val_len = strlen(val);
pfx_len = strnlen(pfx_name, DM_NAME_LEN);
if (pfx_len > val_len)
return false;
if (memcmp(val, pfx_name, pfx_len))
return false;
Reported by FlawFinder.
Line: 557
Column: 12
CWE codes:
126
return false;
val = hc->uuid ? hc->uuid : "";
val_len = strlen(val);
pfx_len = strnlen(pfx_uuid, DM_UUID_LEN);
if (pfx_len > val_len)
return false;
if (memcmp(val, pfx_uuid, pfx_len))
return false;
Reported by FlawFinder.
Line: 586
Column: 61
CWE codes:
126
hc = container_of(n, struct hash_cell, name_node);
if (!filter_device(hc, param->name, param->uuid))
continue;
needed += align_val(offsetof(struct dm_name_list, name) + strlen(hc->name) + 1);
needed += align_val(sizeof(uint32_t) * 2);
if (param->flags & DM_UUID_FLAG && hc->uuid)
needed += align_val(strlen(hc->uuid) + 1);
}
Reported by FlawFinder.
Line: 589
Column: 24
CWE codes:
126
needed += align_val(offsetof(struct dm_name_list, name) + strlen(hc->name) + 1);
needed += align_val(sizeof(uint32_t) * 2);
if (param->flags & DM_UUID_FLAG && hc->uuid)
needed += align_val(strlen(hc->uuid) + 1);
}
/*
* Grab our output buffer.
*/
Reported by FlawFinder.
drivers/mtd/ubi/build.c
19 issues
Line: 442
Column: 2
CWE codes:
134
Suggestion:
Make format string constant
int i, err;
dev_t dev;
sprintf(ubi->ubi_name, UBI_NAME_STR "%d", ubi->ubi_num);
/*
* Major numbers for the UBI character devices are allocated
* dynamically. Major numbers of volume character devices are
* equivalent to ones of the corresponding UBI character device. Minor
Reported by FlawFinder.
Line: 1401
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return 0;
}
strcpy(buf, val);
/* Get rid of the final newline */
if (buf[len - 1] == '\n')
buf[len - 1] = '\0';
Reported by FlawFinder.
Line: 1416
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
p = &mtd_dev_param[mtd_devs];
strcpy(&p->name[0], tokens[0]);
token = tokens[1];
if (token) {
p->vid_hdr_offs = bytes_str_to_int(token);
Reported by FlawFinder.
Line: 58
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @max_beb_per1024: maximum expected number of bad PEBs per 1024 PEBs
*/
struct mtd_dev_param {
char name[MTD_PARAM_LEN_MAX];
int ubi_num;
int vid_hdr_offs;
int max_beb_per1024;
};
Reported by FlawFinder.
Line: 99
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t version_show(struct class *class, struct class_attribute *attr,
char *buf)
{
return sprintf(buf, "%d\n", UBI_VERSION);
}
static CLASS_ATTR_RO(version);
static struct attribute *ubi_class_attrs[] = {
&class_attr_version.attr,
Reported by FlawFinder.
Line: 359
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -ENODEV;
if (attr == &dev_eraseblock_size)
ret = sprintf(buf, "%d\n", ubi->leb_size);
else if (attr == &dev_avail_eraseblocks)
ret = sprintf(buf, "%d\n", ubi->avail_pebs);
else if (attr == &dev_total_eraseblocks)
ret = sprintf(buf, "%d\n", ubi->good_peb_count);
else if (attr == &dev_volumes_count)
Reported by FlawFinder.
Line: 361
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (attr == &dev_eraseblock_size)
ret = sprintf(buf, "%d\n", ubi->leb_size);
else if (attr == &dev_avail_eraseblocks)
ret = sprintf(buf, "%d\n", ubi->avail_pebs);
else if (attr == &dev_total_eraseblocks)
ret = sprintf(buf, "%d\n", ubi->good_peb_count);
else if (attr == &dev_volumes_count)
ret = sprintf(buf, "%d\n", ubi->vol_count - UBI_INT_VOL_COUNT);
else if (attr == &dev_max_ec)
Reported by FlawFinder.
Line: 363
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (attr == &dev_avail_eraseblocks)
ret = sprintf(buf, "%d\n", ubi->avail_pebs);
else if (attr == &dev_total_eraseblocks)
ret = sprintf(buf, "%d\n", ubi->good_peb_count);
else if (attr == &dev_volumes_count)
ret = sprintf(buf, "%d\n", ubi->vol_count - UBI_INT_VOL_COUNT);
else if (attr == &dev_max_ec)
ret = sprintf(buf, "%d\n", ubi->max_ec);
else if (attr == &dev_reserved_for_bad)
Reported by FlawFinder.
Line: 365
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (attr == &dev_total_eraseblocks)
ret = sprintf(buf, "%d\n", ubi->good_peb_count);
else if (attr == &dev_volumes_count)
ret = sprintf(buf, "%d\n", ubi->vol_count - UBI_INT_VOL_COUNT);
else if (attr == &dev_max_ec)
ret = sprintf(buf, "%d\n", ubi->max_ec);
else if (attr == &dev_reserved_for_bad)
ret = sprintf(buf, "%d\n", ubi->beb_rsvd_pebs);
else if (attr == &dev_bad_peb_count)
Reported by FlawFinder.
Line: 367
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (attr == &dev_volumes_count)
ret = sprintf(buf, "%d\n", ubi->vol_count - UBI_INT_VOL_COUNT);
else if (attr == &dev_max_ec)
ret = sprintf(buf, "%d\n", ubi->max_ec);
else if (attr == &dev_reserved_for_bad)
ret = sprintf(buf, "%d\n", ubi->beb_rsvd_pebs);
else if (attr == &dev_bad_peb_count)
ret = sprintf(buf, "%d\n", ubi->bad_peb_count);
else if (attr == &dev_max_vol_count)
Reported by FlawFinder.
arch/mips/include/asm/ip32/mace.h
19 issues
Line: 74
Column: 21
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int _pad[0xcf8/4 - 4];
volatile unsigned int config_addr;
union {
volatile unsigned char b[4];
volatile unsigned short w[2];
volatile unsigned int l;
} config_data;
};
#define MACEPCI_LOW_MEMORY 0x1a000000
Reported by FlawFinder.
Line: 290
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mace_perif {
struct mace_audio audio;
char _pad0[0x10000 - sizeof(struct mace_audio)];
struct mace_isactrl ctrl;
char _pad1[0x10000 - sizeof(struct mace_isactrl)];
struct mace_ps2 ps2;
Reported by FlawFinder.
Line: 293
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char _pad0[0x10000 - sizeof(struct mace_audio)];
struct mace_isactrl ctrl;
char _pad1[0x10000 - sizeof(struct mace_isactrl)];
struct mace_ps2 ps2;
char _pad2[0x10000 - sizeof(struct mace_ps2)];
struct mace_i2c i2c;
Reported by FlawFinder.
Line: 296
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char _pad1[0x10000 - sizeof(struct mace_isactrl)];
struct mace_ps2 ps2;
char _pad2[0x10000 - sizeof(struct mace_ps2)];
struct mace_i2c i2c;
char _pad3[0x10000 - sizeof(struct mace_i2c)];
struct mace_timers timers;
Reported by FlawFinder.
Line: 299
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char _pad2[0x10000 - sizeof(struct mace_ps2)];
struct mace_i2c i2c;
char _pad3[0x10000 - sizeof(struct mace_i2c)];
struct mace_timers timers;
char _pad4[0x10000 - sizeof(struct mace_timers)];
};
Reported by FlawFinder.
Line: 302
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char _pad3[0x10000 - sizeof(struct mace_i2c)];
struct mace_timers timers;
char _pad4[0x10000 - sizeof(struct mace_timers)];
};
/*
* ISA peripherals
Reported by FlawFinder.
Line: 324
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mace_isa {
struct mace_parallel parallel;
char _pad1[0x8000 - sizeof(struct mace_parallel)];
struct mace_ecp1284 ecp1284;
char _pad2[0x8000 - sizeof(struct mace_ecp1284)];
struct mace_serial serial1;
Reported by FlawFinder.
Line: 327
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char _pad1[0x8000 - sizeof(struct mace_parallel)];
struct mace_ecp1284 ecp1284;
char _pad2[0x8000 - sizeof(struct mace_ecp1284)];
struct mace_serial serial1;
char _pad3[0x8000 - sizeof(struct mace_serial)];
struct mace_serial serial2;
Reported by FlawFinder.
Line: 330
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char _pad2[0x8000 - sizeof(struct mace_ecp1284)];
struct mace_serial serial1;
char _pad3[0x8000 - sizeof(struct mace_serial)];
struct mace_serial serial2;
char _pad4[0x8000 - sizeof(struct mace_serial)];
volatile unsigned char rtc[0x10000];
Reported by FlawFinder.
Line: 333
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char _pad3[0x8000 - sizeof(struct mace_serial)];
struct mace_serial serial2;
char _pad4[0x8000 - sizeof(struct mace_serial)];
volatile unsigned char rtc[0x10000];
};
struct sgi_mace {
Reported by FlawFinder.