The following issues were found
drivers/tty/hvc/hvc_iucv.c
19 issues
Line: 1007
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
spin_unlock_bh(&priv->lock);
EBCASC(ipuser, 8);
return sprintf(buf, "%s:%s\n", vmid, ipuser);
}
/* HVC operations */
static const struct hv_ops hvc_iucv_ops = {
Reported by FlawFinder.
Line: 271
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (rb->mbuf->type) {
case MSG_TYPE_DATA:
written = min_t(int, rb->mbuf->datalen - rb->offset, count);
memcpy(buf, rb->mbuf->data + rb->offset, written);
if (written < (rb->mbuf->datalen - rb->offset)) {
rb->offset += written;
*has_more_data = 1;
goto out_written;
}
Reported by FlawFinder.
Line: 371
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!len)
return 0;
memcpy(priv->sndbuf + priv->sndbuf_len, buf, len);
priv->sndbuf_len += len;
if (priv->iucv_state == IUCV_CONNECTED)
schedule_delayed_work(&priv->sndbuf_work, QUEUE_SNDBUF_DELAY);
Reported by FlawFinder.
Line: 409
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!sb)
return -ENOMEM;
memcpy(sb->mbuf->data, priv->sndbuf, priv->sndbuf_len);
sb->mbuf->datalen = (u16) priv->sndbuf_len;
sb->msg.length = MSG_SIZE(sb->mbuf->datalen);
list_add_tail(&sb->list, &priv->tty_outqueue);
Reported by FlawFinder.
Line: 828
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rc) {
iucv_path_sever(path, ipuser);
iucv_path_free(path);
memcpy(vm_user_id, ipvmid, 8);
vm_user_id[8] = 0;
pr_info("A connection request from z/VM user ID %s "
"was refused\n", vm_user_id);
return 0;
}
Reported by FlawFinder.
Line: 847
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* accept path */
memcpy(nuser_data, ipuser + 8, 8); /* remote service (for af_iucv) */
memcpy(nuser_data + 8, ipuser, 8); /* local service (for af_iucv) */
path->msglim = 0xffff; /* IUCV MSGLIMIT */
path->flags &= ~IUCV_IPRMDATA; /* TODO: use IUCV_IPRMDATA */
rc = iucv_path_accept(path, &hvc_iucv_handler, nuser_data, priv);
if (rc) {
Reported by FlawFinder.
Line: 848
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* accept path */
memcpy(nuser_data, ipuser + 8, 8); /* remote service (for af_iucv) */
memcpy(nuser_data + 8, ipuser, 8); /* local service (for af_iucv) */
path->msglim = 0xffff; /* IUCV MSGLIMIT */
path->flags &= ~IUCV_IPRMDATA; /* TODO: use IUCV_IPRMDATA */
rc = iucv_path_accept(path, &hvc_iucv_handler, nuser_data, priv);
if (rc) {
iucv_path_sever(path, ipuser);
Reported by FlawFinder.
Line: 861
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->iucv_state = IUCV_CONNECTED;
/* store path information */
memcpy(priv->info_path, ipvmid, 8);
memcpy(priv->info_path + 8, ipuser + 8, 8);
/* flush buffered output data... */
schedule_delayed_work(&priv->sndbuf_work, 5);
Reported by FlawFinder.
Line: 862
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* store path information */
memcpy(priv->info_path, ipvmid, 8);
memcpy(priv->info_path + 8, ipuser + 8, 8);
/* flush buffered output data... */
schedule_delayed_work(&priv->sndbuf_work, 5);
out_path_handled:
Reported by FlawFinder.
Line: 975
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t len;
len = sizeof(priv->srv_name);
memcpy(buf, priv->srv_name, len);
EBCASC(buf, len);
buf[len++] = '\n';
return len;
}
Reported by FlawFinder.
drivers/scsi/pm8001/pm8001_hwi.c
19 issues
Line: 1340
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (nb > (pm8001_ha->iomb_size - sizeof(struct mpi_msg_hdr)))
nb = pm8001_ha->iomb_size - sizeof(struct mpi_msg_hdr);
memcpy(pMessage, payload, nb);
if (nb + sizeof(struct mpi_msg_hdr) < pm8001_ha->iomb_size)
memset(pMessage + nb, 0, pm8001_ha->iomb_size -
(nb + sizeof(struct mpi_msg_hdr)));
/*Build the header*/
Reported by FlawFinder.
Line: 1862
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sata_cmd.tag = cpu_to_le32(ccb_tag);
sata_cmd.device_id = cpu_to_le32(pm8001_ha_dev->device_id);
sata_cmd.ncqtag_atap_dir_m |= ((0x1 << 7) | (0x5 << 9));
memcpy(&sata_cmd.sata_fis, &fis, sizeof(struct host_to_dev_fis));
res = pm8001_mpi_build_cmd(pm8001_ha, circularQ, opc, &sata_cmd,
sizeof(sata_cmd), 0);
if (res) {
sas_free_task(task);
Reported by FlawFinder.
Line: 2357
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sata_addr_low[i] = pm8001_ha->sas_addr[j];
for (i = 0, j = 0; j <= 3 && i <= 3; i++, j++)
sata_addr_hi[i] = pm8001_ha->sas_addr[j];
memcpy(&temp_sata_addr_low, sata_addr_low,
sizeof(sata_addr_low));
memcpy(&temp_sata_addr_hi, sata_addr_hi,
sizeof(sata_addr_hi));
temp_sata_addr_hi = (((temp_sata_addr_hi >> 24) & 0xff)
|((temp_sata_addr_hi << 8) &
Reported by FlawFinder.
Line: 2359
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sata_addr_hi[i] = pm8001_ha->sas_addr[j];
memcpy(&temp_sata_addr_low, sata_addr_low,
sizeof(sata_addr_low));
memcpy(&temp_sata_addr_hi, sata_addr_hi,
sizeof(sata_addr_hi));
temp_sata_addr_hi = (((temp_sata_addr_hi >> 24) & 0xff)
|((temp_sata_addr_hi << 8) &
0xff0000) |
((temp_sata_addr_hi >> 8)
Reported by FlawFinder.
Line: 2433
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (SAS_STATUS_BUF_SIZE >= sizeof(*resp)) {
resp->frame_len = len;
memcpy(&resp->ending_fis[0], sata_resp, len);
ts->buf_valid_size = sizeof(*resp);
} else
pm8001_dbg(pm8001_ha, IO,
"response too large\n");
}
Reported by FlawFinder.
Line: 3137
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pm8001_dbg(pm8001_ha, MSG, "Get NVMD success, IR=1\n");
if ((ir_tds_bn_dps_das_nvm & NVMD_TYPE) == TWI_DEVICE) {
if (ir_tds_bn_dps_das_nvm == 0x80a80200) {
memcpy(pm8001_ha->sas_addr,
((u8 *)virt_addr + 4),
SAS_ADDR_SIZE);
pm8001_dbg(pm8001_ha, MSG, "Get SAS address from VPD successfully!\n");
}
} else if (((ir_tds_bn_dps_das_nvm & NVMD_TYPE) == C_SEEPROM)
Reported by FlawFinder.
Line: 3163
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Though fw_control_context is freed below, usrAddr still needs
* to be updated as this holds the response to the request function
*/
memcpy(fw_control_context->usrAddr,
pm8001_ha->memoryMap.region[NVMD].virt_ptr,
fw_control_context->len);
kfree(ccb->fw_control_context);
/* To avoid race condition, complete should be
* called after the message is copied to
Reported by FlawFinder.
Line: 3302
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
struct sas_identify_frame *idframe =
(void *) phy->sas_phy.frame_rcvd;
memcpy(sas_addr, idframe->sas_addr, SAS_ADDR_SIZE);
}
}
/**
* pm8001_hw_event_ack_req- For PM8001,some events need to acknowage to FW.
Reported by FlawFinder.
Line: 3403
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
phy->sas_phy.oob_mode = SAS_OOB_MODE;
sas_notify_phy_event(&phy->sas_phy, PHYE_OOB_DONE, GFP_ATOMIC);
spin_lock_irqsave(&phy->sas_phy.frame_rcvd_lock, flags);
memcpy(phy->frame_rcvd, &pPayload->sas_identify,
sizeof(struct sas_identify_frame)-4);
phy->frame_rcvd_size = sizeof(struct sas_identify_frame) - 4;
pm8001_get_attached_sas_addr(phy, phy->sas_phy.attached_sas_addr);
spin_unlock_irqrestore(&phy->sas_phy.frame_rcvd_lock, flags);
if (pm8001_ha->flags == PM8001F_RUN_TIME)
Reported by FlawFinder.
Line: 3446
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
phy->sas_phy.oob_mode = SATA_OOB_MODE;
sas_notify_phy_event(&phy->sas_phy, PHYE_OOB_DONE, GFP_ATOMIC);
spin_lock_irqsave(&phy->sas_phy.frame_rcvd_lock, flags);
memcpy(phy->frame_rcvd, ((u8 *)&pPayload->sata_fis - 4),
sizeof(struct dev_to_host_fis));
phy->frame_rcvd_size = sizeof(struct dev_to_host_fis);
phy->identify.target_port_protocols = SAS_PROTOCOL_SATA;
phy->identify.device_type = SAS_SATA_DEV;
pm8001_get_attached_sas_addr(phy, phy->sas_phy.attached_sas_addr);
Reported by FlawFinder.
drivers/firmware/efi/efivars.c
19 issues
Line: 97
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -EIO;
if (var->Attributes & EFI_VARIABLE_NON_VOLATILE)
str += sprintf(str, "EFI_VARIABLE_NON_VOLATILE\n");
if (var->Attributes & EFI_VARIABLE_BOOTSERVICE_ACCESS)
str += sprintf(str, "EFI_VARIABLE_BOOTSERVICE_ACCESS\n");
if (var->Attributes & EFI_VARIABLE_RUNTIME_ACCESS)
str += sprintf(str, "EFI_VARIABLE_RUNTIME_ACCESS\n");
if (var->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD)
Reported by FlawFinder.
Line: 99
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (var->Attributes & EFI_VARIABLE_NON_VOLATILE)
str += sprintf(str, "EFI_VARIABLE_NON_VOLATILE\n");
if (var->Attributes & EFI_VARIABLE_BOOTSERVICE_ACCESS)
str += sprintf(str, "EFI_VARIABLE_BOOTSERVICE_ACCESS\n");
if (var->Attributes & EFI_VARIABLE_RUNTIME_ACCESS)
str += sprintf(str, "EFI_VARIABLE_RUNTIME_ACCESS\n");
if (var->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD)
str += sprintf(str, "EFI_VARIABLE_HARDWARE_ERROR_RECORD\n");
if (var->Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS)
Reported by FlawFinder.
Line: 101
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (var->Attributes & EFI_VARIABLE_BOOTSERVICE_ACCESS)
str += sprintf(str, "EFI_VARIABLE_BOOTSERVICE_ACCESS\n");
if (var->Attributes & EFI_VARIABLE_RUNTIME_ACCESS)
str += sprintf(str, "EFI_VARIABLE_RUNTIME_ACCESS\n");
if (var->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD)
str += sprintf(str, "EFI_VARIABLE_HARDWARE_ERROR_RECORD\n");
if (var->Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS)
str += sprintf(str,
"EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS\n");
Reported by FlawFinder.
Line: 103
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (var->Attributes & EFI_VARIABLE_RUNTIME_ACCESS)
str += sprintf(str, "EFI_VARIABLE_RUNTIME_ACCESS\n");
if (var->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD)
str += sprintf(str, "EFI_VARIABLE_HARDWARE_ERROR_RECORD\n");
if (var->Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS)
str += sprintf(str,
"EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS\n");
if (var->Attributes &
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
Reported by FlawFinder.
Line: 105
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (var->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD)
str += sprintf(str, "EFI_VARIABLE_HARDWARE_ERROR_RECORD\n");
if (var->Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS)
str += sprintf(str,
"EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS\n");
if (var->Attributes &
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
str += sprintf(str,
"EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS\n");
Reported by FlawFinder.
Line: 109
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
"EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS\n");
if (var->Attributes &
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
str += sprintf(str,
"EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS\n");
if (var->Attributes & EFI_VARIABLE_APPEND_WRITE)
str += sprintf(str, "EFI_VARIABLE_APPEND_WRITE\n");
return str - buf;
}
Reported by FlawFinder.
Line: 112
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
str += sprintf(str,
"EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS\n");
if (var->Attributes & EFI_VARIABLE_APPEND_WRITE)
str += sprintf(str, "EFI_VARIABLE_APPEND_WRITE\n");
return str - buf;
}
static ssize_t
efivar_size_read(struct efivar_entry *entry, char *buf)
Reported by FlawFinder.
Line: 132
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret)
return -EIO;
str += sprintf(str, "0x%lx\n", var->DataSize);
return str - buf;
}
static ssize_t
efivar_data_read(struct efivar_entry *entry, char *buf)
Reported by FlawFinder.
Line: 151
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return -EIO;
memcpy(buf, var->Data, var->DataSize);
return var->DataSize;
}
static inline int
sanity_check(struct efi_variable *var, efi_char16_t *name, efi_guid_t vendor,
Reported by FlawFinder.
Line: 186
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void
copy_out_compat(struct efi_variable *dst, struct compat_efi_variable *src)
{
memcpy(dst->VariableName, src->VariableName, EFI_VAR_NAME_LEN);
memcpy(dst->Data, src->Data, sizeof(src->Data));
dst->VendorGuid = src->VendorGuid;
dst->DataSize = src->DataSize;
dst->Attributes = src->Attributes;
Reported by FlawFinder.
scripts/kconfig/nconf.c
19 issues
Line: 546
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
k_menu_items[items_num].is_visible = 1;
va_start(ap, fmt);
vsnprintf(k_menu_items[items_num].str,
sizeof(k_menu_items[items_num].str),
fmt, ap);
va_end(ap);
if (!k_menu_items[items_num].is_visible)
Reported by FlawFinder.
Line: 580
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
return;
va_start(ap, fmt);
vsnprintf(new_str, sizeof(new_str), fmt, ap);
va_end(ap);
snprintf(tmp_str, sizeof(tmp_str), "%s%s",
k_menu_items[index].str, new_str);
strncpy(k_menu_items[index].str,
tmp_str,
Reported by FlawFinder.
Line: 1481
Column: 9
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
conf_parse(av[1]);
conf_read(NULL);
mode = getenv("NCONFIG_MODE");
if (mode) {
if (!strcasecmp(mode, "single_menu"))
single_menu_mode = 1;
}
Reported by FlawFinder.
Line: 250
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"\n";
struct mitem {
char str[256];
char tag;
void *usrptr;
int is_visible;
};
Reported by FlawFinder.
Line: 552
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
va_end(ap);
if (!k_menu_items[items_num].is_visible)
memcpy(k_menu_items[items_num].str, "XXX", 3);
curses_menu_items[items_num] = new_item(
k_menu_items[items_num].str,
k_menu_items[items_num].str);
set_item_userptr(curses_menu_items[items_num],
Reported by FlawFinder.
Line: 573
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
va_list ap;
int index = items_num-1;
char new_str[256];
char tmp_str[256];
if (index < 0)
return;
Reported by FlawFinder.
Line: 574
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
va_list ap;
int index = items_num-1;
char new_str[256];
char tmp_str[256];
if (index < 0)
return;
va_start(ap, fmt);
Reported by FlawFinder.
Line: 632
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return item_tag() == tag;
}
static char filename[PATH_MAX+1];
static char menu_backtitle[PATH_MAX+128];
static void set_config_filename(const char *config_filename)
{
snprintf(menu_backtitle, sizeof(menu_backtitle), "%s - %s",
config_filename, rootmenu.prompt->text);
Reported by FlawFinder.
Line: 633
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static char filename[PATH_MAX+1];
static char menu_backtitle[PATH_MAX+128];
static void set_config_filename(const char *config_filename)
{
snprintf(menu_backtitle, sizeof(menu_backtitle), "%s - %s",
config_filename, rootmenu.prompt->text);
Reported by FlawFinder.
Line: 1010
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int in_search;
match_f match_direction;
char pattern[256];
};
/* Return 0 means I have handled the key. In such a case, ans should hold the
* item to center, or -1 otherwise.
* Else return -1 .
Reported by FlawFinder.
drivers/dax/bus.c
19 issues
Line: 285
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
device_lock(dev);
seed = dax_region->seed;
rc = sprintf(buf, "%s\n", seed ? dev_name(seed) : "");
device_unlock(dev);
return rc;
}
static DEVICE_ATTR_RO(seed);
Reported by FlawFinder.
Line: 304
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
device_lock(dev);
youngest = dax_region->youngest;
rc = sprintf(buf, "%s\n", youngest ? dev_name(youngest) : "");
device_unlock(dev);
return rc;
}
Reported by FlawFinder.
Line: 1203
Column: 9
CWE codes:
134
Suggestion:
Make format string constant
* We only ever expect to handle device-dax instances, i.e. the
* @type argument to MODULE_ALIAS_DAX_DEVICE() is always zero
*/
return sprintf(buf, DAX_DEVICE_MODALIAS_FMT "\n", 0);
}
static DEVICE_ATTR_RO(modalias);
static ssize_t numa_node_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 20
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define DAX_NAME_LEN 30
struct dax_id {
struct list_head list;
char dev_name[DAX_NAME_LEN];
};
static int dax_bus_uevent(struct device *dev, struct kobj_uevent_env *env)
{
/*
Reported by FlawFinder.
Line: 71
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct dax_device_driver *dax_drv = to_dax_drv(drv);
unsigned int region_id, id;
char devname[DAX_NAME_LEN];
struct dax_id *dax_id;
ssize_t rc = count;
int fields;
fields = sscanf(buf, "dax%d.%d", ®ion_id, &id);
Reported by FlawFinder.
Line: 79
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
fields = sscanf(buf, "dax%d.%d", ®ion_id, &id);
if (fields != 2)
return -EINVAL;
sprintf(devname, "dax%d.%d", region_id, id);
if (!sysfs_streq(buf, devname))
return -EINVAL;
mutex_lock(&dax_bus_lock);
dax_id = __dax_match_id(dax_drv, buf);
Reported by FlawFinder.
Line: 219
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dax_region *dax_region = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", dax_region->id);
}
static DEVICE_ATTR_RO(id);
static ssize_t region_size_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 228
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dax_region *dax_region = dev_get_drvdata(dev);
return sprintf(buf, "%llu\n", (unsigned long long)
resource_size(&dax_region->res));
}
static struct device_attribute dev_attr_region_size = __ATTR(size, 0444,
region_size_show, NULL);
Reported by FlawFinder.
Line: 239
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dax_region *dax_region = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", dax_region->align);
}
static struct device_attribute dev_attr_region_align =
__ATTR(align, 0400, region_align_show, NULL);
#define for_each_dax_region_resource(dax_region, res) \
Reported by FlawFinder.
Line: 269
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
size = dax_region_avail_size(dax_region);
device_unlock(dev);
return sprintf(buf, "%llu\n", size);
}
static DEVICE_ATTR_RO(available_size);
static ssize_t seed_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
drivers/atm/solos-pci.c
19 issues
Line: 918
Column: 12
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
return vcc;
}
static int popen(struct atm_vcc *vcc)
{
struct solos_card *card = vcc->dev->dev_data;
struct sk_buff *skb;
struct pkt_hdr *header;
Reported by FlawFinder.
Line: 1011
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
sprintf(msg, "%02X: ", i);
sprintf(item,"%02X ",*(buf->data + i));
strcat(msg, item);
if(i % 8 == 7) {
sprintf(item, "\n");
strcat(msg, item);
printk(KERN_DEBUG "%s", msg);
}
Reported by FlawFinder.
Line: 1014
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(msg, item);
if(i % 8 == 7) {
sprintf(item, "\n");
strcat(msg, item);
printk(KERN_DEBUG "%s", msg);
}
}
if (i % 8 != 0) {
sprintf(item, "\n");
Reported by FlawFinder.
Line: 1020
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
}
if (i % 8 != 0) {
sprintf(item, "\n");
strcat(msg, item);
printk(KERN_DEBUG "%s", msg);
}
printk(KERN_DEBUG "\n");
return 0;
Reported by FlawFinder.
Line: 1179
Column: 11
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
}
static const struct atmdev_ops fpga_ops = {
.open = popen,
.close = pclose,
.ioctl = NULL,
.send = psend,
.send_oam = NULL,
.phy_put = NULL,
Reported by FlawFinder.
Line: 230
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EIO;
buflen = prm.response->len;
memcpy(buf, prm.response->data, buflen);
kfree_skb(prm.response);
return buflen;
}
Reported by FlawFinder.
Line: 456
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
skb = skb_dequeue(&card->cli_queue[SOLOS_CHAN(atmdev)]);
spin_unlock(&card->cli_queue_lock);
if(skb == NULL)
return sprintf(buf, "No data.\n");
len = skb->len;
memcpy(buf, skb->data, len);
kfree_skb(skb);
Reported by FlawFinder.
Line: 459
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return sprintf(buf, "No data.\n");
len = skb->len;
memcpy(buf, skb->data, len);
kfree_skb(skb);
return len;
}
Reported by FlawFinder.
Line: 551
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
data32 = ioread32(card->config_regs + GPIO_STATUS);
data32 = (data32 >> gattr->offset) & 1;
return sprintf(buf, "%d\n", data32);
}
static ssize_t hardware_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 572
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
data32 = (data32 >> 5) & 0x0F;
break;
}
return sprintf(buf, "%d\n", data32);
}
static DEVICE_ATTR_RW(console);
Reported by FlawFinder.
fs/ext4/xattr.c
19 issues
Line: 368
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = -EFSCORRUPTED;
goto put_bhs;
}
memcpy((char *)buf + blocksize * i, bhs[i]->b_data,
i < bh_count - 1 ? blocksize : tail_size);
}
ret = 0;
put_bhs:
for (i = 0; i < bh_count; i++)
Reported by FlawFinder.
Line: 563
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(p + size > end))
goto cleanup;
memcpy(buffer, p, size);
}
}
error = size;
cleanup:
Reported by FlawFinder.
Line: 618
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(p + size > end))
goto cleanup;
memcpy(buffer, p, size);
}
}
error = size;
cleanup:
Reported by FlawFinder.
Line: 678
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buffer) {
if (size > rest)
return -ERANGE;
memcpy(buffer, prefix, prefix_len);
buffer += prefix_len;
memcpy(buffer, entry->e_name, entry->e_name_len);
buffer += entry->e_name_len;
*buffer++ = 0;
}
Reported by FlawFinder.
Line: 680
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ERANGE;
memcpy(buffer, prefix, prefix_len);
buffer += prefix_len;
memcpy(buffer, entry->e_name, entry->e_name_len);
buffer += entry->e_name_len;
*buffer++ = 0;
}
rest -= size;
}
Reported by FlawFinder.
Line: 1378
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
goto out;
memcpy(bh->b_data, buf, csize);
set_buffer_uptodate(bh);
ext4_handle_dirty_metadata(handle, ea_inode, bh);
buf += csize;
wsize += csize;
Reported by FlawFinder.
Line: 1580
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (i->value == EXT4_ZERO_XATTR_VALUE) {
memset(val, 0, new_size);
} else {
memcpy(val, i->value, i->value_len);
/* Clear padding bytes. */
memset(val + i->value_len, 0, new_size - i->value_len);
}
goto update_hash;
}
Reported by FlawFinder.
Line: 1727
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(here, 0, size);
here->e_name_index = i->name_index;
here->e_name_len = name_len;
memcpy(here->e_name, i->name, name_len);
} else {
/* This is an update, reset value info. */
here->e_value_inum = 0;
here->e_value_offs = 0;
here->e_value_size = 0;
Reported by FlawFinder.
Line: 1746
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (i->value == EXT4_ZERO_XATTR_VALUE) {
memset(val, 0, new_size);
} else {
memcpy(val, i->value, i->value_len);
/* Clear padding bytes. */
memset(val + i->value_len, 0,
new_size - i->value_len);
}
}
Reported by FlawFinder.
Line: 1897
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
error = -ENOMEM;
if (s->base == NULL)
goto cleanup;
memcpy(s->base, BHDR(bs->bh), bs->bh->b_size);
s->first = ENTRY(header(s->base)+1);
header(s->base)->h_refcount = cpu_to_le32(1);
s->here = ENTRY(s->base + offset);
s->end = s->base + bs->bh->b_size;
Reported by FlawFinder.
tools/perf/util/svghelper.c
19 issues
Line: 89
Column: 12
CWE codes:
362
{
int new_width;
svgfile = fopen(filename, "w");
if (!svgfile) {
fprintf(stderr, "Cannot open %s for output\n", filename);
return;
}
first_time = start;
Reported by FlawFinder.
Line: 272
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char *time_to_string(u64 duration)
{
static char text[80];
text[0] = 0;
if (duration < NSEC_PER_USEC) /* less than 1 usec */
return text;
Reported by FlawFinder.
Line: 280
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return text;
if (duration < NSEC_PER_MSEC) { /* less than 1 msec */
sprintf(text, "%.1f us", duration / (double)NSEC_PER_USEC);
return text;
}
sprintf(text, "%.1f ms", duration / (double)NSEC_PER_MSEC);
return text;
Reported by FlawFinder.
Line: 283
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(text, "%.1f us", duration / (double)NSEC_PER_USEC);
return text;
}
sprintf(text, "%.1f ms", duration / (double)NSEC_PER_MSEC);
return text;
}
void svg_waiting(int Yslot, int cpu, u64 start, u64 end, const char *backtrace)
Reported by FlawFinder.
Line: 325
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char *cpu_model(void)
{
static char cpu_m[255];
char buf[256];
FILE *file;
cpu_m[0] = 0;
/* CPU type */
Reported by FlawFinder.
Line: 326
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char *cpu_model(void)
{
static char cpu_m[255];
char buf[256];
FILE *file;
cpu_m[0] = 0;
/* CPU type */
file = fopen("/proc/cpuinfo", "r");
Reported by FlawFinder.
Line: 331
Column: 9
CWE codes:
362
cpu_m[0] = 0;
/* CPU type */
file = fopen("/proc/cpuinfo", "r");
if (file) {
while (fgets(buf, 255, file)) {
if (strstr(buf, "model name")) {
strlcpy(cpu_m, &buf[13], 255);
break;
Reported by FlawFinder.
Line: 343
Column: 9
CWE codes:
362
}
/* CPU type */
file = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_available_frequencies", "r");
if (file) {
while (fgets(buf, 255, file)) {
unsigned int freq;
freq = strtoull(buf, NULL, 10);
if (freq > max_freq)
Reported by FlawFinder.
Line: 358
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void svg_cpu_box(int cpu, u64 __max_freq, u64 __turbo_freq)
{
char cpu_string[80];
if (!svgfile)
return;
max_freq = __max_freq;
turbo_frequency = __turbo_freq;
Reported by FlawFinder.
Line: 372
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
time2pixels(last_time)-time2pixels(first_time),
cpu2y(cpu), SLOT_MULT+SLOT_HEIGHT);
sprintf(cpu_string, "CPU %i", (int)cpu);
fprintf(svgfile, "<text x=\"%.8f\" y=\"%.8f\">%s</text>\n",
10+time2pixels(first_time), cpu2y(cpu) + SLOT_HEIGHT/2, cpu_string);
fprintf(svgfile, "<text transform=\"translate(%.8f,%.8f)\" font-size=\"1.25pt\">%s</text>\n",
10+time2pixels(first_time), cpu2y(cpu) + SLOT_MULT + SLOT_HEIGHT - 4, cpu_model());
Reported by FlawFinder.
tools/accounting/getdelays.c
19 issues
Line: 44
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
#define err(code, fmt, arg...) \
do { \
fprintf(stderr, fmt, ##arg); \
exit(code); \
} while (0)
int done;
int rcvbufsz;
Reported by FlawFinder.
Line: 58
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
#define PRINTF(fmt, arg...) { \
if (dbg) { \
printf(fmt, ##arg); \
} \
}
/* Maximum size of response requested or message sent */
#define MAX_MSG_SIZE 1024
Reported by FlawFinder.
Line: 175
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
struct nlattr *na;
int rep_len;
strcpy(name, TASKSTATS_GENL_NAME);
rc = send_cmd(sd, GENL_ID_CTRL, getpid(), CTRL_CMD_GETFAMILY,
CTRL_ATTR_FAMILY_NAME, (void *)name,
strlen(TASKSTATS_GENL_NAME)+1);
if (rc < 0)
return 0; /* sendto() failure? */
Reported by FlawFinder.
Line: 354
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
if (tid < 0)
err(1, "Fork failed\n");
if (tid == 0)
if (execvp(argv[optind - 1],
&argv[optind - 1]) < 0)
exit(-1);
/* Set the command type and avoid further processing */
cmd_type = TASKSTATS_CMD_ATTR_PID;
Reported by FlawFinder.
Line: 290
Column: 7
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
struct msgtemplate msg;
while (!forking) {
c = getopt(argc, argv, "qdiw:r:m:t:p:vlC:c:");
if (c < 0)
break;
switch (c) {
case 'd':
Reported by FlawFinder.
Line: 50
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int done;
int rcvbufsz;
char name[100];
int dbg;
int print_delays;
int print_io_accounting;
int print_task_context_switch_counts;
Reported by FlawFinder.
Line: 70
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct msgtemplate {
struct nlmsghdr n;
struct genlmsghdr g;
char buf[MAX_MSG_SIZE];
};
char cpumask[100+6*MAX_CPUS];
static void usage(void)
Reported by FlawFinder.
Line: 73
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char buf[MAX_MSG_SIZE];
};
char cpumask[100+6*MAX_CPUS];
static void usage(void)
{
fprintf(stderr, "getdelays [-dilv] [-w logfile] [-r bufsize] "
"[-m cpumask] [-t tgid] [-p pid]\n");
Reported by FlawFinder.
Line: 140
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
na = (struct nlattr *) GENLMSG_DATA(&msg);
na->nla_type = nla_type;
na->nla_len = nla_len + NLA_HDRLEN;
memcpy(NLA_DATA(na), nla_data, nla_len);
msg.n.nlmsg_len += NLMSG_ALIGN(na->nla_len);
buf = (char *) &msg;
buflen = msg.n.nlmsg_len ;
memset(&nladdr, 0, sizeof(nladdr));
Reported by FlawFinder.
Line: 168
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct {
struct nlmsghdr n;
struct genlmsghdr g;
char buf[256];
} ans;
int id = 0, rc;
struct nlattr *na;
int rep_len;
Reported by FlawFinder.
drivers/target/target_core_spc.c
19 issues
Line: 157
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
u16 len;
if (dev->dev_flags & DF_EMULATED_VPD_UNIT_SERIAL) {
len = sprintf(&buf[4], "%s", dev->t10_wwn.unit_serial);
len++; /* Extra Byte for NULL Terminator */
buf[3] = len;
}
return 0;
}
Reported by FlawFinder.
Line: 273
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
unit_serial_len = strlen(&dev->t10_wwn.unit_serial[0]);
unit_serial_len++; /* For NULL Terminator */
id_len += sprintf(&buf[off+12], "%s:%s", prod,
&dev->t10_wwn.unit_serial[0]);
}
buf[off] = 0x2; /* ASCII */
buf[off+1] = 0x1; /* T10 Vendor ID */
buf[off+2] = 0x0;
Reported by FlawFinder.
Line: 400
Column: 19
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* UTF-8 encoding.
*/
tpgt = tpg->se_tpg_tfo->tpg_get_tag(tpg);
scsi_name_len = sprintf(&buf[off], "%s,t,0x%04x",
tpg->se_tpg_tfo->tpg_get_wwn(tpg), tpgt);
scsi_name_len += 1 /* Include NULL terminator */;
/*
* The null-terminated, null-padded (see 4.4.2) SCSI
* NAME STRING field contains a UTF-8 format string.
Reported by FlawFinder.
Line: 439
Column: 21
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* Target Port, this means "<iSCSI name>" in
* UTF-8 encoding.
*/
scsi_target_len = sprintf(&buf[off], "%s",
tpg->se_tpg_tfo->tpg_get_wwn(tpg));
scsi_target_len += 1 /* Include NULL terminator */;
/*
* The null-terminated, null-padded (see 4.4.2) SCSI
* NAME STRING field contains a UTF-8 format string.
Reported by FlawFinder.
Line: 127
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
memset(&buf[8], 0x20,
INQUIRY_VENDOR_LEN + INQUIRY_MODEL_LEN + INQUIRY_REVISION_LEN);
memcpy(&buf[8], dev->t10_wwn.vendor,
strnlen(dev->t10_wwn.vendor, INQUIRY_VENDOR_LEN));
memcpy(&buf[16], dev->t10_wwn.model,
strnlen(dev->t10_wwn.model, INQUIRY_MODEL_LEN));
memcpy(&buf[32], dev->t10_wwn.revision,
strnlen(dev->t10_wwn.revision, INQUIRY_REVISION_LEN));
Reported by FlawFinder.
Line: 129
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
INQUIRY_VENDOR_LEN + INQUIRY_MODEL_LEN + INQUIRY_REVISION_LEN);
memcpy(&buf[8], dev->t10_wwn.vendor,
strnlen(dev->t10_wwn.vendor, INQUIRY_VENDOR_LEN));
memcpy(&buf[16], dev->t10_wwn.model,
strnlen(dev->t10_wwn.model, INQUIRY_MODEL_LEN));
memcpy(&buf[32], dev->t10_wwn.revision,
strnlen(dev->t10_wwn.revision, INQUIRY_REVISION_LEN));
/*
Reported by FlawFinder.
Line: 131
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
strnlen(dev->t10_wwn.vendor, INQUIRY_VENDOR_LEN));
memcpy(&buf[16], dev->t10_wwn.model,
strnlen(dev->t10_wwn.model, INQUIRY_MODEL_LEN));
memcpy(&buf[32], dev->t10_wwn.revision,
strnlen(dev->t10_wwn.revision, INQUIRY_REVISION_LEN));
/*
* Set the VERSION DESCRIPTOR fields
*/
Reported by FlawFinder.
Line: 281
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[off+2] = 0x0;
/* left align Vendor ID and pad with spaces */
memset(&buf[off+4], 0x20, INQUIRY_VENDOR_LEN);
memcpy(&buf[off+4], dev->t10_wwn.vendor,
strnlen(dev->t10_wwn.vendor, INQUIRY_VENDOR_LEN));
/* Extra Byte for NULL Terminator */
id_len++;
/* Identifier Length */
buf[off+3] = id_len;
Reported by FlawFinder.
Line: 778
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
out:
rbuf = transport_kmap_data_sg(cmd);
if (rbuf) {
memcpy(rbuf, buf, min_t(u32, SE_INQUIRY_BUF, cmd->data_length));
transport_kunmap_data_sg(cmd);
}
kfree(buf);
if (!ret)
Reported by FlawFinder.
Line: 1021
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct se_device *dev = cmd->se_dev;
char *cdb = cmd->t_task_cdb;
unsigned char buf[SE_MODE_PAGE_BUF], *rbuf;
int type = dev->transport->get_device_type(dev);
int ten = (cmd->t_task_cdb[0] == MODE_SENSE_10);
bool dbd = !!(cdb[1] & 0x08);
bool llba = ten ? !!(cdb[1] & 0x10) : false;
u8 pc = cdb[2] >> 6;
Reported by FlawFinder.