The following issues were found
sound/isa/sb/sb16_main.c
2 issues
Line: 681
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int snd_sb16_dma_control_info(struct snd_kcontrol *kcontrol, struct snd_ctl_elem_info *uinfo)
{
static const char * const texts[3] = {
"Auto", "Playback", "Capture"
};
return snd_ctl_enum_info(uinfo, 1, 3, texts);
}
Reported by FlawFinder.
Line: 843
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
err = snd_pcm_new(card, "SB16 DSP", device, 1, 1, &pcm);
if (err < 0)
return err;
sprintf(pcm->name, "DSP v%i.%i", chip->version >> 8, chip->version & 0xff);
pcm->info_flags = SNDRV_PCM_INFO_JOINT_DUPLEX;
pcm->private_data = chip;
chip->pcm = pcm;
snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_PLAYBACK, &snd_sb16_playback_ops);
Reported by FlawFinder.
samples/bpf/lathist_user.c
2 issues
Line: 36
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void print_hist(void)
{
char starstr[MAX_STARS];
struct cpu_hist *hist;
int i, j;
/* clear screen */
printf("\033[2J");
Reported by FlawFinder.
Line: 86
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bpf_link *links[2];
struct bpf_program *prog;
struct bpf_object *obj;
char filename[256];
int map_fd, i = 0;
snprintf(filename, sizeof(filename), "%s_kern.o", argv[0]);
obj = bpf_object__open_file(filename, NULL);
if (libbpf_get_error(obj)) {
Reported by FlawFinder.
samples/bpf/ibumad_user.c
2 issues
Line: 92
Column: 16
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
int longindex = 0;
int opt, err = -1;
while ((opt = getopt_long(argc, argv, "hd:rSw",
long_options, &longindex)) != -1) {
switch (opt) {
case 'd':
delay = strtoul(optarg, NULL, 0);
if (delay == ULONG_MAX || delay < 0 ||
Reported by FlawFinder.
Line: 88
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct bpf_program *prog;
unsigned long delay = 5;
char filename[256];
int longindex = 0;
int opt, err = -1;
while ((opt = getopt_long(argc, argv, "hd:rSw",
long_options, &longindex)) != -1) {
Reported by FlawFinder.
samples/bpf/fds_example.c
2 issues
Line: 145
Column: 16
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
uint32_t key = 0, value = 0, flags = 0;
int opt, mode = BPF_M_UNSPEC;
while ((opt = getopt(argc, argv, "F:PGmk:v:po:")) != -1) {
switch (opt) {
/* General args */
case 'F':
file = optarg;
break;
Reported by FlawFinder.
Line: 33
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define BPF_M_MAP 1
#define BPF_M_PROG 2
char bpf_log_buf[BPF_LOG_BUF_SIZE];
static void usage(void)
{
printf("Usage: fds_example [...]\n");
printf(" -F <file> File to pin/get object\n");
Reported by FlawFinder.
net/xfrm/xfrm_ipcomp.c
2 issues
Line: 85
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_frag_off_set(frag, 0);
skb_frag_size_set(frag, len);
memcpy(skb_frag_address(frag), scratch, len);
skb->truesize += len;
skb->data_len += len;
skb->len += len;
Reported by FlawFinder.
Line: 147
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy(start + sizeof(struct ip_comp_hdr), scratch, dlen);
local_bh_enable();
pskb_trim(skb, dlen + sizeof(struct ip_comp_hdr));
return 0;
Reported by FlawFinder.
sound/oss/dmasound/dmasound_paula.c
2 issues
Line: 657
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static int AmiStateInfo(char *buffer, size_t space)
{
int len = 0;
len += sprintf(buffer+len, "\tsound.volume_left = %d [0...64]\n",
dmasound.volume_left);
len += sprintf(buffer+len, "\tsound.volume_right = %d [0...64]\n",
dmasound.volume_right);
if (len >= space) {
printk(KERN_ERR "dmasound_paula: overflowed state buffer alloc.\n") ;
Reported by FlawFinder.
Line: 659
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int len = 0;
len += sprintf(buffer+len, "\tsound.volume_left = %d [0...64]\n",
dmasound.volume_left);
len += sprintf(buffer+len, "\tsound.volume_right = %d [0...64]\n",
dmasound.volume_right);
if (len >= space) {
printk(KERN_ERR "dmasound_paula: overflowed state buffer alloc.\n") ;
len = space ;
}
Reported by FlawFinder.
net/x25/x25_subr.c
2 issues
Line: 114
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct x25_sock *x25 = x25_sk(sk);
struct sk_buff *skb;
unsigned char *dptr;
unsigned char facilities[X25_MAX_FAC_LEN];
unsigned char addresses[1 + X25_ADDR_LEN];
unsigned char lci1, lci2;
/*
* Default safe frame size.
*/
Reported by FlawFinder.
Line: 115
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sk_buff *skb;
unsigned char *dptr;
unsigned char facilities[X25_MAX_FAC_LEN];
unsigned char addresses[1 + X25_ADDR_LEN];
unsigned char lci1, lci2;
/*
* Default safe frame size.
*/
int len = X25_MAX_L2_LEN + X25_EXT_MIN_LEN;
Reported by FlawFinder.
net/x25/x25_route.c
2 issues
Line: 45
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!rt)
goto out;
strcpy(rt->address.x25_addr, "000000000000000");
memcpy(rt->address.x25_addr, address->x25_addr, sigdigits);
rt->sigdigits = sigdigits;
rt->dev = dev;
refcount_set(&rt->refcnt, 1);
Reported by FlawFinder.
Line: 46
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
strcpy(rt->address.x25_addr, "000000000000000");
memcpy(rt->address.x25_addr, address->x25_addr, sigdigits);
rt->sigdigits = sigdigits;
rt->dev = dev;
refcount_set(&rt->refcnt, 1);
Reported by FlawFinder.
net/wireless/pmsr.c
2 issues
Line: 208
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
memcpy(out->addr, nla_data(tb[NL80211_PMSR_PEER_ATTR_ADDR]), ETH_ALEN);
/* reuse info->attrs */
memset(info->attrs, 0, sizeof(*info->attrs) * (NL80211_ATTR_MAX + 1));
err = nla_parse_nested_deprecated(info->attrs, NL80211_ATTR_MAX,
tb[NL80211_PMSR_PEER_ATTR_CHAN],
Reported by FlawFinder.
Line: 314
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (err)
goto out_err;
} else {
memcpy(req->mac_addr, wdev_address(wdev), ETH_ALEN);
eth_broadcast_addr(req->mac_addr_mask);
}
idx = 0;
nla_for_each_nested(peer, peers, rem) {
Reported by FlawFinder.
sound/pci/asihpi/hpi6205.h
2 issues
Line: 65
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct message_buffer_6205 {
struct hpi_message message;
char data[256];
};
struct response_buffer_6205 {
struct hpi_response response;
char data[256];
Reported by FlawFinder.
Line: 70
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct response_buffer_6205 {
struct hpi_response response;
char data[256];
};
union buffer_6205 {
struct message_buffer_6205 message_buffer;
struct response_buffer_6205 response_buffer;
Reported by FlawFinder.