The following issues were found
drivers/scsi/pm8001/pm8001_hwi.c
19 issues
Line: 1340
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (nb > (pm8001_ha->iomb_size - sizeof(struct mpi_msg_hdr)))
nb = pm8001_ha->iomb_size - sizeof(struct mpi_msg_hdr);
memcpy(pMessage, payload, nb);
if (nb + sizeof(struct mpi_msg_hdr) < pm8001_ha->iomb_size)
memset(pMessage + nb, 0, pm8001_ha->iomb_size -
(nb + sizeof(struct mpi_msg_hdr)));
/*Build the header*/
Reported by FlawFinder.
Line: 1862
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sata_cmd.tag = cpu_to_le32(ccb_tag);
sata_cmd.device_id = cpu_to_le32(pm8001_ha_dev->device_id);
sata_cmd.ncqtag_atap_dir_m |= ((0x1 << 7) | (0x5 << 9));
memcpy(&sata_cmd.sata_fis, &fis, sizeof(struct host_to_dev_fis));
res = pm8001_mpi_build_cmd(pm8001_ha, circularQ, opc, &sata_cmd,
sizeof(sata_cmd), 0);
if (res) {
sas_free_task(task);
Reported by FlawFinder.
Line: 2357
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sata_addr_low[i] = pm8001_ha->sas_addr[j];
for (i = 0, j = 0; j <= 3 && i <= 3; i++, j++)
sata_addr_hi[i] = pm8001_ha->sas_addr[j];
memcpy(&temp_sata_addr_low, sata_addr_low,
sizeof(sata_addr_low));
memcpy(&temp_sata_addr_hi, sata_addr_hi,
sizeof(sata_addr_hi));
temp_sata_addr_hi = (((temp_sata_addr_hi >> 24) & 0xff)
|((temp_sata_addr_hi << 8) &
Reported by FlawFinder.
Line: 2359
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sata_addr_hi[i] = pm8001_ha->sas_addr[j];
memcpy(&temp_sata_addr_low, sata_addr_low,
sizeof(sata_addr_low));
memcpy(&temp_sata_addr_hi, sata_addr_hi,
sizeof(sata_addr_hi));
temp_sata_addr_hi = (((temp_sata_addr_hi >> 24) & 0xff)
|((temp_sata_addr_hi << 8) &
0xff0000) |
((temp_sata_addr_hi >> 8)
Reported by FlawFinder.
Line: 2433
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (SAS_STATUS_BUF_SIZE >= sizeof(*resp)) {
resp->frame_len = len;
memcpy(&resp->ending_fis[0], sata_resp, len);
ts->buf_valid_size = sizeof(*resp);
} else
pm8001_dbg(pm8001_ha, IO,
"response too large\n");
}
Reported by FlawFinder.
Line: 3137
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pm8001_dbg(pm8001_ha, MSG, "Get NVMD success, IR=1\n");
if ((ir_tds_bn_dps_das_nvm & NVMD_TYPE) == TWI_DEVICE) {
if (ir_tds_bn_dps_das_nvm == 0x80a80200) {
memcpy(pm8001_ha->sas_addr,
((u8 *)virt_addr + 4),
SAS_ADDR_SIZE);
pm8001_dbg(pm8001_ha, MSG, "Get SAS address from VPD successfully!\n");
}
} else if (((ir_tds_bn_dps_das_nvm & NVMD_TYPE) == C_SEEPROM)
Reported by FlawFinder.
Line: 3163
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Though fw_control_context is freed below, usrAddr still needs
* to be updated as this holds the response to the request function
*/
memcpy(fw_control_context->usrAddr,
pm8001_ha->memoryMap.region[NVMD].virt_ptr,
fw_control_context->len);
kfree(ccb->fw_control_context);
/* To avoid race condition, complete should be
* called after the message is copied to
Reported by FlawFinder.
Line: 3302
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
struct sas_identify_frame *idframe =
(void *) phy->sas_phy.frame_rcvd;
memcpy(sas_addr, idframe->sas_addr, SAS_ADDR_SIZE);
}
}
/**
* pm8001_hw_event_ack_req- For PM8001,some events need to acknowage to FW.
Reported by FlawFinder.
Line: 3403
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
phy->sas_phy.oob_mode = SAS_OOB_MODE;
sas_notify_phy_event(&phy->sas_phy, PHYE_OOB_DONE, GFP_ATOMIC);
spin_lock_irqsave(&phy->sas_phy.frame_rcvd_lock, flags);
memcpy(phy->frame_rcvd, &pPayload->sas_identify,
sizeof(struct sas_identify_frame)-4);
phy->frame_rcvd_size = sizeof(struct sas_identify_frame) - 4;
pm8001_get_attached_sas_addr(phy, phy->sas_phy.attached_sas_addr);
spin_unlock_irqrestore(&phy->sas_phy.frame_rcvd_lock, flags);
if (pm8001_ha->flags == PM8001F_RUN_TIME)
Reported by FlawFinder.
Line: 3446
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
phy->sas_phy.oob_mode = SATA_OOB_MODE;
sas_notify_phy_event(&phy->sas_phy, PHYE_OOB_DONE, GFP_ATOMIC);
spin_lock_irqsave(&phy->sas_phy.frame_rcvd_lock, flags);
memcpy(phy->frame_rcvd, ((u8 *)&pPayload->sata_fis - 4),
sizeof(struct dev_to_host_fis));
phy->frame_rcvd_size = sizeof(struct dev_to_host_fis);
phy->identify.target_port_protocols = SAS_PROTOCOL_SATA;
phy->identify.device_type = SAS_SATA_DEV;
pm8001_get_attached_sas_addr(phy, phy->sas_phy.attached_sas_addr);
Reported by FlawFinder.
scripts/kconfig/nconf.c
19 issues
Line: 546
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
k_menu_items[items_num].is_visible = 1;
va_start(ap, fmt);
vsnprintf(k_menu_items[items_num].str,
sizeof(k_menu_items[items_num].str),
fmt, ap);
va_end(ap);
if (!k_menu_items[items_num].is_visible)
Reported by FlawFinder.
Line: 580
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
return;
va_start(ap, fmt);
vsnprintf(new_str, sizeof(new_str), fmt, ap);
va_end(ap);
snprintf(tmp_str, sizeof(tmp_str), "%s%s",
k_menu_items[index].str, new_str);
strncpy(k_menu_items[index].str,
tmp_str,
Reported by FlawFinder.
Line: 1481
Column: 9
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
conf_parse(av[1]);
conf_read(NULL);
mode = getenv("NCONFIG_MODE");
if (mode) {
if (!strcasecmp(mode, "single_menu"))
single_menu_mode = 1;
}
Reported by FlawFinder.
Line: 250
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"\n";
struct mitem {
char str[256];
char tag;
void *usrptr;
int is_visible;
};
Reported by FlawFinder.
Line: 552
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
va_end(ap);
if (!k_menu_items[items_num].is_visible)
memcpy(k_menu_items[items_num].str, "XXX", 3);
curses_menu_items[items_num] = new_item(
k_menu_items[items_num].str,
k_menu_items[items_num].str);
set_item_userptr(curses_menu_items[items_num],
Reported by FlawFinder.
Line: 573
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
va_list ap;
int index = items_num-1;
char new_str[256];
char tmp_str[256];
if (index < 0)
return;
Reported by FlawFinder.
Line: 574
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
va_list ap;
int index = items_num-1;
char new_str[256];
char tmp_str[256];
if (index < 0)
return;
va_start(ap, fmt);
Reported by FlawFinder.
Line: 632
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return item_tag() == tag;
}
static char filename[PATH_MAX+1];
static char menu_backtitle[PATH_MAX+128];
static void set_config_filename(const char *config_filename)
{
snprintf(menu_backtitle, sizeof(menu_backtitle), "%s - %s",
config_filename, rootmenu.prompt->text);
Reported by FlawFinder.
Line: 633
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static char filename[PATH_MAX+1];
static char menu_backtitle[PATH_MAX+128];
static void set_config_filename(const char *config_filename)
{
snprintf(menu_backtitle, sizeof(menu_backtitle), "%s - %s",
config_filename, rootmenu.prompt->text);
Reported by FlawFinder.
Line: 1010
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int in_search;
match_f match_direction;
char pattern[256];
};
/* Return 0 means I have handled the key. In such a case, ans should hold the
* item to center, or -1 otherwise.
* Else return -1 .
Reported by FlawFinder.
drivers/atm/solos-pci.c
19 issues
Line: 918
Column: 12
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
return vcc;
}
static int popen(struct atm_vcc *vcc)
{
struct solos_card *card = vcc->dev->dev_data;
struct sk_buff *skb;
struct pkt_hdr *header;
Reported by FlawFinder.
Line: 1011
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
sprintf(msg, "%02X: ", i);
sprintf(item,"%02X ",*(buf->data + i));
strcat(msg, item);
if(i % 8 == 7) {
sprintf(item, "\n");
strcat(msg, item);
printk(KERN_DEBUG "%s", msg);
}
Reported by FlawFinder.
Line: 1014
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(msg, item);
if(i % 8 == 7) {
sprintf(item, "\n");
strcat(msg, item);
printk(KERN_DEBUG "%s", msg);
}
}
if (i % 8 != 0) {
sprintf(item, "\n");
Reported by FlawFinder.
Line: 1020
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
}
if (i % 8 != 0) {
sprintf(item, "\n");
strcat(msg, item);
printk(KERN_DEBUG "%s", msg);
}
printk(KERN_DEBUG "\n");
return 0;
Reported by FlawFinder.
Line: 1179
Column: 11
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
}
static const struct atmdev_ops fpga_ops = {
.open = popen,
.close = pclose,
.ioctl = NULL,
.send = psend,
.send_oam = NULL,
.phy_put = NULL,
Reported by FlawFinder.
Line: 230
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EIO;
buflen = prm.response->len;
memcpy(buf, prm.response->data, buflen);
kfree_skb(prm.response);
return buflen;
}
Reported by FlawFinder.
Line: 456
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
skb = skb_dequeue(&card->cli_queue[SOLOS_CHAN(atmdev)]);
spin_unlock(&card->cli_queue_lock);
if(skb == NULL)
return sprintf(buf, "No data.\n");
len = skb->len;
memcpy(buf, skb->data, len);
kfree_skb(skb);
Reported by FlawFinder.
Line: 459
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return sprintf(buf, "No data.\n");
len = skb->len;
memcpy(buf, skb->data, len);
kfree_skb(skb);
return len;
}
Reported by FlawFinder.
Line: 551
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
data32 = ioread32(card->config_regs + GPIO_STATUS);
data32 = (data32 >> gattr->offset) & 1;
return sprintf(buf, "%d\n", data32);
}
static ssize_t hardware_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 572
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
data32 = (data32 >> 5) & 0x0F;
break;
}
return sprintf(buf, "%d\n", data32);
}
static DEVICE_ATTR_RW(console);
Reported by FlawFinder.
drivers/dax/bus.c
19 issues
Line: 285
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
device_lock(dev);
seed = dax_region->seed;
rc = sprintf(buf, "%s\n", seed ? dev_name(seed) : "");
device_unlock(dev);
return rc;
}
static DEVICE_ATTR_RO(seed);
Reported by FlawFinder.
Line: 304
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
device_lock(dev);
youngest = dax_region->youngest;
rc = sprintf(buf, "%s\n", youngest ? dev_name(youngest) : "");
device_unlock(dev);
return rc;
}
Reported by FlawFinder.
Line: 1203
Column: 9
CWE codes:
134
Suggestion:
Make format string constant
* We only ever expect to handle device-dax instances, i.e. the
* @type argument to MODULE_ALIAS_DAX_DEVICE() is always zero
*/
return sprintf(buf, DAX_DEVICE_MODALIAS_FMT "\n", 0);
}
static DEVICE_ATTR_RO(modalias);
static ssize_t numa_node_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 20
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define DAX_NAME_LEN 30
struct dax_id {
struct list_head list;
char dev_name[DAX_NAME_LEN];
};
static int dax_bus_uevent(struct device *dev, struct kobj_uevent_env *env)
{
/*
Reported by FlawFinder.
Line: 71
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct dax_device_driver *dax_drv = to_dax_drv(drv);
unsigned int region_id, id;
char devname[DAX_NAME_LEN];
struct dax_id *dax_id;
ssize_t rc = count;
int fields;
fields = sscanf(buf, "dax%d.%d", ®ion_id, &id);
Reported by FlawFinder.
Line: 79
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
fields = sscanf(buf, "dax%d.%d", ®ion_id, &id);
if (fields != 2)
return -EINVAL;
sprintf(devname, "dax%d.%d", region_id, id);
if (!sysfs_streq(buf, devname))
return -EINVAL;
mutex_lock(&dax_bus_lock);
dax_id = __dax_match_id(dax_drv, buf);
Reported by FlawFinder.
Line: 219
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dax_region *dax_region = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", dax_region->id);
}
static DEVICE_ATTR_RO(id);
static ssize_t region_size_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 228
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dax_region *dax_region = dev_get_drvdata(dev);
return sprintf(buf, "%llu\n", (unsigned long long)
resource_size(&dax_region->res));
}
static struct device_attribute dev_attr_region_size = __ATTR(size, 0444,
region_size_show, NULL);
Reported by FlawFinder.
Line: 239
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dax_region *dax_region = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", dax_region->align);
}
static struct device_attribute dev_attr_region_align =
__ATTR(align, 0400, region_align_show, NULL);
#define for_each_dax_region_resource(dax_region, res) \
Reported by FlawFinder.
Line: 269
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
size = dax_region_avail_size(dax_region);
device_unlock(dev);
return sprintf(buf, "%llu\n", size);
}
static DEVICE_ATTR_RO(available_size);
static ssize_t seed_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
arch/x86/events/core.c
19 issues
Line: 1838
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* string trumps id */
if (pmu_attr->event_str)
return sprintf(page, "%s", pmu_attr->event_str);
return x86_pmu.events_sysfs_show(page, config);
}
EXPORT_SYMBOL_GPL(events_sysfs_show);
Reported by FlawFinder.
Line: 1861
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* if they are owned by some other guest. The user tool
* has to re-read when a thread sibling gets onlined later.
*/
return sprintf(page, "%s",
topology_max_smt_threads() > 1 ?
pmu_attr->event_str_ht :
pmu_attr->event_str_noht);
}
Reported by FlawFinder.
Line: 1878
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int i;
if (hweight64(pmu_attr->pmu_type) == 1)
return sprintf(page, "%s", pmu_attr->event_str);
/*
* Hybrid PMUs may support the same event name, but with different
* event encoding, e.g., the mem-loads event on an Atom PMU has
* different event encoding from a Core PMU.
Reported by FlawFinder.
Line: 1900
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (next_str)
return snprintf(page, next_str - str + 1, "%s", str);
else
return sprintf(page, "%s", str);
}
str = strchr(str, ';');
str++;
}
Reported by FlawFinder.
Line: 1480
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* copy new assignment, now we know it is possible
* will be used by hw_perf_enable()
*/
memcpy(cpuc->assign, assign, n*sizeof(int));
done_collect:
/*
* Commit the collect_events() state. See x86_pmu_del() and
* x86_pmu_*_txn().
Reported by FlawFinder.
Line: 1974
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* We have whole page size to spend and just little data
* to write, so we can safely use sprintf.
*/
ret = sprintf(page, "event=0x%02llx", event);
if (umask)
ret += sprintf(page + ret, ",umask=0x%02llx", umask);
if (edge)
Reported by FlawFinder.
Line: 1977
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret = sprintf(page, "event=0x%02llx", event);
if (umask)
ret += sprintf(page + ret, ",umask=0x%02llx", umask);
if (edge)
ret += sprintf(page + ret, ",edge");
if (pc)
Reported by FlawFinder.
Line: 1980
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret += sprintf(page + ret, ",umask=0x%02llx", umask);
if (edge)
ret += sprintf(page + ret, ",edge");
if (pc)
ret += sprintf(page + ret, ",pc");
if (any)
Reported by FlawFinder.
Line: 1983
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret += sprintf(page + ret, ",edge");
if (pc)
ret += sprintf(page + ret, ",pc");
if (any)
ret += sprintf(page + ret, ",any");
if (inv)
Reported by FlawFinder.
Line: 1986
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret += sprintf(page + ret, ",pc");
if (any)
ret += sprintf(page + ret, ",any");
if (inv)
ret += sprintf(page + ret, ",inv");
if (cmask)
Reported by FlawFinder.
drivers/target/target_core_spc.c
19 issues
Line: 157
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
u16 len;
if (dev->dev_flags & DF_EMULATED_VPD_UNIT_SERIAL) {
len = sprintf(&buf[4], "%s", dev->t10_wwn.unit_serial);
len++; /* Extra Byte for NULL Terminator */
buf[3] = len;
}
return 0;
}
Reported by FlawFinder.
Line: 273
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
unit_serial_len = strlen(&dev->t10_wwn.unit_serial[0]);
unit_serial_len++; /* For NULL Terminator */
id_len += sprintf(&buf[off+12], "%s:%s", prod,
&dev->t10_wwn.unit_serial[0]);
}
buf[off] = 0x2; /* ASCII */
buf[off+1] = 0x1; /* T10 Vendor ID */
buf[off+2] = 0x0;
Reported by FlawFinder.
Line: 400
Column: 19
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* UTF-8 encoding.
*/
tpgt = tpg->se_tpg_tfo->tpg_get_tag(tpg);
scsi_name_len = sprintf(&buf[off], "%s,t,0x%04x",
tpg->se_tpg_tfo->tpg_get_wwn(tpg), tpgt);
scsi_name_len += 1 /* Include NULL terminator */;
/*
* The null-terminated, null-padded (see 4.4.2) SCSI
* NAME STRING field contains a UTF-8 format string.
Reported by FlawFinder.
Line: 439
Column: 21
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* Target Port, this means "<iSCSI name>" in
* UTF-8 encoding.
*/
scsi_target_len = sprintf(&buf[off], "%s",
tpg->se_tpg_tfo->tpg_get_wwn(tpg));
scsi_target_len += 1 /* Include NULL terminator */;
/*
* The null-terminated, null-padded (see 4.4.2) SCSI
* NAME STRING field contains a UTF-8 format string.
Reported by FlawFinder.
Line: 127
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
memset(&buf[8], 0x20,
INQUIRY_VENDOR_LEN + INQUIRY_MODEL_LEN + INQUIRY_REVISION_LEN);
memcpy(&buf[8], dev->t10_wwn.vendor,
strnlen(dev->t10_wwn.vendor, INQUIRY_VENDOR_LEN));
memcpy(&buf[16], dev->t10_wwn.model,
strnlen(dev->t10_wwn.model, INQUIRY_MODEL_LEN));
memcpy(&buf[32], dev->t10_wwn.revision,
strnlen(dev->t10_wwn.revision, INQUIRY_REVISION_LEN));
Reported by FlawFinder.
Line: 129
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
INQUIRY_VENDOR_LEN + INQUIRY_MODEL_LEN + INQUIRY_REVISION_LEN);
memcpy(&buf[8], dev->t10_wwn.vendor,
strnlen(dev->t10_wwn.vendor, INQUIRY_VENDOR_LEN));
memcpy(&buf[16], dev->t10_wwn.model,
strnlen(dev->t10_wwn.model, INQUIRY_MODEL_LEN));
memcpy(&buf[32], dev->t10_wwn.revision,
strnlen(dev->t10_wwn.revision, INQUIRY_REVISION_LEN));
/*
Reported by FlawFinder.
Line: 131
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
strnlen(dev->t10_wwn.vendor, INQUIRY_VENDOR_LEN));
memcpy(&buf[16], dev->t10_wwn.model,
strnlen(dev->t10_wwn.model, INQUIRY_MODEL_LEN));
memcpy(&buf[32], dev->t10_wwn.revision,
strnlen(dev->t10_wwn.revision, INQUIRY_REVISION_LEN));
/*
* Set the VERSION DESCRIPTOR fields
*/
Reported by FlawFinder.
Line: 281
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[off+2] = 0x0;
/* left align Vendor ID and pad with spaces */
memset(&buf[off+4], 0x20, INQUIRY_VENDOR_LEN);
memcpy(&buf[off+4], dev->t10_wwn.vendor,
strnlen(dev->t10_wwn.vendor, INQUIRY_VENDOR_LEN));
/* Extra Byte for NULL Terminator */
id_len++;
/* Identifier Length */
buf[off+3] = id_len;
Reported by FlawFinder.
Line: 778
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
out:
rbuf = transport_kmap_data_sg(cmd);
if (rbuf) {
memcpy(rbuf, buf, min_t(u32, SE_INQUIRY_BUF, cmd->data_length));
transport_kunmap_data_sg(cmd);
}
kfree(buf);
if (!ret)
Reported by FlawFinder.
Line: 1021
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct se_device *dev = cmd->se_dev;
char *cdb = cmd->t_task_cdb;
unsigned char buf[SE_MODE_PAGE_BUF], *rbuf;
int type = dev->transport->get_device_type(dev);
int ten = (cmd->t_task_cdb[0] == MODE_SENSE_10);
bool dbd = !!(cdb[1] & 0x08);
bool llba = ten ? !!(cdb[1] & 0x10) : false;
u8 pc = cdb[2] >> 6;
Reported by FlawFinder.
fs/proc/base.c
19 issues
Line: 3738
* with the leader and walk nr threads forward.
*/
pos = task = task->group_leader;
do {
if (!nr--)
goto found;
} while_each_thread(task, pos);
fail:
pos = NULL;
Reported by Cppcheck.
Line: 602
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!lock_task_sighand(task, &flags))
return 0;
memcpy(rlim, task->signal->rlim, sizeof(struct rlimit) * RLIM_NLIMITS);
unlock_task_sighand(task, &flags);
/*
* print the file header
*/
Reported by FlawFinder.
Line: 1039
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
loff_t *ppos)
{
struct task_struct *task = get_proc_task(file_inode(file));
char buffer[PROC_NUMBUF];
int oom_adj = OOM_ADJUST_MIN;
size_t len;
if (!task)
return -ESRCH;
Reported by FlawFinder.
Line: 1153
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t oom_adj_write(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char buffer[PROC_NUMBUF];
int oom_adj;
int err;
memset(buffer, 0, sizeof(buffer));
if (count > sizeof(buffer) - 1)
Reported by FlawFinder.
Line: 1198
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct task_struct *task = get_proc_task(file_inode(file));
char buffer[PROC_NUMBUF];
short oom_score_adj = OOM_SCORE_ADJ_MIN;
size_t len;
if (!task)
return -ESRCH;
Reported by FlawFinder.
Line: 1213
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t oom_score_adj_write(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char buffer[PROC_NUMBUF];
int oom_score_adj;
int err;
memset(buffer, 0, sizeof(buffer));
if (count > sizeof(buffer) - 1)
Reported by FlawFinder.
Line: 1253
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct inode * inode = file_inode(file);
struct task_struct *task = get_proc_task(inode);
ssize_t length;
char tmpbuf[TMPBUFLEN];
if (!task)
return -ESRCH;
length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
from_kuid(file->f_cred->user_ns,
Reported by FlawFinder.
Line: 1319
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct inode * inode = file_inode(file);
struct task_struct *task = get_proc_task(inode);
ssize_t length;
char tmpbuf[TMPBUFLEN];
if (!task)
return -ESRCH;
length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
audit_get_sessionid(task));
Reported by FlawFinder.
Line: 1340
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct task_struct *task = get_proc_task(file_inode(file));
char buffer[PROC_NUMBUF];
size_t len;
int make_it_fail;
if (!task)
return -ESRCH;
Reported by FlawFinder.
Line: 1358
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char __user * buf, size_t count, loff_t *ppos)
{
struct task_struct *task;
char buffer[PROC_NUMBUF];
int make_it_fail;
int rv;
if (!capable(CAP_SYS_RESOURCE))
return -EPERM;
Reported by FlawFinder.
tools/perf/bench/numa.c
19 issues
Line: 47
Column: 61
CWE codes:
134
Suggestion:
Use a constant for the format specification
/*
* Regular printout to the terminal, suppressed if -q is specified:
*/
#define tprintf(x...) do { if (g && g->p.show_details >= 0) printf(x); } while (0)
/*
* Debug printf:
*/
#undef dprintf
Reported by FlawFinder.
Line: 53
Column: 61
CWE codes:
134
Suggestion:
Use a constant for the format specification
* Debug printf:
*/
#undef dprintf
#define dprintf(x...) do { if (g && g->p.show_details >= 1) printf(x); } while (0)
struct thread_data {
int curr_cpu;
cpu_set_t bind_cpumask;
int bind_node;
Reported by FlawFinder.
Line: 372
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
do { \
char name[20]; \
\
snprintf(name, 20, fmt); \
prctl(PR_SET_NAME, name); \
} while (0)
static u8 *alloc_data(ssize_t bytes0, int map_flags,
int init_zero, int init_cpu0, int thp, int init_random)
Reported by FlawFinder.
Line: 1855
Column: 8
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
int ret;
int i;
ret = system("echo ' #'; echo ' # Running test on: '$(uname -a); echo ' #'");
BUG_ON(ret < 0);
for (i = 0; i < nr; i++) {
run_bench_numa(tests[i][0], tests[i] + 1);
}
Reported by FlawFinder.
Line: 370
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define set_taskname(fmt...) \
do { \
char name[20]; \
\
snprintf(name, 20, fmt); \
prctl(PR_SET_NAME, name); \
} while (0)
Reported by FlawFinder.
Line: 547
Column: 30
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
dprintf("\ntoken: {%s}, end: {%s}\n", tok, tok_end);
if (!tok_end) {
/* Single CPU specified: */
bind_cpu_0 = bind_cpu_1 = atol(tok);
} else {
/* CPU range specified (for example: "5-11"): */
bind_cpu_0 = atol(tok);
bind_cpu_1 = atol(tok_end + 1);
}
Reported by FlawFinder.
Line: 550
Column: 17
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
bind_cpu_0 = bind_cpu_1 = atol(tok);
} else {
/* CPU range specified (for example: "5-11"): */
bind_cpu_0 = atol(tok);
bind_cpu_1 = atol(tok_end + 1);
}
step = 1;
tok_step = strstr(tok, "#");
Reported by FlawFinder.
Line: 551
Column: 17
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
} else {
/* CPU range specified (for example: "5-11"): */
bind_cpu_0 = atol(tok);
bind_cpu_1 = atol(tok_end + 1);
}
step = 1;
tok_step = strstr(tok, "#");
if (tok_step) {
Reported by FlawFinder.
Line: 557
Column: 11
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
step = 1;
tok_step = strstr(tok, "#");
if (tok_step) {
step = atol(tok_step + 1);
BUG_ON(step <= 0 || step >= g->p.nr_cpus);
}
/*
* Mask length.
Reported by FlawFinder.
Line: 569
Column: 15
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
bind_len = 1;
tok_len = strstr(tok, "_");
if (tok_len) {
bind_len = atol(tok_len + 1);
BUG_ON(bind_len <= 0 || bind_len > g->p.nr_cpus);
}
/* Multiplicator shortcut, "0x8" is a shortcut for: "0,0,0,0,0,0,0,0" */
mul = 1;
Reported by FlawFinder.
drivers/gpu/drm/radeon/radeon_pm.c
18 issues
Line: 41
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define RADEON_RECLOCK_DELAY_MS 200
#define RADEON_WAIT_VBLANK_TIMEOUT 200
static const char *radeon_pm_state_type_name[5] = {
"",
"Powersave",
"Battery",
"Balanced",
"Performance",
Reported by FlawFinder.
Line: 578
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
pwm_mode = rdev->asic->dpm.fan_ctrl_get_mode(rdev);
/* never 0 (full-speed), fuse or smc-controlled always */
return sprintf(buf, "%i\n", pwm_mode == FDO_PWM_MODE_STATIC ? 1 : 2);
}
static ssize_t radeon_hwmon_set_pwm1_enable(struct device *dev,
struct device_attribute *attr,
const char *buf,
Reported by FlawFinder.
Line: 613
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr,
char *buf)
{
return sprintf(buf, "%i\n", 0);
}
static ssize_t radeon_hwmon_get_pwm1_max(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 620
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr,
char *buf)
{
return sprintf(buf, "%i\n", 255);
}
static ssize_t radeon_hwmon_set_pwm1(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 658
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
speed = (speed * 255) / 100;
return sprintf(buf, "%i\n", speed);
}
static DEVICE_ATTR(power_profile, S_IRUGO | S_IWUSR, radeon_get_pm_profile, radeon_set_pm_profile);
static DEVICE_ATTR(power_method, S_IRUGO | S_IWUSR, radeon_get_pm_method, radeon_set_pm_method);
static DEVICE_ATTR(power_dpm_state, S_IRUGO | S_IWUSR, radeon_get_dpm_state, radeon_set_dpm_state);
Reported by FlawFinder.
Line: 384
Column: 31
CWE codes:
126
mutex_lock(&rdev->pm.mutex);
if (rdev->pm.pm_method == PM_METHOD_PROFILE) {
if (strncmp("default", buf, strlen("default")) == 0)
rdev->pm.profile = PM_PROFILE_DEFAULT;
else if (strncmp("auto", buf, strlen("auto")) == 0)
rdev->pm.profile = PM_PROFILE_AUTO;
else if (strncmp("low", buf, strlen("low")) == 0)
rdev->pm.profile = PM_PROFILE_LOW;
Reported by FlawFinder.
Line: 386
Column: 33
CWE codes:
126
if (rdev->pm.pm_method == PM_METHOD_PROFILE) {
if (strncmp("default", buf, strlen("default")) == 0)
rdev->pm.profile = PM_PROFILE_DEFAULT;
else if (strncmp("auto", buf, strlen("auto")) == 0)
rdev->pm.profile = PM_PROFILE_AUTO;
else if (strncmp("low", buf, strlen("low")) == 0)
rdev->pm.profile = PM_PROFILE_LOW;
else if (strncmp("mid", buf, strlen("mid")) == 0)
rdev->pm.profile = PM_PROFILE_MID;
Reported by FlawFinder.
Line: 388
Column: 32
CWE codes:
126
rdev->pm.profile = PM_PROFILE_DEFAULT;
else if (strncmp("auto", buf, strlen("auto")) == 0)
rdev->pm.profile = PM_PROFILE_AUTO;
else if (strncmp("low", buf, strlen("low")) == 0)
rdev->pm.profile = PM_PROFILE_LOW;
else if (strncmp("mid", buf, strlen("mid")) == 0)
rdev->pm.profile = PM_PROFILE_MID;
else if (strncmp("high", buf, strlen("high")) == 0)
rdev->pm.profile = PM_PROFILE_HIGH;
Reported by FlawFinder.
Line: 390
Column: 32
CWE codes:
126
rdev->pm.profile = PM_PROFILE_AUTO;
else if (strncmp("low", buf, strlen("low")) == 0)
rdev->pm.profile = PM_PROFILE_LOW;
else if (strncmp("mid", buf, strlen("mid")) == 0)
rdev->pm.profile = PM_PROFILE_MID;
else if (strncmp("high", buf, strlen("high")) == 0)
rdev->pm.profile = PM_PROFILE_HIGH;
else {
count = -EINVAL;
Reported by FlawFinder.
Line: 392
Column: 33
CWE codes:
126
rdev->pm.profile = PM_PROFILE_LOW;
else if (strncmp("mid", buf, strlen("mid")) == 0)
rdev->pm.profile = PM_PROFILE_MID;
else if (strncmp("high", buf, strlen("high")) == 0)
rdev->pm.profile = PM_PROFILE_HIGH;
else {
count = -EINVAL;
goto fail;
}
Reported by FlawFinder.
drivers/scsi/megaraid/megaraid_sas_base.c
18 issues
Line: 380
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *
format_timestamp(uint32_t timestamp)
{
static char buffer[32];
if ((timestamp & 0xff000000) == 0xff000000)
snprintf(buffer, sizeof(buffer), "boot + %us", timestamp &
0x00ffffff);
else
Reported by FlawFinder.
Line: 393
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *
format_class(int8_t class)
{
static char buffer[6];
switch (class) {
case MFI_EVT_CLASS_DEBUG:
return "debug";
case MFI_EVT_CLASS_PROGRESS:
Reported by FlawFinder.
Line: 1447
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pthru->flags = cpu_to_le16(flags);
pthru->data_xfer_len = cpu_to_le32(scsi_bufflen(scp));
memcpy(pthru->cdb, scp->cmnd, scp->cmd_len);
/*
* If the command is for the tape device, set the
* pthru timeout to the os layer timeout value.
*/
Reported by FlawFinder.
Line: 2440
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_warn(&instance->pdev->dev, "SR-IOV: "
"Got new LD/VF affiliation for scsi%d\n",
instance->host->host_no);
memcpy(instance->vf_affiliation_111,
new_affiliation_111,
sizeof(struct MR_LD_VF_AFFILIATION_111));
retval = 1;
goto out;
}
Reported by FlawFinder.
Line: 2610
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (doscan) {
dev_warn(&instance->pdev->dev, "SR-IOV: Got new LD/VF "
"affiliation for scsi%d\n", instance->host->host_no);
memcpy(instance->vf_affiliation, new_affiliation,
new_affiliation->size);
retval = 1;
}
if (new_affiliation)
Reported by FlawFinder.
Line: 3318
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src_addr = (unsigned long)instance->crash_buf[buff_offset / dmachunk] +
(buff_offset % dmachunk);
memcpy(buf, (void *)src_addr, size);
spin_unlock_irqrestore(&instance->crashdump_lock, flags);
return size;
}
Reported by FlawFinder.
Line: 3668
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (hdr->scsi_status == SAM_STAT_CHECK_CONDITION) {
memset(cmd->scmd->sense_buffer, 0,
SCSI_SENSE_BUFFERSIZE);
memcpy(cmd->scmd->sense_buffer, cmd->sense,
hdr->sense_len);
}
break;
Reported by FlawFinder.
Line: 8277
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* overwritten when we copy from user's frames. So set that value
* alone separately
*/
memcpy(cmd->frame, ioc->frame.raw, 2 * MEGAMFI_FRAME_SIZE);
cmd->frame->hdr.context = cpu_to_le32(cmd->index);
cmd->frame->hdr.pad_0 = 0;
cmd->frame->hdr.flags &= (~MFI_FRAME_IEEE);
Reported by FlawFinder.
Line: 8693
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t support_poll_for_event_show(struct device_driver *dd, char *buf)
{
return sprintf(buf, "%u\n", support_poll_for_event);
}
static DRIVER_ATTR_RO(support_poll_for_event);
static ssize_t support_device_change_show(struct device_driver *dd, char *buf)
{
Reported by FlawFinder.
Line: 8699
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t support_device_change_show(struct device_driver *dd, char *buf)
{
return sprintf(buf, "%u\n", support_device_change);
}
static DRIVER_ATTR_RO(support_device_change);
static ssize_t dbg_lvl_show(struct device_driver *dd, char *buf)
{
Reported by FlawFinder.