The following issues were found
drivers/net/ethernet/qlogic/qede/qede_ethtool.c
18 issues
Line: 296
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < QEDE_NUM_TQSTATS; i++) {
if (txq->is_xdp)
sprintf(*buf, "%d [XDP]: %s",
QEDE_TXQ_XDP_TO_IDX(edev, txq),
qede_tqstats_arr[i].string);
else
sprintf(*buf, "%d_%d: %s", txq->index, txq->cos,
qede_tqstats_arr[i].string);
Reported by FlawFinder.
Line: 300
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
QEDE_TXQ_XDP_TO_IDX(edev, txq),
qede_tqstats_arr[i].string);
else
sprintf(*buf, "%d_%d: %s", txq->index, txq->cos,
qede_tqstats_arr[i].string);
*buf += ETH_GSTRING_LEN;
}
}
Reported by FlawFinder.
Line: 312
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int i;
for (i = 0; i < QEDE_NUM_RQSTATS; i++) {
sprintf(*buf, "%d: %s", rxq->rxq_id,
qede_rqstats_arr[i].string);
*buf += ETH_GSTRING_LEN;
}
}
Reported by FlawFinder.
Line: 353
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
for (i = 0; i < QEDE_NUM_STATS; i++) {
if (qede_is_irrelevant_stat(edev, i))
continue;
strcpy(buf, qede_stats_arr[i].string);
buf += ETH_GSTRING_LEN;
}
}
static void qede_get_strings(struct net_device *dev, u32 stringset, u8 *buf)
Reported by FlawFinder.
Line: 33
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const struct {
u64 offset;
char string[ETH_GSTRING_LEN];
} qede_rqstats_arr[] = {
QEDE_RQSTAT(rcv_pkts),
QEDE_RQSTAT(rx_hw_errors),
QEDE_RQSTAT(rx_alloc_errors),
QEDE_RQSTAT(rx_ip_frags),
Reported by FlawFinder.
Line: 51
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define QEDE_NUM_TQSTATS ARRAY_SIZE(qede_tqstats_arr)
static const struct {
u64 offset;
char string[ETH_GSTRING_LEN];
} qede_tqstats_arr[] = {
QEDE_TQSTAT(xmit_pkts),
QEDE_TQSTAT(stopped_cnt),
QEDE_TQSTAT(tx_mem_alloc_err),
};
Reported by FlawFinder.
Line: 80
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
BIT(QEDE_STAT_PF_ONLY) | BIT(QEDE_STAT_AH_ONLY))
static const struct {
u64 offset;
char string[ETH_GSTRING_LEN];
unsigned long attr;
#define QEDE_STAT_PF_ONLY 0
#define QEDE_STAT_BB_ONLY 1
#define QEDE_STAT_AH_ONLY 2
} qede_stats_arr[] = {
Reported by FlawFinder.
Line: 174
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
QEDE_PRI_FLAG_LEN,
};
static const char qede_private_arr[QEDE_PRI_FLAG_LEN][ETH_GSTRING_LEN] = {
"Coupled-Function",
"SmartAN capable",
"Recover on error",
};
Reported by FlawFinder.
Line: 190
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
QEDE_ETHTOOL_TEST_MAX
};
static const char qede_tests_str_arr[QEDE_ETHTOOL_TEST_MAX][ETH_GSTRING_LEN] = {
"Internal loopback (offline)",
"Interrupt (online)\t",
"Memory (online)\t\t",
"Register (online)\t",
"Clock (online)\t\t",
Reported by FlawFinder.
Line: 367
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
qede_get_strings_stats(edev, buf);
break;
case ETH_SS_PRIV_FLAGS:
memcpy(buf, qede_private_arr,
ETH_GSTRING_LEN * QEDE_PRI_FLAG_LEN);
break;
case ETH_SS_TEST:
memcpy(buf, qede_tests_str_arr,
ETH_GSTRING_LEN * QEDE_ETHTOOL_TEST_MAX);
Reported by FlawFinder.
fs/hpfs/ea.c
18 issues
Line: 260
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ea->namelen = strlen(key);
ea->valuelen_lo = size;
ea->valuelen_hi = size >> 8;
strcpy(ea->name, key);
memcpy(ea_data(ea), data, size);
fnode->ea_size_s = cpu_to_le16(le16_to_cpu(fnode->ea_size_s) + strlen(key) + size + 5);
goto ret;
}
/* Most the code here is 99.9993422% unused. I hope there are no bugs.
Reported by FlawFinder.
Line: 19
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
unsigned pos = 0;
while (pos < len) {
char ex[4 + 255 + 1 + 8];
struct extended_attribute *ea = (struct extended_attribute *)ex;
if (pos + 4 > len) {
hpfs_error(s, "EAs don't end correctly, %s %08x, len %08x",
ano ? "anode" : "sectors", a, len);
return;
Reported by FlawFinder.
Line: 80
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned pos;
int ano, len;
secno a;
char ex[4 + 255 + 1 + 8];
struct extended_attribute *ea;
struct extended_attribute *ea_end = fnode_end_ea(fnode);
for (ea = fnode_ea(fnode); ea < ea_end; ea = next_ea(ea))
if (!strcmp(ea->name, key)) {
if (ea_indirect(ea))
Reported by FlawFinder.
Line: 89
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto indirect;
if (ea_valuelen(ea) >= size)
return -EINVAL;
memcpy(buf, ea_data(ea), ea_valuelen(ea));
buf[ea_valuelen(ea)] = 0;
return 0;
}
a = le32_to_cpu(fnode->ea_secno);
len = le32_to_cpu(fnode->ea_size_l);
Reported by FlawFinder.
Line: 146
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_err("out of memory for EA\n");
return NULL;
}
memcpy(ret, ea_data(ea), ea_valuelen(ea));
ret[ea_valuelen(ea)] = 0;
return ret;
}
a = le32_to_cpu(fnode->ea_secno);
len = le32_to_cpu(fnode->ea_size_l);
Reported by FlawFinder.
Line: 155
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ano = fnode_in_anode(fnode);
pos = 0;
while (pos < len) {
char ex[4 + 255 + 1 + 8];
ea = (struct extended_attribute *)ex;
if (pos + 4 > len) {
hpfs_error(s, "EAs don't end correctly, %s %08x, len %08x",
ano ? "anode" : "sectors", a, len);
return NULL;
Reported by FlawFinder.
Line: 198
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned pos;
int ano, len;
secno a;
unsigned char h[4];
struct extended_attribute *ea;
struct extended_attribute *ea_end = fnode_end_ea(fnode);
for (ea = fnode_ea(fnode); ea < ea_end; ea = next_ea(ea))
if (!strcmp(ea->name, key)) {
if (ea_indirect(ea)) {
Reported by FlawFinder.
Line: 207
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ea_len(ea) == size)
set_indirect_ea(s, ea_in_anode(ea), ea_sec(ea), data, size);
} else if (ea_valuelen(ea) == size) {
memcpy(ea_data(ea), data, size);
}
return;
}
a = le32_to_cpu(fnode->ea_secno);
len = le32_to_cpu(fnode->ea_size_l);
Reported by FlawFinder.
Line: 216
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ano = fnode_in_anode(fnode);
pos = 0;
while (pos < len) {
char ex[4 + 255 + 1 + 8];
ea = (struct extended_attribute *)ex;
if (pos + 4 > len) {
hpfs_error(s, "EAs don't end correctly, %s %08x, len %08x",
ano ? "anode" : "sectors", a, len);
return;
Reported by FlawFinder.
Line: 261
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ea->valuelen_lo = size;
ea->valuelen_hi = size >> 8;
strcpy(ea->name, key);
memcpy(ea_data(ea), data, size);
fnode->ea_size_s = cpu_to_le16(le16_to_cpu(fnode->ea_size_s) + strlen(key) + size + 5);
goto ret;
}
/* Most the code here is 99.9993422% unused. I hope there are no bugs.
But what .. HPFS.IFS has also bugs in ea management. */
Reported by FlawFinder.
drivers/hwmon/vt8231.c
18 issues
Line: 634
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
*devattr, char *buf)
{
struct vt8231_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", data->name);
}
static DEVICE_ATTR_RO(name);
static struct attribute *vt8231_attributes_temps[6][5] = {
{
Reported by FlawFinder.
Line: 189
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int nr = sensor_attr->index;
struct vt8231_data *data = vt8231_update_device(dev);
return sprintf(buf, "%d\n", ((data->in[nr] - 3) * 10000) / 958);
}
static ssize_t in_min_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 199
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int nr = sensor_attr->index;
struct vt8231_data *data = vt8231_update_device(dev);
return sprintf(buf, "%d\n", ((data->in_min[nr] - 3) * 10000) / 958);
}
static ssize_t in_max_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 209
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int nr = sensor_attr->index;
struct vt8231_data *data = vt8231_update_device(dev);
return sprintf(buf, "%d\n", (((data->in_max[nr] - 3) * 10000) / 958));
}
static ssize_t in_min_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 258
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct vt8231_data *data = vt8231_update_device(dev);
return sprintf(buf, "%d\n",
(((data->in[5] - 3) * 10000 * 54) / (958 * 34)));
}
static ssize_t in5_min_show(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 267
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct vt8231_data *data = vt8231_update_device(dev);
return sprintf(buf, "%d\n",
(((data->in_min[5] - 3) * 10000 * 54) / (958 * 34)));
}
static ssize_t in5_max_show(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 276
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct vt8231_data *data = vt8231_update_device(dev);
return sprintf(buf, "%d\n",
(((data->in_max[5] - 3) * 10000 * 54) / (958 * 34)));
}
static ssize_t in5_min_store(struct device *dev,
struct device_attribute *attr, const char *buf,
Reported by FlawFinder.
Line: 345
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct vt8231_data *data = vt8231_update_device(dev);
return sprintf(buf, "%d\n", data->temp[0] * 250);
}
static ssize_t temp1_max_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 352
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char *buf)
{
struct vt8231_data *data = vt8231_update_device(dev);
return sprintf(buf, "%d\n", data->temp_max[0] * 1000);
}
static ssize_t temp1_max_hyst_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 359
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct vt8231_data *data = vt8231_update_device(dev);
return sprintf(buf, "%d\n", data->temp_min[0] * 1000);
}
static ssize_t temp1_max_store(struct device *dev,
struct device_attribute *attr, const char *buf,
size_t count)
Reported by FlawFinder.
drivers/md/raid5.c
18 issues
Line: 1616
CWE codes:
908
else
/* we should only have one valid target */
BUG();
BUG_ON(target < 0);
pr_debug("%s: stripe %llu block: %d\n",
__func__, (unsigned long long)sh->sector, target);
tgt = &sh->dev[target];
BUG_ON(!test_bit(R5_Wantcompute, &tgt->flags));
Reported by Cppcheck.
Line: 2668
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct stripe_head *sh = bi->bi_private;
struct r5conf *conf = sh->raid_conf;
int disks = sh->disks, i;
char b[BDEVNAME_SIZE];
struct md_rdev *rdev = NULL;
sector_t s;
for (i=0 ; i<disks; i++)
if (bi == &sh->dev[i].req)
Reported by FlawFinder.
Line: 2875
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void raid5_error(struct mddev *mddev, struct md_rdev *rdev)
{
char b[BDEVNAME_SIZE];
struct r5conf *conf = mddev->private;
unsigned long flags;
pr_debug("raid456: error called\n");
spin_lock_irqsave(&conf->device_lock, flags);
Reported by FlawFinder.
Line: 6561
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
spin_lock(&mddev->lock);
conf = mddev->private;
if (conf)
ret = sprintf(page, "%d\n", conf->min_nr_stripes);
spin_unlock(&mddev->lock);
return ret;
}
int
Reported by FlawFinder.
Line: 6631
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct r5conf *conf = mddev->private;
if (conf)
return sprintf(page, "%d\n", conf->rmw_level);
else
return 0;
}
static ssize_t
Reported by FlawFinder.
Line: 6677
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
spin_lock(&mddev->lock);
conf = mddev->private;
if (conf)
ret = sprintf(page, "%lu\n", RAID5_STRIPE_SIZE(conf));
spin_unlock(&mddev->lock);
return ret;
}
#if PAGE_SIZE != DEFAULT_STRIPE_SIZE
Reported by FlawFinder.
Line: 6771
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
spin_lock(&mddev->lock);
conf = mddev->private;
if (conf)
ret = sprintf(page, "%d\n", conf->bypass_threshold);
spin_unlock(&mddev->lock);
return ret;
}
static ssize_t
Reported by FlawFinder.
Line: 6816
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
spin_lock(&mddev->lock);
conf = mddev->private;
if (conf)
ret = sprintf(page, "%d\n", conf->skip_copy);
spin_unlock(&mddev->lock);
return ret;
}
static ssize_t
Reported by FlawFinder.
Line: 6865
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct r5conf *conf = mddev->private;
if (conf)
return sprintf(page, "%d\n", atomic_read(&conf->active_stripes));
else
return 0;
}
static struct md_sysfs_entry
Reported by FlawFinder.
Line: 6881
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
spin_lock(&mddev->lock);
conf = mddev->private;
if (conf)
ret = sprintf(page, "%d\n", conf->worker_cnt_per_group);
spin_unlock(&mddev->lock);
return ret;
}
static int alloc_thread_groups(struct r5conf *conf, int cnt,
Reported by FlawFinder.
drivers/scsi/megaraid/megaraid_sas_base.c
18 issues
Line: 380
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *
format_timestamp(uint32_t timestamp)
{
static char buffer[32];
if ((timestamp & 0xff000000) == 0xff000000)
snprintf(buffer, sizeof(buffer), "boot + %us", timestamp &
0x00ffffff);
else
Reported by FlawFinder.
Line: 393
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *
format_class(int8_t class)
{
static char buffer[6];
switch (class) {
case MFI_EVT_CLASS_DEBUG:
return "debug";
case MFI_EVT_CLASS_PROGRESS:
Reported by FlawFinder.
Line: 1447
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pthru->flags = cpu_to_le16(flags);
pthru->data_xfer_len = cpu_to_le32(scsi_bufflen(scp));
memcpy(pthru->cdb, scp->cmnd, scp->cmd_len);
/*
* If the command is for the tape device, set the
* pthru timeout to the os layer timeout value.
*/
Reported by FlawFinder.
Line: 2440
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_warn(&instance->pdev->dev, "SR-IOV: "
"Got new LD/VF affiliation for scsi%d\n",
instance->host->host_no);
memcpy(instance->vf_affiliation_111,
new_affiliation_111,
sizeof(struct MR_LD_VF_AFFILIATION_111));
retval = 1;
goto out;
}
Reported by FlawFinder.
Line: 2610
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (doscan) {
dev_warn(&instance->pdev->dev, "SR-IOV: Got new LD/VF "
"affiliation for scsi%d\n", instance->host->host_no);
memcpy(instance->vf_affiliation, new_affiliation,
new_affiliation->size);
retval = 1;
}
if (new_affiliation)
Reported by FlawFinder.
Line: 3318
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src_addr = (unsigned long)instance->crash_buf[buff_offset / dmachunk] +
(buff_offset % dmachunk);
memcpy(buf, (void *)src_addr, size);
spin_unlock_irqrestore(&instance->crashdump_lock, flags);
return size;
}
Reported by FlawFinder.
Line: 3668
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (hdr->scsi_status == SAM_STAT_CHECK_CONDITION) {
memset(cmd->scmd->sense_buffer, 0,
SCSI_SENSE_BUFFERSIZE);
memcpy(cmd->scmd->sense_buffer, cmd->sense,
hdr->sense_len);
}
break;
Reported by FlawFinder.
Line: 8277
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* overwritten when we copy from user's frames. So set that value
* alone separately
*/
memcpy(cmd->frame, ioc->frame.raw, 2 * MEGAMFI_FRAME_SIZE);
cmd->frame->hdr.context = cpu_to_le32(cmd->index);
cmd->frame->hdr.pad_0 = 0;
cmd->frame->hdr.flags &= (~MFI_FRAME_IEEE);
Reported by FlawFinder.
Line: 8693
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t support_poll_for_event_show(struct device_driver *dd, char *buf)
{
return sprintf(buf, "%u\n", support_poll_for_event);
}
static DRIVER_ATTR_RO(support_poll_for_event);
static ssize_t support_device_change_show(struct device_driver *dd, char *buf)
{
Reported by FlawFinder.
Line: 8699
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t support_device_change_show(struct device_driver *dd, char *buf)
{
return sprintf(buf, "%u\n", support_device_change);
}
static DRIVER_ATTR_RO(support_device_change);
static ssize_t dbg_lvl_show(struct device_driver *dd, char *buf)
{
Reported by FlawFinder.
drivers/staging/rtl8723bs/core/rtw_wlan_util.c
18 issues
Line: 25
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned char RALINK_OUI[] = {0x00, 0x0c, 0x43};
static unsigned char REALTEK_OUI[] = {0x00, 0xe0, 0x4c};
static unsigned char AIRGOCAP_OUI[] = {0x00, 0x0a, 0xf5};
static unsigned char RSN_TKIP_CIPHER[4] = {0x00, 0x0f, 0xac, 0x02};
static unsigned char WPA_TKIP_CIPHER[4] = {0x00, 0x50, 0xf2, 0x02};
#define R2T_PHY_DELAY (0)
/* define WAIT_FOR_BCN_TO_MIN (3000) */
Reported by FlawFinder.
Line: 26
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned char REALTEK_OUI[] = {0x00, 0xe0, 0x4c};
static unsigned char AIRGOCAP_OUI[] = {0x00, 0x0a, 0xf5};
static unsigned char RSN_TKIP_CIPHER[4] = {0x00, 0x0f, 0xac, 0x02};
static unsigned char WPA_TKIP_CIPHER[4] = {0x00, 0x50, 0xf2, 0x02};
#define R2T_PHY_DELAY (0)
/* define WAIT_FOR_BCN_TO_MIN (3000) */
#define WAIT_FOR_BCN_TO_MIN (6000)
Reported by FlawFinder.
Line: 186
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void get_rate_set(struct adapter *padapter, unsigned char *pbssrate, int *bssrate_len)
{
unsigned char supportedrates[NumRates];
memset(supportedrates, 0, NumRates);
*bssrate_len = ratetbl2rateset(padapter, supportedrates);
memcpy(pbssrate, supportedrates, *bssrate_len);
}
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(supportedrates, 0, NumRates);
*bssrate_len = ratetbl2rateset(padapter, supportedrates);
memcpy(pbssrate, supportedrates, *bssrate_len);
}
void set_mcs_rate_by_mask(u8 *mcs_set, u32 mask)
{
u8 mcs_rate_1r = (u8)(mask&0xff);
Reported by FlawFinder.
Line: 282
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
#ifdef DBG_CH_SWITCH
const int len = 128;
char msg[128] = {0};
int cnt = 0;
int i = 0;
#endif /* DBG_CH_SWITCH */
struct dvobj_priv *dvobj = adapter_to_dvobj(adapter);
Reported by FlawFinder.
Line: 400
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
__le16 val;
memcpy((unsigned char *)&val, rtw_get_beacon_interval_from_ie(bss->IEs), 2);
return le16_to_cpu(val);
}
int is_client_associated_to_ap(struct adapter *padapter)
Reported by FlawFinder.
Line: 494
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (j = 0; j < 6; j++) {
cmd = _ReadCAM(padapter, addr+j);
if (j > 1) /* get key from cam */
memcpy(get_key+(j-2)*4, &cmd, 4);
}
}
void _write_cam(struct adapter *padapter, u8 entry, u16 ctrl, u8 *mac, u8 *key)
{
Reported by FlawFinder.
Line: 555
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_bh(&cam_ctl->lock);
dvobj->cam_cache[id].ctrl = ctrl;
memcpy(dvobj->cam_cache[id].mac, mac, ETH_ALEN);
memcpy(dvobj->cam_cache[id].key, key, 16);
spin_unlock_bh(&cam_ctl->lock);
}
Reported by FlawFinder.
Line: 556
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dvobj->cam_cache[id].ctrl = ctrl;
memcpy(dvobj->cam_cache[id].mac, mac, ETH_ALEN);
memcpy(dvobj->cam_cache[id].key, key, 16);
spin_unlock_bh(&cam_ctl->lock);
}
void clear_cam_cache(struct adapter *adapter, u8 id)
Reported by FlawFinder.
Line: 758
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!memcmp(&(pmlmeinfo->WMM_param), (pIE->data + 6), sizeof(struct WMM_para_element)))
return false;
else
memcpy(&(pmlmeinfo->WMM_param), (pIE->data + 6), sizeof(struct WMM_para_element));
pmlmeinfo->WMM_enable = 1;
return true;
}
Reported by FlawFinder.
drivers/md/md-bitmap.c
18 issues
Line: 2528
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
if (mddev_is_clustered(mddev))
return sprintf(page, "clustered\n");
return sprintf(page, "%s\n", (mddev->bitmap_info.external
? "external" : "internal"));
}
static ssize_t metadata_store(struct mddev *mddev, const char *buf, size_t len)
{
Reported by FlawFinder.
Line: 2556
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int len;
spin_lock(&mddev->lock);
if (mddev->bitmap)
len = sprintf(page, "%s\n", (mddev->bitmap->need_sync ?
"false" : "true"));
else
len = sprintf(page, "\n");
spin_unlock(&mddev->lock);
return len;
Reported by FlawFinder.
Line: 564
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* keep the array size field of the bitmap superblock up to date */
sb->sync_size = cpu_to_le64(bitmap->mddev->resync_max_sectors);
memcpy(sb->uuid, bitmap->mddev->uuid, 16);
set_bit(BITMAP_STALE, &bitmap->flags);
sb->state = cpu_to_le32(bitmap->flags);
bitmap->events_cleared = bitmap->mddev->events;
sb->events_cleared = cpu_to_le64(bitmap->mddev->events);
Reported by FlawFinder.
Line: 2139
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bitmap->storage.file = NULL;
if (store.sb_page && bitmap->storage.sb_page)
memcpy(page_address(store.sb_page),
page_address(bitmap->storage.sb_page),
sizeof(bitmap_super_t));
spin_lock_irq(&bitmap->counts.lock);
md_bitmap_file_unmap(&bitmap->storage);
bitmap->storage = store;
Reported by FlawFinder.
Line: 2262
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
ssize_t len;
if (mddev->bitmap_info.file)
len = sprintf(page, "file");
else if (mddev->bitmap_info.offset)
len = sprintf(page, "%+lld", (long long)mddev->bitmap_info.offset);
else
len = sprintf(page, "none");
len += sprintf(page+len, "\n");
Reported by FlawFinder.
Line: 2264
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (mddev->bitmap_info.file)
len = sprintf(page, "file");
else if (mddev->bitmap_info.offset)
len = sprintf(page, "%+lld", (long long)mddev->bitmap_info.offset);
else
len = sprintf(page, "none");
len += sprintf(page+len, "\n");
return len;
}
Reported by FlawFinder.
Line: 2266
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (mddev->bitmap_info.offset)
len = sprintf(page, "%+lld", (long long)mddev->bitmap_info.offset);
else
len = sprintf(page, "none");
len += sprintf(page+len, "\n");
return len;
}
static ssize_t
Reported by FlawFinder.
Line: 2381
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t
space_show(struct mddev *mddev, char *page)
{
return sprintf(page, "%lu\n", mddev->bitmap_info.space);
}
static ssize_t
space_store(struct mddev *mddev, const char *buf, size_t len)
{
Reported by FlawFinder.
Line: 2418
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
unsigned long secs = mddev->bitmap_info.daemon_sleep / HZ;
unsigned long jifs = mddev->bitmap_info.daemon_sleep % HZ;
len = sprintf(page, "%lu", secs);
if (jifs)
len += sprintf(page+len, ".%03u", jiffies_to_msecs(jifs));
len += sprintf(page+len, "\n");
return len;
}
Reported by FlawFinder.
Line: 2420
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len = sprintf(page, "%lu", secs);
if (jifs)
len += sprintf(page+len, ".%03u", jiffies_to_msecs(jifs));
len += sprintf(page+len, "\n");
return len;
}
static ssize_t
Reported by FlawFinder.
arch/alpha/kernel/err_marvel.c
18 issues
Line: 256
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
if (EXTRACT(valid_mask, IO7__PO7_UNCRR_SYM__STRV_VTR)) {
char starvation_message[80];
scratch = EXTRACT(uncrr_sym, IO7__PO7_UNCRR_SYM__STRV_VTR);
if (scratch & IO7__STRV_VTR__IS_MSI)
sprintf(starvation_message,
"MSI Interrupt 0x%x",
Reported by FlawFinder.
Line: 260
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
scratch = EXTRACT(uncrr_sym, IO7__PO7_UNCRR_SYM__STRV_VTR);
if (scratch & IO7__STRV_VTR__IS_MSI)
sprintf(starvation_message,
"MSI Interrupt 0x%x",
EXTRACT(scratch, IO7__STRV_VTR__MSI__INTNUM));
else
sprintf(starvation_message,
"LSI INT%c for Bus:Slot (%d:%d)\n",
Reported by FlawFinder.
Line: 264
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
"MSI Interrupt 0x%x",
EXTRACT(scratch, IO7__STRV_VTR__MSI__INTNUM));
else
sprintf(starvation_message,
"LSI INT%c for Bus:Slot (%d:%d)\n",
'A' + EXTRACT(scratch,
IO7__STRV_VTR__LSI__INTX),
EXTRACT(scratch, IO7__STRV_VTR__LSI__BUS),
EXTRACT(scratch, IO7__STRV_VTR__LSI__SLOT));
Reported by FlawFinder.
Line: 279
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void
marvel_print_po7_ugbge_sym(u64 ugbge_sym)
{
char opcode_str[10];
#define IO7__PO7_UGBGE_SYM__UPH_PKT_OFF__S (6)
#define IO7__PO7_UGBGE_SYM__UPH_PKT_OFF__M (0xfffffffful)
#define IO7__PO7_UGBGE_SYM__UPH_OPCODE__S (40)
#define IO7__PO7_UGBGE_SYM__UPH_OPCODE__M (0xff)
Reported by FlawFinder.
Line: 296
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch(EXTRACT(ugbge_sym, IO7__PO7_UGBGE_SYM__UPH_OPCODE)) {
case 0x51:
sprintf(opcode_str, "Wr32");
break;
case 0x50:
sprintf(opcode_str, "WrQW");
break;
case 0x54:
Reported by FlawFinder.
Line: 299
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(opcode_str, "Wr32");
break;
case 0x50:
sprintf(opcode_str, "WrQW");
break;
case 0x54:
sprintf(opcode_str, "WrIPR");
break;
case 0xD8:
Reported by FlawFinder.
Line: 302
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(opcode_str, "WrQW");
break;
case 0x54:
sprintf(opcode_str, "WrIPR");
break;
case 0xD8:
sprintf(opcode_str, "Victim");
break;
case 0xC5:
Reported by FlawFinder.
Line: 305
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(opcode_str, "WrIPR");
break;
case 0xD8:
sprintf(opcode_str, "Victim");
break;
case 0xC5:
sprintf(opcode_str, "BlkIO");
break;
default:
Reported by FlawFinder.
Line: 308
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(opcode_str, "Victim");
break;
case 0xC5:
sprintf(opcode_str, "BlkIO");
break;
default:
sprintf(opcode_str, "0x%llx\n",
EXTRACT(ugbge_sym, IO7__PO7_UGBGE_SYM__UPH_OPCODE));
break;
Reported by FlawFinder.
Line: 311
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(opcode_str, "BlkIO");
break;
default:
sprintf(opcode_str, "0x%llx\n",
EXTRACT(ugbge_sym, IO7__PO7_UGBGE_SYM__UPH_OPCODE));
break;
}
printk("%s Up Hose Garbage Symptom:\n"
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
18 issues
Line: 23
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct iwl_mvm *mvm = file->private_data;
char buf[16];
int pos, budget;
if (!iwl_mvm_is_ctdp_supported(mvm))
return -EOPNOTSUPP;
Reported by FlawFinder.
Line: 212
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct iwl_mvm *mvm = file->private_data;
char buf[16];
int pos;
if (!mvm->temperature_test)
pos = scnprintf(buf , sizeof(buf), "disabled\n");
else
Reported by FlawFinder.
Line: 279
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct iwl_mvm *mvm = file->private_data;
char buf[16];
int pos, ret;
s32 temp;
if (!iwl_mvm_firmware_running(mvm))
return -EIO;
Reported by FlawFinder.
Line: 304
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct iwl_mvm *mvm = file->private_data;
char buf[256];
int pos = 0;
int bufsz = sizeof(buf);
int tbl_idx;
u8 *value;
Reported by FlawFinder.
Line: 346
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct iwl_mvm *mvm = file->private_data;
struct ieee80211_sta *sta;
char buf[400];
int i, pos = 0, bufsz = sizeof(buf);
mutex_lock(&mvm->mutex);
for (i = 0; i < mvm->fw->ucode_capa.num_stations; i++) {
Reported by FlawFinder.
Line: 451
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ieee80211_sta *sta = file->private_data;
struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
char buf[32];
int pos;
pos = scnprintf(buf, sizeof(buf), "current %d ", sta->max_amsdu_len);
pos += scnprintf(buf + pos, sizeof(buf) - pos, "stored %d\n",
mvmsta->orig_amsdu_len);
Reported by FlawFinder.
Line: 466
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct iwl_mvm *mvm = file->private_data;
char buf[64];
int bufsz = sizeof(buf);
int pos = 0;
pos += scnprintf(buf+pos, bufsz-pos, "disable_power_off_d0=%d\n",
mvm->disable_power_off);
Reported by FlawFinder.
Line: 614
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct iwl_mvm *mvm = file->private_data;
struct iwl_bt_coex_ci_cmd *cmd = &mvm->last_bt_ci_cmd;
char buf[256];
int bufsz = sizeof(buf);
int pos = 0;
mutex_lock(&mvm->mutex);
Reported by FlawFinder.
Line: 653
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
iwl_dbgfs_bt_force_ant_write(struct iwl_mvm *mvm, char *buf,
size_t count, loff_t *ppos)
{
static const char * const modes_str[BT_FORCE_ANT_MAX] = {
[BT_FORCE_ANT_DIS] = "dis",
[BT_FORCE_ANT_AUTO] = "auto",
[BT_FORCE_ANT_BT] = "bt",
[BT_FORCE_ANT_WIFI] = "wifi",
};
Reported by FlawFinder.
Line: 1053
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct iwl_mvm *mvm = file->private_data;
int pos = 0;
char buf[32];
const size_t bufsz = sizeof(buf);
/* print which antennas were set for the scan command by the user */
pos += scnprintf(buf + pos, bufsz - pos, "Antennas for scan: ");
if (mvm->scan_rx_ant & ANT_A)
Reported by FlawFinder.
scripts/gdb/linux/modules.py
18 issues
Line: 14
Column: 1
# This work is licensed under the terms of the GNU GPL version 2.
#
import gdb
from linux import cpus, utils, lists
module_type = utils.CachedType("struct module")
Reported by Pylint.
Line: 16
Column: 1
import gdb
from linux import cpus, utils, lists
module_type = utils.CachedType("struct module")
Reported by Pylint.
Line: 23
Column: 5
def module_list():
global module_type
modules = utils.gdb_eval_or_none("modules")
if modules is None:
return
module_ptr_type = module_type.get_type().pointer()
Reported by Pylint.
Line: 70
Column: 22
def __init__(self):
super(LxLsmod, self).__init__("lx-lsmod", gdb.COMMAND_DATA)
def invoke(self, arg, from_tty):
gdb.write(
"Address{0} Module Size Used by\n".format(
" " if utils.get_long_type().sizeof == 8 else ""))
for module in module_list():
Reported by Pylint.
Line: 70
Column: 27
def __init__(self):
super(LxLsmod, self).__init__("lx-lsmod", gdb.COMMAND_DATA)
def invoke(self, arg, from_tty):
gdb.write(
"Address{0} Module Size Used by\n".format(
" " if utils.get_long_type().sizeof == 8 else ""))
for module in module_list():
Reported by Pylint.
Line: 1
Column: 1
#
# gdb helper commands and functions for Linux kernel debugging
#
# module tools
#
# Copyright (c) Siemens AG, 2013
#
# Authors:
# Jan Kiszka <jan.kiszka@siemens.com>
Reported by Pylint.
Line: 22
Column: 1
module_type = utils.CachedType("struct module")
def module_list():
global module_type
modules = utils.gdb_eval_or_none("modules")
if modules is None:
return
Reported by Pylint.
Line: 23
Column: 5
def module_list():
global module_type
modules = utils.gdb_eval_or_none("modules")
if modules is None:
return
module_ptr_type = module_type.get_type().pointer()
Reported by Pylint.
Line: 34
Column: 1
yield module
def find_module_by_name(name):
for module in module_list():
if module['name'].string() == name:
return module
return None
Reported by Pylint.
Line: 41
Column: 1
return None
class LxModule(gdb.Function):
"""Find module by name and return the module variable.
$lx_module("MODULE"): Given the name MODULE, iterate over all loaded modules
of the target and return that module variable which MODULE matches."""
Reported by Pylint.