The following issues were found
sound/sparc/cs4231.c
16 issues
Line: 1528
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (snd_BUG_ON(!chip || !chip->pcm))
return -EINVAL;
strcpy(card->mixername, chip->pcm->name);
for (idx = 0; idx < ARRAY_SIZE(snd_cs4231_controls); idx++) {
err = snd_ctl_add(card,
snd_ctl_new1(&snd_cs4231_controls[idx], chip));
if (err < 0)
Reported by FlawFinder.
Line: 1851
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err)
return err;
sprintf(card->longname, "%s at 0x%02lx:0x%016Lx, irq %d",
card->shortname,
rp->flags & 0xffL,
(unsigned long long)rp->start,
op->archdata.irqs[0]);
Reported by FlawFinder.
Line: 2043
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err)
return err;
sprintf(card->longname, "%s at 0x%llx, irq %d",
card->shortname,
op->resource[0].start,
op->archdata.irqs[0]);
err = snd_cs4231_ebus_create(card, op, dev);
Reported by FlawFinder.
Line: 42
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif
static int index[SNDRV_CARDS] = SNDRV_DEFAULT_IDX; /* Index 0-MAX */
static char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR; /* ID for this card */
/* Enable this card */
static bool enable[SNDRV_CARDS] = SNDRV_DEFAULT_ENABLE_PNP;
module_param_array(index, int, NULL, 0444);
MODULE_PARM_DESC(index, "Index value for Sun CS4231 soundcard.");
Reported by FlawFinder.
Line: 108
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define CS4231_MODE_OPEN (CS4231_MODE_PLAY | CS4231_MODE_RECORD | \
CS4231_MODE_TIMER)
unsigned char image[32]; /* registers image */
int mce_bit;
int calibrate_mute;
struct mutex mce_mutex; /* mutex for mce register */
struct mutex open_mutex; /* mutex for ALSA open/close */
Reported by FlawFinder.
Line: 186
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* Some variables
*/
static const unsigned char freq_bits[14] = {
/* 5510 */ 0x00 | CS4231_XTAL2,
/* 6620 */ 0x0E | CS4231_XTAL2,
/* 8000 */ 0x00 | CS4231_XTAL1,
/* 9600 */ 0x0E | CS4231_XTAL1,
/* 11025 */ 0x02 | CS4231_XTAL2,
Reported by FlawFinder.
Line: 220
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
&hw_constraints_rates);
}
static const unsigned char snd_cs4231_original_image[32] =
{
0x00, /* 00/00 - lic */
0x00, /* 01/01 - ric */
0x9f, /* 02/02 - la1ic */
0x9f, /* 03/03 - ra1ic */
Reported by FlawFinder.
Line: 1228
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* global setup */
pcm->private_data = chip;
pcm->info_flags = SNDRV_PCM_INFO_JOINT_DUPLEX;
strcpy(pcm->name, "CS4231");
snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV,
&chip->op->dev, 64 * 1024, 128 * 1024);
chip->pcm = pcm;
Reported by FlawFinder.
Line: 1254
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
err = snd_timer_new(card, "CS4231", &tid, &timer);
if (err < 0)
return err;
strcpy(timer->name, "CS4231");
timer->private_data = chip;
timer->hw = snd_cs4231_timer_table;
chip->timer = timer;
return 0;
Reported by FlawFinder.
Line: 1269
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int snd_cs4231_info_mux(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_info *uinfo)
{
static const char * const texts[4] = {
"Line", "CD", "Mic", "Mix"
};
return snd_ctl_enum_info(uinfo, 2, 4, texts);
}
Reported by FlawFinder.
include/linux/fortify-string.h
16 issues
Line: 12
Column: 67
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
extern void *__underlying_memcpy(void *p, const void *q, __kernel_size_t size) __RENAME(memcpy);
extern void *__underlying_memmove(void *p, const void *q, __kernel_size_t size) __RENAME(memmove);
extern void *__underlying_memset(void *p, int c, __kernel_size_t size) __RENAME(memset);
extern char *__underlying_strcat(char *p, const char *q) __RENAME(strcat);
extern char *__underlying_strcpy(char *p, const char *q) __RENAME(strcpy);
extern __kernel_size_t __underlying_strlen(const char *p) __RENAME(strlen);
extern char *__underlying_strncat(char *p, const char *q, __kernel_size_t count) __RENAME(strncat);
extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) __RENAME(strncpy);
#else
Reported by FlawFinder.
Line: 13
Column: 67
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
extern void *__underlying_memmove(void *p, const void *q, __kernel_size_t size) __RENAME(memmove);
extern void *__underlying_memset(void *p, int c, __kernel_size_t size) __RENAME(memset);
extern char *__underlying_strcat(char *p, const char *q) __RENAME(strcat);
extern char *__underlying_strcpy(char *p, const char *q) __RENAME(strcpy);
extern __kernel_size_t __underlying_strlen(const char *p) __RENAME(strlen);
extern char *__underlying_strncat(char *p, const char *q, __kernel_size_t count) __RENAME(strncat);
extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) __RENAME(strncpy);
#else
#define __underlying_memchr __builtin_memchr
Reported by FlawFinder.
Line: 41
Column: 24
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
return __underlying_strncpy(p, q, size);
}
__FORTIFY_INLINE char *strcat(char *p, const char *q)
{
size_t p_size = __builtin_object_size(p, 1);
if (p_size == (size_t)-1)
return __underlying_strcat(p, q);
Reported by FlawFinder.
Line: 274
Column: 24
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
/* defined after fortified strlen and memcpy to reuse them */
__FORTIFY_INLINE char *strcpy(char *p, const char *q)
{
size_t p_size = __builtin_object_size(p, 1);
size_t q_size = __builtin_object_size(q, 1);
size_t size;
Reported by FlawFinder.
Line: 9
Column: 89
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)
extern void *__underlying_memchr(const void *p, int c, __kernel_size_t size) __RENAME(memchr);
extern int __underlying_memcmp(const void *p, const void *q, __kernel_size_t size) __RENAME(memcmp);
extern void *__underlying_memcpy(void *p, const void *q, __kernel_size_t size) __RENAME(memcpy);
extern void *__underlying_memmove(void *p, const void *q, __kernel_size_t size) __RENAME(memmove);
extern void *__underlying_memset(void *p, int c, __kernel_size_t size) __RENAME(memset);
extern char *__underlying_strcat(char *p, const char *q) __RENAME(strcat);
extern char *__underlying_strcpy(char *p, const char *q) __RENAME(strcpy);
extern __kernel_size_t __underlying_strlen(const char *p) __RENAME(strlen);
Reported by FlawFinder.
Line: 178
Column: 24
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return __underlying_memset(p, c, size);
}
__FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size)
{
size_t p_size = __builtin_object_size(p, 0);
size_t q_size = __builtin_object_size(q, 0);
if (__builtin_constant_p(size)) {
Reported by FlawFinder.
Line: 286
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* test here to use the more stringent object size */
if (p_size < size)
fortify_panic(__func__);
memcpy(p, q, size);
return p;
}
/* Don't use these outside the FORITFY_SOURCE implementation */
#undef __underlying_memchr
Reported by FlawFinder.
Line: 14
Column: 68
CWE codes:
126
extern void *__underlying_memset(void *p, int c, __kernel_size_t size) __RENAME(memset);
extern char *__underlying_strcat(char *p, const char *q) __RENAME(strcat);
extern char *__underlying_strcpy(char *p, const char *q) __RENAME(strcpy);
extern __kernel_size_t __underlying_strlen(const char *p) __RENAME(strlen);
extern char *__underlying_strncat(char *p, const char *q, __kernel_size_t count) __RENAME(strncat);
extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) __RENAME(strncpy);
#else
#define __underlying_memchr __builtin_memchr
#define __underlying_memcmp __builtin_memcmp
Reported by FlawFinder.
Line: 15
Column: 91
CWE codes:
120
Suggestion:
Consider strcat_s, strlcat, snprintf, or automatically resizing strings
extern char *__underlying_strcat(char *p, const char *q) __RENAME(strcat);
extern char *__underlying_strcpy(char *p, const char *q) __RENAME(strcpy);
extern __kernel_size_t __underlying_strlen(const char *p) __RENAME(strlen);
extern char *__underlying_strncat(char *p, const char *q, __kernel_size_t count) __RENAME(strncat);
extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) __RENAME(strncpy);
#else
#define __underlying_memchr __builtin_memchr
#define __underlying_memcmp __builtin_memcmp
#define __underlying_memcpy __builtin_memcpy
Reported by FlawFinder.
Line: 16
Column: 90
CWE codes:
120
extern char *__underlying_strcpy(char *p, const char *q) __RENAME(strcpy);
extern __kernel_size_t __underlying_strlen(const char *p) __RENAME(strlen);
extern char *__underlying_strncat(char *p, const char *q, __kernel_size_t count) __RENAME(strncat);
extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) __RENAME(strncpy);
#else
#define __underlying_memchr __builtin_memchr
#define __underlying_memcmp __builtin_memcmp
#define __underlying_memcpy __builtin_memcpy
#define __underlying_memmove __builtin_memmove
Reported by FlawFinder.
drivers/net/wireless/intersil/hostap/hostap_80211_tx.c
16 issues
Line: 316
Column: 36
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
/* Called only from software IRQ */
static struct sk_buff * hostap_tx_encrypt(struct sk_buff *skb,
struct lib80211_crypt_data *crypt)
{
struct hostap_interface *iface;
local_info_t *local;
struct ieee80211_hdr *hdr;
int prefix_len, postfix_len, hdr_len, res;
Reported by FlawFinder.
Line: 414
Column: 32
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
if (local->host_encrypt) {
/* Set crypt to default algorithm and key; will be replaced in
* AP code if STA has own alg/key */
tx.crypt = local->crypt_info.crypt[local->crypt_info.tx_keyidx];
tx.host_encrypt = 1;
} else {
tx.crypt = NULL;
tx.host_encrypt = 0;
}
Reported by FlawFinder.
Line: 486
Column: 63
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
tx.crypt = NULL;
}
if (local->ieee_802_1x && meta->ethertype == ETH_P_PAE && tx.crypt &&
!(fc & IEEE80211_FCTL_PROTECTED)) {
no_encrypt = 1;
PDEBUG(DEBUG_EXTRA2, "%s: TX: IEEE 802.1X - passing "
"unencrypted EAPOL frame\n", dev->name);
tx.crypt = NULL; /* no encryption for IEEE 802.1X frames */
Reported by FlawFinder.
Line: 494
Column: 9
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
tx.crypt = NULL; /* no encryption for IEEE 802.1X frames */
}
if (tx.crypt && (!tx.crypt->ops || !tx.crypt->ops->encrypt_mpdu))
tx.crypt = NULL;
else if ((tx.crypt ||
local->crypt_info.crypt[local->crypt_info.tx_keyidx]) &&
!no_encrypt) {
/* Add ISWEP flag both for firmware and host based encryption
Reported by FlawFinder.
Line: 496
Column: 15
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
if (tx.crypt && (!tx.crypt->ops || !tx.crypt->ops->encrypt_mpdu))
tx.crypt = NULL;
else if ((tx.crypt ||
local->crypt_info.crypt[local->crypt_info.tx_keyidx]) &&
!no_encrypt) {
/* Add ISWEP flag both for firmware and host based encryption
*/
fc |= IEEE80211_FCTL_PROTECTED;
Reported by FlawFinder.
Line: 497
Column: 22
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
if (tx.crypt && (!tx.crypt->ops || !tx.crypt->ops->encrypt_mpdu))
tx.crypt = NULL;
else if ((tx.crypt ||
local->crypt_info.crypt[local->crypt_info.tx_keyidx]) &&
!no_encrypt) {
/* Add ISWEP flag both for firmware and host based encryption
*/
fc |= IEEE80211_FCTL_PROTECTED;
hdr->frame_control = cpu_to_le16(fc);
Reported by FlawFinder.
Line: 515
Column: 9
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
goto fail;
}
if (tx.crypt) {
skb = hostap_tx_encrypt(skb, tx.crypt);
if (skb == NULL) {
printk(KERN_DEBUG "%s: TX - encryption failed\n",
dev->name);
ret = NETDEV_TX_OK;
Reported by FlawFinder.
Line: 516
Column: 35
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
}
if (tx.crypt) {
skb = hostap_tx_encrypt(skb, tx.crypt);
if (skb == NULL) {
printk(KERN_DEBUG "%s: TX - encryption failed\n",
dev->name);
ret = NETDEV_TX_OK;
goto fail;
Reported by FlawFinder.
Line: 181
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
is_multicast_ether_addr(skb->data))
eth_broadcast_addr(hdr.addr1);
else if (iface->type == HOSTAP_INTERFACE_WDS)
memcpy(&hdr.addr1, iface->u.wds.remote_addr,
ETH_ALEN);
else
memcpy(&hdr.addr1, local->bssid, ETH_ALEN);
memcpy(&hdr.addr2, dev->dev_addr, ETH_ALEN);
skb_copy_from_linear_data(skb, &hdr.addr3, ETH_ALEN);
Reported by FlawFinder.
Line: 184
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&hdr.addr1, iface->u.wds.remote_addr,
ETH_ALEN);
else
memcpy(&hdr.addr1, local->bssid, ETH_ALEN);
memcpy(&hdr.addr2, dev->dev_addr, ETH_ALEN);
skb_copy_from_linear_data(skb, &hdr.addr3, ETH_ALEN);
} else if (local->iw_mode == IW_MODE_MASTER && !to_assoc_ap) {
fc |= IEEE80211_FCTL_FROMDS;
/* From DS: Addr1 = DA, Addr2 = BSSID, Addr3 = SA */
Reported by FlawFinder.
include/linux/nfs_xdr.h
16 issues
Line: 1751
Column: 8
CWE codes:
362
20
Suggestion:
Reconsider approach
int (*lookupp) (struct inode *, struct nfs_fh *,
struct nfs_fattr *, struct nfs4_label *);
int (*access) (struct inode *, struct nfs_access_entry *);
int (*readlink)(struct inode *, struct page *, unsigned int,
unsigned int);
int (*create) (struct inode *, struct dentry *,
struct iattr *, int);
int (*remove) (struct inode *, struct dentry *);
void (*unlink_setup) (struct rpc_message *, struct dentry *, struct inode *);
Reported by FlawFinder.
Line: 462
Column: 8
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
int open_flags;
fmode_t fmode;
u32 share_access;
u32 access;
__u64 clientid;
struct stateowner_id id;
union {
struct {
struct iattr * attrs; /* UNCHECKED, GUARDED, EXCLUSIVE4_1 */
Reported by FlawFinder.
Line: 907
Column: 10
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct nfs3_accessargs {
struct nfs_fh * fh;
__u32 access;
};
struct nfs3_createargs {
struct nfs_fh * fh;
const char * name;
Reported by FlawFinder.
Line: 968
Column: 10
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct nfs3_accessres {
struct nfs_fattr * fattr;
__u32 access;
};
struct nfs3_readlinkargs {
struct nfs_fh * fh;
unsigned int pgbase;
Reported by FlawFinder.
Line: 1006
Column: 9
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct nfs4_sequence_args seq_args;
const struct nfs_fh * fh;
const u32 * bitmask;
u32 access;
};
struct nfs4_accessres {
struct nfs4_sequence_res seq_res;
const struct nfs_server * server;
Reported by FlawFinder.
Line: 1014
Column: 9
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
const struct nfs_server * server;
struct nfs_fattr * fattr;
u32 supported;
u32 access;
};
struct nfs4_create_arg {
struct nfs4_sequence_args seq_args;
u32 ftype;
Reported by FlawFinder.
Line: 1750
Column: 8
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct nfs4_label *);
int (*lookupp) (struct inode *, struct nfs_fh *,
struct nfs_fattr *, struct nfs4_label *);
int (*access) (struct inode *, struct nfs_access_entry *);
int (*readlink)(struct inode *, struct page *, unsigned int,
unsigned int);
int (*create) (struct inode *, struct dentry *,
struct iattr *, int);
int (*remove) (struct inode *, struct dentry *);
Reported by FlawFinder.
Line: 634
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* Arguments to the write call.
*/
struct nfs_write_verifier {
char data[8];
};
struct nfs_writeverf {
struct nfs_write_verifier verifier;
enum nfs3_stable_how committed;
Reported by FlawFinder.
Line: 1168
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const nfs4_verifier * sc_verifier;
u32 sc_prog;
unsigned int sc_netid_len;
char sc_netid[RPCBIND_MAXNETIDLEN + 1];
unsigned int sc_uaddr_len;
char sc_uaddr[RPCBIND_MAXUADDRLEN + 1];
struct nfs_client *sc_clnt;
struct rpc_cred *sc_cred;
};
Reported by FlawFinder.
Line: 1170
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int sc_netid_len;
char sc_netid[RPCBIND_MAXNETIDLEN + 1];
unsigned int sc_uaddr_len;
char sc_uaddr[RPCBIND_MAXUADDRLEN + 1];
struct nfs_client *sc_clnt;
struct rpc_cred *sc_cred;
};
struct nfs4_setclientid_res {
Reported by FlawFinder.
fs/udf/inode.c
16 issues
Line: 662
CWE codes:
908
extent.extLocation.partitionReferenceNum = 0;
extent.extLength = EXT_NOT_RECORDED_NOT_ALLOCATED;
} else {
epos.offset -= adsize;
etype = udf_next_aext(inode, &epos, &extent.extLocation,
&extent.extLength, 0);
extent.extLength |= etype << 30;
}
Reported by Cppcheck.
Line: 1764
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
eid = (struct regid *)dsea->impUse;
memset(eid, 0, sizeof(*eid));
strcpy(eid->ident, UDF_ID_DEVELOPER);
eid->identSuffix[0] = UDF_OS_CLASS_UNIX;
eid->identSuffix[1] = UDF_OS_ID_LINUX;
dsea->majorDeviceIdent = cpu_to_le32(imajor(inode));
dsea->minorDeviceIdent = cpu_to_le32(iminor(inode));
}
Reported by FlawFinder.
Line: 1788
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
udf_time_to_disk_stamp(&fe->modificationTime, inode->i_mtime);
udf_time_to_disk_stamp(&fe->attrTime, inode->i_ctime);
memset(&(fe->impIdent), 0, sizeof(struct regid));
strcpy(fe->impIdent.ident, UDF_ID_DEVELOPER);
fe->impIdent.identSuffix[0] = UDF_OS_CLASS_UNIX;
fe->impIdent.identSuffix[1] = UDF_OS_ID_LINUX;
fe->uniqueID = cpu_to_le64(iinfo->i_unique);
fe->lengthExtendedAttr = cpu_to_le32(iinfo->i_lenEAttr);
fe->lengthAllocDescs = cpu_to_le32(iinfo->i_lenAlloc);
Reported by FlawFinder.
Line: 1825
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
udf_time_to_disk_stamp(&efe->attrTime, inode->i_ctime);
memset(&(efe->impIdent), 0, sizeof(efe->impIdent));
strcpy(efe->impIdent.ident, UDF_ID_DEVELOPER);
efe->impIdent.identSuffix[0] = UDF_OS_CLASS_UNIX;
efe->impIdent.identSuffix[1] = UDF_OS_ID_LINUX;
efe->uniqueID = cpu_to_le64(iinfo->i_unique);
efe->lengthExtendedAttr = cpu_to_le32(iinfo->i_lenEAttr);
efe->lengthAllocDescs = cpu_to_le32(iinfo->i_lenAlloc);
Reported by FlawFinder.
Line: 103
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(iinfo->cached_extent.lstart != -1)) {
/* Cache hit */
*lbcount = iinfo->cached_extent.lstart;
memcpy(pos, &iinfo->cached_extent.epos,
sizeof(struct extent_position));
if (pos->bh)
get_bh(pos->bh);
ret = 1;
}
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__udf_clear_extent_cache(inode);
if (pos->bh)
get_bh(pos->bh);
memcpy(&iinfo->cached_extent.epos, pos, sizeof(*pos));
iinfo->cached_extent.lstart = estart;
switch (iinfo->i_alloc_type) {
case ICBTAG_FLAG_AD_SHORT:
iinfo->cached_extent.epos.offset -= sizeof(struct short_ad);
break;
Reported by FlawFinder.
Line: 292
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kaddr = kmap_atomic(page);
memset(kaddr + iinfo->i_lenAlloc, 0x00,
PAGE_SIZE - iinfo->i_lenAlloc);
memcpy(kaddr, iinfo->i_data + iinfo->i_lenEAttr,
iinfo->i_lenAlloc);
flush_dcache_page(page);
SetPageUptodate(page);
kunmap_atomic(kaddr);
}
Reported by FlawFinder.
Line: 315
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lock_page(page);
down_write(&iinfo->i_data_sem);
kaddr = kmap_atomic(page);
memcpy(iinfo->i_data + iinfo->i_lenEAttr, kaddr, inode->i_size);
kunmap_atomic(kaddr);
unlock_page(page);
iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB;
inode->i_data.a_ops = &udf_adinicb_aops;
up_write(&iinfo->i_data_sem);
Reported by FlawFinder.
Line: 1374
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ie->indirectICB.extLength) {
brelse(ibh);
memcpy(&iinfo->i_location, &loc,
sizeof(struct kernel_lb_addr));
if (++indirections > UDF_MAX_ICB_NESTING) {
udf_err(inode->i_sb,
"too many ICBs in ICB hierarchy"
" (max %d supported)\n",
Reported by FlawFinder.
Line: 1419
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct extendedFileEntry));
if (ret)
goto out;
memcpy(iinfo->i_data,
bh->b_data + sizeof(struct extendedFileEntry),
bs - sizeof(struct extendedFileEntry));
} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) {
iinfo->i_efe = 0;
iinfo->i_use = 0;
Reported by FlawFinder.
drivers/crypto/qat/qat_common/qat_uclo.c
16 issues
Line: 132
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned char *ptr = (unsigned char *)val;
while (num_in_bytes) {
memcpy(&outval, ptr, 4);
SRAM_WRITE(handle, addr, outval);
num_in_bytes -= 4;
ptr += 4;
addr += 4;
}
Reported by FlawFinder.
Line: 151
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
addr >>= 0x2; /* convert to uword address */
while (num_in_bytes) {
memcpy(&outval, ptr, 4);
qat_hal_wr_umem(handle, ae, addr++, 1, &outval);
num_in_bytes -= 4;
ptr += 4;
}
}
Reported by FlawFinder.
Line: 199
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int qat_uclo_parse_num(char *str, unsigned int *num)
{
char buf[16] = {0};
unsigned long ae = 0;
int i;
strncpy(buf, str, 15);
for (i = 0; i < 16; i++) {
Reported by FlawFinder.
Line: 385
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!fill_data)
return -ENOMEM;
for (i = 0; i < ICP_QAT_UCLO_MAX_USTORE; i++)
memcpy(&fill_data[i], &uof_image->fill_pattern,
sizeof(u64));
page = image->page;
for_each_set_bit(ae, &ae_mask, handle->hal_handle->ae_max_num) {
if (!test_bit(ae, (unsigned long *)&uof_image->ae_assigned))
Reported by FlawFinder.
Line: 1142
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct icp_qat_suof_img_hdr img_header;
if (img_id != num_simgs - 1) {
memcpy(&img_header, &suof_img_hdr[num_simgs - 1],
sizeof(*suof_img_hdr));
memcpy(&suof_img_hdr[num_simgs - 1], &suof_img_hdr[img_id],
sizeof(*suof_img_hdr));
memcpy(&suof_img_hdr[img_id], &img_header,
sizeof(*suof_img_hdr));
Reported by FlawFinder.
Line: 1144
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (img_id != num_simgs - 1) {
memcpy(&img_header, &suof_img_hdr[num_simgs - 1],
sizeof(*suof_img_hdr));
memcpy(&suof_img_hdr[num_simgs - 1], &suof_img_hdr[img_id],
sizeof(*suof_img_hdr));
memcpy(&suof_img_hdr[img_id], &img_header,
sizeof(*suof_img_hdr));
}
}
Reported by FlawFinder.
Line: 1146
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(*suof_img_hdr));
memcpy(&suof_img_hdr[num_simgs - 1], &suof_img_hdr[img_id],
sizeof(*suof_img_hdr));
memcpy(&suof_img_hdr[img_id], &img_header,
sizeof(*suof_img_hdr));
}
}
static int qat_uclo_map_suof(struct icp_qat_fw_loader_handle *handle,
Reported by FlawFinder.
Line: 1400
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
auth_desc->css_hdr_low = (unsigned int)bus_addr;
virt_addr = virt_base;
memcpy((void *)(uintptr_t)virt_addr, image, sizeof(*css_hdr));
/* pub key */
bus_addr = ADD_ADDR(auth_desc->css_hdr_high, auth_desc->css_hdr_low) +
sizeof(*css_hdr);
virt_addr = virt_addr + sizeof(*css_hdr);
Reported by FlawFinder.
Line: 1409
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
auth_desc->fwsk_pub_high = (unsigned int)(bus_addr >> BITS_IN_DWORD);
auth_desc->fwsk_pub_low = (unsigned int)bus_addr;
memcpy((void *)(uintptr_t)virt_addr,
(void *)(image + sizeof(*css_hdr)),
ICP_QAT_CSS_FWSK_MODULUS_LEN(handle));
/* padding */
memset((void *)(uintptr_t)(virt_addr + ICP_QAT_CSS_FWSK_MODULUS_LEN(handle)),
0, ICP_QAT_CSS_FWSK_PAD_LEN(handle));
Reported by FlawFinder.
Line: 1417
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
0, ICP_QAT_CSS_FWSK_PAD_LEN(handle));
/* exponent */
memcpy((void *)(uintptr_t)(virt_addr + ICP_QAT_CSS_FWSK_MODULUS_LEN(handle) +
ICP_QAT_CSS_FWSK_PAD_LEN(handle)),
(void *)(image + sizeof(*css_hdr) +
ICP_QAT_CSS_FWSK_MODULUS_LEN(handle)),
sizeof(unsigned int));
Reported by FlawFinder.
drivers/misc/lis3lv02d/lis3lv02d.c
16 issues
Line: 806
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
res = ok;
break;
}
return sprintf(buf, "%s %d %d %d\n", res,
values[0], values[1], values[2]);
}
static ssize_t lis3lv02d_position_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 820
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mutex_lock(&lis3->mutex);
lis3lv02d_get_xyz(lis3, &x, &y, &z);
mutex_unlock(&lis3->mutex);
return sprintf(buf, "(%d,%d,%d)\n", x, y, z);
}
static ssize_t lis3lv02d_rate_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 832
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
lis3lv02d_sysfs_poweron(lis3);
odr_idx = lis3lv02d_get_odr_index(lis3);
return sprintf(buf, "%d\n", lis3->odrs[odr_idx]);
}
static ssize_t lis3lv02d_rate_set(struct device *dev,
struct device_attribute *attr, const char *buf,
size_t count)
Reported by FlawFinder.
Line: 129
Column: 8
CWE codes:
120
20
{
u8 lo, hi;
lis3->read(lis3, reg - 1, &lo);
lis3->read(lis3, reg, &hi);
/* In "12 bit right justified" mode, bit 6, bit 7, bit 8 = bit 5 */
return (s16)((hi << 8) | lo);
}
Reported by FlawFinder.
Line: 130
Column: 8
CWE codes:
120
20
u8 lo, hi;
lis3->read(lis3, reg - 1, &lo);
lis3->read(lis3, reg, &hi);
/* In "12 bit right justified" mode, bit 6, bit 7, bit 8 = bit 5 */
return (s16)((hi << 8) | lo);
}
/* 12bits for 2G range, 13 bits for 4G range and 14 bits for 8G range */
Reported by FlawFinder.
Line: 250
Column: 8
CWE codes:
120
20
if (!rate)
return -EINVAL;
lis3->read(lis3, CTRL_REG1, &ctrl);
ctrl &= ~lis3->odr_mask;
len = 1 << hweight_long(lis3->odr_mask); /* # of possible values */
shift = ffs(lis3->odr_mask) - 1;
for (i = 0; i < len; i++)
Reported by FlawFinder.
tools/perf/util/llvm-utils.c
16 issues
Line: 80
Column: 8
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
output[0] = '\0';
if (def && def[0] != '\0') {
if (def[0] == '/') {
if (access(def, F_OK) == 0) {
strlcpy(output, def, PATH_MAX);
return 0;
}
} else if (def[0] != '\0')
name = def;
Reported by FlawFinder.
Line: 99
Column: 7
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
path = strtok_r(env, ":", &tmp);
while (path) {
scnprintf(buf, sizeof(buf), "%s/%s", path, name);
if (access(buf, F_OK) == 0) {
strlcpy(output, buf, PATH_MAX);
ret = 0;
break;
}
path = strtok_r(NULL, ":", &tmp);
Reported by FlawFinder.
Line: 121
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
size_t read_sz = 0, buf_sz = 0;
char serr[STRERR_BUFSIZE];
file = popen(cmd, "r");
if (!file) {
pr_err("ERROR: unable to popen cmd: %s\n",
str_error_r(errno, serr, sizeof(serr)));
return -EINVAL;
}
Reported by FlawFinder.
Line: 259
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (err < 0)
return -ENOMEM;
if (access(autoconf_path, R_OK) == 0) {
free(autoconf_path);
err = asprintf(kbuild_dir, "%s%s%s", prefix_dir, test_dir,
suffix_dir);
if (err < 0)
Reported by FlawFinder.
Line: 88
Column: 8
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
name = def;
}
env = getenv("PATH");
if (!env)
return -1;
env = strdup(env);
if (!env)
return -1;
Reported by FlawFinder.
Line: 451
Column: 24
CWE codes:
120/785!
Suggestion:
Ensure that the destination buffer is at least of size MAXPATHLEN, andto protect against implementation problems, the input argument should also be checked to ensure it is no larger than MAXPATHLEN
char *command_echo = NULL, *command_out;
char *perf_include_dir = system_path(PERF_INCLUDE_DIR);
if (path[0] != '-' && realpath(path, abspath) == NULL) {
err = errno;
pr_err("ERROR: problems with path %s: %s\n",
path, str_error_r(err, serr, sizeof(serr)));
return -err;
}
Reported by FlawFinder.
Line: 74
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *output)
{
char *env, *path, *tmp = NULL;
char buf[PATH_MAX];
int ret;
output[0] = '\0';
if (def && def[0] != '\0') {
if (def[0] == '/') {
Reported by FlawFinder.
Line: 119
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *buf = NULL;
FILE *file = NULL;
size_t read_sz = 0, buf_sz = 0;
char serr[STRERR_BUFSIZE];
file = popen(cmd, "r");
if (!file) {
pr_err("ERROR: unable to popen cmd: %s\n",
str_error_r(errno, serr, sizeof(serr)));
Reported by FlawFinder.
Line: 175
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* easier. If buf is not string, that '\0' is out of space
* indicated by read_sz so caller won't even notice it.
*/
((char *)buf)[read_sz] = '\0';
if (!p_buf)
free(buf);
else
*p_buf = buf;
Reported by FlawFinder.
Line: 237
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *suffix_dir = "";
/* _UTSNAME_LENGTH is 65 */
char release[128];
char *autoconf_path;
int err;
Reported by FlawFinder.
sound/core/oss/mixer_oss.c
16 issues
Line: 977
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_GLOBAL);
if (err)
return err;
sprintf(str, "%s Switch", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_GSWITCH);
if (err)
return err;
sprintf(str, "%s Route", ptr->name);
Reported by FlawFinder.
Line: 982
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_GSWITCH);
if (err)
return err;
sprintf(str, "%s Route", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_GROUTE);
if (err)
return err;
sprintf(str, "%s Volume", ptr->name);
Reported by FlawFinder.
Line: 987
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_GROUTE);
if (err)
return err;
sprintf(str, "%s Volume", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_GVOLUME);
if (err)
return err;
sprintf(str, "%s Playback Switch", ptr->name);
Reported by FlawFinder.
Line: 992
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_GVOLUME);
if (err)
return err;
sprintf(str, "%s Playback Switch", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_PSWITCH);
if (err)
return err;
sprintf(str, "%s Playback Route", ptr->name);
Reported by FlawFinder.
Line: 997
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_PSWITCH);
if (err)
return err;
sprintf(str, "%s Playback Route", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_PROUTE);
if (err)
return err;
sprintf(str, "%s Playback Volume", ptr->name);
Reported by FlawFinder.
Line: 1002
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_PROUTE);
if (err)
return err;
sprintf(str, "%s Playback Volume", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_PVOLUME);
if (err)
return err;
sprintf(str, "%s Capture Switch", ptr->name);
Reported by FlawFinder.
Line: 1007
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_PVOLUME);
if (err)
return err;
sprintf(str, "%s Capture Switch", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_CSWITCH);
if (err)
return err;
sprintf(str, "%s Capture Route", ptr->name);
Reported by FlawFinder.
Line: 1012
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_CSWITCH);
if (err)
return err;
sprintf(str, "%s Capture Route", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_CROUTE);
if (err)
return err;
sprintf(str, "%s Capture Volume", ptr->name);
Reported by FlawFinder.
Line: 1017
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
SNDRV_MIXER_OSS_ITEM_CROUTE);
if (err)
return err;
sprintf(str, "%s Capture Volume", ptr->name);
err = snd_mixer_oss_build_test(mixer, slot, str, ptr->index,
SNDRV_MIXER_OSS_ITEM_CVOLUME);
if (err)
return err;
Reported by FlawFinder.
Line: 1067
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
kfree(uinfo);
return 0;
}
strcpy(str, ptr->name);
if (!strcmp(str, "Master"))
strcpy(str, "Mix");
if (!strcmp(str, "Master Mono"))
strcpy(str, "Mix Mono");
slot.capture_item = 0;
Reported by FlawFinder.
drivers/crypto/padlock-sha.c
16 issues
Line: 78
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* We can't store directly to *out as it may be unaligned. */
/* BTW Don't reduce the buffer size below 128 Bytes!
* PadLock microcode needs it that big. */
char buf[128 + PADLOCK_ALIGNMENT - STACK_ALIGN] __attribute__
((aligned(STACK_ALIGN)));
char *result = PTR_ALIGN(&buf[0], PADLOCK_ALIGNMENT);
struct padlock_sha_desc *dctx = shash_desc_ctx(desc);
struct sha1_state state;
unsigned int space;
Reported by FlawFinder.
Line: 105
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
count -= space;
in += space;
} else {
memcpy(state.buffer + leftover, in, count);
in = state.buffer;
count += leftover;
state.count &= ~(SHA1_BLOCK_SIZE - 1);
}
}
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy(result, &state.state, SHA1_DIGEST_SIZE);
asm volatile (".byte 0xf3,0x0f,0xa6,0xc8" /* rep xsha1 */
: \
: "c"((unsigned long)state.count + count), \
"a"((unsigned long)state.count), \
Reported by FlawFinder.
Line: 139
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* We can't store directly to *out as it may be unaligned. */
/* BTW Don't reduce the buffer size below 128 Bytes!
* PadLock microcode needs it that big. */
char buf[128 + PADLOCK_ALIGNMENT - STACK_ALIGN] __attribute__
((aligned(STACK_ALIGN)));
char *result = PTR_ALIGN(&buf[0], PADLOCK_ALIGNMENT);
struct padlock_sha_desc *dctx = shash_desc_ctx(desc);
struct sha256_state state;
unsigned int space;
Reported by FlawFinder.
Line: 166
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
count -= space;
in += space;
} else {
memcpy(state.buf + leftover, in, count);
in = state.buf;
count += leftover;
state.count &= ~(SHA1_BLOCK_SIZE - 1);
}
}
Reported by FlawFinder.
Line: 173
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy(result, &state.state, SHA256_DIGEST_SIZE);
asm volatile (".byte 0xf3,0x0f,0xa6,0xd0" /* rep xsha256 */
: \
: "c"((unsigned long)state.count + count), \
"a"((unsigned long)state.count), \
Reported by FlawFinder.
Line: 295
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sctx->count += len;
done = 0;
src = data;
memcpy(dst, (u8 *)(sctx->state), SHA1_DIGEST_SIZE);
if ((partial + len) >= SHA1_BLOCK_SIZE) {
/* Append the bytes in state's buffer to a block to handle */
if (partial) {
Reported by FlawFinder.
Line: 302
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Append the bytes in state's buffer to a block to handle */
if (partial) {
done = -partial;
memcpy(sctx->buffer + partial, data,
done + SHA1_BLOCK_SIZE);
src = sctx->buffer;
asm volatile (".byte 0xf3,0x0f,0xa6,0xc8"
: "+S"(src), "+D"(dst) \
: "a"((long)-1), "c"((unsigned long)1));
Reported by FlawFinder.
Line: 323
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
partial = 0;
}
memcpy((u8 *)(sctx->state), dst, SHA1_DIGEST_SIZE);
memcpy(sctx->buffer + partial, src, len - done);
return 0;
}
Reported by FlawFinder.
Line: 324
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
partial = 0;
}
memcpy((u8 *)(sctx->state), dst, SHA1_DIGEST_SIZE);
memcpy(sctx->buffer + partial, src, len - done);
return 0;
}
static int padlock_sha1_final_nano(struct shash_desc *desc, u8 *out)
Reported by FlawFinder.