The following issues were found
drivers/crypto/n2_core.c
14 issues
Line: 1545
Column: 2
CWE codes:
120
Suggestion:
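Use sprintf_s, snprintf, or vsnprintf. In kernel code sprintf_s (C11 Annex K) is not available, so the bounded form is snprintf with the size of the destination. The destination is presumably the 32-byte irq_name array flagged at line 65 of this file, and the length of the irq_name argument is not visible in this excerpt.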
p->irq = dev->archdata.irqs[index];
sprintf(p->irq_name, "%s-%d", irq_name, index);
return request_irq(p->irq, handler, 0, p->irq_name, p);
}
static struct kmem_cache *queue_cache[2];
Reported by FlawFinder.
Line: 65
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long devino;
char irq_name[32];
unsigned int irq;
struct list_head list;
};
Reported by FlawFinder.
Line: 298
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct crypto_shash *child_shash;
int hash_key_len;
unsigned char hash_key[N2_HASH_KEY_MAX];
};
struct n2_hash_req_ctx {
union {
struct md5_state md5;
Reported by FlawFinder.
Line: 483
Column: 3
CWE codes:
120
Suggestion:
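Make sure destination can always hold the source data. In this excerpt the copy only runs under the `keylen <= N2_HASH_KEY_MAX` test on the preceding line, and the line-298 finding shows hash_key declared with N2_HASH_KEY_MAX bytes, so the bound is visible here. The branch taken for longer keys is only partly shown and should be confirmed in the full function.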
return err;
keylen = ds;
} else if (keylen <= N2_HASH_KEY_MAX)
memcpy(ctx->hash_key, key, keylen);
ctx->hash_key_len = keylen;
return err;
}
Reported by FlawFinder.
Line: 601
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_unlock_irqrestore(&qp->lock, flags);
if (!err)
memcpy(req->result, hash_loc, result_size);
out:
put_cpu();
return err;
}
Reported by FlawFinder.
Line: 616
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ds = n2alg->digest_size;
if (unlikely(req->nbytes == 0)) {
memcpy(req->result, n2alg->hash_zero, ds);
return 0;
}
memcpy(&rctx->u, n2alg->hash_init, n2alg->hw_op_hashsz);
return n2_do_async_digest(req, n2alg->auth_type,
Reported by FlawFinder.
Line: 619
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(req->result, n2alg->hash_zero, ds);
return 0;
}
memcpy(&rctx->u, n2alg->hash_init, n2alg->hw_op_hashsz);
return n2_do_async_digest(req, n2alg->auth_type,
n2alg->hw_op_hashsz, ds,
&rctx->u, 0UL, 0);
}
Reported by FlawFinder.
Line: 649
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return crypto_ahash_digest(&rctx->fallback_req);
}
memcpy(&rctx->u, n2alg->derived.hash_init,
n2alg->derived.hw_op_hashsz);
return n2_do_async_digest(req, n2alg->derived.hmac_type,
n2alg->derived.hw_op_hashsz, ds,
&rctx->u,
Reported by FlawFinder.
Line: 750
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ctx->key_len = keylen;
memcpy(ctx->key.aes, key, keylen);
return 0;
}
static int n2_des_setkey(struct crypto_skcipher *skcipher, const u8 *key,
unsigned int keylen)
Reported by FlawFinder.
Line: 769
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->enc_type = n2alg->enc_type;
ctx->key_len = keylen;
memcpy(ctx->key.des, key, keylen);
return 0;
}
static int n2_3des_setkey(struct crypto_skcipher *skcipher, const u8 *key,
unsigned int keylen)
Reported by FlawFinder.
drivers/of/unittest.c
14 issues
Line: 1416
CWE codes:
570
*/
extern uint8_t __dtb_testcases_begin[];
extern uint8_t __dtb_testcases_end[];
const int size = __dtb_testcases_end - __dtb_testcases_begin;
int rc;
void *ret;
if (!size) {
pr_warn("%s: testcases is empty\n", __func__);
Reported by Cppcheck.
Line: 284
Column: 9
CWE codes:
134
Suggestion:
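Use a constant for the format specification. Here fmt is a variable whose origin lies outside the excerpt. The finding matters only if some caller can supply a format string that is not a fixed test literal, so check the call sites before treating it as CWE-134.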
/* Baseline; check conversion with a large size limit */
memset(buf, 0xff, buf_size);
size = snprintf(buf, buf_size - 2, fmt, np);
/* use strcmp() instead of strncmp() here to be absolutely sure strings match */
unittest((strcmp(buf, expected) == 0) && (buf[size+1] == 0xff),
"sprintf failed; fmt='%s' expected='%s' rslt='%s'\n",
fmt, expected, buf);
Reported by FlawFinder.
Line: 296
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
for (i = 0; i < 2; i++, size--) {
/* Clear the buffer, and make sure it works correctly still */
memset(buf, 0xff, buf_size);
snprintf(buf, size+1, fmt, np);
unittest(strncmp(buf, expected, size) == 0 && (buf[size+1] == 0xff),
"snprintf failed; size=%i fmt='%s' expected='%s' rslt='%s'\n",
size, fmt, expected, buf);
}
kfree(buf);
Reported by FlawFinder.
Line: 308
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct device_node *np;
const char *full_name = "/testcase-data/platform-tests/test-device@1/dev@100";
char phandle_str[16] = "";
np = of_find_node_by_path(full_name);
if (!np) {
unittest(np, "testcase data missing\n");
return;
Reported by FlawFinder.
Line: 685
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void __init of_unittest_property_string(void)
{
const char *strings[4];
struct device_node *np;
int rc;
np = of_find_node_by_path("/testcase-data/phandle-tests/consumer-a");
if (!np) {
Reported by FlawFinder.
Line: 1431
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
unittest_data_align = PTR_ALIGN(unittest_data, FDT_ALIGN_SIZE);
memcpy(unittest_data_align, __dtb_testcases_begin, size);
ret = of_fdt_unflatten_tree(unittest_data_align, NULL, &unittest_data_node);
if (!ret) {
pr_warn("%s: unflatten testcases tree failed\n", __func__);
kfree(unittest_data);
Reported by FlawFinder.
Line: 1856
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *unittest_path(int nr, enum overlay_type ovtype)
{
const char *base;
static char buf[256];
switch (ovtype) {
case PDEV_OVERLAY:
base = "/testcase-data/overlay-node/test-bus";
break;
Reported by FlawFinder.
Line: 1891
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *overlay_name_from_nr(int nr)
{
static char buf[256];
snprintf(buf, sizeof(buf) - 1,
"overlay_%d", nr);
buf[sizeof(buf) - 1] = '\0';
Reported by FlawFinder.
Line: 2971
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(new_fdt, info->dtb_begin, size);
__unflatten_device_tree(new_fdt, NULL, &overlay_base_root,
dt_alloc_memory, true);
}
Reported by FlawFinder.
Line: 186
Column: 17
CWE codes:
126
/* Add a new property - should pass*/
prop->name = "new-property";
prop->value = "new-property-data";
prop->length = strlen(prop->value) + 1;
unittest(of_add_property(np, prop) == 0, "Adding a new property failed\n");
/* Try to add an existing property - should fail */
prop++;
prop->name = "new-property";
Reported by FlawFinder.
arch/mips/boot/elf2ecoff.c
14 issues
Line: 70
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void copy(int out, int in, off_t offset, off_t size)
{
char ibuf[4096];
int remaining, cur, count;
/* Go to the start of the ELF symbol table... */
if (lseek(in, offset, SEEK_SET) < 0) {
perror("copy: lseek");
Reported by FlawFinder.
Line: 300
Column: 16
CWE codes:
362
}
/* Try the input file... */
if ((infile = open(argv[1], O_RDONLY)) < 0) {
fprintf(stderr, "Can't open %s for read: %s\n",
argv[1], strerror(errno));
exit(1);
}
Reported by FlawFinder.
Line: 449
Column: 2
CWE codes:
120
Suggestion:
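Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The sources in this excerpt are string literals of at most 7 bytes including the terminator, so whether these copies can overflow depends only on the declared size of s_name, which the excerpt does not show.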
efh.f_flags = 0x100f; /* Stripped, not sharable. */
memset(esecs, 0, sizeof esecs);
strcpy(esecs[0].s_name, ".text");
strcpy(esecs[1].s_name, ".data");
strcpy(esecs[2].s_name, ".bss");
if (addflag) {
strcpy(esecs[3].s_name, ".rdata");
strcpy(esecs[4].s_name, ".sdata");
Reported by FlawFinder.
Line: 450
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
memset(esecs, 0, sizeof esecs);
strcpy(esecs[0].s_name, ".text");
strcpy(esecs[1].s_name, ".data");
strcpy(esecs[2].s_name, ".bss");
if (addflag) {
strcpy(esecs[3].s_name, ".rdata");
strcpy(esecs[4].s_name, ".sdata");
strcpy(esecs[5].s_name, ".sbss");
Reported by FlawFinder.
Line: 451
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
memset(esecs, 0, sizeof esecs);
strcpy(esecs[0].s_name, ".text");
strcpy(esecs[1].s_name, ".data");
strcpy(esecs[2].s_name, ".bss");
if (addflag) {
strcpy(esecs[3].s_name, ".rdata");
strcpy(esecs[4].s_name, ".sdata");
strcpy(esecs[5].s_name, ".sbss");
}
Reported by FlawFinder.
Line: 453
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(esecs[1].s_name, ".data");
strcpy(esecs[2].s_name, ".bss");
if (addflag) {
strcpy(esecs[3].s_name, ".rdata");
strcpy(esecs[4].s_name, ".sdata");
strcpy(esecs[5].s_name, ".sbss");
}
esecs[0].s_paddr = esecs[0].s_vaddr = eah.text_start;
esecs[1].s_paddr = esecs[1].s_vaddr = eah.data_start;
Reported by FlawFinder.
Line: 454
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(esecs[2].s_name, ".bss");
if (addflag) {
strcpy(esecs[3].s_name, ".rdata");
strcpy(esecs[4].s_name, ".sdata");
strcpy(esecs[5].s_name, ".sbss");
}
esecs[0].s_paddr = esecs[0].s_vaddr = eah.text_start;
esecs[1].s_paddr = esecs[1].s_vaddr = eah.data_start;
esecs[2].s_paddr = esecs[2].s_vaddr = eah.bss_start;
Reported by FlawFinder.
Line: 455
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (addflag) {
strcpy(esecs[3].s_name, ".rdata");
strcpy(esecs[4].s_name, ".sdata");
strcpy(esecs[5].s_name, ".sbss");
}
esecs[0].s_paddr = esecs[0].s_vaddr = eah.text_start;
esecs[1].s_paddr = esecs[1].s_vaddr = eah.data_start;
esecs[2].s_paddr = esecs[2].s_vaddr = eah.bss_start;
if (addflag) {
Reported by FlawFinder.
Line: 507
Column: 17
CWE codes:
362
}
/* Make the output file... */
if ((outfile = open(argv[2], O_WRONLY | O_CREAT, 0777)) < 0) {
fprintf(stderr, "Unable to create %s: %s\n", argv[2],
strerror(errno));
exit(1);
}
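Reported by FlawFinder. For triage: the call uses O_WRONLY | O_CREAT without O_EXCL or O_NOFOLLOW, so an existing file or symlink at argv[2] is opened as it stands. This matters mainly when the output directory is writable by another user.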
Line: 570
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (ph[i].p_type == PT_LOAD && ph[i].p_filesz) {
if (cur_vma != ph[i].p_vaddr) {
uint32_t gap = ph[i].p_vaddr - cur_vma;
char obuf[1024];
if (gap > 65536) {
fprintf(stderr,
"Intersegment gap (%"PRId32" bytes) too large.\n",
gap);
exit(1);
Reported by FlawFinder.
security/keys/request_key.c
14 issues
Line: 122
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct cred *cred = current_cred();
key_serial_t prkey, sskey;
struct key *key = rka->target_key, *keyring, *session, *user_session;
char *argv[9], *envp[3], uid_str[12], gid_str[12];
char key_str[12], keyring_str[3][12];
char desc[20];
int ret, i;
kenter("{%d},{%d},%s", key->serial, authkey->serial, rka->op);
Reported by FlawFinder.
Line: 123
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
key_serial_t prkey, sskey;
struct key *key = rka->target_key, *keyring, *session, *user_session;
char *argv[9], *envp[3], uid_str[12], gid_str[12];
char key_str[12], keyring_str[3][12];
char desc[20];
int ret, i;
kenter("{%d},{%d},%s", key->serial, authkey->serial, rka->op);
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct key *key = rka->target_key, *keyring, *session, *user_session;
char *argv[9], *envp[3], uid_str[12], gid_str[12];
char key_str[12], keyring_str[3][12];
char desc[20];
int ret, i;
kenter("{%d},{%d},%s", key->serial, authkey->serial, rka->op);
ret = look_up_user_keyrings(NULL, &user_session);
Reported by FlawFinder.
Line: 134
Column: 2
CWE codes:
120
Suggestion:
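Use sprintf_s, snprintf, or vsnprintf. For triage: desc is declared as char[20] in the findings above, and "_req.%u" with a 32-bit argument expands to at most 15 characters plus the terminator, so the call fits as written. snprintf(desc, sizeof(desc), ...) would make that bound explicit; sprintf_s is not available in kernel code.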
goto error_us;
/* allocate a new session keyring */
sprintf(desc, "_req.%u", key->serial);
cred = get_current_cred();
keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred,
KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
KEY_ALLOC_QUOTA_OVERRUN, NULL, NULL);
Reported by FlawFinder.
Line: 152
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
goto error_link;
/* record the UID and GID */
sprintf(uid_str, "%d", from_kuid(&init_user_ns, cred->fsuid));
sprintf(gid_str, "%d", from_kgid(&init_user_ns, cred->fsgid));
/* we say which key is under construction */
sprintf(key_str, "%d", key->serial);
Reported by FlawFinder.
Line: 153
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* record the UID and GID */
sprintf(uid_str, "%d", from_kuid(&init_user_ns, cred->fsuid));
sprintf(gid_str, "%d", from_kgid(&init_user_ns, cred->fsgid));
/* we say which key is under construction */
sprintf(key_str, "%d", key->serial);
/* we specify the process's default keyrings */
Reported by FlawFinder.
Line: 156
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(gid_str, "%d", from_kgid(&init_user_ns, cred->fsgid));
/* we say which key is under construction */
sprintf(key_str, "%d", key->serial);
/* we specify the process's default keyrings */
sprintf(keyring_str[0], "%d",
cred->thread_keyring ? cred->thread_keyring->serial : 0);
Reported by FlawFinder.
Line: 159
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(key_str, "%d", key->serial);
/* we specify the process's default keyrings */
sprintf(keyring_str[0], "%d",
cred->thread_keyring ? cred->thread_keyring->serial : 0);
prkey = 0;
if (cred->process_keyring)
prkey = cred->process_keyring->serial;
Reported by FlawFinder.
Line: 165
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
prkey = 0;
if (cred->process_keyring)
prkey = cred->process_keyring->serial;
sprintf(keyring_str[1], "%d", prkey);
session = cred->session_keyring;
if (!session)
session = user_session;
sskey = session->serial;
Reported by FlawFinder.
Line: 172
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
session = user_session;
sskey = session->serial;
sprintf(keyring_str[2], "%d", sskey);
/* set up a minimal environment */
i = 0;
envp[i++] = "HOME=/";
envp[i++] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
Reported by FlawFinder.
drivers/nvdimm/core.c
14 issues
Line: 320
Column: 10
CWE codes:
120
Suggestion:
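Use sprintf_s, snprintf, or vsnprintf. The DEVICE_ATTR_RO line after the function suggests this is a sysfs show callback. The kernel helpers sysfs_emit() and sysfs_emit_at() are the bounded equivalents for the page-sized sysfs buffer, and sprintf_s does not exist in kernel code.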
struct nvdimm_bus_descriptor *nd_desc = nvdimm_bus->nd_desc;
for_each_set_bit(cmd, &nd_desc->cmd_mask, BITS_PER_LONG)
len += sprintf(buf + len, "%s ", nvdimm_bus_cmd_name(cmd));
len += sprintf(buf + len, "\n");
return len;
}
static DEVICE_ATTR_RO(commands);
Reported by FlawFinder.
Line: 344
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct nvdimm_bus *nvdimm_bus = to_nvdimm_bus(dev);
return sprintf(buf, "%s\n", nvdimm_bus_provider(nvdimm_bus));
}
static DEVICE_ATTR_RO(provider);
static int flush_namespaces(struct device *dev, void *data)
{
Reported by FlawFinder.
Line: 237
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
str++;
}
memcpy(uuid_out, uuid, sizeof(uuid));
return 0;
}
/**
* nd_uuid_store: common implementation for writing 'uuid' sysfs attributes
Reported by FlawFinder.
Line: 280
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; supported[i]; i++)
if (current_size == supported[i])
len += sprintf(buf + len, "[%ld] ", supported[i]);
else
len += sprintf(buf + len, "%ld ", supported[i]);
len += sprintf(buf + len, "\n");
return len;
}
Reported by FlawFinder.
Line: 282
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (current_size == supported[i])
len += sprintf(buf + len, "[%ld] ", supported[i]);
else
len += sprintf(buf + len, "%ld ", supported[i]);
len += sprintf(buf + len, "\n");
return len;
}
ssize_t nd_size_select_store(struct device *dev, const char *buf,
Reported by FlawFinder.
Line: 377
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
nd_synchronize();
device_for_each_child(dev, NULL, flush_regions_dimms);
return sprintf(buf, "1\n");
}
static DEVICE_ATTR_RO(wait_probe);
static struct attribute *nvdimm_bus_attributes[] = {
&dev_attr_commands.attr,
Reported by FlawFinder.
Line: 408
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (cap) {
case NVDIMM_FWA_CAP_QUIESCE:
return sprintf(buf, "quiesce\n");
case NVDIMM_FWA_CAP_LIVE:
return sprintf(buf, "live\n");
default:
return -EOPNOTSUPP;
}
Reported by FlawFinder.
Line: 410
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case NVDIMM_FWA_CAP_QUIESCE:
return sprintf(buf, "quiesce\n");
case NVDIMM_FWA_CAP_LIVE:
return sprintf(buf, "live\n");
default:
return -EOPNOTSUPP;
}
}
Reported by FlawFinder.
Line: 439
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (state) {
case NVDIMM_FWA_IDLE:
return sprintf(buf, "idle\n");
case NVDIMM_FWA_BUSY:
return sprintf(buf, "busy\n");
case NVDIMM_FWA_ARMED:
return sprintf(buf, "armed\n");
case NVDIMM_FWA_ARM_OVERFLOW:
Reported by FlawFinder.
Line: 441
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case NVDIMM_FWA_IDLE:
return sprintf(buf, "idle\n");
case NVDIMM_FWA_BUSY:
return sprintf(buf, "busy\n");
case NVDIMM_FWA_ARMED:
return sprintf(buf, "armed\n");
case NVDIMM_FWA_ARM_OVERFLOW:
return sprintf(buf, "overflow\n");
default:
Reported by FlawFinder.
fs/jfs/xattr.c
14 issues
Line: 1017
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
err = -ENOMEM;
break;
}
strcpy(name, XATTR_SECURITY_PREFIX);
strcpy(name + XATTR_SECURITY_PREFIX_LEN, xattr->name);
err = __jfs_setxattr(*tid, inode, name,
xattr->value, xattr->value_len, 0);
kfree(name);
Reported by FlawFinder.
Line: 1018
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
break;
}
strcpy(name, XATTR_SECURITY_PREFIX);
strcpy(name + XATTR_SECURITY_PREFIX_LEN, xattr->name);
err = __jfs_setxattr(*tid, inode, name,
xattr->value, xattr->value_len, 0);
kfree(name);
if (err < 0)
Reported by FlawFinder.
Line: 108
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int len = ea->namelen;
if (!is_known_namespace(ea->name)) {
memcpy(buffer, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN);
buffer += XATTR_OS2_PREFIX_LEN;
len += XATTR_OS2_PREFIX_LEN;
}
memcpy(buffer, ea->name, ea->namelen);
buffer[ea->namelen] = 0;
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buffer += XATTR_OS2_PREFIX_LEN;
len += XATTR_OS2_PREFIX_LEN;
}
memcpy(buffer, ea->name, ea->namelen);
buffer[ea->namelen] = 0;
return len;
}
Reported by FlawFinder.
Line: 165
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
DXDsize(ea, size);
DXDlength(ea, 0);
DXDaddress(ea, 0);
memcpy(ji->i_inline_ea, ealist, size);
ea->flag = DXD_INLINE;
ji->mode2 &= ~INLINEEA;
} else {
ea->flag = 0;
DXDsize(ea, 0);
Reported by FlawFinder.
Line: 261
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto failed;
}
memcpy(mp->data, cp, nb);
/*
* We really need a way to propagate errors for
* forced writes like this one. --hch
*
Reported by FlawFinder.
Line: 334
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
!= ea_size)
return -EIO;
memcpy(ealist, ji->i_inline_ea, ea_size);
return 0;
}
/*
* NAME: ea_read
Reported by FlawFinder.
Line: 399
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!(mp = read_metapage(ip, blkno + i, bytes_to_read, 1)))
return -EIO;
memcpy(cp, mp->data, nb);
release_metapage(mp);
cp += PSIZE;
nbytes -= nb;
}
Reported by FlawFinder.
Line: 758
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ea->flag = 0;
ea->namelen = namelen;
ea->valuelen = (cpu_to_le16(value_len));
memcpy(ea->name, name, namelen);
ea->name[namelen] = 0;
if (value_len)
memcpy(&ea->name[namelen + 1], value, value_len);
xattr_size += EA_SIZE(ea);
}
Reported by FlawFinder.
Line: 761
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ea->name, name, namelen);
ea->name[namelen] = 0;
if (value_len)
memcpy(&ea->name[namelen + 1], value, value_len);
xattr_size += EA_SIZE(ea);
}
/* DEBUG - If we did this right, these number match */
if (xattr_size != new_size) {
Reported by FlawFinder.
drivers/mtd/tests/torturetest.c
14 issues
Line: 73
Column: 43
CWE codes:
120
20
static int pgsize;
static ktime_t start, finish;
static void report_corrupt(unsigned char *read, unsigned char *written);
static inline void start_timing(void)
{
start = ktime_get();
}
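Reported by FlawFinder. For triage: column 43 of the flagged line is the parameter name `read` in the report_corrupt() prototype, not a call to read(). FlawFinder matches on identifier names, and the other torturetest.c entries below appear to follow the same pattern, so each needs manual confirmation before being treated as CWE-120/CWE-20.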
Line: 92
Column: 9
CWE codes:
120
20
static inline int check_eraseblock(int ebnum, unsigned char *buf)
{
int err, retries = 0;
size_t read;
loff_t addr = (loff_t)ebnum * mtd->erasesize;
size_t len = mtd->erasesize;
if (pgcnt) {
addr = (loff_t)(ebnum + 1) * mtd->erasesize - pgcnt * pgsize;
Reported by FlawFinder.
Line: 102
Column: 34
CWE codes:
120
20
}
retry:
err = mtd_read(mtd, addr, len, &read, check_buf);
if (mtd_is_bitflip(err))
pr_err("single bit flip occurred at EB %d "
"MTD reported that it was fixed.\n", ebnum);
else if (err) {
pr_err("error %d while reading EB %d, "
Reported by FlawFinder.
Line: 108
Column: 36
CWE codes:
120
20
"MTD reported that it was fixed.\n", ebnum);
else if (err) {
pr_err("error %d while reading EB %d, "
"read %zd\n", err, ebnum, read);
return err;
}
if (read != len) {
pr_err("failed to read %zd bytes from EB %d, "
Reported by FlawFinder.
Line: 112
Column: 6
CWE codes:
120
20
return err;
}
if (read != len) {
pr_err("failed to read %zd bytes from EB %d, "
"read only %zd, but no error reported\n",
len, ebnum, read);
return -EIO;
}
Reported by FlawFinder.
Line: 115
Column: 22
CWE codes:
120
20
if (read != len) {
pr_err("failed to read %zd bytes from EB %d, "
"read only %zd, but no error reported\n",
len, ebnum, read);
return -EIO;
}
if (memcmp(buf, check_buf, len)) {
pr_err("read wrong data from EB %d\n", ebnum);
Reported by FlawFinder.
Line: 364
Column: 39
CWE codes:
120
20
static int countdiffs(unsigned char *buf, unsigned char *check_buf,
unsigned offset, unsigned len, unsigned *bytesp,
unsigned *bitsp);
static void print_bufs(unsigned char *read, unsigned char *written, int start,
int len);
/*
* Report the detailed information about how the read EB differs from what was
* written.
Reported by FlawFinder.
Line: 371
Column: 43
CWE codes:
120
20
* Report the detailed information about how the read EB differs from what was
* written.
*/
static void report_corrupt(unsigned char *read, unsigned char *written)
{
int i;
int bytes, bits, pages, first;
int offset, len;
size_t check_len = mtd->erasesize;
Reported by FlawFinder.
Line: 383
Column: 27
CWE codes:
120
20
bytes = bits = pages = 0;
for (i = 0; i < check_len; i += pgsize)
if (countdiffs(written, read, i, pgsize, &bytes,
&bits) >= 0)
pages++;
pr_info("verify fails on %d pages, %d bytes/%d bits\n",
pages, bytes, bits);
Reported by FlawFinder.
Line: 395
Column: 31
CWE codes:
120
20
for (i = 0; i < check_len; i += pgsize) {
cond_resched();
bytes = bits = 0;
first = countdiffs(written, read, i, pgsize, &bytes,
&bits);
if (first < 0)
continue;
printk("-------------------------------------------------------"
Reported by FlawFinder.
drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
14 issues
Line: 1205
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
num_stats = ARRAY_SIZE(qlcnic_tx_queue_stats_strings);
for (i = 0; i < adapter->drv_tx_rings; i++) {
for (index = 0; index < num_stats; index++) {
sprintf(data, "tx_queue_%d %s", i,
qlcnic_tx_queue_stats_strings[index]);
data += ETH_GSTRING_LEN;
}
}
Reported by FlawFinder.
Line: 17
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "qlcnic.h"
struct qlcnic_stats {
char stat_string[ETH_GSTRING_LEN];
int sizeof_stat;
int stat_offset;
};
#define QLC_SIZEOF(m) sizeof_field(struct qlcnic_adapter, m)
Reported by FlawFinder.
Line: 1028
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(data, 0x4e, QLCNIC_ILB_PKT_SIZE);
memcpy(data, mac, ETH_ALEN);
memcpy(data + ETH_ALEN, mac, ETH_ALEN);
memcpy(data + 2 * ETH_ALEN, random_data, sizeof(random_data));
}
Reported by FlawFinder.
Line: 1029
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(data, 0x4e, QLCNIC_ILB_PKT_SIZE);
memcpy(data, mac, ETH_ALEN);
memcpy(data + ETH_ALEN, mac, ETH_ALEN);
memcpy(data + 2 * ETH_ALEN, random_data, sizeof(random_data));
}
int qlcnic_check_loopback_buff(unsigned char *data, u8 mac[])
Reported by FlawFinder.
Line: 1031
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(data, mac, ETH_ALEN);
memcpy(data + ETH_ALEN, mac, ETH_ALEN);
memcpy(data + 2 * ETH_ALEN, random_data, sizeof(random_data));
}
int qlcnic_check_loopback_buff(unsigned char *data, u8 mac[])
{
unsigned char buff[QLCNIC_ILB_PKT_SIZE];
Reported by FlawFinder.
Line: 1036
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int qlcnic_check_loopback_buff(unsigned char *data, u8 mac[])
{
unsigned char buff[QLCNIC_ILB_PKT_SIZE];
qlcnic_create_loopback_buff(buff, mac);
return memcmp(data, buff, QLCNIC_ILB_PKT_SIZE);
}
int qlcnic_do_lb_test(struct qlcnic_adapter *adapter, u8 mode)
Reported by FlawFinder.
Line: 1198
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (stringset) {
case ETH_SS_TEST:
memcpy(data, *qlcnic_gstrings_test,
QLCNIC_TEST_LEN * ETH_GSTRING_LEN);
break;
case ETH_SS_STATS:
num_stats = ARRAY_SIZE(qlcnic_tx_queue_stats_strings);
for (i = 0; i < adapter->drv_tx_rings; i++) {
Reported by FlawFinder.
Line: 1212
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (index = 0; index < QLCNIC_STATS_LEN; index++) {
memcpy(data + index * ETH_GSTRING_LEN,
qlcnic_gstrings_stats[index].stat_string,
ETH_GSTRING_LEN);
}
if (qlcnic_83xx_check(adapter)) {
Reported by FlawFinder.
Line: 1220
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (qlcnic_83xx_check(adapter)) {
num_stats = ARRAY_SIZE(qlcnic_83xx_tx_stats_strings);
for (i = 0; i < num_stats; i++, index++)
memcpy(data + index * ETH_GSTRING_LEN,
qlcnic_83xx_tx_stats_strings[i],
ETH_GSTRING_LEN);
num_stats = ARRAY_SIZE(qlcnic_83xx_mac_stats_strings);
for (i = 0; i < num_stats; i++, index++)
memcpy(data + index * ETH_GSTRING_LEN,
Reported by FlawFinder.
Line: 1225
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ETH_GSTRING_LEN);
num_stats = ARRAY_SIZE(qlcnic_83xx_mac_stats_strings);
for (i = 0; i < num_stats; i++, index++)
memcpy(data + index * ETH_GSTRING_LEN,
qlcnic_83xx_mac_stats_strings[i],
ETH_GSTRING_LEN);
num_stats = ARRAY_SIZE(qlcnic_83xx_rx_stats_strings);
for (i = 0; i < num_stats; i++, index++)
memcpy(data + index * ETH_GSTRING_LEN,
Reported by FlawFinder.
lib/test-string_helpers.c
14 issues
Line: 80
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int len = strlen(strings[i].in);
/* Copy string to in buffer */
memcpy(&in[p], s, len);
p += len;
/* Copy expected result for given flags */
if (flags & strings[i].flags) {
s = strings[i].out;
Reported by FlawFinder.
Line: 88
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
s = strings[i].out;
len = strlen(strings[i].out);
}
memcpy(&out_test[q_test], s, len);
q_test += len;
}
in[p++] = '\0';
/* Call string_unescape and compare result */
Reported by FlawFinder.
Line: 95
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Call string_unescape and compare result */
if (inplace) {
memcpy(out_real, in, p);
if (flags == UNESCAPE_ANY)
q_real = string_unescape_any_inplace(out_real);
else
q_real = string_unescape_inplace(out_real, flags);
} else if (flags == UNESCAPE_ANY) {
Reported by FlawFinder.
Line: 454
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy string to in buffer */
len = strlen(s2->in);
memcpy(&in[p], s2->in, len);
p += len;
/* Copy expected result for given flags */
len = strlen(out);
memcpy(&out_test[q_test], out, len);
Reported by FlawFinder.
Line: 459
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy expected result for given flags */
len = strlen(out);
memcpy(&out_test[q_test], out, len);
q_test += len;
}
q_real = string_escape_mem(in, p, out_real, out_size, flags, esc);
Reported by FlawFinder.
Line: 507
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *exp_result10,
const char *exp_result2)
{
char buf10[string_get_size_maxbuf];
char buf2[string_get_size_maxbuf];
string_get_size(size, blk_size, STRING_UNITS_10, buf10, sizeof(buf10));
string_get_size(size, blk_size, STRING_UNITS_2, buf2, sizeof(buf2));
Reported by FlawFinder.
Line: 508
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *exp_result2)
{
char buf10[string_get_size_maxbuf];
char buf2[string_get_size_maxbuf];
string_get_size(size, blk_size, STRING_UNITS_10, buf10, sizeof(buf10));
string_get_size(size, blk_size, STRING_UNITS_2, buf2, sizeof(buf2));
test_string_get_size_check("STRING_UNITS_10", exp_result10, buf10,
Reported by FlawFinder.
Line: 77
Column: 13
CWE codes:
126
for (i = 0; i < ARRAY_SIZE(strings); i++) {
const char *s = strings[i].in;
int len = strlen(strings[i].in);
/* Copy string to in buffer */
memcpy(&in[p], s, len);
p += len;
Reported by FlawFinder.
Line: 86
Column: 10
CWE codes:
126
/* Copy expected result for given flags */
if (flags & strings[i].flags) {
s = strings[i].out;
len = strlen(strings[i].out);
}
memcpy(&out_test[q_test], s, len);
q_test += len;
}
in[p++] = '\0';
Reported by FlawFinder.
Line: 453
Column: 9
CWE codes:
126
continue;
/* Copy string to in buffer */
len = strlen(s2->in);
memcpy(&in[p], s2->in, len);
p += len;
/* Copy expected result for given flags */
len = strlen(out);
Reported by FlawFinder.
drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
14 issues
Line: 688
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__func__, (u32)offset);
return;
}
memcpy(buf, &data, size);
}
void qlcnic_83xx_write_crb(struct qlcnic_adapter *adapter, char *buf,
loff_t offset, size_t size)
{
Reported by FlawFinder.
Line: 696
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u32 data;
memcpy(&data, buf, size);
qlcnic_83xx_wrt_reg_indirect(adapter, (u32) offset, data);
}
int qlcnic_83xx_get_port_info(struct qlcnic_adapter *adapter)
{
Reported by FlawFinder.
Line: 1106
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sds_mbx.intrpt_id = 0xffff;
sds_mbx.intrpt_val = 0;
buf = &cmd.req.arg[index];
memcpy(buf, &sds_mbx, sds_mbx_size);
index += sds_mbx_size / sizeof(u32);
}
/* send the mailbox command */
err = ahw->hw_ops->mbx_cmd(adapter, &cmd);
Reported by FlawFinder.
Line: 1227
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sds_mbx.intrpt_id = 0xffff;
sds_mbx.intrpt_val = 0;
buf = &cmd.req.arg[index];
memcpy(buf, &sds_mbx, sds_mbx_size);
index += sds_mbx_size / sizeof(u32);
}
/* set up receive rings, mbx 88-111/135 */
index = QLCNIC_HOST_RDS_MBX_IDX;
rds = &recv_ctx->rds_rings[0];
Reported by FlawFinder.
Line: 1247
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rds_mbx.jmb_ring_sz = rds->dma_size;
rds_mbx.jmb_ring_len = rds->num_desc;
buf = &cmd.req.arg[index];
memcpy(buf, &rds_mbx, rds_mbx_size);
/* send the mailbox command */
err = ahw->hw_ops->mbx_cmd(adapter, &cmd);
if (err) {
dev_err(&adapter->pdev->dev,
Reported by FlawFinder.
Line: 1367
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd.req.arg[5] = QLCNIC_SINGLE_RING | temp;
buf = &cmd.req.arg[6];
memcpy(buf, &mbx, sizeof(struct qlcnic_tx_mbx));
/* send the mailbox command*/
err = qlcnic_issue_cmd(adapter, &cmd);
if (err) {
netdev_err(adapter->netdev,
"Failed to create Tx ctx in firmware 0x%x\n", err);
Reported by FlawFinder.
Line: 2000
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
temp_ip = swab32(ntohl(ip));
memcpy(&cmd.req.arg[2], &temp_ip, sizeof(u32));
err = qlcnic_issue_cmd(adapter, &cmd);
if (err != QLCNIC_RCODE_SUCCESS)
dev_err(&adapter->netdev->dev,
"could not notify %s IP 0x%x request\n",
(mode == QLCNIC_IP_UP) ? "Add" : "Remove", ip);
Reported by FlawFinder.
Line: 2065
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
((0x7ULL) << 16);
cmd.req.arg[1] = (adapter->recv_ctx->context_id);
cmd.req.arg[2] = word;
memcpy(&cmd.req.arg[4], key, sizeof(key));
err = qlcnic_issue_cmd(adapter, &cmd);
if (err)
dev_info(&adapter->pdev->dev, "RSS config failed\n");
Reported by FlawFinder.
Line: 2124
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mv.mac_addr4 = addr[4];
mv.mac_addr5 = addr[5];
buf = &cmd->req.arg[2];
memcpy(buf, &mv, sizeof(struct qlcnic_macvlan_mbx));
err = qlcnic_issue_cmd(adapter, cmd);
if (!err)
return err;
qlcnic_free_mbx_args(cmd);
Reported by FlawFinder.
Line: 2140
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct qlcnic_host_tx_ring *tx_ring)
{
u8 mac[ETH_ALEN];
memcpy(&mac, addr, ETH_ALEN);
qlcnic_83xx_sre_macaddr_change(adapter, mac, vlan_id, QLCNIC_MAC_ADD);
}
static void qlcnic_83xx_configure_mac(struct qlcnic_adapter *adapter, u8 *mac,
u8 type, struct qlcnic_cmd_args *cmd)
Reported by FlawFinder.