The following issues were found
drivers/xen/xen-scsiback.c
14 issues
Line: 1667
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t
scsiback_wwn_version_show(struct config_item *item, char *page)
{
return sprintf(page, "xen-pvscsi fabric module %s on %s/%s on "
UTS_RELEASE"\n",
VSCSI_VERSION, utsname()->sysname, utsname()->machine);
}
CONFIGFS_ATTR_RO(scsiback_wwn_, version);
Reported by FlawFinder.
Line: 155
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Binary World Wide unique Port Name for pvscsi Target port */
u64 tport_wwpn;
/* ASCII formatted WWPN for pvscsi Target port */
char tport_name[VSCSI_NAMELEN];
/* Returned by scsiback_make_tport() */
struct se_wwn tport_wwn;
};
struct scsiback_tpg {
Reported by FlawFinder.
Line: 178
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Returned by scsiback_make_tpg() */
struct se_portal_group se_tpg;
/* alias used in xenstore */
char param_alias[VSCSI_NAMELEN];
/* list of info structures related to this target portal group */
struct list_head info_list;
};
#define SCSIBACK_INVALID_HANDLE (~0)
Reported by FlawFinder.
Line: 308
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
&sshdr)) {
len = min_t(unsigned, 8 + sense_buffer[7],
VSCSIIF_SENSE_BUFFERSIZE);
memcpy(ring_res->sense_buffer, sense_buffer, len);
ring_res->sense_len = len;
} else {
ring_res->sense_len = 0;
}
Reported by FlawFinder.
Line: 680
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pending_req->v2p = v2p;
pending_req->sc_data_direction = ring_req->sc_data_direction;
pending_req->cmd_len = ring_req->cmd_len;
memcpy(pending_req->cmnd, ring_req->cmnd, pending_req->cmd_len);
return pending_req;
}
static int scsiback_do_cmd_fn(struct vscsibk_info *info,
Reported by FlawFinder.
Line: 1028
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ids_tuple vir;
char *val;
int device_state;
char phy[VSCSI_NAMELEN];
char str[64];
char state[64];
struct xenbus_device *dev = info->dev;
/* read status */
Reported by FlawFinder.
Line: 1029
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *val;
int device_state;
char phy[VSCSI_NAMELEN];
char str[64];
char state[64];
struct xenbus_device *dev = info->dev;
/* read status */
snprintf(state, sizeof(state), "vscsi-devs/%s/state", ent);
Reported by FlawFinder.
Line: 1030
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int device_state;
char phy[VSCSI_NAMELEN];
char str[64];
char state[64];
struct xenbus_device *dev = info->dev;
/* read status */
snprintf(state, sizeof(state), "vscsi-devs/%s/state", ent);
err = xenbus_scanf(XBT_NIL, dev->nodename, state, "%u", &device_state);
Reported by FlawFinder.
Line: 1589
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct scsiback_tpg *tpg = container_of(se_tpg,
struct scsiback_tpg, se_tpg);
struct scsiback_tport *tport_wwn = tpg->tport;
unsigned char i_port[VSCSI_NAMELEN], *ptr, *port_ptr;
int ret;
/*
* Shutdown the active I_T nexus if 'NULL' is passed.
*/
if (!strncmp(page, "NULL", 4)) {
Reported by FlawFinder.
Line: 1324
Column: 6
CWE codes:
126
return ERR_PTR(-EINVAL);
check_len:
if (strlen(name) >= VSCSI_NAMELEN) {
pr_err("Emulated %s Address: %s, exceeds max: %d\n", name,
scsiback_dump_proto_id(tport), VSCSI_NAMELEN);
kfree(tport);
return ERR_PTR(-EINVAL);
}
Reported by FlawFinder.
drivers/nvdimm/core.c
14 issues
Line: 320
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct nvdimm_bus_descriptor *nd_desc = nvdimm_bus->nd_desc;
for_each_set_bit(cmd, &nd_desc->cmd_mask, BITS_PER_LONG)
len += sprintf(buf + len, "%s ", nvdimm_bus_cmd_name(cmd));
len += sprintf(buf + len, "\n");
return len;
}
static DEVICE_ATTR_RO(commands);
Reported by FlawFinder.
Line: 344
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct nvdimm_bus *nvdimm_bus = to_nvdimm_bus(dev);
return sprintf(buf, "%s\n", nvdimm_bus_provider(nvdimm_bus));
}
static DEVICE_ATTR_RO(provider);
static int flush_namespaces(struct device *dev, void *data)
{
Reported by FlawFinder.
Line: 237
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
str++;
}
memcpy(uuid_out, uuid, sizeof(uuid));
return 0;
}
/**
* nd_uuid_store: common implementation for writing 'uuid' sysfs attributes
Reported by FlawFinder.
Line: 280
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; supported[i]; i++)
if (current_size == supported[i])
len += sprintf(buf + len, "[%ld] ", supported[i]);
else
len += sprintf(buf + len, "%ld ", supported[i]);
len += sprintf(buf + len, "\n");
return len;
}
Reported by FlawFinder.
Line: 282
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (current_size == supported[i])
len += sprintf(buf + len, "[%ld] ", supported[i]);
else
len += sprintf(buf + len, "%ld ", supported[i]);
len += sprintf(buf + len, "\n");
return len;
}
ssize_t nd_size_select_store(struct device *dev, const char *buf,
Reported by FlawFinder.
Line: 377
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
nd_synchronize();
device_for_each_child(dev, NULL, flush_regions_dimms);
return sprintf(buf, "1\n");
}
static DEVICE_ATTR_RO(wait_probe);
static struct attribute *nvdimm_bus_attributes[] = {
&dev_attr_commands.attr,
Reported by FlawFinder.
Line: 408
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (cap) {
case NVDIMM_FWA_CAP_QUIESCE:
return sprintf(buf, "quiesce\n");
case NVDIMM_FWA_CAP_LIVE:
return sprintf(buf, "live\n");
default:
return -EOPNOTSUPP;
}
Reported by FlawFinder.
Line: 410
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case NVDIMM_FWA_CAP_QUIESCE:
return sprintf(buf, "quiesce\n");
case NVDIMM_FWA_CAP_LIVE:
return sprintf(buf, "live\n");
default:
return -EOPNOTSUPP;
}
}
Reported by FlawFinder.
Line: 439
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (state) {
case NVDIMM_FWA_IDLE:
return sprintf(buf, "idle\n");
case NVDIMM_FWA_BUSY:
return sprintf(buf, "busy\n");
case NVDIMM_FWA_ARMED:
return sprintf(buf, "armed\n");
case NVDIMM_FWA_ARM_OVERFLOW:
Reported by FlawFinder.
Line: 441
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case NVDIMM_FWA_IDLE:
return sprintf(buf, "idle\n");
case NVDIMM_FWA_BUSY:
return sprintf(buf, "busy\n");
case NVDIMM_FWA_ARMED:
return sprintf(buf, "armed\n");
case NVDIMM_FWA_ARM_OVERFLOW:
return sprintf(buf, "overflow\n");
default:
Reported by FlawFinder.
drivers/net/xen-netback/hash.c
14 issues
Line: 46
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!new)
return;
memcpy(new->tag, tag, len);
new->len = len;
new->val = val;
spin_lock_irqsave(&vif->hash.cache.lock, flags);
Reported by FlawFinder.
Line: 195
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(flags & XEN_NETIF_CTRL_HASH_TYPE_IPV4_TCP)) {
u8 data[12];
memcpy(&data[0], &flow.addrs.v4addrs.src, 4);
memcpy(&data[4], &flow.addrs.v4addrs.dst, 4);
memcpy(&data[8], &flow.ports.src, 2);
memcpy(&data[10], &flow.ports.dst, 2);
hash = xenvif_find_hash(vif, data, sizeof(data));
Reported by FlawFinder.
Line: 196
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 data[12];
memcpy(&data[0], &flow.addrs.v4addrs.src, 4);
memcpy(&data[4], &flow.addrs.v4addrs.dst, 4);
memcpy(&data[8], &flow.ports.src, 2);
memcpy(&data[10], &flow.ports.dst, 2);
hash = xenvif_find_hash(vif, data, sizeof(data));
type = PKT_HASH_TYPE_L4;
Reported by FlawFinder.
Line: 197
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&data[0], &flow.addrs.v4addrs.src, 4);
memcpy(&data[4], &flow.addrs.v4addrs.dst, 4);
memcpy(&data[8], &flow.ports.src, 2);
memcpy(&data[10], &flow.ports.dst, 2);
hash = xenvif_find_hash(vif, data, sizeof(data));
type = PKT_HASH_TYPE_L4;
} else if (flags & XEN_NETIF_CTRL_HASH_TYPE_IPV4) {
Reported by FlawFinder.
Line: 198
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&data[0], &flow.addrs.v4addrs.src, 4);
memcpy(&data[4], &flow.addrs.v4addrs.dst, 4);
memcpy(&data[8], &flow.ports.src, 2);
memcpy(&data[10], &flow.ports.dst, 2);
hash = xenvif_find_hash(vif, data, sizeof(data));
type = PKT_HASH_TYPE_L4;
} else if (flags & XEN_NETIF_CTRL_HASH_TYPE_IPV4) {
u8 data[8];
Reported by FlawFinder.
Line: 205
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else if (flags & XEN_NETIF_CTRL_HASH_TYPE_IPV4) {
u8 data[8];
memcpy(&data[0], &flow.addrs.v4addrs.src, 4);
memcpy(&data[4], &flow.addrs.v4addrs.dst, 4);
hash = xenvif_find_hash(vif, data, sizeof(data));
type = PKT_HASH_TYPE_L3;
}
Reported by FlawFinder.
Line: 206
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 data[8];
memcpy(&data[0], &flow.addrs.v4addrs.src, 4);
memcpy(&data[4], &flow.addrs.v4addrs.dst, 4);
hash = xenvif_find_hash(vif, data, sizeof(data));
type = PKT_HASH_TYPE_L3;
}
Reported by FlawFinder.
Line: 219
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(flags & XEN_NETIF_CTRL_HASH_TYPE_IPV6_TCP)) {
u8 data[36];
memcpy(&data[0], &flow.addrs.v6addrs.src, 16);
memcpy(&data[16], &flow.addrs.v6addrs.dst, 16);
memcpy(&data[32], &flow.ports.src, 2);
memcpy(&data[34], &flow.ports.dst, 2);
hash = xenvif_find_hash(vif, data, sizeof(data));
Reported by FlawFinder.
Line: 220
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 data[36];
memcpy(&data[0], &flow.addrs.v6addrs.src, 16);
memcpy(&data[16], &flow.addrs.v6addrs.dst, 16);
memcpy(&data[32], &flow.ports.src, 2);
memcpy(&data[34], &flow.ports.dst, 2);
hash = xenvif_find_hash(vif, data, sizeof(data));
type = PKT_HASH_TYPE_L4;
Reported by FlawFinder.
Line: 221
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&data[0], &flow.addrs.v6addrs.src, 16);
memcpy(&data[16], &flow.addrs.v6addrs.dst, 16);
memcpy(&data[32], &flow.ports.src, 2);
memcpy(&data[34], &flow.ports.dst, 2);
hash = xenvif_find_hash(vif, data, sizeof(data));
type = PKT_HASH_TYPE_L4;
} else if (flags & XEN_NETIF_CTRL_HASH_TYPE_IPV6) {
Reported by FlawFinder.
lib/test_printf.c
14 issues
Line: 51
Column: 8
CWE codes:
134
Suggestion:
Use a constant for the format specification
memset(alloced_buffer, FILL_CHAR, BUF_SIZE + 2*PAD_SIZE);
va_copy(aq, ap);
ret = vsnprintf(test_buffer, bufsize, fmt, aq);
va_end(aq);
if (ret != elen) {
pr_warn("vsnprintf(buf, %d, \"%s\", ...) returned %d, expected %d\n",
bufsize, fmt, ret, elen);
Reported by FlawFinder.
Line: 646
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
page_flags |= (pft[i].value & pft[i].mask) << pft[i].shift;
snprintf(cmp_buf + size, BUF_SIZE - size, "%s=", pft[i].name);
size = strlen(cmp_buf);
snprintf(cmp_buf + size, BUF_SIZE - size, pft[i].fmt,
pft[i].value & pft[i].mask);
size = strlen(cmp_buf);
append = true;
}
Reported by FlawFinder.
Line: 224
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int __init
plain_format(void)
{
char buf[PLAIN_BUF_SIZE];
int nchars;
nchars = snprintf(buf, PLAIN_BUF_SIZE, "%p", PTR);
if (nchars != PTR_WIDTH)
Reported by FlawFinder.
Line: 284
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int __init
plain_hash(void)
{
char buf[PLAIN_BUF_SIZE];
int ret;
ret = plain_hash_to_buffer(PTR, buf, PLAIN_BUF_SIZE);
if (ret)
return ret;
Reported by FlawFinder.
Line: 329
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void __init
test_hashed(const char *fmt, const void *p)
{
char buf[PLAIN_BUF_SIZE];
int ret;
/*
* No need to increase failed test counter since this is assumed
* to be called after plain().
Reported by FlawFinder.
Line: 404
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void __init
hex_string(void)
{
const char buf[3] = {0xc0, 0xff, 0xee};
test("c0 ff ee|c0:ff:ee|c0-ff-ee|c0ffee",
"%3ph|%3phC|%3phD|%3phN", buf, buf, buf, buf);
test("c0 ff ee|c0:ff:ee|c0-ff-ee|c0ffee",
"%*ph|%*phC|%*phD|%*phN", 3, buf, 3, buf, 3, buf, 3, buf);
Reported by FlawFinder.
Line: 454
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void __init
uuid(void)
{
const char uuid[16] = {0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7,
0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf};
test("00010203-0405-0607-0809-0a0b0c0d0e0f", "%pUb", uuid);
test("00010203-0405-0607-0809-0A0B0C0D0E0F", "%pUB", uuid);
test("03020100-0504-0706-0809-0a0b0c0d0e0f", "%pUl", uuid);
Reported by FlawFinder.
Line: 137
Column: 17
CWE codes:
126
}
#define test(expect, fmt, ...) \
__test(expect, strlen(expect), fmt, ##__VA_ARGS__)
static void __init
test_basic(void)
{
/* Work around annoying "warning: zero-length gnu_printf format string". */
Reported by FlawFinder.
Line: 238
Column: 26
CWE codes:
126
return 0;
}
if (strncmp(buf, ZEROS, strlen(ZEROS)) != 0)
return -1;
return 0;
}
Reported by FlawFinder.
Line: 621
Column: 10
CWE codes:
126
if (flags) {
page_flags |= flags;
snprintf(cmp_buf + size, BUF_SIZE - size, "%s", name);
size = strlen(cmp_buf);
#if SECTIONS_WIDTH || NODES_WIDTH || ZONES_WIDTH || \
LAST_CPUPID_WIDTH || KASAN_TAG_WIDTH
/* Other information also included in page flags */
snprintf(cmp_buf + size, BUF_SIZE - size, "|");
size = strlen(cmp_buf);
Reported by FlawFinder.
lib/test-string_helpers.c
14 issues
Line: 80
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int len = strlen(strings[i].in);
/* Copy string to in buffer */
memcpy(&in[p], s, len);
p += len;
/* Copy expected result for given flags */
if (flags & strings[i].flags) {
s = strings[i].out;
Reported by FlawFinder.
Line: 88
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
s = strings[i].out;
len = strlen(strings[i].out);
}
memcpy(&out_test[q_test], s, len);
q_test += len;
}
in[p++] = '\0';
/* Call string_unescape and compare result */
Reported by FlawFinder.
Line: 95
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Call string_unescape and compare result */
if (inplace) {
memcpy(out_real, in, p);
if (flags == UNESCAPE_ANY)
q_real = string_unescape_any_inplace(out_real);
else
q_real = string_unescape_inplace(out_real, flags);
} else if (flags == UNESCAPE_ANY) {
Reported by FlawFinder.
Line: 454
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy string to in buffer */
len = strlen(s2->in);
memcpy(&in[p], s2->in, len);
p += len;
/* Copy expected result for given flags */
len = strlen(out);
memcpy(&out_test[q_test], out, len);
Reported by FlawFinder.
Line: 459
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy expected result for given flags */
len = strlen(out);
memcpy(&out_test[q_test], out, len);
q_test += len;
}
q_real = string_escape_mem(in, p, out_real, out_size, flags, esc);
Reported by FlawFinder.
Line: 507
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *exp_result10,
const char *exp_result2)
{
char buf10[string_get_size_maxbuf];
char buf2[string_get_size_maxbuf];
string_get_size(size, blk_size, STRING_UNITS_10, buf10, sizeof(buf10));
string_get_size(size, blk_size, STRING_UNITS_2, buf2, sizeof(buf2));
Reported by FlawFinder.
Line: 508
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *exp_result2)
{
char buf10[string_get_size_maxbuf];
char buf2[string_get_size_maxbuf];
string_get_size(size, blk_size, STRING_UNITS_10, buf10, sizeof(buf10));
string_get_size(size, blk_size, STRING_UNITS_2, buf2, sizeof(buf2));
test_string_get_size_check("STRING_UNITS_10", exp_result10, buf10,
Reported by FlawFinder.
Line: 77
Column: 13
CWE codes:
126
for (i = 0; i < ARRAY_SIZE(strings); i++) {
const char *s = strings[i].in;
int len = strlen(strings[i].in);
/* Copy string to in buffer */
memcpy(&in[p], s, len);
p += len;
Reported by FlawFinder.
Line: 86
Column: 10
CWE codes:
126
/* Copy expected result for given flags */
if (flags & strings[i].flags) {
s = strings[i].out;
len = strlen(strings[i].out);
}
memcpy(&out_test[q_test], s, len);
q_test += len;
}
in[p++] = '\0';
Reported by FlawFinder.
Line: 453
Column: 9
CWE codes:
126
continue;
/* Copy string to in buffer */
len = strlen(s2->in);
memcpy(&in[p], s2->in, len);
p += len;
/* Copy expected result for given flags */
len = strlen(out);
Reported by FlawFinder.
drivers/scsi/fnic/fnic_fcs.c
14 issues
Line: 395
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vlan = (struct fip_vlan *)eth_fr;
memset(vlan, 0, sizeof(*vlan));
memcpy(vlan->eth.h_source, fip->ctl_src_addr, ETH_ALEN);
memcpy(vlan->eth.h_dest, fcoe_all_fcfs, ETH_ALEN);
vlan->eth.h_proto = htons(ETH_P_FIP);
vlan->fip.fip_ver = FIP_VER_ENCAPS(FIP_VER);
vlan->fip.fip_op = htons(FIP_OP_VLAN);
Reported by FlawFinder.
Line: 396
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(vlan, 0, sizeof(*vlan));
memcpy(vlan->eth.h_source, fip->ctl_src_addr, ETH_ALEN);
memcpy(vlan->eth.h_dest, fcoe_all_fcfs, ETH_ALEN);
vlan->eth.h_proto = htons(ETH_P_FIP);
vlan->fip.fip_ver = FIP_VER_ENCAPS(FIP_VER);
vlan->fip.fip_op = htons(FIP_OP_VLAN);
vlan->fip.fip_subcode = FIP_SC_VL_REQ;
Reported by FlawFinder.
Line: 406
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vlan->desc.mac.fd_desc.fip_dtype = FIP_DT_MAC;
vlan->desc.mac.fd_desc.fip_dlen = sizeof(vlan->desc.mac) / FIP_BPW;
memcpy(&vlan->desc.mac.fd_mac, fip->ctl_src_addr, ETH_ALEN);
vlan->desc.wwnn.fd_desc.fip_dtype = FIP_DT_NAME;
vlan->desc.wwnn.fd_desc.fip_dlen = sizeof(vlan->desc.wwnn) / FIP_BPW;
put_unaligned_be64(fip->lp->wwnn, &vlan->desc.wwnn.fd_wwn);
atomic64_inc(&fnic_stats->vlan_stats.vlan_disc_reqs);
Reported by FlawFinder.
Line: 738
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
FNIC_FCS_DBG(KERN_DEBUG, fnic->lport->host, "update_mac %pM\n", new);
if (!is_zero_ether_addr(data) && !ether_addr_equal(data, ctl))
vnic_dev_del_addr(fnic->vdev, data);
memcpy(data, new, ETH_ALEN);
if (!ether_addr_equal(new, ctl))
vnic_dev_add_addr(fnic->vdev, new);
}
/**
Reported by FlawFinder.
Line: 1033
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!fnic->vlan_hw_insert) {
eth_hdr = (struct ethhdr *)skb_mac_header(skb);
vlan_hdr = skb_push(skb, sizeof(*vlan_hdr) - sizeof(*eth_hdr));
memcpy(vlan_hdr, eth_hdr, 2 * ETH_ALEN);
vlan_hdr->h_vlan_proto = htons(ETH_P_8021Q);
vlan_hdr->h_vlan_encapsulated_proto = eth_hdr->h_proto;
vlan_hdr->h_vlan_TCI = htons(fnic->vlan_id);
if ((fnic_fc_trace_set_data(fnic->lport->host->host_no,
FNIC_FC_SEND|0x80, (char *)eth_hdr, skb->len)) != 0) {
Reported by FlawFinder.
Line: 1113
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (fnic->ctlr.map_dest)
fc_fcoe_set_mac(eth_hdr->h_dest, fh->fh_d_id);
else
memcpy(eth_hdr->h_dest, fnic->ctlr.dest_addr, ETH_ALEN);
memcpy(eth_hdr->h_source, fnic->data_src_addr, ETH_ALEN);
tot_len = skb->len;
BUG_ON(tot_len % 4);
Reported by FlawFinder.
Line: 1114
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fc_fcoe_set_mac(eth_hdr->h_dest, fh->fh_d_id);
else
memcpy(eth_hdr->h_dest, fnic->ctlr.dest_addr, ETH_ALEN);
memcpy(eth_hdr->h_source, fnic->data_src_addr, ETH_ALEN);
tot_len = skb->len;
BUG_ON(tot_len % 4);
memset(fcoe_hdr, 0, sizeof(*fcoe_hdr));
Reported by FlawFinder.
Line: 116
Column: 5
CWE codes:
126
spin_unlock_irqrestore(&fnic->fnic_lock, flags);
fnic_fc_trace_set_data(fnic->lport->host->host_no,
FNIC_FC_LE, "Link Status: DOWN->DOWN",
strlen("Link Status: DOWN->DOWN"));
} else {
if (old_link_down_cnt != fnic->link_down_cnt) {
/* UP -> DOWN -> UP */
fnic->lport->host_stats.link_failure_count++;
spin_unlock_irqrestore(&fnic->fnic_lock, flags);
Reported by FlawFinder.
Line: 126
Column: 6
CWE codes:
126
fnic->lport->host->host_no,
FNIC_FC_LE,
"Link Status:UP_DOWN_UP",
strlen("Link_Status:UP_DOWN_UP")
);
FNIC_FCS_DBG(KERN_DEBUG, fnic->lport->host,
"link down\n");
fcoe_ctlr_link_down(&fnic->ctlr);
if (fnic->config.flags & VFCF_FIP_CAPABLE) {
Reported by FlawFinder.
Line: 137
Column: 7
CWE codes:
126
fnic->lport->host->host_no,
FNIC_FC_LE,
"Link Status: UP_DOWN_UP_VLAN",
strlen(
"Link Status: UP_DOWN_UP_VLAN")
);
fnic_fcoe_send_vlan_req(fnic);
return;
}
Reported by FlawFinder.
drivers/mtd/tests/torturetest.c
14 issues
Line: 73
Column: 43
CWE codes:
120
20
static int pgsize;
static ktime_t start, finish;
static void report_corrupt(unsigned char *read, unsigned char *written);
static inline void start_timing(void)
{
start = ktime_get();
}
Reported by FlawFinder.
Line: 92
Column: 9
CWE codes:
120
20
static inline int check_eraseblock(int ebnum, unsigned char *buf)
{
int err, retries = 0;
size_t read;
loff_t addr = (loff_t)ebnum * mtd->erasesize;
size_t len = mtd->erasesize;
if (pgcnt) {
addr = (loff_t)(ebnum + 1) * mtd->erasesize - pgcnt * pgsize;
Reported by FlawFinder.
Line: 102
Column: 34
CWE codes:
120
20
}
retry:
err = mtd_read(mtd, addr, len, &read, check_buf);
if (mtd_is_bitflip(err))
pr_err("single bit flip occurred at EB %d "
"MTD reported that it was fixed.\n", ebnum);
else if (err) {
pr_err("error %d while reading EB %d, "
Reported by FlawFinder.
Line: 108
Column: 36
CWE codes:
120
20
"MTD reported that it was fixed.\n", ebnum);
else if (err) {
pr_err("error %d while reading EB %d, "
"read %zd\n", err, ebnum, read);
return err;
}
if (read != len) {
pr_err("failed to read %zd bytes from EB %d, "
Reported by FlawFinder.
Line: 112
Column: 6
CWE codes:
120
20
return err;
}
if (read != len) {
pr_err("failed to read %zd bytes from EB %d, "
"read only %zd, but no error reported\n",
len, ebnum, read);
return -EIO;
}
Reported by FlawFinder.
Line: 115
Column: 22
CWE codes:
120
20
if (read != len) {
pr_err("failed to read %zd bytes from EB %d, "
"read only %zd, but no error reported\n",
len, ebnum, read);
return -EIO;
}
if (memcmp(buf, check_buf, len)) {
pr_err("read wrong data from EB %d\n", ebnum);
Reported by FlawFinder.
Line: 364
Column: 39
CWE codes:
120
20
static int countdiffs(unsigned char *buf, unsigned char *check_buf,
unsigned offset, unsigned len, unsigned *bytesp,
unsigned *bitsp);
static void print_bufs(unsigned char *read, unsigned char *written, int start,
int len);
/*
* Report the detailed information about how the read EB differs from what was
* written.
Reported by FlawFinder.
Line: 371
Column: 43
CWE codes:
120
20
* Report the detailed information about how the read EB differs from what was
* written.
*/
static void report_corrupt(unsigned char *read, unsigned char *written)
{
int i;
int bytes, bits, pages, first;
int offset, len;
size_t check_len = mtd->erasesize;
Reported by FlawFinder.
Line: 383
Column: 27
CWE codes:
120
20
bytes = bits = pages = 0;
for (i = 0; i < check_len; i += pgsize)
if (countdiffs(written, read, i, pgsize, &bytes,
&bits) >= 0)
pages++;
pr_info("verify fails on %d pages, %d bytes/%d bits\n",
pages, bytes, bits);
Reported by FlawFinder.
Line: 395
Column: 31
CWE codes:
120
20
for (i = 0; i < check_len; i += pgsize) {
cond_resched();
bytes = bits = 0;
first = countdiffs(written, read, i, pgsize, &bytes,
&bits);
if (first < 0)
continue;
printk("-------------------------------------------------------"
Reported by FlawFinder.
fs/jfs/xattr.c
14 issues
Line: 1017
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
err = -ENOMEM;
break;
}
strcpy(name, XATTR_SECURITY_PREFIX);
strcpy(name + XATTR_SECURITY_PREFIX_LEN, xattr->name);
err = __jfs_setxattr(*tid, inode, name,
xattr->value, xattr->value_len, 0);
kfree(name);
Reported by FlawFinder.
Line: 1018
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
break;
}
strcpy(name, XATTR_SECURITY_PREFIX);
strcpy(name + XATTR_SECURITY_PREFIX_LEN, xattr->name);
err = __jfs_setxattr(*tid, inode, name,
xattr->value, xattr->value_len, 0);
kfree(name);
if (err < 0)
Reported by FlawFinder.
Line: 108
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int len = ea->namelen;
if (!is_known_namespace(ea->name)) {
memcpy(buffer, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN);
buffer += XATTR_OS2_PREFIX_LEN;
len += XATTR_OS2_PREFIX_LEN;
}
memcpy(buffer, ea->name, ea->namelen);
buffer[ea->namelen] = 0;
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buffer += XATTR_OS2_PREFIX_LEN;
len += XATTR_OS2_PREFIX_LEN;
}
memcpy(buffer, ea->name, ea->namelen);
buffer[ea->namelen] = 0;
return len;
}
Reported by FlawFinder.
Line: 165
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
DXDsize(ea, size);
DXDlength(ea, 0);
DXDaddress(ea, 0);
memcpy(ji->i_inline_ea, ealist, size);
ea->flag = DXD_INLINE;
ji->mode2 &= ~INLINEEA;
} else {
ea->flag = 0;
DXDsize(ea, 0);
Reported by FlawFinder.
Line: 261
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto failed;
}
memcpy(mp->data, cp, nb);
/*
* We really need a way to propagate errors for
* forced writes like this one. --hch
*
Reported by FlawFinder.
Line: 334
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
!= ea_size)
return -EIO;
memcpy(ealist, ji->i_inline_ea, ea_size);
return 0;
}
/*
* NAME: ea_read
Reported by FlawFinder.
Line: 399
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!(mp = read_metapage(ip, blkno + i, bytes_to_read, 1)))
return -EIO;
memcpy(cp, mp->data, nb);
release_metapage(mp);
cp += PSIZE;
nbytes -= nb;
}
Reported by FlawFinder.
Line: 758
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ea->flag = 0;
ea->namelen = namelen;
ea->valuelen = (cpu_to_le16(value_len));
memcpy(ea->name, name, namelen);
ea->name[namelen] = 0;
if (value_len)
memcpy(&ea->name[namelen + 1], value, value_len);
xattr_size += EA_SIZE(ea);
}
Reported by FlawFinder.
Line: 761
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ea->name, name, namelen);
ea->name[namelen] = 0;
if (value_len)
memcpy(&ea->name[namelen + 1], value, value_len);
xattr_size += EA_SIZE(ea);
}
/* DEBUG - If we did this right, these number match */
if (xattr_size != new_size) {
Reported by FlawFinder.
drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
14 issues
Line: 688
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__func__, (u32)offset);
return;
}
memcpy(buf, &data, size);
}
void qlcnic_83xx_write_crb(struct qlcnic_adapter *adapter, char *buf,
loff_t offset, size_t size)
{
Reported by FlawFinder.
Line: 696
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u32 data;
memcpy(&data, buf, size);
qlcnic_83xx_wrt_reg_indirect(adapter, (u32) offset, data);
}
int qlcnic_83xx_get_port_info(struct qlcnic_adapter *adapter)
{
Reported by FlawFinder.
Line: 1106
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sds_mbx.intrpt_id = 0xffff;
sds_mbx.intrpt_val = 0;
buf = &cmd.req.arg[index];
memcpy(buf, &sds_mbx, sds_mbx_size);
index += sds_mbx_size / sizeof(u32);
}
/* send the mailbox command */
err = ahw->hw_ops->mbx_cmd(adapter, &cmd);
Reported by FlawFinder.
Line: 1227
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sds_mbx.intrpt_id = 0xffff;
sds_mbx.intrpt_val = 0;
buf = &cmd.req.arg[index];
memcpy(buf, &sds_mbx, sds_mbx_size);
index += sds_mbx_size / sizeof(u32);
}
/* set up receive rings, mbx 88-111/135 */
index = QLCNIC_HOST_RDS_MBX_IDX;
rds = &recv_ctx->rds_rings[0];
Reported by FlawFinder.
Line: 1247
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rds_mbx.jmb_ring_sz = rds->dma_size;
rds_mbx.jmb_ring_len = rds->num_desc;
buf = &cmd.req.arg[index];
memcpy(buf, &rds_mbx, rds_mbx_size);
/* send the mailbox command */
err = ahw->hw_ops->mbx_cmd(adapter, &cmd);
if (err) {
dev_err(&adapter->pdev->dev,
Reported by FlawFinder.
Line: 1367
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd.req.arg[5] = QLCNIC_SINGLE_RING | temp;
buf = &cmd.req.arg[6];
memcpy(buf, &mbx, sizeof(struct qlcnic_tx_mbx));
/* send the mailbox command*/
err = qlcnic_issue_cmd(adapter, &cmd);
if (err) {
netdev_err(adapter->netdev,
"Failed to create Tx ctx in firmware 0x%x\n", err);
Reported by FlawFinder.
Line: 2000
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
temp_ip = swab32(ntohl(ip));
memcpy(&cmd.req.arg[2], &temp_ip, sizeof(u32));
err = qlcnic_issue_cmd(adapter, &cmd);
if (err != QLCNIC_RCODE_SUCCESS)
dev_err(&adapter->netdev->dev,
"could not notify %s IP 0x%x request\n",
(mode == QLCNIC_IP_UP) ? "Add" : "Remove", ip);
Reported by FlawFinder.
Line: 2065
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
((0x7ULL) << 16);
cmd.req.arg[1] = (adapter->recv_ctx->context_id);
cmd.req.arg[2] = word;
memcpy(&cmd.req.arg[4], key, sizeof(key));
err = qlcnic_issue_cmd(adapter, &cmd);
if (err)
dev_info(&adapter->pdev->dev, "RSS config failed\n");
Reported by FlawFinder.
Line: 2124
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mv.mac_addr4 = addr[4];
mv.mac_addr5 = addr[5];
buf = &cmd->req.arg[2];
memcpy(buf, &mv, sizeof(struct qlcnic_macvlan_mbx));
err = qlcnic_issue_cmd(adapter, cmd);
if (!err)
return err;
qlcnic_free_mbx_args(cmd);
Reported by FlawFinder.
Line: 2140
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct qlcnic_host_tx_ring *tx_ring)
{
u8 mac[ETH_ALEN];
memcpy(&mac, addr, ETH_ALEN);
qlcnic_83xx_sre_macaddr_change(adapter, mac, vlan_id, QLCNIC_MAC_ADD);
}
static void qlcnic_83xx_configure_mac(struct qlcnic_adapter *adapter, u8 *mac,
u8 type, struct qlcnic_cmd_args *cmd)
Reported by FlawFinder.
drivers/of/unittest.c
14 issues
Line: 1416
CWE codes:
570
*/
extern uint8_t __dtb_testcases_begin[];
extern uint8_t __dtb_testcases_end[];
const int size = __dtb_testcases_end - __dtb_testcases_begin;
int rc;
void *ret;
if (!size) {
pr_warn("%s: testcases is empty\n", __func__);
Reported by Cppcheck.
Line: 284
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
/* Baseline; check conversion with a large size limit */
memset(buf, 0xff, buf_size);
size = snprintf(buf, buf_size - 2, fmt, np);
/* use strcmp() instead of strncmp() here to be absolutely sure strings match */
unittest((strcmp(buf, expected) == 0) && (buf[size+1] == 0xff),
"sprintf failed; fmt='%s' expected='%s' rslt='%s'\n",
fmt, expected, buf);
Reported by FlawFinder.
Line: 296
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
for (i = 0; i < 2; i++, size--) {
/* Clear the buffer, and make sure it works correctly still */
memset(buf, 0xff, buf_size);
snprintf(buf, size+1, fmt, np);
unittest(strncmp(buf, expected, size) == 0 && (buf[size+1] == 0xff),
"snprintf failed; size=%i fmt='%s' expected='%s' rslt='%s'\n",
size, fmt, expected, buf);
}
kfree(buf);
Reported by FlawFinder.
Line: 308
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct device_node *np;
const char *full_name = "/testcase-data/platform-tests/test-device@1/dev@100";
char phandle_str[16] = "";
np = of_find_node_by_path(full_name);
if (!np) {
unittest(np, "testcase data missing\n");
return;
Reported by FlawFinder.
Line: 685
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void __init of_unittest_property_string(void)
{
const char *strings[4];
struct device_node *np;
int rc;
np = of_find_node_by_path("/testcase-data/phandle-tests/consumer-a");
if (!np) {
Reported by FlawFinder.
Line: 1431
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
unittest_data_align = PTR_ALIGN(unittest_data, FDT_ALIGN_SIZE);
memcpy(unittest_data_align, __dtb_testcases_begin, size);
ret = of_fdt_unflatten_tree(unittest_data_align, NULL, &unittest_data_node);
if (!ret) {
pr_warn("%s: unflatten testcases tree failed\n", __func__);
kfree(unittest_data);
Reported by FlawFinder.
Line: 1856
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *unittest_path(int nr, enum overlay_type ovtype)
{
const char *base;
static char buf[256];
switch (ovtype) {
case PDEV_OVERLAY:
base = "/testcase-data/overlay-node/test-bus";
break;
Reported by FlawFinder.
Line: 1891
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *overlay_name_from_nr(int nr)
{
static char buf[256];
snprintf(buf, sizeof(buf) - 1,
"overlay_%d", nr);
buf[sizeof(buf) - 1] = '\0';
Reported by FlawFinder.
Line: 2971
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(new_fdt, info->dtb_begin, size);
__unflatten_device_tree(new_fdt, NULL, &overlay_base_root,
dt_alloc_memory, true);
}
Reported by FlawFinder.
Line: 186
Column: 17
CWE codes:
126
/* Add a new property - should pass*/
prop->name = "new-property";
prop->value = "new-property-data";
prop->length = strlen(prop->value) + 1;
unittest(of_add_property(np, prop) == 0, "Adding a new property failed\n");
/* Try to add an existing property - should fail */
prop++;
prop->name = "new-property";
Reported by FlawFinder.