The following issues were found
drivers/block/floppy.c
13 issues
Line: 338
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
* globals used by 'result()'
*/
static unsigned char reply_buffer[FD_RAW_REPLY_SIZE];
static int inr; /* size of reply buffer, when called from interrupt */
#define ST0 0
#define ST1 1
#define ST2 2
#define ST3 0 /* result of GETSTATUS */
Reported by FlawFinder.
Line: 2281
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct request *req = current_req;
int block;
char msg[sizeof("request done ") + sizeof(int) * 3];
probing = 0;
snprintf(msg, sizeof(msg), "request done %d", uptodate);
reschedule_timeout(MAXTIMEOUT, msg);
Reported by FlawFinder.
Line: 2996
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
raw_cmd->reply_count = inr;
if (raw_cmd->reply_count > FD_RAW_REPLY_SIZE)
raw_cmd->reply_count = 0;
memcpy(raw_cmd->reply, reply_buffer, raw_cmd->reply_count);
if (raw_cmd->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
unsigned long flags;
flags = claim_dma_lock();
raw_cmd->length = fd_get_dma_residue();
Reported by FlawFinder.
Line: 3447
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(struct floppy_struct **)&outparam);
if (ret)
return ret;
memcpy(&inparam.g, outparam,
offsetof(struct floppy_struct, name));
outparam = &inparam.g;
break;
case FDMSGON:
drive_params[drive].flags |= FTD_MSG;
Reported by FlawFinder.
Line: 3615
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int perp_mode:2;
unsigned int has_fifo:1;
unsigned int driver_version;
unsigned char track[4];
};
struct compat_floppy_write_errors {
unsigned int write_errors;
compat_ulong_t first_error_sector;
Reported by FlawFinder.
Line: 3677
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_unlock(&floppy_mutex);
return err;
}
memcpy(&v, p, offsetof(struct floppy_struct, name));
mutex_unlock(&floppy_mutex);
if (copy_to_user(arg, &v, sizeof(struct compat_floppy_struct)))
return -EFAULT;
return 0;
}
Reported by FlawFinder.
Line: 3712
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
drive_params[drive].max_errors = v.max_errors;
drive_params[drive].flags = v.flags;
drive_params[drive].read_track = v.read_track;
memcpy(drive_params[drive].autodetect, v.autodetect,
sizeof(v.autodetect));
drive_params[drive].checkfreq = v.checkfreq;
drive_params[drive].native_format = v.native_format;
mutex_unlock(&floppy_mutex);
return 0;
Reported by FlawFinder.
Line: 3816
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
v32.perp_mode = v.perp_mode;
v32.has_fifo = v.has_fifo;
v32.driver_version = v.driver_version;
memcpy(v32.track, v.track, 4);
if (copy_to_user(arg, &v32, sizeof(struct compat_floppy_fdc_state)))
return -EFAULT;
return 0;
}
Reported by FlawFinder.
Line: 3911
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int type = drive_params[drive].cmos;
struct floppy_drive_params *params;
const char *name = NULL;
char temparea[32];
if (type < ARRAY_SIZE(default_drive_params)) {
params = &default_drive_params[type].params;
if (type) {
name = default_drive_params[type].name;
Reported by FlawFinder.
Line: 4435
Column: 9
CWE codes:
120
Suggestion:
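Use sprintf_s, snprintf, or vsnprintf. Note for triage: the quoted function is registered through DEVICE_ATTR() as a sysfs show callback; sprintf_s is not available in kernel code, and the bounded helper for this case is sysfs_emit().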
int drive;
drive = p->id;
return sprintf(buf, "%X\n", drive_params[drive].cmos);
}
static DEVICE_ATTR(cmos, 0444, floppy_cmos_show, NULL);
static struct attribute *floppy_dev_attrs[] = {
Reported by FlawFinder.
fs/nfs/nfs3xdr.c
13 issues
Line: 2533
Column: 18
CWE codes:
362
20
Suggestion:
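Reconsider approach. Note for triage: in the quoted lines the only `readlink` tokens are arguments to the PROC() table macro, not a call to readlink(2); check what PROC() expands to before treating this as a race (CWE-362) or input-validation (CWE-20) issue.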
PROC(SETATTR, setattr, setattr, 0),
PROC(LOOKUP, lookup, lookup, 2),
PROC(ACCESS, access, access, 1),
PROC(READLINK, readlink, readlink, 3),
PROC(READ, read, read, 3),
PROC(WRITE, write, write, 4),
PROC(CREATE, create, create, 0),
PROC(MKDIR, mkdir, create, 0),
PROC(SYMLINK, symlink, create, 0),
Reported by FlawFinder.
Line: 2533
Column: 28
CWE codes:
362
20
Suggestion:
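Reconsider approach. Note for triage: this is the second `readlink` argument on the same PROC() line; it is a macro argument in a procedure table, not a call to readlink(2), so it needs the same manual check as the previous hit.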
PROC(SETATTR, setattr, setattr, 0),
PROC(LOOKUP, lookup, lookup, 2),
PROC(ACCESS, access, access, 1),
PROC(READLINK, readlink, readlink, 3),
PROC(READ, read, read, 3),
PROC(WRITE, write, write, 4),
PROC(CREATE, create, create, 0),
PROC(MKDIR, mkdir, create, 0),
PROC(SYMLINK, symlink, create, 0),
Reported by FlawFinder.
Line: 889
Column: 27
CWE codes:
362/367!
Suggestion:
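Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Note for triage: the only `access` token in the quoted lines is the struct member `args->access` passed to encode_uint32(); the setuid()/open advice is written for user-space callers of access(2) and does not describe this code.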
const struct nfs3_accessargs *args)
{
encode_nfs_fh3(xdr, args->fh);
encode_uint32(xdr, args->access);
}
static void nfs3_xdr_enc_access3args(struct rpc_rqst *req,
struct xdr_stream *xdr,
const void *data)
Reported by FlawFinder.
Line: 1535
Column: 38
CWE codes:
362/367!
Suggestion:
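Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Note for triage: the matched token here is the struct member `result->access` filled by decode_uint32(), not a call to access(2), so no check-then-use on a file path is visible in the quoted lines.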
goto out;
if (status != NFS3_OK)
goto out_default;
error = decode_uint32(xdr, &result->access);
out:
return error;
out_default:
return nfs3_stat_to_errno(status);
}
Reported by FlawFinder.
Line: 2532
Column: 25
CWE codes:
362/367!
Suggestion:
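Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Note for triage: the `access` tokens on the flagged line are arguments to the PROC() table macro (`PROC(ACCESS, access, access, 1)`), not a call to access(2); check what PROC() expands to before acting on this hit.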
PROC(GETATTR, getattr, getattr, 1),
PROC(SETATTR, setattr, setattr, 0),
PROC(LOOKUP, lookup, lookup, 2),
PROC(ACCESS, access, access, 1),
PROC(READLINK, readlink, readlink, 3),
PROC(READ, read, read, 3),
PROC(WRITE, write, write, 4),
PROC(CREATE, create, create, 0),
PROC(MKDIR, mkdir, create, 0),
Reported by FlawFinder.
Line: 2532
Column: 16
CWE codes:
362/367!
Suggestion:
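Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Note for triage: this is the other `access` argument on the same PROC() line; it is a macro argument in a procedure table, not a call to access(2).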
PROC(GETATTR, getattr, getattr, 1),
PROC(SETATTR, setattr, setattr, 0),
PROC(LOOKUP, lookup, lookup, 2),
PROC(ACCESS, access, access, 1),
PROC(READLINK, readlink, readlink, 3),
PROC(READ, read, read, 3),
PROC(WRITE, write, write, 4),
PROC(CREATE, create, create, 0),
PROC(MKDIR, mkdir, create, 0),
Reported by FlawFinder.
Line: 277
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
static __be32 *xdr_encode_cookieverf3(__be32 *p, const __be32 *verifier)
{
	/*
	 * Position just past the verifier, in XDR words. Computed first so the
	 * copy below is the last thing done before returning it.
	 */
	__be32 *next = p + XDR_QUADLEN(NFS3_COOKIEVERFSIZE);

	/*
	 * Fixed-size copy of NFS3_COOKIEVERFSIZE bytes. Nothing here checks how
	 * much room is left at p or how large the object behind verifier is;
	 * both are the caller's responsibility.
	 */
	memcpy(p, verifier, NFS3_COOKIEVERFSIZE);

	return next;
}
static int decode_cookieverf3(struct xdr_stream *xdr, __be32 *verifier)
{
Reported by FlawFinder.
Line: 288
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = xdr_inline_decode(xdr, NFS3_COOKIEVERFSIZE);
if (unlikely(!p))
return -EIO;
memcpy(verifier, p, NFS3_COOKIEVERFSIZE);
return 0;
}
/*
* createverf3
Reported by FlawFinder.
Line: 302
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__be32 *p;
p = xdr_reserve_space(xdr, NFS3_CREATEVERFSIZE);
memcpy(p, verifier, NFS3_CREATEVERFSIZE);
}
static int decode_writeverf3(struct xdr_stream *xdr, struct nfs_write_verifier *verifier)
{
__be32 *p;
Reported by FlawFinder.
Line: 312
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = xdr_inline_decode(xdr, NFS3_WRITEVERFSIZE);
if (unlikely(!p))
return -EIO;
memcpy(verifier->data, p, NFS3_WRITEVERFSIZE);
return 0;
}
/*
* size3
Reported by FlawFinder.
drivers/uio/uio.c
13 issues
Line: 53
Column: 9
CWE codes:
120
Suggestion:
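Use sprintf_s, snprintf, or vsnprintf. Note for triage: sprintf_s does not exist in kernel code. This helper prints a string (`mem->name`), so the output length depends on the name; if `buf` is the sysfs page buffer (the `show` signature suggests it, but the caller is not quoted here), sysfs_emit() is the bounded replacement.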
if (unlikely(!mem->name))
mem->name = "";
return sprintf(buf, "%s\n", mem->name);
}
static ssize_t map_addr_show(struct uio_mem *mem, char *buf)
{
return sprintf(buf, "%pa\n", &mem->addr);
Reported by FlawFinder.
Line: 136
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (unlikely(!port->name))
port->name = "";
return sprintf(buf, "%s\n", port->name);
}
static ssize_t portio_start_show(struct uio_port *port, char *buf)
{
return sprintf(buf, "0x%lx\n", port->start);
Reported by FlawFinder.
Line: 156
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if ((port->porttype < 0) || (port->porttype > UIO_PORT_OTHER))
return -EINVAL;
return sprintf(buf, "port_%s\n", porttypes[port->porttype]);
}
struct portio_sysfs_entry {
struct attribute attr;
ssize_t (*show)(struct uio_port *, char *);
Reported by FlawFinder.
Line: 226
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
goto out;
}
ret = sprintf(buf, "%s\n", idev->info->name);
out:
mutex_unlock(&idev->info_lock);
return ret;
}
Reported by FlawFinder.
Line: 247
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
goto out;
}
ret = sprintf(buf, "%s\n", idev->info->version);
out:
mutex_unlock(&idev->info_lock);
return ret;
}
Reported by FlawFinder.
Line: 58
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Format mem->addr into buf with the kernel "%pa" specifier plus a newline
 * and return sprintf()'s character count.
 */
static ssize_t map_addr_show(struct uio_mem *mem, char *buf)
{
	int written;

	/*
	 * sprintf() is given no size, so nothing in this function bounds the
	 * write; buf is assumed to be the caller's sysfs page buffer (caller
	 * not visible here, confirm).
	 */
	written = sprintf(buf, "%pa\n", &mem->addr);

	return written;
}
static ssize_t map_size_show(struct uio_mem *mem, char *buf)
{
return sprintf(buf, "%pa\n", &mem->size);
Reported by FlawFinder.
Line: 63
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Format mem->size into buf with the kernel "%pa" specifier plus a newline
 * and return sprintf()'s character count.
 */
static ssize_t map_size_show(struct uio_mem *mem, char *buf)
{
	int written;

	/*
	 * Unbounded sprintf(): the only limit on the write is the size of the
	 * value being printed, not the size of buf, which this function never
	 * sees.
	 */
	written = sprintf(buf, "%pa\n", &mem->size);

	return written;
}
static ssize_t map_offset_show(struct uio_mem *mem, char *buf)
{
return sprintf(buf, "0x%llx\n", (unsigned long long)mem->offs);
Reported by FlawFinder.
Line: 68
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Print mem->offs into buf as "0x<hex>\n" and return sprintf()'s character
 * count.
 */
static ssize_t map_offset_show(struct uio_mem *mem, char *buf)
{
	/* Widen explicitly so the value matches the %llx conversion. */
	const unsigned long long offs = (unsigned long long)mem->offs;
	int written;

	/*
	 * sprintf() takes no buffer size; the output is at most "0x", 16 hex
	 * digits and a newline for a 64-bit value, but buf's capacity is not
	 * checked here.
	 */
	written = sprintf(buf, "0x%llx\n", offs);

	return written;
}
struct map_sysfs_entry {
struct attribute attr;
ssize_t (*show)(struct uio_mem *, char *);
Reported by FlawFinder.
Line: 141
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Print port->start into buf as "0x<hex>\n" and return sprintf()'s character
 * count.
 */
static ssize_t portio_start_show(struct uio_port *port, char *buf)
{
	int written;

	/*
	 * No size is passed to sprintf(); the caller must supply a buf large
	 * enough for one hex-formatted value and a newline.
	 */
	written = sprintf(buf, "0x%lx\n", port->start);

	return written;
}
static ssize_t portio_size_show(struct uio_port *port, char *buf)
{
return sprintf(buf, "0x%lx\n", port->size);
Reported by FlawFinder.
Line: 146
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Print port->size into buf as "0x<hex>\n" and return sprintf()'s character
 * count.
 */
static ssize_t portio_size_show(struct uio_port *port, char *buf)
{
	int written;

	/*
	 * No size is passed to sprintf(); the caller must supply a buf large
	 * enough for one hex-formatted value and a newline.
	 */
	written = sprintf(buf, "0x%lx\n", port->size);

	return written;
}
static ssize_t portio_porttype_show(struct uio_port *port, char *buf)
{
const char *porttypes[] = {"none", "x86", "gpio", "other"};
Reported by FlawFinder.
kernel/time/clocksource.c
13 issues
Line: 126
CWE codes:
908
/*
 * Take watchdog_lock with local interrupts disabled.
 *
 * spin_lock_irqsave() is a macro that stores the previous interrupt state
 * into its second argument, so *flags is written here rather than read; the
 * caller's variable does not need to be initialised before this call.
 * clocksource_watchdog_unlock() takes the same pointer and hands the saved
 * value to spin_unlock_irqrestore().
 */
static inline void clocksource_watchdog_lock(unsigned long *flags)
{
spin_lock_irqsave(&watchdog_lock, *flags);
}
static inline void clocksource_watchdog_unlock(unsigned long *flags)
{
spin_unlock_irqrestore(&watchdog_lock, *flags);
Reported by Cppcheck.
Line: 94
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct clocksource *suspend_clocksource;
static LIST_HEAD(clocksource_list);
static DEFINE_MUTEX(clocksource_mutex);
static char override_name[CS_NAME_LEN];
static int finished_booting;
static u64 suspend_start;
/*
* Threshold: 0.0312s, when doubled: 0.0625s.
Reported by FlawFinder.
Line: 1268
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buf[cnt-1] == '\n')
cnt--;
if (cnt > 0)
memcpy(dst, buf, cnt);
dst[cnt] = 0;
return ret;
}
/**
Reported by FlawFinder.
Line: 1315
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *buf, size_t count)
{
struct clocksource *cs;
char name[CS_NAME_LEN];
ssize_t ret;
ret = sysfs_get_uname(buf, name, count);
if (ret < 0)
return ret;
Reported by FlawFinder.
Line: 216
Column: 22
CWE codes:
120
20
for (nretries = 0; nretries <= max_cswd_read_retries; nretries++) {
local_irq_disable();
*wdnow = watchdog->read(watchdog);
*csnow = cs->read(cs);
wd_end = watchdog->read(watchdog);
local_irq_enable();
wd_delta = clocksource_delta(wd_end, *wdnow, watchdog->mask);
Reported by FlawFinder.
Line: 217
Column: 16
CWE codes:
120
20
for (nretries = 0; nretries <= max_cswd_read_retries; nretries++) {
local_irq_disable();
*wdnow = watchdog->read(watchdog);
*csnow = cs->read(cs);
wd_end = watchdog->read(watchdog);
local_irq_enable();
wd_delta = clocksource_delta(wd_end, *wdnow, watchdog->mask);
wd_delay = clocksource_cyc2ns(wd_delta, watchdog->mult,
Reported by FlawFinder.
Line: 218
Column: 22
CWE codes:
120
20
local_irq_disable();
*wdnow = watchdog->read(watchdog);
*csnow = cs->read(cs);
wd_end = watchdog->read(watchdog);
local_irq_enable();
wd_delta = clocksource_delta(wd_end, *wdnow, watchdog->mask);
wd_delay = clocksource_cyc2ns(wd_delta, watchdog->mult,
watchdog->shift);
Reported by FlawFinder.
Line: 295
Column: 18
CWE codes:
120
20
{
struct clocksource *cs = (struct clocksource *)csin;
csnow_mid = cs->read(cs);
}
void clocksource_verify_percpu(struct clocksource *cs)
{
int64_t cs_nsec, cs_nsec_max = 0, cs_nsec_min = LLONG_MAX;
Reported by FlawFinder.
Line: 323
Column: 21
CWE codes:
120
20
for_each_cpu(cpu, &cpus_chosen) {
if (cpu == testcpu)
continue;
csnow_begin = cs->read(cs);
smp_call_function_single(cpu, clocksource_verify_one_cpu, cs, 1);
csnow_end = cs->read(cs);
delta = (s64)((csnow_mid - csnow_begin) & cs->mask);
if (delta < 0)
cpumask_set_cpu(cpu, &cpus_behind);
Reported by FlawFinder.
Line: 325
Column: 19
CWE codes:
120
20
continue;
csnow_begin = cs->read(cs);
smp_call_function_single(cpu, clocksource_verify_one_cpu, cs, 1);
csnow_end = cs->read(cs);
delta = (s64)((csnow_mid - csnow_begin) & cs->mask);
if (delta < 0)
cpumask_set_cpu(cpu, &cpus_behind);
delta = (csnow_end - csnow_mid) & cs->mask;
if (delta < 0)
Reported by FlawFinder.
fs/jfs/jfs_dtree.c
13 issues
Line: 984
CWE codes:
562
pxd = &pxdlist.pxd[0];
PXDaddress(pxd, xaddr);
PXDlength(pxd, xlen);
split->pxdlist = &pxdlist;
rc = dtSplitRoot(tid, ip, split, &rmp);
if (rc)
dbFree(ip, xaddr, xlen);
else
Reported by Cppcheck.
Line: 1033
CWE codes:
562
pxd = &pxdlist.pxd[0];
PXDaddress(pxd, nxaddr);
PXDlength(pxd, xlen + n);
split->pxdlist = &pxdlist;
if ((rc = dtExtendPage(tid, ip, split, btstack))) {
nxaddr = addressPXD(pxd);
if (xaddr != nxaddr) {
/* free relocated extent */
xlen = lengthPXD(pxd);
Reported by Cppcheck.
Line: 1083
CWE codes:
562
goto splitOut;
}
split->pxdlist = &pxdlist;
if ((rc = dtSplitPage(tid, ip, split, &rmp, &rp, &rpxd))) {
DT_PUTPAGE(smp);
/* undo allocation */
goto splitOut;
Reported by Cppcheck.
Line: 1225
CWE codes:
562
split->mp = smp;
split->index = skip; /* index at insert */
split->nslot = n;
split->key = &key;
/* split->data = data; */
/* unpin right child page */
DT_PUTPAGE(rmp);
Reported by Cppcheck.
Line: 396
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (xtInsert(tid, ip, 0, 0, sbi->nbperpage, &xaddr, 0)) {
/* This really shouldn't fail */
jfs_warn("add_index: xtInsert failed!");
memcpy(&jfs_ip->i_dirtable, temp_table,
sizeof (temp_table));
dbFree(ip, xaddr, sbi->nbperpage);
dquot_free_block(ip, sbi->nbperpage);
goto clean_up;
}
Reported by FlawFinder.
Line: 408
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!mp) {
jfs_err("add_index: get_metapage failed!");
xtTruncate(tid, ip, 0, COMMIT_PWMAP);
memcpy(&jfs_ip->i_dirtable, temp_table,
sizeof (temp_table));
goto clean_up;
}
tlck = txLock(tid, ip, mp, tlckDATA);
llck = (struct linelock *) & tlck->lock;
Reported by FlawFinder.
Line: 421
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lv->length = 6; /* tlckDATA slot size is 16 bytes */
llck->index++;
memcpy(mp->data, temp_table, sizeof(temp_table));
mark_metapage_dirty(mp);
release_metapage(mp);
/*
Reported by FlawFinder.
Line: 548
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EIO;
}
memcpy(dirtab_slot, slot, sizeof(struct dir_table_slot));
if (mp)
release_metapage(mp);
return 0;
Reported by FlawFinder.
Line: 1737
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
newstblindex = sp->header.maxslot;
n = xsize >> L2DTSLOTSIZE;
newstblsize = (n + 31) >> L2DTSLOTSIZE;
memcpy(&sp->slot[newstblindex], &sp->slot[oldstblindex],
sp->header.nextindex);
/*
* in-line extension: linelock old area of extended page
*/
Reported by FlawFinder.
Line: 1947
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy old stbl to new stbl at start of extended area */
rp->header.stblindex = DTROOTMAXSLOT;
stbl = (s8 *) & rp->slot[DTROOTMAXSLOT];
memcpy(stbl, sp->header.stbl, sp->header.nextindex);
rp->header.nextindex = sp->header.nextindex;
/* copy old data area to start of new data area */
memcpy(&rp->slot[1], &sp->slot[1], IDATASIZE);
Reported by FlawFinder.
drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
13 issues
Line: 792
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
.type = default_ras_type,
.sub_block_index = 0,
};
strcpy(head.name, ras_block_str(i));
if (bypass) {
/*
* bypass psp. vbios enable ras for us.
* so just create the obj
*/
Reported by FlawFinder.
Line: 1377
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
list_for_each_entry(obj, &con->head, node) {
if (amdgpu_ras_is_supported(adev, obj->head.block) &&
(obj->attr_inuse == 1)) {
sprintf(fs_info.debugfs_name, "%s_err_inject",
ras_block_str(obj->head.block));
fs_info.head = obj->head;
amdgpu_ras_debugfs_create(adev, &fs_info, dir);
}
}
Reported by FlawFinder.
Line: 155
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
.head = obj->head,
};
ssize_t s;
char val[128];
if (amdgpu_ras_query_error_status(obj->adev, &info))
return -EINVAL;
s = snprintf(val, sizeof(val), "%s: %lu\n%s: %lu\n",
Reported by FlawFinder.
Line: 202
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
loff_t *pos, struct ras_debug_if *data)
{
ssize_t s = min_t(u64, 64, size);
char str[65];
char block_name[33];
char err[9] = "ue";
int op = -1;
int block_id;
uint32_t sub_block;
Reported by FlawFinder.
Line: 203
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
ssize_t s = min_t(u64, 64, size);
char str[65];
char block_name[33];
char err[9] = "ue";
int op = -1;
int block_id;
uint32_t sub_block;
u64 address, value;
Reported by FlawFinder.
Line: 204
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ssize_t s = min_t(u64, 64, size);
char str[65];
char block_name[33];
char err[9] = "ue";
int op = -1;
int block_id;
uint32_t sub_block;
u64 address, value;
Reported by FlawFinder.
Line: 1457
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (data->rptr != data->wptr) {
rmb();
memcpy(&entry, &data->ring[data->rptr],
data->element_size);
wmb();
data->rptr = (data->aligned_element_size +
data->rptr) % data->ring_size;
Reported by FlawFinder.
Line: 1508
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
/* Might be overflow... */
memcpy(&data->ring[data->wptr], info->entry,
data->element_size);
wmb();
data->wptr = (data->aligned_element_size +
data->wptr) % data->ring_size;
Reported by FlawFinder.
Line: 1767
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (data->bps) {
memcpy(bps, data->bps,
data->count * sizeof(*data->bps));
kfree(data->bps);
}
data->bps = bps;
Reported by FlawFinder.
Line: 1810
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bps[i].retired_page << AMDGPU_GPU_PAGE_SHIFT,
AMDGPU_GPU_PAGE_SIZE);
memcpy(&data->bps[data->count], &bps[i], sizeof(*data->bps));
data->count++;
data->space_left--;
}
out:
mutex_unlock(&con->recovery_lock);
Reported by FlawFinder.
drivers/media/usb/dvb-usb/ttusb2.c
13 issues
Line: 95
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
s[1] = ++st->id;
s[2] = cmd;
s[3] = wlen;
memcpy(&s[4],wbuf,wlen);
ret = dvb_usb_generic_rw(d, s, wlen+4, r, 64, 0);
if (ret != 0 ||
r[0] != 0x55 ||
Reported by FlawFinder.
Line: 111
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (rlen > 0)
memcpy(rbuf, &r[4], rlen);
kfree(s);
kfree(r);
return 0;
Reported by FlawFinder.
Line: 126
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 rx[60];/* (64 -4) */
ret = ttusb2_msg(d, cmd, data, write_len, rx, read_len);
if (!ret)
memcpy(data, rx, read_len);
return ret;
}
static int tt3650_ci_msg_locked(struct dvb_ca_en50221 *ca, u8 cmd, u8 *data, unsigned int write_len, unsigned int read_len)
{
Reported by FlawFinder.
Line: 292
Column: 80
CWE codes:
362
return ret;
}
static int tt3650_ci_poll_slot_status(struct dvb_ca_en50221 *ca, int slot, int open)
{
u8 buf[1];
int ret;
if (slot)
Reported by FlawFinder.
Line: 414
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
obuf[2] = 0;
memcpy(&obuf[3], msg[i].buf, msg[i].len);
if (ttusb2_msg(d, CMD_I2C_XFER, obuf, obuf[1]+3, ibuf, obuf[2] + 3) < 0) {
err("i2c transfer failed.");
break;
}
Reported by FlawFinder.
Line: 422
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (write_read) {
memcpy(msg[i+1].buf, &ibuf[3], msg[i+1].len);
i++;
} else if (read)
memcpy(msg[i].buf, &ibuf[3], msg[i].len);
}
Reported by FlawFinder.
Line: 425
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(msg[i+1].buf, &ibuf[3], msg[i+1].len);
i++;
} else if (read)
memcpy(msg[i].buf, &ibuf[3], msg[i].len);
}
mutex_unlock(&d->i2c_mutex);
return i;
}
Reported by FlawFinder.
Line: 372
Column: 21
CWE codes:
120
20
{
struct dvb_usb_device *d = i2c_get_adapdata(adap);
static u8 obuf[60], ibuf[60];
int i, write_read, read;
if (mutex_lock_interruptible(&d->i2c_mutex) < 0)
return -EAGAIN;
if (num > 2)
Reported by FlawFinder.
Line: 393
Column: 14
CWE codes:
120
20
err("i2c rd len=%d too high", msg[i+1].len);
break;
}
} else if (read) {
if (3 + msg[i].len > sizeof(ibuf)) {
err("i2c rd len=%d too high", msg[i].len);
break;
}
}
Reported by FlawFinder.
fs/gfs2/xattr.c
13 issues
Line: 392
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ei->ei_size + ea_size > er->er_data_len)
return -ERANGE;
memcpy(er->er_data + ei->ei_size, prefix, l);
memcpy(er->er_data + ei->ei_size + l, GFS2_EA2NAME(ea),
ea->ea_name_len);
er->er_data[ei->ei_size + ea_size - 1] = 0;
}
Reported by FlawFinder.
Line: 393
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ERANGE;
memcpy(er->er_data + ei->ei_size, prefix, l);
memcpy(er->er_data + ei->ei_size + l, GFS2_EA2NAME(ea),
ea->ea_name_len);
er->er_data[ei->ei_size + ea_size - 1] = 0;
}
ei->ei_size += ea_size;
Reported by FlawFinder.
Line: 499
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cp_size = (sdp->sd_jbsize > amount) ? amount : sdp->sd_jbsize;
if (dout) {
memcpy(dout, pos, cp_size);
dout += sdp->sd_jbsize;
}
if (din) {
gfs2_trans_add_meta(ip->i_gl, bh[x]);
Reported by FlawFinder.
Line: 505
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (din) {
gfs2_trans_add_meta(ip->i_gl, bh[x]);
memcpy(pos, din, cp_size);
din += sdp->sd_jbsize;
}
amount -= sdp->sd_jbsize;
brelse(bh[x]);
Reported by FlawFinder.
Line: 527
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ERANGE;
if (GFS2_EA_IS_STUFFED(el->el_ea)) {
memcpy(data, GFS2_EA2DATA(el->el_ea), len);
return len;
}
ret = gfs2_iter_unstuffed(ip, el->el_ea, NULL, data);
if (ret < 0)
return ret;
Reported by FlawFinder.
Line: 685
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ea->ea_type = er->er_type;
ea->__pad = 0;
memcpy(GFS2_EA2NAME(ea), er->er_name, er->er_name_len);
if (GFS2_EAREQ_SIZE_STUFFED(er) <= sdp->sd_jbsize) {
ea->ea_num_ptrs = 0;
memcpy(GFS2_EA2DATA(ea), er->er_data, er->er_data_len);
} else {
Reported by FlawFinder.
Line: 689
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (GFS2_EAREQ_SIZE_STUFFED(er) <= sdp->sd_jbsize) {
ea->ea_num_ptrs = 0;
memcpy(GFS2_EA2DATA(ea), er->er_data, er->er_data_len);
} else {
__be64 *dataptr = GFS2_EA2DATAPTRS(ea);
const char *data = er->er_data;
unsigned int data_len = er->er_data_len;
unsigned int copy;
Reported by FlawFinder.
Line: 716
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
copy = data_len > sdp->sd_jbsize ? sdp->sd_jbsize :
data_len;
memcpy(bh->b_data + mh_size, data, copy);
if (copy < sdp->sd_jbsize)
memset(bh->b_data + mh_size + copy, 0,
sdp->sd_jbsize - copy);
*dataptr++ = cpu_to_be64(bh->b_blocknr);
Reported by FlawFinder.
Line: 207
Column: 13
CWE codes:
126
ef.type = type;
ef.name = name;
ef.namel = strlen(name);
ef.ef_el = el;
memset(el, 0, sizeof(struct gfs2_ea_location));
error = ea_foreach(ip, ea_find_i, &ef);
Reported by FlawFinder.
Line: 586
Column: 6
CWE codes:
126
if (!ip->i_eattr)
return -ENODATA;
if (strlen(name) > GFS2_EA_MAX_NAME_LEN)
return -EINVAL;
error = gfs2_ea_find(ip, type, name, &el);
if (error)
return error;
Reported by FlawFinder.
drivers/target/iscsi/iscsi_target_login.c
13 issues
Line: 238
Column: 2
CWE codes:
134
Suggestion:
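Use a constant for the format specification. Note for triage: `fmt` is the variadic wrapper's own parameter (see `va_start(args, fmt)`), so what needs checking is that every caller passes a literal format string; the write itself is bounded by `sizeof buf`.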
memset(buf, 0, sizeof buf);
va_start(args, fmt);
vsnprintf(buf, sizeof buf, fmt, args);
va_end(args);
if (iscsi_change_param_value(buf, conn->param_list, 0) < 0) {
iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
ISCSI_LOGIN_STATUS_NO_RESOURCES);
Reported by FlawFinder.
Line: 233
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *fmt, ...)
{
va_list args;
unsigned char buf[64];
memset(buf, 0, sizeof buf);
va_start(args, fmt);
vsnprintf(buf, sizeof buf, fmt, args);
Reported by FlawFinder.
Line: 275
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto free_sess;
sess->init_task_tag = pdu->itt;
memcpy(&sess->isid, pdu->isid, 6);
sess->exp_cmd_sn = be32_to_cpu(pdu->cmdsn);
INIT_LIST_HEAD(&sess->sess_conn_list);
INIT_LIST_HEAD(&sess->sess_ooo_cmdsn_list);
INIT_LIST_HEAD(&sess->cr_active_list);
INIT_LIST_HEAD(&sess->cr_inactive_list);
Reported by FlawFinder.
Line: 891
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Setup the np->np_sockaddr from the passed sockaddr setup
* in iscsi_target_configfs.c code..
*/
memcpy(&np->np_sockaddr, sockaddr,
sizeof(struct sockaddr_storage));
if (sockaddr->ss_family == AF_INET6)
len = sizeof(struct sockaddr_in6);
else
Reported by FlawFinder.
Line: 968
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(struct sockaddr *)&sock_in6, 1);
if (rc >= 0) {
if (!ipv6_addr_v4mapped(&sock_in6.sin6_addr)) {
memcpy(&conn->login_sockaddr, &sock_in6, sizeof(sock_in6));
} else {
/* Pretend to be an ipv4 socket */
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
Reported by FlawFinder.
Line: 973
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Pretend to be an ipv4 socket */
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
memcpy(&conn->login_sockaddr, &sock_in, sizeof(sock_in));
}
}
rc = conn->sock->ops->getname(conn->sock,
Reported by FlawFinder.
Line: 974
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
memcpy(&conn->login_sockaddr, &sock_in, sizeof(sock_in));
}
}
rc = conn->sock->ops->getname(conn->sock,
(struct sockaddr *)&sock_in6, 0);
Reported by FlawFinder.
Line: 982
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(struct sockaddr *)&sock_in6, 0);
if (rc >= 0) {
if (!ipv6_addr_v4mapped(&sock_in6.sin6_addr)) {
memcpy(&conn->local_sockaddr, &sock_in6, sizeof(sock_in6));
} else {
/* Pretend to be an ipv4 socket */
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
Reported by FlawFinder.
Line: 987
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Pretend to be an ipv4 socket */
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
memcpy(&conn->local_sockaddr, &sock_in, sizeof(sock_in));
}
}
} else {
memset(&sock_in, 0, sizeof(struct sockaddr_in));
Reported by FlawFinder.
Line: 988
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
memcpy(&conn->local_sockaddr, &sock_in, sizeof(sock_in));
}
}
} else {
memset(&sock_in, 0, sizeof(struct sockaddr_in));
Reported by FlawFinder.
scripts/mod/sumversion.c
13 issues
Line: 316
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (base) {
base++;
dirlen = base - objfile;
sprintf(cmd, "%.*s.%s.cmd", dirlen, objfile, base);
} else {
dirlen = 0;
sprintf(cmd, ".%s.cmd", objfile);
}
dir = NOFAIL(malloc(dirlen + 1));
Reported by FlawFinder.
Line: 319
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(cmd, "%.*s.%s.cmd", dirlen, objfile, base);
} else {
dirlen = 0;
sprintf(cmd, ".%s.cmd", objfile);
}
dir = NOFAIL(malloc(dirlen + 1));
strncpy(dir, objfile, dirlen);
dir[dirlen] = '\0';
Reported by FlawFinder.
Line: 177
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mctx->byte_count += len;
if (avail > len) {
memcpy((char *)mctx->block + (sizeof(mctx->block) - avail),
data, len);
return;
}
memcpy((char *)mctx->block + (sizeof(mctx->block) - avail),
Reported by FlawFinder.
Line: 182
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy((char *)mctx->block + (sizeof(mctx->block) - avail),
data, avail);
md4_transform_helper(mctx);
data += avail;
len -= avail;
Reported by FlawFinder.
Line: 196
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len -= sizeof(mctx->block);
}
memcpy(mctx->block, data, len);
}
static void md4_final_ascii(struct md4_ctx *mctx, char *out, unsigned int len)
{
const unsigned int offset = mctx->byte_count & 0x3f;
Reported by FlawFinder.
Line: 393
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *buf, *pos, *firstline;
struct md4_ctx md;
char *fname;
char filelist[PATH_MAX + 1];
int postfix_len = 1;
if (strends(modname, ".lto.o"))
postfix_len = 5;
Reported by FlawFinder.
Line: 262
Column: 8
CWE codes:
126
unsigned long i, len;
file = read_text_file(fname);
len = strlen(file);
for (i = 0; i < len; i++) {
/* Collapse and ignore \ and CR. */
if (file[i] == '\\' && (i+1 < len) && file[i+1] == '\n') {
i++;
Reported by FlawFinder.
Line: 295
Column: 12
CWE codes:
126
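/*
 * Check whether the file is a static library or not.
 *
 * Returns 1 when objfile ends in ".a" and 0 otherwise. objfile must be a
 * NUL-terminated string. A name shorter than two characters cannot carry
 * the suffix and is rejected before any suffix byte is read, so an empty
 * or one-character name never indexes in front of the string.
 */
static int is_static_library(const char *objfile)
{
	size_t len = strlen(objfile);

	/* Without this guard, len - 2 would point before objfile[0]. */
	if (len < 2)
		return 0;

	return objfile[len - 2] == '.' && objfile[len - 1] == 'a';
}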
Reported by FlawFinder.
Line: 310
Column: 22
CWE codes:
126
const char *base;
int dirlen, ret = 0, check_files = 0;
cmd = NOFAIL(malloc(strlen(objfile) + sizeof("..cmd")));
base = strrchr(objfile, '/');
if (base) {
base++;
dirlen = base - objfile;
Reported by FlawFinder.
Line: 322
Column: 2
CWE codes:
120
sprintf(cmd, ".%s.cmd", objfile);
}
dir = NOFAIL(malloc(dirlen + 1));
strncpy(dir, objfile, dirlen);
dir[dirlen] = '\0';
file = read_text_file(cmd);
pos = file;
Reported by FlawFinder.