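The following issues were reported by static analysis tools (Cppcheck and FlawFinder). Each entry gives the tool's finding and an excerpt of the flagged code; these are tool reports that need manual triage, not confirmed vulnerabilities.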
drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
13 issues
Line: 5177
CWE codes:
562
};
struct iwl_host_cmd hcmd = {
.id = WIDE_ID(DATA_PATH_GROUP, TRIGGER_RX_QUEUES_NOTIF_CMD),
.data[0] = &cmd,
.len[0] = sizeof(cmd),
.data[1] = data,
.len[1] = size,
.flags = sync ? 0 : CMD_ASYNC,
};
Reported by Cppcheck.
Line: 414
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hw->max_tx_fragments = mvm->trans->max_skb_frags;
BUILD_BUG_ON(ARRAY_SIZE(mvm->ciphers) < ARRAY_SIZE(mvm_ciphers) + 6);
memcpy(mvm->ciphers, mvm_ciphers, sizeof(mvm_ciphers));
hw->wiphy->n_cipher_suites = ARRAY_SIZE(mvm_ciphers);
hw->wiphy->cipher_suites = mvm->ciphers;
if (iwl_mvm_has_new_rx_api(mvm)) {
mvm->ciphers[hw->wiphy->n_cipher_suites] =
Reported by FlawFinder.
Line: 529
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hw->max_listen_interval = IWL_CONN_MAX_LISTEN_INTERVAL;
/* Extract MAC address */
memcpy(mvm->addresses[0].addr, mvm->nvm_data->hw_addr, ETH_ALEN);
hw->wiphy->addresses = mvm->addresses;
hw->wiphy->n_addresses = 1;
/* Extract additional MAC addresses if available */
num_mac = (mvm->nvm_data->n_hw_addrs > 1) ?
Reported by FlawFinder.
Line: 538
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
min(IWL_MVM_MAX_ADDRESSES, mvm->nvm_data->n_hw_addrs) : 1;
for (i = 1; i < num_mac; i++) {
memcpy(mvm->addresses[i].addr, mvm->addresses[i-1].addr,
ETH_ALEN);
mvm->addresses[i].addr[5]++;
hw->wiphy->n_addresses++;
}
Reported by FlawFinder.
Line: 1652
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
cmd->port_id = data->port_id++;
memcpy(cmd->bssid, vif->bss_conf.bssid, ETH_ALEN);
len = roundup(sizeof(*cmd) + cmd->count * ETH_ALEN, 4);
hcmd.len[0] = len;
hcmd.data[0] = cmd;
Reported by FlawFinder.
Line: 1708
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
netdev_hw_addr_list_for_each(addr, mc_list) {
IWL_DEBUG_MAC80211(mvm, "mcast addr (%d): %pM\n",
cmd->count, addr->addr);
memcpy(&cmd->addr_list[cmd->count * ETH_ALEN],
addr->addr, ETH_ALEN);
cmd->count++;
}
return (u64)(unsigned long)cmd;
Reported by FlawFinder.
Line: 1781
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct iwl_fw_bcast_filter_attr *attr;
int i;
memcpy(out_filter, in_filter, sizeof(*out_filter));
for (i = 0; i < ARRAY_SIZE(out_filter->attrs); i++) {
attr = &out_filter->attrs[i];
if (!attr->mask)
Reported by FlawFinder.
Line: 1927
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct iwl_mu_group_mgmt_cmd cmd = {};
memcpy(cmd.membership_status, vif->bss_conf.mu_group.membership,
WLAN_MEMBERSHIP_LEN);
memcpy(cmd.user_position, vif->bss_conf.mu_group.position,
WLAN_USER_POSITION_LEN);
return iwl_mvm_send_cmd_pdu(mvm,
Reported by FlawFinder.
Line: 1929
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(cmd.membership_status, vif->bss_conf.mu_group.membership,
WLAN_MEMBERSHIP_LEN);
memcpy(cmd.user_position, vif->bss_conf.mu_group.position,
WLAN_USER_POSITION_LEN);
return iwl_mvm_send_cmd_pdu(mvm,
WIDE_ID(DATA_PATH_GROUP,
UPDATE_MU_GROUPS_CMD),
Reported by FlawFinder.
Line: 2271
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* branch for disassociation below.
*/
if (changes & BSS_CHANGED_BSSID && !mvmvif->associated)
memcpy(mvmvif->bssid, bss_conf->bssid, ETH_ALEN);
ret = iwl_mvm_mac_ctxt_changed(mvm, vif, false, mvmvif->bssid);
if (ret)
IWL_ERR(mvm, "failed to update MAC %pM\n", vif->addr);
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/dvm/sta.c
13 issues
Line: 300
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Set up the REPLY_ADD_STA command to send to device */
memset(&station->sta, 0, sizeof(struct iwl_addsta_cmd));
memcpy(station->sta.sta.addr, addr, ETH_ALEN);
station->sta.mode = 0;
station->sta.sta.sta_id = sta_id;
station->sta.station_flags = ctx->station_flags;
station->ctxid = ctx->ctxid;
Reported by FlawFinder.
Line: 368
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
priv->stations[sta_id].used |= IWL_STA_UCODE_INPROGRESS;
memcpy(&sta_cmd, &priv->stations[sta_id].sta,
sizeof(struct iwl_addsta_cmd));
spin_unlock_bh(&priv->sta_lock);
/* Add station to device's station table */
ret = iwl_send_add_sta(priv, &sta_cmd, 0);
Reported by FlawFinder.
Line: 422
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&rm_sta_cmd, 0, sizeof(rm_sta_cmd));
rm_sta_cmd.num_sta = 1;
memcpy(&rm_sta_cmd.addr, addr, ETH_ALEN);
cmd.flags |= CMD_WANT_SKB;
ret = iwl_dvm_send_cmd(priv, &cmd);
Reported by FlawFinder.
Line: 680
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < IWLAGN_STATION_COUNT; i++) {
if ((priv->stations[i].used & IWL_STA_UCODE_INPROGRESS)) {
memcpy(&sta_cmd, &priv->stations[i].sta,
sizeof(struct iwl_addsta_cmd));
send_lq = false;
if (priv->stations[i].lq) {
if (priv->wowlan)
iwl_sta_fill_lq(priv, ctx, i, &lq);
Reported by FlawFinder.
Line: 687
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (priv->wowlan)
iwl_sta_fill_lq(priv, ctx, i, &lq);
else
memcpy(&lq, priv->stations[i].lq,
sizeof(struct iwl_link_quality_cmd));
if (memcmp(&lq, &zero_lq, sizeof(lq)))
send_lq = true;
}
Reported by FlawFinder.
Line: 969
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
wep_cmd->key[i].key_size = ctx->wep_keys[i].key_size;
memcpy(&wep_cmd->key[i].key[3], ctx->wep_keys[i].key,
ctx->wep_keys[i].key_size);
}
wep_cmd->global_key_type = WEP_KEY_WEP_TYPE;
wep_cmd->num_keys = WEP_KEYS_MAX;
Reported by FlawFinder.
Line: 1037
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
keyconf->hw_key_idx = IWLAGN_HW_KEY_DEFAULT;
ctx->wep_keys[keyconf->keyidx].key_size = keyconf->keylen;
memcpy(&ctx->wep_keys[keyconf->keyidx].key, &keyconf->key,
keyconf->keylen);
ret = iwl_send_static_wepkey_cmd(priv, ctx, false);
IWL_DEBUG_WEP(priv, "Set default WEP key: len=%d idx=%d ret=%d\n",
keyconf->keylen, keyconf->keyidx, ret);
Reported by FlawFinder.
Line: 1101
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (keyconf->cipher) {
case WLAN_CIPHER_SUITE_CCMP:
key_flags |= STA_KEY_FLG_CCMP;
memcpy(sta_cmd.key.key, keyconf->key, keyconf->keylen);
break;
case WLAN_CIPHER_SUITE_TKIP:
key_flags |= STA_KEY_FLG_TKIP;
sta_cmd.key.tkip_rx_tsc_byte2 = tkip_iv32;
for (i = 0; i < 5; i++)
Reported by FlawFinder.
Line: 1108
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sta_cmd.key.tkip_rx_tsc_byte2 = tkip_iv32;
for (i = 0; i < 5; i++)
sta_cmd.key.tkip_rx_ttak[i] = cpu_to_le16(tkip_p1k[i]);
memcpy(sta_cmd.key.key, keyconf->key, keyconf->keylen);
break;
case WLAN_CIPHER_SUITE_WEP104:
key_flags |= STA_KEY_FLG_KEY_SIZE_MSK;
fallthrough;
case WLAN_CIPHER_SUITE_WEP40:
Reported by FlawFinder.
Line: 1115
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fallthrough;
case WLAN_CIPHER_SUITE_WEP40:
key_flags |= STA_KEY_FLG_WEP;
memcpy(&sta_cmd.key.key[3], keyconf->key, keyconf->keylen);
break;
default:
WARN_ON(1);
return -EINVAL;
}
Reported by FlawFinder.
fs/nfs/nfs3xdr.c
13 issues
Line: 2533
Column: 18
CWE codes:
362
20
Suggestion:
Reconsider approach
PROC(SETATTR, setattr, setattr, 0),
PROC(LOOKUP, lookup, lookup, 2),
PROC(ACCESS, access, access, 1),
PROC(READLINK, readlink, readlink, 3),
PROC(READ, read, read, 3),
PROC(WRITE, write, write, 4),
PROC(CREATE, create, create, 0),
PROC(MKDIR, mkdir, create, 0),
PROC(SYMLINK, symlink, create, 0),
Reported by FlawFinder.
Line: 2533
Column: 28
CWE codes:
362
20
Suggestion:
Reconsider approach
PROC(SETATTR, setattr, setattr, 0),
PROC(LOOKUP, lookup, lookup, 2),
PROC(ACCESS, access, access, 1),
PROC(READLINK, readlink, readlink, 3),
PROC(READ, read, read, 3),
PROC(WRITE, write, write, 4),
PROC(CREATE, create, create, 0),
PROC(MKDIR, mkdir, create, 0),
PROC(SYMLINK, symlink, create, 0),
Reported by FlawFinder.
Line: 889
Column: 27
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
const struct nfs3_accessargs *args)
{
encode_nfs_fh3(xdr, args->fh);
encode_uint32(xdr, args->access);
}
static void nfs3_xdr_enc_access3args(struct rpc_rqst *req,
struct xdr_stream *xdr,
const void *data)
Reported by FlawFinder.
Line: 1535
Column: 38
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
goto out;
if (status != NFS3_OK)
goto out_default;
error = decode_uint32(xdr, &result->access);
out:
return error;
out_default:
return nfs3_stat_to_errno(status);
}
Reported by FlawFinder.
Line: 2532
Column: 25
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
PROC(GETATTR, getattr, getattr, 1),
PROC(SETATTR, setattr, setattr, 0),
PROC(LOOKUP, lookup, lookup, 2),
PROC(ACCESS, access, access, 1),
PROC(READLINK, readlink, readlink, 3),
PROC(READ, read, read, 3),
PROC(WRITE, write, write, 4),
PROC(CREATE, create, create, 0),
PROC(MKDIR, mkdir, create, 0),
Reported by FlawFinder.
Line: 2532
Column: 16
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
PROC(GETATTR, getattr, getattr, 1),
PROC(SETATTR, setattr, setattr, 0),
PROC(LOOKUP, lookup, lookup, 2),
PROC(ACCESS, access, access, 1),
PROC(READLINK, readlink, readlink, 3),
PROC(READ, read, read, 3),
PROC(WRITE, write, write, 4),
PROC(CREATE, create, create, 0),
PROC(MKDIR, mkdir, create, 0),
Reported by FlawFinder.
Line: 277
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
static __be32 *xdr_encode_cookieverf3(__be32 *p, const __be32 *verifier)
{
/*
 * Copies NFS3_COOKIEVERFSIZE bytes from verifier to p and returns p
 * advanced by XDR_QUADLEN(NFS3_COOKIEVERFSIZE) __be32 elements.
 * NOTE(review): the length argument is the NFS3_COOKIEVERFSIZE macro
 * (presumably a compile-time constant; confirm against its definition),
 * not a value read from the request. Whether p has that much room is
 * decided by the caller, which this excerpt does not show.
 */
memcpy(p, verifier, NFS3_COOKIEVERFSIZE);
return p + XDR_QUADLEN(NFS3_COOKIEVERFSIZE);
}
static int decode_cookieverf3(struct xdr_stream *xdr, __be32 *verifier)
{
Reported by FlawFinder.
Line: 288
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = xdr_inline_decode(xdr, NFS3_COOKIEVERFSIZE);
if (unlikely(!p))
return -EIO;
memcpy(verifier, p, NFS3_COOKIEVERFSIZE);
return 0;
}
/*
* createverf3
Reported by FlawFinder.
Line: 302
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__be32 *p;
p = xdr_reserve_space(xdr, NFS3_CREATEVERFSIZE);
memcpy(p, verifier, NFS3_CREATEVERFSIZE);
}
static int decode_writeverf3(struct xdr_stream *xdr, struct nfs_write_verifier *verifier)
{
__be32 *p;
Reported by FlawFinder.
Line: 312
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = xdr_inline_decode(xdr, NFS3_WRITEVERFSIZE);
if (unlikely(!p))
return -EIO;
memcpy(verifier->data, p, NFS3_WRITEVERFSIZE);
return 0;
}
/*
* size3
Reported by FlawFinder.
drivers/media/test-drivers/vivid/vivid-kthread-cap.c
13 issues
Line: 130
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int_part = srcw / dstw;
fract_part = srcw % dstw;
for (x = 0; x < dstw; x++, dst += twopixsize) {
memcpy(dst, src + src_x * twopixsize, twopixsize);
src_x += int_part;
error += fract_part;
if (error >= dstw) {
error -= dstw;
src_x++;
Reported by FlawFinder.
Line: 293
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* with black.
*/
for (y = 0; y < hmax / vdiv; y++, vcapbuf += stride_cap)
memcpy(vcapbuf, tpg->black_line[p], img_width);
return 0;
}
if (dev->overlay_out_enabled &&
dev->loop_vid_overlay.width && dev->loop_vid_overlay.height) {
Reported by FlawFinder.
Line: 324
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
if (y < dev->loop_vid_cap.top ||
y >= dev->loop_vid_cap.top + dev->loop_vid_cap.height) {
memcpy(vcapbuf, tpg->black_line[p], img_width);
continue;
}
/* fill the left border with black */
if (dev->loop_vid_cap.left)
Reported by FlawFinder.
Line: 330
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* fill the left border with black */
if (dev->loop_vid_cap.left)
memcpy(vcapbuf, tpg->black_line[p], vid_cap_left);
/* fill the right border with black */
if (vid_cap_right < img_width)
memcpy(vcapbuf + vid_cap_right, tpg->black_line[p],
img_width - vid_cap_right);
Reported by FlawFinder.
Line: 334
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* fill the right border with black */
if (vid_cap_right < img_width)
memcpy(vcapbuf + vid_cap_right, tpg->black_line[p],
img_width - vid_cap_right);
if (quick && !osdline) {
memcpy(vcapbuf + vid_cap_left,
voutbuf + vid_out_y * stride_out,
Reported by FlawFinder.
Line: 338
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
img_width - vid_cap_right);
if (quick && !osdline) {
memcpy(vcapbuf + vid_cap_left,
voutbuf + vid_out_y * stride_out,
tpg_hdiv(tpg, p, dev->loop_vid_cap.width));
goto update_vid_out_y;
}
if (dev->cur_scaled_line == vid_out_y) {
Reported by FlawFinder.
Line: 344
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto update_vid_out_y;
}
if (dev->cur_scaled_line == vid_out_y) {
memcpy(vcapbuf + vid_cap_left, dev->scaled_line,
tpg_hdiv(tpg, p, dev->loop_vid_cap.width));
goto update_vid_out_y;
}
if (!osdline) {
scale_line(voutbuf + vid_out_y * stride_out, dev->scaled_line,
Reported by FlawFinder.
Line: 372
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->blended_line + offset, osd,
dev->loop_vid_overlay.width, twopixsize / 2);
else
memcpy(dev->blended_line + offset,
osd, (dev->loop_vid_overlay.width * twopixsize) / 2);
scale_line(dev->blended_line, dev->scaled_line,
dev->loop_vid_copy.width, dev->loop_vid_cap.width,
tpg_g_twopixelsize(tpg, p));
}
Reported by FlawFinder.
Line: 379
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tpg_g_twopixelsize(tpg, p));
}
dev->cur_scaled_line = vid_out_y;
memcpy(vcapbuf + vid_cap_left, dev->scaled_line,
tpg_hdiv(tpg, p, dev->loop_vid_cap.width));
update_vid_out_y:
if (osdline) {
vid_overlay_y += vid_overlay_int_part;
Reported by FlawFinder.
Line: 402
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!blank)
return 0;
for (; y < img_height; y += vdiv, vcapbuf += stride_cap)
memcpy(vcapbuf, tpg->contrast_line[p], img_width);
return 0;
}
static void vivid_fillbuff(struct vivid_dev *dev, struct vivid_buffer *buf)
{
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/mvm/scan.c
13 issues
Line: 490
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
continue;
ssids[i].id = WLAN_EID_SSID;
ssids[i].len = params->match_sets[j].ssid.ssid_len;
memcpy(ssids[i].ssid, params->match_sets[j].ssid.ssid,
ssids[i].len);
}
/* add SSIDs from scan SSID list */
for (j = params->n_ssids - 1;
Reported by FlawFinder.
Line: 504
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (index < 0) {
ssids[i].id = WLAN_EID_SSID;
ssids[i].len = params->ssids[j].ssid_len;
memcpy(ssids[i].ssid, params->ssids[j].ssid,
ssids[i].len);
tmp_bitmap |= BIT(i);
} else {
tmp_bitmap |= BIT(index);
}
Reported by FlawFinder.
Line: 708
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 *newpos = pos;
if (!iwl_mvm_rrm_scan_needed(mvm)) {
memcpy(newpos, ies, len);
return newpos + len;
}
offs = ieee80211_ie_split(ies, len,
before_ds_params,
Reported by FlawFinder.
Line: 717
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ARRAY_SIZE(before_ds_params),
0);
memcpy(newpos, ies, offs);
newpos += offs;
/* Add a placeholder for DS Parameter Set element */
*newpos++ = WLAN_EID_DS_PARAMS;
*newpos++ = 1;
Reported by FlawFinder.
Line: 725
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*newpos++ = 1;
*newpos++ = 0;
memcpy(newpos, ies + offs, len - offs);
newpos += len - offs;
return newpos;
}
Reported by FlawFinder.
Line: 767
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
get_random_mask_addr(frame->sa, mac_addr,
params->mac_addr_mask);
else
memcpy(frame->sa, vif->addr, ETH_ALEN);
frame->frame_control = cpu_to_le16(IEEE80211_STYPE_PROBE_REQ);
eth_broadcast_addr(frame->da);
eth_broadcast_addr(frame->bssid);
frame->seq_ctrl = 0;
Reported by FlawFinder.
Line: 790
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
params->preq.band_data[0].len = cpu_to_le16(newpos - pos);
pos = newpos;
memcpy(pos, ies->ies[NL80211_BAND_5GHZ],
ies->len[NL80211_BAND_5GHZ]);
params->preq.band_data[1].offset = cpu_to_le16(pos - params->preq.buf);
params->preq.band_data[1].len =
cpu_to_le16(ies->len[NL80211_BAND_5GHZ]);
pos += ies->len[NL80211_BAND_5GHZ];
Reported by FlawFinder.
Line: 797
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpu_to_le16(ies->len[NL80211_BAND_5GHZ]);
pos += ies->len[NL80211_BAND_5GHZ];
memcpy(pos, ies->ies[NL80211_BAND_6GHZ],
ies->len[NL80211_BAND_6GHZ]);
params->preq.band_data[2].offset = cpu_to_le16(pos - params->preq.buf);
params->preq.band_data[2].len =
cpu_to_le16(ies->len[NL80211_BAND_6GHZ]);
pos += ies->len[NL80211_BAND_6GHZ];
Reported by FlawFinder.
Line: 803
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
params->preq.band_data[2].len =
cpu_to_le16(ies->len[NL80211_BAND_6GHZ]);
pos += ies->len[NL80211_BAND_6GHZ];
memcpy(pos, ies->common_ies, ies->common_ie_len);
params->preq.common_data.offset = cpu_to_le16(pos - params->preq.buf);
if (iwl_mvm_rrm_scan_needed(mvm) &&
!fw_has_capa(&mvm->fw->ucode_capa,
IWL_UCODE_TLV_CAPA_WFA_TPC_REP_IE_SUPPORT)) {
Reported by FlawFinder.
Line: 1088
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
iwl_mvm_fill_scan_dwell(mvm, &cfg->dwell);
memcpy(&cfg->mac_addr, &mvm->addresses[0].addr, ETH_ALEN);
/* This function should not be called when using ADD_STA ver >=12 */
WARN_ON_ONCE(iwl_fw_lookup_cmd_ver(mvm->fw, LONG_GROUP,
ADD_STA, 0) >= 12);
Reported by FlawFinder.
drivers/scsi/aic7xxx/aic79xx_osm.c
13 issues
Line: 563
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
memset(bp, 0, sizeof(buffer));
strcpy(bp, "Adaptec AIC79XX PCI-X SCSI HBA DRIVER, Rev " AIC79XX_DRIVER_VERSION "\n"
" <");
strcat(bp, ahd->description);
strcat(bp, ">\n"
" ");
ahd_controller_info(ahd, ahd_info);
strcat(bp, ahd_info);
Reported by FlawFinder.
Line: 567
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(bp, ">\n"
" ");
ahd_controller_info(ahd, ahd_info);
strcat(bp, ahd_info);
return (bp);
}
/*
Reported by FlawFinder.
Line: 1239
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
sprintf(buf, "scsi%d", host->host_no);
new_name = kmalloc(strlen(buf) + 1, GFP_ATOMIC);
if (new_name != NULL) {
strcpy(new_name, buf);
ahd_set_name(ahd, new_name);
}
host->unique_id = ahd->unit;
ahd_linux_initialize_scsi_bus(ahd);
ahd_intr_enable(ahd, TRUE);
Reported by FlawFinder.
Line: 553
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *
ahd_linux_info(struct Scsi_Host *host)
{
static char buffer[512];
char ahd_info[256];
char *bp;
struct ahd_softc *ahd;
bp = &buffer[0];
Reported by FlawFinder.
Line: 554
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ahd_linux_info(struct Scsi_Host *host)
{
static char buffer[512];
char ahd_info[256];
char *bp;
struct ahd_softc *ahd;
bp = &buffer[0];
ahd = *(struct ahd_softc **)host->hostdata;
Reported by FlawFinder.
Line: 561
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
bp = &buffer[0];
ahd = *(struct ahd_softc **)host->hostdata;
memset(bp, 0, sizeof(buffer));
strcpy(bp, "Adaptec AIC79XX PCI-X SCSI HBA DRIVER, Rev " AIC79XX_DRIVER_VERSION "\n"
" <");
strcat(bp, ahd->description);
strcat(bp, ">\n"
" ");
ahd_controller_info(ahd, ahd_info);
Reported by FlawFinder.
Line: 564
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcpy(bp, "Adaptec AIC79XX PCI-X SCSI HBA DRIVER, Rev " AIC79XX_DRIVER_VERSION "\n"
" <");
strcat(bp, ahd->description);
strcat(bp, ">\n"
" ");
ahd_controller_info(ahd, ahd_info);
strcat(bp, ahd_info);
return (bp);
Reported by FlawFinder.
Line: 1211
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int
ahd_linux_register_host(struct ahd_softc *ahd, struct scsi_host_template *template)
{
char buf[80];
struct Scsi_Host *host;
char *new_name;
u_long s;
int retval;
Reported by FlawFinder.
Line: 1236
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ahd_lock(ahd, &s);
ahd_set_unit(ahd, ahd_linux_unit++);
ahd_unlock(ahd, &s);
sprintf(buf, "scsi%d", host->host_no);
new_name = kmalloc(strlen(buf) + 1, GFP_ATOMIC);
if (new_name != NULL) {
strcpy(new_name, buf);
ahd_set_name(ahd, new_name);
}
Reported by FlawFinder.
Line: 1613
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
hscb->cdb_len = cmd->cmd_len;
memcpy(hscb->shared_data.idata.cdb, cmd->cmnd, hscb->cdb_len);
scb->platform_data->xfer_len = 0;
ahd_set_residual(scb, 0);
ahd_set_sense_residual(scb, 0);
scb->sg_count = 0;
Reported by FlawFinder.
net/iucv/iucv.c
13 issues
Line: 864
Column: 25
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
* Returns the result of the CP IUCV call.
*/
int iucv_path_connect(struct iucv_path *path, struct iucv_handler *handler,
u8 *userid, u8 *system, u8 *userdata,
void *private)
{
union iucv_param *parm;
int rc;
Reported by FlawFinder.
Line: 885
Column: 6
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
ASCEBC(parm->ctrl.ipvmid, sizeof(parm->ctrl.ipvmid));
EBC_TOUPPER(parm->ctrl.ipvmid, sizeof(parm->ctrl.ipvmid));
}
if (system) {
memcpy(parm->ctrl.iptarget, system,
sizeof(parm->ctrl.iptarget));
ASCEBC(parm->ctrl.iptarget, sizeof(parm->ctrl.iptarget));
EBC_TOUPPER(parm->ctrl.iptarget, sizeof(parm->ctrl.iptarget));
}
Reported by FlawFinder.
Line: 886
Column: 31
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
EBC_TOUPPER(parm->ctrl.ipvmid, sizeof(parm->ctrl.ipvmid));
}
if (system) {
memcpy(parm->ctrl.iptarget, system,
sizeof(parm->ctrl.iptarget));
ASCEBC(parm->ctrl.iptarget, sizeof(parm->ctrl.iptarget));
EBC_TOUPPER(parm->ctrl.iptarget, sizeof(parm->ctrl.iptarget));
}
if (userdata)
Reported by FlawFinder.
Line: 149
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* Error messages that are used with the iucv_sever function. They get
* converted to EBCDIC.
*/
/*
 * NOTE(review): each initializer is a string literal shorter than its
 * 16-byte array ("NO LISTENER" is 11 characters, "NO MEMORY" 9,
 * "INVALID PATHID" 14), so the terminator and zero padding fit. Any
 * overflow risk would have to come from later writes into these
 * buffers, which this excerpt does not show.
 */
static char iucv_error_no_listener[16] = "NO LISTENER";
static char iucv_error_no_memory[16] = "NO MEMORY";
static char iucv_error_pathid[16] = "INVALID PATHID";
/*
* iucv_handler_list: List of registered handlers.
Reported by FlawFinder.
Line: 150
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* converted to EBCDIC.
*/
static char iucv_error_no_listener[16] = "NO LISTENER";
static char iucv_error_no_memory[16] = "NO MEMORY";
static char iucv_error_pathid[16] = "INVALID PATHID";
/*
* iucv_handler_list: List of registered handlers.
*/
Reported by FlawFinder.
Line: 151
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static char iucv_error_no_listener[16] = "NO LISTENER";
static char iucv_error_no_memory[16] = "NO MEMORY";
static char iucv_error_pathid[16] = "INVALID PATHID";
/*
* iucv_handler_list: List of registered handlers.
*/
static LIST_HEAD(iucv_handler_list);
Reported by FlawFinder.
Line: 1081
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size = (size < 8) ? size : 8;
for (array = buffer; size > 0; array++) {
copy = min_t(size_t, size, array->length);
memcpy((u8 *)(addr_t) array->address,
rmmsg, copy);
rmmsg += copy;
size -= copy;
}
} else {
Reported by FlawFinder.
Line: 1088
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
} else {
/* Copy to direct buffer. */
memcpy(buffer, rmmsg, min_t(size_t, size, 8));
}
return 0;
}
/**
Reported by FlawFinder.
Line: 1240
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
parm->dpl.ipflags1 = flags;
parm->dpl.ipmsgid = msg->id;
parm->dpl.iptrgcls = msg->class;
memcpy(parm->dpl.iprmmsg, reply, min_t(size_t, size, 8));
} else {
parm->db.ipbfadr1 = (u32)(addr_t) reply;
parm->db.ipbfln1f = (u32) size;
parm->db.ippathid = path->pathid;
parm->db.ipflags1 = flags;
Reported by FlawFinder.
Line: 1292
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
parm->dpl.iptrgcls = msg->class;
parm->dpl.ipsrccls = srccls;
parm->dpl.ipmsgtag = msg->tag;
memcpy(parm->dpl.iprmmsg, buffer, 8);
} else {
parm->db.ipbfadr1 = (u32)(addr_t) buffer;
parm->db.ipbfln1f = (u32) size;
parm->db.ippathid = path->pathid;
parm->db.ipflags1 = flags | IUCV_IPNORPY;
Reported by FlawFinder.
drivers/target/iscsi/iscsi_target_login.c
13 issues
Line: 238
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
memset(buf, 0, sizeof buf);
va_start(args, fmt);
vsnprintf(buf, sizeof buf, fmt, args);
va_end(args);
if (iscsi_change_param_value(buf, conn->param_list, 0) < 0) {
iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
ISCSI_LOGIN_STATUS_NO_RESOURCES);
Reported by FlawFinder.
Line: 233
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *fmt, ...)
{
va_list args;
unsigned char buf[64];
memset(buf, 0, sizeof buf);
va_start(args, fmt);
vsnprintf(buf, sizeof buf, fmt, args);
Reported by FlawFinder.
Line: 275
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto free_sess;
sess->init_task_tag = pdu->itt;
memcpy(&sess->isid, pdu->isid, 6);
sess->exp_cmd_sn = be32_to_cpu(pdu->cmdsn);
INIT_LIST_HEAD(&sess->sess_conn_list);
INIT_LIST_HEAD(&sess->sess_ooo_cmdsn_list);
INIT_LIST_HEAD(&sess->cr_active_list);
INIT_LIST_HEAD(&sess->cr_inactive_list);
Reported by FlawFinder.
Line: 891
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Setup the np->np_sockaddr from the passed sockaddr setup
* in iscsi_target_configfs.c code..
*/
memcpy(&np->np_sockaddr, sockaddr,
sizeof(struct sockaddr_storage));
if (sockaddr->ss_family == AF_INET6)
len = sizeof(struct sockaddr_in6);
else
Reported by FlawFinder.
Line: 968
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(struct sockaddr *)&sock_in6, 1);
if (rc >= 0) {
if (!ipv6_addr_v4mapped(&sock_in6.sin6_addr)) {
memcpy(&conn->login_sockaddr, &sock_in6, sizeof(sock_in6));
} else {
/* Pretend to be an ipv4 socket */
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
Reported by FlawFinder.
Line: 973
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Pretend to be an ipv4 socket */
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
memcpy(&conn->login_sockaddr, &sock_in, sizeof(sock_in));
}
}
rc = conn->sock->ops->getname(conn->sock,
Reported by FlawFinder.
Line: 974
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
memcpy(&conn->login_sockaddr, &sock_in, sizeof(sock_in));
}
}
rc = conn->sock->ops->getname(conn->sock,
(struct sockaddr *)&sock_in6, 0);
Reported by FlawFinder.
Line: 982
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(struct sockaddr *)&sock_in6, 0);
if (rc >= 0) {
if (!ipv6_addr_v4mapped(&sock_in6.sin6_addr)) {
memcpy(&conn->local_sockaddr, &sock_in6, sizeof(sock_in6));
} else {
/* Pretend to be an ipv4 socket */
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
Reported by FlawFinder.
Line: 987
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Pretend to be an ipv4 socket */
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
memcpy(&conn->local_sockaddr, &sock_in, sizeof(sock_in));
}
}
} else {
memset(&sock_in, 0, sizeof(struct sockaddr_in));
Reported by FlawFinder.
Line: 988
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
memcpy(&conn->local_sockaddr, &sock_in, sizeof(sock_in));
}
}
} else {
memset(&sock_in, 0, sizeof(struct sockaddr_in));
Reported by FlawFinder.
drivers/media/usb/cpia2/cpia2_v4l.c
13 issues
Line: 218
Column: 3
CWE codes:
120
Suggestion:
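Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). In kernel code strcat_s (C11 Annex K) is not available; strlcat() with sizeof(vc->card), or a single bounded snprintf()/scnprintf(), is the usual replacement. Every string appended in this function is a fixed literal ("CPiA2 Camera" plus a 6-character and a 4-character suffix, 22 characters and a terminator in total), so the findings for this file reduce to checking that against the declared size of vc->card, which is outside this excerpt.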
strscpy(vc->card, "CPiA2 Camera", sizeof(vc->card));
switch (cam->params.pnp_id.device_type) {
case DEVICE_STV_672:
strcat(vc->card, " (672/");
break;
case DEVICE_STV_676:
strcat(vc->card, " (676/");
break;
default:
Reported by FlawFinder.
Line: 221
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(vc->card, " (672/");
break;
case DEVICE_STV_676:
strcat(vc->card, " (676/");
break;
default:
strcat(vc->card, " (XXX/");
break;
}
Reported by FlawFinder.
Line: 224
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(vc->card, " (676/");
break;
default:
strcat(vc->card, " (XXX/");
break;
}
switch (cam->params.version.sensor_flags) {
case CPIA2_VP_SENSOR_FLAGS_404:
strcat(vc->card, "404)");
Reported by FlawFinder.
Line: 229
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
}
switch (cam->params.version.sensor_flags) {
case CPIA2_VP_SENSOR_FLAGS_404:
strcat(vc->card, "404)");
break;
case CPIA2_VP_SENSOR_FLAGS_407:
strcat(vc->card, "407)");
break;
case CPIA2_VP_SENSOR_FLAGS_409:
Reported by FlawFinder.
Line: 232
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(vc->card, "404)");
break;
case CPIA2_VP_SENSOR_FLAGS_407:
strcat(vc->card, "407)");
break;
case CPIA2_VP_SENSOR_FLAGS_409:
strcat(vc->card, "409)");
break;
case CPIA2_VP_SENSOR_FLAGS_410:
Reported by FlawFinder.
Line: 235
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(vc->card, "407)");
break;
case CPIA2_VP_SENSOR_FLAGS_409:
strcat(vc->card, "409)");
break;
case CPIA2_VP_SENSOR_FLAGS_410:
strcat(vc->card, "410)");
break;
case CPIA2_VP_SENSOR_FLAGS_500:
Reported by FlawFinder.
Line: 238
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(vc->card, "409)");
break;
case CPIA2_VP_SENSOR_FLAGS_410:
strcat(vc->card, "410)");
break;
case CPIA2_VP_SENSOR_FLAGS_500:
strcat(vc->card, "500)");
break;
default:
Reported by FlawFinder.
Line: 241
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(vc->card, "410)");
break;
case CPIA2_VP_SENSOR_FLAGS_500:
strcat(vc->card, "500)");
break;
default:
strcat(vc->card, "XXX)");
break;
}
Reported by FlawFinder.
Line: 244
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(vc->card, "500)");
break;
default:
strcat(vc->card, "XXX)");
break;
}
if (usb_make_path(cam->dev, vc->bus_info, sizeof(vc->bus_info)) < 0)
memset(vc->bus_info, 0, sizeof(vc->bus_info));
Reported by FlawFinder.
Line: 672
Column: 3
CWE codes:
120
Suggestion:
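Make sure destination can always hold the source data. The length is the runtime value cam->APP_len and the excerpt checks only that it is greater than 0; confirm that the code which sets APP_len bounds it by the size of both APP_data arrays, or clamp it here against sizeof(parms->APP_data).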
parms->APPn = cam->APPn;
parms->APP_len = cam->APP_len;
if (cam->APP_len > 0) {
memcpy(parms->APP_data, cam->APP_data, cam->APP_len);
parms->jpeg_markers |= V4L2_JPEG_MARKER_APP;
}
parms->COM_len = cam->COM_len;
if (cam->COM_len > 0) {
Reported by FlawFinder.
drivers/scsi/elx/libefc_sli/sli4.c
13 issues
Line: 1137
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sli4->params.perf_wq_id_association)
sli_set_wq_id_association(entry, q->id);
memcpy(qe, entry, q->size);
val = sli_format_wq_db_data(q->id);
writel(val, q->db_regaddr);
q->index = (q->index + 1) & (q->length - 1);
Reported by FlawFinder.
Line: 1158
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
qindex = q->index;
qe += q->index * q->size;
memcpy(qe, entry, q->size);
val = sli_format_mq_db_data(q->id);
writel(val, q->db_regaddr);
q->index = (q->index + 1) & (q->length - 1);
spin_unlock_irqrestore(&q->lock, flags);
Reported by FlawFinder.
Line: 1177
Column: 2
CWE codes:
120
Suggestion:
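Make sure destination can always hold the source data. The destination is `qe` advanced by q->index * q->size and the index is wrapped with `& (q->length - 1)`, which keeps it inside the ring only if q->length is a power of two; the caller's `entry` must also be at least q->size bytes. Neither condition is visible in this excerpt.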
qindex = q->index;
qe += q->index * q->size;
memcpy(qe, entry, q->size);
/*
* In RQ-pair, an RQ either contains the FC header
* (i.e. is_hdr == TRUE) or the payload.
*
Reported by FlawFinder.
Line: 1220
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
((struct sli4_eqe *)qe)->dw0w0_flags = cpu_to_le16(wflags);
}
memcpy(entry, qe, q->size);
q->index = (q->index + 1) & (q->length - 1);
q->n_posted++;
/*
* For prism, the phase value will be used
* to check the validity of eq/cq entries.
Reported by FlawFinder.
Line: 1264
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
((struct sli4_mcqe *)qe)->dw3_flags = cpu_to_le32(dwflags);
}
memcpy(entry, qe, q->size);
q->index = (q->index + 1) & (q->length - 1);
q->n_posted++;
/*
* For prism, the phase value will be used
* to check the validity of eq/cq entries.
Reported by FlawFinder.
Line: 1298
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EIO;
}
memcpy(entry, qe, q->size);
q->u.r_idx = (q->u.r_idx + 1) & (q->length - 1);
spin_unlock_irqrestore(&q->lock, flags);
return 0;
Reported by FlawFinder.
Line: 3218
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(buf, 0, SLI4_BMBX_SIZE);
write_nvparms->hdr.command = SLI4_MBX_CMD_WRITE_NVPARMS;
memcpy(write_nvparms->wwpn, wwpn, 8);
memcpy(write_nvparms->wwnn, wwnn, 8);
write_nvparms->hard_alpa_d_id =
cpu_to_le32((preferred_d_id << 8) | hard_alpa);
return 0;
Reported by FlawFinder.
Line: 3219
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
write_nvparms->hdr.command = SLI4_MBX_CMD_WRITE_NVPARMS;
memcpy(write_nvparms->wwpn, wwpn, 8);
memcpy(write_nvparms->wwnn, wwnn, 8);
write_nvparms->hard_alpa_d_id =
cpu_to_le32((preferred_d_id << 8) | hard_alpa);
return 0;
}
Reported by FlawFinder.
Line: 3722
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sli_cmd_fill_hdr(&nop->hdr, SLI4_CMN_NOP, SLI4_SUBSYSTEM_COMMON,
CMD_V0, SLI4_RQST_PYLD_LEN(cmn_nop));
memcpy(&nop->context, &context, sizeof(context));
return 0;
}
int
Reported by FlawFinder.
Line: 3966
Column: 2
CWE codes:
120
Suggestion:
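Make sure destination can always hold the source data. `param_len` is used both as the value stored in cmd->param_len and as the copy length, with no bound visible in this excerpt; confirm that it is validated against the size of cmd->params (and of the command buffer that holds `cmd`) before the memcpy.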
cmd->feature = cpu_to_le32(feature);
cmd->param_len = cpu_to_le32(param_len);
memcpy(cmd->params, parameter, param_len);
return 0;
}
int
Reported by FlawFinder.