The following issues were found
sound/isa/gus/gusmax.c
13 issues
Line: 26
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_LICENSE("GPL");
static int index[SNDRV_CARDS] = SNDRV_DEFAULT_IDX; /* Index 0-MAX */
static char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR; /* ID for this card */
static bool enable[SNDRV_CARDS] = SNDRV_DEFAULT_ENABLE; /* Enable this card */
static long port[SNDRV_CARDS] = SNDRV_DEFAULT_PORT; /* 0x220,0x230,0x240,0x250,0x260 */
static int irq[SNDRV_CARDS] = SNDRV_DEFAULT_IRQ; /* 2,3,5,9,11,12,15 */
static int dma1[SNDRV_CARDS] = SNDRV_DEFAULT_DMA; /* 1,3,5,6,7 */
static int dma2[SNDRV_CARDS] = SNDRV_DEFAULT_DMA; /* 1,3,5,6,7 */
Reported by FlawFinder.
Line: 139
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
memset(&id2, 0, sizeof(id2));
id1.iface = id2.iface = SNDRV_CTL_ELEM_IFACE_MIXER;
/* reassign AUXA to SYNTHESIZER */
strcpy(id1.name, "Aux Playback Switch");
strcpy(id2.name, "Synth Playback Switch");
err = snd_ctl_rename_id(card, &id1, &id2);
if (err < 0)
return err;
strcpy(id1.name, "Aux Playback Volume");
Reported by FlawFinder.
Line: 140
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
id1.iface = id2.iface = SNDRV_CTL_ELEM_IFACE_MIXER;
/* reassign AUXA to SYNTHESIZER */
strcpy(id1.name, "Aux Playback Switch");
strcpy(id2.name, "Synth Playback Switch");
err = snd_ctl_rename_id(card, &id1, &id2);
if (err < 0)
return err;
strcpy(id1.name, "Aux Playback Volume");
strcpy(id2.name, "Synth Playback Volume");
Reported by FlawFinder.
Line: 144
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
err = snd_ctl_rename_id(card, &id1, &id2);
if (err < 0)
return err;
strcpy(id1.name, "Aux Playback Volume");
strcpy(id2.name, "Synth Playback Volume");
err = snd_ctl_rename_id(card, &id1, &id2);
if (err < 0)
return err;
/* reassign AUXB to CD */
Reported by FlawFinder.
Line: 145
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (err < 0)
return err;
strcpy(id1.name, "Aux Playback Volume");
strcpy(id2.name, "Synth Playback Volume");
err = snd_ctl_rename_id(card, &id1, &id2);
if (err < 0)
return err;
/* reassign AUXB to CD */
strcpy(id1.name, "Aux Playback Switch"); id1.index = 1;
Reported by FlawFinder.
Line: 150
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (err < 0)
return err;
/* reassign AUXB to CD */
strcpy(id1.name, "Aux Playback Switch"); id1.index = 1;
strcpy(id2.name, "CD Playback Switch");
err = snd_ctl_rename_id(card, &id1, &id2);
if (err < 0)
return err;
strcpy(id1.name, "Aux Playback Volume");
Reported by FlawFinder.
Line: 151
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return err;
/* reassign AUXB to CD */
strcpy(id1.name, "Aux Playback Switch"); id1.index = 1;
strcpy(id2.name, "CD Playback Switch");
err = snd_ctl_rename_id(card, &id1, &id2);
if (err < 0)
return err;
strcpy(id1.name, "Aux Playback Volume");
strcpy(id2.name, "CD Playback Volume");
Reported by FlawFinder.
Line: 155
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
err = snd_ctl_rename_id(card, &id1, &id2);
if (err < 0)
return err;
strcpy(id1.name, "Aux Playback Volume");
strcpy(id2.name, "CD Playback Volume");
err = snd_ctl_rename_id(card, &id1, &id2);
if (err < 0)
return err;
#if 0
Reported by FlawFinder.
Line: 156
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (err < 0)
return err;
strcpy(id1.name, "Aux Playback Volume");
strcpy(id2.name, "CD Playback Volume");
err = snd_ctl_rename_id(card, &id1, &id2);
if (err < 0)
return err;
#if 0
/* reassign Mono Input to MIC */
Reported by FlawFinder.
Line: 333
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err < 0)
goto _err;
sprintf(card->longname + strlen(card->longname), " at 0x%lx, irq %i, dma %i", gus->gf1.port, xirq, xdma1);
if (xdma2 >= 0)
sprintf(card->longname + strlen(card->longname), "&%i", xdma2);
err = snd_card_register(card);
if (err < 0)
Reported by FlawFinder.
drivers/media/test-drivers/vivid/vivid-kthread-cap.c
13 issues
Line: 130
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int_part = srcw / dstw;
fract_part = srcw % dstw;
for (x = 0; x < dstw; x++, dst += twopixsize) {
memcpy(dst, src + src_x * twopixsize, twopixsize);
src_x += int_part;
error += fract_part;
if (error >= dstw) {
error -= dstw;
src_x++;
Reported by FlawFinder.
Line: 293
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* with black.
*/
for (y = 0; y < hmax / vdiv; y++, vcapbuf += stride_cap)
memcpy(vcapbuf, tpg->black_line[p], img_width);
return 0;
}
if (dev->overlay_out_enabled &&
dev->loop_vid_overlay.width && dev->loop_vid_overlay.height) {
Reported by FlawFinder.
Line: 324
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
if (y < dev->loop_vid_cap.top ||
y >= dev->loop_vid_cap.top + dev->loop_vid_cap.height) {
memcpy(vcapbuf, tpg->black_line[p], img_width);
continue;
}
/* fill the left border with black */
if (dev->loop_vid_cap.left)
Reported by FlawFinder.
Line: 330
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* fill the left border with black */
if (dev->loop_vid_cap.left)
memcpy(vcapbuf, tpg->black_line[p], vid_cap_left);
/* fill the right border with black */
if (vid_cap_right < img_width)
memcpy(vcapbuf + vid_cap_right, tpg->black_line[p],
img_width - vid_cap_right);
Reported by FlawFinder.
Line: 334
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* fill the right border with black */
if (vid_cap_right < img_width)
memcpy(vcapbuf + vid_cap_right, tpg->black_line[p],
img_width - vid_cap_right);
if (quick && !osdline) {
memcpy(vcapbuf + vid_cap_left,
voutbuf + vid_out_y * stride_out,
Reported by FlawFinder.
Line: 338
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
img_width - vid_cap_right);
if (quick && !osdline) {
memcpy(vcapbuf + vid_cap_left,
voutbuf + vid_out_y * stride_out,
tpg_hdiv(tpg, p, dev->loop_vid_cap.width));
goto update_vid_out_y;
}
if (dev->cur_scaled_line == vid_out_y) {
Reported by FlawFinder.
Line: 344
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto update_vid_out_y;
}
if (dev->cur_scaled_line == vid_out_y) {
memcpy(vcapbuf + vid_cap_left, dev->scaled_line,
tpg_hdiv(tpg, p, dev->loop_vid_cap.width));
goto update_vid_out_y;
}
if (!osdline) {
scale_line(voutbuf + vid_out_y * stride_out, dev->scaled_line,
Reported by FlawFinder.
Line: 372
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->blended_line + offset, osd,
dev->loop_vid_overlay.width, twopixsize / 2);
else
memcpy(dev->blended_line + offset,
osd, (dev->loop_vid_overlay.width * twopixsize) / 2);
scale_line(dev->blended_line, dev->scaled_line,
dev->loop_vid_copy.width, dev->loop_vid_cap.width,
tpg_g_twopixelsize(tpg, p));
}
Reported by FlawFinder.
Line: 379
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tpg_g_twopixelsize(tpg, p));
}
dev->cur_scaled_line = vid_out_y;
memcpy(vcapbuf + vid_cap_left, dev->scaled_line,
tpg_hdiv(tpg, p, dev->loop_vid_cap.width));
update_vid_out_y:
if (osdline) {
vid_overlay_y += vid_overlay_int_part;
Reported by FlawFinder.
Line: 402
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!blank)
return 0;
for (; y < img_height; y += vdiv, vcapbuf += stride_cap)
memcpy(vcapbuf, tpg->contrast_line[p], img_width);
return 0;
}
static void vivid_fillbuff(struct vivid_dev *dev, struct vivid_buffer *buf)
{
Reported by FlawFinder.
scripts/mod/sumversion.c
13 issues
Line: 316
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (base) {
base++;
dirlen = base - objfile;
sprintf(cmd, "%.*s.%s.cmd", dirlen, objfile, base);
} else {
dirlen = 0;
sprintf(cmd, ".%s.cmd", objfile);
}
dir = NOFAIL(malloc(dirlen + 1));
Reported by FlawFinder.
Line: 319
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(cmd, "%.*s.%s.cmd", dirlen, objfile, base);
} else {
dirlen = 0;
sprintf(cmd, ".%s.cmd", objfile);
}
dir = NOFAIL(malloc(dirlen + 1));
strncpy(dir, objfile, dirlen);
dir[dirlen] = '\0';
Reported by FlawFinder.
Line: 177
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mctx->byte_count += len;
if (avail > len) {
memcpy((char *)mctx->block + (sizeof(mctx->block) - avail),
data, len);
return;
}
memcpy((char *)mctx->block + (sizeof(mctx->block) - avail),
Reported by FlawFinder.
Line: 182
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy((char *)mctx->block + (sizeof(mctx->block) - avail),
data, avail);
md4_transform_helper(mctx);
data += avail;
len -= avail;
Reported by FlawFinder.
Line: 196
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len -= sizeof(mctx->block);
}
memcpy(mctx->block, data, len);
}
static void md4_final_ascii(struct md4_ctx *mctx, char *out, unsigned int len)
{
const unsigned int offset = mctx->byte_count & 0x3f;
Reported by FlawFinder.
Line: 393
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *buf, *pos, *firstline;
struct md4_ctx md;
char *fname;
char filelist[PATH_MAX + 1];
int postfix_len = 1;
if (strends(modname, ".lto.o"))
postfix_len = 5;
Reported by FlawFinder.
Line: 262
Column: 8
CWE codes:
126
unsigned long i, len;
file = read_text_file(fname);
len = strlen(file);
for (i = 0; i < len; i++) {
/* Collapse and ignore \ and CR. */
if (file[i] == '\\' && (i+1 < len) && file[i+1] == '\n') {
i++;
Reported by FlawFinder.
Line: 295
Column: 12
CWE codes:
126
/* Check whether the file is a static library or not */
static int is_static_library(const char *objfile)
{
int len = strlen(objfile);
if (objfile[len - 2] == '.' && objfile[len - 1] == 'a')
return 1;
else
return 0;
}
Reported by FlawFinder.
Line: 310
Column: 22
CWE codes:
126
const char *base;
int dirlen, ret = 0, check_files = 0;
cmd = NOFAIL(malloc(strlen(objfile) + sizeof("..cmd")));
base = strrchr(objfile, '/');
if (base) {
base++;
dirlen = base - objfile;
Reported by FlawFinder.
Line: 322
Column: 2
CWE codes:
120
sprintf(cmd, ".%s.cmd", objfile);
}
dir = NOFAIL(malloc(dirlen + 1));
strncpy(dir, objfile, dirlen);
dir[dirlen] = '\0';
file = read_text_file(cmd);
pos = file;
Reported by FlawFinder.
fs/nfs/nfs3xdr.c
13 issues
Line: 2533
Column: 18
CWE codes:
362
20
Suggestion:
Reconsider approach
PROC(SETATTR, setattr, setattr, 0),
PROC(LOOKUP, lookup, lookup, 2),
PROC(ACCESS, access, access, 1),
PROC(READLINK, readlink, readlink, 3),
PROC(READ, read, read, 3),
PROC(WRITE, write, write, 4),
PROC(CREATE, create, create, 0),
PROC(MKDIR, mkdir, create, 0),
PROC(SYMLINK, symlink, create, 0),
Reported by FlawFinder.
Line: 2533
Column: 28
CWE codes:
362
20
Suggestion:
Reconsider approach
PROC(SETATTR, setattr, setattr, 0),
PROC(LOOKUP, lookup, lookup, 2),
PROC(ACCESS, access, access, 1),
PROC(READLINK, readlink, readlink, 3),
PROC(READ, read, read, 3),
PROC(WRITE, write, write, 4),
PROC(CREATE, create, create, 0),
PROC(MKDIR, mkdir, create, 0),
PROC(SYMLINK, symlink, create, 0),
Reported by FlawFinder.
Line: 889
Column: 27
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
const struct nfs3_accessargs *args)
{
encode_nfs_fh3(xdr, args->fh);
encode_uint32(xdr, args->access);
}
static void nfs3_xdr_enc_access3args(struct rpc_rqst *req,
struct xdr_stream *xdr,
const void *data)
Reported by FlawFinder.
Line: 1535
Column: 38
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
goto out;
if (status != NFS3_OK)
goto out_default;
error = decode_uint32(xdr, &result->access);
out:
return error;
out_default:
return nfs3_stat_to_errno(status);
}
Reported by FlawFinder.
Line: 2532
Column: 25
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
PROC(GETATTR, getattr, getattr, 1),
PROC(SETATTR, setattr, setattr, 0),
PROC(LOOKUP, lookup, lookup, 2),
PROC(ACCESS, access, access, 1),
PROC(READLINK, readlink, readlink, 3),
PROC(READ, read, read, 3),
PROC(WRITE, write, write, 4),
PROC(CREATE, create, create, 0),
PROC(MKDIR, mkdir, create, 0),
Reported by FlawFinder.
Line: 2532
Column: 16
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
PROC(GETATTR, getattr, getattr, 1),
PROC(SETATTR, setattr, setattr, 0),
PROC(LOOKUP, lookup, lookup, 2),
PROC(ACCESS, access, access, 1),
PROC(READLINK, readlink, readlink, 3),
PROC(READ, read, read, 3),
PROC(WRITE, write, write, 4),
PROC(CREATE, create, create, 0),
PROC(MKDIR, mkdir, create, 0),
Reported by FlawFinder.
Line: 277
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
static __be32 *xdr_encode_cookieverf3(__be32 *p, const __be32 *verifier)
{
memcpy(p, verifier, NFS3_COOKIEVERFSIZE);
return p + XDR_QUADLEN(NFS3_COOKIEVERFSIZE);
}
static int decode_cookieverf3(struct xdr_stream *xdr, __be32 *verifier)
{
Reported by FlawFinder.
Line: 288
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = xdr_inline_decode(xdr, NFS3_COOKIEVERFSIZE);
if (unlikely(!p))
return -EIO;
memcpy(verifier, p, NFS3_COOKIEVERFSIZE);
return 0;
}
/*
* createverf3
Reported by FlawFinder.
Line: 302
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__be32 *p;
p = xdr_reserve_space(xdr, NFS3_CREATEVERFSIZE);
memcpy(p, verifier, NFS3_CREATEVERFSIZE);
}
static int decode_writeverf3(struct xdr_stream *xdr, struct nfs_write_verifier *verifier)
{
__be32 *p;
Reported by FlawFinder.
Line: 312
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = xdr_inline_decode(xdr, NFS3_WRITEVERFSIZE);
if (unlikely(!p))
return -EIO;
memcpy(verifier->data, p, NFS3_WRITEVERFSIZE);
return 0;
}
/*
* size3
Reported by FlawFinder.
drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
13 issues
Line: 487
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (random_addr)
eth_random_addr(p2p->dev_addr);
else
memcpy(p2p->dev_addr, dev_addr, ETH_ALEN);
if (local_admin)
p2p->dev_addr[0] |= 0x02;
/* Generate the P2P Interface Address. If the discovery and connection
Reported by FlawFinder.
Line: 496
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* BSSCFGs need to simultaneously co-exist, then this address must be
* different from the P2P Device Address, but also locally administered.
*/
memcpy(p2p->conn_int_addr, p2p->dev_addr, ETH_ALEN);
p2p->conn_int_addr[0] |= 0x02;
p2p->conn_int_addr[4] ^= 0x80;
memcpy(p2p->conn2_int_addr, p2p->dev_addr, ETH_ALEN);
p2p->conn2_int_addr[0] |= 0x02;
Reported by FlawFinder.
Line: 500
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p2p->conn_int_addr[0] |= 0x02;
p2p->conn_int_addr[4] ^= 0x80;
memcpy(p2p->conn2_int_addr, p2p->dev_addr, ETH_ALEN);
p2p->conn2_int_addr[0] |= 0x02;
p2p->conn2_int_addr[4] ^= 0x90;
}
/**
Reported by FlawFinder.
Line: 690
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
sparams->ssid_le.SSID_len =
cpu_to_le32(BRCMF_P2P_WILDCARD_SSID_LEN);
memcpy(sparams->ssid_le.SSID, BRCMF_P2P_WILDCARD_SSID,
BRCMF_P2P_WILDCARD_SSID_LEN);
break;
default:
bphy_err(drvr, " invalid search state %d\n", search_state);
ret = -EINVAL;
Reported by FlawFinder.
Line: 994
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (err)
goto exit;
memcpy(&p2p->remain_on_channel, channel, sizeof(*channel));
*cookie = p2p->remain_on_channel_cookie;
cfg80211_ready_on_channel(wdev, *cookie, channel, duration, GFP_KERNEL);
exit:
return err;
Reported by FlawFinder.
Line: 1464
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bphy_err(drvr, "No memory available for action frame\n");
return -ENOMEM;
}
memcpy(mgmt_frame->da, ifp->mac_addr, ETH_ALEN);
brcmf_fil_cmd_data_get(ifp, BRCMF_C_GET_BSSID, mgmt_frame->bssid,
ETH_ALEN);
memcpy(mgmt_frame->sa, e->addr, ETH_ALEN);
mgmt_frame->frame_control = cpu_to_le16(IEEE80211_STYPE_ACTION);
memcpy(&mgmt_frame->u, frame, mgmt_frame_len);
Reported by FlawFinder.
Line: 1467
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(mgmt_frame->da, ifp->mac_addr, ETH_ALEN);
brcmf_fil_cmd_data_get(ifp, BRCMF_C_GET_BSSID, mgmt_frame->bssid,
ETH_ALEN);
memcpy(mgmt_frame->sa, e->addr, ETH_ALEN);
mgmt_frame->frame_control = cpu_to_le16(IEEE80211_STYPE_ACTION);
memcpy(&mgmt_frame->u, frame, mgmt_frame_len);
mgmt_frame_len += offsetof(struct ieee80211_mgmt, u);
freq = ieee80211_channel_to_frequency(ch.control_ch_num,
Reported by FlawFinder.
Line: 1469
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ETH_ALEN);
memcpy(mgmt_frame->sa, e->addr, ETH_ALEN);
mgmt_frame->frame_control = cpu_to_le16(IEEE80211_STYPE_ACTION);
memcpy(&mgmt_frame->u, frame, mgmt_frame_len);
mgmt_frame_len += offsetof(struct ieee80211_mgmt, u);
freq = ieee80211_channel_to_frequency(ch.control_ch_num,
ch.band == BRCMU_CHAN_BAND_2G ?
NL80211_BAND_2GHZ :
Reported by FlawFinder.
Line: 1812
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (test_bit(BRCMF_SCAN_STATUS_BUSY, &cfg->scan_status))
brcmf_abort_scanning(cfg);
memcpy(afx_hdl->tx_dst_addr, action_frame->da, ETH_ALEN);
/* To make sure to send successfully action frame, turn off mpc */
if (config_af_params.mpc_onoff == 0)
brcmf_set_mpc(ifp, 0);
Reported by FlawFinder.
Line: 2113
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
brcmf_p2p_get_current_chanspec(p2p, &chanspec);
/* fill the firmware request */
memcpy(if_request.addr, ea, ETH_ALEN);
if_request.type = cpu_to_le16((u16)iftype);
if_request.chspec = cpu_to_le16(chanspec);
err = brcmf_fil_iovar_data_set(ifp, "p2p_ifadd", &if_request,
sizeof(if_request));
Reported by FlawFinder.
drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
13 issues
Line: 152
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (nvp->nvram_len + cplen + 1 >= BRCMF_FW_MAX_NVRAM_SIZE)
return END;
/* copy to output buffer */
memcpy(&nvp->nvram[nvp->nvram_len], skv, cplen);
nvp->nvram_len += cplen;
nvp->nvram[nvp->nvram_len] = '\0';
nvp->nvram_len++;
return IDLE;
}
Reported by FlawFinder.
Line: 316
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void brcmf_fw_strip_multi_v2(struct nvram_parser *nvp, u16 domain_nr,
u16 bus_nr)
{
char prefix[BRCMF_FW_NVRAM_PCIEDEV_LEN];
size_t len;
u32 i, j;
u8 *nvram;
nvram = kzalloc(nvp->nvram_len + 1 + 3 + sizeof(u32), GFP_KERNEL);
Reported by FlawFinder.
Line: 362
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (nvp->boardrev_found)
return;
memcpy(&nvp->nvram[nvp->nvram_len], &BRCMF_FW_DEFAULT_BOARDREV,
strlen(BRCMF_FW_DEFAULT_BOARDREV));
nvp->nvram_len += strlen(BRCMF_FW_DEFAULT_BOARDREV);
nvp->nvram[nvp->nvram_len] = '\0';
nvp->nvram_len++;
}
Reported by FlawFinder.
Line: 416
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
token = (~token << 16) | (token & 0x0000FFFF);
token_le = cpu_to_le32(token);
memcpy(&nvp.nvram[*new_length], &token_le, sizeof(token_le));
*new_length += sizeof(token_le);
return nvp.nvram;
}
Reported by FlawFinder.
Line: 472
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!nvram_efivar)
return NULL;
memcpy(&nvram_efivar->var.VariableName, name, sizeof(name));
nvram_efivar->var.VendorGuid = EFI_GUID(0x74b00bd9, 0x805a, 0x4d61,
0xb5, 0x1f, 0x43, 0x26,
0x81, 0x23, 0xd1, 0x13);
err = efivar_entry_size(nvram_efivar, &data_len);
Reported by FlawFinder.
Line: 605
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* nvram files are board-specific, first try a board-specific path */
if (cur->type == BRCMF_FW_TYPE_NVRAM && fwctx->req->board_type) {
char alt_path[BRCMF_FW_NAME_LEN];
strlcpy(alt_path, cur->path, BRCMF_FW_NAME_LEN);
/* strip .txt at the end */
alt_path[strlen(alt_path) - 4] = 0;
strlcat(alt_path, ".", BRCMF_FW_NAME_LEN);
Reported by FlawFinder.
Line: 696
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 n_fwnames)
{
struct brcmf_fw_request *fwreq;
char chipname[12];
const char *mp_path;
size_t mp_path_len;
u32 i, j;
char end = '\0';
Reported by FlawFinder.
Line: 253
Column: 12
CWE codes:
126
*/
snprintf(pci_path, sizeof(pci_path), "=pci/%d/%d", domain_nr,
bus_nr);
pci_len = strlen(pci_path);
snprintf(pcie_path, sizeof(pcie_path), "=pcie/%d/%d", domain_nr,
bus_nr);
pcie_len = strlen(pcie_path);
found = false;
i = 0;
Reported by FlawFinder.
Line: 256
Column: 13
CWE codes:
126
pci_len = strlen(pci_path);
snprintf(pcie_path, sizeof(pcie_path), "=pcie/%d/%d", domain_nr,
bus_nr);
pcie_len = strlen(pcie_path);
found = false;
i = 0;
while (i < nvp->nvram_len - BRCMF_FW_NVRAM_DEVPATH_LEN) {
/* Format: devpathX=pcie/Y/Z/
* Y = domain_nr, Z = bus_nr, X = virtual ID
Reported by FlawFinder.
Line: 332
Column: 8
CWE codes:
126
* Y = bus_nr.
*/
snprintf(prefix, sizeof(prefix), "pcie/%d/%d/", domain_nr, bus_nr);
len = strlen(prefix);
i = 0;
j = 0;
while (i < nvp->nvram_len - len) {
if (strncmp(&nvp->nvram[i], prefix, len) == 0) {
i += len;
Reported by FlawFinder.
fs/jfs/jfs_dtree.c
13 issues
Line: 984
CWE codes:
562
pxd = &pxdlist.pxd[0];
PXDaddress(pxd, xaddr);
PXDlength(pxd, xlen);
split->pxdlist = &pxdlist;
rc = dtSplitRoot(tid, ip, split, &rmp);
if (rc)
dbFree(ip, xaddr, xlen);
else
Reported by Cppcheck.
Line: 1033
CWE codes:
562
pxd = &pxdlist.pxd[0];
PXDaddress(pxd, nxaddr);
PXDlength(pxd, xlen + n);
split->pxdlist = &pxdlist;
if ((rc = dtExtendPage(tid, ip, split, btstack))) {
nxaddr = addressPXD(pxd);
if (xaddr != nxaddr) {
/* free relocated extent */
xlen = lengthPXD(pxd);
Reported by Cppcheck.
Line: 1083
CWE codes:
562
goto splitOut;
}
split->pxdlist = &pxdlist;
if ((rc = dtSplitPage(tid, ip, split, &rmp, &rp, &rpxd))) {
DT_PUTPAGE(smp);
/* undo allocation */
goto splitOut;
Reported by Cppcheck.
Line: 1225
CWE codes:
562
split->mp = smp;
split->index = skip; /* index at insert */
split->nslot = n;
split->key = &key;
/* split->data = data; */
/* unpin right child page */
DT_PUTPAGE(rmp);
Reported by Cppcheck.
Line: 396
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (xtInsert(tid, ip, 0, 0, sbi->nbperpage, &xaddr, 0)) {
/* This really shouldn't fail */
jfs_warn("add_index: xtInsert failed!");
memcpy(&jfs_ip->i_dirtable, temp_table,
sizeof (temp_table));
dbFree(ip, xaddr, sbi->nbperpage);
dquot_free_block(ip, sbi->nbperpage);
goto clean_up;
}
Reported by FlawFinder.
Line: 408
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!mp) {
jfs_err("add_index: get_metapage failed!");
xtTruncate(tid, ip, 0, COMMIT_PWMAP);
memcpy(&jfs_ip->i_dirtable, temp_table,
sizeof (temp_table));
goto clean_up;
}
tlck = txLock(tid, ip, mp, tlckDATA);
llck = (struct linelock *) & tlck->lock;
Reported by FlawFinder.
Line: 421
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lv->length = 6; /* tlckDATA slot size is 16 bytes */
llck->index++;
memcpy(mp->data, temp_table, sizeof(temp_table));
mark_metapage_dirty(mp);
release_metapage(mp);
/*
Reported by FlawFinder.
Line: 548
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EIO;
}
memcpy(dirtab_slot, slot, sizeof(struct dir_table_slot));
if (mp)
release_metapage(mp);
return 0;
Reported by FlawFinder.
Line: 1737
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
newstblindex = sp->header.maxslot;
n = xsize >> L2DTSLOTSIZE;
newstblsize = (n + 31) >> L2DTSLOTSIZE;
memcpy(&sp->slot[newstblindex], &sp->slot[oldstblindex],
sp->header.nextindex);
/*
* in-line extension: linelock old area of extended page
*/
Reported by FlawFinder.
Line: 1947
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy old stbl to new stbl at start of extended area */
rp->header.stblindex = DTROOTMAXSLOT;
stbl = (s8 *) & rp->slot[DTROOTMAXSLOT];
memcpy(stbl, sp->header.stbl, sp->header.nextindex);
rp->header.nextindex = sp->header.nextindex;
/* copy old data area to start of new data area */
memcpy(&rp->slot[1], &sp->slot[1], IDATASIZE);
Reported by FlawFinder.
drivers/edac/thunderx_edac.c
13 issues
Line: 1136
Column: 3
CWE codes:
120
Suggestion:
Consider strcat_s, strlcat, snprintf, or automatically resizing strings
decode_register(other, OCX_OTHER_SIZE,
ocx_com_errors, ctx->reg_com_int);
strncat(msg, other, OCX_MESSAGE_SIZE);
for (lane = 0; lane < OCX_RX_LANES; lane++)
if (ctx->reg_com_int & BIT(lane)) {
snprintf(other, OCX_OTHER_SIZE,
"\n\tOCX_LNE_INT[%02d]: %016llx OCX_LNE_STAT11[%02d]: %016llx",
Reported by FlawFinder.
Line: 1145
Column: 5
CWE codes:
120
Suggestion:
Consider strcat_s, strlcat, snprintf, or automatically resizing strings
lane, ctx->reg_lane_int[lane],
lane, ctx->reg_lane_stat11[lane]);
strncat(msg, other, OCX_MESSAGE_SIZE);
decode_register(other, OCX_OTHER_SIZE,
ocx_lane_errors,
ctx->reg_lane_int[lane]);
strncat(msg, other, OCX_MESSAGE_SIZE);
Reported by FlawFinder.
Line: 1150
Column: 5
CWE codes:
120
Suggestion:
Consider strcat_s, strlcat, snprintf, or automatically resizing strings
decode_register(other, OCX_OTHER_SIZE,
ocx_lane_errors,
ctx->reg_lane_int[lane]);
strncat(msg, other, OCX_MESSAGE_SIZE);
}
if (ctx->reg_com_int & OCX_COM_INT_CE)
edac_device_handle_ce(ocx->edac_dev, 0, 0, msg);
Reported by FlawFinder.
Line: 1220
Column: 3
CWE codes:
120
Suggestion:
Consider strcat_s, strlcat, snprintf, or automatically resizing strings
decode_register(other, OCX_OTHER_SIZE,
ocx_com_link_errors, ctx->reg_com_link_int);
strncat(msg, other, OCX_MESSAGE_SIZE);
if (ctx->reg_com_link_int & OCX_COM_LINK_INT_UE)
edac_device_handle_ue(ocx->edac_dev, 0, 0, msg);
else if (ctx->reg_com_link_int & OCX_COM_LINK_INT_CE)
edac_device_handle_ce(ocx->edac_dev, 0, 0, msg);
Reported by FlawFinder.
Line: 1899
Column: 3
CWE codes:
120
Suggestion:
Consider strcat_s, strlcat, snprintf, or automatically resizing strings
decode_register(other, L2C_OTHER_SIZE, l2_errors, ctx->reg_int);
strncat(msg, other, L2C_MESSAGE_SIZE);
if (ctx->reg_int & mask_ue)
edac_device_handle_ue(l2c->edac_dev, 0, 0, msg);
else if (ctx->reg_int & mask_ce)
edac_device_handle_ce(l2c->edac_dev, 0, 0, msg);
Reported by FlawFinder.
Line: 2004
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
}
idx = edac_device_alloc_index();
snprintf(name, sizeof(name), fmt, idx);
edac_dev = edac_device_alloc_ctl_info(sizeof(struct thunderx_l2c),
name, 1, "L2C", 1, 0,
NULL, 0, idx);
if (!edac_dev) {
Reported by FlawFinder.
Line: 234
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos) \
{ \
struct thunderx_##_type *pdata = file->private_data; \
char buf[20]; \
\
snprintf(buf, count, "0x%016llx", pdata->_field); \
return simple_read_from_buffer(data, count, ppos, \
buf, sizeof(buf)); \
} \
Reported by FlawFinder.
Line: 263
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos) \
{ \
struct thunderx_##_type *pdata = file->private_data; \
char buf[20]; \
\
sprintf(buf, "0x%016llx", readq(pdata->regs + _reg)); \
return simple_read_from_buffer(data, count, ppos, \
buf, sizeof(buf)); \
} \
Reported by FlawFinder.
Line: 265
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct thunderx_##_type *pdata = file->private_data; \
char buf[20]; \
\
sprintf(buf, "0x%016llx", readq(pdata->regs + _reg)); \
return simple_read_from_buffer(data, count, ppos, \
buf, sizeof(buf)); \
} \
\
static ssize_t thunderx_##_type##_##_name##_write(struct file *file, \
Reported by FlawFinder.
Line: 327
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct thunderx_lmc *lmc = file->private_data;
char buf[20];
u64 lmc_int = readq(lmc->regs + LMC_INT);
snprintf(buf, sizeof(buf), "0x%016llx", lmc_int);
return simple_read_from_buffer(data, count, ppos, buf, sizeof(buf));
}
Reported by FlawFinder.
drivers/scsi/aic7xxx/aic79xx_osm.c
13 issues
Line: 563
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
memset(bp, 0, sizeof(buffer));
strcpy(bp, "Adaptec AIC79XX PCI-X SCSI HBA DRIVER, Rev " AIC79XX_DRIVER_VERSION "\n"
" <");
strcat(bp, ahd->description);
strcat(bp, ">\n"
" ");
ahd_controller_info(ahd, ahd_info);
strcat(bp, ahd_info);
Reported by FlawFinder.
Line: 567
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(bp, ">\n"
" ");
ahd_controller_info(ahd, ahd_info);
strcat(bp, ahd_info);
return (bp);
}
/*
Reported by FlawFinder.
Line: 1239
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
sprintf(buf, "scsi%d", host->host_no);
new_name = kmalloc(strlen(buf) + 1, GFP_ATOMIC);
if (new_name != NULL) {
strcpy(new_name, buf);
ahd_set_name(ahd, new_name);
}
host->unique_id = ahd->unit;
ahd_linux_initialize_scsi_bus(ahd);
ahd_intr_enable(ahd, TRUE);
Reported by FlawFinder.
Line: 553
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *
ahd_linux_info(struct Scsi_Host *host)
{
static char buffer[512];
char ahd_info[256];
char *bp;
struct ahd_softc *ahd;
bp = &buffer[0];
Reported by FlawFinder.
Line: 554
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ahd_linux_info(struct Scsi_Host *host)
{
static char buffer[512];
char ahd_info[256];
char *bp;
struct ahd_softc *ahd;
bp = &buffer[0];
ahd = *(struct ahd_softc **)host->hostdata;
Reported by FlawFinder.
Line: 561
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
bp = &buffer[0];
ahd = *(struct ahd_softc **)host->hostdata;
memset(bp, 0, sizeof(buffer));
strcpy(bp, "Adaptec AIC79XX PCI-X SCSI HBA DRIVER, Rev " AIC79XX_DRIVER_VERSION "\n"
" <");
strcat(bp, ahd->description);
strcat(bp, ">\n"
" ");
ahd_controller_info(ahd, ahd_info);
Reported by FlawFinder.
Line: 564
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcpy(bp, "Adaptec AIC79XX PCI-X SCSI HBA DRIVER, Rev " AIC79XX_DRIVER_VERSION "\n"
" <");
strcat(bp, ahd->description);
strcat(bp, ">\n"
" ");
ahd_controller_info(ahd, ahd_info);
strcat(bp, ahd_info);
return (bp);
Reported by FlawFinder.
Line: 1211
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int
ahd_linux_register_host(struct ahd_softc *ahd, struct scsi_host_template *template)
{
char buf[80];
struct Scsi_Host *host;
char *new_name;
u_long s;
int retval;
Reported by FlawFinder.
Line: 1236
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ahd_lock(ahd, &s);
ahd_set_unit(ahd, ahd_linux_unit++);
ahd_unlock(ahd, &s);
sprintf(buf, "scsi%d", host->host_no);
new_name = kmalloc(strlen(buf) + 1, GFP_ATOMIC);
if (new_name != NULL) {
strcpy(new_name, buf);
ahd_set_name(ahd, new_name);
}
Reported by FlawFinder.
Line: 1613
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
hscb->cdb_len = cmd->cmd_len;
memcpy(hscb->shared_data.idata.cdb, cmd->cmnd, hscb->cdb_len);
scb->platform_data->xfer_len = 0;
ahd_set_residual(scb, 0);
ahd_set_sense_residual(scb, 0);
scb->sg_count = 0;
Reported by FlawFinder.
drivers/target/iscsi/iscsi_target_login.c
13 issues
Line: 238
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
memset(buf, 0, sizeof buf);
va_start(args, fmt);
vsnprintf(buf, sizeof buf, fmt, args);
va_end(args);
if (iscsi_change_param_value(buf, conn->param_list, 0) < 0) {
iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
ISCSI_LOGIN_STATUS_NO_RESOURCES);
Reported by FlawFinder.
Line: 233
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *fmt, ...)
{
va_list args;
unsigned char buf[64];
memset(buf, 0, sizeof buf);
va_start(args, fmt);
vsnprintf(buf, sizeof buf, fmt, args);
Reported by FlawFinder.
Line: 275
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto free_sess;
sess->init_task_tag = pdu->itt;
memcpy(&sess->isid, pdu->isid, 6);
sess->exp_cmd_sn = be32_to_cpu(pdu->cmdsn);
INIT_LIST_HEAD(&sess->sess_conn_list);
INIT_LIST_HEAD(&sess->sess_ooo_cmdsn_list);
INIT_LIST_HEAD(&sess->cr_active_list);
INIT_LIST_HEAD(&sess->cr_inactive_list);
Reported by FlawFinder.
Line: 891
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Setup the np->np_sockaddr from the passed sockaddr setup
* in iscsi_target_configfs.c code..
*/
memcpy(&np->np_sockaddr, sockaddr,
sizeof(struct sockaddr_storage));
if (sockaddr->ss_family == AF_INET6)
len = sizeof(struct sockaddr_in6);
else
Reported by FlawFinder.
Line: 968
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(struct sockaddr *)&sock_in6, 1);
if (rc >= 0) {
if (!ipv6_addr_v4mapped(&sock_in6.sin6_addr)) {
memcpy(&conn->login_sockaddr, &sock_in6, sizeof(sock_in6));
} else {
/* Pretend to be an ipv4 socket */
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
Reported by FlawFinder.
Line: 973
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Pretend to be an ipv4 socket */
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
memcpy(&conn->login_sockaddr, &sock_in, sizeof(sock_in));
}
}
rc = conn->sock->ops->getname(conn->sock,
Reported by FlawFinder.
Line: 974
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
memcpy(&conn->login_sockaddr, &sock_in, sizeof(sock_in));
}
}
rc = conn->sock->ops->getname(conn->sock,
(struct sockaddr *)&sock_in6, 0);
Reported by FlawFinder.
Line: 982
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(struct sockaddr *)&sock_in6, 0);
if (rc >= 0) {
if (!ipv6_addr_v4mapped(&sock_in6.sin6_addr)) {
memcpy(&conn->local_sockaddr, &sock_in6, sizeof(sock_in6));
} else {
/* Pretend to be an ipv4 socket */
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
Reported by FlawFinder.
Line: 987
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Pretend to be an ipv4 socket */
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
memcpy(&conn->local_sockaddr, &sock_in, sizeof(sock_in));
}
}
} else {
memset(&sock_in, 0, sizeof(struct sockaddr_in));
Reported by FlawFinder.
Line: 988
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sock_in.sin_family = AF_INET;
sock_in.sin_port = sock_in6.sin6_port;
memcpy(&sock_in.sin_addr, &sock_in6.sin6_addr.s6_addr32[3], 4);
memcpy(&conn->local_sockaddr, &sock_in, sizeof(sock_in));
}
}
} else {
memset(&sock_in, 0, sizeof(struct sockaddr_in));
Reported by FlawFinder.