The following issues were found
drivers/iommu/intel/iommu.c
12 issues
Line: 1346
CWE codes:
908
/* Make sure hardware complete it */
IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG,
readl, (sts & DMA_GSTS_RTPS), sts);
raw_spin_unlock_irqrestore(&iommu->register_lock, flag);
iommu->flush.flush_context(iommu, 0, 0, 0, DMA_CCMD_GLOBAL_INVL);
if (sm_supported(iommu))
Reported by Cppcheck.
Line: 1369
CWE codes:
908
/* Make sure hardware complete it */
IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG,
readl, (!(val & DMA_GSTS_WBFS)), val);
raw_spin_unlock_irqrestore(&iommu->register_lock, flag);
}
/* return value determine if we need a write buffer flush */
Reported by Cppcheck.
Line: 1745
CWE codes:
908
/* Make sure hardware complete it */
IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG,
readl, (sts & DMA_GSTS_TES), sts);
raw_spin_unlock_irqrestore(&iommu->register_lock, flags);
}
static void iommu_disable_translation(struct intel_iommu *iommu)
Reported by Cppcheck.
Line: 1765
CWE codes:
908
/* Make sure hardware complete it */
IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG,
readl, (!(sts & DMA_GSTS_TES)), sts);
raw_spin_unlock_irqrestore(&iommu->register_lock, flag);
}
static int iommu_init_domains(struct intel_iommu *iommu)
Reported by Cppcheck.
Line: 3715
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* on return.
*/
atsru->hdr = (void *)(atsru + 1);
memcpy(atsru->hdr, hdr, hdr->length);
atsru->include_all = atsr->flags & 0x1;
if (!atsru->include_all) {
atsru->devices = dmar_alloc_dev_scope((void *)(atsr + 1),
(void *)atsr + atsr->header.length,
&atsru->devices_cnt);
Reported by FlawFinder.
Line: 3812
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
satcu->hdr = (void *)(satcu + 1);
memcpy(satcu->hdr, hdr, hdr->length);
satcu->atc_required = satc->flags & 0x1;
satcu->devices = dmar_alloc_dev_scope((void *)(satc + 1),
(void *)satc + satc->header.length,
&satcu->devices_cnt);
if (satcu->devices_cnt && !satcu->devices) {
Reported by FlawFinder.
Line: 4153
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct intel_iommu *iommu = dev_to_intel_iommu(dev);
u32 ver = readl(iommu->reg + DMAR_VER_REG);
return sprintf(buf, "%d:%d\n",
DMAR_VER_MAJOR(ver), DMAR_VER_MINOR(ver));
}
static DEVICE_ATTR_RO(version);
static ssize_t address_show(struct device *dev,
Reported by FlawFinder.
Line: 4162
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct intel_iommu *iommu = dev_to_intel_iommu(dev);
return sprintf(buf, "%llx\n", iommu->reg_phys);
}
static DEVICE_ATTR_RO(address);
static ssize_t cap_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 4170
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct intel_iommu *iommu = dev_to_intel_iommu(dev);
return sprintf(buf, "%llx\n", iommu->cap);
}
static DEVICE_ATTR_RO(cap);
static ssize_t ecap_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 4178
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct intel_iommu *iommu = dev_to_intel_iommu(dev);
return sprintf(buf, "%llx\n", iommu->ecap);
}
static DEVICE_ATTR_RO(ecap);
static ssize_t domains_supported_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
drivers/staging/rtl8188eu/hal/hal_com.c
12 issues
Line: 22
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char buf[128];
cnt += sprintf((buf + cnt), "Chip Version Info: CHIP_8188E_");
cnt += sprintf((buf + cnt), "%s_", chip_vers.ChipType == NORMAL_CHIP ?
"Normal_Chip" : "Test_Chip");
cnt += sprintf((buf + cnt), "%s_", chip_vers.VendorType == CHIP_VENDOR_TSMC ?
"TSMC" : "UMC");
if (chip_vers.CUTVersion == A_CUT_VERSION)
cnt += sprintf((buf + cnt), "A_CUT_");
Reported by FlawFinder.
Line: 24
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
cnt += sprintf((buf + cnt), "Chip Version Info: CHIP_8188E_");
cnt += sprintf((buf + cnt), "%s_", chip_vers.ChipType == NORMAL_CHIP ?
"Normal_Chip" : "Test_Chip");
cnt += sprintf((buf + cnt), "%s_", chip_vers.VendorType == CHIP_VENDOR_TSMC ?
"TSMC" : "UMC");
if (chip_vers.CUTVersion == A_CUT_VERSION)
cnt += sprintf((buf + cnt), "A_CUT_");
else if (chip_vers.CUTVersion == B_CUT_VERSION)
cnt += sprintf((buf + cnt), "B_CUT_");
Reported by FlawFinder.
Line: 19
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void dump_chip_info(struct HAL_VERSION chip_vers)
{
uint cnt = 0;
char buf[128];
cnt += sprintf((buf + cnt), "Chip Version Info: CHIP_8188E_");
cnt += sprintf((buf + cnt), "%s_", chip_vers.ChipType == NORMAL_CHIP ?
"Normal_Chip" : "Test_Chip");
cnt += sprintf((buf + cnt), "%s_", chip_vers.VendorType == CHIP_VENDOR_TSMC ?
Reported by FlawFinder.
Line: 21
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
uint cnt = 0;
char buf[128];
cnt += sprintf((buf + cnt), "Chip Version Info: CHIP_8188E_");
cnt += sprintf((buf + cnt), "%s_", chip_vers.ChipType == NORMAL_CHIP ?
"Normal_Chip" : "Test_Chip");
cnt += sprintf((buf + cnt), "%s_", chip_vers.VendorType == CHIP_VENDOR_TSMC ?
"TSMC" : "UMC");
if (chip_vers.CUTVersion == A_CUT_VERSION)
Reported by FlawFinder.
Line: 27
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
cnt += sprintf((buf + cnt), "%s_", chip_vers.VendorType == CHIP_VENDOR_TSMC ?
"TSMC" : "UMC");
if (chip_vers.CUTVersion == A_CUT_VERSION)
cnt += sprintf((buf + cnt), "A_CUT_");
else if (chip_vers.CUTVersion == B_CUT_VERSION)
cnt += sprintf((buf + cnt), "B_CUT_");
else if (chip_vers.CUTVersion == C_CUT_VERSION)
cnt += sprintf((buf + cnt), "C_CUT_");
else if (chip_vers.CUTVersion == D_CUT_VERSION)
Reported by FlawFinder.
Line: 29
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (chip_vers.CUTVersion == A_CUT_VERSION)
cnt += sprintf((buf + cnt), "A_CUT_");
else if (chip_vers.CUTVersion == B_CUT_VERSION)
cnt += sprintf((buf + cnt), "B_CUT_");
else if (chip_vers.CUTVersion == C_CUT_VERSION)
cnt += sprintf((buf + cnt), "C_CUT_");
else if (chip_vers.CUTVersion == D_CUT_VERSION)
cnt += sprintf((buf + cnt), "D_CUT_");
else if (chip_vers.CUTVersion == E_CUT_VERSION)
Reported by FlawFinder.
Line: 31
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (chip_vers.CUTVersion == B_CUT_VERSION)
cnt += sprintf((buf + cnt), "B_CUT_");
else if (chip_vers.CUTVersion == C_CUT_VERSION)
cnt += sprintf((buf + cnt), "C_CUT_");
else if (chip_vers.CUTVersion == D_CUT_VERSION)
cnt += sprintf((buf + cnt), "D_CUT_");
else if (chip_vers.CUTVersion == E_CUT_VERSION)
cnt += sprintf((buf + cnt), "E_CUT_");
else
Reported by FlawFinder.
Line: 33
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (chip_vers.CUTVersion == C_CUT_VERSION)
cnt += sprintf((buf + cnt), "C_CUT_");
else if (chip_vers.CUTVersion == D_CUT_VERSION)
cnt += sprintf((buf + cnt), "D_CUT_");
else if (chip_vers.CUTVersion == E_CUT_VERSION)
cnt += sprintf((buf + cnt), "E_CUT_");
else
cnt += sprintf((buf + cnt), "UNKNOWN_CUT(%d)_",
chip_vers.CUTVersion);
Reported by FlawFinder.
Line: 35
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (chip_vers.CUTVersion == D_CUT_VERSION)
cnt += sprintf((buf + cnt), "D_CUT_");
else if (chip_vers.CUTVersion == E_CUT_VERSION)
cnt += sprintf((buf + cnt), "E_CUT_");
else
cnt += sprintf((buf + cnt), "UNKNOWN_CUT(%d)_",
chip_vers.CUTVersion);
cnt += sprintf((buf + cnt), "1T1R_");
cnt += sprintf((buf + cnt), "RomVer(0)\n");
Reported by FlawFinder.
Line: 37
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (chip_vers.CUTVersion == E_CUT_VERSION)
cnt += sprintf((buf + cnt), "E_CUT_");
else
cnt += sprintf((buf + cnt), "UNKNOWN_CUT(%d)_",
chip_vers.CUTVersion);
cnt += sprintf((buf + cnt), "1T1R_");
cnt += sprintf((buf + cnt), "RomVer(0)\n");
pr_info("%s", buf);
Reported by FlawFinder.
drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c
12 issues
Line: 271
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
for (i = 0; i < cfg->vecs; i++) {
for (si = 0; si < rx_stat_cnt; si++) {
snprintf(p, ETH_GSTRING_LEN,
aq_ethtool_queue_rx_stat_names[si],
tc_string,
AQ_NIC_CFG_TCVEC2RING(cfg, tc, i));
p += ETH_GSTRING_LEN;
}
Reported by FlawFinder.
Line: 278
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
p += ETH_GSTRING_LEN;
}
for (si = 0; si < tx_stat_cnt; si++) {
snprintf(p, ETH_GSTRING_LEN,
aq_ethtool_queue_tx_stat_names[si],
tc_string,
AQ_NIC_CFG_TCVEC2RING(cfg, tc, i));
p += ETH_GSTRING_LEN;
}
Reported by FlawFinder.
Line: 297
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
for (i = 0; i < max(rx_ring_cnt, tx_ring_cnt); i++) {
for (si = 0; si < rx_stat_cnt; si++) {
snprintf(p, ETH_GSTRING_LEN,
aq_ethtool_queue_rx_stat_names[si],
tc_string,
i ? PTP_HWST_RING_IDX : ptp_ring_idx);
p += ETH_GSTRING_LEN;
}
Reported by FlawFinder.
Line: 306
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
if (i >= tx_ring_cnt)
continue;
for (si = 0; si < tx_stat_cnt; si++) {
snprintf(p, ETH_GSTRING_LEN,
aq_ethtool_queue_tx_stat_names[si],
tc_string,
i ? PTP_HWST_RING_IDX : ptp_ring_idx);
p += ETH_GSTRING_LEN;
}
Reported by FlawFinder.
Line: 330
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
for (si = 0;
si < ARRAY_SIZE(aq_macsec_txsc_stat_names);
si++) {
snprintf(p, ETH_GSTRING_LEN,
aq_macsec_txsc_stat_names[si], i);
p += ETH_GSTRING_LEN;
}
aq_txsc = &nic->macsec_cfg->aq_txsc[i];
for (sa = 0; sa < MACSEC_NUM_AN; sa++) {
Reported by FlawFinder.
Line: 341
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
for (si = 0;
si < ARRAY_SIZE(aq_macsec_txsa_stat_names);
si++) {
snprintf(p, ETH_GSTRING_LEN,
aq_macsec_txsa_stat_names[si],
i, sa);
p += ETH_GSTRING_LEN;
}
}
Reported by FlawFinder.
Line: 361
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
for (si = 0;
si < ARRAY_SIZE(aq_macsec_rxsa_stat_names);
si++) {
snprintf(p, ETH_GSTRING_LEN,
aq_macsec_rxsa_stat_names[si],
i, sa);
p += ETH_GSTRING_LEN;
}
}
Reported by FlawFinder.
Line: 257
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
case ETH_SS_STATS: {
const int rx_stat_cnt = ARRAY_SIZE(aq_ethtool_queue_rx_stat_names);
const int tx_stat_cnt = ARRAY_SIZE(aq_ethtool_queue_tx_stat_names);
char tc_string[8];
int tc;
memset(tc_string, 0, sizeof(tc_string));
memcpy(p, aq_ethtool_stat_names,
sizeof(aq_ethtool_stat_names));
Reported by FlawFinder.
Line: 261
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int tc;
memset(tc_string, 0, sizeof(tc_string));
memcpy(p, aq_ethtool_stat_names,
sizeof(aq_ethtool_stat_names));
p = p + sizeof(aq_ethtool_stat_names);
for (tc = 0; tc < cfg->tcs; tc++) {
if (cfg->is_qos)
Reported by FlawFinder.
Line: 319
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!nic->macsec_cfg)
break;
memcpy(p, aq_macsec_stat_names, sizeof(aq_macsec_stat_names));
p = p + sizeof(aq_macsec_stat_names);
for (i = 0; i < AQ_MACSEC_MAX_SC; i++) {
struct aq_macsec_txsc *aq_txsc;
if (!(test_bit(i, &nic->macsec_cfg->txsc_idx_busy)))
Reported by FlawFinder.
drivers/net/hamradio/6pack.c
12 issues
Line: 143
Column: 23
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
{
struct sixpack *sp = from_timer(sp, t, tx_t);
int actual, when = sp->slottime;
static unsigned char random;
random = random * 17 + 41;
if (((sp->status1 & SIXP_DCD_MASK) == 0) && (random < sp->persistence)) {
sp->led_state = 0x70;
Reported by FlawFinder.
Line: 145
Column: 11
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
int actual, when = sp->slottime;
static unsigned char random;
random = random * 17 + 41;
if (((sp->status1 & SIXP_DCD_MASK) == 0) && (random < sp->persistence)) {
sp->led_state = 0x70;
sp->tty->ops->write(sp->tty, &sp->led_state, 1);
sp->tx_enable = 1;
Reported by FlawFinder.
Line: 147
Column: 47
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
random = random * 17 + 41;
if (((sp->status1 & SIXP_DCD_MASK) == 0) && (random < sp->persistence)) {
sp->led_state = 0x70;
sp->tty->ops->write(sp->tty, &sp->led_state, 1);
sp->tx_enable = 1;
actual = sp->tty->ops->write(sp->tty, sp->xbuff, sp->status2);
sp->xleft -= actual;
Reported by FlawFinder.
Line: 97
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char *xhead; /* next byte to XMIT */
int xleft; /* bytes left in XMIT queue */
unsigned char raw_buf[4];
unsigned char cooked_buf[400];
unsigned int rx_count;
unsigned int rx_count_cooked;
Reported by FlawFinder.
Line: 98
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int xleft; /* bytes left in XMIT queue */
unsigned char raw_buf[4];
unsigned char cooked_buf[400];
unsigned int rx_count;
unsigned int rx_count_cooked;
int mtu; /* Our mtu (to spot changes!) */
Reported by FlawFinder.
Line: 291
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
netif_tx_lock_bh(dev);
netif_addr_lock(dev);
memcpy(dev->dev_addr, &sa->sax25_call, AX25_ADDR_LEN);
netif_addr_unlock(dev);
netif_tx_unlock_bh(dev);
return 0;
}
Reported by FlawFinder.
Line: 319
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->tx_queue_len = 10;
/* Only activated in AX.25 mode */
memcpy(dev->broadcast, &ax25_bcast, AX25_ADDR_LEN);
memcpy(dev->dev_addr, &ax25_defaddr, AX25_ADDR_LEN);
dev->flags = 0;
}
Reported by FlawFinder.
Line: 320
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Only activated in AX.25 mode */
memcpy(dev->broadcast, &ax25_bcast, AX25_ADDR_LEN);
memcpy(dev->dev_addr, &ax25_defaddr, AX25_ADDR_LEN);
dev->flags = 0;
}
/* Send one completely decapsulated IP datagram to the IP layer. */
Reported by FlawFinder.
Line: 348
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr = skb_put(skb, count + 1);
*ptr++ = cmd; /* KISS command */
memcpy(ptr, sp->cooked_buf + 1, count);
skb->protocol = ax25_type_trans(skb, sp->dev);
netif_rx(skb);
sp->dev->stats.rx_packets++;
return;
Reported by FlawFinder.
Line: 720
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
break;
case SIOCSIFHWADDR: {
char addr[AX25_ADDR_LEN];
if (copy_from_user(&addr,
(void __user *)arg, AX25_ADDR_LEN)) {
err = -EFAULT;
break;
Reported by FlawFinder.
drivers/staging/rtl8188eu/core/rtw_security.c
12 issues
Line: 187
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto free_crypto_private;
}
memcpy(pframe, skb->data, skb->len);
pframe += skb->len;
pframe = (u8 *)round_up((size_t)(pframe), 4);
kfree_skb(skb);
Reported by FlawFinder.
Line: 211
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int status = _SUCCESS;
const int keyindex = prxattrib->key_index;
struct lib80211_crypto_ops *crypto_ops = lib80211_get_crypto_ops("WEP");
char iv[4], icv[4];
if (!crypto_ops) {
status = _FAIL;
goto exit;
}
Reported by FlawFinder.
Line: 218
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto exit;
}
memcpy(iv, pframe + prxattrib->hdrlen, 4);
memcpy(icv, pframe + skb->len - 4, 4);
crypto_private = crypto_ops->init(keyindex);
if (!crypto_private) {
status = _FAIL;
Reported by FlawFinder.
Line: 219
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(iv, pframe + prxattrib->hdrlen, 4);
memcpy(icv, pframe + skb->len - 4, 4);
crypto_private = crypto_ops->init(keyindex);
if (!crypto_private) {
status = _FAIL;
goto exit;
Reported by FlawFinder.
Line: 240
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_push(skb, 4);
skb_put(skb, 4);
memcpy(pframe + prxattrib->hdrlen, iv, 4);
memcpy(pframe + skb->len - 4, icv, 4);
exit:
if (crypto_ops && crypto_private)
crypto_ops->deinit(crypto_private);
Reported by FlawFinder.
Line: 241
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_put(skb, 4);
memcpy(pframe + prxattrib->hdrlen, iv, 4);
memcpy(pframe + skb->len - 4, icv, 4);
exit:
if (crypto_ops && crypto_private)
crypto_ops->deinit(crypto_private);
return status;
Reported by FlawFinder.
Line: 784
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto exit_crypto_ops_deinit;
}
memcpy(pframe, skb->data, skb->len);
pframe += skb->len;
pframe = (u8 *)round_up((size_t)(pframe), 8);
kfree_skb(skb);
Reported by FlawFinder.
Line: 816
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 *key, *pframe = skb->data;
struct lib80211_crypto_ops *crypto_ops = lib80211_get_crypto_ops("CCMP");
struct security_priv *psecuritypriv = &padapter->securitypriv;
char iv[8], icv[8];
if (is_multicast_ether_addr(prxattrib->ra)) {
/* in concurrent we should use sw descrypt in group key, so we remove this message */
if (!psecuritypriv->binstallGrpkey) {
res = _FAIL;
Reported by FlawFinder.
Line: 836
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto exit_lib80211_ccmp;
}
memcpy(iv, pframe + prxattrib->hdrlen, iv_len);
memcpy(icv, pframe + skb->len - icv_len, icv_len);
crypto_private = crypto_ops->init(key_idx);
if (!crypto_private) {
res = _FAIL;
Reported by FlawFinder.
Line: 837
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(iv, pframe + prxattrib->hdrlen, iv_len);
memcpy(icv, pframe + skb->len - icv_len, icv_len);
crypto_private = crypto_ops->init(key_idx);
if (!crypto_private) {
res = _FAIL;
goto exit_lib80211_ccmp;
Reported by FlawFinder.
drivers/rtc/sysfs.c
12 issues
Line: 26
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t
name_show(struct device *dev, struct device_attribute *attr, char *buf)
{
return sprintf(buf, "%s %s\n", dev_driver_string(dev->parent),
dev_name(dev->parent));
}
static DEVICE_ATTR_RO(name);
static ssize_t
Reported by FlawFinder.
Line: 41
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (retval)
return retval;
return sprintf(buf, "%ptRd\n", &tm);
}
static DEVICE_ATTR_RO(date);
static ssize_t
time_show(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 55
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (retval)
return retval;
return sprintf(buf, "%ptRt\n", &tm);
}
static DEVICE_ATTR_RO(time);
static ssize_t
since_epoch_show(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 70
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
time64_t time;
time = rtc_tm_to_time64(&tm);
retval = sprintf(buf, "%lld\n", time);
}
return retval;
}
static DEVICE_ATTR_RO(since_epoch);
Reported by FlawFinder.
Line: 80
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t
max_user_freq_show(struct device *dev, struct device_attribute *attr, char *buf)
{
return sprintf(buf, "%d\n", to_rtc_device(dev)->max_user_freq);
}
static ssize_t
max_user_freq_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t n)
Reported by FlawFinder.
Line: 120
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (rtc_hctosys_ret == 0 &&
strcmp(dev_name(&to_rtc_device(dev)->dev),
CONFIG_RTC_HCTOSYS_DEVICE) == 0)
return sprintf(buf, "1\n");
#endif
return sprintf(buf, "0\n");
}
static DEVICE_ATTR_RO(hctosys);
Reported by FlawFinder.
Line: 122
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
CONFIG_RTC_HCTOSYS_DEVICE) == 0)
return sprintf(buf, "1\n");
#endif
return sprintf(buf, "0\n");
}
static DEVICE_ATTR_RO(hctosys);
static ssize_t
wakealarm_show(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 144
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
retval = rtc_read_alarm(to_rtc_device(dev), &alm);
if (retval == 0 && alm.enabled) {
alarm = rtc_tm_to_time64(&alm.time);
retval = sprintf(buf, "%lld\n", alarm);
}
return retval;
}
Reported by FlawFinder.
Line: 225
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
retval = rtc_read_offset(to_rtc_device(dev), &offset);
if (retval == 0)
retval = sprintf(buf, "%ld\n", offset);
return retval;
}
static ssize_t
Reported by FlawFinder.
Line: 248
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t
range_show(struct device *dev, struct device_attribute *attr, char *buf)
{
return sprintf(buf, "[%lld,%llu]\n", to_rtc_device(dev)->range_min,
to_rtc_device(dev)->range_max);
}
static DEVICE_ATTR_RO(range);
static struct attribute *rtc_attrs[] = {
Reported by FlawFinder.
drivers/staging/media/zoran/zr36060.c
12 issues
Line: 161
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* it and initialize from there, as e.g. the linux zr36057/60 driver does it.
* =========================================================================
*/
static const char zr36060_dqt[0x86] = {
0xff, 0xdb, //Marker: DQT
0x00, 0x84, //Length: 2*65+2
0x00, //Pq,Tq first table
0x10, 0x0b, 0x0c, 0x0e, 0x0c, 0x0a, 0x10, 0x0e,
0x0d, 0x0e, 0x12, 0x11, 0x10, 0x13, 0x18, 0x28,
Reported by FlawFinder.
Line: 184
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63
};
static const char zr36060_dht[0x1a4] = {
0xff, 0xc4, //Marker: DHT
0x01, 0xa2, //Length: 2*AC, 2*DC
0x00, //DC first table
0x00, 0x01, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
Reported by FlawFinder.
Line: 244
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* jpeg baseline setup, this is just fixed in this driver (YUV pictures) */
#define NO_OF_COMPONENTS 0x3 //Y,U,V
#define BASELINE_PRECISION 0x8 //MCU size (?)
static const char zr36060_tq[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's QT
static const char zr36060_td[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's DC
static const char zr36060_ta[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's AC
/* horizontal 422 decimation setup (maybe we support 411 or so later, too) */
static const char zr36060_decimation_h[8] = { 2, 1, 1, 0, 0, 0, 0, 0 };
Reported by FlawFinder.
Line: 245
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define NO_OF_COMPONENTS 0x3 //Y,U,V
#define BASELINE_PRECISION 0x8 //MCU size (?)
static const char zr36060_tq[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's QT
static const char zr36060_td[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's DC
static const char zr36060_ta[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's AC
/* horizontal 422 decimation setup (maybe we support 411 or so later, too) */
static const char zr36060_decimation_h[8] = { 2, 1, 1, 0, 0, 0, 0, 0 };
static const char zr36060_decimation_v[8] = { 1, 1, 1, 0, 0, 0, 0, 0 };
Reported by FlawFinder.
Line: 246
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define BASELINE_PRECISION 0x8 //MCU size (?)
static const char zr36060_tq[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's QT
static const char zr36060_td[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's DC
static const char zr36060_ta[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's AC
/* horizontal 422 decimation setup (maybe we support 411 or so later, too) */
static const char zr36060_decimation_h[8] = { 2, 1, 1, 0, 0, 0, 0, 0 };
static const char zr36060_decimation_v[8] = { 1, 1, 1, 0, 0, 0, 0, 0 };
Reported by FlawFinder.
Line: 249
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char zr36060_ta[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's AC
/* horizontal 422 decimation setup (maybe we support 411 or so later, too) */
static const char zr36060_decimation_h[8] = { 2, 1, 1, 0, 0, 0, 0, 0 };
static const char zr36060_decimation_v[8] = { 1, 1, 1, 0, 0, 0, 0, 0 };
/* SOF (start of frame) segment depends on width, height and sampling ratio of each color component */
static int zr36060_set_sof(struct zr36060 *ptr)
{
Reported by FlawFinder.
Line: 250
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* horizontal 422 decimation setup (maybe we support 411 or so later, too) */
static const char zr36060_decimation_h[8] = { 2, 1, 1, 0, 0, 0, 0, 0 };
static const char zr36060_decimation_v[8] = { 1, 1, 1, 0, 0, 0, 0, 0 };
/* SOF (start of frame) segment depends on width, height and sampling ratio of each color component */
static int zr36060_set_sof(struct zr36060 *ptr)
{
char sof_data[34]; // max. size of register set
Reported by FlawFinder.
Line: 255
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* SOF (start of frame) segment depends on width, height and sampling ratio of each color component */
static int zr36060_set_sof(struct zr36060 *ptr)
{
char sof_data[34]; // max. size of register set
int i;
dprintk(3, "%s: write SOF (%dx%d, %d components)\n", ptr->name,
ptr->width, ptr->height, NO_OF_COMPONENTS);
sof_data[0] = 0xff;
Reported by FlawFinder.
Line: 283
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* SOS (start of scan) segment depends on the used scan components of each color component */
static int zr36060_set_sos(struct zr36060 *ptr)
{
char sos_data[16]; // max. size of register set
int i;
dprintk(3, "%s: write SOS\n", ptr->name);
sos_data[0] = 0xff;
sos_data[1] = 0xda;
Reported by FlawFinder.
Line: 308
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* DRI (define restart interval) */
static int zr36060_set_dri(struct zr36060 *ptr)
{
char dri_data[6]; // max. size of register set
dprintk(3, "%s: write DRI\n", ptr->name);
dri_data[0] = 0xff;
dri_data[1] = 0xdd;
dri_data[2] = 0x00;
Reported by FlawFinder.
drivers/staging/media/zoran/zr36050.c
12 issues
Line: 205
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
it and initialize from there, as e.g. the linux zr36057/60 driver does it.
========================================================================= */
static const char zr36050_dqt[0x86] = {
0xff, 0xdb, //Marker: DQT
0x00, 0x84, //Length: 2*65+2
0x00, //Pq,Tq first table
0x10, 0x0b, 0x0c, 0x0e, 0x0c, 0x0a, 0x10, 0x0e,
0x0d, 0x0e, 0x12, 0x11, 0x10, 0x13, 0x18, 0x28,
Reported by FlawFinder.
Line: 228
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63
};
static const char zr36050_dht[0x1a4] = {
0xff, 0xc4, //Marker: DHT
0x01, 0xa2, //Length: 2*AC, 2*DC
0x00, //DC first table
0x00, 0x01, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
Reported by FlawFinder.
Line: 288
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* jpeg baseline setup, this is just fixed in this driver (YUV pictures) */
#define NO_OF_COMPONENTS 0x3 //Y,U,V
#define BASELINE_PRECISION 0x8 //MCU size (?)
static const char zr36050_tq[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's QT
static const char zr36050_td[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's DC
static const char zr36050_ta[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's AC
/* horizontal 422 decimation setup (maybe we support 411 or so later, too) */
static const char zr36050_decimation_h[8] = { 2, 1, 1, 0, 0, 0, 0, 0 };
Reported by FlawFinder.
Line: 289
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define NO_OF_COMPONENTS 0x3 //Y,U,V
#define BASELINE_PRECISION 0x8 //MCU size (?)
static const char zr36050_tq[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's QT
static const char zr36050_td[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's DC
static const char zr36050_ta[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's AC
/* horizontal 422 decimation setup (maybe we support 411 or so later, too) */
static const char zr36050_decimation_h[8] = { 2, 1, 1, 0, 0, 0, 0, 0 };
static const char zr36050_decimation_v[8] = { 1, 1, 1, 0, 0, 0, 0, 0 };
Reported by FlawFinder.
Line: 290
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define BASELINE_PRECISION 0x8 //MCU size (?)
static const char zr36050_tq[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's QT
static const char zr36050_td[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's DC
static const char zr36050_ta[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's AC
/* horizontal 422 decimation setup (maybe we support 411 or so later, too) */
static const char zr36050_decimation_h[8] = { 2, 1, 1, 0, 0, 0, 0, 0 };
static const char zr36050_decimation_v[8] = { 1, 1, 1, 0, 0, 0, 0, 0 };
Reported by FlawFinder.
Line: 293
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char zr36050_ta[8] = { 0, 1, 1, 0, 0, 0, 0, 0 }; //table idx's AC
/* horizontal 422 decimation setup (maybe we support 411 or so later, too) */
static const char zr36050_decimation_h[8] = { 2, 1, 1, 0, 0, 0, 0, 0 };
static const char zr36050_decimation_v[8] = { 1, 1, 1, 0, 0, 0, 0, 0 };
/* =========================================================================
Local helper functions:
Reported by FlawFinder.
Line: 294
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* horizontal 422 decimation setup (maybe we support 411 or so later, too) */
static const char zr36050_decimation_h[8] = { 2, 1, 1, 0, 0, 0, 0, 0 };
static const char zr36050_decimation_v[8] = { 1, 1, 1, 0, 0, 0, 0, 0 };
/* =========================================================================
Local helper functions:
calculation and setup of parameter-dependent JPEG baseline segments
Reported by FlawFinder.
Line: 310
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int zr36050_set_sof(struct zr36050 *ptr)
{
char sof_data[34]; // max. size of register set
int i;
dprintk(3, "%s: write SOF (%dx%d, %d components)\n", ptr->name,
ptr->width, ptr->height, NO_OF_COMPONENTS);
sof_data[0] = 0xff;
Reported by FlawFinder.
Line: 341
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int zr36050_set_sos(struct zr36050 *ptr)
{
char sos_data[16]; // max. size of register set
int i;
dprintk(3, "%s: write SOS\n", ptr->name);
sos_data[0] = 0xff;
sos_data[1] = 0xda;
Reported by FlawFinder.
Line: 368
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int zr36050_set_dri(struct zr36050 *ptr)
{
char dri_data[6]; // max. size of register set
dprintk(3, "%s: write DRI\n", ptr->name);
dri_data[0] = 0xff;
dri_data[1] = 0xdd;
dri_data[2] = 0x00;
Reported by FlawFinder.
kernel/trace/trace_functions_graph.c
12 issues
Line: 345
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void print_graph_proc(struct trace_seq *s, pid_t pid)
{
char comm[TASK_COMM_LEN];
/* sign + log10(MAX_INT) + '\0' */
char pid_str[11];
int spaces = 0;
int len;
int i;
Reported by FlawFinder.
Line: 347
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char comm[TASK_COMM_LEN];
/* sign + log10(MAX_INT) + '\0' */
char pid_str[11];
int spaces = 0;
int len;
int i;
trace_find_cmdline(pid, comm);
Reported by FlawFinder.
Line: 354
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
trace_find_cmdline(pid, comm);
comm[7] = '\0';
sprintf(pid_str, "%d", pid);
/* 1 stands for the "-" character */
len = strlen(comm) + strlen(pid_str) + 1;
if (len < TRACE_GRAPH_PROCINFO_LENGTH)
Reported by FlawFinder.
Line: 563
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
unsigned long nsecs_rem = do_div(duration, 1000);
/* log10(ULONG_MAX) + '\0' */
char usecs_str[21];
char nsecs_str[5];
int len;
int i;
sprintf(usecs_str, "%lu", (unsigned long) duration);
Reported by FlawFinder.
Line: 564
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long nsecs_rem = do_div(duration, 1000);
/* log10(ULONG_MAX) + '\0' */
char usecs_str[21];
char nsecs_str[5];
int len;
int i;
sprintf(usecs_str, "%lu", (unsigned long) duration);
Reported by FlawFinder.
Line: 568
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int len;
int i;
sprintf(usecs_str, "%lu", (unsigned long) duration);
/* Print msecs */
trace_seq_printf(s, "%s", usecs_str);
len = strlen(usecs_str);
Reported by FlawFinder.
Line: 1320
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
graph_depth_read(struct file *filp, char __user *ubuf, size_t cnt,
loff_t *ppos)
{
char buf[15]; /* More than enough to hold UINT_MAX + "\n"*/
int n;
n = sprintf(buf, "%d\n", fgraph_max_depth);
return simple_read_from_buffer(ubuf, cnt, ppos, buf, n);
Reported by FlawFinder.
Line: 1323
Column: 6
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char buf[15]; /* More than enough to hold UINT_MAX + "\n"*/
int n;
n = sprintf(buf, "%d\n", fgraph_max_depth);
return simple_read_from_buffer(ubuf, cnt, ppos, buf, n);
}
static const struct file_operations graph_depth_fops = {
Reported by FlawFinder.
Line: 357
Column: 8
CWE codes:
126
sprintf(pid_str, "%d", pid);
/* 1 stands for the "-" character */
len = strlen(comm) + strlen(pid_str) + 1;
if (len < TRACE_GRAPH_PROCINFO_LENGTH)
spaces = TRACE_GRAPH_PROCINFO_LENGTH - len;
/* First spaces to align center */
Reported by FlawFinder.
Line: 357
Column: 23
CWE codes:
126
sprintf(pid_str, "%d", pid);
/* 1 stands for the "-" character */
len = strlen(comm) + strlen(pid_str) + 1;
if (len < TRACE_GRAPH_PROCINFO_LENGTH)
spaces = TRACE_GRAPH_PROCINFO_LENGTH - len;
/* First spaces to align center */
Reported by FlawFinder.
fs/ext2/xattr.c
12 issues
Line: 113
CWE codes:
476
#endif
};
const struct xattr_handler *ext2_xattr_handlers[] = {
&ext2_xattr_user_handler,
&ext2_xattr_trusted_handler,
#ifdef CONFIG_EXT2_FS_POSIX_ACL
&posix_acl_access_xattr_handler,
&posix_acl_default_xattr_handler,
Reported by Cppcheck.
Line: 373
CWE codes:
476
* d_inode(dentry)->i_mutex: don't care
*/
ssize_t
ext2_listxattr(struct dentry *dentry, char *buffer, size_t size)
{
return ext2_xattr_list(dentry, buffer, size);
}
/*
Reported by Cppcheck.
Line: 265
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (size > buffer_size)
goto cleanup;
/* return value of attribute */
memcpy(buffer, bh->b_data + le16_to_cpu(entry->e_value_offs),
size);
}
error = size;
cleanup:
Reported by FlawFinder.
Line: 349
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
error = -ERANGE;
goto cleanup;
}
memcpy(buffer, prefix, prefix_len);
buffer += prefix_len;
memcpy(buffer, entry->e_name, entry->e_name_len);
buffer += entry->e_name_len;
*buffer++ = 0;
}
Reported by FlawFinder.
Line: 351
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(buffer, prefix, prefix_len);
buffer += prefix_len;
memcpy(buffer, entry->e_name, entry->e_name_len);
buffer += entry->e_name_len;
*buffer++ = 0;
}
rest -= size;
}
Reported by FlawFinder.
Line: 572
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(here, 0, size);
here->e_name_index = name_index;
here->e_name_len = name_len;
memcpy(here->e_name, name, name_len);
} else {
if (here->e_value_size) {
char *first_val = (char *)header + min_offs;
size_t offs = le16_to_cpu(here->e_value_offs);
char *val = (char *)header + offs;
Reported by FlawFinder.
Line: 587
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
here->e_value_size = cpu_to_le32(value_len);
memset(val + size - EXT2_XATTR_PAD, 0,
EXT2_XATTR_PAD); /* Clear pad bytes. */
memcpy(val, value, value_len);
goto skip_replace;
}
/* Remove the old value. */
memmove(first_val + size, first_val, val - first_val);
Reported by FlawFinder.
Line: 628
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpu_to_le16((char *)val - (char *)header);
memset(val + size - EXT2_XATTR_PAD, 0,
EXT2_XATTR_PAD); /* Clear the pad bytes. */
memcpy(val, value, value_len);
}
}
skip_replace:
if (IS_LAST_ENTRY(ENTRY(header+1))) {
Reported by FlawFinder.
Line: 710
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto cleanup;
}
lock_buffer(new_bh);
memcpy(new_bh->b_data, header, new_bh->b_size);
set_buffer_uptodate(new_bh);
unlock_buffer(new_bh);
ext2_xattr_cache_insert(ea_block_cache, new_bh);
ext2_xattr_update_super_block(sb);
Reported by FlawFinder.
Line: 211
Column: 13
CWE codes:
126
if (name == NULL)
return -EINVAL;
name_len = strlen(name);
if (name_len > 255)
return -ERANGE;
down_read(&EXT2_I(inode)->xattr_sem);
error = -ENODATA;
Reported by FlawFinder.