The following issues were found
kernel/power/hibernate.c
12 issues
Line: 1089
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
continue;
}
if (i == hibernation_mode)
buf += sprintf(buf, "[%s] ", hibernation_modes[i]);
else
buf += sprintf(buf, "%s ", hibernation_modes[i]);
}
buf += sprintf(buf, "\n");
return buf-start;
Reported by FlawFinder.
Line: 1091
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (i == hibernation_mode)
buf += sprintf(buf, "[%s] ", hibernation_modes[i]);
else
buf += sprintf(buf, "%s ", hibernation_modes[i]);
}
buf += sprintf(buf, "\n");
return buf-start;
}
Reported by FlawFinder.
Line: 45
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int nohibernate;
static int resume_wait;
static unsigned int resume_delay;
static char resume_file[256] = CONFIG_PM_STD_PARTITION;
dev_t swsusp_resume_device;
sector_t swsusp_resume_block;
__visible int in_suspend __nosavedata;
enum {
Reported by FlawFinder.
Line: 1069
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char *start = buf;
if (!hibernation_available())
return sprintf(buf, "[disabled]\n");
for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) {
if (!hibernation_modes[i])
continue;
switch (i) {
Reported by FlawFinder.
Line: 1151
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t resume_show(struct kobject *kobj, struct kobj_attribute *attr,
char *buf)
{
return sprintf(buf, "%d:%d\n", MAJOR(swsusp_resume_device),
MINOR(swsusp_resume_device));
}
static ssize_t resume_store(struct kobject *kobj, struct kobj_attribute *attr,
const char *buf, size_t n)
Reported by FlawFinder.
Line: 1188
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t resume_offset_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%llu\n", (unsigned long long)swsusp_resume_block);
}
static ssize_t resume_offset_store(struct kobject *kobj,
struct kobj_attribute *attr, const char *buf,
size_t n)
Reported by FlawFinder.
Line: 1211
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t image_size_show(struct kobject *kobj, struct kobj_attribute *attr,
char *buf)
{
return sprintf(buf, "%lu\n", image_size);
}
static ssize_t image_size_store(struct kobject *kobj, struct kobj_attribute *attr,
const char *buf, size_t n)
{
Reported by FlawFinder.
Line: 1232
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t reserved_size_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%lu\n", reserved_size);
}
static ssize_t reserved_size_store(struct kobject *kobj,
struct kobj_attribute *attr,
const char *buf, size_t n)
Reported by FlawFinder.
Line: 937
Column: 7
CWE codes:
126
if (swsusp_resume_device)
goto Check_image;
if (!strlen(resume_file)) {
error = -ENOENT;
goto Unlock;
}
pm_pr_dbg("Checking hibernation image partition %s\n", resume_file);
Reported by FlawFinder.
Line: 1093
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else
buf += sprintf(buf, "%s ", hibernation_modes[i]);
}
buf += sprintf(buf, "\n");
return buf-start;
}
static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr,
const char *buf, size_t n)
Reported by FlawFinder.
drivers/net/ethernet/myricom/myri10ge/myri10ge.c
12 issues
Line: 1795
CWE codes:
758
memset(&link_stats, 0, sizeof(link_stats));
(void)myri10ge_get_stats(netdev, &link_stats);
for (i = 0; i < MYRI10GE_NET_STATS_LEN; i++)
data[i] = ((u64 *)&link_stats)[i];
data[i++] = (unsigned int)mgp->tx_boundary;
data[i++] = (unsigned int)mgp->pdev->irq;
data[i++] = (unsigned int)mgp->msi_enabled;
data[i++] = (unsigned int)mgp->msix_enabled;
Reported by Cppcheck.
Line: 193
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int cpu;
__be32 __iomem *dca_tag;
#endif
char irq_desc[32];
};
struct myri10ge_priv {
struct myri10ge_slice_state *ss;
int tx_boundary; /* boundary transmits cannot cross */
Reported by FlawFinder.
Line: 235
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int pause;
bool fw_name_allocated;
char *fw_name;
char eeprom_strings[MYRI10GE_EEPROM_STRINGS_SIZE];
char *product_code_string;
char fw_version[128];
int fw_ver_major;
int fw_ver_minor;
int fw_ver_tiny;
Reported by FlawFinder.
Line: 237
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *fw_name;
char eeprom_strings[MYRI10GE_EEPROM_STRINGS_SIZE];
char *product_code_string;
char fw_version[128];
int fw_ver_major;
int fw_ver_minor;
int fw_ver_tiny;
int adopted_rx_filter_bug;
u8 mac_addr[ETH_ALEN]; /* eeprom mac address */
Reported by FlawFinder.
Line: 272
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_PARM_DESC(myri10ge_fw_name, "Firmware image name");
#define MYRI10GE_MAX_BOARDS 8
static char *myri10ge_fw_names[MYRI10GE_MAX_BOARDS] =
{[0 ... (MYRI10GE_MAX_BOARDS - 1)] = NULL };
module_param_array_named(myri10ge_fw_names, myri10ge_fw_names, charp, NULL,
0444);
MODULE_PARM_DESC(myri10ge_fw_names, "Firmware image names per board");
Reported by FlawFinder.
Line: 381
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct myri10ge_cmd *data, int atomic)
{
struct mcp_cmd *buf;
char buf_bytes[sizeof(*buf) + 8];
struct mcp_cmd_response *response = mgp->cmd;
char __iomem *cmd_addr = mgp->sram + MXGEFW_ETH_CMD;
u32 dma_low, dma_high, result, value;
int sleep_total = 0;
Reported by FlawFinder.
Line: 1756
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (stringset) {
case ETH_SS_STATS:
memcpy(data, *myri10ge_gstrings_main_stats,
sizeof(myri10ge_gstrings_main_stats));
data += sizeof(myri10ge_gstrings_main_stats);
for (i = 0; i < mgp->num_slices; i++) {
memcpy(data, *myri10ge_gstrings_slice_stats,
sizeof(myri10ge_gstrings_slice_stats));
Reported by FlawFinder.
Line: 1760
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(myri10ge_gstrings_main_stats));
data += sizeof(myri10ge_gstrings_main_stats);
for (i = 0; i < mgp->num_slices; i++) {
memcpy(data, *myri10ge_gstrings_slice_stats,
sizeof(myri10ge_gstrings_slice_stats));
data += sizeof(myri10ge_gstrings_slice_stats);
}
break;
}
Reported by FlawFinder.
Line: 2977
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Walk the multicast list, and add each address */
netdev_for_each_mc_addr(ha, dev) {
memcpy(data, &ha->addr, ETH_ALEN);
cmd.data0 = ntohl(data[0]);
cmd.data1 = ntohl(data[1]);
err = myri10ge_send_cmd(mgp, MXGEFW_JOIN_MULTICAST_GROUP,
&cmd, 1);
Reported by FlawFinder.
Line: 3020
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* change the dev structure */
memcpy(dev->dev_addr, sa->sa_data, ETH_ALEN);
return 0;
}
static int myri10ge_change_mtu(struct net_device *dev, int new_mtu)
{
Reported by FlawFinder.
kernel/params.c
12 issues
Line: 855
CWE codes:
570
struct module_kobject *mk;
int err;
for (vattr = __start___modver; vattr < __stop___modver; vattr++) {
mk = locate_module_kobject(vattr->module_name);
if (mk) {
err = sysfs_create_file(&mk->kobj, &vattr->mattr.attr);
WARN_ON_ONCE(err);
kobject_uevent(&mk->kobj, KOBJ_ADD);
Reported by Cppcheck.
Line: 261
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
*(char **)kp->arg = kmalloc_parameter(strlen(val)+1);
if (!*(char **)kp->arg)
return -ENOMEM;
strcpy(*(char **)kp->arg, val);
} else
*(const char **)kp->arg = val;
return 0;
}
Reported by FlawFinder.
Line: 501
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
kp->name, kps->maxlen-1);
return -ENOSPC;
}
strcpy(kps->string, val);
return 0;
}
EXPORT_SYMBOL(param_set_copystring);
int param_get_string(char *buffer, const struct kernel_param *kp)
Reported by FlawFinder.
Line: 302
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int param_get_bool(char *buffer, const struct kernel_param *kp)
{
/* Y and N chosen as being relatively non-coder friendly */
return sprintf(buffer, "%c\n", *(bool *)kp->arg ? 'Y' : 'N');
}
EXPORT_SYMBOL(param_get_bool);
const struct kernel_param_ops param_ops_bool = {
.flags = KERNEL_PARAM_OPS_FL_NOARG,
Reported by FlawFinder.
Line: 361
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int param_get_invbool(char *buffer, const struct kernel_param *kp)
{
return sprintf(buffer, "%c\n", (*(bool *)kp->arg) ? 'N' : 'Y');
}
EXPORT_SYMBOL(param_get_invbool);
const struct kernel_param_ops param_ops_invbool = {
.set = param_set_invbool,
Reported by FlawFinder.
Line: 426
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* nul-terminate and parse */
save = val[len];
((char *)val)[len] = '\0';
check_kparam_locked(mod);
ret = set(val, &kp);
if (ret != 0)
return ret;
Reported by FlawFinder.
Line: 816
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const struct kernel_param *kp;
unsigned int name_len;
char modname[MODULE_NAME_LEN];
for (kp = __start___param; kp < __stop___param; kp++) {
char *dot;
if (kp->perm == 0)
Reported by FlawFinder.
Line: 827
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
dot = strchr(kp->name, '.');
if (!dot) {
/* This happens for core_param() */
strcpy(modname, "kernel");
name_len = 0;
} else {
name_len = dot - kp->name + 1;
strlcpy(modname, kp->name, name_len);
}
Reported by FlawFinder.
Line: 97
Column: 24
CWE codes:
126
bool parameq(const char *a, const char *b)
{
return parameqn(a, b, strlen(a)+1);
}
static bool param_check_unsafe(const struct kernel_param *kp)
{
if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
Reported by FlawFinder.
Line: 248
Column: 6
CWE codes:
126
int param_set_charp(const char *val, const struct kernel_param *kp)
{
if (strlen(val) > 1024) {
pr_err("%s: string parameter too long\n", kp->name);
return -ENOSPC;
}
maybe_kfree_parameter(*(char **)kp->arg);
Reported by FlawFinder.
drivers/firmware/stratix10-rsu.c
12 issues
Line: 287
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!priv)
return -ENODEV;
return sprintf(buf, "0x%08lx\n", priv->status.current_image);
}
static ssize_t fail_image_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 298
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!priv)
return -ENODEV;
return sprintf(buf, "0x%08lx\n", priv->status.fail_image);
}
static ssize_t version_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 309
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!priv)
return -ENODEV;
return sprintf(buf, "0x%08x\n", priv->status.version);
}
static ssize_t state_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 320
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!priv)
return -ENODEV;
return sprintf(buf, "0x%08x\n", priv->status.state);
}
static ssize_t error_location_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 331
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!priv)
return -ENODEV;
return sprintf(buf, "0x%08x\n", priv->status.error_location);
}
static ssize_t error_details_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 342
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!priv)
return -ENODEV;
return sprintf(buf, "0x%08x\n", priv->status.error_details);
}
static ssize_t retry_counter_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 353
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!priv)
return -ENODEV;
return sprintf(buf, "0x%08x\n", priv->retry_counter);
}
static ssize_t max_retry_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 364
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!priv)
return -ENODEV;
return sprintf(buf, "0x%08x\n", priv->max_retry);
}
static ssize_t dcmf0_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 375
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!priv)
return -ENODEV;
return sprintf(buf, "0x%08x\n", priv->dcmf_version.dcmf0);
}
static ssize_t dcmf1_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 386
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!priv)
return -ENODEV;
return sprintf(buf, "0x%08x\n", priv->dcmf_version.dcmf1);
}
static ssize_t dcmf2_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
drivers/acpi/acpica/exconcat.c
12 issues
Line: 232
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* Concatenate the strings */
strcpy(buffer, local_operand0->string.pointer);
strcat(buffer, local_operand1->string.pointer);
break;
case ACPI_TYPE_BUFFER:
Reported by FlawFinder.
Line: 233
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
/* Concatenate the strings */
strcpy(buffer, local_operand0->string.pointer);
strcat(buffer, local_operand1->string.pointer);
break;
case ACPI_TYPE_BUFFER:
/* Result of two Buffers is a Buffer */
Reported by FlawFinder.
Line: 315
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
}
strcpy(return_desc->string.pointer, "[");
strcat(return_desc->string.pointer, type_string);
strcat(return_desc->string.pointer, " Object]");
*result_desc = return_desc;
return (AE_OK);
}
Reported by FlawFinder.
Line: 204
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy the first integer, LSB first */
memcpy(buffer, &operand0->integer.value,
acpi_gbl_integer_byte_width);
/* Copy the second integer (LSB first) after the first */
memcpy(buffer + acpi_gbl_integer_byte_width,
Reported by FlawFinder.
Line: 209
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy the second integer (LSB first) after the first */
memcpy(buffer + acpi_gbl_integer_byte_width,
&local_operand1->integer.value,
acpi_gbl_integer_byte_width);
break;
case ACPI_TYPE_STRING:
Reported by FlawFinder.
Line: 254
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Concatenate the buffers */
memcpy(buffer, operand0->buffer.pointer,
operand0->buffer.length);
memcpy(buffer + operand0->buffer.length,
local_operand1->buffer.pointer,
local_operand1->buffer.length);
break;
Reported by FlawFinder.
Line: 256
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(buffer, operand0->buffer.pointer,
operand0->buffer.length);
memcpy(buffer + operand0->buffer.length,
local_operand1->buffer.pointer,
local_operand1->buffer.length);
break;
default:
Reported by FlawFinder.
Line: 316
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcpy(return_desc->string.pointer, "[");
strcat(return_desc->string.pointer, type_string);
strcat(return_desc->string.pointer, " Object]");
*result_desc = return_desc;
return (AE_OK);
}
Reported by FlawFinder.
Line: 393
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* end_tag descriptor is copied from Operand1.
*/
new_buf = return_desc->buffer.pointer;
memcpy(new_buf, operand0->buffer.pointer, length0);
memcpy(new_buf + length0, operand1->buffer.pointer, length1);
/* Insert end_tag and set the checksum to zero, means "ignore checksum" */
new_buf[new_length - 1] = 0;
Reported by FlawFinder.
Line: 394
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
new_buf = return_desc->buffer.pointer;
memcpy(new_buf, operand0->buffer.pointer, length0);
memcpy(new_buf + length0, operand1->buffer.pointer, length1);
/* Insert end_tag and set the checksum to zero, means "ignore checksum" */
new_buf[new_length - 1] = 0;
new_buf[new_length - 2] = ACPI_RESOURCE_NAME_END_TAG | 1;
Reported by FlawFinder.
drivers/scsi/scsi_transport_spi.c
12 issues
Line: 279
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
struct spi_transport_attrs *tp; \
\
tp = (struct spi_transport_attrs *)&starget->starget_data; \
return snprintf(buf, 20, format_string, tp->field); \
}
#define spi_transport_store_simple(field, format_string) \
\
static ssize_t \
Reported by FlawFinder.
Line: 312
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
tp = (struct spi_transport_attrs *)&starget->starget_data; \
if (i->f->get_##field) \
i->f->get_##field(starget); \
return snprintf(buf, 20, format_string, tp->field); \
}
#define spi_transport_store_function(field, format_string) \
static ssize_t \
store_spi_transport_##field(struct device *dev, \
Reported by FlawFinder.
Line: 569
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (i->f->get_signalling)
i->f->get_signalling(shost);
return sprintf(buf, "%s\n", spi_signal_to_string(spi_signalling(shost)));
}
static ssize_t store_spi_host_signalling(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 597
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct Scsi_Host *shost = transport_class_to_shost(cdev);
return sprintf(buf, "%s\n", shost->max_id == 16 ? "wide" : "narrow");
}
static DEVICE_ATTR(host_width, S_IRUGO,
show_spi_host_width, NULL);
static ssize_t show_spi_host_hba_id(struct device *cdev,
Reported by FlawFinder.
Line: 90
Column: 15
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static int sprint_frac(char *dest, int value, int denom)
{
int frac = value % denom;
int result = sprintf(dest, "%d", value / denom);
if (frac == 0)
return result;
dest[result++] = '.';
Reported by FlawFinder.
Line: 98
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
do {
denom /= 10;
sprintf(dest + result, "%d", frac / denom);
result++;
frac %= denom;
} while (frac);
dest[result++] = '\0';
Reported by FlawFinder.
Line: 113
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct scsi_sense_hdr *sshdr)
{
int i, result;
unsigned char sense[SCSI_SENSE_BUFFERSIZE];
struct scsi_sense_hdr sshdr_tmp;
if (!sshdr)
sshdr = &sshdr_tmp;
Reported by FlawFinder.
Line: 426
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
if (picosec == -1) {
len = sprintf(buf, "reserved");
} else {
len = sprint_frac(buf, picosec, 1000);
}
return len;
Reported by FlawFinder.
Line: 608
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct Scsi_Host *shost = transport_class_to_shost(cdev);
return sprintf(buf, "%d\n", shost->this_id);
}
static DEVICE_ATTR(hba_id, S_IRUGO,
show_spi_host_hba_id, NULL);
#define DV_SET(x, y) \
Reported by FlawFinder.
Line: 1137
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (tp->offset > 0 && tp->period > 0) {
unsigned int picosec, kb100;
char *scsi = "FAST-?";
char tmp[8];
if (tp->period <= SPI_STATIC_PPR) {
picosec = ppr_to_ps[tp->period];
switch (tp->period) {
case 7: scsi = "FAST-320"; break;
Reported by FlawFinder.
drivers/net/wireless/realtek/rtlwifi/core.c
12 issues
Line: 102
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto exit;
}
if (!is_wow) {
memcpy(rtlpriv->rtlhal.pfirmware, firmware->data,
firmware->size);
rtlpriv->rtlhal.fwsize = firmware->size;
} else {
memcpy(rtlpriv->rtlhal.wowlan_firmware, firmware->data,
firmware->size);
Reported by FlawFinder.
Line: 106
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
firmware->size);
rtlpriv->rtlhal.fwsize = firmware->size;
} else {
memcpy(rtlpriv->rtlhal.wowlan_firmware, firmware->data,
firmware->size);
rtlpriv->rtlhal.wowlan_fwsize = firmware->size;
}
release_firmware(firmware);
Reported by FlawFinder.
Line: 307
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mac->vif = vif;
mac->opmode = vif->type;
rtlpriv->cfg->ops->set_network_type(hw, vif->type);
memcpy(mac->mac_addr, vif->addr, ETH_ALEN);
rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_ETHER_ADDR, mac->mac_addr);
mac->retry_long = retry_limit;
mac->retry_short = retry_limit;
rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_RETRY_LIMIT,
Reported by FlawFinder.
Line: 927
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (mac->p2p)
sta->supp_rates[0] &= 0xfffffff0;
memcpy(sta_entry->mac_addr, sta->addr, ETH_ALEN);
rtl_dbg(rtlpriv, COMP_MAC80211, DBG_DMESG,
"Add sta addr is %pM\n", sta->addr);
rtlpriv->cfg->ops->update_rate_tbl(hw, sta, 0, true);
}
Reported by FlawFinder.
Line: 1003
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mac->ac[aci].cw_min = cpu_to_le16(param->cw_min);
mac->ac[aci].cw_max = cpu_to_le16(param->cw_max);
mac->ac[aci].tx_op = cpu_to_le16(param->txop);
memcpy(&mac->edca_param[aci], param, sizeof(*param));
rtlpriv->cfg->ops->set_qos(hw, aci);
return 0;
}
static void send_beacon_frame(struct ieee80211_hw *hw,
Reported by FlawFinder.
Line: 1115
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mac->link_state = MAC80211_LINKED;
mac->cnt_after_linked = 0;
mac->assoc_id = bss_conf->aid;
memcpy(mac->bssid, bss_conf->bssid, ETH_ALEN);
if (rtlpriv->cfg->ops->linked_set_reg)
rtlpriv->cfg->ops->linked_set_reg(hw);
rcu_read_lock();
Reported by FlawFinder.
Line: 1289
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
"bssid: %pM\n", bss_conf->bssid);
mac->vendor = PEER_UNKNOWN;
memcpy(mac->bssid, bss_conf->bssid, ETH_ALEN);
rcu_read_lock();
sta = ieee80211_find_sta(vif, (u8 *)bss_conf->bssid);
if (!sta) {
rcu_read_unlock();
Reported by FlawFinder.
Line: 1645
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rtlpriv->sec.pairwise_enc_algorithm = key_type;
rtlpriv->sec.group_enc_algorithm = key_type;
/*set local buf about wep key. */
memcpy(rtlpriv->sec.key_buf[key_idx],
key->key, key->keylen);
rtlpriv->sec.key_len[key_idx] = key->keylen;
eth_zero_addr(mac_addr);
} else if (group_key) { /* group key */
rtl_dbg(rtlpriv, COMP_SEC, DBG_DMESG,
Reported by FlawFinder.
Line: 1655
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* group key */
rtlpriv->sec.group_enc_algorithm = key_type;
/*set local buf about group key. */
memcpy(rtlpriv->sec.key_buf[key_idx],
key->key, key->keylen);
rtlpriv->sec.key_len[key_idx] = key->keylen;
memcpy(mac_addr, bcast_addr, ETH_ALEN);
} else { /* pairwise key */
rtl_dbg(rtlpriv, COMP_SEC, DBG_DMESG,
Reported by FlawFinder.
Line: 1658
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(rtlpriv->sec.key_buf[key_idx],
key->key, key->keylen);
rtlpriv->sec.key_len[key_idx] = key->keylen;
memcpy(mac_addr, bcast_addr, ETH_ALEN);
} else { /* pairwise key */
rtl_dbg(rtlpriv, COMP_SEC, DBG_DMESG,
"set pairwise key\n");
if (!sta) {
WARN_ONCE(true,
Reported by FlawFinder.
drivers/video/fbdev/sis/oem300.h
12 issues
Line: 53
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*
*/
static const unsigned char SiS300_OEMTVDelay301[8][4] =
{
{0x08,0x08,0x08,0x08},
{0x08,0x08,0x08,0x08},
{0x08,0x08,0x08,0x08},
{0x2c,0x2c,0x2c,0x2c},
Reported by FlawFinder.
Line: 65
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{0x20,0x20,0x20,0x20}
};
static const unsigned char SiS300_OEMTVDelayLVDS[8][4] =
{
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
Reported by FlawFinder.
Line: 77
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{0x20,0x20,0x20,0x20}
};
static const unsigned char SiS300_OEMTVFlicker[8][4] =
{
{0x00,0x00,0x00,0x00},
{0x00,0x00,0x00,0x00},
{0x00,0x00,0x00,0x00},
{0x00,0x00,0x00,0x00},
Reported by FlawFinder.
Line: 89
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{0x00,0x00,0x00,0x00}
};
static const unsigned char SiS300_OEMLCDDelay2[64][4] = /* for 301/301b/302b/301LV/302LV */
{
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
Reported by FlawFinder.
Line: 157
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{0x20,0x20,0x20,0x20}
};
static const unsigned char SiS300_OEMLCDDelay4[12][4] =
{
{0x2c,0x2c,0x2c,0x2c},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x2c,0x2c,0x2c,0x2c},
Reported by FlawFinder.
Line: 173
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{0x24,0x24,0x24,0x24}
};
static const unsigned char SiS300_OEMLCDDelay5[32][4] =
{
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
Reported by FlawFinder.
Line: 209
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{0x20,0x20,0x20,0x20},
};
static const unsigned char SiS300_OEMLCDDelay3[64][4] = /* For LVDS */
{
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
Reported by FlawFinder.
Line: 277
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{0x20,0x20,0x20,0x20}
};
static const unsigned char SiS300_Phase1[8][5][4] =
{
{
{0x21,0xed,0x00,0x08},
{0x21,0xed,0x8a,0x08},
{0x21,0xed,0x8a,0x08},
Reported by FlawFinder.
Line: 337
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
};
static const unsigned char SiS300_Phase2[8][5][4] =
{
{
{0x21,0xed,0x00,0x08},
{0x21,0xed,0x8a,0x08},
{0x21,0xed,0x8a,0x08},
Reported by FlawFinder.
Line: 397
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
};
static const unsigned char SiS300_Filter1[10][16][4] =
{
{
{0x00,0xf4,0x10,0x38},
{0x00,0xf4,0x10,0x38},
{0xeb,0x04,0x10,0x18},
Reported by FlawFinder.
drivers/virtio/virtio_mmio.c
12 issues
Line: 168
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (len) {
case 1:
b = readb(base + offset);
memcpy(buf, &b, sizeof b);
break;
case 2:
w = cpu_to_le16(readw(base + offset));
memcpy(buf, &w, sizeof w);
break;
Reported by FlawFinder.
Line: 172
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 2:
w = cpu_to_le16(readw(base + offset));
memcpy(buf, &w, sizeof w);
break;
case 4:
l = cpu_to_le32(readl(base + offset));
memcpy(buf, &l, sizeof l);
break;
Reported by FlawFinder.
Line: 176
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 4:
l = cpu_to_le32(readl(base + offset));
memcpy(buf, &l, sizeof l);
break;
case 8:
l = cpu_to_le32(readl(base + offset));
memcpy(buf, &l, sizeof l);
l = cpu_to_le32(ioread32(base + offset + sizeof l));
Reported by FlawFinder.
Line: 180
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 8:
l = cpu_to_le32(readl(base + offset));
memcpy(buf, &l, sizeof l);
l = cpu_to_le32(ioread32(base + offset + sizeof l));
memcpy(buf + sizeof l, &l, sizeof l);
break;
default:
BUG();
Reported by FlawFinder.
Line: 182
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
l = cpu_to_le32(readl(base + offset));
memcpy(buf, &l, sizeof l);
l = cpu_to_le32(ioread32(base + offset + sizeof l));
memcpy(buf + sizeof l, &l, sizeof l);
break;
default:
BUG();
}
}
Reported by FlawFinder.
Line: 210
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (len) {
case 1:
memcpy(&b, buf, sizeof b);
writeb(b, base + offset);
break;
case 2:
memcpy(&w, buf, sizeof w);
writew(le16_to_cpu(w), base + offset);
Reported by FlawFinder.
Line: 214
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
writeb(b, base + offset);
break;
case 2:
memcpy(&w, buf, sizeof w);
writew(le16_to_cpu(w), base + offset);
break;
case 4:
memcpy(&l, buf, sizeof l);
writel(le32_to_cpu(l), base + offset);
Reported by FlawFinder.
Line: 218
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
writew(le16_to_cpu(w), base + offset);
break;
case 4:
memcpy(&l, buf, sizeof l);
writel(le32_to_cpu(l), base + offset);
break;
case 8:
memcpy(&l, buf, sizeof l);
writel(le32_to_cpu(l), base + offset);
Reported by FlawFinder.
Line: 222
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
writel(le32_to_cpu(l), base + offset);
break;
case 8:
memcpy(&l, buf, sizeof l);
writel(le32_to_cpu(l), base + offset);
memcpy(&l, buf + sizeof l, sizeof l);
writel(le32_to_cpu(l), base + offset + sizeof l);
break;
default:
Reported by FlawFinder.
Line: 224
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case 8:
memcpy(&l, buf, sizeof l);
writel(le32_to_cpu(l), base + offset);
memcpy(&l, buf + sizeof l, sizeof l);
writel(le32_to_cpu(l), base + offset + sizeof l);
break;
default:
BUG();
}
Reported by FlawFinder.
drivers/video/fbdev/matrox/matroxfb_base.h
12 issues
Line: 465
Column: 28
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
struct matrox_bios bios;
struct {
struct matrox_pll_limits pixel;
struct matrox_pll_limits system;
struct matrox_pll_limits video;
} limits;
struct {
struct matrox_pll_cache pixel;
struct matrox_pll_cache system;
Reported by FlawFinder.
Line: 470
Column: 27
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
} limits;
struct {
struct matrox_pll_cache pixel;
struct matrox_pll_cache system;
struct matrox_pll_cache video;
} cache;
struct {
struct {
unsigned int video;
Reported by FlawFinder.
Line: 476
Column: 17
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
struct {
struct {
unsigned int video;
unsigned int system;
} pll;
struct {
u_int32_t opt;
u_int32_t opt2;
u_int32_t opt3;
Reported by FlawFinder.
Line: 266
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct matrox_hw_state {
u_int32_t MXoptionReg;
unsigned char DACclk[6];
unsigned char DACreg[80];
unsigned char MiscOutReg;
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
Reported by FlawFinder.
Line: 267
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct matrox_hw_state {
u_int32_t MXoptionReg;
unsigned char DACclk[6];
unsigned char DACreg[80];
unsigned char MiscOutReg;
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
Reported by FlawFinder.
Line: 269
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char DACclk[6];
unsigned char DACreg[80];
unsigned char MiscOutReg;
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
/* unused for MGA mode, but who knows... */
unsigned char GCTL[9];
Reported by FlawFinder.
Line: 270
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char DACreg[80];
unsigned char MiscOutReg;
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
/* unused for MGA mode, but who knows... */
unsigned char GCTL[9];
/* unused for MGA mode, but who knows... */
Reported by FlawFinder.
Line: 271
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char MiscOutReg;
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
/* unused for MGA mode, but who knows... */
unsigned char GCTL[9];
/* unused for MGA mode, but who knows... */
unsigned char ATTR[21];
Reported by FlawFinder.
Line: 272
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
/* unused for MGA mode, but who knows... */
unsigned char GCTL[9];
/* unused for MGA mode, but who knows... */
unsigned char ATTR[21];
Reported by FlawFinder.
Line: 274
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
/* unused for MGA mode, but who knows... */
unsigned char GCTL[9];
/* unused for MGA mode, but who knows... */
unsigned char ATTR[21];
/* TVOut only */
struct mavenregs maven;
Reported by FlawFinder.