The following issues were found
drivers/net/wireless/realtek/rtlwifi/core.c
12 issues
Line: 102
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto exit;
}
if (!is_wow) {
memcpy(rtlpriv->rtlhal.pfirmware, firmware->data,
firmware->size);
rtlpriv->rtlhal.fwsize = firmware->size;
} else {
memcpy(rtlpriv->rtlhal.wowlan_firmware, firmware->data,
firmware->size);
Reported by FlawFinder.
Line: 106
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
firmware->size);
rtlpriv->rtlhal.fwsize = firmware->size;
} else {
memcpy(rtlpriv->rtlhal.wowlan_firmware, firmware->data,
firmware->size);
rtlpriv->rtlhal.wowlan_fwsize = firmware->size;
}
release_firmware(firmware);
Reported by FlawFinder.
Line: 307
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mac->vif = vif;
mac->opmode = vif->type;
rtlpriv->cfg->ops->set_network_type(hw, vif->type);
memcpy(mac->mac_addr, vif->addr, ETH_ALEN);
rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_ETHER_ADDR, mac->mac_addr);
mac->retry_long = retry_limit;
mac->retry_short = retry_limit;
rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_RETRY_LIMIT,
Reported by FlawFinder.
Line: 927
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (mac->p2p)
sta->supp_rates[0] &= 0xfffffff0;
memcpy(sta_entry->mac_addr, sta->addr, ETH_ALEN);
rtl_dbg(rtlpriv, COMP_MAC80211, DBG_DMESG,
"Add sta addr is %pM\n", sta->addr);
rtlpriv->cfg->ops->update_rate_tbl(hw, sta, 0, true);
}
Reported by FlawFinder.
Line: 1003
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mac->ac[aci].cw_min = cpu_to_le16(param->cw_min);
mac->ac[aci].cw_max = cpu_to_le16(param->cw_max);
mac->ac[aci].tx_op = cpu_to_le16(param->txop);
memcpy(&mac->edca_param[aci], param, sizeof(*param));
rtlpriv->cfg->ops->set_qos(hw, aci);
return 0;
}
static void send_beacon_frame(struct ieee80211_hw *hw,
Reported by FlawFinder.
Line: 1115
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mac->link_state = MAC80211_LINKED;
mac->cnt_after_linked = 0;
mac->assoc_id = bss_conf->aid;
memcpy(mac->bssid, bss_conf->bssid, ETH_ALEN);
if (rtlpriv->cfg->ops->linked_set_reg)
rtlpriv->cfg->ops->linked_set_reg(hw);
rcu_read_lock();
Reported by FlawFinder.
Line: 1289
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
"bssid: %pM\n", bss_conf->bssid);
mac->vendor = PEER_UNKNOWN;
memcpy(mac->bssid, bss_conf->bssid, ETH_ALEN);
rcu_read_lock();
sta = ieee80211_find_sta(vif, (u8 *)bss_conf->bssid);
if (!sta) {
rcu_read_unlock();
Reported by FlawFinder.
Line: 1645
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rtlpriv->sec.pairwise_enc_algorithm = key_type;
rtlpriv->sec.group_enc_algorithm = key_type;
/*set local buf about wep key. */
memcpy(rtlpriv->sec.key_buf[key_idx],
key->key, key->keylen);
rtlpriv->sec.key_len[key_idx] = key->keylen;
eth_zero_addr(mac_addr);
} else if (group_key) { /* group key */
rtl_dbg(rtlpriv, COMP_SEC, DBG_DMESG,
Reported by FlawFinder.
Line: 1655
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* group key */
rtlpriv->sec.group_enc_algorithm = key_type;
/*set local buf about group key. */
memcpy(rtlpriv->sec.key_buf[key_idx],
key->key, key->keylen);
rtlpriv->sec.key_len[key_idx] = key->keylen;
memcpy(mac_addr, bcast_addr, ETH_ALEN);
} else { /* pairwise key */
rtl_dbg(rtlpriv, COMP_SEC, DBG_DMESG,
Reported by FlawFinder.
Line: 1658
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(rtlpriv->sec.key_buf[key_idx],
key->key, key->keylen);
rtlpriv->sec.key_len[key_idx] = key->keylen;
memcpy(mac_addr, bcast_addr, ETH_ALEN);
} else { /* pairwise key */
rtl_dbg(rtlpriv, COMP_SEC, DBG_DMESG,
"set pairwise key\n");
if (!sta) {
WARN_ONCE(true,
Reported by FlawFinder.
fs/ceph/file.c
12 issues
Line: 197
Column: 14
CWE codes:
362
if (IS_ERR(req))
goto out;
req->r_fmode = ceph_flags_to_mode(flags);
req->r_args.open.flags = ceph_flags_sys2wire(flags);
req->r_args.open.mode = cpu_to_le32(create_mode);
out:
return req;
}
Reported by FlawFinder.
Line: 198
Column: 14
CWE codes:
362
goto out;
req->r_fmode = ceph_flags_to_mode(flags);
req->r_args.open.flags = ceph_flags_sys2wire(flags);
req->r_args.open.mode = cpu_to_le32(create_mode);
out:
return req;
}
static int ceph_init_file_info(struct inode *inode, struct file *file,
Reported by FlawFinder.
Line: 275
Column: 23
CWE codes:
362
BUG_ON(inode->i_fop->release == ceph_release);
/* call the proper open fop */
ret = inode->i_fop->open(inode, file);
}
return ret;
}
/*
Reported by FlawFinder.
Line: 489
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*pino = ino;
ceph_take_cap_refs(ci, want, false);
memcpy(lo, &ci->i_cached_layout, sizeof(*lo));
rcu_assign_pointer(lo->pool_ns,
ceph_try_get_string(ci->i_cached_layout.pool_ns));
got = want;
no_async:
spin_unlock(&ci->i_ceph_lock);
Reported by FlawFinder.
Line: 575
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ceph_file_layout *lo)
{
int ret;
char xattr_buf[4];
struct ceph_mds_reply_inode in = { };
struct ceph_mds_reply_info_in iinfo = { .in = &in };
struct ceph_inode_info *ci = ceph_inode(dir);
struct inode *inode;
struct timespec64 now;
Reported by FlawFinder.
Line: 707
Column: 14
CWE codes:
362
mask = CEPH_STAT_CAP_INODE | CEPH_CAP_AUTH_SHARED;
if (ceph_security_xattr_wanted(dir))
mask |= CEPH_CAP_XATTR_SHARED;
req->r_args.open.mask = cpu_to_le32(mask);
req->r_parent = dir;
ihold(dir);
if (flags & O_CREAT) {
struct ceph_file_layout lo;
Reported by FlawFinder.
Line: 725
Column: 16
CWE codes:
362
try_prep_async_create(dir, dentry, &lo,
&req->r_deleg_ino))) {
set_bit(CEPH_MDS_R_ASYNC, &req->r_req_flags);
req->r_args.open.flags |= cpu_to_le32(CEPH_O_EXCL);
req->r_callback = ceph_async_create_cb;
err = ceph_mdsc_submit_request(mdsc, dir, req);
if (!err) {
err = ceph_finish_async_create(dir, dentry,
file, mode, req,
Reported by FlawFinder.
Line: 1611
Column: 22
CWE codes:
120
20
i_size = i_size_read(inode);
if (retry_op == READ_INLINE) {
BUG_ON(ret > 0 || read > 0);
if (iocb->ki_pos < i_size &&
iocb->ki_pos < PAGE_SIZE) {
loff_t end = min_t(loff_t, i_size,
iocb->ki_pos + len);
end = min_t(loff_t, end, PAGE_SIZE);
Reported by FlawFinder.
Line: 1625
Column: 33
CWE codes:
120
20
iocb->ki_pos += ret;
read += ret;
}
if (iocb->ki_pos < i_size && read < len) {
size_t zlen = min_t(size_t, len - read,
i_size - iocb->ki_pos);
ret = iov_iter_zero(zlen, to);
iocb->ki_pos += ret;
read += ret;
Reported by FlawFinder.
Line: 1626
Column: 39
CWE codes:
120
20
read += ret;
}
if (iocb->ki_pos < i_size && read < len) {
size_t zlen = min_t(size_t, len - read,
i_size - iocb->ki_pos);
ret = iov_iter_zero(zlen, to);
iocb->ki_pos += ret;
read += ret;
}
Reported by FlawFinder.
drivers/video/fbdev/sis/oem300.h
12 issues
Line: 53
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*
*/
static const unsigned char SiS300_OEMTVDelay301[8][4] =
{
{0x08,0x08,0x08,0x08},
{0x08,0x08,0x08,0x08},
{0x08,0x08,0x08,0x08},
{0x2c,0x2c,0x2c,0x2c},
Reported by FlawFinder.
Line: 65
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{0x20,0x20,0x20,0x20}
};
static const unsigned char SiS300_OEMTVDelayLVDS[8][4] =
{
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
Reported by FlawFinder.
Line: 77
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{0x20,0x20,0x20,0x20}
};
static const unsigned char SiS300_OEMTVFlicker[8][4] =
{
{0x00,0x00,0x00,0x00},
{0x00,0x00,0x00,0x00},
{0x00,0x00,0x00,0x00},
{0x00,0x00,0x00,0x00},
Reported by FlawFinder.
Line: 89
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{0x00,0x00,0x00,0x00}
};
static const unsigned char SiS300_OEMLCDDelay2[64][4] = /* for 301/301b/302b/301LV/302LV */
{
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
Reported by FlawFinder.
Line: 157
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{0x20,0x20,0x20,0x20}
};
static const unsigned char SiS300_OEMLCDDelay4[12][4] =
{
{0x2c,0x2c,0x2c,0x2c},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x2c,0x2c,0x2c,0x2c},
Reported by FlawFinder.
Line: 173
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{0x24,0x24,0x24,0x24}
};
static const unsigned char SiS300_OEMLCDDelay5[32][4] =
{
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
Reported by FlawFinder.
Line: 209
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{0x20,0x20,0x20,0x20},
};
static const unsigned char SiS300_OEMLCDDelay3[64][4] = /* For LVDS */
{
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
{0x20,0x20,0x20,0x20},
Reported by FlawFinder.
Line: 277
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{0x20,0x20,0x20,0x20}
};
static const unsigned char SiS300_Phase1[8][5][4] =
{
{
{0x21,0xed,0x00,0x08},
{0x21,0xed,0x8a,0x08},
{0x21,0xed,0x8a,0x08},
Reported by FlawFinder.
Line: 337
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
};
static const unsigned char SiS300_Phase2[8][5][4] =
{
{
{0x21,0xed,0x00,0x08},
{0x21,0xed,0x8a,0x08},
{0x21,0xed,0x8a,0x08},
Reported by FlawFinder.
Line: 397
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
};
static const unsigned char SiS300_Filter1[10][16][4] =
{
{
{0x00,0xf4,0x10,0x38},
{0x00,0xf4,0x10,0x38},
{0xeb,0x04,0x10,0x18},
Reported by FlawFinder.
drivers/accessibility/speakup/main.c
12 issues
Line: 1881
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
win_left = 0;
win_right = vc->vc_cols - 1;
win_bottom = spk_y;
snprintf(info, sizeof(info), spk_msg_get(MSG_WINDOW_LINE),
(int)win_top + 1);
} else {
if (!win_start) {
win_top = spk_y;
win_left = spk_x;
Reported by FlawFinder.
Line: 1891
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
win_bottom = spk_y;
win_right = spk_x;
}
snprintf(info, sizeof(info), spk_msg_get(MSG_WINDOW_BOUNDARY),
(win_start) ?
spk_msg_get(MSG_END) : spk_msg_get(MSG_START),
(int)spk_y + 1, (int)spk_x + 1);
}
synth_printf("%s\n", info);
Reported by FlawFinder.
Line: 68
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int spk_say_ctrl, spk_bell_pos;
short spk_punc_mask;
int spk_punc_level, spk_reading_punc;
char spk_str_caps_start[MAXVARLEN + 1] = "\0";
char spk_str_caps_stop[MAXVARLEN + 1] = "\0";
char spk_str_pause[MAXVARLEN + 1] = "\0";
bool spk_paused;
const struct st_bits_data spk_punc_info[] = {
{"none", "", 0},
Reported by FlawFinder.
Line: 69
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
short spk_punc_mask;
int spk_punc_level, spk_reading_punc;
char spk_str_caps_start[MAXVARLEN + 1] = "\0";
char spk_str_caps_stop[MAXVARLEN + 1] = "\0";
char spk_str_pause[MAXVARLEN + 1] = "\0";
bool spk_paused;
const struct st_bits_data spk_punc_info[] = {
{"none", "", 0},
{"some", "/$%&@", SOME},
Reported by FlawFinder.
Line: 70
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int spk_punc_level, spk_reading_punc;
char spk_str_caps_start[MAXVARLEN + 1] = "\0";
char spk_str_caps_stop[MAXVARLEN + 1] = "\0";
char spk_str_pause[MAXVARLEN + 1] = "\0";
bool spk_paused;
const struct st_bits_data spk_punc_info[] = {
{"none", "", 0},
{"some", "/$%&@", SOME},
{"most", "$%&#()=+*/@^<>|\\", MOST},
Reported by FlawFinder.
Line: 122
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* initialized to default_chars and user selectable via
* /proc/speakup/characters
*/
char *spk_characters[256];
char *spk_default_chars[256] = {
/*000*/ "null", "^a", "^b", "^c", "^d", "^e", "^f", "^g",
/*008*/ "^h", "^i", "^j", "^k", "^l", "^m", "^n", "^o",
/*016*/ "^p", "^q", "^r", "^s", "^t", "^u", "^v", "^w",
Reported by FlawFinder.
Line: 124
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
char *spk_characters[256];
char *spk_default_chars[256] = {
/*000*/ "null", "^a", "^b", "^c", "^d", "^e", "^f", "^g",
/*008*/ "^h", "^i", "^j", "^k", "^l", "^m", "^n", "^o",
/*016*/ "^p", "^q", "^r", "^s", "^t", "^u", "^v", "^w",
/*024*/ "^x", "^y", "^z", "control", "control", "control", "control",
"control",
Reported by FlawFinder.
Line: 1246
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spk_shift_table = k_buffer;
spk_our_keys[0] = spk_shift_table;
cp1 += SHIFT_TBL_SIZE;
memcpy(cp1, cp, key_data_len + 3);
/* get num_keys, states and data */
cp1 += 2; /* now pointing at shift states */
for (i = 1; i <= states; i++) {
ch = *cp1++;
if (ch >= SHIFT_TBL_SIZE) {
Reported by FlawFinder.
Line: 1308
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kfree(spk_characters[i]);
}
memcpy(spk_characters, spk_default_chars, sizeof(spk_default_chars));
}
void spk_reset_default_chartab(void)
{
memcpy(spk_chartab, default_chartab, sizeof(default_chartab));
Reported by FlawFinder.
Line: 1313
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void spk_reset_default_chartab(void)
{
memcpy(spk_chartab, default_chartab, sizeof(default_chartab));
}
static const struct st_bits_data *pb_edit;
static int edit_bits(struct vc_data *vc, u_char type, u_char ch, u_short key)
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlxsw/core_env.c
12 issues
Line: 29
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mlxsw_env_validate_cable_ident(struct mlxsw_core *core, int id,
bool *qsfp, bool *cmis)
{
char mcia_pl[MLXSW_REG_MCIA_LEN];
char *eeprom_tmp;
u8 ident;
int err;
mlxsw_reg_mcia_pack(mcia_pl, id, 0, MLXSW_REG_MCIA_PAGE0_LO_OFF, 0, 1,
Reported by FlawFinder.
Line: 67
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 offset, u16 size, void *data,
bool qsfp, unsigned int *p_read_size)
{
char mcia_pl[MLXSW_REG_MCIA_LEN];
char *eeprom_tmp;
u16 i2c_addr;
u8 page = 0;
int status;
int err;
Reported by FlawFinder.
Line: 120
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EIO;
eeprom_tmp = mlxsw_reg_mcia_eeprom_data(mcia_pl);
memcpy(data, eeprom_tmp, size);
*p_read_size = size;
return 0;
}
Reported by FlawFinder.
Line: 134
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 buf[MLXSW_REG_MCIA_TH_ITEM_SIZE];
u16 temp;
} temp_thresh;
char mcia_pl[MLXSW_REG_MCIA_LEN] = {0};
char mtmp_pl[MLXSW_REG_MTMP_LEN];
char *eeprom_tmp;
bool qsfp, cmis;
int page;
int err;
Reported by FlawFinder.
Line: 135
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 temp;
} temp_thresh;
char mcia_pl[MLXSW_REG_MCIA_LEN] = {0};
char mtmp_pl[MLXSW_REG_MTMP_LEN];
char *eeprom_tmp;
bool qsfp, cmis;
int page;
int err;
Reported by FlawFinder.
Line: 199
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
eeprom_tmp = mlxsw_reg_mcia_eeprom_data(mcia_pl);
memcpy(temp_thresh.buf, eeprom_tmp, MLXSW_REG_MCIA_TH_ITEM_SIZE);
*temp = temp_thresh.temp * 1000;
return 0;
}
Reported by FlawFinder.
Line: 360
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
device_addr = page->offset;
while (bytes_read < page->length) {
char mcia_pl[MLXSW_REG_MCIA_LEN];
char *eeprom_tmp;
u8 size;
int err;
size = min_t(u8, page->length - bytes_read,
Reported by FlawFinder.
Line: 384
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
eeprom_tmp = mlxsw_reg_mcia_eeprom_data(mcia_pl);
memcpy(page->data + bytes_read, eeprom_tmp, size);
bytes_read += size;
}
return bytes_read;
}
Reported by FlawFinder.
Line: 396
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 module,
bool *p_has_temp_sensor)
{
char mtbr_pl[MLXSW_REG_MTBR_LEN];
u16 temp;
int err;
mlxsw_reg_mtbr_pack(mtbr_pl, MLXSW_REG_MTBR_BASE_MODULE_INDEX + module,
1);
Reported by FlawFinder.
Line: 424
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mlxsw_env_temp_event_set(struct mlxsw_core *mlxsw_core,
u16 sensor_index, bool enable)
{
char mtmp_pl[MLXSW_REG_MTMP_LEN] = {0};
enum mlxsw_reg_mtmp_tee tee;
int err, threshold_hi;
mlxsw_reg_mtmp_sensor_index_set(mtmp_pl, sensor_index);
err = mlxsw_reg_query(mlxsw_core, MLXSW_REG(mtmp), mtmp_pl);
Reported by FlawFinder.
drivers/video/fbdev/matrox/matroxfb_base.h
12 issues
Line: 465
Column: 28
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
struct matrox_bios bios;
struct {
struct matrox_pll_limits pixel;
struct matrox_pll_limits system;
struct matrox_pll_limits video;
} limits;
struct {
struct matrox_pll_cache pixel;
struct matrox_pll_cache system;
Reported by FlawFinder.
Line: 470
Column: 27
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
} limits;
struct {
struct matrox_pll_cache pixel;
struct matrox_pll_cache system;
struct matrox_pll_cache video;
} cache;
struct {
struct {
unsigned int video;
Reported by FlawFinder.
Line: 476
Column: 17
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
struct {
struct {
unsigned int video;
unsigned int system;
} pll;
struct {
u_int32_t opt;
u_int32_t opt2;
u_int32_t opt3;
Reported by FlawFinder.
Line: 266
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct matrox_hw_state {
u_int32_t MXoptionReg;
unsigned char DACclk[6];
unsigned char DACreg[80];
unsigned char MiscOutReg;
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
Reported by FlawFinder.
Line: 267
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct matrox_hw_state {
u_int32_t MXoptionReg;
unsigned char DACclk[6];
unsigned char DACreg[80];
unsigned char MiscOutReg;
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
Reported by FlawFinder.
Line: 269
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char DACclk[6];
unsigned char DACreg[80];
unsigned char MiscOutReg;
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
/* unused for MGA mode, but who knows... */
unsigned char GCTL[9];
Reported by FlawFinder.
Line: 270
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char DACreg[80];
unsigned char MiscOutReg;
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
/* unused for MGA mode, but who knows... */
unsigned char GCTL[9];
/* unused for MGA mode, but who knows... */
Reported by FlawFinder.
Line: 271
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char MiscOutReg;
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
/* unused for MGA mode, but who knows... */
unsigned char GCTL[9];
/* unused for MGA mode, but who knows... */
unsigned char ATTR[21];
Reported by FlawFinder.
Line: 272
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char DACpal[768];
unsigned char CRTC[25];
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
/* unused for MGA mode, but who knows... */
unsigned char GCTL[9];
/* unused for MGA mode, but who knows... */
unsigned char ATTR[21];
Reported by FlawFinder.
Line: 274
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char CRTCEXT[9];
unsigned char SEQ[5];
/* unused for MGA mode, but who knows... */
unsigned char GCTL[9];
/* unused for MGA mode, but who knows... */
unsigned char ATTR[21];
/* TVOut only */
struct mavenregs maven;
Reported by FlawFinder.
kernel/ksysfs.c
12 issues
Line: 43
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t uevent_helper_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%s\n", uevent_helper);
}
static ssize_t uevent_helper_store(struct kobject *kobj,
struct kobj_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 34
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t uevent_seqnum_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%llu\n", (unsigned long long)uevent_seqnum);
}
KERNEL_ATTR_RO(uevent_seqnum);
#ifdef CONFIG_UEVENT_HELPER
/* uevent helper program, used during early boot */
Reported by FlawFinder.
Line: 51
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
if (count+1 > UEVENT_HELPER_PATH_LEN)
return -ENOENT;
memcpy(uevent_helper, buf, count);
uevent_helper[count] = '\0';
if (count && uevent_helper[count-1] == '\n')
uevent_helper[count-1] = '\0';
return count;
}
Reported by FlawFinder.
Line: 64
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t profiling_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%d\n", prof_on);
}
static ssize_t profiling_store(struct kobject *kobj,
struct kobj_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 95
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t kexec_loaded_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%d\n", !!kexec_image);
}
KERNEL_ATTR_RO(kexec_loaded);
static ssize_t kexec_crash_loaded_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 102
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t kexec_crash_loaded_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%d\n", kexec_crash_loaded());
}
KERNEL_ATTR_RO(kexec_crash_loaded);
static ssize_t kexec_crash_size_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 109
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t kexec_crash_size_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%zu\n", crash_get_memory_size());
}
static ssize_t kexec_crash_size_store(struct kobject *kobj,
struct kobj_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 134
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct kobj_attribute *attr, char *buf)
{
phys_addr_t vmcore_base = paddr_vmcoreinfo_note();
return sprintf(buf, "%pa %x\n", &vmcore_base,
(unsigned int)VMCOREINFO_NOTE_SIZE);
}
KERNEL_ATTR_RO(vmcoreinfo);
#endif /* CONFIG_CRASH_CORE */
Reported by FlawFinder.
Line: 145
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t fscaps_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%d\n", file_caps_enabled);
}
KERNEL_ATTR_RO(fscaps);
#ifndef CONFIG_TINY_RCU
int rcu_expedited;
Reported by FlawFinder.
Line: 154
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t rcu_expedited_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%d\n", READ_ONCE(rcu_expedited));
}
static ssize_t rcu_expedited_store(struct kobject *kobj,
struct kobj_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
drivers/media/usb/pvrusb2/pvrusb2-hdw.c
12 issues
Line: 1468
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = 0;
for (address = 0; address < fwsize; address += 0x800) {
memcpy(fw_ptr, fw_entry->data + address, 0x800);
ret += usb_control_msg(hdw->usb_dev, pipe, 0xa0, 0x40, address,
0, fw_ptr, 0x800, HZ);
}
trace_firmware("Upload done, releasing device's CPU");
Reported by FlawFinder.
Line: 1591
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (fw_done = 0; fw_done < fw_len;) {
bcnt = fw_len - fw_done;
if (bcnt > FIRMWARE_CHUNK_SIZE) bcnt = FIRMWARE_CHUNK_SIZE;
memcpy(fw_ptr, fw_entry->data + fw_done, bcnt);
/* Usbsnoop log shows that we must swap bytes... */
/* Some background info: The data being swapped here is a
firmware image destined for the mpeg encoder chip that
lives at the other end of a USB endpoint. The encoder
chip always talks in 32 bit chunks and its storage is
Reported by FlawFinder.
Line: 1861
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void pvr2_hdw_setup_std(struct pvr2_hdw *hdw)
{
char buf[40];
unsigned int bcnt;
v4l2_std_id std1,std2,std3;
std1 = get_default_standard(hdw);
std3 = std1 ? 0 : hdw->hdw_desc->default_std_mask;
Reported by FlawFinder.
Line: 2975
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pvr2_ctrl *cptr;
int value;
int commit_flag = hdw->force_dirty;
char buf[100];
unsigned int bcnt,ccnt;
for (idx = 0; idx < hdw->control_cnt; idx++) {
cptr = hdw->controls + idx;
if (!cptr->info->is_dirty) continue;
Reported by FlawFinder.
Line: 3274
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
LOCK_TAKE(hdw->big_lock);
stat = pvr2_hdw_check_cropcap(hdw);
if (!stat) {
memcpy(pp, &hdw->cropcap_info, sizeof(hdw->cropcap_info));
}
LOCK_GIVE(hdw->big_lock);
return stat;
}
Reported by FlawFinder.
Line: 3288
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (hdw->tuner_signal_stale) {
pvr2_hdw_status_poll(hdw);
}
memcpy(vtp,&hdw->tuner_signal_info,sizeof(struct v4l2_tuner));
} while (0); LOCK_GIVE(hdw->big_lock);
return 0;
}
Reported by FlawFinder.
Line: 3495
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (offs + cnt > hdw->fw_size) cnt = hdw->fw_size - offs;
memcpy(buf,hdw->fw_buffer+offs,cnt);
pvr2_trace(PVR2_TRACE_FIRMWARE,
"Read firmware data offs=%d cnt=%d",
offs,cnt);
ret = cnt;
Reported by FlawFinder.
Line: 3629
Column: 36
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
hdw->cmd_debug_state = 1;
if (write_len && write_data)
hdw->cmd_debug_code = ((unsigned char *)write_data)[0];
else
hdw->cmd_debug_code = 0;
hdw->cmd_debug_write_len = write_len;
hdw->cmd_debug_read_len = read_len;
Reported by FlawFinder.
Line: 3648
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Transfer write data to internal buffer */
for (idx = 0; idx < write_len; idx++) {
hdw->ctl_write_buffer[idx] =
((unsigned char *)write_data)[idx];
}
/* Initiate a write request */
usb_fill_bulk_urb(hdw->ctl_write_urb,
hdw->usb_dev,
usb_sndbulkpipe(hdw->usb_dev,
Reported by FlawFinder.
Line: 3789
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
/* Transfer retrieved data out from internal buffer */
for (idx = 0; idx < read_len; idx++) {
((unsigned char *)read_data)[idx] =
hdw->ctl_read_buffer[idx];
}
}
done:
Reported by FlawFinder.
drivers/net/ethernet/mellanox/mlx5/core/fpga/cmd.c
12 issues
Line: 60
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
MLX5_SET(fpga_access_reg, in, size, size);
MLX5_SET64(fpga_access_reg, in, address, addr);
if (write)
memcpy(MLX5_ADDR_OF(fpga_access_reg, in, data), buf, size);
err = mlx5_core_access_reg(dev, in, sizeof(in), out, sizeof(out),
MLX5_REG_FPGA_ACCESS_REG, 0, write);
if (err)
return err;
Reported by FlawFinder.
Line: 68
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
if (!write)
memcpy(buf, MLX5_ADDR_OF(fpga_access_reg, out, data), size);
return 0;
}
int mlx5_fpga_caps(struct mlx5_core_dev *dev)
Reported by FlawFinder.
Line: 150
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int ret;
MLX5_SET(fpga_create_qp_in, in, opcode, MLX5_CMD_OP_FPGA_CREATE_QP);
memcpy(MLX5_ADDR_OF(fpga_create_qp_in, in, fpga_qpc), fpga_qpc,
MLX5_FLD_SZ_BYTES(fpga_create_qp_in, fpga_qpc));
ret = mlx5_cmd_exec_inout(dev, fpga_create_qp, in, out);
if (ret)
return ret;
Reported by FlawFinder.
Line: 157
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return ret;
memcpy(fpga_qpc, MLX5_ADDR_OF(fpga_create_qp_out, out, fpga_qpc),
MLX5_FLD_SZ_BYTES(fpga_create_qp_out, fpga_qpc));
*fpga_qpn = MLX5_GET(fpga_create_qp_out, out, fpga_qpn);
return ret;
}
Reported by FlawFinder.
Line: 172
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
MLX5_SET(fpga_modify_qp_in, in, opcode, MLX5_CMD_OP_FPGA_MODIFY_QP);
MLX5_SET(fpga_modify_qp_in, in, field_select, fields);
MLX5_SET(fpga_modify_qp_in, in, fpga_qpn, fpga_qpn);
memcpy(MLX5_ADDR_OF(fpga_modify_qp_in, in, fpga_qpc), fpga_qpc,
MLX5_FLD_SZ_BYTES(fpga_modify_qp_in, fpga_qpc));
return mlx5_cmd_exec_in(dev, fpga_modify_qp, in);
}
Reported by FlawFinder.
Line: 192
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return ret;
memcpy(fpga_qpc, MLX5_ADDR_OF(fpga_query_qp_out, out, fpga_qpc),
MLX5_FLD_SZ_BYTES(fpga_query_qp_out, fpga_qpc));
return ret;
}
int mlx5_fpga_destroy_qp(struct mlx5_core_dev *dev, u32 fpga_qpn)
Reported by FlawFinder.
Line: 97
Column: 15
CWE codes:
120
20
{
unsigned int cap_size = MLX5_CAP_FPGA(dev, sandbox_extended_caps_len);
u64 addr = MLX5_CAP64_FPGA(dev, sandbox_extended_caps_addr);
unsigned int read;
int ret = 0;
if (cap_size > size) {
mlx5_core_warn(dev, "Not enough buffer %u for FPGA SBU caps %u",
size, cap_size);
Reported by FlawFinder.
Line: 110
Column: 35
CWE codes:
120
20
read = min_t(unsigned int, cap_size,
MLX5_FPGA_ACCESS_REG_SIZE_MAX);
ret = mlx5_fpga_access_reg(dev, read, addr, caps, false);
if (ret) {
mlx5_core_warn(dev, "Error reading FPGA SBU caps %u bytes at address 0x%llx: %d",
read, addr, ret);
return ret;
}
Reported by FlawFinder.
Line: 113
Column: 12
CWE codes:
120
20
ret = mlx5_fpga_access_reg(dev, read, addr, caps, false);
if (ret) {
mlx5_core_warn(dev, "Error reading FPGA SBU caps %u bytes at address 0x%llx: %d",
read, addr, ret);
return ret;
}
cap_size -= read;
addr += read;
Reported by FlawFinder.
kernel/params.c
12 issues
Line: 855
CWE codes:
570
struct module_kobject *mk;
int err;
for (vattr = __start___modver; vattr < __stop___modver; vattr++) {
mk = locate_module_kobject(vattr->module_name);
if (mk) {
err = sysfs_create_file(&mk->kobj, &vattr->mattr.attr);
WARN_ON_ONCE(err);
kobject_uevent(&mk->kobj, KOBJ_ADD);
Reported by Cppcheck.
Line: 261
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
*(char **)kp->arg = kmalloc_parameter(strlen(val)+1);
if (!*(char **)kp->arg)
return -ENOMEM;
strcpy(*(char **)kp->arg, val);
} else
*(const char **)kp->arg = val;
return 0;
}
Reported by FlawFinder.
Line: 501
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
kp->name, kps->maxlen-1);
return -ENOSPC;
}
strcpy(kps->string, val);
return 0;
}
EXPORT_SYMBOL(param_set_copystring);
int param_get_string(char *buffer, const struct kernel_param *kp)
Reported by FlawFinder.
Line: 302
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int param_get_bool(char *buffer, const struct kernel_param *kp)
{
/* Y and N chosen as being relatively non-coder friendly */
return sprintf(buffer, "%c\n", *(bool *)kp->arg ? 'Y' : 'N');
}
EXPORT_SYMBOL(param_get_bool);
const struct kernel_param_ops param_ops_bool = {
.flags = KERNEL_PARAM_OPS_FL_NOARG,
Reported by FlawFinder.
Line: 361
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int param_get_invbool(char *buffer, const struct kernel_param *kp)
{
return sprintf(buffer, "%c\n", (*(bool *)kp->arg) ? 'N' : 'Y');
}
EXPORT_SYMBOL(param_get_invbool);
const struct kernel_param_ops param_ops_invbool = {
.set = param_set_invbool,
Reported by FlawFinder.
Line: 426
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* nul-terminate and parse */
save = val[len];
((char *)val)[len] = '\0';
check_kparam_locked(mod);
ret = set(val, &kp);
if (ret != 0)
return ret;
Reported by FlawFinder.
Line: 816
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const struct kernel_param *kp;
unsigned int name_len;
char modname[MODULE_NAME_LEN];
for (kp = __start___param; kp < __stop___param; kp++) {
char *dot;
if (kp->perm == 0)
Reported by FlawFinder.
Line: 827
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
dot = strchr(kp->name, '.');
if (!dot) {
/* This happens for core_param() */
strcpy(modname, "kernel");
name_len = 0;
} else {
name_len = dot - kp->name + 1;
strlcpy(modname, kp->name, name_len);
}
Reported by FlawFinder.
Line: 97
Column: 24
CWE codes:
126
bool parameq(const char *a, const char *b)
{
return parameqn(a, b, strlen(a)+1);
}
static bool param_check_unsafe(const struct kernel_param *kp)
{
if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
Reported by FlawFinder.
Line: 248
Column: 6
CWE codes:
126
int param_set_charp(const char *val, const struct kernel_param *kp)
{
if (strlen(val) > 1024) {
pr_err("%s: string parameter too long\n", kp->name);
return -ENOSPC;
}
maybe_kfree_parameter(*(char **)kp->arg);
Reported by FlawFinder.