The following issues were found
drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c
11 issues
Line: 148
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_list args;
va_start(args, size);
vsnprintf(*p, ETH_GSTRING_LEN, stats[i].stat_string, args);
*p += ETH_GSTRING_LEN;
va_end(args);
}
}
Reported by FlawFinder.
Line: 15
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* should use the same format specifiers as they will be formatted
* using the same variadic arguments.
*/
char stat_string[ETH_GSTRING_LEN];
int sizeof_stat;
int stat_offset;
};
#define FM10K_STAT_FIELDS(_type, _name, _stat) { \
Reported by FlawFinder.
Line: 136
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
FM10K_PRV_FLAG_LEN,
};
static const char fm10k_prv_flags[FM10K_PRV_FLAG_LEN][ETH_GSTRING_LEN] = {
};
static void __fm10k_add_stat_strings(u8 **p, const struct fm10k_stats stats[],
const unsigned int size, ...)
{
Reported by FlawFinder.
Line: 185
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
switch (stringset) {
case ETH_SS_TEST:
memcpy(data, fm10k_gstrings_test,
FM10K_TEST_LEN * ETH_GSTRING_LEN);
break;
case ETH_SS_STATS:
fm10k_get_stat_strings(dev, data);
break;
Reported by FlawFinder.
Line: 192
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fm10k_get_stat_strings(dev, data);
break;
case ETH_SS_PRIV_FLAGS:
memcpy(data, fm10k_prv_flags,
FM10K_PRV_FLAG_LEN * ETH_GSTRING_LEN);
break;
}
}
Reported by FlawFinder.
Line: 575
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
if (new_tx_count != interface->tx_ring_count) {
for (i = 0; i < interface->num_tx_queues; i++) {
memcpy(&temp_ring[i], interface->tx_ring[i],
sizeof(struct fm10k_ring));
temp_ring[i].count = new_tx_count;
err = fm10k_setup_tx_resources(&temp_ring[i]);
if (err) {
Reported by FlawFinder.
Line: 592
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < interface->num_tx_queues; i++) {
fm10k_free_tx_resources(interface->tx_ring[i]);
memcpy(interface->tx_ring[i], &temp_ring[i],
sizeof(struct fm10k_ring));
}
interface->tx_ring_count = new_tx_count;
}
Reported by FlawFinder.
Line: 602
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Repeat the process for the Rx rings if needed */
if (new_rx_count != interface->rx_ring_count) {
for (i = 0; i < interface->num_rx_queues; i++) {
memcpy(&temp_ring[i], interface->rx_ring[i],
sizeof(struct fm10k_ring));
temp_ring[i].count = new_rx_count;
err = fm10k_setup_rx_resources(&temp_ring[i]);
if (err) {
Reported by FlawFinder.
Line: 619
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < interface->num_rx_queues; i++) {
fm10k_free_rx_resources(interface->rx_ring[i]);
memcpy(interface->rx_ring[i], &temp_ring[i],
sizeof(struct fm10k_ring));
}
interface->rx_ring_count = new_rx_count;
}
Reported by FlawFinder.
Line: 451
Column: 2
CWE codes:
120
{
struct fm10k_intfc *interface = netdev_priv(dev);
strncpy(info->driver, fm10k_driver_name,
sizeof(info->driver) - 1);
strncpy(info->bus_info, pci_name(interface->pdev),
sizeof(info->bus_info) - 1);
}
Reported by FlawFinder.
tools/perf/builtin-report.c
11 issues
Line: 494
Column: 10
CWE codes:
134
Suggestion:
Use a constant for the format specification
}
if (rep->mem_mode) {
ret += fprintf(fp, "\n# Total weight : %" PRIu64, nr_events);
ret += fprintf(fp, "\n# Sort order : %s", sort_order ? : default_mem_sort_order);
} else
ret += fprintf(fp, "\n# Event count (approx.): %" PRIu64, nr_events);
if (socked_id > -1)
Reported by FlawFinder.
Line: 497
Column: 10
CWE codes:
134
Suggestion:
Use a constant for the format specification
ret += fprintf(fp, "\n# Total weight : %" PRIu64, nr_events);
ret += fprintf(fp, "\n# Sort order : %s", sort_order ? : default_mem_sort_order);
} else
ret += fprintf(fp, "\n# Event count (approx.): %" PRIu64, nr_events);
if (socked_id > -1)
ret += fprintf(fp, "\n# Processor Socket: %d", socked_id);
return ret + fprintf(fp, "\n#\n");
Reported by FlawFinder.
Line: 1382
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
perf_quiet_option();
if (symbol_conf.vmlinux_name &&
access(symbol_conf.vmlinux_name, R_OK)) {
pr_err("Invalid file: %s\n", symbol_conf.vmlinux_name);
ret = -EINVAL;
goto exit;
}
if (symbol_conf.kallsyms_name &&
Reported by FlawFinder.
Line: 1388
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
goto exit;
}
if (symbol_conf.kallsyms_name &&
access(symbol_conf.kallsyms_name, R_OK)) {
pr_err("Invalid file: %s\n", symbol_conf.kallsyms_name);
ret = -EINVAL;
goto exit;
}
Reported by FlawFinder.
Line: 448
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long nr_samples = hists->stats.nr_samples;
u64 nr_events = hists->stats.total_period;
struct evsel *evsel = hists_to_evsel(hists);
char buf[512];
size_t size = sizeof(buf);
int socked_id = hists->socket_filter;
if (quiet)
return 0;
Reported by FlawFinder.
Line: 1078
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (arg) {
int err = regcomp(&ignore_callees_regex, arg, REG_EXTENDED);
if (err) {
char buf[BUFSIZ];
regerror(err, &ignore_callees_regex, buf, sizeof(buf));
pr_err("Invalid --ignore-callees regex: %s\n%s", arg, buf);
return -1;
}
have_ignore_callees = 1;
Reported by FlawFinder.
Line: 1346
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
.mode = PERF_DATA_MODE_READ,
};
int ret = hists__init();
char sort_tmp[128];
if (ret < 0)
goto exit;
ret = perf_config(report__config, &report);
Reported by FlawFinder.
Line: 334
Column: 33
CWE codes:
120
20
if (rep->show_threads) {
const char *name = evsel__name(evsel);
int err = perf_read_values_add_value(&rep->show_threads_values,
event->read.pid, event->read.tid,
evsel->core.idx,
name,
event->read.value);
if (err)
Reported by FlawFinder.
Line: 334
Column: 16
CWE codes:
120
20
if (rep->show_threads) {
const char *name = evsel__name(evsel);
int err = perf_read_values_add_value(&rep->show_threads_values,
event->read.pid, event->read.tid,
evsel->core.idx,
name,
event->read.value);
if (err)
Reported by FlawFinder.
drivers/net/ethernet/intel/e1000e/ethtool.c
11 issues
Line: 20
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum { NETDEV_STATS, E1000_STATS };
struct e1000_stats {
char stat_string[ETH_GSTRING_LEN];
int type;
int sizeof_stat;
int stat_offset;
};
Reported by FlawFinder.
Line: 551
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
le16_to_cpus(&eeprom_buff[i]);
}
memcpy(bytes, (u8 *)eeprom_buff + (eeprom->offset & 1), eeprom->len);
kfree(eeprom_buff);
return ret_val;
}
Reported by FlawFinder.
Line: 611
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < last_word - first_word + 1; i++)
le16_to_cpus(&eeprom_buff[i]);
memcpy(ptr, bytes, eeprom->len);
for (i = 0; i < last_word - first_word + 1; i++)
cpu_to_le16s(&eeprom_buff[i]);
ret_val = e1000_write_nvm(hw, first_word,
Reported by FlawFinder.
Line: 733
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* structs. First, attempt to allocate new resources...
*/
if (set_tx) {
memcpy(temp_tx, adapter->tx_ring, size);
temp_tx->count = new_tx_count;
err = e1000e_setup_tx_resources(temp_tx);
if (err)
goto err_setup;
}
Reported by FlawFinder.
Line: 740
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto err_setup;
}
if (set_rx) {
memcpy(temp_rx, adapter->rx_ring, size);
temp_rx->count = new_rx_count;
err = e1000e_setup_rx_resources(temp_rx);
if (err)
goto err_setup_rx;
}
Reported by FlawFinder.
Line: 750
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* ...then free the old resources and copy back any new ring data */
if (set_tx) {
e1000e_free_tx_resources(adapter->tx_ring);
memcpy(adapter->tx_ring, temp_tx, size);
adapter->tx_ring_count = new_tx_count;
}
if (set_rx) {
e1000e_free_rx_resources(adapter->rx_ring);
memcpy(adapter->rx_ring, temp_rx, size);
Reported by FlawFinder.
Line: 755
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (set_rx) {
e1000e_free_rx_resources(adapter->rx_ring);
memcpy(adapter->rx_ring, temp_rx, size);
adapter->rx_ring_count = new_rx_count;
}
err_setup_rx:
if (err && set_tx)
Reported by FlawFinder.
Line: 2100
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (stringset) {
case ETH_SS_TEST:
memcpy(data, e1000_gstrings_test, sizeof(e1000_gstrings_test));
break;
case ETH_SS_STATS:
for (i = 0; i < E1000_GLOBAL_STATS_LEN; i++) {
memcpy(p, e1000_gstrings_stats[i].stat_string,
ETH_GSTRING_LEN);
Reported by FlawFinder.
Line: 2104
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case ETH_SS_STATS:
for (i = 0; i < E1000_GLOBAL_STATS_LEN; i++) {
memcpy(p, e1000_gstrings_stats[i].stat_string,
ETH_GSTRING_LEN);
p += ETH_GSTRING_LEN;
}
break;
case ETH_SS_PRIV_FLAGS:
Reported by FlawFinder.
Line: 2110
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
break;
case ETH_SS_PRIV_FLAGS:
memcpy(data, e1000e_priv_flags_strings,
E1000E_PRIV_FLAGS_STR_LEN * ETH_GSTRING_LEN);
break;
}
}
Reported by FlawFinder.
drivers/net/ethernet/intel/e1000/e1000_ethtool.c
11 issues
Line: 13
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum {NETDEV_STATS, E1000_STATS};
struct e1000_stats {
char stat_string[ETH_GSTRING_LEN];
int type;
int sizeof_stat;
int stat_offset;
};
Reported by FlawFinder.
Line: 460
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < last_word - first_word + 1; i++)
le16_to_cpus(&eeprom_buff[i]);
memcpy(bytes, (u8 *)eeprom_buff + (eeprom->offset & 1),
eeprom->len);
kfree(eeprom_buff);
return ret_val;
}
Reported by FlawFinder.
Line: 513
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < last_word - first_word + 1; i++)
le16_to_cpus(&eeprom_buff[i]);
memcpy(ptr, bytes, eeprom->len);
for (i = 0; i < last_word - first_word + 1; i++)
cpu_to_le16s(&eeprom_buff[i]);
ret_val = e1000_write_eeprom(hw, first_word,
Reported by FlawFinder.
Line: 1839
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (stringset) {
case ETH_SS_TEST:
memcpy(data, e1000_gstrings_test, sizeof(e1000_gstrings_test));
break;
case ETH_SS_STATS:
for (i = 0; i < E1000_GLOBAL_STATS_LEN; i++) {
memcpy(p, e1000_gstrings_stats[i].stat_string,
ETH_GSTRING_LEN);
Reported by FlawFinder.
Line: 1843
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case ETH_SS_STATS:
for (i = 0; i < E1000_GLOBAL_STATS_LEN; i++) {
memcpy(p, e1000_gstrings_stats[i].stat_string,
ETH_GSTRING_LEN);
p += ETH_GSTRING_LEN;
}
/* BUG_ON(p - data != E1000_STATS_LEN * ETH_GSTRING_LEN); */
break;
Reported by FlawFinder.
Line: 659
Column: 6
CWE codes:
120
20
0x5A5A5A5A, 0xA5A5A5A5, 0x00000000, 0xFFFFFFFF
};
u8 __iomem *address = hw->hw_addr + reg;
u32 read;
int i;
for (i = 0; i < ARRAY_SIZE(test); i++) {
writel(write & test[i], address);
read = readl(address);
Reported by FlawFinder.
Line: 665
Column: 7
CWE codes:
120
20
for (i = 0; i < ARRAY_SIZE(test); i++) {
writel(write & test[i], address);
read = readl(address);
if (read != (write & test[i] & mask)) {
e_err(drv, "pattern test reg %04X failed: "
"got 0x%08X expected 0x%08X\n",
reg, read, (write & test[i] & mask));
*data = reg;
return true;
Reported by FlawFinder.
Line: 668
Column: 15
CWE codes:
120
20
if (read != (write & test[i] & mask)) {
e_err(drv, "pattern test reg %04X failed: "
"got 0x%08X expected 0x%08X\n",
reg, read, (write & test[i] & mask));
*data = reg;
return true;
}
}
return false;
Reported by FlawFinder.
Line: 681
Column: 6
CWE codes:
120
20
{
struct e1000_hw *hw = &adapter->hw;
u8 __iomem *address = hw->hw_addr + reg;
u32 read;
writel(write & mask, address);
read = readl(address);
if ((read & mask) != (write & mask)) {
e_err(drv, "set/check reg %04X test failed: "
Reported by FlawFinder.
Line: 685
Column: 7
CWE codes:
120
20
writel(write & mask, address);
read = readl(address);
if ((read & mask) != (write & mask)) {
e_err(drv, "set/check reg %04X test failed: "
"got 0x%08X expected 0x%08X\n",
reg, (read & mask), (write & mask));
*data = reg;
return true;
Reported by FlawFinder.
drivers/net/ethernet/intel/i40e/i40e_ethtool.c
11 issues
Line: 208
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_list args;
va_start(args, size);
vsnprintf(*p, ETH_GSTRING_LEN, stats[i].stat_string, args);
*p += ETH_GSTRING_LEN;
va_end(args);
}
}
Reported by FlawFinder.
Line: 35
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* arguments to the i40e_add_stat_string() helper function.
**/
struct i40e_stats {
char stat_string[ETH_GSTRING_LEN];
int sizeof_stat;
int stat_offset;
};
/* Helper macro to define an i40e_stat structure with proper size and type.
Reported by FlawFinder.
Line: 426
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define I40E_TEST_LEN (sizeof(i40e_gstrings_test) / ETH_GSTRING_LEN)
struct i40e_priv_flags {
char flag_string[ETH_GSTRING_LEN];
u64 flag;
bool read_only;
};
#define I40E_PRIV_FLAG(_name, _flag, _read_only) { \
Reported by FlawFinder.
Line: 1188
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* copy the ksettings to copy_ks to avoid modifying the origin */
memcpy(©_ks, ks, sizeof(struct ethtool_link_ksettings));
/* save autoneg out of ksettings */
autoneg = copy_ks.base.autoneg;
/* get our own copy of the bits to check against */
Reported by FlawFinder.
Line: 1842
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
i40e_release_nvm(hw);
memcpy(bytes, (u8 *)eeprom_buff, eeprom->len);
free_buff:
kfree(eeprom_buff);
return ret_val;
}
Reported by FlawFinder.
Line: 2428
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
switch (stringset) {
case ETH_SS_TEST:
memcpy(data, i40e_gstrings_test,
I40E_TEST_LEN * ETH_GSTRING_LEN);
break;
case ETH_SS_STATS:
i40e_get_stat_strings(netdev, data);
break;
Reported by FlawFinder.
Line: 3270
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
fsp->h_u.tcp_ip6_spec.psrc = rule->dst_port;
fsp->h_u.tcp_ip6_spec.pdst = rule->src_port;
memcpy(fsp->h_u.tcp_ip6_spec.ip6dst, rule->src_ip6,
sizeof(__be32) * 4);
memcpy(fsp->h_u.tcp_ip6_spec.ip6src, rule->dst_ip6,
sizeof(__be32) * 4);
} else {
/* Reverse the src and dest notion, since the HW views them
Reported by FlawFinder.
Line: 3272
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fsp->h_u.tcp_ip6_spec.pdst = rule->src_port;
memcpy(fsp->h_u.tcp_ip6_spec.ip6dst, rule->src_ip6,
sizeof(__be32) * 4);
memcpy(fsp->h_u.tcp_ip6_spec.ip6src, rule->dst_ip6,
sizeof(__be32) * 4);
} else {
/* Reverse the src and dest notion, since the HW views them
* from Tx perspective where as the user expects it from
* Rx filter view.
Reported by FlawFinder.
Line: 4765
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
input->ipl4_proto = fsp->h_u.usr_ip6_spec.l4_proto;
input->dst_port = fsp->h_u.tcp_ip6_spec.psrc;
input->src_port = fsp->h_u.tcp_ip6_spec.pdst;
memcpy(input->dst_ip6, fsp->h_u.ah_ip6_spec.ip6src,
sizeof(__be32) * 4);
memcpy(input->src_ip6, fsp->h_u.ah_ip6_spec.ip6dst,
sizeof(__be32) * 4);
} else {
/* Reverse the src and dest notion, since the HW expects them
Reported by FlawFinder.
Line: 4767
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
input->src_port = fsp->h_u.tcp_ip6_spec.pdst;
memcpy(input->dst_ip6, fsp->h_u.ah_ip6_spec.ip6src,
sizeof(__be32) * 4);
memcpy(input->src_ip6, fsp->h_u.ah_ip6_spec.ip6dst,
sizeof(__be32) * 4);
} else {
/* Reverse the src and dest notion, since the HW expects them
* to be from Tx perspective where as the input from user is
* from Rx filter view.
Reported by FlawFinder.
drivers/hid/hid-core.c
11 issues
Line: 1981
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (hdev->claimed & HID_CLAIMED_INPUT)
len += sprintf(buf + len, "input");
if (hdev->claimed & HID_CLAIMED_HIDDEV)
len += sprintf(buf + len, "%shiddev%d", len ? "," : "",
((struct hiddev *)hdev->hiddev)->minor);
if (hdev->claimed & HID_CLAIMED_HIDRAW)
len += sprintf(buf + len, "%shidraw%d", len ? "," : "",
((struct hidraw *)hdev->hidraw)->minor);
Reported by FlawFinder.
Line: 1984
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len += sprintf(buf + len, "%shiddev%d", len ? "," : "",
((struct hiddev *)hdev->hiddev)->minor);
if (hdev->claimed & HID_CLAIMED_HIDRAW)
len += sprintf(buf + len, "%shidraw%d", len ? "," : "",
((struct hidraw *)hdev->hidraw)->minor);
type = "Device";
for (i = 0; i < hdev->maxcollection; i++) {
struct hid_collection *col = &hdev->collection[i];
Reported by FlawFinder.
Line: 154
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hid_err(parser->device, "failed to reallocate collection array\n");
return -ENOMEM;
}
memcpy(collection, parser->device->collection,
sizeof(struct hid_collection) *
parser->device->collection_size);
memset(collection + parser->device->collection_size, 0,
sizeof(struct hid_collection) *
parser->device->collection_size);
Reported by FlawFinder.
Line: 378
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -1;
}
memcpy(parser->global_stack + parser->global_stack_ptr++,
&parser->global, sizeof(struct hid_global));
return 0;
case HID_GLOBAL_ITEM_TAG_POP:
Reported by FlawFinder.
Line: 389
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -1;
}
memcpy(&parser->global, parser->global_stack +
--parser->global_stack_ptr, sizeof(struct hid_global));
return 0;
case HID_GLOBAL_ITEM_TAG_USAGE_PAGE:
parser->global.usage_page = item_udata(item);
Reported by FlawFinder.
Line: 1583
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hid_process_event(hid, field, &field->usage[value[n] - min], 1, interrupt);
}
memcpy(field->value, value, count * sizeof(__s32));
exit:
kfree(value);
}
/*
Reported by FlawFinder.
Line: 1906
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (off + count > hdev->rsize)
count = hdev->rsize - off;
memcpy(buf, hdev->rdesc + off, count);
return count;
}
static ssize_t
Reported by FlawFinder.
Line: 1917
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct hid_device *hdev = to_hid_device(dev);
return sprintf(buf, "%02x\n", hdev->country & 0xff);
}
static struct bin_attribute dev_bin_attr_report_desc = {
.attr = { .name = "report_descriptor", .mode = 0444 },
.read = read_report_descriptor,
Reported by FlawFinder.
Line: 1938
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"Multi-Axis Controller"
};
const char *type, *bus;
char buf[64] = "";
unsigned int i;
int len;
int ret;
if (hdev->quirks & HID_QUIRK_HIDDEV_FORCE)
Reported by FlawFinder.
Line: 1979
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len = 0;
if (hdev->claimed & HID_CLAIMED_INPUT)
len += sprintf(buf + len, "input");
if (hdev->claimed & HID_CLAIMED_HIDDEV)
len += sprintf(buf + len, "%shiddev%d", len ? "," : "",
((struct hiddev *)hdev->hiddev)->minor);
if (hdev->claimed & HID_CLAIMED_HIDRAW)
len += sprintf(buf + len, "%shidraw%d", len ? "," : "",
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/dvm/lib.c
11 issues
Line: 286
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
priv->bt_enable_flag = basic.flags;
if (priv->bt_full_concurrent)
memcpy(basic.bt3_lookup_table, iwlagn_concurrent_lookup,
sizeof(iwlagn_concurrent_lookup));
else
memcpy(basic.bt3_lookup_table, iwlagn_def_3w_lookup,
sizeof(iwlagn_def_3w_lookup));
Reported by FlawFinder.
Line: 289
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(basic.bt3_lookup_table, iwlagn_concurrent_lookup,
sizeof(iwlagn_concurrent_lookup));
else
memcpy(basic.bt3_lookup_table, iwlagn_def_3w_lookup,
sizeof(iwlagn_def_3w_lookup));
IWL_DEBUG_COEX(priv, "BT coex %s in %s mode\n",
basic.flags ? "active" : "disabled",
priv->bt_full_concurrent ?
Reported by FlawFinder.
Line: 298
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
"full concurrency" : "3-wire");
if (priv->lib->bt_params->bt_session_2) {
memcpy(&bt_cmd_v2.basic, &basic,
sizeof(basic));
ret = iwl_dvm_send_cmd_pdu(priv, REPLY_BT_CONFIG,
0, sizeof(bt_cmd_v2), &bt_cmd_v2);
} else {
memcpy(&bt_cmd_v1.basic, &basic,
Reported by FlawFinder.
Line: 303
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = iwl_dvm_send_cmd_pdu(priv, REPLY_BT_CONFIG,
0, sizeof(bt_cmd_v2), &bt_cmd_v2);
} else {
memcpy(&bt_cmd_v1.basic, &basic,
sizeof(basic));
ret = iwl_dvm_send_cmd_pdu(priv, REPLY_BT_CONFIG,
0, sizeof(bt_cmd_v1), &bt_cmd_v1);
}
if (ret)
Reported by FlawFinder.
Line: 925
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ieee80211_get_tkip_p1k_iv(key, seq.tkip.iv32, p1k);
iwlagn_convert_p1k(p1k, data->tkip->tx.p1k);
memcpy(data->tkip->mic_keys.tx,
&key->key[NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY],
IWLAGN_MIC_KEY_SIZE);
rx_mic_key = data->tkip->mic_keys.rx_unicast;
} else {
Reported by FlawFinder.
Line: 957
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cur_rx_iv32 + 1, p1k);
iwlagn_convert_p1k(p1k, rx_p1ks[1].p1k);
memcpy(rx_mic_key,
&key->key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY],
IWLAGN_MIC_KEY_SIZE);
data->use_tkip = true;
data->use_rsc_tsc = true;
Reported by FlawFinder.
Line: 1023
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < wowlan->n_patterns; i++) {
int mask_len = DIV_ROUND_UP(wowlan->patterns[i].pattern_len, 8);
memcpy(&pattern_cmd->patterns[i].mask,
wowlan->patterns[i].mask, mask_len);
memcpy(&pattern_cmd->patterns[i].pattern,
wowlan->patterns[i].pattern,
wowlan->patterns[i].pattern_len);
pattern_cmd->patterns[i].mask_size = mask_len;
Reported by FlawFinder.
Line: 1025
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&pattern_cmd->patterns[i].mask,
wowlan->patterns[i].mask, mask_len);
memcpy(&pattern_cmd->patterns[i].pattern,
wowlan->patterns[i].pattern,
wowlan->patterns[i].pattern_len);
pattern_cmd->patterns[i].mask_size = mask_len;
pattern_cmd->patterns[i].pattern_size =
wowlan->patterns[i].pattern_len;
Reported by FlawFinder.
Line: 1132
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
goto out;
memcpy(&ctx->staging, &rxon, sizeof(rxon));
ret = iwlagn_commit_rxon(priv, ctx);
if (ret)
goto out;
ret = iwl_power_update_mode(priv, true);
Reported by FlawFinder.
Line: 1185
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (priv->have_rekey_data) {
memset(&kek_kck_cmd, 0, sizeof(kek_kck_cmd));
memcpy(kek_kck_cmd.kck, priv->kck, NL80211_KCK_LEN);
kek_kck_cmd.kck_len = cpu_to_le16(NL80211_KCK_LEN);
memcpy(kek_kck_cmd.kek, priv->kek, NL80211_KEK_LEN);
kek_kck_cmd.kek_len = cpu_to_le16(NL80211_KEK_LEN);
kek_kck_cmd.replay_ctr = priv->replay_ctr;
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/dvm/rx.c
11 issues
Line: 89
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(&priv->measure_report, report, sizeof(*report));
priv->measurement_status |= MEASUREMENT_READY;
}
static void iwlagn_rx_pm_sleep_notif(struct iwl_priv *priv,
struct iwl_rx_cmd_buffer *rxb)
Reported by FlawFinder.
Line: 416
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
iwlagn_recover_from_statistics(priv, rx_ofdm, rx_ofdm_ht, tx, stamp);
priv->statistics.flag = *flag;
memcpy(&priv->statistics.common, common, sizeof(*common));
memcpy(&priv->statistics.rx_non_phy, rx_non_phy, sizeof(*rx_non_phy));
memcpy(&priv->statistics.rx_ofdm, rx_ofdm, sizeof(*rx_ofdm));
memcpy(&priv->statistics.rx_ofdm_ht, rx_ofdm_ht, sizeof(*rx_ofdm_ht));
memcpy(&priv->statistics.rx_cck, rx_cck, sizeof(*rx_cck));
memcpy(&priv->statistics.tx, tx, sizeof(*tx));
Reported by FlawFinder.
Line: 417
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->statistics.flag = *flag;
memcpy(&priv->statistics.common, common, sizeof(*common));
memcpy(&priv->statistics.rx_non_phy, rx_non_phy, sizeof(*rx_non_phy));
memcpy(&priv->statistics.rx_ofdm, rx_ofdm, sizeof(*rx_ofdm));
memcpy(&priv->statistics.rx_ofdm_ht, rx_ofdm_ht, sizeof(*rx_ofdm_ht));
memcpy(&priv->statistics.rx_cck, rx_cck, sizeof(*rx_cck));
memcpy(&priv->statistics.tx, tx, sizeof(*tx));
#ifdef CONFIG_IWLWIFI_DEBUGFS
Reported by FlawFinder.
Line: 418
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->statistics.flag = *flag;
memcpy(&priv->statistics.common, common, sizeof(*common));
memcpy(&priv->statistics.rx_non_phy, rx_non_phy, sizeof(*rx_non_phy));
memcpy(&priv->statistics.rx_ofdm, rx_ofdm, sizeof(*rx_ofdm));
memcpy(&priv->statistics.rx_ofdm_ht, rx_ofdm_ht, sizeof(*rx_ofdm_ht));
memcpy(&priv->statistics.rx_cck, rx_cck, sizeof(*rx_cck));
memcpy(&priv->statistics.tx, tx, sizeof(*tx));
#ifdef CONFIG_IWLWIFI_DEBUGFS
if (bt_activity)
Reported by FlawFinder.
Line: 419
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&priv->statistics.common, common, sizeof(*common));
memcpy(&priv->statistics.rx_non_phy, rx_non_phy, sizeof(*rx_non_phy));
memcpy(&priv->statistics.rx_ofdm, rx_ofdm, sizeof(*rx_ofdm));
memcpy(&priv->statistics.rx_ofdm_ht, rx_ofdm_ht, sizeof(*rx_ofdm_ht));
memcpy(&priv->statistics.rx_cck, rx_cck, sizeof(*rx_cck));
memcpy(&priv->statistics.tx, tx, sizeof(*tx));
#ifdef CONFIG_IWLWIFI_DEBUGFS
if (bt_activity)
memcpy(&priv->statistics.bt_activity, bt_activity,
Reported by FlawFinder.
Line: 420
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&priv->statistics.rx_non_phy, rx_non_phy, sizeof(*rx_non_phy));
memcpy(&priv->statistics.rx_ofdm, rx_ofdm, sizeof(*rx_ofdm));
memcpy(&priv->statistics.rx_ofdm_ht, rx_ofdm_ht, sizeof(*rx_ofdm_ht));
memcpy(&priv->statistics.rx_cck, rx_cck, sizeof(*rx_cck));
memcpy(&priv->statistics.tx, tx, sizeof(*tx));
#ifdef CONFIG_IWLWIFI_DEBUGFS
if (bt_activity)
memcpy(&priv->statistics.bt_activity, bt_activity,
sizeof(*bt_activity));
Reported by FlawFinder.
Line: 421
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&priv->statistics.rx_ofdm, rx_ofdm, sizeof(*rx_ofdm));
memcpy(&priv->statistics.rx_ofdm_ht, rx_ofdm_ht, sizeof(*rx_ofdm_ht));
memcpy(&priv->statistics.rx_cck, rx_cck, sizeof(*rx_cck));
memcpy(&priv->statistics.tx, tx, sizeof(*tx));
#ifdef CONFIG_IWLWIFI_DEBUGFS
if (bt_activity)
memcpy(&priv->statistics.bt_activity, bt_activity,
sizeof(*bt_activity));
#endif
Reported by FlawFinder.
Line: 424
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&priv->statistics.tx, tx, sizeof(*tx));
#ifdef CONFIG_IWLWIFI_DEBUGFS
if (bt_activity)
memcpy(&priv->statistics.bt_activity, bt_activity,
sizeof(*bt_activity));
#endif
priv->rx_statistics_jiffies = stamp;
Reported by FlawFinder.
Line: 552
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->last_phy_res_valid = true;
priv->ampdu_ref++;
memcpy(&priv->last_phy_res, pkt->data,
sizeof(struct iwl_rx_phy_res));
}
/*
* returns non-zero if packet should be dropped
Reported by FlawFinder.
Line: 674
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy(IEEE80211_SKB_RXCB(skb), stats, sizeof(*stats));
ieee80211_rx_napi(priv->hw, NULL, skb, priv->napi);
}
static u32 iwlagn_translate_rx_status(struct iwl_priv *priv, u32 decrypt_in)
Reported by FlawFinder.
drivers/scsi/ipr.h
11 issues
Line: 1237
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
dma_addr_t hostrcb_dma;
struct list_head queue;
struct ipr_ioa_cfg *ioa_cfg;
char rp_buffer[IPR_MAX_RES_PATH_LENGTH];
};
/* IPR smart dump table structures */
struct ipr_sdt_entry {
__be32 start_token;
Reported by FlawFinder.
Line: 1467
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Per-controller data */
struct ipr_ioa_cfg {
char eye_catcher[8];
#define IPR_EYECATCHER "iprcfg"
struct list_head queue;
u8 in_reset_reload:1;
Reported by FlawFinder.
Line: 1510
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define IPR_NUM_TRACE_ENTRIES (1 << IPR_NUM_TRACE_INDEX_BITS)
#define IPR_TRACE_INDEX_MASK (IPR_NUM_TRACE_ENTRIES - 1)
#define IPR_TRACE_SIZE (sizeof(struct ipr_trace_entry) * IPR_NUM_TRACE_ENTRIES)
char trace_start[8];
#define IPR_TRACE_START_LABEL "trace"
struct ipr_trace_entry *trace;
atomic_t trace_index;
char cfg_table_start[8];
Reported by FlawFinder.
Line: 1515
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ipr_trace_entry *trace;
atomic_t trace_index;
char cfg_table_start[8];
#define IPR_CFG_TBL_START "cfg"
union {
struct ipr_config_table *cfg_table;
struct ipr_config_table64 *cfg_table64;
} u;
Reported by FlawFinder.
Line: 1525
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 cfg_table_size;
u32 max_devs_supported;
char resource_table_label[8];
#define IPR_RES_TABLE_LABEL "res_tbl"
struct ipr_resource_entry *res_entries;
struct list_head free_res_q;
struct list_head used_res_q;
Reported by FlawFinder.
Line: 1531
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct list_head free_res_q;
struct list_head used_res_q;
char ipr_hcam_label[8];
#define IPR_HCAM_LABEL "hcams"
struct ipr_hostrcb *hostrcb[IPR_MAX_HCAMS];
dma_addr_t hostrcb_dma[IPR_MAX_HCAMS];
struct list_head hostrcb_free_q;
struct list_head hostrcb_pending_q;
Reported by FlawFinder.
Line: 1586
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int (*reset) (struct ipr_cmnd *);
struct ata_host ata_host;
char ipr_cmd_label[8];
#define IPR_CMD_LABEL "ipr_cmd"
u32 max_cmds;
struct ipr_cmnd **ipr_cmnd_list;
dma_addr_t *ipr_cmnd_list_dma;
Reported by FlawFinder.
Line: 1595
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int nvectors;
struct {
char desc[22];
} vectors_info[IPR_MAX_MSIX_VECTORS];
u32 iopoll_weight;
}; /* struct ipr_ioa_cfg */
Reported by FlawFinder.
Line: 1644
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct ipr_ses_table_entry {
char product_id[17];
char compare_product_id_byte[17];
u32 max_bus_speed_limit; /* MB/sec limit for this backplane */
};
struct ipr_dump_header {
Reported by FlawFinder.
Line: 1645
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ipr_ses_table_entry {
char product_id[17];
char compare_product_id_byte[17];
u32 max_bus_speed_limit; /* MB/sec limit for this backplane */
};
struct ipr_dump_header {
u32 eye_catcher;
Reported by FlawFinder.
drivers/scsi/hpsa.h
11 issues
Line: 188
Column: 23
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
# define MEMQ_MODE_INT 3
unsigned int msix_vectors;
int intr_mode; /* either PERF_MODE_INT or SIMPLE_MODE_INT */
struct access_method access;
/* queue and queue Info */
unsigned int Qdepth;
unsigned int maxSG;
spinlock_t lock;
Reported by FlawFinder.
Line: 669
Column: 24
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct board_type {
u32 board_id;
char *product_name;
struct access_method *access;
};
#endif /* HPSA_H */
Reported by FlawFinder.
Line: 65
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hpsa_scsi_dev_t {
unsigned int devtype;
int bus, target, lun; /* as presented to the OS */
unsigned char scsi3addr[8]; /* as presented to the HW */
u8 physical_device : 1;
u8 expose_device;
u8 removed : 1; /* device is marked for death */
u8 was_removed : 1; /* device actually removed */
#define RAID_CTLR_LUNID "\0\0\0\0\0\0\0\0"
Reported by FlawFinder.
Line: 71
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 removed : 1; /* device is marked for death */
u8 was_removed : 1; /* device actually removed */
#define RAID_CTLR_LUNID "\0\0\0\0\0\0\0\0"
unsigned char device_id[16]; /* from inquiry pg. 0x83 */
u64 sas_address;
u64 eli; /* from report diags. */
unsigned char vendor[8]; /* bytes 8-15 of inquiry data */
unsigned char model[16]; /* bytes 16-31 of inquiry data */
unsigned char rev; /* byte 2 of inquiry data */
Reported by FlawFinder.
Line: 74
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char device_id[16]; /* from inquiry pg. 0x83 */
u64 sas_address;
u64 eli; /* from report diags. */
unsigned char vendor[8]; /* bytes 8-15 of inquiry data */
unsigned char model[16]; /* bytes 16-31 of inquiry data */
unsigned char rev; /* byte 2 of inquiry data */
unsigned char raid_level; /* from inquiry page 0xC1 */
unsigned char volume_offline; /* discovered via TUR or VPD */
u16 queue_depth; /* max queue_depth for this device */
Reported by FlawFinder.
Line: 75
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u64 sas_address;
u64 eli; /* from report diags. */
unsigned char vendor[8]; /* bytes 8-15 of inquiry data */
unsigned char model[16]; /* bytes 16-31 of inquiry data */
unsigned char rev; /* byte 2 of inquiry data */
unsigned char raid_level; /* from inquiry page 0xC1 */
unsigned char volume_offline; /* discovered via TUR or VPD */
u16 queue_depth; /* max queue_depth for this device */
atomic_t commands_outstanding; /* track commands sent to device */
Reported by FlawFinder.
Line: 141
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 expand_priority;
u8 host_sdb_asic_fix;
u8 pdpi_burst_from_host_disabled;
char software_name[64];
char hardware_name[32];
u8 bridge_revision;
u8 snapshot_priority;
u32 os_specific;
u8 post_prompt_timeout;
Reported by FlawFinder.
Line: 142
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 host_sdb_asic_fix;
u8 pdpi_burst_from_host_disabled;
char software_name[64];
char hardware_name[32];
u8 bridge_revision;
u8 snapshot_priority;
u32 os_specific;
u8 post_prompt_timeout;
u8 automatic_drive_slamming;
Reported by FlawFinder.
Line: 167
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ctlr_info {
unsigned int *reply_map;
int ctlr;
char devname[8];
char *product_name;
struct pci_dev *pdev;
u32 board_id;
u64 sas_address;
void __iomem *vaddr;
Reported by FlawFinder.
Line: 258
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int remove_in_progress;
/* Address of h->q[x] is passed to intr handler to know which queue */
u8 q[MAX_REPLY_QUEUES];
char intrname[MAX_REPLY_QUEUES][16]; /* "hpsa0-msix00" names */
u32 TMFSupportFlags; /* cache what task mgmt funcs are supported. */
#define HPSATMF_BITS_SUPPORTED (1 << 0)
#define HPSATMF_PHYS_LUN_RESET (1 << 1)
#define HPSATMF_PHYS_NEX_RESET (1 << 2)
#define HPSATMF_PHYS_TASK_ABORT (1 << 3)
Reported by FlawFinder.