The following issues were found
drivers/scsi/qla2xxx/qla_mr.c
11 issues
Line: 1960
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else if (fx_type == FXDISC_GET_PORT_INFO) {
struct port_info_data *pinfo =
(struct port_info_data *) fdisc->u.fxiocb.rsp_addr;
memcpy(vha->node_name, pinfo->node_name, WWN_SIZE);
memcpy(vha->port_name, pinfo->port_name, WWN_SIZE);
vha->d_id.b.domain = pinfo->port_id[0];
vha->d_id.b.area = pinfo->port_id[1];
vha->d_id.b.al_pa = pinfo->port_id[2];
qlafx00_update_host_attr(vha, pinfo);
Reported by FlawFinder.
Line: 1961
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct port_info_data *pinfo =
(struct port_info_data *) fdisc->u.fxiocb.rsp_addr;
memcpy(vha->node_name, pinfo->node_name, WWN_SIZE);
memcpy(vha->port_name, pinfo->port_name, WWN_SIZE);
vha->d_id.b.domain = pinfo->port_id[0];
vha->d_id.b.area = pinfo->port_id[1];
vha->d_id.b.al_pa = pinfo->port_id[2];
qlafx00_update_host_attr(vha, pinfo);
ql_dump_buffer(ql_dbg_init + ql_dbg_buffer, vha, 0x0141,
Reported by FlawFinder.
Line: 1971
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else if (fx_type == FXDISC_GET_TGT_NODE_INFO) {
struct qlafx00_tgt_node_info *pinfo =
(struct qlafx00_tgt_node_info *) fdisc->u.fxiocb.rsp_addr;
memcpy(fcport->node_name, pinfo->tgt_node_wwnn, WWN_SIZE);
memcpy(fcport->port_name, pinfo->tgt_node_wwpn, WWN_SIZE);
fcport->port_type = FCT_TARGET;
ql_dump_buffer(ql_dbg_init + ql_dbg_buffer, vha, 0x0144,
pinfo, 16);
} else if (fx_type == FXDISC_GET_TGT_NODE_LIST) {
Reported by FlawFinder.
Line: 1972
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct qlafx00_tgt_node_info *pinfo =
(struct qlafx00_tgt_node_info *) fdisc->u.fxiocb.rsp_addr;
memcpy(fcport->node_name, pinfo->tgt_node_wwnn, WWN_SIZE);
memcpy(fcport->port_name, pinfo->tgt_node_wwpn, WWN_SIZE);
fcport->port_type = FCT_TARGET;
ql_dump_buffer(ql_dbg_init + ql_dbg_buffer, vha, 0x0144,
pinfo, 16);
} else if (fx_type == FXDISC_GET_TGT_NODE_LIST) {
struct qlafx00_tgt_node_info *pinfo =
Reported by FlawFinder.
Line: 1981
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(struct qlafx00_tgt_node_info *) fdisc->u.fxiocb.rsp_addr;
ql_dump_buffer(ql_dbg_init + ql_dbg_buffer, vha, 0x0146,
pinfo, 16);
memcpy(vha->hw->gid_list, pinfo, QLAFX00_TGT_NODE_LIST_SIZE);
} else if (fx_type == FXDISC_ABORT_IOCTL)
fdisc->u.fxiocb.result =
(fdisc->u.fxiocb.result ==
cpu_to_le32(QLAFX00_IOCTL_ICOB_ABORT_SUCCESS)) ?
cpu_to_le32(QLA_SUCCESS) : cpu_to_le32(QLA_FUNCTION_FAILED);
Reported by FlawFinder.
Line: 2144
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sense_len > par_sense_len)
sense_len = par_sense_len;
memcpy(cp->sense_buffer, sense_data, sense_len);
SET_FW_SENSE_LEN(sp, GET_FW_SENSE_LEN(sp) - sense_len);
SET_CMD_SENSE_PTR(sp, cp->sense_buffer + sense_len);
track_sense_len -= sense_len;
Reported by FlawFinder.
Line: 2242
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fstatus.res_count = pkt->residuallen;
fstatus.status = pkt->status;
fstatus.seq_number = pkt->seq_no;
memcpy(fstatus.reserved_3,
pkt->reserved_2, 20 * sizeof(uint8_t));
fw_sts_ptr = bsg_job->reply + sizeof(struct fc_bsg_reply);
memcpy(fw_sts_ptr, &fstatus, sizeof(fstatus));
Reported by FlawFinder.
Line: 2247
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fw_sts_ptr = bsg_job->reply + sizeof(struct fc_bsg_reply);
memcpy(fw_sts_ptr, &fstatus, sizeof(fstatus));
bsg_job->reply_len = sizeof(struct fc_bsg_reply) +
sizeof(struct qla_mt_iocb_rsp_fx00) + sizeof(uint8_t);
ql_dump_buffer(ql_dbg_user + ql_dbg_verbose,
sp->vha, 0x5080, pkt, sizeof(*pkt));
Reported by FlawFinder.
Line: 2597
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Move sense data. */
ql_dump_buffer(ql_dbg_io + ql_dbg_buffer, vha, 0x304e,
pkt, sizeof(*pkt));
memcpy(sense_ptr, pkt->data, sense_sz);
ql_dump_buffer(ql_dbg_io + ql_dbg_buffer, vha, 0x304a,
sense_ptr, sense_sz);
sense_len -= sense_sz;
sense_ptr += sense_sz;
Reported by FlawFinder.
Line: 3214
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct scsi_lun));
}
memcpy(ptm_iocb, &tm_iocb,
sizeof(struct tsk_mgmt_entry_fx00));
wmb();
}
void
Reported by FlawFinder.
drivers/usb/atm/ueagle-atm.c
11 issues
Line: 1574
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
} else
file = cmv_file[sc->modem_index];
strcpy(cmv_name, FW_DIR);
strlcat(cmv_name, file, UEA_FW_NAME_MAX);
if (ver == 2)
strlcat(cmv_name, ".v2", UEA_FW_NAME_MAX);
kernel_param_unlock(THIS_MODULE);
}
Reported by FlawFinder.
Line: 2367
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
delin = "LOSS";
}
ret = sprintf(buf, "%s\n", delin);
out:
mutex_unlock(&uea_mutex);
return ret;
}
Reported by FlawFinder.
Line: 530
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned int altsetting[NB_MODEM] = {
[0 ... (NB_MODEM - 1)] = FASTEST_ISO_INTF};
static bool sync_wait[NB_MODEM];
static char *cmv_file[NB_MODEM];
static int annex[NB_MODEM];
module_param(debug, uint, 0644);
MODULE_PARM_DESC(debug, "module debug level (0=off,1=on,2=verbose)");
module_param_array(altsetting, uint, NULL, 0644);
Reported by FlawFinder.
Line: 1586
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int ret, size;
u8 *data;
char cmv_name[UEA_FW_NAME_MAX]; /* 30 bytes stack variable */
cmvs_file_name(sc, cmv_name, 1);
ret = request_firmware(fw, cmv_name, &sc->usb_dev->dev);
if (ret < 0) {
uea_err(INS_TO_USBDEV(sc),
Reported by FlawFinder.
Line: 1620
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ret, size;
u32 crc;
u8 *data;
char cmv_name[UEA_FW_NAME_MAX]; /* 30 bytes stack variable */
cmvs_file_name(sc, cmv_name, 2);
ret = request_firmware(fw, cmv_name, &sc->usb_dev->dev);
if (ret < 0) {
/* if caller can handle old version, try to provide it */
Reported by FlawFinder.
Line: 2321
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (modem_state) {
case 0:
ret = sprintf(buf, "Modem is booting\n");
break;
case 1:
ret = sprintf(buf, "Modem is initializing\n");
break;
case 2:
Reported by FlawFinder.
Line: 2324
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret = sprintf(buf, "Modem is booting\n");
break;
case 1:
ret = sprintf(buf, "Modem is initializing\n");
break;
case 2:
ret = sprintf(buf, "Modem is operational\n");
break;
case 3:
Reported by FlawFinder.
Line: 2327
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret = sprintf(buf, "Modem is initializing\n");
break;
case 2:
ret = sprintf(buf, "Modem is operational\n");
break;
case 3:
ret = sprintf(buf, "Modem synchronization failed\n");
break;
default:
Reported by FlawFinder.
Line: 2330
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret = sprintf(buf, "Modem is operational\n");
break;
case 3:
ret = sprintf(buf, "Modem synchronization failed\n");
break;
default:
ret = sprintf(buf, "Modem state is unknown\n");
break;
}
Reported by FlawFinder.
Line: 2333
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret = sprintf(buf, "Modem synchronization failed\n");
break;
default:
ret = sprintf(buf, "Modem state is unknown\n");
break;
}
out:
mutex_unlock(&uea_mutex);
return ret;
Reported by FlawFinder.
drivers/staging/media/av7110/av7110_av.c
11 issues
Line: 675
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p->pes[2] = 0x01;
p->pes[3] = buf[c];
p->pos = 4;
memcpy(p->pes + p->pos, buf + c, (TS_SIZE - 4) - p->pos);
c += (TS_SIZE - 4) - p->pos;
p_to_t(p->pes, (TS_SIZE - 4), pid, &p->counter, p->feed);
clear_p2t(p);
break;
Reported by FlawFinder.
Line: 695
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
l = c2+c;
else
l = (TS_SIZE - 4) - p->pos;
memcpy(p->pes + p->pos, buf, l);
c += l;
p->pos += l;
p_to_t(p->pes, p->pos, pid, &p->counter, p->feed);
clear_p2t(p);
}
Reported by FlawFinder.
Line: 719
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rest = l % (TS_SIZE - 4);
l -= rest;
p_to_t(buf + c, l, pid, &p->counter, p->feed);
memcpy(p->pes, buf + c + l, rest);
p->pos = rest;
c = length;
}
}
}
Reported by FlawFinder.
Line: 742
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tshead[1] |= (u8)((pid & 0x1F00) >> 8);
tshead[2] |= (u8)(pid & 0x00FF);
tshead[3] |= ((*counter)++ & 0x0F);
memcpy(buf, tshead, 4);
c += 4;
if (fill) {
buf[4] = fill - 1;
c++;
Reported by FlawFinder.
Line: 796
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (length - c >= (TS_SIZE - 4)){
l = write_ts_header2(pid, counter, pes_start,
obuf, (TS_SIZE - 4));
memcpy(obuf + l, buf + c, TS_SIZE - l);
c += TS_SIZE - l;
} else {
l = write_ts_header2(pid, counter, pes_start,
obuf, length - c);
memcpy(obuf + l, buf + c, TS_SIZE - l);
Reported by FlawFinder.
Line: 801
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
l = write_ts_header2(pid, counter, pes_start,
obuf, length - c);
memcpy(obuf + l, buf + c, TS_SIZE - l);
c = length;
}
feed->cb.ts(obuf, 188, NULL, 0, &feed->feed.ts, NULL);
pes_start = 0;
}
Reported by FlawFinder.
Line: 882
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
//FIXME: timestamp?
memcpy(&events->events[events->eventw], event, sizeof(struct video_event));
events->eventw = wp;
spin_unlock_bh(&events->lock);
wake_up_interruptible(&events->wait_queue);
Reported by FlawFinder.
Line: 913
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_bh(&events->lock);
memcpy(event, &events->events[events->eventr],
sizeof(struct video_event));
events->eventr = (events->eventr + 1) % MAX_VIDEO_EVENT;
spin_unlock_bh(&events->lock);
Reported by FlawFinder.
Line: 1206
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case VIDEO_GET_STATUS:
memcpy(parg, &av7110->videostate, sizeof(struct video_status));
break;
#ifdef CONFIG_COMPAT
case VIDEO_GET_EVENT32:
ret = dvb_compat_video_get_event(av7110, parg, file->f_flags);
Reported by FlawFinder.
Line: 1220
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case VIDEO_GET_SIZE:
memcpy(parg, &av7110->video_size, sizeof(video_size_t));
break;
case VIDEO_SET_DISPLAY_FORMAT:
{
video_displayformat_t format = (video_displayformat_t) arg;
Reported by FlawFinder.
drivers/scsi/mpi3mr/mpi3mr_fw.c
11 issues
Line: 371
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmdptr->state &= ~MPI3MR_CMD_PENDING;
if (def_reply) {
cmdptr->state |= MPI3MR_CMD_REPLY_VALID;
memcpy((u8 *)cmdptr->reply, (u8 *)def_reply,
mrioc->facts.reply_sz);
}
if (cmdptr->is_waiting) {
complete(&cmdptr->done);
cmdptr->is_waiting = 0;
Reported by FlawFinder.
Line: 1238
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
areq_entry = (u8 *)mrioc->admin_req_base +
(areq_pi * MPI3MR_ADMIN_REQ_FRAME_SZ);
memset(areq_entry, 0, MPI3MR_ADMIN_REQ_FRAME_SZ);
memcpy(areq_entry, (u8 *)admin_req, admin_req_sz);
if (++areq_pi == max_entries)
areq_pi = 0;
mrioc->admin_req_pi = areq_pi;
Reported by FlawFinder.
Line: 1885
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
((pi % op_req_q->segment_qd) * req_sz);
memset(req_entry, 0, req_sz);
memcpy(req_entry, req, MPI3MR_ADMIN_REQ_FRAME_SZ);
if (++pi == max_entries)
pi = 0;
op_req_q->pi = pi;
Reported by FlawFinder.
Line: 2279
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
retval = -1;
goto out_unlock;
}
memcpy(facts_data, (u8 *)data, data_len);
out_unlock:
mrioc->init_cmds.state = MPI3MR_CMD_NOTUSED;
mutex_unlock(&mrioc->init_cmds.mutex);
out:
Reported by FlawFinder.
Line: 2618
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
strscpy(drv_info->driver_release_date, MPI3MR_DRIVER_RELDATE,
sizeof(drv_info->driver_release_date));
drv_info->driver_capabilities = 0;
memcpy((u8 *)&mrioc->driver_info, (u8 *)drv_info,
sizeof(mrioc->driver_info));
memset(&iocinit_req, 0, sizeof(iocinit_req));
mutex_lock(&mrioc->init_cmds.mutex);
if (mrioc->init_cmds.state & MPI3MR_CMD_PENDING) {
Reported by FlawFinder.
Line: 3022
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
mpi3mr_print_ioc_info(struct mpi3mr_ioc *mrioc)
{
int i = 0, bytes_wrote = 0;
char personality[16];
char protocol[50] = {0};
char capabilities[100] = {0};
bool is_string_nonempty = false;
struct mpi3mr_compimg_ver *fwver = &mrioc->facts.fw_ver;
Reported by FlawFinder.
Line: 3023
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i = 0, bytes_wrote = 0;
char personality[16];
char protocol[50] = {0};
char capabilities[100] = {0};
bool is_string_nonempty = false;
struct mpi3mr_compimg_ver *fwver = &mrioc->facts.fw_ver;
switch (mrioc->facts.personality) {
Reported by FlawFinder.
Line: 3024
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int i = 0, bytes_wrote = 0;
char personality[16];
char protocol[50] = {0};
char capabilities[100] = {0};
bool is_string_nonempty = false;
struct mpi3mr_compimg_ver *fwver = &mrioc->facts.fw_ver;
switch (mrioc->facts.personality) {
case MPI3_IOCFACTS_FLAGS_PERSONALITY_EHBA:
Reported by FlawFinder.
Line: 3030
Column: 3
CWE codes:
120
switch (mrioc->facts.personality) {
case MPI3_IOCFACTS_FLAGS_PERSONALITY_EHBA:
strncpy(personality, "Enhanced HBA", sizeof(personality));
break;
case MPI3_IOCFACTS_FLAGS_PERSONALITY_RAID_DDR:
strncpy(personality, "RAID", sizeof(personality));
break;
default:
Reported by FlawFinder.
Line: 3033
Column: 3
CWE codes:
120
strncpy(personality, "Enhanced HBA", sizeof(personality));
break;
case MPI3_IOCFACTS_FLAGS_PERSONALITY_RAID_DDR:
strncpy(personality, "RAID", sizeof(personality));
break;
default:
strncpy(personality, "Unknown", sizeof(personality));
break;
}
Reported by FlawFinder.
drivers/staging/rtl8712/rtl871x_cmd.c
11 issues
Line: 197
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pssid && pssid->SsidLength) {
int len = min_t(int, pssid->SsidLength, IW_ESSID_MAX_SIZE);
memcpy(psurveyPara->ss_ssid, pssid->Ssid, len);
psurveyPara->ss_ssidlen = cpu_to_le32(len);
}
set_fwstate(pmlmepriv, _FW_UNDER_SURVEY);
r8712_enqueue_cmd(pcmdpriv, ph2c);
mod_timer(&pmlmepriv->scan_to_timer,
Reported by FlawFinder.
Line: 226
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
init_h2fwcmd_w_parm_no_rsp(ph2c, pbsetdataratepara,
GEN_CMD_CODE(_SetDataRate));
pbsetdataratepara->mac_id = 5;
memcpy(pbsetdataratepara->datarates, rateset, NumRates);
r8712_enqueue_cmd(pcmdpriv, ph2c);
return 0;
}
void r8712_set_chplan_cmd(struct _adapter *padapter, int chplan)
Reported by FlawFinder.
Line: 373
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
psecnetwork = &psecuritypriv->sec_bss;
memcpy(psecnetwork, &pnetwork->network, sizeof(*psecnetwork));
psecuritypriv->authenticator_ie[0] = (unsigned char)
psecnetwork->IELength;
if ((psecnetwork->IELength - 12) < (256 - 1))
memcpy(&psecuritypriv->authenticator_ie[1],
&psecnetwork->IEs[12], psecnetwork->IELength - 12);
Reported by FlawFinder.
Line: 377
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
psecuritypriv->authenticator_ie[0] = (unsigned char)
psecnetwork->IELength;
if ((psecnetwork->IELength - 12) < (256 - 1))
memcpy(&psecuritypriv->authenticator_ie[1],
&psecnetwork->IEs[12], psecnetwork->IELength - 12);
else
memcpy(&psecuritypriv->authenticator_ie[1],
&psecnetwork->IEs[12], (256 - 1));
psecnetwork->IELength = 0;
Reported by FlawFinder.
Line: 380
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&psecuritypriv->authenticator_ie[1],
&psecnetwork->IEs[12], psecnetwork->IELength - 12);
else
memcpy(&psecuritypriv->authenticator_ie[1],
&psecnetwork->IEs[12], (256 - 1));
psecnetwork->IELength = 0;
/*
* If the driver wants to use the bssid to create the connection.
* If not, we copy the connecting AP's MAC address to it so that
Reported by FlawFinder.
Line: 429
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
psecuritypriv->supplicant_ie[0] = (u8)psecnetwork->IELength;
if (psecnetwork->IELength < 255)
memcpy(&psecuritypriv->supplicant_ie[1], &psecnetwork->IEs[0],
psecnetwork->IELength);
else
memcpy(&psecuritypriv->supplicant_ie[1], &psecnetwork->IEs[0],
255);
/* get cmdsz before endian conversion */
Reported by FlawFinder.
Line: 432
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&psecuritypriv->supplicant_ie[1], &psecnetwork->IEs[0],
psecnetwork->IELength);
else
memcpy(&psecuritypriv->supplicant_ie[1], &psecnetwork->IEs[0],
255);
/* get cmdsz before endian conversion */
pcmd->cmdsz = r8712_get_wlan_bssid_ex_sz(psecnetwork);
#ifdef __BIG_ENDIAN
/* wlan_network endian conversion */
Reported by FlawFinder.
Line: 549
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
GET_ENCRY_ALGO(psecuritypriv, sta,
psetstakey_para->algorithm, false);
if (unicast_key)
memcpy(&psetstakey_para->key, &sta->x_UncstKey, 16);
else
memcpy(&psetstakey_para->key,
&psecuritypriv->XGrpKey[
psecuritypriv->XGrpKeyid - 1]. skey, 16);
r8712_enqueue_cmd(pcmdpriv, ph2c);
Reported by FlawFinder.
Line: 551
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unicast_key)
memcpy(&psetstakey_para->key, &sta->x_UncstKey, 16);
else
memcpy(&psetstakey_para->key,
&psecuritypriv->XGrpKey[
psecuritypriv->XGrpKeyid - 1]. skey, 16);
r8712_enqueue_cmd(pcmdpriv, ph2c);
}
Reported by FlawFinder.
Line: 715
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
&pmlmepriv->scanned_queue.queue);
}
pnetwork->Length = r8712_get_wlan_bssid_ex_sz(pnetwork);
memcpy(&(pwlan->network), pnetwork, pnetwork->Length);
pwlan->fixed = true;
memcpy(&tgt_network->network, pnetwork,
(r8712_get_wlan_bssid_ex_sz(pnetwork)));
if (pmlmepriv->fw_state & _FW_UNDER_LINKING)
pmlmepriv->fw_state ^= _FW_UNDER_LINKING;
Reported by FlawFinder.
drivers/staging/rtl8188eu/core/rtw_cmd.c
11 issues
Line: 268
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < ssid_num && i < RTW_SSID_SCAN_AMOUNT; i++) {
if (ssid[i].ssid_length) {
memcpy(&psurveyPara->ssid[i], &ssid[i],
sizeof(struct ndis_802_11_ssid));
psurveyPara->ssid_num++;
}
}
}
Reported by FlawFinder.
Line: 281
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < ch_num && i < RTW_CHANNEL_SCAN_AMOUNT; i++) {
if (ch[i].hw_value && !(ch[i].flags & RTW_IEEE80211_CHAN_DISABLED)) {
memcpy(&psurveyPara->ch[i], &ch[i],
sizeof(struct rtw_ieee80211_channel));
psurveyPara->ch_num++;
}
}
}
Reported by FlawFinder.
Line: 393
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(psecnetwork, 0, t_len);
memcpy(psecnetwork, &pnetwork->network, get_wlan_bssid_ex_sz(&pnetwork->network));
psecuritypriv->authenticator_ie[0] = (unsigned char)psecnetwork->ie_length;
if (psecnetwork->ie_length - 12 < 255)
memcpy(&psecuritypriv->authenticator_ie[1], &psecnetwork->ies[12],
Reported by FlawFinder.
Line: 398
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
psecuritypriv->authenticator_ie[0] = (unsigned char)psecnetwork->ie_length;
if (psecnetwork->ie_length - 12 < 255)
memcpy(&psecuritypriv->authenticator_ie[1], &psecnetwork->ies[12],
psecnetwork->ie_length - 12);
else
memcpy(&psecuritypriv->authenticator_ie[1], &psecnetwork->ies[12], 255);
psecnetwork->ie_length = 0;
Reported by FlawFinder.
Line: 401
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&psecuritypriv->authenticator_ie[1], &psecnetwork->ies[12],
psecnetwork->ie_length - 12);
else
memcpy(&psecuritypriv->authenticator_ie[1], &psecnetwork->ies[12], 255);
psecnetwork->ie_length = 0;
/* Added by Albert 2009/02/18 */
/* If the driver wants to use the bssid to create the connection. */
/* If not, we have to copy the connecting AP's MAC address to it so that */
Reported by FlawFinder.
Line: 410
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* the driver just has the bssid information for PMKIDList searching. */
if (!pmlmepriv->assoc_by_bssid)
memcpy(&pmlmepriv->assoc_bssid[0], &pnetwork->network.MacAddress[0], ETH_ALEN);
psecnetwork->ie_length = rtw_restruct_sec_ie(padapter, &pnetwork->network.ies[0],
&psecnetwork->ies[0],
pnetwork->network.ie_length);
Reported by FlawFinder.
Line: 566
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
GET_ENCRY_ALGO(psecuritypriv, sta, psetstakey_para->algorithm, false);
if (unicast_key)
memcpy(&psetstakey_para->key, &sta->dot118021x_UncstKey, 16);
else
memcpy(&psetstakey_para->key,
&psecuritypriv->dot118021XGrpKey[psecuritypriv->dot118021XGrpKeyid].skey, 16);
/* jeff: set this because at least sw key is ready */
Reported by FlawFinder.
Line: 568
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unicast_key)
memcpy(&psetstakey_para->key, &sta->dot118021x_UncstKey, 16);
else
memcpy(&psetstakey_para->key,
&psecuritypriv->dot118021XGrpKey[psecuritypriv->dot118021XGrpKeyid].skey, 16);
/* jeff: set this because at least sw key is ready */
padapter->securitypriv.busetkipkey = true;
Reported by FlawFinder.
Line: 648
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
paddbareq_parm->tid = tid;
memcpy(paddbareq_parm->addr, addr, ETH_ALEN);
init_h2fwcmd_w_parm_no_rsp(ph2c, paddbareq_parm, _AddBAReq_CMD_);
res = rtw_enqueue_cmd(pcmdpriv, ph2c);
Reported by FlawFinder.
Line: 1184
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
pnetwork->Length = get_wlan_bssid_ex_sz(pnetwork);
memcpy(&pwlan->network, pnetwork, pnetwork->Length);
memcpy(&tgt_network->network, pnetwork, (get_wlan_bssid_ex_sz(pnetwork)));
_clr_fwstate_(pmlmepriv, _FW_UNDER_LINKING);
Reported by FlawFinder.
drivers/vfio/pci/vfio_pci_config.c
11 issues
Line: 180
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
__le32 virt = 0;
memcpy(val, vdev->vconfig + pos, count);
memcpy(&virt, perm->virt + offset, count);
/* Any non-virtualized bits? */
if (cpu_to_le32(~0U >> (32 - (count * 8))) != virt) {
Reported by FlawFinder.
Line: 182
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(val, vdev->vconfig + pos, count);
memcpy(&virt, perm->virt + offset, count);
/* Any non-virtualized bits? */
if (cpu_to_le32(~0U >> (32 - (count * 8))) != virt) {
struct pci_dev *pdev = vdev->pdev;
__le32 phys_val = 0;
Reported by FlawFinder.
Line: 206
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
__le32 virt = 0, write = 0;
memcpy(&write, perm->write + offset, count);
if (!write)
return count; /* drop, no writable bits */
memcpy(&virt, perm->virt + offset, count);
Reported by FlawFinder.
Line: 211
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!write)
return count; /* drop, no writable bits */
memcpy(&virt, perm->virt + offset, count);
/* Virtualized and writable bits go to vconfig */
if (write & virt) {
__le32 virt_val = 0;
Reported by FlawFinder.
Line: 217
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (write & virt) {
__le32 virt_val = 0;
memcpy(&virt_val, vdev->vconfig + pos, count);
virt_val &= ~(write & virt);
virt_val |= (val & (write & virt));
memcpy(vdev->vconfig + pos, &virt_val, count);
Reported by FlawFinder.
Line: 222
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
virt_val &= ~(write & virt);
virt_val |= (val & (write & virt));
memcpy(vdev->vconfig + pos, &virt_val, count);
}
/* Non-virtualzed and writable bits go to hardware */
if (write & ~virt) {
struct pci_dev *pdev = vdev->pdev;
Reported by FlawFinder.
Line: 259
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pos >= PCI_CFG_SPACE_SIZE) { /* Extended cap header mangling */
if (offset < 4)
memcpy(val, vdev->vconfig + pos, count);
} else if (pos >= PCI_STD_HEADER_SIZEOF) { /* Std cap mangling */
if (offset == PCI_CAP_LIST_ID && count > 1)
memcpy(val, vdev->vconfig + pos,
min(PCI_CAP_FLAGS, count));
else if (offset == PCI_CAP_LIST_NEXT)
Reported by FlawFinder.
Line: 262
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(val, vdev->vconfig + pos, count);
} else if (pos >= PCI_STD_HEADER_SIZEOF) { /* Std cap mangling */
if (offset == PCI_CAP_LIST_ID && count > 1)
memcpy(val, vdev->vconfig + pos,
min(PCI_CAP_FLAGS, count));
else if (offset == PCI_CAP_LIST_NEXT)
memcpy(val, vdev->vconfig + pos, 1);
}
Reported by FlawFinder.
Line: 265
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(val, vdev->vconfig + pos,
min(PCI_CAP_FLAGS, count));
else if (offset == PCI_CAP_LIST_NEXT)
memcpy(val, vdev->vconfig + pos, 1);
}
return count;
}
Reported by FlawFinder.
Line: 303
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int count, struct perm_bits *perm,
int offset, __le32 val)
{
memcpy(vdev->vconfig + pos, &val, count);
return count;
}
static int vfio_virt_config_read(struct vfio_pci_device *vdev, int pos,
int count, struct perm_bits *perm,
Reported by FlawFinder.
drivers/acpi/acpica/aclocal.h
11 issues
Line: 296
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* expected_return_btypes - Allowed type(s) for the return value
*/
struct acpi_name_info {
char name[ACPI_NAMESEG_SIZE];
u16 argument_list;
u8 expected_btypes;
};
/*
Reported by FlawFinder.
Line: 373
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
converted_object);
struct acpi_simple_repair_info {
char name[ACPI_NAMESEG_SIZE];
u32 unexpected_btypes;
u32 package_index;
acpi_object_converter object_converter;
};
Reported by FlawFinder.
Line: 751
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 disasm_flags; /* Used during AML disassembly */\
u8 disasm_opcode; /* Subtype used for disassembly */\
char *operator_symbol; /* Used for C-style operator name strings */\
char aml_op_name[16]) /* Op name (debug only) */\
ACPI_CONVERTER_ONLY_MEMBERS (\
char *inline_comment; /* Inline comment */\
char *end_node_comment; /* End of node comment */\
char *name_comment; /* Comment associated with the first parameter of the name node */\
char *close_brace_comment; /* Comments that come after } on the same as } */\
Reported by FlawFinder.
Line: 854
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *parent_filename;
char *external_name;
char *namepath;
char name_seg[4];
u32 extra_value;
u32 column;
u32 line_number;
u32 logical_line_number;
u32 logical_byte_offset;
Reported by FlawFinder.
Line: 872
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 aml_opcode_length;
u8 aml_pkg_len_bytes;
u8 extra;
char parse_op_name[ACPI_MAX_PARSEOP_NAME];
};
union acpi_parse_object {
struct acpi_parse_obj_common common;
struct acpi_parse_obj_named named;
Reported by FlawFinder.
Line: 1189
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *name;
u32 flags;
u32 num_loops;
char pathname[ACPI_DB_LINE_BUFFER_SIZE];
char **args;
acpi_object_type *types;
/*
* Arguments to be passed to method for the commands Threads and
Reported by FlawFinder.
Line: 1204
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef ACPI_DEBUGGER
acpi_object_type arg_types[ACPI_METHOD_NUM_ARGS];
#endif
char *arguments[ACPI_METHOD_NUM_ARGS];
char num_threads_str[11];
char id_of_thread_str[11];
char index_of_thread_str[11];
};
Reported by FlawFinder.
Line: 1205
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
acpi_object_type arg_types[ACPI_METHOD_NUM_ARGS];
#endif
char *arguments[ACPI_METHOD_NUM_ARGS];
char num_threads_str[11];
char id_of_thread_str[11];
char index_of_thread_str[11];
};
struct acpi_integrity_info {
Reported by FlawFinder.
Line: 1206
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif
char *arguments[ACPI_METHOD_NUM_ARGS];
char num_threads_str[11];
char id_of_thread_str[11];
char index_of_thread_str[11];
};
struct acpi_integrity_info {
u32 nodes;
Reported by FlawFinder.
Line: 1207
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *arguments[ACPI_METHOD_NUM_ARGS];
char num_threads_str[11];
char id_of_thread_str[11];
char index_of_thread_str[11];
};
struct acpi_integrity_info {
u32 nodes;
u32 objects;
Reported by FlawFinder.
drivers/crypto/hisilicon/sec2/sec_crypto.c
11 issues
Line: 810
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
}
memcpy(c_ctx->c_key, key, keylen);
if (c_ctx->fallback) {
ret = crypto_sync_skcipher_setkey(c_ctx->fbtfm, key, keylen);
if (ret) {
dev_err(dev, "failed to set fallback skcipher key!\n");
return ret;
Reported by FlawFinder.
Line: 871
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tfm = crypto_aead_reqtfm(aead_req);
authsize = crypto_aead_authsize(tfm);
mac_offset = qp_ctx->res[req_id].pbuf + copy_size - authsize;
memcpy(a_req->out_mac, mac_offset, authsize);
}
req->in_dma = qp_ctx->res[req_id].pbuf_dma;
c_req->c_out_dma = req->in_dma;
Reported by FlawFinder.
Line: 1036
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_err("hisi_sec2: aead aes key error!\n");
return -EINVAL;
}
memcpy(c_ctx->c_key, keys->enckey, keys->enckeylen);
return 0;
}
static int sec_aead_auth_set_key(struct sec_auth_ctx *ctx,
Reported by FlawFinder.
Line: 1063
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ctx->a_key_len = digestsize;
} else {
memcpy(ctx->a_key, keys->authkey, keys->authkeylen);
ctx->a_key_len = keys->authkeylen;
}
return 0;
}
Reported by FlawFinder.
Line: 1116
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_err(dev, "set sec aes ccm cipher key err!\n");
return ret;
}
memcpy(c_ctx->c_key, key, keylen);
if (unlikely(a_ctx->fallback_aead_tfm)) {
ret = sec_aead_fallback_setkey(a_ctx, tfm, key, keylen);
if (ret)
return ret;
Reported by FlawFinder.
Line: 1223
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct skcipher_request *sk_req = req->c_req.sk_req;
struct sec_cipher_req *c_req = &req->c_req;
memcpy(c_req->c_ivin, sk_req->iv, ctx->c_ctx.ivsize);
}
static int sec_skcipher_bd_fill(struct sec_ctx *ctx, struct sec_req *req)
{
struct sec_cipher_ctx *c_ctx = &ctx->c_ctx;
Reported by FlawFinder.
Line: 1443
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (aead_req->assoclen)
flage |= 0x01 << IV_FLAGS_OFFSET;
memcpy(a_req->a_ivin, c_req->c_ivin, ctx->c_ctx.ivsize);
a_req->a_ivin[0] = flage;
/*
* the last 32bit is counter's initial number,
* but the nonce uses the first 16bit
Reported by FlawFinder.
Line: 1469
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct sec_cipher_req *c_req = &req->c_req;
struct sec_aead_req *a_req = &req->aead_req;
memcpy(c_req->c_ivin, aead_req->iv, ctx->c_ctx.ivsize);
if (ctx->c_ctx.c_mode == SEC_CMODE_CCM) {
/*
* CCM 16Byte Cipher_IV: {1B_Flage,13B_IV,2B_counter},
* the counter must set to 0x01
Reported by FlawFinder.
Line: 1484
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* GCM 12Byte Cipher_IV == Auth_IV */
if (ctx->c_ctx.c_mode == SEC_CMODE_GCM) {
ctx->a_ctx.mac_len = authsize;
memcpy(a_req->a_ivin, c_req->c_ivin, SEC_AIV_SIZE);
}
}
static void sec_auth_bd_fill_xcm(struct sec_auth_ctx *ctx, int dir,
struct sec_req *req, struct sec_sqe *sec_sqe)
Reported by FlawFinder.
Line: 1751
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* As failing, restore the IV from user */
if (ctx->c_ctx.c_mode == SEC_CMODE_CBC && !req->c_req.encrypt) {
if (ctx->alg_type == SEC_SKCIPHER)
memcpy(req->c_req.sk_req->iv, c_req->c_ivin,
ctx->c_ctx.ivsize);
else
memcpy(req->aead_req.aead_req->iv, c_req->c_ivin,
ctx->c_ctx.ivsize);
}
Reported by FlawFinder.
drivers/char/random.c
11 issues
Line: 1301
Column: 22
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
#ifdef CONFIG_BLOCK
void add_disk_randomness(struct gendisk *disk)
{
if (!disk || !disk->random)
return;
/* first major is 1, so we get >= 0x200 here */
add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
trace_add_disk_randomness(disk_devt(disk), ENTROPY_BITS(&input_pool));
}
Reported by FlawFinder.
Line: 1304
Column: 29
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
if (!disk || !disk->random)
return;
/* first major is 1, so we get >= 0x200 here */
add_timer_randomness(disk->random, 0x100 + disk_devt(disk));
trace_add_disk_randomness(disk_devt(disk), ENTROPY_BITS(&input_pool));
}
EXPORT_SYMBOL_GPL(add_disk_randomness);
#endif
Reported by FlawFinder.
Line: 1419
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hash.w[1] ^= hash.w[4];
hash.w[2] ^= rol32(hash.w[2], 16);
memcpy(out, &hash, EXTRACT_SIZE);
memzero_explicit(&hash, sizeof(hash));
}
static ssize_t _extract_entropy(struct entropy_store *r, void *buf,
size_t nbytes, int fips)
Reported by FlawFinder.
Line: 1437
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_irqsave(&r->lock, flags);
if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
panic("Hardware RNG duplicated output!\n");
memcpy(r->last_data, tmp, EXTRACT_SIZE);
spin_unlock_irqrestore(&r->lock, flags);
}
i = min_t(int, nbytes, EXTRACT_SIZE);
memcpy(buf, tmp, i);
nbytes -= i;
Reported by FlawFinder.
Line: 1441
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_unlock_irqrestore(&r->lock, flags);
}
i = min_t(int, nbytes, EXTRACT_SIZE);
memcpy(buf, tmp, i);
nbytes -= i;
buf += i;
ret += i;
}
Reported by FlawFinder.
Line: 1478
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ENTROPY_BITS(r), _RET_IP_);
extract_buf(r, tmp);
spin_lock_irqsave(&r->lock, flags);
memcpy(r->last_data, tmp, EXTRACT_SIZE);
}
spin_unlock_irqrestore(&r->lock, flags);
}
trace_extract_entropy(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_);
Reported by FlawFinder.
Line: 1539
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (nbytes > 0) {
extract_crng(tmp);
memcpy(buf, tmp, nbytes);
crng_backtrack_protect(tmp, nbytes);
} else
crng_backtrack_protect(tmp, CHACHA_BLOCK_SIZE);
memzero_explicit(tmp, sizeof(tmp));
}
Reported by FlawFinder.
Line: 1731
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!arch_get_random_long(&v))
break;
memcpy(p, &v, chunk);
p += chunk;
left -= chunk;
}
return nbytes - left;
Reported by FlawFinder.
Line: 2024
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int min_write_thresh;
static int max_write_thresh = INPUT_POOL_WORDS * 32;
static int random_min_urandom_seed = 60;
static char sysctl_bootid[16];
/*
* This function is used to return both the bootid UUID, and random
* UUID. The difference is in whether table->data is NULL; if it is,
* then a new UUID is generated and returned to the user.
Reported by FlawFinder.
Line: 2039
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *buffer, size_t *lenp, loff_t *ppos)
{
struct ctl_table fake_table;
unsigned char buf[64], tmp_uuid[16], *uuid;
uuid = table->data;
if (!uuid) {
uuid = tmp_uuid;
generate_random_uuid(uuid);
Reported by FlawFinder.