The following issues were found
drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
11 issues
Line: 1346
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int gfx_v9_0_init_cp_gfx_microcode(struct amdgpu_device *adev,
const char *chip_name)
{
char fw_name[30];
int err;
struct amdgpu_firmware_info *info = NULL;
const struct common_firmware_header *header = NULL;
const struct gfx_firmware_header_v1_0 *cp_hdr;
Reported by FlawFinder.
Line: 1426
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int gfx_v9_0_init_rlc_microcode(struct amdgpu_device *adev,
const char *chip_name)
{
char fw_name[30];
int err;
struct amdgpu_firmware_info *info = NULL;
const struct common_firmware_header *header = NULL;
const struct rlc_firmware_header_v2_0 *rlc_hdr;
unsigned int *tmp = NULL;
Reported by FlawFinder.
Line: 1567
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int gfx_v9_0_init_cp_compute_microcode(struct amdgpu_device *adev,
const char *chip_name)
{
char fw_name[30];
int err;
struct amdgpu_firmware_info *info = NULL;
const struct common_firmware_header *header = NULL;
const struct gfx_firmware_header_v1_0 *cp_hdr;
Reported by FlawFinder.
Line: 2042
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return r;
}
memcpy(fw, fw_data, fw_size);
amdgpu_bo_kunmap(adev->gfx.mec.mec_fw_obj);
amdgpu_bo_unreserve(adev->gfx.mec.mec_fw_obj);
return 0;
Reported by FlawFinder.
Line: 2288
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ring->doorbell_index = (adev->doorbell_index.mec_ring0 + ring_id) << 1;
ring->eop_gpu_addr = adev->gfx.mec.hpd_eop_gpu_addr
+ (ring_id * GFX9_MEC_HPD_SIZE);
sprintf(ring->name, "comp_%d.%d.%d", ring->me, ring->pipe, ring->queue);
irq_type = AMDGPU_CP_IRQ_COMPUTE_MEC1_PIPE0_EOP
+ ((ring->me - 1) * adev->gfx.mec.num_pipe_per_mec)
+ ring->pipe;
hw_prio = amdgpu_gfx_is_high_priority_compute_queue(adev, ring) ?
Reported by FlawFinder.
Line: 2381
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ring = &adev->gfx.gfx_ring[i];
ring->ring_obj = NULL;
if (!i)
sprintf(ring->name, "gfx");
else
sprintf(ring->name, "gfx_%d", i);
ring->use_doorbell = true;
ring->doorbell_index = adev->doorbell_index.gfx_ring0 << 1;
r = amdgpu_ring_init(adev, ring, 1024, &adev->gfx.eop_irq,
Reported by FlawFinder.
Line: 2383
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!i)
sprintf(ring->name, "gfx");
else
sprintf(ring->name, "gfx_%d", i);
ring->use_doorbell = true;
ring->doorbell_index = adev->doorbell_index.gfx_ring0 << 1;
r = amdgpu_ring_init(adev, ring, 1024, &adev->gfx.eop_irq,
AMDGPU_CP_IRQ_GFX_ME0_PIPE0_EOP,
AMDGPU_RING_PRIO_DEFAULT, NULL);
Reported by FlawFinder.
Line: 3783
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (amdgpu_in_reset(adev) && tmp_mqd->cp_hqd_pq_control){
/* for GPU_RESET case , reset MQD to a clean status */
if (adev->gfx.mec.mqd_backup[mqd_idx])
memcpy(mqd, adev->gfx.mec.mqd_backup[mqd_idx], sizeof(struct v9_mqd_allocation));
/* reset ring buffer */
ring->wptr = 0;
amdgpu_ring_clear_ring(ring);
Reported by FlawFinder.
Line: 3806
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_unlock(&adev->srbm_mutex);
if (adev->gfx.mec.mqd_backup[mqd_idx])
memcpy(adev->gfx.mec.mqd_backup[mqd_idx], mqd, sizeof(struct v9_mqd_allocation));
}
return 0;
}
Reported by FlawFinder.
Line: 3836
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_unlock(&adev->srbm_mutex);
if (adev->gfx.mec.mqd_backup[mqd_idx])
memcpy(adev->gfx.mec.mqd_backup[mqd_idx], mqd, sizeof(struct v9_mqd_allocation));
} else if (amdgpu_in_reset(adev)) { /* for GPU_RESET case */
/* reset MQD to a clean status */
if (adev->gfx.mec.mqd_backup[mqd_idx])
memcpy(mqd, adev->gfx.mec.mqd_backup[mqd_idx], sizeof(struct v9_mqd_allocation));
Reported by FlawFinder.
drivers/char/ipmi/ipmi_si_intf.c
11 issues
Line: 366
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void start_check_enables(struct smi_info *smi_info)
{
unsigned char msg[2];
msg[0] = (IPMI_NETFN_APP_REQUEST << 2);
msg[1] = IPMI_GET_BMC_GLOBAL_ENABLES_CMD;
start_new_msg(smi_info, msg, 2);
Reported by FlawFinder.
Line: 377
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void start_clear_flags(struct smi_info *smi_info)
{
unsigned char msg[3];
/* Make sure the watchdog pre-timeout flag is not set at startup. */
msg[0] = (IPMI_NETFN_APP_REQUEST << 2);
msg[1] = IPMI_CLEAR_MSG_FLAGS_CMD;
msg[2] = WDT_PRE_TIMEOUT_INT;
Reported by FlawFinder.
Line: 565
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
case SI_GETTING_FLAGS:
{
unsigned char msg[4];
unsigned int len;
/* We got the flags from the SMI, now handle them. */
len = smi_info->handlers->get_result(smi_info->si_sm, msg, 4);
if (msg[2] != 0) {
Reported by FlawFinder.
Line: 588
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
case SI_CLEARING_FLAGS:
{
unsigned char msg[3];
/* We cleared the flags. */
smi_info->handlers->get_result(smi_info->si_sm, msg, 3);
if (msg[2] != 0) {
/* Error clearing flags */
Reported by FlawFinder.
Line: 679
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
case SI_CHECKING_ENABLES:
{
unsigned char msg[4];
u8 enables;
bool irq_on;
/* We got the flags from the SMI, now handle them. */
smi_info->handlers->get_result(smi_info->si_sm, msg, 4);
Reported by FlawFinder.
Line: 720
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
case SI_SETTING_ENABLES:
{
unsigned char msg[4];
smi_info->handlers->get_result(smi_info->si_sm, msg, 4);
if (msg[2] != 0)
dev_warn(smi_info->io.dev,
"Could not set the global enables: 0x%x.\n",
Reported by FlawFinder.
Line: 796
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* this if there is not yet an upper layer to handle anything.
*/
if (si_sm_result == SI_SM_ATTN || smi_info->got_attn) {
unsigned char msg[2];
if (smi_info->si_state != SI_NORMAL) {
/*
* We got an ATTN, but we are doing something else.
* Handle the ATTN later.
Reported by FlawFinder.
Line: 1310
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int try_get_dev_id(struct smi_info *smi_info)
{
unsigned char msg[2];
unsigned char *resp;
unsigned long resp_len;
int rv = 0;
unsigned int retry_count = 0;
Reported by FlawFinder.
Line: 1360
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int get_global_enables(struct smi_info *smi_info, u8 *enables)
{
unsigned char msg[3];
unsigned char *resp;
unsigned long resp_len;
int rv;
resp = kmalloc(IPMI_MAX_MSG_LENGTH, GFP_KERNEL);
Reported by FlawFinder.
Line: 1407
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static int set_global_enables(struct smi_info *smi_info, u8 enables)
{
unsigned char msg[3];
unsigned char *resp;
unsigned long resp_len;
int rv;
resp = kmalloc(IPMI_MAX_MSG_LENGTH, GFP_KERNEL);
Reported by FlawFinder.
drivers/block/paride/pg.c
11 issues
Line: 217
Column: 16
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
unsigned long timeout; /* timeout requested */
int status; /* last sense key */
int drive; /* drive */
unsigned long access; /* count of active opens ... */
int present; /* device present ? */
char *bufptr;
char name[PG_NAMELEN]; /* pg0, pg1, ... */
};
Reported by FlawFinder.
Line: 252
Column: 22
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
int *parm = *drives[unit];
struct pg *dev = &devices[unit];
dev->pi = &dev->pia;
clear_bit(0, &dev->access);
dev->busy = 0;
dev->present = 0;
dev->bufptr = NULL;
dev->drive = parm[D_SLV];
snprintf(dev->name, PG_NAMELEN, "%s%c", name, 'a'+unit);
Reported by FlawFinder.
Line: 538
Column: 32
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
goto out;
}
if (test_and_set_bit(0, &dev->access)) {
ret = -EBUSY;
goto out;
}
if (dev->busy) {
Reported by FlawFinder.
Line: 552
Column: 22
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
dev->bufptr = kmalloc(PG_MAX_DATA, GFP_KERNEL);
if (dev->bufptr == NULL) {
clear_bit(0, &dev->access);
printk("%s: buffer allocation failed\n", dev->name);
ret = -ENOMEM;
goto out;
}
Reported by FlawFinder.
Line: 571
Column: 21
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
kfree(dev->bufptr);
dev->bufptr = NULL;
clear_bit(0, &dev->access);
return 0;
}
static ssize_t pg_write(struct file *filp, const char __user *buf, size_t count, loff_t *ppos)
Reported by FlawFinder.
Line: 220
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long access; /* count of active opens ... */
int present; /* device present ? */
char *bufptr;
char name[PG_NAMELEN]; /* pg0, pg1, ... */
};
static struct pg devices[PG_UNITS];
static int pg_identify(struct pg *dev, int log);
Reported by FlawFinder.
Line: 227
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pg_identify(struct pg *dev, int log);
static char pg_scratch[512]; /* scratch block buffer */
static struct class *pg_class;
static void *par_drv; /* reference of parport driver */
/* kernel glue structures */
Reported by FlawFinder.
Line: 440
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pg_identify(struct pg *dev, int log)
{
int s;
char *ms[2] = { "master", "slave" };
char mf[10], id[18];
char id_cmd[12] = { ATAPI_IDENTIFY, 0, 0, 0, 36, 0, 0, 0, 0, 0, 0, 0 };
char buf[36];
s = pg_command(dev, id_cmd, 36, jiffies + PG_TMO);
Reported by FlawFinder.
Line: 441
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int s;
char *ms[2] = { "master", "slave" };
char mf[10], id[18];
char id_cmd[12] = { ATAPI_IDENTIFY, 0, 0, 0, 36, 0, 0, 0, 0, 0, 0, 0 };
char buf[36];
s = pg_command(dev, id_cmd, 36, jiffies + PG_TMO);
if (s)
Reported by FlawFinder.
Line: 442
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int s;
char *ms[2] = { "master", "slave" };
char mf[10], id[18];
char id_cmd[12] = { ATAPI_IDENTIFY, 0, 0, 0, 36, 0, 0, 0, 0, 0, 0, 0 };
char buf[36];
s = pg_command(dev, id_cmd, 36, jiffies + PG_TMO);
if (s)
return -1;
Reported by FlawFinder.
drivers/char/pcmcia/cm4000_cs.c
11 issues
Line: 108
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cm4000_dev {
struct pcmcia_device *p_dev;
unsigned char atr[MAX_ATR];
unsigned char rbuf[512];
unsigned char sbuf[512];
wait_queue_head_t devq; /* when removing cardman must not be
zeroed! */
Reported by FlawFinder.
Line: 109
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pcmcia_device *p_dev;
unsigned char atr[MAX_ATR];
unsigned char rbuf[512];
unsigned char sbuf[512];
wait_queue_head_t devq; /* when removing cardman must not be
zeroed! */
Reported by FlawFinder.
Line: 110
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char atr[MAX_ATR];
unsigned char rbuf[512];
unsigned char sbuf[512];
wait_queue_head_t devq; /* when removing cardman must not be
zeroed! */
wait_queue_head_t ioq; /* if IO is locked, wait on this Q */
Reported by FlawFinder.
Line: 139
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long flags; /* lock+flags (MONITOR,IO,ATR) * for concurrent
access */
unsigned char pts[4];
struct timer_list timer; /* used to keep monitor running */
int monitor_running;
};
Reported by FlawFinder.
Line: 156
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* This table doesn't use spaces after the comma between fields and thus
* violates process/coding-style.rst. However, I don't really think wrapping it around will
* make it any clearer to read -HW */
static unsigned char fi_di_table[10][14] = {
/*FI 00 01 02 03 04 05 06 07 08 09 10 11 12 13 */
/*DI */
/* 0 */ {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11},
/* 1 */ {0x01,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x91,0x11,0x11,0x11,0x11},
/* 2 */ {0x02,0x12,0x22,0x32,0x11,0x11,0x11,0x11,0x11,0x92,0xA2,0xB2,0x11,0x11},
Reported by FlawFinder.
Line: 401
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
struct card_fixup {
char atr[12];
u_int8_t atr_len;
u_int8_t stopbits;
};
static struct card_fixup card_fixups[] = {
Reported by FlawFinder.
Line: 454
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long tmp, i;
unsigned short num_bytes_read;
unsigned char pts_reply[4];
ssize_t rc;
unsigned int iobase = dev->p_dev->resource[0]->start;
rc = 0;
Reported by FlawFinder.
Line: 1413
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int rc;
void __user *argp = (void __user *)arg;
#ifdef CM4000_DEBUG
char *ioctl_names[CM_IOC_MAXNR + 1] = {
[_IOC_NR(CM_IOCGSTATUS)] "CM_IOCGSTATUS",
[_IOC_NR(CM_IOCGATR)] "CM_IOCGATR",
[_IOC_NR(CM_IOCARDOFF)] "CM_IOCARDOFF",
[_IOC_NR(CM_IOCSPTS)] "CM_IOCSPTS",
[_IOC_NR(CM_IOSDBGLVL)] "CM4000_DBGLVL",
Reported by FlawFinder.
Line: 1640
Column: 12
CWE codes:
362
goto out;
}
if (link->open) {
ret = -EBUSY;
goto out;
}
dev = link->priv;
Reported by FlawFinder.
Line: 1719
Column: 15
CWE codes:
362
* close doing that for us.
*/
DEBUGP(3, dev, "-> cmm_cm4000_release\n");
while (link->open) {
printk(KERN_INFO MODULE_NAME ": delaying release until "
"process has terminated\n");
/* note: don't interrupt us:
* close the applications which own
* the devices _first_ !
Reported by FlawFinder.
include/sound/info.h
11 issues
Line: 74
Column: 15
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
void *private_data;
void (*private_free)(struct snd_info_entry *entry);
struct proc_dir_entry *p;
struct mutex access;
struct list_head children;
struct list_head list;
};
#if defined(CONFIG_SND_OSSEMUL) && defined(CONFIG_SND_PROC_FS)
Reported by FlawFinder.
Line: 37
Column: 8
CWE codes:
362
};
struct snd_info_entry_ops {
int (*open)(struct snd_info_entry *entry,
unsigned short mode, void **file_private_data);
int (*release)(struct snd_info_entry *entry,
unsigned short mode, void *file_private_data);
ssize_t (*read)(struct snd_info_entry *entry, void *file_private_data,
struct file *file, char __user *buf,
Reported by FlawFinder.
Line: 30
Column: 9
CWE codes:
120
20
struct snd_info_entry;
struct snd_info_entry_text {
void (*read)(struct snd_info_entry *entry,
struct snd_info_buffer *buffer);
void (*write)(struct snd_info_entry *entry,
struct snd_info_buffer *buffer);
};
Reported by FlawFinder.
Line: 41
Column: 12
CWE codes:
120
20
unsigned short mode, void **file_private_data);
int (*release)(struct snd_info_entry *entry,
unsigned short mode, void *file_private_data);
ssize_t (*read)(struct snd_info_entry *entry, void *file_private_data,
struct file *file, char __user *buf,
size_t count, loff_t pos);
ssize_t (*write)(struct snd_info_entry *entry, void *file_private_data,
struct file *file, const char __user *buf,
size_t count, loff_t pos);
Reported by FlawFinder.
Line: 141
Column: 9
CWE codes:
120
20
static inline void snd_info_set_text_ops(struct snd_info_entry *entry,
void *private_data,
void (*read)(struct snd_info_entry *, struct snd_info_buffer *))
{
entry->private_data = private_data;
entry->c.text.read = read;
}
Reported by FlawFinder.
Line: 144
Column: 23
CWE codes:
120
20
void (*read)(struct snd_info_entry *, struct snd_info_buffer *))
{
entry->private_data = private_data;
entry->c.text.read = read;
}
int snd_card_rw_proc_new(struct snd_card *card, const char *name,
void *private_data,
void (*read)(struct snd_info_entry *,
Reported by FlawFinder.
Line: 149
Column: 12
CWE codes:
120
20
int snd_card_rw_proc_new(struct snd_card *card, const char *name,
void *private_data,
void (*read)(struct snd_info_entry *,
struct snd_info_buffer *),
void (*write)(struct snd_info_entry *entry,
struct snd_info_buffer *buffer));
int snd_info_check_reserved_words(const char *str);
Reported by FlawFinder.
Line: 182
Column: 14
CWE codes:
120
20
struct snd_info_entry **entryp) { return -EINVAL; }
static inline void snd_info_set_text_ops(struct snd_info_entry *entry __attribute__((unused)),
void *private_data,
void (*read)(struct snd_info_entry *, struct snd_info_buffer *)) {}
static inline int snd_card_rw_proc_new(struct snd_card *card, const char *name,
void *private_data,
void (*read)(struct snd_info_entry *,
struct snd_info_buffer *),
void (*write)(struct snd_info_entry *entry,
Reported by FlawFinder.
Line: 185
Column: 19
CWE codes:
120
20
void (*read)(struct snd_info_entry *, struct snd_info_buffer *)) {}
static inline int snd_card_rw_proc_new(struct snd_card *card, const char *name,
void *private_data,
void (*read)(struct snd_info_entry *,
struct snd_info_buffer *),
void (*write)(struct snd_info_entry *entry,
struct snd_info_buffer *buffer))
{
return 0;
Reported by FlawFinder.
Line: 209
Column: 15
CWE codes:
120
20
static inline int
snd_card_ro_proc_new(struct snd_card *card, const char *name,
void *private_data,
void (*read)(struct snd_info_entry *,
struct snd_info_buffer *))
{
return snd_card_rw_proc_new(card, name, private_data, read, NULL);
}
Reported by FlawFinder.
net/mac80211/key.c
11 issues
Line: 694
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
key->flags |= KEY_FLAG_CIPHER_SCHEME;
}
}
memcpy(key->conf.key, key_data, key_len);
INIT_LIST_HEAD(&key->list);
return key;
}
Reported by FlawFinder.
Line: 787
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new->conf.cipher == WLAN_CIPHER_SUITE_TKIP &&
new->conf.keylen == WLAN_KEY_LEN_TKIP &&
!(new->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE)) {
memcpy(tkip_old, tk_old, WLAN_KEY_LEN_TKIP);
memcpy(tkip_new, tk_new, WLAN_KEY_LEN_TKIP);
memset(tkip_old + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8);
memset(tkip_new + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8);
tk_old = tkip_old;
tk_new = tkip_new;
Reported by FlawFinder.
Line: 788
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new->conf.keylen == WLAN_KEY_LEN_TKIP &&
!(new->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE)) {
memcpy(tkip_old, tk_old, WLAN_KEY_LEN_TKIP);
memcpy(tkip_new, tk_new, WLAN_KEY_LEN_TKIP);
memset(tkip_old + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8);
memset(tkip_new + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8);
tk_old = tkip_old;
tk_new = tkip_new;
}
Reported by FlawFinder.
Line: 1168
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pn = key->u.ccmp.rx_pn[IEEE80211_NUM_TIDS];
else
pn = key->u.ccmp.rx_pn[tid];
memcpy(seq->ccmp.pn, pn, IEEE80211_CCMP_PN_LEN);
break;
case WLAN_CIPHER_SUITE_AES_CMAC:
case WLAN_CIPHER_SUITE_BIP_CMAC_256:
if (WARN_ON(tid != 0))
return;
Reported by FlawFinder.
Line: 1175
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (WARN_ON(tid != 0))
return;
pn = key->u.aes_cmac.rx_pn;
memcpy(seq->aes_cmac.pn, pn, IEEE80211_CMAC_PN_LEN);
break;
case WLAN_CIPHER_SUITE_BIP_GMAC_128:
case WLAN_CIPHER_SUITE_BIP_GMAC_256:
if (WARN_ON(tid != 0))
return;
Reported by FlawFinder.
Line: 1182
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (WARN_ON(tid != 0))
return;
pn = key->u.aes_gmac.rx_pn;
memcpy(seq->aes_gmac.pn, pn, IEEE80211_GMAC_PN_LEN);
break;
case WLAN_CIPHER_SUITE_GCMP:
case WLAN_CIPHER_SUITE_GCMP_256:
if (WARN_ON(tid < -1 || tid >= IEEE80211_NUM_TIDS))
return;
Reported by FlawFinder.
Line: 1192
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pn = key->u.gcmp.rx_pn[IEEE80211_NUM_TIDS];
else
pn = key->u.gcmp.rx_pn[tid];
memcpy(seq->gcmp.pn, pn, IEEE80211_GCMP_PN_LEN);
break;
}
}
EXPORT_SYMBOL(ieee80211_get_key_rx_seq);
Reported by FlawFinder.
Line: 1221
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pn = key->u.ccmp.rx_pn[IEEE80211_NUM_TIDS];
else
pn = key->u.ccmp.rx_pn[tid];
memcpy(pn, seq->ccmp.pn, IEEE80211_CCMP_PN_LEN);
break;
case WLAN_CIPHER_SUITE_AES_CMAC:
case WLAN_CIPHER_SUITE_BIP_CMAC_256:
if (WARN_ON(tid != 0))
return;
Reported by FlawFinder.
Line: 1228
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (WARN_ON(tid != 0))
return;
pn = key->u.aes_cmac.rx_pn;
memcpy(pn, seq->aes_cmac.pn, IEEE80211_CMAC_PN_LEN);
break;
case WLAN_CIPHER_SUITE_BIP_GMAC_128:
case WLAN_CIPHER_SUITE_BIP_GMAC_256:
if (WARN_ON(tid != 0))
return;
Reported by FlawFinder.
Line: 1235
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (WARN_ON(tid != 0))
return;
pn = key->u.aes_gmac.rx_pn;
memcpy(pn, seq->aes_gmac.pn, IEEE80211_GMAC_PN_LEN);
break;
case WLAN_CIPHER_SUITE_GCMP:
case WLAN_CIPHER_SUITE_GCMP_256:
if (WARN_ON(tid < -1 || tid >= IEEE80211_NUM_TIDS))
return;
Reported by FlawFinder.
net/netfilter/ipset/ip_set_hash_gen.h
11 issues
Line: 552
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!test_bit(j, n->used))
continue;
data = ahash_data(n, j, dsize);
memcpy(tmp->value + d * dsize,
data, dsize);
set_bit(d, tmp->used);
d++;
}
tmp->pos = d;
Reported by FlawFinder.
Line: 701
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* so the live data cannot be modified.
*/
flags = 0;
memcpy(tmp, data, dsize);
data = tmp;
mtype_data_reset_flags(data, &flags);
#endif
key = HKEY(data, h->initval, htable_bits);
m = __ipset_dereference(hbucket(t, key));
Reported by FlawFinder.
Line: 736
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (ret < 0)
goto cleanup;
memcpy(ht, m, sizeof(struct hbucket) +
m->size * dsize);
ht->size = m->size + AHASH_INIT_SIZE;
t->hregion[nr].ext_size +=
ext_size(AHASH_INIT_SIZE,
dsize);
Reported by FlawFinder.
Line: 747
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
RCU_INIT_POINTER(hbucket(t, key), ht);
}
d = ahash_data(m, m->pos, dsize);
memcpy(d, data, dsize);
set_bit(m->pos++, m->used);
t->hregion[nr].elements++;
#ifdef IP_SET_HASH_WITH_NETS
mtype_data_reset_flags(d, &flags);
#endif
Reported by FlawFinder.
Line: 954
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = -ENOMEM;
goto unlock;
}
memcpy(n, old, sizeof(struct hbucket) +
old->size * set->dsize);
n->size = old->size + AHASH_INIT_SIZE;
t->hregion[r].ext_size +=
ext_size(AHASH_INIT_SIZE, set->dsize);
}
Reported by FlawFinder.
Line: 970
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < IPSET_NET_COUNT; i++)
mtype_add_cidr(set, h, NCIDR_PUT(DCIDR_GET(d->cidr, i)), i);
#endif
memcpy(data, d, sizeof(struct mtype_elem));
overwrite_extensions:
#ifdef IP_SET_HASH_WITH_NETS
mtype_data_set_flags(data, flags);
#endif
if (SET_WITH_COUNTER(set))
Reported by FlawFinder.
Line: 1003
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Don't bother */
goto out;
x->ad = IPSET_ADD;
memcpy(&x->d, value, sizeof(struct mtype_elem));
memcpy(&x->ext, ext, sizeof(struct ip_set_ext));
memcpy(&x->mext, mext, sizeof(struct ip_set_ext));
x->flags = flags;
spin_lock_bh(&set->lock);
list_add_tail(&x->list, &h->ad);
Reported by FlawFinder.
Line: 1004
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
x->ad = IPSET_ADD;
memcpy(&x->d, value, sizeof(struct mtype_elem));
memcpy(&x->ext, ext, sizeof(struct ip_set_ext));
memcpy(&x->mext, mext, sizeof(struct ip_set_ext));
x->flags = flags;
spin_lock_bh(&set->lock);
list_add_tail(&x->list, &h->ad);
spin_unlock_bh(&set->lock);
Reported by FlawFinder.
Line: 1005
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
x->ad = IPSET_ADD;
memcpy(&x->d, value, sizeof(struct mtype_elem));
memcpy(&x->ext, ext, sizeof(struct ip_set_ext));
memcpy(&x->mext, mext, sizeof(struct ip_set_ext));
x->flags = flags;
spin_lock_bh(&set->lock);
list_add_tail(&x->list, &h->ad);
spin_unlock_bh(&set->lock);
}
Reported by FlawFinder.
Line: 1090
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
GFP_ATOMIC);
if (x) {
x->ad = IPSET_DEL;
memcpy(&x->d, value,
sizeof(struct mtype_elem));
x->flags = flags;
}
}
for (; i < n->pos; i++) {
Reported by FlawFinder.
kernel/rcu/refscale.c
11 issues
Line: 586
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (i % 5 == 0)
strcat(buf, "\n");
strcat(buf, buf1);
sum += rt->last_duration_ns;
}
strcat(buf, "\n");
Reported by FlawFinder.
Line: 681
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
break;
avg = div_u64_rem(result_avg[exp], 1000, &rem);
sprintf(buf1, "%d\t%llu.%03u\n", exp + 1, avg, rem);
strcat(buf, buf1);
}
if (!errexit)
SCALEOUT("%s", buf);
Reported by FlawFinder.
Line: 569
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i;
struct reader_task *rt;
char buf1[64];
char *buf;
u64 sum = 0;
buf = kmalloc(128 + nreaders * 32, GFP_KERNEL);
if (!buf)
Reported by FlawFinder.
Line: 577
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!buf)
return 0;
buf[0] = 0;
sprintf(buf, "Experiment #%d (Format: <THREAD-NUM>:<Total loop time in ns>)",
exp_idx);
for (i = 0; i < n && !torture_must_stop(); i++) {
rt = &(reader_tasks[i]);
sprintf(buf1, "%d: %llu\t", i, rt->last_duration_ns);
Reported by FlawFinder.
Line: 582
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < n && !torture_must_stop(); i++) {
rt = &(reader_tasks[i]);
sprintf(buf1, "%d: %llu\t", i, rt->last_duration_ns);
if (i % 5 == 0)
strcat(buf, "\n");
strcat(buf, buf1);
Reported by FlawFinder.
Line: 608
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
bool errexit = false;
int exp, r;
char buf1[64];
char *buf;
u64 *result_avg;
set_cpus_allowed_ptr(current, cpumask_of(nreaders % nr_cpu_ids));
set_user_nice(current, MAX_NICE);
Reported by FlawFinder.
Line: 670
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (!errexit) {
buf[0] = 0;
strcat(buf, "\n");
strcat(buf, "Runs\tTime(ns)\n");
}
for (exp = 0; exp < nruns; exp++) {
u64 avg;
u32 rem;
Reported by FlawFinder.
Line: 680
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (errexit)
break;
avg = div_u64_rem(result_avg[exp], 1000, &rem);
sprintf(buf1, "%d\t%llu.%03u\n", exp + 1, avg, rem);
strcat(buf, buf1);
}
if (!errexit)
SCALEOUT("%s", buf);
Reported by FlawFinder.
Line: 585
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
sprintf(buf1, "%d: %llu\t", i, rt->last_duration_ns);
if (i % 5 == 0)
strcat(buf, "\n");
strcat(buf, buf1);
sum += rt->last_duration_ns;
}
strcat(buf, "\n");
Reported by FlawFinder.
Line: 590
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
sum += rt->last_duration_ns;
}
strcat(buf, "\n");
SCALEOUT("%s\n", buf);
kfree(buf);
return sum;
Reported by FlawFinder.
kernel/bpf/syscall.c
11 issues
Line: 1657
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
BPF_AUDIT_MAX,
};
static const char * const bpf_audit_str[BPF_AUDIT_MAX] = {
[BPF_AUDIT_LOAD] = "LOAD",
[BPF_AUDIT_UNLOAD] = "UNLOAD",
};
static void bpf_audit_prog(const struct bpf_prog *prog, unsigned int op)
Reported by FlawFinder.
Line: 1811
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void bpf_prog_show_fdinfo(struct seq_file *m, struct file *filp)
{
const struct bpf_prog *prog = filp->private_data;
char prog_tag[sizeof(prog->tag) * 2 + 1] = { };
struct bpf_prog_stats stats;
bpf_prog_get_stats(prog, &stats);
bin2hex(prog_tag, prog->tag, sizeof(prog->tag));
seq_printf(m,
Reported by FlawFinder.
Line: 2140
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bpf_prog *prog, *dst_prog = NULL;
struct btf *attach_btf = NULL;
int err;
char license[128];
bool is_gpl;
if (CHECK_ATTR(BPF_PROG_LOAD))
return -EINVAL;
Reported by FlawFinder.
Line: 2446
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const struct bpf_link *link = filp->private_data;
const struct bpf_prog *prog = link->prog;
char prog_tag[sizeof(prog->tag) * 2 + 1] = { };
bin2hex(prog_tag, prog->tag, sizeof(prog->tag));
seq_printf(m,
"link_type:\t%s\n"
"link_id:\t%u\n"
Reported by FlawFinder.
Line: 2885
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bpf_raw_event_map *btp;
struct bpf_prog *prog;
const char *tp_name;
char buf[128];
int err;
if (CHECK_ATTR(BPF_RAW_TRACEPOINT_OPEN))
return -EINVAL;
Reported by FlawFinder.
Line: 3499
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
prog->aux->user->uid);
info.gpl_compatible = prog->gpl_compatible;
memcpy(info.tag, prog->tag, sizeof(prog->tag));
memcpy(info.name, prog->aux->name, sizeof(prog->aux->name));
mutex_lock(&prog->aux->used_maps_mutex);
ulen = info.nr_map_ids;
info.nr_map_ids = prog->aux->used_map_cnt;
Reported by FlawFinder.
Line: 3500
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
info.gpl_compatible = prog->gpl_compatible;
memcpy(info.tag, prog->tag, sizeof(prog->tag));
memcpy(info.name, prog->aux->name, sizeof(prog->aux->name));
mutex_lock(&prog->aux->used_maps_mutex);
ulen = info.nr_map_ids;
info.nr_map_ids = prog->aux->used_map_cnt;
ulen = min_t(u32, info.nr_map_ids, ulen);
Reported by FlawFinder.
Line: 3774
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
info.value_size = map->value_size;
info.max_entries = map->max_entries;
info.map_flags = map->map_flags;
memcpy(info.name, map->name, sizeof(map->name));
if (map->btf) {
info.btf_id = btf_obj_id(map->btf);
info.btf_key_type_id = map->btf_key_type_id;
info.btf_value_type_id = map->btf_value_type_id;
Reported by FlawFinder.
Line: 4408
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out_unlock;
}
memcpy(used_maps_new, used_maps_old,
sizeof(used_maps_old[0]) * prog->aux->used_map_cnt);
used_maps_new[prog->aux->used_map_cnt] = map;
prog->aux->used_map_cnt++;
prog->aux->used_maps = used_maps_new;
Reported by FlawFinder.
Line: 2843
Column: 18
CWE codes:
126
char __user *ubuf = u64_to_user_ptr(info->raw_tracepoint.tp_name);
const char *tp_name = raw_tp_link->btp->tp->name;
u32 ulen = info->raw_tracepoint.tp_name_len;
size_t tp_len = strlen(tp_name);
if (!ulen ^ !ubuf)
return -EINVAL;
info->raw_tracepoint.tp_name_len = tp_len + 1;
Reported by FlawFinder.
net/ipv4/netfilter/ip_tables.c
11 issues
Line: 985
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
sizeof(info.underflow));
info.num_entries = private->number;
info.size = private->size;
strcpy(info.name, name);
if (copy_to_user(user, &info, *len) != 0)
ret = -EFAULT;
else
ret = 0;
Reported by FlawFinder.
Line: 230
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct xt_table *table)
{
unsigned int hook = state->hook;
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
const struct iphdr *ip;
/* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP;
const char *indev, *outdev;
const void *table_base;
Reported by FlawFinder.
Line: 878
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (v > 0)
v += xt_compat_calc_jump(AF_INET, v);
memcpy(dst, &v, sizeof(v));
}
static int compat_standard_to_user(void __user *dst, const void *src)
{
compat_int_t cv = *(int *)src;
Reported by FlawFinder.
Line: 932
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
/* we dont care about newinfo->entries */
memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
newinfo->initial_entries = 0;
loc_cpu_entry = info->entries;
ret = xt_compat_init_offsets(AF_INET, info->number);
if (ret)
return ret;
Reported by FlawFinder.
Line: 949
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int get_info(struct net *net, void __user *user, const int *len)
{
char name[XT_TABLE_MAXNAMELEN];
struct xt_table *t;
int ret;
if (*len != sizeof(struct ipt_getinfo))
return -EINVAL;
Reported by FlawFinder.
Line: 1204
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
struct compat_ipt_replace {
char name[XT_TABLE_MAXNAMELEN];
u32 valid_hooks;
u32 num_entries;
u32 size;
u32 hook_entry[NF_INET_NUMHOOKS];
u32 underflow[NF_INET_NUMHOOKS];
Reported by FlawFinder.
Line: 1365
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
origsize = *size;
de = *dstptr;
memcpy(de, e, sizeof(struct ipt_entry));
memcpy(&de->counters, &e->counters, sizeof(e->counters));
*dstptr += sizeof(struct ipt_entry);
*size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
Reported by FlawFinder.
Line: 1366
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
origsize = *size;
de = *dstptr;
memcpy(de, e, sizeof(struct ipt_entry));
memcpy(&de->counters, &e->counters, sizeof(e->counters));
*dstptr += sizeof(struct ipt_entry);
*size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
xt_ematch_foreach(ematch, e)
Reported by FlawFinder.
Line: 1455
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
xt_compat_flush_offsets(AF_INET);
xt_compat_unlock(AF_INET);
memcpy(&repl, compatr, sizeof(*compatr));
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
repl.hook_entry[i] = newinfo->hook_entry[i];
repl.underflow[i] = newinfo->underflow[i];
}
Reported by FlawFinder.
Line: 1538
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
struct compat_ipt_get_entries {
char name[XT_TABLE_MAXNAMELEN];
compat_uint_t size;
struct compat_ipt_entry entrytable[];
};
static int
Reported by FlawFinder.