The following issues were found
drivers/net/ethernet/chelsio/cxgb4/sge.c
10 issues
Line: 883
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned int part0 = (u8 *)q->stat - (u8 *)sgl->sge, part1;
if (likely(part0))
memcpy(sgl->sge, buf, part0);
part1 = (u8 *)end - (u8 *)q->stat;
memcpy(q->desc, (u8 *)buf + part0, part1);
end = (void *)q->desc + part1;
}
if ((uintptr_t)end & 8) /* 0-pad to multiple of 16 */
Reported by FlawFinder.
Line: 885
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (likely(part0))
memcpy(sgl->sge, buf, part0);
part1 = (u8 *)end - (u8 *)q->stat;
memcpy(q->desc, (u8 *)buf + part0, part1);
end = (void *)q->desc + part1;
}
if ((uintptr_t)end & 8) /* 0-pad to multiple of 16 */
*end = 0;
}
Reported by FlawFinder.
Line: 986
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 part0 = (u8 *)q->stat - (u8 *)sgl->sge, part1;
if (likely(part0))
memcpy(sgl->sge, buf, part0);
part1 = (u8 *)end - (u8 *)q->stat;
memcpy(q->desc, (u8 *)buf + part0, part1);
end = (void *)q->desc + part1;
}
Reported by FlawFinder.
Line: 988
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (likely(part0))
memcpy(sgl->sge, buf, part0);
part1 = (u8 *)end - (u8 *)q->stat;
memcpy(q->desc, (u8 *)buf + part0, part1);
end = (void *)q->desc + part1;
}
/* 0-pad to multiple of 16 */
if ((uintptr_t)end & 8)
Reported by FlawFinder.
Line: 1138
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int left = (void *)q->stat - pos;
if (likely(length <= left)) {
memcpy(pos, skb->data, length);
pos += length;
} else {
memcpy(pos, skb->data, left);
memcpy(q->desc, skb->data + left, length - left);
pos = (void *)q->desc + (length - left);
Reported by FlawFinder.
Line: 1141
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(pos, skb->data, length);
pos += length;
} else {
memcpy(pos, skb->data, left);
memcpy(q->desc, skb->data + left, length - left);
pos = (void *)q->desc + (length - left);
}
/* 0-pad to multiple of 16 */
p = PTR_ALIGN(pos, 8);
Reported by FlawFinder.
Line: 1142
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pos += length;
} else {
memcpy(pos, skb->data, left);
memcpy(q->desc, skb->data + left, length - left);
pos = (void *)q->desc + (length - left);
}
/* 0-pad to multiple of 16 */
p = PTR_ALIGN(pos, 8);
if ((uintptr_t)p & 8) {
Reported by FlawFinder.
Line: 3194
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u64 *p;
if (likely(length <= left)) {
memcpy(pos, src, length);
pos += length;
} else {
memcpy(pos, src, left);
memcpy(q->desc, src + left, length - left);
pos = (void *)q->desc + (length - left);
Reported by FlawFinder.
Line: 3197
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(pos, src, length);
pos += length;
} else {
memcpy(pos, src, left);
memcpy(q->desc, src + left, length - left);
pos = (void *)q->desc + (length - left);
}
/* 0-pad to multiple of 16 */
p = PTR_ALIGN(pos, 8);
Reported by FlawFinder.
Line: 3198
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pos += length;
} else {
memcpy(pos, src, left);
memcpy(q->desc, src + left, length - left);
pos = (void *)q->desc + (length - left);
}
/* 0-pad to multiple of 16 */
p = PTR_ALIGN(pos, 8);
if ((uintptr_t)p & 8) {
Reported by FlawFinder.
drivers/misc/habanalabs/goya/goya_hwmgr.c
10 issues
Line: 272
Column: 9
CWE codes:
120
Suggestion:
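Use sprintf_s, snprintf, or vsnprintf [Reviewer note: sprintf_s is not available in kernel code; where buf is the buffer of a device-attribute show callback, the kernel's sysfs_emit() is the bounded alternative.]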
if (!hl_device_operational(hdev, NULL))
return -ENODEV;
return sprintf(buf, "%s\n",
(hdev->pm_mng_profile == PM_AUTO) ? "auto" :
(hdev->pm_mng_profile == PM_MANUAL) ? "manual" :
"unknown");
}
Reported by FlawFinder.
Line: 80
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (value < 0)
return value;
return sprintf(buf, "%lu\n", value);
}
static ssize_t mme_clk_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 129
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (value < 0)
return value;
return sprintf(buf, "%lu\n", value);
}
static ssize_t tpc_clk_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 178
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (value < 0)
return value;
return sprintf(buf, "%lu\n", value);
}
static ssize_t ic_clk_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 227
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (value < 0)
return value;
return sprintf(buf, "%lu\n", value);
}
static ssize_t tpc_clk_curr_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 244
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (value < 0)
return value;
return sprintf(buf, "%lu\n", value);
}
static ssize_t ic_clk_curr_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 261
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (value < 0)
return value;
return sprintf(buf, "%lu\n", value);
}
static ssize_t pm_mng_profile_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 341
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!hl_device_operational(hdev, NULL))
return -ENODEV;
return sprintf(buf, "%u\n", hdev->high_pll);
}
static ssize_t high_pll_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 297
Column: 27
CWE codes:
126
goto unlock_mutex;
}
if (strncmp("auto", buf, strlen("auto")) == 0) {
/* Make sure we are in LOW PLL when changing modes */
if (hdev->pm_mng_profile == PM_MANUAL) {
hdev->curr_pll_profile = PLL_HIGH;
hdev->pm_mng_profile = PM_AUTO;
hl_device_set_frequency(hdev, PLL_LOW);
Reported by FlawFinder.
Line: 304
Column: 36
CWE codes:
126
hdev->pm_mng_profile = PM_AUTO;
hl_device_set_frequency(hdev, PLL_LOW);
}
} else if (strncmp("manual", buf, strlen("manual")) == 0) {
if (hdev->pm_mng_profile == PM_AUTO) {
/* Must release the lock because the work thread also
* takes this lock. But before we release it, set
* the mode to manual so nothing will change if a user
* suddenly opens the device
Reported by FlawFinder.
drivers/net/ethernet/cavium/liquidio/lio_main.c
10 issues
Line: 1702
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
tmp_fw_type = fw_type;
}
sprintf(fw_name, "%s%s%s_%s%s", LIO_FW_DIR, LIO_FW_BASE_NAME,
octeon_get_conf(oct)->card_name, tmp_fw_type,
LIO_FW_NAME_SUFFIX);
ret = request_firmware(&fw, fw_name, &oct->pci_dev->dev);
if (ret) {
Reported by FlawFinder.
Line: 62
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
module_param(debug, int, 0644);
MODULE_PARM_DESC(debug, "NETIF_MSG debug bits");
static char fw_type[LIO_MAX_FW_TYPE_LEN] = LIO_FW_NAME_TYPE_AUTO;
module_param_string(fw_type, fw_type, sizeof(fw_type), 0444);
MODULE_PARM_DESC(fw_type, "Type of firmware to be loaded (default is \"auto\"), which uses firmware in flash, if present, else loads \"nic\".");
static u32 console_bitmask;
module_param(console_bitmask, int, 0644);
Reported by FlawFinder.
Line: 1692
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int ret = 0;
const struct firmware *fw;
char fw_name[LIO_MAX_FW_FILENAME_LEN];
char *tmp_fw_type;
if (fw_type_is_auto()) {
tmp_fw_type = LIO_FW_NAME_TYPE_NIC;
strncpy(fw_type, tmp_fw_type, sizeof(fw_type));
Reported by FlawFinder.
Line: 1965
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mc = &nctrl.udd[0];
netdev_for_each_mc_addr(ha, netdev) {
*mc = 0;
memcpy(((u8 *)mc) + 2, ha->addr, ETH_ALEN);
/* no need to swap bytes */
if (++mc > &nctrl.udd[mc_count])
break;
}
Reported by FlawFinder.
Line: 2010
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nctrl.udd[0] = 0;
/* The MAC Address is presented in network byte order. */
memcpy((u8 *)&nctrl.udd[0] + 2, addr->sa_data, ETH_ALEN);
ret = octnet_send_nic_ctrl_pkt(lio->oct_dev, &nctrl);
if (ret < 0) {
dev_err(&oct->pci_dev->dev, "MAC Address change failed\n");
return -ENOMEM;
Reported by FlawFinder.
Line: 2025
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EIO;
}
memcpy(netdev->dev_addr, addr->sa_data, netdev->addr_len);
memcpy(((u8 *)&lio->linfo.hw_addr) + 2, addr->sa_data, ETH_ALEN);
return 0;
}
Reported by FlawFinder.
Line: 2026
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(netdev->dev_addr, addr->sa_data, netdev->addr_len);
memcpy(((u8 *)&lio->linfo.hw_addr) + 2, addr->sa_data, ETH_ALEN);
return 0;
}
static void
Reported by FlawFinder.
Line: 1697
Column: 3
CWE codes:
120
if (fw_type_is_auto()) {
tmp_fw_type = LIO_FW_NAME_TYPE_NIC;
strncpy(fw_type, tmp_fw_type, sizeof(fw_type));
} else {
tmp_fw_type = fw_type;
}
sprintf(fw_name, "%s%s%s_%s%s", LIO_FW_DIR, LIO_FW_BASE_NAME,
Reported by FlawFinder.
Line: 3451
Column: 7
CWE codes:
126
fw_ver = octeon_dev->fw_info.liquidio_firmware_version;
if (memcmp(LIQUIDIO_BASE_VERSION,
fw_ver,
strlen(LIQUIDIO_BASE_VERSION))) {
dev_err(&octeon_dev->pci_dev->dev,
"Unmatched firmware version. Expected %s.x, got %s.\n",
LIQUIDIO_BASE_VERSION, fw_ver);
WRITE_ONCE(sc->caller_is_done, true);
goto setup_nic_dev_done;
Reported by FlawFinder.
Line: 3465
Column: 24
CWE codes:
126
}
/* extract micro version field; point past '<maj>.<min>.' */
micro_ver = fw_ver + strlen(LIQUIDIO_BASE_VERSION) + 1;
if (kstrtoul(micro_ver, 10, &micro) != 0)
micro = 0;
octeon_dev->fw_info.ver.maj = LIQUIDIO_BASE_MAJOR_VERSION;
octeon_dev->fw_info.ver.min = LIQUIDIO_BASE_MINOR_VERSION;
octeon_dev->fw_info.ver.rev = micro;
Reported by FlawFinder.
drivers/media/pci/cx18/cx18-vbi.c
10 issues
Line: 64
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
linemask[1] |= (1 << (l - 32));
dst[sd + 12 + line * 43] = cx18_service2vbi(sdata->id);
memcpy(dst + sd + 12 + line * 43 + 1, sdata->data, 42);
line++;
}
memcpy(dst, mpeg_hdr_data, sizeof(mpeg_hdr_data));
if (line == 36) {
/* All lines are used, so there is no space for the linemask
Reported by FlawFinder.
Line: 67
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dst + sd + 12 + line * 43 + 1, sdata->data, 42);
line++;
}
memcpy(dst, mpeg_hdr_data, sizeof(mpeg_hdr_data));
if (line == 36) {
/* All lines are used, so there is no space for the linemask
(the max size of the VBI data is 36 * 43 + 4 bytes).
So in this case we use the magic number 'ITV0'. */
memcpy(dst + sd, "ITV0", 4);
Reported by FlawFinder.
Line: 72
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* All lines are used, so there is no space for the linemask
(the max size of the VBI data is 36 * 43 + 4 bytes).
So in this case we use the magic number 'ITV0'. */
memcpy(dst + sd, "ITV0", 4);
memmove(dst + sd + 4, dst + sd + 12, line * 43);
size = 4 + ((43 * line + 3) & ~3);
} else {
memcpy(dst + sd, "itv0", 4);
cpu_to_le32s(&linemask[0]);
Reported by FlawFinder.
Line: 76
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memmove(dst + sd + 4, dst + sd + 12, line * 43);
size = 4 + ((43 * line + 3) & ~3);
} else {
memcpy(dst + sd, "itv0", 4);
cpu_to_le32s(&linemask[0]);
cpu_to_le32s(&linemask[1]);
memcpy(dst + sd + 4, &linemask[0], 8);
size = 12 + ((43 * line + 3) & ~3);
}
Reported by FlawFinder.
Line: 79
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dst + sd, "itv0", 4);
cpu_to_le32s(&linemask[0]);
cpu_to_le32s(&linemask[1]);
memcpy(dst + sd + 4, &linemask[0], 8);
size = 12 + ((43 * line + 3) & ~3);
}
dst[4+16] = (size + 10) >> 8;
dst[5+16] = (size + 10) & 0xff;
dst[9+16] = 0x21 | ((pts_stamp >> 29) & 0x6);
Reported by FlawFinder.
Line: 116
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
if (i == lines - 1) {
/* last line is hdr_size bytes short - extrapolate it */
memcpy(q, p + 4, line_size - 4 - hdr_size);
q += line_size - 4 - hdr_size;
p += line_size - hdr_size - 1;
memset(q, (int) *p, hdr_size);
} else {
memcpy(q, p + 4, line_size - 4);
Reported by FlawFinder.
Line: 121
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p += line_size - hdr_size - 1;
memset(q, (int) *p, hdr_size);
} else {
memcpy(q, p + 4, line_size - 4);
q += line_size - 4;
}
}
return lines * (line_size - 4);
}
Reported by FlawFinder.
Line: 168
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cx->vbi.sliced_data[line].id = vbi.type;
cx->vbi.sliced_data[line].field = vbi.is_second_field;
cx->vbi.sliced_data[line].line = vbi.line;
memcpy(cx->vbi.sliced_data[line].data, vbi.p, 42);
line++;
}
}
return line;
}
Reported by FlawFinder.
Line: 210
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Write the frame # at the last 4 bytes of the frame
*/
p += size - 4;
memcpy(p, &cx->vbi.frame, 4);
cx->vbi.frame++;
return;
}
/* Sliced VBI data with data insertion */
Reported by FlawFinder.
Line: 230
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lines = 1;
}
buf->bytesused = size = lines * sizeof(cx->vbi.sliced_data[0]);
memcpy(p, &cx->vbi.sliced_data[0], size);
if (cx->vbi.insert_mpeg)
copy_vbi_data(cx, lines, pts);
cx->vbi.frame++;
}
Reported by FlawFinder.
drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c
10 issues
Line: 172
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int keylen = (x->aead->alg_key_len + 7) / 8;
unsigned char *key = x->aead->alg_key;
int ck_size, key_ctx_size = 0;
unsigned char ghash_h[AEAD_H_SIZE];
struct crypto_aes_ctx aes;
int ret = 0;
if (keylen > 3) {
keylen -= 4; /* nonce/salt is present in the last 4 bytes */
Reported by FlawFinder.
Line: 178
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (keylen > 3) {
keylen -= 4; /* nonce/salt is present in the last 4 bytes */
memcpy(sa_entry->salt, key + keylen, 4);
}
if (keylen == AES_KEYSIZE_128) {
ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_128;
} else if (keylen == AES_KEYSIZE_192) {
Reported by FlawFinder.
Line: 193
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy(sa_entry->key, key, keylen);
sa_entry->enckey_len = keylen;
key_ctx_size = sizeof(struct _key_ctx) +
((DIV_ROUND_UP(keylen, 16)) << 4) +
AEAD_H_SIZE;
Reported by FlawFinder.
Line: 216
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
aes_encrypt(&aes, ghash_h, ghash_h);
memzero_explicit(&aes, sizeof(aes));
memcpy(sa_entry->key + (DIV_ROUND_UP(sa_entry->enckey_len, 16) *
16), ghash_h, AEAD_H_SIZE);
sa_entry->kctx_len = ((DIV_ROUND_UP(sa_entry->enckey_len, 16)) << 4) +
AEAD_H_SIZE;
out:
return ret;
Reported by FlawFinder.
Line: 444
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
aadiv->spi = (esphdr->spi);
seqlo = ntohl(esphdr->seq_no);
seqno = cpu_to_be64(seqlo + ((u64)xo->seq.hi << 32));
memcpy(aadiv->seq_no, &seqno, 8);
iv = skb_transport_header(skb) + sizeof(struct ip_esp_hdr);
memcpy(aadiv->iv, iv, 8);
if (is_eth_imm(skb, sa_entry) && !skb_is_nonlinear(skb)) {
sc_imm = (struct ulptx_idata *)(pos +
Reported by FlawFinder.
Line: 446
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
seqno = cpu_to_be64(seqlo + ((u64)xo->seq.hi << 32));
memcpy(aadiv->seq_no, &seqno, 8);
iv = skb_transport_header(skb) + sizeof(struct ip_esp_hdr);
memcpy(aadiv->iv, iv, 8);
if (is_eth_imm(skb, sa_entry) && !skb_is_nonlinear(skb)) {
sc_imm = (struct ulptx_idata *)(pos +
(DIV_ROUND_UP(sizeof(struct chcr_ipsec_aadiv),
sizeof(__be64)) << 3));
Reported by FlawFinder.
Line: 532
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy the Key context header */
key_ctx = (struct _key_ctx *)pos;
key_ctx->ctx_hdr = sa_entry->key_ctx_hdr;
memcpy(key_ctx->salt, sa_entry->salt, MAX_SALT);
pos += sizeof(struct _key_ctx);
left -= sizeof(struct _key_ctx);
if (likely(key_len <= left)) {
memcpy(key_ctx->key, sa_entry->key, key_len);
Reported by FlawFinder.
Line: 537
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
left -= sizeof(struct _key_ctx);
if (likely(key_len <= left)) {
memcpy(key_ctx->key, sa_entry->key, key_len);
pos += key_len;
} else {
memcpy(pos, sa_entry->key, left);
memcpy(q->q.desc, sa_entry->key + left,
key_len - left);
Reported by FlawFinder.
Line: 540
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(key_ctx->key, sa_entry->key, key_len);
pos += key_len;
} else {
memcpy(pos, sa_entry->key, left);
memcpy(q->q.desc, sa_entry->key + left,
key_len - left);
pos = (u8 *)q->q.desc + (key_len - left);
}
/* Copy CPL TX PKT XT */
Reported by FlawFinder.
Line: 541
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pos += key_len;
} else {
memcpy(pos, sa_entry->key, left);
memcpy(q->q.desc, sa_entry->key + left,
key_len - left);
pos = (u8 *)q->q.desc + (key_len - left);
}
/* Copy CPL TX PKT XT */
pos = copy_cpltx_pktxt(skb, dev, pos, sa_entry);
Reported by FlawFinder.
drivers/net/ethernet/cisco/enic/enic_main.c
10 issues
Line: 988
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EADDRNOTAVAIL;
}
memcpy(netdev->dev_addr, addr, netdev->addr_len);
return 0;
}
static int enic_set_mac_address_dynamic(struct net_device *netdev, void *p)
Reported by FlawFinder.
Line: 1084
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (is_valid_ether_addr(mac) || is_zero_ether_addr(mac)) {
if (vf == PORT_SELF_VF) {
memcpy(pp->vf_mac, mac, ETH_ALEN);
return 0;
} else {
/*
* For sriov vf's set the mac in hw
*/
Reported by FlawFinder.
Line: 1113
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!port[IFLA_PORT_REQUEST])
return -EOPNOTSUPP;
memcpy(&prev_pp, pp, sizeof(*enic->pp));
memset(pp, 0, sizeof(*enic->pp));
pp->set |= ENIC_SET_REQUEST;
pp->request = nla_get_u8(port[IFLA_PORT_REQUEST]);
Reported by FlawFinder.
Line: 1121
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (port[IFLA_PORT_PROFILE]) {
pp->set |= ENIC_SET_NAME;
memcpy(pp->name, nla_data(port[IFLA_PORT_PROFILE]),
PORT_PROFILE_MAX);
}
if (port[IFLA_PORT_INSTANCE_UUID]) {
pp->set |= ENIC_SET_INSTANCE;
Reported by FlawFinder.
Line: 1127
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (port[IFLA_PORT_INSTANCE_UUID]) {
pp->set |= ENIC_SET_INSTANCE;
memcpy(pp->instance_uuid,
nla_data(port[IFLA_PORT_INSTANCE_UUID]), PORT_UUID_MAX);
}
if (port[IFLA_PORT_HOST_UUID]) {
pp->set |= ENIC_SET_HOST;
Reported by FlawFinder.
Line: 1133
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (port[IFLA_PORT_HOST_UUID]) {
pp->set |= ENIC_SET_HOST;
memcpy(pp->host_uuid,
nla_data(port[IFLA_PORT_HOST_UUID]), PORT_UUID_MAX);
}
if (vf == PORT_SELF_VF) {
/* Special case handling: mac came from IFLA_VF_MAC */
Reported by FlawFinder.
Line: 1140
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (vf == PORT_SELF_VF) {
/* Special case handling: mac came from IFLA_VF_MAC */
if (!is_zero_ether_addr(prev_pp.vf_mac))
memcpy(pp->mac_addr, prev_pp.vf_mac, ETH_ALEN);
if (is_zero_ether_addr(netdev->dev_addr))
eth_hw_addr_random(netdev);
} else {
/* SR-IOV VF: get mac from adapter */
Reported by FlawFinder.
Line: 1150
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vnic_dev_get_mac_addr, pp->mac_addr);
if (err) {
netdev_err(netdev, "Error getting mac for vf %d\n", vf);
memcpy(pp, &prev_pp, sizeof(*pp));
return enic_dev_status_to_errno(err);
}
}
err = enic_process_set_pp_request(enic, vf, &prev_pp, &restore_pp);
Reported by FlawFinder.
Line: 1161
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Things are still the way they were: Implicit
* DISASSOCIATE failed
*/
memcpy(pp, &prev_pp, sizeof(*pp));
} else {
memset(pp, 0, sizeof(*pp));
if (vf == PORT_SELF_VF)
eth_zero_addr(netdev->dev_addr);
}
Reported by FlawFinder.
Line: 1290
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return false;
dma_sync_single_for_cpu(&enic->pdev->dev, buf->dma_addr, len,
DMA_FROM_DEVICE);
memcpy(new_skb->data, (*skb)->data, len);
*skb = new_skb;
return true;
}
Reported by FlawFinder.
drivers/mtd/devices/phram.c
10 issues
Line: 231
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (strnlen(val, sizeof(buf)) >= sizeof(buf))
parse_err("parameter too long\n");
strcpy(str, val);
kill_final_newline(str);
for (i = 0; i < 4; i++)
token[i] = strsep(&str, ",");
Reported by FlawFinder.
Line: 315
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (strlen(val) >= sizeof(phram_paramline))
return -ENOSPC;
strcpy(phram_paramline, val);
return 0;
#endif
}
Reported by FlawFinder.
Line: 65
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u_char *start = mtd->priv;
memcpy(buf, start + from, len);
*retlen = len;
return 0;
}
static int phram_write(struct mtd_info *mtd, loff_t to, size_t len,
Reported by FlawFinder.
Line: 75
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u_char *start = mtd->priv;
memcpy(start + to, buf, len);
*retlen = len;
return 0;
}
static void unregister_devices(void)
Reported by FlawFinder.
Line: 214
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* size and 20 for the erasesize.
* Example: phram.phram=rootfs,0xa0000000,512Mi,65536
*/
static char phram_paramline[64 + 20 + 20 + 20];
#endif
static int phram_setup(const char *val)
{
char buf[64 + 20 + 20 + 20], *str = buf;
Reported by FlawFinder.
Line: 219
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int phram_setup(const char *val)
{
char buf[64 + 20 + 20 + 20], *str = buf;
char *token[4];
char *name;
uint64_t start;
uint64_t len;
uint64_t erasesize = PAGE_SIZE;
Reported by FlawFinder.
Line: 220
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int phram_setup(const char *val)
{
char buf[64 + 20 + 20 + 20], *str = buf;
char *token[4];
char *name;
uint64_t start;
uint64_t len;
uint64_t erasesize = PAGE_SIZE;
uint32_t rem;
Reported by FlawFinder.
Line: 145
Column: 8
CWE codes:
126
int shift = 0;
int ret;
len = strlen(token);
/* By dwmw2 editorial decree, "ki", "Mi" or "Gi" are to be used. */
if (len > 2) {
if (token[len - 1] == 'i') {
switch (token[len - 2]) {
case 'G':
Reported by FlawFinder.
Line: 177
Column: 8
CWE codes:
126
size_t len;
char *name;
len = strlen(token) + 1;
if (len > 64)
return -ENOSPC;
name = kstrdup(token, GFP_KERNEL);
if (!name)
Reported by FlawFinder.
Line: 313
Column: 6
CWE codes:
126
* phram_setup().
*/
if (strlen(val) >= sizeof(phram_paramline))
return -ENOSPC;
strcpy(phram_paramline, val);
return 0;
#endif
Reported by FlawFinder.
drivers/mmc/core/sd.c
10 issues
Line: 97
CWE codes:
758
card->cid.prod_name[4] = UNSTUFF_BITS(resp, 64, 8);
card->cid.hwrev = UNSTUFF_BITS(resp, 60, 4);
card->cid.fwrev = UNSTUFF_BITS(resp, 56, 4);
card->cid.serial = UNSTUFF_BITS(resp, 24, 32);
card->cid.year = UNSTUFF_BITS(resp, 12, 8);
card->cid.month = UNSTUFF_BITS(resp, 8, 4);
card->cid.year += 2000; /* SD cards year offset */
}
Reported by Cppcheck.
Line: 97
CWE codes:
190
card->cid.prod_name[4] = UNSTUFF_BITS(resp, 64, 8);
card->cid.hwrev = UNSTUFF_BITS(resp, 60, 4);
card->cid.fwrev = UNSTUFF_BITS(resp, 56, 4);
card->cid.serial = UNSTUFF_BITS(resp, 24, 32);
card->cid.year = UNSTUFF_BITS(resp, 12, 8);
card->cid.month = UNSTUFF_BITS(resp, 8, 4);
card->cid.year += 2000; /* SD cards year offset */
}
Reported by Cppcheck.
Line: 739
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -ENODATA; \
if (!card->info[num-1][0]) \
return 0; \
return sprintf(buf, "%s\n", card->info[num-1]); \
} \
static DEVICE_ATTR_RO(info##num)
sdio_info_attr(1);
sdio_info_attr(2);
Reported by FlawFinder.
Line: 718
Column: 23
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct mmc_host *host = card->host;
if (card->csd.dsr_imp && host->dsr_req)
return sprintf(buf, "0x%x\n", host->dsr);
else
/* return default DSR value */
return sprintf(buf, "0x%x\n", 0x404);
}
Reported by FlawFinder.
Line: 721
Column: 23
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return sprintf(buf, "0x%x\n", host->dsr);
else
/* return default DSR value */
return sprintf(buf, "0x%x\n", 0x404);
}
static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL);
MMC_DEV_ATTR(vendor, "0x%04x\n", card->cis.vendor);
Reported by FlawFinder.
Line: 1196
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EFAULT;
/* Standard Function Code */
memcpy(&sfc, &gen_info_buf[ext], 2);
/* Address to the next extension. */
memcpy(next_ext_addr, &gen_info_buf[ext + 40], 2);
/* Number of registers for this extension. */
Reported by FlawFinder.
Line: 1199
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&sfc, &gen_info_buf[ext], 2);
/* Address to the next extension. */
memcpy(next_ext_addr, &gen_info_buf[ext + 40], 2);
/* Number of registers for this extension. */
num_regs = gen_info_buf[ext + 42];
/* We support only one register per extension. */
Reported by FlawFinder.
Line: 1209
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
/* Extension register address. */
memcpy(&reg_addr, &gen_info_buf[ext + 44], 4);
/* 9 bits (0 to 8) contains the offset address. */
offset = reg_addr & 0x1ff;
/* 8 bits (9 to 16) contains the page number. */
Reported by FlawFinder.
Line: 1259
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* General info structure revision. */
memcpy(&rev, &gen_info_buf[0], 2);
/* Length of general info in bytes. */
memcpy(&len, &gen_info_buf[2], 2);
/* Number of extensions to be find. */
Reported by FlawFinder.
Line: 1262
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&rev, &gen_info_buf[0], 2);
/* Length of general info in bytes. */
memcpy(&len, &gen_info_buf[2], 2);
/* Number of extensions to be find. */
num_ext = gen_info_buf[4];
/* We support revision 0, but limit it to 512 bytes for simplicity. */
Reported by FlawFinder.
drivers/mmc/host/dw_mmc.c
10 issues
Line: 2184
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* push final bytes to part_buf, only use during push */
/*
 * Store cnt bytes from buf at the start of host->part_buf and record cnt in
 * host->part_buf_count.
 *
 * No bound on cnt is checked in this function.
 * NOTE(review): cnt is a signed int handed to memcpy() as a size, so a
 * negative value would convert to a very large length. Presumably callers
 * keep it within 0 .. sizeof(host->part_buf); confirm at the call sites.
 */
static void dw_mci_set_part_bytes(struct dw_mci *host, void *buf, int cnt)
{
/* Destination is the part_buf field itself, starting at its first byte. */
memcpy((void *)&host->part_buf, buf, cnt);
host->part_buf_count = cnt;
}
/* append bytes to part_buf, only use during push */
static int dw_mci_push_part_bytes(struct dw_mci *host, void *buf, int cnt)
Reported by FlawFinder.
Line: 2192
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Append up to cnt bytes from buf to host->part_buf, after the
 * host->part_buf_count bytes already held there.
 *
 * Returns the number of bytes actually copied, which may be less than the
 * cnt requested.
 * NOTE(review): the clamp below bounds the copy only if
 * (1 << host->data_shift) does not exceed sizeof(host->part_buf) and
 * part_buf_count never exceeds that value (otherwise the clamped cnt goes
 * negative); neither is visible here, so confirm both.
 */
static int dw_mci_push_part_bytes(struct dw_mci *host, void *buf, int cnt)
{
/* Limit cnt to (1 << data_shift) minus what part_buf already holds. */
cnt = min(cnt, (1 << host->data_shift) - host->part_buf_count);
/* Arithmetic on void * (GNU C) advances byte-wise to the first free byte. */
memcpy((void *)&host->part_buf + host->part_buf_count, buf, cnt);
host->part_buf_count += cnt;
return cnt;
}
/* pull first bytes from part_buf, only use during pull */
Reported by FlawFinder.
Line: 2202
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
cnt = min_t(int, cnt, host->part_buf_count);
if (cnt) {
memcpy(buf, (void *)&host->part_buf + host->part_buf_start,
cnt);
host->part_buf_count -= cnt;
host->part_buf_start += cnt;
}
return cnt;
Reported by FlawFinder.
Line: 2213
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* pull final bytes from the part_buf, assuming it's just been filled */
/*
 * Copy the first cnt bytes of host->part_buf into buf, then set
 * part_buf_start to cnt and part_buf_count to (1 << host->data_shift) - cnt.
 *
 * No bound on cnt is checked in this function, and the size of the caller's
 * buf is not visible here.
 * NOTE(review): presumably callers pass 0 <= cnt <= (1 << host->data_shift)
 * and a buf with at least cnt bytes of room; a larger cnt would read past
 * part_buf and leave part_buf_count negative. Confirm at the call sites.
 */
static void dw_mci_pull_final_bytes(struct dw_mci *host, void *buf, int cnt)
{
memcpy(buf, &host->part_buf, cnt);
/* Bytes before part_buf_start have now been handed to the caller. */
host->part_buf_start = cnt;
host->part_buf_count = (1 << host->data_shift) - cnt;
}
static void dw_mci_push_data16(struct dw_mci *host, void *buf, int cnt)
Reported by FlawFinder.
Line: 2242
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int items = len >> 1;
int i;
/* memcpy from input buffer into aligned buffer */
memcpy(aligned_buf, buf, len);
buf += len;
cnt -= len;
/* push data from aligned buffer into fifo */
for (i = 0; i < items; ++i)
mci_fifo_writew(host->fifo_reg, aligned_buf[i]);
Reported by FlawFinder.
Line: 2282
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < items; ++i)
aligned_buf[i] = mci_fifo_readw(host->fifo_reg);
/* memcpy from aligned buffer into output buffer */
memcpy(buf, aligned_buf, len);
buf += len;
cnt -= len;
}
} else
#endif
Reported by FlawFinder.
Line: 2325
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int items = len >> 2;
int i;
/* memcpy from input buffer into aligned buffer */
memcpy(aligned_buf, buf, len);
buf += len;
cnt -= len;
/* push data from aligned buffer into fifo */
for (i = 0; i < items; ++i)
mci_fifo_writel(host->fifo_reg, aligned_buf[i]);
Reported by FlawFinder.
Line: 2365
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < items; ++i)
aligned_buf[i] = mci_fifo_readl(host->fifo_reg);
/* memcpy from aligned buffer into output buffer */
memcpy(buf, aligned_buf, len);
buf += len;
cnt -= len;
}
} else
#endif
Reported by FlawFinder.
Line: 2409
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int items = len >> 3;
int i;
/* memcpy from input buffer into aligned buffer */
memcpy(aligned_buf, buf, len);
buf += len;
cnt -= len;
/* push data from aligned buffer into fifo */
for (i = 0; i < items; ++i)
mci_fifo_writeq(host->fifo_reg, aligned_buf[i]);
Reported by FlawFinder.
Line: 2450
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
aligned_buf[i] = mci_fifo_readq(host->fifo_reg);
/* memcpy from aligned buffer into output buffer */
memcpy(buf, aligned_buf, len);
buf += len;
cnt -= len;
}
} else
#endif
Reported by FlawFinder.
drivers/media/pci/cx23885/cimax2.c
10 issues
Line: 135
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
buffer[0] = reg;
memcpy(&buffer[1], buf, len);
ret = i2c_transfer(i2c_adap, &msg, 1);
if (ret != 1) {
ci_dbg_print("%s: i2c write error, Reg=[0x%02x], Status=%d\n",
Reported by FlawFinder.
Line: 399
Column: 24
CWE codes:
362
}
int netup_poll_ci_slot_status(struct dvb_ca_en50221 *en50221,
int slot, int open)
{
struct netup_ci_state *state = en50221->data;
if (0 != slot)
return -EINVAL;
Reported by FlawFinder.
Line: 406
Column: 28
CWE codes:
362
if (0 != slot)
return -EINVAL;
netup_ci_set_irq(en50221, open ? (NETUP_IRQ_DETAM | ci_irq_flags())
: NETUP_IRQ_DETAM);
return state->status;
}
Reported by FlawFinder.
Line: 168
Column: 17
CWE codes:
120
20
}
static int netup_ci_op_cam(struct dvb_ca_en50221 *en50221, int slot,
u8 flag, u8 read, int addr, u8 data)
{
struct netup_ci_state *state = en50221->data;
struct cx23885_tsport *port = state->priv;
struct cx23885_dev *dev = port->dev;
Reported by FlawFinder.
Line: 208
Column: 6
CWE codes:
120
20
NETUP_ADHI | (0xff & (addr >> 8)));
cx_clear(MC417_RWD, NETUP_ADHI);
if (read) { /* data in */
cx_write(MC417_OEN, NETUP_EN_ALL | NETUP_DATA);
} else /* data out */
cx_write(MC417_RWD, NETUP_CTRL_OFF | data);
/* choose chip */
Reported by FlawFinder.
Line: 217
Column: 23
CWE codes:
120
20
cx_clear(MC417_RWD,
(state->ci_i2c_addr == 0x40) ? NETUP_CS0 : NETUP_CS1);
/* read/write */
cx_clear(MC417_RWD, (read) ? NETUP_RD : NETUP_WR);
mem = netup_ci_get_mem(dev);
mutex_unlock(&dev->gpio_lock);
if (!read)
Reported by FlawFinder.
Line: 222
Column: 7
CWE codes:
120
20
mutex_unlock(&dev->gpio_lock);
if (!read)
if (mem < 0)
return -EREMOTEIO;
ci_dbg_print("%s: %s: chipaddr=[0x%x] addr=[0x%02x], %s=%x\n", __func__,
(read) ? "read" : "write", state->ci_i2c_addr, addr,
Reported by FlawFinder.
Line: 227
Column: 5
CWE codes:
120
20
return -EREMOTEIO;
ci_dbg_print("%s: %s: chipaddr=[0x%x] addr=[0x%02x], %s=%x\n", __func__,
(read) ? "read" : "write", state->ci_i2c_addr, addr,
(flag == NETUP_CI_CTL) ? "ctl" : "mem",
(read) ? mem : data);
if (read)
return mem;
Reported by FlawFinder.
Line: 229
Column: 5
CWE codes:
120
20
ci_dbg_print("%s: %s: chipaddr=[0x%x] addr=[0x%02x], %s=%x\n", __func__,
(read) ? "read" : "write", state->ci_i2c_addr, addr,
(flag == NETUP_CI_CTL) ? "ctl" : "mem",
(read) ? mem : data);
if (read)
return mem;
return 0;
Reported by FlawFinder.