The following issues were found (FlawFinder pattern matches; each one still needs manual triage against the surrounding code):
drivers/net/bonding/bond_options.c
10 issues
Line: 1197
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* Compare the requested name with this slave's device name, at most IFNAMSIZ bytes. */
if (strncmp(slave->dev->name, primary, IFNAMSIZ) == 0) {
slave_dbg(bond->dev, slave->dev, "Setting as primary slave\n");
rcu_assign_pointer(bond->primary_slave, slave);
/*
 * NOTE(review): strcpy() has no length limit. The source here is the
 * device's own name, not the caller-supplied `primary` string, so the
 * copy stays in bounds only if bond->params.primary is at least as large
 * as slave->dev->name and the name is NUL-terminated. Neither declaration
 * is visible in this excerpt (both are presumably IFNAMSIZ bytes -
 * confirm). A bounded copy such as strscpy(dst, src, sizeof(dst)) would
 * make the limit explicit and silence the finding.
 */
strcpy(bond->params.primary, slave->dev->name);
bond->force_primary = true;
bond_select_active_slave(bond);
goto out;
}
}
Reported by FlawFinder.
Line: 512
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct bond_opt_value *bond_opt_parse(const struct bond_option *opt,
struct bond_opt_value *val)
{
char *p, valstr[BOND_OPT_MAX_NAMELEN + 1] = { 0, };
const struct bond_opt_value *tbl;
const struct bond_opt_value *ret = NULL;
bool checkval;
int i, rv;
Reported by FlawFinder.
Line: 826
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Start of bond_option_active_slave_set(); the body continues past this
 * excerpt. The lines shown read one whitespace-delimited token from
 * newval->string into the local ifname buffer.
 */
static int bond_option_active_slave_set(struct bonding *bond,
const struct bond_opt_value *newval)
{
char ifname[IFNAMSIZ] = { 0, };
struct net_device *slave_dev;
int ret = 0;
/*
 * "%15s" stores at most 15 characters plus the terminating NUL (16 bytes),
 * which fits ifname only while IFNAMSIZ >= 16. The width is a hand-written
 * literal tied to IFNAMSIZ by the trailing comment alone - confirm against
 * the definition. The return value is ignored; because ifname is
 * zero-initialised above, strlen() below still sees a terminated string
 * when nothing was converted.
 */
sscanf(newval->string, "%15s", ifname); /* IFNAMSIZ */
if (!strlen(ifname) || newval->string[0] == '\n') {
Reported by FlawFinder.
Line: 1421
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Start of bond_option_slaves_set(); the body continues past this excerpt.
 * The lines shown read one token from newval->string into `command`.
 */
static int bond_option_slaves_set(struct bonding *bond,
const struct bond_opt_value *newval)
{
char command[IFNAMSIZ + 1] = { 0, };
struct net_device *dev;
char *ifname;
int ret;
/*
 * "%16s" stores at most 16 characters plus NUL (17 bytes); command is
 * IFNAMSIZ + 1 bytes, so this is in bounds only while IFNAMSIZ >= 16.
 * The literal width is not derived from IFNAMSIZ - confirm the two stay
 * in sync. command is zero-initialised, so it is terminated even if
 * sscanf() converts nothing.
 */
sscanf(newval->string, "%16s", command); /* IFNAMSIZ*/
Reported by FlawFinder.
Line: 541
Column: 9
CWE codes:
120
Suggestion:
Check that the limit is sufficiently small, or use a different input function
* and sets checkval appropriately
*/
if (*p) {
/*
 * "%32s" can store 32 characters plus NUL (33 bytes). valstr is declared
 * at the top of the function as char[BOND_OPT_MAX_NAMELEN + 1], so this
 * is in bounds only while BOND_OPT_MAX_NAMELEN >= 32. The constant's
 * value is not shown in this report - confirm, since the width is a
 * hard-coded literal rather than derived from the macro.
 */
rv = sscanf(val->string, "%32s", valstr);
} else {
/* assumes val->value is a 64-bit unsigned type matching "%llu" - TODO confirm */
rv = sscanf(val->string, "%llu", &val->value);
checkval = true;
}
if (!rv)
Reported by FlawFinder.
Line: 830
Column: 2
CWE codes:
120
Suggestion:
Check that the limit is sufficiently small, or use a different input function
struct net_device *slave_dev;
int ret = 0;
sscanf(newval->string, "%15s", ifname); /* IFNAMSIZ */
if (!strlen(ifname) || newval->string[0] == '\n') {
slave_dev = NULL;
} else {
slave_dev = __dev_get_by_name(dev_net(bond->dev), ifname);
if (!slave_dev)
Reported by FlawFinder.
Line: 831
Column: 7
CWE codes:
126
int ret = 0;
sscanf(newval->string, "%15s", ifname); /* IFNAMSIZ */
if (!strlen(ifname) || newval->string[0] == '\n') {
slave_dev = NULL;
} else {
slave_dev = __dev_get_by_name(dev_net(bond->dev), ifname);
if (!slave_dev)
return -ENODEV;
Reported by FlawFinder.
Line: 1185
Column: 7
CWE codes:
126
if (p)
*p = '\0';
/* check to see if we are clearing primary */
if (!strlen(primary)) {
netdev_dbg(bond->dev, "Setting primary slave to None\n");
RCU_INIT_POINTER(bond->primary_slave, NULL);
memset(bond->params.primary, 0, sizeof(bond->params.primary));
bond_select_active_slave(bond);
goto out;
Reported by FlawFinder.
Line: 1426
Column: 2
CWE codes:
120
Suggestion:
Check that the limit is sufficiently small, or use a different input function
char *ifname;
int ret;
sscanf(newval->string, "%16s", command); /* IFNAMSIZ*/
/* The interface name is everything after the leading '+' / '-' sign. */
ifname = command + 1;
/*
 * Reject an empty token or a bare sign (length <= 1), a token that does
 * not start with '+' or '-', and any name dev_valid_name() refuses.
 * The name is therefore validated before it is used further.
 */
if ((strlen(command) <= 1) ||
(command[0] != '+' && command[0] != '-') ||
!dev_valid_name(ifname))
goto err_no_cmd;
Reported by FlawFinder.
Line: 1428
Column: 7
CWE codes:
126
sscanf(newval->string, "%16s", command); /* IFNAMSIZ*/
ifname = command + 1;
if ((strlen(command) <= 1) ||
(command[0] != '+' && command[0] != '-') ||
!dev_valid_name(ifname))
goto err_no_cmd;
dev = __dev_get_by_name(dev_net(bond->dev), ifname);
Reported by FlawFinder.
drivers/mtd/devices/block2mtd.c
10 issues
Line: 395
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return 0;
}
/*
 * NOTE(review): strcpy() is unbounded. str points at the local buf, which
 * the declarations show as char[80 + 12 + 80 + 8]. The `return 0; }` just
 * above is the tail of a check whose condition is outside this excerpt -
 * confirm that it rejects any val that does not fit in buf including the
 * terminating NUL. If it does, the copy is safe and the finding is a
 * false positive; a bounded copy would still make that visible locally.
 */
strcpy(str, val);
kill_final_newline(str);
/* Split the parameter line on commas into at most two tokens. */
for (i = 0; i < 2; i++)
token[i] = strsep(&str, ",");
Reported by FlawFinder.
Line: 121
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (IS_ERR(page))
return PTR_ERR(page);
/*
 * Copy cpylen bytes out of the mapped page, starting at `offset`, into
 * the caller's buffer. How cpylen is computed is outside this excerpt -
 * confirm it is clamped both to the remaining request length and to the
 * space left in the page after `offset`, so the read cannot run past the
 * page and the write cannot run past buf.
 */
memcpy(buf, page_address(page) + offset, cpylen);
put_page(page);
if (retlen)
*retlen += cpylen;
buf += cpylen;
Reported by FlawFinder.
Line: 157
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (memcmp(page_address(page)+offset, buf, cpylen)) {
lock_page(page);
memcpy(page_address(page) + offset, buf, cpylen);
set_page_dirty(page);
unlock_page(page);
balance_dirty_pages_ratelimited(mapping);
}
put_page(page);
Reported by FlawFinder.
Line: 376
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifndef MODULE
static int block2mtd_init_called = 0;
/* 80 for device, 12 for erase size */
static char block2mtd_paramline[80 + 12];
#endif
static int block2mtd_setup2(const char *val)
{
/* 80 for device, 12 for erase size, 80 for name, 8 for timeout */
Reported by FlawFinder.
Line: 382
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int block2mtd_setup2(const char *val)
{
/* 80 for device, 12 for erase size, 80 for name, 8 for timeout */
char buf[80 + 12 + 80 + 8];
char *str = buf;
char *token[2];
char *name;
size_t erase_size = PAGE_SIZE;
unsigned long timeout = MTD_DEFAULT_TIMEOUT;
Reported by FlawFinder.
Line: 384
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 80 for device, 12 for erase size, 80 for name, 8 for timeout */
char buf[80 + 12 + 80 + 8];
char *str = buf;
char *token[2];
char *name;
size_t erase_size = PAGE_SIZE;
unsigned long timeout = MTD_DEFAULT_TIMEOUT;
int i, ret;
Reported by FlawFinder.
Line: 308
Column: 19
CWE codes:
126
list_add(&dev->list, &blkmtd_device_list);
pr_info("mtd%d: [%s] erase_size = %dKiB [%d]\n",
dev->mtd.index,
dev->mtd.name + strlen("block2mtd: "),
dev->mtd.erasesize >> 10, dev->mtd.erasesize);
return dev;
err_destroy_mutex:
mutex_destroy(&dev->write_mutex);
Reported by FlawFinder.
Line: 412
Column: 6
CWE codes:
126
}
name = token[0];
/*
 * Enforce the 80-byte device-name budget (including the NUL). strlen()
 * is flagged as CWE-126, but name points into the local, NUL-terminated
 * copy of the parameter string, so it cannot read past the terminator.
 * assumes token[0] is non-NULL at this point - TODO confirm against the
 * checks between the strsep() loop and this line.
 */
if (strlen(name) + 1 > 80) {
pr_err("device name too long\n");
return 0;
}
if (token[1]) {
Reported by FlawFinder.
Line: 466
Column: 6
CWE codes:
126
int ret = 0;
#ifndef MODULE
if (strlen(block2mtd_paramline))
ret = block2mtd_setup2(block2mtd_paramline);
block2mtd_init_called = 1;
#endif
return ret;
Reported by FlawFinder.
Line: 487
Column: 20
CWE codes:
126
mutex_destroy(&dev->write_mutex);
pr_info("mtd%d: [%s] removed\n",
dev->mtd.index,
dev->mtd.name + strlen("block2mtd: "));
list_del(&dev->list);
block2mtd_free_device(dev);
}
}
Reported by FlawFinder.
drivers/rapidio/devices/tsi721.c
10 issues
Line: 772
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
* Copy MSI-X vector information into tsi721 private structure
*/
priv->msix[TSI721_VECT_IDB].vector = entries[TSI721_VECT_IDB].vector;
/*
 * The format argument is DRV_NAME pasted onto a string literal by
 * adjacent-literal concatenation, so it is fixed at compile time; the
 * only run-time data, pci_name(), is passed as a "%s" argument and never
 * as the format. FlawFinder's CWE-134 hit fires because the format is
 * not a single literal token. It would matter only if DRV_NAME itself
 * contained a '%' (its definition is not shown in this excerpt).
 * snprintf() truncates at IRQ_DEVICE_NAME_MAX; that this equals the size
 * of irq_name is assumed - confirm against the struct declaration.
 */
snprintf(priv->msix[TSI721_VECT_IDB].irq_name, IRQ_DEVICE_NAME_MAX,
DRV_NAME "-idb@pci:%s", pci_name(priv->pdev));
priv->msix[TSI721_VECT_PWRX].vector = entries[TSI721_VECT_PWRX].vector;
/* Same pattern as above: compile-time format, device name as argument. */
snprintf(priv->msix[TSI721_VECT_PWRX].irq_name, IRQ_DEVICE_NAME_MAX,
DRV_NAME "-pwrx@pci:%s", pci_name(priv->pdev));
Reported by FlawFinder.
Line: 775
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
snprintf(priv->msix[TSI721_VECT_IDB].irq_name, IRQ_DEVICE_NAME_MAX,
DRV_NAME "-idb@pci:%s", pci_name(priv->pdev));
priv->msix[TSI721_VECT_PWRX].vector = entries[TSI721_VECT_PWRX].vector;
snprintf(priv->msix[TSI721_VECT_PWRX].irq_name, IRQ_DEVICE_NAME_MAX,
DRV_NAME "-pwrx@pci:%s", pci_name(priv->pdev));
for (i = 0; i < RIO_MAX_MBOX; i++) {
priv->msix[TSI721_VECT_IMB0_RCV + i].vector =
entries[TSI721_VECT_IMB0_RCV + i].vector;
Reported by FlawFinder.
Line: 781
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
for (i = 0; i < RIO_MAX_MBOX; i++) {
priv->msix[TSI721_VECT_IMB0_RCV + i].vector =
entries[TSI721_VECT_IMB0_RCV + i].vector;
snprintf(priv->msix[TSI721_VECT_IMB0_RCV + i].irq_name,
IRQ_DEVICE_NAME_MAX, DRV_NAME "-imbr%d@pci:%s",
i, pci_name(priv->pdev));
priv->msix[TSI721_VECT_IMB0_INT + i].vector =
entries[TSI721_VECT_IMB0_INT + i].vector;
Reported by FlawFinder.
Line: 787
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
priv->msix[TSI721_VECT_IMB0_INT + i].vector =
entries[TSI721_VECT_IMB0_INT + i].vector;
snprintf(priv->msix[TSI721_VECT_IMB0_INT + i].irq_name,
IRQ_DEVICE_NAME_MAX, DRV_NAME "-imbi%d@pci:%s",
i, pci_name(priv->pdev));
priv->msix[TSI721_VECT_OMB0_DONE + i].vector =
entries[TSI721_VECT_OMB0_DONE + i].vector;
Reported by FlawFinder.
Line: 793
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
priv->msix[TSI721_VECT_OMB0_DONE + i].vector =
entries[TSI721_VECT_OMB0_DONE + i].vector;
snprintf(priv->msix[TSI721_VECT_OMB0_DONE + i].irq_name,
IRQ_DEVICE_NAME_MAX, DRV_NAME "-ombd%d@pci:%s",
i, pci_name(priv->pdev));
priv->msix[TSI721_VECT_OMB0_INT + i].vector =
entries[TSI721_VECT_OMB0_INT + i].vector;
Reported by FlawFinder.
Line: 799
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
priv->msix[TSI721_VECT_OMB0_INT + i].vector =
entries[TSI721_VECT_OMB0_INT + i].vector;
snprintf(priv->msix[TSI721_VECT_OMB0_INT + i].irq_name,
IRQ_DEVICE_NAME_MAX, DRV_NAME "-ombi%d@pci:%s",
i, pci_name(priv->pdev));
}
#ifdef CONFIG_RAPIDIO_DMA_ENGINE
Reported by FlawFinder.
Line: 808
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
for (i = 0; i < TSI721_DMA_CHNUM; i++) {
priv->msix[TSI721_VECT_DMA0_DONE + i].vector =
entries[TSI721_VECT_DMA0_DONE + i].vector;
snprintf(priv->msix[TSI721_VECT_DMA0_DONE + i].irq_name,
IRQ_DEVICE_NAME_MAX, DRV_NAME "-dmad%d@pci:%s",
i, pci_name(priv->pdev));
priv->msix[TSI721_VECT_DMA0_INT + i].vector =
entries[TSI721_VECT_DMA0_INT + i].vector;
Reported by FlawFinder.
Line: 814
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
priv->msix[TSI721_VECT_DMA0_INT + i].vector =
entries[TSI721_VECT_DMA0_INT + i].vector;
snprintf(priv->msix[TSI721_VECT_DMA0_INT + i].irq_name,
IRQ_DEVICE_NAME_MAX, DRV_NAME "-dmai%d@pci:%s",
i, pci_name(priv->pdev));
}
#endif /* CONFIG_RAPIDIO_DMA_ENGINE */
Reported by FlawFinder.
Line: 1684
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tx_slot = priv->omsg_ring[mbox].tx_slot;
/*
 * Copy the message into the transfer buffer.
 * NOTE(review): the destination is the per-slot buffer omq_base[tx_slot]
 * and the length is the caller-supplied len. Any upper-bound check on len
 * and any range check on mbox / tx_slot are outside this excerpt -
 * confirm len is limited to the slot size before this point.
 */
memcpy(priv->omsg_ring[mbox].omq_base[tx_slot], buffer, len);
if (len & 0x7)
len += 8;
/* Build descriptor associated with buffer */
Reported by FlawFinder.
Line: 2482
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* A size of 0 is treated as the maximum message size. */
if (msg_size == 0)
msg_size = RIO_MAX_MSG_SIZE;
/*
 * NOTE(review): buf must be able to hold up to RIO_MAX_MSG_SIZE bytes.
 * Where msg_size is read from, and whether non-zero values are capped at
 * RIO_MAX_MSG_SIZE, is not visible in this excerpt - confirm, since a
 * larger value would overrun both rx_virt and buf.
 */
memcpy(buf, rx_virt, msg_size);
priv->imsg_ring[mbox].imq_base[rx_slot] = NULL;
desc->msg_info &= cpu_to_le32(~TSI721_IMD_HO);
/* Advance the descriptor read pointer, wrapping at the ring size. */
if (++priv->imsg_ring[mbox].desc_rdptr == priv->imsg_ring[mbox].size)
priv->imsg_ring[mbox].desc_rdptr = 0;
Reported by FlawFinder.
drivers/scsi/lpfc/lpfc.h
10 issues
Line: 326
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define LPFC_VMID_REQ_REGISTER 0x2
#define LPFC_VMID_REGISTERED 0x4
#define LPFC_VMID_DE_REGISTER 0x8
char host_vmid[LPFC_MAX_VMID_SIZE];
union lpfc_vmid_io_tag un;
struct hlist_node hnode;
u64 io_rd_cnt;
u64 io_wr_cnt;
u8 vmid_len;
Reported by FlawFinder.
Line: 725
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define DBG_LOG_SZ 256
/*
 * One debug-log entry: a fixed-size text buffer plus t_ns (presumably a
 * nanosecond timestamp - confirm). The array is sized by DBG_LOG_STR_SZ,
 * which is a different macro from DBG_LOG_SZ above and is not defined in
 * this excerpt. FlawFinder flags the declaration itself (CWE-119/120);
 * the declaration is not a defect, but every writer into `log` has to
 * bound its output with sizeof(log).
 */
struct dbg_log_ent {
char log[DBG_LOG_STR_SZ];
u64 t_ns;
};
enum lpfc_irq_chann_mode {
/* Assign IRQs to all possible cpus that have hardware queues */
Reported by FlawFinder.
Line: 1089
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint32_t *hbq_get; /* Host mem address of HBQ get ptrs */
int brd_no; /* FC board number */
char SerialNumber[32]; /* adapter Serial Number */
char OptionROMVersion[32]; /* adapter BIOS / Fcode version */
char BIOSVersion[16]; /* Boot BIOS version */
char ModelDesc[256]; /* Model Description */
char ModelName[80]; /* Model Name */
char ProgramType[256]; /* Program Type */
Reported by FlawFinder.
Line: 1090
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int brd_no; /* FC board number */
char SerialNumber[32]; /* adapter Serial Number */
char OptionROMVersion[32]; /* adapter BIOS / Fcode version */
char BIOSVersion[16]; /* Boot BIOS version */
char ModelDesc[256]; /* Model Description */
char ModelName[80]; /* Model Name */
char ProgramType[256]; /* Program Type */
char Port[20]; /* Port No */
Reported by FlawFinder.
Line: 1091
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int brd_no; /* FC board number */
char SerialNumber[32]; /* adapter Serial Number */
char OptionROMVersion[32]; /* adapter BIOS / Fcode version */
char BIOSVersion[16]; /* Boot BIOS version */
char ModelDesc[256]; /* Model Description */
char ModelName[80]; /* Model Name */
char ProgramType[256]; /* Program Type */
char Port[20]; /* Port No */
uint8_t vpd_flag; /* VPD data flag */
Reported by FlawFinder.
Line: 1092
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char SerialNumber[32]; /* adapter Serial Number */
char OptionROMVersion[32]; /* adapter BIOS / Fcode version */
char BIOSVersion[16]; /* Boot BIOS version */
char ModelDesc[256]; /* Model Description */
char ModelName[80]; /* Model Name */
char ProgramType[256]; /* Program Type */
char Port[20]; /* Port No */
uint8_t vpd_flag; /* VPD data flag */
Reported by FlawFinder.
Line: 1093
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char OptionROMVersion[32]; /* adapter BIOS / Fcode version */
char BIOSVersion[16]; /* Boot BIOS version */
char ModelDesc[256]; /* Model Description */
char ModelName[80]; /* Model Name */
char ProgramType[256]; /* Program Type */
char Port[20]; /* Port No */
uint8_t vpd_flag; /* VPD data flag */
#define VPD_MODEL_DESC 0x1 /* valid vpd model description */
Reported by FlawFinder.
Line: 1094
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char BIOSVersion[16]; /* Boot BIOS version */
char ModelDesc[256]; /* Model Description */
char ModelName[80]; /* Model Name */
char ProgramType[256]; /* Program Type */
char Port[20]; /* Port No */
uint8_t vpd_flag; /* VPD data flag */
#define VPD_MODEL_DESC 0x1 /* valid vpd model description */
#define VPD_MODEL_NAME 0x2 /* valid vpd model name */
Reported by FlawFinder.
Line: 1095
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char ModelDesc[256]; /* Model Description */
char ModelName[80]; /* Model Name */
char ProgramType[256]; /* Program Type */
char Port[20]; /* Port No */
uint8_t vpd_flag; /* VPD data flag */
#define VPD_MODEL_DESC 0x1 /* valid vpd model description */
#define VPD_MODEL_NAME 0x2 /* valid vpd model name */
#define VPD_PROGRAM_TYPE 0x4 /* valid vpd program type */
Reported by FlawFinder.
Line: 1355
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define LPFC_POLL_FASTPATH 0 /* called from fastpath */
#define LPFC_POLL_SLOWPATH 1 /* called from slowpath */
char os_host_name[MAXHOSTNAMELEN];
/* SCSI host template information - for physical port */
struct scsi_host_template port_template;
/* SCSI host template information - for all vports */
struct scsi_host_template vport_template;
Reported by FlawFinder.
drivers/scsi/isci/request.c
10 issues
Line: 178
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd_iu = &ireq->ssp.cmd;
memcpy(cmd_iu->LUN, task->ssp_task.LUN, 8);
cmd_iu->add_cdb_len = 0;
cmd_iu->_r_a = 0;
cmd_iu->_r_b = 0;
cmd_iu->en_fburst = 0; /* unsupported */
cmd_iu->task_prio = task->ssp_task.task_prio;
Reported by FlawFinder.
Line: 201
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(task_iu, 0, sizeof(struct ssp_task_iu));
memcpy(task_iu->LUN, task->ssp_task.LUN, 8);
task_iu->task_func = isci_tmf->tmf_code;
task_iu->task_tag =
(test_bit(IREQ_TMF, &ireq->flags)) ?
isci_tmf->io_tag :
Reported by FlawFinder.
Line: 988
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
SSP_RESP_IU_MAX_SIZE,
be32_to_cpu(ssp_response->response_data_len));
memcpy(resp_buf, ssp_response->resp_data, len);
}
static enum sci_status
request_started_state_tc_event(struct isci_request *ireq,
u32 completion_code)
Reported by FlawFinder.
Line: 1426
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy at most the length of the current scatterlist segment. */
copy_len = min_t(int, total_len, sg_dma_len(sg));
kaddr = kmap_atomic(page);
/*
 * The write starts sg->offset bytes into the mapped page and is copy_len
 * bytes long. copy_len is clamped to sg_dma_len(sg) above; that
 * sg->offset + copy_len stays inside the single mapped page is assumed,
 * not checked in the visible lines - confirm.
 */
memcpy(kaddr + sg->offset, src_addr, copy_len);
kunmap_atomic(kaddr);
total_len -= copy_len;
src_addr += copy_len;
/* The loop condition (outside this excerpt) must stop before sg becomes NULL - confirm. */
sg = sg_next(sg);
}
Reported by FlawFinder.
Line: 1434
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
} else {
/*
 * Non-scatterlist path: the copy length is checked against
 * task->total_xfer_len first. The guard is BUG_ON(), so a violation
 * halts the kernel instead of returning an error; memory is not
 * overrun, at the cost of availability.
 */
BUG_ON(task->total_xfer_len < total_len);
memcpy(task->scatter, src_addr, total_len);
}
return SCI_SUCCESS;
}
Reported by FlawFinder.
Line: 1653
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* change the H2D fis content.
*/
memset(&ireq->stp.cmd, 0, sizeof(struct host_to_dev_fis));
memcpy(((u8 *)&ireq->stp.cmd + sizeof(u32)), atapi_cdb, ATAPI_CDB_LEN);
memset(&(task_context->type.stp), 0, sizeof(struct stp_task_context));
task_context->type.stp.fis_type = FIS_DATA;
task_context->transfer_length_bytes = dev->cdb_len;
}
Reported by FlawFinder.
Line: 1682
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
task_context->type.stp.fis_type = FIS_DATA;
memset(&ireq->stp.cmd, 0, sizeof(ireq->stp.cmd));
/*
 * NOTE(review): the destination is the address of one member (lbal)
 * inside ireq->stp.cmd, and the copy is cdb_len bytes long, so it is
 * meant to run on into the members that follow lbal. It is in bounds
 * only if cdb_len does not exceed the space from lbal to the end of
 * stp.cmd. Where cdb_len comes from and how it is limited is outside
 * this excerpt - confirm.
 */
memcpy(&ireq->stp.cmd.lbal, task->ata_task.atapi_packet, cdb_len);
task_context->ssp_command_iu_length = cdb_len / sizeof(u32);
/* task phase is set to TX_CMD */
task_context->task_phase = 0x1;
Reported by FlawFinder.
Line: 2715
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct ata_task_resp *resp = (void *)&ts->buf[0];
resp->frame_len = sizeof(*fis);
memcpy(resp->ending_fis, fis, sizeof(*fis));
ts->buf_valid_size = sizeof(*resp);
/* If an error is flagged let libata decode the fis */
if (ac_err_mask(fis->status))
ts->stat = SAS_PROTO_RESPONSE;
Reported by FlawFinder.
Line: 3156
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__func__,
ireq);
memcpy(fis, &task->ata_task.fis, sizeof(struct host_to_dev_fis));
if (!task->ata_task.device_control_reg_update)
fis->flags |= 0x80;
fis->flags &= 0xF0;
status = sci_io_request_construct_basic_sata(ireq);
Reported by FlawFinder.
Line: 3269
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* 18h ~ 30h, protocol specific
* since commandIU has been build by framework at this point, we just
* copy the frist DWord from command IU to this location. */
memcpy(&task_context->type.smp, &cmd, sizeof(u32));
/*
* 40h
* "For SMP you could program it to zero. We would prefer that way
* so that done code will be consistent." - Venki
Reported by FlawFinder.
drivers/net/wireless/marvell/mwifiex/11n.c
10 issues
Line: 56
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
IEEE80211_HT_AMPDU_PARM_DENSITY_SHIFT) &
IEEE80211_HT_AMPDU_PARM_DENSITY);
memcpy((u8 *)&ht_cap->mcs, &sband->ht_cap.mcs,
sizeof(sband->ht_cap.mcs));
if (priv->bss_mode == NL80211_IFTYPE_STATION ||
(sband->ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40 &&
(priv->adapter->sec_chan_offset !=
Reported by FlawFinder.
Line: 337
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ht_cap->header.type = cpu_to_le16(WLAN_EID_HT_CAPABILITY);
ht_cap->header.len =
cpu_to_le16(sizeof(struct ieee80211_ht_cap));
/*
 * The copy length is the fixed sizeof(struct ieee80211_ht_cap) stored in
 * header.len just above, not a length taken from the received frame.
 * The write lands directly after the TLV header inside ht_cap. That
 * bss_desc->bcn_ht_cap points at a full-size element is assumed here -
 * confirm it is length-checked where the beacon is parsed.
 */
memcpy((u8 *) ht_cap + sizeof(struct mwifiex_ie_types_header),
(u8 *)bss_desc->bcn_ht_cap,
le16_to_cpu(ht_cap->header.len));
mwifiex_fill_cap_info(priv, radio_type, &ht_cap->ht_cap);
/* Update HT40 capability from current channel information */
Reported by FlawFinder.
Line: 390
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpu_to_le16(
sizeof(struct ieee80211_ht_operation));
memcpy((u8 *) ht_info +
sizeof(struct mwifiex_ie_types_header),
(u8 *)bss_desc->bcn_ht_oper,
le16_to_cpu(ht_info->header.len));
if (!(sband->ht_cap.cap &
Reported by FlawFinder.
Line: 438
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bss_co_2040->header.len =
cpu_to_le16(sizeof(bss_co_2040->bss_co_2040));
memcpy((u8 *) bss_co_2040 +
sizeof(struct mwifiex_ie_types_header),
bss_desc->bcn_bss_co_2040 +
sizeof(struct ieee_types_header),
le16_to_cpu(bss_co_2040->header.len));
Reported by FlawFinder.
Line: 455
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ext_cap->header.type = cpu_to_le16(WLAN_EID_EXT_CAPABILITY);
ext_cap->header.len = cpu_to_le16(hdr->len);
/*
 * NOTE(review): unlike the fixed-size copies elsewhere in this function,
 * the length here is hdr->len. hdr presumably points at the element
 * header stored in bss_desc->bcn_ext_cap, i.e. a value that originates
 * in a received frame - confirm. No clamp of hdr->len to
 * sizeof(ext_cap->ext_capab) is visible in this excerpt; verify that one
 * exists here or where the element is first parsed.
 */
memcpy((u8 *)ext_cap->ext_capab,
bss_desc->bcn_ext_cap + sizeof(struct ieee_types_header),
le16_to_cpu(ext_cap->header.len));
if (hdr->len > 3 &&
ext_cap->ext_capab[3] & WLAN_EXT_CAPA4_INTERWORKING_ENABLED)
Reported by FlawFinder.
Line: 579
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new_node->tid = tid;
new_node->ba_status = ba_status;
memcpy(new_node->ra, ra, ETH_ALEN);
spin_lock_bh(&priv->tx_ba_stream_tbl_lock);
list_add_tail(&new_node->list, &priv->tx_ba_stream_tbl_ptr);
spin_unlock_bh(&priv->tx_ba_stream_tbl_lock);
}
Reported by FlawFinder.
Line: 640
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dialog_tok = 1;
add_ba_req.dialog_token = dialog_tok;
memcpy(&add_ba_req.peer_mac_addr, peer_mac, ETH_ALEN);
/* We don't wait for the response of this command */
ret = mwifiex_send_cmd(priv, HostCmd_CMD_11N_ADDBA_REQ,
0, 0, &add_ba_req, false);
Reported by FlawFinder.
Line: 668
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
del_ba_param_set &= ~IEEE80211_DELBA_PARAM_INITIATOR_MASK;
memcpy(&delba.peer_mac_addr, peer_mac, ETH_ALEN);
/* We don't wait for the response of this command */
ret = mwifiex_send_cmd(priv, HostCmd_CMD_11N_DELBA,
HostCmd_ACT_GEN_SET, 0, &delba, false);
Reported by FlawFinder.
Line: 729
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
list_for_each_entry(rx_reorder_tbl_ptr, &priv->rx_reorder_tbl_ptr,
list) {
rx_reo_tbl->tid = (u16) rx_reorder_tbl_ptr->tid;
memcpy(rx_reo_tbl->ta, rx_reorder_tbl_ptr->ta, ETH_ALEN);
rx_reo_tbl->start_win = rx_reorder_tbl_ptr->start_win;
rx_reo_tbl->win_size = rx_reorder_tbl_ptr->win_size;
for (i = 0; i < rx_reorder_tbl_ptr->win_size; ++i) {
if (rx_reorder_tbl_ptr->rx_reorder_ptr[i])
rx_reo_tbl->buffer[i] = true;
Reported by FlawFinder.
Line: 764
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rx_reo_tbl->tid = (u16) tx_ba_tsr_tbl->tid;
mwifiex_dbg(priv->adapter, DATA, "data: %s tid=%d\n",
__func__, rx_reo_tbl->tid);
memcpy(rx_reo_tbl->ra, tx_ba_tsr_tbl->ra, ETH_ALEN);
rx_reo_tbl->amsdu = tx_ba_tsr_tbl->amsdu;
rx_reo_tbl++;
count++;
if (count >= MWIFIEX_MAX_TX_BASTREAM_SUPPORTED)
break;
Reported by FlawFinder.
drivers/s390/crypto/pkey_api.c
10 issues
Line: 131
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* prepare param block */
memset(paramblock, 0, sizeof(paramblock));
/*
 * From here on paramblock holds the clear key. keysize must not exceed
 * sizeof(paramblock) or the size of clrkey->clrkey; how keysize is
 * derived is outside this excerpt - confirm it is selected from a fixed
 * set of key types rather than taken from the caller.
 */
memcpy(paramblock, clrkey->clrkey, keysize);
/* call the pckmo instruction */
cpacf_pckmo(fc, paramblock);
/* copy created protected key */
Line: 139
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy created protected key */
protkey->type = keytype;
protkey->len = keysize + 32;
/*
 * The result is keysize + 32 bytes; both paramblock and protkey->protkey
 * must be at least that large (declarations not shown - confirm).
 * NOTE(review): on this path nothing clears paramblock between the copy
 * and the return, so key material stays on the stack. Consider
 * memzero_explicit(paramblock, sizeof(paramblock)) before returning.
 */
memcpy(protkey->protkey, paramblock, keysize + 32);
return 0;
}
/*
Reported by FlawFinder.
Line: 431
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * The copy runs only when t->len is exactly the size that matches the
 * declared AES key type (16, 24 or 32), so it never exceeds 32 bytes.
 * It is in bounds provided ckey.clrkey and t->clearkey each hold at
 * least 32 bytes - declarations not shown, confirm.
 * NOTE(review): ckey now carries a clear key; confirm it is wiped on
 * every exit path, including the `out` label.
 */
if ((t->keytype == PKEY_KEYTYPE_AES_128 && t->len == 16)
|| (t->keytype == PKEY_KEYTYPE_AES_192 && t->len == 24)
|| (t->keytype == PKEY_KEYTYPE_AES_256 && t->len == 32))
memcpy(ckey.clrkey, t->clearkey, t->len);
else
goto out;
/* alloc temp key buffer space */
tmpbuf = kmalloc(tmpbuflen, GFP_ATOMIC);
if (!tmpbuf) {
Reported by FlawFinder.
Line: 941
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * *nr_apqns is the caller's capacity on entry. The copy is skipped with
 * -ENOSPC when the result does not fit, so the memcpy() is bounded by
 * that capacity. The required count is still reported back below, which
 * lets the caller retry with a larger buffer.
 * assumes _nr_apqns * sizeof(u32) cannot wrap - TODO confirm the type
 * and upper bound of _nr_apqns.
 */
if (*nr_apqns < _nr_apqns)
rc = -ENOSPC;
else
memcpy(apqns, _apqns, _nr_apqns * sizeof(u32));
}
*nr_apqns = _nr_apqns;
out:
/* The temporary list is freed on both the success and the error path. */
kfree(_apqns);
Reported by FlawFinder.
Line: 1006
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (*nr_apqns < _nr_apqns)
rc = -ENOSPC;
else
memcpy(apqns, _apqns, _nr_apqns * sizeof(u32));
}
*nr_apqns = _nr_apqns;
out:
kfree(_apqns);
Reported by FlawFinder.
Line: 1077
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rc = pkey_nonccatok2pkey(key, keylen, &pkey);
if (rc)
return rc;
/*
 * NOTE(review): pkey.len bytes are written to the caller's protkey
 * buffer and the length is reported through *protkeylen afterwards. The
 * visible lines do not compare pkey.len with the capacity the caller
 * passed in - confirm that a size check exists on this path, or that
 * every caller supplies a buffer of the maximum protected-key size.
 */
memcpy(protkey, pkey.protkey, pkey.len);
*protkeylen = pkey.len;
*protkeytype = pkey.type;
return 0;
} else {
DEBUG_ERR("%s unknown/unsupported blob type %d\n",
Reported by FlawFinder.
Line: 1610
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return rc;
protkeytoken.len = protkey.len;
/*
 * protkey.len bytes go into protkeytoken.protkey; this is in bounds only
 * if the two protkey arrays have the same size, or protkey.len is capped
 * at the smaller one. Declarations are not shown - confirm.
 */
memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
/* The whole token struct is copied out; buf must hold at least sizeof(protkeytoken) - confirm against the caller. */
memcpy(buf, &protkeytoken, sizeof(protkeytoken));
if (is_xts) {
rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
Reported by FlawFinder.
Line: 1612
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
protkeytoken.len = protkey.len;
memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
memcpy(buf, &protkeytoken, sizeof(protkeytoken));
if (is_xts) {
rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
if (rc)
return rc;
Reported by FlawFinder.
Line: 1620
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return rc;
protkeytoken.len = protkey.len;
memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
memcpy(buf + sizeof(protkeytoken), &protkeytoken,
sizeof(protkeytoken));
return 2 * sizeof(protkeytoken);
Reported by FlawFinder.
Line: 1622
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
protkeytoken.len = protkey.len;
memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
memcpy(buf + sizeof(protkeytoken), &protkeytoken,
sizeof(protkeytoken));
return 2 * sizeof(protkeytoken);
}
Reported by FlawFinder.
drivers/s390/char/vmur.h
10 issues
Line: 31
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * z/VM spool file control block SFBLOK
 *
 * FlawFinder flags every fixed-size char array in this record
 * (CWE-119/120). The declarations themselves are not defects; the risk
 * sits in code that copies into or out of these fields.
 * NOTE(review): the fields look like fixed-width record fields and are
 * presumably not NUL-terminated - confirm, and use length-bounded access
 * (sizeof(field)) rather than str*() functions on them.
 */
struct file_control_block {
char reserved_1[8];
char user_owner[8];
char user_orig[8];
__s32 data_recs;
__s16 rec_len;
__s16 file_num;
Reported by FlawFinder.
Line: 32
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* z/VM spool file control block SFBLOK */
struct file_control_block {
char reserved_1[8];
char user_owner[8];
char user_orig[8];
__s32 data_recs;
__s16 rec_len;
__s16 file_num;
__u8 file_stat;
Reported by FlawFinder.
Line: 33
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct file_control_block {
char reserved_1[8];
char user_owner[8];
char user_orig[8];
__s32 data_recs;
__s16 rec_len;
__s16 file_num;
__u8 file_stat;
__u8 dev_type;
Reported by FlawFinder.
Line: 39
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__s16 file_num;
__u8 file_stat;
__u8 dev_type;
char reserved_2[6];
char file_name[12];
char file_type[12];
char create_date[8];
char create_time[8];
char reserved_3[6];
Reported by FlawFinder.
Line: 40
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u8 file_stat;
__u8 dev_type;
char reserved_2[6];
char file_name[12];
char file_type[12];
char create_date[8];
char create_time[8];
char reserved_3[6];
__u8 file_class;
Reported by FlawFinder.
Line: 41
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u8 dev_type;
char reserved_2[6];
char file_name[12];
char file_type[12];
char create_date[8];
char create_time[8];
char reserved_3[6];
__u8 file_class;
__u8 sfb_lok;
Reported by FlawFinder.
Line: 42
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char reserved_2[6];
char file_name[12];
char file_type[12];
char create_date[8];
char create_time[8];
char reserved_3[6];
__u8 file_class;
__u8 sfb_lok;
__u64 distr_code;
Reported by FlawFinder.
Line: 43
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char file_name[12];
char file_type[12];
char create_date[8];
char create_time[8];
char reserved_3[6];
__u8 file_class;
__u8 sfb_lok;
__u64 distr_code;
__u32 reserved_4;
Reported by FlawFinder.
Line: 44
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char file_type[12];
char create_date[8];
char create_time[8];
char reserved_3[6];
__u8 file_class;
__u8 sfb_lok;
__u64 distr_code;
__u32 reserved_4;
__u8 current_starting_copy_number;
Reported by FlawFinder.
Line: 53
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u8 sfblock_cntrl_flags;
__u8 reserved_5;
__u8 more_status_flags;
char rest[200];
} __attribute__ ((packed));
#define FLG_SYSTEM_HOLD 0x04
#define FLG_CP_DUMP 0x10
#define FLG_USER_HOLD 0x20
Reported by FlawFinder.
drivers/nfc/s3fwrn5/firmware.c
10 issues
Line: 481
Column: 2
CWE codes:
120
Suggestion:
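Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). In kernel code the bounded copy helper is strscpy(), which takes the destination size and always NUL-terminates. Whether this strcpy can overflow depends on the size of fw_info->fw_name and on the fw_name strings the callers pass, neither of which is shown in the excerpt.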
fw_info->parity = 0x00;
fw_info->rsp = NULL;
fw_info->fw.fw = NULL;
strcpy(fw_info->fw_name, fw_name);
init_completion(&fw_info->completion);
}
void s3fwrn5_fw_cleanup(struct s3fwrn5_fw_info *fw_info)
{
Reported by FlawFinder.
Line: 102
Column: 2
CWE codes:
120
Suggestion:
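Make sure destination can always hold the source data. The length here is the constant 10, so there are two things to confirm: that bootinfo is at least 10 bytes, and that the response in rsp actually holds S3FWRN5_FW_HDR_SIZE + 10 bytes before it is read. Neither size is visible in this excerpt.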
goto out;
}
memcpy(bootinfo, rsp->data + S3FWRN5_FW_HDR_SIZE, 10);
out:
kfree_skb(rsp);
return ret;
}
Reported by FlawFinder.
Line: 301
Column: 2
CWE codes:
120
Suggestion:
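Make sure destination can always hold the source data. The copy lengths here are constants, so the destination side reduces to fw->date being at least 13 bytes (12 copied plus the terminator written at index 12). The source side matters more for a firmware parser: the blob must be long enough for every header read, and sig_off (like image_off and custom_sig_off in the following findings) is read from the blob itself, so it should be range-checked against the blob's length before it is added to fw->fw->data. The condition behind the `return -EINVAL` just above is not visible in this excerpt and may already cover part of this.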
return -EINVAL;
}
memcpy(fw->date, fw->fw->data + 0x00, 12);
fw->date[12] = '\0';
memcpy(&fw->version, fw->fw->data + 0x10, 4);
memcpy(&sig_off, fw->fw->data + 0x14, 4);
Reported by FlawFinder.
Line: 304
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(fw->date, fw->fw->data + 0x00, 12);
fw->date[12] = '\0';
memcpy(&fw->version, fw->fw->data + 0x10, 4);
memcpy(&sig_off, fw->fw->data + 0x14, 4);
fw->sig = fw->fw->data + sig_off;
memcpy(&fw->sig_size, fw->fw->data + 0x18, 4);
Reported by FlawFinder.
Line: 306
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&fw->version, fw->fw->data + 0x10, 4);
memcpy(&sig_off, fw->fw->data + 0x14, 4);
fw->sig = fw->fw->data + sig_off;
memcpy(&fw->sig_size, fw->fw->data + 0x18, 4);
memcpy(&image_off, fw->fw->data + 0x1C, 4);
fw->image = fw->fw->data + image_off;
Reported by FlawFinder.
Line: 308
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&sig_off, fw->fw->data + 0x14, 4);
fw->sig = fw->fw->data + sig_off;
memcpy(&fw->sig_size, fw->fw->data + 0x18, 4);
memcpy(&image_off, fw->fw->data + 0x1C, 4);
fw->image = fw->fw->data + image_off;
memcpy(&fw->image_sectors, fw->fw->data + 0x20, 4);
Reported by FlawFinder.
Line: 310
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fw->sig = fw->fw->data + sig_off;
memcpy(&fw->sig_size, fw->fw->data + 0x18, 4);
memcpy(&image_off, fw->fw->data + 0x1C, 4);
fw->image = fw->fw->data + image_off;
memcpy(&fw->image_sectors, fw->fw->data + 0x20, 4);
memcpy(&custom_sig_off, fw->fw->data + 0x24, 4);
fw->custom_sig = fw->fw->data + custom_sig_off;
Reported by FlawFinder.
Line: 312
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&image_off, fw->fw->data + 0x1C, 4);
fw->image = fw->fw->data + image_off;
memcpy(&fw->image_sectors, fw->fw->data + 0x20, 4);
memcpy(&custom_sig_off, fw->fw->data + 0x24, 4);
fw->custom_sig = fw->fw->data + custom_sig_off;
memcpy(&fw->custom_sig_size, fw->fw->data + 0x28, 4);
Reported by FlawFinder.
Line: 314
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fw->image = fw->fw->data + image_off;
memcpy(&fw->image_sectors, fw->fw->data + 0x20, 4);
memcpy(&custom_sig_off, fw->fw->data + 0x24, 4);
fw->custom_sig = fw->fw->data + custom_sig_off;
memcpy(&fw->custom_sig_size, fw->fw->data + 0x28, 4);
return 0;
}
Reported by FlawFinder.
Line: 316
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&custom_sig_off, fw->fw->data + 0x24, 4);
fw->custom_sig = fw->fw->data + custom_sig_off;
memcpy(&fw->custom_sig_size, fw->fw->data + 0x28, 4);
return 0;
}
static void s3fwrn5_fw_release_firmware(struct s3fwrn5_fw_info *fw_info)
Reported by FlawFinder.
drivers/platform/x86/dell/dell-laptop.c
10 issues
Line: 1823
Column: 11
CWE codes:
120
Suggestion:
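Use sprintf_s, snprintf, or vsnprintf. sprintf_s is not available in kernel code. If buf is the sysfs page buffer, as the show callbacks elsewhere in this file suggest, the bounded kernel helper for appending at an offset is sysfs_emit_at(). The amount written in this loop is the sum of the kbd_led_triggers names plus separators, so the practical risk depends on the size of that table, which the excerpt does not show.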
buf[len++] = '+';
else
buf[len++] = '-';
len += sprintf(buf+len, "%s ", kbd_led_triggers[i]);
}
}
if (len)
buf[len - 1] = '\n';
Reported by FlawFinder.
Line: 1674
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
unit = state.timeout_unit;
}
len = sprintf(buf, "%d", value);
switch (unit) {
case KBD_TIMEOUT_SECONDS:
return len + sprintf(buf+len, "s\n");
case KBD_TIMEOUT_MINUTES:
Reported by FlawFinder.
Line: 1678
Column: 16
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (unit) {
case KBD_TIMEOUT_SECONDS:
return len + sprintf(buf+len, "s\n");
case KBD_TIMEOUT_MINUTES:
return len + sprintf(buf+len, "m\n");
case KBD_TIMEOUT_HOURS:
return len + sprintf(buf+len, "h\n");
case KBD_TIMEOUT_DAYS:
Reported by FlawFinder.
Line: 1680
Column: 16
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case KBD_TIMEOUT_SECONDS:
return len + sprintf(buf+len, "s\n");
case KBD_TIMEOUT_MINUTES:
return len + sprintf(buf+len, "m\n");
case KBD_TIMEOUT_HOURS:
return len + sprintf(buf+len, "h\n");
case KBD_TIMEOUT_DAYS:
return len + sprintf(buf+len, "d\n");
default:
Reported by FlawFinder.
Line: 1682
Column: 16
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case KBD_TIMEOUT_MINUTES:
return len + sprintf(buf+len, "m\n");
case KBD_TIMEOUT_HOURS:
return len + sprintf(buf+len, "h\n");
case KBD_TIMEOUT_DAYS:
return len + sprintf(buf+len, "d\n");
default:
return -EINVAL;
}
Reported by FlawFinder.
Line: 1684
Column: 16
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case KBD_TIMEOUT_HOURS:
return len + sprintf(buf+len, "h\n");
case KBD_TIMEOUT_DAYS:
return len + sprintf(buf+len, "d\n");
default:
return -EINVAL;
}
return len;
Reported by FlawFinder.
Line: 1710
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct kbd_state state;
bool triggers_enabled = false;
int trigger_bit = -1;
char trigger[21];
int i, ret;
ret = sscanf(buf, "%20s", trigger);
if (ret != 1)
return -EINVAL;
Reported by FlawFinder.
Line: 1908
Column: 9
CWE codes:
120
Suggestion:
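Use sprintf_s, snprintf, or vsnprintf. This is a sysfs show callback (see the DEVICE_ATTR that follows it), and the kernel helper for that case is sysfs_emit(), which bounds the output to the PAGE_SIZE buffer. The output here is a single 0 or 1 and a newline, so the finding is a hardening item rather than a reachable overflow.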
return ret;
enabled = kbd_is_als_mode_bit(state.mode_bit);
return sprintf(buf, "%d\n", enabled ? 1 : 0);
}
static DEVICE_ATTR(als_enabled, S_IRUGO | S_IWUSR,
kbd_led_als_enabled_show, kbd_led_als_enabled_store);
Reported by FlawFinder.
Line: 1957
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret)
return ret;
return sprintf(buf, "%d\n", state.als_setting);
}
static DEVICE_ATTR(als_setting, S_IRUGO | S_IWUSR,
kbd_led_als_setting_show, kbd_led_als_setting_store);
Reported by FlawFinder.
Line: 1713
Column: 8
CWE codes:
120
Suggestion:
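Check that the limit is sufficiently small, or use a different input function. In this excerpt the field width 20 matches trigger[21], leaving one byte for the terminator, and the sscanf return value is checked, so the limit is already sufficient.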
char trigger[21];
int i, ret;
ret = sscanf(buf, "%20s", trigger);
if (ret != 1)
return -EINVAL;
if (trigger[0] != '+' && trigger[0] != '-')
return -EINVAL;
Reported by FlawFinder.