The following issues were found
drivers/net/wireless/ath/wil6210/cfg80211.c
10 issues
Line: 978
CWE codes:
562
vif->scan_request = request;
mod_timer(&vif->scan_timer, jiffies + WIL6210_SCAN_TO);
memset(&cmd, 0, sizeof(cmd));
cmd.cmd.scan_type = WMI_ACTIVE_SCAN;
cmd.cmd.num_channels = 0;
n = min(request->n_channels, 4U);
for (i = 0; i < n; i++) {
int ch = request->channels[i]->hw_value;
Reported by Cppcheck.
Line: 1016
CWE codes:
562
if (vif->mid == 0)
wil->radio_wdev = wdev;
rc = wmi_send(wil, WMI_START_SCAN_CMDID, vif->mid,
&cmd, sizeof(cmd.cmd) +
cmd.cmd.num_channels * sizeof(cmd.cmd.channel_list[0]));
out_restore:
if (rc) {
del_timer_sync(&vif->scan_timer);
Reported by Cppcheck.
Line: 1353
Column: 2
CWE codes:
120
Suggestion:
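Make sure destination can always hold the source data. In the lines shown, the copy length is clamped to 32 by min_t() immediately before the memcpy, so what remains to confirm is that conn.ssid is at least 32 bytes and that the SSID element really carries ssid_eid[1] bytes after its two-byte header.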
}
conn.ssid_len = min_t(u8, ssid_eid[1], 32);
memcpy(conn.ssid, ssid_eid+2, conn.ssid_len);
conn.channel = ch - 1;
rc = wil_get_wmi_edmg_channel(wil, sme->edmg.bw_config,
sme->edmg.channels, &conn.edmg_channel);
if (rc < 0)
Reported by FlawFinder.
Line: 1575
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (tid = 0; tid < WIL_STA_TID_NUM; tid++) {
cc = &cs->tid_crypto_rx[tid].key_id[key_index];
if (params->seq)
memcpy(cc->pn, params->seq,
IEEE80211_GCMP_PN_LEN);
else
memset(cc->pn, 0, IEEE80211_GCMP_PN_LEN);
cc->key_set = true;
}
Reported by FlawFinder.
Line: 1585
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case WMI_KEY_USE_RX_GROUP:
cc = &cs->group_crypto_rx.key_id[key_index];
if (params->seq)
memcpy(cc->pn, params->seq, IEEE80211_GCMP_PN_LEN);
else
memset(cc->pn, 0, IEEE80211_GCMP_PN_LEN);
cc->key_set = true;
break;
default:
Reported by FlawFinder.
Line: 1685
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (key_usage == WMI_KEY_USE_TX_GROUP && params->key &&
params->key_len <= WMI_MAX_KEY_LEN) {
vif->gtk_index = key_index;
memcpy(vif->gtk, params->key, params->key_len);
vif->gtk_len = params->key_len;
}
/* in FT set crypto will take place upon receiving
* WMI_RING_EN_EVENTID event
*/
Reported by FlawFinder.
Line: 1822
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!buf)
return -ENOMEM;
if (ies1)
memcpy(buf, ies1, ies1_len);
dpos = buf + ies1_len;
spos = ies2;
while (spos && (spos + 1 < ies2 + ies2_len)) {
/* IE tag at offset 0, length at offset 1 */
u16 ielen = 2 + spos[1];
Reported by FlawFinder.
Line: 1834
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (spos[0] == WLAN_EID_VENDOR_SPECIFIC &&
(!ies1 || !_wil_cfg80211_find_ie(ies1, ies1_len,
spos, ielen))) {
memcpy(dpos, spos, ielen);
dpos += ielen;
}
spos += ielen;
}
Reported by FlawFinder.
Line: 2000
Column: 2
CWE codes:
120
Suggestion:
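Make sure destination can always hold the source data. Nothing in the lines shown compares ssid_len with the size of vif->ssid, so the bound has to come from earlier in the function or from the caller; confirm that it does.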
vif->hidden_ssid = hidden_ssid;
vif->pbss = pbss;
vif->bi = bi;
memcpy(vif->ssid, ssid, ssid_len);
vif->ssid_len = ssid_len;
netif_carrier_on(ndev);
if (!wil_has_other_active_ifaces(wil, ndev, false, true))
wil6210_bus_request(wil, WIL_MAX_BUS_REQUEST_KBPS);
Reported by FlawFinder.
Line: 2100
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bcon->tail_len))
privacy = 1;
memcpy(vif->ssid, wdev->ssid, wdev->ssid_len);
vif->ssid_len = wdev->ssid_len;
/* in case privacy has changed, need to restart the AP */
if (vif->privacy != privacy) {
wil_dbg_misc(wil, "privacy changed %d=>%d. Restarting AP\n",
Reported by FlawFinder.
drivers/net/wireless/broadcom/b43/lo.c
10 issues
Line: 606
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (end > 8)
end -= 8;
memcpy(&orig_loctl, probe_loctl, sizeof(struct b43_loctl));
i = begin;
d->current_state = i;
while (1) {
B43_WARN_ON(!(i >= 1 && i <= 8));
memcpy(&test_loctl, &orig_loctl, sizeof(struct b43_loctl));
Reported by FlawFinder.
Line: 611
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
d->current_state = i;
while (1) {
B43_WARN_ON(!(i >= 1 && i <= 8));
memcpy(&test_loctl, &orig_loctl, sizeof(struct b43_loctl));
test_loctl.i += modifiers[i - 1].i * d->state_val_multiplier;
test_loctl.q += modifiers[i - 1].q * d->state_val_multiplier;
if ((test_loctl.i != prev_loctl.i ||
test_loctl.q != prev_loctl.q) &&
(abs(test_loctl.i) <= 16 && abs(test_loctl.q) <= 16)) {
Reported by FlawFinder.
Line: 622
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gphy->pga_gain,
gphy->trsw_rx_gain);
if (feedth < d->lowest_feedth) {
memcpy(probe_loctl, &test_loctl,
sizeof(struct b43_loctl));
found_lower = 1;
d->lowest_feedth = feedth;
if ((d->nr_measured < 2) &&
!has_loopback_gain(phy))
Reported by FlawFinder.
Line: 661
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (has_loopback_gain(phy))
d.state_val_multiplier = 3;
memcpy(&d.min_loctl, loctl, sizeof(struct b43_loctl));
if (has_loopback_gain(phy))
max_repeat = 4;
do {
b43_lo_write(dev, &d.min_loctl);
feedth = lo_measure_feedthrough(dev, gphy->lna_gain,
Reported by FlawFinder.
Line: 685
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
B43_WARN_ON(!
(d.current_state >= 0
&& d.current_state <= 8));
memcpy(&probe_loctl, &d.min_loctl,
sizeof(struct b43_loctl));
found_lower =
lo_probe_possible_loctls(dev, &probe_loctl, &d);
if (!found_lower)
break;
Reported by FlawFinder.
Line: 694
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((probe_loctl.i == d.min_loctl.i) &&
(probe_loctl.q == d.min_loctl.q))
break;
memcpy(&d.min_loctl, &probe_loctl,
sizeof(struct b43_loctl));
d.nr_measured++;
} while (d.nr_measured < 24);
memcpy(loctl, &d.min_loctl, sizeof(struct b43_loctl));
Reported by FlawFinder.
Line: 698
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct b43_loctl));
d.nr_measured++;
} while (d.nr_measured < 24);
memcpy(loctl, &d.min_loctl, sizeof(struct b43_loctl));
if (has_loopback_gain(phy)) {
if (d.lowest_feedth > 0x1194)
*max_rx_gain -= 6;
else if (d.lowest_feedth < 0x5DC)
Reported by FlawFinder.
Line: 774
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
b43warn(dev->wl, "LO calib: out of memory\n");
return NULL;
}
memcpy(&cal->bbatt, bbatt, sizeof(*bbatt));
memcpy(&cal->rfatt, rfatt, sizeof(*rfatt));
memcpy(&cal->ctl, &loctl, sizeof(loctl));
cal->calib_time = jiffies;
INIT_LIST_HEAD(&cal->list);
Reported by FlawFinder.
Line: 775
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
}
memcpy(&cal->bbatt, bbatt, sizeof(*bbatt));
memcpy(&cal->rfatt, rfatt, sizeof(*rfatt));
memcpy(&cal->ctl, &loctl, sizeof(loctl));
cal->calib_time = jiffies;
INIT_LIST_HEAD(&cal->list);
return cal;
Reported by FlawFinder.
Line: 776
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(&cal->bbatt, bbatt, sizeof(*bbatt));
memcpy(&cal->rfatt, rfatt, sizeof(*rfatt));
memcpy(&cal->ctl, &loctl, sizeof(loctl));
cal->calib_time = jiffies;
INIT_LIST_HEAD(&cal->list);
return cal;
}
Reported by FlawFinder.
arch/powerpc/boot/main.c
10 issues
Line: 27
CWE codes:
570
{
char elfheader[256];
unsigned char *vmlinuz_addr = (unsigned char *)_vmlinux_start;
unsigned long vmlinuz_size = _vmlinux_end - _vmlinux_start;
void *addr = 0;
struct elf_info ei;
long len;
int uncompressed_image = 0;
Reported by Cppcheck.
Line: 107
CWE codes:
570
{
/* If we have an image attached to us, it overrides anything
* supplied by the loader. */
if (&_initrd_end > &_initrd_start) {
printf("Attached initrd image at 0x%p-0x%p\n\r",
_initrd_start, _initrd_end);
initrd_addr = (unsigned long)_initrd_start;
initrd_size = _initrd_end - _initrd_start;
} else if (initrd_size > 0) {
Reported by Cppcheck.
Line: 111
CWE codes:
570
printf("Attached initrd image at 0x%p-0x%p\n\r",
_initrd_start, _initrd_end);
initrd_addr = (unsigned long)_initrd_start;
initrd_size = _initrd_end - _initrd_start;
} else if (initrd_size > 0) {
printf("Using loader supplied ramdisk at 0x%lx-0x%lx\n\r",
initrd_addr, initrd_addr + initrd_size);
}
Reported by Cppcheck.
Line: 155
CWE codes:
570
unsigned long esm_blob_addr, esm_blob_size;
/* Do we have an ESM (Enter Secure Mode) blob? */
if (&_esm_blob_end <= &_esm_blob_start)
return;
printf("Attached ESM blob at 0x%p-0x%p\n\r",
_esm_blob_start, _esm_blob_end);
esm_blob_addr = (unsigned long)_esm_blob_start;
Reported by Cppcheck.
Line: 161
CWE codes:
570
printf("Attached ESM blob at 0x%p-0x%p\n\r",
_esm_blob_start, _esm_blob_end);
esm_blob_addr = (unsigned long)_esm_blob_start;
esm_blob_size = _esm_blob_end - _esm_blob_start;
/*
* If the ESM blob is too low it will be clobbered when the
* kernel relocates to its final location. In this case,
* allocate a safer place and move it.
Reported by Cppcheck.
Line: 25
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct addr_range prep_kernel(void)
{
char elfheader[256];
unsigned char *vmlinuz_addr = (unsigned char *)_vmlinux_start;
unsigned long vmlinuz_size = _vmlinux_end - _vmlinux_start;
void *addr = 0;
struct elf_info ei;
long len;
Reported by FlawFinder.
Line: 74
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (uncompressed_image) {
memcpy(addr, vmlinuz_addr + ei.elfoffset, ei.loadsize);
printf("0x%lx bytes of uncompressed data copied\n\r",
ei.loadsize);
goto out;
}
Reported by FlawFinder.
Line: 193
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* edit the command line passed to vmlinux (by setting /chosen/bootargs).
* The buffer is put in it's own section so that tools may locate it easier.
*/
static char cmdline[BOOT_COMMAND_LINE_SIZE]
__attribute__((__section__("__builtin_cmdline")));
static void prep_cmdline(void *chosen)
{
unsigned int getline_timeout = 5000;
Reported by FlawFinder.
Line: 241
Column: 39
CWE codes:
362
memmove(cmdline, loader_info.cmdline,
min(loader_info.cmdline_len, BOOT_COMMAND_LINE_SIZE-1));
if (console_ops.open && (console_ops.open() < 0))
exit();
if (platform_ops.fixups)
platform_ops.fixups();
printf("\n\rzImage starting: loaded at 0x%p (sp: 0x%p)\n\r",
Reported by FlawFinder.
Line: 241
Column: 18
CWE codes:
362
memmove(cmdline, loader_info.cmdline,
min(loader_info.cmdline_len, BOOT_COMMAND_LINE_SIZE-1));
if (console_ops.open && (console_ops.open() < 0))
exit();
if (platform_ops.fixups)
platform_ops.fixups();
printf("\n\rzImage starting: loaded at 0x%p (sp: 0x%p)\n\r",
Reported by FlawFinder.
arch/mips/rb532/prom.c
10 issues
Line: 86
Column: 3
CWE codes:
120
Suggestion:
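Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). In the lines shown, each strcpy appends at cp (presumably a cursor into cmd_line) with no check of the space left; writing the terminator at cmd_line[COMMAND_LINE_SIZE - 1] afterwards truncates the string but does not bound the copies made before it.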
mips_machtype = MACH_MIKROTIK_RB532;
}
strcpy(cp, prom_argv[i]);
cp += strlen(prom_argv[i]);
}
*(cp++) = ' ';
i = strlen(arcs_cmdline);
Reported by FlawFinder.
Line: 94
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
i = strlen(arcs_cmdline);
if (i > 0) {
*(cp++) = ' ';
strcpy(cp, arcs_cmdline);
cp += strlen(arcs_cmdline);
}
cmd_line[COMMAND_LINE_SIZE - 1] = '\0';
strcpy(arcs_cmdline, cmd_line);
Reported by FlawFinder.
Line: 99
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
cmd_line[COMMAND_LINE_SIZE - 1] = '\0';
strcpy(arcs_cmdline, cmd_line);
}
void __init prom_init(void)
{
struct ddr_ram __iomem *ddr;
Reported by FlawFinder.
Line: 52
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void __init prom_setup_cmdline(void)
{
static char cmd_line[COMMAND_LINE_SIZE] __initdata;
char *cp, *board;
int prom_argc;
char **prom_argv;
int i;
Reported by FlawFinder.
Line: 39
Column: 27
CWE codes:
126
/*
 * Report whether arg begins with tag.
 *
 * Returns 1 when the first strlen(tag) bytes of arg equal tag, 0 otherwise.
 * Both pointers must reference NUL-terminated strings: strlen() walks tag
 * until it meets a terminator, and strncmp() stops early only at a NUL or
 * at the first differing byte.
 */
static inline int match_tag(char *arg, const char *tag)
{
	const size_t tag_len = strlen(tag);

	if (strncmp(arg, tag, tag_len) != 0)
		return 0;

	return 1;
}
static inline unsigned long tag2ul(char *arg, const char *tag)
{
char *num;
Reported by FlawFinder.
Line: 46
Column: 14
CWE codes:
126
{
char *num;
num = arg + strlen(tag);
return simple_strtoul(num, 0, 10);
}
void __init prom_setup_cmdline(void)
{
Reported by FlawFinder.
Line: 78
Column: 27
CWE codes:
126
if (i > 0)
*(cp++) = ' ';
if (match_tag(prom_argv[i], BOARD_TAG)) {
board = prom_argv[i] + strlen(BOARD_TAG);
if (match_tag(board, BOARD_RB532A))
mips_machtype = MACH_MIKROTIK_RB532A;
else
mips_machtype = MACH_MIKROTIK_RB532;
Reported by FlawFinder.
Line: 87
Column: 9
CWE codes:
126
}
strcpy(cp, prom_argv[i]);
cp += strlen(prom_argv[i]);
}
*(cp++) = ' ';
i = strlen(arcs_cmdline);
if (i > 0) {
Reported by FlawFinder.
Line: 91
Column: 6
CWE codes:
126
}
*(cp++) = ' ';
i = strlen(arcs_cmdline);
if (i > 0) {
*(cp++) = ' ';
strcpy(cp, arcs_cmdline);
cp += strlen(arcs_cmdline);
}
Reported by FlawFinder.
Line: 95
Column: 9
CWE codes:
126
if (i > 0) {
*(cp++) = ' ';
strcpy(cp, arcs_cmdline);
cp += strlen(arcs_cmdline);
}
cmd_line[COMMAND_LINE_SIZE - 1] = '\0';
strcpy(arcs_cmdline, cmd_line);
}
Reported by FlawFinder.
arch/s390/boot/kaslr.c
10 issues
Line: 57
Column: 22
CWE codes:
327
Suggestion:
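Use a more secure technique for acquiring random values. The flagged column is the local variable named random, not a call to a library generator; in the lines shown for this file the value is produced by cpacf_trng(), cpacf_prno() or cpacf_kmc(), depending on mode. The part worth reviewing is the seed: the SHA512 and TDES paths shown mix in get_tod_clock_fast(), which is a clock reading.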
0x49, 0xD8, 0x23, 0xF3, 0x7E, 0x21, 0xEC, 0xA0
},
};
unsigned long seed, random;
struct prno_parm prno;
__u64 entropy[4];
int mode, i;
mode = check_prng();
Reported by FlawFinder.
Line: 66
Column: 31
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
seed = get_tod_clock_fast();
switch (mode) {
case PRNG_MODE_TRNG:
cpacf_trng(NULL, 0, (u8 *) &random, sizeof(random));
break;
case PRNG_MODE_SHA512:
cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED, &prno, NULL, 0,
(u8 *) &seed, sizeof(seed));
cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN, &prno, (u8 *) &random,
Reported by FlawFinder.
Line: 66
Column: 46
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
seed = get_tod_clock_fast();
switch (mode) {
case PRNG_MODE_TRNG:
cpacf_trng(NULL, 0, (u8 *) &random, sizeof(random));
break;
case PRNG_MODE_SHA512:
cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED, &prno, NULL, 0,
(u8 *) &seed, sizeof(seed));
cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN, &prno, (u8 *) &random,
Reported by FlawFinder.
Line: 71
Column: 57
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
case PRNG_MODE_SHA512:
cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED, &prno, NULL, 0,
(u8 *) &seed, sizeof(seed));
cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN, &prno, (u8 *) &random,
sizeof(random), NULL, 0);
break;
case PRNG_MODE_TDES:
/* add entropy */
*(unsigned long *) prng.parm_block ^= seed;
Reported by FlawFinder.
Line: 72
Column: 14
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
cpacf_prno(CPACF_PRNO_SHA512_DRNG_SEED, &prno, NULL, 0,
(u8 *) &seed, sizeof(seed));
cpacf_prno(CPACF_PRNO_SHA512_DRNG_GEN, &prno, (u8 *) &random,
sizeof(random), NULL, 0);
break;
case PRNG_MODE_TDES:
/* add entropy */
*(unsigned long *) prng.parm_block ^= seed;
for (i = 0; i < 16; i++) {
Reported by FlawFinder.
Line: 84
Column: 54
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
memcpy(prng.parm_block, entropy, sizeof(entropy));
}
random = seed;
cpacf_kmc(CPACF_KMC_PRNG, prng.parm_block, (u8 *) &random,
(u8 *) &random, sizeof(random));
break;
default:
return -1;
}
Reported by FlawFinder.
Line: 85
Column: 14
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
}
random = seed;
cpacf_kmc(CPACF_KMC_PRNG, prng.parm_block, (u8 *) &random,
(u8 *) &random, sizeof(random));
break;
default:
return -1;
}
*value = random % limit;
Reported by FlawFinder.
Line: 85
Column: 29
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
}
random = seed;
cpacf_kmc(CPACF_KMC_PRNG, prng.parm_block, (u8 *) &random,
(u8 *) &random, sizeof(random));
break;
default:
return -1;
}
*value = random % limit;
Reported by FlawFinder.
Line: 90
Column: 11
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
default:
return -1;
}
*value = random % limit;
return 0;
}
/*
* To randomize kernel base address we have to consider several facts:
Reported by FlawFinder.
Line: 81
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpacf_kmc(CPACF_KMC_PRNG, prng.parm_block,
(u8 *) entropy, (u8 *) entropy,
sizeof(entropy));
memcpy(prng.parm_block, entropy, sizeof(entropy));
}
random = seed;
cpacf_kmc(CPACF_KMC_PRNG, prng.parm_block, (u8 *) &random,
(u8 *) &random, sizeof(random));
break;
Reported by FlawFinder.
arch/s390/kernel/lgr.c
10 issues
Line: 31
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Level of system (1 = CEC, 2 = LPAR, 3 = z/VM */
u32 level;
/* Level 1: CEC info (stsi 1.1.1) */
char manufacturer[16];
char type[4];
char sequence[16];
char plant[4];
char model[16];
/* Level 2: LPAR info (stsi 2.2.2) */
Reported by FlawFinder.
Line: 32
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 level;
/* Level 1: CEC info (stsi 1.1.1) */
char manufacturer[16];
char type[4];
char sequence[16];
char plant[4];
char model[16];
/* Level 2: LPAR info (stsi 2.2.2) */
u16 lpar_number;
Reported by FlawFinder.
Line: 33
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Level 1: CEC info (stsi 1.1.1) */
char manufacturer[16];
char type[4];
char sequence[16];
char plant[4];
char model[16];
/* Level 2: LPAR info (stsi 2.2.2) */
u16 lpar_number;
char name[8];
Reported by FlawFinder.
Line: 34
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char manufacturer[16];
char type[4];
char sequence[16];
char plant[4];
char model[16];
/* Level 2: LPAR info (stsi 2.2.2) */
u16 lpar_number;
char name[8];
/* Level 3: VM info (stsi 3.2.2) */
Reported by FlawFinder.
Line: 35
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char type[4];
char sequence[16];
char plant[4];
char model[16];
/* Level 2: LPAR info (stsi 2.2.2) */
u16 lpar_number;
char name[8];
/* Level 3: VM info (stsi 3.2.2) */
u8 vm_count;
Reported by FlawFinder.
Line: 38
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char model[16];
/* Level 2: LPAR info (stsi 2.2.2) */
u16 lpar_number;
char name[8];
/* Level 3: VM info (stsi 3.2.2) */
u8 vm_count;
struct {
char name[8];
char cpi[16];
Reported by FlawFinder.
Line: 42
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Level 3: VM info (stsi 3.2.2) */
u8 vm_count;
struct {
char name[8];
char cpi[16];
} vm[VM_LEVEL_MAX];
} __packed __aligned(8);
/*
Reported by FlawFinder.
Line: 43
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 vm_count;
struct {
char name[8];
char cpi[16];
} vm[VM_LEVEL_MAX];
} __packed __aligned(8);
/*
* LGR globals
Reported by FlawFinder.
Line: 50
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
* LGR globals
*/
static char lgr_page[PAGE_SIZE] __aligned(PAGE_SIZE);
static struct lgr_info lgr_info_last;
static struct lgr_info lgr_info_cur;
static struct debug_info *lgr_dbf;
/*
Reported by FlawFinder.
Line: 60
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
static void cpascii(char *dst, char *src, int size)
{
	/*
	 * size is a signed int that memcpy() receives as a length, so callers
	 * must pass a non-negative count that fits in dst; this helper does
	 * not check either condition itself.
	 */
	memcpy(dst, src, size);
	/*
	 * The conversion runs on the copy in dst only, after the copy, so the
	 * order of these two statements matters.
	 * NOTE(review): EBCASC is defined outside this excerpt; judging by the
	 * name it presumably converts EBCDIC to ASCII in place - confirm.
	 */
	EBCASC(dst, size);
}
/*
* Fill LGR info with 1.1.1 stsi data
Reported by FlawFinder.
arch/sparc/boot/piggyback.c
10 issues
Line: 104
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int *end)
{
FILE *map;
char buffer[1024];
*start = 0;
*end = 0;
map = fopen(filename, "r");
if (!map)
Reported by FlawFinder.
Line: 108
Column: 8
CWE codes:
362
*start = 0;
*end = 0;
map = fopen(filename, "r");
if (!map)
die(filename);
while (fgets(buffer, 1024, map)) {
if (start_line(buffer))
*start = strtoul(buffer, NULL, 16);
Reported by FlawFinder.
Line: 137
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static off_t get_hdrs_offset(int kernelfd, const char *filename)
{
char buffer[BUFSIZE];
off_t offset;
int i;
if (lseek(kernelfd, 0, SEEK_SET) < 0)
die("lseek");
Reported by FlawFinder.
Line: 180
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int main(int argc,char **argv)
{
static char aout_magic[] = { 0x01, 0x03, 0x01, 0x07 };
char buffer[1024];
unsigned int i, start, end;
off_t offset;
struct stat s;
int image, tail;
Reported by FlawFinder.
Line: 198
Column: 15
CWE codes:
362
argv[3]);
exit(1);
}
if ((image = open(argv[2], O_RDWR)) < 0)
die(argv[2]);
if (read(image, buffer, 512) != 512)
die(argv[2]);
if (memcmp(buffer, aout_magic, 4) != 0) {
fprintf (stderr, "Not a.out. Don't blame me.\n");
Reported by FlawFinder.
Line: 255
Column: 14
CWE codes:
362
/* seek page aligned boundary in the image file and add boot image */
if (lseek(image, AOUT_TEXT_OFFSET - start + align(end + 32), 0) < 0)
die("lseek");
if ((tail = open(argv[4], O_RDONLY)) < 0)
die(argv[4]);
while ((i = read(tail, buffer, 1024)) > 0)
if (write(image, buffer, i) != i)
die(argv[2]);
if (close(image) < 0)
Reported by FlawFinder.
Line: 143
Column: 6
CWE codes:
120
20
if (lseek(kernelfd, 0, SEEK_SET) < 0)
die("lseek");
if (read(kernelfd, buffer, BUFSIZE) != BUFSIZE)
die(filename);
if (buffer[40] == 'H' && buffer[41] == 'd' &&
buffer[42] == 'r' && buffer[43] == 'S') {
return 40;
Reported by FlawFinder.
Line: 163
Column: 7
CWE codes:
120
20
}
if (lseek(kernelfd, offset, SEEK_SET) < 0)
die("lseek");
if (read(kernelfd, buffer, BUFSIZE) != BUFSIZE)
die(filename);
for (i = 0; i < LOOKBACK; i += 4) {
if (buffer[i + 0] == 'H' && buffer[i + 1] == 'd' &&
buffer[i + 2] == 'r' && buffer[i + 3] == 'S') {
Reported by FlawFinder.
Line: 200
Column: 6
CWE codes:
120
20
}
if ((image = open(argv[2], O_RDWR)) < 0)
die(argv[2]);
if (read(image, buffer, 512) != 512)
die(argv[2]);
if (memcmp(buffer, aout_magic, 4) != 0) {
fprintf (stderr, "Not a.out. Don't blame me.\n");
exit(1);
}
Reported by FlawFinder.
Line: 257
Column: 14
CWE codes:
120
20
die("lseek");
if ((tail = open(argv[4], O_RDONLY)) < 0)
die(argv[4]);
while ((i = read(tail, buffer, 1024)) > 0)
if (write(image, buffer, i) != i)
die(argv[2]);
if (close(image) < 0)
die("close");
if (close(tail) < 0)
Reported by FlawFinder.
arch/mips/include/asm/sgiarcs.h
10 issues
Line: 53
Column: 2
CWE codes:
78
Suggestion:
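try using a library call that implements the same functionality if available. The flagged token here is the enumerator named system in enum linux_devclass; the excerpt contains no call that runs a command, so this entry looks like a name match rather than a command-execution finding.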
* device inventory queries.
*/
enum linux_devclass {
system, processor, cache, adapter, controller, peripheral, memory
};
enum linux_devtypes {
/* Generic stuff. */
Arc, Cpu, Fpu,
Reported by FlawFinder.
Line: 359
Column: 9
CWE codes:
134
Suggestion:
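Use a constant for the format specification. The flagged line declares a function-pointer member named printf; no call with a format argument appears in the excerpt, so the place to check is the call sites of this pointer, not the declaration.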
unsigned long magic;
void (*handler)(void); /* Breakpoint routine. */
unsigned long dtable_base; /* Base addr of dbg table. */
int (*printf)(const char *fmt, ...);
unsigned long btable_base; /* Breakpoint table. */
unsigned long mpflushreqs; /* SMP cache flush request list. */
unsigned long ntab; /* Name table. */
unsigned long stab; /* Symbol table. */
int smax; /* Max # of symbols. */
Reported by FlawFinder.
Line: 96
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef struct linux_component pcomponent;
struct linux_sysid {
char vend[8], prod[8];
};
/* ARCS prom memory descriptors. */
enum arcs_memtypes {
arcs_eblock, /* exception block */
Reported by FlawFinder.
Line: 149
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Directory entry record with a fixed-size name buffer.
 *
 * NOTE(review): namelen is stored separately from the 32-byte fname array.
 * If it describes the length of fname (presumably - confirm), code that
 * uses it as a copy or scan length should bound it by sizeof(fname) first.
 */
struct linux_vdirent {
	ULONG namelen;
	unsigned char attr;
	char fname[32]; /* XXX empirical, should be a define */
};
/* Other stuff for files. */
enum linux_omode {
rdonly, wronly, rdwr, wronly_creat, rdwr_creat,
Reported by FlawFinder.
Line: 184
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum linux_devtypes dtype;
unsigned long namelen;
unsigned char attr;
char name[32]; /* XXX empirical, should be define */
};
/* This describes the vector containing function pointers to the ARC
firmware functions. */
struct linux_romvec {
Reported by FlawFinder.
Line: 223
Column: 7
CWE codes:
362
/* File type operations. */
LONG get_vdirent;
LONG open;
LONG close;
LONG read;
LONG get_rstatus;
LONG write;
LONG seek;
Reported by FlawFinder.
Line: 327
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define SGIBBLOCK_MAXPART 0x0004
struct sgi_bootblock {
unsigned char _unused[446];
struct sgi_partition partitions[SGIBBLOCK_MAXPART];
unsigned short magic;
};
/* BIOS parameter block. */
Reported by FlawFinder.
Line: 348
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct sgi_bsector {
unsigned char jmpinfo[3];
unsigned char manuf_name[8];
struct sgi_bparm_block info;
};
/* Debugging block used with SGI symmon symbolic debugger. */
Reported by FlawFinder.
Line: 349
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sgi_bsector {
unsigned char jmpinfo[3];
unsigned char manuf_name[8];
struct sgi_bparm_block info;
};
/* Debugging block used with SGI symmon symbolic debugger. */
#define SMB_DEBUG_MAGIC 0xfeeddead
Reported by FlawFinder.
arch/sparc/kernel/ldc.c
10 issues
Line: 168
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 state;
#define LDC_IRQ_NAME_MAX 32
char rx_irq_name[LDC_IRQ_NAME_MAX];
char tx_irq_name[LDC_IRQ_NAME_MAX];
struct hlist_head mh_list;
struct hlist_node list;
Reported by FlawFinder.
Line: 169
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define LDC_IRQ_NAME_MAX 32
char rx_irq_name[LDC_IRQ_NAME_MAX];
char tx_irq_name[LDC_IRQ_NAME_MAX];
struct hlist_head mh_list;
struct hlist_node list;
};
Reported by FlawFinder.
Line: 362
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p->stype = stype;
p->ctrl = ctrl;
if (data)
memcpy(p->u.u_data, data, dlen);
}
return p;
}
static int start_handshake(struct ldc_channel *lp)
Reported by FlawFinder.
Line: 1521
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!p)
return -EAGAIN;
memcpy(p, buf, size);
err = send_tx_packet(lp, p, new_tail);
if (!err)
err = size;
Reported by FlawFinder.
Line: 1554
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
p = lp->rx_base + (lp->rx_head / LDC_PACKET_SIZE);
memcpy(buf, p, LDC_PACKET_SIZE);
new = rx_advance(lp, lp->rx_head);
lp->rx_head = new;
err = __set_rx_head(lp, new);
Reported by FlawFinder.
Line: 1625
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p->env,
p->seqid);
memcpy(data, buf, data_len);
buf += data_len;
copied += data_len;
tail = tx_advance(lp, tail);
}
Reported by FlawFinder.
Line: 1866
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Ok, we are gonna eat this one. */
new = rx_advance(lp, new);
memcpy(buf,
(lp->cfg.mode == LDC_MODE_UNRELIABLE ?
p->u.u_data : p->u.r.r_data), pkt_len);
buf += pkt_len;
copied += pkt_len;
Reported by FlawFinder.
Line: 1924
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (size > lp->mssbuf_len)
size = lp->mssbuf_len;
memcpy(buf, lp->mssbuf + lp->mssbuf_off, size);
lp->mssbuf_off += size;
lp->mssbuf_len -= size;
return size;
Reported by FlawFinder.
Line: 96
Column: 8
CWE codes:
120
20
/*
 * Table of per-mode I/O hooks for an LDC channel.
 *
 * Both members are function pointers taking the channel, a buffer and an
 * unsigned int; elsewhere in this file read is invoked as
 * lp->mops->read(lp, buf, size). The members only share their names with
 * the read()/write() system calls.
 */
struct ldc_mode_ops {
	int (*write)(struct ldc_channel *, const void *, unsigned int);
	int (*read)(struct ldc_channel *, void *, unsigned int);
};
static const struct ldc_mode_ops raw_ops;
static const struct ldc_mode_ops nonraw_ops;
static const struct ldc_mode_ops stream_ops;
Reported by FlawFinder.
Line: 1979
Column: 19
CWE codes:
120
20
if (lp->hs_state != LDC_HS_COMPLETE)
err = -ENOTCONN;
else
err = lp->mops->read(lp, buf, size);
spin_unlock_irqrestore(&lp->lock, flags);
ldcdbg(RX, "%s: mode=%d, head=%lu, tail=%lu rv=%d\n", __func__,
lp->cfg.mode, lp->rx_head, lp->rx_tail, err);
Reported by FlawFinder.
arch/powerpc/include/asm/book3s/64/mmu-hash.h
10 issues
Line: 458
Column: 59
CWE codes:
362/367!
Suggestion:
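Set up the correct permissions (e.g., using setuid()) and try to open the file directly. The flagged column lands on the parameter name access in a function prototype; the excerpt contains no file-access call, so the file-permission advice does not apply to this line. The same holds for the other entries for this file whose flagged column is that parameter name.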
long hpte_insert_repeating(unsigned long hash, unsigned long vpn, unsigned long pa,
unsigned long rlags, unsigned long vflags, int psize, int ssize);
extern int __hash_page_4K(unsigned long ea, unsigned long access,
unsigned long vsid, pte_t *ptep, unsigned long trap,
unsigned long flags, int ssize, int subpage_prot);
extern int __hash_page_64K(unsigned long ea, unsigned long access,
unsigned long vsid, pte_t *ptep, unsigned long trap,
unsigned long flags, int ssize);
Reported by FlawFinder.
Line: 461
Column: 60
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
extern int __hash_page_4K(unsigned long ea, unsigned long access,
unsigned long vsid, pte_t *ptep, unsigned long trap,
unsigned long flags, int ssize, int subpage_prot);
extern int __hash_page_64K(unsigned long ea, unsigned long access,
unsigned long vsid, pte_t *ptep, unsigned long trap,
unsigned long flags, int ssize);
struct mm_struct;
unsigned int hash_page_do_lazy_icache(unsigned int pp, pte_t pte, int trap);
extern int hash_page_mm(struct mm_struct *mm, unsigned long ea,
Reported by FlawFinder.
Line: 467
Column: 18
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/* Forward declaration so the prototypes below can take a struct mm_struct pointer. */
struct mm_struct;
unsigned int hash_page_do_lazy_icache(unsigned int pp, pte_t pte, int trap);
/*
 * Review note: the reported position appears to be the `access`
 * parameter on the second line of the hash_page_mm prototype. It is an
 * unsigned long argument name; no access()-then-open sequence
 * (CWE-362/367) exists in a declaration.
 */
extern int hash_page_mm(struct mm_struct *mm, unsigned long ea,
unsigned long access, unsigned long trap,
unsigned long flags);
extern int hash_page(unsigned long ea, unsigned long access, unsigned long trap,
unsigned long dsisr);
void low_hash_fault(struct pt_regs *regs, unsigned long address, int rc);
int __hash_page(unsigned long trap, unsigned long ea, unsigned long dsisr, unsigned long msr);
Reported by FlawFinder.
Line: 469
Column: 54
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
extern int hash_page_mm(struct mm_struct *mm, unsigned long ea,
unsigned long access, unsigned long trap,
unsigned long flags);
/*
 * Review note: the reported position appears to be the `access`
 * parameter of hash_page. It names an unsigned long argument in a
 * prototype; the line makes no call and touches no file.
 */
extern int hash_page(unsigned long ea, unsigned long access, unsigned long trap,
unsigned long dsisr);
void low_hash_fault(struct pt_regs *regs, unsigned long address, int rc);
int __hash_page(unsigned long trap, unsigned long ea, unsigned long dsisr, unsigned long msr);
int __hash_page_huge(unsigned long ea, unsigned long access, unsigned long vsid,
pte_t *ptep, unsigned long trap, unsigned long flags,
Reported by FlawFinder.
Line: 473
Column: 54
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
unsigned long dsisr);
void low_hash_fault(struct pt_regs *regs, unsigned long address, int rc);
int __hash_page(unsigned long trap, unsigned long ea, unsigned long dsisr, unsigned long msr);
/*
 * Review note: the reported position appears to be the `access`
 * parameter of __hash_page_huge. It is an argument name in a
 * prototype, so the time-of-check/time-of-use concern (CWE-362/367)
 * has nothing to act on in this line.
 */
int __hash_page_huge(unsigned long ea, unsigned long access, unsigned long vsid,
pte_t *ptep, unsigned long trap, unsigned long flags,
int ssize, unsigned int shift, unsigned int mmu_psize);
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
extern int __hash_page_thp(unsigned long ea, unsigned long access,
unsigned long vsid, pmd_t *pmdp, unsigned long trap,
Reported by FlawFinder.
Line: 477
Column: 60
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
pte_t *ptep, unsigned long trap, unsigned long flags,
int ssize, unsigned int shift, unsigned int mmu_psize);
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
/*
 * Review note: the reported position appears to be the `access`
 * parameter of this prototype, declared under
 * CONFIG_TRANSPARENT_HUGEPAGE. It is an unsigned long argument name,
 * not a call to access().
 */
extern int __hash_page_thp(unsigned long ea, unsigned long access,
unsigned long vsid, pmd_t *pmdp, unsigned long trap,
unsigned long flags, int ssize, unsigned int psize);
#else
static inline int __hash_page_thp(unsigned long ea, unsigned long access,
unsigned long vsid, pmd_t *pmdp,
Reported by FlawFinder.
Line: 481
Column: 67
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
unsigned long vsid, pmd_t *pmdp, unsigned long trap,
unsigned long flags, int ssize, unsigned int psize);
#else
static inline int __hash_page_thp(unsigned long ea, unsigned long access,
unsigned long vsid, pmd_t *pmdp,
unsigned long trap, unsigned long flags,
int ssize, unsigned int psize)
{
BUG();
Reported by FlawFinder.
Line: 490
Column: 64
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return -1;
}
#endif
/*
 * Review note: the reported position appears to be the `access`
 * parameter of hash_failure_debug. It is an unsigned long argument
 * name in a prototype; no file is checked or opened here.
 */
extern void hash_failure_debug(unsigned long ea, unsigned long access,
unsigned long vsid, unsigned long trap,
int ssize, int psize, int lpsize,
unsigned long pte);
extern int htab_bolt_mapping(unsigned long vstart, unsigned long vend,
unsigned long pstart, unsigned long prot,
Reported by FlawFinder.
Line: 710
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 user_psize; /* page size index */
/* SLB page size encodings */
/*
 * Review note: low_slices_psize is a fixed-size byte array member
 * sized by LOW_SLICE_ARRAY_SZ. The declaration itself copies nothing;
 * what matters for CWE-119/120 is that every index or copy into the
 * array stays below that bound, and those accesses are not part of
 * this excerpt.
 */
unsigned char low_slices_psize[LOW_SLICE_ARRAY_SZ];
unsigned char high_slices_psize[SLICE_ARRAY_SIZE];
unsigned long slb_addr_limit;
#ifdef CONFIG_PPC_64K_PAGES
struct slice_mask mask_64k;
#endif
Reported by FlawFinder.
Line: 711
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* SLB page size encodings */
unsigned char low_slices_psize[LOW_SLICE_ARRAY_SZ];
/*
 * Review note: high_slices_psize is a fixed-size byte array member
 * sized by SLICE_ARRAY_SIZE. Declaring it is not a buffer write; the
 * review point is whether the code that indexes or fills it keeps
 * within SLICE_ARRAY_SIZE, which cannot be judged from this excerpt.
 */
unsigned char high_slices_psize[SLICE_ARRAY_SIZE];
unsigned long slb_addr_limit;
#ifdef CONFIG_PPC_64K_PAGES
struct slice_mask mask_64k;
#endif
struct slice_mask mask_4k;
Reported by FlawFinder.