The following issues were found
drivers/staging/ks7010/ks_hostif.c
39 issues
Line: 400
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
priv->wpa.mic_failure.last_failure_time = now;
/* needed parameters: count, keyid, key type, TSC */
sprintf(buf,
"MLME-MICHAELMICFAILURE.indication(keyid=%d %scast addr=%pM)",
key_index,
eth_hdr->h_dest[0] & 0x01 ? "broad" : "uni",
eth_hdr->h_source);
memset(&wrqu, 0, sizeof(wrqu));
Reported by FlawFinder.
Line: 117
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ether_addr_copy(ap->bssid, ap_info->bssid);
memcpy(ap->ssid.body, priv->reg.ssid.body,
priv->reg.ssid.size);
ap->ssid.size = priv->reg.ssid.size;
memcpy(ap->rate_set.body, ap_info->rate_set.body,
ap_info->rate_set.size);
ap->rate_set.size = ap_info->rate_set.size;
Reported by FlawFinder.
Line: 120
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ap->ssid.body, priv->reg.ssid.body,
priv->reg.ssid.size);
ap->ssid.size = priv->reg.ssid.size;
memcpy(ap->rate_set.body, ap_info->rate_set.body,
ap_info->rate_set.size);
ap->rate_set.size = ap_info->rate_set.size;
if (ap_info->ext_rate_set.size != 0) {
memcpy(&ap->rate_set.body[ap->rate_set.size],
ap_info->ext_rate_set.body,
Reported by FlawFinder.
Line: 124
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ap_info->rate_set.size);
ap->rate_set.size = ap_info->rate_set.size;
if (ap_info->ext_rate_set.size != 0) {
memcpy(&ap->rate_set.body[ap->rate_set.size],
ap_info->ext_rate_set.body,
ap_info->ext_rate_set.size);
ap->rate_set.size += ap_info->ext_rate_set.size;
}
ap->channel = ap_info->ds_parameter.channel;
Reported by FlawFinder.
Line: 140
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(priv->wpa.version == IW_AUTH_WPA_VERSION_WPA2)) {
ap->rsn_ie.id = RSN_INFO_ELEM_ID;
ap->rsn_ie.size = size;
memcpy(ap->rsn_ie.body, ap_info->rsn.body, size);
} else if ((ap_info->rsn_mode & RSN_MODE_WPA) &&
(priv->wpa.version == IW_AUTH_WPA_VERSION_WPA)) {
ap->wpa_ie.id = WPA_INFO_ELEM_ID;
ap->wpa_ie.size = size;
memcpy(ap->wpa_ie.body, ap_info->rsn.body, size);
Reported by FlawFinder.
Line: 145
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(priv->wpa.version == IW_AUTH_WPA_VERSION_WPA)) {
ap->wpa_ie.id = WPA_INFO_ELEM_ID;
ap->wpa_ie.size = size;
memcpy(ap->wpa_ie.body, ap_info->rsn.body, size);
} else {
ap->rsn_ie.id = 0;
ap->rsn_ie.size = 0;
ap->wpa_ie.id = 0;
ap->wpa_ie.size = 0;
Reported by FlawFinder.
Line: 192
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u8 size = (*(bp + 1) <= max) ? *(bp + 1) : max;
memcpy(body, bp + 2, size);
return size;
}
static int
michael_mic(u8 *key, u8 *data, unsigned int len, u8 priority, u8 *result)
Reported by FlawFinder.
Line: 287
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case WLAN_EID_EXT_SUPP_RATES:
if ((*(bp + 1) + ap->rate_set.size) <=
RATE_SET_MAX_SIZE) {
memcpy(&ap->rate_set.body[ap->rate_set.size],
bp + 2, *(bp + 1));
ap->rate_set.size += *(bp + 1);
} else {
memcpy(&ap->rate_set.body[ap->rate_set.size],
bp + 2,
Reported by FlawFinder.
Line: 291
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bp + 2, *(bp + 1));
ap->rate_set.size += *(bp + 1);
} else {
memcpy(&ap->rate_set.body[ap->rate_set.size],
bp + 2,
RATE_SET_MAX_SIZE - ap->rate_set.size);
ap->rate_set.size +=
(RATE_SET_MAX_SIZE - ap->rate_set.size);
}
Reported by FlawFinder.
Line: 339
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct ether_hdr *eth_hdr;
unsigned short eth_proto;
unsigned char recv_mic[MICHAEL_MIC_LEN];
char buf[128];
unsigned long now;
struct mic_failure *mic_failure;
u8 mic[MICHAEL_MIC_LEN];
union iwreq_data wrqu;
Reported by FlawFinder.
scripts/kconfig/confdata.c
39 issues
Line: 140
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return -1;
d = depfile_path + depfile_prefix_len;
strcpy(d, name);
/* Assume directory path already exists. */
fd = open(depfile_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
if (fd == -1) {
if (errno != ENOENT)
Reported by FlawFinder.
Line: 168
Column: 26
CWE codes:
134
Suggestion:
Use a constant for the format specification
};
static void conf_warning(const char *fmt, ...)
__attribute__ ((format (printf, 1, 2)));
static void conf_message(const char *fmt, ...)
__attribute__ ((format (printf, 1, 2)));
static const char *conf_filename;
Reported by FlawFinder.
Line: 171
Column: 26
CWE codes:
134
Suggestion:
Use a constant for the format specification
__attribute__ ((format (printf, 1, 2)));
static void conf_message(const char *fmt, ...)
__attribute__ ((format (printf, 1, 2)));
static const char *conf_filename;
static int conf_lineno, conf_warnings;
static void conf_warning(const char *fmt, ...)
Reported by FlawFinder.
Line: 181
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_list ap;
va_start(ap, fmt);
fprintf(stderr, "%s:%d:warning: ", conf_filename, conf_lineno);
vfprintf(stderr, fmt, ap);
fprintf(stderr, "\n");
va_end(ap);
conf_warnings++;
}
Reported by FlawFinder.
Line: 211
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_start(ap, fmt);
vsnprintf(buf, sizeof(buf), fmt, ap);
conf_message_callback(buf);
va_end(ap);
}
const char *conf_get_configname(void)
Reported by FlawFinder.
Line: 218
Column: 15
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
const char *conf_get_configname(void)
{
char *name = getenv("KCONFIG_CONFIG");
return name ? name : ".config";
}
static const char *conf_get_autoconfig_name(void)
Reported by FlawFinder.
Line: 225
Column: 15
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
static const char *conf_get_autoconfig_name(void)
{
char *name = getenv("KCONFIG_AUTOCONFIG");
return name ? name : "include/config/auto.conf";
}
static int conf_set_sym_val(struct symbol *sym, int def, int def_flags, char *p)
Reported by FlawFinder.
Line: 366
Column: 9
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
goto load;
conf_set_changed(true);
env = getenv("KCONFIG_DEFCONFIG_LIST");
if (!env)
return 1;
while (1) {
bool is_last;
Reported by FlawFinder.
Line: 866
Column: 8
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
if (make_parent_dir(name))
return -1;
env = getenv("KCONFIG_OVERWRITECONFIG");
if (env && *env) {
*tmpname = 0;
out = fopen(name, "w");
} else {
snprintf(tmpname, sizeof(tmpname), "%s.%d.tmp",
Reported by FlawFinder.
Line: 1097
Column: 9
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
fclose(out);
fclose(out_h);
name = getenv("KCONFIG_AUTOHEADER");
if (!name)
name = "include/generated/autoconf.h";
if (make_parent_dir(name))
return 1;
if (rename(".tmpconfig.h", name))
Reported by FlawFinder.
drivers/s390/crypto/zcrypt_msgtype50.c
39 issues
Line: 482
CWE codes:
562
ap_msg->receive = zcrypt_cex2a_receive;
ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
atomic_inc_return(&zcrypt_step);
ap_msg->private = &work;
rc = ICAMEX_msg_to_type50MEX_msg(zq, ap_msg, mex);
if (rc)
goto out;
init_completion(&work);
rc = ap_queue_message(zq->queue, ap_msg);
Reported by Cppcheck.
Line: 527
CWE codes:
562
ap_msg->receive = zcrypt_cex2a_receive;
ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
atomic_inc_return(&zcrypt_step);
ap_msg->private = &work;
rc = ICACRT_msg_to_type50CRT_msg(zq, ap_msg, crt);
if (rc)
goto out;
init_completion(&work);
rc = ap_queue_message(zq->queue, ap_msg);
Reported by Cppcheck.
Line: 74
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct type50_meb1_msg {
struct type50_hdr header;
unsigned short keyblock_type; /* 0x0001 */
unsigned char reserved[6];
unsigned char exponent[128];
unsigned char modulus[128];
unsigned char message[128];
} __packed;
Reported by FlawFinder.
Line: 75
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct type50_hdr header;
unsigned short keyblock_type; /* 0x0001 */
unsigned char reserved[6];
unsigned char exponent[128];
unsigned char modulus[128];
unsigned char message[128];
} __packed;
/* Mod-Exp, with a large modulus */
Reported by FlawFinder.
Line: 76
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short keyblock_type; /* 0x0001 */
unsigned char reserved[6];
unsigned char exponent[128];
unsigned char modulus[128];
unsigned char message[128];
} __packed;
/* Mod-Exp, with a large modulus */
struct type50_meb2_msg {
Reported by FlawFinder.
Line: 77
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char reserved[6];
unsigned char exponent[128];
unsigned char modulus[128];
unsigned char message[128];
} __packed;
/* Mod-Exp, with a large modulus */
struct type50_meb2_msg {
struct type50_hdr header;
Reported by FlawFinder.
Line: 84
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct type50_meb2_msg {
struct type50_hdr header;
unsigned short keyblock_type; /* 0x0002 */
unsigned char reserved[6];
unsigned char exponent[256];
unsigned char modulus[256];
unsigned char message[256];
} __packed;
Reported by FlawFinder.
Line: 85
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct type50_hdr header;
unsigned short keyblock_type; /* 0x0002 */
unsigned char reserved[6];
unsigned char exponent[256];
unsigned char modulus[256];
unsigned char message[256];
} __packed;
/* Mod-Exp, with a larger modulus */
Reported by FlawFinder.
Line: 86
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short keyblock_type; /* 0x0002 */
unsigned char reserved[6];
unsigned char exponent[256];
unsigned char modulus[256];
unsigned char message[256];
} __packed;
/* Mod-Exp, with a larger modulus */
struct type50_meb3_msg {
Reported by FlawFinder.
Line: 87
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char reserved[6];
unsigned char exponent[256];
unsigned char modulus[256];
unsigned char message[256];
} __packed;
/* Mod-Exp, with a larger modulus */
struct type50_meb3_msg {
struct type50_hdr header;
Reported by FlawFinder.
usr/gen_init_cpio.c
39 issues
Line: 78
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char s[256];
const char name[] = "TRAILER!!!";
sprintf(s, "%s%08X%08X%08lX%08lX%08X%08lX"
"%08X%08X%08X%08X%08X%08X%08X",
"070701", /* magic */
0, /* ino */
0, /* mode */
(long) 0, /* uid */
Reported by FlawFinder.
Line: 110
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (name[0] == '/')
name++;
sprintf(s,"%s%08X%08X%08lX%08lX%08X%08lX"
"%08X%08X%08X%08X%08X%08X%08X",
"070701", /* magic */
ino++, /* ino */
S_IFLNK | mode, /* mode */
(long) uid, /* uid */
Reported by FlawFinder.
Line: 159
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (name[0] == '/')
name++;
sprintf(s,"%s%08X%08X%08lX%08lX%08X%08lX"
"%08X%08X%08X%08X%08X%08X%08X",
"070701", /* magic */
ino++, /* ino */
mode, /* mode */
(long) uid, /* uid */
Reported by FlawFinder.
Line: 253
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (name[0] == '/')
name++;
sprintf(s,"%s%08X%08X%08lX%08lX%08X%08lX"
"%08X%08X%08X%08X%08X%08X%08X",
"070701", /* magic */
ino++, /* ino */
mode, /* mode */
(long) uid, /* uid */
Reported by FlawFinder.
Line: 343
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (name[0] == '/')
name++;
namesize = strlen(name) + 1;
sprintf(s,"%s%08X%08X%08lX%08lX%08X%08lX"
"%08lX%08X%08X%08X%08X%08X%08X",
"070701", /* magic */
ino, /* ino */
mode, /* mode */
(long) uid, /* uid */
Reported by FlawFinder.
Line: 394
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
var = getenv(start + 2);
snprintf(expanded, sizeof expanded, "%s%s%s",
new_location, var ? var : "", end + 1);
strcpy(new_location, expanded);
}
return new_location;
}
Reported by FlawFinder.
Line: 391
Column: 9
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
while ((start = strstr(new_location, "${")) &&
(end = strchr(start + 2, '}'))) {
*start = *end = 0;
var = getenv(start + 2);
snprintf(expanded, sizeof expanded, "%s%s%s",
new_location, var ? var : "", end + 1);
strcpy(new_location, expanded);
}
Reported by FlawFinder.
Line: 532
Column: 13
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
default_mtime = time(NULL);
while (1) {
int opt = getopt(argc, argv, "t:h");
char *invalid;
if (opt == -1)
break;
switch (opt) {
Reported by FlawFinder.
Line: 75
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void cpio_trailer(void)
{
char s[256];
const char name[] = "TRAILER!!!";
sprintf(s, "%s%08X%08X%08lX%08lX%08X%08lX"
"%08X%08X%08X%08X%08X%08X%08X",
"070701", /* magic */
Reported by FlawFinder.
Line: 106
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int cpio_mkslink(const char *name, const char *target,
unsigned int mode, uid_t uid, gid_t gid)
{
char s[256];
if (name[0] == '/')
name++;
sprintf(s,"%s%08X%08X%08lX%08lX%08X%08lX"
"%08X%08X%08X%08X%08X%08X%08X",
Reported by FlawFinder.
sound/pci/hda/patch_ca0132.c
39 issues
Line: 4236
CWE codes:
788
break;
snd_hda_power_up(codec);
dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
ca0132_tuning_ctls[i].req,
&(lookup[idx]), sizeof(unsigned int));
snd_hda_power_down(codec);
return 1;
Reported by Cppcheck.
Line: 4237
CWE codes:
788
snd_hda_power_up(codec);
dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
ca0132_tuning_ctls[i].req,
&(lookup[idx]), sizeof(unsigned int));
snd_hda_power_down(codec);
return 1;
}
Reported by Cppcheck.
Line: 4401
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
knew.private_value =
HDA_COMPOSE_AMP_VAL(nid, 1, 0, type);
sprintf(namestr, "%s %s Volume", name, dirstr[dir]);
return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec));
}
static int add_tuning_ctls(struct hda_codec *codec)
{
Reported by FlawFinder.
Line: 5786
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
uinfo->value.enumerated.items = MIC_BOOST_NUM_OF_STEPS;
if (uinfo->value.enumerated.item >= MIC_BOOST_NUM_OF_STEPS)
uinfo->value.enumerated.item = MIC_BOOST_NUM_OF_STEPS - 1;
sprintf(namestr, "%d %s", (uinfo->value.enumerated.item * 10), sfx);
strcpy(uinfo->value.enumerated.name, namestr);
return 0;
}
static int ca0132_alt_mic_boost_get(struct snd_kcontrol *kcontrol,
Reported by FlawFinder.
Line: 5787
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (uinfo->value.enumerated.item >= MIC_BOOST_NUM_OF_STEPS)
uinfo->value.enumerated.item = MIC_BOOST_NUM_OF_STEPS - 1;
sprintf(namestr, "%d %s", (uinfo->value.enumerated.item * 10), sfx);
strcpy(uinfo->value.enumerated.name, namestr);
return 0;
}
static int ca0132_alt_mic_boost_get(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
Reported by FlawFinder.
Line: 5838
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
uinfo->value.enumerated.items = AE5_HEADPHONE_GAIN_MAX;
if (uinfo->value.enumerated.item >= AE5_HEADPHONE_GAIN_MAX)
uinfo->value.enumerated.item = AE5_HEADPHONE_GAIN_MAX - 1;
sprintf(namestr, "%s %s",
ae5_headphone_gain_presets[uinfo->value.enumerated.item].name,
sfx);
strcpy(uinfo->value.enumerated.name, namestr);
return 0;
}
Reported by FlawFinder.
Line: 5841
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
sprintf(namestr, "%s %s",
ae5_headphone_gain_presets[uinfo->value.enumerated.item].name,
sfx);
strcpy(uinfo->value.enumerated.name, namestr);
return 0;
}
static int ae5_headphone_gain_get(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
Reported by FlawFinder.
Line: 5892
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
uinfo->value.enumerated.items = AE5_SOUND_FILTER_MAX;
if (uinfo->value.enumerated.item >= AE5_SOUND_FILTER_MAX)
uinfo->value.enumerated.item = AE5_SOUND_FILTER_MAX - 1;
sprintf(namestr, "%s",
ae5_filter_presets[uinfo->value.enumerated.item].name);
strcpy(uinfo->value.enumerated.name, namestr);
return 0;
}
Reported by FlawFinder.
Line: 5894
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
uinfo->value.enumerated.item = AE5_SOUND_FILTER_MAX - 1;
sprintf(namestr, "%s",
ae5_filter_presets[uinfo->value.enumerated.item].name);
strcpy(uinfo->value.enumerated.name, namestr);
return 0;
}
static int ae5_sound_filter_get(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
Reported by FlawFinder.
Line: 5943
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
uinfo->value.enumerated.items = IN_SRC_NUM_OF_INPUTS;
if (uinfo->value.enumerated.item >= IN_SRC_NUM_OF_INPUTS)
uinfo->value.enumerated.item = IN_SRC_NUM_OF_INPUTS - 1;
strcpy(uinfo->value.enumerated.name,
in_src_str[uinfo->value.enumerated.item]);
return 0;
}
static int ca0132_alt_input_source_get(struct snd_kcontrol *kcontrol,
Reported by FlawFinder.
drivers/net/sb1000.c
39 issues
Line: 73
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int rx_frames;
short rx_error_count;
short rx_error_dpc_count;
unsigned char rx_session_id[NPIDS];
unsigned char rx_frame_id[NPIDS];
unsigned char rx_pkt_type[NPIDS];
};
/* prototypes for Linux interface */
Reported by FlawFinder.
Line: 74
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
short rx_error_count;
short rx_error_dpc_count;
unsigned char rx_session_id[NPIDS];
unsigned char rx_frame_id[NPIDS];
unsigned char rx_pkt_type[NPIDS];
};
/* prototypes for Linux interface */
extern int sb1000_probe(struct net_device *dev);
Reported by FlawFinder.
Line: 75
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
short rx_error_dpc_count;
unsigned char rx_session_id[NPIDS];
unsigned char rx_frame_id[NPIDS];
unsigned char rx_pkt_type[NPIDS];
};
/* prototypes for Linux interface */
extern int sb1000_probe(struct net_device *dev);
static int sb1000_open(struct net_device *dev);
Reported by FlawFinder.
Line: 439
Column: 24
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void
sb1000_issue_read_command(const int ioaddr[], const char* name)
{
static const unsigned char Command0[6] = {0x20, 0x00, 0x00, 0x01, 0x00, 0x00};
sb1000_wait_for_ready_clear(ioaddr, name);
outb(0xa0, ioaddr[0] + 6);
sb1000_send_command(ioaddr, name, Command0);
}
Reported by FlawFinder.
Line: 454
Column: 24
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int
sb1000_reset(const int ioaddr[], const char* name)
{
static const unsigned char Command0[6] = {0x80, 0x16, 0x00, 0x00, 0x00, 0x00};
unsigned char st[7];
int port, status;
port = ioaddr[1] + 6;
Reported by FlawFinder.
Line: 456
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
static const unsigned char Command0[6] = {0x80, 0x16, 0x00, 0x00, 0x00, 0x00};
unsigned char st[7];
int port, status;
port = ioaddr[1] + 6;
outb(0x4, port);
inb(port);
Reported by FlawFinder.
Line: 484
Column: 24
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int
sb1000_check_CRC(const int ioaddr[], const char* name)
{
static const unsigned char Command0[6] = {0x80, 0x1f, 0x00, 0x00, 0x00, 0x00};
unsigned char st[7];
int status;
/* check CRC */
Reported by FlawFinder.
Line: 486
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
static const unsigned char Command0[6] = {0x80, 0x1f, 0x00, 0x00, 0x00, 0x00};
unsigned char st[7];
int status;
/* check CRC */
if ((status = card_send_command(ioaddr, name, Command0, st)))
return status;
Reported by FlawFinder.
Line: 500
Column: 24
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline int
sb1000_start_get_set_command(const int ioaddr[], const char* name)
{
static const unsigned char Command0[6] = {0x80, 0x1b, 0x00, 0x00, 0x00, 0x00};
unsigned char st[7];
return card_send_command(ioaddr, name, Command0, st);
}
Reported by FlawFinder.
Line: 502
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
static const unsigned char Command0[6] = {0x80, 0x1b, 0x00, 0x00, 0x00, 0x00};
unsigned char st[7];
return card_send_command(ioaddr, name, Command0, st);
}
static int
Reported by FlawFinder.
drivers/net/wireless/intel/iwlegacy/4965-mac.c
39 issues
Line: 4686
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -ENOENT;
}
sprintf(il->firmware_name, "%s%s%s", name_pre, tag, ".ucode");
D_INFO("attempting to load firmware '%s'\n", il->firmware_name);
return request_firmware_nowait(THIS_MODULE, 1, il->firmware_name,
&il->pci_dev->dev, GFP_KERNEL, il,
Reported by FlawFinder.
Line: 603
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
il_update_stats(il, false, fc, len);
memcpy(IEEE80211_SKB_RXCB(skb), stats, sizeof(*stats));
ieee80211_rx(il->hw, skb);
}
/* Called for N_RX (legacy ABG frames), or
Reported by FlawFinder.
Line: 750
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct il_rx_pkt *pkt = rxb_addr(rxb);
il->_4965.last_phy_res_valid = true;
il->_4965.ampdu_ref++;
memcpy(&il->_4965.last_phy_res, pkt->u.raw,
sizeof(struct il_rx_phy_res));
}
static int
il4965_get_channels_for_scan(struct il_priv *il, struct ieee80211_vif *vif,
Reported by FlawFinder.
Line: 919
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
scan->direct_scan[p].id = WLAN_EID_SSID;
scan->direct_scan[p].len =
il->scan_request->ssids[i].ssid_len;
memcpy(scan->direct_scan[p].ssid,
il->scan_request->ssids[i].ssid,
il->scan_request->ssids[i].ssid_len);
n_probes++;
p++;
}
Reported by FlawFinder.
Line: 1606
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (keyconf->cipher) {
case WLAN_CIPHER_SUITE_CCMP:
tx_cmd->sec_ctl = TX_CMD_SEC_CCM;
memcpy(tx_cmd->key, keyconf->key, keyconf->keylen);
if (info->flags & IEEE80211_TX_CTL_AMPDU)
tx_cmd->tx_flags |= TX_CMD_FLG_AGG_CCMP_MSK;
D_TX("tx_cmd with AES hwcrypto\n");
break;
Reported by FlawFinder.
Line: 1626
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(TX_CMD_SEC_WEP | (keyconf->keyidx & TX_CMD_SEC_MSK) <<
TX_CMD_SEC_SHIFT);
memcpy(&tx_cmd->key[3], keyconf->key, keyconf->keylen);
D_TX("Configuring packet for WEP encryption " "with key %d\n",
keyconf->keyidx);
break;
Reported by FlawFinder.
Line: 1787
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(QUEUE_TO_SEQ(txq_id) | IDX_TO_SEQ(q->write_ptr)));
/* Copy MAC header from skb into command buffer */
memcpy(tx_cmd->hdr, hdr, hdr_len);
/* Total # bytes to be transmitted */
tx_cmd->len = cpu_to_le16((u16) skb->len);
if (info->control.hw_key)
Reported by FlawFinder.
Line: 3151
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wep_cmd->key[i].key_offset = WEP_INVALID_OFFSET;
wep_cmd->key[i].key_size = key_size;
memcpy(&wep_cmd->key[i].key[3], il->_4965.wep_keys[i].key, key_size);
}
wep_cmd->global_key_type = WEP_KEY_WEP_TYPE;
wep_cmd->num_keys = WEP_KEYS_MAX;
Reported by FlawFinder.
Line: 3217
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
il->stations[IL_AP_ID].keyinfo.cipher = keyconf->cipher;
il->_4965.wep_keys[idx].key_size = len;
memcpy(&il->_4965.wep_keys[idx].key, &keyconf->key, len);
ret = il4965_static_wepkey_cmd(il, false);
D_WEP("Set default WEP key: len=%d idx=%d ret=%d\n", len, idx, ret);
return ret;
Reported by FlawFinder.
Line: 3253
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
il->stations[sta_id].keyinfo.keylen = keyconf->keylen;
il->stations[sta_id].keyinfo.keyidx = keyconf->keyidx;
memcpy(il->stations[sta_id].keyinfo.key, keyconf->key, keyconf->keylen);
memcpy(&il->stations[sta_id].sta.key.key[3], keyconf->key,
keyconf->keylen);
if ((il->stations[sta_id].sta.key.
Reported by FlawFinder.
tools/testing/selftests/cgroup/cgroup_util.c
39 issues
Line: 27
Column: 7
CWE codes:
362
ssize_t len;
int fd;
fd = open(path, O_RDONLY);
if (fd < 0)
return fd;
len = read(fd, buf, max_len - 1);
if (len < 0)
Reported by FlawFinder.
Line: 45
Column: 7
CWE codes:
362
{
int fd;
fd = open(path, O_WRONLY | O_APPEND);
if (fd < 0)
return fd;
len = write(fd, buf, len);
if (len < 0) {
Reported by FlawFinder.
Line: 92
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int cg_read(const char *cgroup, const char *control, char *buf, size_t len)
{
char path[PATH_MAX];
snprintf(path, sizeof(path), "%s/%s", cgroup, control);
if (read_text(path, buf, len) >= 0)
return 0;
Reported by FlawFinder.
Line: 131
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int cg_read_strstr(const char *cgroup, const char *control, const char *needle)
{
char buf[PAGE_SIZE];
if (cg_read(cgroup, control, buf, sizeof(buf)))
return -1;
return strstr(buf, needle) ? 0 : -1;
Reported by FlawFinder.
Line: 141
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
long cg_read_long(const char *cgroup, const char *control)
{
char buf[128];
if (cg_read(cgroup, control, buf, sizeof(buf)))
return -1;
return atol(buf);
Reported by FlawFinder.
Line: 146
Column: 9
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
if (cg_read(cgroup, control, buf, sizeof(buf)))
return -1;
return atol(buf);
}
long cg_read_key_long(const char *cgroup, const char *control, const char *key)
{
char buf[PAGE_SIZE];
Reported by FlawFinder.
Line: 151
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
long cg_read_key_long(const char *cgroup, const char *control, const char *key)
{
char buf[PAGE_SIZE];
char *ptr;
if (cg_read(cgroup, control, buf, sizeof(buf)))
return -1;
Reported by FlawFinder.
Line: 161
Column: 9
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
if (!ptr)
return -1;
return atol(ptr + strlen(key));
}
long cg_read_lc(const char *cgroup, const char *control)
{
char buf[PAGE_SIZE];
Reported by FlawFinder.
Line: 166
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
long cg_read_lc(const char *cgroup, const char *control)
{
char buf[PAGE_SIZE];
const char delim[] = "\n";
char *line;
long cnt = 0;
if (cg_read(cgroup, control, buf, sizeof(buf)))
Reported by FlawFinder.
Line: 182
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int cg_write(const char *cgroup, const char *control, char *buf)
{
char path[PATH_MAX];
ssize_t len = strlen(buf);
snprintf(path, sizeof(path), "%s/%s", cgroup, control);
if (write_text(path, buf, len) == len)
Reported by FlawFinder.
drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c
39 issues
Line: 27
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* tar header as defined in POSIX 1003.1-1990. */
struct tar_hdr_t {
char name[100];
char mode[8];
char uid[8];
char gid[8];
char size[12];
char mtime[12];
Reported by FlawFinder.
Line: 28
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* tar header as defined in POSIX 1003.1-1990. */
struct tar_hdr_t {
char name[100];
char mode[8];
char uid[8];
char gid[8];
char size[12];
char mtime[12];
char chksum[8];
Reported by FlawFinder.
Line: 29
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tar_hdr_t {
char name[100];
char mode[8];
char uid[8];
char gid[8];
char size[12];
char mtime[12];
char chksum[8];
char typeflag;
Reported by FlawFinder.
Line: 30
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char name[100];
char mode[8];
char uid[8];
char gid[8];
char size[12];
char mtime[12];
char chksum[8];
char typeflag;
char linkname[100];
Reported by FlawFinder.
Line: 31
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char mode[8];
char uid[8];
char gid[8];
char size[12];
char mtime[12];
char chksum[8];
char typeflag;
char linkname[100];
char magic[6];
Reported by FlawFinder.
Line: 32
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char uid[8];
char gid[8];
char size[12];
char mtime[12];
char chksum[8];
char typeflag;
char linkname[100];
char magic[6];
char version[2];
Reported by FlawFinder.
Line: 33
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char gid[8];
char size[12];
char mtime[12];
char chksum[8];
char typeflag;
char linkname[100];
char magic[6];
char version[2];
char uname[32];
Reported by FlawFinder.
Line: 35
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char mtime[12];
char chksum[8];
char typeflag;
char linkname[100];
char magic[6];
char version[2];
char uname[32];
char gname[32];
char devmajor[8];
Reported by FlawFinder.
Line: 36
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char chksum[8];
char typeflag;
char linkname[100];
char magic[6];
char version[2];
char uname[32];
char gname[32];
char devmajor[8];
char devminor[8];
Reported by FlawFinder.
Line: 37
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char typeflag;
char linkname[100];
char magic[6];
char version[2];
char uname[32];
char gname[32];
char devmajor[8];
char devminor[8];
char prefix[155];
Reported by FlawFinder.
drivers/s390/crypto/zcrypt_msgtype6.c
38 issues
Line: 1041
CWE codes:
562
ap_msg->receive = zcrypt_msgtype6_receive;
ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
atomic_inc_return(&zcrypt_step);
ap_msg->private = &resp_type;
rc = ICAMEX_msg_to_type6MEX_msgX(zq, ap_msg, mex);
if (rc)
goto out_free;
init_completion(&resp_type.work);
rc = ap_queue_message(zq->queue, ap_msg);
Reported by Cppcheck.
Line: 1089
CWE codes:
562
ap_msg->receive = zcrypt_msgtype6_receive;
ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
atomic_inc_return(&zcrypt_step);
ap_msg->private = &resp_type;
rc = ICACRT_msg_to_type6CRT_msgX(zq, ap_msg, crt);
if (rc)
goto out_free;
init_completion(&resp_type.work);
rc = ap_queue_message(zq->queue, ap_msg);
Reported by Cppcheck.
Line: 63
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short cprb_len; /* CPRB length */
unsigned char cprb_ver_id; /* CPRB version id. */
unsigned char pad_000; /* Alignment pad byte. */
unsigned char srpi_rtcode[4]; /* SRPI return code LELONG */
unsigned char srpi_verb; /* SRPI verb type */
unsigned char flags; /* flags */
unsigned char func_id[2]; /* function id */
unsigned char checkpoint_flag; /* */
unsigned char resv2; /* reserved */
Reported by FlawFinder.
Line: 66
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char srpi_rtcode[4]; /* SRPI return code LELONG */
unsigned char srpi_verb; /* SRPI verb type */
unsigned char flags; /* flags */
unsigned char func_id[2]; /* function id */
unsigned char checkpoint_flag; /* */
unsigned char resv2; /* reserved */
unsigned short req_parml; /* request parameter buffer */
/* length 16-bit little endian */
unsigned char req_parmp[4]; /* request parameter buffer *
Reported by FlawFinder.
Line: 71
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char resv2; /* reserved */
unsigned short req_parml; /* request parameter buffer */
/* length 16-bit little endian */
unsigned char req_parmp[4]; /* request parameter buffer *
* pointer (means nothing: the *
* parameter buffer follows *
* the CPRB). */
unsigned char req_datal[4]; /* request data buffer */
/* length ULELONG */
Reported by FlawFinder.
Line: 75
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* pointer (means nothing: the *
* parameter buffer follows *
* the CPRB). */
unsigned char req_datal[4]; /* request data buffer */
/* length ULELONG */
unsigned char req_datap[4]; /* request data buffer */
/* pointer */
unsigned short rpl_parml; /* reply parameter buffer */
/* length 16-bit little endian */
Reported by FlawFinder.
Line: 77
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* the CPRB). */
unsigned char req_datal[4]; /* request data buffer */
/* length ULELONG */
unsigned char req_datap[4]; /* request data buffer */
/* pointer */
unsigned short rpl_parml; /* reply parameter buffer */
/* length 16-bit little endian */
unsigned char pad_001[2]; /* Alignment pad bytes. ULESHORT */
unsigned char rpl_parmp[4]; /* reply parameter buffer *
Reported by FlawFinder.
Line: 81
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* pointer */
unsigned short rpl_parml; /* reply parameter buffer */
/* length 16-bit little endian */
unsigned char pad_001[2]; /* Alignment pad bytes. ULESHORT */
unsigned char rpl_parmp[4]; /* reply parameter buffer *
* pointer (means nothing: the *
* parameter buffer follows *
* the CPRB). */
unsigned char rpl_datal[4]; /* reply data buffer len ULELONG */
Reported by FlawFinder.
Line: 82
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short rpl_parml; /* reply parameter buffer */
/* length 16-bit little endian */
unsigned char pad_001[2]; /* Alignment pad bytes. ULESHORT */
unsigned char rpl_parmp[4]; /* reply parameter buffer *
* pointer (means nothing: the *
* parameter buffer follows *
* the CPRB). */
unsigned char rpl_datal[4]; /* reply data buffer len ULELONG */
unsigned char rpl_datap[4]; /* reply data buffer */
Reported by FlawFinder.
Line: 86
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* pointer (means nothing: the *
* parameter buffer follows *
* the CPRB). */
unsigned char rpl_datal[4]; /* reply data buffer len ULELONG */
unsigned char rpl_datap[4]; /* reply data buffer */
/* pointer */
unsigned short ccp_rscode; /* server reason code ULESHORT */
unsigned short ccp_rtcode; /* server return code ULESHORT */
unsigned char repd_parml[2]; /* replied parameter len ULESHORT*/
Reported by FlawFinder.