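The following issues were reported by FlawFinder. Each entry gives the file, line, column and CWE codes, the tool's suggestion where it has one, and a source excerpt around the flagged line. FlawFinder matches risky function names and declarations, so every hit needs manual review against the surrounding code.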
drivers/of/fdt.c
9 issues
Line: 197
Column: 4
CWE codes:
120 (Buffer Copy without Checking Size of Input)
Suggestion:
Make sure destination can always hold the source data
pp->value = pp + 1;
*pprev = pp;
pprev = &pp->next;
memcpy(pp->value, ps, len - 1);
((char *)pp->value)[len - 1] = 0;
pr_debug("fixed up name for %s -> %s\n",
nodename, (char *)pp->value);
}
}
Reported by FlawFinder.
Line: 234
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
of_node_init(np);
np->full_name = fn = ((char *)np) + sizeof(*np);
memcpy(fn, pathp, len);
if (dad != NULL) {
np->parent = dad;
np->sibling = dad->child;
dad->child = np;
Reported by FlawFinder.
Line: 1077
Column: 9
CWE codes:
119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
strlcpy(data, CONFIG_CMDLINE, COMMAND_LINE_SIZE);
#else
/* No arguments from boot loader, use kernel's cmdl*/
if (!((char *)data)[0])
strlcpy(data, CONFIG_CMDLINE, COMMAND_LINE_SIZE);
#endif
#endif /* CONFIG_CMDLINE */
pr_debug("Command line is: %s\n", (char *)data);
Reported by FlawFinder.
Line: 1271
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
roundup_pow_of_two(FDT_V17_SIZE));
if (dt) {
memcpy(dt, initial_boot_params, size);
initial_boot_params = dt;
}
unflatten_device_tree();
}
Reported by FlawFinder.
Line: 1282
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct bin_attribute *bin_attr,
char *buf, loff_t off, size_t count)
{
memcpy(buf, initial_boot_params + off, count);
return count;
}
static int __init of_fdt_raw_init(void)
{
Reported by FlawFinder.
Line: 744
Column: 33
CWE codes:
126 (Buffer Over-read)
return 0;
while (cplen > 0) {
score++;
if (of_compat_cmp(cp, compat, strlen(compat)) == 0)
return score;
l = strlen(cp) + 1;
cp += l;
cplen -= l;
}
Reported by FlawFinder.
Line: 746
Column: 7
CWE codes:
126
score++;
if (of_compat_cmp(cp, compat, strlen(compat)) == 0)
return score;
l = strlen(cp) + 1;
cp += l;
cplen -= l;
}
return 0;
Reported by FlawFinder.
Line: 848
Column: 13
CWE codes:
126
if (prop) {
while (size > 0) {
printk("'%s' ", prop);
size -= strlen(prop) + 1;
prop += strlen(prop) + 1;
}
}
printk("]\n\n");
return NULL;
Reported by FlawFinder.
Line: 849
Column: 13
CWE codes:
126
while (size > 0) {
printk("'%s' ", prop);
size -= strlen(prop) + 1;
prop += strlen(prop) + 1;
}
}
printk("]\n\n");
return NULL;
}
Reported by FlawFinder.
drivers/net/wireless/marvell/mwifiex/usb.c
9 issues
Line: 1313
Column: 3
CWE codes:
120
Suggestion:
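Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). In this excerpt the source appears to be a constant macro, so the copy is safe as long as adapter->fw_name is at least as large as that firmware-name string. strcpy_s is not available in kernel code, where strscpy() is the bounded helper.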
case USB8997_PID_1:
case USB8997_PID_2:
adapter->tx_buf_size = MWIFIEX_TX_DATA_BUF_SIZE_4K;
strcpy(adapter->fw_name, USB8997_DEFAULT_FW_NAME);
adapter->ext_scan = true;
break;
case USB8766_PID_1:
case USB8766_PID_2:
adapter->tx_buf_size = MWIFIEX_TX_DATA_BUF_SIZE_2K;
Reported by FlawFinder.
Line: 1319
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
case USB8766_PID_1:
case USB8766_PID_2:
adapter->tx_buf_size = MWIFIEX_TX_DATA_BUF_SIZE_2K;
strcpy(adapter->fw_name, USB8766_DEFAULT_FW_NAME);
adapter->ext_scan = true;
break;
case USB8801_PID_1:
case USB8801_PID_2:
adapter->tx_buf_size = MWIFIEX_TX_DATA_BUF_SIZE_2K;
Reported by FlawFinder.
Line: 1325
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
case USB8801_PID_1:
case USB8801_PID_2:
adapter->tx_buf_size = MWIFIEX_TX_DATA_BUF_SIZE_2K;
strcpy(adapter->fw_name, USB8801_DEFAULT_FW_NAME);
adapter->ext_scan = false;
break;
case USB8797_PID_1:
case USB8797_PID_2:
default:
Reported by FlawFinder.
Line: 1332
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
case USB8797_PID_2:
default:
adapter->tx_buf_size = MWIFIEX_TX_DATA_BUF_SIZE_2K;
strcpy(adapter->fw_name, USB8797_DEFAULT_FW_NAME);
break;
}
adapter->usb_mc_status = false;
adapter->usb_mc_setup = false;
Reported by FlawFinder.
Line: 124
Column: 4
CWE codes:
120
Suggestion:
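Make sure destination can always hold the source data. In this excerpt the source pointer is advanced by MWIFIEX_EVENT_HEADER_LEN while the length is still skb->len; whether the read stays inside the skb data and the write inside adapter->event_body depends on checks outside the excerpt.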
goto exit_restore_skb;
}
memcpy(adapter->event_body, skb->data +
MWIFIEX_EVENT_HEADER_LEN, skb->len);
adapter->event_received = true;
adapter->event_skb = skb;
break;
Reported by FlawFinder.
Line: 906
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* padding for aligning next packet header*/
pad = (align - (skb_tmp->len & (align - 1))) % align;
payload = skb_put(skb_aggr, skb_tmp->len + pad);
memcpy(payload, skb_tmp->data, skb_tmp->len);
if (skb_queue_empty(&port->tx_aggr.aggr_list)) {
/* do not padding for last packet*/
*(u16 *)payload = cpu_to_le16(skb_tmp->len);
*(u16 *)&payload[2] =
cpu_to_le16(MWIFIEX_TYPE_AGGR_DATA_V2 | 0x80);
Reported by FlawFinder.
Line: 1414
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dlen = 0;
} else {
/* copy the header of the fw_data to get the length */
memcpy(&fwdata->fw_hdr, &firmware[tlen],
sizeof(struct fw_header));
dlen = le32_to_cpu(fwdata->fw_hdr.data_len);
dnld_cmd = le32_to_cpu(fwdata->fw_hdr.dnld_cmd);
tlen += sizeof(struct fw_header);
Reported by FlawFinder.
Line: 1425
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dnld_cmd == FW_CMD_7)
dlen = 0;
memcpy(fwdata->data, &firmware[tlen], dlen);
fwdata->seq_num = cpu_to_le32(fw_seqnum);
tlen += dlen;
}
Reported by FlawFinder.
Line: 1461
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
continue;
}
memcpy(&sync_fw, recv_buff,
sizeof(struct fw_sync_header));
/* check 1st firmware block resp for highest bit set */
if (check_winner) {
if (le32_to_cpu(sync_fw.cmd) & 0x80000000) {
Reported by FlawFinder.
drivers/net/wireless/zydas/zd1211rw/zd_usb.c
9 issues
Line: 156
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_dbg_f(&udev->dev, "transfer size %zu\n", transfer_size);
memcpy(p, data, transfer_size);
r = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
USB_REQ_FIRMWARE_DOWNLOAD,
USB_DIR_OUT | USB_TYPE_VENDOR,
code_offset, 0, p, transfer_size, 1000 /* ms */);
if (r < 0) {
Reported by FlawFinder.
Line: 232
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct firmware *ur_fw = NULL;
int offset;
int r = 0;
char fw_name[128];
r = request_fw_file(&ur_fw,
get_fw_name(usb, fw_name, sizeof(fw_name), "ur"),
&udev->dev);
if (r)
Reported by FlawFinder.
Line: 266
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct usb_device *udev = zd_usb_to_usbdev(usb);
const struct firmware *ub_fw = NULL;
const struct firmware *uph_fw = NULL;
char fw_name[128];
bcdDevice = get_bcdDevice(udev);
r = request_fw_file(&ub_fw,
get_fw_name(usb, fw_name, sizeof(fw_name), "ub"),
Reported by FlawFinder.
Line: 350
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto exit;
}
r = 0;
memcpy(data, buf, len);
exit:
kfree(buf);
return r;
}
Reported by FlawFinder.
Line: 387
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (int_num == CR_INTERRUPT) {
struct zd_mac *mac = zd_hw_mac(zd_usb_to_hw(urb->context));
spin_lock(&mac->lock);
memcpy(&mac->intr_buffer, urb->transfer_buffer,
USB_MAX_EP_INT_BUFFER);
spin_unlock(&mac->lock);
schedule_work(&mac->process_intr);
} else if (atomic_read(&intr->read_regs_enabled)) {
len = urb->actual_length;
Reported by FlawFinder.
Line: 397
Column: 3
CWE codes:
120
Suggestion:
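Make sure destination can always hold the source data. In this excerpt len is clamped to sizeof(intr->read_regs.buffer) immediately before the copy, so the destination bound is enforced here.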
if (len > sizeof(intr->read_regs.buffer))
len = sizeof(intr->read_regs.buffer);
memcpy(intr->read_regs.buffer, urb->transfer_buffer, len);
/* Sometimes USB_INT_ID_REGS is not overridden, but comes after
* USB_INT_ID_RETRY_FAILED. Read-reg retry then gets this
* delayed USB_INT_ID_REGS, but leaves USB_INT_ID_REGS of
* retry unhandled. Next read-reg command then might catch
Reported by FlawFinder.
Line: 685
Column: 3
CWE codes:
120
Suggestion:
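Make sure destination can always hold the source data. The only bound visible in this excerpt is ZD_ASSERT(length <= ARRAY_SIZE(rx->fragment)); confirm that the check is still enforced in non-debug builds.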
dev_dbg_f(urb_dev(urb), "*** first fragment ***\n");
ZD_ASSERT(length <= ARRAY_SIZE(rx->fragment));
spin_lock_irqsave(&rx->lock, flags);
memcpy(rx->fragment, buffer, length);
rx->fragment_length = length;
spin_unlock_irqrestore(&rx->lock, flags);
goto resubmit;
}
Reported by FlawFinder.
Line: 697
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ZD_ASSERT(length + rx->fragment_length <=
ARRAY_SIZE(rx->fragment));
dev_dbg_f(urb_dev(urb), "*** second fragment ***\n");
memcpy(rx->fragment+rx->fragment_length, buffer, length);
handle_rx_packet(usb, rx->fragment,
rx->fragment_length + length);
rx->fragment_length = 0;
spin_unlock_irqrestore(&rx->lock, flags);
} else {
Reported by FlawFinder.
Line: 1251
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef DEBUG
/*
 * Fills a 40-byte stack buffer through scnprint_id() and logs the result
 * as a string with dev_dbg_f().
 *
 * NOTE(review): FlawFinder flags the fixed-size array declaration. The
 * writes visible here are bounded: scnprint_id() is given sizeof(buffer)
 * and the last byte is then set to 0. scnprint_id() is defined outside
 * this excerpt, so confirm that it honours the size argument.
 */
static void print_id(struct usb_device *udev)
{
char buffer[40];
/* Pass the full buffer size as the limit for the callee. */
scnprint_id(udev, buffer, sizeof(buffer));
/* Force NUL termination in the last byte whatever the callee wrote. */
buffer[sizeof(buffer)-1] = 0;
dev_dbg_f(&udev->dev, "%s\n", buffer);
}
Reported by FlawFinder.
drivers/pcmcia/socket_sysfs.c
9 issues
Line: 101
Column: 9
CWE codes:
120
Suggestion:
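Use sprintf_s, snprintf, or vsnprintf. sprintf_s is not available in kernel code; for sysfs show callbacks such as the ones in this file, the bounded helper is sysfs_emit().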
char *buf)
{
struct pcmcia_socket *s = to_socket(dev);
return sprintf(buf, "%s\n", s->state & SOCKET_SUSPEND ? "off" : "on");
}
static ssize_t pccard_store_card_pm_state(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 180
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct pcmcia_socket *s = to_socket(dev);
return sprintf(buf, "%s\n", s->resource_setup_done ? "yes" : "no");
}
static ssize_t pccard_store_resource(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 41
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!(s->state & SOCKET_PRESENT))
return -ENODEV;
if (s->state & SOCKET_CARDBUS)
return sprintf(buf, "32-bit\n");
return sprintf(buf, "16-bit\n");
}
static DEVICE_ATTR(card_type, 0444, pccard_show_type, NULL);
static ssize_t pccard_show_voltage(struct device *dev, struct device_attribute *attr,
Reported by FlawFinder.
Line: 42
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -ENODEV;
if (s->state & SOCKET_CARDBUS)
return sprintf(buf, "32-bit\n");
return sprintf(buf, "16-bit\n");
}
static DEVICE_ATTR(card_type, 0444, pccard_show_type, NULL);
static ssize_t pccard_show_voltage(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 54
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!(s->state & SOCKET_PRESENT))
return -ENODEV;
if (s->socket.Vcc)
return sprintf(buf, "%d.%dV\n", s->socket.Vcc / 10,
s->socket.Vcc % 10);
return sprintf(buf, "X.XV\n");
}
static DEVICE_ATTR(card_voltage, 0444, pccard_show_voltage, NULL);
Reported by FlawFinder.
Line: 56
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (s->socket.Vcc)
return sprintf(buf, "%d.%dV\n", s->socket.Vcc / 10,
s->socket.Vcc % 10);
return sprintf(buf, "X.XV\n");
}
static DEVICE_ATTR(card_voltage, 0444, pccard_show_voltage, NULL);
static ssize_t pccard_show_vpp(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 66
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct pcmcia_socket *s = to_socket(dev);
if (!(s->state & SOCKET_PRESENT))
return -ENODEV;
return sprintf(buf, "%d.%dV\n", s->socket.Vpp / 10, s->socket.Vpp % 10);
}
static DEVICE_ATTR(card_vpp, 0444, pccard_show_vpp, NULL);
static ssize_t pccard_show_vcc(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 76
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct pcmcia_socket *s = to_socket(dev);
if (!(s->state & SOCKET_PRESENT))
return -ENODEV;
return sprintf(buf, "%d.%dV\n", s->socket.Vcc / 10, s->socket.Vcc % 10);
}
static DEVICE_ATTR(card_vcc, 0444, pccard_show_vcc, NULL);
static ssize_t pccard_store_insert(struct device *dev, struct device_attribute *attr,
Reported by FlawFinder.
Line: 148
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char *buf)
{
struct pcmcia_socket *s = to_socket(dev);
return sprintf(buf, "0x%04x\n", s->irq_mask);
}
static ssize_t pccard_store_irq_mask(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/scsi/aic7xxx/aicasm/aicasm.c
9 issues
Line: 146
Column: 15
CWE codes:
120
20 (Improper Input Validation)
Suggestion:
Check implementation on installation, or limit the size of all string inputs
yydebug = 0;
mmdebug = 0;
#endif
while ((ch = getopt(argc, argv, "d:i:l:n:o:p:r:I:")) != -1) {
switch(ch) {
case 'd':
#if DEBUG
if (strcmp(optarg, "s") == 0) {
yy_flex_debug = 1;
Reported by FlawFinder.
Line: 171
Column: 20
CWE codes:
362 (Concurrent Execution using Shared Resource with Improper Synchronization, i.e. a race condition)
break;
case 'l':
/* Create a program listing */
if ((listfile = fopen(optarg, "w")) == NULL) {
perror(optarg);
stop(NULL, EX_CANTCREAT);
}
listfilename = optarg;
break;
Reported by FlawFinder.
Line: 187
Column: 17
CWE codes:
362
}
break;
case 'o':
if ((ofile = fopen(optarg, "w")) == NULL) {
perror(optarg);
stop(NULL, EX_CANTCREAT);
}
ofilename = optarg;
break;
Reported by FlawFinder.
Line: 195
Column: 23
CWE codes:
362
break;
case 'p':
/* Create Register Diagnostic "printing" Functions */
if ((regdiagfile = fopen(optarg, "w")) == NULL) {
perror(optarg);
stop(NULL, EX_CANTCREAT);
}
regdiagfilename = optarg;
break;
Reported by FlawFinder.
Line: 202
Column: 19
CWE codes:
362
regdiagfilename = optarg;
break;
case 'r':
if ((regfile = fopen(optarg, "w")) == NULL) {
perror(optarg);
stop(NULL, EX_CANTCREAT);
}
regfilename = optarg;
break;
Reported by FlawFinder.
Line: 332
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u_int address;
if (cur_instr->patch_label->type != LABEL) {
char buf[255];
snprintf(buf, sizeof(buf),
"Undefined label %s",
cur_instr->patch_label->name);
stop(buf, EX_DATAERR);
Reported by FlawFinder.
Line: 521
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void
output_listing(char *ifilename)
{
char buf[1024];
FILE *ifile;
struct instruction *cur_instr;
patch_t *cur_patch;
symbol_node_t *cur_func;
int *func_values;
Reported by FlawFinder.
Line: 537
Column: 15
CWE codes:
362
instrptr = 0;
line = 1;
skip_addr = 0;
if ((ifile = fopen(ifilename, "r")) == NULL) {
perror(ifilename);
stop(NULL, EX_DATAERR);
}
/*
Reported by FlawFinder.
drivers/platform/x86/samsung-laptop.c
9 issues
Line: 674
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* The logic is backwards, yeah, lots of fun... */
for (i = 0; config->performance_levels[i].name; ++i) {
if (sretval.data[0] == config->performance_levels[i].value)
return sprintf(buf, "%s\n", config->performance_levels[i].name);
}
return sprintf(buf, "%s\n", "unknown");
}
static ssize_t set_performance_level(struct device *dev,
Reported by FlawFinder.
Line: 676
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (sretval.data[0] == config->performance_levels[i].value)
return sprintf(buf, "%s\n", config->performance_levels[i].name);
}
return sprintf(buf, "%s\n", "unknown");
}
static ssize_t set_performance_level(struct device *dev,
struct device_attribute *attr, const char *buf,
size_t count)
Reported by FlawFinder.
Line: 355
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool handle_backlight;
bool has_stepping_quirk;
char sdiag[64];
};
struct samsung_quirks {
bool broken_acpi_video;
bool four_kbd_backlight_levels;
Reported by FlawFinder.
Line: 757
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret < 0)
return ret;
return sprintf(buf, "%d\n", ret);
}
static ssize_t set_battery_life_extender(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 826
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret < 0)
return ret;
return sprintf(buf, "%d\n", ret);
}
static ssize_t set_usb_charge(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 891
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret < 0)
return ret;
return sprintf(buf, "%d\n", ret);
}
static ssize_t set_lid_handling(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 694
Column: 38
CWE codes:
126
for (i = 0; config->performance_levels[i].name; ++i) {
const struct sabi_performance_level *level =
&config->performance_levels[i];
if (!strncasecmp(level->name, buf, strlen(level->name))) {
sabi_set_commandb(samsung,
commands->set_performance_level,
level->value);
break;
}
Reported by FlawFinder.
Line: 931
Column: 13
CWE codes:
126
char temp = readb(memcheck + loca);
if (temp == testStr[i]) {
if (i == strlen(testStr)-1)
break;
++i;
} else {
i = 0;
}
Reported by FlawFinder.
Line: 1292
Column: 38
CWE codes:
126
samsung->debug.data_wrapper.size = sizeof(samsung->debug.data);
samsung->debug.sdiag_wrapper.data = samsung->sdiag;
samsung->debug.sdiag_wrapper.size = strlen(samsung->sdiag);
debugfs_create_u16("command", 0644, root, &samsung->debug.command);
debugfs_create_u32("d0", 0644, root, &samsung->debug.data.d0);
debugfs_create_u32("d1", 0644, root, &samsung->debug.data.d1);
debugfs_create_u16("d2", 0644, root, &samsung->debug.data.d2);
Reported by FlawFinder.
drivers/scsi/3w-xxxx.h
9 issues
Line: 297
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 length;
} TW_SG_Entry;
typedef unsigned char TW_Sector[512];
/* Command Packet */
typedef struct TW_Command {
unsigned char opcode__sgloffset;
unsigned char size;
Reported by FlawFinder.
Line: 328
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 padding[125];
} init_connection;
struct {
char version[504];
} ioctl_miniport_version;
} byte8;
} TW_Command;
#pragma pack()
Reported by FlawFinder.
Line: 341
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char parameter_id;
unsigned char parameter_size_bytes;
unsigned char unit_index;
unsigned char data[1];
} TW_Ioctl;
#pragma pack(1)
/* Structure for new chardev ioctls */
Reported by FlawFinder.
Line: 349
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Structure for new chardev ioctls.
 *
 * Layout: a length field, 508 bytes of padding, one TW_Command, then a
 * one-element char array as the last member.
 */
typedef struct TAG_TW_New_Ioctl {
/*
 * NOTE(review): presumably the byte count of data_buffer as supplied by
 * the ioctl caller; confirm against the users of this struct. If so, it
 * must be validated before it sizes any allocation or copy.
 */
unsigned int data_buffer_length;
unsigned char padding [508];
TW_Command firmware_command;
/*
 * One-element trailing array; this declaration is what FlawFinder flags.
 * NOTE(review): looks like a variable-length tail declared with the
 * [1] idiom; confirm. If so, sizeof(TW_New_Ioctl) already counts one
 * byte of it, which matters for any size arithmetic on this struct.
 */
char data_buffer[1];
} TW_New_Ioctl;
/* GetParam descriptor */
Reported by FlawFinder.
Line: 351
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int data_buffer_length;
unsigned char padding [508];
TW_Command firmware_command;
char data_buffer[1];
} TW_New_Ioctl;
/* GetParam descriptor */
typedef struct {
unsigned short table_id;
Reported by FlawFinder.
Line: 359
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short table_id;
unsigned char parameter_id;
unsigned char parameter_size_bytes;
unsigned char data[1];
} TW_Param, *PTW_Param;
/* Response queue */
typedef union TAG_TW_Response_Queue {
u32 response_id;
Reported by FlawFinder.
Line: 396
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char drive_head;
unsigned char command;
TW_SG_Entry sg_list[TW_ATA_PASS_SGL_MAX];
unsigned char padding[12];
} TW_Passthru;
#pragma pack()
typedef struct TAG_TW_Device_Extension {
Reported by FlawFinder.
Line: 410
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long command_packet_physical_address[TW_Q_LENGTH];
struct pci_dev *tw_pci_dev;
struct scsi_cmnd *srb[TW_Q_LENGTH];
unsigned char free_queue[TW_Q_LENGTH];
unsigned char free_head;
unsigned char free_tail;
unsigned char pending_queue[TW_Q_LENGTH];
unsigned char pending_head;
unsigned char pending_tail;
Reported by FlawFinder.
Line: 413
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char free_queue[TW_Q_LENGTH];
unsigned char free_head;
unsigned char free_tail;
unsigned char pending_queue[TW_Q_LENGTH];
unsigned char pending_head;
unsigned char pending_tail;
TW_Cmd_State state[TW_Q_LENGTH];
u32 posted_request_count;
u32 max_posted_request_count;
Reported by FlawFinder.
drivers/nfc/pn533/pn533.c
9 issues
Line: 736
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nfc_tgt->sens_res = be16_to_cpu(tgt_type_a->sens_res);
nfc_tgt->sel_res = tgt_type_a->sel_res;
nfc_tgt->nfcid1_len = tgt_type_a->nfcid_len;
memcpy(nfc_tgt->nfcid1, tgt_type_a->nfcid_data, nfc_tgt->nfcid1_len);
return 0;
}
struct pn533_target_felica {
Reported by FlawFinder.
Line: 781
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
nfc_tgt->supported_protocols = NFC_PROTO_FELICA_MASK;
memcpy(nfc_tgt->sensf_res, &tgt_felica->opcode, 9);
nfc_tgt->sensf_res_len = 9;
memcpy(nfc_tgt->nfcid2, tgt_felica->nfcid2, NFC_NFCID2_MAXSIZE);
nfc_tgt->nfcid2_len = NFC_NFCID2_MAXSIZE;
Reported by FlawFinder.
Line: 784
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(nfc_tgt->sensf_res, &tgt_felica->opcode, 9);
nfc_tgt->sensf_res_len = 9;
memcpy(nfc_tgt->nfcid2, tgt_felica->nfcid2, NFC_NFCID2_MAXSIZE);
nfc_tgt->nfcid2_len = NFC_NFCID2_MAXSIZE;
return 0;
}
Reported by FlawFinder.
Line: 830
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nfc_tgt->supported_protocols = NFC_PROTO_JEWEL_MASK;
nfc_tgt->sens_res = be16_to_cpu(tgt_jewel->sens_res);
nfc_tgt->nfcid1_len = 4;
memcpy(nfc_tgt->nfcid1, tgt_jewel->jewelid, nfc_tgt->nfcid1_len);
return 0;
}
struct pn533_type_b_prot_info {
Reported by FlawFinder.
Line: 1055
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* NFCID3 */
nfcid3 = skb_put_zero(skb, 10);
memcpy(nfcid3, felica, 8);
/* General bytes */
skb_put_u8(skb, gbytes_len);
skb_put_data(skb, gbytes, gbytes_len);
Reported by FlawFinder.
Line: 1315
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nfc_target.supported_protocols = NFC_PROTO_NFC_DEP_MASK;
nfc_target.nfcid1_len = 10;
memcpy(nfc_target.nfcid1, rsp->nfcid3t, nfc_target.nfcid1_len);
rc = nfc_targets_found(dev->nfc_dev, &nfc_target, 1);
if (rc)
goto error;
dev->tgt_available_prots = 0;
Reported by FlawFinder.
Line: 1933
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nfc_target.supported_protocols = NFC_PROTO_NFC_DEP_MASK;
nfc_target.nfcid1_len = 10;
memcpy(nfc_target.nfcid1, rsp->nfcid3t, nfc_target.nfcid1_len);
rc = nfc_targets_found(dev->nfc_dev, &nfc_target, 1);
if (rc)
goto error;
dev->tgt_available_prots = 0;
Reported by FlawFinder.
Line: 2006
Column: 3
CWE codes:
120
Suggestion:
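Make sure destination can always hold the source data. In this excerpt skb_put() reserves NFC_NFCID3_MAXSIZE bytes but the copy length is target->nfcid2_len. The copy fits only if nfcid2_len cannot exceed NFC_NFCID3_MAXSIZE, and a shorter nfcid2_len leaves the rest of the reserved bytes unwritten by this call.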
/* Copy NFCID3 (which is NFCID2 from SENSF_RES) */
if (target && target->nfcid2_len)
memcpy(skb_put(skb, NFC_NFCID3_MAXSIZE), target->nfcid2,
target->nfcid2_len);
else
skb_put_data(skb, nfcid3, NFC_NFCID3_MAXSIZE);
*next |= 2;
Reported by FlawFinder.
Line: 2088
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_put(skb, skb_len);
skb_queue_walk_safe(&dev->resp_q, tmp, t) {
memcpy(skb->data + tmp_len, tmp->data, tmp->len);
tmp_len += tmp->len;
}
out:
skb_queue_purge(&dev->resp_q);
Reported by FlawFinder.
drivers/platform/x86/hp-wmi.c
9 issues
Line: 245
Column: 2
CWE codes:
120
Suggestion:
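Make sure destination can always hold the source data. In this excerpt the copy is preceded by a WARN_ON(insize > sizeof(args.data)) check that returns -EINVAL, so the copy length is bounded by the destination size.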
if (WARN_ON(insize > sizeof(args.data)))
return -EINVAL;
memcpy(&args.data[0], buffer, insize);
wmi_evaluate_method(HPWMI_BIOS_GUID, 0, mid, &input, &output);
obj = output.pointer;
Reported by FlawFinder.
Line: 274
Column: 2
CWE codes:
120
Suggestion:
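Make sure destination can always hold the source data. Here the copy length is the smaller of outsize and obj->buffer.length - sizeof(*bios_return) cast to int. The excerpt does not show a check that obj->buffer.length is at least sizeof(*bios_return), so confirm that in the surrounding code.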
goto out_free;
actual_outsize = min(outsize, (int)(obj->buffer.length - sizeof(*bios_return)));
memcpy(buffer, obj->buffer.pointer + sizeof(*bios_return), actual_outsize);
memset(buffer + actual_outsize, 0, outsize - actual_outsize);
out_free:
kfree(obj);
return ret;
Reported by FlawFinder.
Line: 379
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int hp_wmi_rfkill2_set_block(void *data, bool blocked)
{
int rfkill_id = (int)(long)data;
char buffer[4] = { 0x01, 0x00, rfkill_id, !blocked };
int ret;
ret = hp_wmi_perform_query(HPWMI_WIRELESS2_QUERY, HPWMI_WRITE,
buffer, sizeof(buffer), 0);
Reported by FlawFinder.
Line: 427
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int value = hp_wmi_read_int(HPWMI_DISPLAY_QUERY);
if (value < 0)
return value;
return sprintf(buf, "%d\n", value);
}
static ssize_t hddtemp_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 436
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int value = hp_wmi_read_int(HPWMI_HDDTEMP_QUERY);
if (value < 0)
return value;
return sprintf(buf, "%d\n", value);
}
static ssize_t als_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 445
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int value = hp_wmi_read_int(HPWMI_ALS_QUERY);
if (value < 0)
return value;
return sprintf(buf, "%d\n", value);
}
static ssize_t dock_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 454
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int value = hp_wmi_hw_state(HPWMI_DOCK_MASK);
if (value < 0)
return value;
return sprintf(buf, "%d\n", value);
}
static ssize_t tablet_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 463
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int value = hp_wmi_hw_state(HPWMI_TABLET_MASK);
if (value < 0)
return value;
return sprintf(buf, "%d\n", value);
}
static ssize_t postcode_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 473
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int value = hp_wmi_read_int(HPWMI_POSTCODEERROR_QUERY);
if (value < 0)
return value;
return sprintf(buf, "0x%x\n", value);
}
static ssize_t als_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
drivers/scsi/atp870u.h
9 issues
Line: 30
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long baseport;
unsigned long ioport[2];
unsigned long pciport[2];
unsigned char last_cmd[2];
unsigned char in_snd[2];
unsigned char in_int[2];
unsigned char quhd[2];
unsigned char quend[2];
unsigned char global_map[2];
Reported by FlawFinder.
Line: 31
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long ioport[2];
unsigned long pciport[2];
unsigned char last_cmd[2];
unsigned char in_snd[2];
unsigned char in_int[2];
unsigned char quhd[2];
unsigned char quend[2];
unsigned char global_map[2];
unsigned char host_id[2];
Reported by FlawFinder.
Line: 32
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long pciport[2];
unsigned char last_cmd[2];
unsigned char in_snd[2];
unsigned char in_int[2];
unsigned char quhd[2];
unsigned char quend[2];
unsigned char global_map[2];
unsigned char host_id[2];
unsigned int working[2];
Reported by FlawFinder.
Line: 33
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char last_cmd[2];
unsigned char in_snd[2];
unsigned char in_int[2];
unsigned char quhd[2];
unsigned char quend[2];
unsigned char global_map[2];
unsigned char host_id[2];
unsigned int working[2];
unsigned short wide_id[2];
Reported by FlawFinder.
Line: 34
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char in_snd[2];
unsigned char in_int[2];
unsigned char quhd[2];
unsigned char quend[2];
unsigned char global_map[2];
unsigned char host_id[2];
unsigned int working[2];
unsigned short wide_id[2];
unsigned short active_id[2];
Reported by FlawFinder.
Line: 35
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char in_int[2];
unsigned char quhd[2];
unsigned char quend[2];
unsigned char global_map[2];
unsigned char host_id[2];
unsigned int working[2];
unsigned short wide_id[2];
unsigned short active_id[2];
unsigned short ultra_map[2];
Reported by FlawFinder.
Line: 36
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char quhd[2];
unsigned char quend[2];
unsigned char global_map[2];
unsigned char host_id[2];
unsigned int working[2];
unsigned short wide_id[2];
unsigned short active_id[2];
unsigned short ultra_map[2];
unsigned short async[2];
Reported by FlawFinder.
Line: 42
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short active_id[2];
unsigned short ultra_map[2];
unsigned short async[2];
unsigned char sp[2][16];
unsigned char r1f[2][16];
struct scsi_cmnd *quereq[2][qcnt];
struct atp_id
{
unsigned char dirct;
Reported by FlawFinder.
Line: 43
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short ultra_map[2];
unsigned short async[2];
unsigned char sp[2][16];
unsigned char r1f[2][16];
struct scsi_cmnd *quereq[2][qcnt];
struct atp_id
{
unsigned char dirct;
unsigned char devsp;
Reported by FlawFinder.