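The following issues were reported by FlawFinder, a pattern-matching scanner that flags risky calls and fixed-size buffers by name. Each finding is unverified and has to be checked against the surrounding code.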
net/tipc/bearer.c
9 issues
Line: 166
Column: 3
CWE codes:
120
Suggestion:
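Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). In kernel code strcpy_s is not available; strscpy() is the bounded copy helper. The excerpt reported for line 157 of this file checks media_len and if_len against TIPC_MAX_MEDIA_NAME and TIPC_MAX_IF_NAME, apparently before these copies, so the finding holds only if the destination fields are smaller than those limits, which is not visible here.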
/* return bearer name components, if necessary */
if (name_parts) {
strcpy(name_parts->media_name, media_name);
strcpy(name_parts->if_name, if_name);
}
return 1;
}
Reported by FlawFinder.
Line: 167
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* return bearer name components, if necessary */
if (name_parts) {
strcpy(name_parts->media_name, media_name);
strcpy(name_parts->if_name, if_name);
}
return 1;
}
/**
Reported by FlawFinder.
Line: 208
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!b)
return -EINVAL;
strcpy(name, b->name);
return 0;
}
void tipc_bearer_add_dest(struct net *net, u32 bearer_id, u32 dest)
{
Reported by FlawFinder.
Line: 328
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!b)
return -ENOMEM;
strcpy(b->name, name);
b->media = m;
res = m->enable_media(net, b, attr);
if (res) {
kfree(b);
errstr = "failed to enable media";
Reported by FlawFinder.
Line: 111
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
int tipc_media_addr_printf(char *buf, int len, struct tipc_media_addr *a)
{
char addr_str[MAX_ADDR_STR];
struct tipc_media *m;
int ret;
m = media_find_id(a->media_id);
Reported by FlawFinder.
Line: 140
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int bearer_name_validate(const char *name,
struct tipc_bearer_names *name_parts)
{
char name_copy[TIPC_MAX_BEARER_NAME];
char *media_name;
char *if_name;
u32 media_len;
u32 if_len;
Reported by FlawFinder.
Line: 445
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Autoconfigure own node identity if needed */
if (!tipc_own_id(net) && hwaddr_len <= NODE_ID_LEN) {
memcpy(node_id, dev->dev_addr, hwaddr_len);
tipc_net_init(net, node_id, 0);
}
if (!tipc_own_id(net)) {
dev_put(dev);
pr_warn("Failed to obtain node identity\n");
Reported by FlawFinder.
Line: 461
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
b->pt.func = tipc_l2_rcv_msg;
dev_add_pack(&b->pt);
memset(&b->bcast_addr, 0, sizeof(b->bcast_addr));
memcpy(b->bcast_addr.value, dev->broadcast, hwaddr_len);
b->bcast_addr.media_id = b->media->type_id;
b->bcast_addr.broadcast = TIPC_BROADCAST_SUPPORT;
b->mtu = dev->mtu;
b->media->raw2addr(b, &b->addr, (char *)dev->dev_addr);
rcu_assign_pointer(dev->tipc_ptr, b);
Reported by FlawFinder.
Line: 157
Column: 11
CWE codes:
126
return 0;
*(if_name++) = 0;
media_len = if_name - media_name;
if_len = strlen(if_name) + 1;
/* validate component parts of bearer name */
if ((media_len <= 1) || (media_len > TIPC_MAX_MEDIA_NAME) ||
(if_len <= 1) || (if_len > TIPC_MAX_IF_NAME))
return 0;
Reported by FlawFinder.
security/tomoyo/common.h
9 issues
Line: 819
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool print_this_domain_only;
bool print_transition_related_only;
bool print_cond_part;
const char *w[TOMOYO_MAX_IO_READ_QUEUE];
} r;
struct {
struct tomoyo_policy_namespace *ns;
/* The position currently writing to. */
struct tomoyo_domain_info *domain;
Reported by FlawFinder.
Line: 1077
Column: 14
CWE codes:
119
120
Suggestion:
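Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged line is one of the extern declarations of a const array in this excerpt, so nothing is written at this location; the bound matters where the array is indexed.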
extern bool tomoyo_policy_loaded;
extern int tomoyo_enabled;
extern const char * const tomoyo_condition_keyword
[TOMOYO_MAX_CONDITION_KEYWORD];
extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
+ TOMOYO_MAX_MAC_CATEGORY_INDEX];
extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
Reported by FlawFinder.
Line: 1079
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
extern int tomoyo_enabled;
extern const char * const tomoyo_condition_keyword
[TOMOYO_MAX_CONDITION_KEYWORD];
extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
+ TOMOYO_MAX_MAC_CATEGORY_INDEX];
extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
extern const char * const tomoyo_proto_keyword[TOMOYO_SOCK_MAX];
Reported by FlawFinder.
Line: 1080
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
extern const char * const tomoyo_condition_keyword
[TOMOYO_MAX_CONDITION_KEYWORD];
extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
+ TOMOYO_MAX_MAC_CATEGORY_INDEX];
extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
extern const char * const tomoyo_proto_keyword[TOMOYO_SOCK_MAX];
extern const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION];
Reported by FlawFinder.
Line: 1082
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
+ TOMOYO_MAX_MAC_CATEGORY_INDEX];
extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
extern const char * const tomoyo_proto_keyword[TOMOYO_SOCK_MAX];
extern const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION];
extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX];
extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];
Reported by FlawFinder.
Line: 1083
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
+ TOMOYO_MAX_MAC_CATEGORY_INDEX];
extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
extern const char * const tomoyo_proto_keyword[TOMOYO_SOCK_MAX];
extern const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION];
extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX];
extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];
extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION];
Reported by FlawFinder.
Line: 1084
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
+ TOMOYO_MAX_MAC_CATEGORY_INDEX];
extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
extern const char * const tomoyo_proto_keyword[TOMOYO_SOCK_MAX];
extern const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION];
extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX];
extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];
extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION];
extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION];
Reported by FlawFinder.
Line: 1085
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
extern const char * const tomoyo_proto_keyword[TOMOYO_SOCK_MAX];
extern const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION];
extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX];
extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];
extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION];
extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION];
extern struct list_head tomoyo_condition_list;
Reported by FlawFinder.
Line: 794
Column: 9
CWE codes:
120
20
* interfaces.
*/
struct tomoyo_io_buffer {
void (*read)(struct tomoyo_io_buffer *head);
int (*write)(struct tomoyo_io_buffer *head);
__poll_t (*poll)(struct file *file, poll_table *wait);
/* Exclusive lock for this structure. */
struct mutex io_sem;
char __user *read_user_buf;
Reported by FlawFinder.
samples/mei/mei-amt-version.c
9 issues
Line: 85
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
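/*
 * mei_msg - print a diagnostic to stderr when (_me)->verbose is set.
 *
 * fmt is handed to fprintf() as the format string, which is what the
 * CWE-134 finding points at: callers must pass a string literal, and this
 * macro does not enforce that. _me is parenthesized so that an expression
 * argument such as &ctx expands correctly.
 */
#define mei_msg(_me, fmt, ARGS...) do {		\
	if ((_me)->verbose)			\
		fprintf(stderr, fmt, ##ARGS);	\
} while (0)

/*
 * mei_err - print an error to stderr unconditionally; _me is not used.
 *
 * "Error: " fmt relies on adjacent string-literal concatenation, so a fmt
 * that is a plain variable does not compile.
 */
#define mei_err(_me, fmt, ARGS...) do {			\
	fprintf(stderr, "Error: " fmt, ##ARGS);		\
} while (0)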
Reported by FlawFinder.
Line: 89
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
} while (0)
#define mei_err(_me, fmt, ARGS...) do { \
fprintf(stderr, "Error: " fmt, ##ARGS); \
} while (0)
struct mei {
uuid_le guid;
bool initialized;
Reported by FlawFinder.
Line: 120
Column: 11
CWE codes:
362
me->verbose = verbose;
me->fd = open("/dev/mei0", O_RDWR);
if (me->fd == -1) {
mei_err(me, "Cannot establish a handle to the Intel MEI driver\n");
goto err;
}
memcpy(&me->guid, guid, sizeof(*guid));
Reported by FlawFinder.
Line: 125
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mei_err(me, "Cannot establish a handle to the Intel MEI driver\n");
goto err;
}
memcpy(&me->guid, guid, sizeof(*guid));
memset(&data, 0, sizeof(data));
me->initialized = true;
memcpy(&data.in_client_uuid, &me->guid, sizeof(me->guid));
result = ioctl(me->fd, IOCTL_MEI_CONNECT_CLIENT, &data);
Reported by FlawFinder.
Line: 129
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&data, 0, sizeof(data));
me->initialized = true;
memcpy(&data.in_client_uuid, &me->guid, sizeof(me->guid));
result = ioctl(me->fd, IOCTL_MEI_CONNECT_CLIENT, &data);
if (result) {
mei_err(me, "IOCTL_MEI_CONNECT_CLIENT receive message. err=%d\n", result);
goto err;
}
Reported by FlawFinder.
Line: 237
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Length-prefixed string record: a 16-bit length followed by a fixed
 * AMT_UNICODE_STRING_LEN-byte character buffer. The packed attribute keeps
 * the compiler from inserting padding between the two members.
 *
 * NOTE(review): code that indexes string[length] (as the version check
 * elsewhere in this file does) must first confirm that
 * length < AMT_UNICODE_STRING_LEN; confirm that such a check exists.
 */
struct amt_unicode_string {
uint16_t length; /* presumably the number of valid bytes in string - TODO confirm */
char string[AMT_UNICODE_STRING_LEN]; /* fixed-size storage; NUL termination is not guaranteed by the type */
} __attribute__((packed));
struct amt_version_type {
struct amt_unicode_string description;
struct amt_unicode_string version;
Reported by FlawFinder.
Line: 429
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (status != AMT_STATUS_SUCCESS)
goto out;
memcpy(versions, response->data, sizeof(struct amt_code_versions));
out:
if (response != NULL)
free(response);
return status;
Reported by FlawFinder.
Line: 161
Column: 7
CWE codes:
120
20
mei_msg(me, "call read length = %zd\n", len);
rc = read(me->fd, buffer, len);
if (rc < 0) {
mei_err(me, "read failed with status %zd %s\n",
rc, strerror(errno));
mei_deinit(me);
} else {
Reported by FlawFinder.
Line: 338
Column: 14
CWE codes:
126
len = code_ver->versions[i].version.length;
if (code_ver->versions[i].version.string[len] != '\0' ||
len != strlen(code_ver->versions[i].version.string)) {
status = AMT_STATUS_INTERNAL_ERROR;
goto out;
}
}
out:
Reported by FlawFinder.
net/wireless/ibss.c
9 issues
Line: 55
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
GFP_KERNEL);
#ifdef CONFIG_CFG80211_WEXT
memset(&wrqu, 0, sizeof(wrqu));
memcpy(wrqu.ap_addr.sa_data, bssid, ETH_ALEN);
wireless_send_event(dev, SIOCGIWAP, &wrqu, NULL);
#endif
}
void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
Reported by FlawFinder.
Line: 78
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
ev->type = EVENT_IBSS_JOINED;
memcpy(ev->ij.bssid, bssid, ETH_ALEN);
ev->ij.channel = channel;
spin_lock_irqsave(&wdev->event_lock, flags);
list_add_tail(&ev->list, &wdev->event_list);
spin_unlock_irqrestore(&wdev->event_lock, flags);
Reported by FlawFinder.
Line: 151
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
}
memcpy(wdev->ssid, params->ssid, params->ssid_len);
wdev->ssid_len = params->ssid_len;
return 0;
}
Reported by FlawFinder.
Line: 424
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len > 0 && ssid[len - 1] == '\0')
len--;
memcpy(wdev->ssid, ssid, len);
wdev->wext.ibss.ssid = wdev->ssid;
wdev->wext.ibss.ssid_len = len;
wdev_lock(wdev);
err = cfg80211_ibss_wext_join(rdev, wdev);
Reported by FlawFinder.
Line: 451
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (wdev->ssid_len) {
data->flags = 1;
data->length = wdev->ssid_len;
memcpy(ssid, wdev->ssid, data->length);
} else if (wdev->wext.ibss.ssid && wdev->wext.ibss.ssid_len) {
data->flags = 1;
data->length = wdev->wext.ibss.ssid_len;
memcpy(ssid, wdev->wext.ibss.ssid, data->length);
}
Reported by FlawFinder.
Line: 455
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else if (wdev->wext.ibss.ssid && wdev->wext.ibss.ssid_len) {
data->flags = 1;
data->length = wdev->wext.ibss.ssid_len;
memcpy(ssid, wdev->wext.ibss.ssid, data->length);
}
wdev_unlock(wdev);
return 0;
}
Reported by FlawFinder.
Line: 507
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
if (bssid) {
memcpy(wdev->wext.bssid, bssid, ETH_ALEN);
wdev->wext.ibss.bssid = wdev->wext.bssid;
} else
wdev->wext.ibss.bssid = NULL;
wdev_lock(wdev);
Reported by FlawFinder.
Line: 533
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wdev_lock(wdev);
if (wdev->current_bss)
memcpy(ap_addr->sa_data, wdev->current_bss->pub.bssid, ETH_ALEN);
else if (wdev->wext.ibss.bssid)
memcpy(ap_addr->sa_data, wdev->wext.ibss.bssid, ETH_ALEN);
else
eth_zero_addr(ap_addr->sa_data);
Reported by FlawFinder.
Line: 535
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (wdev->current_bss)
memcpy(ap_addr->sa_data, wdev->current_bss->pub.bssid, ETH_ALEN);
else if (wdev->wext.ibss.bssid)
memcpy(ap_addr->sa_data, wdev->wext.ibss.bssid, ETH_ALEN);
else
eth_zero_addr(ap_addr->sa_data);
wdev_unlock(wdev);
Reported by FlawFinder.
sound/pci/mixart/mixart.c
9 issues
Line: 973
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
pcm->info_flags = 0;
pcm->nonatomic = true;
strcpy(pcm->name, name);
preallocate_buffers(chip, pcm);
chip->pcm = pcm;
return 0;
Reported by FlawFinder.
Line: 1007
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
pcm->info_flags = 0;
pcm->nonatomic = true;
strcpy(pcm->name, name);
preallocate_buffers(chip, pcm);
chip->pcm_dig = pcm;
return 0;
Reported by FlawFinder.
Line: 1333
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return err;
}
strcpy(card->driver, CARD_NAME);
snprintf(card->shortname, sizeof(card->shortname),
"Digigram miXart [PCM #%d]", i);
snprintf(card->longname, sizeof(card->longname),
"Digigram miXart at 0x%lx & 0x%lx, irq %i [PCM #%d]",
mgr->mem[0].phys, mgr->mem[1].phys, mgr->irq, i);
Reported by FlawFinder.
Line: 37
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_LICENSE("GPL");
static int index[SNDRV_CARDS] = SNDRV_DEFAULT_IDX; /* Index 0-MAX */
static char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR; /* ID for this card */
static bool enable[SNDRV_CARDS] = SNDRV_DEFAULT_ENABLE_PNP; /* Enable this card */
module_param_array(index, int, NULL, 0444);
MODULE_PARM_DESC(index, "Index value for Digigram " CARD_NAME " soundcard.");
module_param_array(id, charp, NULL, 0444);
Reported by FlawFinder.
Line: 954
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int err;
struct snd_pcm *pcm;
char name[32];
sprintf(name, "miXart analog %d", chip->chip_idx);
err = snd_pcm_new(chip->card, name, MIXART_PCM_ANALOG,
MIXART_PLAYBACK_STREAMS,
MIXART_CAPTURE_STREAMS, &pcm);
Reported by FlawFinder.
Line: 956
Column: 2
CWE codes:
120
Suggestion:
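Use sprintf_s, snprintf, or vsnprintf. Here the destination is char name[32] and the format is a 14-character literal plus a single %d, so the output stays within the buffer provided chip_idx is no wider than int (its type is not shown). Writing snprintf(name, sizeof(name), ...) would make the bound explicit.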
struct snd_pcm *pcm;
char name[32];
sprintf(name, "miXart analog %d", chip->chip_idx);
err = snd_pcm_new(chip->card, name, MIXART_PCM_ANALOG,
MIXART_PLAYBACK_STREAMS,
MIXART_CAPTURE_STREAMS, &pcm);
if (err < 0) {
dev_err(chip->card->dev,
Reported by FlawFinder.
Line: 988
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int err;
struct snd_pcm *pcm;
char name[32];
sprintf(name, "miXart AES/EBU %d", chip->chip_idx);
err = snd_pcm_new(chip->card, name, MIXART_PCM_DIGITAL,
MIXART_PLAYBACK_STREAMS,
MIXART_CAPTURE_STREAMS, &pcm);
Reported by FlawFinder.
Line: 990
Column: 2
CWE codes:
120
Suggestion:
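Use sprintf_s, snprintf, or vsnprintf. Here the destination is char name[32] and the format is a 15-character literal plus a single %d, so the output stays within the buffer provided chip_idx is no wider than int (its type is not shown). Writing snprintf(name, sizeof(name), ...) would make the bound explicit.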
struct snd_pcm *pcm;
char name[32];
sprintf(name, "miXart AES/EBU %d", chip->chip_idx);
err = snd_pcm_new(chip->card, name, MIXART_PCM_DIGITAL,
MIXART_PLAYBACK_STREAMS,
MIXART_CAPTURE_STREAMS, &pcm);
if (err < 0) {
dev_err(chip->card->dev,
Reported by FlawFinder.
Line: 1316
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
mgr->num_cards = MIXART_MAX_CARDS; /* 4 FIXME: configurable? */
for (i = 0; i < mgr->num_cards; i++) {
struct snd_card *card;
char tmpid[16];
int idx;
if (index[dev] < 0)
idx = index[dev];
else
Reported by FlawFinder.
drivers/scsi/qedi/qedi_fw.c
9 issues
Line: 348
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case ISCSI_CQE_UNSOLICITED_SINGLE:
case ISCSI_CQE_UNSOLICITED_FIRST:
if (len)
memcpy(ptr, (void *)qedi->bdq[idx].buf_addr, len);
break;
case ISCSI_CQE_UNSOLICITED_MIDDLE:
case ISCSI_CQE_UNSOLICITED_LAST:
break;
default:
Reported by FlawFinder.
Line: 421
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int tgt_async_nop = 0;
u32 lun[2];
u32 pdu_len, num_bdqs;
char bdq_data[QEDI_BDQ_BUF_SIZE];
unsigned long flags;
spin_lock_bh(&session->back_lock);
cqe_nop_in = &cqe->cqe_common.iscsi_hdr.nop_in;
Reported by FlawFinder.
Line: 457
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
conn->session->age);
lun[0] = 0xffffffff;
lun[1] = 0xffffffff;
memcpy(&hdr->lun, lun, sizeof(struct scsi_lun));
QEDI_INFO(&qedi->dbg_ctx, QEDI_LOG_TID,
"Freeing tid=0x%x for cid=0x%x\n",
cmd->task_id, qedi_conn->iscsi_conn_id);
cmd->state = RESPONSE_RECEIVED;
spin_lock(&qedi_conn->list_lock);
Reported by FlawFinder.
Line: 491
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct iscsi_async *resp_hdr;
u32 lun[2];
u32 pdu_len, num_bdqs;
char bdq_data[QEDI_BDQ_BUF_SIZE];
unsigned long flags;
spin_lock_bh(&session->back_lock);
cqe_async_msg = &cqe->cqe_common.iscsi_hdr.async_msg;
Reported by FlawFinder.
Line: 515
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lun[0] = cpu_to_be32(cqe_async_msg->lun.lo);
lun[1] = cpu_to_be32(cqe_async_msg->lun.hi);
memcpy(&resp_hdr->lun, lun, sizeof(struct scsi_lun));
resp_hdr->exp_cmdsn = cpu_to_be32(cqe_async_msg->exp_cmd_sn);
resp_hdr->max_cmdsn = cpu_to_be32(cqe_async_msg->max_cmd_sn);
resp_hdr->statsn = cpu_to_be32(cqe_async_msg->stat_sn);
resp_hdr->async_event = cqe_async_msg->async_event;
Reported by FlawFinder.
Line: 641
Column: 3
CWE codes:
120
Suggestion:
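Make sure destination can always hold the source data. In this excerpt datalen is taken from the completion entry (cqe_data_in->reserved2 masked with ISCSI_COMMON_HDR_DATA_SEG_LEN_MASK), and no comparison against the size of conn->data or cmd->sense_buffer is visible, so the bound has to be confirmed in the surrounding code.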
if (hdr->cmd_status == SAM_STAT_CHECK_CONDITION) {
datalen = cqe_data_in->reserved2 &
ISCSI_COMMON_HDR_DATA_SEG_LEN_MASK;
memcpy((char *)conn->data, (char *)cmd->sense_buffer, datalen);
}
/* If f/w reports data underrun err then set residual to IO transfer
* length, set Underrun flag and clear Overrun flag explicitly
*/
Reported by FlawFinder.
Line: 1484
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tmf_pdu_header.itt = qedi_set_itt(tid, get_itt(mtask->itt));
tmf_pdu_header.cmd_sn = be32_to_cpu(tmf_hdr->cmdsn);
memcpy(scsi_lun, &tmf_hdr->lun, sizeof(struct scsi_lun));
tmf_pdu_header.lun.lo = be32_to_cpu(scsi_lun[0]);
tmf_pdu_header.lun.hi = be32_to_cpu(scsi_lun[1]);
if ((tmf_hdr->flags & ISCSI_FLAG_TM_FUNC_MASK) ==
ISCSI_TM_FUNC_ABORT_TASK) {
Reported by FlawFinder.
Line: 1701
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
SET_FIELD(nop_out_pdu_header.flags_attr, ISCSI_NOP_OUT_HDR_CONST1, 1);
SET_FIELD(nop_out_pdu_header.flags_attr, ISCSI_NOP_OUT_HDR_RSRV, 0);
memcpy(scsi_lun, &nopout_hdr->lun, sizeof(struct scsi_lun));
nop_out_pdu_header.lun.lo = be32_to_cpu(scsi_lun[0]);
nop_out_pdu_header.lun.hi = be32_to_cpu(scsi_lun[1]);
nop_out_pdu_header.cmd_sn = be32_to_cpu(nopout_hdr->cmdsn);
nop_out_pdu_header.exp_stat_sn = be32_to_cpu(nopout_hdr->exp_statsn);
Reported by FlawFinder.
Line: 1924
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lpcnt = sc->cmd_len / sizeof(dword);
srcp = (u8 *)sc->cmnd;
while (lpcnt--) {
memcpy(&dword, (const void *)srcp, 4);
*dstp = cpu_to_be32(dword);
srcp += 4;
dstp++;
}
if (sc->cmd_len & 0x3) {
Reported by FlawFinder.
drivers/usb/storage/freecom.c
9 issues
Line: 242
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* The ATAPI Command always goes out first. */
fcb->Type = FCM_PACKET_ATAPI | 0x00;
fcb->Timeout = 0;
memcpy (fcb->Atapi, srb->cmnd, 12);
memset (fcb->Filler, 0, sizeof (fcb->Filler));
US_DEBUG(pdump(us, srb->cmnd, 12));
/* Send it out. */
Reported by FlawFinder.
Line: 491
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_USB_STORAGE_DEBUG
static void pdump(struct us_data *us, void *ibuffer, int length)
{
static char line[80];
int offset = 0;
unsigned char *buffer = (unsigned char *) ibuffer;
int i, j;
int from, base;
Reported by FlawFinder.
Line: 501
Column: 15
CWE codes:
120
Suggestion:
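Use sprintf_s, snprintf, or vsnprintf. In kernel code sprintf_s is not available. Because the return value is added to offset, scnprintf(), which returns the number of bytes actually stored, is the fitting replacement; snprintf() returns the would-be length and could advance offset past the end of line[].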
for (i = 0; i < length; i++) {
if ((i & 15) == 0) {
if (i > 0) {
offset += sprintf (line+offset, " - ");
for (j = i - 16; j < i; j++) {
if (buffer[j] >= 32 && buffer[j] <= 126)
line[offset++] = buffer[j];
else
line[offset++] = '.';
Reported by FlawFinder.
Line: 512
Column: 14
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
usb_stor_dbg(us, "%s\n", line);
offset = 0;
}
offset += sprintf (line+offset, "%08x:", i);
} else if ((i & 7) == 0) {
offset += sprintf (line+offset, " -");
}
offset += sprintf (line+offset, " %02x", buffer[i] & 0xff);
}
Reported by FlawFinder.
Line: 514
Column: 14
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
offset += sprintf (line+offset, "%08x:", i);
} else if ((i & 7) == 0) {
offset += sprintf (line+offset, " -");
}
offset += sprintf (line+offset, " %02x", buffer[i] & 0xff);
}
/* Add the last "chunk" of data. */
Reported by FlawFinder.
Line: 516
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
} else if ((i & 7) == 0) {
offset += sprintf (line+offset, " -");
}
offset += sprintf (line+offset, " %02x", buffer[i] & 0xff);
}
/* Add the last "chunk" of data. */
from = (length - 1) % 16;
base = ((length - 1) / 16) * 16;
Reported by FlawFinder.
Line: 524
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
base = ((length - 1) / 16) * 16;
for (i = from + 1; i < 16; i++)
offset += sprintf (line+offset, " ");
if (from < 8)
offset += sprintf (line+offset, " ");
offset += sprintf (line+offset, " - ");
for (i = 0; i <= from; i++) {
Reported by FlawFinder.
Line: 526
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = from + 1; i < 16; i++)
offset += sprintf (line+offset, " ");
if (from < 8)
offset += sprintf (line+offset, " ");
offset += sprintf (line+offset, " - ");
for (i = 0; i <= from; i++) {
if (buffer[base+i] >= 32 && buffer[base+i] <= 126)
line[offset++] = buffer[base+i];
Reported by FlawFinder.
Line: 527
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
offset += sprintf (line+offset, " ");
if (from < 8)
offset += sprintf (line+offset, " ");
offset += sprintf (line+offset, " - ");
for (i = 0; i <= from; i++) {
if (buffer[base+i] >= 32 && buffer[base+i] <= 126)
line[offset++] = buffer[base+i];
else
Reported by FlawFinder.
drivers/tty/mips_ejtag_fdc.c
9 issues
Line: 145
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device *dev;
struct tty_driver *driver;
unsigned int cpu;
char fdc_name[16];
char driver_name[16];
struct mips_ejtag_fdc_tty_port ports[NUM_TTY_CHANNELS];
wait_queue_head_t waitqueue;
raw_spinlock_t lock;
struct task_struct *thread;
Reported by FlawFinder.
Line: 146
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tty_driver *driver;
unsigned int cpu;
char fdc_name[16];
char driver_name[16];
struct mips_ejtag_fdc_tty_port ports[NUM_TTY_CHANNELS];
wait_queue_head_t waitqueue;
raw_spinlock_t lock;
struct task_struct *thread;
Reported by FlawFinder.
Line: 311
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long flags;
unsigned int i, buf_len, cpu;
bool done_cr = false;
char buf[4];
const char *buf_ptr = buf;
/* Number of bytes of input data encoded up to each byte in buf */
u8 inc[4];
local_irq_save(flags);
Reported by FlawFinder.
Line: 420
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct mips_ejtag_fdc_tty_port *dport;
struct tty_struct *tty;
const char *ptrs[2];
unsigned int sizes[2] = { 0 };
struct fdc_word word = { .bytes = 0 };
unsigned long flags;
dport = &priv->ports[chan];
Reported by FlawFinder.
Line: 563
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mips_ejtag_fdc_tty_port *dport;
unsigned int stat, channel, data, cfg, i, flipped;
int len;
char buf[4];
for (;;) {
/* Find which channel the next FDC word is destined for */
stat = mips_ejtag_fdc_read(priv, REG_FDSTAT);
if (stat & REG_FDSTAT_RXE)
Reported by FlawFinder.
Line: 825
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Write the actual bytes (may need splitting if it wraps) */
for (count = total; count; count -= block) {
block = min(count, (int)(priv->xmit_size - dport->xmit_head));
memcpy(dport->port.xmit_buf + dport->xmit_head, buf, block);
dport->xmit_head += block;
if (dport->xmit_head >= priv->xmit_size)
dport->xmit_head -= priv->xmit_size;
buf += block;
}
Reported by FlawFinder.
Line: 1155
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* read buffer to allow decompaction */
static unsigned int kgdbfdc_rbuflen;
static unsigned int kgdbfdc_rpos;
static char kgdbfdc_rbuf[4];
/* write buffer to allow compaction */
static unsigned int kgdbfdc_wbuflen;
static char kgdbfdc_wbuf[4];
Reported by FlawFinder.
Line: 1159
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* write buffer to allow compaction */
static unsigned int kgdbfdc_wbuflen;
static char kgdbfdc_wbuf[4];
static void __iomem *kgdbfdc_setup(void)
{
void __iomem *regs;
unsigned int cpu;
Reported by FlawFinder.
Line: 1220
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* push an FDC word from write buffer to TX FIFO */
static void kgdbfdc_push_one(void)
{
const char *bufs[1] = { kgdbfdc_wbuf };
struct fdc_word word;
void __iomem *regs;
unsigned int i;
/* Construct a word from any data in buffer */
Reported by FlawFinder.
drivers/staging/wlan-ng/prism2fw.c
9 issues
Line: 299
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
memset(&getmsg, 0, sizeof(getmsg));
getmsg.msgcode = DIDMSG_DOT11REQ_MIBGET;
getmsg.msglen = sizeof(getmsg);
strcpy(getmsg.devname, wlandev->name);
getmsg.mibattribute.did = DIDMSG_DOT11REQ_MIBGET_MIBATTRIBUTE;
getmsg.mibattribute.status = P80211ENUM_msgitem_status_data_ok;
getmsg.resultcode.did = DIDMSG_DOT11REQ_MIBGET_RESULTCODE;
getmsg.resultcode.status = P80211ENUM_msgitem_status_no_value;
Reported by FlawFinder.
Line: 789
Column: 2
CWE codes:
120
Suggestion:
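Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). In kernel code strcpy_s is not available; strscpy() is the bounded copy helper. Separate from this finding, the excerpt sets msg->msglen = sizeof(msg) although msg is used as a pointer, so the pointer size is stored; the neighbouring messages on this page use sizeof(getmsg) and sizeof(*rstmsg), which suggests sizeof(*msg) was intended.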
/* set up the msg */
msg->msgcode = DIDMSG_P2REQ_READPDA;
msg->msglen = sizeof(msg);
strcpy(msg->devname, wlandev->name);
msg->pda.did = DIDMSG_P2REQ_READPDA_PDA;
msg->pda.len = HFA384x_PDA_LEN_MAX;
msg->pda.status = P80211ENUM_msgitem_status_no_value;
msg->resultcode.did = DIDMSG_P2REQ_READPDA_RESULTCODE;
msg->resultcode.len = sizeof(u32);
Reported by FlawFinder.
Line: 1020
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
/* Initialize the messages */
strcpy(rstmsg->devname, wlandev->name);
rstmsg->msgcode = DIDMSG_P2REQ_RAMDL_STATE;
rstmsg->msglen = sizeof(*rstmsg);
rstmsg->enable.did = DIDMSG_P2REQ_RAMDL_STATE_ENABLE;
rstmsg->exeaddr.did = DIDMSG_P2REQ_RAMDL_STATE_EXEADDR;
rstmsg->resultcode.did = DIDMSG_P2REQ_RAMDL_STATE_RESULTCODE;
Reported by FlawFinder.
Line: 1033
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
rstmsg->exeaddr.len = sizeof(u32);
rstmsg->resultcode.len = sizeof(u32);
strcpy(rwrmsg->devname, wlandev->name);
rwrmsg->msgcode = DIDMSG_P2REQ_RAMDL_WRITE;
rwrmsg->msglen = sizeof(*rwrmsg);
rwrmsg->addr.did = DIDMSG_P2REQ_RAMDL_WRITE_ADDR;
rwrmsg->len.did = DIDMSG_P2REQ_RAMDL_WRITE_LEN;
rwrmsg->data.did = DIDMSG_P2REQ_RAMDL_WRITE_DATA;
Reported by FlawFinder.
Line: 582
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 1;
}
coffset = s3start - cstart;
memcpy(clist[j].data + coffset, s3data[i].data, s3data[i].len);
}
return result;
}
Reported by FlawFinder.
Line: 752
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(dest, 0, s3plug[i].len);
strncpy(dest, PRISM2_USB_FWFILE, s3plug[i].len - 1);
} else { /* plug a PDR */
memcpy(dest, &pda->rec[j]->data, s3plug[i].len);
}
}
return result;
}
Reported by FlawFinder.
Line: 801
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* prism2mgmt_readpda prints an errno if appropriate */
result = -1;
} else if (msg->resultcode.data == P80211ENUM_resultcode_success) {
memcpy(pda->buf, msg->pda.data, HFA384x_PDA_LEN_MAX);
result = mkpdrlist(pda);
} else {
/* resultcode must've been something other than success */
result = -1;
}
Reported by FlawFinder.
Line: 1088
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Setup the message */
rwrmsg->addr.data = currdaddr;
rwrmsg->len.data = currlen;
memcpy(rwrmsg->data.data,
fchunk[i].data + curroff, currlen);
/* Send flashdl_write(pda) */
pr_debug
("Sending xxxdl_write message addr=%06x len=%d.\n",
Reported by FlawFinder.
Line: 750
Column: 4
CWE codes:
120
if (j == -1) { /* plug the filename */
memset(dest, 0, s3plug[i].len);
strncpy(dest, PRISM2_USB_FWFILE, s3plug[i].len - 1);
} else { /* plug a PDR */
memcpy(dest, &pda->rec[j]->data, s3plug[i].len);
}
}
return result;
Reported by FlawFinder.
drivers/tty/ipwireless/hardware.c
9 issues
Line: 368
Column: 2
CWE codes:
134
Suggestion:
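Make format string constant. The format here is IPWIRELESS_PCCARD_NAME concatenated with a string literal, which only compiles if the macro expands to a string literal, so the format is already constant. The part to check is the two unbounded %s conversions written into prefix[56], which the CWE-119/120 finding for line 366 covers.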
{
char prefix[56];
sprintf(prefix, IPWIRELESS_PCCARD_NAME ": %s %s ",
type, data_type(data, length));
print_hex_dump_bytes(prefix, 0, (void *)data,
length < DUMP_MAX_BYTES ? length : DUMP_MAX_BYTES);
}
Reported by FlawFinder.
Line: 160
Column: 11
CWE codes:
119
120
Suggestion:
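Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Note: this finding is on the fixed-size array declaration itself. Whether it matters depends on the code that writes into rawpkt, such as the memcpy reported at line 490.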
/* Network packet header of the following packets (if any) */
struct nl_packet_header hdr;
/* Complete network packet (header + data) */
unsigned char rawpkt[LL_MTU_MAX];
} __attribute__ ((__packed__));
#define HW_VERSION_UNKNOWN -1
#define HW_VERSION_1 1
#define HW_VERSION_2 2
Reported by FlawFinder.
Line: 366
Column: 2
CWE codes:
119
120
Suggestion:
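Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Note: prefix is filled by an unbounded sprintf of IPWIRELESS_PCCARD_NAME, type and the data_type() result. Replacing it with snprintf(prefix, sizeof(prefix), ...) bounds the write regardless of how long those strings are.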
static void dump_data_bytes(const char *type, const unsigned char *data,
unsigned length)
{
char prefix[56];
sprintf(prefix, IPWIRELESS_PCCARD_NAME ": %s %s ",
type, data_type(data, length));
print_hex_dump_bytes(prefix, 0, (void *)data,
length < DUMP_MAX_BYTES ? length : DUMP_MAX_BYTES);
Reported by FlawFinder.
Line: 490
Column: 2
CWE codes:
120
Suggestion:
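Make sure destination can always hold the source data
Note: the destination is pkt.rawpkt, which the line 160 excerpt declares with LL_MTU_MAX bytes, so header_size + fragment_data_len must not exceed LL_MTU_MAX. The excerpt does not show how fragment_data_len is derived.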
(unsigned char) (packet->length >> 8);
}
memcpy(pkt.rawpkt + header_size,
((unsigned char *) packet) + sizeof(struct ipw_tx_packet) +
packet->offset, fragment_data_len);
packet->offset += fragment_data_len;
packet->fragment_count++;
Reported by FlawFinder.
Line: 599
Column: 3
CWE codes:
120
Suggestion:
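Make sure destination can always hold the source data
Note: the copy is sizeof(struct ipw_rx_packet) + old_packet->length bytes, so the new packet must have been allocated with at least that size. The allocation is above the excerpt; the capacity assignment suggests it also includes minimum_free_space, but confirm that against the allocation call.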
kfree(old_packet);
return NULL;
}
memcpy(packet, old_packet,
sizeof(struct ipw_rx_packet)
+ old_packet->length);
packet->capacity = old_packet->length + minimum_free_space;
kfree(old_packet);
}
Reported by FlawFinder.
Line: 657
Column: 3
CWE codes:
120
Suggestion:
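Make sure destination can always hold the source data
Note: this appends length bytes at offset (*assem)->length, so (*assem)->length + length must stay within the space allocated for *assem. The excerpt does not show the check or resize that guarantees this, so verify it in the preceding lines.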
(*assem)->channel_idx = channel_idx;
/* Append this packet data onto existing data. */
memcpy((unsigned char *)(*assem) +
sizeof(struct ipw_rx_packet)
+ (*assem)->length, data, length);
(*assem)->length += length;
if (is_last) {
packet = *assem;
Reported by FlawFinder.
Line: 679
Column: 3
CWE codes:
120
Suggestion:
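Make sure destination can always hold the source data
Note: packet must have been allocated with at least sizeof(struct ipw_rx_packet) + length bytes. The allocation is not in the excerpt.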
}
packet->protocol = protocol;
packet->channel_idx = channel_idx;
memcpy((unsigned char *)packet + sizeof(struct ipw_rx_packet),
data, length);
packet->length = length;
}
/*
Reported by FlawFinder.
Line: 858
Column: 11
CWE codes:
119
120
Suggestion:
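Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Note: in the excerpt len is read from the device (inw(hw->base_port + IODRR)), so it should be treated as untrusted and checked against LL_MTU_MAX before any bytes are stored in pkt. The excerpt ends before that point, so the check has to be confirmed in the rest of the function.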
{
unsigned len;
unsigned i;
unsigned char pkt[LL_MTU_MAX];
start_timing();
if (hw->hw_version == HW_VERSION_1) {
len = inw(hw->base_port + IODRR);
Reported by FlawFinder.
Line: 1307
Column: 2
CWE codes:
120
Suggestion:
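Make sure destination can always hold the source data
Note: the preceding return -ENOMEM indicates an allocation just above the excerpt. That allocation must be at least sizeof(struct ipw_tx_packet) + length bytes, and the sum must not overflow for large values of length.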
return -ENOMEM;
packet->packet_callback = callback;
packet->callback_data = callback_data;
memcpy((unsigned char *) packet + sizeof(struct ipw_tx_packet), data,
length);
send_packet(hw, PRIO_DATA, packet);
return 0;
}
Reported by FlawFinder.