The following issues were found
drivers/staging/wlan-ng/hfa384x_usb.c
9 issues
Line: 701
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENODATA;
}
memcpy(complete->riddata, rridresult.riddata, complete->riddatalen);
return 0;
}
static inline struct usbctlx_completor *
init_rrid_completor(struct usbctlx_rrid_completor *completor,
Reported by FlawFinder.
Line: 751
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(struct usbctlx_rmem_completor *)head;
pr_debug("rmemresp:len=%d\n", complete->rmemresp->frmlen);
memcpy(complete->data, complete->rmemresp->data, complete->len);
return 0;
}
static inline struct usbctlx_completor *
init_rmem_completor(struct usbctlx_rmem_completor *completor,
Reported by FlawFinder.
Line: 1386
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(ctlx->outbuf.wridreq.rid) +
riddatalen + 1) / 2);
ctlx->outbuf.wridreq.rid = cpu_to_le16(rid);
memcpy(ctlx->outbuf.wridreq.data, riddata, riddatalen);
ctlx->outbufsize = sizeof(ctlx->outbuf.wridreq.type) +
sizeof(ctlx->outbuf.wridreq.frmlen) +
sizeof(ctlx->outbuf.wridreq.rid) + riddatalen;
Reported by FlawFinder.
Line: 1557
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(ctlx->outbuf.wmemreq.page) + len);
ctlx->outbuf.wmemreq.offset = cpu_to_le16(offset);
ctlx->outbuf.wmemreq.page = cpu_to_le16(page);
memcpy(ctlx->outbuf.wmemreq.data, data, len);
ctlx->outbufsize = sizeof(ctlx->outbuf.wmemreq.type) +
sizeof(ctlx->outbuf.wmemreq.frmlen) +
sizeof(ctlx->outbuf.wmemreq.offset) +
sizeof(ctlx->outbuf.wmemreq.page) + len;
Reported by FlawFinder.
Line: 2519
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpu_to_le16s(&hw->txbuff.txfrm.desc.tx_control);
/* copy the header over to the txdesc */
memcpy(&hw->txbuff.txfrm.desc.frame_control, p80211_hdr,
sizeof(union p80211_hdr));
/* if we're using host WEP, increase size by IV+ICV */
if (p80211_wep->data) {
hw->txbuff.txfrm.desc.data_len = cpu_to_le16(skb->len + 8);
Reported by FlawFinder.
Line: 2535
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy over the WEP IV if we are using host WEP */
ptr = hw->txbuff.txfrm.data;
if (p80211_wep->data) {
memcpy(ptr, p80211_wep->iv, sizeof(p80211_wep->iv));
ptr += sizeof(p80211_wep->iv);
memcpy(ptr, p80211_wep->data, skb->len);
} else {
memcpy(ptr, skb->data, skb->len);
}
Reported by FlawFinder.
Line: 2537
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (p80211_wep->data) {
memcpy(ptr, p80211_wep->iv, sizeof(p80211_wep->iv));
ptr += sizeof(p80211_wep->iv);
memcpy(ptr, p80211_wep->data, skb->len);
} else {
memcpy(ptr, skb->data, skb->len);
}
/* copy over the packet data */
ptr += skb->len;
Reported by FlawFinder.
Line: 2539
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr += sizeof(p80211_wep->iv);
memcpy(ptr, p80211_wep->data, skb->len);
} else {
memcpy(ptr, skb->data, skb->len);
}
/* copy over the packet data */
ptr += skb->len;
/* copy over the WEP ICV if we are using host WEP */
Reported by FlawFinder.
Line: 2546
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy over the WEP ICV if we are using host WEP */
if (p80211_wep->data)
memcpy(ptr, p80211_wep->icv, sizeof(p80211_wep->icv));
/* Send the USB packet */
usb_fill_bulk_urb(&hw->tx_urb, hw->usb,
hw->endp_out,
&hw->txbuff, ROUNDUP64(usbpktlen),
Reported by FlawFinder.
drivers/tty/hvc/hvcs.c
9 issues
Line: 333
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int retval;
spin_lock_irqsave(&hvcsd->lock, flags);
retval = sprintf(buf, "%s\n", &hvcsd->p_location_code[0]);
spin_unlock_irqrestore(&hvcsd->lock, flags);
return retval;
}
static DEVICE_ATTR(partner_clcs, S_IRUGO, hvcs_partner_clcs_show, NULL);
Reported by FlawFinder.
Line: 358
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int retval;
spin_lock_irqsave(&hvcsd->lock, flags);
retval = sprintf(buf, "%s\n", &hvcsd->p_location_code[0]);
spin_unlock_irqrestore(&hvcsd->lock, flags);
return retval;
}
static DEVICE_ATTR(current_vty,
Reported by FlawFinder.
Line: 272
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* able to send what the driver commits to sending buffering
* [e.g. tab to space conversions in n_tty.c opost()].
*/
char buffer[HVCS_BUFF_LEN];
int chars_in_buffer;
/*
* Any variable below is valid before a tty is connected and
* stays valid after the tty is disconnected. These shouldn't be
Reported by FlawFinder.
Line: 284
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int connected; /* is the vty-server currently connected to a vty? */
uint32_t p_unit_address; /* partner unit address */
uint32_t p_partition_ID; /* partner partition ID */
char p_location_code[HVCS_CLC_LENGTH + 1]; /* CLC + Null Term */
struct list_head next; /* list management */
struct vio_dev *vdev;
};
static LIST_HEAD(hvcs_structs);
Reported by FlawFinder.
Line: 319
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int retval;
spin_lock_irqsave(&hvcsd->lock, flags);
retval = sprintf(buf, "%X\n", hvcsd->p_unit_address);
spin_unlock_irqrestore(&hvcsd->lock, flags);
return retval;
}
static DEVICE_ATTR(partner_vtys, S_IRUGO, hvcs_partner_vtys_show, NULL);
Reported by FlawFinder.
Line: 412
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int retval;
spin_lock_irqsave(&hvcsd->lock, flags);
retval = sprintf(buf, "%d\n", hvcsd->connected);
spin_unlock_irqrestore(&hvcsd->lock, flags);
return retval;
}
static DEVICE_ATTR(vterm_state, S_IRUGO | S_IWUSR,
hvcs_vterm_state_show, hvcs_vterm_state_store);
Reported by FlawFinder.
Line: 427
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int retval;
spin_lock_irqsave(&hvcsd->lock, flags);
retval = sprintf(buf, "%d\n", hvcsd->index);
spin_unlock_irqrestore(&hvcsd->lock, flags);
return retval;
}
static DEVICE_ATTR(index, S_IRUGO, hvcs_index_show, NULL);
Reported by FlawFinder.
Line: 551
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
uint32_t unit_address;
struct tty_struct *tty;
char buf[HVCS_BUFF_LEN] __ALIGNED__;
unsigned long flags;
int got = 0;
spin_lock_irqsave(&hvcsd->lock, flags);
Reported by FlawFinder.
Line: 1325
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!tosend)
break;
memcpy(&hvcsd->buffer[hvcsd->chars_in_buffer],
&charbuf[total_sent],
tosend);
hvcsd->chars_in_buffer += tosend;
Reported by FlawFinder.
drivers/staging/ks7010/eap_packet.h
9 issues
Line: 10
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <uapi/linux/if_ether.h>
struct ether_hdr {
unsigned char h_dest[ETH_ALEN]; /* destination eth addr */
unsigned char h_source[ETH_ALEN]; /* source ether addr */
unsigned char h_dest_snap;
unsigned char h_source_snap;
unsigned char h_command;
unsigned char h_vendor_id[3];
Reported by FlawFinder.
Line: 11
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ether_hdr {
unsigned char h_dest[ETH_ALEN]; /* destination eth addr */
unsigned char h_source[ETH_ALEN]; /* source ether addr */
unsigned char h_dest_snap;
unsigned char h_source_snap;
unsigned char h_command;
unsigned char h_vendor_id[3];
__be16 h_proto; /* packet type ID field */
Reported by FlawFinder.
Line: 15
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char h_dest_snap;
unsigned char h_source_snap;
unsigned char h_command;
unsigned char h_vendor_id[3];
__be16 h_proto; /* packet type ID field */
/* followed by length octets of data */
} __packed;
#define ETHER_HDR_SIZE sizeof(struct ether_hdr)
Reported by FlawFinder.
Line: 44
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char type;
__be16 key_info;
unsigned short key_length;
unsigned char replay_counter[WPA_REPLAY_COUNTER_LEN];
unsigned char key_nonce[WPA_NONCE_LEN];
unsigned char key_iv[16];
unsigned char key_rsc[8];
unsigned char key_id[8]; /* Reserved in IEEE 802.11i/RSN */
unsigned char key_mic[16];
Reported by FlawFinder.
Line: 45
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__be16 key_info;
unsigned short key_length;
unsigned char replay_counter[WPA_REPLAY_COUNTER_LEN];
unsigned char key_nonce[WPA_NONCE_LEN];
unsigned char key_iv[16];
unsigned char key_rsc[8];
unsigned char key_id[8]; /* Reserved in IEEE 802.11i/RSN */
unsigned char key_mic[16];
unsigned short key_data_length;
Reported by FlawFinder.
Line: 46
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short key_length;
unsigned char replay_counter[WPA_REPLAY_COUNTER_LEN];
unsigned char key_nonce[WPA_NONCE_LEN];
unsigned char key_iv[16];
unsigned char key_rsc[8];
unsigned char key_id[8]; /* Reserved in IEEE 802.11i/RSN */
unsigned char key_mic[16];
unsigned short key_data_length;
/* followed by key_data_length bytes of key_data */
Reported by FlawFinder.
Line: 47
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char replay_counter[WPA_REPLAY_COUNTER_LEN];
unsigned char key_nonce[WPA_NONCE_LEN];
unsigned char key_iv[16];
unsigned char key_rsc[8];
unsigned char key_id[8]; /* Reserved in IEEE 802.11i/RSN */
unsigned char key_mic[16];
unsigned short key_data_length;
/* followed by key_data_length bytes of key_data */
} __packed;
Reported by FlawFinder.
Line: 48
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char key_nonce[WPA_NONCE_LEN];
unsigned char key_iv[16];
unsigned char key_rsc[8];
unsigned char key_id[8]; /* Reserved in IEEE 802.11i/RSN */
unsigned char key_mic[16];
unsigned short key_data_length;
/* followed by key_data_length bytes of key_data */
} __packed;
Reported by FlawFinder.
Line: 49
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char key_iv[16];
unsigned char key_rsc[8];
unsigned char key_id[8]; /* Reserved in IEEE 802.11i/RSN */
unsigned char key_mic[16];
unsigned short key_data_length;
/* followed by key_data_length bytes of key_data */
} __packed;
#define WPA_KEY_INFO_TYPE_MASK GENMASK(2, 0)
Reported by FlawFinder.
drivers/staging/wfx/key.c
9 issues
Line: 38
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
WARN(key->keylen > sizeof(msg->key_data), "inconsistent data");
msg->key_length = key->keylen;
memcpy(msg->key_data, key->key, key->keylen);
ether_addr_copy(msg->peer_address, peer_addr);
return HIF_KEY_TYPE_WEP_PAIRWISE;
}
static u8 fill_wep_group(struct hif_wep_group_key *msg,
Reported by FlawFinder.
Line: 49
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
WARN(key->keylen > sizeof(msg->key_data), "inconsistent data");
msg->key_id = key->keyidx;
msg->key_length = key->keylen;
memcpy(msg->key_data, key->key, key->keylen);
return HIF_KEY_TYPE_WEP_DEFAULT;
}
static u8 fill_tkip_pair(struct hif_tkip_pairwise_key *msg,
struct ieee80211_key_conf *key, u8 *peer_addr)
Reported by FlawFinder.
Line: 80
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
WARN(key->keylen != sizeof(msg->tkip_key_data)
+ 2 * sizeof(msg->rx_mic_key), "inconsistent data");
msg->key_id = key->keyidx;
memcpy(msg->rx_sequence_counter,
&seq->tkip.iv16, sizeof(seq->tkip.iv16));
memcpy(msg->rx_sequence_counter + sizeof(u16),
&seq->tkip.iv32, sizeof(seq->tkip.iv32));
memcpy(msg->tkip_key_data, keybuf, sizeof(msg->tkip_key_data));
keybuf += sizeof(msg->tkip_key_data);
Reported by FlawFinder.
Line: 82
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg->key_id = key->keyidx;
memcpy(msg->rx_sequence_counter,
&seq->tkip.iv16, sizeof(seq->tkip.iv16));
memcpy(msg->rx_sequence_counter + sizeof(u16),
&seq->tkip.iv32, sizeof(seq->tkip.iv32));
memcpy(msg->tkip_key_data, keybuf, sizeof(msg->tkip_key_data));
keybuf += sizeof(msg->tkip_key_data);
if (iftype == NL80211_IFTYPE_AP)
// Use Tx MIC Key
Reported by FlawFinder.
Line: 100
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
WARN(key->keylen != sizeof(msg->aes_key_data), "inconsistent data");
ether_addr_copy(msg->peer_address, peer_addr);
memcpy(msg->aes_key_data, key->key, key->keylen);
return HIF_KEY_TYPE_AES_PAIRWISE;
}
static u8 fill_ccmp_group(struct hif_aes_group_key *msg,
struct ieee80211_key_conf *key,
Reported by FlawFinder.
Line: 109
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct ieee80211_key_seq *seq)
{
WARN(key->keylen != sizeof(msg->aes_key_data), "inconsistent data");
memcpy(msg->aes_key_data, key->key, key->keylen);
memcpy(msg->rx_sequence_counter, seq->ccmp.pn, sizeof(seq->ccmp.pn));
memreverse(msg->rx_sequence_counter, sizeof(seq->ccmp.pn));
msg->key_id = key->keyidx;
return HIF_KEY_TYPE_AES_GROUP;
}
Reported by FlawFinder.
Line: 110
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
WARN(key->keylen != sizeof(msg->aes_key_data), "inconsistent data");
memcpy(msg->aes_key_data, key->key, key->keylen);
memcpy(msg->rx_sequence_counter, seq->ccmp.pn, sizeof(seq->ccmp.pn));
memreverse(msg->rx_sequence_counter, sizeof(seq->ccmp.pn));
msg->key_id = key->keyidx;
return HIF_KEY_TYPE_AES_GROUP;
}
Reported by FlawFinder.
Line: 150
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct ieee80211_key_seq *seq)
{
WARN(key->keylen != sizeof(msg->igtk_key_data), "inconsistent data");
memcpy(msg->igtk_key_data, key->key, key->keylen);
memcpy(msg->ipn, seq->aes_cmac.pn, sizeof(seq->aes_cmac.pn));
memreverse(msg->ipn, sizeof(seq->aes_cmac.pn));
msg->key_id = key->keyidx;
return HIF_KEY_TYPE_IGTK_GROUP;
}
Reported by FlawFinder.
Line: 151
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
WARN(key->keylen != sizeof(msg->igtk_key_data), "inconsistent data");
memcpy(msg->igtk_key_data, key->key, key->keylen);
memcpy(msg->ipn, seq->aes_cmac.pn, sizeof(seq->aes_cmac.pn));
memreverse(msg->ipn, sizeof(seq->aes_cmac.pn));
msg->key_id = key->keyidx;
return HIF_KEY_TYPE_IGTK_GROUP;
}
Reported by FlawFinder.
drivers/video/fbdev/platinumfb.h
9 issues
Line: 27
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct cmap_regs {
unsigned char addr;
char pad1[15];
unsigned char d1;
char pad2[15];
unsigned char d2;
char pad3[15];
unsigned char lut;
Reported by FlawFinder.
Line: 29
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char addr;
char pad1[15];
unsigned char d1;
char pad2[15];
unsigned char d2;
char pad3[15];
unsigned char lut;
char pad4[15];
};
Reported by FlawFinder.
Line: 31
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char d1;
char pad2[15];
unsigned char d2;
char pad3[15];
unsigned char lut;
char pad4[15];
};
/*
Reported by FlawFinder.
Line: 33
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char d2;
char pad3[15];
unsigned char lut;
char pad4[15];
};
/*
* Structure of the registers for the "platinum" display adaptor".
*/
Reported by FlawFinder.
Line: 41
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct preg { /* padded register */
unsigned r; /* notice this is 32 bits. */
char pad[12];
};
struct platinum_regs {
struct preg reg[128];
};
Reported by FlawFinder.
Line: 63
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int fb_offset;
int pitch[3];
unsigned regs[26];
unsigned char offset[3];
unsigned char mode[3];
unsigned char dacula_ctrl[3];
unsigned char clock_params[2][2];
};
Reported by FlawFinder.
Line: 64
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int pitch[3];
unsigned regs[26];
unsigned char offset[3];
unsigned char mode[3];
unsigned char dacula_ctrl[3];
unsigned char clock_params[2][2];
};
#define DIV2 0x20
Reported by FlawFinder.
Line: 65
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned regs[26];
unsigned char offset[3];
unsigned char mode[3];
unsigned char dacula_ctrl[3];
unsigned char clock_params[2][2];
};
#define DIV2 0x20
#define DIV4 0x40
Reported by FlawFinder.
Line: 66
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char offset[3];
unsigned char mode[3];
unsigned char dacula_ctrl[3];
unsigned char clock_params[2][2];
};
#define DIV2 0x20
#define DIV4 0x40
#define DIV8 0x60
Reported by FlawFinder.
drivers/staging/vt6655/device.h
9 issues
Line: 167
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool bZoneRegExist;
unsigned char byOriginalZonetype;
unsigned char abyCurrentNetAddr[ETH_ALEN]; __aligned(2)
bool bLinkPass; /* link status: OK or fail */
unsigned int uCurrRSSI;
unsigned char byCurrSQ;
Reported by FlawFinder.
Line: 257
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int uBBVGADiffCount;
unsigned char byBBVGANew;
unsigned char byBBVGACurrent;
unsigned char abyBBVGA[BB_VGA_LEVEL];
long ldBmThreshold[BB_VGA_LEVEL];
unsigned char byBBPreEDRSSI;
unsigned char byBBPreEDIndex;
Reported by FlawFinder.
Line: 273
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char byOFDMPwrG;
unsigned char byCurPwr;
char byCurPwrdBm;
unsigned char abyCCKPwrTbl[CB_MAX_CHANNEL_24G + 1];
unsigned char abyOFDMPwrTbl[CB_MAX_CHANNEL + 1];
char abyCCKDefaultPwr[CB_MAX_CHANNEL_24G + 1];
char abyOFDMDefaultPwr[CB_MAX_CHANNEL + 1];
char abyRegPwr[CB_MAX_CHANNEL + 1];
char abyLocalPwr[CB_MAX_CHANNEL + 1];
Reported by FlawFinder.
Line: 274
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char byCurPwr;
char byCurPwrdBm;
unsigned char abyCCKPwrTbl[CB_MAX_CHANNEL_24G + 1];
unsigned char abyOFDMPwrTbl[CB_MAX_CHANNEL + 1];
char abyCCKDefaultPwr[CB_MAX_CHANNEL_24G + 1];
char abyOFDMDefaultPwr[CB_MAX_CHANNEL + 1];
char abyRegPwr[CB_MAX_CHANNEL + 1];
char abyLocalPwr[CB_MAX_CHANNEL + 1];
Reported by FlawFinder.
Line: 275
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char byCurPwrdBm;
unsigned char abyCCKPwrTbl[CB_MAX_CHANNEL_24G + 1];
unsigned char abyOFDMPwrTbl[CB_MAX_CHANNEL + 1];
char abyCCKDefaultPwr[CB_MAX_CHANNEL_24G + 1];
char abyOFDMDefaultPwr[CB_MAX_CHANNEL + 1];
char abyRegPwr[CB_MAX_CHANNEL + 1];
char abyLocalPwr[CB_MAX_CHANNEL + 1];
/* BaseBand Loopback Use */
Reported by FlawFinder.
Line: 276
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char abyCCKPwrTbl[CB_MAX_CHANNEL_24G + 1];
unsigned char abyOFDMPwrTbl[CB_MAX_CHANNEL + 1];
char abyCCKDefaultPwr[CB_MAX_CHANNEL_24G + 1];
char abyOFDMDefaultPwr[CB_MAX_CHANNEL + 1];
char abyRegPwr[CB_MAX_CHANNEL + 1];
char abyLocalPwr[CB_MAX_CHANNEL + 1];
/* BaseBand Loopback Use */
unsigned char byBBCR4d;
Reported by FlawFinder.
Line: 277
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char abyOFDMPwrTbl[CB_MAX_CHANNEL + 1];
char abyCCKDefaultPwr[CB_MAX_CHANNEL_24G + 1];
char abyOFDMDefaultPwr[CB_MAX_CHANNEL + 1];
char abyRegPwr[CB_MAX_CHANNEL + 1];
char abyLocalPwr[CB_MAX_CHANNEL + 1];
/* BaseBand Loopback Use */
unsigned char byBBCR4d;
unsigned char byBBCRc9;
Reported by FlawFinder.
Line: 278
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char abyCCKDefaultPwr[CB_MAX_CHANNEL_24G + 1];
char abyOFDMDefaultPwr[CB_MAX_CHANNEL + 1];
char abyRegPwr[CB_MAX_CHANNEL + 1];
char abyLocalPwr[CB_MAX_CHANNEL + 1];
/* BaseBand Loopback Use */
unsigned char byBBCR4d;
unsigned char byBBCRc9;
unsigned char byBBCR88;
Reported by FlawFinder.
Line: 286
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char byBBCR88;
unsigned char byBBCR09;
unsigned char abyEEPROM[EEP_MAX_CONTEXT_SIZE]; /* unsigned long alignment */
unsigned short wBeaconInterval;
u16 wake_up_count;
struct work_struct interrupt_work;
Reported by FlawFinder.
drivers/staging/rts5208/rtsx_scsi.c
9 issues
Line: 445
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return TRANSPORT_GOOD;
}
static unsigned char formatter_inquiry_str[20] = {
'M', 'E', 'M', 'O', 'R', 'Y', 'S', 'T', 'I', 'C', 'K',
#ifdef SUPPORT_MAGIC_GATE
'-', 'M', 'G', /* Byte[47:49] */
#else
0x20, 0x20, 0x20, /* Byte[47:49] */
Reported by FlawFinder.
Line: 525
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (sendbytes > 8) {
memcpy(buf, inquiry_buf, 8);
strncpy(buf + 8, inquiry_string, sendbytes - 8);
if (pro_formatter_flag) {
/* Additional Length */
buf[4] = 0x33;
}
Reported by FlawFinder.
Line: 532
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[4] = 0x33;
}
} else {
memcpy(buf, inquiry_buf, sendbytes);
}
if (pro_formatter_flag) {
if (sendbytes > 36)
memcpy(buf + 36, formatter_inquiry_str, sendbytes - 36);
Reported by FlawFinder.
Line: 537
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pro_formatter_flag) {
if (sendbytes > 36)
memcpy(buf + 36, formatter_inquiry_str, sendbytes - 36);
}
scsi_set_resid(srb, 0);
rtsx_stor_set_xfer_buf(buf, scsi_bufflen(srb), srb);
Reported by FlawFinder.
Line: 632
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return TRANSPORT_ERROR;
tmp = (unsigned char *)sense;
memcpy(buf, tmp, scsi_bufflen(srb));
rtsx_stor_set_xfer_buf(buf, scsi_bufflen(srb), srb);
vfree(buf);
scsi_set_resid(srb, 0);
Reported by FlawFinder.
Line: 732
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = (len < 96) ? len : 96;
memcpy(buf + sys_info_offset, ms_card->raw_sys_info, len);
}
}
static int mode_sense(struct scsi_cmnd *srb, struct rtsx_chip *chip)
{
Reported by FlawFinder.
Line: 2851
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[i++] = 0x80;
if ((dev_info_id == 0x10) || (dev_info_id == 0x13)) {
/* System Information */
memcpy(buf + i, ms_card->raw_sys_info, 96);
} else {
/* Model Name */
memcpy(buf + i, ms_card->raw_model_name, 48);
}
Reported by FlawFinder.
Line: 2854
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(buf + i, ms_card->raw_sys_info, 96);
} else {
/* Model Name */
memcpy(buf + i, ms_card->raw_model_name, 48);
}
rtsx_stor_set_xfer_buf(buf, buf_len, srb);
if (dev_info_id == 0x15)
Reported by FlawFinder.
Line: 526
Column: 3
CWE codes:
120
if (sendbytes > 8) {
memcpy(buf, inquiry_buf, 8);
strncpy(buf + 8, inquiry_string, sendbytes - 8);
if (pro_formatter_flag) {
/* Additional Length */
buf[4] = 0x33;
}
} else {
Reported by FlawFinder.
drivers/usb/serial/keyspan.c
9 issues
Line: 560
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Input endpoints and buffer for this port */
struct urb *in_urbs[2];
char *in_buffer[2];
/* Output endpoints and buffer for this port */
struct urb *out_urbs[2];
char *out_buffer[2];
/* Input ack endpoint */
Reported by FlawFinder.
Line: 563
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *in_buffer[2];
/* Output endpoints and buffer for this port */
struct urb *out_urbs[2];
char *out_buffer[2];
/* Input ack endpoint */
struct urb *inack_urb;
char *inack_buffer;
Reported by FlawFinder.
Line: 744
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
- unused so for now so set to zero */
((char *)this_urb->transfer_buffer)[0] = 0;
memcpy(this_urb->transfer_buffer + dataOffset, buf, todo);
buf += todo;
/* send the data out the bulk port */
this_urb->transfer_buffer_length = todo + dataOffset;
Reported by FlawFinder.
Line: 2161
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg.hskoa_dtr = p_priv->dtr_state;
p_priv->resend_cont = 0;
memcpy(this_urb->transfer_buffer, &msg, sizeof(msg));
/* send the data out the device on control endpoint */
this_urb->transfer_buffer_length = sizeof(msg);
err = usb_submit_urb(this_urb, GFP_ATOMIC);
Reported by FlawFinder.
Line: 2279
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
p_priv->resend_cont = 0;
memcpy(this_urb->transfer_buffer, &msg, sizeof(msg));
/* send the data out the device on control endpoint */
this_urb->transfer_buffer_length = sizeof(msg);
err = usb_submit_urb(this_urb, GFP_ATOMIC);
Reported by FlawFinder.
Line: 2448
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dr->wIndex = 0;
dr->wLength = cpu_to_le16(sizeof(msg));
memcpy(s_priv->glocont_buf, &msg, sizeof(msg));
usb_fill_control_urb(this_urb, serial->dev,
usb_sndctrlpipe(serial->dev, 0),
(unsigned char *)dr, s_priv->glocont_buf,
sizeof(msg), usa49_glocont_callback, serial);
Reported by FlawFinder.
Line: 2456
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(msg), usa49_glocont_callback, serial);
} else {
memcpy(this_urb->transfer_buffer, &msg, sizeof(msg));
/* send the data out the device on control endpoint */
this_urb->transfer_buffer_length = sizeof(msg);
}
err = usb_submit_urb(this_urb, GFP_ATOMIC);
Reported by FlawFinder.
Line: 2587
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg.dtr = p_priv->dtr_state;
p_priv->resend_cont = 0;
memcpy(this_urb->transfer_buffer, &msg, sizeof(msg));
/* send the data out the device on control endpoint */
this_urb->transfer_buffer_length = sizeof(msg);
err = usb_submit_urb(this_urb, GFP_ATOMIC);
Reported by FlawFinder.
Line: 2730
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p_priv->resend_cont = 0;
memcpy(this_urb->transfer_buffer, &msg, sizeof(msg));
/* send the data out the device on control endpoint */
this_urb->transfer_buffer_length = sizeof(msg);
err = usb_submit_urb(this_urb, GFP_ATOMIC);
Reported by FlawFinder.
drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
9 issues
Line: 365
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct mmal_msg *msg,
struct mmal_msg_context *msg_context)
{
memcpy(msg_context->u.bulk.buffer->buffer,
msg->u.buffer_from_host.short_data,
msg->u.buffer_from_host.payload_in_message);
msg_context->u.bulk.buffer_used =
msg->u.buffer_from_host.payload_in_message;
Reported by FlawFinder.
Line: 804
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
m.u.port_info_set.format.bitrate = port->format.bitrate;
m.u.port_info_set.format.flags = port->format.flags;
memcpy(&m.u.port_info_set.es, &port->es,
sizeof(union mmal_es_specific_format));
m.u.port_info_set.format.extradata_size = port->format.extradata_size;
memcpy(&m.u.port_info_set.extradata, port->format.extradata,
port->format.extradata_size);
Reported by FlawFinder.
Line: 808
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(union mmal_es_specific_format));
m.u.port_info_set.format.extradata_size = port->format.extradata_size;
memcpy(&m.u.port_info_set.extradata, port->format.extradata,
port->format.extradata_size);
ret = send_synchronous_mmal_msg(instance, &m,
sizeof(m.u.port_info_set),
&rmsg, &rmsg_handle);
Reported by FlawFinder.
Line: 906
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
port->format.flags = rmsg->u.port_info_get_reply.format.flags;
/* elementary stream format */
memcpy(&port->es,
&rmsg->u.port_info_get_reply.es,
sizeof(union mmal_es_specific_format));
port->format.es = &port->es;
port->format.extradata_size =
Reported by FlawFinder.
Line: 913
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
port->format.extradata_size =
rmsg->u.port_info_get_reply.format.extradata_size;
memcpy(port->format.extradata,
rmsg->u.port_info_get_reply.extradata,
port->format.extradata_size);
pr_debug("received port info\n");
dump_port_info(port);
Reported by FlawFinder.
Line: 1213
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
m.u.port_parameter_set.port_handle = port->handle;
m.u.port_parameter_set.id = parameter_id;
m.u.port_parameter_set.size = (2 * sizeof(u32)) + value_size;
memcpy(&m.u.port_parameter_set.value, value, value_size);
ret = send_synchronous_mmal_msg(instance, &m,
(4 * sizeof(u32)) + value_size,
&rmsg, &rmsg_handle);
if (ret)
Reported by FlawFinder.
Line: 1280
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy only as much as we have space for
* but report true size of parameter
*/
memcpy(value, &rmsg->u.port_parameter_get_reply.value,
*value_size);
} else {
memcpy(value, &rmsg->u.port_parameter_get_reply.value,
rmsg->u.port_parameter_get_reply.size);
}
Reported by FlawFinder.
Line: 1283
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(value, &rmsg->u.port_parameter_get_reply.value,
*value_size);
} else {
memcpy(value, &rmsg->u.port_parameter_get_reply.value,
rmsg->u.port_parameter_get_reply.size);
}
/* Always report the size of the returned parameter to the caller */
*value_size = rmsg->u.port_parameter_get_reply.size;
Reported by FlawFinder.
Line: 943
Column: 2
CWE codes:
120
/* build component create message */
m.h.type = MMAL_MSG_TYPE_COMPONENT_CREATE;
m.u.component_create.client_component = component->client_component;
strncpy(m.u.component_create.name, name,
sizeof(m.u.component_create.name));
ret = send_synchronous_mmal_msg(instance, &m,
sizeof(m.u.component_create),
&rmsg, &rmsg_handle);
Reported by FlawFinder.
drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
9 issues
Line: 2007
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int vchiq_dump_platform_instances(void *dump_context)
{
struct vchiq_state *state = vchiq_get_state();
char buf[80];
int len;
int i;
/*
* There is no list of instances, so instead scan all services,
Reported by FlawFinder.
Line: 2071
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct user_service *user_service =
(struct user_service *)service->base.userdata;
char buf[80];
int len;
len = scnprintf(buf, sizeof(buf), " instance %pK", service->instance);
if ((service->base.callback == service_callback) &&
Reported by FlawFinder.
Line: 2260
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct vchiq_arm_state *arm_state = vchiq_platform_get_arm_state(state);
int ret = 0;
char entity[16];
int *entity_uc;
int local_uc;
if (!arm_state) {
ret = -EINVAL;
Reported by FlawFinder.
Line: 2270
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
if (use_type == USE_TYPE_VCHIQ) {
sprintf(entity, "VCHIQ: ");
entity_uc = &arm_state->peer_use_count;
} else if (service) {
sprintf(entity, "%c%c%c%c:%03d",
VCHIQ_FOURCC_AS_4CHARS(service->base.fourcc),
service->client_id);
Reported by FlawFinder.
Line: 2273
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(entity, "VCHIQ: ");
entity_uc = &arm_state->peer_use_count;
} else if (service) {
sprintf(entity, "%c%c%c%c:%03d",
VCHIQ_FOURCC_AS_4CHARS(service->base.fourcc),
service->client_id);
entity_uc = &service->service_use_count;
} else {
vchiq_log_error(vchiq_susp_log_level, "%s null service ptr", __func__);
Reported by FlawFinder.
Line: 2318
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct vchiq_arm_state *arm_state = vchiq_platform_get_arm_state(state);
int ret = 0;
char entity[16];
int *entity_uc;
if (!arm_state) {
ret = -EINVAL;
goto out;
Reported by FlawFinder.
Line: 2327
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
if (service) {
sprintf(entity, "%c%c%c%c:%03d",
VCHIQ_FOURCC_AS_4CHARS(service->base.fourcc),
service->client_id);
entity_uc = &service->service_use_count;
} else {
sprintf(entity, "PEER: ");
Reported by FlawFinder.
Line: 2332
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
service->client_id);
entity_uc = &service->service_use_count;
} else {
sprintf(entity, "PEER: ");
entity_uc = &arm_state->peer_use_count;
}
write_lock_bh(&arm_state->susp_res_lock);
if (!arm_state->videocore_use_count || !(*entity_uc)) {
Reported by FlawFinder.
Line: 2584
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum vchiq_connstate newstate)
{
struct vchiq_arm_state *arm_state = vchiq_platform_get_arm_state(state);
char threadname[16];
vchiq_log_info(vchiq_susp_log_level, "%d: %s->%s", state->id,
get_conn_state_name(oldstate), get_conn_state_name(newstate));
if (state->conn_state != VCHIQ_CONNSTATE_CONNECTED)
return;
Reported by FlawFinder.