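The following issues were found by static analysis (reported by FlawFinder and Cppcheck). Each entry is a pattern-based finding with its CWE codes and a few lines of source context; it needs triage against the full function before being treated as a confirmed defect.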
drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
9 issues
Line: 894
CWE codes:
476
size_t max_bytes = size - pos;
callback_result =
copy_callback(context, dest + pos,
pos, max_bytes);
if (callback_result < 0)
return callback_result;
Reported by Cppcheck.
Line: 875
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void *context, void *dest,
size_t offset, size_t maxsize)
{
memcpy(dest + offset, context + offset, maxsize);
return maxsize;
}
static ssize_t
copy_message_data(
Reported by FlawFinder.
Line: 2271
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct vchiq_shared_state *local;
struct vchiq_shared_state *remote;
char threadname[16];
int i, ret;
if (vchiq_states[0]) {
pr_err("%s: VCHIQ state already initialized\n", __func__);
return -EINVAL;
Reported by FlawFinder.
Line: 3564
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"COMPLETION_QUEUE_FULL_COUNT"
};
int i;
char buf[80];
int len;
int err;
len = scnprintf(buf, sizeof(buf),
" %s: slots %d-%d tx_pos=%x recycle=%x",
Reported by FlawFinder.
Line: 3607
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int vchiq_dump_state(void *dump_context, struct vchiq_state *state)
{
char buf[80];
int len;
int i;
int err;
len = scnprintf(buf, sizeof(buf), "State %d: %s", state->id,
Reported by FlawFinder.
Line: 3692
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int vchiq_dump_service_state(void *dump_context, struct vchiq_service *service)
{
char buf[80];
int len;
int err;
unsigned int ref_count;
/*Don't include the lock just taken*/
Reported by FlawFinder.
Line: 3704
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ref_count);
if (service->srvstate != VCHIQ_SRVSTATE_FREE) {
char remoteport[30];
struct vchiq_service_quota *quota =
&service->state->service_quotas[service->localport];
int fourcc = service->base.fourcc;
int tx_pending, rx_pending;
Reported by FlawFinder.
Line: 3719
Column: 4
CWE codes:
120
Suggestion:
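Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
In this excerpt the source is the string literal "n/a" (4 bytes including the terminator) and remoteport is declared as char[30] in the finding for line 3704, so this particular copy cannot overflow. strcpy_s is not available in kernel code; strscpy is the kernel's bounded string copy.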
sizeof(remoteport) - len2,
" (client %x)", service->client_id);
} else {
strcpy(remoteport, "n/a");
}
len += scnprintf(buf + len, sizeof(buf) - len,
" '%c%c%c%c' remote %s (msg use %d/%d, slot use %d/%d)",
VCHIQ_FOURCC_AS_4CHARS(fourcc),
Reported by FlawFinder.
Line: 3836
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const u8 *mem = void_mem;
size_t offset;
char line_buf[100];
char *s;
while (num_bytes > 0) {
s = line_buf;
Reported by FlawFinder.
drivers/usb/gadget/udc/udc-xilinx.c
9 issues
Line: 147
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct usb_endpoint_descriptor *desc;
u32 rambase;
u32 offset;
char name[4];
u16 epnumber;
u16 maxpacket;
u16 buffer0count;
u16 buffer1count;
u8 curbufnum;
Reported by FlawFinder.
Line: 499
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Get the Buffer address and copy the transmit data.*/
eprambase = (u32 __force *)(udc->addr + ep->rambase);
if (ep->is_in) {
memcpy(eprambase, bufferptr, bytestosend);
udc->write_fn(udc->addr, ep->offset +
XUSB_EP_BUF0COUNT_OFFSET, bufferlen);
} else {
memcpy(bufferptr, eprambase, bytestosend);
}
Reported by FlawFinder.
Line: 503
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
udc->write_fn(udc->addr, ep->offset +
XUSB_EP_BUF0COUNT_OFFSET, bufferlen);
} else {
memcpy(bufferptr, eprambase, bytestosend);
}
/*
* Enable the buffer for transmission.
*/
udc->write_fn(udc->addr, XUSB_BUFFREADY_OFFSET,
Reported by FlawFinder.
Line: 517
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
eprambase = (u32 __force *)(udc->addr + ep->rambase +
ep->ep_usb.maxpacket);
if (ep->is_in) {
memcpy(eprambase, bufferptr, bytestosend);
udc->write_fn(udc->addr, ep->offset +
XUSB_EP_BUF1COUNT_OFFSET, bufferlen);
} else {
memcpy(bufferptr, eprambase, bytestosend);
}
Reported by FlawFinder.
Line: 521
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
udc->write_fn(udc->addr, ep->offset +
XUSB_EP_BUF1COUNT_OFFSET, bufferlen);
} else {
memcpy(bufferptr, eprambase, bytestosend);
}
/*
* Enable the buffer for transmission.
*/
udc->write_fn(udc->addr, XUSB_BUFFREADY_OFFSET,
Reported by FlawFinder.
Line: 1023
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
udc->addr);
length = req->usb_req.actual = min_t(u32, length,
EP0_MAX_PACKET);
memcpy(corebuf, req->usb_req.buf, length);
udc->write_fn(udc->addr, XUSB_EP_BUF0COUNT_OFFSET, length);
udc->write_fn(udc->addr, XUSB_BUFFREADY_OFFSET, 1);
} else {
if (udc->setup.wLength) {
/* Enable EP0 buffer to receive data */
Reported by FlawFinder.
Line: 1743
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Load up the chapter 9 command buffer.*/
ep0rambase = (u32 __force *) (udc->addr + XUSB_SETUP_PKT_ADDR_OFFSET);
memcpy(&setup, ep0rambase, 8);
udc->setup = setup;
udc->setup.wValue = cpu_to_le16(setup.wValue);
udc->setup.wIndex = cpu_to_le16(setup.wIndex);
udc->setup.wLength = cpu_to_le16(setup.wLength);
Reported by FlawFinder.
Line: 1830
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(ep0->rambase << 2));
buffer = req->usb_req.buf + req->usb_req.actual;
req->usb_req.actual = req->usb_req.actual + bytes_to_rx;
memcpy(buffer, ep0rambase, bytes_to_rx);
if (req->usb_req.length == req->usb_req.actual) {
/* Data transfer completed get ready for Status stage */
xudc_wrstatus(udc);
} else {
Reported by FlawFinder.
Line: 1906
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(ep0->rambase << 2));
buffer = req->usb_req.buf + req->usb_req.actual;
req->usb_req.actual = req->usb_req.actual + length;
memcpy(ep0rambase, buffer, length);
}
udc->write_fn(udc->addr, XUSB_EP_BUF0COUNT_OFFSET, count);
udc->write_fn(udc->addr, XUSB_BUFFREADY_OFFSET, 1);
break;
default:
Reported by FlawFinder.
drivers/staging/fwserial/dma_fifo.c
9 issues
Line: 155
Column: 2
CWE codes:
120
Suggestion:
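Make sure destination can always hold the source data
The two copies form a wrap-around write: l bytes up to the end of the buffer, then the remaining n - l bytes at its start. The FAIL() consistency check that tests fifo->avail < n appears after the copies in this excerpt, so whether n is limited to the available space beforehand has to be confirmed in the lines above it.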
ofs = fifo->in % fifo->capacity;
l = min(n, fifo->capacity - ofs);
memcpy(fifo->data + ofs, src, l);
memcpy(fifo->data, src + l, n - l);
if (FAIL(fifo, addr_check(fifo->done, fifo->in, fifo->in + n) ||
fifo->avail < n,
"fifo corrupt: in:%u out:%u done:%u n:%d avail:%d",
Reported by FlawFinder.
Line: 156
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ofs = fifo->in % fifo->capacity;
l = min(n, fifo->capacity - ofs);
memcpy(fifo->data + ofs, src, l);
memcpy(fifo->data, src + l, n - l);
if (FAIL(fifo, addr_check(fifo->done, fifo->in, fifo->in + n) ||
fifo->avail < n,
"fifo corrupt: in:%u out:%u done:%u n:%d avail:%d",
fifo->in, fifo->out, fifo->done, n, fifo->avail))
Reported by FlawFinder.
Line: 223
Column: 10
CWE codes:
362
pended->data = fifo->data + ofs;
pended->next = fifo->out;
list_add_tail(&pended->link, &fifo->pending);
++fifo->open;
if (FAIL(fifo, fifo->open > fifo->open_limit,
"past open limit:%d (limit:%d)",
fifo->open, fifo->open_limit))
return -ENXIO;
Reported by FlawFinder.
Line: 225
Column: 23
CWE codes:
362
list_add_tail(&pended->link, &fifo->pending);
++fifo->open;
if (FAIL(fifo, fifo->open > fifo->open_limit,
"past open limit:%d (limit:%d)",
fifo->open, fifo->open_limit))
return -ENXIO;
if (FAIL(fifo, fifo->out & (fifo->align - 1),
"fifo out unaligned:%u (align:%u)",
Reported by FlawFinder.
Line: 227
Column: 10
CWE codes:
362
if (FAIL(fifo, fifo->open > fifo->open_limit,
"past open limit:%d (limit:%d)",
fifo->open, fifo->open_limit))
return -ENXIO;
if (FAIL(fifo, fifo->out & (fifo->align - 1),
"fifo out unaligned:%u (align:%u)",
fifo->out, fifo->align))
return -ENXIO;
Reported by FlawFinder.
Line: 255
Column: 10
CWE codes:
362
if (FAIL(fifo, list_empty(&fifo->pending) != (fifo->open == 0),
"pending list disagrees with open count:%d",
fifo->open))
return -ENXIO;
tmp = complete->data;
*tmp = *complete;
list_replace(&complete->link, &tmp->link);
Reported by FlawFinder.
Line: 281
Column: 11
CWE codes:
362
list_del_init(&pending->link);
fifo->done = pending->next;
fifo->avail += pending->len;
--fifo->open;
df_trace("in: %u out: %u done: %u len: %u avail: %d", fifo->in,
fifo->out, fifo->done, pending->len, fifo->avail);
}
Reported by FlawFinder.
Line: 287
Column: 58
CWE codes:
362
fifo->out, fifo->done, pending->len, fifo->avail);
}
if (FAIL(fifo, fifo->open < 0, "open dma:%d < 0", fifo->open))
return -ENXIO;
if (FAIL(fifo, fifo->avail > fifo->size, "fifo avail:%d > size:%d",
fifo->avail, fifo->size))
return -ENXIO;
Reported by FlawFinder.
Line: 287
Column: 23
CWE codes:
362
fifo->out, fifo->done, pending->len, fifo->avail);
}
if (FAIL(fifo, fifo->open < 0, "open dma:%d < 0", fifo->open))
return -ENXIO;
if (FAIL(fifo, fifo->avail > fifo->size, "fifo avail:%d > size:%d",
fifo->avail, fifo->size))
return -ENXIO;
Reported by FlawFinder.
drivers/scsi/megaraid/megaraid_sas_fp.c
9 issues
Line: 202
Column: 5
CWE codes:
120
Suggestion:
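Make sure destination can always hold the source data
The element count is read from the descriptor table (desc_table->raid_map_desc_elements), which appears to come from the firmware's RAID map (fw_map_dyn). The excerpt shows no comparison of that count with the number of entries pDrvRaidMap->devHndlInfo can hold. The findings for lines 220 and 230 use the same descriptor-driven length for arMapInfo and ldSpanMap.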
case RAID_MAP_DESC_TYPE_DEVHDL_INFO:
fw_map_dyn->dev_hndl_info =
(struct MR_DEV_HANDLE_INFO *)(raid_map_data + le32_to_cpu(desc_table->raid_map_desc_offset));
memcpy(pDrvRaidMap->devHndlInfo,
fw_map_dyn->dev_hndl_info,
sizeof(struct MR_DEV_HANDLE_INFO) *
le32_to_cpu(desc_table->raid_map_desc_elements));
break;
case RAID_MAP_DESC_TYPE_TGTID_INFO:
Reported by FlawFinder.
Line: 220
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fw_map_dyn->ar_map_info =
(struct MR_ARRAY_INFO *)
(raid_map_data + le32_to_cpu(desc_table->raid_map_desc_offset));
memcpy(pDrvRaidMap->arMapInfo,
fw_map_dyn->ar_map_info,
sizeof(struct MR_ARRAY_INFO) *
le32_to_cpu(desc_table->raid_map_desc_elements));
break;
case RAID_MAP_DESC_TYPE_SPAN_INFO:
Reported by FlawFinder.
Line: 230
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(struct MR_LD_SPAN_MAP *)
(raid_map_data +
le32_to_cpu(desc_table->raid_map_desc_offset));
memcpy(pDrvRaidMap->ldSpanMap,
fw_map_dyn->ld_span_map,
sizeof(struct MR_LD_SPAN_MAP) *
le32_to_cpu(desc_table->raid_map_desc_elements));
break;
default:
Reported by FlawFinder.
Line: 256
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < (MAX_LOGICAL_DRIVES_EXT); i++)
pDrvRaidMap->ldTgtIdToLd[i] =
(u16)fw_map_ext->ldTgtIdToLd[i];
memcpy(pDrvRaidMap->ldSpanMap, fw_map_ext->ldSpanMap,
sizeof(struct MR_LD_SPAN_MAP) * ld_count);
memcpy(pDrvRaidMap->arMapInfo, fw_map_ext->arMapInfo,
sizeof(struct MR_ARRAY_INFO) * MAX_API_ARRAYS_EXT);
memcpy(pDrvRaidMap->devHndlInfo, fw_map_ext->devHndlInfo,
sizeof(struct MR_DEV_HANDLE_INFO) *
Reported by FlawFinder.
Line: 258
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(u16)fw_map_ext->ldTgtIdToLd[i];
memcpy(pDrvRaidMap->ldSpanMap, fw_map_ext->ldSpanMap,
sizeof(struct MR_LD_SPAN_MAP) * ld_count);
memcpy(pDrvRaidMap->arMapInfo, fw_map_ext->arMapInfo,
sizeof(struct MR_ARRAY_INFO) * MAX_API_ARRAYS_EXT);
memcpy(pDrvRaidMap->devHndlInfo, fw_map_ext->devHndlInfo,
sizeof(struct MR_DEV_HANDLE_INFO) *
MAX_RAIDMAP_PHYSICAL_DEVICES);
Reported by FlawFinder.
Line: 260
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct MR_LD_SPAN_MAP) * ld_count);
memcpy(pDrvRaidMap->arMapInfo, fw_map_ext->arMapInfo,
sizeof(struct MR_ARRAY_INFO) * MAX_API_ARRAYS_EXT);
memcpy(pDrvRaidMap->devHndlInfo, fw_map_ext->devHndlInfo,
sizeof(struct MR_DEV_HANDLE_INFO) *
MAX_RAIDMAP_PHYSICAL_DEVICES);
/* New Raid map will not set totalSize, so keep expected value
* for legacy code in ValidateMapInfo
Reported by FlawFinder.
Line: 289
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < ld_count; i++) {
pDrvRaidMap->ldSpanMap[i] = pFwRaidMap->ldSpanMap[i];
}
memcpy(pDrvRaidMap->arMapInfo, pFwRaidMap->arMapInfo,
sizeof(struct MR_ARRAY_INFO) * MAX_RAIDMAP_ARRAYS);
memcpy(pDrvRaidMap->devHndlInfo, pFwRaidMap->devHndlInfo,
sizeof(struct MR_DEV_HANDLE_INFO) *
MAX_RAIDMAP_PHYSICAL_DEVICES);
}
Reported by FlawFinder.
Line: 291
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(pDrvRaidMap->arMapInfo, pFwRaidMap->arMapInfo,
sizeof(struct MR_ARRAY_INFO) * MAX_RAIDMAP_ARRAYS);
memcpy(pDrvRaidMap->devHndlInfo, pFwRaidMap->devHndlInfo,
sizeof(struct MR_DEV_HANDLE_INFO) *
MAX_RAIDMAP_PHYSICAL_DEVICES);
}
return 0;
Reported by FlawFinder.
Line: 352
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
num_lds = le16_to_cpu(drv_map->raidMap.ldCount);
memcpy(instance->ld_ids_prev,
instance->ld_ids_from_raidmap,
sizeof(instance->ld_ids_from_raidmap));
memset(instance->ld_ids_from_raidmap, 0xff, MEGASAS_MAX_LD_IDS);
/*Convert Raid capability values to CPU arch */
for (i = 0; (num_lds > 0) && (i < MAX_LOGICAL_DRIVES_EXT); i++) {
Reported by FlawFinder.
drivers/vfio/pci/vfio_pci.c
9 issues
Line: 37
Column: 8
CWE codes:
119
120
Suggestion:
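Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
The excerpt passes sizeof(ids) to module_param_string as the length limit, so the parameter string stored in ids is bounded by the array size.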
#define DRIVER_AUTHOR "Alex Williamson <alex.williamson@redhat.com>"
#define DRIVER_DESC "VFIO PCI - User Level meta-driver"
static char ids[1024] __initdata;
module_param_string(ids, ids, sizeof(ids), 0);
MODULE_PARM_DESC(ids, "Initial PCI IDs to add to the vfio driver, format is \"vendor:device[:subvendor[:subdevice[:class[:class_mask]]]]\" and multiple comma separated entries can be specified");
static bool nointxmask;
module_param_named(nointxmask, nointxmask, bool, S_IRUGO | S_IWUSR);
Reported by FlawFinder.
Line: 1829
Column: 41
CWE codes:
126
uuid_t uuid;
int ret;
if (strncmp(pci_name(vdev->pdev), buf, strlen(pci_name(vdev->pdev))))
return 0; /* No match */
if (strlen(buf) > strlen(pci_name(vdev->pdev))) {
buf += strlen(pci_name(vdev->pdev));
Reported by FlawFinder.
Line: 1832
Column: 20
CWE codes:
126
if (strncmp(pci_name(vdev->pdev), buf, strlen(pci_name(vdev->pdev))))
return 0; /* No match */
if (strlen(buf) > strlen(pci_name(vdev->pdev))) {
buf += strlen(pci_name(vdev->pdev));
if (*buf != ' ')
return 0; /* No match: non-whitespace after name */
Reported by FlawFinder.
Line: 1832
Column: 6
CWE codes:
126
if (strncmp(pci_name(vdev->pdev), buf, strlen(pci_name(vdev->pdev))))
return 0; /* No match */
if (strlen(buf) > strlen(pci_name(vdev->pdev))) {
buf += strlen(pci_name(vdev->pdev));
if (*buf != ' ')
return 0; /* No match: non-whitespace after name */
Reported by FlawFinder.
Line: 1833
Column: 10
CWE codes:
126
return 0; /* No match */
if (strlen(buf) > strlen(pci_name(vdev->pdev))) {
buf += strlen(pci_name(vdev->pdev));
if (*buf != ' ')
return 0; /* No match: non-whitespace after name */
while (*buf) {
Reported by FlawFinder.
Line: 1845
Column: 9
CWE codes:
126
}
if (!vf_token && !strncmp(buf, VF_TOKEN_ARG,
strlen(VF_TOKEN_ARG))) {
buf += strlen(VF_TOKEN_ARG);
if (strlen(buf) < UUID_STRING_LEN)
return -EINVAL;
Reported by FlawFinder.
Line: 1846
Column: 12
CWE codes:
126
if (!vf_token && !strncmp(buf, VF_TOKEN_ARG,
strlen(VF_TOKEN_ARG))) {
buf += strlen(VF_TOKEN_ARG);
if (strlen(buf) < UUID_STRING_LEN)
return -EINVAL;
ret = uuid_parse(buf, &uuid);
Reported by FlawFinder.
Line: 1848
Column: 9
CWE codes:
126
strlen(VF_TOKEN_ARG))) {
buf += strlen(VF_TOKEN_ARG);
if (strlen(buf) < UUID_STRING_LEN)
return -EINVAL;
ret = uuid_parse(buf, &uuid);
if (ret)
return ret;
Reported by FlawFinder.
Line: 2394
Column: 8
CWE codes:
126
subdevice = PCI_ANY_ID, class = 0, class_mask = 0;
int fields;
if (!strlen(id))
continue;
fields = sscanf(id, "%x:%x:%x:%x:%x:%x",
&vendor, &device, &subvendor, &subdevice,
&class, &class_mask);
Reported by FlawFinder.
drivers/tty/serial/kgdboc.c
9 issues
Line: 334
Column: 2
CWE codes:
120
Suggestion:
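Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
The finding for line 319 shows param_set_kgdboc_var computing len = strlen(kmessage) and returning -ENOSPC when len >= MAX_CONFIG_LEN, and config is declared as char[MAX_CONFIG_LEN] (line 34). If this strcpy is in that function, as its use of kmessage and len suggests, the copy is already bounded. strscpy(config, kmessage, sizeof(config)) would make the bound visible at the call.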
mutex_lock(&config_mutex);
strcpy(config, kmessage);
/* Chop out \n char as a result of echo */
if (len && config[len - 1] == '\n')
config[len - 1] = '\0';
if (configured == 1)
Reported by FlawFinder.
Line: 413
Column: 2
CWE codes:
120
Suggestion:
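Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
The three lines before the strcpy are the tail of the strlen(opt) >= MAX_CONFIG_LEN check shown in the finding for line 409, which returns -ENOSPC. So opt fits in config (char[MAX_CONFIG_LEN], line 34) by the time the copy runs.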
pr_err("config string too long\n");
return -ENOSPC;
}
strcpy(config, opt);
return 0;
}
__setup("kgdboc=", kgdboc_option_setup);
Reported by FlawFinder.
Line: 34
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int configured = -1;
static DEFINE_MUTEX(config_mutex);
static char config[MAX_CONFIG_LEN];
static struct kparam_string kps = {
.string = config,
.maxlen = MAX_CONFIG_LEN,
};
Reported by FlawFinder.
Line: 518
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
#define MAX_CONSOLE_NAME_LEN (sizeof((struct console *) 0)->name)
static char kgdboc_earlycon_param[MAX_CONSOLE_NAME_LEN] __initdata;
static bool kgdboc_earlycon_late_enable __initdata;
static int __init kgdboc_earlycon_init(char *opt)
{
struct console *con;
Reported by FlawFinder.
Line: 175
Column: 7
CWE codes:
126
char *cptr = config;
struct console *cons;
if (!strlen(config) || isspace(config[0])) {
err = 0;
goto noconfig;
}
kgdboc_io_ops.cons = NULL;
Reported by FlawFinder.
Line: 319
Column: 15
CWE codes:
126
static int param_set_kgdboc_var(const char *kmessage,
const struct kernel_param *kp)
{
size_t len = strlen(kmessage);
int ret = 0;
if (len >= MAX_CONFIG_LEN) {
pr_err("config string too long\n");
return -ENOSPC;
Reported by FlawFinder.
Line: 409
Column: 6
CWE codes:
126
return -EINVAL;
}
if (strlen(opt) >= MAX_CONFIG_LEN) {
pr_err("config string too long\n");
return -ENOSPC;
}
strcpy(config, opt);
Reported by FlawFinder.
Line: 533
Column: 26
CWE codes:
120
20
*/
console_lock();
for_each_console(con) {
if (con->write && con->read &&
(con->flags & (CON_BOOT | CON_ENABLED)) &&
(!opt || !opt[0] || strcmp(con->name, opt) == 0))
break;
}
Reported by FlawFinder.
drivers/staging/rtl8712/ieee80211.c
9 issues
Line: 93
Column: 3
CWE codes:
120
Suggestion:
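Make sure destination can always hold the source data
The excerpt does not show the size of the buffer behind pbuf or the type of len, so the bound has to be checked at the callers. The length byte is also stored as (u8)len while memcpy copies the full len: if len can exceed 255, the element's recorded length and the number of bytes written disagree.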
*pbuf = (u8)index;
*(pbuf + 1) = (u8)len;
if (len > 0)
memcpy((void *)(pbuf + 2), (void *)source, len);
*frlen = *frlen + (len + 2);
return pbuf + len + 2;
}
/* ---------------------------------------------------------------------------
Reported by FlawFinder.
Line: 131
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(rates, 0, NDIS_802_11_LENGTH_RATES_EX);
switch (mode) {
case WIRELESS_11B:
memcpy(rates, WIFI_CCKRATES, IEEE80211_CCK_RATE_LEN);
break;
case WIRELESS_11G:
case WIRELESS_11A:
memcpy(rates, WIFI_OFDMRATES, IEEE80211_NUM_OFDM_RATESLEN);
break;
Reported by FlawFinder.
Line: 135
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case WIRELESS_11G:
case WIRELESS_11A:
memcpy(rates, WIFI_OFDMRATES, IEEE80211_NUM_OFDM_RATESLEN);
break;
case WIRELESS_11BG:
memcpy(rates, WIFI_CCKRATES, IEEE80211_CCK_RATE_LEN);
memcpy(rates + IEEE80211_CCK_RATE_LEN, WIFI_OFDMRATES,
IEEE80211_NUM_OFDM_RATESLEN);
Reported by FlawFinder.
Line: 138
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(rates, WIFI_OFDMRATES, IEEE80211_NUM_OFDM_RATESLEN);
break;
case WIRELESS_11BG:
memcpy(rates, WIFI_CCKRATES, IEEE80211_CCK_RATE_LEN);
memcpy(rates + IEEE80211_CCK_RATE_LEN, WIFI_OFDMRATES,
IEEE80211_NUM_OFDM_RATESLEN);
break;
}
}
Reported by FlawFinder.
Line: 139
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case WIRELESS_11BG:
memcpy(rates, WIFI_CCKRATES, IEEE80211_CCK_RATE_LEN);
memcpy(rates + IEEE80211_CCK_RATE_LEN, WIFI_OFDMRATES,
IEEE80211_NUM_OFDM_RATESLEN);
break;
}
}
Reported by FlawFinder.
Line: 222
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(wpa_oui_type)))
goto check_next_ie;
/*check version...*/
memcpy((u8 *)&val16, (buf + 6), sizeof(val16));
le16_to_cpus(&val16);
if (val16 != 0x0001)
goto check_next_ie;
*wpa_ie_len = *(buf + 1);
return buf;
Reported by FlawFinder.
Line: 377
Column: 4
CWE codes:
120
Suggestion:
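Make sure destination can always hold the source data
The copy length in_ie[cnt + 1] + 2 is taken from the length byte of the information element being parsed, so it is set by the input and not by the size of wpa_ie. Nothing in the excerpt compares it with the capacity of wpa_ie or with the bytes remaining in in_ie. The findings for lines 382 (rsn_ie) and 406 (wps_ie) show the same pattern. Confirm the destination sizes at the callers, or add an explicit length check before the copy.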
authmode = in_ie[cnt];
if ((authmode == _WPA_IE_ID_) &&
(!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4))) {
memcpy(wpa_ie, &in_ie[cnt], in_ie[cnt + 1] + 2);
*wpa_len = in_ie[cnt + 1] + 2;
cnt += in_ie[cnt + 1] + 2; /*get next */
} else {
if (authmode == _WPA2_IE_ID_) {
memcpy(rsn_ie, &in_ie[cnt],
Reported by FlawFinder.
Line: 382
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cnt += in_ie[cnt + 1] + 2; /*get next */
} else {
if (authmode == _WPA2_IE_ID_) {
memcpy(rsn_ie, &in_ie[cnt],
in_ie[cnt + 1] + 2);
*rsn_len = in_ie[cnt + 1] + 2;
cnt += in_ie[cnt + 1] + 2; /*get next*/
} else {
cnt += in_ie[cnt + 1] + 2; /*get next*/
Reported by FlawFinder.
Line: 406
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
eid = in_ie[cnt];
if ((eid == _WPA_IE_ID_) &&
(!memcmp(&in_ie[cnt + 2], wps_oui, 4))) {
memcpy(wps_ie, &in_ie[cnt], in_ie[cnt + 1] + 2);
*wps_ielen = in_ie[cnt + 1] + 2;
cnt += in_ie[cnt + 1] + 2;
match = true;
break;
}
Reported by FlawFinder.
drivers/target/target_core_pscsi.c
9 issues
Line: 806
Column: 7
CWE codes:
120
Suggestion:
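Use sprintf_s, snprintf, or vsnprintf
sprintf_s is not available in kernel code; snprintf and scnprintf are the bounded forms. host_id is a 16-byte array filled with snprintf(host_id, 16, ...) (finding for line 798), so the %s argument here is bounded. The size of b is not shown in the excerpt and is what needs confirming.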
else
snprintf(host_id, 16, "PHBA Mode");
bl = sprintf(b, "SCSI Device Bus Location:"
" Channel ID: %d Target ID: %d LUN: %d Host ID: %s\n",
pdv->pdv_channel_id, pdv->pdv_target_id, pdv->pdv_lun_id,
host_id);
if (sd) {
Reported by FlawFinder.
Line: 137
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void pscsi_tape_read_blocksize(struct se_device *dev,
struct scsi_device *sdev)
{
unsigned char cdb[MAX_COMMAND_SIZE], *buf;
int ret;
buf = kzalloc(12, GFP_KERNEL);
if (!buf)
goto out_free;
Reported by FlawFinder.
Line: 186
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int
pscsi_get_inquiry_vpd_serial(struct scsi_device *sdev, struct t10_wwn *wwn)
{
unsigned char cdb[MAX_COMMAND_SIZE], *buf;
int ret;
buf = kzalloc(INQUIRY_VPD_SERIAL_LEN, GFP_KERNEL);
if (!buf)
return -ENOMEM;
Reported by FlawFinder.
Line: 220
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
pscsi_get_inquiry_vpd_device_ident(struct scsi_device *sdev,
struct t10_wwn *wwn)
{
unsigned char cdb[MAX_COMMAND_SIZE], *buf, *page_83;
int ident_len, page_len, off = 4, ret;
struct t10_vpd *vpd;
buf = kzalloc(INQUIRY_VPD_SERIAL_LEN, GFP_KERNEL);
if (!buf)
Reported by FlawFinder.
Line: 798
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pscsi_hba_virt *phv = dev->se_hba->hba_ptr;
struct pscsi_dev_virt *pdv = PSCSI_DEV(dev);
struct scsi_device *sd = pdv->pdv_sd;
unsigned char host_id[16];
ssize_t bl;
if (phv->phv_mode == PHV_VIRTUAL_HOST_ID)
snprintf(host_id, 16, "%d", pdv->pdv_host_id);
else
Reported by FlawFinder.
Line: 812
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
host_id);
if (sd) {
bl += sprintf(b + bl, " Vendor: %."
__stringify(INQUIRY_VENDOR_LEN) "s", sd->vendor);
bl += sprintf(b + bl, " Model: %."
__stringify(INQUIRY_MODEL_LEN) "s", sd->model);
bl += sprintf(b + bl, " Rev: %."
__stringify(INQUIRY_REVISION_LEN) "s\n", sd->rev);
Reported by FlawFinder.
Line: 814
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (sd) {
bl += sprintf(b + bl, " Vendor: %."
__stringify(INQUIRY_VENDOR_LEN) "s", sd->vendor);
bl += sprintf(b + bl, " Model: %."
__stringify(INQUIRY_MODEL_LEN) "s", sd->model);
bl += sprintf(b + bl, " Rev: %."
__stringify(INQUIRY_REVISION_LEN) "s\n", sd->rev);
}
return bl;
Reported by FlawFinder.
Line: 816
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
__stringify(INQUIRY_VENDOR_LEN) "s", sd->vendor);
bl += sprintf(b + bl, " Model: %."
__stringify(INQUIRY_MODEL_LEN) "s", sd->model);
bl += sprintf(b + bl, " Rev: %."
__stringify(INQUIRY_REVISION_LEN) "s\n", sd->rev);
}
return bl;
}
Reported by FlawFinder.
Line: 980
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
cmd->priv = pt;
memcpy(pt->pscsi_cdb, cmd->t_task_cdb,
scsi_command_size(cmd->t_task_cdb));
req = blk_get_request(pdv->pdv_sd->request_queue,
cmd->data_direction == DMA_TO_DEVICE ?
REQ_OP_DRV_OUT : REQ_OP_DRV_IN, 0);
Reported by FlawFinder.
drivers/staging/media/hantro/hantro_jpeg.c
9 issues
Line: 39
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x48, 0x5c, 0x5f, 0x62, 0x70, 0x64, 0x67, 0x63
};
static unsigned char luma_q_table_reordered[ARRAY_SIZE(luma_q_table)];
static const unsigned char chroma_q_table[] = {
0x11, 0x12, 0x18, 0x2f, 0x63, 0x63, 0x63, 0x63,
0x12, 0x15, 0x1a, 0x42, 0x63, 0x63, 0x63, 0x63,
0x18, 0x1a, 0x38, 0x63, 0x63, 0x63, 0x63, 0x63,
Reported by FlawFinder.
Line: 52
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63
};
static unsigned char chroma_q_table_reordered[ARRAY_SIZE(chroma_q_table)];
static const unsigned char zigzag[64] = {
0, 1, 8, 16, 9, 2, 3, 10,
17, 24, 32, 25, 18, 11, 4, 5,
12, 19, 26, 33, 40, 48, 41, 34,
Reported by FlawFinder.
Line: 54
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned char chroma_q_table_reordered[ARRAY_SIZE(chroma_q_table)];
static const unsigned char zigzag[64] = {
0, 1, 8, 16, 9, 2, 3, 10,
17, 24, 32, 25, 18, 11, 4, 5,
12, 19, 26, 33, 40, 48, 41, 34,
27, 20, 13, 6, 7, 14, 21, 28,
35, 42, 49, 56, 57, 50, 43, 36,
Reported by FlawFinder.
Line: 147
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* and we'll use fixed offsets to change the width, height
* quantization tables, etc.
*/
static const unsigned char hantro_jpeg_header[JPEG_HEADER_SIZE] = {
/* SOI */
0xff, 0xd8,
/* DQT */
0xff, 0xdb, 0x00, 0x84,
Reported by FlawFinder.
Line: 312
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
char *buf = ctx->buffer;
memcpy(buf, hantro_jpeg_header,
sizeof(hantro_jpeg_header));
buf[HEIGHT_OFF + 0] = ctx->height >> 8;
buf[HEIGHT_OFF + 1] = ctx->height;
buf[WIDTH_OFF + 0] = ctx->width >> 8;
Reported by FlawFinder.
Line: 320
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[WIDTH_OFF + 0] = ctx->width >> 8;
buf[WIDTH_OFF + 1] = ctx->width;
memcpy(buf + HUFF_LUMA_DC_OFF, luma_dc_table, sizeof(luma_dc_table));
memcpy(buf + HUFF_LUMA_AC_OFF, luma_ac_table, sizeof(luma_ac_table));
memcpy(buf + HUFF_CHROMA_DC_OFF, chroma_dc_table,
sizeof(chroma_dc_table));
memcpy(buf + HUFF_CHROMA_AC_OFF, chroma_ac_table,
sizeof(chroma_ac_table));
Reported by FlawFinder.
Line: 321
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[WIDTH_OFF + 1] = ctx->width;
memcpy(buf + HUFF_LUMA_DC_OFF, luma_dc_table, sizeof(luma_dc_table));
memcpy(buf + HUFF_LUMA_AC_OFF, luma_ac_table, sizeof(luma_ac_table));
memcpy(buf + HUFF_CHROMA_DC_OFF, chroma_dc_table,
sizeof(chroma_dc_table));
memcpy(buf + HUFF_CHROMA_AC_OFF, chroma_ac_table,
sizeof(chroma_ac_table));
Reported by FlawFinder.
Line: 322
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(buf + HUFF_LUMA_DC_OFF, luma_dc_table, sizeof(luma_dc_table));
memcpy(buf + HUFF_LUMA_AC_OFF, luma_ac_table, sizeof(luma_ac_table));
memcpy(buf + HUFF_CHROMA_DC_OFF, chroma_dc_table,
sizeof(chroma_dc_table));
memcpy(buf + HUFF_CHROMA_AC_OFF, chroma_ac_table,
sizeof(chroma_ac_table));
jpeg_set_quality(buf, ctx->quality);
Reported by FlawFinder.
Line: 324
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(buf + HUFF_LUMA_AC_OFF, luma_ac_table, sizeof(luma_ac_table));
memcpy(buf + HUFF_CHROMA_DC_OFF, chroma_dc_table,
sizeof(chroma_dc_table));
memcpy(buf + HUFF_CHROMA_AC_OFF, chroma_ac_table,
sizeof(chroma_ac_table));
jpeg_set_quality(buf, ctx->quality);
}
Reported by FlawFinder.
drivers/scsi/qla2xxx/qla_iocb.c
9 issues
Line: 409
Column: 2
CWE codes:
120
Suggestion:
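Make sure destination can always hold the source data
The length is cmd->cmd_len from the SCSI command. The excerpt shows neither the size of cmd_pkt->scsi_cdb nor a check of cmd_len against it, so the bound depends on what the driver or the SCSI midlayer guarantees for cmd_len. The same copy pattern appears in the findings for lines 1484, 1694, 2054, 3494 and 3553.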
cmd_pkt->control_flags = cpu_to_le16(CF_SIMPLE_TAG);
/* Load SCSI command packet. */
memcpy(cmd_pkt->scsi_cdb, cmd->cmnd, cmd->cmd_len);
cmd_pkt->byte_count = cpu_to_le32((uint32_t)scsi_bufflen(cmd));
/* Build IOCB segments */
ha->isp_ops->build_iocbs(sp, cmd_pkt, tot_dsds);
Reported by FlawFinder.
Line: 1484
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fcp_cmnd->additional_cdb_len |= 2;
int_to_scsilun(cmd->device->lun, &fcp_cmnd->lun);
memcpy(fcp_cmnd->cdb, cmd->cmnd, cmd->cmd_len);
cmd_pkt->fcp_cmnd_dseg_len = cpu_to_le16(fcp_cmnd_len);
put_unaligned_le64(crc_ctx_dma + CRC_CONTEXT_FCPCMND_OFF,
&cmd_pkt->fcp_cmnd_dseg_address);
fcp_cmnd->task_management = 0;
fcp_cmnd->task_attribute = TSK_SIMPLE;
Reported by FlawFinder.
Line: 1694
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd_pkt->task = TSK_SIMPLE;
/* Load SCSI command packet. */
memcpy(cmd_pkt->fcp_cdb, cmd->cmnd, cmd->cmd_len);
host_to_fcp_swap(cmd_pkt->fcp_cdb, sizeof(cmd_pkt->fcp_cdb));
cmd_pkt->byte_count = cpu_to_le32((uint32_t)scsi_bufflen(cmd));
/* Build IOCB segments */
Reported by FlawFinder.
Line: 2054
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd_pkt->task = TSK_SIMPLE;
/* Load SCSI command packet. */
memcpy(cmd_pkt->fcp_cdb, cmd->cmnd, cmd->cmd_len);
host_to_fcp_swap(cmd_pkt->fcp_cdb, sizeof(cmd_pkt->fcp_cdb));
cmd_pkt->byte_count = cpu_to_le32((uint32_t)scsi_bufflen(cmd));
/* Build IOCB segments */
Reported by FlawFinder.
Line: 2739
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
logo_pyld.s_id[1] = vha->d_id.b.area;
logo_pyld.s_id[2] = vha->d_id.b.domain;
host_to_fcp_swap(logo_pyld.s_id, sizeof(uint32_t));
memcpy(&logo_pyld.wwpn, vha->port_name, WWN_SIZE);
memcpy(elsio->u.els_logo.els_logo_pyld, &logo_pyld,
sizeof(struct els_logo_payload));
ql_dbg(ql_dbg_disc + ql_dbg_buffer, vha, 0x3075, "LOGO buffer:");
ql_dump_buffer(ql_dbg_disc + ql_dbg_buffer, vha, 0x010a,
Reported by FlawFinder.
Line: 2741
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
host_to_fcp_swap(logo_pyld.s_id, sizeof(uint32_t));
memcpy(&logo_pyld.wwpn, vha->port_name, WWN_SIZE);
memcpy(elsio->u.els_logo.els_logo_pyld, &logo_pyld,
sizeof(struct els_logo_payload));
ql_dbg(ql_dbg_disc + ql_dbg_buffer, vha, 0x3075, "LOGO buffer:");
ql_dump_buffer(ql_dbg_disc + ql_dbg_buffer, vha, 0x010a,
elsio->u.els_logo.els_logo_pyld,
sizeof(*elsio->u.els_logo.els_logo_pyld));
Reported by FlawFinder.
Line: 3070
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(ptr, 0, sizeof(struct els_plogi_payload));
memset(resp_ptr, 0, sizeof(struct els_plogi_payload));
memcpy(elsio->u.els_plogi.els_plogi_pyld->data,
&ha->plogi_els_payld.fl_csp, LOGIN_TEMPLATE_SIZE);
elsio->u.els_plogi.els_cmd = els_opcode;
elsio->u.els_plogi.els_plogi_pyld->opcode = els_opcode;
Reported by FlawFinder.
Line: 3494
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->fcp_cmnd->task_attribute |=
sp->fcport->fcp_prio << 3;
memcpy(ctx->fcp_cmnd->cdb, cmd->cmnd, cmd->cmd_len);
fcp_dl = (__be32 *)(ctx->fcp_cmnd->cdb + 16 +
additional_cdb_len);
*fcp_dl = htonl((uint32_t)scsi_bufflen(cmd));
Reported by FlawFinder.
Line: 3553
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd_pkt->task |= sp->fcport->fcp_prio << 3;
/* Load SCSI command packet. */
memcpy(cmd_pkt->fcp_cdb, cmd->cmnd, cmd->cmd_len);
host_to_fcp_swap(cmd_pkt->fcp_cdb, sizeof(cmd_pkt->fcp_cdb));
cmd_pkt->byte_count = cpu_to_le32((uint32_t)scsi_bufflen(cmd));
/* Build IOCB segments */
Reported by FlawFinder.