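The following issues were found by FlawFinder, which matches risky function names and declarations lexically; each entry is a candidate for manual review, not a confirmed vulnerability.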
drivers/scsi/ses.c
8 issues
Line: 67
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct enclosure_component *ecomp,
unsigned char *status)
{
memcpy(dest_desc, status, 4);
dest_desc[0] = 0;
/* only clear byte 1 for ENCLOSURE_COMPONENT_DEVICE */
if (ecomp->type == ENCLOSURE_COMPONENT_DEVICE)
dest_desc[1] = 0;
dest_desc[2] &= 0xde;
Reported by FlawFinder.
Line: 96
Column: 30
CWE codes:
119
120
Suggestion:
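Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged token at column 30 is the char inside a pointer cast, not an array declaration; the check that matters is that buf holds at least one byte of returned data before index 0 is read.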
if (unlikely(ret))
return ret;
recv_page_code = ((unsigned char *)buf)[0];
if (likely(recv_page_code == page_code))
return ret;
/* successful diagnostic but wrong page code. This happens to some
Reported by FlawFinder.
Line: 152
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
type_ptr[0] != ENCLOSURE_COMPONENT_ARRAY_DEVICE)
continue;
if (count++ == descriptor) {
memcpy(desc_ptr, desc, 4);
/* set select */
desc_ptr[0] |= 0x80;
/* clear reserved, just in case */
desc_ptr[0] &= 0xf0;
}
Reported by FlawFinder.
Line: 211
Column: 11
CWE codes:
119
120
Suggestion:
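Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged token is the fixed-size declaration unsigned char desc[4]; review each write into desc against that 4-byte size.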
struct enclosure_component *ecomp,
enum enclosure_component_setting val)
{
unsigned char desc[4];
unsigned char *desc_ptr;
if (!ses_page2_supported(edev))
return -EINVAL;
Reported by FlawFinder.
Line: 271
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct enclosure_component *ecomp,
enum enclosure_component_setting val)
{
unsigned char desc[4];
unsigned char *desc_ptr;
if (!ses_page2_supported(edev))
return -EINVAL;
Reported by FlawFinder.
Line: 302
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct enclosure_component *ecomp,
enum enclosure_component_setting val)
{
unsigned char desc[4];
unsigned char *desc_ptr;
if (!ses_page2_supported(edev))
return -EINVAL;
Reported by FlawFinder.
Line: 336
Column: 9
CWE codes:
120
Suggestion:
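Use sprintf_s, snprintf, or vsnprintf. In kernel code sprintf_s is not available; the bounded equivalents are scnprintf with the known buffer size, or sysfs_emit when buf is a sysfs show buffer.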
struct ses_device *ses_dev = edev->scratch;
unsigned long long id = get_unaligned_be64(ses_dev->page1+8+4);
return sprintf(buf, "%#llx\n", id);
}
static void ses_get_power_status(struct enclosure_device *edev,
struct enclosure_component *ecomp)
{
Reported by FlawFinder.
Line: 358
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct enclosure_component *ecomp,
int val)
{
unsigned char desc[4];
unsigned char *desc_ptr;
if (!ses_page2_supported(edev))
return -EINVAL;
Reported by FlawFinder.
drivers/usb/gadget/function/f_sourcesink.c
8 issues
Line: 896
Column: 11
CWE codes:
120
Suggestion:
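Use sprintf_s, snprintf, or vsnprintf. The format here is a single %u plus a newline, so the output length is bounded by the format itself; confirm the size of page (not shown in the excerpt) and prefer scnprintf with that size. The same applies to the other seven findings in this file.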
int result;
mutex_lock(&opts->lock);
result = sprintf(page, "%u\n", opts->pattern);
mutex_unlock(&opts->lock);
return result;
}
Reported by FlawFinder.
Line: 939
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int result;
mutex_lock(&opts->lock);
result = sprintf(page, "%u\n", opts->isoc_interval);
mutex_unlock(&opts->lock);
return result;
}
Reported by FlawFinder.
Line: 982
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int result;
mutex_lock(&opts->lock);
result = sprintf(page, "%u\n", opts->isoc_maxpacket);
mutex_unlock(&opts->lock);
return result;
}
Reported by FlawFinder.
Line: 1025
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int result;
mutex_lock(&opts->lock);
result = sprintf(page, "%u\n", opts->isoc_mult);
mutex_unlock(&opts->lock);
return result;
}
Reported by FlawFinder.
Line: 1068
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int result;
mutex_lock(&opts->lock);
result = sprintf(page, "%u\n", opts->isoc_maxburst);
mutex_unlock(&opts->lock);
return result;
}
Reported by FlawFinder.
Line: 1111
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int result;
mutex_lock(&opts->lock);
result = sprintf(page, "%u\n", opts->bulk_buflen);
mutex_unlock(&opts->lock);
return result;
}
Reported by FlawFinder.
Line: 1149
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int result;
mutex_lock(&opts->lock);
result = sprintf(page, "%u\n", opts->bulk_qlen);
mutex_unlock(&opts->lock);
return result;
}
Reported by FlawFinder.
Line: 1187
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int result;
mutex_lock(&opts->lock);
result = sprintf(page, "%u\n", opts->iso_qlen);
mutex_unlock(&opts->lock);
return result;
}
Reported by FlawFinder.
drivers/soc/fsl/dpio/qbman-portal.c
8 issues
Line: 677
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < num_enqueued; i++) {
p = (s->addr_cena + QBMAN_CENA_SWP_EQCR(eqcr_pi & half_mask));
/* Skip copying the verb */
memcpy(&p[1], &cl[1], EQ_DESC_SIZE_WITHOUT_FD - 1);
memcpy(&p[EQ_DESC_SIZE_FD_START/sizeof(uint32_t)],
&fd[i], sizeof(*fd));
eqcr_pi++;
}
Reported by FlawFinder.
Line: 678
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = (s->addr_cena + QBMAN_CENA_SWP_EQCR(eqcr_pi & half_mask));
/* Skip copying the verb */
memcpy(&p[1], &cl[1], EQ_DESC_SIZE_WITHOUT_FD - 1);
memcpy(&p[EQ_DESC_SIZE_FD_START/sizeof(uint32_t)],
&fd[i], sizeof(*fd));
eqcr_pi++;
}
dma_wmb();
Reported by FlawFinder.
Line: 761
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < num_enqueued; i++) {
p = (s->addr_cena + QBMAN_CENA_SWP_EQCR(eqcr_pi & half_mask));
/* Skip copying the verb */
memcpy(&p[1], &cl[1], EQ_DESC_SIZE_WITHOUT_FD - 1);
memcpy(&p[EQ_DESC_SIZE_FD_START/sizeof(uint32_t)],
&fd[i], sizeof(*fd));
eqcr_pi++;
}
Reported by FlawFinder.
Line: 762
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = (s->addr_cena + QBMAN_CENA_SWP_EQCR(eqcr_pi & half_mask));
/* Skip copying the verb */
memcpy(&p[1], &cl[1], EQ_DESC_SIZE_WITHOUT_FD - 1);
memcpy(&p[EQ_DESC_SIZE_FD_START/sizeof(uint32_t)],
&fd[i], sizeof(*fd));
eqcr_pi++;
}
/* Set the verb byte, have to substitute in the valid-bit */
Reported by FlawFinder.
Line: 835
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = (s->addr_cena + QBMAN_CENA_SWP_EQCR(eqcr_pi & half_mask));
cl = (uint32_t *)(&d[i]);
/* Skip copying the verb */
memcpy(&p[1], &cl[1], EQ_DESC_SIZE_WITHOUT_FD - 1);
memcpy(&p[EQ_DESC_SIZE_FD_START/sizeof(uint32_t)],
&fd[i], sizeof(*fd));
eqcr_pi++;
}
Reported by FlawFinder.
Line: 836
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cl = (uint32_t *)(&d[i]);
/* Skip copying the verb */
memcpy(&p[1], &cl[1], EQ_DESC_SIZE_WITHOUT_FD - 1);
memcpy(&p[EQ_DESC_SIZE_FD_START/sizeof(uint32_t)],
&fd[i], sizeof(*fd));
eqcr_pi++;
}
dma_wmb();
Reported by FlawFinder.
Line: 905
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = (s->addr_cena + QBMAN_CENA_SWP_EQCR(eqcr_pi & half_mask));
cl = (uint32_t *)(&d[i]);
/* Skip copying the verb */
memcpy(&p[1], &cl[1], EQ_DESC_SIZE_WITHOUT_FD - 1);
memcpy(&p[EQ_DESC_SIZE_FD_START/sizeof(uint32_t)],
&fd[i], sizeof(*fd));
eqcr_pi++;
}
Reported by FlawFinder.
Line: 906
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cl = (uint32_t *)(&d[i]);
/* Skip copying the verb */
memcpy(&p[1], &cl[1], EQ_DESC_SIZE_WITHOUT_FD - 1);
memcpy(&p[EQ_DESC_SIZE_FD_START/sizeof(uint32_t)],
&fd[i], sizeof(*fd));
eqcr_pi++;
}
/* Set the verb byte, have to substitute in the valid-bit */
Reported by FlawFinder.
drivers/staging/media/atomisp/pci/hive_isp_css_common/dma_global.h
8 issues
Line: 95
Column: 36
CWE codes:
120
20
DMA_PACK_WIDTH_B(width_b) | \
DMA_PACK_HEIGHT(height))
#define hive_dma_move_data(dma_id, read, channel, addr_a, addr_b, to_is_var, from_is_var) \
{ \
hive_dma_snd(dma_id, DMA_PACK(_DMA_V2_SET_CRUN_COMMAND, CMD)); \
hive_dma_snd(dma_id, DMA_PACK_CMD_CHANNEL(read ? _DMA_V2_MOVE_B2A_COMMAND : _DMA_V2_MOVE_A2B_COMMAND, channel)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_b) : (unsigned int)(addr_a)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_a) : (unsigned int)(addr_b)); \
Reported by FlawFinder.
Line: 98
Column: 45
CWE codes:
120
20
#define hive_dma_move_data(dma_id, read, channel, addr_a, addr_b, to_is_var, from_is_var) \
{ \
hive_dma_snd(dma_id, DMA_PACK(_DMA_V2_SET_CRUN_COMMAND, CMD)); \
hive_dma_snd(dma_id, DMA_PACK_CMD_CHANNEL(read ? _DMA_V2_MOVE_B2A_COMMAND : _DMA_V2_MOVE_A2B_COMMAND, channel)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_b) : (unsigned int)(addr_a)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_a) : (unsigned int)(addr_b)); \
hive_dma_snd(dma_id, to_is_var); \
hive_dma_snd(dma_id, from_is_var); \
}
Reported by FlawFinder.
Line: 99
Column: 24
CWE codes:
120
20
{ \
hive_dma_snd(dma_id, DMA_PACK(_DMA_V2_SET_CRUN_COMMAND, CMD)); \
hive_dma_snd(dma_id, DMA_PACK_CMD_CHANNEL(read ? _DMA_V2_MOVE_B2A_COMMAND : _DMA_V2_MOVE_A2B_COMMAND, channel)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_b) : (unsigned int)(addr_a)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_a) : (unsigned int)(addr_b)); \
hive_dma_snd(dma_id, to_is_var); \
hive_dma_snd(dma_id, from_is_var); \
}
Reported by FlawFinder.
Line: 100
Column: 24
CWE codes:
120
20
hive_dma_snd(dma_id, DMA_PACK(_DMA_V2_SET_CRUN_COMMAND, CMD)); \
hive_dma_snd(dma_id, DMA_PACK_CMD_CHANNEL(read ? _DMA_V2_MOVE_B2A_COMMAND : _DMA_V2_MOVE_A2B_COMMAND, channel)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_b) : (unsigned int)(addr_a)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_a) : (unsigned int)(addr_b)); \
hive_dma_snd(dma_id, to_is_var); \
hive_dma_snd(dma_id, from_is_var); \
}
#define hive_dma_move_data_no_ack(dma_id, read, channel, addr_a, addr_b, to_is_var, from_is_var) \
Reported by FlawFinder.
Line: 105
Column: 43
CWE codes:
120
20
hive_dma_snd(dma_id, from_is_var); \
}
#define hive_dma_move_data_no_ack(dma_id, read, channel, addr_a, addr_b, to_is_var, from_is_var) \
{ \
hive_dma_snd(dma_id, DMA_PACK(_DMA_V2_SET_CRUN_COMMAND, CMD)); \
hive_dma_snd(dma_id, DMA_PACK_CMD_CHANNEL(read ? _DMA_V2_NO_ACK_MOVE_B2A_NO_SYNC_CHK_COMMAND : _DMA_V2_NO_ACK_MOVE_A2B_NO_SYNC_CHK_COMMAND, channel)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_b) : (unsigned int)(addr_a)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_a) : (unsigned int)(addr_b)); \
Reported by FlawFinder.
Line: 108
Column: 45
CWE codes:
120
20
#define hive_dma_move_data_no_ack(dma_id, read, channel, addr_a, addr_b, to_is_var, from_is_var) \
{ \
hive_dma_snd(dma_id, DMA_PACK(_DMA_V2_SET_CRUN_COMMAND, CMD)); \
hive_dma_snd(dma_id, DMA_PACK_CMD_CHANNEL(read ? _DMA_V2_NO_ACK_MOVE_B2A_NO_SYNC_CHK_COMMAND : _DMA_V2_NO_ACK_MOVE_A2B_NO_SYNC_CHK_COMMAND, channel)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_b) : (unsigned int)(addr_a)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_a) : (unsigned int)(addr_b)); \
hive_dma_snd(dma_id, to_is_var); \
hive_dma_snd(dma_id, from_is_var); \
}
Reported by FlawFinder.
Line: 109
Column: 24
CWE codes:
120
20
{ \
hive_dma_snd(dma_id, DMA_PACK(_DMA_V2_SET_CRUN_COMMAND, CMD)); \
hive_dma_snd(dma_id, DMA_PACK_CMD_CHANNEL(read ? _DMA_V2_NO_ACK_MOVE_B2A_NO_SYNC_CHK_COMMAND : _DMA_V2_NO_ACK_MOVE_A2B_NO_SYNC_CHK_COMMAND, channel)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_b) : (unsigned int)(addr_a)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_a) : (unsigned int)(addr_b)); \
hive_dma_snd(dma_id, to_is_var); \
hive_dma_snd(dma_id, from_is_var); \
}
Reported by FlawFinder.
Line: 110
Column: 24
CWE codes:
120
20
hive_dma_snd(dma_id, DMA_PACK(_DMA_V2_SET_CRUN_COMMAND, CMD)); \
hive_dma_snd(dma_id, DMA_PACK_CMD_CHANNEL(read ? _DMA_V2_NO_ACK_MOVE_B2A_NO_SYNC_CHK_COMMAND : _DMA_V2_NO_ACK_MOVE_A2B_NO_SYNC_CHK_COMMAND, channel)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_b) : (unsigned int)(addr_a)); \
hive_dma_snd(dma_id, read ? (unsigned int)(addr_a) : (unsigned int)(addr_b)); \
hive_dma_snd(dma_id, to_is_var); \
hive_dma_snd(dma_id, from_is_var); \
}
#define hive_dma_move_b2a_data(dma_id, channel, to_addr, from_addr, to_is_var, from_is_var) \
Reported by FlawFinder.
drivers/staging/rtl8188eu/hal/rtl8188e_cmd.c
8 issues
Line: 77
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*(u8 *)(&h2c_cmd) = ElementID;
if (CmdLen <= 3) {
memcpy((u8 *)(&h2c_cmd) + 1, pCmdBuffer, CmdLen);
} else {
memcpy((u8 *)(&h2c_cmd) + 1, pCmdBuffer, 3);
ext_cmd_len = CmdLen - 3;
memcpy((u8 *)(&h2c_cmd_ex), pCmdBuffer + 3, ext_cmd_len);
Reported by FlawFinder.
Line: 79
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (CmdLen <= 3) {
memcpy((u8 *)(&h2c_cmd) + 1, pCmdBuffer, CmdLen);
} else {
memcpy((u8 *)(&h2c_cmd) + 1, pCmdBuffer, 3);
ext_cmd_len = CmdLen - 3;
memcpy((u8 *)(&h2c_cmd_ex), pCmdBuffer + 3, ext_cmd_len);
/* Write Ext command */
msgbox_ex_addr = REG_HMEBOX_EXT_0 + (h2c_box_num * RTL88E_EX_MESSAGE_BOX_SIZE);
Reported by FlawFinder.
Line: 81
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
memcpy((u8 *)(&h2c_cmd) + 1, pCmdBuffer, 3);
ext_cmd_len = CmdLen - 3;
memcpy((u8 *)(&h2c_cmd_ex), pCmdBuffer + 3, ext_cmd_len);
/* Write Ext command */
msgbox_ex_addr = REG_HMEBOX_EXT_0 + (h2c_box_num * RTL88E_EX_MESSAGE_BOX_SIZE);
for (cmd_idx = 0; cmd_idx < ext_cmd_len; cmd_idx++)
usb_write8(adapt, msgbox_ex_addr + cmd_idx, *((u8 *)(&h2c_cmd_ex) + cmd_idx));
Reported by FlawFinder.
Line: 215
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pktlen += 8;
/* beacon interval: 2 bytes */
memcpy(pframe, (unsigned char *)(rtw_get_beacon_interval_from_ie(cur_network->ies)), 2);
pframe += 2;
pktlen += 2;
/* capability info: 2 bytes */
Reported by FlawFinder.
Line: 221
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pktlen += 2;
/* capability info: 2 bytes */
memcpy(pframe, (unsigned char *)(rtw_get_capability_from_ie(cur_network->ies)), 2);
pframe += 2;
pktlen += 2;
if ((pmlmeinfo->state & 0x03) == WIFI_FW_AP_STATE) {
Reported by FlawFinder.
Line: 228
Column: 3
CWE codes:
120
Suggestion:
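Make sure destination can always hold the source data. Also check the source side: the length passed is pktlen, which the preceding lines have already increased for earlier fields, so it appears to be larger than the IE bytes remaining after the fixed IEs.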
if ((pmlmeinfo->state & 0x03) == WIFI_FW_AP_STATE) {
pktlen += cur_network->ie_length - sizeof(struct ndis_802_11_fixed_ie);
memcpy(pframe, cur_network->ies + sizeof(struct ndis_802_11_fixed_ie), pktlen);
goto _ConstructBeacon;
}
/* below for ad-hoc mode */
Reported by FlawFinder.
Line: 392
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cur_network->ie_length > MAX_IE_SZ)
return;
memcpy(pframe, cur_network->ies, cur_network->ie_length);
pframe += cur_network->ie_length;
pktlen += cur_network->ie_length;
*pLength = pktlen;
}
Reported by FlawFinder.
Line: 501
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pattrib->qsel = 0x10;
pattrib->last_txcmdsz = TotalPacketLen - TXDESC_OFFSET;
pattrib->pktlen = pattrib->last_txcmdsz;
memcpy(pmgntframe->buf_addr, ReservedPagePacket, TotalPacketLen);
rtw_hal_mgnt_xmit(adapt, pmgntframe);
FillH2CCmd_88E(adapt, H2C_COM_RSVD_PAGE, sizeof(RsvdPageLoc), (u8 *)&RsvdPageLoc);
Reported by FlawFinder.
drivers/target/target_core_sbc.c
8 issues
Line: 38
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char *cdb = cmd->t_task_cdb;
unsigned long long blocks_long = dev->transport->get_blocks(dev);
unsigned char *rbuf;
unsigned char buf[8];
u32 blocks;
/*
* SBC-2 says:
* If the PMI bit is set to zero and the LOGICAL BLOCK
Reported by FlawFinder.
Line: 66
Column: 3
CWE codes:
120
Suggestion:
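Make sure destination can always hold the source data. Here the length is already clamped with min_t to sizeof(buf) and cmd->data_length; what remains to confirm is that the mapping returned by transport_kmap_data_sg covers data_length bytes.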
rbuf = transport_kmap_data_sg(cmd);
if (rbuf) {
memcpy(rbuf, buf, min_t(u32, sizeof(buf), cmd->data_length));
transport_kunmap_data_sg(cmd);
}
target_complete_cmd_with_length(cmd, SAM_STAT_GOOD, 8);
return 0;
Reported by FlawFinder.
Line: 82
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int pi_prot_type = dev->dev_attrib.pi_prot_type;
unsigned char *rbuf;
unsigned char buf[32];
unsigned long long blocks = dev->transport->get_blocks(dev);
memset(buf, 0, sizeof(buf));
put_unaligned_be64(blocks, &buf[0]);
put_unaligned_be32(dev->dev_attrib.block_size, &buf[8]);
Reported by FlawFinder.
Line: 129
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rbuf = transport_kmap_data_sg(cmd);
if (rbuf) {
memcpy(rbuf, buf, min_t(u32, sizeof(buf), cmd->data_length));
transport_kunmap_data_sg(cmd);
}
target_complete_cmd_with_length(cmd, SAM_STAT_GOOD, 32);
return 0;
Reported by FlawFinder.
Line: 1384
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
addr = kmap_atomic(sg_page(sg)) + sg->offset + offset;
if (read)
memcpy(paddr + copied, addr, len);
else
memcpy(addr, paddr + copied, len);
left -= len;
offset += len;
Reported by FlawFinder.
Line: 1386
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (read)
memcpy(paddr + copied, addr, len);
else
memcpy(addr, paddr + copied, len);
left -= len;
offset += len;
copied += len;
psg_len -= len;
Reported by FlawFinder.
Line: 1360
Column: 71
CWE codes:
120
20
return 0;
}
void sbc_dif_copy_prot(struct se_cmd *cmd, unsigned int sectors, bool read,
struct scatterlist *sg, int sg_off)
{
struct se_device *dev = cmd->se_dev;
struct scatterlist *psg;
void *paddr, *addr;
Reported by FlawFinder.
Line: 1383
Column: 8
CWE codes:
120
20
len = min(psg_len, sg->length - offset);
addr = kmap_atomic(sg_page(sg)) + sg->offset + offset;
if (read)
memcpy(paddr + copied, addr, len);
else
memcpy(addr, paddr + copied, len);
left -= len;
Reported by FlawFinder.
drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723a.c
8 issues
Line: 141
Column: 2
CWE codes:
120
Suggestion:
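Make sure destination can always hold the source data. The length in each of these copies is sizeof the efuse source field, so the check is that the matching priv array is declared at least as large.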
ether_addr_copy(priv->mac_addr, efuse->mac_addr);
memcpy(priv->cck_tx_power_index_A,
efuse->cck_tx_power_index_A,
sizeof(efuse->cck_tx_power_index_A));
memcpy(priv->cck_tx_power_index_B,
efuse->cck_tx_power_index_B,
sizeof(efuse->cck_tx_power_index_B));
Reported by FlawFinder.
Line: 144
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(priv->cck_tx_power_index_A,
efuse->cck_tx_power_index_A,
sizeof(efuse->cck_tx_power_index_A));
memcpy(priv->cck_tx_power_index_B,
efuse->cck_tx_power_index_B,
sizeof(efuse->cck_tx_power_index_B));
memcpy(priv->ht40_1s_tx_power_index_A,
efuse->ht40_1s_tx_power_index_A,
Reported by FlawFinder.
Line: 148
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
efuse->cck_tx_power_index_B,
sizeof(efuse->cck_tx_power_index_B));
memcpy(priv->ht40_1s_tx_power_index_A,
efuse->ht40_1s_tx_power_index_A,
sizeof(efuse->ht40_1s_tx_power_index_A));
memcpy(priv->ht40_1s_tx_power_index_B,
efuse->ht40_1s_tx_power_index_B,
sizeof(efuse->ht40_1s_tx_power_index_B));
Reported by FlawFinder.
Line: 151
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(priv->ht40_1s_tx_power_index_A,
efuse->ht40_1s_tx_power_index_A,
sizeof(efuse->ht40_1s_tx_power_index_A));
memcpy(priv->ht40_1s_tx_power_index_B,
efuse->ht40_1s_tx_power_index_B,
sizeof(efuse->ht40_1s_tx_power_index_B));
memcpy(priv->ht20_tx_power_index_diff,
efuse->ht20_tx_power_index_diff,
Reported by FlawFinder.
Line: 155
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
efuse->ht40_1s_tx_power_index_B,
sizeof(efuse->ht40_1s_tx_power_index_B));
memcpy(priv->ht20_tx_power_index_diff,
efuse->ht20_tx_power_index_diff,
sizeof(efuse->ht20_tx_power_index_diff));
memcpy(priv->ofdm_tx_power_index_diff,
efuse->ofdm_tx_power_index_diff,
sizeof(efuse->ofdm_tx_power_index_diff));
Reported by FlawFinder.
Line: 158
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(priv->ht20_tx_power_index_diff,
efuse->ht20_tx_power_index_diff,
sizeof(efuse->ht20_tx_power_index_diff));
memcpy(priv->ofdm_tx_power_index_diff,
efuse->ofdm_tx_power_index_diff,
sizeof(efuse->ofdm_tx_power_index_diff));
memcpy(priv->ht40_max_power_offset,
efuse->ht40_max_power_offset,
Reported by FlawFinder.
Line: 162
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
efuse->ofdm_tx_power_index_diff,
sizeof(efuse->ofdm_tx_power_index_diff));
memcpy(priv->ht40_max_power_offset,
efuse->ht40_max_power_offset,
sizeof(efuse->ht40_max_power_offset));
memcpy(priv->ht20_max_power_offset,
efuse->ht20_max_power_offset,
sizeof(efuse->ht20_max_power_offset));
Reported by FlawFinder.
Line: 165
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(priv->ht40_max_power_offset,
efuse->ht40_max_power_offset,
sizeof(efuse->ht40_max_power_offset));
memcpy(priv->ht20_max_power_offset,
efuse->ht20_max_power_offset,
sizeof(efuse->ht20_max_power_offset));
if (priv->efuse_wifi.efuse8723.version >= 0x01) {
priv->has_xtalk = 1;
Reported by FlawFinder.
drivers/scsi/bnx2i/bnx2i_iscsi.c
8 issues
Line: 1574
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len = sysfs_format_mac(buf, hba->cnic->mac_addr, 6);
break;
case ISCSI_HOST_PARAM_NETDEV_NAME:
len = sprintf(buf, "%s\n", hba->netdev->name);
break;
case ISCSI_HOST_PARAM_IPADDRESS: {
struct list_head *active_list = &hba->ep_active_list;
read_lock_bh(&hba->ep_rdwr_lock);
Reported by FlawFinder.
Line: 1145
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
srcp = (u8 *) sc->cmnd;
dstp = (u32 *) cmd->req.cdb;
while (lpcnt--) {
memcpy(&dword, (const void *) srcp, 4);
*dstp = cpu_to_be32(dword);
srcp += 4;
dstp++;
}
if (sc->cmd_len & 0x3) {
Reported by FlawFinder.
Line: 1203
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ADD_STATS_64(hba, tx_bytes, task->data_count);
if (task->data_count) {
memcpy(bnx2i_conn->gen_pdu.req_buf, task->data,
task->data_count);
bnx2i_conn->gen_pdu.req_wr_ptr =
bnx2i_conn->gen_pdu.req_buf + task->data_count;
}
cmd->conn = conn->dd_data;
Reported by FlawFinder.
Line: 1541
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case ISCSI_PARAM_CONN_PORT:
mutex_lock(&hba->net_dev_lock);
if (bnx2i_ep->cm_sk)
len = sprintf(buf, "%hu\n", bnx2i_ep->cm_sk->dst_port);
mutex_unlock(&hba->net_dev_lock);
break;
case ISCSI_PARAM_CONN_ADDRESS:
mutex_lock(&hba->net_dev_lock);
if (bnx2i_ep->cm_sk)
Reported by FlawFinder.
Line: 1547
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case ISCSI_PARAM_CONN_ADDRESS:
mutex_lock(&hba->net_dev_lock);
if (bnx2i_ep->cm_sk)
len = sprintf(buf, "%pI4\n", &bnx2i_ep->cm_sk->dst_ip);
mutex_unlock(&hba->net_dev_lock);
break;
default:
return -ENOSYS;
}
Reported by FlawFinder.
Line: 1589
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
link);
csk = bnx2i_ep->cm_sk;
if (test_bit(SK_F_IPV6, &csk->flags))
len = sprintf(buf, "%pI6\n", csk->src_ip);
else
len = sprintf(buf, "%pI4\n", csk->src_ip);
}
read_unlock_bh(&hba->ep_rdwr_lock);
break;
Reported by FlawFinder.
Line: 1591
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (test_bit(SK_F_IPV6, &csk->flags))
len = sprintf(buf, "%pI6\n", csk->src_ip);
else
len = sprintf(buf, "%pI4\n", csk->src_ip);
}
read_unlock_bh(&hba->ep_rdwr_lock);
break;
}
default:
Reported by FlawFinder.
Line: 1657
Column: 2
CWE codes:
120
Suggestion:
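Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). In kernel code the usual bounded copy is strscpy with sizeof the destination. The source here is a 12-character string literal, so the finding reduces to checking that desc is declared with at least 13 bytes.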
stats->tmfrsp_pdus = conn->tmfrsp_pdus_cnt;
stats->digest_err = 0;
stats->timeout_err = 0;
strcpy(stats->custom[0].desc, "eh_abort_cnt");
stats->custom[0].value = conn->eh_abort_cnt;
stats->custom_length = 1;
}
Reported by FlawFinder.
drivers/scsi/bnx2fc/bnx2fc_hwi.c
8 issues
Line: 383
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
enbl_req.src_mac_addr_mid[1] = port->data_src_addr[2];
enbl_req.src_mac_addr_hi[0] = port->data_src_addr[1];
enbl_req.src_mac_addr_hi[1] = port->data_src_addr[0];
memcpy(tgt->src_addr, port->data_src_addr, ETH_ALEN);
enbl_req.dst_mac_addr_lo[0] = ctlr->dest_addr[5];
enbl_req.dst_mac_addr_lo[1] = ctlr->dest_addr[4];
enbl_req.dst_mac_addr_mid[0] = ctlr->dest_addr[3];
enbl_req.dst_mac_addr_mid[1] = ctlr->dest_addr[2];
Reported by FlawFinder.
Line: 584
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fh = (struct fc_frame_header *) fc_frame_header_get(fp);
/* Copy FC Frame header and payload into the frame */
memcpy(fh, buf, frame_len);
if (l2_oxid != FC_XID_UNKNOWN)
fh->fh_ox_id = htons(l2_oxid);
skb = fp_skb(fp);
Reported by FlawFinder.
Line: 672
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bnx2fc_get_next_rqe(tgt, 1);
spin_unlock_bh(&tgt->tgt_lock);
len = BNX2FC_RQ_BUF_SZ;
memcpy(buf1, rq_data, len);
buf1 += len;
}
}
bnx2fc_process_l2_frame_compl(tgt, buf, frame_len,
FC_XID_UNKNOWN);
Reported by FlawFinder.
Line: 760
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case FCOE_ERROR_CODE_DATA_SOFN_SEQ_ACTIVE_RESET:
BNX2FC_TGT_DBG(tgt, "REC TOV popped for xid - 0x%x\n",
xid);
memcpy(&io_req->err_entry, err_entry,
sizeof(struct fcoe_err_report_entry));
if (!test_bit(BNX2FC_FLAG_SRR_SENT,
&io_req->req_flags)) {
spin_unlock_bh(&tgt->tgt_lock);
rc = bnx2fc_send_rec(io_req);
Reported by FlawFinder.
Line: 840
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto ret_warn_rqe;
}
memcpy(&io_req->err_entry, err_entry,
sizeof(struct fcoe_err_report_entry));
if (err_warn == FCOE_ERROR_CODE_REC_TOV_TIMER_EXPIRATION)
/* REC_TOV is not a warning code */
BUG_ON(1);
Reported by FlawFinder.
Line: 985
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
work->num_rq = num_rq;
work->task = task;
if (rq_data)
memcpy(work->rq_data, rq_data, BNX2FC_RQ_BUF_SZ);
return work;
}
/* Pending work request completion */
Reported by FlawFinder.
Line: 1002
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bnx2fc_interface *interface = port->priv;
struct bnx2fc_hba *hba = interface->hba;
unsigned char *rq_data = NULL;
unsigned char rq_data_buff[BNX2FC_RQ_BUF_SZ];
int task_idx, index;
u16 xid;
u8 num_rq;
int i;
Reported by FlawFinder.
Line: 1037
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (rq_data)
memcpy(rq_data_buff, rq_data, BNX2FC_RQ_BUF_SZ);
/* return RQ entries */
for (i = 0; i < num_rq; i++)
bnx2fc_return_rqe(tgt, 1);
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/pcie/rx.c
8 issues
Line: 1472
Column: 11
CWE codes:
120
20
/* uCode's read index (stored in shared DRAM) indicates the last Rx
* buffer that the driver may process (last buffer filled by ucode). */
r = le16_to_cpu(iwl_get_closed_rb_stts(trans, rxq)) & 0x0FFF;
i = rxq->read;
/* W/A 9000 device step A0 wrap-around bug */
r &= (rxq->queue_size - 1);
/* Rx interrupt, but nothing sent from uCode */
Reported by FlawFinder.
Line: 1695
Column: 6
CWE codes:
120
20
struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
u32 inta;
u32 val = 0;
u32 read;
trace_iwlwifi_dev_irq(trans->dev);
/* Ignore interrupt if there's nothing in NIC to service.
* This may be due to IRQ shared with another device,
Reported by FlawFinder.
Line: 1703
Column: 64
CWE codes:
120
20
* This may be due to IRQ shared with another device,
* or due to sporadic interrupts thrown from our NIC. */
read = le32_to_cpu(trans_pcie->ict_tbl[trans_pcie->ict_index]);
trace_iwlwifi_dev_ict_read(trans->dev, trans_pcie->ict_index, read);
if (!read)
return 0;
/*
* Collect all entries up to the first 0, starting from ict_index;
Reported by FlawFinder.
Line: 1704
Column: 7
CWE codes:
120
20
* or due to sporadic interrupts thrown from our NIC. */
read = le32_to_cpu(trans_pcie->ict_tbl[trans_pcie->ict_index]);
trace_iwlwifi_dev_ict_read(trans->dev, trans_pcie->ict_index, read);
if (!read)
return 0;
/*
* Collect all entries up to the first 0, starting from ict_index;
* note we already read at ict_index.
Reported by FlawFinder.
Line: 1712
Column: 10
CWE codes:
120
20
* note we already read at ict_index.
*/
do {
val |= read;
IWL_DEBUG_ISR(trans, "ICT index %d value 0x%08X\n",
trans_pcie->ict_index, read);
trans_pcie->ict_tbl[trans_pcie->ict_index] = 0;
trans_pcie->ict_index =
((trans_pcie->ict_index + 1) & (ICT_COUNT - 1));
Reported by FlawFinder.
Line: 1714
Column: 28
CWE codes:
120
20
do {
val |= read;
IWL_DEBUG_ISR(trans, "ICT index %d value 0x%08X\n",
trans_pcie->ict_index, read);
trans_pcie->ict_tbl[trans_pcie->ict_index] = 0;
trans_pcie->ict_index =
((trans_pcie->ict_index + 1) & (ICT_COUNT - 1));
read = le32_to_cpu(trans_pcie->ict_tbl[trans_pcie->ict_index]);
Reported by FlawFinder.
Line: 1721
Column: 9
CWE codes:
120
20
read = le32_to_cpu(trans_pcie->ict_tbl[trans_pcie->ict_index]);
trace_iwlwifi_dev_ict_read(trans->dev, trans_pcie->ict_index,
read);
} while (read);
/* We should not get this value, just ignore it. */
if (val == 0xffffffff)
val = 0;
Reported by FlawFinder.
Line: 1722
Column: 11
CWE codes:
120
20
read = le32_to_cpu(trans_pcie->ict_tbl[trans_pcie->ict_index]);
trace_iwlwifi_dev_ict_read(trans->dev, trans_pcie->ict_index,
read);
} while (read);
/* We should not get this value, just ignore it. */
if (val == 0xffffffff)
val = 0;
Reported by FlawFinder.