The following issues were found
drivers/scsi/bfa/bfad_bsg.h
8 issues
Line: 193
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bfa_status_t status;
u16 bfad_num;
u16 rsvd;
char name[BFA_ADAPTER_SYM_NAME_LEN];
};
struct bfa_bsg_ioc_info_s {
bfa_status_t status;
u16 bfad_num;
Reported by FlawFinder.
Line: 200
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bfa_status_t status;
u16 bfad_num;
u16 rsvd;
char serialnum[64];
char hwpath[BFA_STRING_32];
char adapter_hwpath[BFA_STRING_32];
char guid[BFA_ADAPTER_SYM_NAME_LEN*2];
char name[BFA_ADAPTER_SYM_NAME_LEN];
char port_name[BFA_ADAPTER_SYM_NAME_LEN];
Reported by FlawFinder.
Line: 201
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 bfad_num;
u16 rsvd;
char serialnum[64];
char hwpath[BFA_STRING_32];
char adapter_hwpath[BFA_STRING_32];
char guid[BFA_ADAPTER_SYM_NAME_LEN*2];
char name[BFA_ADAPTER_SYM_NAME_LEN];
char port_name[BFA_ADAPTER_SYM_NAME_LEN];
char eth_name[BFA_ADAPTER_SYM_NAME_LEN];
Reported by FlawFinder.
Line: 202
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 rsvd;
char serialnum[64];
char hwpath[BFA_STRING_32];
char adapter_hwpath[BFA_STRING_32];
char guid[BFA_ADAPTER_SYM_NAME_LEN*2];
char name[BFA_ADAPTER_SYM_NAME_LEN];
char port_name[BFA_ADAPTER_SYM_NAME_LEN];
char eth_name[BFA_ADAPTER_SYM_NAME_LEN];
wwn_t pwwn;
Reported by FlawFinder.
Line: 203
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char serialnum[64];
char hwpath[BFA_STRING_32];
char adapter_hwpath[BFA_STRING_32];
char guid[BFA_ADAPTER_SYM_NAME_LEN*2];
char name[BFA_ADAPTER_SYM_NAME_LEN];
char port_name[BFA_ADAPTER_SYM_NAME_LEN];
char eth_name[BFA_ADAPTER_SYM_NAME_LEN];
wwn_t pwwn;
wwn_t nwwn;
Reported by FlawFinder.
Line: 204
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char hwpath[BFA_STRING_32];
char adapter_hwpath[BFA_STRING_32];
char guid[BFA_ADAPTER_SYM_NAME_LEN*2];
char name[BFA_ADAPTER_SYM_NAME_LEN];
char port_name[BFA_ADAPTER_SYM_NAME_LEN];
char eth_name[BFA_ADAPTER_SYM_NAME_LEN];
wwn_t pwwn;
wwn_t nwwn;
wwn_t factorypwwn;
Reported by FlawFinder.
Line: 205
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char adapter_hwpath[BFA_STRING_32];
char guid[BFA_ADAPTER_SYM_NAME_LEN*2];
char name[BFA_ADAPTER_SYM_NAME_LEN];
char port_name[BFA_ADAPTER_SYM_NAME_LEN];
char eth_name[BFA_ADAPTER_SYM_NAME_LEN];
wwn_t pwwn;
wwn_t nwwn;
wwn_t factorypwwn;
wwn_t factorynwwn;
Reported by FlawFinder.
Line: 206
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char guid[BFA_ADAPTER_SYM_NAME_LEN*2];
char name[BFA_ADAPTER_SYM_NAME_LEN];
char port_name[BFA_ADAPTER_SYM_NAME_LEN];
char eth_name[BFA_ADAPTER_SYM_NAME_LEN];
wwn_t pwwn;
wwn_t nwwn;
wwn_t factorypwwn;
wwn_t factorynwwn;
mac_t mac;
Reported by FlawFinder.
drivers/s390/crypto/vfio_ap_ops.c
8 issues
Line: 382
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t name_show(struct mdev_type *mtype,
struct mdev_type_attribute *attr, char *buf)
{
return sprintf(buf, "%s\n", VFIO_AP_MDEV_NAME_HWVIRT);
}
static MDEV_TYPE_ATTR_RO(name);
static ssize_t available_instances_show(struct mdev_type *mtype,
Reported by FlawFinder.
Line: 400
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t device_api_show(struct mdev_type *mtype,
struct mdev_type_attribute *attr, char *buf)
{
return sprintf(buf, "%s\n", VFIO_DEVICE_API_AP_STRING);
}
static MDEV_TYPE_ATTR_RO(device_api);
static struct attribute *vfio_ap_mdev_type_attrs[] = {
Reported by FlawFinder.
Line: 324
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
qstatus = vfio_ap_irq_disable(q);
out_unlock:
memcpy(&vcpu->run->s.regs.gprs[1], &qstatus, sizeof(qstatus));
vcpu->run->s.regs.gprs[1] >>= 32;
mutex_unlock(&matrix_dev->lock);
return 0;
}
Reported by FlawFinder.
Line: 391
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct mdev_type_attribute *attr,
char *buf)
{
return sprintf(buf, "%d\n",
atomic_read(&matrix_dev->available_instances));
}
static MDEV_TYPE_ATTR_RO(available_instances);
Reported by FlawFinder.
Line: 1006
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mutex_lock(&matrix_dev->lock);
for_each_set_bit_inv(id, matrix_mdev->matrix.adm, max_domid + 1) {
n = sprintf(bufpos, "%04lx\n", id);
bufpos += n;
nchars += n;
}
mutex_unlock(&matrix_dev->lock);
Reported by FlawFinder.
Line: 1040
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for_each_set_bit_inv(apid, matrix_mdev->matrix.apm, napm_bits) {
for_each_set_bit_inv(apqi, matrix_mdev->matrix.aqm,
naqm_bits) {
n = sprintf(bufpos, "%02lx.%04lx\n", apid,
apqi);
bufpos += n;
nchars += n;
}
}
Reported by FlawFinder.
Line: 1048
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
} else if (apid1 < napm_bits) {
for_each_set_bit_inv(apid, matrix_mdev->matrix.apm, napm_bits) {
n = sprintf(bufpos, "%02lx.\n", apid);
bufpos += n;
nchars += n;
}
} else if (apqi1 < naqm_bits) {
for_each_set_bit_inv(apqi, matrix_mdev->matrix.aqm, naqm_bits) {
Reported by FlawFinder.
Line: 1054
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
} else if (apqi1 < naqm_bits) {
for_each_set_bit_inv(apqi, matrix_mdev->matrix.aqm, naqm_bits) {
n = sprintf(bufpos, ".%04lx\n", apqi);
bufpos += n;
nchars += n;
}
}
Reported by FlawFinder.
drivers/scsi/bfa/bfad_drv.h
8 issues
Line: 102
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bfad_msix_s {
struct bfad_s *bfad;
struct msix_entry msix;
char name[32];
};
/*
* Only append to the enums defined here to avoid any versioning
* needed between trace utility and driver version
Reported by FlawFinder.
Line: 167
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union bfad_tmp_buf {
/* From struct bfa_adapter_attr_s */
char manufacturer[BFA_ADAPTER_MFG_NAME_LEN];
char serial_num[BFA_ADAPTER_SERIAL_NUM_LEN];
char model[BFA_ADAPTER_MODEL_NAME_LEN];
char fw_ver[BFA_VERSION_LEN];
char optrom_ver[BFA_VERSION_LEN];
Reported by FlawFinder.
Line: 168
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union bfad_tmp_buf {
/* From struct bfa_adapter_attr_s */
char manufacturer[BFA_ADAPTER_MFG_NAME_LEN];
char serial_num[BFA_ADAPTER_SERIAL_NUM_LEN];
char model[BFA_ADAPTER_MODEL_NAME_LEN];
char fw_ver[BFA_VERSION_LEN];
char optrom_ver[BFA_VERSION_LEN];
/* From struct bfa_ioc_pci_attr_s */
Reported by FlawFinder.
Line: 169
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* From struct bfa_adapter_attr_s */
char manufacturer[BFA_ADAPTER_MFG_NAME_LEN];
char serial_num[BFA_ADAPTER_SERIAL_NUM_LEN];
char model[BFA_ADAPTER_MODEL_NAME_LEN];
char fw_ver[BFA_VERSION_LEN];
char optrom_ver[BFA_VERSION_LEN];
/* From struct bfa_ioc_pci_attr_s */
u8 chip_rev[BFA_IOC_CHIP_REV_LEN]; /* chip revision */
Reported by FlawFinder.
Line: 170
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char manufacturer[BFA_ADAPTER_MFG_NAME_LEN];
char serial_num[BFA_ADAPTER_SERIAL_NUM_LEN];
char model[BFA_ADAPTER_MODEL_NAME_LEN];
char fw_ver[BFA_VERSION_LEN];
char optrom_ver[BFA_VERSION_LEN];
/* From struct bfa_ioc_pci_attr_s */
u8 chip_rev[BFA_IOC_CHIP_REV_LEN]; /* chip revision */
Reported by FlawFinder.
Line: 171
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char serial_num[BFA_ADAPTER_SERIAL_NUM_LEN];
char model[BFA_ADAPTER_MODEL_NAME_LEN];
char fw_ver[BFA_VERSION_LEN];
char optrom_ver[BFA_VERSION_LEN];
/* From struct bfa_ioc_pci_attr_s */
u8 chip_rev[BFA_IOC_CHIP_REV_LEN]; /* chip revision */
wwn_t wwn[BFA_FCS_MAX_LPORTS];
Reported by FlawFinder.
Line: 208
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bfad_cfg_param_s cfg_data;
struct bfad_msix_s msix_tab[MAX_MSIX_ENTRY];
int nvec;
char adapter_name[BFA_ADAPTER_SYM_NAME_LEN];
char port_name[BFA_ADAPTER_SYM_NAME_LEN];
struct timer_list hal_tmo;
unsigned long hs_start;
struct bfad_im_s *im; /* IM specific data */
struct bfa_trc_mod_s *trcmod;
Reported by FlawFinder.
Line: 209
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bfad_msix_s msix_tab[MAX_MSIX_ENTRY];
int nvec;
char adapter_name[BFA_ADAPTER_SYM_NAME_LEN];
char port_name[BFA_ADAPTER_SYM_NAME_LEN];
struct timer_list hal_tmo;
unsigned long hs_start;
struct bfad_im_s *im; /* IM specific data */
struct bfa_trc_mod_s *trcmod;
struct bfa_plog_s plog_buf;
Reported by FlawFinder.
drivers/platform/x86/hdaps.c
8 issues
Line: 350
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret)
return ret;
return sprintf(buf, "(%d,%d)\n", x, y);
}
static ssize_t hdaps_variance_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 362
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret)
return ret;
return sprintf(buf, "(%d,%d)\n", x, y);
}
static ssize_t hdaps_temp1_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 375
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret)
return ret;
return sprintf(buf, "%u\n", temp);
}
static ssize_t hdaps_temp2_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 388
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret)
return ret;
return sprintf(buf, "%u\n", temp);
}
static ssize_t hdaps_keyboard_activity_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 395
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr,
char *buf)
{
return sprintf(buf, "%u\n", KEYBD_ISSET(km_activity));
}
static ssize_t hdaps_mouse_activity_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 402
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr,
char *buf)
{
return sprintf(buf, "%u\n", MOUSE_ISSET(km_activity));
}
static ssize_t hdaps_calibrate_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 408
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t hdaps_calibrate_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
return sprintf(buf, "(%d,%d)\n", rest_x, rest_y);
}
static ssize_t hdaps_calibrate_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 425
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t hdaps_invert_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
return sprintf(buf, "%u\n", hdaps_invert);
}
static ssize_t hdaps_invert_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/power/supply/max1721x_battery.c
8 issues
Line: 59
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define MAX172XX_REG_TTF 0x020 /* Time to full */
struct max17211_device_info {
char name[PSY_MAX_NAME_LEN];
struct power_supply *bat;
struct power_supply_desc bat_desc;
struct device *w1_dev;
struct regmap *regmap;
/* battery design format */
Reported by FlawFinder.
Line: 66
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct regmap *regmap;
/* battery design format */
unsigned int rsense; /* in tenths uOhm */
char DeviceName[2 * MAX1721X_REG_DEV_NUMB + 1];
char ManufacturerName[2 * MAX1721X_REG_MFG_NUMB + 1];
char SerialNumber[13]; /* see get_sn_str() later for comment */
};
/* Convert regs value to power_supply units */
Reported by FlawFinder.
Line: 67
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* battery design format */
unsigned int rsense; /* in tenths uOhm */
char DeviceName[2 * MAX1721X_REG_DEV_NUMB + 1];
char ManufacturerName[2 * MAX1721X_REG_MFG_NUMB + 1];
char SerialNumber[13]; /* see get_sn_str() later for comment */
};
/* Convert regs value to power_supply units */
Reported by FlawFinder.
Line: 68
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int rsense; /* in tenths uOhm */
char DeviceName[2 * MAX1721X_REG_DEV_NUMB + 1];
char ManufacturerName[2 * MAX1721X_REG_MFG_NUMB + 1];
char SerialNumber[13]; /* see get_sn_str() later for comment */
};
/* Convert regs value to power_supply units */
static inline int max172xx_time_to_ps(unsigned int reg)
Reported by FlawFinder.
Line: 387
Column: 3
CWE codes:
120
}
if (!info->ManufacturerName[0])
strncpy(info->ManufacturerName, DEF_MFG_NAME,
2 * MAX1721X_REG_MFG_NUMB);
if (get_string(info, MAX1721X_REG_DEV_STR,
MAX1721X_REG_DEV_NUMB, info->DeviceName)) {
dev_err(info->w1_dev, "Can't read device. Hardware error.\n");
Reported by FlawFinder.
Line: 406
Column: 4
CWE codes:
120
switch (dev_name & MAX172XX_DEV_MASK) {
case MAX172X1_DEV:
strncpy(info->DeviceName, DEF_DEV_NAME_MAX17211,
2 * MAX1721X_REG_DEV_NUMB);
break;
case MAX172X5_DEV:
strncpy(info->DeviceName, DEF_DEV_NAME_MAX17215,
2 * MAX1721X_REG_DEV_NUMB);
Reported by FlawFinder.
Line: 410
Column: 4
CWE codes:
120
2 * MAX1721X_REG_DEV_NUMB);
break;
case MAX172X5_DEV:
strncpy(info->DeviceName, DEF_DEV_NAME_MAX17215,
2 * MAX1721X_REG_DEV_NUMB);
break;
default:
strncpy(info->DeviceName, DEF_DEV_NAME_UNKNOWN,
2 * MAX1721X_REG_DEV_NUMB);
Reported by FlawFinder.
Line: 414
Column: 4
CWE codes:
120
2 * MAX1721X_REG_DEV_NUMB);
break;
default:
strncpy(info->DeviceName, DEF_DEV_NAME_UNKNOWN,
2 * MAX1721X_REG_DEV_NUMB);
}
}
if (get_sn_string(info, info->SerialNumber)) {
Reported by FlawFinder.
drivers/platform/x86/eeepc-laptop.c
8 issues
Line: 1373
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!eeepc)
return -ENOMEM;
eeepc->handle = device->handle;
strcpy(acpi_device_name(device), EEEPC_ACPI_DEVICE_NAME);
strcpy(acpi_device_class(device), EEEPC_ACPI_CLASS);
device->driver_data = eeepc;
eeepc->device = device;
eeepc->hotplug_disabled = hotplug_disabled;
Reported by FlawFinder.
Line: 1374
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return -ENOMEM;
eeepc->handle = device->handle;
strcpy(acpi_device_name(device), EEEPC_ACPI_DEVICE_NAME);
strcpy(acpi_device_class(device), EEEPC_ACPI_CLASS);
device->driver_data = eeepc;
eeepc->device = device;
eeepc->hotplug_disabled = hotplug_disabled;
Reported by FlawFinder.
Line: 289
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (value < 0)
return -EIO;
return sprintf(buf, "%d\n", value);
}
#define EEEPC_ACPI_SHOW_FUNC(_name, _cm) \
static ssize_t _name##_show(struct device *dev, \
struct device_attribute *attr, \
Reported by FlawFinder.
Line: 351
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (get_cpufv(eeepc, &c))
return -ENODEV;
for (i = 0; i < c.num; i++)
len += sprintf(buf + len, "%d ", i);
len += sprintf(buf + len, "\n");
return len;
}
static ssize_t cpufv_show(struct device *dev,
Reported by FlawFinder.
Line: 365
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (get_cpufv(eeepc, &c))
return -ENODEV;
return sprintf(buf, "%#x\n", (c.num << 8) | c.cur);
}
static ssize_t cpufv_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 397
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct eeepc_laptop *eeepc = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", eeepc->cpufv_disabled);
}
static ssize_t cpufv_disabled_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 1029
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t show_sys_hwmon(int (*get)(void), char *buf)
{
return sprintf(buf, "%d\n", get());
}
#define EEEPC_SENSOR_SHOW_FUNC(_name, _get) \
static ssize_t _name##_show(struct device *dev, \
struct device_attribute *attr, \
Reported by FlawFinder.
Line: 352
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -ENODEV;
for (i = 0; i < c.num; i++)
len += sprintf(buf + len, "%d ", i);
len += sprintf(buf + len, "\n");
return len;
}
static ssize_t cpufv_show(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
drivers/net/wireless/quantenna/qtnfmac/commands.c
8 issues
Line: 186
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tlv->flags = 0;
if (len && buf)
memcpy(tlv->ie_data, buf, len);
}
static bool qtnf_cmd_start_ap_can_fit(const struct qtnf_vif *vif,
const struct cfg80211_ap_settings *s)
{
Reported by FlawFinder.
Line: 233
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tlv->eid_ext = eid_ext;
if (len && buf)
memcpy(tlv->ie_data, buf, len);
}
int qtnf_cmd_send_start_ap(struct qtnf_vif *vif,
const struct cfg80211_ap_settings *s)
{
Reported by FlawFinder.
Line: 328
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tlv->type = cpu_to_le16(WLAN_EID_HT_CAPABILITY);
tlv->len = cpu_to_le16(sizeof(*s->ht_cap));
memcpy(tlv->val, s->ht_cap, sizeof(*s->ht_cap));
}
if (s->vht_cap) {
struct qlink_tlv_hdr *tlv = (struct qlink_tlv_hdr *)
skb_put(cmd_skb, sizeof(*tlv) + sizeof(*s->vht_cap));
Reported by FlawFinder.
Line: 337
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tlv->type = cpu_to_le16(WLAN_EID_VHT_CAPABILITY);
tlv->len = cpu_to_le16(sizeof(*s->vht_cap));
memcpy(tlv->val, s->vht_cap, sizeof(*s->vht_cap));
}
if (s->he_cap)
qtnf_cmd_tlv_ie_ext_add(cmd_skb, WLAN_EID_EXT_HE_CAPABILITY,
s->he_cap, sizeof(*s->he_cap));
Reported by FlawFinder.
Line: 1300
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
iftype_data->types_mask = le16_to_cpu(qlink_data->types_mask);
iftype_data->he_cap.has_he = true;
memcpy(&iftype_data->he_cap.he_cap_elem, &qlink_data->he_cap_elem,
sizeof(qlink_data->he_cap_elem));
memcpy(iftype_data->he_cap.ppe_thres, qlink_data->ppe_thres,
ARRAY_SIZE(qlink_data->ppe_thres));
iftype_data->he_cap.he_mcs_nss_supp.rx_mcs_80 =
Reported by FlawFinder.
Line: 1302
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
iftype_data->he_cap.has_he = true;
memcpy(&iftype_data->he_cap.he_cap_elem, &qlink_data->he_cap_elem,
sizeof(qlink_data->he_cap_elem));
memcpy(iftype_data->he_cap.ppe_thres, qlink_data->ppe_thres,
ARRAY_SIZE(qlink_data->ppe_thres));
iftype_data->he_cap.he_mcs_nss_supp.rx_mcs_80 =
qlink_data->he_mcs_nss_supp.rx_mcs_80;
iftype_data->he_cap.he_mcs_nss_supp.tx_mcs_80 =
Reported by FlawFinder.
Line: 1978
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdr->len = cpu_to_le16(sizeof(*randmac));
randmac = (struct qlink_random_mac_addr *)hdr->val;
memcpy(randmac->mac_addr, mac_addr, ETH_ALEN);
memcpy(randmac->mac_addr_mask, mac_addr_mask, ETH_ALEN);
}
int qtnf_cmd_send_scan(struct qtnf_wmac *mac)
{
Reported by FlawFinder.
Line: 1979
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
randmac = (struct qlink_random_mac_addr *)hdr->val;
memcpy(randmac->mac_addr, mac_addr, ETH_ALEN);
memcpy(randmac->mac_addr_mask, mac_addr_mask, ETH_ALEN);
}
int qtnf_cmd_send_scan(struct qtnf_wmac *mac)
{
struct cfg80211_scan_request *scan_req = mac->scan_req;
Reported by FlawFinder.
drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c
8 issues
Line: 298
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (cmd_len) {
case 1:
boxcontent[0] &= ~(BIT(7));
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index, 1);
for (idx = 0; idx < 4; idx++) {
rtl_write_byte(rtlpriv, box_reg + idx,
boxcontent[idx]);
Reported by FlawFinder.
Line: 308
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 2:
boxcontent[0] &= ~(BIT(7));
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index, 2);
for (idx = 0; idx < 4; idx++) {
rtl_write_byte(rtlpriv, box_reg + idx,
boxcontent[idx]);
Reported by FlawFinder.
Line: 318
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 3:
boxcontent[0] &= ~(BIT(7));
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index, 3);
for (idx = 0; idx < 4; idx++) {
rtl_write_byte(rtlpriv, box_reg + idx,
boxcontent[idx]);
Reported by FlawFinder.
Line: 328
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 4:
boxcontent[0] |= (BIT(7));
memcpy((u8 *)(boxextcontent),
cmdbuffer + buf_index, 2);
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index + 2, 2);
for (idx = 0; idx < 2; idx++) {
Reported by FlawFinder.
Line: 330
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
boxcontent[0] |= (BIT(7));
memcpy((u8 *)(boxextcontent),
cmdbuffer + buf_index, 2);
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index + 2, 2);
for (idx = 0; idx < 2; idx++) {
rtl_write_byte(rtlpriv, box_extreg + idx,
boxextcontent[idx]);
Reported by FlawFinder.
Line: 345
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 5:
boxcontent[0] |= (BIT(7));
memcpy((u8 *)(boxextcontent),
cmdbuffer + buf_index, 2);
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index + 2, 3);
for (idx = 0; idx < 2; idx++) {
Reported by FlawFinder.
Line: 347
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
boxcontent[0] |= (BIT(7));
memcpy((u8 *)(boxextcontent),
cmdbuffer + buf_index, 2);
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index + 2, 3);
for (idx = 0; idx < 2; idx++) {
rtl_write_byte(rtlpriv, box_extreg + idx,
boxextcontent[idx]);
Reported by FlawFinder.
Line: 397
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memset(tmp_cmdbuf, 0, 8);
memcpy(tmp_cmdbuf, cmdbuffer, cmd_len);
_rtl92c_fill_h2c_command(hw, element_id, cmd_len, (u8 *)&tmp_cmdbuf);
return;
}
EXPORT_SYMBOL(rtl92c_fill_h2c_cmd);
Reported by FlawFinder.
drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c
8 issues
Line: 383
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (cmd_len) {
case 1:
boxcontent[0] &= ~(BIT(7));
memcpy(boxcontent + 1, cmdbuffer + buf_index, 1);
for (idx = 0; idx < 4; idx++)
rtl_write_byte(rtlpriv, box_reg + idx,
boxcontent[idx]);
break;
case 2:
Reported by FlawFinder.
Line: 390
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 2:
boxcontent[0] &= ~(BIT(7));
memcpy(boxcontent + 1, cmdbuffer + buf_index, 2);
for (idx = 0; idx < 4; idx++)
rtl_write_byte(rtlpriv, box_reg + idx,
boxcontent[idx]);
break;
case 3:
Reported by FlawFinder.
Line: 397
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 3:
boxcontent[0] &= ~(BIT(7));
memcpy(boxcontent + 1, cmdbuffer + buf_index, 3);
for (idx = 0; idx < 4; idx++)
rtl_write_byte(rtlpriv, box_reg + idx,
boxcontent[idx]);
break;
case 4:
Reported by FlawFinder.
Line: 404
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 4:
boxcontent[0] |= (BIT(7));
memcpy(boxextcontent, cmdbuffer + buf_index, 2);
memcpy(boxcontent + 1, cmdbuffer + buf_index + 2, 2);
for (idx = 0; idx < 2; idx++)
rtl_write_byte(rtlpriv, box_extreg + idx,
boxextcontent[idx]);
for (idx = 0; idx < 4; idx++)
Reported by FlawFinder.
Line: 405
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case 4:
boxcontent[0] |= (BIT(7));
memcpy(boxextcontent, cmdbuffer + buf_index, 2);
memcpy(boxcontent + 1, cmdbuffer + buf_index + 2, 2);
for (idx = 0; idx < 2; idx++)
rtl_write_byte(rtlpriv, box_extreg + idx,
boxextcontent[idx]);
for (idx = 0; idx < 4; idx++)
rtl_write_byte(rtlpriv, box_reg + idx,
Reported by FlawFinder.
Line: 415
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 5:
boxcontent[0] |= (BIT(7));
memcpy(boxextcontent, cmdbuffer + buf_index, 2);
memcpy(boxcontent + 1, cmdbuffer + buf_index + 2, 3);
for (idx = 0; idx < 2; idx++)
rtl_write_byte(rtlpriv, box_extreg + idx,
boxextcontent[idx]);
for (idx = 0; idx < 4; idx++)
Reported by FlawFinder.
Line: 416
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case 5:
boxcontent[0] |= (BIT(7));
memcpy(boxextcontent, cmdbuffer + buf_index, 2);
memcpy(boxcontent + 1, cmdbuffer + buf_index + 2, 3);
for (idx = 0; idx < 2; idx++)
rtl_write_byte(rtlpriv, box_extreg + idx,
boxextcontent[idx]);
for (idx = 0; idx < 4; idx++)
rtl_write_byte(rtlpriv, box_reg + idx,
Reported by FlawFinder.
Line: 449
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 tmp_cmdbuf[2];
memset(tmp_cmdbuf, 0, 8);
memcpy(tmp_cmdbuf, cmdbuffer, cmd_len);
_rtl92d_fill_h2c_command(hw, element_id, cmd_len, (u8 *)&tmp_cmdbuf);
return;
}
static bool _rtl92d_cmd_send_packet(struct ieee80211_hw *hw,
Reported by FlawFinder.
drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c
8 issues
Line: 146
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (cmd_len) {
case 1:
boxcontent[0] &= ~(BIT(7));
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index, 1);
for (idx = 0; idx < 4; idx++) {
rtl_write_byte(rtlpriv, box_reg + idx,
boxcontent[idx]);
Reported by FlawFinder.
Line: 156
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 2:
boxcontent[0] &= ~(BIT(7));
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index, 2);
for (idx = 0; idx < 4; idx++) {
rtl_write_byte(rtlpriv, box_reg + idx,
boxcontent[idx]);
Reported by FlawFinder.
Line: 166
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 3:
boxcontent[0] &= ~(BIT(7));
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index, 3);
for (idx = 0; idx < 4; idx++) {
rtl_write_byte(rtlpriv, box_reg + idx,
boxcontent[idx]);
Reported by FlawFinder.
Line: 176
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 4:
boxcontent[0] |= (BIT(7));
memcpy((u8 *)(boxextcontent),
cmdbuffer + buf_index, 2);
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index + 2, 2);
for (idx = 0; idx < 2; idx++) {
Reported by FlawFinder.
Line: 178
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
boxcontent[0] |= (BIT(7));
memcpy((u8 *)(boxextcontent),
cmdbuffer + buf_index, 2);
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index + 2, 2);
for (idx = 0; idx < 2; idx++) {
rtl_write_byte(rtlpriv, box_extreg + idx,
boxextcontent[idx]);
Reported by FlawFinder.
Line: 193
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case 5:
boxcontent[0] |= (BIT(7));
memcpy((u8 *)(boxextcontent),
cmdbuffer + buf_index, 2);
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index + 2, 3);
for (idx = 0; idx < 2; idx++) {
Reported by FlawFinder.
Line: 195
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
boxcontent[0] |= (BIT(7));
memcpy((u8 *)(boxextcontent),
cmdbuffer + buf_index, 2);
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index + 2, 3);
for (idx = 0; idx < 2; idx++) {
rtl_write_byte(rtlpriv, box_extreg + idx,
boxextcontent[idx]);
Reported by FlawFinder.
Line: 244
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memset(tmp_cmdbuf, 0, 8);
memcpy(tmp_cmdbuf, cmdbuffer, cmd_len);
_rtl8723e_fill_h2c_command(hw, element_id, cmd_len,
(u8 *)&tmp_cmdbuf);
}
void rtl8723e_set_fw_pwrmode_cmd(struct ieee80211_hw *hw, u8 mode)
Reported by FlawFinder.