The following issues were found
drivers/scsi/aic7xxx/aic7xxx_core.c
8 issues
Line: 5002
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int len;
len = sprintf(buf, "%s: ", ahc_chip_names[ahc->chip & AHC_CHIPID_MASK]);
buf += len;
if ((ahc->features & AHC_TWIN) != 0)
len = sprintf(buf, "Twin Channel, A SCSI Id=%d, "
"B SCSI Id=%d, primary %c, ",
ahc->our_id, ahc->our_id_b,
Reported by FlawFinder.
Line: 5026
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
} else {
type = "Single";
}
len = sprintf(buf, "%s%s Channel %c, SCSI Id=%d, ",
speed, type, ahc->channel, ahc->our_id);
}
buf += len;
if ((ahc->flags & AHC_PAGESCBS) != 0)
Reported by FlawFinder.
Line: 586
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
q_hscb = ahc->next_queued_scb->hscb;
saved_tag = q_hscb->tag;
memcpy(q_hscb, scb->hscb, sizeof(*scb->hscb));
if ((scb->flags & SCB_CDB32_PTR) != 0) {
q_hscb->shared_data.cdb_ptr =
ahc_htole32(ahc_hscb_busaddr(ahc, q_hscb->tag)
+ offsetof(struct hardware_scb, cdb32));
}
Reported by FlawFinder.
Line: 2142
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* until an initiator talks to us.
*/
if (master_tstate != NULL) {
memcpy(tstate, master_tstate, sizeof(*tstate));
memset(tstate->enabled_luns, 0, sizeof(tstate->enabled_luns));
tstate->ultraenb = 0;
for (i = 0; i < AHC_NUM_TARGETS; i++) {
memset(&tstate->transinfo[i].curr, 0,
sizeof(tstate->transinfo[i].curr));
Reported by FlawFinder.
Line: 5005
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len = sprintf(buf, "%s: ", ahc_chip_names[ahc->chip & AHC_CHIPID_MASK]);
buf += len;
if ((ahc->features & AHC_TWIN) != 0)
len = sprintf(buf, "Twin Channel, A SCSI Id=%d, "
"B SCSI Id=%d, primary %c, ",
ahc->our_id, ahc->our_id_b,
(ahc->flags & AHC_PRIMARY_CHANNEL) + 'A');
else {
const char *speed;
Reported by FlawFinder.
Line: 5032
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
buf += len;
if ((ahc->flags & AHC_PAGESCBS) != 0)
sprintf(buf, "%d/%d SCBs",
ahc->scb_data->maxhscbs, AHC_MAX_QUEUE);
else
sprintf(buf, "%d SCBs", ahc->scb_data->maxhscbs);
}
Reported by FlawFinder.
Line: 5035
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(buf, "%d/%d SCBs",
ahc->scb_data->maxhscbs, AHC_MAX_QUEUE);
else
sprintf(buf, "%d SCBs", ahc->scb_data->maxhscbs);
}
int
ahc_chip_init(struct ahc_softc *ahc)
{
Reported by FlawFinder.
Line: 7878
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
memcpy(atio->cdb_io.cdb_bytes, byte, atio->cdb_len);
atio->ccb_h.status |= CAM_CDB_RECVD;
if ((cmd->identify & MSG_IDENTIFY_DISCFLAG) == 0) {
/*
Reported by FlawFinder.
drivers/pci/hotplug/rpaphp_core.c
8 issues
Line: 253
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* Found it */
if (my_index >= drc.drc_index_start && my_index <= drc.last_drc_index) {
int index = my_index - drc.drc_index_start;
sprintf(cell_drc_name, "%s%d", drc.drc_name_prefix,
drc.drc_name_suffix_start + index);
break;
}
}
Reported by FlawFinder.
Line: 356
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!is_php_type(drc.drc_type))
return 0;
sprintf(drc_name, "%s%d", drc.drc_name_prefix, drc.drc_name_suffix_start);
slot = alloc_slot_struct(dn, drc.drc_index_start, drc_name, drc.drc_power_domain);
if (!slot)
return -ENOMEM;
Reported by FlawFinder.
Line: 232
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int entries;
struct of_drc_info drc;
const __be32 *value;
char cell_drc_name[MAX_DRC_NAME_LEN];
int j;
info = of_find_property(dn->parent, "ibm,drc-info", NULL);
if (info == NULL)
return -EINVAL;
Reported by FlawFinder.
Line: 337
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct slot *slot;
struct property *info;
struct of_drc_info drc;
char drc_name[MAX_DRC_NAME_LEN];
const __be32 *cur;
u32 count;
int retval = 0;
info = of_find_property(dn, "ibm,drc-info", NULL);
Reported by FlawFinder.
Line: 214
Column: 16
CWE codes:
126
if (be32_to_cpu(indexes[i + 1]) == my_index)
break;
name_tmp += (strlen(name_tmp) + 1);
type_tmp += (strlen(type_tmp) + 1);
}
if (((drc_name == NULL) || (drc_name && !strcmp(drc_name, name_tmp))) &&
((drc_type == NULL) || (drc_type && !strcmp(drc_type, type_tmp))))
Reported by FlawFinder.
Line: 215
Column: 16
CWE codes:
126
break;
name_tmp += (strlen(name_tmp) + 1);
type_tmp += (strlen(type_tmp) + 1);
}
if (((drc_name == NULL) || (drc_name && !strcmp(drc_name, name_tmp))) &&
((drc_type == NULL) || (drc_type && !strcmp(drc_type, type_tmp))))
return 0;
Reported by FlawFinder.
Line: 411
Column: 11
CWE codes:
126
if (retval)
dealloc_slot_struct(slot);
name += strlen(name) + 1;
type += strlen(type) + 1;
}
dbg("%s - Exit: rc[%d]\n", __func__, retval);
/* XXX FIXME: reports a failure only if last entry in loop failed */
Reported by FlawFinder.
Line: 412
Column: 11
CWE codes:
126
dealloc_slot_struct(slot);
name += strlen(name) + 1;
type += strlen(type) + 1;
}
dbg("%s - Exit: rc[%d]\n", __func__, retval);
/* XXX FIXME: reports a failure only if last entry in loop failed */
return retval;
Reported by FlawFinder.
drivers/scsi/aic94xx/aic94xx_tmf.c
8 issues
Line: 208
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
CLEAR_NEXUS_PRE;
scb->clear_nexus.nexus = NEXUS_I_T_L;
scb->clear_nexus.flags = SEND_Q | EXEC_Q | NOTINQ;
memcpy(scb->clear_nexus.ssp_task.lun, lun, 8);
scb->clear_nexus.conn_handle = cpu_to_le16((u16)(unsigned long)
dev->lldd_dev);
CLEAR_NEXUS_POST;
}
Reported by FlawFinder.
Line: 221
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
CLEAR_NEXUS_PRE;
scb->clear_nexus.nexus = NEXUS_TAG;
memcpy(scb->clear_nexus.ssp_task.lun, task->ssp_task.LUN, 8);
scb->clear_nexus.ssp_task.tag = tascb->tag;
if (task->dev->tproto)
scb->clear_nexus.conn_handle = cpu_to_le16((u16)(unsigned long)
task->dev->lldd_dev);
CLEAR_NEXUS_POST;
Reported by FlawFinder.
Line: 436
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (task->task_proto == SAS_PROTOCOL_SSP) {
scb->abort_task.ssp_frame.frame_type = SSP_TASK;
memcpy(scb->abort_task.ssp_frame.hashed_dest_addr,
task->dev->hashed_sas_addr, HASHED_SAS_ADDR_SIZE);
memcpy(scb->abort_task.ssp_frame.hashed_src_addr,
task->dev->port->ha->hashed_sas_addr,
HASHED_SAS_ADDR_SIZE);
scb->abort_task.ssp_frame.tptt = cpu_to_be16(0xFFFF);
Reported by FlawFinder.
Line: 438
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
scb->abort_task.ssp_frame.frame_type = SSP_TASK;
memcpy(scb->abort_task.ssp_frame.hashed_dest_addr,
task->dev->hashed_sas_addr, HASHED_SAS_ADDR_SIZE);
memcpy(scb->abort_task.ssp_frame.hashed_src_addr,
task->dev->port->ha->hashed_sas_addr,
HASHED_SAS_ADDR_SIZE);
scb->abort_task.ssp_frame.tptt = cpu_to_be16(0xFFFF);
memcpy(scb->abort_task.ssp_task.lun, task->ssp_task.LUN, 8);
Reported by FlawFinder.
Line: 443
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
HASHED_SAS_ADDR_SIZE);
scb->abort_task.ssp_frame.tptt = cpu_to_be16(0xFFFF);
memcpy(scb->abort_task.ssp_task.lun, task->ssp_task.LUN, 8);
scb->abort_task.ssp_task.tmf = TMF_ABORT_TASK;
scb->abort_task.ssp_task.tag = cpu_to_be16(0xFFFF);
}
scb->abort_task.sister_scb = cpu_to_le16(0xFFFF);
Reported by FlawFinder.
Line: 586
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
scb->ssp_tmf.proto_conn_rate |= dev->linkrate;
/* SSP frame header */
scb->ssp_tmf.ssp_frame.frame_type = SSP_TASK;
memcpy(scb->ssp_tmf.ssp_frame.hashed_dest_addr,
dev->hashed_sas_addr, HASHED_SAS_ADDR_SIZE);
memcpy(scb->ssp_tmf.ssp_frame.hashed_src_addr,
dev->port->ha->hashed_sas_addr, HASHED_SAS_ADDR_SIZE);
scb->ssp_tmf.ssp_frame.tptt = cpu_to_be16(0xFFFF);
/* SSP Task IU */
Reported by FlawFinder.
Line: 588
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
scb->ssp_tmf.ssp_frame.frame_type = SSP_TASK;
memcpy(scb->ssp_tmf.ssp_frame.hashed_dest_addr,
dev->hashed_sas_addr, HASHED_SAS_ADDR_SIZE);
memcpy(scb->ssp_tmf.ssp_frame.hashed_src_addr,
dev->port->ha->hashed_sas_addr, HASHED_SAS_ADDR_SIZE);
scb->ssp_tmf.ssp_frame.tptt = cpu_to_be16(0xFFFF);
/* SSP Task IU */
memcpy(scb->ssp_tmf.ssp_task.lun, lun, 8);
scb->ssp_tmf.ssp_task.tmf = tmf;
Reported by FlawFinder.
Line: 592
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->port->ha->hashed_sas_addr, HASHED_SAS_ADDR_SIZE);
scb->ssp_tmf.ssp_frame.tptt = cpu_to_be16(0xFFFF);
/* SSP Task IU */
memcpy(scb->ssp_tmf.ssp_task.lun, lun, 8);
scb->ssp_tmf.ssp_task.tmf = tmf;
scb->ssp_tmf.sister_scb = cpu_to_le16(0xFFFF);
scb->ssp_tmf.conn_handle= cpu_to_le16((u16)(unsigned long)
dev->lldd_dev);
Reported by FlawFinder.
drivers/pci/controller/pci-hyperv.c
8 issues
Line: 673
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* If the attempt is to read the IDs or the ROM BAR, simulate that.
*/
if (where + size <= PCI_COMMAND) {
memcpy(val, ((u8 *)&hpdev->desc.v_id) + where, size);
} else if (where >= PCI_CLASS_REVISION && where + size <=
PCI_CACHE_LINE_SIZE) {
memcpy(val, ((u8 *)&hpdev->desc.rev) + where -
PCI_CLASS_REVISION, size);
} else if (where >= PCI_SUBSYSTEM_VENDOR_ID && where + size <=
Reported by FlawFinder.
Line: 676
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(val, ((u8 *)&hpdev->desc.v_id) + where, size);
} else if (where >= PCI_CLASS_REVISION && where + size <=
PCI_CACHE_LINE_SIZE) {
memcpy(val, ((u8 *)&hpdev->desc.rev) + where -
PCI_CLASS_REVISION, size);
} else if (where >= PCI_SUBSYSTEM_VENDOR_ID && where + size <=
PCI_ROM_ADDRESS) {
memcpy(val, (u8 *)&hpdev->desc.subsystem_id + where -
PCI_SUBSYSTEM_VENDOR_ID, size);
Reported by FlawFinder.
Line: 680
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
PCI_CLASS_REVISION, size);
} else if (where >= PCI_SUBSYSTEM_VENDOR_ID && where + size <=
PCI_ROM_ADDRESS) {
memcpy(val, (u8 *)&hpdev->desc.subsystem_id + where -
PCI_SUBSYSTEM_VENDOR_ID, size);
} else if (where >= PCI_ROM_ADDRESS && where + size <=
PCI_CAPABILITY_LIST) {
/* ROM BARs are unimplemented */
*val = 0;
Reported by FlawFinder.
Line: 913
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data_len = resp_packet_size - hdr_len;
if (data_len > 0 && read_resp->status == 0) {
comp->bytes_returned = min(comp->len, data_len);
memcpy(comp->buf, read_resp->bytes, comp->bytes_returned);
} else {
comp->bytes_returned = 0;
}
comp->comp_pkt.completion_status = read_resp->status;
Reported by FlawFinder.
Line: 943
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
sysdata);
struct {
struct pci_packet pkt;
char buf[sizeof(struct pci_read_block)];
} pkt;
struct hv_read_config_compl comp_pkt;
struct pci_read_block *read_blk;
int ret;
Reported by FlawFinder.
Line: 1023
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
sysdata);
struct {
struct pci_packet pkt;
char buf[sizeof(struct pci_write_block)];
u32 reserved;
} pkt;
struct hv_pci_compl comp_pkt;
struct pci_write_block *write_blk;
u32 pkt_size;
Reported by FlawFinder.
Line: 1044
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
write_blk->wslot.slot = devfn_to_wslot(pdev->devfn);
write_blk->block_id = block_id;
write_blk->byte_count = len;
memcpy(write_blk->bytes, buf, len);
pkt_size = offsetof(struct pci_write_block, bytes) + len;
/*
* This quirk is required on some hosts shipped around 2018, because
* these hosts don't check the pkt_size correctly (new hosts have been
* fixed since early 2019). The quirk is also safe on very old hosts
Reported by FlawFinder.
Line: 1791
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void hv_pci_assign_slots(struct hv_pcibus_device *hbus)
{
struct hv_pci_dev *hpdev;
char name[SLOT_NAME_SIZE];
int slot_nr;
list_for_each_entry(hpdev, &hbus->children, list_entry) {
if (hpdev->pci_slot)
continue;
Reported by FlawFinder.
drivers/s390/block/dasd_alias.c
8 issues
Line: 112
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
server = kzalloc(sizeof(*server), GFP_KERNEL);
if (!server)
return ERR_PTR(-ENOMEM);
memcpy(server->uid.vendor, uid->vendor, sizeof(uid->vendor));
memcpy(server->uid.serial, uid->serial, sizeof(uid->serial));
INIT_LIST_HEAD(&server->server);
INIT_LIST_HEAD(&server->lculist);
return server;
}
Reported by FlawFinder.
Line: 113
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!server)
return ERR_PTR(-ENOMEM);
memcpy(server->uid.vendor, uid->vendor, sizeof(uid->vendor));
memcpy(server->uid.serial, uid->serial, sizeof(uid->serial));
INIT_LIST_HEAD(&server->server);
INIT_LIST_HEAD(&server->lculist);
return server;
}
Reported by FlawFinder.
Line: 145
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!lcu->rsu_cqr->data)
goto out_err4;
memcpy(lcu->uid.vendor, uid->vendor, sizeof(uid->vendor));
memcpy(lcu->uid.serial, uid->serial, sizeof(uid->serial));
lcu->uid.ssid = uid->ssid;
lcu->pav = NO_PAV;
lcu->flags = NEED_UAC_UPDATE | UPDATE_PENDING;
INIT_LIST_HEAD(&lcu->lcu);
Reported by FlawFinder.
Line: 146
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out_err4;
memcpy(lcu->uid.vendor, uid->vendor, sizeof(uid->vendor));
memcpy(lcu->uid.serial, uid->serial, sizeof(uid->serial));
lcu->uid.ssid = uid->ssid;
lcu->pav = NO_PAV;
lcu->flags = NEED_UAC_UPDATE | UPDATE_PENDING;
INIT_LIST_HEAD(&lcu->lcu);
INIT_LIST_HEAD(&lcu->inactive_devices);
Reported by FlawFinder.
Line: 337
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
group = kzalloc(sizeof(*group), GFP_ATOMIC);
if (!group)
return -ENOMEM;
memcpy(group->uid.vendor, uid.vendor, sizeof(uid.vendor));
memcpy(group->uid.serial, uid.serial, sizeof(uid.serial));
group->uid.ssid = uid.ssid;
if (uid.type == UA_BASE_DEVICE)
group->uid.base_unit_addr = uid.real_unit_addr;
else
Reported by FlawFinder.
Line: 338
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!group)
return -ENOMEM;
memcpy(group->uid.vendor, uid.vendor, sizeof(uid.vendor));
memcpy(group->uid.serial, uid.serial, sizeof(uid.serial));
group->uid.ssid = uid.ssid;
if (uid.type == UA_BASE_DEVICE)
group->uid.base_unit_addr = uid.real_unit_addr;
else
group->uid.base_unit_addr = uid.base_unit_addr;
Reported by FlawFinder.
Line: 344
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
group->uid.base_unit_addr = uid.real_unit_addr;
else
group->uid.base_unit_addr = uid.base_unit_addr;
memcpy(group->uid.vduit, uid.vduit, sizeof(uid.vduit));
INIT_LIST_HEAD(&group->group);
INIT_LIST_HEAD(&group->baselist);
INIT_LIST_HEAD(&group->aliaslist);
list_add(&group->group, &lcu->grouplist);
}
Reported by FlawFinder.
Line: 739
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct ccw1 *ccw;
cqr = lcu->rsu_cqr;
memcpy((char *) &cqr->magic, "ECKD", 4);
ASCEBC((char *) &cqr->magic, 4);
ccw = cqr->cpaddr;
ccw->cmd_code = DASD_ECKD_CCW_RSCK;
ccw->flags = CCW_FLAG_SLI;
ccw->count = 16;
Reported by FlawFinder.
drivers/scsi/be2iscsi/be_main.h
8 issues
Line: 281
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pci_dev *pcidev;
unsigned int num_cpus;
unsigned int nxt_cqid;
char *msi_name[MAX_CPUS];
struct be_mem_descriptor *init_mem;
unsigned short io_sgl_alloc_index;
unsigned short io_sgl_free_index;
unsigned short io_sgl_hndl_avbl;
Reported by FlawFinder.
Line: 365
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 mac_address[ETH_ALEN];
u8 port_name;
u8 port_speed;
char fw_ver_str[BEISCSI_VER_STRLEN];
struct workqueue_struct *wq; /* The actuak work queue */
struct be_ctrl_info ctrl;
unsigned int generation;
unsigned int interface_handle;
Reported by FlawFinder.
Line: 451
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct be_cmd_bhs {
struct iscsi_scsi_req iscsi_hdr;
unsigned char pad1[16];
struct pdu_data_out iscsi_data_pdu;
unsigned char pad2[BE_SENSE_INFO_SIZE -
sizeof(struct pdu_data_out)];
};
Reported by FlawFinder.
Line: 453
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct iscsi_scsi_req iscsi_hdr;
unsigned char pad1[16];
struct pdu_data_out iscsi_data_pdu;
unsigned char pad2[BE_SENSE_INFO_SIZE -
sizeof(struct pdu_data_out)];
};
struct beiscsi_io_task {
struct wrb_handle *pwrb_handle;
Reported by FlawFinder.
Line: 475
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct be_nonio_bhs {
struct iscsi_hdr iscsi_hdr;
unsigned char pad1[16];
struct pdu_data_out iscsi_data_pdu;
unsigned char pad2[BE_SENSE_INFO_SIZE -
sizeof(struct pdu_data_out)];
};
Reported by FlawFinder.
Line: 477
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct iscsi_hdr iscsi_hdr;
unsigned char pad1[16];
struct pdu_data_out iscsi_data_pdu;
unsigned char pad2[BE_SENSE_INFO_SIZE -
sizeof(struct pdu_data_out)];
};
struct be_status_bhs {
struct iscsi_scsi_req iscsi_hdr;
Reported by FlawFinder.
Line: 483
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct be_status_bhs {
struct iscsi_scsi_req iscsi_hdr;
unsigned char pad1[16];
/**
* The plus 2 below is to hold the sense info length that gets
* DMA'ed by RxULP
*/
unsigned char sense_info[BE_SENSE_INFO_SIZE];
Reported by FlawFinder.
Line: 488
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* The plus 2 below is to hold the sense info length that gets
* DMA'ed by RxULP
*/
unsigned char sense_info[BE_SENSE_INFO_SIZE];
};
struct iscsi_sge {
u32 dw[4];
};
Reported by FlawFinder.
drivers/of/base.c
8 issues
Line: 69
Column: 10
CWE codes:
126
node_name = kbasename(np->full_name);
len = strchrnul(node_name, '@') - node_name;
return (strlen(name) == len) && (strncmp(node_name, name, len) == 0);
}
EXPORT_SYMBOL(of_node_name_eq);
bool of_node_name_prefix(const struct device_node *np, const char *prefix)
{
Reported by FlawFinder.
Line: 78
Column: 51
CWE codes:
126
if (!np)
return false;
return strncmp(kbasename(np->full_name), prefix, strlen(prefix)) == 0;
}
EXPORT_SYMBOL(of_node_name_prefix);
static bool __of_node_is_type(const struct device_node *np, const char *type)
{
Reported by FlawFinder.
Line: 496
Column: 34
CWE codes:
126
prop = __of_find_property(device, "compatible", NULL);
for (cp = of_prop_next_string(prop, NULL); cp;
cp = of_prop_next_string(prop, cp), index++) {
if (of_compat_cmp(cp, compat, strlen(compat)) == 0) {
score = INT_MAX/2 - (index << 2);
break;
}
}
if (!score)
Reported by FlawFinder.
Line: 871
Column: 41
CWE codes:
126
__for_each_child_of_node(parent, child) {
const char *name = kbasename(child->full_name);
if (strncmp(path, name, len) == 0 && (strlen(name) == len))
return child;
}
return NULL;
}
Reported by FlawFinder.
Line: 940
Column: 8
CWE codes:
126
return NULL;
for_each_property_of_node(of_aliases, pp) {
if (strlen(pp->name) == len && !strncmp(pp->name, path, len)) {
np = of_find_node_by_path(pp->value);
break;
}
}
if (!np)
Reported by FlawFinder.
Line: 1181
Column: 21
CWE codes:
126
int cplen;
compatible = of_get_property(node, "compatible", &cplen);
if (!compatible || strlen(compatible) > cplen)
return -ENODEV;
p = strchr(compatible, ',');
strlcpy(modalias, p ? p + 1 : compatible, len);
return 0;
}
Reported by FlawFinder.
Line: 1946
Column: 2
CWE codes:
120
{
ap->np = np;
ap->id = id;
strncpy(ap->stem, stem, stem_len);
ap->stem[stem_len] = 0;
list_add_tail(&ap->link, &aliases_lookup);
pr_debug("adding DT alias:%s: stem=%s id=%i node=%pOF\n",
ap->alias, ap->stem, ap->id, np);
}
Reported by FlawFinder.
Line: 1989
Column: 29
CWE codes:
126
for_each_property_of_node(of_aliases, pp) {
const char *start = pp->name;
const char *end = start + strlen(start);
struct device_node *np;
struct alias_prop *ap;
int id, len;
/* Skip those we do not want to proceed */
Reported by FlawFinder.
drivers/scsi/csiostor/csio_hw.h
8 issues
Line: 100
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct csio_msix_entries {
void *dev_id; /* Priv object associated w/ this msix*/
char desc[24]; /* Description of this vector */
};
struct csio_scsi_qset {
int iq_idx; /* Ingress index */
int eq_idx; /* Egress index */
Reported by FlawFinder.
Line: 240
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct csio_adap_desc {
char model_no[16];
char description[32];
};
struct pci_params {
uint16_t vendor_id;
Reported by FlawFinder.
Line: 241
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct csio_adap_desc {
char model_no[16];
char description[32];
};
struct pci_params {
uint16_t vendor_id;
uint16_t device_id;
Reported by FlawFinder.
Line: 499
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct list_head evt_active_q; /* active evt queue*/
/* board related info */
char name[32];
char hw_ver[16];
char model_desc[32];
char drv_version[32];
char fwrev_str[32];
uint32_t optrom_ver;
Reported by FlawFinder.
Line: 500
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* board related info */
char name[32];
char hw_ver[16];
char model_desc[32];
char drv_version[32];
char fwrev_str[32];
uint32_t optrom_ver;
uint32_t fwrev;
Reported by FlawFinder.
Line: 501
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* board related info */
char name[32];
char hw_ver[16];
char model_desc[32];
char drv_version[32];
char fwrev_str[32];
uint32_t optrom_ver;
uint32_t fwrev;
uint32_t tp_vers;
Reported by FlawFinder.
Line: 502
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char name[32];
char hw_ver[16];
char model_desc[32];
char drv_version[32];
char fwrev_str[32];
uint32_t optrom_ver;
uint32_t fwrev;
uint32_t tp_vers;
char chip_ver;
Reported by FlawFinder.
Line: 503
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char hw_ver[16];
char model_desc[32];
char drv_version[32];
char fwrev_str[32];
uint32_t optrom_ver;
uint32_t fwrev;
uint32_t tp_vers;
char chip_ver;
uint16_t chip_id; /* Tells T4/T5 chip */
Reported by FlawFinder.
drivers/remoteproc/qcom_q6v5_mss.c
8 issues
Line: 421
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
if (SZ_1M + dp_fw->size <= qproc->mba_size) {
memcpy(mba_region + SZ_1M, dp_fw->data, dp_fw->size);
qproc->dp_size = dp_fw->size;
}
release_firmware(dp_fw);
}
Reported by FlawFinder.
Line: 446
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EBUSY;
}
memcpy(mba_region, fw->data, fw->size);
q6v5_debug_policy_load(qproc, mba_region);
memunmap(mba_region);
return 0;
}
Reported by FlawFinder.
Line: 570
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data = vmalloc(MBA_LOG_SIZE);
if (data) {
memcpy(data, mba_region, MBA_LOG_SIZE);
dev_coredumpv(&rproc->dev, data, MBA_LOG_SIZE, GFP_KERNEL);
}
memunmap(mba_region);
}
Reported by FlawFinder.
Line: 842
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(ptr, metadata, size);
/* Hypervisor mapping to access metadata by modem */
mdata_perm = BIT(QCOM_SCM_VMID_HLOS);
ret = q6v5_xfer_mem_ownership(qproc, &mdata_perm, false, true,
phys, size);
Reported by FlawFinder.
Line: 1240
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto release_firmware;
}
memcpy(ptr, fw->data + phdr->p_offset, phdr->p_filesz);
} else if (phdr->p_filesz) {
/* Replace "xxx.xxx" with "xxx.bxx" */
sprintf(fw_name + fw_name_len - 3, "b%02d", i);
ret = request_firmware_into_buf(&seg_fw, fw_name, qproc->dev,
ptr, phdr->p_filesz);
Reported by FlawFinder.
Line: 1243
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
memcpy(ptr, fw->data + phdr->p_offset, phdr->p_filesz);
} else if (phdr->p_filesz) {
/* Replace "xxx.xxx" with "xxx.bxx" */
sprintf(fw_name + fw_name_len - 3, "b%02d", i);
ret = request_firmware_into_buf(&seg_fw, fw_name, qproc->dev,
ptr, phdr->p_filesz);
if (ret) {
dev_err(qproc->dev, "failed to load %s\n", fw_name);
memunmap(ptr);
Reported by FlawFinder.
Line: 1339
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr = memremap(qproc->mpss_phys + offset + cp_offset, size, MEMREMAP_WC);
if (ptr) {
memcpy(dest, ptr, size);
memunmap(ptr);
} else {
memset(dest, 0xff, size);
}
Reported by FlawFinder.
Line: 1140
Column: 16
CWE codes:
126
int ret;
int i;
fw_name_len = strlen(qproc->hexagon_mdt_image);
if (fw_name_len <= 4)
return -EINVAL;
fw_name = kstrdup(qproc->hexagon_mdt_image, GFP_KERNEL);
if (!fw_name)
Reported by FlawFinder.
drivers/net/dsa/mv88e6xxx/chip.h
8 issues
Line: 262
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool mirror_ingress;
bool mirror_egress;
unsigned int serdes_irq;
char serdes_irq_name[64];
struct devlink_region *region;
};
enum mv88e6xxx_region_id {
MV88E6XXX_REGION_GLOBAL1 = 0,
Reported by FlawFinder.
Line: 337
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mv88e6xxx_irq g1_irq;
struct mv88e6xxx_irq g2_irq;
int irq;
char irq_name[64];
int device_irq;
char device_irq_name[64];
int watchdog_irq;
char watchdog_irq_name[64];
Reported by FlawFinder.
Line: 339
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int irq;
char irq_name[64];
int device_irq;
char device_irq_name[64];
int watchdog_irq;
char watchdog_irq_name[64];
int atu_prob_irq;
char atu_prob_irq_name[64];
Reported by FlawFinder.
Line: 341
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int device_irq;
char device_irq_name[64];
int watchdog_irq;
char watchdog_irq_name[64];
int atu_prob_irq;
char atu_prob_irq_name[64];
int vtu_prob_irq;
char vtu_prob_irq_name[64];
Reported by FlawFinder.
Line: 344
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char watchdog_irq_name[64];
int atu_prob_irq;
char atu_prob_irq_name[64];
int vtu_prob_irq;
char vtu_prob_irq_name[64];
struct kthread_worker *kworker;
struct kthread_delayed_work irq_poll_work;
Reported by FlawFinder.
Line: 346
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int atu_prob_irq;
char atu_prob_irq_name[64];
int vtu_prob_irq;
char vtu_prob_irq_name[64];
struct kthread_worker *kworker;
struct kthread_delayed_work irq_poll_work;
/* GPIO resources */
u8 gpio_data[2];
Reported by FlawFinder.
Line: 682
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define STATS_TYPE_BANK1 BIT(2)
struct mv88e6xxx_hw_stat {
char string[ETH_GSTRING_LEN];
size_t size;
int reg;
int type;
};
Reported by FlawFinder.
Line: 383
Column: 8
CWE codes:
120
20
};
struct mv88e6xxx_bus_ops {
int (*read)(struct mv88e6xxx_chip *chip, int addr, int reg, u16 *val);
int (*write)(struct mv88e6xxx_chip *chip, int addr, int reg, u16 val);
};
struct mv88e6xxx_mdio_bus {
struct mii_bus *bus;
Reported by FlawFinder.