The following issues were found
drivers/net/ethernet/broadcom/b44.c
8 issues
Line: 2287
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
bp->phy_addr);
bp->phy_addr = 0;
snprintf(bus_id, sizeof(bus_id), PHY_ID_FMT, "fixed-0",
bp->phy_addr);
} else {
snprintf(bus_id, sizeof(bus_id), PHY_ID_FMT, mii_bus->id,
bp->phy_addr);
}
Reported by FlawFinder.
Line: 2290
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
snprintf(bus_id, sizeof(bus_id), PHY_ID_FMT, "fixed-0",
bp->phy_addr);
} else {
snprintf(bus_id, sizeof(bus_id), PHY_ID_FMT, mii_bus->id,
bp->phy_addr);
}
phydev = phy_connect(bp->dev, bus_id, &b44_adjust_link,
PHY_INTERFACE_MODE_MII);
Reported by FlawFinder.
Line: 404
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <linux/bcm47xx_nvram.h>
static void b44_wap54g10_workaround(struct b44 *bp)
{
char buf[20];
u32 val;
int err;
/*
* workaround for bad hardware design in Linksys WAP54G v1.0
Reported by FlawFinder.
Line: 1386
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!is_valid_ether_addr(addr->sa_data))
return -EINVAL;
memcpy(dev->dev_addr, addr->sa_data, dev->addr_len);
spin_lock_irq(&bp->lock);
val = br32(bp, B44_RXCONFIG);
if (!(val & RXCONFIG_CAM_ABSENT))
Reported by FlawFinder.
Line: 1745
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
val |= RXCONFIG_PROMISC;
bw32(bp, B44_RXCONFIG, val);
} else {
unsigned char zero[6] = {0, 0, 0, 0, 0, 0};
int i = 1;
__b44_set_mac_addr(bp);
if ((dev->flags & IFF_ALLMULTI) ||
Reported by FlawFinder.
Line: 2048
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
switch(stringset) {
case ETH_SS_STATS:
memcpy(data, *b44_gstrings, sizeof(b44_gstrings));
break;
}
}
static int b44_get_sset_count(struct net_device *dev, int sset)
Reported by FlawFinder.
Line: 2174
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* valid PHY address. */
bp->phy_addr &= 0x1F;
memcpy(bp->dev->dev_addr, addr, ETH_ALEN);
if (!is_valid_ether_addr(&bp->dev->dev_addr[0])){
pr_err("Invalid MAC address found in EEPROM\n");
return -EINVAL;
}
Reported by FlawFinder.
Line: 2252
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mii_bus *mii_bus;
struct ssb_device *sdev = bp->sdev;
struct phy_device *phydev;
char bus_id[MII_BUS_ID_SIZE + 3];
struct ssb_sprom *sprom = &sdev->bus->sprom;
int err;
mii_bus = mdiobus_alloc();
if (!mii_bus) {
Reported by FlawFinder.
drivers/media/usb/ttusb-dec/ttusbdecfe.c
8 issues
Line: 87
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
0x00, 0x00, 0x00, 0xff };
__be32 freq = htonl(p->frequency / 1000);
memcpy(&b[4], &freq, sizeof (u32));
state->config->send_command(fe, 0x71, sizeof(b), b, NULL, NULL);
return 0;
}
Reported by FlawFinder.
Line: 125
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
freq = htonl(p->frequency +
(state->hi_band ? LOF_HI : LOF_LO));
memcpy(&b[4], &freq, sizeof(u32));
sym_rate = htonl(p->symbol_rate);
memcpy(&b[12], &sym_rate, sizeof(u32));
band = htonl(state->hi_band ? LOF_HI : LOF_LO);
memcpy(&b[24], &band, sizeof(u32));
lnb_voltage = htonl(state->voltage);
Reported by FlawFinder.
Line: 127
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(state->hi_band ? LOF_HI : LOF_LO));
memcpy(&b[4], &freq, sizeof(u32));
sym_rate = htonl(p->symbol_rate);
memcpy(&b[12], &sym_rate, sizeof(u32));
band = htonl(state->hi_band ? LOF_HI : LOF_LO);
memcpy(&b[24], &band, sizeof(u32));
lnb_voltage = htonl(state->voltage);
memcpy(&b[28], &lnb_voltage, sizeof(u32));
Reported by FlawFinder.
Line: 129
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sym_rate = htonl(p->symbol_rate);
memcpy(&b[12], &sym_rate, sizeof(u32));
band = htonl(state->hi_band ? LOF_HI : LOF_LO);
memcpy(&b[24], &band, sizeof(u32));
lnb_voltage = htonl(state->voltage);
memcpy(&b[28], &lnb_voltage, sizeof(u32));
state->config->send_command(fe, 0x71, sizeof(b), b, NULL, NULL);
Reported by FlawFinder.
Line: 131
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
band = htonl(state->hi_band ? LOF_HI : LOF_LO);
memcpy(&b[24], &band, sizeof(u32));
lnb_voltage = htonl(state->voltage);
memcpy(&b[28], &lnb_voltage, sizeof(u32));
state->config->send_command(fe, 0x71, sizeof(b), b, NULL, NULL);
return 0;
}
Reported by FlawFinder.
Line: 148
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cmd->msg_len > sizeof(b) - 4)
return -EINVAL;
memcpy(&b[4], cmd->msg, cmd->msg_len);
state->config->send_command(fe, 0x72,
sizeof(b) - (6 - cmd->msg_len), b,
NULL, NULL);
Reported by FlawFinder.
Line: 209
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
state->config = config;
/* create dvb_frontend */
memcpy(&state->frontend.ops, &ttusbdecfe_dvbt_ops, sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
return &state->frontend;
}
static const struct dvb_frontend_ops ttusbdecfe_dvbs_ops;
Reported by FlawFinder.
Line: 231
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
state->hi_band = 0;
/* create dvb_frontend */
memcpy(&state->frontend.ops, &ttusbdecfe_dvbs_ops, sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
return &state->frontend;
}
static const struct dvb_frontend_ops ttusbdecfe_dvbt_ops = {
Reported by FlawFinder.
drivers/md/dm-sysfs.c
8 issues
Line: 88
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t dm_attr_suspended_show(struct mapped_device *md, char *buf)
{
sprintf(buf, "%d\n", dm_suspended_md(md));
return strlen(buf);
}
static ssize_t dm_attr_use_blk_mq_show(struct mapped_device *md, char *buf)
Reported by FlawFinder.
Line: 96
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t dm_attr_use_blk_mq_show(struct mapped_device *md, char *buf)
{
/* Purely for userspace compatibility */
sprintf(buf, "%d\n", true);
return strlen(buf);
}
static DM_ATTR_RO(name);
Reported by FlawFinder.
Line: 73
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (dm_copy_name_and_uuid(md, buf, NULL))
return -EIO;
strcat(buf, "\n");
return strlen(buf);
}
static ssize_t dm_attr_uuid_show(struct mapped_device *md, char *buf)
{
Reported by FlawFinder.
Line: 74
Column: 9
CWE codes:
126
return -EIO;
strcat(buf, "\n");
return strlen(buf);
}
static ssize_t dm_attr_uuid_show(struct mapped_device *md, char *buf)
{
if (dm_copy_name_and_uuid(md, NULL, buf))
Reported by FlawFinder.
Line: 82
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (dm_copy_name_and_uuid(md, NULL, buf))
return -EIO;
strcat(buf, "\n");
return strlen(buf);
}
static ssize_t dm_attr_suspended_show(struct mapped_device *md, char *buf)
{
Reported by FlawFinder.
Line: 83
Column: 9
CWE codes:
126
return -EIO;
strcat(buf, "\n");
return strlen(buf);
}
static ssize_t dm_attr_suspended_show(struct mapped_device *md, char *buf)
{
sprintf(buf, "%d\n", dm_suspended_md(md));
Reported by FlawFinder.
Line: 90
Column: 9
CWE codes:
126
{
sprintf(buf, "%d\n", dm_suspended_md(md));
return strlen(buf);
}
static ssize_t dm_attr_use_blk_mq_show(struct mapped_device *md, char *buf)
{
/* Purely for userspace compatibility */
Reported by FlawFinder.
Line: 98
Column: 9
CWE codes:
126
/* Purely for userspace compatibility */
sprintf(buf, "%d\n", true);
return strlen(buf);
}
static DM_ATTR_RO(name);
static DM_ATTR_RO(uuid);
static DM_ATTR_RO(suspended);
Reported by FlawFinder.
drivers/net/ethernet/atheros/atlx/atl1.c
8 issues
Line: 457
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*(u32 *) ð_addr[2] = swab32(addr[0]);
*(u16 *) ð_addr[0] = swab16(*(u16 *) &addr[1]);
if (is_valid_ether_addr(eth_addr)) {
memcpy(hw->perm_mac_addr, eth_addr, ETH_ALEN);
return 0;
}
}
/* see if SPI FLAGS exist ? */
Reported by FlawFinder.
Line: 490
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*(u32 *) ð_addr[2] = swab32(addr[0]);
*(u16 *) ð_addr[0] = swab16(*(u16 *) &addr[1]);
if (is_valid_ether_addr(eth_addr)) {
memcpy(hw->perm_mac_addr, eth_addr, ETH_ALEN);
return 0;
}
/*
* On some motherboards, the MAC address is written by the
Reported by FlawFinder.
Line: 505
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*(u32 *) ð_addr[2] = swab32(addr[0]);
*(u16 *) ð_addr[0] = swab16(*(u16 *) &addr[1]);
if (is_valid_ether_addr(eth_addr)) {
memcpy(hw->perm_mac_addr, eth_addr, ETH_ALEN);
return 0;
}
return 1;
}
Reported by FlawFinder.
Line: 2301
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buffer_info = &tpd_ring->buffer_info[next_to_use];
tpd = ATL1_TPD_DESC(&adapter->tpd_ring, next_to_use);
if (tpd != ptpd)
memcpy(tpd, ptpd, sizeof(struct tx_packet_desc));
tpd->buffer_addr = cpu_to_le64(buffer_info->dma);
tpd->word2 &= ~(TPD_BUFLEN_MASK << TPD_BUFLEN_SHIFT);
tpd->word2 |= (cpu_to_le16(buffer_info->length) &
TPD_BUFLEN_MASK) << TPD_BUFLEN_SHIFT;
Reported by FlawFinder.
Line: 3030
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* mark random mac */
netdev->addr_assign_type = NET_ADDR_RANDOM;
}
memcpy(netdev->dev_addr, adapter->hw.mac_addr, netdev->addr_len);
if (!is_valid_ether_addr(netdev->dev_addr)) {
err = -EIO;
goto err_common;
}
Reported by FlawFinder.
Line: 3103
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
if (!ether_addr_equal_unaligned(adapter->hw.mac_addr,
adapter->hw.perm_mac_addr)) {
memcpy(adapter->hw.mac_addr, adapter->hw.perm_mac_addr,
ETH_ALEN);
atl1_set_mac_addr(&adapter->hw);
}
iowrite16(0, adapter->hw.hw_addr + REG_PHY_ENABLE);
Reported by FlawFinder.
Line: 3126
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct atl1_stats {
char stat_string[ETH_GSTRING_LEN];
int sizeof_stat;
int stat_offset;
};
#define ATL1_STAT(m) \
Reported by FlawFinder.
Line: 3580
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (stringset) {
case ETH_SS_STATS:
for (i = 0; i < ARRAY_SIZE(atl1_gstrings_stats); i++) {
memcpy(p, atl1_gstrings_stats[i].stat_string,
ETH_GSTRING_LEN);
p += ETH_GSTRING_LEN;
}
break;
}
Reported by FlawFinder.
drivers/net/ethernet/chelsio/cxgb3/t3_hw.c
8 issues
Line: 686
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int vpdstrtouint(char *s, u8 len, unsigned int base, unsigned int *val)
{
char tok[256];
memcpy(tok, s, len);
tok[len] = 0;
return kstrtouint(strim(tok), base, val);
}
Reported by FlawFinder.
Line: 688
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
char tok[256];
memcpy(tok, s, len);
tok[len] = 0;
return kstrtouint(strim(tok), base, val);
}
static int vpdstrtou16(char *s, u8 len, unsigned int base, u16 *val)
Reported by FlawFinder.
Line: 695
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int vpdstrtou16(char *s, u8 len, unsigned int base, u16 *val)
{
char tok[256];
memcpy(tok, s, len);
tok[len] = 0;
return kstrtou16(strim(tok), base, val);
}
Reported by FlawFinder.
Line: 697
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
char tok[256];
memcpy(tok, s, len);
tok[len] = 0;
return kstrtou16(strim(tok), base, val);
}
/**
Reported by FlawFinder.
Line: 745
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = vpdstrtouint(vpd.mt_data, vpd.mt_len, 10, &p->mem_timing);
if (ret)
return ret;
memcpy(p->sn, vpd.sn_data, SERNUM_LEN);
/* Old eeproms didn't have port information */
if (adapter->params.rev == 0 && !vpd.port0_data[0]) {
p->port_type[0] = uses_xaui(adapter) ? 1 : 2;
p->port_type[1] = uses_xaui(adapter) ? 6 : 2;
Reported by FlawFinder.
Line: 3174
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char ActToPreDly;
unsigned char ActToRdWrDly;
unsigned char PreCyc;
unsigned char RefCyc[5];
unsigned char BkCyc;
unsigned char WrToRdDly;
unsigned char RdToWrDly;
};
Reported by FlawFinder.
Line: 3758
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* card. A port's address is derived from the base by adding
* the port's index to the base's low octet.
*/
memcpy(hw_addr, adapter->params.vpd.eth_base, 5);
hw_addr[5] = adapter->params.vpd.eth_base[5] + i;
memcpy(adapter->port[i]->dev_addr, hw_addr,
ETH_ALEN);
init_link_config(&p->link_config, p->phy.caps);
Reported by FlawFinder.
Line: 3761
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(hw_addr, adapter->params.vpd.eth_base, 5);
hw_addr[5] = adapter->params.vpd.eth_base[5] + i;
memcpy(adapter->port[i]->dev_addr, hw_addr,
ETH_ALEN);
init_link_config(&p->link_config, p->phy.caps);
p->phy.ops->power_down(&p->phy, 1);
/*
Reported by FlawFinder.
drivers/misc/enclosure.c
8 issues
Line: 187
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
static void enclosure_link_name(struct enclosure_component *cdev, char *name)
{
strcpy(name, "enclosure_device:");
strcat(name, dev_name(&cdev->cdev));
}
static void enclosure_remove_links(struct enclosure_component *cdev)
{
char name[ENCLOSURE_NAME_SIZE];
Reported by FlawFinder.
Line: 186
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
static void enclosure_link_name(struct enclosure_component *cdev, char *name)
{
strcpy(name, "enclosure_device:");
strcat(name, dev_name(&cdev->cdev));
}
static void enclosure_remove_links(struct enclosure_component *cdev)
{
Reported by FlawFinder.
Line: 192
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void enclosure_remove_links(struct enclosure_component *cdev)
{
char name[ENCLOSURE_NAME_SIZE];
enclosure_link_name(cdev, name);
/*
* In odd circumstances, like multipath devices, something else may
Reported by FlawFinder.
Line: 210
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int enclosure_add_links(struct enclosure_component *cdev)
{
int error;
char name[ENCLOSURE_NAME_SIZE];
error = sysfs_create_link(&cdev->cdev.kobj, &cdev->dev->kobj, "device");
if (error)
return error;
Reported by FlawFinder.
Line: 289
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct enclosure_component *ecomp;
struct device *cdev;
int i;
char newname[COMPONENT_NAME_SIZE];
if (number >= edev->components)
return ERR_PTR(-EINVAL);
ecomp = &edev->component[number];
Reported by FlawFinder.
Line: 521
Column: 8
CWE codes:
126
for (i = 0; enclosure_status[i]; i++) {
if (strncmp(buf, enclosure_status[i],
strlen(enclosure_status[i])) == 0 &&
(buf[strlen(enclosure_status[i])] == '\n' ||
buf[strlen(enclosure_status[i])] == '\0'))
break;
}
Reported by FlawFinder.
Line: 522
Column: 12
CWE codes:
126
for (i = 0; enclosure_status[i]; i++) {
if (strncmp(buf, enclosure_status[i],
strlen(enclosure_status[i])) == 0 &&
(buf[strlen(enclosure_status[i])] == '\n' ||
buf[strlen(enclosure_status[i])] == '\0'))
break;
}
if (enclosure_status[i] && edev->cb->set_status) {
Reported by FlawFinder.
Line: 523
Column: 12
CWE codes:
126
if (strncmp(buf, enclosure_status[i],
strlen(enclosure_status[i])) == 0 &&
(buf[strlen(enclosure_status[i])] == '\n' ||
buf[strlen(enclosure_status[i])] == '\0'))
break;
}
if (enclosure_status[i] && edev->cb->set_status) {
edev->cb->set_status(edev, ecomp, i);
Reported by FlawFinder.
drivers/media/radio/si4713/si4713.c
8 issues
Line: 95
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define DBG_BUFFER(device, message, buffer, size) \
{ \
int i; \
char str[(size)*5]; \
for (i = 0; i < size; i++) \
sprintf(str + i * 5, " 0x%02x", buffer[i]); \
v4l2_dbg(2, debug, device, "%s:%s\n", message, str); \
}
#else
Reported by FlawFinder.
Line: 97
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int i; \
char str[(size)*5]; \
for (i = 0; i < size; i++) \
sprintf(str + i * 5, " 0x%02x", buffer[i]); \
v4l2_dbg(2, debug, device, "%s:%s\n", message, str); \
}
#else
#define DBG_BUFFER(device, message, buffer, size)
#endif
Reported by FlawFinder.
Line: 207
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* First send the command and its arguments */
data1[0] = command;
memcpy(data1 + 1, args, argn);
DBG_BUFFER(&sdev->sd, "Parameters", data1, argn + 1);
err = i2c_master_send(client, data1, argn + 1);
if (err != argn + 1) {
v4l2_err(&sdev->sd, "Error while sending command 0x%02x\n",
Reported by FlawFinder.
Line: 850
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int si4713_set_rds_radio_text(struct si4713_device *sdev, const char *rt)
{
static const char cr[RDS_RADIOTEXT_BLK_SIZE] = { RDS_CARRIAGE_RETURN, 0 };
int rval = 0, i;
u16 t_index = 0;
u8 b_index = 0, cr_inserted = 0;
s8 left;
Reported by FlawFinder.
Line: 814
Column: 7
CWE codes:
126
u8 len = 0;
/* We want to clear the whole thing */
if (!strlen(ps_name))
memset(ps_name, 0, MAX_RDS_PS_NAME + 1);
if (sdev->power_state) {
/* Write the new ps name and clear the padding */
for (i = 0; i < MAX_RDS_PS_NAME; i += (RDS_BLOCK / 2)) {
Reported by FlawFinder.
Line: 827
Column: 7
CWE codes:
126
}
/* Setup the size to be sent */
if (strlen(ps_name))
len = strlen(ps_name) - 1;
else
len = 1;
rval = si4713_write_property(sdev,
Reported by FlawFinder.
Line: 828
Column: 10
CWE codes:
126
/* Setup the size to be sent */
if (strlen(ps_name))
len = strlen(ps_name) - 1;
else
len = 1;
rval = si4713_write_property(sdev,
SI4713_TX_RDS_PS_MESSAGE_COUNT,
Reported by FlawFinder.
Line: 863
Column: 7
CWE codes:
126
if (rval < 0)
return rval;
if (!strlen(rt))
return rval;
do {
/* RDS spec says that if the last block isn't used,
* then apply a carriage return
Reported by FlawFinder.
drivers/media/radio/wl128x/fmdrv_common.c
8 issues
Line: 1348
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
fmdbg("ASIC ID: 0x%x , ASIC Version: %d\n",
be16_to_cpu(asic_id), be16_to_cpu(asic_ver));
sprintf(fw_name, "%s_%x.%d.bts", FM_FMC_FW_FILE_START,
be16_to_cpu(asic_id), be16_to_cpu(asic_ver));
ret = fm_download_firmware(fmdev, fw_name);
if (ret < 0) {
fmdbg("Failed to download firmware file %s\n", fw_name);
Reported by FlawFinder.
Line: 1356
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
fmdbg("Failed to download firmware file %s\n", fw_name);
goto rel;
}
sprintf(fw_name, "%s_%x.%d.bts", (mode == FM_MODE_RX) ?
FM_RX_FW_FILE_START : FM_TX_FW_FILE_START,
be16_to_cpu(asic_id), be16_to_cpu(asic_ver));
ret = fm_download_firmware(fmdev, fw_name);
if (ret < 0) {
Reported by FlawFinder.
Line: 489
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
evt_hdr->dlen <= payload_len) {
/* Skip header info and copy only response data */
skb_pull(skb, sizeof(struct fm_event_msg_hdr));
memcpy(response, skb->data, evt_hdr->dlen);
*response_len = evt_hdr->dlen;
} else if (response_len != NULL && evt_hdr->dlen == 0) {
*response_len = 0;
}
kfree_skb(skb);
Reported by FlawFinder.
Line: 585
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Skip header info and copy only response data */
skb_pull(skb, sizeof(struct fm_event_msg_hdr));
memcpy(&fmdev->irq_info.flag, skb->data, fm_evt_hdr->dlen);
fmdev->irq_info.flag = be16_to_cpu((__force __be16)fmdev->irq_info.flag);
fmdbg("irq: flag register(0x%x)\n", fmdev->irq_info.flag);
/* Continue next function in interrupt handler table */
Reported by FlawFinder.
Line: 741
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
idx = array_index_nospec(blk_idx * (FM_RDS_BLK_SIZE - 1),
FM_RX_RDS_INFO_FIELD_MAX - (FM_RDS_BLK_SIZE - 1));
memcpy(&rds_fmt.data.groupdatabuff.buff[idx], rds_data,
FM_RDS_BLK_SIZE - 1);
rds->last_blk_idx = blk_idx;
/* If completed a whole group then handle it */
Reported by FlawFinder.
Line: 794
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tmpbuf[0] = rds_data[0];
tmpbuf[1] = rds_data[1];
memcpy(&rds->buff[rds->wr_idx], &tmpbuf, FM_RDS_BLK_SIZE);
rds->wr_idx = (rds->wr_idx + FM_RDS_BLK_SIZE) % rds->buf_size;
/* Check for overflow & start over */
if (rds->wr_idx == rds->rd_idx) {
fmdbg("RDS buffer overflow\n");
Reported by FlawFinder.
Line: 1090
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_unlock_irqrestore(&fmdev->rds_buff_lock, flags);
break;
}
memcpy(tmpbuf, &fmdev->rx.rds.buff[fmdev->rx.rds.rd_idx],
FM_RDS_BLK_SIZE);
fmdev->rx.rds.rd_idx += FM_RDS_BLK_SIZE;
if (fmdev->rx.rds.rd_idx >= fmdev->rx.rds.buf_size)
fmdev->rx.rds.rd_idx = 0;
Reported by FlawFinder.
Line: 1456
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
memcpy(skb_push(skb, 1), &skb->cb[0], 1);
skb_queue_tail(&fmdev->rx_q, skb);
tasklet_schedule(&fmdev->rx_task);
return 0;
}
Reported by FlawFinder.
drivers/mtd/nand/raw/nand_base.c
8 issues
Line: 2779
CWE codes:
476
memset(ecc, 0xff, ecclen);
if (extraoob_bitflips)
memset(extraoob, 0xff, extraooblen);
return data_bitflips + ecc_bitflips + extraoob_bitflips;
}
EXPORT_SYMBOL(nand_check_erased_ecc_chunk);
Reported by Cppcheck.
Line: 397
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case MTD_OPS_PLACE_OOB:
case MTD_OPS_RAW:
memcpy(chip->oob_poi + ops->ooboffs, oob, len);
return oob + len;
case MTD_OPS_AUTO_OOB:
ret = mtd_ooblayout_set_databytes(mtd, oob, chip->oob_poi,
ops->ooboffs, len);
Reported by FlawFinder.
Line: 2865
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
if (buf != chip->data_buf)
memcpy(buf, read_buf, mtd->writesize);
return 0;
}
EXPORT_SYMBOL(nand_monolithic_read_page_raw);
Reported by FlawFinder.
Line: 3272
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case MTD_OPS_PLACE_OOB:
case MTD_OPS_RAW:
memcpy(oob, chip->oob_poi + ops->ooboffs, len);
return oob + len;
case MTD_OPS_AUTO_OOB:
ret = mtd_ooblayout_get_databytes(mtd, oob, chip->oob_poi,
ops->ooboffs, len);
Reported by FlawFinder.
Line: 3420
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Invalidate page cache */
chip->pagecache.page = -1;
}
memcpy(buf, bufpoi + col, bytes);
}
if (unlikely(oob)) {
int toread = min(oobreadlen, max_oobsize);
Reported by FlawFinder.
Line: 3455
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf += bytes;
max_bitflips = max_t(unsigned int, max_bitflips, ret);
} else {
memcpy(buf, chip->data_buf + col, bytes);
buf += bytes;
max_bitflips = max_t(unsigned int, max_bitflips,
chip->pagecache.bitflips);
}
Reported by FlawFinder.
Line: 3845
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buf != chip->data_buf) {
write_buf = nand_get_data_buf(chip);
memcpy(write_buf, buf, mtd->writesize);
}
}
return nand_prog_page_op(chip, page, 0, write_buf, size);
}
Reported by FlawFinder.
Line: 4259
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bytes = min_t(int, bytes - column, writelen);
wbuf = nand_get_data_buf(chip);
memset(wbuf, 0xff, mtd->writesize);
memcpy(&wbuf[column], buf, bytes);
}
if (unlikely(oob)) {
size_t len = min(oobwritelen, oobmaxlen);
oob = nand_fill_oob(chip, oob, len, ops);
Reported by FlawFinder.
drivers/md/raid1.c
8 issues
Line: 192
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (resync_alloc_pages(rp, gfp_flags))
goto out_free_pages;
} else {
memcpy(rp, &rps[0], sizeof(*rp));
resync_get_all_pages(rp);
}
rp->raid_bio = r1_bio;
bio->bi_private = rp;
Reported by FlawFinder.
Line: 401
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
* oops, read error:
*/
char b[BDEVNAME_SIZE];
pr_err_ratelimited("md/raid1:%s: %s: rescheduling sector %llu\n",
mdname(conf->mddev),
bdevname(rdev->bdev, b),
(unsigned long long)r1_bio->sector);
set_bit(R1BIO_ReadError, &r1_bio->state);
Reported by FlawFinder.
Line: 1214
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int max_sectors;
int rdisk;
bool r1bio_existed = !!r1_bio;
char b[BDEVNAME_SIZE];
/*
* If r1_bio is set, we are blocking the raid1d thread
* so there is a tiny risk of deadlock. So ask for
* emergency memory if needed.
Reported by FlawFinder.
Line: 1231
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (rdev)
bdevname(rdev->bdev, b);
else
strcpy(b, "???");
rcu_read_unlock();
}
/*
* Still need barrier for READ in case that whole
Reported by FlawFinder.
Line: 1602
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void raid1_error(struct mddev *mddev, struct md_rdev *rdev)
{
char b[BDEVNAME_SIZE];
struct r1conf *conf = mddev->private;
unsigned long flags;
/*
* If it is not operational, then we have already marked it as dead
Reported by FlawFinder.
Line: 1656
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
rcu_read_lock();
for (i = 0; i < conf->raid_disks; i++) {
char b[BDEVNAME_SIZE];
struct md_rdev *rdev = rcu_dereference(conf->mirrors[i].rdev);
if (rdev)
pr_debug(" disk %d, wo:%d, o:%d, dev:%s\n",
i, !test_bit(In_sync, &rdev->flags),
!test_bit(Faulty, &rdev->flags),
Reported by FlawFinder.
Line: 2023
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} while (!success && d != r1_bio->read_disk);
if (!success) {
char b[BDEVNAME_SIZE];
int abort = 0;
/* Cannot read from anywhere, this block is lost.
* Record a bad block on each device. If that doesn't
* work just disable and interrupt the recovery.
* Don't fail devices as that won't really help.
Reported by FlawFinder.
Line: 2301
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
d = start;
while (d != read_disk) {
char b[BDEVNAME_SIZE];
if (d==0)
d = conf->raid_disks * 2;
d--;
rcu_read_lock();
rdev = rcu_dereference(conf->mirrors[d].rdev);
Reported by FlawFinder.