The following issues were found
drivers/net/wireless/intel/iwlwifi/dvm/rs.c
37 issues
Line: 732
CWE codes:
908
if (i >= 0)
mask = BIT(i);
for (; i >= 0; i--, mask >>= 1) {
if (rate_mask & mask) {
low = i;
break;
}
}
Reported by Cppcheck.
Line: 3112
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
lq_sta->active_legacy_rate);
desc += sprintf(buff+desc, "fixed rate 0x%X\n",
lq_sta->dbg_fixed_rate);
desc += sprintf(buff+desc, "valid_tx_ant %s%s%s\n",
(priv->nvm_data->valid_tx_ant & ANT_A) ? "ANT_A," : "",
(priv->nvm_data->valid_tx_ant & ANT_B) ? "ANT_B," : "",
(priv->nvm_data->valid_tx_ant & ANT_C) ? "ANT_C" : "");
desc += sprintf(buff+desc, "lq type %s\n",
(is_legacy(tbl->lq_type)) ? "legacy" : "HT");
Reported by FlawFinder.
Line: 3116
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
(priv->nvm_data->valid_tx_ant & ANT_A) ? "ANT_A," : "",
(priv->nvm_data->valid_tx_ant & ANT_B) ? "ANT_B," : "",
(priv->nvm_data->valid_tx_ant & ANT_C) ? "ANT_C" : "");
desc += sprintf(buff+desc, "lq type %s\n",
(is_legacy(tbl->lq_type)) ? "legacy" : "HT");
if (is_Ht(tbl->lq_type)) {
desc += sprintf(buff + desc, " %s",
(is_siso(tbl->lq_type)) ? "SISO" :
((is_mimo2(tbl->lq_type)) ? "MIMO2" : "MIMO3"));
Reported by FlawFinder.
Line: 3119
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
desc += sprintf(buff+desc, "lq type %s\n",
(is_legacy(tbl->lq_type)) ? "legacy" : "HT");
if (is_Ht(tbl->lq_type)) {
desc += sprintf(buff + desc, " %s",
(is_siso(tbl->lq_type)) ? "SISO" :
((is_mimo2(tbl->lq_type)) ? "MIMO2" : "MIMO3"));
desc += sprintf(buff + desc, " %s",
(tbl->is_ht40) ? "40MHz" : "20MHz");
desc += sprintf(buff + desc, " %s %s %s\n",
Reported by FlawFinder.
Line: 3122
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
desc += sprintf(buff + desc, " %s",
(is_siso(tbl->lq_type)) ? "SISO" :
((is_mimo2(tbl->lq_type)) ? "MIMO2" : "MIMO3"));
desc += sprintf(buff + desc, " %s",
(tbl->is_ht40) ? "40MHz" : "20MHz");
desc += sprintf(buff + desc, " %s %s %s\n",
(tbl->is_SGI) ? "SGI" : "",
(lq_sta->is_green) ? "GF enabled" : "",
(lq_sta->is_agg) ? "AGG on" : "");
Reported by FlawFinder.
Line: 3124
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
((is_mimo2(tbl->lq_type)) ? "MIMO2" : "MIMO3"));
desc += sprintf(buff + desc, " %s",
(tbl->is_ht40) ? "40MHz" : "20MHz");
desc += sprintf(buff + desc, " %s %s %s\n",
(tbl->is_SGI) ? "SGI" : "",
(lq_sta->is_green) ? "GF enabled" : "",
(lq_sta->is_agg) ? "AGG on" : "");
}
desc += sprintf(buff+desc, "last tx rate=0x%X\n",
Reported by FlawFinder.
Line: 3155
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
index = iwl_hwrate_to_plcp_idx(
le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags));
if (is_legacy(tbl->lq_type)) {
desc += sprintf(buff+desc, " rate[%d] 0x%X %smbps\n",
i, le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags),
iwl_rate_mcs[index].mbps);
} else {
desc += sprintf(buff+desc, " rate[%d] 0x%X %smbps (%s)\n",
i, le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags),
Reported by FlawFinder.
Line: 3159
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
i, le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags),
iwl_rate_mcs[index].mbps);
} else {
desc += sprintf(buff+desc, " rate[%d] 0x%X %smbps (%s)\n",
i, le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags),
iwl_rate_mcs[index].mbps, iwl_rate_mcs[index].mcs);
}
}
Reported by FlawFinder.
Line: 3191
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -ENOMEM;
for (i = 0; i < LQ_SIZE; i++) {
desc += sprintf(buff+desc,
"%s type=%d SGI=%d HT40=%d DUP=%d GF=%d\n"
"rate=0x%X\n",
lq_sta->active_tbl == i ? "*" : "x",
lq_sta->lq_info[i].lq_type,
lq_sta->lq_info[i].is_SGI,
Reported by FlawFinder.
Line: 1475
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
/* Set up search table to try other antenna */
memcpy(search_tbl, tbl, sz);
if (rs_toggle_antenna(valid_tx_ant,
&search_tbl->current_rate, search_tbl)) {
update_search_tbl_counter = 1;
rs_set_expected_tpt_table(lq_sta, search_tbl);
Reported by FlawFinder.
drivers/scsi/lpfc/lpfc_ct.c
37 issues
Line: 3756
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (c == 0) {
if (flag)
sprintf(fwrevision, "%d.%d%d (%s)",
b1, b2, b3, (char *)str);
else
sprintf(fwrevision, "%d.%d%d", b1,
b2, b3);
} else {
Reported by FlawFinder.
Line: 3763
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
b2, b3);
} else {
if (flag)
sprintf(fwrevision, "%d.%d%d%c%d (%s)",
b1, b2, b3, c,
b4, (char *)str);
else
sprintf(fwrevision, "%d.%d%d%c%d",
b1, b2, b3, c, b4);
Reported by FlawFinder.
Line: 1825
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
lpfc_vport_symbolic_node_name(struct lpfc_vport *vport, char *symbol,
size_t size)
{
char fwrev[FW_REV_STR_SIZE] = {0};
char tmp[MAXHOSTNAMELEN] = {0};
memset(symbol, 0, size);
scnprintf(tmp, sizeof(tmp), "Emulex %s", vport->phba->ModelName);
Reported by FlawFinder.
Line: 1826
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t size)
{
char fwrev[FW_REV_STR_SIZE] = {0};
char tmp[MAXHOSTNAMELEN] = {0};
memset(symbol, 0, size);
scnprintf(tmp, sizeof(tmp), "Emulex %s", vport->phba->ModelName);
if (strlcat(symbol, tmp, size) >= size)
Reported by FlawFinder.
Line: 2073
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
CtReq->CommandResponse.bits.CmdRsp =
cpu_to_be16(SLI_CTNS_RNN_ID);
CtReq->un.rnn.PortId = cpu_to_be32(vport->fc_myDID);
memcpy(CtReq->un.rnn.wwnn, &vport->fc_nodename,
sizeof(struct lpfc_name));
cmpl = lpfc_cmpl_ct_cmd_rnn_id;
break;
case SLI_CTNS_RSPN_ID:
Reported by FlawFinder.
Line: 2093
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vport->ct_flags &= ~FC_CT_RSNN_NN;
CtReq->CommandResponse.bits.CmdRsp =
cpu_to_be16(SLI_CTNS_RSNN_NN);
memcpy(CtReq->un.rsnn.wwnn, &vport->fc_nodename,
sizeof(struct lpfc_name));
size = sizeof(CtReq->un.rsnn.symbname);
CtReq->un.rsnn.len =
lpfc_vport_symbolic_node_name(vport,
CtReq->un.rsnn.symbname, size);
Reported by FlawFinder.
Line: 2446
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ae = &ad->AttrValue;
memset(ae, 0, sizeof(*ae));
memcpy(&ae->un.AttrWWN, &vport->fc_sparam.nodeName,
sizeof(struct lpfc_name));
size = FOURBYTES + sizeof(struct lpfc_name);
ad->AttrLen = cpu_to_be16(size);
ad->AttrType = cpu_to_be16(RHBA_NODENAME);
return size;
Reported by FlawFinder.
Line: 2743
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ae = &ad->AttrValue;
memset(ae, 0, sizeof(*ae));
memcpy(&ae->un.AttrWWN, &vport->fabric_nodename,
sizeof(struct lpfc_name));
size = FOURBYTES + sizeof(struct lpfc_name);
ad->AttrLen = cpu_to_be16(size);
ad->AttrType = cpu_to_be16(RHBA_FABRIC_WWNN);
return size;
Reported by FlawFinder.
Line: 3034
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ae = &ad->AttrValue;
memset(ae, 0, sizeof(*ae));
memcpy(&ae->un.AttrWWN, &vport->fc_sparam.nodeName,
sizeof(struct lpfc_name));
size = FOURBYTES + sizeof(struct lpfc_name);
ad->AttrLen = cpu_to_be16(size);
ad->AttrType = cpu_to_be16(RPRT_NODENAME);
return size;
Reported by FlawFinder.
Line: 3052
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ae = &ad->AttrValue;
memset(ae, 0, sizeof(*ae));
memcpy(&ae->un.AttrWWN, &vport->fc_sparam.portName,
sizeof(struct lpfc_name));
size = FOURBYTES + sizeof(struct lpfc_name);
ad->AttrLen = cpu_to_be16(size);
ad->AttrType = cpu_to_be16(RPRT_PORTNAME);
return size;
Reported by FlawFinder.
tools/testing/selftests/tc-testing/plugin-lib/valgrindPlugin.py
37 issues
Line: 13
Column: 1
from string import Template
import subprocess
import time
from TdcPlugin import TdcPlugin
from TdcResults import *
from tdc_config import *
def vp_extract_num_from_string(num_as_string_maybe_with_commas):
Reported by Pylint.
Line: 14
Column: 1
import subprocess
import time
from TdcPlugin import TdcPlugin
from TdcResults import *
from tdc_config import *
def vp_extract_num_from_string(num_as_string_maybe_with_commas):
return int(num_as_string_maybe_with_commas.replace(',',''))
Reported by Pylint.
Line: 16
Column: 1
from TdcPlugin import TdcPlugin
from TdcResults import *
from tdc_config import *
def vp_extract_num_from_string(num_as_string_maybe_with_commas):
return int(num_as_string_maybe_with_commas.replace(',',''))
class SubPlugin(TdcPlugin):
Reported by Pylint.
Line: 25
Column: 21
def __init__(self):
self.sub_class = 'valgrind/SubPlugin'
self.tap = ''
self._tsr = TestSuiteReport()
super().__init__()
def pre_suite(self, testcount, testidlist):
'''run commands before test_runner goes into a test loop'''
super().pre_suite(testcount, testidlist)
Reported by Pylint.
Line: 43
Column: 19
print('{}.post_suite'.format(self.sub_class))
#print('{}'.format(self.tap))
for xx in range(index - 1, self.testcount):
res = TestResult('{}-mem'.format(self.testidlist[xx]), 'Test skipped')
res.set_result(ResultState.skip)
res.set_errormsg('Skipped because of prior setup/teardown failure')
self._add_results(res)
if self.args.verbose < 4:
subprocess.check_output('rm -f vgnd-*.log', shell=True)
Reported by Pylint.
Line: 44
Column: 28
#print('{}'.format(self.tap))
for xx in range(index - 1, self.testcount):
res = TestResult('{}-mem'.format(self.testidlist[xx]), 'Test skipped')
res.set_result(ResultState.skip)
res.set_errormsg('Skipped because of prior setup/teardown failure')
self._add_results(res)
if self.args.verbose < 4:
subprocess.check_output('rm -f vgnd-*.log', shell=True)
Reported by Pylint.
Line: 88
Column: 31
cmdlist.insert(0, '--leak-check=full')
cmdlist.insert(0, '--log-file=vgnd-{}.log'.format(self.args.testid))
cmdlist.insert(0, '-v') # ask for summary of non-leak errors
cmdlist.insert(0, ENVIR['VALGRIND_BIN'])
else:
pass
if cmdform == 'str':
command = ' '.join(cmdlist)
Reported by Pylint.
Line: 105
Column: 15
if not self.args.valgrind:
return
res = TestResult('{}-mem'.format(self.args.testid),
'{} memory leak check'.format(self.args.test_name))
if self.args.test_skip:
res.set_result(ResultState.skip)
res.set_errormsg('Test case designated as skipped.')
self._add_results(res)
Reported by Pylint.
Line: 108
Column: 28
res = TestResult('{}-mem'.format(self.args.testid),
'{} memory leak check'.format(self.args.test_name))
if self.args.test_skip:
res.set_result(ResultState.skip)
res.set_errormsg('Test case designated as skipped.')
self._add_results(res)
return
self.definitely_lost_re = re.compile(
Reported by Pylint.
Line: 147
Column: 28
mem_results = ''
if (def_num > 0) or (ind_num > 0) or (pos_num > 0) or (nle_num > 0):
mem_results += 'not '
res.set_result(ResultState.fail)
res.set_failmsg('Memory leak detected')
res.append_failmsg(content)
else:
res.set_result(ResultState.success)
Reported by Pylint.
drivers/gpu/drm/amd/pm/amdgpu_pm.c
37 issues
Line: 607
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (size >= PAGE_SIZE)
size = PAGE_SIZE - 1;
memcpy(buf, table, size);
return size;
}
static ssize_t amdgpu_set_pp_table(struct device *dev,
Reported by FlawFinder.
Line: 799
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ret;
uint32_t parameter_size = 0;
long parameter[64];
char buf_cpy[128];
char *tmp_str;
char *sub_str;
const char delimiter[3] = {' ', '\n', '\0'};
uint32_t type;
Reported by FlawFinder.
Line: 802
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char buf_cpy[128];
char *tmp_str;
char *sub_str;
const char delimiter[3] = {' ', '\n', '\0'};
uint32_t type;
if (amdgpu_in_reset(adev))
return -EPERM;
if (adev->in_suspend && !adev->in_runpm)
Reported by FlawFinder.
Line: 830
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
return -EINVAL;
memcpy(buf_cpy, buf, count+1);
tmp_str = buf_cpy;
if ((type == PP_OD_EDIT_VDDC_CURVE) ||
(type == PP_OD_EDIT_VDDGFX_OFFSET))
Reported by FlawFinder.
Line: 1094
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long level;
char *sub_str = NULL;
char *tmp;
char buf_cpy[AMDGPU_MASK_BUF_MAX + 1];
const char delimiter[3] = {' ', '\n', '\0'};
size_t bytes;
*mask = 0;
Reported by FlawFinder.
Line: 1095
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *sub_str = NULL;
char *tmp;
char buf_cpy[AMDGPU_MASK_BUF_MAX + 1];
const char delimiter[3] = {' ', '\n', '\0'};
size_t bytes;
*mask = 0;
bytes = min(count, sizeof(buf_cpy) - 1);
Reported by FlawFinder.
Line: 1101
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*mask = 0;
bytes = min(count, sizeof(buf_cpy) - 1);
memcpy(buf_cpy, buf, bytes);
buf_cpy[bytes] = '\0';
tmp = buf_cpy;
while ((sub_str = strsep(&tmp, delimiter)) != NULL) {
if (strlen(sub_str)) {
ret = kstrtoul(sub_str, 0, &level);
Reported by FlawFinder.
Line: 1492
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct amdgpu_device *adev = drm_to_adev(ddev);
uint32_t parameter_size = 0;
long parameter[64];
char *sub_str, buf_cpy[128];
char *tmp_str;
uint32_t i = 0;
char tmp[2];
long int profile_mode = 0;
const char delimiter[3] = {' ', '\n', '\0'};
Reported by FlawFinder.
Line: 1495
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *sub_str, buf_cpy[128];
char *tmp_str;
uint32_t i = 0;
char tmp[2];
long int profile_mode = 0;
const char delimiter[3] = {' ', '\n', '\0'};
if (amdgpu_in_reset(adev))
return -EPERM;
Reported by FlawFinder.
Line: 1497
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint32_t i = 0;
char tmp[2];
long int profile_mode = 0;
const char delimiter[3] = {' ', '\n', '\0'};
if (amdgpu_in_reset(adev))
return -EPERM;
if (adev->in_suspend && !adev->in_runpm)
return -EPERM;
Reported by FlawFinder.
tools/testing/selftests/net/mptcp/pm_nl_ctl.c
37 issues
Line: 75
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fprintf(stderr, "netlink ext ack msg: %s\n",
(char *)RTA_DATA(attrs));
if (attrs->rta_type == NLMSGERR_ATTR_OFFS) {
memcpy(&off, RTA_DATA(attrs), 4);
fprintf(stderr, "netlink err off %d\n",
(int)off);
}
attrs = RTA_NEXT(attrs, len);
}
Reported by FlawFinder.
Line: 150
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int resolve_mptcp_pm_netlink(int fd)
{
char data[NLMSG_ALIGN(sizeof(struct nlmsghdr)) +
NLMSG_ALIGN(sizeof(struct genlmsghdr)) +
1024];
struct nlmsghdr *nh;
struct rtattr *rta;
int namelen;
Reported by FlawFinder.
Line: 166
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
namelen = strlen(MPTCP_PM_NAME) + 1;
rta->rta_type = CTRL_ATTR_FAMILY_NAME;
rta->rta_len = RTA_LENGTH(namelen);
memcpy(RTA_DATA(rta), MPTCP_PM_NAME, namelen);
off += NLMSG_ALIGN(rta->rta_len);
do_nl_req(fd, nh, off, sizeof(data));
return genl_parse_getfamily((void *)data);
}
Reported by FlawFinder.
Line: 175
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int add_addr(int fd, int pm_family, int argc, char *argv[])
{
char data[NLMSG_ALIGN(sizeof(struct nlmsghdr)) +
NLMSG_ALIGN(sizeof(struct genlmsghdr)) +
1024];
struct rtattr *rta, *nest;
struct nlmsghdr *nh;
u_int32_t flags = 0;
Reported by FlawFinder.
Line: 219
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rta = (void *)(data + off);
rta->rta_type = MPTCP_PM_ADDR_ATTR_FAMILY;
rta->rta_len = RTA_LENGTH(2);
memcpy(RTA_DATA(rta), &family, 2);
off += NLMSG_ALIGN(rta->rta_len);
for (arg = 3; arg < argc; arg++) {
if (!strcmp(argv[arg], "flags")) {
char *tok, *str;
Reported by FlawFinder.
Line: 247
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rta = (void *)(data + off);
rta->rta_type = MPTCP_PM_ADDR_ATTR_FLAGS;
rta->rta_len = RTA_LENGTH(4);
memcpy(RTA_DATA(rta), &flags, 4);
off += NLMSG_ALIGN(rta->rta_len);
} else if (!strcmp(argv[arg], "id")) {
if (++arg >= argc)
error(1, 0, " missing id value");
Reported by FlawFinder.
Line: 253
Column: 9
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
if (++arg >= argc)
error(1, 0, " missing id value");
id = atoi(argv[arg]);
rta = (void *)(data + off);
rta->rta_type = MPTCP_PM_ADDR_ATTR_ID;
rta->rta_len = RTA_LENGTH(1);
memcpy(RTA_DATA(rta), &id, 1);
off += NLMSG_ALIGN(rta->rta_len);
Reported by FlawFinder.
Line: 257
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rta = (void *)(data + off);
rta->rta_type = MPTCP_PM_ADDR_ATTR_ID;
rta->rta_len = RTA_LENGTH(1);
memcpy(RTA_DATA(rta), &id, 1);
off += NLMSG_ALIGN(rta->rta_len);
} else if (!strcmp(argv[arg], "dev")) {
int32_t ifindex;
if (++arg >= argc)
Reported by FlawFinder.
Line: 272
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rta = (void *)(data + off);
rta->rta_type = MPTCP_PM_ADDR_ATTR_IF_IDX;
rta->rta_len = RTA_LENGTH(4);
memcpy(RTA_DATA(rta), &ifindex, 4);
off += NLMSG_ALIGN(rta->rta_len);
} else if (!strcmp(argv[arg], "port")) {
u_int16_t port;
if (++arg >= argc)
Reported by FlawFinder.
Line: 282
Column: 11
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
if (!(flags & MPTCP_PM_ADDR_FLAG_SIGNAL))
error(1, 0, " flags must be signal when using port");
port = atoi(argv[arg]);
rta = (void *)(data + off);
rta->rta_type = MPTCP_PM_ADDR_ATTR_PORT;
rta->rta_len = RTA_LENGTH(2);
memcpy(RTA_DATA(rta), &port, 2);
off += NLMSG_ALIGN(rta->rta_len);
Reported by FlawFinder.
drivers/scsi/aacraid/aachba.c
37 issues
Line: 2909
CWE codes:
758
} else if (scsicmd->cmnd[2] == 0x83) {
/* vpd page 0x83 - Device Identification Page */
char *sno = (char *)&inq_data;
sno[3] = setinqserial(dev, &sno[4],
scmd_id(scsicmd));
if (aac_wwn != 2)
return aac_get_container_serial(
scsicmd);
scsicmd->result = DID_OK << 16 | SAM_STAT_GOOD;
Reported by Cppcheck.
Line: 546
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
++sp;
if (*sp) {
struct inquiry_data inq;
char d[sizeof(((struct inquiry_data *)NULL)->inqd_pid)];
int count = sizeof(d);
char *dp = d;
do {
*dp++ = (*sp) ? *sp++ : ' ';
} while (--count > 0);
Reported by FlawFinder.
Line: 554
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} while (--count > 0);
scsi_sg_copy_to_buffer(scsicmd, &inq, sizeof(inq));
memcpy(inq.inqd_pid, d, sizeof(d));
scsi_sg_copy_from_buffer(scsicmd, &inq, sizeof(inq));
}
}
scsicmd->result = DID_OK << 16 | SAM_STAT_GOOD;
Reported by FlawFinder.
Line: 835
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Local Structure to set SCSI inquiry data strings */
struct scsi_inq {
char vid[8]; /* Vendor ID */
char pid[16]; /* Product ID */
char prl[4]; /* Product Revision Level */
};
/**
Reported by FlawFinder.
Line: 836
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Local Structure to set SCSI inquiry data strings */
struct scsi_inq {
char vid[8]; /* Vendor ID */
char pid[16]; /* Product ID */
char prl[4]; /* Product Revision Level */
};
/**
* inqstrcpy - string merge
Reported by FlawFinder.
Line: 837
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct scsi_inq {
char vid[8]; /* Vendor ID */
char pid[16]; /* Product ID */
char prl[4]; /* Product Revision Level */
};
/**
* inqstrcpy - string merge
* @a: string to copy from
Reported by FlawFinder.
Line: 972
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
container++) {
if (scmd_id(scsicmd) == container) {
memcpy(vpdpage83data->type3.Identifier,
dev->fsa_dev[container].identifier,
16);
break;
}
}
Reported by FlawFinder.
Line: 1083
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
sizeof(vpdpage83data));
} else {
/* It must be for VPD 0x80 */
char sp[13];
/* EVPD bit set */
sp[0] = INQD_PDT_DA;
sp[1] = scsicmd->cmnd[2];
sp[2] = 0;
sp[3] = snprintf(sp+4, sizeof(sp)-4, "%08X",
Reported by FlawFinder.
Line: 1198
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
set_sense(&dev->fsa_dev[cid].sense_data,
HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE,
ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0);
memcpy(cmd->sense_buffer, &dev->fsa_dev[cid].sense_data,
min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data),
SCSI_SENSE_BUFFERSIZE));
cmd->scsi_done(cmd);
return 1;
}
Reported by FlawFinder.
Line: 1552
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* we fill in iu_type, request_id later in aac_hba_send */
/* we fill in emb_data_desc_count later in aac_build_sghba */
memcpy(hbacmd->cdb, cmd->cmnd, cmd->cmd_len);
hbacmd->data_length = cpu_to_le32(scsi_bufflen(cmd));
address = (u64)fib->hw_error_pa;
hbacmd->error_ptr_hi = cpu_to_le32((u32)(address >> 32));
hbacmd->error_ptr_lo = cpu_to_le32((u32)(address & 0xffffffff));
Reported by FlawFinder.
drivers/i2c/busses/i2c-mlxbf.c
37 issues
Line: 741
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (flags & MLXBF_I2C_F_WRITE) {
write_en = 1;
write_len += operation->length;
memcpy(data_desc + data_idx,
operation->buffer, operation->length);
data_idx += operation->length;
}
/*
* We assume that read operations are performed only once per
Reported by FlawFinder.
Line: 787
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
MLXBF_I2C_MASTER_DATA_DESC_ADDR);
/* Get data from Master GW data descriptor. */
memcpy(read_buf, data_desc, read_len + 1);
}
/*
* After a read operation the SMBus FSM ps (present state)
* needs to be 'manually' reset. This should be removed in
Reported by FlawFinder.
Line: 653
Column: 44
CWE codes:
120
20
}
static int mlxbf_i2c_smbus_enable(struct mlxbf_i2c_priv *priv, u8 slave,
u8 len, u8 block_en, u8 pec_en, bool read)
{
u32 command;
/* Set Master GW control word. */
if (read) {
Reported by FlawFinder.
Line: 658
Column: 6
CWE codes:
120
20
u32 command;
/* Set Master GW control word. */
if (read) {
command = MLXBF_I2C_MASTER_ENABLE_READ;
command |= rol32(len, MLXBF_I2C_MASTER_READ_SHIFT);
} else {
command = MLXBF_I2C_MASTER_ENABLE_WRITE;
command |= rol32(len, MLXBF_I2C_MASTER_WRITE_SHIFT);
Reported by FlawFinder.
Line: 806
Column: 13
CWE codes:
120
20
static void
mlxbf_i2c_smbus_quick_command(struct mlxbf_i2c_smbus_request *request,
u8 read)
{
request->operation_cnt = MLXBF_I2C_SMBUS_OP_CNT_1;
request->operation[0].length = 0;
request->operation[0].flags = MLXBF_I2C_F_WRITE;
Reported by FlawFinder.
Line: 812
Column: 33
CWE codes:
120
20
request->operation[0].length = 0;
request->operation[0].flags = MLXBF_I2C_F_WRITE;
request->operation[0].flags |= read ? MLXBF_I2C_F_READ : 0;
}
static void mlxbf_i2c_smbus_byte_func(struct mlxbf_i2c_smbus_request *request,
u8 *data, bool read, bool pec_check)
{
Reported by FlawFinder.
Line: 816
Column: 26
CWE codes:
120
20
}
static void mlxbf_i2c_smbus_byte_func(struct mlxbf_i2c_smbus_request *request,
u8 *data, bool read, bool pec_check)
{
request->operation_cnt = MLXBF_I2C_SMBUS_OP_CNT_1;
request->operation[0].length = 1;
request->operation[0].length += pec_check;
Reported by FlawFinder.
Line: 824
Column: 33
CWE codes:
120
20
request->operation[0].length += pec_check;
request->operation[0].flags = MLXBF_I2C_F_SMBUS_OPERATION;
request->operation[0].flags |= read ?
MLXBF_I2C_F_READ : MLXBF_I2C_F_WRITE;
request->operation[0].flags |= pec_check ? MLXBF_I2C_F_SMBUS_PEC : 0;
request->operation[0].buffer = data;
}
Reported by FlawFinder.
Line: 833
Column: 39
CWE codes:
120
20
static void
mlxbf_i2c_smbus_data_byte_func(struct mlxbf_i2c_smbus_request *request,
u8 *command, u8 *data, bool read, bool pec_check)
{
request->operation_cnt = MLXBF_I2C_SMBUS_OP_CNT_2;
request->operation[0].length = 1;
request->operation[0].flags =
Reported by FlawFinder.
Line: 845
Column: 32
CWE codes:
120
20
request->operation[1].length = 1;
request->operation[1].length += pec_check;
request->operation[1].flags = read ?
MLXBF_I2C_F_READ : MLXBF_I2C_F_WRITE;
request->operation[1].buffer = data;
}
static void
Reported by FlawFinder.
kernel/debug/kdb/kdb_io.c
36 issues
Line: 627
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
next_avail = kdb_buffer;
size_avail = sizeof(kdb_buffer);
}
vsnprintf(next_avail, size_avail, fmt, ap);
/*
* If kdb_parse() found that the command was cmd xxx | grep yyy
* then kdb_grepping_flag is set, and kdb_grep_string contains yyy
*
Reported by FlawFinder.
Line: 703
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
* Shift the buffer left.
*/
*cphold = replaced_byte;
strcpy(kdb_buffer, cphold);
len = strlen(kdb_buffer);
next_avail = kdb_buffer + len;
size_avail = sizeof(kdb_buffer) - len;
goto kdb_print_out;
}
Reported by FlawFinder.
Line: 843
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
*/
if (kdb_grepping_flag && !suspend_grep) {
*cphold = replaced_byte;
strcpy(kdb_buffer, cphold);
len = strlen(kdb_buffer);
next_avail = kdb_buffer + len;
size_avail = sizeof(kdb_buffer) - len;
}
Reported by FlawFinder.
Line: 30
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "kdb_private.h"
#define CMD_BUFLEN 256
char kdb_prompt_str[CMD_BUFLEN];
int kdb_trap_printk;
int kdb_printf_cpu = -1;
static int kgdb_transition_check(char *buffer)
Reported by FlawFinder.
Line: 44
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
int slen = strlen(buffer);
if (slen > 3 && buffer[slen - 3] == '#') {
kdb_gdb_state_pass(buffer);
strcpy(buffer, "kgdb");
KDB_STATE_SET(DOING_KGDB);
return 1;
}
}
return 0;
Reported by FlawFinder.
Line: 130
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
#define ESCAPE_UDELAY 1000
#define ESCAPE_DELAY (2*1000000/ESCAPE_UDELAY) /* 2 seconds worth of udelays */
char buf[4]; /* longest vt100 escape sequence is 4 bytes */
char *pbuf = buf;
int escape_delay = 0;
get_char_func *f, *f_prev = NULL;
int key;
Reported by FlawFinder.
Line: 204
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *lastchar;
char *p_tmp;
char tmp;
static char tmpbuffer[CMD_BUFLEN];
int len = strlen(buffer);
int len_tmp;
int tab = 0;
int count;
int i;
Reported by FlawFinder.
Line: 235
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case 8: /* backspace */
if (cp > buffer) {
if (cp < lastchar) {
memcpy(tmpbuffer, cp, lastchar - cp);
memcpy(cp-1, tmpbuffer, lastchar - cp);
}
*(--lastchar) = '\0';
--cp;
kdb_printf("\b%s \r", cp);
Reported by FlawFinder.
Line: 236
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cp > buffer) {
if (cp < lastchar) {
memcpy(tmpbuffer, cp, lastchar - cp);
memcpy(cp-1, tmpbuffer, lastchar - cp);
}
*(--lastchar) = '\0';
--cp;
kdb_printf("\b%s \r", cp);
tmp = *cp;
Reported by FlawFinder.
Line: 259
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return buffer;
case 4: /* Del */
if (cp < lastchar) {
memcpy(tmpbuffer, cp+1, lastchar - cp - 1);
memcpy(cp, tmpbuffer, lastchar - cp - 1);
*(--lastchar) = '\0';
kdb_printf("%s \r", cp);
tmp = *cp;
*cp = '\0';
Reported by FlawFinder.
drivers/net/wireless/rndis_wlan.c
36 issues
Line: 805
CWE codes:
476
u.set->len = cpu_to_le32(len);
u.set->offset = cpu_to_le32(sizeof(*u.set) - 8);
u.set->handle = cpu_to_le32(0);
memcpy(u.buf + sizeof(*u.set), data, len);
priv->current_command_oid = oid;
ret = rndis_command(dev, u.header, buflen);
priv->current_command_oid = 0;
if (ret < 0)
Reported by Cppcheck.
Line: 36
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* NOTE: All these are settings for Broadcom chipset */
static char modparam_country[4] = "EU";
module_param_string(country, modparam_country, 4, 0444);
MODULE_PARM_DESC(country, "Country code (ISO 3166-1 alpha-2), default: EU");
static int modparam_frameburst = 1;
module_param_named(frameburst, modparam_frameburst, int, 0444);
Reported by FlawFinder.
Line: 434
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int multicast_size;
/* module parameters */
char param_country[4];
int param_frameburst;
int param_afterburner;
int param_power_save;
int param_power_output;
int param_roamtrigger;
Reported by FlawFinder.
Line: 753
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (copylen > *len)
copylen = *len;
memcpy(data, u.buf + respoffs, copylen);
*len = resplen;
ret = rndis_error_status(u.get_c->status);
if (ret < 0)
Reported by FlawFinder.
Line: 805
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u.set->len = cpu_to_le32(len);
u.set->offset = cpu_to_le32(sizeof(*u.set) - 8);
u.set->handle = cpu_to_le32(0);
memcpy(u.buf + sizeof(*u.set), data, len);
priv->current_command_oid = oid;
ret = rndis_command(dev, u.header, buflen);
priv->current_command_oid = 0;
if (ret < 0)
Reported by FlawFinder.
Line: 1350
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ndis_key.size = cpu_to_le32(sizeof(ndis_key));
ndis_key.length = cpu_to_le32(key_len);
ndis_key.index = cpu_to_le32(index);
memcpy(&ndis_key.material, key, key_len);
if (index == priv->encr_tx_key_index) {
ndis_key.index |= NDIS_80211_ADDWEP_TRANSMIT_KEY;
ret = set_encr_mode(usbdev, RNDIS_WLAN_ALG_WEP,
RNDIS_WLAN_ALG_NONE);
Reported by FlawFinder.
Line: 1372
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->encr_keys[index].len = key_len;
priv->encr_keys[index].cipher = cipher;
memcpy(&priv->encr_keys[index].material, key, key_len);
eth_broadcast_addr(priv->encr_keys[index].bssid);
return 0;
}
Reported by FlawFinder.
Line: 1433
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cipher == WLAN_CIPHER_SUITE_TKIP && key_len == 32) {
/* wpa_supplicant gives us the Michael MIC RX/TX keys in
* different order than NDIS spec, so swap the order here. */
memcpy(ndis_key.material, key, 16);
memcpy(ndis_key.material + 16, key + 24, 8);
memcpy(ndis_key.material + 24, key + 16, 8);
} else
memcpy(ndis_key.material, key, key_len);
Reported by FlawFinder.
Line: 1434
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* wpa_supplicant gives us the Michael MIC RX/TX keys in
* different order than NDIS spec, so swap the order here. */
memcpy(ndis_key.material, key, 16);
memcpy(ndis_key.material + 16, key + 24, 8);
memcpy(ndis_key.material + 24, key + 16, 8);
} else
memcpy(ndis_key.material, key, key_len);
if (flags & NDIS_80211_ADDKEY_SET_INIT_RECV_SEQ)
Reported by FlawFinder.
Line: 1435
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* different order than NDIS spec, so swap the order here. */
memcpy(ndis_key.material, key, 16);
memcpy(ndis_key.material + 16, key + 24, 8);
memcpy(ndis_key.material + 24, key + 16, 8);
} else
memcpy(ndis_key.material, key, key_len);
if (flags & NDIS_80211_ADDKEY_SET_INIT_RECV_SEQ)
memcpy(ndis_key.rsc, rx_seq, seq_len);
Reported by FlawFinder.
tools/perf/scripts/python/Perf-Trace-Util/lib/Perf/Trace/Core.py
36 issues
Line: 23
Column: 39
def define_flag_value(event_name, field_name, value, field_str):
flag_fields[event_name][field_name]['values'][value] = field_str
def define_symbolic_field(event_name, field_name):
# nothing to do, really
pass
def define_symbolic_value(event_name, field_name, value, field_str):
symbolic_fields[event_name][field_name]['values'][value] = field_str
Reported by Pylint.
Line: 23
Column: 27
def define_flag_value(event_name, field_name, value, field_str):
flag_fields[event_name][field_name]['values'][value] = field_str
def define_symbolic_field(event_name, field_name):
# nothing to do, really
pass
def define_symbolic_value(event_name, field_name, value, field_str):
symbolic_fields[event_name][field_name]['values'][value] = field_str
Reported by Pylint.
Line: 80
Column: 1
if idx and (value & idx) == idx:
if print_delim:
string += " | ";
string += trace_flags[idx]
print_delim = 1
value &= ~idx
return string
Reported by Pylint.
Line: 1
Column: 1
# Core.py - Python extension for perf script, core functions
#
# Copyright (C) 2010 by Tom Zanussi <tzanussi@gmail.com>
#
# This software may be distributed under the terms of the GNU General
# Public License ("GPL") version 2 as published by the Free Software
# Foundation.
from collections import defaultdict
Reported by Pylint.
Line: 1
Column: 1
# Core.py - Python extension for perf script, core functions
#
# Copyright (C) 2010 by Tom Zanussi <tzanussi@gmail.com>
#
# This software may be distributed under the terms of the GNU General
# Public License ("GPL") version 2 as published by the Free Software
# Foundation.
from collections import defaultdict
Reported by Pylint.
Line: 11
Column: 1
from collections import defaultdict
def autodict():
return defaultdict(autodict)
flag_fields = autodict()
symbolic_fields = autodict()
Reported by Pylint.
Line: 17
Column: 1
flag_fields = autodict()
symbolic_fields = autodict()
def define_flag_field(event_name, field_name, delim):
flag_fields[event_name][field_name]['delim'] = delim
def define_flag_value(event_name, field_name, value, field_str):
flag_fields[event_name][field_name]['values'][value] = field_str
Reported by Pylint.
Line: 20
Column: 1
def define_flag_field(event_name, field_name, delim):
flag_fields[event_name][field_name]['delim'] = delim
def define_flag_value(event_name, field_name, value, field_str):
flag_fields[event_name][field_name]['values'][value] = field_str
def define_symbolic_field(event_name, field_name):
# nothing to do, really
pass
Reported by Pylint.
Line: 23
Column: 1
def define_flag_value(event_name, field_name, value, field_str):
flag_fields[event_name][field_name]['values'][value] = field_str
def define_symbolic_field(event_name, field_name):
# nothing to do, really
pass
def define_symbolic_value(event_name, field_name, value, field_str):
symbolic_fields[event_name][field_name]['values'][value] = field_str
Reported by Pylint.
Line: 27
Column: 1
# nothing to do, really
pass
def define_symbolic_value(event_name, field_name, value, field_str):
symbolic_fields[event_name][field_name]['values'][value] = field_str
def flag_str(event_name, field_name, value):
string = ""
Reported by Pylint.