The following issues were found
drivers/media/dvb-core/dvb_net.c
8 issues
Line: 76
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* The code inside DVB_ULE_DEBUG keeps a history of the
* last 100 TS cells processed.
*/
static unsigned char ule_hist[100*TS_SZ] = { 0 };
static unsigned char *ule_where = ule_hist, ule_dump;
static void hexdump(const unsigned char *buf, unsigned short len)
{
print_hex_dump_debug("", DUMP_PREFIX_OFFSET, 16, 1, buf, len, true);
Reported by FlawFinder.
Line: 96
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dmx_ts_feed *tsfeed;
int multi_num;
struct dmx_section_filter *multi_secfilter[DVB_NET_MULTICAST_MAX];
unsigned char multi_macs[DVB_NET_MULTICAST_MAX][6];
int rx_mode;
#define RX_MODE_UNI 0
#define RX_MODE_MULTI 1
#define RX_MODE_ALL_MULTI 2
#define RX_MODE_PROMISC 3
Reported by FlawFinder.
Line: 323
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#ifdef DVB_ULE_DEBUG
if (ule_where >= &ule_hist[100*TS_SZ])
ule_where = ule_hist;
memcpy(ule_where, h->ts, TS_SZ);
if (ule_dump) {
hexdump(ule_where, TS_SZ);
ule_dump = 0;
}
ule_where += TS_SZ;
Reported by FlawFinder.
Line: 736
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!h->priv->ule_bridged) {
skb_push(h->priv->ule_skb, ETH_HLEN);
h->ethh = (struct ethhdr *)h->priv->ule_skb->data;
memcpy(h->ethh->h_dest, dest_addr, ETH_ALEN);
eth_zero_addr(h->ethh->h_source);
h->ethh->h_proto = htons(h->priv->ule_sndu_type);
}
/* else: skb is in correct state; nothing to do. */
h->priv->ule_bridged = 0;
Reported by FlawFinder.
Line: 949
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy L3 payload */
eth = skb_put(skb, pkt_len - 12 - 4 + 14 - snap);
memcpy(eth + 14, pkt + 12 + snap, pkt_len - 12 - 4 - snap);
/* create ethernet header: */
eth[0]=pkt[0x0b];
eth[1]=pkt[0x0a];
eth[2]=pkt[0x09];
Reported by FlawFinder.
Line: 1209
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (priv->multi_num == DVB_NET_MULTICAST_MAX)
return -ENOMEM;
memcpy(priv->multi_macs[priv->multi_num], addr, ETH_ALEN);
priv->multi_num++;
return 0;
}
Reported by FlawFinder.
Line: 1275
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct dvb_net_priv *priv = netdev_priv(dev);
struct sockaddr *addr=p;
memcpy(dev->dev_addr, addr->sa_data, dev->addr_len);
if (netif_running(dev))
schedule_work(&priv->restart_net_feed_wq);
return 0;
Reported by FlawFinder.
Line: 1370
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dvbnet->dvbdev->adapter->num, if_num);
net->addr_len = 6;
memcpy(net->dev_addr, dvbnet->dvbdev->adapter->proposed_mac, 6);
dvbnet->device[if_num] = net;
priv = netdev_priv(net);
priv->net = net;
Reported by FlawFinder.
drivers/mmc/core/mmc.c
8 issues
Line: 107
CWE codes:
758
card->cid.prod_name[4] = UNSTUFF_BITS(resp, 64, 8);
card->cid.prod_name[5] = UNSTUFF_BITS(resp, 56, 8);
card->cid.prv = UNSTUFF_BITS(resp, 48, 8);
card->cid.serial = UNSTUFF_BITS(resp, 16, 32);
card->cid.month = UNSTUFF_BITS(resp, 12, 4);
card->cid.year = UNSTUFF_BITS(resp, 8, 4) + 1997;
break;
default:
Reported by Cppcheck.
Line: 107
CWE codes:
190
card->cid.prod_name[4] = UNSTUFF_BITS(resp, 64, 8);
card->cid.prod_name[5] = UNSTUFF_BITS(resp, 56, 8);
card->cid.prv = UNSTUFF_BITS(resp, 48, 8);
card->cid.serial = UNSTUFF_BITS(resp, 16, 32);
card->cid.month = UNSTUFF_BITS(resp, 12, 4);
card->cid.year = UNSTUFF_BITS(resp, 8, 4) + 1997;
break;
default:
Reported by Cppcheck.
Line: 307
Column: 2
CWE codes:
134
Suggestion:
Make format string constant
{
card->part[card->nr_parts].size = size;
card->part[card->nr_parts].part_cfg = part_cfg;
sprintf(card->part[card->nr_parts].name, name, idx);
card->part[card->nr_parts].force_ro = ro;
card->part[card->nr_parts].area_type = area_type;
card->nr_parts++;
}
Reported by FlawFinder.
Line: 629
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* eMMC v5 or later */
if (card->ext_csd.rev >= 7) {
memcpy(card->ext_csd.fwrev, &ext_csd[EXT_CSD_FIRMWARE_VERSION],
MMC_FIRMWARE_LEN);
card->ext_csd.ffu_capable =
(ext_csd[EXT_CSD_SUPPORTED_MODE] & 0x1) &&
!(ext_csd[EXT_CSD_FW_CONFIG] & 0x1);
Reported by FlawFinder.
Line: 814
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct mmc_card *card = mmc_dev_to_card(dev);
if (card->ext_csd.rev < 7) {
return sprintf(buf, "0x%x\n", card->cid.fwrev);
} else {
return sprintf(buf, "0x%*phN\n", MMC_FIRMWARE_LEN,
card->ext_csd.fwrev);
}
}
Reported by FlawFinder.
Line: 816
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (card->ext_csd.rev < 7) {
return sprintf(buf, "0x%x\n", card->cid.fwrev);
} else {
return sprintf(buf, "0x%*phN\n", MMC_FIRMWARE_LEN,
card->ext_csd.fwrev);
}
}
static DEVICE_ATTR(fwrev, S_IRUGO, mmc_fwrev_show, NULL);
Reported by FlawFinder.
Line: 831
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct mmc_host *host = card->host;
if (card->csd.dsr_imp && host->dsr_req)
return sprintf(buf, "0x%x\n", host->dsr);
else
/* return default DSR value */
return sprintf(buf, "0x%x\n", 0x404);
}
Reported by FlawFinder.
Line: 834
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return sprintf(buf, "0x%x\n", host->dsr);
else
/* return default DSR value */
return sprintf(buf, "0x%x\n", 0x404);
}
static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL);
static struct attribute *mmc_std_attrs[] = {
Reported by FlawFinder.
drivers/mtd/spi-nor/core.c
8 issues
Line: 228
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (usebouncebuf && nbytes > 0)
memcpy(buf, op.data.buf.in, nbytes);
return nbytes;
}
/**
Reported by FlawFinder.
Line: 277
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spi_nor_spimem_setup_op(nor, &op, nor->write_proto);
if (spi_nor_spimem_bounce(nor, &op))
memcpy(nor->bouncebuf, buf, op.data.nbytes);
if (nor->dirmap.wdesc) {
nbytes = spi_mem_dirmap_write(nor->dirmap.wdesc, op.addr.val,
op.data.nbytes, op.data.buf.out);
} else {
Reported by FlawFinder.
Line: 2526
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&sfdp_params, nor->params, sizeof(sfdp_params));
if (spi_nor_parse_sfdp(nor)) {
memcpy(nor->params, &sfdp_params, sizeof(*nor->params));
nor->addr_width = 0;
nor->flags &= ~SNOR_F_4B_OPCODES;
}
}
Reported by FlawFinder.
Line: 247
Column: 30
CWE codes:
120
20
if (nor->spimem)
return spi_nor_spimem_read_data(nor, from, len, buf);
return nor->controller_ops->read(nor, from, len, buf);
}
/**
* spi_nor_spimem_write_data() - write data to flash memory via
* spi-mem
Reported by FlawFinder.
Line: 2010
Column: 29
CWE codes:
120
20
if (!nor->dev ||
(!nor->spimem && !nor->controller_ops) ||
(!nor->spimem && nor->controller_ops &&
(!nor->controller_ops->read ||
!nor->controller_ops->write ||
!nor->controller_ops->read_reg ||
!nor->controller_ops->write_reg))) {
pr_err("spi-nor: please fill all the necessary fields!\n");
return -EINVAL;
Reported by FlawFinder.
Line: 2139
Column: 47
CWE codes:
120
20
* Returns 0 if operation is supported, -EOPNOTSUPP otherwise.
*/
static int spi_nor_spimem_check_readop(struct spi_nor *nor,
const struct spi_nor_read_command *read)
{
struct spi_mem_op op = SPI_MEM_OP(SPI_MEM_OP_CMD(read->opcode, 0),
SPI_MEM_OP_ADDR(3, 0, 0),
SPI_MEM_OP_DUMMY(1, 0),
SPI_MEM_OP_DATA_IN(1, NULL, 0));
Reported by FlawFinder.
Line: 2279
Column: 37
CWE codes:
120
20
u32 shared_hwcaps)
{
int cmd, best_match = fls(shared_hwcaps & SNOR_HWCAPS_READ_MASK) - 1;
const struct spi_nor_read_command *read;
if (best_match < 0)
return -EINVAL;
cmd = spi_nor_hwcaps_read2cmd(BIT(best_match));
Reported by FlawFinder.
drivers/message/fusion/mptctl.h
8 issues
Line: 189
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int numDevices; /* number of devices */
int FWVersion; /* FW Version (integer) */
int BIOSVersion; /* BIOS Version (integer) */
char driverVersion[MPT_IOCTL_VERSION_LENGTH]; /* Driver Version (string) */
char busChangeEvent;
char hostId;
char rsvd[2];
struct mpt_ioctl_pci_info2 pciInfo; /* Added Rev 2 */
};
Reported by FlawFinder.
Line: 192
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char driverVersion[MPT_IOCTL_VERSION_LENGTH]; /* Driver Version (string) */
char busChangeEvent;
char hostId;
char rsvd[2];
struct mpt_ioctl_pci_info2 pciInfo; /* Added Rev 2 */
};
struct mpt_ioctl_iocinfo_rev1 {
mpt_ioctl_header hdr;
Reported by FlawFinder.
Line: 207
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int numDevices; /* number of devices */
int FWVersion; /* FW Version (integer) */
int BIOSVersion; /* BIOS Version (integer) */
char driverVersion[MPT_IOCTL_VERSION_LENGTH]; /* Driver Version (string) */
char busChangeEvent;
char hostId;
char rsvd[2];
struct mpt_ioctl_pci_info pciInfo; /* Added Rev 1 */
};
Reported by FlawFinder.
Line: 210
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char driverVersion[MPT_IOCTL_VERSION_LENGTH]; /* Driver Version (string) */
char busChangeEvent;
char hostId;
char rsvd[2];
struct mpt_ioctl_pci_info pciInfo; /* Added Rev 1 */
};
/* Original structure, must always accept these
* IOCTLs. 4 byte pads can occur based on arch with
Reported by FlawFinder.
Line: 229
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int numDevices; /* number of devices */
int FWVersion; /* FW Version (integer) */
int BIOSVersion; /* BIOS Version (integer) */
char driverVersion[MPT_IOCTL_VERSION_LENGTH]; /* Driver Version (string) */
char busChangeEvent;
char hostId;
char rsvd[2];
};
Reported by FlawFinder.
Line: 232
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char driverVersion[MPT_IOCTL_VERSION_LENGTH]; /* Driver Version (string) */
char busChangeEvent;
char hostId;
char rsvd[2];
};
/*
* Device Information Page
* Report the number of, and ids of, all targets
Reported by FlawFinder.
Line: 332
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int dataOutSize;
int maxSenseBytes;
int dataSgeOffset;
char MF[1];
};
/*
* SPARC PLATFORM: See earlier remark.
*/
Reported by FlawFinder.
Line: 351
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int dataOutSize;
int maxSenseBytes;
int dataSgeOffset;
char MF[1];
};
#endif /*}*/
/*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
Reported by FlawFinder.
drivers/md/md.h
8 issues
Line: 313
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int persistent;
int external; /* metadata is
* managed externally */
char metadata_type[17]; /* externally set*/
int chunk_sectors;
time64_t ctime, utime;
int level, layout;
char clevel[16];
int raid_disks;
Reported by FlawFinder.
Line: 317
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int chunk_sectors;
time64_t ctime, utime;
int level, layout;
char clevel[16];
int raid_disks;
int max_disks;
sector_t dev_sectors; /* used size of
* component devices */
sector_t array_sectors; /* exported array size */
Reported by FlawFinder.
Line: 333
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
int can_decrease_events;
char uuid[16];
/* If the array is being reshaped, we need to record the
* new shape and an indication of where we are up to.
* This is written to the superblock.
* If reshape_position is MaxSector, then no reshape is happening (yet).
Reported by FlawFinder.
Line: 478
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long max_write_behind; /* write-behind mode */
int external;
int nodes; /* Maximum number of nodes in the cluster */
char cluster_name[64]; /* Name of the cluster */
} bitmap_info;
atomic_t max_corr_read_errors; /* max read retries */
struct list_head all_mddevs;
Reported by FlawFinder.
Line: 637
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline int sysfs_link_rdev(struct mddev *mddev, struct md_rdev *rdev)
{
char nm[20];
if (!test_bit(Replacement, &rdev->flags) &&
!test_bit(Journal, &rdev->flags) &&
mddev->kobj.sd) {
sprintf(nm, "rd%d", rdev->raid_disk);
return sysfs_create_link(&mddev->kobj, &rdev->kobj, nm);
Reported by FlawFinder.
Line: 641
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!test_bit(Replacement, &rdev->flags) &&
!test_bit(Journal, &rdev->flags) &&
mddev->kobj.sd) {
sprintf(nm, "rd%d", rdev->raid_disk);
return sysfs_create_link(&mddev->kobj, &rdev->kobj, nm);
} else
return 0;
}
Reported by FlawFinder.
Line: 649
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline void sysfs_unlink_rdev(struct mddev *mddev, struct md_rdev *rdev)
{
char nm[20];
if (!test_bit(Replacement, &rdev->flags) &&
!test_bit(Journal, &rdev->flags) &&
mddev->kobj.sd) {
sprintf(nm, "rd%d", rdev->raid_disk);
sysfs_remove_link(&mddev->kobj, nm);
Reported by FlawFinder.
Line: 653
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!test_bit(Replacement, &rdev->flags) &&
!test_bit(Journal, &rdev->flags) &&
mddev->kobj.sd) {
sprintf(nm, "rd%d", rdev->raid_disk);
sysfs_remove_link(&mddev->kobj, nm);
}
}
/*
Reported by FlawFinder.
drivers/mtd/maps/vmu-flash.c
8 issues
Line: 101
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(!card->blockread))
return;
memcpy(card->blockread, mq->recvbuf->buf + 12,
card->blocklen/card->readcnt);
}
/* Interface with maple bus to read blocks
Reported by FlawFinder.
Line: 205
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto outA;
}
memcpy(buf + (card->blocklen/card->readcnt) * x, blockread,
card->blocklen/card->readcnt);
memcpy(pcache->buffer + (card->blocklen/card->readcnt) * x,
card->blockread, card->blocklen/card->readcnt);
card->blockread = NULL;
Reported by FlawFinder.
Line: 208
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(buf + (card->blocklen/card->readcnt) * x, blockread,
card->blocklen/card->readcnt);
memcpy(pcache->buffer + (card->blocklen/card->readcnt) * x,
card->blockread, card->blocklen/card->readcnt);
card->blockread = NULL;
pcache->block = num;
pcache->jiffies_atc = jiffies;
pcache->valid = 1;
Reported by FlawFinder.
Line: 249
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (x = 0; x < card->writecnt; x++) {
sendbuf[0] = cpu_to_be32(partition << 24 | x << 16 | num);
memcpy(&sendbuf[1], buf + phaselen * x, phaselen);
/* wait until the device is not busy doing something else
* or 1 second - which ever is longer */
if (atomic_read(&mdev->busy) == 1) {
wait_event_interruptible_timeout(mdev->maple_wait,
atomic_read(&mdev->busy) == 0, HZ);
Reported by FlawFinder.
Line: 385
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
leftover = card->blocklen - vblock->ofs;
if (vblock->ofs + len - index < card->blocklen) {
/* only a bit of this block to copy */
memcpy(buf + index,
pcache->buffer + vblock->ofs,
len - index);
index = len;
} else {
/* otherwise copy remainder of whole block */
Reported by FlawFinder.
Line: 391
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
index = len;
} else {
/* otherwise copy remainder of whole block */
memcpy(buf + index, pcache->buffer +
vblock->ofs, leftover);
index += leftover;
}
} else {
/*
Reported by FlawFinder.
Line: 529
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!part_cur->name)
goto fail_name;
sprintf(part_cur->name, "vmu%d.%d.%d",
mdev->port, mdev->unit, card->partition);
mtd_cur = &card->mtd[card->partition];
mtd_cur->name = part_cur->name;
mtd_cur->type = 8;
mtd_cur->flags = MTD_WRITEABLE|MTD_NO_ERASE;
Reported by FlawFinder.
drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
8 issues
Line: 33
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
CXGB4_ETHTOOL_MAX_TEST,
};
static const char cxgb4_selftest_strings[CXGB4_ETHTOOL_MAX_TEST][ETH_GSTRING_LEN] = {
"Loop back test (offline)",
};
static const char * const flash_region_strings[] = {
"All",
Reported by FlawFinder.
Line: 232
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void get_strings(struct net_device *dev, u32 stringset, u8 *data)
{
if (stringset == ETH_SS_STATS) {
memcpy(data, stats_strings, sizeof(stats_strings));
data += sizeof(stats_strings);
memcpy(data, adapter_stats_strings,
sizeof(adapter_stats_strings));
data += sizeof(adapter_stats_strings);
memcpy(data, loopback_stats_strings,
Reported by FlawFinder.
Line: 234
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (stringset == ETH_SS_STATS) {
memcpy(data, stats_strings, sizeof(stats_strings));
data += sizeof(stats_strings);
memcpy(data, adapter_stats_strings,
sizeof(adapter_stats_strings));
data += sizeof(adapter_stats_strings);
memcpy(data, loopback_stats_strings,
sizeof(loopback_stats_strings));
} else if (stringset == ETH_SS_PRIV_FLAGS) {
Reported by FlawFinder.
Line: 237
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(data, adapter_stats_strings,
sizeof(adapter_stats_strings));
data += sizeof(adapter_stats_strings);
memcpy(data, loopback_stats_strings,
sizeof(loopback_stats_strings));
} else if (stringset == ETH_SS_PRIV_FLAGS) {
memcpy(data, cxgb4_priv_flags_strings,
sizeof(cxgb4_priv_flags_strings));
} else if (stringset == ETH_SS_TEST) {
Reported by FlawFinder.
Line: 240
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(data, loopback_stats_strings,
sizeof(loopback_stats_strings));
} else if (stringset == ETH_SS_PRIV_FLAGS) {
memcpy(data, cxgb4_priv_flags_strings,
sizeof(cxgb4_priv_flags_strings));
} else if (stringset == ETH_SS_TEST) {
memcpy(data, cxgb4_selftest_strings,
sizeof(cxgb4_selftest_strings));
}
Reported by FlawFinder.
Line: 243
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(data, cxgb4_priv_flags_strings,
sizeof(cxgb4_priv_flags_strings));
} else if (stringset == ETH_SS_TEST) {
memcpy(data, cxgb4_selftest_strings,
sizeof(cxgb4_selftest_strings));
}
}
/* port stats maintained per queue of the port. They should be in the same
Reported by FlawFinder.
Line: 1218
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = eeprom_rd_phys(adapter, i, (u32 *)&buf[i]);
if (!err)
memcpy(data, buf + e->offset, e->len);
kvfree(buf);
return err;
}
static int set_eeprom(struct net_device *dev, struct ethtool_eeprom *eeprom,
Reported by FlawFinder.
Line: 1258
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(u32 *)&buf[aligned_len - 4]);
if (err)
goto out;
memcpy(buf + (eeprom->offset & 3), data, eeprom->len);
} else {
buf = data;
}
err = t4_seeprom_wp(adapter, false);
Reported by FlawFinder.
drivers/md/raid5-cache.c
8 issues
Line: 1724
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUG_ON(offset < ctx->pool_offset ||
offset >= ctx->pool_offset + ctx->valid_pages * BLOCK_SECTORS);
memcpy(page_address(page),
page_address(ctx->ra_pool[(offset - ctx->pool_offset) >>
BLOCK_SECTOR_SHIFT]),
PAGE_SIZE);
return 0;
}
Reported by FlawFinder.
Line: 3070
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct request_queue *q = bdev_get_queue(rdev->bdev);
struct r5l_log *log;
char b[BDEVNAME_SIZE];
int ret;
pr_debug("md/raid:%s: using device %s as journal\n",
mdname(conf->mddev), bdevname(rdev->bdev, b));
Reported by FlawFinder.
Line: 2027
Column: 10
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
if (r5l_recovery_verify_data_checksum(
log, ctx, page, log_offset,
payload->checksum[0]) < 0)
goto mismatch;
} else if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_PARITY) {
if (r5l_recovery_verify_data_checksum(
log, ctx, page, log_offset,
payload->checksum[0]) < 0)
goto mismatch;
Reported by FlawFinder.
Line: 2032
Column: 10
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
if (r5l_recovery_verify_data_checksum(
log, ctx, page, log_offset,
payload->checksum[0]) < 0)
goto mismatch;
if (conf->max_degraded == 2 && /* q for RAID 6 */
r5l_recovery_verify_data_checksum(
log, ctx, page,
r5l_ring_add(log, log_offset,
BLOCK_SECTORS),
Reported by FlawFinder.
Line: 2039
Column: 10
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
r5l_ring_add(log, log_offset,
BLOCK_SECTORS),
payload->checksum[1]) < 0)
goto mismatch;
} else if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
/* nothing to do for R5LOG_PAYLOAD_FLUSH here */
} else /* not R5LOG_PAYLOAD_DATA/PARITY/FLUSH */
goto mismatch;
Reported by FlawFinder.
Line: 2043
Column: 9
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
} else if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
/* nothing to do for R5LOG_PAYLOAD_FLUSH here */
} else /* not R5LOG_PAYLOAD_DATA/PARITY/FLUSH */
goto mismatch;
if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
mb_offset += sizeof(struct r5l_payload_flush) +
le32_to_cpu(payload_flush->size);
} else {
Reported by FlawFinder.
Line: 2062
Column: 1
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
put_page(page);
return 0;
mismatch:
put_page(page);
return -EINVAL;
}
/*
Reported by FlawFinder.
Line: 2613
Column: 7
CWE codes:
126
len--;
while (mode--)
if (strlen(r5c_journal_mode_str[mode]) == len &&
!strncmp(page, r5c_journal_mode_str[mode], len))
break;
ret = mddev_lock(mddev);
if (ret)
return ret;
Reported by FlawFinder.
drivers/media/v4l2-core/v4l2-ctrls-core.c
8 issues
Line: 119
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void *p = ptr.p + idx * ctrl->elem_size;
if (ctrl->p_def.p_const)
memcpy(p, ctrl->p_def.p_const, ctrl->elem_size);
else
memset(p, 0, ctrl->elem_size);
switch ((u32)ctrl->type) {
case V4L2_CTRL_TYPE_MPEG2_SEQUENCE:
Reported by FlawFinder.
Line: 141
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case V4L2_CTRL_TYPE_MPEG2_QUANTISATION:
p_mpeg2_quant = p;
memcpy(p_mpeg2_quant->intra_quantiser_matrix,
mpeg2_intra_quant_matrix,
ARRAY_SIZE(mpeg2_intra_quant_matrix));
/*
* The default non-intra MPEG-2 quantisation
* coefficients are all 16, as per the specification.
Reported by FlawFinder.
Line: 803
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
if (ctrl == NULL)
return;
memcpy(to.p, from.p_const, ctrl->elems * ctrl->elem_size);
}
/* Copy the new value to the current value. */
void new_to_cur(struct v4l2_fh *fh, struct v4l2_ctrl *ctrl, u32 ch_flags)
{
Reported by FlawFinder.
Line: 1156
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct v4l2_ctrl *v4l2_ctrl_new(struct v4l2_ctrl_handler *hdl,
const struct v4l2_ctrl_ops *ops,
const struct v4l2_ctrl_type_ops *type_ops,
u32 id, const char *name, enum v4l2_ctrl_type type,
s64 min, s64 max, u64 step, s64 def,
const u32 dims[V4L2_CTRL_MAX_DIMS], u32 elem_size,
u32 flags, const char * const *qmenu,
const s64 *qmenu_int, const union v4l2_ctrl_ptr p_def,
void *priv)
Reported by FlawFinder.
Line: 1323
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctrl->elems = elems;
ctrl->nr_of_dims = nr_of_dims;
if (nr_of_dims)
memcpy(ctrl->dims, dims, nr_of_dims * sizeof(dims[0]));
ctrl->elem_size = elem_size;
if (type == V4L2_CTRL_TYPE_MENU)
ctrl->qmenu = qmenu;
else if (type == V4L2_CTRL_TYPE_INTEGER_MENU)
ctrl->qmenu_int = qmenu_int;
Reported by FlawFinder.
Line: 1343
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (type >= V4L2_CTRL_COMPOUND_TYPES && p_def.p_const) {
ctrl->p_def.p = ctrl->p_cur.p + tot_ctrl_size;
memcpy(ctrl->p_def.p, p_def.p_const, elem_size);
}
for (idx = 0; idx < elems; idx++) {
ctrl->type_ops->init(ctrl, idx, ctrl->p_cur);
ctrl->type_ops->init(ctrl, idx, ctrl->p_new);
Reported by FlawFinder.
Line: 762
Column: 9
CWE codes:
126
case V4L2_CTRL_TYPE_STRING:
idx *= ctrl->elem_size;
len = strlen(ptr.p_char + idx);
if (len < ctrl->minimum)
return -ERANGE;
if ((len - (u32)ctrl->minimum) % (u32)ctrl->step)
return -ERANGE;
return 0;
Reported by FlawFinder.
Line: 1898
Column: 8
CWE codes:
126
return;
if (!prefix)
prefix = "";
len = strlen(prefix);
if (len && prefix[len - 1] != ' ')
colon = ": ";
mutex_lock(hdl->lock);
list_for_each_entry(ctrl, &hdl->ctrls, node)
if (!(ctrl->flags & V4L2_CTRL_FLAG_DISABLED))
Reported by FlawFinder.
drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
8 issues
Line: 1180
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
seq_printf(seq, "%10u %15llu %5d %5d",
entry->seqno, entry->timestamp,
entry->access, entry->execute);
for (i = 0; i < MBOX_LEN / 8; i++) {
u64 flit = entry->cmd[i];
u32 hi = (u32)(flit >> 32);
u32 lo = (u32)flit;
Reported by FlawFinder.
Line: 457
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void field_desc_show(struct seq_file *seq, u64 v,
const struct field_desc *p)
{
char buf[32];
int line_size = 0;
while (p->name) {
u64 mask = (1ULL << p->width) - 1;
int len = scnprintf(buf, sizeof(buf), "%s: %llu", p->name,
Reported by FlawFinder.
Line: 667
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *pos)
{
int err;
char s[32];
unsigned long val;
size_t size = min(sizeof(s) - 1, count);
struct adapter *adap = file_inode(file)->i_private;
if (copy_from_user(s, buf, size))
Reported by FlawFinder.
Line: 905
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int clk_show(struct seq_file *seq, void *v)
{
char buf[32];
struct adapter *adap = seq->private;
unsigned int cclk_ps = 1000000000 / adap->params.vpd.cclk; /* in ps */
u32 res = t4_read_reg(adap, TP_TIMER_RESOLUTION_A);
unsigned int tre = TIMERRESOLUTION_G(res);
unsigned int dack_re = DELAYEDACKRESOLUTION_G(res);
Reported by FlawFinder.
Line: 1669
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
*mask = x | y;
y = (__force u64)cpu_to_be64(y);
memcpy(addr, (char *)&y + 2, ETH_ALEN);
}
static int mps_tcam_show(struct seq_file *seq, void *v)
{
struct adapter *adap = seq->private;
Reported by FlawFinder.
Line: 2202
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i, j;
u32 key[10];
char s[100], *p;
struct adapter *adap = file_inode(file)->i_private;
if (count > sizeof(s) - 1)
return -EINVAL;
if (copy_from_user(s, buf, count))
Reported by FlawFinder.
Line: 3458
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void mem_region_show(struct seq_file *seq, const char *name,
unsigned int from, unsigned int to)
{
char buf[40];
string_get_size((u64)to - from + 1, 1, STRING_UNITS_2, buf,
sizeof(buf));
seq_printf(seq, "%-15s %#x-%#x [%s]\n", name, from, to, buf);
}
Reported by FlawFinder.
Line: 3419
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len = snprintf(buf, size - 1, "%*pb\n",
adap->sge.egr_sz, adap->sge.blocked_fl);
len += sprintf(buf + len, "\n");
size = simple_read_from_buffer(ubuf, count, ppos, buf, len);
kfree(buf);
return size;
}
Reported by FlawFinder.