The following issues were found
drivers/usb/serial/pl2303.c
7 issues
Line: 241
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
static int pl2303_vendor_read(struct usb_serial *serial, u16 value,
unsigned char buf[1])
{
struct pl2303_serial_private *spriv = usb_get_serial_data(serial);
struct device *dev = &serial->interface->dev;
u8 request;
int res;
Reported by FlawFinder.
Line: 588
Column: 56
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* NOTE: If unsupported baud rates are set directly, the PL2303 seems to
* use 9600 baud.
*/
static speed_t pl2303_encode_baud_rate_direct(unsigned char buf[4],
speed_t baud)
{
put_unaligned_le32(baud, buf);
return baud;
Reported by FlawFinder.
Line: 596
Column: 57
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return baud;
}
static speed_t pl2303_encode_baud_rate_divisor(unsigned char buf[4],
speed_t baud)
{
unsigned int baseline, mantissa, exponent;
/*
Reported by FlawFinder.
Line: 635
Column: 61
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return baud;
}
static speed_t pl2303_encode_baud_rate_divisor_alt(unsigned char buf[4],
speed_t baud)
{
unsigned int baseline, mantissa, exponent;
/*
Reported by FlawFinder.
Line: 712
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static int pl2303_get_line_request(struct usb_serial_port *port,
unsigned char buf[7])
{
struct usb_device *udev = port->serial->dev;
int ret;
ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
Reported by FlawFinder.
Line: 735
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static int pl2303_set_line_request(struct usb_serial_port *port,
unsigned char buf[7])
{
struct usb_device *udev = port->serial->dev;
int ret;
ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
Reported by FlawFinder.
Line: 871
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!old_termios || memcmp(buf, priv->line_settings, 7)) {
ret = pl2303_set_line_request(port, buf);
if (!ret)
memcpy(priv->line_settings, buf, 7);
}
/* change control lines if we are switching to or from B0 */
spin_lock_irqsave(&priv->lock, flags);
control = priv->line_control;
Reported by FlawFinder.
drivers/staging/rtl8723bs/hal/sdio_ops.c
7 issues
Line: 190
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ftaddr &= ~(u16)0x3;
sd_read(intfhdl, ftaddr, 8, tmpbuf);
memcpy(&le_tmp, tmpbuf + shift, 4);
val = le32_to_cpu(le_tmp);
kfree(tmpbuf);
}
return val;
Reported by FlawFinder.
Line: 237
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = sd_read(intfhdl, ftaddr, n, tmpbuf);
if (!err)
memcpy(buf, tmpbuf + shift, cnt);
kfree(tmpbuf);
}
return err;
}
Reported by FlawFinder.
Line: 342
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kfree(tmpbuf);
return err;
}
memcpy(tmpbuf + shift, buf, cnt);
err = sd_write(intfhdl, ftaddr, n, tmpbuf);
kfree(tmpbuf);
}
return err;
}
Reported by FlawFinder.
Line: 512
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = _sd_read(intfhdl, addr, n, tmpbuf);
if (!err)
memcpy(buf, tmpbuf, cnt);
kfree(tmpbuf);
return err;
}
Reported by FlawFinder.
Line: 553
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = sd_read(intfhdl, addr, n, tmpbuf);
if (!err)
memcpy(buf, tmpbuf, cnt);
kfree(tmpbuf);
return err;
}
Reported by FlawFinder.
Line: 590
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!tmpbuf)
return -1;
memcpy(tmpbuf, buf, cnt);
err = sd_write(intfhdl, addr, cnt, tmpbuf);
kfree(tmpbuf);
Reported by FlawFinder.
Line: 999
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
numof_free_page = sdio_local_cmd53_read4byte(adapter, SDIO_REG_FREE_TXPG);
memcpy(hal->SdioTxFIFOFreePage, &numof_free_page, 4);
return true;
}
/* */
Reported by FlawFinder.
drivers/scsi/qla4xxx/ql4_isr.c
7 issues
Line: 43
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy sense from sts_entry pkt */
sense_len = min_t(uint16_t, sense_len, IOCB_MAX_SENSEDATA_LEN);
memcpy(cmd->sense_buffer, sts_entry->senseData, sense_len);
DEBUG2(printk(KERN_INFO "scsi%ld:%d:%d:%llu: %s: sense key = %x, "
"ASL= %02x, ASC/ASCQ = %02x/%02x\n", ha->host_no,
cmd->device->channel, cmd->device->id,
cmd->device->lun, __func__,
Reported by FlawFinder.
Line: 96
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy sense data. */
sense_len = min_t(uint16_t, srb->req_sense_len,
IOCB_MAX_EXT_SENSEDATA_LEN);
memcpy(srb->req_sense_ptr, sts_cont->ext_sense_data, sense_len);
DEBUG5(qla4xxx_dump_buffer(srb->req_sense_ptr, sense_len));
srb->req_sense_ptr += sense_len;
srb->req_sense_len -= sense_len;
Reported by FlawFinder.
Line: 397
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
task_data = task->dd_data;
memcpy(&task_data->sts, sts_entry, sizeof(struct passthru_status));
ha->iocb_cnt -= task_data->iocb_req_cnt;
queue_work(ha->task_wq, &task_data->task_work);
}
static struct mrb *qla4xxx_del_mrb_from_active_array(struct scsi_qla_host *ha,
Reported by FlawFinder.
Line: 640
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void qla4xxx_default_router_changed(struct scsi_qla_host *ha,
uint32_t *mbox_sts)
{
memcpy(&ha->ip_config.ipv6_default_router_addr.s6_addr32[0],
&mbox_sts[2], sizeof(uint32_t));
memcpy(&ha->ip_config.ipv6_default_router_addr.s6_addr32[1],
&mbox_sts[3], sizeof(uint32_t));
memcpy(&ha->ip_config.ipv6_default_router_addr.s6_addr32[2],
&mbox_sts[4], sizeof(uint32_t));
Reported by FlawFinder.
Line: 642
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
memcpy(&ha->ip_config.ipv6_default_router_addr.s6_addr32[0],
&mbox_sts[2], sizeof(uint32_t));
memcpy(&ha->ip_config.ipv6_default_router_addr.s6_addr32[1],
&mbox_sts[3], sizeof(uint32_t));
memcpy(&ha->ip_config.ipv6_default_router_addr.s6_addr32[2],
&mbox_sts[4], sizeof(uint32_t));
memcpy(&ha->ip_config.ipv6_default_router_addr.s6_addr32[3],
&mbox_sts[5], sizeof(uint32_t));
Reported by FlawFinder.
Line: 644
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
&mbox_sts[2], sizeof(uint32_t));
memcpy(&ha->ip_config.ipv6_default_router_addr.s6_addr32[1],
&mbox_sts[3], sizeof(uint32_t));
memcpy(&ha->ip_config.ipv6_default_router_addr.s6_addr32[2],
&mbox_sts[4], sizeof(uint32_t));
memcpy(&ha->ip_config.ipv6_default_router_addr.s6_addr32[3],
&mbox_sts[5], sizeof(uint32_t));
}
Reported by FlawFinder.
Line: 646
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
&mbox_sts[3], sizeof(uint32_t));
memcpy(&ha->ip_config.ipv6_default_router_addr.s6_addr32[2],
&mbox_sts[4], sizeof(uint32_t));
memcpy(&ha->ip_config.ipv6_default_router_addr.s6_addr32[3],
&mbox_sts[5], sizeof(uint32_t));
}
/**
* qla4xxx_isr_decode_mailbox - decodes mailbox status
Reported by FlawFinder.
drivers/scsi/qla4xxx/ql4_iocb.c
7 issues
Line: 329
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int_to_scsilun(cmd->device->lun, &cmd_entry->lun);
cmd_entry->ttlByteCnt = cpu_to_le32(scsi_bufflen(cmd));
memcpy(cmd_entry->cdb, cmd->cmnd, cmd->cmd_len);
cmd_entry->dataSegCnt = cpu_to_le16(tot_dsds);
cmd_entry->hdr.entryCount = req_cnt;
/* Set data transfer direction control flags
* NOTE: Look at data_direction bits iff there is data to be
Reported by FlawFinder.
Line: 412
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Setup the out & in DSDs */
if (task_data->req_len) {
memcpy((uint8_t *)task_data->req_buffer +
sizeof(struct iscsi_hdr), task->data, task->data_count);
ctrl_flags |= PT_FLAG_SEND_BUFFER;
passthru_iocb->out_dsd.base.addrLow =
cpu_to_le32(LSDW(task_data->req_dma));
passthru_iocb->out_dsd.base.addrHigh =
Reported by FlawFinder.
Line: 495
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mrb->mbox->handle = index;
mrb->mbox->hdr.entryType = ET_MBOX_CMD;
mrb->mbox->hdr.entryCount = mrb->iocb_cnt;
memcpy(mrb->mbox->in_mbox, in_mbox, 32);
mrb->mbox_cmd = in_mbox[0];
wmb();
ha->iocb_cnt += mrb->iocb_cnt;
ha->isp_ops->queue_iocb(ha);
Reported by FlawFinder.
Line: 525
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
in_mbox[0] = MBOX_CMD_PING;
in_mbox[1] = options;
memcpy(&in_mbox[2], &ipaddr[0], 4);
memcpy(&in_mbox[3], &ipaddr[4], 4);
memcpy(&in_mbox[4], &ipaddr[8], 4);
memcpy(&in_mbox[5], &ipaddr[12], 4);
in_mbox[6] = payload_size;
Reported by FlawFinder.
Line: 526
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
in_mbox[0] = MBOX_CMD_PING;
in_mbox[1] = options;
memcpy(&in_mbox[2], &ipaddr[0], 4);
memcpy(&in_mbox[3], &ipaddr[4], 4);
memcpy(&in_mbox[4], &ipaddr[8], 4);
memcpy(&in_mbox[5], &ipaddr[12], 4);
in_mbox[6] = payload_size;
mrb->pid = pid;
Reported by FlawFinder.
Line: 527
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
in_mbox[1] = options;
memcpy(&in_mbox[2], &ipaddr[0], 4);
memcpy(&in_mbox[3], &ipaddr[4], 4);
memcpy(&in_mbox[4], &ipaddr[8], 4);
memcpy(&in_mbox[5], &ipaddr[12], 4);
in_mbox[6] = payload_size;
mrb->pid = pid;
rval = qla4xxx_send_mbox_iocb(ha, mrb, in_mbox);
Reported by FlawFinder.
Line: 528
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&in_mbox[2], &ipaddr[0], 4);
memcpy(&in_mbox[3], &ipaddr[4], 4);
memcpy(&in_mbox[4], &ipaddr[8], 4);
memcpy(&in_mbox[5], &ipaddr[12], 4);
in_mbox[6] = payload_size;
mrb->pid = pid;
rval = qla4xxx_send_mbox_iocb(ha, mrb, in_mbox);
Reported by FlawFinder.
drivers/spi/spi-pxa2xx.c
7 issues
Line: 667
Column: 17
CWE codes:
120
20
if (irq_status & SSSR_TINT) {
pxa2xx_spi_write(drv_data, SSSR, SSSR_TINT);
if (drv_data->read(drv_data)) {
int_transfer_complete(drv_data);
return IRQ_HANDLED;
}
}
Reported by FlawFinder.
Line: 675
Column: 17
CWE codes:
120
20
/* Drain Rx FIFO, Fill Tx FIFO and prevent overruns */
do {
if (drv_data->read(drv_data)) {
int_transfer_complete(drv_data);
return IRQ_HANDLED;
}
} while (drv_data->write(drv_data));
Reported by FlawFinder.
Line: 681
Column: 16
CWE codes:
120
20
}
} while (drv_data->write(drv_data));
if (drv_data->read(drv_data)) {
int_transfer_complete(drv_data);
return IRQ_HANDLED;
}
if (drv_data->tx == drv_data->tx_end) {
Reported by FlawFinder.
Line: 1001
Column: 40
CWE codes:
120
20
drv_data->rx = transfer->rx_buf;
drv_data->rx_end = drv_data->rx + transfer->len;
drv_data->write = drv_data->tx ? chip->write : null_writer;
drv_data->read = drv_data->rx ? chip->read : null_reader;
/* Change speed and bit per word on a per transfer */
bits = transfer->bits_per_word;
speed = transfer->speed_hz;
Reported by FlawFinder.
Line: 1011
Column: 30
CWE codes:
120
20
if (bits <= 8) {
drv_data->n_bytes = 1;
drv_data->read = drv_data->read != null_reader ?
u8_reader : null_reader;
drv_data->write = drv_data->write != null_writer ?
u8_writer : null_writer;
} else if (bits <= 16) {
drv_data->n_bytes = 2;
Reported by FlawFinder.
Line: 1017
Column: 30
CWE codes:
120
20
u8_writer : null_writer;
} else if (bits <= 16) {
drv_data->n_bytes = 2;
drv_data->read = drv_data->read != null_reader ?
u16_reader : null_reader;
drv_data->write = drv_data->write != null_writer ?
u16_writer : null_writer;
} else if (bits <= 32) {
drv_data->n_bytes = 4;
Reported by FlawFinder.
Line: 1023
Column: 30
CWE codes:
120
20
u16_writer : null_writer;
} else if (bits <= 32) {
drv_data->n_bytes = 4;
drv_data->read = drv_data->read != null_reader ?
u32_reader : null_reader;
drv_data->write = drv_data->write != null_writer ?
u32_writer : null_writer;
}
/*
Reported by FlawFinder.
drivers/scsi/qla2xxx/qla_mr.h
7 issues
Line: 264
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct host_system_info {
uint32_t os_type;
char sysname[SYSNAME_LENGTH];
char nodename[NODENAME_LENGTH];
char release[RELEASE_LENGTH];
char version[VERSION_LENGTH];
char machine[MACHINE_LENGTH];
char domainname[DOMNAME_LENGTH];
Reported by FlawFinder.
Line: 265
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct host_system_info {
uint32_t os_type;
char sysname[SYSNAME_LENGTH];
char nodename[NODENAME_LENGTH];
char release[RELEASE_LENGTH];
char version[VERSION_LENGTH];
char machine[MACHINE_LENGTH];
char domainname[DOMNAME_LENGTH];
char hostdriver[VERSION_LENGTH];
Reported by FlawFinder.
Line: 266
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint32_t os_type;
char sysname[SYSNAME_LENGTH];
char nodename[NODENAME_LENGTH];
char release[RELEASE_LENGTH];
char version[VERSION_LENGTH];
char machine[MACHINE_LENGTH];
char domainname[DOMNAME_LENGTH];
char hostdriver[VERSION_LENGTH];
uint32_t reserved[64];
Reported by FlawFinder.
Line: 267
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char sysname[SYSNAME_LENGTH];
char nodename[NODENAME_LENGTH];
char release[RELEASE_LENGTH];
char version[VERSION_LENGTH];
char machine[MACHINE_LENGTH];
char domainname[DOMNAME_LENGTH];
char hostdriver[VERSION_LENGTH];
uint32_t reserved[64];
} __packed;
Reported by FlawFinder.
Line: 268
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char nodename[NODENAME_LENGTH];
char release[RELEASE_LENGTH];
char version[VERSION_LENGTH];
char machine[MACHINE_LENGTH];
char domainname[DOMNAME_LENGTH];
char hostdriver[VERSION_LENGTH];
uint32_t reserved[64];
} __packed;
Reported by FlawFinder.
Line: 269
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char release[RELEASE_LENGTH];
char version[VERSION_LENGTH];
char machine[MACHINE_LENGTH];
char domainname[DOMNAME_LENGTH];
char hostdriver[VERSION_LENGTH];
uint32_t reserved[64];
} __packed;
struct register_host_info {
Reported by FlawFinder.
Line: 270
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char version[VERSION_LENGTH];
char machine[MACHINE_LENGTH];
char domainname[DOMNAME_LENGTH];
char hostdriver[VERSION_LENGTH];
uint32_t reserved[64];
} __packed;
struct register_host_info {
struct host_system_info hsi; /* host system info */
Reported by FlawFinder.
drivers/usb/storage/usb.c
7 issues
Line: 74
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
module_param(delay_use, uint, S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(delay_use, "seconds to delay before using a new device");
static char quirks[128];
module_param_string(quirks, quirks, sizeof(quirks), S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(quirks, "supplemental list of device IDs and their quirks");
/*
Reported by FlawFinder.
Line: 284
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int n;
n = strlen(us->unusual_dev->vendorName);
memcpy(data+8, us->unusual_dev->vendorName, min(8, n));
n = strlen(us->unusual_dev->productName);
memcpy(data+16, us->unusual_dev->productName, min(16, n));
data[32] = 0x30 + ((bcdDevice>>12) & 0x0F);
data[33] = 0x30 + ((bcdDevice>>8) & 0x0F);
Reported by FlawFinder.
Line: 286
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
n = strlen(us->unusual_dev->vendorName);
memcpy(data+8, us->unusual_dev->vendorName, min(8, n));
n = strlen(us->unusual_dev->productName);
memcpy(data+16, us->unusual_dev->productName, min(16, n));
data[32] = 0x30 + ((bcdDevice>>12) & 0x0F);
data[33] = 0x30 + ((bcdDevice>>8) & 0x0F);
data[34] = 0x30 + ((bcdDevice>>4) & 0x0F);
data[35] = 0x30 + ((bcdDevice) & 0x0F);
Reported by FlawFinder.
Line: 368
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
else if ((srb->cmnd[0] == INQUIRY) &&
(us->fflags & US_FL_FIX_INQUIRY)) {
unsigned char data_ptr[36] = {
0x00, 0x80, 0x02, 0x02,
0x1F, 0x00, 0x00, 0x00};
usb_stor_dbg(us, "Faking INQUIRY command\n");
fill_inquiry_response(us, data_ptr, 36);
Reported by FlawFinder.
Line: 632
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* from the unusual_devs.h table.
*/
if (id->idVendor || id->idProduct) {
static const char *msgs[3] = {
"an unneeded SubClass entry",
"an unneeded Protocol entry",
"unneeded SubClass and Protocol entries"};
struct usb_device_descriptor *ddesc = &dev->descriptor;
int msg = -1;
Reported by FlawFinder.
Line: 283
Column: 7
CWE codes:
126
u16 bcdDevice = le16_to_cpu(us->pusb_dev->descriptor.bcdDevice);
int n;
n = strlen(us->unusual_dev->vendorName);
memcpy(data+8, us->unusual_dev->vendorName, min(8, n));
n = strlen(us->unusual_dev->productName);
memcpy(data+16, us->unusual_dev->productName, min(16, n));
data[32] = 0x30 + ((bcdDevice>>12) & 0x0F);
Reported by FlawFinder.
Line: 285
Column: 7
CWE codes:
126
n = strlen(us->unusual_dev->vendorName);
memcpy(data+8, us->unusual_dev->vendorName, min(8, n));
n = strlen(us->unusual_dev->productName);
memcpy(data+16, us->unusual_dev->productName, min(16, n));
data[32] = 0x30 + ((bcdDevice>>12) & 0x0F);
data[33] = 0x30 + ((bcdDevice>>8) & 0x0F);
data[34] = 0x30 + ((bcdDevice>>4) & 0x0F);
Reported by FlawFinder.
drivers/scsi/qla2xxx/qla_bsg.c
7 issues
Line: 590
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new_config[0] = config[0] & ~INTERNAL_LOOPBACK_MASK;
ql_dbg(ql_dbg_user, vha, 0x70bf, "new_config[0]=%02x\n",
(new_config[0] & INTERNAL_LOOPBACK_MASK));
memcpy(&new_config[1], &config[1], sizeof(uint16_t) * 3) ;
ha->notify_dcbx_comp = wait;
ha->notify_lb_portup_comp = wait2;
ret = qla81xx_set_port_config(vha, new_config);
Reported by FlawFinder.
Line: 660
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ql_dbg(ql_dbg_user, vha, 0x70be,
"new_config[0]=%02x\n", (new_config[0] & INTERNAL_LOOPBACK_MASK));
memcpy(&new_config[1], &config[1], sizeof(uint16_t) * 3);
ha->notify_dcbx_comp = 1;
ret = qla81xx_set_port_config(vha, new_config);
if (ret != QLA_SUCCESS) {
ql_log(ql_log_warn, vha, 0x7021,
Reported by FlawFinder.
Line: 934
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bsg_job->reply_len = sizeof(struct fc_bsg_reply) +
sizeof(response) + sizeof(uint8_t);
fw_sts_ptr = bsg_job->reply + sizeof(struct fc_bsg_reply);
memcpy(bsg_job->reply + sizeof(struct fc_bsg_reply), response,
sizeof(response));
fw_sts_ptr += sizeof(response);
*fw_sts_ptr = command_sent;
done_free_dma_rsp:
Reported by FlawFinder.
Line: 1378
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rsp_ptr = ((uint8_t *)bsg_reply) +
sizeof(struct fc_bsg_reply);
memcpy(rsp_ptr, port_param,
sizeof(struct qla_port_param));
}
bsg_reply->result = DID_OK;
bsg_job_done(bsg_job, bsg_reply->result,
Reported by FlawFinder.
Line: 1565
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
image = list->version;
count = list->count;
while (count--) {
memcpy(sfp, &image->field_info, sizeof(image->field_info));
rval = qla2x00_write_sfp(vha, sfp_dma, sfp,
image->field_address.device, image->field_address.offset,
sizeof(image->field_info), image->field_address.option);
if (rval) {
bsg_reply->reply_data.vendor_reply.vendor_rsp[0] =
Reported by FlawFinder.
Line: 1711
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sg_copy_to_buffer(bsg_job->request_payload.sg_list,
bsg_job->request_payload.sg_cnt, i2c, sizeof(*i2c));
memcpy(sfp, i2c->buffer, i2c->length);
rval = qla2x00_write_sfp(vha, sfp_dma, sfp,
i2c->device, i2c->offset, i2c->length, i2c->option);
if (rval) {
bsg_reply->reply_data.vendor_reply.vendor_rsp[0] =
Reported by FlawFinder.
Line: 1766
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto dealloc;
}
memcpy(i2c->buffer, sfp, i2c->length);
sg_copy_from_buffer(bsg_job->reply_payload.sg_list,
bsg_job->reply_payload.sg_cnt, i2c, sizeof(*i2c));
bsg_reply->reply_data.vendor_reply.vendor_rsp[0] = 0;
Reported by FlawFinder.
drivers/scsi/qla1280.c
7 issues
Line: 674
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
bdp = &ql1280_board_tbl[ha->devnum];
memset(bp, 0, sizeof(qla1280_scsi_name_buffer));
sprintf (bp,
"QLogic %s PCI to SCSI Host Adapter\n"
" Firmware version: %2d.%02d.%02d, Driver version %s",
&bdp->name[0], ha->fwver1, ha->fwver2, ha->fwver3,
QLA1280_VERSION);
return bp;
Reported by FlawFinder.
Line: 664
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *
qla1280_info(struct Scsi_Host *host)
{
static char qla1280_scsi_name_buffer[125];
char *bp;
struct scsi_qla_host *ha;
struct qla_boards *bdp;
bp = &qla1280_scsi_name_buffer[0];
Reported by FlawFinder.
Line: 2490
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
optr = mb;
iptr = (uint16_t *) &ha->mailbox_out[0];
mr = MAILBOX_REGISTER_COUNT;
memcpy(optr, iptr, MAILBOX_REGISTER_COUNT * sizeof(uint16_t));
if (ha->flags.reset_marker)
qla1280_rst_aen(ha);
if (status)
Reported by FlawFinder.
Line: 2843
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Load SCSI command packet. */
pkt->cdb_len = cpu_to_le16(CMD_CDBLEN(cmd));
memcpy(pkt->scsi_cdb, CMD_CDBP(cmd), CMD_CDBLEN(cmd));
/* dprintk(1, "Build packet for command[0]=0x%x\n",pkt->scsi_cdb[0]); */
/* Set transfer direction. */
dir = qla1280_data_direction(cmd);
pkt->control_flags |= cpu_to_le16(dir);
Reported by FlawFinder.
Line: 3098
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Load SCSI command packet. */
pkt->cdb_len = cpu_to_le16(CMD_CDBLEN(cmd));
memcpy(pkt->scsi_cdb, CMD_CDBP(cmd), CMD_CDBLEN(cmd));
/*dprintk(1, "Build packet for command[0]=0x%x\n",pkt->scsi_cdb[0]); */
/* Set transfer direction. */
dir = qla1280_data_direction(cmd);
pkt->control_flags |= cpu_to_le16(dir);
Reported by FlawFinder.
Line: 3481
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* dprintk(1, "qla1280_isr: default case of switch MB \n"); */
if (mailbox[0] < MBA_ASYNC_EVENT) {
wptr = &mailbox[0];
memcpy((uint16_t *) ha->mailbox_out, wptr,
MAILBOX_REGISTER_COUNT *
sizeof(uint16_t));
if(ha->mailbox_wait != NULL)
complete(ha->mailbox_wait);
Reported by FlawFinder.
Line: 3658
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
sense_sz = CMD_SNSLEN(cmd) - 1;
memcpy(cmd->sense_buffer,
&pkt->req_sense_data, sense_sz);
} else
sense_sz = 0;
memset(cmd->sense_buffer + sense_sz, 0,
SCSI_SENSE_BUFFERSIZE - sense_sz);
Reported by FlawFinder.
drivers/staging/rtl8712/rtl8712_recv.c
7 issues
Line: 221
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* pull the ICV)
*/
recvframe_pull_tail(prframe, pfhdr->attrib.icv_len);
memcpy(pfhdr->rx_tail, pnfhdr->rx_data, pnfhdr->len);
recvframe_put(prframe, pnfhdr->len);
pfhdr->attrib.icv_len = pnfhdr->attrib.icv_len;
plist = plist->next;
}
/* free the defrag_q queue and return the prframe */
Reported by FlawFinder.
Line: 380
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* replace EtherType
*/
skb_pull(sub_skb, SNAP_SIZE);
memcpy(skb_push(sub_skb, ETH_ALEN), pattrib->src,
ETH_ALEN);
memcpy(skb_push(sub_skb, ETH_ALEN), pattrib->dst,
ETH_ALEN);
} else {
__be16 len;
Reported by FlawFinder.
Line: 382
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_pull(sub_skb, SNAP_SIZE);
memcpy(skb_push(sub_skb, ETH_ALEN), pattrib->src,
ETH_ALEN);
memcpy(skb_push(sub_skb, ETH_ALEN), pattrib->dst,
ETH_ALEN);
} else {
__be16 len;
/* Leave Ethernet header part of hdr and full payload */
len = htons(sub_skb->len);
Reported by FlawFinder.
Line: 388
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__be16 len;
/* Leave Ethernet header part of hdr and full payload */
len = htons(sub_skb->len);
memcpy(skb_push(sub_skb, 2), &len, 2);
memcpy(skb_push(sub_skb, ETH_ALEN), pattrib->src,
ETH_ALEN);
memcpy(skb_push(sub_skb, ETH_ALEN), pattrib->dst,
ETH_ALEN);
}
Reported by FlawFinder.
Line: 389
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Leave Ethernet header part of hdr and full payload */
len = htons(sub_skb->len);
memcpy(skb_push(sub_skb, 2), &len, 2);
memcpy(skb_push(sub_skb, ETH_ALEN), pattrib->src,
ETH_ALEN);
memcpy(skb_push(sub_skb, ETH_ALEN), pattrib->dst,
ETH_ALEN);
}
/* Indicate the packets to upper layer */
Reported by FlawFinder.
Line: 391
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(skb_push(sub_skb, 2), &len, 2);
memcpy(skb_push(sub_skb, ETH_ALEN), pattrib->src,
ETH_ALEN);
memcpy(skb_push(sub_skb, ETH_ALEN), pattrib->dst,
ETH_ALEN);
}
/* Indicate the packets to upper layer */
if (sub_skb) {
sub_skb->protocol =
Reported by FlawFinder.
Line: 1041
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
precvframe->u.hdr.pkt = pkt_copy;
skb_reserve(pkt_copy, 4 - ((addr_t)(pkt_copy->data) % 4));
skb_reserve(pkt_copy, shift_sz);
memcpy(pkt_copy->data, pbuf, tmp_len);
precvframe->u.hdr.rx_head = pkt_copy->data;
precvframe->u.hdr.rx_data = pkt_copy->data;
precvframe->u.hdr.rx_tail = pkt_copy->data;
precvframe->u.hdr.rx_end = pkt_copy->data + alloc_sz;
Reported by FlawFinder.