The following issues were found
drivers/staging/rtl8192u/ieee80211/rtl819x_BAProc.c
7 issues
Line: 129
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BAReq = skb_put(skb, sizeof(struct rtl_80211_hdr_3addr));
memcpy(BAReq->addr1, Dst, ETH_ALEN);
memcpy(BAReq->addr2, ieee->dev->dev_addr, ETH_ALEN);
memcpy(BAReq->addr3, ieee->current_network.bssid, ETH_ALEN);
BAReq->frame_ctl = cpu_to_le16(IEEE80211_STYPE_MANAGE_ACT); //action frame
Reported by FlawFinder.
Line: 130
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BAReq = skb_put(skb, sizeof(struct rtl_80211_hdr_3addr));
memcpy(BAReq->addr1, Dst, ETH_ALEN);
memcpy(BAReq->addr2, ieee->dev->dev_addr, ETH_ALEN);
memcpy(BAReq->addr3, ieee->current_network.bssid, ETH_ALEN);
BAReq->frame_ctl = cpu_to_le16(IEEE80211_STYPE_MANAGE_ACT); //action frame
Reported by FlawFinder.
Line: 132
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(BAReq->addr1, Dst, ETH_ALEN);
memcpy(BAReq->addr2, ieee->dev->dev_addr, ETH_ALEN);
memcpy(BAReq->addr3, ieee->current_network.bssid, ETH_ALEN);
BAReq->frame_ctl = cpu_to_le16(IEEE80211_STYPE_MANAGE_ACT); //action frame
//tag += sizeof( struct rtl_80211_hdr_3addr); //move to action field
tag = skb_put(skb, 9);
Reported by FlawFinder.
Line: 161
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (type == ACT_ADDBAREQ) {
// BA Start SeqCtrl
memcpy(tag, (u8 *)&(pBA->start_seq_ctrl), 2);
tag += 2;
}
IEEE80211_DEBUG_DATA(IEEE80211_DL_DATA | IEEE80211_DL_BA, skb->data, skb->len);
return skb;
Reported by FlawFinder.
Line: 213
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
Delba = skb_put(skb, sizeof(struct rtl_80211_hdr_3addr));
memcpy(Delba->addr1, dst, ETH_ALEN);
memcpy(Delba->addr2, ieee->dev->dev_addr, ETH_ALEN);
memcpy(Delba->addr3, ieee->current_network.bssid, ETH_ALEN);
Delba->frame_ctl = cpu_to_le16(IEEE80211_STYPE_MANAGE_ACT); //action frame
tag = skb_put(skb, 6);
Reported by FlawFinder.
Line: 214
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
Delba = skb_put(skb, sizeof(struct rtl_80211_hdr_3addr));
memcpy(Delba->addr1, dst, ETH_ALEN);
memcpy(Delba->addr2, ieee->dev->dev_addr, ETH_ALEN);
memcpy(Delba->addr3, ieee->current_network.bssid, ETH_ALEN);
Delba->frame_ctl = cpu_to_le16(IEEE80211_STYPE_MANAGE_ACT); //action frame
tag = skb_put(skb, 6);
Reported by FlawFinder.
Line: 215
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(Delba->addr1, dst, ETH_ALEN);
memcpy(Delba->addr2, ieee->dev->dev_addr, ETH_ALEN);
memcpy(Delba->addr3, ieee->current_network.bssid, ETH_ALEN);
Delba->frame_ctl = cpu_to_le16(IEEE80211_STYPE_MANAGE_ACT); //action frame
tag = skb_put(skb, 6);
*tag++ = ACT_CAT_BA;
Reported by FlawFinder.
drivers/scsi/qedf/qedf_els.c
7 issues
Line: 92
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Fill ELS Payload */
if ((op >= ELS_LS_RJT) && (op <= ELS_AUTH_ELS)) {
memcpy(mp_req->req_buf, data, data_len);
} else {
QEDF_ERR(&(qedf->dbg_ctx), "Invalid ELS op 0x%x\n", op);
els_req->cb_func = NULL;
els_req->cb_arg = NULL;
kref_put(&els_req->refcount, qedf_release_cmd);
Reported by FlawFinder.
Line: 486
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy frame header from firmware into fp */
fh = (struct fc_frame_header *)fc_frame_header_get(fp);
memcpy(fh, mp_fc_hdr, sizeof(struct fc_frame_header));
/* Copy payload from firmware into fp */
fc_payload = fc_frame_payload_get(fp, resp_len);
memcpy(fc_payload, resp_buf, resp_len);
Reported by FlawFinder.
Line: 490
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy payload from firmware into fp */
fc_payload = fc_frame_payload_get(fp, resp_len);
memcpy(fc_payload, resp_buf, resp_len);
QEDF_INFO(&(fcport->qedf->dbg_ctx), QEDF_LOG_ELS,
"Completing OX_ID 0x%x back to libfc.\n", l2_oxid);
qedf_process_l2_frame_compl(fcport, fp, l2_oxid);
Reported by FlawFinder.
Line: 596
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy frame header from firmware into fp */
fh = (struct fc_frame_header *)fc_frame_header_get(fp);
memcpy(fh, mp_fc_hdr, sizeof(struct fc_frame_header));
/* Copy payload from firmware into fp */
fc_payload = fc_frame_payload_get(fp, resp_len);
memcpy(fc_payload, resp_buf, resp_len);
Reported by FlawFinder.
Line: 600
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy payload from firmware into fp */
fc_payload = fc_frame_payload_get(fp, resp_len);
memcpy(fc_payload, resp_buf, resp_len);
opcode = fc_frame_payload_op(fp);
switch (opcode) {
case ELS_LS_ACC:
QEDF_INFO(&(qedf->dbg_ctx), QEDF_LOG_ELS,
Reported by FlawFinder.
Line: 896
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy frame header from firmware into fp */
fh = (struct fc_frame_header *)fc_frame_header_get(fp);
memcpy(fh, mp_fc_hdr, sizeof(struct fc_frame_header));
/* Copy payload from firmware into fp */
fc_payload = fc_frame_payload_get(fp, resp_len);
memcpy(fc_payload, resp_buf, resp_len);
Reported by FlawFinder.
Line: 900
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy payload from firmware into fp */
fc_payload = fc_frame_payload_get(fp, resp_len);
memcpy(fc_payload, resp_buf, resp_len);
opcode = fc_frame_payload_op(fp);
if (opcode == ELS_LS_RJT) {
rjt = fc_frame_payload_get(fp, sizeof(*rjt));
if (!rjt) {
Reported by FlawFinder.
drivers/staging/android/ashmem.c
7 issues
Line: 47
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* Warning: Mappings do NOT pin this structure; It dies on close()
*/
struct ashmem_area {
char name[ASHMEM_FULL_NAME_LEN];
struct list_head unpinned_list;
struct file *file;
size_t size;
unsigned long prot_mask;
};
Reported by FlawFinder.
Line: 265
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
INIT_LIST_HEAD(&asma->unpinned_list);
memcpy(asma->name, ASHMEM_NAME_PREFIX, ASHMEM_NAME_PREFIX_LEN);
asma->prot_mask = PROT_MASK;
file->private_data = asma;
return 0;
}
Reported by FlawFinder.
Line: 567
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int len;
int ret = 0;
char local_name[ASHMEM_NAME_LEN];
/*
* Holding the ashmem_mutex while doing a copy_from_user might cause
* an data abort which would try to access mmap_lock. If another
* thread has invoked ashmem_mmap then it will be holding the
Reported by FlawFinder.
Line: 604
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* space safely without holding any locks. So even if we proceed to
* wait for mmap_lock, it won't lead to deadlock.
*/
char local_name[ASHMEM_NAME_LEN];
mutex_lock(&ashmem_mutex);
if (asma->name[ASHMEM_NAME_PREFIX_LEN] != '\0') {
/*
* Copying only `len', instead of ASHMEM_NAME_LEN, bytes
Reported by FlawFinder.
Line: 613
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* prevents us from revealing one user's stack to another.
*/
len = strlen(asma->name + ASHMEM_NAME_PREFIX_LEN) + 1;
memcpy(local_name, asma->name + ASHMEM_NAME_PREFIX_LEN, len);
} else {
len = sizeof(ASHMEM_NAME_DEF);
memcpy(local_name, ASHMEM_NAME_DEF, len);
}
mutex_unlock(&ashmem_mutex);
Reported by FlawFinder.
Line: 616
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(local_name, asma->name + ASHMEM_NAME_PREFIX_LEN, len);
} else {
len = sizeof(ASHMEM_NAME_DEF);
memcpy(local_name, ASHMEM_NAME_DEF, len);
}
mutex_unlock(&ashmem_mutex);
/*
* Now we are just copying from the stack variable to userland
Reported by FlawFinder.
Line: 612
Column: 9
CWE codes:
126
* Copying only `len', instead of ASHMEM_NAME_LEN, bytes
* prevents us from revealing one user's stack to another.
*/
len = strlen(asma->name + ASHMEM_NAME_PREFIX_LEN) + 1;
memcpy(local_name, asma->name + ASHMEM_NAME_PREFIX_LEN, len);
} else {
len = sizeof(ASHMEM_NAME_DEF);
memcpy(local_name, ASHMEM_NAME_DEF, len);
}
Reported by FlawFinder.
drivers/vfio/vfio.c
7 issues
Line: 1061
Column: 23
CWE codes:
362
continue;
}
data = driver->ops->open(arg);
if (IS_ERR(data)) {
ret = PTR_ERR(data);
module_put(driver->ops->owner);
continue;
}
Reported by FlawFinder.
Line: 1377
Column: 21
CWE codes:
362
return -ENODEV;
}
ret = device->ops->open(device);
if (ret) {
module_put(device->dev->driver->owner);
vfio_device_put(device);
return ret;
}
Reported by FlawFinder.
Line: 1799
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (IS_ERR(header))
return PTR_ERR(header);
memcpy(header + 1, cap + 1, size - sizeof(*header));
return 0;
}
EXPORT_SYMBOL(vfio_info_add_capability);
Reported by FlawFinder.
Line: 1163
Column: 36
CWE codes:
120
20
ssize_t ret = -EINVAL;
driver = container->iommu_driver;
if (likely(driver && driver->ops->read))
ret = driver->ops->read(container->iommu_data,
buf, count, ppos);
return ret;
}
Reported by FlawFinder.
Line: 1164
Column: 22
CWE codes:
120
20
driver = container->iommu_driver;
if (likely(driver && driver->ops->read))
ret = driver->ops->read(container->iommu_data,
buf, count, ppos);
return ret;
}
Reported by FlawFinder.
Line: 1586
Column: 29
CWE codes:
120
20
{
struct vfio_device *device = filep->private_data;
if (unlikely(!device->ops->read))
return -EINVAL;
return device->ops->read(device, buf, count, ppos);
}
Reported by FlawFinder.
Line: 1589
Column: 22
CWE codes:
120
20
if (unlikely(!device->ops->read))
return -EINVAL;
return device->ops->read(device, buf, count, ppos);
}
static ssize_t vfio_device_fops_write(struct file *filep,
const char __user *buf,
size_t count, loff_t *ppos)
Reported by FlawFinder.
drivers/video/backlight/ili922x.c
7 issues
Line: 153
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct spi_message msg;
struct spi_transfer xfer;
unsigned char tbuf[CMD_BUFSIZE];
unsigned char rbuf[CMD_BUFSIZE];
int ret, i;
memset(&xfer, 0, sizeof(struct spi_transfer));
spi_message_init(&msg);
Reported by FlawFinder.
Line: 154
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct spi_message msg;
struct spi_transfer xfer;
unsigned char tbuf[CMD_BUFSIZE];
unsigned char rbuf[CMD_BUFSIZE];
int ret, i;
memset(&xfer, 0, sizeof(struct spi_transfer));
spi_message_init(&msg);
xfer.tx_buf = tbuf;
Reported by FlawFinder.
Line: 196
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct spi_message msg;
struct spi_transfer xfer_regindex, xfer_regvalue;
unsigned char tbuf[CMD_BUFSIZE];
unsigned char rbuf[CMD_BUFSIZE];
int ret, len = 0, send_bytes;
memset(&xfer_regindex, 0, sizeof(struct spi_transfer));
memset(&xfer_regvalue, 0, sizeof(struct spi_transfer));
Reported by FlawFinder.
Line: 197
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct spi_message msg;
struct spi_transfer xfer_regindex, xfer_regvalue;
unsigned char tbuf[CMD_BUFSIZE];
unsigned char rbuf[CMD_BUFSIZE];
int ret, len = 0, send_bytes;
memset(&xfer_regindex, 0, sizeof(struct spi_transfer));
memset(&xfer_regvalue, 0, sizeof(struct spi_transfer));
spi_message_init(&msg);
Reported by FlawFinder.
Line: 250
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct spi_message msg;
struct spi_transfer xfer_regindex, xfer_regvalue;
unsigned char tbuf[CMD_BUFSIZE];
unsigned char rbuf[CMD_BUFSIZE];
int ret;
memset(&xfer_regindex, 0, sizeof(struct spi_transfer));
memset(&xfer_regvalue, 0, sizeof(struct spi_transfer));
Reported by FlawFinder.
Line: 251
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct spi_message msg;
struct spi_transfer xfer_regindex, xfer_regvalue;
unsigned char tbuf[CMD_BUFSIZE];
unsigned char rbuf[CMD_BUFSIZE];
int ret;
memset(&xfer_regindex, 0, sizeof(struct spi_transfer));
memset(&xfer_regvalue, 0, sizeof(struct spi_transfer));
Reported by FlawFinder.
Line: 325
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct spi_message msg;
struct spi_transfer xfer;
unsigned char tbuf[CMD_BUFSIZE];
memset(&xfer, 0, sizeof(struct spi_transfer));
spi_message_init(&msg);
xfer.tx_buf = tbuf;
Reported by FlawFinder.
drivers/staging/rtl8192e/rtllib_softmac_wx.c
7 issues
Line: 122
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
eth_zero_addr(wrqu->ap_addr.sa_data);
else
memcpy(wrqu->ap_addr.sa_data,
ieee->current_network.bssid, ETH_ALEN);
spin_unlock_irqrestore(&ieee->lock, flags);
return 0;
Reported by FlawFinder.
Line: 546
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
struct iw_request_info *info,
union iwreq_data *wrqu, char *extra)
{
strcpy(wrqu->name, "802.11");
if (ieee->modulation & RTLLIB_CCK_MODULATION)
strcat(wrqu->name, "b");
if (ieee->modulation & RTLLIB_OFDM_MODULATION)
strcat(wrqu->name, "g");
Reported by FlawFinder.
Line: 216
Column: 2
CWE codes:
120
}
len = ieee->current_network.ssid_len;
wrqu->essid.length = len;
strncpy(b, ieee->current_network.ssid, len);
wrqu->essid.flags = 1;
out:
spin_unlock_irqrestore(&ieee->lock, flags);
Reported by FlawFinder.
Line: 478
Column: 3
CWE codes:
120
spin_lock_irqsave(&ieee->lock, flags);
if (wrqu->essid.flags && wrqu->essid.length) {
strncpy(ieee->current_network.ssid, extra, len);
ieee->current_network.ssid_len = len;
ieee->cannot_notify = false;
ieee->ssid_set = 1;
} else {
ieee->ssid_set = 0;
Reported by FlawFinder.
Line: 549
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcpy(wrqu->name, "802.11");
if (ieee->modulation & RTLLIB_CCK_MODULATION)
strcat(wrqu->name, "b");
if (ieee->modulation & RTLLIB_OFDM_MODULATION)
strcat(wrqu->name, "g");
if (ieee->mode & (IEEE_N_24G | IEEE_N_5G))
strcat(wrqu->name, "n");
return 0;
Reported by FlawFinder.
Line: 551
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (ieee->modulation & RTLLIB_CCK_MODULATION)
strcat(wrqu->name, "b");
if (ieee->modulation & RTLLIB_OFDM_MODULATION)
strcat(wrqu->name, "g");
if (ieee->mode & (IEEE_N_24G | IEEE_N_5G))
strcat(wrqu->name, "n");
return 0;
}
EXPORT_SYMBOL(rtllib_wx_get_name);
Reported by FlawFinder.
Line: 553
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (ieee->modulation & RTLLIB_OFDM_MODULATION)
strcat(wrqu->name, "g");
if (ieee->mode & (IEEE_N_24G | IEEE_N_5G))
strcat(wrqu->name, "n");
return 0;
}
EXPORT_SYMBOL(rtllib_wx_get_name);
Reported by FlawFinder.
drivers/staging/rtl8192e/rtllib_crypt_ccmp.c
7 issues
Line: 123
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Nonce: QC | A2 | PN */
iv[1] = qc;
memcpy(iv + 2, hdr->addr2, ETH_ALEN);
memcpy(iv + 8, pn, CCMP_PN_LEN);
/* AAD:
* FC with bits 4..6 and 11..13 masked to zero; 14 is always one
* A1 | A2 | A3
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Nonce: QC | A2 | PN */
iv[1] = qc;
memcpy(iv + 2, hdr->addr2, ETH_ALEN);
memcpy(iv + 8, pn, CCMP_PN_LEN);
/* AAD:
* FC with bits 4..6 and 11..13 masked to zero; 14 is always one
* A1 | A2 | A3
* SC with bits 4..15 (seq#) masked to zero
Reported by FlawFinder.
Line: 136
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pos = (u8 *) hdr;
aad[0] = pos[0] & 0x8f;
aad[1] = pos[1] & 0xc7;
memcpy(aad + 2, hdr->addr1, 3 * ETH_ALEN);
pos = (u8 *) &hdr->seq_ctl;
aad[20] = pos[0] & 0x0f;
aad[21] = 0; /* all bits masked */
memset(aad + 22, 0, 8);
if (a4_included)
Reported by FlawFinder.
Line: 142
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
aad[21] = 0; /* all bits masked */
memset(aad + 22, 0, 8);
if (a4_included)
memcpy(aad + 22, hdr->addr4, ETH_ALEN);
if (qc_included) {
aad[a4_included ? 28 : 22] = qc;
/* rest of QC masked */
}
Reported by FlawFinder.
Line: 306
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -5;
}
memcpy(key->rx_pn, pn, CCMP_PN_LEN);
}
/* Remove hdr and MIC */
memmove(skb->data + CCMP_HDR_LEN, skb->data, hdr_len);
skb_pull(skb, CCMP_HDR_LEN);
skb_trim(skb, skb->len - CCMP_MIC_LEN);
Reported by FlawFinder.
Line: 328
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data->key_idx = keyidx;
data->tfm = tfm;
if (len == CCMP_TK_LEN) {
memcpy(data->key, key, CCMP_TK_LEN);
data->key_set = 1;
if (seq) {
data->rx_pn[0] = seq[5];
data->rx_pn[1] = seq[4];
data->rx_pn[2] = seq[3];
Reported by FlawFinder.
Line: 360
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!data->key_set)
return 0;
memcpy(key, data->key, CCMP_TK_LEN);
if (seq) {
seq[0] = data->tx_pn[5];
seq[1] = data->tx_pn[4];
seq[2] = data->tx_pn[3];
Reported by FlawFinder.
drivers/staging/rtl8192e/rtl8192e/rtl_wx.c
7 issues
Line: 412
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int len = min_t(int, req->essid_len, IW_ESSID_MAX_SIZE);
ieee->current_network.ssid_len = len;
memcpy(ieee->current_network.ssid, req->essid, len);
}
}
mutex_lock(&priv->wx_mutex);
Reported by FlawFinder.
Line: 537
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wrqu->data.length = min_t(size_t, wrqu->data.length,
sizeof(priv->nick));
memset(priv->nick, 0, sizeof(priv->nick));
memcpy(priv->nick, extra, wrqu->data.length);
mutex_unlock(&priv->wx_mutex);
return 0;
}
static int _rtl92e_wx_get_nick(struct net_device *dev,
Reported by FlawFinder.
Line: 550
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&priv->wx_mutex);
wrqu->data.length = strlen(priv->nick);
memcpy(extra, priv->nick, wrqu->data.length);
wrqu->data.flags = 1; /* active */
mutex_unlock(&priv->wx_mutex);
return 0;
}
Reported by FlawFinder.
Line: 915
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ieee->pairwise_key_type = alg;
rtl92e_enable_hw_security_config(dev);
}
memcpy((u8 *)key, ext->key, 16);
if ((alg & KEY_TYPE_WEP40) && (ieee->auth_mode != 2)) {
if (ext->key_len == 13)
ieee->pairwise_key_type = alg = KEY_TYPE_WEP104;
rtl92e_set_key(dev, idx, idx, alg, zero, 0, key);
Reported by FlawFinder.
Line: 1013
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -E2BIG;
data->data.length = ieee->wpa_ie_len;
memcpy(extra, ieee->wpa_ie, ieee->wpa_ie_len);
return ret;
}
#define OID_RT_INTEL_PROMISCUOUS_MODE 0xFF0101F6
Reported by FlawFinder.
Line: 549
Column: 22
CWE codes:
126
struct r8192_priv *priv = rtllib_priv(dev);
mutex_lock(&priv->wx_mutex);
wrqu->data.length = strlen(priv->nick);
memcpy(extra, priv->nick, wrqu->data.length);
wrqu->data.flags = 1; /* active */
mutex_unlock(&priv->wx_mutex);
return 0;
}
Reported by FlawFinder.
Line: 1071
Column: 22
CWE codes:
126
snprintf(extra, 45, "PromiscuousMode:%d, FilterSrcSTAFrame:%d",
ieee->IntelPromiscuousModeInfo.bPromiscuousOn,
ieee->IntelPromiscuousModeInfo.bFilterSourceStationFrame);
wrqu->data.length = strlen(extra) + 1;
mutex_unlock(&priv->wx_mutex);
return 0;
}
Reported by FlawFinder.
drivers/staging/rtl8192e/rtl8192e/rtl_core.c
7 issues
Line: 434
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
"QoS parameters change call qos_activate\n");
}
} else {
memcpy(&priv->rtllib->current_network.qos_data.parameters,
&def_qos_parameters, size);
if ((network->qos_data.active == 1) && (active_network == 1)) {
schedule_work(&priv->qos_activate);
RT_TRACE(COMP_QOS,
Reported by FlawFinder.
Line: 480
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_irqsave(&priv->rtllib->lock, flags);
if (network->flags & NETWORK_HAS_QOS_PARAMETERS) {
memcpy(&priv->rtllib->current_network.qos_data.parameters,
&network->qos_data.parameters,
sizeof(struct rtllib_qos_parameters));
priv->rtllib->current_network.qos_data.active = 1;
priv->rtllib->wmm_acm = network->qos_data.wmm_acm;
set_qos_param = 1;
Reported by FlawFinder.
Line: 491
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->rtllib->current_network.qos_data.param_count =
network->qos_data.param_count;
} else {
memcpy(&priv->rtllib->current_network.qos_data.parameters,
&def_qos_parameters, size);
priv->rtllib->current_network.qos_data.active = 0;
priv->rtllib->current_network.qos_data.supported = 0;
set_qos_param = 1;
}
Reported by FlawFinder.
Line: 654
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ieee->mode == WIRELESS_MODE_N_24G ||
ieee->mode == WIRELESS_MODE_N_5G) {
memcpy(ieee->Regdot11HTOperationalRateSet,
ieee->RegHTSuppRateSet, 16);
memcpy(ieee->Regdot11TxHTOperationalRateSet,
ieee->RegHTSuppRateSet, 16);
} else {
Reported by FlawFinder.
Line: 656
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ieee->mode == WIRELESS_MODE_N_5G) {
memcpy(ieee->Regdot11HTOperationalRateSet,
ieee->RegHTSuppRateSet, 16);
memcpy(ieee->Regdot11TxHTOperationalRateSet,
ieee->RegHTSuppRateSet, 16);
} else {
memset(ieee->Regdot11HTOperationalRateSet, 0, 16);
}
Reported by FlawFinder.
Line: 1613
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
netdev_warn(dev, "%s(): queue index == TXCMD_QUEUE\n",
__func__);
memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
skb_push(skb, priv->rtllib->tx_headroom);
ret = _rtl92e_tx(dev, skb);
if (queue_index != MGNT_QUEUE) {
priv->rtllib->stats.tx_bytes += (skb->len -
Reported by FlawFinder.
Line: 1643
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
if (queue_index == TXCMD_QUEUE) {
_rtl92e_tx_cmd(dev, skb);
return 0;
}
Reported by FlawFinder.
drivers/staging/fieldbus/anybuss/host.c
7 issues
Line: 841
CWE codes:
476
h->offset_low = cpu_to_be16(0);
if (ext)
memcpy(h->extended, ext, ext_sz);
memcpy(pd->msg, msg_out, msg_out_sz);
pd->msg_out_sz = msg_out_sz;
pd->msg_in_sz = msg_in_sz;
err = ab_task_enqueue_wait(t, cd->powerq, &cd->qlock, &cd->wq);
if (err)
goto out;
Reported by Cppcheck.
Line: 854
CWE codes:
476
err = mbox_cmd_err(cd->dev, pd);
if (err)
goto out;
memcpy(msg_in, pd->msg, msg_in_sz);
out:
ab_task_put(t);
return err;
}
Reported by Cppcheck.
Line: 652
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ap->addr = addr;
ap->is_write = true;
ap->count = count;
memcpy(ap->buf, buf, count);
return t;
}
static struct ab_task *
create_area_user_writer(struct kmem_cache *qcache, u16 flags, u16 addr,
Reported by FlawFinder.
Line: 840
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
h->offset_high = cpu_to_be16(0);
h->offset_low = cpu_to_be16(0);
if (ext)
memcpy(h->extended, ext, ext_sz);
memcpy(pd->msg, msg_out, msg_out_sz);
pd->msg_out_sz = msg_out_sz;
pd->msg_in_sz = msg_in_sz;
err = ab_task_enqueue_wait(t, cd->powerq, &cd->qlock, &cd->wq);
if (err)
Reported by FlawFinder.
Line: 841
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
h->offset_low = cpu_to_be16(0);
if (ext)
memcpy(h->extended, ext, ext_sz);
memcpy(pd->msg, msg_out, msg_out_sz);
pd->msg_out_sz = msg_out_sz;
pd->msg_in_sz = msg_in_sz;
err = ab_task_enqueue_wait(t, cd->powerq, &cd->qlock, &cd->wq);
if (err)
goto out;
Reported by FlawFinder.
Line: 854
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = mbox_cmd_err(cd->dev, pd);
if (err)
goto out;
memcpy(msg_in, pd->msg, msg_in_sz);
out:
ab_task_put(t);
return err;
}
Reported by FlawFinder.
Line: 1074
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = ab_task_enqueue_wait(t, cd->powerq, &cd->qlock, &cd->wq);
if (ret)
goto out;
memcpy(buf, t->area_pd.buf, count);
out:
ab_task_put(t);
return ret;
}
EXPORT_SYMBOL_GPL(anybuss_read_fbctrl);
Reported by FlawFinder.