The following issues were found
drivers/net/wireless/mediatek/mt76/mt7615/mac.c
7 issues
Line: 1134
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cmd == SET_KEY) {
if (cipher == MT_CIPHER_TKIP) {
/* Rx/Tx MIC keys are swapped */
memcpy(data, key->key, 16);
memcpy(data + 16, key->key + 24, 8);
memcpy(data + 24, key->key + 16, 8);
} else {
if (cipher_mask == BIT(cipher))
memcpy(data, key->key, key->keylen);
Reported by FlawFinder.
Line: 1135
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cipher == MT_CIPHER_TKIP) {
/* Rx/Tx MIC keys are swapped */
memcpy(data, key->key, 16);
memcpy(data + 16, key->key + 24, 8);
memcpy(data + 24, key->key + 16, 8);
} else {
if (cipher_mask == BIT(cipher))
memcpy(data, key->key, key->keylen);
else if (cipher != MT_CIPHER_BIP_CMAC_128)
Reported by FlawFinder.
Line: 1136
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Rx/Tx MIC keys are swapped */
memcpy(data, key->key, 16);
memcpy(data + 16, key->key + 24, 8);
memcpy(data + 24, key->key + 16, 8);
} else {
if (cipher_mask == BIT(cipher))
memcpy(data, key->key, key->keylen);
else if (cipher != MT_CIPHER_BIP_CMAC_128)
memcpy(data, key->key, 16);
Reported by FlawFinder.
Line: 1139
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(data + 24, key->key + 16, 8);
} else {
if (cipher_mask == BIT(cipher))
memcpy(data, key->key, key->keylen);
else if (cipher != MT_CIPHER_BIP_CMAC_128)
memcpy(data, key->key, 16);
if (cipher == MT_CIPHER_BIP_CMAC_128)
memcpy(data + 16, key->key, 16);
}
Reported by FlawFinder.
Line: 1141
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cipher_mask == BIT(cipher))
memcpy(data, key->key, key->keylen);
else if (cipher != MT_CIPHER_BIP_CMAC_128)
memcpy(data, key->key, 16);
if (cipher == MT_CIPHER_BIP_CMAC_128)
memcpy(data + 16, key->key, 16);
}
} else {
if (cipher == MT_CIPHER_BIP_CMAC_128)
Reported by FlawFinder.
Line: 1143
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else if (cipher != MT_CIPHER_BIP_CMAC_128)
memcpy(data, key->key, 16);
if (cipher == MT_CIPHER_BIP_CMAC_128)
memcpy(data + 16, key->key, 16);
}
} else {
if (cipher == MT_CIPHER_BIP_CMAC_128)
memset(data + 16, 0, 16);
else if (cipher_mask)
Reported by FlawFinder.
Line: 2259
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
continue;
}
memcpy(data, skb->data, skb->len);
data += skb->len;
dev_kfree_skb(skb);
}
dev_coredumpv(dev->mt76.dev, dump, MT76_CONNAC_COREDUMP_SZ,
Reported by FlawFinder.
drivers/scsi/aic7xxx/aic79xx_core.c
7 issues
Line: 6943
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
const char *type;
int len;
len = sprintf(buf, "%s: ", ahd_chip_names[ahd->chip & AHD_CHIPID_MASK]);
buf += len;
speed = "Ultra320 ";
if ((ahd->features & AHD_WIDE) != 0) {
type = "Wide ";
Reported by FlawFinder.
Line: 6952
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
} else {
type = "Single ";
}
len = sprintf(buf, "%s%sChannel %c, SCSI Id=%d, ",
speed, type, ahd->channel, ahd->our_id);
buf += len;
sprintf(buf, "%s, %d SCBs", ahd->bus_description,
ahd->scb_data.maxhscbs);
Reported by FlawFinder.
Line: 6956
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
speed, type, ahd->channel, ahd->our_id);
buf += len;
sprintf(buf, "%s, %d SCBs", ahd->bus_description,
ahd->scb_data.maxhscbs);
}
static const char *channel_strings[] = {
"Primary Low",
Reported by FlawFinder.
Line: 823
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
q_hscb = ahd->next_queued_hscb;
q_hscb_map = ahd->next_queued_hscb_map;
saved_hscb_busaddr = q_hscb->hscb_busaddr;
memcpy(q_hscb, scb->hscb, sizeof(*scb->hscb));
q_hscb->hscb_busaddr = saved_hscb_busaddr;
q_hscb->next_hscb_busaddr = scb->hscb->hscb_busaddr;
/* Now swap HSCB pointers. */
ahd->next_queued_hscb = scb->hscb;
Reported by FlawFinder.
Line: 3618
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* until an initiator talks to us.
*/
if (master_tstate != NULL) {
memcpy(tstate, master_tstate, sizeof(*tstate));
memset(tstate->enabled_luns, 0, sizeof(tstate->enabled_luns));
for (i = 0; i < 16; i++) {
memset(&tstate->transinfo[i].curr, 0,
sizeof(tstate->transinfo[i].curr));
memset(&tstate->transinfo[i].goal, 0,
Reported by FlawFinder.
Line: 4084
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ahd_outb(ahd, NEGOADDR, devinfo->target);
period = tinfo->period;
offset = tinfo->offset;
memcpy(iocell_opts, ahd->iocell_opts, sizeof(ahd->iocell_opts));
ppr_opts = tinfo->ppr_options & (MSG_EXT_PPR_QAS_REQ|MSG_EXT_PPR_DT_REQ
|MSG_EXT_PPR_IU_REQ|MSG_EXT_PPR_RTI);
con_opts = 0;
if (period == 0)
period = AHD_SYNCRATE_ASYNC;
Reported by FlawFinder.
Line: 10700
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
memcpy(atio->cdb_io.cdb_bytes, byte, atio->cdb_len);
atio->ccb_h.status |= CAM_CDB_RECVD;
if ((cmd->identify & MSG_IDENTIFY_DISCFLAG) == 0) {
/*
Reported by FlawFinder.
drivers/scsi/a3000.h
7 issues
Line: 30
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define A3000_XFER_MASK (0x00000003)
struct a3000_scsiregs {
unsigned char pad1[2];
volatile unsigned short DAWR;
volatile unsigned int WTC;
unsigned char pad2[2];
volatile unsigned short CNTR;
volatile unsigned long ACR;
Reported by FlawFinder.
Line: 33
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char pad1[2];
volatile unsigned short DAWR;
volatile unsigned int WTC;
unsigned char pad2[2];
volatile unsigned short CNTR;
volatile unsigned long ACR;
unsigned char pad3[2];
volatile unsigned short ST_DMA;
unsigned char pad4[2];
Reported by FlawFinder.
Line: 36
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char pad2[2];
volatile unsigned short CNTR;
volatile unsigned long ACR;
unsigned char pad3[2];
volatile unsigned short ST_DMA;
unsigned char pad4[2];
volatile unsigned short FLUSH;
unsigned char pad5[2];
volatile unsigned short CINT;
Reported by FlawFinder.
Line: 38
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
volatile unsigned long ACR;
unsigned char pad3[2];
volatile unsigned short ST_DMA;
unsigned char pad4[2];
volatile unsigned short FLUSH;
unsigned char pad5[2];
volatile unsigned short CINT;
unsigned char pad6[2];
volatile unsigned short ISTR;
Reported by FlawFinder.
Line: 40
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
volatile unsigned short ST_DMA;
unsigned char pad4[2];
volatile unsigned short FLUSH;
unsigned char pad5[2];
volatile unsigned short CINT;
unsigned char pad6[2];
volatile unsigned short ISTR;
unsigned char pad7[30];
volatile unsigned short SP_DMA;
Reported by FlawFinder.
Line: 42
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
volatile unsigned short FLUSH;
unsigned char pad5[2];
volatile unsigned short CINT;
unsigned char pad6[2];
volatile unsigned short ISTR;
unsigned char pad7[30];
volatile unsigned short SP_DMA;
unsigned char pad8;
volatile unsigned char SASR;
Reported by FlawFinder.
Line: 44
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
volatile unsigned short CINT;
unsigned char pad6[2];
volatile unsigned short ISTR;
unsigned char pad7[30];
volatile unsigned short SP_DMA;
unsigned char pad8;
volatile unsigned char SASR;
unsigned char pad9;
volatile unsigned char SCMD;
Reported by FlawFinder.
drivers/power/supply/power_supply_sysfs.c
7 issues
Line: 243
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
usb_type = desc->usb_types[i];
if (value->intval == usb_type) {
count += sprintf(buf + count, "[%s] ",
POWER_SUPPLY_USB_TYPE_TEXT[usb_type]);
match = true;
} else {
count += sprintf(buf + count, "%s ",
POWER_SUPPLY_USB_TYPE_TEXT[usb_type]);
Reported by FlawFinder.
Line: 247
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
POWER_SUPPLY_USB_TYPE_TEXT[usb_type]);
match = true;
} else {
count += sprintf(buf + count, "%s ",
POWER_SUPPLY_USB_TYPE_TEXT[usb_type]);
}
}
if (!match) {
Reported by FlawFinder.
Line: 291
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ps_attr->text_values_len > 0 &&
value.intval < ps_attr->text_values_len && value.intval >= 0) {
return sprintf(buf, "%s\n", ps_attr->text_values[value.intval]);
}
switch (psp) {
case POWER_SUPPLY_PROP_USB_TYPE:
ret = power_supply_show_usb_type(dev, psy->desc,
Reported by FlawFinder.
Line: 300
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
&value, buf);
break;
case POWER_SUPPLY_PROP_MODEL_NAME ... POWER_SUPPLY_PROP_SERIAL_NUMBER:
ret = sprintf(buf, "%s\n", value.strval);
break;
default:
ret = sprintf(buf, "%d\n", value.intval);
}
Reported by FlawFinder.
Line: 25
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct power_supply_attr {
const char *prop_name;
char attr_name[MAX_PROP_NAME_LEN + 1];
struct device_attribute dev_attr;
const char * const *text_values;
int text_values_len;
};
Reported by FlawFinder.
Line: 303
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret = sprintf(buf, "%s\n", value.strval);
break;
default:
ret = sprintf(buf, "%d\n", value.intval);
}
return ret;
}
Reported by FlawFinder.
Line: 407
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!power_supply_attrs[i].prop_name) {
pr_warn("%s: Property %d skipped because it is missing from power_supply_attrs\n",
__func__, i);
sprintf(power_supply_attrs[i].attr_name, "_err_%d", i);
} else {
str_to_lower(power_supply_attrs[i].attr_name);
}
attr = &power_supply_attrs[i].dev_attr;
Reported by FlawFinder.
drivers/scsi/3w-9xxx.h
7 issues
Line: 543
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* New command packet header */
typedef struct TAG_TW_Command_Apache_Header {
unsigned char sense_data[TW_SENSE_DATA_LENGTH];
struct {
u8 reserved[4];
__le16 error;
u8 padding;
u8 severity__reserved;
Reported by FlawFinder.
Line: 550
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 padding;
u8 severity__reserved;
} status_block;
unsigned char err_specific_desc[98];
struct {
u8 size_header;
u8 reserved[2];
u8 size_sense;
} header_desc;
Reported by FlawFinder.
Line: 594
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char retrieved;
unsigned char repeat_count;
unsigned char parameter_len;
unsigned char parameter_data[98];
} TW_Event;
typedef struct TAG_TW_Ioctl_Driver_Command {
unsigned int control_code;
unsigned int status;
Reported by FlawFinder.
Line: 608
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef struct TAG_TW_Ioctl_Apache {
TW_Ioctl_Driver_Command driver_command;
char padding[488];
TW_Command_Full firmware_command;
char data_buffer[];
} TW_Ioctl_Buf_Apache;
/* Lock structure for ioctl get/release lock */
Reported by FlawFinder.
Line: 638
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Compatibility information structure */
typedef struct TAG_TW_Compatibility_Info
{
char driver_version[32];
unsigned short working_srl;
unsigned short working_branch;
unsigned short working_build;
unsigned short driver_srl_high;
unsigned short driver_branch_high;
Reported by FlawFinder.
Line: 661
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
dma_addr_t command_packet_phys[TW_Q_LENGTH];
struct pci_dev *tw_pci_dev;
struct scsi_cmnd *srb[TW_Q_LENGTH];
unsigned char free_queue[TW_Q_LENGTH];
unsigned char free_head;
unsigned char free_tail;
unsigned char pending_queue[TW_Q_LENGTH];
unsigned char pending_head;
unsigned char pending_tail;
Reported by FlawFinder.
Line: 664
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char free_queue[TW_Q_LENGTH];
unsigned char free_head;
unsigned char free_tail;
unsigned char pending_queue[TW_Q_LENGTH];
unsigned char pending_head;
unsigned char pending_tail;
int state[TW_Q_LENGTH];
unsigned int posted_request_count;
unsigned int max_posted_request_count;
Reported by FlawFinder.
drivers/sbus/char/openprom.c
7 issues
Line: 280
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (len > bufsize)
return -EINVAL;
strcpy(op->oprom_array, buf);
op->oprom_size = len;
return copyout(argp, op, bufsize + sizeof(int));
}
Reported by FlawFinder.
Line: 140
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len <= 0 || len > bufsize)
return copyout(argp, op, sizeof(int));
memcpy(op->oprom_array, pval, len);
op->oprom_array[len] = '\0';
op->oprom_size = len;
return copyout(argp, op, sizeof(int) + bufsize);
}
Reported by FlawFinder.
Line: 170
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
prop = prop->next;
}
memcpy(op->oprom_array, prop->name, len);
op->oprom_array[len] = '\0';
op->oprom_size = ++len;
return copyout(argp, op, sizeof(int) + bufsize);
}
Reported by FlawFinder.
Line: 158
Column: 9
CWE codes:
126
prop = dp->properties;
if (!prop)
return copyout(argp, op, sizeof(int));
len = strlen(prop->name);
} else {
prop = of_find_property(dp, op->oprom_array, NULL);
if (!prop ||
!prop->next ||
Reported by FlawFinder.
Line: 164
Column: 14
CWE codes:
126
if (!prop ||
!prop->next ||
(len = strlen(prop->next->name)) + 1 > bufsize)
return copyout(argp, op, sizeof(int));
prop = prop->next;
}
Reported by FlawFinder.
Line: 179
Column: 32
CWE codes:
126
static int opromsetopt(struct device_node *dp, struct openpromio *op, int bufsize)
{
char *buf = op->oprom_array + strlen(op->oprom_array) + 1;
int len = op->oprom_array + bufsize - buf;
return of_set_property(options_node, op->oprom_array, buf, len);
}
Reported by FlawFinder.
Line: 275
Column: 12
CWE codes:
126
static int opromgetbootargs(void __user *argp, struct openpromio *op, int bufsize)
{
char *buf = saved_command_line;
int len = strlen(buf);
if (len > bufsize)
return -EINVAL;
strcpy(op->oprom_array, buf);
Reported by FlawFinder.
drivers/net/wireless/marvell/libertas/cmd.c
7 issues
Line: 38
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
uint16_t copy_len;
copy_len = min(le16_to_cpu(buf->size), le16_to_cpu(resp->size));
memcpy(buf, resp, copy_len);
return 0;
}
EXPORT_SYMBOL_GPL(lbs_cmd_copyback);
/**
Reported by FlawFinder.
Line: 97
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&cmd, 0, sizeof(cmd));
cmd.hdr.size = cpu_to_le16(sizeof(cmd));
memcpy(cmd.permanentaddr, priv->current_addr, ETH_ALEN);
ret = lbs_cmd_with_response(priv, CMD_GET_HW_SPEC, &cmd);
if (ret)
goto out;
priv->fwcapinfo = le32_to_cpu(cmd.fwcapinfo);
Reported by FlawFinder.
Line: 153
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memmove(priv->current_addr, cmd.permanentaddr, ETH_ALEN);
if (!priv->copied_hwaddr) {
memcpy(priv->dev->dev_addr, priv->current_addr, ETH_ALEN);
if (priv->mesh_dev)
memcpy(priv->mesh_dev->dev_addr,
priv->current_addr, ETH_ALEN);
priv->copied_hwaddr = 1;
}
Reported by FlawFinder.
Line: 155
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!priv->copied_hwaddr) {
memcpy(priv->dev->dev_addr, priv->current_addr, ETH_ALEN);
if (priv->mesh_dev)
memcpy(priv->mesh_dev->dev_addr,
priv->current_addr, ETH_ALEN);
priv->copied_hwaddr = 1;
}
out:
Reported by FlawFinder.
Line: 200
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd_config.gap = priv->wol_gap;
if (p_wol_config != NULL)
memcpy((uint8_t *)&cmd_config.wol_conf, (uint8_t *)p_wol_config,
sizeof(struct wol_config));
else
cmd_config.wol_conf.action = CMD_ACT_ACTION_NONE;
ret = __lbs_cmd(priv, CMD_802_11_HOST_SLEEP_CFG, &cmd_config.hdr,
Reported by FlawFinder.
Line: 210
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lbs_ret_host_sleep_cfg, 0);
if (!ret) {
if (p_wol_config)
memcpy((uint8_t *) p_wol_config,
(uint8_t *)&cmd_config.wol_conf,
sizeof(struct wol_config));
} else {
netdev_info(priv->dev, "HOST_SLEEP_CFG failed %d\n", ret);
}
Reported by FlawFinder.
Line: 1537
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmdnode->callback_arg = callback_arg;
/* Copy the incoming command to the buffer */
memcpy(cmdnode->cmdbuf, in_cmd, in_cmd_size);
/* Set command, clean result, move to buffer */
cmdnode->cmdbuf->command = cpu_to_le16(command);
cmdnode->cmdbuf->size = cpu_to_le16(in_cmd_size);
cmdnode->cmdbuf->result = 0;
Reported by FlawFinder.
drivers/scsi/arcmsr/arcmsr.h
7 issues
Line: 206
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint32_t numbers_queue; /*2, 08-11*/
uint32_t sdram_size; /*3, 12-15*/
uint32_t ide_channels; /*4, 16-19*/
char vendor[40]; /*5, 20-59*/
char model[8]; /*15, 60-67*/
char firmware_ver[16]; /*17, 68-83*/
char device_map[16]; /*21, 84-99*/
uint32_t cfgVersion; /*25,100-103 Added for checking of new firmware capability*/
uint8_t cfgSerial[16]; /*26,104-119*/
Reported by FlawFinder.
Line: 207
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint32_t sdram_size; /*3, 12-15*/
uint32_t ide_channels; /*4, 16-19*/
char vendor[40]; /*5, 20-59*/
char model[8]; /*15, 60-67*/
char firmware_ver[16]; /*17, 68-83*/
char device_map[16]; /*21, 84-99*/
uint32_t cfgVersion; /*25,100-103 Added for checking of new firmware capability*/
uint8_t cfgSerial[16]; /*26,104-119*/
uint32_t cfgPicStatus; /*30,120-123*/
Reported by FlawFinder.
Line: 208
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint32_t ide_channels; /*4, 16-19*/
char vendor[40]; /*5, 20-59*/
char model[8]; /*15, 60-67*/
char firmware_ver[16]; /*17, 68-83*/
char device_map[16]; /*21, 84-99*/
uint32_t cfgVersion; /*25,100-103 Added for checking of new firmware capability*/
uint8_t cfgSerial[16]; /*26,104-119*/
uint32_t cfgPicStatus; /*30,120-123*/
};
Reported by FlawFinder.
Line: 209
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char vendor[40]; /*5, 20-59*/
char model[8]; /*15, 60-67*/
char firmware_ver[16]; /*17, 68-83*/
char device_map[16]; /*21, 84-99*/
uint32_t cfgVersion; /*25,100-103 Added for checking of new firmware capability*/
uint8_t cfgSerial[16]; /*26,104-119*/
uint32_t cfgPicStatus; /*30,120-123*/
};
/* signature of set and get firmware config */
Reported by FlawFinder.
Line: 928
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint32_t firm_sdram_size;
uint32_t firm_hd_channels;
uint32_t firm_cfg_version;
char firm_model[12];
char firm_version[20];
char device_map[20]; /*21,84-99*/
struct work_struct arcmsr_do_message_isr_bh;
struct timer_list eternal_timer;
unsigned short fw_flag;
Reported by FlawFinder.
Line: 929
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint32_t firm_hd_channels;
uint32_t firm_cfg_version;
char firm_model[12];
char firm_version[20];
char device_map[20]; /*21,84-99*/
struct work_struct arcmsr_do_message_isr_bh;
struct timer_list eternal_timer;
unsigned short fw_flag;
#define FW_NORMAL 0x0000
Reported by FlawFinder.
Line: 930
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint32_t firm_cfg_version;
char firm_model[12];
char firm_version[20];
char device_map[20]; /*21,84-99*/
struct work_struct arcmsr_do_message_isr_bh;
struct timer_list eternal_timer;
unsigned short fw_flag;
#define FW_NORMAL 0x0000
#define FW_BOG 0x0001
Reported by FlawFinder.
arch/x86/boot/video.c
7 issues
Line: 148
CWE codes:
570
int col;
nmodes = 0;
for (card = video_cards; card < video_cards_end; card++)
nmodes += card->nmodes;
modes_per_line = 1;
if (nmodes >= 20)
modes_per_line = 3;
Reported by Cppcheck.
Line: 161
CWE codes:
570
col = 0;
ch = '0';
for (card = video_cards; card < video_cards_end; card++) {
mi = card->modes;
for (i = 0; i < card->nmodes; i++, mi++) {
char resbuf[32];
int visible = mi->x && mi->y;
u16 mode_id = mi->mode ? mi->mode :
Reported by Cppcheck.
Line: 100
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned int get_entry(void)
{
char entry_buf[4];
int i, len = 0;
int key;
unsigned int v;
do {
Reported by FlawFinder.
Line: 164
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for (card = video_cards; card < video_cards_end; card++) {
mi = card->modes;
for (i = 0; i < card->nmodes; i++, mi++) {
char resbuf[32];
int visible = mi->x && mi->y;
u16 mode_id = mi->mode ? mi->mode :
(mi->y << 8)+mi->x;
if (!visible)
Reported by FlawFinder.
Line: 173
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
continue; /* Hidden mode */
if (mi->depth)
sprintf(resbuf, "%dx%d", mi->y, mi->depth);
else
sprintf(resbuf, "%d", mi->y);
printf("%c %03X %4dx%-7s %-6s",
ch, mode_id, mi->x, resbuf, card->card_name);
Reported by FlawFinder.
Line: 175
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (mi->depth)
sprintf(resbuf, "%dx%d", mi->y, mi->depth);
else
sprintf(resbuf, "%d", mi->y);
printf("%c %03X %4dx%-7s %-6s",
ch, mode_id, mi->x, resbuf, card->card_name);
col++;
if (col >= modes_per_line) {
Reported by FlawFinder.
arch/s390/boot/pgm_check_info.c
7 issues
Line: 43
CWE codes:
570
char *pivot;
char *endp;
while (a < b) {
pivot = symstart(a + (b - a) / 2);
start = simple_strtoull(pivot, &endp, 16);
size = simple_strtoull(endp + 1, &endp, 16);
if (ip < start) {
b = pivot;
Reported by Cppcheck.
Line: 64
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static noinline char *strsym(void *ip)
{
static char buf[64];
unsigned short off;
unsigned short len;
char *p;
p = findsym((unsigned long)ip, &off, &len);
Reported by FlawFinder.
Line: 74
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strncpy(buf, p, sizeof(buf));
/* reserve 15 bytes for offset/len in symbol+0x1234/0x1234 */
p = buf + strnlen(buf, sizeof(buf) - 15);
strcpy(p, "+0x");
p = as_hex(p + 3, off, 0);
strcpy(p, "/0x");
as_hex(p + 3, len, 0);
} else {
as_hex(buf, (unsigned long)ip, 16);
Reported by FlawFinder.
Line: 76
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
p = buf + strnlen(buf, sizeof(buf) - 15);
strcpy(p, "+0x");
p = as_hex(p + 3, off, 0);
strcpy(p, "/0x");
as_hex(p + 3, len, 0);
} else {
as_hex(buf, (unsigned long)ip, 16);
}
return buf;
Reported by FlawFinder.
Line: 86
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void decompressor_printk(const char *fmt, ...)
{
char buf[1024] = { 0 };
char *end = buf + sizeof(buf) - 1; /* make sure buf is 0 terminated */
unsigned long pad;
char *p = buf;
va_list args;
Reported by FlawFinder.
Line: 52
Column: 16
CWE codes:
126
continue;
}
if (ip > start + size) {
a = pivot + strlen(pivot) + 1;
continue;
}
*off = ip - start;
*len = size;
return endp + 1;
Reported by FlawFinder.
Line: 71
Column: 3
CWE codes:
120
p = findsym((unsigned long)ip, &off, &len);
if (p) {
strncpy(buf, p, sizeof(buf));
/* reserve 15 bytes for offset/len in symbol+0x1234/0x1234 */
p = buf + strnlen(buf, sizeof(buf) - 15);
strcpy(p, "+0x");
p = as_hex(p + 3, off, 0);
strcpy(p, "/0x");
Reported by FlawFinder.