The following issues were found
drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c
7 issues
Line: 87
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (state->classification.flags & PP_StateClassificationFlag_Boot) {
hwmgr->boot_ps = state;
memcpy(hwmgr->current_ps, state, size);
memcpy(hwmgr->request_ps, state, size);
}
state->id = i + 1; /* assigned unique num for every power state id */
Reported by FlawFinder.
Line: 88
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (state->classification.flags & PP_StateClassificationFlag_Boot) {
hwmgr->boot_ps = state;
memcpy(hwmgr->current_ps, state, size);
memcpy(hwmgr->request_ps, state, size);
}
state->id = i + 1; /* assigned unique num for every power state id */
if (state->classification.flags & PP_StateClassificationFlag_Uvd)
Reported by FlawFinder.
Line: 172
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < table_entries; i++) {
if (state->id == state_id) {
memcpy(hwmgr->request_ps, state, hwmgr->ps_size);
return 0;
}
state = (struct pp_power_state *)((unsigned long)state + hwmgr->ps_size);
}
return -EINVAL;
Reported by FlawFinder.
Line: 262
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!equal || phm_check_smc_update_required_for_display_configuration(hwmgr)) {
phm_set_power_state(hwmgr, &pcurrent->hardware, &requested->hardware);
memcpy(hwmgr->current_ps, hwmgr->request_ps, hwmgr->ps_size);
}
}
int psm_adjust_power_state_dynamic(struct pp_hwmgr *hwmgr, bool skip_display_settings,
struct pp_power_state *new_ps)
Reported by FlawFinder.
Line: 246
Column: 7
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
{
struct pp_power_state *pcurrent;
struct pp_power_state *requested;
bool equal;
if (new_ps != NULL)
requested = new_ps;
else
requested = hwmgr->request_ps;
Reported by FlawFinder.
Line: 257
Column: 48
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
phm_apply_state_adjust_rules(hwmgr, requested, pcurrent);
if (pcurrent == NULL || (0 != phm_check_states_equal(hwmgr,
&pcurrent->hardware, &requested->hardware, &equal)))
equal = false;
if (!equal || phm_check_smc_update_required_for_display_configuration(hwmgr)) {
phm_set_power_state(hwmgr, &pcurrent->hardware, &requested->hardware);
memcpy(hwmgr->current_ps, hwmgr->request_ps, hwmgr->ps_size);
Reported by FlawFinder.
Line: 260
Column: 7
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
&pcurrent->hardware, &requested->hardware, &equal)))
equal = false;
if (!equal || phm_check_smc_update_required_for_display_configuration(hwmgr)) {
phm_set_power_state(hwmgr, &pcurrent->hardware, &requested->hardware);
memcpy(hwmgr->current_ps, hwmgr->request_ps, hwmgr->ps_size);
}
}
Reported by FlawFinder.
drivers/char/applicom.c
7 issues
Line: 307
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
for (i = 0; i < MAX_BOARD; i++) {
int serial;
char boardname[(SERIAL_NUMBER - TYPE_CARD) + 1];
if (!apbs[i].RamIO)
continue;
for (serial = 0; serial < SERIAL_NUMBER - TYPE_CARD; serial++)
Reported by FlawFinder.
Line: 514
Column: 43
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
printk("Read from applicom card #%d. struct st_ram_io follows:", NumCard);
for (c = 0; c < sizeof(struct st_ram_io);) {
printk("\n%5.5X: %2.2X", c, ((unsigned char *)st_loc)[c]);
for (c++; c % 8 && c < sizeof(struct st_ram_io); c++) {
printk(" %2.2X", ((unsigned char *)st_loc)[c]);
}
}
Reported by FlawFinder.
Line: 517
Column: 33
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
printk("\n%5.5X: %2.2X", c, ((unsigned char *)st_loc)[c]);
for (c++; c % 8 && c < sizeof(struct st_ram_io); c++) {
printk(" %2.2X", ((unsigned char *)st_loc)[c]);
}
}
printk("\nstruct mailbox follows:");
Reported by FlawFinder.
Line: 524
Column: 43
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
printk("\nstruct mailbox follows:");
for (c = 0; c < sizeof(struct mailbox);) {
printk("\n%5.5X: %2.2X", c, ((unsigned char *)mailbox)[c]);
for (c++; c % 8 && c < sizeof(struct mailbox); c++) {
printk(" %2.2X", ((unsigned char *)mailbox)[c]);
}
}
Reported by FlawFinder.
Line: 527
Column: 33
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
printk("\n%5.5X: %2.2X", c, ((unsigned char *)mailbox)[c]);
for (c++; c % 8 && c < sizeof(struct mailbox); c++) {
printk(" %2.2X", ((unsigned char *)mailbox)[c]);
}
}
printk("\n");
#endif
return (sizeof(struct st_ram_io) + sizeof(struct mailbox));
Reported by FlawFinder.
Line: 729
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
case 0:
pmem = apbs[IndexCard].RamIO;
for (i = 0; i < sizeof(struct st_ram_io); i++)
((unsigned char *)adgl)[i]=readb(pmem++);
if (copy_to_user(argp, adgl, sizeof(struct st_ram_io)))
ret = -EFAULT;
break;
case 1:
pmem = apbs[IndexCard].RamIO + CONF_END_TEST;
Reported by FlawFinder.
Line: 794
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
printk(KERN_INFO "Interrupt IRQ number ....... %d\n", (int) irq);
for (i = 0; i < MAX_BOARD; i++) {
int serial;
char boardname[(SERIAL_NUMBER - TYPE_CARD) + 1];
if (!apbs[i].RamIO)
continue;
for (serial = 0; serial < SERIAL_NUMBER - TYPE_CARD; serial++)
Reported by FlawFinder.
drivers/bus/fsl-mc/fsl-mc-bus.c
7 issues
Line: 156
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
return sprintf(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
mc_dev->obj_desc.type);
}
static DEVICE_ATTR_RO(modalias);
static ssize_t driver_override_store(struct device *dev,
Reported by FlawFinder.
Line: 926
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
int state, err;
mc_bus_dev = to_fsl_mc_device(mc_dev->dev.parent);
strcpy(endpoint1.type, mc_dev->obj_desc.type);
endpoint1.id = mc_dev->obj_desc.id;
err = dprc_get_connection(mc_bus_dev->mc_io, 0,
mc_bus_dev->mc_handle,
&endpoint1, &endpoint2,
Reported by FlawFinder.
Line: 942
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return ERR_PTR(err);
}
strcpy(endpoint_desc.type, endpoint2.type);
endpoint_desc.id = endpoint2.id;
endpoint = fsl_mc_device_lookup(&endpoint_desc, mc_bus_dev);
/*
* We know that the device has an endpoint because we verified by
Reported by FlawFinder.
Line: 278
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
root_mc_dev = to_fsl_mc_device(dev);
sprintf(buf, "%d\n", get_dprc_irq_state(root_mc_dev));
exit:
return 0;
}
static ssize_t autorescan_store(struct bus_type *bus,
Reported by FlawFinder.
Line: 1168
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
goto error_cleanup_mc_io;
obj_desc.vendor = FSL_MC_VENDOR_FREESCALE;
strcpy(obj_desc.type, "dprc");
obj_desc.id = container_id;
obj_desc.irq_count = 1;
obj_desc.region_count = 0;
error = fsl_mc_device_add(&obj_desc, mc_io, &pdev->dev, &mc_bus_dev);
Reported by FlawFinder.
Line: 183
Column: 6
CWE codes:
126
if (cp)
*cp = '\0';
if (strlen(driver_override)) {
mc_dev->driver_override = driver_override;
} else {
kfree(driver_override);
mc_dev->driver_override = NULL;
}
Reported by FlawFinder.
Line: 294
Column: 9
CWE codes:
126
static ssize_t autorescan_show(struct bus_type *bus, char *buf)
{
bus_for_each_dev(bus, NULL, (void *)buf, fsl_mc_bus_get_autorescan);
return strlen(buf);
}
static BUS_ATTR_RW(autorescan);
static struct attribute *fsl_mc_bus_attrs[] = {
Reported by FlawFinder.
drivers/bluetooth/hci_h5.c
7 issues
Line: 102
Column: 9
CWE codes:
362
struct h5_vnd {
int (*setup)(struct h5 *h5);
void (*open)(struct h5 *h5);
void (*close)(struct h5 *h5);
int (*suspend)(struct h5 *h5);
int (*resume)(struct h5 *h5);
const struct acpi_gpio_mapping *acpi_gpio_map;
};
Reported by FlawFinder.
Line: 136
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void h5_timed_event(struct timer_list *t)
{
const unsigned char sync_req[] = { 0x01, 0x7e };
unsigned char conf_req[3] = { 0x03, 0xfc };
struct h5 *h5 = from_timer(h5, t, timer);
struct hci_uart *hu = h5->hu;
struct sk_buff *skb;
unsigned long flags;
Reported by FlawFinder.
Line: 226
Column: 26
CWE codes:
362
h5->tx_win = H5_TX_WIN_MAX;
if (h5->vnd && h5->vnd->open)
h5->vnd->open(h5);
set_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags);
/* Send initial sync request */
Reported by FlawFinder.
Line: 227
Column: 12
CWE codes:
362
h5->tx_win = H5_TX_WIN_MAX;
if (h5->vnd && h5->vnd->open)
h5->vnd->open(h5);
set_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags);
/* Send initial sync request */
h5_link_control(hu, sync, sizeof(sync));
Reported by FlawFinder.
Line: 317
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct h5 *h5 = hu->priv;
const unsigned char sync_req[] = { 0x01, 0x7e };
const unsigned char sync_rsp[] = { 0x02, 0x7d };
unsigned char conf_req[3] = { 0x03, 0xfc };
const unsigned char conf_rsp[] = { 0x04, 0x7b };
const unsigned char wakeup_req[] = { 0x05, 0xfa };
const unsigned char woken_req[] = { 0x06, 0xf9 };
const unsigned char sleep_req[] = { 0x07, 0x78 };
const unsigned char *hdr = h5->rx_skb->data;
Reported by FlawFinder.
Line: 624
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void h5_slip_one_byte(struct sk_buff *skb, u8 c)
{
const char esc_delim[2] = { SLIP_ESC, SLIP_ESC_DELIM };
const char esc_esc[2] = { SLIP_ESC, SLIP_ESC_ESC };
switch (c) {
case SLIP_DELIMITER:
skb_put_data(skb, &esc_delim, 2);
Reported by FlawFinder.
Line: 625
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void h5_slip_one_byte(struct sk_buff *skb, u8 c)
{
const char esc_delim[2] = { SLIP_ESC, SLIP_ESC_DELIM };
const char esc_esc[2] = { SLIP_ESC, SLIP_ESC_ESC };
switch (c) {
case SLIP_DELIMITER:
skb_put_data(skb, &esc_delim, 2);
break;
Reported by FlawFinder.
drivers/bluetooth/btrtl.c
7 issues
Line: 404
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!buf)
return -ENOMEM;
memcpy(buf, btrtl_dev->fw_data + patch_offset, patch_length - 4);
memcpy(buf + patch_length - 4, &epatch_info->fw_version, 4);
*_buf = buf;
return len;
}
Reported by FlawFinder.
Line: 405
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
memcpy(buf, btrtl_dev->fw_data + patch_offset, patch_length - 4);
memcpy(buf + patch_length - 4, &epatch_info->fw_version, 4);
*_buf = buf;
return len;
}
Reported by FlawFinder.
Line: 440
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dl_cmd->index |= 0x80; /* data end */
frag_len = fw_len % RTL_FRAG_LEN;
}
memcpy(dl_cmd->data, data, frag_len);
/* Send download command */
skb = __hci_cmd_sync(hdev, 0xfc20, frag_len + 1, dl_cmd,
HCI_INIT_TIMEOUT);
if (IS_ERR(skb)) {
Reported by FlawFinder.
Line: 492
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = fw->size;
*buff = kvmalloc(fw->size, GFP_KERNEL);
if (*buff)
memcpy(*buff, fw->data, ret);
else
ret = -ENOMEM;
release_firmware(fw);
Reported by FlawFinder.
Line: 537
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy(tbuff, fw_data, ret);
kvfree(fw_data);
memcpy(tbuff + ret, btrtl_dev->cfg_data, btrtl_dev->cfg_len);
ret += btrtl_dev->cfg_len;
Reported by FlawFinder.
Line: 540
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(tbuff, fw_data, ret);
kvfree(fw_data);
memcpy(tbuff + ret, btrtl_dev->cfg_data, btrtl_dev->cfg_len);
ret += btrtl_dev->cfg_len;
fw_data = tbuff;
}
Reported by FlawFinder.
Line: 569
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct btrtl_device_info *btrtl_dev;
struct sk_buff *skb;
struct hci_rp_read_local_version *resp;
char cfg_name[40];
u16 hci_rev, lmp_subver;
u8 hci_ver;
int ret;
u16 opcode;
u8 cmd[2];
Reported by FlawFinder.
drivers/block/paride/pd.c
7 issues
Line: 226
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct pd_unit {
struct pi_adapter pia; /* interface to paride layer */
struct pi_adapter *pi;
int access; /* count of active opens ... */
int capacity; /* Size of this volume in sectors */
int heads; /* physical geometry */
int sectors;
int cylinders;
int can_lba;
Reported by FlawFinder.
Line: 845
Column: 15
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct pd_unit *disk = p->private_data;
mutex_lock(&pd_mutex);
if (!--disk->access && disk->removable)
pd_special_command(disk, pd_door_unlock);
mutex_unlock(&pd_mutex);
}
static unsigned int pd_check_events(struct gendisk *p, unsigned int clearing)
Reported by FlawFinder.
Line: 901
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
disk->gd = p;
strcpy(p->disk_name, disk->name);
p->fops = &pd_fops;
p->major = major;
p->first_minor = (disk - pd) << PD_BITS;
p->minors = 1 << PD_BITS;
p->events = DISK_EVENT_MEDIA_CHANGE;
Reported by FlawFinder.
Line: 237
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int removable; /* removable media device ? */
int standby;
int alt_geom;
char name[PD_NAMELEN]; /* pda, pdb, etc ... */
struct gendisk *gd;
struct blk_mq_tag_set tag_set;
struct list_head rq_list;
};
Reported by FlawFinder.
Line: 250
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum action (*func)(struct pd_unit *disk);
};
static char pd_scratch[512]; /* scratch block buffer */
static char *pd_errs[17] = { "ERR", "INDEX", "ECC", "DRQ", "SEEK", "WRERR",
"READY", "BUSY", "AMNF", "TK0NF", "ABRT", "MCR",
"IDNF", "MC", "UNC", "???", "TMO"
};
Reported by FlawFinder.
Line: 252
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char pd_scratch[512]; /* scratch block buffer */
static char *pd_errs[17] = { "ERR", "INDEX", "ECC", "DRQ", "SEEK", "WRERR",
"READY", "BUSY", "AMNF", "TK0NF", "ABRT", "MCR",
"IDNF", "MC", "UNC", "???", "TMO"
};
static void *par_drv; /* reference of parport driver */
Reported by FlawFinder.
Line: 701
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static enum action pd_identify(struct pd_unit *disk)
{
int j;
char id[PD_ID_LEN + 1];
/* WARNING: here there may be dragons. reset() applies to both drives,
but we call it only on probing the MASTER. This should allow most
common configurations to work, but be warned that a reset can clear
settings on the SLAVE drive.
Reported by FlawFinder.
drivers/bluetooth/btqca.c
7 issues
Line: 72
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (soc_type >= QCA_WCN3991)
memcpy(ver, edl->data + 1, sizeof(*ver));
else
memcpy(ver, &edl->data, sizeof(*ver));
bt_dev_info(hdev, "QCA Product ID :0x%08x",
le32_to_cpu(ver->product_id));
Reported by FlawFinder.
Line: 74
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (soc_type >= QCA_WCN3991)
memcpy(ver, edl->data + 1, sizeof(*ver));
else
memcpy(ver, &edl->data, sizeof(*ver));
bt_dev_info(hdev, "QCA Product ID :0x%08x",
le32_to_cpu(ver->product_id));
bt_dev_info(hdev, "QCA SOC Version :0x%08x",
le32_to_cpu(ver->soc_id));
Reported by FlawFinder.
Line: 101
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct sk_buff *skb;
struct edl_event_hdr *edl;
char cmd, build_label[QCA_FW_BUILD_VER_LEN];
int build_lbl_len, err = 0;
bt_dev_dbg(hdev, "QCA read fw build info");
cmd = EDL_GET_BUILD_INFO_CMD;
Reported by FlawFinder.
Line: 133
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
build_lbl_len = edl->data[0];
if (build_lbl_len <= QCA_FW_BUILD_VER_LEN - 1) {
memcpy(build_label, edl->data + 1, build_lbl_len);
*(build_label + build_lbl_len) = '\0';
}
hci_set_fw_info(hdev, "%s", build_label);
Reported by FlawFinder.
Line: 317
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd[0] = EDL_PATCH_TLV_REQ_CMD;
cmd[1] = seg_size;
memcpy(cmd + 2, data, seg_size);
if (mode == QCA_SKIP_EVT_VSE_CC || mode == QCA_SKIP_EVT_VSE)
return __hci_cmd_send(hdev, EDL_PATCH_CMD_OPCODE, seg_size + 2,
cmd);
Reported by FlawFinder.
Line: 446
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(data, fw->data, size);
release_firmware(fw);
qca_tlv_check_data(hdev, config, data, soc_type);
segment = data;
Reported by FlawFinder.
Line: 517
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd[0] = EDL_NVM_ACCESS_SET_REQ_CMD;
cmd[1] = 0x02; /* TAG ID */
cmd[2] = sizeof(bdaddr_t); /* size */
memcpy(cmd + 3, bdaddr, sizeof(bdaddr_t));
skb = __hci_cmd_sync_ev(hdev, EDL_NVM_ACCESS_OPCODE, sizeof(cmd), cmd,
HCI_EV_VENDOR, HCI_INIT_TIMEOUT);
if (IS_ERR(skb)) {
err = PTR_ERR(skb);
bt_dev_err(hdev, "QCA Change address command failed (%d)", err);
Reported by FlawFinder.
drivers/bluetooth/bt3c_cs.c
7 issues
Line: 428
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Prepend skb with frame type */
memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
skb_queue_tail(&(info->txq), skb);
spin_lock_irqsave(&(info->lock), flags);
bt3c_write_wakeup(info);
Reported by FlawFinder.
Line: 450
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int count)
{
char *ptr = (char *) firmware;
char b[9];
unsigned int iobase, tmp, tn;
unsigned long size, addr, fcs;
int i, err = 0;
iobase = info->p_dev->resource[0]->start;
Reported by FlawFinder.
Line: 476
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memset(b, 0, sizeof(b));
memcpy(b, ptr + 2, 2);
if (kstrtoul(b, 16, &size) < 0)
return -EINVAL;
memset(b, 0, sizeof(b));
memcpy(b, ptr + 4, 8);
Reported by FlawFinder.
Line: 481
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
memset(b, 0, sizeof(b));
memcpy(b, ptr + 4, 8);
if (kstrtoul(b, 16, &addr) < 0)
return -EINVAL;
memset(b, 0, sizeof(b));
memcpy(b, ptr + (size * 2) + 2, 2);
Reported by FlawFinder.
Line: 486
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
memset(b, 0, sizeof(b));
memcpy(b, ptr + (size * 2) + 2, 2);
if (kstrtoul(b, 16, &fcs) < 0)
return -EINVAL;
memset(b, 0, sizeof(b));
for (tmp = 0, i = 0; i < size; i++) {
Reported by FlawFinder.
Line: 492
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(b, 0, sizeof(b));
for (tmp = 0, i = 0; i < size; i++) {
memcpy(b, ptr + (i * 2) + 2, 2);
if (kstrtouint(b, 16, &tn))
return -EINVAL;
tmp += tn;
}
Reported by FlawFinder.
Line: 509
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(b, 0, sizeof(b));
for (i = 0; i < (size - 4) / 2; i++) {
memcpy(b, ptr + (i * 4) + 12, 4);
if (kstrtouint(b, 16, &tmp))
return -EINVAL;
bt3c_put(iobase, tmp);
}
}
Reported by FlawFinder.
drivers/block/aoe/aoe.h
7 issues
Line: 40
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct aoe_hdr {
unsigned char dst[6];
unsigned char src[6];
__be16 type;
unsigned char verfl;
unsigned char err;
__be16 major;
Reported by FlawFinder.
Line: 41
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct aoe_hdr {
unsigned char dst[6];
unsigned char src[6];
__be16 type;
unsigned char verfl;
unsigned char err;
__be16 major;
unsigned char minor;
Reported by FlawFinder.
Line: 62
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char lba3;
unsigned char lba4;
unsigned char lba5;
unsigned char res[2];
};
struct aoe_cfghdr {
__be16 bufcnt;
__be16 fwver;
Reported by FlawFinder.
Line: 70
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__be16 fwver;
unsigned char scnt;
unsigned char aoeccmd;
unsigned char cslen[2];
};
enum {
DEVFL_UP = 1, /* device is installed in system and ready for AoE->ATA commands */
DEVFL_TKILL = (1<<1), /* flag for timer to know when to kill self */
Reported by FlawFinder.
Line: 139
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct aoetgt {
unsigned char addr[6];
ushort nframes; /* cap on frames to use */
struct aoedev *d; /* parent device I belong to */
struct list_head ffree; /* list of free frames */
struct aoeif ifs[NAOEIFS];
struct aoeif *ifp; /* current aoeif in use */
Reported by FlawFinder.
Line: 193
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ulong ntargets; /* number of allocated aoetgt pointers */
struct aoetgt **tgt; /* target in use when working */
ulong kicked;
char ident[512];
};
/* kthread tracking */
struct ktstate {
struct completion rendez;
Reported by FlawFinder.
Line: 202
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct task_struct *task;
wait_queue_head_t *waitq;
int (*fn) (int);
char name[12];
spinlock_t *lock;
int id;
int active;
};
Reported by FlawFinder.
drivers/block/ps3disk.c
7 issues
Line: 473
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
gendisk->minors = PS3DISK_MINORS;
gendisk->fops = &ps3disk_fops;
gendisk->private_data = dev;
snprintf(gendisk->disk_name, sizeof(gendisk->disk_name), PS3DISK_NAME,
devidx+'a');
priv->blocking_factor = dev->blk_size >> 9;
set_capacity(gendisk,
dev->regions[dev->region_idx].size*priv->blocking_factor);
Reported by FlawFinder.
Line: 37
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int blocking_factor;
struct request *req;
u64 raw_capacity;
unsigned char model[ATA_ID_PROD_LEN+1];
};
#define LV1_STORAGE_SEND_ATA_COMMAND (2)
#define LV1_STORAGE_ATA_HDDOUT (0x23)
Reported by FlawFinder.
Line: 99
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size = bvec.bv_len;
buf = bvec_kmap_irq(&bvec, &flags);
if (gather)
memcpy(dev->bounce_buf+offset, buf, size);
else
memcpy(buf, dev->bounce_buf+offset, size);
offset += size;
flush_kernel_dcache_page(bvec.bv_page);
bvec_kunmap_irq(buf, &flags);
Reported by FlawFinder.
Line: 101
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (gather)
memcpy(dev->bounce_buf+offset, buf, size);
else
memcpy(buf, dev->bounce_buf+offset, size);
offset += size;
flush_kernel_dcache_page(bvec.bv_page);
bvec_kunmap_irq(buf, &flags);
i++;
}
Reported by FlawFinder.
Line: 216
Column: 11
CWE codes:
120
20
struct ps3_storage_device *dev = data;
struct ps3disk_private *priv;
struct request *req;
int res, read;
blk_status_t error;
u64 tag, status;
const char *op;
res = lv1_storage_get_async_status(dev->sbd.dev_id, &tag, &status);
Reported by FlawFinder.
Line: 250
Column: 8
CWE codes:
120
20
op = "flush";
} else {
read = !rq_data_dir(req);
op = read ? "read" : "write";
}
if (status) {
dev_dbg(&dev->sbd.core, "%s:%u: %s failed 0x%llx\n", __func__,
__LINE__, op, status);
error = BLK_STS_IOERR;
Reported by FlawFinder.
Line: 260
Column: 7
CWE codes:
120
20
dev_dbg(&dev->sbd.core, "%s:%u: %s completed\n", __func__,
__LINE__, op);
error = 0;
if (read)
ps3disk_scatter_gather(dev, req, 0);
}
spin_lock(&priv->lock);
priv->req = NULL;
Reported by FlawFinder.