The following issues were found
kernel/trace/ftrace.c
31 issues
Line: 507
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int function_stat_show(struct seq_file *m, void *v)
{
struct ftrace_profile *rec = v;
char str[KSYM_SYMBOL_LEN];
int ret = 0;
#ifdef CONFIG_FUNCTION_GRAPH_TRACER
static struct trace_seq s;
unsigned long long avg;
unsigned long long stddev;
Reported by FlawFinder.
Line: 933
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ftrace_profile_read(struct file *filp, char __user *ubuf,
size_t cnt, loff_t *ppos)
{
char buf[64]; /* big enough to hold a number */
int r;
r = sprintf(buf, "%u\n", ftrace_profile_enabled);
return simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
}
Reported by FlawFinder.
Line: 936
Column: 6
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char buf[64]; /* big enough to hold a number */
int r;
r = sprintf(buf, "%u\n", ftrace_profile_enabled);
return simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
}
static const struct file_operations ftrace_profile_fops = {
.open = tracing_open_generic,
Reported by FlawFinder.
Line: 1970
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void print_ip_ins(const char *fmt, const unsigned char *p)
{
char ins[MCOUNT_INSN_SIZE];
int i;
if (copy_from_kernel_nofault(ins, p, MCOUNT_INSN_SIZE)) {
printk(KERN_CONT "%s[FAULT] %px\n", fmt, p);
return;
Reported by FlawFinder.
Line: 3968
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ftrace_match_record(struct dyn_ftrace *rec, struct ftrace_glob *func_g,
struct ftrace_glob *mod_g, int exclude_mod)
{
char str[KSYM_SYMBOL_LEN];
char *modname;
kallsyms_lookup(rec->ip, NULL, NULL, &modname, str);
if (mod_g) {
Reported by FlawFinder.
Line: 4118
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
/* All modules have the symbol __this_module */
static const char this_mod[] = "__this_module";
char modname[MAX_PARAM_PREFIX_LEN + sizeof(this_mod) + 2];
unsigned long val;
int n;
n = snprintf(modname, sizeof(modname), "%s:%s", module, this_mod);
Reported by FlawFinder.
Line: 4668
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ftrace_hash *hash = NULL;
struct hlist_node *tmp;
struct hlist_head hhd;
char str[KSYM_SYMBOL_LEN];
int count = 0;
int i, ret = -ENODEV;
int size;
if (!glob || !strlen(glob) || !strcmp(glob, "*"))
Reported by FlawFinder.
Line: 5513
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* command line interface to allow users to set filters on boot up.
*/
#define FTRACE_FILTER_SIZE COMMAND_LINE_SIZE
static char ftrace_notrace_buf[FTRACE_FILTER_SIZE] __initdata;
static char ftrace_filter_buf[FTRACE_FILTER_SIZE] __initdata;
/* Used by function selftest to not test if filter is set */
bool ftrace_filter_param __initdata;
Reported by FlawFinder.
Line: 5514
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
#define FTRACE_FILTER_SIZE COMMAND_LINE_SIZE
static char ftrace_notrace_buf[FTRACE_FILTER_SIZE] __initdata;
static char ftrace_filter_buf[FTRACE_FILTER_SIZE] __initdata;
/* Used by function selftest to not test if filter is set */
bool ftrace_filter_param __initdata;
static int __init set_ftrace_notrace(char *str)
Reported by FlawFinder.
Line: 5536
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__setup("ftrace_filter=", set_ftrace_filter);
#ifdef CONFIG_FUNCTION_GRAPH_TRACER
static char ftrace_graph_buf[FTRACE_FILTER_SIZE] __initdata;
static char ftrace_graph_notrace_buf[FTRACE_FILTER_SIZE] __initdata;
static int ftrace_graph_set_hash(struct ftrace_hash *hash, char *buffer);
static int __init set_graph_function(char *str)
{
Reported by FlawFinder.
tools/perf/builtin-daemon.c
31 issues
Line: 1113
Column: 31
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return 0;
}
if (perf_config_system() && !access(perf_etc_perfconfig(), R_OK))
daemon->config_real = strdup(perf_etc_perfconfig());
else if (perf_config_global() && perf_home_perfconfig())
daemon->config_real = strdup(perf_home_perfconfig());
return daemon->config_real ? 0 : -1;
Reported by FlawFinder.
Line: 1103
Column: 16
CWE codes:
120/785!
Suggestion:
Ensure that the destination buffer is at least of size MAXPATHLEN, andto protect against implementation problems, the input argument should also be checked to ensure it is no larger than MAXPATHLEN
}
if (daemon->config) {
char *real = realpath(daemon->config, NULL);
if (!real) {
perror("failed: realpath");
return -1;
}
Reported by FlawFinder.
Line: 93
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *base;
struct list_head sessions;
FILE *out;
char perf[PATH_MAX];
int signal_fd;
time_t start;
};
static struct daemon __daemon = {
Reported by FlawFinder.
Line: 159
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int session_config(struct daemon *daemon, const char *var, const char *value)
{
struct daemon_session *session;
char name[100];
if (get_session_name(var, name, sizeof(name) - 1))
return -EINVAL;
var = strchr(var, '.');
Reported by FlawFinder.
Line: 323
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int daemon_session__run(struct daemon_session *session,
struct daemon *daemon)
{
char buf[PATH_MAX];
char **argv;
int argc, fd;
if (asprintf(&session->base, "%s/session-%s",
daemon->base, session->name) < 0) {
Reported by FlawFinder.
Line: 354
Column: 7
CWE codes:
362
return -1;
}
fd = open("/dev/null", O_RDONLY);
if (fd < 0) {
perror("failed: open /dev/null");
return -1;
}
Reported by FlawFinder.
Line: 363
Column: 7
CWE codes:
362
dup2(fd, 0);
close(fd);
fd = open(SESSION_OUTPUT, O_RDWR|O_CREAT|O_TRUNC, 0644);
if (fd < 0) {
perror("failed: open session output");
return -1;
}
Reported by FlawFinder.
Line: 514
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *msg, bool do_ack)
{
struct pollfd pollfd = { .events = POLLIN, };
char control_path[PATH_MAX];
char ack_path[PATH_MAX];
int control, ack = -1, len;
char buf[20];
int ret = -1;
ssize_t err;
Reported by FlawFinder.
Line: 515
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct pollfd pollfd = { .events = POLLIN, };
char control_path[PATH_MAX];
char ack_path[PATH_MAX];
int control, ack = -1, len;
char buf[20];
int ret = -1;
ssize_t err;
Reported by FlawFinder.
Line: 517
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char control_path[PATH_MAX];
char ack_path[PATH_MAX];
int control, ack = -1, len;
char buf[20];
int ret = -1;
ssize_t err;
/* open the control file */
scnprintf(control_path, sizeof(control_path), "%s/%s",
Reported by FlawFinder.
drivers/staging/greybus/tools/loopback_test.c
31 issues
Line: 578
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
char file[MAX_SYSFS_PATH];
snprintf(file, MAX_SYSFS_PATH, "%s%s/iteration_count", path, node);
if (access(file, F_OK) == 0)
return 1;
return 0;
}
int find_loopback_devices(struct loopback_test *t)
Reported by FlawFinder.
Line: 899
Column: 14
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
memset(&t, 0, sizeof(t));
while ((o = getopt(argc, argv,
"t:s:i:S:D:m:v::d::r::p::a::l::x::o:O:c:w:z::f::")) != -1) {
switch (o) {
case 't':
snprintf(t.test_name, MAX_STR_LEN, "%s", optarg);
break;
Reported by FlawFinder.
Line: 71
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct loopback_device {
char name[MAX_STR_LEN];
char sysfs_entry[MAX_SYSFS_PATH];
char debugfs_entry[MAX_SYSFS_PATH];
struct loopback_results results;
};
Reported by FlawFinder.
Line: 72
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct loopback_device {
char name[MAX_STR_LEN];
char sysfs_entry[MAX_SYSFS_PATH];
char debugfs_entry[MAX_SYSFS_PATH];
struct loopback_results results;
};
struct loopback_test {
Reported by FlawFinder.
Line: 73
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct loopback_device {
char name[MAX_STR_LEN];
char sysfs_entry[MAX_SYSFS_PATH];
char debugfs_entry[MAX_SYSFS_PATH];
struct loopback_results results;
};
struct loopback_test {
int verbose;
Reported by FlawFinder.
Line: 96
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int file_output;
int stop_all;
int poll_count;
char test_name[MAX_STR_LEN];
char sysfs_prefix[MAX_SYSFS_PREFIX];
char debugfs_prefix[MAX_SYSFS_PREFIX];
struct timespec poll_timeout;
struct loopback_device devices[MAX_NUM_DEVICES];
struct loopback_results aggregate_results;
Reported by FlawFinder.
Line: 97
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int stop_all;
int poll_count;
char test_name[MAX_STR_LEN];
char sysfs_prefix[MAX_SYSFS_PREFIX];
char debugfs_prefix[MAX_SYSFS_PREFIX];
struct timespec poll_timeout;
struct loopback_device devices[MAX_NUM_DEVICES];
struct loopback_results aggregate_results;
struct pollfd fds[MAX_NUM_DEVICES];
Reported by FlawFinder.
Line: 98
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int poll_count;
char test_name[MAX_STR_LEN];
char sysfs_prefix[MAX_SYSFS_PREFIX];
char debugfs_prefix[MAX_SYSFS_PREFIX];
struct timespec poll_timeout;
struct loopback_device devices[MAX_NUM_DEVICES];
struct loopback_results aggregate_results;
struct pollfd fds[MAX_NUM_DEVICES];
};
Reported by FlawFinder.
Line: 248
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int open_sysfs(const char *sys_pfx, const char *node, int flags)
{
int fd;
char path[MAX_SYSFS_PATH];
snprintf(path, sizeof(path), "%s%s", sys_pfx, node);
fd = open(path, flags);
if (fd < 0) {
fprintf(stderr, "unable to open %s\n", path);
Reported by FlawFinder.
Line: 251
Column: 7
CWE codes:
362
char path[MAX_SYSFS_PATH];
snprintf(path, sizeof(path), "%s%s", sys_pfx, node);
fd = open(path, flags);
if (fd < 0) {
fprintf(stderr, "unable to open %s\n", path);
abort();
}
return fd;
Reported by FlawFinder.
drivers/hwmon/adt7462.c
31 issues
Line: 870
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
struct adt7462_data *data = adt7462_update_device(dev);
return sprintf(buf, "%s\n", temp_label(data, attr->index));
}
static ssize_t volt_max_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 972
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
struct adt7462_data *data = adt7462_update_device(dev);
return sprintf(buf, "%s\n", voltage_label(data, attr->index));
}
static ssize_t alarm_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 785
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct adt7462_data *data = adt7462_update_device(dev);
if (!temp_enabled(data, attr->index))
return sprintf(buf, "0\n");
return sprintf(buf, "%d\n", 1000 * (data->temp_min[attr->index] - 64));
}
static ssize_t temp_min_store(struct device *dev,
Reported by FlawFinder.
Line: 787
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!temp_enabled(data, attr->index))
return sprintf(buf, "0\n");
return sprintf(buf, "%d\n", 1000 * (data->temp_min[attr->index] - 64));
}
static ssize_t temp_min_store(struct device *dev,
struct device_attribute *devattr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 821
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct adt7462_data *data = adt7462_update_device(dev);
if (!temp_enabled(data, attr->index))
return sprintf(buf, "0\n");
return sprintf(buf, "%d\n", 1000 * (data->temp_max[attr->index] - 64));
}
static ssize_t temp_max_store(struct device *dev,
Reported by FlawFinder.
Line: 823
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!temp_enabled(data, attr->index))
return sprintf(buf, "0\n");
return sprintf(buf, "%d\n", 1000 * (data->temp_max[attr->index] - 64));
}
static ssize_t temp_max_store(struct device *dev,
struct device_attribute *devattr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 858
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
u8 frac = data->temp_frac[attr->index] >> TEMP_FRAC_OFFSET;
if (!temp_enabled(data, attr->index))
return sprintf(buf, "0\n");
return sprintf(buf, "%d\n", 1000 * (data->temp[attr->index] - 64) +
250 * frac);
}
Reported by FlawFinder.
Line: 860
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!temp_enabled(data, attr->index))
return sprintf(buf, "0\n");
return sprintf(buf, "%d\n", 1000 * (data->temp[attr->index] - 64) +
250 * frac);
}
static ssize_t temp_label_show(struct device *dev,
struct device_attribute *devattr, char *buf)
Reported by FlawFinder.
Line: 883
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
x *= data->volt_max[attr->index];
x /= 1000; /* convert from uV to mV */
return sprintf(buf, "%d\n", x);
}
static ssize_t volt_max_store(struct device *dev,
struct device_attribute *devattr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 923
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
x *= data->volt_min[attr->index];
x /= 1000; /* convert from uV to mV */
return sprintf(buf, "%d\n", x);
}
static ssize_t volt_min_store(struct device *dev,
struct device_attribute *devattr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/gpu/drm/drm_dp_mst_topology.c
31 issues
Line: 397
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
idx++;
buf[idx] = (req->u.dpcd_write.num_bytes);
idx++;
memcpy(&buf[idx], req->u.dpcd_write.bytes, req->u.dpcd_write.num_bytes);
idx += req->u.dpcd_write.num_bytes;
break;
case DP_REMOTE_I2C_READ:
buf[idx] = (req->u.i2c_read.port_number & 0xf) << 4;
buf[idx] |= (req->u.i2c_read.num_transactions & 0x3);
Reported by FlawFinder.
Line: 409
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
idx++;
buf[idx] = req->u.i2c_read.transactions[i].num_bytes;
idx++;
memcpy(&buf[idx], req->u.i2c_read.transactions[i].bytes, req->u.i2c_read.transactions[i].num_bytes);
idx += req->u.i2c_read.transactions[i].num_bytes;
buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 4;
buf[idx] |= (req->u.i2c_read.transactions[i].i2c_transaction_delay & 0xf);
idx++;
Reported by FlawFinder.
Line: 429
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
idx++;
buf[idx] = (req->u.i2c_write.num_bytes);
idx++;
memcpy(&buf[idx], req->u.i2c_write.bytes, req->u.i2c_write.num_bytes);
idx += req->u.i2c_write.num_bytes;
break;
case DP_QUERY_STREAM_ENC_STATUS: {
const struct drm_dp_query_stream_enc_status *msg;
Reported by FlawFinder.
Line: 438
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg = &req->u.enc_status;
buf[idx] = msg->stream_id;
idx++;
memcpy(&buf[idx], msg->client_id, sizeof(msg->client_id));
idx += sizeof(msg->client_id);
buf[idx] = 0;
buf[idx] |= FIELD_PREP(GENMASK(1, 0), msg->stream_event);
buf[idx] |= msg->valid_stream_event ? BIT(2) : 0;
buf[idx] |= FIELD_PREP(GENMASK(4, 3), msg->stream_behavior);
Reported by FlawFinder.
Line: 691
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct drm_dp_sideband_msg_tx *txmsg)
{
struct drm_dp_sideband_msg_req_body req;
char buf[64];
int ret;
int i;
drm_dp_mst_rad_to_str(txmsg->dst->rad, txmsg->dst->lct, buf,
sizeof(buf));
Reported by FlawFinder.
Line: 763
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return false;
if (hdr->somt) {
memcpy(&msg->initial_hdr, hdr,
sizeof(struct drm_dp_sideband_msg_hdr));
msg->have_somt = true;
}
if (hdr->eomt)
msg->have_eomt = true;
Reported by FlawFinder.
Line: 779
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u8 crc4;
memcpy(&msg->chunk[msg->curchunk_idx], replybuf, replybuflen);
msg->curchunk_idx += replybuflen;
if (msg->curchunk_idx >= msg->curchunk_len) {
/* do CRC */
crc4 = drm_dp_msg_data_crc4(msg->chunk, msg->curchunk_len - 1);
Reported by FlawFinder.
Line: 790
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
DUMP_PREFIX_NONE, 16, 1,
msg->chunk, msg->curchunk_len, false);
/* copy chunk into bigger msg */
memcpy(&msg->msg[msg->curlen], msg->chunk, msg->curchunk_len - 1);
msg->curlen += msg->curchunk_len - 1;
}
return true;
}
Reported by FlawFinder.
Line: 803
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int idx = 1;
int i;
memcpy(repmsg->u.link_addr.guid, &raw->msg[idx], 16);
idx += 16;
repmsg->u.link_addr.nports = raw->msg[idx] & 0xf;
idx++;
if (idx > raw->curlen)
goto fail_len;
Reported by FlawFinder.
Line: 831
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
idx++;
if (idx > raw->curlen)
goto fail_len;
memcpy(repmsg->u.link_addr.ports[i].peer_guid, &raw->msg[idx], 16);
idx += 16;
if (idx > raw->curlen)
goto fail_len;
repmsg->u.link_addr.ports[i].num_sdp_streams = (raw->msg[idx] >> 4) & 0xf;
repmsg->u.link_addr.ports[i].num_sdp_stream_sinks = (raw->msg[idx] & 0xf);
Reported by FlawFinder.
drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
31 issues
Line: 595
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (clk_type) {
case SMU_OD_SCLK:
if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
size = sprintf(buf, "%s:\n", "OD_SCLK");
size += sprintf(buf + size, "0: %10uMhz\n",
(smu->gfx_actual_hard_min_freq > 0) ? smu->gfx_actual_hard_min_freq : smu->gfx_default_hard_min_freq);
size += sprintf(buf + size, "1: %10uMhz\n",
(smu->gfx_actual_soft_max_freq > 0) ? smu->gfx_actual_soft_max_freq : smu->gfx_default_soft_max_freq);
}
Reported by FlawFinder.
Line: 613
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
break;
case SMU_OD_RANGE:
if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
size = sprintf(buf, "%s:\n", "OD_RANGE");
size += sprintf(buf + size, "SCLK: %7uMhz %10uMhz\n",
smu->gfx_default_hard_min_freq, smu->gfx_default_soft_max_freq);
size += sprintf(buf + size, "CCLK: %7uMhz %10uMhz\n",
smu->cpu_default_soft_min_freq, smu->cpu_default_soft_max_freq);
}
Reported by FlawFinder.
Line: 659
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return ret;
if (!value)
continue;
size += sprintf(buf + size, "%d: %uMhz %s\n", i, value,
cur_value == value ? "*" : "");
if (cur_value == value)
cur_value_match_level = true;
}
Reported by FlawFinder.
Line: 694
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (clk_type) {
case SMU_OD_SCLK:
if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
size = sprintf(buf, "%s:\n", "OD_SCLK");
size += sprintf(buf + size, "0: %10uMhz\n",
(smu->gfx_actual_hard_min_freq > 0) ? smu->gfx_actual_hard_min_freq : smu->gfx_default_hard_min_freq);
size += sprintf(buf + size, "1: %10uMhz\n",
(smu->gfx_actual_soft_max_freq > 0) ? smu->gfx_actual_soft_max_freq : smu->gfx_default_soft_max_freq);
}
Reported by FlawFinder.
Line: 712
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
break;
case SMU_OD_RANGE:
if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
size = sprintf(buf, "%s:\n", "OD_RANGE");
size += sprintf(buf + size, "SCLK: %7uMhz %10uMhz\n",
smu->gfx_default_hard_min_freq, smu->gfx_default_soft_max_freq);
size += sprintf(buf + size, "CCLK: %7uMhz %10uMhz\n",
smu->cpu_default_soft_min_freq, smu->cpu_default_soft_max_freq);
}
Reported by FlawFinder.
Line: 758
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return ret;
if (!value)
continue;
size += sprintf(buf + size, "%d: %uMhz %s\n", i, value,
cur_value == value ? "*" : "");
if (cur_value == value)
cur_value_match_level = true;
}
Reported by FlawFinder.
Line: 1038
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (workload_type < 0)
continue;
size += sprintf(buf + size, "%2d %14s%s\n",
i, profile_name[i], (i == smu->power_profile_mode) ? "*" : " ");
}
return size;
}
Reported by FlawFinder.
Line: 330
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*value = metrics->Voltage[1];
break;
case METRICS_AVERAGE_CPUCLK:
memcpy(value, &metrics->CoreFrequency[0],
smu->cpu_core_num * sizeof(uint16_t));
break;
default:
*value = UINT_MAX;
break;
Reported by FlawFinder.
Line: 405
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*value = metrics->Current.Voltage[1];
break;
case METRICS_AVERAGE_CPUCLK:
memcpy(value, &metrics->Current.CoreFrequency[0],
smu->cpu_core_num * sizeof(uint16_t));
break;
default:
*value = UINT_MAX;
break;
Reported by FlawFinder.
Line: 596
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case SMU_OD_SCLK:
if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
size = sprintf(buf, "%s:\n", "OD_SCLK");
size += sprintf(buf + size, "0: %10uMhz\n",
(smu->gfx_actual_hard_min_freq > 0) ? smu->gfx_actual_hard_min_freq : smu->gfx_default_hard_min_freq);
size += sprintf(buf + size, "1: %10uMhz\n",
(smu->gfx_actual_soft_max_freq > 0) ? smu->gfx_actual_soft_max_freq : smu->gfx_default_soft_max_freq);
}
break;
Reported by FlawFinder.
arch/parisc/kernel/firmware.c
31 issues
Line: 265
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned long flags;
spin_lock_irqsave(&pdc_lock, flags);
memcpy(&pdc_result, chassis_info, sizeof(*chassis_info));
memcpy(&pdc_result2, led_info, len);
retval = mem_pdc_call(PDC_CHASSIS, PDC_RETURN_CHASSIS_INFO,
__pa(pdc_result), __pa(pdc_result2), len);
memcpy(chassis_info, pdc_result, sizeof(*chassis_info));
memcpy(led_info, pdc_result2, len);
Reported by FlawFinder.
Line: 266
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_irqsave(&pdc_lock, flags);
memcpy(&pdc_result, chassis_info, sizeof(*chassis_info));
memcpy(&pdc_result2, led_info, len);
retval = mem_pdc_call(PDC_CHASSIS, PDC_RETURN_CHASSIS_INFO,
__pa(pdc_result), __pa(pdc_result2), len);
memcpy(chassis_info, pdc_result, sizeof(*chassis_info));
memcpy(led_info, pdc_result2, len);
spin_unlock_irqrestore(&pdc_lock, flags);
Reported by FlawFinder.
Line: 269
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&pdc_result2, led_info, len);
retval = mem_pdc_call(PDC_CHASSIS, PDC_RETURN_CHASSIS_INFO,
__pa(pdc_result), __pa(pdc_result2), len);
memcpy(chassis_info, pdc_result, sizeof(*chassis_info));
memcpy(led_info, pdc_result2, len);
spin_unlock_irqrestore(&pdc_lock, flags);
return retval;
}
Reported by FlawFinder.
Line: 270
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
retval = mem_pdc_call(PDC_CHASSIS, PDC_RETURN_CHASSIS_INFO,
__pa(pdc_result), __pa(pdc_result2), len);
memcpy(chassis_info, pdc_result, sizeof(*chassis_info));
memcpy(led_info, pdc_result2, len);
spin_unlock_irqrestore(&pdc_lock, flags);
return retval;
}
Reported by FlawFinder.
Line: 400
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
index, __pa(pdc_result2), iodc_data_size);
convert_to_wide(pdc_result);
*actcnt = pdc_result[0];
memcpy(iodc_data, pdc_result2, iodc_data_size);
spin_unlock_irqrestore(&pdc_lock, flags);
return retval;
}
EXPORT_SYMBOL(pdc_iodc_read);
Reported by FlawFinder.
Line: 426
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
retval = mem_pdc_call(PDC_SYSTEM_MAP, PDC_FIND_MODULE, __pa(pdc_result),
__pa(pdc_result2), mod_index);
convert_to_wide(pdc_result);
memcpy(pdc_mod_info, pdc_result, sizeof(*pdc_mod_info));
memcpy(mod_path, pdc_result2, sizeof(*mod_path));
spin_unlock_irqrestore(&pdc_lock, flags);
pdc_mod_info->mod_addr = f_extend(pdc_mod_info->mod_addr);
return retval;
Reported by FlawFinder.
Line: 427
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__pa(pdc_result2), mod_index);
convert_to_wide(pdc_result);
memcpy(pdc_mod_info, pdc_result, sizeof(*pdc_mod_info));
memcpy(mod_path, pdc_result2, sizeof(*mod_path));
spin_unlock_irqrestore(&pdc_lock, flags);
pdc_mod_info->mod_addr = f_extend(pdc_mod_info->mod_addr);
return retval;
}
Reported by FlawFinder.
Line: 453
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
retval = mem_pdc_call(PDC_SYSTEM_MAP, PDC_FIND_ADDRESS, __pa(pdc_result),
mod_index, addr_index);
convert_to_wide(pdc_result);
memcpy(pdc_addr_info, pdc_result, sizeof(*pdc_addr_info));
spin_unlock_irqrestore(&pdc_lock, flags);
pdc_addr_info->mod_addr = f_extend(pdc_addr_info->mod_addr);
return retval;
}
Reported by FlawFinder.
Line: 474
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_irqsave(&pdc_lock, flags);
retval = mem_pdc_call(PDC_MODEL, PDC_MODEL_INFO, __pa(pdc_result), 0);
convert_to_wide(pdc_result);
memcpy(model, pdc_result, sizeof(*model));
spin_unlock_irqrestore(&pdc_lock, flags);
return retval;
}
Reported by FlawFinder.
Line: 618
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_irqsave(&pdc_lock, flags);
retval = mem_pdc_call(PDC_CACHE, PDC_CACHE_INFO, __pa(pdc_result), 0);
convert_to_wide(pdc_result);
memcpy(cache_info, pdc_result, sizeof(*cache_info));
spin_unlock_irqrestore(&pdc_lock, flags);
return retval;
}
Reported by FlawFinder.
drivers/net/wireless/intel/iwlegacy/3945-mac.c
31 issues
Line: 1835
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* Ask kernel firmware_class module to get the boot firmware off disk.
* request_firmware() is synchronous, file is in memory on return. */
for (idx = api_max; idx >= api_min; idx--) {
sprintf(buf, "%s%u%s", name_pre, idx, ".ucode");
ret = request_firmware(&ucode_raw, buf, &il->pci_dev->dev);
if (ret < 0) {
IL_ERR("%s firmware file req failed: %d\n", buf, ret);
if (ret == -ENOENT)
continue;
Reported by FlawFinder.
Line: 137
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_irqsave(&il->sta_lock, flags);
il->stations[sta_id].keyinfo.cipher = keyconf->cipher;
il->stations[sta_id].keyinfo.keylen = keyconf->keylen;
memcpy(il->stations[sta_id].keyinfo.key, keyconf->key, keyconf->keylen);
memcpy(il->stations[sta_id].sta.key.key, keyconf->key, keyconf->keylen);
if ((il->stations[sta_id].sta.key.
key_flags & STA_KEY_FLG_ENCRYPT_MSK) == STA_KEY_FLG_NO_ENC)
Reported by FlawFinder.
Line: 139
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
il->stations[sta_id].keyinfo.keylen = keyconf->keylen;
memcpy(il->stations[sta_id].keyinfo.key, keyconf->key, keyconf->keylen);
memcpy(il->stations[sta_id].sta.key.key, keyconf->key, keyconf->keylen);
if ((il->stations[sta_id].sta.key.
key_flags & STA_KEY_FLG_ENCRYPT_MSK) == STA_KEY_FLG_NO_ENC)
il->stations[sta_id].sta.key.key_offset =
il_get_free_ucode_key_idx(il);
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
il->stations[sta_id].sta.key.key_flags = STA_KEY_FLG_NO_ENC;
il->stations[sta_id].sta.sta.modify_mask = STA_MODIFY_KEY_MASK;
il->stations[sta_id].sta.mode = STA_CONTROL_MODIFY_MSK;
memcpy(&sta_cmd, &il->stations[sta_id].sta,
sizeof(struct il_addsta_cmd));
spin_unlock_irqrestore(&il->sta_lock, flags);
D_INFO("hwcrypto: clear ucode station key info\n");
return il_send_add_sta(il, &sta_cmd, CMD_SYNC);
Reported by FlawFinder.
Line: 305
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (il->beacon_skb->len > left)
return 0;
memcpy(hdr, il->beacon_skb->data, il->beacon_skb->len);
return il->beacon_skb->len;
}
static int
Reported by FlawFinder.
Line: 359
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (keyinfo->cipher) {
case WLAN_CIPHER_SUITE_CCMP:
tx_cmd->sec_ctl = TX_CMD_SEC_CCM;
memcpy(tx_cmd->key, keyinfo->key, keyinfo->keylen);
D_TX("tx_cmd with AES hwcrypto\n");
break;
case WLAN_CIPHER_SUITE_TKIP:
break;
Reported by FlawFinder.
Line: 375
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hw_key_idx & TX_CMD_SEC_MSK) <<
TX_CMD_SEC_SHIFT;
memcpy(&tx_cmd->key[3], keyinfo->key, keyinfo->keylen);
D_TX("Configuring packet for WEP encryption " "with key %d\n",
info->control.hw_key->hw_key_idx);
break;
Reported by FlawFinder.
Line: 542
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(QUEUE_TO_SEQ(txq_id) | IDX_TO_SEQ(q->write_ptr)));
/* Copy MAC header from skb into command buffer */
memcpy(tx_cmd->hdr, hdr, hdr_len);
if (info->control.hw_key)
il3945_build_tx_cmd_hwcrypto(il, info, out_cmd, skb, sta_id);
/* TODO need this for burst mode later on */
Reported by FlawFinder.
Line: 732
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (palive->ver_subtype == INITIALIZE_SUBTYPE) {
D_INFO("Initialization Alive received.\n");
memcpy(&il->card_alive_init, &pkt->u.alive_frame,
sizeof(struct il_alive_resp));
pwork = &il->init_alive_start;
} else {
D_INFO("Runtime Alive received.\n");
memcpy(&il->card_alive, &pkt->u.alive_frame,
Reported by FlawFinder.
Line: 737
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pwork = &il->init_alive_start;
} else {
D_INFO("Runtime Alive received.\n");
memcpy(&il->card_alive, &pkt->u.alive_frame,
sizeof(struct il_alive_resp));
pwork = &il->alive_start;
il3945_disable_events(il);
}
Reported by FlawFinder.
drivers/scsi/ips.c
31 issues
Line: 1418
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
bp = &buffer[0];
memset(bp, 0, sizeof (buffer));
sprintf(bp, "%s%s%s Build %d", "IBM PCI ServeRAID ",
IPS_VERSION_HIGH, IPS_VERSION_LOW, IPS_BUILD_IDENT);
if (ha->ad_type > 0 && ha->ad_type <= MAX_ADAPTER_NAME) {
strcat(bp, " <");
strcat(bp, ips_adapter_name[ha->ad_type - 1]);
Reported by FlawFinder.
Line: 1423
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (ha->ad_type > 0 && ha->ad_type <= MAX_ADAPTER_NAME) {
strcat(bp, " <");
strcat(bp, ips_adapter_name[ha->ad_type - 1]);
strcat(bp, ">");
}
return (bp);
}
Reported by FlawFinder.
Line: 1404
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *
ips_info(struct Scsi_Host *SH)
{
static char buffer[256];
char *bp;
ips_ha_t *ha;
METHOD_TRACE("ips_info", 1);
Reported by FlawFinder.
Line: 1422
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
IPS_VERSION_HIGH, IPS_VERSION_LOW, IPS_BUILD_IDENT);
if (ha->ad_type > 0 && ha->ad_type <= MAX_ADAPTER_NAME) {
strcat(bp, " <");
strcat(bp, ips_adapter_name[ha->ad_type - 1]);
strcat(bp, ">");
}
return (bp);
Reported by FlawFinder.
Line: 1609
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (pt->CoppCmd) {
case IPS_NUMCTRLS:
memcpy(ha->ioctl_data + sizeof (ips_passthru_t),
&ips_num_controllers, sizeof (int));
ips_scmd_buf_write(SC, ha->ioctl_data,
sizeof (ips_passthru_t) + sizeof (int));
SC->result = DID_OK << 16;
Reported by FlawFinder.
Line: 1708
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!ha->flash_data)
return IPS_FAILURE;
pt->BasicStatus = 0;
memcpy(&ha->flash_data[ha->flash_datasize], pt + 1,
pt->CoppCP.cmd.flashfw.count);
ha->flash_datasize += pt->CoppCP.cmd.flashfw.count;
if (pt->CoppCP.cmd.flashfw.packet_num ==
pt->CoppCP.cmd.flashfw.total_packets - 1) {
if (pt->CoppCP.cmd.flashfw.type == IPS_BIOS_IMAGE)
Reported by FlawFinder.
Line: 1849
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sg_list.list = scb->sg_list.list;
cmd_busaddr = scb->scb_busaddr;
/* copy in the CP */
memcpy(&scb->cmd, &pt->CoppCP.cmd, sizeof (IPS_IOCTL_CMD));
/* FIX stuff that might be wrong */
scb->sg_list.list = sg_list.list;
scb->scb_busaddr = cmd_busaddr;
scb->bus = scb->scsi_cmd->device->channel;
scb->target_id = scb->scsi_cmd->device->id;
Reported by FlawFinder.
Line: 1916
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sg_list.list = scb->sg_list.list;
cmd_busaddr = scb->scb_busaddr;
/* copy in the CP */
memcpy(&scb->cmd, &pt->CoppCP.cmd, sizeof (IPS_IOCTL_CMD));
memcpy(&scb->dcdb, &pt->CoppCP.dcdb, sizeof (IPS_DCDB_TABLE));
/* FIX stuff that might be wrong */
scb->sg_list.list = sg_list.list;
scb->scb_busaddr = cmd_busaddr;
Reported by FlawFinder.
Line: 1917
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd_busaddr = scb->scb_busaddr;
/* copy in the CP */
memcpy(&scb->cmd, &pt->CoppCP.cmd, sizeof (IPS_IOCTL_CMD));
memcpy(&scb->dcdb, &pt->CoppCP.dcdb, sizeof (IPS_DCDB_TABLE));
/* FIX stuff that might be wrong */
scb->sg_list.list = sg_list.list;
scb->scb_busaddr = cmd_busaddr;
scb->bus = scb->scsi_cmd->device->channel;
Reported by FlawFinder.
Line: 2006
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy data back to the user */
if (scb->cmd.dcdb.op_code == IPS_CMD_DCDB) /* Copy DCDB Back to Caller's Area */
memcpy(&pt->CoppCP.dcdb, &scb->dcdb, sizeof (IPS_DCDB_TABLE));
pt->BasicStatus = scb->basic_status;
pt->ExtendedStatus = scb->extended_status;
pt->AdapterType = ha->ad_type;
Reported by FlawFinder.
drivers/staging/rtl8712/rtl871x_mlme.c
31 issues
Line: 239
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u16 s_cap, d_cap;
memcpy((u8 *)&s_cap, r8712_get_capability_from_ie(src->IEs), 2);
memcpy((u8 *)&d_cap, r8712_get_capability_from_ie(dst->IEs), 2);
return (src->Ssid.SsidLength == dst->Ssid.SsidLength) &&
(src->Configuration.DSConfig ==
dst->Configuration.DSConfig) &&
((!memcmp(src->MacAddress, dst->MacAddress,
Reported by FlawFinder.
Line: 240
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u16 s_cap, d_cap;
memcpy((u8 *)&s_cap, r8712_get_capability_from_ie(src->IEs), 2);
memcpy((u8 *)&d_cap, r8712_get_capability_from_ie(dst->IEs), 2);
return (src->Ssid.SsidLength == dst->Ssid.SsidLength) &&
(src->Configuration.DSConfig ==
dst->Configuration.DSConfig) &&
((!memcmp(src->MacAddress, dst->MacAddress,
ETH_ALEN))) &&
Reported by FlawFinder.
Line: 312
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
src->Rssi = (src->Rssi + dst->Rssi) / 2;
}
memcpy((u8 *)dst, (u8 *)src, r8712_get_wlan_bssid_ex_sz(src));
}
static void update_current_network(struct _adapter *adapter,
struct wlan_bssid_ex *pnetwork)
{
Reported by FlawFinder.
Line: 369
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pnetwork = oldest;
target->Rssi = (pnetwork->network.Rssi +
target->Rssi) / 2;
memcpy(&pnetwork->network, target,
r8712_get_wlan_bssid_ex_sz(target));
pnetwork->last_scanned = jiffies;
} else {
/* Otherwise just pull from the free list */
/* update scan_time */
Reported by FlawFinder.
Line: 380
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
bssid_ex_sz = r8712_get_wlan_bssid_ex_sz(target);
target->Length = bssid_ex_sz;
memcpy(&pnetwork->network, target, bssid_ex_sz);
list_add_tail(&pnetwork->list, &queue->queue);
}
} else {
/* we have an entry and we are going to update it. But
* this entry may be already expired. In this case we
Reported by FlawFinder.
Line: 491
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pnetwork->MacAddress, ETH_ALEN)) {
struct wlan_network *ibss_wlan = NULL;
memcpy(pmlmepriv->cur_network.network.IEs,
pnetwork->IEs, 8);
ibss_wlan = r8712_find_network(
&pmlmepriv->scanned_queue,
pnetwork->MacAddress);
if (ibss_wlan) {
Reported by FlawFinder.
Line: 497
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
&pmlmepriv->scanned_queue,
pnetwork->MacAddress);
if (ibss_wlan) {
memcpy(ibss_wlan->network.IEs,
pnetwork->IEs, 8);
goto exit;
}
}
}
Reported by FlawFinder.
Line: 509
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rtl8711_add_network(adapter, pnetwork);
} else {
pnetwork->Ssid.SsidLength = 8;
memcpy(pnetwork->Ssid.Ssid, "<hidden>", 8);
rtl8711_add_network(adapter, pnetwork);
}
}
exit:
spin_unlock_irqrestore(&pmlmepriv->lock2, flags);
Reported by FlawFinder.
Line: 545
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
adapter->registrypriv.
dev_network.MacAddress;
pmlmepriv->fw_state ^= _FW_UNDER_SURVEY;
memcpy(&pdev_network->Ssid,
&pmlmepriv->assoc_ssid,
sizeof(struct
ndis_802_11_ssid));
r8712_update_registrypriv_dev_network
(adapter);
Reported by FlawFinder.
Line: 667
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pnetwork = kmalloc(sizeof(struct wlan_network), GFP_ATOMIC);
if (!pnetwork)
return;
memcpy((u8 *)pnetwork + 16, (u8 *)pbuf + 8,
sizeof(struct wlan_network) - 16);
} else {
pnetwork = (struct wlan_network *)pbuf;
}
Reported by FlawFinder.