The following issues were found
drivers/infiniband/hw/ocrdma/ocrdma_stats.c
6 issues
Line: 52
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ocrdma_add_stat(char *start, char *pcur,
char *name, u64 count)
{
char buff[128] = {0};
int cpy_len = 0;
snprintf(buff, 128, "%s: %llu\n", name, count);
cpy_len = strlen(buff);
Reported by FlawFinder.
Line: 63
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
}
memcpy(pcur, buff, cpy_len);
return cpy_len;
}
bool ocrdma_alloc_stats_resources(struct ocrdma_dev *dev)
{
Reported by FlawFinder.
Line: 638
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char __user *buffer,
size_t count, loff_t *ppos)
{
char tmp_str[32];
long reset;
int status;
struct ocrdma_stats *pstats = filp->private_data;
struct ocrdma_dev *dev = pstats->dev;
Reported by FlawFinder.
Line: 56
Column: 12
CWE codes:
126
int cpy_len = 0;
snprintf(buff, 128, "%s: %llu\n", name, count);
cpy_len = strlen(buff);
if (pcur + cpy_len > start + OCRDMA_MAX_DBGFS_MEM) {
pr_err("%s: No space in stats buff\n", __func__);
return 0;
}
Reported by FlawFinder.
Line: 739
Column: 20
CWE codes:
126
goto exit;
}
if (usr_buf_len < strlen(data)) {
status = -ENOSPC;
goto exit;
}
status = simple_read_from_buffer(buffer, usr_buf_len, ppos, data,
Reported by FlawFinder.
Line: 745
Column: 7
CWE codes:
126
}
status = simple_read_from_buffer(buffer, usr_buf_len, ppos, data,
strlen(data));
exit:
mutex_unlock(&dev->stats_lock);
return status;
}
Reported by FlawFinder.
drivers/infiniband/hw/irdma/ctrl.c
6 issues
Line: 1772
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (copy_len)
memcpy(termhdr + 1, pkt, copy_len);
return sizeof(struct irdma_terminate_hdr) + copy_len;
}
/**
Reported by FlawFinder.
Line: 3473
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (compl_info)
memcpy(compl_info, &info, sizeof(*compl_info));
return ret_code;
}
/**
Reported by FlawFinder.
Line: 4471
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (mem_entries) {
offset = wqe_idx * IRDMA_UPDATE_SD_BUFF_SIZE;
memcpy(((char *)sdbuf->va + offset), &info->entry[3], mem_entries << 4);
data = (u64)sdbuf->pa + offset;
} else {
data = 0;
}
Reported by FlawFinder.
Line: 5653
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
IRDMA_STATS_DELTA(gather_stats->rxnpecnmrkpkts,
last_gather_stats->rxnpecnmrkpkts,
IRDMA_MAX_STATS_48);
memcpy(last_gather_stats, gather_stats, sizeof(*last_gather_stats));
}
Reported by FlawFinder.
Line: 1465
Column: 53
CWE codes:
120
20
* @qp: sc qp struct
* @read: Do read0 or write0
*/
void irdma_sc_send_rtt(struct irdma_sc_qp *qp, bool read)
{
__le64 *wqe;
u64 hdr;
struct irdma_qp_uk *qp_uk;
Reported by FlawFinder.
Line: 1476
Column: 6
CWE codes:
120
20
set_64bit_val(wqe, 0, 0);
set_64bit_val(wqe, 16, 0);
if (read) {
if (qp->qp_uk.uk_attrs->hw_rev == IRDMA_GEN_1) {
set_64bit_val(wqe, 8,
FIELD_PREP(IRDMAQPSQ_GEN1_FRAG_STAG, 0xabcd));
} else {
set_64bit_val(wqe, 8,
Reported by FlawFinder.
drivers/lightnvm/pblk-core.c
6 issues
Line: 1003
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Fill metadata among lines */
if (cur) {
memcpy(line->lun_bitmap, cur->lun_bitmap, lm->lun_bitmap_len);
smeta_buf->prev_id = cpu_to_le32(cur->id);
cur->emeta->buf->next_id = cpu_to_le32(line->id);
} else {
smeta_buf->prev_id = cpu_to_le32(PBLK_LINE_EMPTY);
}
Reported by FlawFinder.
Line: 1016
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
smeta_buf->crc = cpu_to_le32(pblk_calc_smeta_crc(pblk, smeta_buf));
/* End metadata */
memcpy(&emeta_buf->header, &smeta_buf->header,
sizeof(struct line_header));
emeta_buf->header.version_major = EMETA_VERSION_MAJOR;
emeta_buf->header.version_minor = EMETA_VERSION_MINOR;
emeta_buf->header.crc = cpu_to_le32(
Reported by FlawFinder.
Line: 1797
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct wa_counters *wa = emeta_to_wa(lm, emeta_buf);
/* No need for exact vsc value; avoid a big line lock and take aprox. */
memcpy(emeta_to_vsc(pblk, emeta_buf), l_mg->vsc_list, lm->vsc_list_len);
memcpy(emeta_to_bb(emeta_buf), line->blk_bitmap, lm->blk_bitmap_len);
wa->user = cpu_to_le64(atomic64_read(&pblk->user_wa));
wa->pad = cpu_to_le64(atomic64_read(&pblk->pad_wa));
wa->gc = cpu_to_le64(atomic64_read(&pblk->gc_wa));
Reported by FlawFinder.
Line: 1798
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* No need for exact vsc value; avoid a big line lock and take aprox. */
memcpy(emeta_to_vsc(pblk, emeta_buf), l_mg->vsc_list, lm->vsc_list_len);
memcpy(emeta_to_bb(emeta_buf), line->blk_bitmap, lm->blk_bitmap_len);
wa->user = cpu_to_le64(atomic64_read(&pblk->user_wa));
wa->pad = cpu_to_le64(atomic64_read(&pblk->pad_wa));
wa->gc = cpu_to_le64(atomic64_read(&pblk->gc_wa));
Reported by FlawFinder.
Line: 1842
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct pblk_emeta *emeta = line->emeta;
w_err_gc->lba_list = kvmalloc(lba_list_size, GFP_KERNEL);
memcpy(w_err_gc->lba_list, emeta_to_lbas(pblk, emeta->buf),
lba_list_size);
}
void pblk_line_close_ws(struct work_struct *work)
{
Reported by FlawFinder.
Line: 2148
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
page = page_to_virt(rqd->bio->bi_io_vec[rqd->bio->bi_vcnt - 1].bv_page);
/* We need to fill oob meta buffer with data from packed metadata */
for (; i < rqd->nr_ppas; i++)
memcpy(pblk_get_meta(pblk, meta_list, i),
page + (i * sizeof(struct pblk_sec_meta)),
sizeof(struct pblk_sec_meta));
}
Reported by FlawFinder.
drivers/hwmon/pmbus/adm1266.c
6 issues
Line: 55
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct adm1266_data {
struct pmbus_driver_info info;
struct gpio_chip gc;
const char *gpio_names[ADM1266_GPIO_NR + ADM1266_PDIO_NR];
struct i2c_client *client;
struct dentry *debugfs_dir;
struct nvmem_config nvmem_config;
struct nvmem_device *nvmem;
u8 *dev_mem;
Reported by FlawFinder.
Line: 108
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msgs[0].buf[0] = cmd;
msgs[0].buf[1] = w_len;
memcpy(&msgs[0].buf[2], data_w, w_len);
ret = i2c_transfer(client->adapter, msgs, 2);
if (ret != 2) {
if (ret >= 0)
ret = -EPROTO;
Reported by FlawFinder.
Line: 135
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy(data_r, &msgs[1].buf[1], msgs[1].buf[0]);
ret = msgs[1].buf[0];
mutex_unlock(&data->buf_mutex);
return ret;
Reported by FlawFinder.
Line: 155
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{9, 7},
};
static const char *adm1266_names[ADM1266_GPIO_NR + ADM1266_PDIO_NR] = {
"GPIO1", "GPIO2", "GPIO3", "GPIO4", "GPIO5", "GPIO6", "GPIO7", "GPIO8",
"GPIO9", "PDIO1", "PDIO2", "PDIO3", "PDIO4", "PDIO5", "PDIO6",
"PDIO7", "PDIO8", "PDIO9", "PDIO10", "PDIO11", "PDIO12", "PDIO13",
"PDIO14", "PDIO15", "PDIO16",
};
Reported by FlawFinder.
Line: 397
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy(val, data->dev_mem + offset, bytes);
return 0;
}
static int adm1266_config_nvmem(struct adm1266_data *data)
Reported by FlawFinder.
Line: 433
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int adm1266_set_rtc(struct adm1266_data *data)
{
time64_t kt;
char write_buf[6];
int i;
kt = ktime_get_seconds();
memset(write_buf, 0, sizeof(write_buf));
Reported by FlawFinder.
drivers/infiniband/hw/irdma/uk.c
6 issues
Line: 175
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
push = (__le64 *)((uintptr_t)qp->push_wqe +
(wqe_idx & 0x7) * 0x20);
memcpy(push, wqe, quanta * IRDMA_QP_WQE_MIN_SIZE);
irdma_qp_ring_push_db(qp, wqe_idx);
}
}
/**
Reported by FlawFinder.
Line: 581
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 polarity)
{
if (len <= 16) {
memcpy(dest, src, len);
} else {
memcpy(dest, src, 16);
src += 16;
dest = dest + 32;
memcpy(dest, src, len - 16);
Reported by FlawFinder.
Line: 583
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len <= 16) {
memcpy(dest, src, len);
} else {
memcpy(dest, src, 16);
src += 16;
dest = dest + 32;
memcpy(dest, src, len - 16);
}
}
Reported by FlawFinder.
Line: 586
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dest, src, 16);
src += 16;
dest = dest + 32;
memcpy(dest, src, len - 16);
}
}
/**
* irdma_inline_data_size_to_quanta_gen_1 - based on inline data, quanta
Reported by FlawFinder.
Line: 630
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dest += 8;
if (len <= 8) {
memcpy(dest, src, len);
return;
}
*((u64 *)dest) = *((u64 *)src);
len -= 8;
Reported by FlawFinder.
Line: 641
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (len) {
copy_size = len < 31 ? len : 31;
memcpy(dest, src, copy_size);
*(dest + 31) = inline_valid;
len -= copy_size;
dest += 32;
src += copy_size;
}
Reported by FlawFinder.
drivers/md/dm-cache-metadata.c
6 issues
Line: 131
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool changed:1;
bool clean_when_opened:1;
char policy_name[CACHE_POLICY_NAME_SIZE];
unsigned policy_version[CACHE_POLICY_VERSION_SIZE];
size_t policy_hint_size;
struct dm_cache_statistics stats;
/*
Reported by FlawFinder.
Line: 322
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void __copy_sm_root(struct dm_cache_metadata *cmd,
struct cache_disk_superblock *disk_super)
{
memcpy(&disk_super->metadata_space_map_root,
&cmd->metadata_space_map_root,
sizeof(cmd->metadata_space_map_root));
}
static bool separate_dirty_bits(struct dm_cache_metadata *cmd)
Reported by FlawFinder.
Line: 594
Column: 2
CWE codes:
120
cmd->discard_nr_blocks = to_dblock(le64_to_cpu(disk_super->discard_nr_blocks));
cmd->data_block_size = le32_to_cpu(disk_super->data_block_size);
cmd->cache_blocks = to_cblock(le32_to_cpu(disk_super->cache_blocks));
strncpy(cmd->policy_name, disk_super->policy_name, sizeof(cmd->policy_name));
cmd->policy_version[0] = le32_to_cpu(disk_super->policy_version[0]);
cmd->policy_version[1] = le32_to_cpu(disk_super->policy_version[1]);
cmd->policy_version[2] = le32_to_cpu(disk_super->policy_version[2]);
cmd->policy_hint_size = le32_to_cpu(disk_super->policy_hint_size);
Reported by FlawFinder.
Line: 704
Column: 2
CWE codes:
120
disk_super->discard_block_size = cpu_to_le64(cmd->discard_block_size);
disk_super->discard_nr_blocks = cpu_to_le64(from_dblock(cmd->discard_nr_blocks));
disk_super->cache_blocks = cpu_to_le32(from_cblock(cmd->cache_blocks));
strncpy(disk_super->policy_name, cmd->policy_name, sizeof(disk_super->policy_name));
disk_super->policy_version[0] = cpu_to_le32(cmd->policy_version[0]);
disk_super->policy_version[1] = cpu_to_le32(cmd->policy_version[1]);
disk_super->policy_version[2] = cpu_to_le32(cmd->policy_version[2]);
disk_super->policy_hint_size = cpu_to_le32(cmd->policy_hint_size);
Reported by FlawFinder.
Line: 1717
Column: 7
CWE codes:
126
const unsigned *policy_version = dm_cache_policy_get_version(policy);
if (!policy_name[0] ||
(strlen(policy_name) > sizeof(cmd->policy_name) - 1))
return -EINVAL;
strncpy(cmd->policy_name, policy_name, sizeof(cmd->policy_name));
memcpy(cmd->policy_version, policy_version, sizeof(cmd->policy_version));
Reported by FlawFinder.
Line: 1720
Column: 2
CWE codes:
120
(strlen(policy_name) > sizeof(cmd->policy_name) - 1))
return -EINVAL;
strncpy(cmd->policy_name, policy_name, sizeof(cmd->policy_name));
memcpy(cmd->policy_version, policy_version, sizeof(cmd->policy_version));
hint_size = dm_cache_policy_get_hint_size(policy);
if (!hint_size)
return 0; /* short-circuit hints initialization */
Reported by FlawFinder.
drivers/input/keyboard/hil_kbd.c
6 issues
Line: 78
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int idx4; /* four counts per packet */
/* Raw device info records from HIL bus, see hil.h for fields. */
char idd[HIL_PACKET_MAX_LENGTH]; /* DID byte and IDD record */
char rsc[HIL_PACKET_MAX_LENGTH]; /* RSC record */
char exd[HIL_PACKET_MAX_LENGTH]; /* EXD record */
char rnm[HIL_PACKET_MAX_LENGTH + 1]; /* RNM record + NULL term. */
struct completion cmd_done;
Reported by FlawFinder.
Line: 79
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Raw device info records from HIL bus, see hil.h for fields. */
char idd[HIL_PACKET_MAX_LENGTH]; /* DID byte and IDD record */
char rsc[HIL_PACKET_MAX_LENGTH]; /* RSC record */
char exd[HIL_PACKET_MAX_LENGTH]; /* EXD record */
char rnm[HIL_PACKET_MAX_LENGTH + 1]; /* RNM record + NULL term. */
struct completion cmd_done;
Reported by FlawFinder.
Line: 80
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Raw device info records from HIL bus, see hil.h for fields. */
char idd[HIL_PACKET_MAX_LENGTH]; /* DID byte and IDD record */
char rsc[HIL_PACKET_MAX_LENGTH]; /* RSC record */
char exd[HIL_PACKET_MAX_LENGTH]; /* EXD record */
char rnm[HIL_PACKET_MAX_LENGTH + 1]; /* RNM record + NULL term. */
struct completion cmd_done;
bool is_pointer;
Reported by FlawFinder.
Line: 81
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char idd[HIL_PACKET_MAX_LENGTH]; /* DID byte and IDD record */
char rsc[HIL_PACKET_MAX_LENGTH]; /* RSC record */
char exd[HIL_PACKET_MAX_LENGTH]; /* EXD record */
char rnm[HIL_PACKET_MAX_LENGTH + 1]; /* RNM record + NULL term. */
struct completion cmd_done;
bool is_pointer;
/* Extra device details needed for pointing devices. */
Reported by FlawFinder.
Line: 346
Column: 20
CWE codes:
126
input_dev->keycodesize = sizeof(hil_kbd_set1[0]);
input_dev->keycode = hil_kbd_set1;
input_dev->name = strlen(kbd->rnm) ? kbd->rnm : "HIL keyboard";
input_dev->phys = "hpkbd/input0";
printk(KERN_INFO PREFIX "HIL keyboard found (did = 0x%02x, lang = %s)\n",
did, hil_language[did & HIL_IDD_DID_TYPE_KB_LANG_MASK]);
}
Reported by FlawFinder.
Line: 433
Column: 20
CWE codes:
126
ptr->btnmap[2] = BTN_RIGHT;
}
input_dev->name = strlen(ptr->rnm) ? ptr->rnm : "HIL pointer device";
printk(KERN_INFO PREFIX
"HIL pointer device found (did: 0x%02x, axis: %s)\n",
did, txt);
printk(KERN_INFO PREFIX
Reported by FlawFinder.
drivers/gpu/drm/rcar-du/rcar_du_crtc.c
6 issues
Line: 891
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for (i = 0; i < rcrtc->vsp->num_planes; ++i) {
struct drm_plane *plane = &rcrtc->vsp->planes[i].plane;
char name[16];
sprintf(name, "plane%u", plane->base.id);
sources[i + 1] = kstrdup(name, GFP_KERNEL);
if (!sources[i + 1])
goto error;
Reported by FlawFinder.
Line: 893
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct drm_plane *plane = &rcrtc->vsp->planes[i].plane;
char name[16];
sprintf(name, "plane%u", plane->base.id);
sources[i + 1] = kstrdup(name, GFP_KERNEL);
if (!sources[i + 1])
goto error;
}
Reported by FlawFinder.
Line: 1203
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct drm_plane *primary;
unsigned int irqflags;
struct clk *clk;
char clk_name[9];
char *name;
int irq;
int ret;
/* Get the CRTC clock and the optional external clock. */
Reported by FlawFinder.
Line: 1210
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* Get the CRTC clock and the optional external clock. */
if (rcar_du_has(rcdu, RCAR_DU_FEATURE_CRTC_IRQ_CLOCK)) {
sprintf(clk_name, "du.%u", hwindex);
name = clk_name;
} else {
name = NULL;
}
Reported by FlawFinder.
Line: 1222
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return PTR_ERR(rcrtc->clock);
}
sprintf(clk_name, "dclkin.%u", hwindex);
clk = devm_clk_get(rcdu->dev, clk_name);
if (!IS_ERR(clk)) {
rcrtc->extclock = clk;
} else if (PTR_ERR(clk) == -EPROBE_DEFER) {
return -EPROBE_DEFER;
Reported by FlawFinder.
Line: 1023
Column: 34
CWE codes:
126
*source = VSP1_DU_CRC_PLANE;
ret = kstrtouint(source_name + strlen("plane"), 10, &index);
if (ret < 0)
return ret;
for (i = 0; i < rcrtc->vsp->num_planes; ++i) {
if (index == rcrtc->vsp->planes[i].plane.base.id)
Reported by FlawFinder.
drivers/infiniband/hw/ocrdma/ocrdma_ah.c
6 issues
Line: 119
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
eth_sz = sizeof(struct ocrdma_eth_basic);
}
/* MAC */
memcpy(ð.smac[0], &dev->nic_info.mac_addr[0], ETH_ALEN);
status = ocrdma_resolve_dmac(dev, attr, ð.dmac[0]);
if (status)
return status;
ib_grh = rdma_ah_read_grh(attr);
ah->sgid_index = ib_grh->sgid_index;
Reported by FlawFinder.
Line: 126
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ib_grh = rdma_ah_read_grh(attr);
ah->sgid_index = ib_grh->sgid_index;
/* Eth HDR */
memcpy(&ah->av->eth_hdr, ð, eth_sz);
if (ah->hdr_type == RDMA_NETWORK_IPV4) {
*((__be16 *)&ipv4) = htons((4 << 12) | (5 << 8) |
ib_grh->traffic_class);
ipv4.id = cpu_to_be16(pdid);
ipv4.frag_off = htons(IP_DF);
Reported by FlawFinder.
Line: 139
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ipv4.saddr = sgid_addr._sockaddr_in.sin_addr.s_addr;
rdma_gid2ip((struct sockaddr*)&dgid_addr, &ib_grh->dgid);
ipv4.daddr = dgid_addr._sockaddr_in.sin_addr.s_addr;
memcpy((u8 *)ah->av + eth_sz, &ipv4, sizeof(struct iphdr));
} else {
memcpy(&grh.sgid[0], sgid->raw, sizeof(union ib_gid));
grh.tclass_flow = cpu_to_be32((6 << 28) |
(ib_grh->traffic_class << 24) |
ib_grh->flow_label);
Reported by FlawFinder.
Line: 141
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ipv4.daddr = dgid_addr._sockaddr_in.sin_addr.s_addr;
memcpy((u8 *)ah->av + eth_sz, &ipv4, sizeof(struct iphdr));
} else {
memcpy(&grh.sgid[0], sgid->raw, sizeof(union ib_gid));
grh.tclass_flow = cpu_to_be32((6 << 28) |
(ib_grh->traffic_class << 24) |
ib_grh->flow_label);
memcpy(&grh.dgid[0], ib_grh->dgid.raw,
sizeof(ib_grh->dgid.raw));
Reported by FlawFinder.
Line: 145
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
grh.tclass_flow = cpu_to_be32((6 << 28) |
(ib_grh->traffic_class << 24) |
ib_grh->flow_label);
memcpy(&grh.dgid[0], ib_grh->dgid.raw,
sizeof(ib_grh->dgid.raw));
grh.pdid_hoplimit = cpu_to_be32((pdid << 16) |
(nxthdr << 8) |
ib_grh->hop_limit);
memcpy((u8 *)ah->av + eth_sz, &grh, sizeof(struct ocrdma_grh));
Reported by FlawFinder.
Line: 150
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
grh.pdid_hoplimit = cpu_to_be32((pdid << 16) |
(nxthdr << 8) |
ib_grh->hop_limit);
memcpy((u8 *)ah->av + eth_sz, &grh, sizeof(struct ocrdma_grh));
}
if (*isvlan)
ah->av->valid |= OCRDMA_AV_VLAN_VALID;
ah->av->valid = cpu_to_le32(ah->av->valid);
return status;
Reported by FlawFinder.
drivers/input/joystick/sidewinder.c
6 issues
Line: 683
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case 48: /* Ambiguous */
if (j == 14) { /* ID length 14*3 -> FFP */
sw->type = SW_ID_FFP;
sprintf(comment, " [AC %s]", sw_get_bits(idbuf,38,1,3) ? "off" : "on");
} else
sw->type = SW_ID_PP;
break;
case 66:
sw->bits = 3;
Reported by FlawFinder.
Line: 101
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sw {
struct gameport *gameport;
struct input_dev *dev[4];
char name[64];
char phys[4][32];
int length;
int type;
int bits;
int number;
Reported by FlawFinder.
Line: 102
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct gameport *gameport;
struct input_dev *dev[4];
char name[64];
char phys[4][32];
int length;
int type;
int bits;
int number;
int fail;
Reported by FlawFinder.
Line: 411
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int sw_read(struct sw *sw)
{
unsigned char buf[SW_LENGTH];
int i;
i = sw_read_packet(sw->gameport, buf, sw->length, 0);
if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */
Reported by FlawFinder.
Line: 530
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void sw_3dp_id(unsigned char *buf, char *comment, size_t size)
{
int i;
char pnp[8], rev[9];
for (i = 0; i < 7; i++) /* ASCII PnP ID */
pnp[i] = sw_get_bits(buf, 24+8*i, 8, 1);
for (i = 0; i < 8; i++) /* ASCII firmware revision */
Reported by FlawFinder.
Line: 579
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char *buf = NULL; /* [SW_LENGTH] */
unsigned char *idbuf = NULL; /* [SW_LENGTH] */
unsigned char m = 1;
char comment[40];
comment[0] = 0;
sw = kzalloc(sizeof(struct sw), GFP_KERNEL);
buf = kmalloc(SW_LENGTH, GFP_KERNEL);
Reported by FlawFinder.