The following issues were found
drivers/staging/media/atomisp/pci/sh_css_version.c
5 issues
Line: 36
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
return -EINVAL;
strscpy(version, css_version, max_size);
strcat(version, "FW:");
strcat(version, sh_css_get_fw_version());
strcat(version, "; ");
return 0;
}
Reported by FlawFinder.
Line: 35
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (max_size <= (int)strlen(css_version) + (int)strlen(sh_css_get_fw_version()) + 5)
return -EINVAL;
strscpy(version, css_version, max_size);
strcat(version, "FW:");
strcat(version, sh_css_get_fw_version());
strcat(version, "; ");
return 0;
}
Reported by FlawFinder.
Line: 37
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strscpy(version, css_version, max_size);
strcat(version, "FW:");
strcat(version, sh_css_get_fw_version());
strcat(version, "; ");
return 0;
}
Reported by FlawFinder.
Line: 32
Column: 23
CWE codes:
126
else
css_version = ISP2401_CSS_VERSION_STRING;
if (max_size <= (int)strlen(css_version) + (int)strlen(sh_css_get_fw_version()) + 5)
return -EINVAL;
strscpy(version, css_version, max_size);
strcat(version, "FW:");
strcat(version, sh_css_get_fw_version());
strcat(version, "; ");
Reported by FlawFinder.
Line: 32
Column: 50
CWE codes:
126
else
css_version = ISP2401_CSS_VERSION_STRING;
if (max_size <= (int)strlen(css_version) + (int)strlen(sh_css_get_fw_version()) + 5)
return -EINVAL;
strscpy(version, css_version, max_size);
strcat(version, "FW:");
strcat(version, sh_css_get_fw_version());
strcat(version, "; ");
Reported by FlawFinder.
drivers/staging/media/meson/vdec/codec_vp9.c
5 issues
Line: 417
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 mode_ref_delta_update;
/*0 = Intra, Last, GF, ARF*/
signed char ref_deltas[MAX_REF_LF_DELTAS];
signed char last_ref_deltas[MAX_REF_LF_DELTAS];
/*0 = ZERO_MV, MV*/
signed char mode_deltas[MAX_MODE_LF_DELTAS];
signed char last_mode_deltas[MAX_MODE_LF_DELTAS];
Reported by FlawFinder.
Line: 418
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*0 = Intra, Last, GF, ARF*/
signed char ref_deltas[MAX_REF_LF_DELTAS];
signed char last_ref_deltas[MAX_REF_LF_DELTAS];
/*0 = ZERO_MV, MV*/
signed char mode_deltas[MAX_MODE_LF_DELTAS];
signed char last_mode_deltas[MAX_MODE_LF_DELTAS];
};
Reported by FlawFinder.
Line: 421
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
signed char last_ref_deltas[MAX_REF_LF_DELTAS];
/*0 = ZERO_MV, MV*/
signed char mode_deltas[MAX_MODE_LF_DELTAS];
signed char last_mode_deltas[MAX_MODE_LF_DELTAS];
};
struct vp9_frame {
struct list_head list;
Reported by FlawFinder.
Line: 422
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*0 = ZERO_MV, MV*/
signed char mode_deltas[MAX_MODE_LF_DELTAS];
signed char last_mode_deltas[MAX_MODE_LF_DELTAS];
};
struct vp9_frame {
struct list_head list;
struct vb2_v4l2_buffer *vbuf;
Reported by FlawFinder.
Line: 2122
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(unsigned int *)cur_prob_b,
(unsigned int *)count_b);
memcpy(prev_prob_b, cur_prob_b, ADAPT_PROB_SIZE);
amvdec_write_dos(core, VP9_ADAPT_PROB_REG, 0);
}
/* Invalidate first 3 refs */
for (i = 0; i < REFS_PER_FRAME ; ++i)
Reported by FlawFinder.
drivers/staging/most/dim2/dim2.c
5 issues
Line: 845
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
else
fmt = "dim2-%016x";
snprintf(dev->name, sizeof(dev->name), fmt, res->start);
}
dev->most_iface.interface = ITYPE_MEDIALB_DIM2;
dev->most_iface.description = dev->name;
dev->most_iface.num_channels = DMA_CHANNELS;
Reported by FlawFinder.
Line: 63
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @data_type: channel data type
*/
struct hdm_channel {
char name[sizeof "caNNN"];
bool is_initialized;
struct dim_channel ch;
u16 *reset_dbr_size;
struct list_head pending_list; /* before dim_enqueue_buffer() */
struct list_head started_list; /* after dim_enqueue_buffer() */
Reported by FlawFinder.
Line: 91
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hdm_channel hch[DMA_CHANNELS];
struct most_channel_capability capabilities[DMA_CHANNELS];
struct most_interface most_iface;
char name[16 + sizeof "dim2-"];
void __iomem *io_base;
u8 clk_speed;
struct clk *clk;
struct clk *clk_pll;
struct task_struct *netinfo_task;
Reported by FlawFinder.
Line: 99
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct task_struct *netinfo_task;
wait_queue_head_t netinfo_waitq;
int deliver_netinfo;
unsigned char mac_addrs[6];
unsigned char link_state;
int atx_idx;
struct medialb_bus bus;
void (*on_netinfo)(struct most_interface *most_iface,
unsigned char link_state, unsigned char *addrs);
Reported by FlawFinder.
Line: 239
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_info("Node Address: 0x%03x\n", (u16)data[16] << 8 | data[17]);
dev->link_state = data[18];
pr_info("NIState: %d\n", dev->link_state);
memcpy(dev->mac_addrs, data + 19, 6);
dev->deliver_netinfo++;
wake_up_interruptible(&dev->netinfo_waitq);
}
/**
Reported by FlawFinder.
drivers/staging/olpc_dcon/olpc_dcon.c
5 issues
Line: 395
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dcon_priv *dcon = dev_get_drvdata(dev);
return sprintf(buf, "%4.4X\n", dcon->disp_mode);
}
static ssize_t dcon_sleep_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 404
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dcon_priv *dcon = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", dcon->asleep);
}
static ssize_t dcon_freeze_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 413
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dcon_priv *dcon = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", dcon->curr_src == DCON_SOURCE_DCON ? 1 : 0);
}
static ssize_t dcon_mono_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 422
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dcon_priv *dcon = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", dcon->mono);
}
static ssize_t dcon_resumeline_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 429
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr,
char *buf)
{
return sprintf(buf, "%d\n", resumeline);
}
static ssize_t dcon_mono_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/staging/rtl8188eu/include/rtw_mlme_ext.h
5 issues
Line: 161
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
chplan == RT_CHANNEL_DOMAIN_REALTEK_DEFINE)
struct rt_channel_plan {
unsigned char Channel[MAX_CHANNEL_NUM];
unsigned char Len;
};
struct rt_channel_plan_2g {
unsigned char Channel[MAX_CHANNEL_NUM_2G];
Reported by FlawFinder.
Line: 166
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct rt_channel_plan_2g {
unsigned char Channel[MAX_CHANNEL_NUM_2G];
unsigned char Len;
};
struct rt_channel_plan_map {
unsigned char Index2G;
Reported by FlawFinder.
Line: 266
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 status;
u32 rx_pkt;
u32 retry;
unsigned char SupportedRates[NDIS_802_11_LENGTH_RATES_EX];
};
/*
* Usage:
* When one iface acted as AP mode and the other iface is STA mode and scanning,
Reported by FlawFinder.
Line: 404
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char max_chan_nums;
struct rt_channel_info channel_set[MAX_CHANNEL_NUM];
struct p2p_channels channel_list;
unsigned char basicrate[NumRates];
unsigned char datarate[NumRates];
struct ss_res sitesurvey_res;
struct mlme_ext_info mlmext_info;/* for sta/adhoc mode, including
* current scan/connecting/connected
Reported by FlawFinder.
Line: 405
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct rt_channel_info channel_set[MAX_CHANNEL_NUM];
struct p2p_channels channel_list;
unsigned char basicrate[NumRates];
unsigned char datarate[NumRates];
struct ss_res sitesurvey_res;
struct mlme_ext_info mlmext_info;/* for sta/adhoc mode, including
* current scan/connecting/connected
* related info. For ap mode,
Reported by FlawFinder.
drivers/staging/rtl8188eu/os_dep/rtw_android.c
5 issues
Line: 15
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <osdep_service.h>
#include <rtw_ioctl_set.h>
static const char *android_wifi_cmd_str[ANDROID_WIFI_CMD_MAX] = {
"START",
"STOP",
"SCAN-ACTIVE",
"SCAN-PASSIVE",
"RSSI",
Reported by FlawFinder.
Line: 115
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int total_len)
{
/* We use the same address as our HW MAC address */
memcpy(command, net->dev_addr, ETH_ALEN);
return ETH_ALEN;
}
int rtw_android_priv_cmd(struct net_device *net, struct ifreq *ifr, int cmd)
{
Reported by FlawFinder.
Line: 60
Column: 6
CWE codes:
126
for (cmd_num = 0; cmd_num < ANDROID_WIFI_CMD_MAX; cmd_num++)
if (!strncasecmp(cmdstr, android_wifi_cmd_str[cmd_num],
strlen(android_wifi_cmd_str[cmd_num])))
break;
return cmd_num;
}
static int rtw_android_get_rssi(struct net_device *net, char *command,
Reported by FlawFinder.
Line: 104
Column: 33
CWE codes:
126
int total_len)
{
struct adapter *adapter = netdev_priv(net);
char *country_code = command + strlen(android_wifi_cmd_str[ANDROID_WIFI_CMD_COUNTRY]) + 1;
int ret;
ret = rtw_set_country(adapter, country_code);
return (ret == _SUCCESS) ? 0 : -1;
}
Reported by FlawFinder.
Line: 203
Column: 19
CWE codes:
126
break;
default:
snprintf(command, 3, "OK");
bytes_written = strlen("OK");
}
response:
if (bytes_written >= 0) {
if ((bytes_written == 0) && (priv_cmd.total_len > 0))
Reported by FlawFinder.
drivers/staging/rtl8192e/rtllib_tx.c
5 issues
Line: 163
Column: 27
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
struct lib80211_crypt_data *crypt = NULL;
int res;
crypt = ieee->crypt_info.crypt[ieee->crypt_info.tx_keyidx];
if (!(crypt && crypt->ops)) {
netdev_info(ieee->dev, "=========>%s(), crypt is null\n",
__func__);
return -1;
Reported by FlawFinder.
Line: 165
Column: 8
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
crypt = ieee->crypt_info.crypt[ieee->crypt_info.tx_keyidx];
if (!(crypt && crypt->ops)) {
netdev_info(ieee->dev, "=========>%s(), crypt is null\n",
__func__);
return -1;
}
/* To encrypt, frame format is:
Reported by FlawFinder.
Line: 643
Column: 28
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
}
skb->priority = rtllib_classify(skb, IsAmsdu);
crypt = ieee->crypt_info.crypt[ieee->crypt_info.tx_keyidx];
encrypt = !(ether_type == ETH_P_PAE && ieee->ieee802_1x) &&
ieee->host_encrypt && crypt && crypt->ops;
if (!encrypt && ieee->ieee802_1x &&
ieee->drop_unencrypted && ether_type != ETH_P_PAE) {
stats->tx_dropped++;
Reported by FlawFinder.
Line: 645
Column: 26
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
skb->priority = rtllib_classify(skb, IsAmsdu);
crypt = ieee->crypt_info.crypt[ieee->crypt_info.tx_keyidx];
encrypt = !(ether_type == ETH_P_PAE && ieee->ieee802_1x) &&
ieee->host_encrypt && crypt && crypt->ops;
if (!encrypt && ieee->ieee802_1x &&
ieee->drop_unencrypted && ether_type != ETH_P_PAE) {
stats->tx_dropped++;
goto success;
}
Reported by FlawFinder.
Line: 651
Column: 7
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
stats->tx_dropped++;
goto success;
}
if (crypt && !encrypt && ether_type == ETH_P_PAE) {
struct eapol *eap = (struct eapol *)(skb->data +
sizeof(struct ethhdr) - SNAP_SIZE -
sizeof(u16));
netdev_dbg(ieee->dev,
"TX: IEEE 802.11 EAPOL frame: %s\n",
Reported by FlawFinder.
drivers/staging/rtl8192u/ieee80211/ieee80211_crypt_wep.c
5 issues
Line: 107
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*pos++ = wep->key_idx << 6;
/* Copy rest of the WEP key (the secret part) */
memcpy(key + 3, wep->key, wep->key_len);
if (!tcb_desc->bHwSec) {
/* Append little-endian CRC32 and encrypt it to produce ICV */
crc = ~crc32_le(~0, pos, len);
icv = skb_put(skb, 4);
Reported by FlawFinder.
Line: 157
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
klen = 3 + wep->key_len;
/* Copy rest of the WEP key (the secret part) */
memcpy(key + 3, wep->key, wep->key_len);
/* Apply RC4 to data and compute CRC32 over decrypted data */
plen = skb->len - hdr_len - 8;
if (!tcb_desc->bHwSec) {
Reported by FlawFinder.
Line: 192
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len < 0 || len > WEP_KEY_LEN)
return -1;
memcpy(wep->key, key, len);
wep->key_len = len;
return 0;
}
Reported by FlawFinder.
Line: 206
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len < wep->key_len)
return -1;
memcpy(key, wep->key, wep->key_len);
return wep->key_len;
}
Reported by FlawFinder.
Line: 216
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct prism2_wep_data *wep = priv;
p += sprintf(p, "key[%d] alg=WEP len=%d\n",
wep->key_idx, wep->key_len);
return p;
}
Reported by FlawFinder.
drivers/staging/rtl8712/mlme_linux.c
5 issues
Line: 102
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* disconnect with AP for 60 seconds.
*/
memcpy(&backupPMKIDList[0],
&adapter->securitypriv.PMKIDList[0],
sizeof(struct RT_PMKID_LIST) * NUM_PMKID_CACHE);
backupPMKIDIndex = adapter->securitypriv.PMKIDIndex;
backupTKIPCountermeasure =
adapter->securitypriv.btkip_countermeasure;
Reported by FlawFinder.
Line: 115
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Restore the PMK information to securitypriv structure
* for the following connection.
*/
memcpy(&adapter->securitypriv.PMKIDList[0],
&backupPMKIDList[0],
sizeof(struct RT_PMKID_LIST) * NUM_PMKID_CACHE);
adapter->securitypriv.PMKIDIndex = backupPMKIDIndex;
adapter->securitypriv.btkip_countermeasure =
backupTKIPCountermeasure;
Reported by FlawFinder.
Line: 147
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!buff)
return;
p = buff;
p += sprintf(p, "ASSOCINFO(ReqIEs=");
len = sec_ie[1] + 2;
len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;
for (i = 0; i < len; i++)
p += sprintf(p, "%02x", sec_ie[i]);
p += sprintf(p, ")");
Reported by FlawFinder.
Line: 151
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len = sec_ie[1] + 2;
len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;
for (i = 0; i < len; i++)
p += sprintf(p, "%02x", sec_ie[i]);
p += sprintf(p, ")");
memset(&wrqu, 0, sizeof(wrqu));
wrqu.data.length = p - buff;
wrqu.data.length = (wrqu.data.length < IW_CUSTOM_MAX) ?
wrqu.data.length : IW_CUSTOM_MAX;
Reported by FlawFinder.
Line: 152
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;
for (i = 0; i < len; i++)
p += sprintf(p, "%02x", sec_ie[i]);
p += sprintf(p, ")");
memset(&wrqu, 0, sizeof(wrqu));
wrqu.data.length = p - buff;
wrqu.data.length = (wrqu.data.length < IW_CUSTOM_MAX) ?
wrqu.data.length : IW_CUSTOM_MAX;
wireless_send_event(adapter->pnetdev, IWEVCUSTOM, &wrqu, buff);
Reported by FlawFinder.
drivers/staging/rtl8712/os_intfs.c
5 issues
Line: 33
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_DESCRIPTION("rtl871x wireless lan driver");
MODULE_AUTHOR("Larry Finger");
static char ifname[IFNAMSIZ] = "wlan%d";
/* module param defaults */
static int chip_version = RTL8712_2ndCUT;
static int rfintfs = HWPI;
static int lbkmode = RTL8712_AIR_TRX;
Reported by FlawFinder.
Line: 125
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
registry_par->lbkmode = (u8)lbkmode;
registry_par->hci = (u8)hci;
registry_par->network_mode = (u8)network_mode;
memcpy(registry_par->ssid.Ssid, "ANY", 3);
registry_par->ssid.SsidLength = 3;
registry_par->channel = (u8)channel;
registry_par->wireless_mode = (u8)wireless_mode;
registry_par->vrtl_carrier_sense = (u8)vrtl_carrier_sense;
registry_par->vcs_type = (u8)vcs_type;
Reported by FlawFinder.
Line: 206
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!pnetdev)
return NULL;
if (dev_alloc_name(pnetdev, ifname) < 0) {
strcpy(ifname, "wlan%d");
dev_alloc_name(pnetdev, ifname);
}
padapter = netdev_priv(pnetdev);
padapter->pnetdev = pnetdev;
pr_info("r8712u: register rtl8712_netdev_ops to netdev_ops\n");
Reported by FlawFinder.
Line: 384
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto netdev_open_error;
if (!r8712_initmac) {
/* Use the mac address stored in the Efuse */
memcpy(pnetdev->dev_addr,
padapter->eeprompriv.mac_addr, ETH_ALEN);
} else {
/* We have to inform f/w to use user-supplied MAC
* address.
*/
Reported by FlawFinder.
Line: 401
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* the eeprompriv.mac_addr should store the mac which
* users specify.
*/
memcpy(padapter->eeprompriv.mac_addr,
pnetdev->dev_addr, ETH_ALEN);
}
if (start_drv_threads(padapter) != _SUCCESS)
goto netdev_open_error;
if (!padapter->dvobjpriv.inirp_init)
Reported by FlawFinder.