The following issues were found
drivers/staging/rtl8712/rtl871x_event.h
5 issues
Line: 55
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* It is used in AP/Ad-HoC(M) mode.
*/
struct stassoc_event {
unsigned char macaddr[6];
unsigned char rsvd[2];
__le32 cam_id;
};
struct stadel_event {
Reported by FlawFinder.
Line: 56
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct stassoc_event {
unsigned char macaddr[6];
unsigned char rsvd[2];
__le32 cam_id;
};
struct stadel_event {
unsigned char macaddr[6];
Reported by FlawFinder.
Line: 61
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct stadel_event {
unsigned char macaddr[6];
unsigned char rsvd[2];
};
struct addba_event {
unsigned int tid;
Reported by FlawFinder.
Line: 62
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct stadel_event {
unsigned char macaddr[6];
unsigned char rsvd[2];
};
struct addba_event {
unsigned int tid;
};
Reported by FlawFinder.
Line: 101
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct ADDBA_Req_Report_parm {
unsigned char MacAddress[ETH_ALEN];
unsigned short StartSeqNum;
unsigned char tid;
};
#include "rtl8712_event.h"
Reported by FlawFinder.
drivers/staging/rtl8723bs/include/rtw_mlme_ext.h
5 issues
Line: 201
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define rtw_is_channel_plan_valid(chplan) (chplan < RT_CHANNEL_DOMAIN_MAX || chplan == RT_CHANNEL_DOMAIN_REALTEK_DEFINE)
struct rt_channel_plan {
unsigned char Channel[MAX_CHANNEL_NUM];
unsigned char Len;
};
struct rt_channel_plan_2g {
unsigned char Channel[MAX_CHANNEL_NUM_2G];
Reported by FlawFinder.
Line: 206
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct rt_channel_plan_2g {
unsigned char Channel[MAX_CHANNEL_NUM_2G];
unsigned char Len;
};
struct rt_channel_plan_map {
unsigned char Index2G;
Reported by FlawFinder.
Line: 419
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char max_chan_nums;
struct rt_channel_info channel_set[MAX_CHANNEL_NUM];
struct p2p_channels channel_list;
unsigned char basicrate[NumRates];
unsigned char datarate[NumRates];
unsigned char default_supported_mcs_set[16];
struct ss_res sitesurvey_res;
struct mlme_ext_info mlmext_info;/* for sta/adhoc mode, including current scanning/connecting/connected related info. */
Reported by FlawFinder.
Line: 420
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct rt_channel_info channel_set[MAX_CHANNEL_NUM];
struct p2p_channels channel_list;
unsigned char basicrate[NumRates];
unsigned char datarate[NumRates];
unsigned char default_supported_mcs_set[16];
struct ss_res sitesurvey_res;
struct mlme_ext_info mlmext_info;/* for sta/adhoc mode, including current scanning/connecting/connected related info. */
/* for ap mode, network includes ap's cap_info */
Reported by FlawFinder.
Line: 421
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct p2p_channels channel_list;
unsigned char basicrate[NumRates];
unsigned char datarate[NumRates];
unsigned char default_supported_mcs_set[16];
struct ss_res sitesurvey_res;
struct mlme_ext_info mlmext_info;/* for sta/adhoc mode, including current scanning/connecting/connected related info. */
/* for ap mode, network includes ap's cap_info */
struct timer_list survey_timer;
Reported by FlawFinder.
drivers/staging/rtl8723bs/os_dep/os_intfs.c
5 issues
Line: 208
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* registry_par->hci = (u8)hci; */
registry_par->network_mode = (u8)rtw_network_mode;
memcpy(registry_par->ssid.Ssid, "ANY", 3);
registry_par->ssid.SsidLength = 3;
registry_par->channel = (u8)rtw_channel;
registry_par->wireless_mode = (u8)rtw_wireless_mode;
Reported by FlawFinder.
Line: 307
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!padapter->bup) {
/* addr->sa_data[4], addr->sa_data[5]); */
memcpy(padapter->eeprompriv.mac_addr, addr->sa_data, ETH_ALEN);
/* memcpy(pnetdev->dev_addr, addr->sa_data, ETH_ALEN); */
/* padapter->bset_hwaddr = true; */
}
return 0;
Reported by FlawFinder.
Line: 388
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 priority;
u8 *pdata = skb->data;
memcpy(ð_type, pdata + (ETH_ALEN << 1), 2);
switch (be16_to_cpu(eth_type)) {
case ETH_P_IP:
piphdr = (struct iphdr *)(pdata + ETH_HLEN);
Reported by FlawFinder.
Line: 815
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rtw_init_netdev_name(pnetdev, name))
return _FAIL;
memcpy(pnetdev->dev_addr, padapter->eeprompriv.mac_addr, ETH_ALEN);
/* Tell the network stack we exist */
if (register_netdev(pnetdev) != 0) {
ret = _FAIL;
goto error_register_netdev;
Reported by FlawFinder.
Line: 440
Column: 2
CWE codes:
120
struct adapter *adapter = rtw_netdev_priv(dev);
netdev_dbg(dev, FUNC_ADPT_FMT "\n", FUNC_ADPT_ARG(adapter));
strncpy(adapter->old_ifname, dev->name, IFNAMSIZ);
return 0;
}
static void rtw_ndev_uninit(struct net_device *dev)
Reported by FlawFinder.
drivers/staging/rts5208/rtsx_transport.c
5 issues
Line: 52
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sgbuffer = (unsigned char *)scsi_sglist(srb) + *offset;
if (dir == TO_XFER_BUF)
memcpy(sgbuffer, buffer, cnt);
else
memcpy(buffer, sgbuffer, cnt);
*offset += cnt;
/*
Reported by FlawFinder.
Line: 54
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dir == TO_XFER_BUF)
memcpy(sgbuffer, buffer, cnt);
else
memcpy(buffer, sgbuffer, cnt);
*offset += cnt;
/*
* Using scatter-gather. We have to go through the list one entry
* at a time. Each s-g entry contains some number of pages, and
Reported by FlawFinder.
Line: 98
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned char *ptr = kmap(page);
if (dir == TO_XFER_BUF)
memcpy(ptr + poff, buffer + cnt, plen);
else
memcpy(buffer + cnt, ptr + poff, plen);
kunmap(page);
/* Start at the beginning of the next page */
Reported by FlawFinder.
Line: 100
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dir == TO_XFER_BUF)
memcpy(ptr + poff, buffer + cnt, plen);
else
memcpy(buffer + cnt, ptr + poff, plen);
kunmap(page);
/* Start at the beginning of the next page */
poff = 0;
++page;
Reported by FlawFinder.
Line: 184
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (result == TRANSPORT_FAILED) {
/* set the result so the higher layers expect this data */
srb->result = SAM_STAT_CHECK_CONDITION;
memcpy(srb->sense_buffer,
(unsigned char *)&chip->sense_buffer[SCSI_LUN(srb)],
sizeof(struct sense_data_t));
}
return;
Reported by FlawFinder.
drivers/staging/rts5208/sd.c
5 issues
Line: 255
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (rsp && rsp_len)
memcpy(rsp, ptr, rsp_len);
return STATUS_SUCCESS;
}
static int sd_read_data(struct rtsx_chip *chip,
Reported by FlawFinder.
Line: 416
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (i == 6)
return STATUS_FAIL;
memcpy(sd_card->raw_csd, rsp + 1, 15);
dev_dbg(rtsx_dev(chip), "CSD Response:\n");
dev_dbg(rtsx_dev(chip), "%*ph\n", 16, sd_card->raw_csd);
csd_ver = (rsp[1] & 0xc0) >> 6;
Reported by FlawFinder.
Line: 967
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return STATUS_FAIL;
}
memcpy(sd_card->raw_scr, buf, 8);
if ((buf[0] & 0x0F) == 0)
return STATUS_FAIL;
return STATUS_SUCCESS;
Reported by FlawFinder.
Line: 3694
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (rsp && rsp_len)
memcpy(rsp, ptr, rsp_len);
return STATUS_SUCCESS;
}
int ext_sd_get_rsp(struct rtsx_chip *chip, int len, u8 *rsp, u8 rsp_type)
Reported by FlawFinder.
Line: 3731
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rsp) {
int min_len = (rsp_len < len) ? rsp_len : len;
memcpy(rsp, rtsx_get_cmd_data(chip), min_len);
dev_dbg(rtsx_dev(chip), "min_len = %d\n", min_len);
dev_dbg(rtsx_dev(chip), "Response in cmd buf: 0x%x 0x%x 0x%x 0x%x\n",
rsp[0], rsp[1], rsp[2], rsp[3]);
}
Reported by FlawFinder.
drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
5 issues
Line: 252
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int vchiq_dump_platform_state(void *dump_context)
{
char buf[80];
int len;
len = snprintf(buf, sizeof(buf),
" Platform: 2835 (VC master)");
return vchiq_dump(dump_context, buf, len + 1);
Reported by FlawFinder.
Line: 531
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (head_bytes > actual)
head_bytes = actual;
memcpy((char *)kmap(pages[0]) +
pagelist->offset,
fragments,
head_bytes);
kunmap(pages[0]);
}
Reported by FlawFinder.
Line: 531
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (head_bytes > actual)
head_bytes = actual;
memcpy((char *)kmap(pages[0]) +
pagelist->offset,
fragments,
head_bytes);
kunmap(pages[0]);
}
Reported by FlawFinder.
Line: 539
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if ((actual >= 0) && (head_bytes < actual) &&
(tail_bytes != 0)) {
memcpy((char *)kmap(pages[num_pages - 1]) +
((pagelist->offset + actual) &
(PAGE_SIZE - 1) & ~(g_cache_line_size - 1)),
fragments + g_cache_line_size,
tail_bytes);
kunmap(pages[num_pages - 1]);
Reported by FlawFinder.
Line: 539
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
if ((actual >= 0) && (head_bytes < actual) &&
(tail_bytes != 0)) {
memcpy((char *)kmap(pages[num_pages - 1]) +
((pagelist->offset + actual) &
(PAGE_SIZE - 1) & ~(g_cache_line_size - 1)),
fragments + g_cache_line_size,
tail_bytes);
kunmap(pages[num_pages - 1]);
Reported by FlawFinder.
drivers/staging/vt6656/rxtx.c
5 issues
Line: 313
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (tx_key->cipher) {
case WLAN_CIPHER_SUITE_WEP40:
case WLAN_CIPHER_SUITE_WEP104:
memcpy(fifo->tx_key, iv, 3);
memcpy(fifo->tx_key + 3, tx_key->key, tx_key->keylen);
if (tx_key->keylen == WLAN_KEY_LEN_WEP40) {
memcpy(fifo->tx_key + 8, iv, 3);
memcpy(fifo->tx_key + 11,
Reported by FlawFinder.
Line: 314
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case WLAN_CIPHER_SUITE_WEP40:
case WLAN_CIPHER_SUITE_WEP104:
memcpy(fifo->tx_key, iv, 3);
memcpy(fifo->tx_key + 3, tx_key->key, tx_key->keylen);
if (tx_key->keylen == WLAN_KEY_LEN_WEP40) {
memcpy(fifo->tx_key + 8, iv, 3);
memcpy(fifo->tx_key + 11,
tx_key->key, WLAN_KEY_LEN_WEP40);
Reported by FlawFinder.
Line: 317
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(fifo->tx_key + 3, tx_key->key, tx_key->keylen);
if (tx_key->keylen == WLAN_KEY_LEN_WEP40) {
memcpy(fifo->tx_key + 8, iv, 3);
memcpy(fifo->tx_key + 11,
tx_key->key, WLAN_KEY_LEN_WEP40);
}
fifo->frag_ctl |= cpu_to_le16(FRAGCTL_LEGACY);
Reported by FlawFinder.
Line: 318
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (tx_key->keylen == WLAN_KEY_LEN_WEP40) {
memcpy(fifo->tx_key + 8, iv, 3);
memcpy(fifo->tx_key + 11,
tx_key->key, WLAN_KEY_LEN_WEP40);
}
fifo->frag_ctl |= cpu_to_le16(FRAGCTL_LEGACY);
break;
Reported by FlawFinder.
Line: 368
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ieee80211_has_a4(hdr->frame_control))
ether_addr_copy(mic_hdr->addr4, hdr->addr4);
memcpy(fifo->tx_key, tx_key->key, WLAN_KEY_LEN_CCMP);
fifo->frag_ctl |= cpu_to_le16(FRAGCTL_AES);
return true;
default:
break;
Reported by FlawFinder.
drivers/staging/wlan-ng/p80211netdev.c
5 issues
Line: 162
Column: 15
CWE codes:
362
return -ENODEV;
/* Tell the MSD to open */
if (wlandev->open) {
result = wlandev->open(wlandev);
if (result == 0) {
netif_start_queue(wlandev->netdev);
wlandev->state = WLAN_DEVICE_OPEN;
}
Reported by FlawFinder.
Line: 163
Column: 21
CWE codes:
362
/* Tell the MSD to open */
if (wlandev->open) {
result = wlandev->open(wlandev);
if (result == 0) {
netif_start_queue(wlandev->netdev);
wlandev->state = WLAN_DEVICE_OPEN;
}
} else {
Reported by FlawFinder.
Line: 641
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&dot11req, 0, sizeof(dot11req));
dot11req.msgcode = DIDMSG_DOT11REQ_MIBSET;
dot11req.msglen = sizeof(dot11req);
memcpy(dot11req.devname,
((struct wlandevice *)dev->ml_priv)->name,
WLAN_DEVNAMELEN_MAX - 1);
/* Set up the mibattribute argument */
mibattr->did = DIDMSG_DOT11REQ_MIBSET_MIBATTRIBUTE;
Reported by FlawFinder.
Line: 654
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
macaddr->status = P80211ENUM_msgitem_status_data_ok;
macaddr->len = sizeof(macaddr->data);
macaddr->data.len = ETH_ALEN;
memcpy(&macaddr->data.data, new_addr->sa_data, ETH_ALEN);
/* Set up the resultcode argument */
resultcode->did = DIDMSG_DOT11REQ_MIBSET_RESULTCODE;
resultcode->status = P80211ENUM_msgitem_status_no_value;
resultcode->len = sizeof(resultcode->data);
Reported by FlawFinder.
Line: 673
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
result = -EADDRNOTAVAIL;
} else {
/* everything's ok, change the addr in netdev */
memcpy(dev->dev_addr, new_addr->sa_data, dev->addr_len);
}
return result;
}
Reported by FlawFinder.
drivers/staging/wlan-ng/prism2mgmt.c
5 issues
Line: 216
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* set up the ssid, if present. */
scanreq.ssid.len = cpu_to_le16(msg->ssid.data.len);
memcpy(scanreq.ssid.data, msg->ssid.data.data, msg->ssid.data.len);
/* Enable the MAC port if it's not already enabled */
result = hfa384x_drvr_getconfig16(hw, HFA384x_RID_PORTSTATUS, &word);
if (result) {
netdev_err(wlandev->netdev,
Reported by FlawFinder.
Line: 427
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* BSSID */
req->bssid.status = P80211ENUM_msgitem_status_data_ok;
req->bssid.data.len = WLAN_BSSID_LEN;
memcpy(req->bssid.data.data, item->bssid, WLAN_BSSID_LEN);
/* SSID */
req->ssid.status = P80211ENUM_msgitem_status_data_ok;
req->ssid.data.len = le16_to_cpu(item->ssid.len);
req->ssid.data.len = min_t(u16, req->ssid.data.len, WLAN_SSID_MAXLEN);
Reported by FlawFinder.
Line: 433
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->ssid.status = P80211ENUM_msgitem_status_data_ok;
req->ssid.data.len = le16_to_cpu(item->ssid.len);
req->ssid.data.len = min_t(u16, req->ssid.data.len, WLAN_SSID_MAXLEN);
memcpy(req->ssid.data.data, item->ssid.data, req->ssid.data.len);
/* supported rates */
for (count = 0; count < 10; count++)
if (item->supprates[count] == 0)
break;
Reported by FlawFinder.
Line: 558
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wlandev->macmode = WLAN_MACMODE_NONE;
/* Set the SSID */
memcpy(&wlandev->ssid, &msg->ssid.data, sizeof(msg->ssid.data));
/*** ADHOC IBSS ***/
/* see if current f/w is less than 8c3 */
if (HFA384x_FIRMWARE_VERSION(hw->ident_sta_fw.major,
hw->ident_sta_fw.minor,
Reported by FlawFinder.
Line: 1059
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wlandev->macmode = WLAN_MACMODE_NONE;
/* Set the SSID */
memcpy(&wlandev->ssid, &msg->ssid.data, sizeof(msg->ssid.data));
/* Disable the Port */
hfa384x_drvr_disable(hw, 0);
/*** STATION ***/
Reported by FlawFinder.
drivers/target/iscsi/iscsi_target_tpg.c
5 issues
Line: 611
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
goto out;
if (!strncmp(none + 4, ",", 1)) {
if (!strcmp(buf1, none))
sprintf(buf2, "%s", none+5);
else {
none--;
*none = '\0';
len = sprintf(buf2, "%s", buf1);
none += 5;
Reported by FlawFinder.
Line: 615
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else {
none--;
*none = '\0';
len = sprintf(buf2, "%s", buf1);
none += 5;
sprintf(buf2 + len, "%s", none);
}
} else {
none--;
Reported by FlawFinder.
Line: 617
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
*none = '\0';
len = sprintf(buf2, "%s", buf1);
none += 5;
sprintf(buf2 + len, "%s", none);
}
} else {
none--;
*none = '\0';
sprintf(buf2, "%s", buf1);
Reported by FlawFinder.
Line: 622
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
} else {
none--;
*none = '\0';
sprintf(buf2, "%s", buf1);
}
if (iscsi_update_param_value(param, buf2) < 0)
return -EINVAL;
} else {
snprintf(buf1, sizeof(buf1), "%s", param->value);
Reported by FlawFinder.
Line: 586
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int iscsit_ta_authentication(struct iscsi_portal_group *tpg, u32 authentication)
{
unsigned char buf1[256], buf2[256], *none = NULL;
int len;
struct iscsi_param *param;
struct iscsi_tpg_attrib *a = &tpg->tpg_attrib;
if ((authentication != 1) && (authentication != 0)) {
Reported by FlawFinder.