The following issues were found
drivers/net/wireless/ralink/rt2x00/rt2x00crypto.c
5 issues
Line: 99
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
/* Copy IV/EIV data */
memcpy(skbdesc->iv, skb->data + txdesc->iv_offset, txdesc->iv_len);
}
void rt2x00crypto_tx_remove_iv(struct sk_buff *skb, struct txentry_desc *txdesc)
{
struct skb_frame_desc *skbdesc = get_skb_frame_desc(skb);
Reported by FlawFinder.
Line: 110
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
/* Copy IV/EIV data */
memcpy(skbdesc->iv, skb->data + txdesc->iv_offset, txdesc->iv_len);
/* Move ieee80211 header */
memmove(skb->data + txdesc->iv_len, skb->data, txdesc->iv_offset);
/* Pull buffer to correct size */
Reported by FlawFinder.
Line: 138
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memmove(skb->data, skb->data + iv_len, header_length);
/* Copy IV/EIV data */
memcpy(skb->data + header_length, skbdesc->iv, iv_len);
/* IV/EIV data has returned into the frame */
skbdesc->flags &= ~SKBDESC_IV_STRIPPED;
}
Reported by FlawFinder.
Line: 213
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Copy IV/EIV data */
memcpy(skb->data + transfer, rxdesc->iv, iv_len);
transfer += iv_len;
/*
* Move payload for alignment purposes. Note that
* this is only needed when no l2 padding is present.
Reported by FlawFinder.
Line: 239
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* 4 bytes, but mac80211 doesn't care about what
* we provide here anyway and strips it immediately.
*/
memcpy(skb->data + transfer, &rxdesc->icv, 4);
transfer += icv_len;
/* IV/EIV/ICV has been inserted into frame */
rxdesc->size = transfer;
rxdesc->flags &= ~RX_FLAG_IV_STRIPPED;
Reported by FlawFinder.
drivers/pci/pci.c
5 issues
Line: 1760
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cap = state->cap;
hlist_for_each_entry(tmp, &dev->saved_cap_space, next) {
size_t len = sizeof(struct pci_cap_saved_data) + tmp->cap.size;
memcpy(cap, &tmp->cap, len);
cap = (struct pci_cap_saved_data *)((u8 *)cap + len);
}
/* Empty cap_save terminates list */
return state;
Reported by FlawFinder.
Line: 1784
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!state)
return 0;
memcpy(dev->saved_config_space, state->config_space,
sizeof(state->config_space));
cap = state->cap;
while (cap->size) {
struct pci_cap_saved_state *tmp;
Reported by FlawFinder.
Line: 1795
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!tmp || tmp->cap.size != cap->size)
return -EINVAL;
memcpy(tmp->cap.data, cap->data, tmp->cap.size);
cap = (struct pci_cap_saved_data *)((u8 *)cap +
sizeof(struct pci_cap_saved_data) + cap->size);
}
dev->state_saved = true;
Reported by FlawFinder.
Line: 4554
Column: 12
CWE codes:
120
20
raw_spin_lock_irqsave(&pci_lock, flags);
bus->ops->read(bus, dev->devfn, PCI_COMMAND, 4, &cmd_status_dword);
irq_pending = (cmd_status_dword >> 16) & PCI_STATUS_INTERRUPT;
/*
* Check interrupt status register to see whether our device
Reported by FlawFinder.
Line: 6482
Column: 6
CWE codes:
126
spin_lock(&resource_alignment_lock);
old = resource_alignment_param;
if (strlen(param)) {
resource_alignment_param = param;
} else {
kfree(param);
resource_alignment_param = NULL;
}
Reported by FlawFinder.
drivers/s390/block/dasd_int.h
5 issues
Line: 254
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dasd_uid {
__u8 type;
char vendor[4];
char serial[15];
__u16 ssid;
__u8 real_unit_addr;
__u8 base_unit_addr;
char vduit[33];
Reported by FlawFinder.
Line: 255
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dasd_uid {
__u8 type;
char vendor[4];
char serial[15];
__u16 ssid;
__u8 real_unit_addr;
__u8 base_unit_addr;
char vduit[33];
};
Reported by FlawFinder.
Line: 259
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u16 ssid;
__u8 real_unit_addr;
__u8 base_unit_addr;
char vduit[33];
};
/*
* the struct dasd_discipline is
* sth like a table of virtual functions, if you think of dasd_eckd
Reported by FlawFinder.
Line: 270
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct dasd_discipline {
struct module *owner;
char ebcname[8]; /* a name used for tagging and printks */
char name[8]; /* a name used for tagging and printks */
struct list_head list; /* used for list of disciplines */
/*
Reported by FlawFinder.
Line: 271
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dasd_discipline {
struct module *owner;
char ebcname[8]; /* a name used for tagging and printks */
char name[8]; /* a name used for tagging and printks */
struct list_head list; /* used for list of disciplines */
/*
* Device recognition functions. check_device is used to verify
Reported by FlawFinder.
drivers/pci/xen-pcifront.c
5 issues
Line: 123
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_irqsave(&pdev->sh_info_lock, irq_flags);
memcpy(active_op, op, sizeof(struct xen_pci_op));
/* Go */
wmb();
set_bit(_XEN_PCIF_active, (unsigned long *)&pdev->sh_info->flags);
notify_remote_via_evtchn(port);
Reported by FlawFinder.
Line: 167
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
schedule_pcifront_aer_op(pdev);
}
memcpy(op, active_op, sizeof(struct xen_pci_op));
err = op->err;
out:
spin_unlock_irqrestore(&pdev->sh_info_lock, irq_flags);
return err;
Reported by FlawFinder.
Line: 851
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int err = -EFAULT;
int i, num_roots, len;
char str[64];
unsigned int domain, bus;
/* Only connect once */
if (xenbus_read_driver_state(pdev->xdev->nodename) !=
Reported by FlawFinder.
Line: 947
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int err = -EFAULT;
int i, num_roots, len;
unsigned int domain, bus;
char str[64];
if (xenbus_read_driver_state(pdev->xdev->nodename) !=
XenbusStateReconfiguring)
goto out;
Reported by FlawFinder.
Line: 1011
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int i, num_devs;
unsigned int domain, bus, slot, func;
struct pci_dev *pci_dev;
char str[64];
if (xenbus_read_driver_state(pdev->xdev->nodename) !=
XenbusStateConnected)
goto out;
Reported by FlawFinder.
drivers/net/wireless/intersil/p54/eeprom.c
5 issues
Line: 442
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(*dst) * curve_data->points_per_channel;
priv->curve_data->offset = offsetof(struct pda_pa_curve_data, data);
priv->curve_data->len = cd_len;
memcpy(priv->curve_data->data, curve_data, sizeof(*curve_data));
source = curve_data->data;
target = ((struct pda_pa_curve_data *) priv->curve_data->data)->data;
for (i = 0; i < curve_data->channels; i++) {
__le16 *freq = source;
source += sizeof(__le16);
Reported by FlawFinder.
Line: 494
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(*dst) * curve_data->points_per_channel;
priv->curve_data->offset = offsetof(struct pda_pa_curve_data, data);
priv->curve_data->len = cd_len;
memcpy(priv->curve_data->data, curve_data, sizeof(*curve_data));
source = curve_data->data;
target = ((struct pda_pa_curve_data *) priv->curve_data->data)->data;
for (i = 0; i < curve_data->channels; i++) {
__le16 *freq = source;
source += sizeof(__le16);
Reported by FlawFinder.
Line: 503
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*((__le16 *)target) = *freq;
target += sizeof(__le16);
for (j = 0; j < curve_data->points_per_channel; j++) {
memcpy(target, source, sizeof(*src));
target += sizeof(*dst);
source += sizeof(*src);
}
source++;
Reported by FlawFinder.
Line: 696
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->output_limit->entries +
priv->output_limit->offset;
memcpy(priv->output_limit->data, &data[2],
data[1] * sizeof(struct pda_channel_output_limit));
return 0;
}
Reported by FlawFinder.
Line: 725
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dst->offset = offset;
dst->len = payload_len;
memcpy(dst->data, src->data, payload_len);
return dst;
}
int p54_parse_eeprom(struct ieee80211_hw *dev, void *eeprom, int len)
{
Reported by FlawFinder.
drivers/scsi/a2091.h
5 issues
Line: 30
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define A2091_XFER_MASK (0xff000001)
struct a2091_scsiregs {
unsigned char pad1[64];
volatile unsigned short ISTR;
volatile unsigned short CNTR;
unsigned char pad2[60];
volatile unsigned int WTC;
volatile unsigned long ACR;
Reported by FlawFinder.
Line: 33
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char pad1[64];
volatile unsigned short ISTR;
volatile unsigned short CNTR;
unsigned char pad2[60];
volatile unsigned int WTC;
volatile unsigned long ACR;
unsigned char pad3[6];
volatile unsigned short DAWR;
unsigned char pad4;
Reported by FlawFinder.
Line: 36
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char pad2[60];
volatile unsigned int WTC;
volatile unsigned long ACR;
unsigned char pad3[6];
volatile unsigned short DAWR;
unsigned char pad4;
volatile unsigned char SASR;
unsigned char pad5;
volatile unsigned char SCMD;
Reported by FlawFinder.
Line: 42
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
volatile unsigned char SASR;
unsigned char pad5;
volatile unsigned char SCMD;
unsigned char pad6[76];
volatile unsigned short ST_DMA;
volatile unsigned short SP_DMA;
volatile unsigned short CINT;
unsigned char pad7[2];
volatile unsigned short FLUSH;
Reported by FlawFinder.
Line: 46
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
volatile unsigned short ST_DMA;
volatile unsigned short SP_DMA;
volatile unsigned short CINT;
unsigned char pad7[2];
volatile unsigned short FLUSH;
};
#define DAWR_A2091 (3)
Reported by FlawFinder.
drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
5 issues
Line: 365
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
INIT_LIST_HEAD(&new_node->list);
new_node->tid = tid;
memcpy(new_node->ta, ta, ETH_ALEN);
new_node->start_win = seq_num;
new_node->init_win = seq_num;
new_node->flags = 0;
spin_lock_bh(&priv->sta_list_spinlock);
Reported by FlawFinder.
Line: 451
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->command = cpu_to_le16(HostCmd_CMD_11N_ADDBA_REQ);
cmd->size = cpu_to_le16(sizeof(*add_ba_req) + S_DS_GEN);
memcpy(add_ba_req, data_buf, sizeof(*add_ba_req));
return 0;
}
/*
Reported by FlawFinder.
Line: 498
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->command = cpu_to_le16(HostCmd_CMD_11N_ADDBA_RSP);
cmd->size = cpu_to_le16(sizeof(*add_ba_rsp) + S_DS_GEN);
memcpy(add_ba_rsp->peer_mac_addr, cmd_addba_req->peer_mac_addr,
ETH_ALEN);
add_ba_rsp->dialog_token = cmd_addba_req->dialog_token;
add_ba_rsp->block_ack_tmo = cmd_addba_req->block_ack_tmo;
add_ba_rsp->ssn = cmd_addba_req->ssn;
Reported by FlawFinder.
Line: 541
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->command = cpu_to_le16(HostCmd_CMD_11N_DELBA);
cmd->size = cpu_to_le16(sizeof(*del_ba) + S_DS_GEN);
memcpy(del_ba, data_buf, sizeof(*del_ba));
return 0;
}
/*
Reported by FlawFinder.
Line: 783
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct host_cmd_ds_11n_delba delba;
memset(&delba, 0, sizeof(struct host_cmd_ds_11n_delba));
memcpy(delba.peer_mac_addr, event->peer_mac_addr, ETH_ALEN);
delba.del_ba_param_set |=
cpu_to_le16((u16) event->tid << DELBA_TID_POS);
delba.del_ba_param_set |= cpu_to_le16(
(u16) event->origninator << DELBA_INITIATOR_POS);
Reported by FlawFinder.
drivers/scsi/lpfc/lpfc_mbox.c
5 issues
Line: 785
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sparam = mp->virt;
/* Copy param's into a new buffer */
memcpy(sparam, param, sizeof (struct serv_parm));
/* save address for completion */
pmb->ctx_buf = (uint8_t *)mp;
mb->mbxCommand = MBX_REG_LOGIN64;
Reported by FlawFinder.
Line: 903
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mb->un.varRegVpi.vfi = phba->sli4_hba.vfi_ids[vport->vfi];
else
mb->un.varRegVpi.vfi = vport->vfi + vport->phba->vfi_base;
memcpy(mb->un.varRegVpi.wwn, &vport->fc_portname,
sizeof(struct lpfc_name));
mb->un.varRegVpi.wwn[0] = cpu_to_le32(mb->un.varRegVpi.wwn[0]);
mb->un.varRegVpi.wwn[1] = cpu_to_le32(mb->un.varRegVpi.wwn[1]);
mb->mbxCommand = MBX_REG_VPI;
Reported by FlawFinder.
Line: 1436
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lpfc_hba_init(phba, hbainit);
memcpy(&mb->un.varCfgPort.hbainit, hbainit, 20);
}
/* Swap PCB if needed */
lpfc_sli_pcimem_bcopy(phba->pcb, phba->pcb, sizeof(PCB_t));
}
Reported by FlawFinder.
Line: 2170
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
phba->sli4_hba.vfi_ids[vport->vfi]);
bf_set(lpfc_reg_vfi_fcfi, reg_vfi, phba->fcf.fcfi);
bf_set(lpfc_reg_vfi_vpi, reg_vfi, phba->vpi_ids[vport->vpi]);
memcpy(reg_vfi->wwn, &vport->fc_portname, sizeof(struct lpfc_name));
reg_vfi->wwn[0] = cpu_to_le32(reg_vfi->wwn[0]);
reg_vfi->wwn[1] = cpu_to_le32(reg_vfi->wwn[1]);
reg_vfi->e_d_tov = phba->fc_edtov;
reg_vfi->r_a_tov = phba->fc_ratov;
if (phys) {
Reported by FlawFinder.
Line: 2323
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (mb->mbxStatus)
goto mbx_failed;
memcpy(&rdp_context->link_stat, &mb->un.varRdLnk, sizeof(READ_LNK_VAR));
rc = SUCCESS;
mbx_failed:
lpfc_sli4_mbox_cmd_free(phba, mboxq);
Reported by FlawFinder.
drivers/scsi/bfa/bfa_fcs_fcpim.c
5 issues
Line: 277
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum bfa_fcs_itnim_event event)
{
struct bfad_s *bfad = (struct bfad_s *)itnim->fcs->bfad;
char lpwwn_buf[BFA_STRING_32];
char rpwwn_buf[BFA_STRING_32];
bfa_trc(itnim->fcs, itnim->rport->pwwn);
bfa_trc(itnim->fcs, event);
Reported by FlawFinder.
Line: 278
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct bfad_s *bfad = (struct bfad_s *)itnim->fcs->bfad;
char lpwwn_buf[BFA_STRING_32];
char rpwwn_buf[BFA_STRING_32];
bfa_trc(itnim->fcs, itnim->rport->pwwn);
bfa_trc(itnim->fcs, event);
switch (event) {
Reported by FlawFinder.
Line: 315
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum bfa_fcs_itnim_event event)
{
struct bfad_s *bfad = (struct bfad_s *)itnim->fcs->bfad;
char lpwwn_buf[BFA_STRING_32];
char rpwwn_buf[BFA_STRING_32];
bfa_trc(itnim->fcs, itnim->rport->pwwn);
bfa_trc(itnim->fcs, event);
Reported by FlawFinder.
Line: 316
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct bfad_s *bfad = (struct bfad_s *)itnim->fcs->bfad;
char lpwwn_buf[BFA_STRING_32];
char rpwwn_buf[BFA_STRING_32];
bfa_trc(itnim->fcs, itnim->rport->pwwn);
bfa_trc(itnim->fcs, event);
switch (event) {
Reported by FlawFinder.
Line: 789
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (itnim == NULL)
return BFA_STATUS_NO_FCPIM_NEXUS;
memcpy(stats, &itnim->stats, sizeof(struct bfa_itnim_stats_s));
return BFA_STATUS_OK;
}
bfa_status_t
Reported by FlawFinder.
drivers/net/wireless/realtek/rtlwifi/efuse.c
5 issues
Line: 423
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!efuse_shadow_update_chk(hw)) {
efuse_read_all_map(hw, &rtlefuse->efuse_map[EFUSE_INIT_MAP][0]);
memcpy(&rtlefuse->efuse_map[EFUSE_MODIFY_MAP][0],
&rtlefuse->efuse_map[EFUSE_INIT_MAP][0],
rtlpriv->cfg->maps[EFUSE_HWSET_MAX_SIZE]);
rtl_dbg(rtlpriv, COMP_EFUSE, DBG_LOUD,
"efuse out of capacity!!\n");
Reported by FlawFinder.
Line: 459
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (word_en != 0x0F) {
u8 tmpdata[8];
memcpy(tmpdata,
&rtlefuse->efuse_map[EFUSE_MODIFY_MAP][base],
8);
RT_PRINT_DATA(rtlpriv, COMP_INIT, DBG_LOUD,
"U-efuse\n", tmpdata, 8);
Reported by FlawFinder.
Line: 477
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
efuse_power_switch(hw, true, false);
efuse_read_all_map(hw, &rtlefuse->efuse_map[EFUSE_INIT_MAP][0]);
memcpy(&rtlefuse->efuse_map[EFUSE_MODIFY_MAP][0],
&rtlefuse->efuse_map[EFUSE_INIT_MAP][0],
rtlpriv->cfg->maps[EFUSE_HWSET_MAX_SIZE]);
rtl_dbg(rtlpriv, COMP_EFUSE, DBG_LOUD, "\n");
return true;
Reported by FlawFinder.
Line: 496
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
efuse_read_all_map(hw, &rtlefuse->efuse_map[EFUSE_INIT_MAP][0]);
memcpy(&rtlefuse->efuse_map[EFUSE_MODIFY_MAP][0],
&rtlefuse->efuse_map[EFUSE_INIT_MAP][0],
rtlpriv->cfg->maps[EFUSE_HWSET_MAX_SIZE]);
}
EXPORT_SYMBOL(rtl_efuse_shadow_map_update);
Reported by FlawFinder.
Line: 1236
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 1;
}
memcpy(hwinfo, &rtlefuse->efuse_map[EFUSE_INIT_MAP][0], max_size);
RT_PRINT_DATA(rtlpriv, COMP_INIT, DBG_DMESG, "MAP",
hwinfo, max_size);
eeprom_id = *((u16 *)&hwinfo[0]);
Reported by FlawFinder.