The following issues were found
drivers/scsi/aic94xx/aic94xx_scb.c
4 issues
Line: 150
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
struct sas_identify_frame *idframe =
(void *) phy->sas_phy.frame_rcvd;
memcpy(sas_addr, idframe->sas_addr, SAS_ADDR_SIZE);
}
}
static void asd_form_port(struct asd_ha_struct *asd_ha, struct asd_phy *phy)
{
Reported by FlawFinder.
Line: 187
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (i >= ASD_MAX_PHYS) {
port = free_port;
BUG_ON(!port);
memcpy(port->sas_addr, sas_phy->sas_addr,
SAS_ADDR_SIZE);
memcpy(port->attached_sas_addr,
sas_phy->attached_sas_addr,
SAS_ADDR_SIZE);
}
Reported by FlawFinder.
Line: 189
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUG_ON(!port);
memcpy(port->sas_addr, sas_phy->sas_addr,
SAS_ADDR_SIZE);
memcpy(port->attached_sas_addr,
sas_phy->attached_sas_addr,
SAS_ADDR_SIZE);
}
port->num_phys++;
port->phy_mask |= (1U << sas_phy->id);
Reported by FlawFinder.
Line: 231
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size = min(size, (u16) sizeof(phy->frame_rcvd));
spin_lock_irqsave(&phy->sas_phy.frame_rcvd_lock, flags);
memcpy(phy->sas_phy.frame_rcvd, edb->vaddr, size);
phy->sas_phy.frame_rcvd_size = size;
asd_get_attached_sas_addr(phy, phy->sas_phy.attached_sas_addr);
spin_unlock_irqrestore(&phy->sas_phy.frame_rcvd_lock, flags);
asd_dump_frame_rcvd(phy, dl);
asd_form_port(ascb->ha, phy);
Reported by FlawFinder.
drivers/pnp/pnpbios/core.c
4 issues
Line: 122
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* action: add, remove */
envp[i++] = scratch;
scratch += sprintf(scratch, "ACTION=%s", dock ? "add" : "remove") + 1;
/* Report the ident for the dock */
envp[i++] = scratch;
scratch += sprintf(scratch, "DOCK=%x/%x/%x",
info->location_id, info->serial, info->capabilities);
Reported by FlawFinder.
Line: 89
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pnp_dock_event(int dock, struct pnp_docking_station_info *info)
{
static char const sbin_pnpbios[] = "/sbin/pnpbios";
char *argv[3], **envp, *buf, *scratch;
int i = 0, value;
if (!(envp = kcalloc(20, sizeof(char *), GFP_KERNEL)))
return -ENOMEM;
if (!(buf = kzalloc(256, GFP_KERNEL))) {
Reported by FlawFinder.
Line: 126
Column: 13
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* Report the ident for the dock */
envp[i++] = scratch;
scratch += sprintf(scratch, "DOCK=%x/%x/%x",
info->location_id, info->serial, info->capabilities);
envp[i] = NULL;
value = call_usermodehelper(sbin_pnpbios, argv, envp, UMH_WAIT_EXEC);
kfree(buf);
Reported by FlawFinder.
Line: 302
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int __init insert_device(struct pnp_bios_node *node)
{
struct pnp_dev *dev;
char id[8];
int error;
/* check if the device is already added */
list_for_each_entry(dev, &pnpbios_protocol.devices, protocol_list) {
if (dev->number == node->handle)
Reported by FlawFinder.
drivers/pci/iov.c
4 issues
Line: 140
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int pci_iov_sysfs_link(struct pci_dev *dev,
struct pci_dev *virtfn, int id)
{
char buf[VIRTFN_ID_LEN];
int rc;
sprintf(buf, "virtfn%u", id);
rc = sysfs_create_link(&dev->dev.kobj, &virtfn->dev.kobj, buf);
if (rc)
Reported by FlawFinder.
Line: 143
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char buf[VIRTFN_ID_LEN];
int rc;
sprintf(buf, "virtfn%u", id);
rc = sysfs_create_link(&dev->dev.kobj, &virtfn->dev.kobj, buf);
if (rc)
goto failed;
rc = sysfs_create_link(&virtfn->dev.kobj, &dev->dev.kobj, "physfn");
if (rc)
Reported by FlawFinder.
Line: 316
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void pci_iov_remove_virtfn(struct pci_dev *dev, int id)
{
char buf[VIRTFN_ID_LEN];
struct pci_dev *virtfn;
virtfn = pci_get_domain_bus_and_slot(pci_domain_nr(dev->bus),
pci_iov_virtfn_bus(dev, id),
pci_iov_virtfn_devfn(dev, id));
Reported by FlawFinder.
Line: 325
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!virtfn)
return;
sprintf(buf, "virtfn%u", id);
sysfs_remove_link(&dev->dev.kobj, buf);
/*
* pci_stop_dev() could have been called for this virtfn already,
* so the directory for the virtfn may have been removed before.
* Double check to avoid spurious sysfs warnings.
Reported by FlawFinder.
drivers/pci/p2pdma.c
4 issues
Line: 1012
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!p2p_dev)
return sprintf(page, "1\n");
return sprintf(page, "%s\n", pci_name(p2p_dev));
}
EXPORT_SYMBOL_GPL(pci_p2pdma_enable_show);
Reported by FlawFinder.
Line: 461
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int acs_cnt = 0;
int dist_a = 0;
int dist_b = 0;
char buf[128];
seq_buf_init(&acs_list, buf, sizeof(buf));
/*
* Note, we don't need to take references to devices returned by
Reported by FlawFinder.
Line: 1007
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
bool use_p2pdma)
{
if (!use_p2pdma)
return sprintf(page, "0\n");
if (!p2p_dev)
return sprintf(page, "1\n");
return sprintf(page, "%s\n", pci_name(p2p_dev));
Reported by FlawFinder.
Line: 1010
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return sprintf(page, "0\n");
if (!p2p_dev)
return sprintf(page, "1\n");
return sprintf(page, "%s\n", pci_name(p2p_dev));
}
EXPORT_SYMBOL_GPL(pci_p2pdma_enable_show);
Reported by FlawFinder.
drivers/scsi/aic94xx/aic94xx_hwi.c
4 issues
Line: 46
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
ASD_DPRINTK("setting phy%d addr to %llx\n", i,
SAS_ADDR(asd_ha->hw_prof.sas_addr));
memcpy(asd_ha->hw_prof.phy_desc[i].sas_addr,
asd_ha->hw_prof.sas_addr, SAS_ADDR_SIZE);
}
}
/* ---------- PHY initialization ---------- */
Reported by FlawFinder.
Line: 64
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
phy->identify_frame->initiator_bits = phy->sas_phy.iproto;
if (phy->sas_phy.role & PHY_ROLE_TARGET)
phy->identify_frame->target_bits = phy->sas_phy.tproto;
memcpy(phy->identify_frame->sas_addr, phy->phy_desc->sas_addr,
SAS_ADDR_SIZE);
phy->identify_frame->phy_id = phy->sas_phy.id;
}
static int asd_init_phy(struct asd_phy *phy)
Reported by FlawFinder.
Line: 809
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void asd_arp2_err(struct asd_ha_struct *asd_ha, u32 dchstatus)
{
static const char *halt_code[256] = {
"UNEXPECTED_INTERRUPT0",
"UNEXPECTED_INTERRUPT1",
"UNEXPECTED_INTERRUPT2",
"UNEXPECTED_INTERRUPT3",
"UNEXPECTED_INTERRUPT4",
Reported by FlawFinder.
Line: 1138
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
list);
struct asd_dma_tok t = ascb->dma_scb;
memcpy(seq->next_scb.vaddr, ascb->scb, sizeof(*ascb->scb));
ascb->dma_scb = seq->next_scb;
ascb->scb = ascb->dma_scb.vaddr;
seq->next_scb = t;
last->scb->header.next_scb =
cpu_to_le64(((u64)seq->next_scb.dma_handle));
Reported by FlawFinder.
drivers/net/wireless/microchip/wilc1000/netdev.c
4 issues
Line: 941
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
vif = netdev_priv(ndev);
ndev->ieee80211_ptr = &vif->priv.wdev;
strcpy(ndev->name, name);
vif->wilc = wl;
vif->ndev = ndev;
ndev->ml_priv = vif;
ndev->netdev_ops = &wilc_netdev_ops;
Reported by FlawFinder.
Line: 524
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (wilc_wlan_cfg_get(vif, 1, WID_FIRMWARE_VERSION, 1, 0)) {
int size;
char firmware_ver[20];
size = wilc_wlan_cfg_get_val(wl, WID_FIRMWARE_VERSION,
firmware_ver,
sizeof(firmware_ver));
firmware_ver[size] = '\0';
Reported by FlawFinder.
Line: 635
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct wilc_vif *vif = netdev_priv(dev);
struct wilc *wilc = vif->wilc;
struct sockaddr *addr = (struct sockaddr *)p;
unsigned char mac_addr[ETH_ALEN];
struct wilc_vif *tmp_vif;
int srcu_idx;
if (!is_valid_ether_addr(addr->sa_data))
return -EADDRNOTAVAIL;
Reported by FlawFinder.
Line: 700
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cur_mc = mc_list;
i = 0;
netdev_for_each_mc_addr(ha, dev) {
memcpy(cur_mc, ha->addr, ETH_ALEN);
netdev_dbg(dev, "Entry[%d]: %pM\n", i, cur_mc);
i++;
cur_mc += ETH_ALEN;
}
Reported by FlawFinder.
drivers/scsi/esas2r/esas2r_int.c
4 issues
Line: 182
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* occurred and setup a callback to do error processing.
*/
if (unlikely(rq->req_stat != RS_SUCCESS)) {
memcpy(&rq->func_rsp, &rsp->func_rsp, sizeof(rsp->func_rsp));
if (rq->req_stat == RS_ABORTED) {
if (rq->timeout > RQ_MAX_TIMEOUT)
rq->req_stat = RS_TIMEOUT;
} else if (rq->req_stat == RS_SCSI_ERROR) {
Reported by FlawFinder.
Line: 285
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Copy the outbound completion struct for non-I/O
* requests.
*/
memcpy(&rq->func_rsp, &rsp->func_rsp,
sizeof(rsp->func_rsp));
}
/* Queue the request for completion. */
list_add_tail(&rq->comp_list, &comp_list);
Reported by FlawFinder.
Line: 739
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (t->new_target_state != TS_INVALID) {
memcpy(&t->lu_event, &ae->lu, cplen);
esas2r_disc_queue_event(a, DCDE_DEV_CHANGE);
}
spin_unlock_irqrestore(&a->mem_lock, flags);
Reported by FlawFinder.
Line: 891
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (snslen) {
if (rq->sense_buf)
memcpy(rq->sense_buf, rq->data_buf, snslen);
else
rq->sense_buf = (u8 *)rq->data_buf;
/* See about possible sense data */
if (snslen2 > 0x0c) {
Reported by FlawFinder.
drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c
4 issues
Line: 363
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case 2:
case 3:
/*boxcontent[0] &= ~(BIT(7));*/
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index, cmd_len);
for (idx = 0; idx < 4; idx++) {
rtl_write_byte(rtlpriv, box_reg + idx,
boxcontent[idx]);
Reported by FlawFinder.
Line: 376
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case 6:
case 7:
/*boxcontent[0] |= (BIT(7));*/
memcpy((u8 *)(boxextcontent),
cmdbuffer + buf_index+3, cmd_len-3);
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index, 3);
for (idx = 0; idx < 4; idx++) {
Reported by FlawFinder.
Line: 378
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*boxcontent[0] |= (BIT(7));*/
memcpy((u8 *)(boxextcontent),
cmdbuffer + buf_index+3, cmd_len-3);
memcpy((u8 *)(boxcontent) + 1,
cmdbuffer + buf_index, 3);
for (idx = 0; idx < 4; idx++) {
rtl_write_byte(rtlpriv, box_extreg + idx,
boxextcontent[idx]);
Reported by FlawFinder.
Line: 428
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memset(tmp_cmdbuf, 0, 8);
memcpy(tmp_cmdbuf, cmdbuffer, cmd_len);
_rtl8821ae_fill_h2c_command(hw, element_id, cmd_len, (u8 *)&tmp_cmdbuf);
}
void rtl8821ae_firmware_selfreset(struct ieee80211_hw *hw)
{
Reported by FlawFinder.
drivers/platform/olpc/olpc-xo175-ec.c
4 issues
Line: 248
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct input_dev *pwrbtn;
/* Debug handling. */
char logbuf[LOG_BUF_SIZE];
int logbuf_len;
};
static struct platform_device *olpc_ec;
Reported by FlawFinder.
Line: 280
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
int ret;
memcpy(&priv->tx_buf, cmd, cmdlen);
priv->xfer.len = cmdlen;
spi_message_init_with_transfers(&priv->msg, &priv->xfer, 1);
priv->msg.complete = olpc_xo175_ec_complete;
Reported by FlawFinder.
Line: 524
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->cmd.command = cmd;
priv->cmd.nr_args = inlen;
priv->cmd.data_len = 0;
memcpy(priv->cmd.args, inbuf, inlen);
priv->expected_resp_len = nr_bytes;
priv->resp_len = 0;
/* Tickle the cmd gpio to get things started */
gpiod_set_value_cansleep(priv->gpio_cmd, 1);
Reported by FlawFinder.
Line: 563
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* bytes, give them that. We've guaranteed that
* resp_len <= priv->resp_len and priv->resp_len == nr_bytes.
*/
memcpy(resp, priv->resp_data, resp_len);
}
/* This should already be low, but just in case. */
gpiod_set_value_cansleep(priv->gpio_cmd, 0);
priv->cmd_running = false;
Reported by FlawFinder.
drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c
4 issues
Line: 145
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case 2:
case 3:
/*boxcontent[0] &= ~(BIT(7));*/
memcpy((u8 *)(boxcontent) + 1,
p_cmdbuffer + buf_index, cmd_len);
for (idx = 0; idx < 4; idx++) {
rtl_write_byte(rtlpriv, box_reg + idx,
boxcontent[idx]);
Reported by FlawFinder.
Line: 158
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case 6:
case 7:
/*boxcontent[0] |= (BIT(7));*/
memcpy((u8 *)(boxextcontent),
p_cmdbuffer + buf_index+3, cmd_len-3);
memcpy((u8 *)(boxcontent) + 1,
p_cmdbuffer + buf_index, 3);
for (idx = 0; idx < 4; idx++) {
Reported by FlawFinder.
Line: 160
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*boxcontent[0] |= (BIT(7));*/
memcpy((u8 *)(boxextcontent),
p_cmdbuffer + buf_index+3, cmd_len-3);
memcpy((u8 *)(boxcontent) + 1,
p_cmdbuffer + buf_index, 3);
for (idx = 0; idx < 4; idx++) {
rtl_write_byte(rtlpriv, box_extreg + idx,
boxextcontent[idx]);
Reported by FlawFinder.
Line: 210
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memset(tmp_cmdbuf, 0, 8);
memcpy(tmp_cmdbuf, p_cmdbuffer, cmd_len);
_rtl8723be_fill_h2c_command(hw, element_id, cmd_len,
(u8 *)&tmp_cmdbuf);
return;
}
Reported by FlawFinder.