The following issues were found
drivers/staging/rtl8188eu/core/rtw_efuse.c
3 issues
Line: 244
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
limit = min_t(u16, len - 2, limit);
memcpy(pos, ((u8 *)&lo32) + 2, (limit >= count + 2) ? 2 : limit - count);
count += (limit >= count + 2) ? 2 : limit - count;
pos = content + count;
} else {
memcpy(pos, ((u8 *)&lo32), (limit >= count + 4) ? 4 : limit - count);
Reported by FlawFinder.
Line: 249
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pos = content + count;
} else {
memcpy(pos, ((u8 *)&lo32), (limit >= count + 4) ? 4 : limit - count);
count += (limit >= count + 4) ? 4 : limit - count;
pos = content + count;
}
if (limit > count && len - 2 > count) {
Reported by FlawFinder.
Line: 255
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (limit > count && len - 2 > count) {
memcpy(pos, (u8 *)&hi32, (limit >= count + 4) ? 4 : limit - count);
count += (limit >= count + 4) ? 4 : limit - count;
pos = content + count;
}
if (limit <= count || len - 2 <= count)
Reported by FlawFinder.
drivers/staging/greybus/bootrom.c
3 issues
Line: 166
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
*
* XXX Name it properly..
*/
snprintf(firmware_name, sizeof(firmware_name),
FW_NAME_PREFIX "%08x_%08x_%08x_%08x_s2l.tftf",
intf->ddbl1_manufacturer_id, intf->ddbl1_product_id,
intf->vendor_id, intf->product_id);
// FIXME:
Reported by FlawFinder.
Line: 148
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct gb_connection *connection = bootrom->connection;
struct gb_interface *intf = connection->bundle->intf;
char firmware_name[49];
int rc;
/* Already have a firmware, free it */
free_firmware(bootrom);
Reported by FlawFinder.
Line: 291
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
firmware_response = op->response->payload;
memcpy(firmware_response->data, fw->data + offset, size);
dev_dbg(dev, "responding with firmware (offs = %u, size = %u)\n",
offset, size);
unlock:
Reported by FlawFinder.
drivers/spi/spi-bcm2835.c
3 issues
Line: 166
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void bcm2835_debugfs_create(struct bcm2835_spi *bs,
const char *dname)
{
char name[64];
struct dentry *dir;
/* get full name */
snprintf(name, sizeof(name), "spi-bcm2835-%s", dname);
Reported by FlawFinder.
Line: 258
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
do {
val = bcm2835_rd(bs, BCM2835_SPI_FIFO);
len = min(count, 4);
memcpy(bs->rx_buf, &val, len);
bs->rx_buf += len;
count -= 4;
} while (count > 0);
}
Reported by FlawFinder.
Line: 284
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
do {
if (bs->tx_buf) {
len = min(count, 4);
memcpy(&val, bs->tx_buf, len);
bs->tx_buf += len;
} else {
val = 0;
}
bcm2835_wr(bs, BCM2835_SPI_FIFO, val);
Reported by FlawFinder.
drivers/staging/rtl8192u/ieee80211/ieee80211_crypt.c
3 issues
Line: 73
Column: 39
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
}
void ieee80211_crypt_delayed_deinit(struct ieee80211_device *ieee,
struct ieee80211_crypt_data **crypt)
{
struct ieee80211_crypt_data *tmp;
unsigned long flags;
if (!(*crypt))
Reported by FlawFinder.
Line: 78
Column: 9
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
struct ieee80211_crypt_data *tmp;
unsigned long flags;
if (!(*crypt))
return;
tmp = *crypt;
*crypt = NULL;
Reported by FlawFinder.
Line: 81
Column: 9
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
if (!(*crypt))
return;
tmp = *crypt;
*crypt = NULL;
/* must not run ops->deinit() while there may be pending encrypt or
* decrypt operations. Use a list of delayed deinits to avoid needing
* locking.
Reported by FlawFinder.
drivers/soundwire/sysfs_slave_dpn.c
3 issues
Line: 75
Column: 11
CWE codes:
134
Suggestion:
Make format string constant
i = 0; \
for_each_set_bit(bit, &mask, 32) { \
if (bit == N) { \
return sprintf(buf, format_string, \
dpn[i].field); \
} \
i++; \
} \
return -EINVAL; \
Reported by FlawFinder.
Line: 138
Column: 13
CWE codes:
134
Suggestion:
Make format string constant
for_each_set_bit(bit, &mask, 32) { \
if (bit == N) { \
for (j = 0; j < dpn[i].num_##field; j++) \
size += sprintf(buf + size, \
format_string, \
dpn[i].field[j]); \
size += sprintf(buf + size, "\n"); \
return size; \
} \
Reported by FlawFinder.
Line: 141
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
size += sprintf(buf + size, \
format_string, \
dpn[i].field[j]); \
size += sprintf(buf + size, "\n"); \
return size; \
} \
i++; \
} \
return -EINVAL; \
Reported by FlawFinder.
drivers/staging/axis-fifo/axis-fifo.c
3 issues
Line: 175
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct axis_fifo *fifo = dev_get_drvdata(dev);
unsigned int read_val;
unsigned int len;
char tmp[32];
read_val = ioread32(fifo->base_addr + addr_offset);
len = snprintf(tmp, sizeof(tmp), "0x%x\n", read_val);
memcpy(buf, tmp, len);
Reported by FlawFinder.
Line: 179
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
read_val = ioread32(fifo->base_addr + addr_offset);
len = snprintf(tmp, sizeof(tmp), "0x%x\n", read_val);
memcpy(buf, tmp, len);
return len;
}
static ssize_t isr_store(struct device *dev, struct device_attribute *attr,
Reported by FlawFinder.
Line: 816
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device *dev = &pdev->dev; /* OS device (from device tree) */
struct axis_fifo *fifo = NULL;
char device_name[32];
int rc = 0; /* error return value */
/* ----------------------------
* init wrapper device
Reported by FlawFinder.
drivers/usb/gadget/udc/fsl_usb2_udc.h
3 issues
Line: 465
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ep_queue_head *qh;
struct usb_gadget *gadget;
char name[14];
unsigned stopped:1;
};
#define EP_DIR_IN 1
#define EP_DIR_OUT 0
Reported by FlawFinder.
Line: 522
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void dump_msg(const char *label, const u8 * buf, unsigned int length)
{
unsigned int start, num, i;
char line[52], *p;
if (length >= 512)
return;
DBG("%s, length %u:\n", label, length);
start = 0;
Reported by FlawFinder.
Line: 534
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < num; ++i) {
if (i == 8)
*p++ = ' ';
sprintf(p, " %02x", buf[i]);
p += 3;
}
*p = 0;
printk(KERN_DEBUG "%6x: %s\n", start, line);
buf += num;
Reported by FlawFinder.
drivers/staging/wlan-ng/p80211netdev.h
3 issues
Line: 162
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *priv; /* private data for MSD */
/* Subsystem State */
char name[WLAN_DEVNAMELEN_MAX]; /* Dev name, from register_wlandev() */
char *nsdname;
u32 state; /* Device I/F state (open/closed) */
u32 msdstate; /* state of underlying driver */
u32 hwremoved; /* Has the hw been yanked out? */
Reported by FlawFinder.
Line: 179
Column: 8
CWE codes:
362
unsigned int ethconv;
/* device methods (init by MSD, used by p80211 */
int (*open)(struct wlandevice *wlandev);
int (*close)(struct wlandevice *wlandev);
void (*reset)(struct wlandevice *wlandev);
int (*txframe)(struct wlandevice *wlandev, struct sk_buff *skb,
union p80211_hdr *p80211_hdr,
struct p80211_metawep *p80211_wep);
Reported by FlawFinder.
Line: 221
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* jkriegl: iwspy fields */
u8 spy_number;
char spy_address[IW_MAX_SPY][ETH_ALEN];
struct iw_quality spy_stat[IW_MAX_SPY];
};
/* WEP stuff */
int wep_change_key(struct wlandevice *wlandev, int keynum, u8 *key, int keylen);
Reported by FlawFinder.
drivers/staging/wlan-ng/p80211wep.c
3 issues
Line: 81
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -1;
wlandev->wep_keylens[keynum] = keylen;
memcpy(wlandev->wep_keys[keynum], key, keylen);
return 0;
}
/*
Reported by FlawFinder.
Line: 119
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -3;
/* copy the rest of the key over from the designated key */
memcpy(key + 3, wlandev->wep_keys[keyidx], keylen);
keylen += 3; /* add in IV bytes */
/* set up the RC4 state */
for (i = 0; i < 256; i++)
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
key[2] = iv[2];
/* copy the rest of the key over from the designated key */
memcpy(key + 3, wlandev->wep_keys[keynum], keylen);
keylen += 3; /* add in IV bytes */
/* set up the RC4 state */
for (i = 0; i < 256; i++)
Reported by FlawFinder.
drivers/usb/gadget/udc/max3420_udc.c
3 issues
Line: 161
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct usb_ep ep_usb;
struct max3420_udc *udc;
struct list_head queue;
char name[MAX3420_EPNAME_SIZE];
unsigned int maxpacket;
spinlock_t lock;
int halted;
u32 todo;
int id;
Reported by FlawFinder.
Line: 292
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spi_message_add_tail(&transfer, &msg);
spi_sync(spi, &msg);
memcpy(buf, &local_buf[1], len);
}
static void spi_wr_buf(struct max3420_udc *udc, u8 reg, void *buf, u8 len)
{
struct spi_device *spi = udc->spi;
Reported by FlawFinder.
Line: 307
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spi_message_init(&msg);
local_buf[0] = MAX3420_SPI_CMD_WR(reg);
memcpy(&local_buf[1], buf, len);
transfer.tx_buf = local_buf;
transfer.len = len + 1;
spi_message_add_tail(&transfer, &msg);
Reported by FlawFinder.