The following issues were found
drivers/tty/ipwireless/network.c
3 issues
Line: 114
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* were handed, then we can add the header efficiently.
*/
if (skb_headroom(skb) >= 2) {
memcpy(skb_push(skb, 2), header, 2);
ret = ipwireless_send_packet(network->hardware,
IPW_CHANNEL_RAS, skb->data,
skb->len,
notify_packet_sent,
network);
Reported by FlawFinder.
Line: 129
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf = kmalloc(skb->len + 2, GFP_ATOMIC);
if (!buf)
return 0;
memcpy(buf + 2, skb->data, skb->len);
memcpy(buf, header, 2);
ret = ipwireless_send_packet(network->hardware,
IPW_CHANNEL_RAS, buf,
skb->len + 2,
notify_packet_sent,
Reported by FlawFinder.
Line: 130
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!buf)
return 0;
memcpy(buf + 2, skb->data, skb->len);
memcpy(buf, header, 2);
ret = ipwireless_send_packet(network->hardware,
IPW_CHANNEL_RAS, buf,
skb->len + 2,
notify_packet_sent,
network);
Reported by FlawFinder.
drivers/staging/rtl8188eu/include/wifi.h
3 issues
Line: 233
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char ht_param;
unsigned short operation_mode;
unsigned short stbc_param;
unsigned char basic_set[16];
} __packed;
struct HT_info_element {
unsigned char primary_channel;
unsigned char infos[5];
Reported by FlawFinder.
Line: 238
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct HT_info_element {
unsigned char primary_channel;
unsigned char infos[5];
unsigned char MCS_rate[16];
} __packed;
struct AC_param {
unsigned char ACI_AIFSN;
Reported by FlawFinder.
Line: 239
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct HT_info_element {
unsigned char primary_channel;
unsigned char infos[5];
unsigned char MCS_rate[16];
} __packed;
struct AC_param {
unsigned char ACI_AIFSN;
unsigned char CW;
Reported by FlawFinder.
drivers/video/fbdev/aty/aty128fb.c
3 issues
Line: 1833
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct backlight_properties props;
struct fb_info *info = pci_get_drvdata(par->pdev);
struct backlight_device *bd;
char name[12];
/* Could be extended to Rage128Pro LVDS output too */
if (par->chip_gen != rage_M3)
return;
Reported by FlawFinder.
Line: 1903
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct fb_info *info = pci_get_drvdata(pdev);
struct aty128fb_par *par = info->par;
struct fb_var_screeninfo var;
char video_card[50];
u8 chip_rev;
u32 dac;
/* Get the chip revision */
chip_rev = (aty_ld_le32(CNFG_CNTL) >> 16) & 0x1F;
Reported by FlawFinder.
Line: 1910
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* Get the chip revision */
chip_rev = (aty_ld_le32(CNFG_CNTL) >> 16) & 0x1F;
strcpy(video_card, "Rage128 XX ");
video_card[8] = ent->device >> 8;
video_card[9] = ent->device & 0xFF;
/* range check to make sure */
if (ent->driver_data < ARRAY_SIZE(r128_family))
Reported by FlawFinder.
drivers/tty/n_hdlc.c
3 issues
Line: 397
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* copy received data to HDLC buffer */
memcpy(buf->buf, data, count);
buf->count = count;
/* add HDLC buffer to list of received frames */
n_hdlc_buf_put(&n_hdlc->rx_buf_list, buf);
Reported by FlawFinder.
Line: 486
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = rbuf->count - offset;
if (ret > nr)
ret = nr;
memcpy(kbuf, rbuf->buf+offset, ret);
offset += ret;
/* If we still have data left, we leave the rbuf in the cookie */
if (offset < rbuf->count)
return ret;
Reported by FlawFinder.
Line: 560
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!error) {
/* Retrieve the user's buffer */
memcpy(tbuf->buf, data, count);
/* Send the data */
tbuf->count = error = count;
n_hdlc_buf_put(&n_hdlc->tx_buf_list, tbuf);
n_hdlc_send_frames(n_hdlc, tty);
Reported by FlawFinder.
drivers/video/fbdev/aty/radeon_base.c
3 issues
Line: 940
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
v.transp.offset = v.transp.length =
v.transp.msb_right = 0;
memcpy(var, &v, sizeof(v));
return 0;
}
Reported by FlawFinder.
Line: 1926
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* do it! */
if (!rinfo->asleep) {
memcpy(&rinfo->state, newmode, sizeof(*newmode));
radeon_write_mode (rinfo, newmode, 0);
/* (re)initialize the engine */
if (!(info->flags & FBINFO_HWACCEL_DISABLED))
radeonfb_engine_init (rinfo);
}
Reported by FlawFinder.
Line: 2458
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* so we can restore this upon __exit
*/
radeon_save_state (rinfo, &rinfo->init_state);
memcpy(&rinfo->state, &rinfo->init_state, sizeof(struct radeon_regs));
/* Setup Power Management capabilities */
if (default_dynclk < -1) {
/* -2 is special: means ON on mobility chips and do not
* change on others
Reported by FlawFinder.
drivers/scsi/nsp32.h
3 issues
Line: 563
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct Scsi_Host *Host;
spinlock_t Lock;
char info_str[100];
/* allocated memory region */
nsp32_sglun *sg_list; /* sglist virtuxal address */
dma_addr_t sg_paddr; /* physical address of hw_sg_table */
nsp32_autoparam *autoparam; /* auto parameter transfer region */
Reported by FlawFinder.
Line: 589
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int syncnum; /* the max number of synct element */
/* message buffer */
unsigned char msgoutbuf[MSGOUTBUF_MAX]; /* msgout buffer */
char msgout_len; /* msgoutbuf length */
unsigned char msginbuf [MSGINBUF_MAX]; /* megin buffer */
char msgin_len; /* msginbuf length */
} nsp32_hw_data;
Reported by FlawFinder.
Line: 591
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* message buffer */
unsigned char msgoutbuf[MSGOUTBUF_MAX]; /* msgout buffer */
char msgout_len; /* msgoutbuf length */
unsigned char msginbuf [MSGINBUF_MAX]; /* megin buffer */
char msgin_len; /* msginbuf length */
} nsp32_hw_data;
/*
Reported by FlawFinder.
drivers/video/fbdev/broadsheetfb.c
3 issues
Line: 643
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* now we copy our data into the right place in the sector buffer */
memcpy(sector_buffer + data_start_addr, data, data_len);
/*
* now we check if there is a tail section of the sector that we need to
* readback.
*/
Reported by FlawFinder.
Line: 1148
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* set cmap */
for (i = 0; i < 16; i++)
info->cmap.red[i] = (((2*i)+1)*(0xFFFF))/32;
memcpy(info->cmap.green, info->cmap.red, sizeof(u16)*16);
memcpy(info->cmap.blue, info->cmap.red, sizeof(u16)*16);
retval = par->board->setup_irq(info);
if (retval < 0)
goto err_cmap;
Reported by FlawFinder.
Line: 1149
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < 16; i++)
info->cmap.red[i] = (((2*i)+1)*(0xFFFF))/32;
memcpy(info->cmap.green, info->cmap.red, sizeof(u16)*16);
memcpy(info->cmap.blue, info->cmap.red, sizeof(u16)*16);
retval = par->board->setup_irq(info);
if (retval < 0)
goto err_cmap;
Reported by FlawFinder.
drivers/video/fbdev/cyber2000fb.h
3 issues
Line: 26
Column: 2
CWE codes:
134
Suggestion:
Make format string constant
va_list ap;
va_start(ap, fmt);
vsprintf(buffer, fmt, ap);
va_end(ap);
printascii(buffer);
}
#else
Reported by FlawFinder.
Line: 22
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void debug_printf(char *fmt, ...)
{
extern void printascii(const char *);
char buffer[128];
va_list ap;
va_start(ap, fmt);
vsprintf(buffer, fmt, ap);
va_end(ap);
Reported by FlawFinder.
Line: 468
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct i2c_adapter *i2c;
unsigned char __iomem *regs;
char __iomem *fb;
char dev_name[32];
unsigned int fb_size;
unsigned int chip_id;
unsigned int irq;
/*
Reported by FlawFinder.
drivers/staging/media/atomisp/pci/atomisp_drvfs.c
3 issues
Line: 99
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t iunit_dbglvl_show(struct device_driver *drv, char *buf)
{
iunit_debug.dbglvl = dbg_level;
return sprintf(buf, "dtrace level:%u\n", iunit_debug.dbglvl);
}
static ssize_t iunit_dbglvl_store(struct device_driver *drv, const char *buf,
size_t size)
{
Reported by FlawFinder.
Line: 118
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t iunit_dbgfun_show(struct device_driver *drv, char *buf)
{
iunit_debug.dbgfun = atomisp_get_css_dbgfunc();
return sprintf(buf, "dbgfun opt:%u\n", iunit_debug.dbgfun);
}
static ssize_t iunit_dbgfun_store(struct device_driver *drv, const char *buf,
size_t size)
{
Reported by FlawFinder.
Line: 142
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t iunit_dbgopt_show(struct device_driver *drv, char *buf)
{
return sprintf(buf, "option:0x%x\n", iunit_debug.dbgopt);
}
static ssize_t iunit_dbgopt_store(struct device_driver *drv, const char *buf,
size_t size)
{
Reported by FlawFinder.
drivers/staging/media/atomisp/pci/atomisp_ioctl.c
3 issues
Line: 2334
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < ctrls_num; i++) {
if (ci_v4l2_controls[i].id == qc->id) {
memcpy(qc, &ci_v4l2_controls[i],
sizeof(struct v4l2_queryctrl));
qc->reserved[0] = 0;
ret = 0;
break;
}
Reported by FlawFinder.
Line: 589
Column: 15
CWE codes:
126
else
motor = isp->motor;
if (motor && strlen(motor->name) > 0) {
const int cur_len = strlen(input->name);
const int max_size = sizeof(input->name) - cur_len - 1;
if (max_size > 1) {
input->name[cur_len] = '+';
Reported by FlawFinder.
Line: 590
Column: 23
CWE codes:
126
motor = isp->motor;
if (motor && strlen(motor->name) > 0) {
const int cur_len = strlen(input->name);
const int max_size = sizeof(input->name) - cur_len - 1;
if (max_size > 1) {
input->name[cur_len] = '+';
strscpy(&input->name[cur_len + 1],
Reported by FlawFinder.