The following issues were found
drivers/scsi/bfa/bfad_bsg.c
20 issues
Line: 95
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
iocmd->host = im_port->shost->host_no;
spin_unlock_irqrestore(&bfad->bfad_lock, flags);
strcpy(iocmd->name, bfad->adapter_name);
strcpy(iocmd->port_name, bfad->port_name);
strcpy(iocmd->hwpath, bfad->pci_name);
/* set adapter hw path */
strcpy(iocmd->adapter_hwpath, bfad->pci_name);
Reported by FlawFinder.
Line: 96
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
spin_unlock_irqrestore(&bfad->bfad_lock, flags);
strcpy(iocmd->name, bfad->adapter_name);
strcpy(iocmd->port_name, bfad->port_name);
strcpy(iocmd->hwpath, bfad->pci_name);
/* set adapter hw path */
strcpy(iocmd->adapter_hwpath, bfad->pci_name);
for (i = 0; iocmd->adapter_hwpath[i] != ':' && i < BFA_STRING_32; i++)
Reported by FlawFinder.
Line: 97
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(iocmd->name, bfad->adapter_name);
strcpy(iocmd->port_name, bfad->port_name);
strcpy(iocmd->hwpath, bfad->pci_name);
/* set adapter hw path */
strcpy(iocmd->adapter_hwpath, bfad->pci_name);
for (i = 0; iocmd->adapter_hwpath[i] != ':' && i < BFA_STRING_32; i++)
;
Reported by FlawFinder.
Line: 100
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(iocmd->hwpath, bfad->pci_name);
/* set adapter hw path */
strcpy(iocmd->adapter_hwpath, bfad->pci_name);
for (i = 0; iocmd->adapter_hwpath[i] != ':' && i < BFA_STRING_32; i++)
;
for (; iocmd->adapter_hwpath[++i] != ':' && i < BFA_STRING_32; )
;
iocmd->adapter_hwpath[i] = '\0';
Reported by FlawFinder.
Line: 121
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
spin_unlock_irqrestore(&bfad->bfad_lock, flags);
/* fill in driver attr info */
strcpy(iocmd->ioc_attr.driver_attr.driver, BFAD_DRIVER_NAME);
strlcpy(iocmd->ioc_attr.driver_attr.driver_ver,
BFAD_DRIVER_VERSION, BFA_VERSION_LEN);
strcpy(iocmd->ioc_attr.driver_attr.fw_ver,
iocmd->ioc_attr.adapter_attr.fw_ver);
strcpy(iocmd->ioc_attr.driver_attr.bios_ver,
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(iocmd->ioc_attr.driver_attr.driver, BFAD_DRIVER_NAME);
strlcpy(iocmd->ioc_attr.driver_attr.driver_ver,
BFAD_DRIVER_VERSION, BFA_VERSION_LEN);
strcpy(iocmd->ioc_attr.driver_attr.fw_ver,
iocmd->ioc_attr.adapter_attr.fw_ver);
strcpy(iocmd->ioc_attr.driver_attr.bios_ver,
iocmd->ioc_attr.adapter_attr.optrom_ver);
/* copy chip rev info first otherwise it will be overwritten */
Reported by FlawFinder.
Line: 126
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
BFAD_DRIVER_VERSION, BFA_VERSION_LEN);
strcpy(iocmd->ioc_attr.driver_attr.fw_ver,
iocmd->ioc_attr.adapter_attr.fw_ver);
strcpy(iocmd->ioc_attr.driver_attr.bios_ver,
iocmd->ioc_attr.adapter_attr.optrom_ver);
/* copy chip rev info first otherwise it will be overwritten */
memcpy(bfad->pci_attr.chip_rev, iocmd->ioc_attr.pci_attr.chip_rev,
sizeof(bfad->pci_attr.chip_rev));
Reported by FlawFinder.
Line: 203
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
struct bfa_bsg_ioc_name_s *iocmd = (struct bfa_bsg_ioc_name_s *) cmd;
if (v_cmd == IOCMD_IOC_SET_ADAPTER_NAME)
strcpy(bfad->adapter_name, iocmd->name);
else if (v_cmd == IOCMD_IOC_SET_PORT_NAME)
strcpy(bfad->port_name, iocmd->name);
iocmd->status = BFA_STATUS_OK;
return 0;
Reported by FlawFinder.
Line: 205
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (v_cmd == IOCMD_IOC_SET_ADAPTER_NAME)
strcpy(bfad->adapter_name, iocmd->name);
else if (v_cmd == IOCMD_IOC_SET_PORT_NAME)
strcpy(bfad->port_name, iocmd->name);
iocmd->status = BFA_STATUS_OK;
return 0;
}
Reported by FlawFinder.
Line: 132
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy chip rev info first otherwise it will be overwritten */
memcpy(bfad->pci_attr.chip_rev, iocmd->ioc_attr.pci_attr.chip_rev,
sizeof(bfad->pci_attr.chip_rev));
memcpy(&iocmd->ioc_attr.pci_attr, &bfad->pci_attr,
sizeof(struct bfa_ioc_pci_attr_s));
iocmd->status = BFA_STATUS_OK;
return 0;
}
Reported by FlawFinder.
drivers/base/regmap/regmap.c
20 issues
Line: 288
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u16 v = val << shift;
memcpy(buf, &v, sizeof(v));
}
static void regmap_format_24(void *buf, unsigned int val, unsigned int shift)
{
u8 *b = buf;
Reported by FlawFinder.
Line: 317
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u32 v = val << shift;
memcpy(buf, &v, sizeof(v));
}
#ifdef CONFIG_64BIT
static void regmap_format_64_be(void *buf, unsigned int val, unsigned int shift)
{
Reported by FlawFinder.
Line: 336
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u64 v = (u64) val << shift;
memcpy(buf, &v, sizeof(v));
}
#endif
static void regmap_parse_inplace_noop(void *buf)
{
Reported by FlawFinder.
Line: 365
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u16 v = get_unaligned_be16(buf);
memcpy(buf, &v, sizeof(v));
}
static void regmap_parse_16_le_inplace(void *buf)
{
u16 v = get_unaligned_le16(buf);
Reported by FlawFinder.
Line: 372
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u16 v = get_unaligned_le16(buf);
memcpy(buf, &v, sizeof(v));
}
static unsigned int regmap_parse_16_native(const void *buf)
{
u16 v;
Reported by FlawFinder.
Line: 407
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u32 v = get_unaligned_be32(buf);
memcpy(buf, &v, sizeof(v));
}
static void regmap_parse_32_le_inplace(void *buf)
{
u32 v = get_unaligned_le32(buf);
Reported by FlawFinder.
Line: 414
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u32 v = get_unaligned_le32(buf);
memcpy(buf, &v, sizeof(v));
}
static unsigned int regmap_parse_32_native(const void *buf)
{
u32 v;
Reported by FlawFinder.
Line: 440
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u64 v = get_unaligned_be64(buf);
memcpy(buf, &v, sizeof(v));
}
static void regmap_parse_64_le_inplace(void *buf)
{
u64 v = get_unaligned_le64(buf);
Reported by FlawFinder.
Line: 447
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u64 v = get_unaligned_le64(buf);
memcpy(buf, &v, sizeof(v));
}
static unsigned int regmap_parse_64_native(const void *buf)
{
u64 v;
Reported by FlawFinder.
Line: 1721
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* writes of single registers optimise that case.
*/
if (val != work_val && val_len == map->format.val_bytes) {
memcpy(work_val, val, map->format.val_bytes);
val = work_val;
}
if (map->async && map->bus->async_write) {
struct regmap_async *async;
Reported by FlawFinder.
drivers/net/wireless/intel/iwlegacy/common.c
20 issues
Line: 1103
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dtim_period = il->vif ? il->vif->bss_conf.dtim_period : 0;
if (dtim_period <= 2) {
memcpy(cmd->sleep_interval, interval[0], sizeof(interval[0]));
no_dtim = 2;
} else if (dtim_period <= 10) {
memcpy(cmd->sleep_interval, interval[1], sizeof(interval[1]));
no_dtim = 2;
} else {
Reported by FlawFinder.
Line: 1106
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(cmd->sleep_interval, interval[0], sizeof(interval[0]));
no_dtim = 2;
} else if (dtim_period <= 10) {
memcpy(cmd->sleep_interval, interval[1], sizeof(interval[1]));
no_dtim = 2;
} else {
memcpy(cmd->sleep_interval, interval[2], sizeof(interval[2]));
no_dtim = 0;
}
Reported by FlawFinder.
Line: 1109
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(cmd->sleep_interval, interval[1], sizeof(interval[1]));
no_dtim = 2;
} else {
memcpy(cmd->sleep_interval, interval[2], sizeof(interval[2]));
no_dtim = 0;
}
if (dtim_period == 0) {
dtim_period = 1;
Reported by FlawFinder.
Line: 1176
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EIO;
/* scan complete use sleep_power_next, need to be updated */
memcpy(&il->power_data.sleep_cmd_next, cmd, sizeof(*cmd));
if (test_bit(S_SCANNING, &il->status) && !force) {
D_INFO("Defer power set mode while scanning\n");
return 0;
}
Reported by FlawFinder.
Line: 1197
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
"calibration running: %d\n",
il->chain_noise_data.state);
memcpy(&il->power_data.sleep_cmd, cmd, sizeof(*cmd));
} else
IL_ERR("set power fail, ret = %d", ret);
return ret;
}
Reported by FlawFinder.
Line: 1626
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
frame->frame_control = cpu_to_le16(IEEE80211_STYPE_PROBE_REQ);
eth_broadcast_addr(frame->da);
memcpy(frame->sa, ta, ETH_ALEN);
eth_broadcast_addr(frame->bssid);
frame->seq_ctrl = 0;
len += 24;
Reported by FlawFinder.
Line: 1648
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return len;
if (ies && ie_len) {
memcpy(pos, ies, ie_len);
len += ie_len;
}
return (u16) len;
}
Reported by FlawFinder.
Line: 1976
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Set up the C_ADD_STA command to send to device */
memset(&station->sta, 0, sizeof(struct il_addsta_cmd));
memcpy(station->sta.sta.addr, addr, ETH_ALEN);
station->sta.mode = 0;
station->sta.sta.sta_id = sta_id;
station->sta.station_flags = 0;
/*
Reported by FlawFinder.
Line: 2041
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
il->stations[sta_id].used |= IL_STA_UCODE_INPROGRESS;
memcpy(&sta_cmd, &il->stations[sta_id].sta,
sizeof(struct il_addsta_cmd));
spin_unlock_irqrestore(&il->sta_lock, flags_spin);
/* Add station to device's station table */
ret = il_send_add_sta(il, &sta_cmd, CMD_SYNC);
Reported by FlawFinder.
Line: 2099
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&rm_sta_cmd, 0, sizeof(rm_sta_cmd));
rm_sta_cmd.num_sta = 1;
memcpy(&rm_sta_cmd.addr, addr, ETH_ALEN);
cmd.flags |= CMD_WANT_SKB;
ret = il_send_cmd(il, &cmd);
Reported by FlawFinder.
include/linux/bcm963xx_tag.h
20 issues
Line: 48
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bcm_tag {
/* 0-3: Version of the image tag */
char tag_version[TAGVER_LEN];
/* 4-23: Company Line 1 */
char sig_1[SIG1_LEN];
/* 24-37: Company Line 2 */
char sig_2[SIG2_LEN];
/* 38-43: Chip this image is for */
Reported by FlawFinder.
Line: 50
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 0-3: Version of the image tag */
char tag_version[TAGVER_LEN];
/* 4-23: Company Line 1 */
char sig_1[SIG1_LEN];
/* 24-37: Company Line 2 */
char sig_2[SIG2_LEN];
/* 38-43: Chip this image is for */
char chip_id[CHIPID_LEN];
/* 44-59: Board name */
Reported by FlawFinder.
Line: 52
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 4-23: Company Line 1 */
char sig_1[SIG1_LEN];
/* 24-37: Company Line 2 */
char sig_2[SIG2_LEN];
/* 38-43: Chip this image is for */
char chip_id[CHIPID_LEN];
/* 44-59: Board name */
char board_id[BOARDID_LEN];
/* 60-61: Map endianness -- 1 BE 0 LE */
Reported by FlawFinder.
Line: 54
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 24-37: Company Line 2 */
char sig_2[SIG2_LEN];
/* 38-43: Chip this image is for */
char chip_id[CHIPID_LEN];
/* 44-59: Board name */
char board_id[BOARDID_LEN];
/* 60-61: Map endianness -- 1 BE 0 LE */
char big_endian[ENDIANFLAG_LEN];
/* 62-71: Total length of image */
Reported by FlawFinder.
Line: 56
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 38-43: Chip this image is for */
char chip_id[CHIPID_LEN];
/* 44-59: Board name */
char board_id[BOARDID_LEN];
/* 60-61: Map endianness -- 1 BE 0 LE */
char big_endian[ENDIANFLAG_LEN];
/* 62-71: Total length of image */
char total_length[IMAGE_LEN];
/* 72-83: Address in memory of CFE */
Reported by FlawFinder.
Line: 58
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 44-59: Board name */
char board_id[BOARDID_LEN];
/* 60-61: Map endianness -- 1 BE 0 LE */
char big_endian[ENDIANFLAG_LEN];
/* 62-71: Total length of image */
char total_length[IMAGE_LEN];
/* 72-83: Address in memory of CFE */
char cfe__address[ADDRESS_LEN];
/* 84-93: Size of CFE */
Reported by FlawFinder.
Line: 60
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 60-61: Map endianness -- 1 BE 0 LE */
char big_endian[ENDIANFLAG_LEN];
/* 62-71: Total length of image */
char total_length[IMAGE_LEN];
/* 72-83: Address in memory of CFE */
char cfe__address[ADDRESS_LEN];
/* 84-93: Size of CFE */
char cfe_length[IMAGE_LEN];
/* 94-105: Address in memory of image start
Reported by FlawFinder.
Line: 62
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 62-71: Total length of image */
char total_length[IMAGE_LEN];
/* 72-83: Address in memory of CFE */
char cfe__address[ADDRESS_LEN];
/* 84-93: Size of CFE */
char cfe_length[IMAGE_LEN];
/* 94-105: Address in memory of image start
* (kernel for OpenWRT, rootfs for stock firmware)
*/
Reported by FlawFinder.
Line: 64
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 72-83: Address in memory of CFE */
char cfe__address[ADDRESS_LEN];
/* 84-93: Size of CFE */
char cfe_length[IMAGE_LEN];
/* 94-105: Address in memory of image start
* (kernel for OpenWRT, rootfs for stock firmware)
*/
char flash_image_start[ADDRESS_LEN];
/* 106-115: Size of rootfs */
Reported by FlawFinder.
Line: 68
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 94-105: Address in memory of image start
* (kernel for OpenWRT, rootfs for stock firmware)
*/
char flash_image_start[ADDRESS_LEN];
/* 106-115: Size of rootfs */
char root_length[IMAGE_LEN];
/* 116-127: Address in memory of kernel */
char kernel_address[ADDRESS_LEN];
/* 128-137: Size of kernel */
Reported by FlawFinder.
drivers/crypto/qat/qat_common/qat_algs.c
20 issues
Line: 91
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sha256_state sha256;
struct sha512_state sha512;
};
char ipad[SHA512_BLOCK_SIZE]; /* sufficient for SHA-1/SHA-256 as well */
char opad[SHA512_BLOCK_SIZE];
};
struct qat_alg_skcipher_ctx {
struct icp_qat_hw_cipher_algo_blk *enc_cd;
Reported by FlawFinder.
Line: 92
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sha512_state sha512;
};
char ipad[SHA512_BLOCK_SIZE]; /* sufficient for SHA-1/SHA-256 as well */
char opad[SHA512_BLOCK_SIZE];
};
struct qat_alg_skcipher_ctx {
struct icp_qat_hw_cipher_algo_blk *enc_cd;
struct icp_qat_hw_cipher_algo_blk *dec_cd;
Reported by FlawFinder.
Line: 146
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return ret;
memcpy(ctx->opad, ctx->ipad, digest_size);
} else {
memcpy(ctx->ipad, auth_key, auth_keylen);
memcpy(ctx->opad, auth_key, auth_keylen);
}
Reported by FlawFinder.
Line: 148
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ctx->opad, ctx->ipad, digest_size);
} else {
memcpy(ctx->ipad, auth_key, auth_keylen);
memcpy(ctx->opad, auth_key, auth_keylen);
}
for (i = 0; i < block_size; i++) {
char *ipad_ptr = ctx->ipad + i;
Reported by FlawFinder.
Line: 149
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ctx->opad, ctx->ipad, digest_size);
} else {
memcpy(ctx->ipad, auth_key, auth_keylen);
memcpy(ctx->opad, auth_key, auth_keylen);
}
for (i = 0; i < block_size; i++) {
char *ipad_ptr = ctx->ipad + i;
char *opad_ptr = ctx->opad + i;
Reported by FlawFinder.
Line: 270
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* CD setup */
cipher->aes.cipher_config.val = QAT_AES_HW_CONFIG_ENC(alg, mode);
memcpy(cipher->aes.key, keys->enckey, keys->enckeylen);
hash->sha.inner_setup.auth_config.config =
ICP_QAT_HW_AUTH_CONFIG_BUILD(ICP_QAT_HW_AUTH_MODE1,
ctx->qat_hash_alg, digestsize);
hash->sha.inner_setup.auth_counter.counter =
cpu_to_be32(crypto_shash_blocksize(ctx->hash_tfm));
Reported by FlawFinder.
Line: 356
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* CD setup */
cipher->aes.cipher_config.val = QAT_AES_HW_CONFIG_DEC(alg, mode);
memcpy(cipher->aes.key, keys->enckey, keys->enckeylen);
hash->sha.inner_setup.auth_config.config =
ICP_QAT_HW_AUTH_CONFIG_BUILD(ICP_QAT_HW_AUTH_MODE1,
ctx->qat_hash_alg,
digestsize);
hash->sha.inner_setup.auth_counter.counter =
Reported by FlawFinder.
Line: 445
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Store both XTS keys in CD, only the first key is sent
* to the HW, the second key is used for tweak calculation
*/
memcpy(cd->ucs_aes.key, key, keylen);
keylen = keylen / 2;
} else if (aes_v2_capable && mode == ICP_QAT_HW_CIPHER_CTR_MODE) {
ICP_QAT_FW_LA_SLICE_TYPE_SET(header->serv_specif_flags,
ICP_QAT_FW_LA_USE_UCS_SLICE_TYPE);
keylen = round_up(keylen, 16);
Reported by FlawFinder.
Line: 451
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ICP_QAT_FW_LA_SLICE_TYPE_SET(header->serv_specif_flags,
ICP_QAT_FW_LA_USE_UCS_SLICE_TYPE);
keylen = round_up(keylen, 16);
memcpy(cd->ucs_aes.key, key, keylen);
} else {
memcpy(cd->aes.key, key, keylen);
}
/* Cipher CD config setup */
Reported by FlawFinder.
Line: 453
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
keylen = round_up(keylen, 16);
memcpy(cd->ucs_aes.key, key, keylen);
} else {
memcpy(cd->aes.key, key, keylen);
}
/* Cipher CD config setup */
cd_ctrl->cipher_key_sz = keylen >> 3;
cd_ctrl->cipher_state_sz = AES_BLOCK_SIZE >> 3;
Reported by FlawFinder.
drivers/net/wireless/atmel/at76c50x-usb.c
20 issues
Line: 298
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dfu_status {
unsigned char status;
unsigned char poll_timeout[3];
unsigned char state;
unsigned char string;
} __packed;
static inline int at76_is_intersil(enum board_type board)
Reported by FlawFinder.
Line: 440
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
at76_dbg(DBG_DFU, "DFU IDLE");
bsize = min_t(int, size, FW_BLOCK_SIZE);
memcpy(block, buf, bsize);
at76_dbg(DBG_DFU, "int fw, size left = %5d, "
"bsize = %4d, blockno = %2d", size, bsize,
blockno);
ret =
at76_load_int_fw_block(udev, blockno, block, bsize);
Reported by FlawFinder.
Line: 620
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(hwcfg->i));
if (ret < 0)
goto exit;
memcpy(priv->mac_addr, hwcfg->i.mac_addr, ETH_ALEN);
priv->regulatory_domain = hwcfg->i.regulatory_domain;
} else if (at76_is_503rfmd(priv->board_type)) {
ret = at76_get_hw_cfg(priv->udev, hwcfg, sizeof(hwcfg->r3));
if (ret < 0)
goto exit;
Reported by FlawFinder.
Line: 626
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = at76_get_hw_cfg(priv->udev, hwcfg, sizeof(hwcfg->r3));
if (ret < 0)
goto exit;
memcpy(priv->mac_addr, hwcfg->r3.mac_addr, ETH_ALEN);
priv->regulatory_domain = hwcfg->r3.regulatory_domain;
} else {
ret = at76_get_hw_cfg(priv->udev, hwcfg, sizeof(hwcfg->r5));
if (ret < 0)
goto exit;
Reported by FlawFinder.
Line: 632
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = at76_get_hw_cfg(priv->udev, hwcfg, sizeof(hwcfg->r5));
if (ret < 0)
goto exit;
memcpy(priv->mac_addr, hwcfg->r5.mac_addr, ETH_ALEN);
priv->regulatory_domain = hwcfg->r5.regulatory_domain;
}
exit:
kfree(hwcfg);
Reported by FlawFinder.
Line: 733
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd_buf->cmd = cmd;
cmd_buf->reserved = 0;
cmd_buf->size = cpu_to_le16(buf_size);
memcpy(cmd_buf->data, buf, buf_size);
at76_dbg_dump(DBG_CMD, cmd_buf, sizeof(struct at76_command) + buf_size,
"issuing command %s (0x%02x)",
at76_get_cmd_string(cmd), cmd);
Reported by FlawFinder.
Line: 1283
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* for fw >= 0.100, the device needs an extra empty block */
do {
bsize = min_t(int, size, FW_BLOCK_SIZE);
memcpy(block, buf, bsize);
at76_dbg(DBG_DEVSTART,
"ext fw, size left = %5d, bsize = %4d, blockno = %2d",
size, bsize, blockno);
ret = at76_load_ext_fw_block(udev, blockno, block, bsize);
if (ret != bsize) {
Reported by FlawFinder.
Line: 1398
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ccfg->rts_threshold = cpu_to_le16(priv->rts_threshold);
ccfg->fragmentation_threshold = cpu_to_le16(priv->frag_threshold);
memcpy(ccfg->basic_rate_set, hw_rates, 4);
/* jal: really needed, we do a set_mib for autorate later ??? */
ccfg->auto_rate_fallback = (priv->txrate == TX_RATE_AUTO ? 1 : 0);
ccfg->channel = priv->channel;
ccfg->privacy_invoked = priv->wep_enabled;
memcpy(ccfg->current_ssid, priv->essid, IW_ESSID_MAX_SIZE);
Reported by FlawFinder.
Line: 1403
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ccfg->auto_rate_fallback = (priv->txrate == TX_RATE_AUTO ? 1 : 0);
ccfg->channel = priv->channel;
ccfg->privacy_invoked = priv->wep_enabled;
memcpy(ccfg->current_ssid, priv->essid, IW_ESSID_MAX_SIZE);
ccfg->ssid_len = priv->essid_size;
ccfg->wep_default_key_id = priv->wep_key_id;
memcpy(ccfg->wep_default_key_value, priv->wep_keys,
sizeof(priv->wep_keys));
Reported by FlawFinder.
Line: 1407
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ccfg->ssid_len = priv->essid_size;
ccfg->wep_default_key_id = priv->wep_key_id;
memcpy(ccfg->wep_default_key_value, priv->wep_keys,
sizeof(priv->wep_keys));
ccfg->short_preamble = priv->preamble_type;
ccfg->beacon_period = cpu_to_le16(priv->beacon_period);
Reported by FlawFinder.
drivers/net/wireless/ath/wil6210/debugfs.c
20 issues
Line: 463
CWE codes:
682
switch (tbl[i].type) {
case doff_u32:
debugfs_create_u32(tbl[i].name, tbl[i].mode, dbg,
base + tbl[i].off);
break;
case doff_x32:
debugfs_create_x32(tbl[i].name, tbl[i].mode, dbg,
base + tbl[i].off);
break;
Reported by Cppcheck.
Line: 467
CWE codes:
682
break;
case doff_x32:
debugfs_create_x32(tbl[i].name, tbl[i].mode, dbg,
base + tbl[i].off);
break;
case doff_ulong:
debugfs_create_file_unsafe(tbl[i].name, tbl[i].mode,
dbg, base + tbl[i].off,
&wil_fops_ulong);
Reported by Cppcheck.
Line: 471
CWE codes:
682
break;
case doff_ulong:
debugfs_create_file_unsafe(tbl[i].name, tbl[i].mode,
dbg, base + tbl[i].off,
&wil_fops_ulong);
break;
case doff_io32:
wil_debugfs_create_iomem_x32(tbl[i].name, tbl[i].mode,
dbg, base + tbl[i].off,
Reported by Cppcheck.
Line: 476
CWE codes:
682
break;
case doff_io32:
wil_debugfs_create_iomem_x32(tbl[i].name, tbl[i].mode,
dbg, base + tbl[i].off,
wil);
break;
case doff_u8:
debugfs_create_u8(tbl[i].name, tbl[i].mode, dbg,
base + tbl[i].off);
Reported by Cppcheck.
Line: 481
CWE codes:
682
break;
case doff_u8:
debugfs_create_u8(tbl[i].name, tbl[i].mode, dbg,
base + tbl[i].off);
break;
}
}
}
Reported by Cppcheck.
Line: 151
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int used = (ring->size + swhead - swtail)
% ring->size;
int avail = ring->size - used - 1;
char name[10];
char sidle[10];
/* performance monitoring */
cycles_t now = get_cycles();
uint64_t idle = txdata->idle * 100;
uint64_t total = now - txdata->begin;
Reported by FlawFinder.
Line: 152
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
% ring->size;
int avail = ring->size - used - 1;
char name[10];
char sidle[10];
/* performance monitoring */
cycles_t now = get_cycles();
uint64_t idle = txdata->idle * 100;
uint64_t total = now - txdata->begin;
Reported by FlawFinder.
Line: 333
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
le16_to_cpu(hdr.seq), len,
le16_to_cpu(hdr.type), hdr.flags);
if (len <= MAX_MBOXITEM_SIZE) {
unsigned char databuf[MAX_MBOXITEM_SIZE];
void __iomem *src = wmi_buffer(wil, d.addr) +
sizeof(struct wil6210_mbox_hdr);
/*
* No need to check @src for validity -
* we already validated @d.addr while
Reported by FlawFinder.
Line: 783
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct wil6210_priv *wil = file->private_data;
int rc;
char *kbuf = kmalloc(len + 1, GFP_KERNEL);
char cmd[9];
int p1, p2, p3;
if (!kbuf)
return -ENOMEM;
Reported by FlawFinder.
Line: 880
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct wil6210_priv *wil = file->private_data;
int rc;
char *kbuf = kmalloc(len + 1, GFP_KERNEL);
char cmd[9];
int num_descs, desc_size;
if (!kbuf)
return -ENOMEM;
Reported by FlawFinder.
drivers/net/wireless/ath/wil6210/wmi.c
20 issues
Line: 2635
CWE codes:
562
} __packed evt;
int rc;
memset(&evt, 0, sizeof(evt));
if (wdev->iftype == NL80211_IFTYPE_MONITOR) {
struct ieee80211_channel *ch = wil->monitor_chandef.chan;
cmd.sniffer_cfg.mode = cpu_to_le32(WMI_SNIFFER_ON);
Reported by Cppcheck.
Line: 2662
CWE codes:
562
/* typical time for secure PCP is 840ms */
rc = wmi_call(wil, WMI_CFG_RX_CHAIN_CMDID, vif->mid, &cmd, sizeof(cmd),
WMI_CFG_RX_CHAIN_DONE_EVENTID, &evt, sizeof(evt), 2000);
if (rc)
return rc;
if (le32_to_cpu(evt.evt.status) != WMI_CFG_RX_CHAIN_SUCCESS)
rc = -EINVAL;
Reported by Cppcheck.
Line: 3652
CWE codes:
562
memcpy(cmd->payload, buf, len);
rc = wmi_call(wil, WMI_SW_TX_REQ_CMDID, vif->mid, cmd, total,
WMI_SW_TX_COMPLETE_EVENTID, &evt, sizeof(evt), 2000);
if (!rc && evt.evt.status != WMI_FW_STATUS_SUCCESS) {
wil_dbg_wmi(wil, "mgmt_tx failed with status %d\n",
evt.evt.status);
rc = -EAGAIN;
}
Reported by Cppcheck.
Line: 3706
CWE codes:
562
cmd->duration_ms = cpu_to_le16(duration_ms);
rc = wmi_call(wil, WMI_SW_TX_REQ_EXT_CMDID, vif->mid, cmd, total,
WMI_SW_TX_COMPLETE_EVENTID, &evt, sizeof(evt), 2000);
if (!rc && evt.evt.status != WMI_FW_STATUS_SUCCESS) {
wil_dbg_wmi(wil, "mgmt_tx_ext failed with status %d\n",
evt.evt.status);
rc = -EAGAIN;
}
Reported by Cppcheck.
Line: 4039
CWE codes:
562
if (rssi_thold > S8_MAX || rssi_thold < S8_MIN || rssi_hyst > U8_MAX)
return -EINVAL;
rc = wmi_call(wil, WMI_SET_LINK_MONITOR_CMDID, vif->mid, &cmd,
sizeof(cmd), WMI_SET_LINK_MONITOR_EVENTID,
&reply, sizeof(reply), WIL_WMI_CALL_GENERAL_TO_MS);
if (rc) {
wil_err(wil, "WMI_SET_LINK_MONITOR_CMDID failed, rc %d\n", rc);
return rc;
Reported by Cppcheck.
Line: 1995
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (wil->reply_id && wil->reply_id == id &&
wil->reply_mid == mid) {
if (wil->reply_buf) {
memcpy(wil->reply_buf, wmi,
min(len, wil->reply_size));
immed_reply = true;
}
if (id == WMI_TRAFFIC_SUSPEND_EVENTID) {
wil_dbg_wmi(wil,
Reported by FlawFinder.
Line: 2288
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ssid_len > sizeof(cmd.ssid))
return -EINVAL;
memcpy(cmd.ssid, ssid, ssid_len);
return wmi_send(wil, WMI_SET_SSID_CMDID, vif->mid, &cmd, sizeof(cmd));
}
int wmi_get_ssid(struct wil6210_vif *vif, u8 *ssid_len, void *ssid)
Reported by FlawFinder.
Line: 2316
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
*ssid_len = len;
memcpy(ssid, reply.cmd.ssid, len);
return 0;
}
int wmi_set_channel(struct wil6210_priv *wil, int channel)
Reported by FlawFinder.
Line: 2459
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
};
if (mac_addr)
memcpy(cmd.mac, mac_addr, WMI_MAC_LEN);
return wmi_send(wil, WMI_DELETE_CIPHER_KEY_CMDID, vif->mid,
&cmd, sizeof(cmd));
}
Reported by FlawFinder.
Line: 2485
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
if (key)
memcpy(cmd.key, key, key_len);
if (mac_addr)
memcpy(cmd.mac, mac_addr, WMI_MAC_LEN);
return wmi_send(wil, WMI_ADD_CIPHER_KEY_CMDID, vif->mid,
Reported by FlawFinder.
net/ipv4/devinet.c
20 issues
Line: 1267
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (len < size)
break;
memset(&ifr, 0, sizeof(struct ifreq));
strcpy(ifr.ifr_name, ifa->ifa_label);
(*(struct sockaddr_in *)&ifr.ifr_addr).sin_family = AF_INET;
(*(struct sockaddr_in *)&ifr.ifr_addr).sin_addr.s_addr =
ifa->ifa_local;
Reported by FlawFinder.
Line: 1496
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
dot = old;
}
if (strlen(dot) + strlen(dev->name) < IFNAMSIZ)
strcat(ifa->ifa_label, dot);
else
strcpy(ifa->ifa_label + (IFNAMSIZ - strlen(dot) - 1), dot);
skip:
rtmsg_ifa(RTM_NEWADDR, ifa, NULL, 0);
}
Reported by FlawFinder.
Line: 1498
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (strlen(dot) + strlen(dev->name) < IFNAMSIZ)
strcat(ifa->ifa_label, dot);
else
strcpy(ifa->ifa_label + (IFNAMSIZ - strlen(dot) - 1), dot);
skip:
rtmsg_ifa(RTM_NEWADDR, ifa, NULL, 0);
}
}
Reported by FlawFinder.
Line: 885
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (tb[IFA_LABEL])
nla_strscpy(ifa->ifa_label, tb[IFA_LABEL], IFNAMSIZ);
else
memcpy(ifa->ifa_label, dev->name, IFNAMSIZ);
if (tb[IFA_RT_PRIORITY])
ifa->ifa_rt_priority = nla_get_u32(tb[IFA_RT_PRIORITY]);
if (tb[IFA_CACHEINFO]) {
Reported by FlawFinder.
Line: 1023
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ifr->ifr_name[IFNAMSIZ - 1] = 0;
/* save original address for comparison */
memcpy(&sin_orig, sin, sizeof(*sin));
colon = strchr(ifr->ifr_name, ':');
if (colon)
*colon = 0;
Reported by FlawFinder.
Line: 1157
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
INIT_HLIST_NODE(&ifa->hash);
if (colon)
memcpy(ifa->ifa_label, ifr->ifr_name, IFNAMSIZ);
else
memcpy(ifa->ifa_label, dev->name, IFNAMSIZ);
} else {
ret = 0;
if (ifa->ifa_local == sin->sin_addr.s_addr)
Reported by FlawFinder.
Line: 1159
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (colon)
memcpy(ifa->ifa_label, ifr->ifr_name, IFNAMSIZ);
else
memcpy(ifa->ifa_label, dev->name, IFNAMSIZ);
} else {
ret = 0;
if (ifa->ifa_local == sin->sin_addr.s_addr)
break;
inet_del_ifa(in_dev, ifap, 0);
Reported by FlawFinder.
Line: 1484
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int named = 0;
in_dev_for_each_ifa_rtnl(ifa, in_dev) {
char old[IFNAMSIZ], *dot;
memcpy(old, ifa->ifa_label, IFNAMSIZ);
memcpy(ifa->ifa_label, dev->name, IFNAMSIZ);
if (named++ == 0)
goto skip;
Reported by FlawFinder.
Line: 1486
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
in_dev_for_each_ifa_rtnl(ifa, in_dev) {
char old[IFNAMSIZ], *dot;
memcpy(old, ifa->ifa_label, IFNAMSIZ);
memcpy(ifa->ifa_label, dev->name, IFNAMSIZ);
if (named++ == 0)
goto skip;
dot = strchr(old, ':');
if (!dot) {
Reported by FlawFinder.
Line: 1487
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char old[IFNAMSIZ], *dot;
memcpy(old, ifa->ifa_label, IFNAMSIZ);
memcpy(ifa->ifa_label, dev->name, IFNAMSIZ);
if (named++ == 0)
goto skip;
dot = strchr(old, ':');
if (!dot) {
sprintf(old, ":%d", named);
Reported by FlawFinder.
drivers/tty/vt/vt.c
20 issues
Line: 401
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char32_t *ln = uniscr->lines[vc->state.y];
unsigned int x = vc->state.x, cols = vc->vc_cols;
memcpy(&ln[x], &ln[x + nr], (cols - x - nr) * sizeof(*ln));
memset32(&ln[cols - nr], ' ', nr);
}
}
static void vc_uniscr_clear_line(struct vc_data *vc, unsigned int x,
Reported by FlawFinder.
Line: 481
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char32_t *src_line = src->lines[src_top_row];
char32_t *dst_line = dst->lines[dst_row];
memcpy(dst_line, src_line, src_cols * sizeof(char32_t));
if (dst_cols - src_cols)
memset32(dst_line + src_cols, ' ', dst_cols - src_cols);
src_top_row++;
dst_row++;
}
Reported by FlawFinder.
Line: 565
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
row = (pos - vc->vc_origin) / vc->vc_size_row;
col = ((pos - vc->vc_origin) % vc->vc_size_row) / 2;
memcpy(dest, &uniscr->lines[row][col], nr * sizeof(char32_t));
} else {
/*
* Scrollback is active. For now let's simply backtranslate
* the screen glyphs until the unicode screen buffer does
* synchronize with console display drivers for a scrollback
Reported by FlawFinder.
Line: 1824
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void cursor_report(struct vc_data *vc, struct tty_struct *tty)
{
char buf[40];
int len;
len = sprintf(buf, "\033[%d;%dR", vc->state.y +
(vc->vc_decom ? vc->vc_top + 1 : 1),
vc->state.x + 1);
Reported by FlawFinder.
Line: 1827
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char buf[40];
int len;
len = sprintf(buf, "\033[%d;%dR", vc->state.y +
(vc->vc_decom ? vc->vc_top + 1 : 1),
vc->state.x + 1);
respond_string(buf, len, tty->port);
}
Reported by FlawFinder.
Line: 1850
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void mouse_report(struct tty_struct *tty, int butt, int mrx, int mry)
{
char buf[8];
int len;
len = sprintf(buf, "\033[M%c%c%c", (char)(' ' + butt),
(char)('!' + mrx), (char)('!' + mry));
respond_string(buf, len, tty->port);
Reported by FlawFinder.
Line: 1853
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char buf[8];
int len;
len = sprintf(buf, "\033[M%c%c%c", (char)(' ' + butt),
(char)('!' + mrx), (char)('!' + mry));
respond_string(buf, len, tty->port);
}
/* invoked via ioctl(TIOCLINUX) and through set_selection_user */
Reported by FlawFinder.
Line: 2045
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* console_lock is held (except via vc_init->reset_terminal */
static void save_cur(struct vc_data *vc)
{
memcpy(&vc->saved_state, &vc->state, sizeof(vc->state));
}
/* console_lock is held */
static void restore_cur(struct vc_data *vc)
{
Reported by FlawFinder.
Line: 3537
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t show_tty_active(struct device *dev,
struct device_attribute *attr, char *buf)
{
return sprintf(buf, "tty%d\n", fg_console + 1);
}
static DEVICE_ATTR(active, S_IRUGO, show_tty_active, NULL);
static struct attribute *vt_dev_attrs[] = {
&dev_attr_active.attr,
Reported by FlawFinder.
Line: 4007
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Set the initial LINES variable if it is not already set */
if (vc->vc_rows < 999) {
int linecount;
char lns[4];
const char *setargs[3] = {
"set",
"LINES",
lns,
};
Reported by FlawFinder.