The following issues were found
drivers/nvme/target/admin-cmd.c
3 issues
Line: 369
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
id->vid = 0;
id->ssvid = 0;
memcpy(id->sn, ctrl->subsys->serial, NVMET_SN_MAX_SIZE);
memcpy_and_pad(id->mn, sizeof(id->mn), subsys->model_number,
strlen(subsys->model_number), ' ');
memcpy_and_pad(id->fr, sizeof(id->fr),
UTS_RELEASE, strlen(UTS_RELEASE), ' ');
Reported by FlawFinder.
Line: 371
Column: 10
CWE codes:
126
memcpy(id->sn, ctrl->subsys->serial, NVMET_SN_MAX_SIZE);
memcpy_and_pad(id->mn, sizeof(id->mn), subsys->model_number,
strlen(subsys->model_number), ' ');
memcpy_and_pad(id->fr, sizeof(id->fr),
UTS_RELEASE, strlen(UTS_RELEASE), ' ');
id->rab = 6;
Reported by FlawFinder.
Line: 373
Column: 23
CWE codes:
126
memcpy_and_pad(id->mn, sizeof(id->mn), subsys->model_number,
strlen(subsys->model_number), ' ');
memcpy_and_pad(id->fr, sizeof(id->fr),
UTS_RELEASE, strlen(UTS_RELEASE), ' ');
id->rab = 6;
/*
* XXX: figure out how we can assign a IEEE OUI, but until then
Reported by FlawFinder.
drivers/remoteproc/remoteproc_elf_helpers.h
3 issues
Line: 114
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return 0;
ret = idx;
strcpy((strtab + idx), name);
idx += strlen(name) + 1;
if (index)
*index = idx;
return ret;
Reported by FlawFinder.
Line: 32
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static inline void elf_hdr_init_ident(struct elf32_hdr *hdr, u8 class)
{
memcpy(hdr->e_ident, ELFMAG, SELFMAG);
hdr->e_ident[EI_CLASS] = class;
hdr->e_ident[EI_DATA] = ELFDATA2LSB;
hdr->e_ident[EI_VERSION] = EV_CURRENT;
hdr->e_ident[EI_OSABI] = ELFOSABI_NONE;
}
Reported by FlawFinder.
Line: 115
Column: 9
CWE codes:
126
ret = idx;
strcpy((strtab + idx), name);
idx += strlen(name) + 1;
if (index)
*index = idx;
return ret;
}
Reported by FlawFinder.
drivers/nvme/target/core.c
3 issues
Line: 1375
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
INIT_WORK(&ctrl->fatal_err_work, nvmet_fatal_error_handler);
INIT_DELAYED_WORK(&ctrl->ka_work, nvmet_keep_alive_timer);
memcpy(ctrl->subsysnqn, subsysnqn, NVMF_NQN_SIZE);
memcpy(ctrl->hostnqn, hostnqn, NVMF_NQN_SIZE);
kref_init(&ctrl->ref);
ctrl->subsys = subsys;
WRITE_ONCE(ctrl->aen_enabled, NVMET_AEN_CFG_OPTIONAL);
Reported by FlawFinder.
Line: 1376
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
INIT_DELAYED_WORK(&ctrl->ka_work, nvmet_keep_alive_timer);
memcpy(ctrl->subsysnqn, subsysnqn, NVMF_NQN_SIZE);
memcpy(ctrl->hostnqn, hostnqn, NVMF_NQN_SIZE);
kref_init(&ctrl->ref);
ctrl->subsys = subsys;
WRITE_ONCE(ctrl->aen_enabled, NVMET_AEN_CFG_OPTIONAL);
Reported by FlawFinder.
Line: 1515
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum nvme_subsys_type type)
{
struct nvmet_subsys *subsys;
char serial[NVMET_SN_MAX_SIZE / 2];
int ret;
subsys = kzalloc(sizeof(*subsys), GFP_KERNEL);
if (!subsys)
return ERR_PTR(-ENOMEM);
Reported by FlawFinder.
drivers/net/xen-netback/interface.c
3 issues
Line: 397
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static const struct xenvif_stat {
char name[ETH_GSTRING_LEN];
u16 offset;
} xenvif_stats[] = {
{
"rx_gso_checksum_fixup",
offsetof(struct xenvif_stats, rx_gso_checksum_fixup)
Reported by FlawFinder.
Line: 468
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (stringset) {
case ETH_SS_STATS:
for (i = 0; i < ARRAY_SIZE(xenvif_stats); i++)
memcpy(data + i * ETH_GSTRING_LEN,
xenvif_stats[i].name, ETH_GSTRING_LEN);
break;
}
}
Reported by FlawFinder.
Line: 500
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int err;
struct net_device *dev;
struct xenvif *vif;
char name[IFNAMSIZ] = {};
snprintf(name, IFNAMSIZ - 1, "vif%u.%u", domid, handle);
/* Allocate a netdev with the max. supported number of queues.
* When the guest selects the desired number, it will be updated
* via netif_set_real_num_*_queues().
Reported by FlawFinder.
drivers/nvme/target/nvmet.h
3 issues
Line: 202
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le32 *changed_ns_list;
u32 nr_changed_ns;
char subsysnqn[NVMF_NQN_FIELD_LEN];
char hostnqn[NVMF_NQN_FIELD_LEN];
struct device *p2p_client;
struct radix_tree_root p2p_ns_map;
Reported by FlawFinder.
Line: 203
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 nr_changed_ns;
char subsysnqn[NVMF_NQN_FIELD_LEN];
char hostnqn[NVMF_NQN_FIELD_LEN];
struct device *p2p_client;
struct radix_tree_root p2p_ns_map;
spinlock_t error_lock;
Reported by FlawFinder.
Line: 234
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 max_qid;
u64 ver;
char serial[NVMET_SN_MAX_SIZE];
bool subsys_discovered;
char *subsysnqn;
bool pi_support;
struct config_group group;
Reported by FlawFinder.
drivers/nvme/target/tcp.c
3 issues
Line: 991
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
req = &queue->cmd->req;
memcpy(req->cmd, nvme_cmd, sizeof(*nvme_cmd));
if (unlikely(!nvmet_req_init(req, &queue->nvme_cq,
&queue->nvme_sq, &nvmet_tcp_ops))) {
pr_err("failed cmd %p id %d opcode %d, data_len: %d\n",
req->cmd, req->cmd->common.command_id,
Reported by FlawFinder.
Line: 1791
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
container_of(req, struct nvmet_tcp_cmd, req);
struct nvmet_tcp_queue *queue = cmd->queue;
sprintf(traddr, "%pISc", (struct sockaddr *)&queue->sockaddr);
} else {
memcpy(traddr, nport->disc_addr.traddr, NVMF_TRADDR_SIZE);
}
}
Reported by FlawFinder.
Line: 1793
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sprintf(traddr, "%pISc", (struct sockaddr *)&queue->sockaddr);
} else {
memcpy(traddr, nport->disc_addr.traddr, NVMF_TRADDR_SIZE);
}
}
static const struct nvmet_fabrics_ops nvmet_tcp_ops = {
.owner = THIS_MODULE,
Reported by FlawFinder.
drivers/pnp/isapnp/compat.c
3 issues
Line: 16
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static void pnp_convert_id(char *buf, unsigned short vendor,
unsigned short device)
{
sprintf(buf, "%c%c%c%x%x%x%x",
'A' + ((vendor >> 2) & 0x3f) - 1,
'A' + (((vendor & 3) << 3) | ((vendor >> 13) & 7)) - 1,
'A' + ((vendor >> 8) & 0x1f) - 1,
(device >> 4) & 0x0f, device & 0x0f,
(device >> 12) & 0x0f, (device >> 8) & 0x0f);
Reported by FlawFinder.
Line: 27
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pnp_dev *pnp_find_dev(struct pnp_card *card, unsigned short vendor,
unsigned short function, struct pnp_dev *from)
{
char id[8];
char any[8];
pnp_convert_id(id, vendor, function);
pnp_convert_id(any, ISAPNP_ANY_ID, ISAPNP_ANY_ID);
if (card == NULL) { /* look for a logical device from all cards */
Reported by FlawFinder.
Line: 28
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short function, struct pnp_dev *from)
{
char id[8];
char any[8];
pnp_convert_id(id, vendor, function);
pnp_convert_id(any, ISAPNP_ANY_ID, ISAPNP_ANY_ID);
if (card == NULL) { /* look for a logical device from all cards */
struct list_head *list;
Reported by FlawFinder.
drivers/nvmem/core.c
3 issues
Line: 195
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct nvmem_device *nvmem = to_nvmem_device(dev);
return sprintf(buf, "%s\n", nvmem_type_str[nvmem->type]);
}
static DEVICE_ATTR_RO(type);
static struct attribute *nvmem_attrs[] = {
Reported by FlawFinder.
Line: 1452
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!buf)
return ERR_PTR(-ENOMEM);
memcpy(buf, _buf, len);
p = b = buf;
if (bit_offset) {
pbyte = *b;
*b <<= bit_offset;
Reported by FlawFinder.
Line: 1551
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nvmem_cell_put(cell);
return -EINVAL;
}
memcpy(val, buf, count);
kfree(buf);
nvmem_cell_put(cell);
return 0;
}
Reported by FlawFinder.
drivers/remoteproc/remoteproc_coredump.c
3 issues
Line: 171
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (is_iomem)
memcpy_fromio(dest, ptr, size);
else
memcpy(dest, ptr, size);
}
}
}
static ssize_t rproc_coredump_read(char *buffer, loff_t offset, size_t count,
Reported by FlawFinder.
Line: 377
Column: 17
CWE codes:
126
shnum = 2;
/* the extra byte is for the null character at index 0 */
strtbl_size += strlen(str_tbl) + 2;
list_for_each_entry(segment, &rproc->dump_segments, node) {
data_size += elf_size_of_shdr(class);
strtbl_size += strlen(segment->priv) + 1;
if (dump_conf == RPROC_COREDUMP_ENABLED)
Reported by FlawFinder.
Line: 381
Column: 18
CWE codes:
126
list_for_each_entry(segment, &rproc->dump_segments, node) {
data_size += elf_size_of_shdr(class);
strtbl_size += strlen(segment->priv) + 1;
if (dump_conf == RPROC_COREDUMP_ENABLED)
data_size += segment->size;
shnum++;
}
Reported by FlawFinder.
drivers/net/xen-netback/common.h
3 issues
Line: 140
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct xenvif_queue { /* Per-queue data for xenvif */
unsigned int id; /* Queue ID, 0-based */
char name[QUEUE_NAME_SIZE]; /* DEVNAME-qN */
struct xenvif *vif; /* Parent VIF */
/*
* TX/RX common EOI handling.
* When feature-split-event-channels = 0, interrupt handler sets
Reported by FlawFinder.
Line: 162
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* When feature-split-event-channels = 0, tx_irq = rx_irq. */
unsigned int tx_irq;
/* Only used when feature-split-event-channels = 1 */
char tx_irq_name[IRQ_NAME_SIZE]; /* DEVNAME-qN-tx */
struct xen_netif_tx_back_ring tx;
struct sk_buff_head tx_queue;
struct page *mmap_pages[MAX_PENDING_REQS];
pending_ring_idx_t pending_prod;
pending_ring_idx_t pending_cons;
Reported by FlawFinder.
Line: 199
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* When feature-split-event-channels = 0, tx_irq = rx_irq. */
unsigned int rx_irq;
/* Only used when feature-split-event-channels = 1 */
char rx_irq_name[IRQ_NAME_SIZE]; /* DEVNAME-qN-rx */
struct xen_netif_rx_back_ring rx;
struct sk_buff_head rx_queue;
unsigned int rx_queue_max;
unsigned int rx_queue_len;
Reported by FlawFinder.