The following issues were found
drivers/net/wireless/st/cw1200/wsm.c
3 issues
Line: 38
Column: 3
CWE codes:
120
Suggestion:
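Make sure destination can always hold the source data. In the excerpt below, the comparison with (buf)->end bounds only the read from the source buffer; nothing visible relates size to the capacity of ptr, so that guarantee has to come from every caller of the macro.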
do { \
if ((buf)->data + size > (buf)->end) \
goto underflow; \
memcpy(ptr, (buf)->data, size); \
(buf)->data += size; \
} while (0)
#define __WSM_GET(buf, type, type2, cvt) \
({ \
Reported by FlawFinder.
Line: 61
Column: 3
CWE codes:
120
Suggestion:
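Make sure destination can always hold the source data. Here the destination is (buf)->data, and the excerpt calls wsm_buf_reserve() and jumps to nomem before the copy when the write would pass (buf)->end; whether that is sufficient depends on wsm_buf_reserve(), which is not shown.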
if ((buf)->data + size > (buf)->end) \
if (wsm_buf_reserve((buf), size)) \
goto nomem; \
memcpy((buf)->data, ptr, size); \
(buf)->data += size; \
} while (0)
#define __WSM_PUT(buf, val, type, type2, cvt) \
do { \
Reported by FlawFinder.
Line: 1244
Column: 2
CWE codes:
119
120
Suggestion:
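Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. This finding is on the declaration of a fixed-size local array (the excerpt shows char fname[48]), not on a particular write; the excerpt does not show how the array is filled, so triage means checking each later write to it against that size.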
struct wsm_buf buf;
u32 reason;
u32 reg[18];
char fname[48];
unsigned int i;
static const char * const reason_str[] = {
"undefined instruction",
"prefetch abort",
Reported by FlawFinder.
drivers/rtc/rtc-rc5t583.c
3 issues
Line: 86
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int rc5t583_rtc_set_time(struct device *dev, struct rtc_time *tm)
{
struct rc5t583 *rc5t583 = dev_get_drvdata(dev->parent);
unsigned char rtc_data[NUM_TIME_REGS];
int ret;
rtc_data[0] = bin2bcd(tm->tm_sec);
rtc_data[1] = bin2bcd(tm->tm_min);
rtc_data[2] = bin2bcd(tm->tm_hour);
Reported by FlawFinder.
Line: 110
Column: 11
CWE codes:
119
120
Suggestion:
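Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged item is the declaration of alarm_data[NUM_YAL_REGS]; the one use visible in the excerpt, regmap_bulk_read(), passes the same constant NUM_YAL_REGS as its count, so that read matches the array size.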
static int rc5t583_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alm)
{
struct rc5t583 *rc5t583 = dev_get_drvdata(dev->parent);
unsigned char alarm_data[NUM_YAL_REGS];
u32 interrupt_enable;
int ret;
ret = regmap_bulk_read(rc5t583->regmap, RC5T583_RTC_AY_MIN, alarm_data,
NUM_YAL_REGS);
Reported by FlawFinder.
Line: 142
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int rc5t583_rtc_set_alarm(struct device *dev, struct rtc_wkalrm *alm)
{
struct rc5t583 *rc5t583 = dev_get_drvdata(dev->parent);
unsigned char alarm_data[NUM_YAL_REGS];
int ret;
ret = rc5t583_rtc_alarm_irq_enable(dev, 0);
if (ret)
return ret;
Reported by FlawFinder.
drivers/net/wireless/intersil/p54/txrx.c
3 issues
Line: 503
Column: 3
CWE codes:
120
Suggestion:
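Make sure destination can always hold the source data. The copy length here is le16_to_cpu(eeprom->v2.len) (or v1.len), a field of the same structure that supplies the data, and the excerpt shows no comparison of it with the size of the priv->eeprom buffer; confirm that such a check exists before these lines.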
return ;
if (priv->fw_var >= 0x509) {
memcpy(priv->eeprom, eeprom->v2.data,
le16_to_cpu(eeprom->v2.len));
} else {
memcpy(priv->eeprom, eeprom->v1.data,
le16_to_cpu(eeprom->v1.len));
}
Reported by FlawFinder.
Line: 506
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(priv->eeprom, eeprom->v2.data,
le16_to_cpu(eeprom->v2.len));
} else {
memcpy(priv->eeprom, eeprom->v1.data,
le16_to_cpu(eeprom->v1.len));
}
priv->eeprom = NULL;
tmp = p54_find_and_unlink_skb(priv, hdr->req_id);
Reported by FlawFinder.
Line: 910
Column: 3
CWE codes:
120
Suggestion:
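Make sure destination can always hold the source data. The length is capped first in the excerpt (txhdr->key_len = min((u8)16, ...keylen)), so this copy is at most 16 bytes; what remains to confirm is that txhdr->key is declared with at least 16 bytes.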
if (info->control.hw_key) {
txhdr->key_type = p54_convert_algo(info->control.hw_key->cipher);
txhdr->key_len = min((u8)16, info->control.hw_key->keylen);
memcpy(txhdr->key, info->control.hw_key->key, txhdr->key_len);
if (info->control.hw_key->cipher == WLAN_CIPHER_SUITE_TKIP) {
/* reserve space for the MIC key */
len += 8;
skb_put_data(skb,
&(info->control.hw_key->key[NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY]),
Reported by FlawFinder.
drivers/s390/scsi/zfcp_aux.c
3 issues
Line: 94
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char *token;
char *str, *str_saved;
char busid[ZFCP_BUS_ID_SIZE];
u64 wwpn, lun;
/* duplicate devstr and keep the original for sysfs presentation*/
str_saved = kstrdup(devstr, GFP_KERNEL);
str = str_saved;
Reported by FlawFinder.
Line: 315
Column: 2
CWE codes:
119
120
Suggestion:
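Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged item is the declaration of name[TASK_COMM_LEN]; the only write in the excerpt is snprintf(name, sizeof(name), ...), which is bounded by the buffer size, so the remaining effect is possible truncation of the name rather than an overflow.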
static int zfcp_setup_adapter_work_queue(struct zfcp_adapter *adapter)
{
char name[TASK_COMM_LEN];
snprintf(name, sizeof(name), "zfcp_q_%s",
dev_name(&adapter->ccw_device->dev));
adapter->work_queue = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM);
Reported by FlawFinder.
Line: 104
Column: 16
CWE codes:
126
return;
token = strsep(&str, ",");
if (!token || strlen(token) >= ZFCP_BUS_ID_SIZE)
goto err_out;
strlcpy(busid, token, ZFCP_BUS_ID_SIZE);
token = strsep(&str, ",");
if (!token || kstrtoull(token, 0, (unsigned long long *) &wwpn))
Reported by FlawFinder.
drivers/s390/net/smsgiucv.c
3 issues
Line: 57
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct smsg_callback *cb;
unsigned char *buffer;
unsigned char sender[9];
int rc, i;
buffer = kmalloc(msg->length + 1, GFP_ATOMIC | GFP_DMA);
if (!buffer) {
iucv_message_reject(path, msg);
Reported by FlawFinder.
Line: 69
Column: 3
CWE codes:
120
Suggestion:
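Make sure destination can always hold the source data. sender is declared with 9 bytes in the excerpt for line 57, so the 8-byte copy fits the destination; the part to verify is the source side, since buffer is allocated as msg->length + 1 and neither excerpt shows a check that msg->length is at least 8.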
if (rc == 0) {
buffer[msg->length] = 0;
EBCASC(buffer, msg->length);
memcpy(sender, buffer, 8);
sender[8] = 0;
/* Remove trailing whitespace from the sender name. */
for (i = 7; i >= 0; i--) {
if (sender[i] != ' ' && sender[i] != '\t')
break;
Reported by FlawFinder.
Line: 97
Column: 12
CWE codes:
126
if (!cb)
return -ENOMEM;
cb->prefix = prefix;
cb->len = strlen(prefix);
cb->callback = callback;
spin_lock_bh(&smsg_list_lock);
list_add_tail(&cb->list, &smsg_list);
spin_unlock_bh(&smsg_list_lock);
return 0;
Reported by FlawFinder.
drivers/ptp/ptp_vclock.c
3 issues
Line: 154
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ptp_get_vclocks_index(int pclock_index, int **vclock_index)
{
char name[PTP_CLOCK_NAME_LEN] = "";
struct ptp_clock *ptp;
struct device *dev;
int num = 0;
if (pclock_index < 0)
Reported by FlawFinder.
Line: 178
Column: 2
CWE codes:
120
Suggestion:
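Make sure destination can always hold the source data. The allocation of *vclock_index is above the excerpt; confirm it is sized from the same ptp->n_vclocks value and that allocation and copy both happen while n_vclocks_mux is held (the mutex_unlock at out: suggests it is), so the count cannot change in between.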
if (!(*vclock_index))
goto out;
memcpy(*vclock_index, ptp->vclock_index, sizeof(int) * ptp->n_vclocks);
num = ptp->n_vclocks;
out:
mutex_unlock(&ptp->n_vclocks_mux);
put_device(dev);
return num;
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void ptp_convert_timestamp(struct skb_shared_hwtstamps *hwtstamps,
int vclock_index)
{
char name[PTP_CLOCK_NAME_LEN] = "";
struct ptp_vclock *vclock;
struct ptp_clock *ptp;
unsigned long flags;
struct device *dev;
u64 ns;
Reported by FlawFinder.
drivers/s390/char/sclp_cmd.c
3 issues
Line: 628
Column: 2
CWE codes:
120
Suggestion:
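Make sure destination can always hold the source data. All three findings for this file are the same three constant-length copies; they are in bounds when the recognized, standby and configured arrays of both structures are declared with at least SCLP_CHP_INFO_MASK_SIZE bytes, which the excerpt does not show.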
rc = -EIO;
goto out;
}
memcpy(info->recognized, sccb->recognized, SCLP_CHP_INFO_MASK_SIZE);
memcpy(info->standby, sccb->standby, SCLP_CHP_INFO_MASK_SIZE);
memcpy(info->configured, sccb->configured, SCLP_CHP_INFO_MASK_SIZE);
out:
free_page((unsigned long) sccb);
return rc;
Reported by FlawFinder.
Line: 629
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy(info->recognized, sccb->recognized, SCLP_CHP_INFO_MASK_SIZE);
memcpy(info->standby, sccb->standby, SCLP_CHP_INFO_MASK_SIZE);
memcpy(info->configured, sccb->configured, SCLP_CHP_INFO_MASK_SIZE);
out:
free_page((unsigned long) sccb);
return rc;
}
Reported by FlawFinder.
Line: 630
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(info->recognized, sccb->recognized, SCLP_CHP_INFO_MASK_SIZE);
memcpy(info->standby, sccb->standby, SCLP_CHP_INFO_MASK_SIZE);
memcpy(info->configured, sccb->configured, SCLP_CHP_INFO_MASK_SIZE);
out:
free_page((unsigned long) sccb);
return rc;
}
Reported by FlawFinder.
drivers/net/wireless/quantenna/qtnfmac/core.c
3 issues
Line: 167
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct qtnf_vif *vif = qtnf_netdev_get_priv(ndev);
struct sockaddr *sa = addr;
int ret;
unsigned char old_addr[ETH_ALEN];
memcpy(old_addr, sa->sa_data, sizeof(old_addr));
ret = eth_mac_addr(ndev, sa);
if (ret)
Reported by FlawFinder.
Line: 182
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sa->sa_data);
if (ret)
memcpy(ndev->dev_addr, old_addr, ETH_ALEN);
return ret;
}
static int qtnf_netdev_port_parent_id(struct net_device *ndev,
Reported by FlawFinder.
Line: 194
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const struct qtnf_bus *bus = vif->mac->bus;
ppid->id_len = sizeof(bus->hw_id);
memcpy(&ppid->id, bus->hw_id, ppid->id_len);
return 0;
}
static int qtnf_netdev_alloc_pcpu_stats(struct net_device *dev)
Reported by FlawFinder.
drivers/net/wireless/rsi/rsi_91x_sdio.c
3 issues
Line: 562
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__func__, status);
dev->write_fail = 2;
} else {
memcpy(dev->prev_desc, data, FRAME_DESC_SZ);
}
return status;
}
static int rsi_sdio_load_data_master_write(struct rsi_hw *adapter,
Reported by FlawFinder.
Line: 596
Column: 3
CWE codes:
120
Suggestion:
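Make sure destination can always hold the source data. Neither the size of temp_buf nor the relation between num_blocks * block_size and the length of the firmware image is visible here; both need checking, because the loop copies block_size bytes from ta_firmware + offset on every iteration.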
}
for (offset = 0, i = 0; i < num_blocks; i++, offset += block_size) {
memcpy(temp_buf, ta_firmware + offset, block_size);
lsb_address = (u16)base_address;
status = rsi_sdio_write_register_multiple
(adapter,
lsb_address | RSI_SD_REQUEST_MASTER,
temp_buf, block_size);
Reported by FlawFinder.
Line: 626
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (instructions_sz % block_size) {
memset(temp_buf, 0, block_size);
memcpy(temp_buf, ta_firmware + offset,
instructions_sz % block_size);
lsb_address = (u16)base_address;
status = rsi_sdio_write_register_multiple
(adapter,
lsb_address | RSI_SD_REQUEST_MASTER,
Reported by FlawFinder.
drivers/net/wireless/rsi/rsi_91x_mac80211.c
3 issues
Line: 1154
CWE codes:
788
case IEEE80211_AMPDU_TX_START:
if ((vif->type == NL80211_IFTYPE_STATION) ||
(vif->type == NL80211_IFTYPE_P2P_CLIENT))
common->vif_info[ii].seq_start = seq_no;
else if ((vif->type == NL80211_IFTYPE_AP) ||
(vif->type == NL80211_IFTYPE_P2P_GO))
rsta->seq_start[tid] = seq_no;
status = IEEE80211_AMPDU_TX_START_IMMEDIATE;
break;
Reported by Cppcheck.
Line: 937
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
memcpy(&common->edca_params[idx],
params,
sizeof(struct ieee80211_tx_queue_params));
if (params->uapsd)
common->uapsd_bitmap |= idx;
Reported by FlawFinder.
Line: 1591
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((vif->type == NL80211_IFTYPE_STATION) ||
(vif->type == NL80211_IFTYPE_P2P_CLIENT)) {
/* Resetting all the fields to default values */
memcpy((u8 *)bss->bssid, (u8 *)sta->addr, ETH_ALEN);
bss->qos = sta->wme;
common->bitrate_mask[NL80211_BAND_2GHZ] = 0;
common->bitrate_mask[NL80211_BAND_5GHZ] = 0;
common->min_rate = 0xffff;
common->vif_info[0].is_ht = false;
Reported by FlawFinder.