The following issues were found
drivers/usb/storage/isd200.c
20 issues
Line: 208
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char WriteData1F5;
unsigned char WriteData1F6;
unsigned char WriteData1F7;
unsigned char Reserved[3];
} generic;
struct {
unsigned char SignatureByte0;
unsigned char SignatureByte1;
Reported by FlawFinder.
Line: 225
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char CylinderHighByte;
unsigned char DeviceHeadByte;
unsigned char StatusByte;
unsigned char Reserved[3];
} read;
struct {
unsigned char SignatureByte0;
unsigned char SignatureByte1;
Reported by FlawFinder.
Line: 242
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char CylinderHighByte;
unsigned char DeviceHeadByte;
unsigned char CommandByte;
unsigned char Reserved[3];
} write;
};
/*
Reported by FlawFinder.
Line: 268
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char Versions;
unsigned char Format;
unsigned char AdditionalLength;
unsigned char Reserved[2];
unsigned char Capability;
unsigned char VendorId[8];
unsigned char ProductId[16];
unsigned char ProductRevisionLevel[4];
unsigned char VendorSpecific[20];
Reported by FlawFinder.
Line: 270
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char AdditionalLength;
unsigned char Reserved[2];
unsigned char Capability;
unsigned char VendorId[8];
unsigned char ProductId[16];
unsigned char ProductRevisionLevel[4];
unsigned char VendorSpecific[20];
unsigned char Reserved3[40];
} __attribute__ ((packed));
Reported by FlawFinder.
Line: 271
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char Reserved[2];
unsigned char Capability;
unsigned char VendorId[8];
unsigned char ProductId[16];
unsigned char ProductRevisionLevel[4];
unsigned char VendorSpecific[20];
unsigned char Reserved3[40];
} __attribute__ ((packed));
Reported by FlawFinder.
Line: 272
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char Capability;
unsigned char VendorId[8];
unsigned char ProductId[16];
unsigned char ProductRevisionLevel[4];
unsigned char VendorSpecific[20];
unsigned char Reserved3[40];
} __attribute__ ((packed));
/*
Reported by FlawFinder.
Line: 273
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char VendorId[8];
unsigned char ProductId[16];
unsigned char ProductRevisionLevel[4];
unsigned char VendorSpecific[20];
unsigned char Reserved3[40];
} __attribute__ ((packed));
/*
* INQUIRY data buffer size
Reported by FlawFinder.
Line: 274
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char ProductId[16];
unsigned char ProductRevisionLevel[4];
unsigned char VendorSpecific[20];
unsigned char Reserved3[40];
} __attribute__ ((packed));
/*
* INQUIRY data buffer size
*/
Reported by FlawFinder.
Line: 323
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 *id;
struct isd200_config ConfigData;
unsigned char *RegsBuf;
unsigned char ATARegs[8];
unsigned char DeviceHead;
unsigned char DeviceFlags;
/* maximum number of LUNs supported */
unsigned char MaxLUNs;
Reported by FlawFinder.
net/ipv4/devinet.c
20 issues
Line: 1267
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (len < size)
break;
memset(&ifr, 0, sizeof(struct ifreq));
strcpy(ifr.ifr_name, ifa->ifa_label);
(*(struct sockaddr_in *)&ifr.ifr_addr).sin_family = AF_INET;
(*(struct sockaddr_in *)&ifr.ifr_addr).sin_addr.s_addr =
ifa->ifa_local;
Reported by FlawFinder.
Line: 1496
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
dot = old;
}
if (strlen(dot) + strlen(dev->name) < IFNAMSIZ)
strcat(ifa->ifa_label, dot);
else
strcpy(ifa->ifa_label + (IFNAMSIZ - strlen(dot) - 1), dot);
skip:
rtmsg_ifa(RTM_NEWADDR, ifa, NULL, 0);
}
Reported by FlawFinder.
Line: 1498
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (strlen(dot) + strlen(dev->name) < IFNAMSIZ)
strcat(ifa->ifa_label, dot);
else
strcpy(ifa->ifa_label + (IFNAMSIZ - strlen(dot) - 1), dot);
skip:
rtmsg_ifa(RTM_NEWADDR, ifa, NULL, 0);
}
}
Reported by FlawFinder.
Line: 885
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (tb[IFA_LABEL])
nla_strscpy(ifa->ifa_label, tb[IFA_LABEL], IFNAMSIZ);
else
memcpy(ifa->ifa_label, dev->name, IFNAMSIZ);
if (tb[IFA_RT_PRIORITY])
ifa->ifa_rt_priority = nla_get_u32(tb[IFA_RT_PRIORITY]);
if (tb[IFA_CACHEINFO]) {
Reported by FlawFinder.
Line: 1023
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ifr->ifr_name[IFNAMSIZ - 1] = 0;
/* save original address for comparison */
memcpy(&sin_orig, sin, sizeof(*sin));
colon = strchr(ifr->ifr_name, ':');
if (colon)
*colon = 0;
Reported by FlawFinder.
Line: 1157
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
INIT_HLIST_NODE(&ifa->hash);
if (colon)
memcpy(ifa->ifa_label, ifr->ifr_name, IFNAMSIZ);
else
memcpy(ifa->ifa_label, dev->name, IFNAMSIZ);
} else {
ret = 0;
if (ifa->ifa_local == sin->sin_addr.s_addr)
Reported by FlawFinder.
Line: 1159
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (colon)
memcpy(ifa->ifa_label, ifr->ifr_name, IFNAMSIZ);
else
memcpy(ifa->ifa_label, dev->name, IFNAMSIZ);
} else {
ret = 0;
if (ifa->ifa_local == sin->sin_addr.s_addr)
break;
inet_del_ifa(in_dev, ifap, 0);
Reported by FlawFinder.
Line: 1484
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int named = 0;
in_dev_for_each_ifa_rtnl(ifa, in_dev) {
char old[IFNAMSIZ], *dot;
memcpy(old, ifa->ifa_label, IFNAMSIZ);
memcpy(ifa->ifa_label, dev->name, IFNAMSIZ);
if (named++ == 0)
goto skip;
Reported by FlawFinder.
Line: 1486
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
in_dev_for_each_ifa_rtnl(ifa, in_dev) {
char old[IFNAMSIZ], *dot;
memcpy(old, ifa->ifa_label, IFNAMSIZ);
memcpy(ifa->ifa_label, dev->name, IFNAMSIZ);
if (named++ == 0)
goto skip;
dot = strchr(old, ':');
if (!dot) {
Reported by FlawFinder.
Line: 1487
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char old[IFNAMSIZ], *dot;
memcpy(old, ifa->ifa_label, IFNAMSIZ);
memcpy(ifa->ifa_label, dev->name, IFNAMSIZ);
if (named++ == 0)
goto skip;
dot = strchr(old, ':');
if (!dot) {
sprintf(old, ":%d", named);
Reported by FlawFinder.
drivers/base/regmap/regmap.c
20 issues
Line: 288
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u16 v = val << shift;
memcpy(buf, &v, sizeof(v));
}
static void regmap_format_24(void *buf, unsigned int val, unsigned int shift)
{
u8 *b = buf;
Reported by FlawFinder.
Line: 317
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u32 v = val << shift;
memcpy(buf, &v, sizeof(v));
}
#ifdef CONFIG_64BIT
static void regmap_format_64_be(void *buf, unsigned int val, unsigned int shift)
{
Reported by FlawFinder.
Line: 336
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u64 v = (u64) val << shift;
memcpy(buf, &v, sizeof(v));
}
#endif
static void regmap_parse_inplace_noop(void *buf)
{
Reported by FlawFinder.
Line: 365
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u16 v = get_unaligned_be16(buf);
memcpy(buf, &v, sizeof(v));
}
static void regmap_parse_16_le_inplace(void *buf)
{
u16 v = get_unaligned_le16(buf);
Reported by FlawFinder.
Line: 372
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u16 v = get_unaligned_le16(buf);
memcpy(buf, &v, sizeof(v));
}
static unsigned int regmap_parse_16_native(const void *buf)
{
u16 v;
Reported by FlawFinder.
Line: 407
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u32 v = get_unaligned_be32(buf);
memcpy(buf, &v, sizeof(v));
}
static void regmap_parse_32_le_inplace(void *buf)
{
u32 v = get_unaligned_le32(buf);
Reported by FlawFinder.
Line: 414
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u32 v = get_unaligned_le32(buf);
memcpy(buf, &v, sizeof(v));
}
static unsigned int regmap_parse_32_native(const void *buf)
{
u32 v;
Reported by FlawFinder.
Line: 440
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u64 v = get_unaligned_be64(buf);
memcpy(buf, &v, sizeof(v));
}
static void regmap_parse_64_le_inplace(void *buf)
{
u64 v = get_unaligned_le64(buf);
Reported by FlawFinder.
Line: 447
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
u64 v = get_unaligned_le64(buf);
memcpy(buf, &v, sizeof(v));
}
static unsigned int regmap_parse_64_native(const void *buf)
{
u64 v;
Reported by FlawFinder.
Line: 1721
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* writes of single registers optimise that case.
*/
if (val != work_val && val_len == map->format.val_bytes) {
memcpy(work_val, val, map->format.val_bytes);
val = work_val;
}
if (map->async && map->bus->async_write) {
struct regmap_async *async;
Reported by FlawFinder.
drivers/ata/libata-scsi.c
20 issues
Line: 1785
CWE codes:
908
static void *ata_scsi_rbuf_get(struct scsi_cmnd *cmd, bool copy_in,
unsigned long *flags)
{
spin_lock_irqsave(&ata_scsi_rbuf_lock, *flags);
memset(ata_scsi_rbuf, 0, ATA_SCSI_RBUF_SIZE);
if (copy_in)
sg_copy_to_buffer(scsi_sglist(cmd), scsi_sg_count(cmd),
ata_scsi_rbuf, ATA_SCSI_RBUF_SIZE);
Reported by Cppcheck.
Line: 320
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct ata_device *dev = ata_scsi_find_dev(ap, sdev);
u16 __user *dst = arg;
char buf[40];
if (!dev)
return -ENOMSG;
if (copy_to_user(dst, dev->id, ATA_ID_WORDS * sizeof(u16)))
Reported by FlawFinder.
Line: 1908
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdr[2] = 0x7; /* claim SPC-5 version compatibility */
}
memcpy(rbuf, hdr, sizeof(hdr));
memcpy(&rbuf[8], "ATA ", 8);
ata_id_string(args->id, &rbuf[16], ATA_ID_PROD, 16);
/* From SAT, use last 2 words from fw rev unless they are spaces */
ata_id_string(args->id, &rbuf[32], ATA_ID_FW_REV + 2, 4);
Reported by FlawFinder.
Line: 1909
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(rbuf, hdr, sizeof(hdr));
memcpy(&rbuf[8], "ATA ", 8);
ata_id_string(args->id, &rbuf[16], ATA_ID_PROD, 16);
/* From SAT, use last 2 words from fw rev unless they are spaces */
ata_id_string(args->id, &rbuf[32], ATA_ID_FW_REV + 2, 4);
if (strncmp(&rbuf[32], " ", 4) == 0)
Reported by FlawFinder.
Line: 1918
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ata_id_string(args->id, &rbuf[32], ATA_ID_FW_REV, 4);
if (rbuf[32] == 0 || rbuf[32] == ' ')
memcpy(&rbuf[32], "n/a ", 4);
if (ata_id_zoned_cap(args->id) || args->dev->class == ATA_DEV_ZAC)
memcpy(rbuf + 58, versions_zbc, sizeof(versions_zbc));
else
memcpy(rbuf + 58, versions, sizeof(versions));
Reported by FlawFinder.
Line: 1921
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&rbuf[32], "n/a ", 4);
if (ata_id_zoned_cap(args->id) || args->dev->class == ATA_DEV_ZAC)
memcpy(rbuf + 58, versions_zbc, sizeof(versions_zbc));
else
memcpy(rbuf + 58, versions, sizeof(versions));
return 0;
}
Reported by FlawFinder.
Line: 1923
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ata_id_zoned_cap(args->id) || args->dev->class == ATA_DEV_ZAC)
memcpy(rbuf + 58, versions_zbc, sizeof(versions_zbc));
else
memcpy(rbuf + 58, versions, sizeof(versions));
return 0;
}
/**
Reported by FlawFinder.
Line: 1956
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!(args->dev->flags & ATA_DFLAG_ZAC))
num_pages--;
rbuf[3] = num_pages; /* number of supported VPD pages */
memcpy(rbuf + 4, pages, num_pages);
return 0;
}
/**
* ata_scsiop_inq_80 - Simulate INQUIRY VPD page 80, device serial number
Reported by FlawFinder.
Line: 1979
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ATA_ID_SERNO_LEN, /* page len */
};
memcpy(rbuf, hdr, sizeof(hdr));
ata_id_string(args->id, (unsigned char *) &rbuf[4],
ATA_ID_SERNO, ATA_ID_SERNO_LEN);
return 0;
}
Reported by FlawFinder.
Line: 2020
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rbuf[num + 1] = 1;
rbuf[num + 3] = sat_model_serial_desc_len;
num += 4;
memcpy(rbuf + num, "ATA ", 8);
num += 8;
ata_id_string(args->id, (unsigned char *) rbuf + num, ATA_ID_PROD,
ATA_ID_PROD_LEN);
num += ATA_ID_PROD_LEN;
ata_id_string(args->id, (unsigned char *) rbuf + num, ATA_ID_SERNO,
Reported by FlawFinder.
drivers/net/wireless/atmel/at76c50x-usb.c
20 issues
Line: 298
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dfu_status {
unsigned char status;
unsigned char poll_timeout[3];
unsigned char state;
unsigned char string;
} __packed;
static inline int at76_is_intersil(enum board_type board)
Reported by FlawFinder.
Line: 440
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
at76_dbg(DBG_DFU, "DFU IDLE");
bsize = min_t(int, size, FW_BLOCK_SIZE);
memcpy(block, buf, bsize);
at76_dbg(DBG_DFU, "int fw, size left = %5d, "
"bsize = %4d, blockno = %2d", size, bsize,
blockno);
ret =
at76_load_int_fw_block(udev, blockno, block, bsize);
Reported by FlawFinder.
Line: 620
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(hwcfg->i));
if (ret < 0)
goto exit;
memcpy(priv->mac_addr, hwcfg->i.mac_addr, ETH_ALEN);
priv->regulatory_domain = hwcfg->i.regulatory_domain;
} else if (at76_is_503rfmd(priv->board_type)) {
ret = at76_get_hw_cfg(priv->udev, hwcfg, sizeof(hwcfg->r3));
if (ret < 0)
goto exit;
Reported by FlawFinder.
Line: 626
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = at76_get_hw_cfg(priv->udev, hwcfg, sizeof(hwcfg->r3));
if (ret < 0)
goto exit;
memcpy(priv->mac_addr, hwcfg->r3.mac_addr, ETH_ALEN);
priv->regulatory_domain = hwcfg->r3.regulatory_domain;
} else {
ret = at76_get_hw_cfg(priv->udev, hwcfg, sizeof(hwcfg->r5));
if (ret < 0)
goto exit;
Reported by FlawFinder.
Line: 632
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = at76_get_hw_cfg(priv->udev, hwcfg, sizeof(hwcfg->r5));
if (ret < 0)
goto exit;
memcpy(priv->mac_addr, hwcfg->r5.mac_addr, ETH_ALEN);
priv->regulatory_domain = hwcfg->r5.regulatory_domain;
}
exit:
kfree(hwcfg);
Reported by FlawFinder.
Line: 733
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd_buf->cmd = cmd;
cmd_buf->reserved = 0;
cmd_buf->size = cpu_to_le16(buf_size);
memcpy(cmd_buf->data, buf, buf_size);
at76_dbg_dump(DBG_CMD, cmd_buf, sizeof(struct at76_command) + buf_size,
"issuing command %s (0x%02x)",
at76_get_cmd_string(cmd), cmd);
Reported by FlawFinder.
Line: 1283
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* for fw >= 0.100, the device needs an extra empty block */
do {
bsize = min_t(int, size, FW_BLOCK_SIZE);
memcpy(block, buf, bsize);
at76_dbg(DBG_DEVSTART,
"ext fw, size left = %5d, bsize = %4d, blockno = %2d",
size, bsize, blockno);
ret = at76_load_ext_fw_block(udev, blockno, block, bsize);
if (ret != bsize) {
Reported by FlawFinder.
Line: 1398
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ccfg->rts_threshold = cpu_to_le16(priv->rts_threshold);
ccfg->fragmentation_threshold = cpu_to_le16(priv->frag_threshold);
memcpy(ccfg->basic_rate_set, hw_rates, 4);
/* jal: really needed, we do a set_mib for autorate later ??? */
ccfg->auto_rate_fallback = (priv->txrate == TX_RATE_AUTO ? 1 : 0);
ccfg->channel = priv->channel;
ccfg->privacy_invoked = priv->wep_enabled;
memcpy(ccfg->current_ssid, priv->essid, IW_ESSID_MAX_SIZE);
Reported by FlawFinder.
Line: 1403
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ccfg->auto_rate_fallback = (priv->txrate == TX_RATE_AUTO ? 1 : 0);
ccfg->channel = priv->channel;
ccfg->privacy_invoked = priv->wep_enabled;
memcpy(ccfg->current_ssid, priv->essid, IW_ESSID_MAX_SIZE);
ccfg->ssid_len = priv->essid_size;
ccfg->wep_default_key_id = priv->wep_key_id;
memcpy(ccfg->wep_default_key_value, priv->wep_keys,
sizeof(priv->wep_keys));
Reported by FlawFinder.
Line: 1407
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ccfg->ssid_len = priv->essid_size;
ccfg->wep_default_key_id = priv->wep_key_id;
memcpy(ccfg->wep_default_key_value, priv->wep_keys,
sizeof(priv->wep_keys));
ccfg->short_preamble = priv->preamble_type;
ccfg->beacon_period = cpu_to_le16(priv->beacon_period);
Reported by FlawFinder.
drivers/net/wireless/ath/wil6210/wmi.c
20 issues
Line: 2635
CWE codes:
562
} __packed evt;
int rc;
memset(&evt, 0, sizeof(evt));
if (wdev->iftype == NL80211_IFTYPE_MONITOR) {
struct ieee80211_channel *ch = wil->monitor_chandef.chan;
cmd.sniffer_cfg.mode = cpu_to_le32(WMI_SNIFFER_ON);
Reported by Cppcheck.
Line: 2662
CWE codes:
562
/* typical time for secure PCP is 840ms */
rc = wmi_call(wil, WMI_CFG_RX_CHAIN_CMDID, vif->mid, &cmd, sizeof(cmd),
WMI_CFG_RX_CHAIN_DONE_EVENTID, &evt, sizeof(evt), 2000);
if (rc)
return rc;
if (le32_to_cpu(evt.evt.status) != WMI_CFG_RX_CHAIN_SUCCESS)
rc = -EINVAL;
Reported by Cppcheck.
Line: 3652
CWE codes:
562
memcpy(cmd->payload, buf, len);
rc = wmi_call(wil, WMI_SW_TX_REQ_CMDID, vif->mid, cmd, total,
WMI_SW_TX_COMPLETE_EVENTID, &evt, sizeof(evt), 2000);
if (!rc && evt.evt.status != WMI_FW_STATUS_SUCCESS) {
wil_dbg_wmi(wil, "mgmt_tx failed with status %d\n",
evt.evt.status);
rc = -EAGAIN;
}
Reported by Cppcheck.
Line: 3706
CWE codes:
562
cmd->duration_ms = cpu_to_le16(duration_ms);
rc = wmi_call(wil, WMI_SW_TX_REQ_EXT_CMDID, vif->mid, cmd, total,
WMI_SW_TX_COMPLETE_EVENTID, &evt, sizeof(evt), 2000);
if (!rc && evt.evt.status != WMI_FW_STATUS_SUCCESS) {
wil_dbg_wmi(wil, "mgmt_tx_ext failed with status %d\n",
evt.evt.status);
rc = -EAGAIN;
}
Reported by Cppcheck.
Line: 4039
CWE codes:
562
if (rssi_thold > S8_MAX || rssi_thold < S8_MIN || rssi_hyst > U8_MAX)
return -EINVAL;
rc = wmi_call(wil, WMI_SET_LINK_MONITOR_CMDID, vif->mid, &cmd,
sizeof(cmd), WMI_SET_LINK_MONITOR_EVENTID,
&reply, sizeof(reply), WIL_WMI_CALL_GENERAL_TO_MS);
if (rc) {
wil_err(wil, "WMI_SET_LINK_MONITOR_CMDID failed, rc %d\n", rc);
return rc;
Reported by Cppcheck.
Line: 1995
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (wil->reply_id && wil->reply_id == id &&
wil->reply_mid == mid) {
if (wil->reply_buf) {
memcpy(wil->reply_buf, wmi,
min(len, wil->reply_size));
immed_reply = true;
}
if (id == WMI_TRAFFIC_SUSPEND_EVENTID) {
wil_dbg_wmi(wil,
Reported by FlawFinder.
Line: 2288
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ssid_len > sizeof(cmd.ssid))
return -EINVAL;
memcpy(cmd.ssid, ssid, ssid_len);
return wmi_send(wil, WMI_SET_SSID_CMDID, vif->mid, &cmd, sizeof(cmd));
}
int wmi_get_ssid(struct wil6210_vif *vif, u8 *ssid_len, void *ssid)
Reported by FlawFinder.
Line: 2316
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
*ssid_len = len;
memcpy(ssid, reply.cmd.ssid, len);
return 0;
}
int wmi_set_channel(struct wil6210_priv *wil, int channel)
Reported by FlawFinder.
Line: 2459
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
};
if (mac_addr)
memcpy(cmd.mac, mac_addr, WMI_MAC_LEN);
return wmi_send(wil, WMI_DELETE_CIPHER_KEY_CMDID, vif->mid,
&cmd, sizeof(cmd));
}
Reported by FlawFinder.
Line: 2485
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
if (key)
memcpy(cmd.key, key, key_len);
if (mac_addr)
memcpy(cmd.mac, mac_addr, WMI_MAC_LEN);
return wmi_send(wil, WMI_ADD_CIPHER_KEY_CMDID, vif->mid,
Reported by FlawFinder.
drivers/crypto/inside-secure/safexcel_cipher.c
20 issues
Line: 86
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* 32 bit nonce */
cdesc->control_data.token[0] = ctx->nonce;
/* 64 bit IV part */
memcpy(&cdesc->control_data.token[1], iv, 8);
/* 32 bit counter, start at 0 or 1 (big endian!) */
cdesc->control_data.token[3] =
(__force u32)cpu_to_be32(ctx->ctrinit);
return 4;
}
Reported by FlawFinder.
Line: 95
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ctx->alg == SAFEXCEL_CHACHA20) {
cdesc->control_data.options |= EIP197_OPTION_4_TOKEN_IV_CMD;
/* 96 bit nonce part */
memcpy(&cdesc->control_data.token[0], &iv[4], 12);
/* 32 bit counter */
cdesc->control_data.token[3] = *(u32 *)iv;
return 4;
}
Reported by FlawFinder.
Line: 102
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
cdesc->control_data.options |= ctx->ivmask;
memcpy(cdesc->control_data.token, iv, ctx->blocksz);
return ctx->blocksz / sizeof(u32);
}
static void safexcel_skcipher_token(struct safexcel_cipher_ctx *ctx, u8 *iv,
struct safexcel_command_desc *cdesc,
Reported by FlawFinder.
Line: 143
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* 32 bit nonce */
cdesc->control_data.token[0] = ctx->nonce;
/* 64 bit IV part */
memcpy(&cdesc->control_data.token[1], iv, 8);
/* 32 bit counter, start at 0 or 1 (big endian!) */
cdesc->control_data.token[3] =
(__force u32)cpu_to_be32(ctx->ctrinit);
return;
}
Reported by FlawFinder.
Line: 151
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (ctx->xcm == EIP197_XCM_MODE_GCM || ctx->alg == SAFEXCEL_CHACHA20) {
/* 96 bit IV part */
memcpy(&cdesc->control_data.token[0], iv, 12);
/* 32 bit counter, start at 0 or 1 (big endian!) */
cdesc->control_data.token[3] =
(__force u32)cpu_to_be32(ctx->ctrinit);
return;
}
Reported by FlawFinder.
Line: 158
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
/* CBC */
memcpy(cdesc->control_data.token, iv, ctx->blocksz);
}
static void safexcel_aead_token(struct safexcel_cipher_ctx *ctx, u8 *iv,
struct safexcel_command_desc *cdesc,
struct safexcel_token *atoken,
Reported by FlawFinder.
Line: 192
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
((assocadj > 0) << 6) |
((digestsize - 2) << 2));
/* 64 bit IV part */
memcpy(&cdesc->control_data.token[1], iv, 8);
memcpy(cbcmaciv + 4, iv, 8);
/* Start counter at 0 */
cdesc->control_data.token[3] = 0;
/* Message length */
*(__be32 *)(cbcmaciv + 12) = cpu_to_be32(cryptlen);
Reported by FlawFinder.
Line: 193
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
((digestsize - 2) << 2));
/* 64 bit IV part */
memcpy(&cdesc->control_data.token[1], iv, 8);
memcpy(cbcmaciv + 4, iv, 8);
/* Start counter at 0 */
cdesc->control_data.token[3] = 0;
/* Message length */
*(__be32 *)(cbcmaciv + 12) = cpu_to_be32(cryptlen);
} else {
Reported by FlawFinder.
Line: 200
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*(__be32 *)(cbcmaciv + 12) = cpu_to_be32(cryptlen);
} else {
/* Variable length IV part */
memcpy(final_iv, iv, 15 - iv[0]);
memcpy(cbcmaciv, iv, 15 - iv[0]);
/* Start variable length counter at 0 */
memset(final_iv + 15 - iv[0], 0, iv[0] + 1);
memset(cbcmaciv + 15 - iv[0], 0, iv[0] - 1);
/* fixup flags byte */
Reported by FlawFinder.
Line: 201
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
/* Variable length IV part */
memcpy(final_iv, iv, 15 - iv[0]);
memcpy(cbcmaciv, iv, 15 - iv[0]);
/* Start variable length counter at 0 */
memset(final_iv + 15 - iv[0], 0, iv[0] + 1);
memset(cbcmaciv + 15 - iv[0], 0, iv[0] - 1);
/* fixup flags byte */
cbcmaciv[0] |= ((assocadj > 0) << 6) |
Reported by FlawFinder.
include/linux/bcm963xx_tag.h
20 issues
Line: 48
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bcm_tag {
/* 0-3: Version of the image tag */
char tag_version[TAGVER_LEN];
/* 4-23: Company Line 1 */
char sig_1[SIG1_LEN];
/* 24-37: Company Line 2 */
char sig_2[SIG2_LEN];
/* 38-43: Chip this image is for */
Reported by FlawFinder.
Line: 50
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 0-3: Version of the image tag */
char tag_version[TAGVER_LEN];
/* 4-23: Company Line 1 */
char sig_1[SIG1_LEN];
/* 24-37: Company Line 2 */
char sig_2[SIG2_LEN];
/* 38-43: Chip this image is for */
char chip_id[CHIPID_LEN];
/* 44-59: Board name */
Reported by FlawFinder.
Line: 52
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 4-23: Company Line 1 */
char sig_1[SIG1_LEN];
/* 24-37: Company Line 2 */
char sig_2[SIG2_LEN];
/* 38-43: Chip this image is for */
char chip_id[CHIPID_LEN];
/* 44-59: Board name */
char board_id[BOARDID_LEN];
/* 60-61: Map endianness -- 1 BE 0 LE */
Reported by FlawFinder.
Line: 54
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 24-37: Company Line 2 */
char sig_2[SIG2_LEN];
/* 38-43: Chip this image is for */
char chip_id[CHIPID_LEN];
/* 44-59: Board name */
char board_id[BOARDID_LEN];
/* 60-61: Map endianness -- 1 BE 0 LE */
char big_endian[ENDIANFLAG_LEN];
/* 62-71: Total length of image */
Reported by FlawFinder.
Line: 56
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 38-43: Chip this image is for */
char chip_id[CHIPID_LEN];
/* 44-59: Board name */
char board_id[BOARDID_LEN];
/* 60-61: Map endianness -- 1 BE 0 LE */
char big_endian[ENDIANFLAG_LEN];
/* 62-71: Total length of image */
char total_length[IMAGE_LEN];
/* 72-83: Address in memory of CFE */
Reported by FlawFinder.
Line: 58
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 44-59: Board name */
char board_id[BOARDID_LEN];
/* 60-61: Map endianness -- 1 BE 0 LE */
char big_endian[ENDIANFLAG_LEN];
/* 62-71: Total length of image */
char total_length[IMAGE_LEN];
/* 72-83: Address in memory of CFE */
char cfe__address[ADDRESS_LEN];
/* 84-93: Size of CFE */
Reported by FlawFinder.
Line: 60
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 60-61: Map endianness -- 1 BE 0 LE */
char big_endian[ENDIANFLAG_LEN];
/* 62-71: Total length of image */
char total_length[IMAGE_LEN];
/* 72-83: Address in memory of CFE */
char cfe__address[ADDRESS_LEN];
/* 84-93: Size of CFE */
char cfe_length[IMAGE_LEN];
/* 94-105: Address in memory of image start
Reported by FlawFinder.
Line: 62
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 62-71: Total length of image */
char total_length[IMAGE_LEN];
/* 72-83: Address in memory of CFE */
char cfe__address[ADDRESS_LEN];
/* 84-93: Size of CFE */
char cfe_length[IMAGE_LEN];
/* 94-105: Address in memory of image start
* (kernel for OpenWRT, rootfs for stock firmware)
*/
Reported by FlawFinder.
Line: 64
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 72-83: Address in memory of CFE */
char cfe__address[ADDRESS_LEN];
/* 84-93: Size of CFE */
char cfe_length[IMAGE_LEN];
/* 94-105: Address in memory of image start
* (kernel for OpenWRT, rootfs for stock firmware)
*/
char flash_image_start[ADDRESS_LEN];
/* 106-115: Size of rootfs */
Reported by FlawFinder.
Line: 68
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 94-105: Address in memory of image start
* (kernel for OpenWRT, rootfs for stock firmware)
*/
char flash_image_start[ADDRESS_LEN];
/* 106-115: Size of rootfs */
char root_length[IMAGE_LEN];
/* 116-127: Address in memory of kernel */
char kernel_address[ADDRESS_LEN];
/* 128-137: Size of kernel */
Reported by FlawFinder.
drivers/net/wireless/ath/wil6210/debugfs.c
20 issues
Line: 463
CWE codes:
682
switch (tbl[i].type) {
case doff_u32:
debugfs_create_u32(tbl[i].name, tbl[i].mode, dbg,
base + tbl[i].off);
break;
case doff_x32:
debugfs_create_x32(tbl[i].name, tbl[i].mode, dbg,
base + tbl[i].off);
break;
Reported by Cppcheck.
Line: 467
CWE codes:
682
break;
case doff_x32:
debugfs_create_x32(tbl[i].name, tbl[i].mode, dbg,
base + tbl[i].off);
break;
case doff_ulong:
debugfs_create_file_unsafe(tbl[i].name, tbl[i].mode,
dbg, base + tbl[i].off,
&wil_fops_ulong);
Reported by Cppcheck.
Line: 471
CWE codes:
682
break;
case doff_ulong:
debugfs_create_file_unsafe(tbl[i].name, tbl[i].mode,
dbg, base + tbl[i].off,
&wil_fops_ulong);
break;
case doff_io32:
wil_debugfs_create_iomem_x32(tbl[i].name, tbl[i].mode,
dbg, base + tbl[i].off,
Reported by Cppcheck.
Line: 476
CWE codes:
682
break;
case doff_io32:
wil_debugfs_create_iomem_x32(tbl[i].name, tbl[i].mode,
dbg, base + tbl[i].off,
wil);
break;
case doff_u8:
debugfs_create_u8(tbl[i].name, tbl[i].mode, dbg,
base + tbl[i].off);
Reported by Cppcheck.
Line: 481
CWE codes:
682
break;
case doff_u8:
debugfs_create_u8(tbl[i].name, tbl[i].mode, dbg,
base + tbl[i].off);
break;
}
}
}
Reported by Cppcheck.
Line: 151
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int used = (ring->size + swhead - swtail)
% ring->size;
int avail = ring->size - used - 1;
char name[10];
char sidle[10];
/* performance monitoring */
cycles_t now = get_cycles();
uint64_t idle = txdata->idle * 100;
uint64_t total = now - txdata->begin;
Reported by FlawFinder.
Line: 152
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
% ring->size;
int avail = ring->size - used - 1;
char name[10];
char sidle[10];
/* performance monitoring */
cycles_t now = get_cycles();
uint64_t idle = txdata->idle * 100;
uint64_t total = now - txdata->begin;
Reported by FlawFinder.
Line: 333
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
le16_to_cpu(hdr.seq), len,
le16_to_cpu(hdr.type), hdr.flags);
if (len <= MAX_MBOXITEM_SIZE) {
unsigned char databuf[MAX_MBOXITEM_SIZE];
void __iomem *src = wmi_buffer(wil, d.addr) +
sizeof(struct wil6210_mbox_hdr);
/*
* No need to check @src for validity -
* we already validated @d.addr while
Reported by FlawFinder.
Line: 783
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct wil6210_priv *wil = file->private_data;
int rc;
char *kbuf = kmalloc(len + 1, GFP_KERNEL);
char cmd[9];
int p1, p2, p3;
if (!kbuf)
return -ENOMEM;
Reported by FlawFinder.
Line: 880
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct wil6210_priv *wil = file->private_data;
int rc;
char *kbuf = kmalloc(len + 1, GFP_KERNEL);
char cmd[9];
int num_descs, desc_size;
if (!kbuf)
return -ENOMEM;
Reported by FlawFinder.
drivers/scsi/3w-9xxx.c
20 issues
Line: 283
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int twa_aen_drain_queue(TW_Device_Extension *tw_dev, int no_check_reset)
{
int request_id = 0;
unsigned char cdb[TW_MAX_CDB_LEN];
TW_SG_Entry sglist[1];
int finished = 0, count = 0;
TW_Command_Full *full_command_packet;
TW_Command_Apache_Header *header;
unsigned short aen;
Reported by FlawFinder.
Line: 376
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 local_time;
TW_Event *event;
unsigned short aen;
char host[16];
char *error_str;
tw_dev->aen_count++;
/* Fill out event info */
Reported by FlawFinder.
Line: 387
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* Check for clobber */
host[0] = '\0';
if (tw_dev->host) {
sprintf(host, " scsi%d:", tw_dev->host->host_no);
if (event->retrieved == TW_AEN_NOT_RETRIEVED)
tw_dev->aen_clobber = 1;
}
aen = le16_to_cpu(header->status_block.error);
Reported by FlawFinder.
Line: 409
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
header->err_specific_desc[sizeof(header->err_specific_desc) - 1] = '\0';
event->parameter_len = strlen(header->err_specific_desc);
memcpy(event->parameter_data, header->err_specific_desc, event->parameter_len + (error_str[0] == '\0' ? 0 : (1 + strlen(error_str))));
if (event->severity != TW_AEN_SEVERITY_DEBUG)
printk(KERN_WARNING "3w-9xxx:%s AEN: %s (0x%02X:0x%04X): %s:%s.\n",
host,
twa_aen_severity_lookup(TW_SEV_OUT(header->status_block.severity__reserved)),
TW_MESSAGE_SOURCE_CONTROLLER_EVENT, aen,
Reported by FlawFinder.
Line: 428
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* This function will read the aen queue from the isr */
static int twa_aen_read_queue(TW_Device_Extension *tw_dev, int request_id)
{
unsigned char cdb[TW_MAX_CDB_LEN];
TW_SG_Entry sglist[1];
TW_Command_Full *full_command_packet;
int retval = 1;
full_command_packet = tw_dev->command_packet_virt[request_id];
Reported by FlawFinder.
Line: 505
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
local_time = (ktime_get_real_seconds() - (sys_tz.tz_minuteswest * 60));
div_u64_rem(local_time - (3 * 86400), 604800, &schedulertime);
memcpy(param->data, &(__le32){cpu_to_le32(schedulertime)}, sizeof(__le32));
/* Mark internal command */
tw_dev->srb[request_id] = NULL;
/* Now post the command */
Reported by FlawFinder.
Line: 709
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Load request id and sglist for both command types */
twa_load_sgl(tw_dev, full_command_packet, request_id, dma_handle, data_buffer_length_adjusted);
memcpy(tw_dev->command_packet_virt[request_id], &(tw_ioctl->firmware_command), sizeof(TW_Command_Full));
/* Now post the command packet to the controller */
twa_post_command_packet(tw_dev, request_id, 1);
spin_unlock_irqrestore(tw_dev->host->host_lock, flags);
Reported by FlawFinder.
Line: 732
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Now copy in the command packet response */
memcpy(&(tw_ioctl->firmware_command), tw_dev->command_packet_virt[request_id], sizeof(TW_Command_Full));
/* Now complete the io */
spin_lock_irqsave(tw_dev->host->host_lock, flags);
tw_dev->posted_request_count--;
tw_dev->state[request_id] = TW_S_COMPLETED;
Reported by FlawFinder.
Line: 745
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tw_ioctl->driver_command.status = 0;
/* Copy compatibility struct into ioctl data buffer */
tw_compat_info = (TW_Compatibility_Info *)tw_ioctl->data_buffer;
memcpy(tw_compat_info, &tw_dev->tw_compat_info, sizeof(TW_Compatibility_Info));
break;
case TW_IOCTL_GET_LAST_EVENT:
if (tw_dev->event_queue_wrapped) {
if (tw_dev->aen_clobber) {
tw_ioctl->driver_command.status = TW_IOCTL_ERROR_STATUS_AEN_CLOBBER;
Reported by FlawFinder.
Line: 762
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tw_ioctl->driver_command.status = 0;
}
event_index = (tw_dev->error_index - 1 + TW_Q_LENGTH) % TW_Q_LENGTH;
memcpy(tw_ioctl->data_buffer, tw_dev->event_queue[event_index], sizeof(TW_Event));
tw_dev->event_queue[event_index]->retrieved = TW_AEN_RETRIEVED;
break;
case TW_IOCTL_GET_FIRST_EVENT:
if (tw_dev->event_queue_wrapped) {
if (tw_dev->aen_clobber) {
Reported by FlawFinder.