The following issues were found
tools/objtool/elf.c
18 issues
Line: 762
CWE codes:
401
sym->sym.st_name = elf_add_string(elf, NULL, sym->name);
if (sym->sym.st_name == -1)
return NULL;
sym->sym.st_info = GELF_ST_INFO(STB_GLOBAL, STT_NOTYPE);
// st_other 0
// st_shndx 0
// st_value 0
Reported by Cppcheck.
Line: 773
CWE codes:
401
symtab = find_section_by_name(elf, ".symtab");
if (!symtab) {
WARN("can't find .symtab");
return NULL;
}
s = elf_getscn(elf->elf, symtab->idx);
if (!s) {
WARN_ELF("elf_getscn");
Reported by Cppcheck.
Line: 779
CWE codes:
401
s = elf_getscn(elf->elf, symtab->idx);
if (!s) {
WARN_ELF("elf_getscn");
return NULL;
}
data = elf_newdata(s);
if (!data) {
WARN_ELF("elf_newdata");
Reported by Cppcheck.
Line: 785
CWE codes:
401
data = elf_newdata(s);
if (!data) {
WARN_ELF("elf_newdata");
return NULL;
}
data->d_buf = &sym->sym;
data->d_size = sizeof(sym->sym);
data->d_align = 1;
Reported by Cppcheck.
Line: 922
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
return NULL;
}
strcpy(relocname, ".rel");
strcat(relocname, base->name);
sec = elf_create_section(elf, relocname, 0, sizeof(GElf_Rel), 0);
free(relocname);
if (!sec)
return NULL;
Reported by FlawFinder.
Line: 952
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
return NULL;
}
strcpy(relocname, ".rela");
strcat(relocname, base->name);
sec = elf_create_section(elf, relocname, 0, sizeof(GElf_Rela), 0);
free(relocname);
if (!sec)
return NULL;
Reported by FlawFinder.
Line: 426
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Create parent/child links for any cold subfunctions */
list_for_each_entry(sec, &elf->sections, list) {
list_for_each_entry(sym, &sec->symbol_list, list) {
char pname[MAX_NAME_LEN + 1];
size_t pnamelen;
if (sym->type != STT_FUNC)
continue;
if (sym->pfunc == NULL)
Reported by FlawFinder.
Line: 667
Column: 12
CWE codes:
362
INIT_LIST_HEAD(&elf->sections);
elf->fd = open(name, flags);
if (elf->fd == -1) {
fprintf(stderr, "objtool: Can't open '%s': %s\n",
name, strerror(errno));
goto err;
}
Reported by FlawFinder.
Line: 921
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
perror("malloc");
return NULL;
}
strcpy(relocname, ".rel");
strcat(relocname, base->name);
sec = elf_create_section(elf, relocname, 0, sizeof(GElf_Rel), 0);
free(relocname);
if (!sec)
Reported by FlawFinder.
Line: 951
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
perror("malloc");
return NULL;
}
strcpy(relocname, ".rela");
strcat(relocname, base->name);
sec = elf_create_section(elf, relocname, 0, sizeof(GElf_Rela), 0);
free(relocname);
if (!sec)
Reported by FlawFinder.
drivers/net/ethernet/qlogic/qede/qede_ethtool.c
18 issues
Line: 296
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < QEDE_NUM_TQSTATS; i++) {
if (txq->is_xdp)
sprintf(*buf, "%d [XDP]: %s",
QEDE_TXQ_XDP_TO_IDX(edev, txq),
qede_tqstats_arr[i].string);
else
sprintf(*buf, "%d_%d: %s", txq->index, txq->cos,
qede_tqstats_arr[i].string);
Reported by FlawFinder.
Line: 300
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
QEDE_TXQ_XDP_TO_IDX(edev, txq),
qede_tqstats_arr[i].string);
else
sprintf(*buf, "%d_%d: %s", txq->index, txq->cos,
qede_tqstats_arr[i].string);
*buf += ETH_GSTRING_LEN;
}
}
Reported by FlawFinder.
Line: 312
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int i;
for (i = 0; i < QEDE_NUM_RQSTATS; i++) {
sprintf(*buf, "%d: %s", rxq->rxq_id,
qede_rqstats_arr[i].string);
*buf += ETH_GSTRING_LEN;
}
}
Reported by FlawFinder.
Line: 353
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
for (i = 0; i < QEDE_NUM_STATS; i++) {
if (qede_is_irrelevant_stat(edev, i))
continue;
strcpy(buf, qede_stats_arr[i].string);
buf += ETH_GSTRING_LEN;
}
}
static void qede_get_strings(struct net_device *dev, u32 stringset, u8 *buf)
Reported by FlawFinder.
Line: 33
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const struct {
u64 offset;
char string[ETH_GSTRING_LEN];
} qede_rqstats_arr[] = {
QEDE_RQSTAT(rcv_pkts),
QEDE_RQSTAT(rx_hw_errors),
QEDE_RQSTAT(rx_alloc_errors),
QEDE_RQSTAT(rx_ip_frags),
Reported by FlawFinder.
Line: 51
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define QEDE_NUM_TQSTATS ARRAY_SIZE(qede_tqstats_arr)
static const struct {
u64 offset;
char string[ETH_GSTRING_LEN];
} qede_tqstats_arr[] = {
QEDE_TQSTAT(xmit_pkts),
QEDE_TQSTAT(stopped_cnt),
QEDE_TQSTAT(tx_mem_alloc_err),
};
Reported by FlawFinder.
Line: 80
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
BIT(QEDE_STAT_PF_ONLY) | BIT(QEDE_STAT_AH_ONLY))
static const struct {
u64 offset;
char string[ETH_GSTRING_LEN];
unsigned long attr;
#define QEDE_STAT_PF_ONLY 0
#define QEDE_STAT_BB_ONLY 1
#define QEDE_STAT_AH_ONLY 2
} qede_stats_arr[] = {
Reported by FlawFinder.
Line: 174
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
QEDE_PRI_FLAG_LEN,
};
static const char qede_private_arr[QEDE_PRI_FLAG_LEN][ETH_GSTRING_LEN] = {
"Coupled-Function",
"SmartAN capable",
"Recover on error",
};
Reported by FlawFinder.
Line: 190
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
QEDE_ETHTOOL_TEST_MAX
};
static const char qede_tests_str_arr[QEDE_ETHTOOL_TEST_MAX][ETH_GSTRING_LEN] = {
"Internal loopback (offline)",
"Interrupt (online)\t",
"Memory (online)\t\t",
"Register (online)\t",
"Clock (online)\t\t",
Reported by FlawFinder.
Line: 367
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
qede_get_strings_stats(edev, buf);
break;
case ETH_SS_PRIV_FLAGS:
memcpy(buf, qede_private_arr,
ETH_GSTRING_LEN * QEDE_PRI_FLAG_LEN);
break;
case ETH_SS_TEST:
memcpy(buf, qede_tests_str_arr,
ETH_GSTRING_LEN * QEDE_ETHTOOL_TEST_MAX);
Reported by FlawFinder.
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
18 issues
Line: 7998
CWE codes:
476
is_scaling_state_different(const struct dm_connector_state *dm_state,
const struct dm_connector_state *old_dm_state)
{
if (dm_state->scaling != old_dm_state->scaling)
return true;
if (!dm_state->underscan_enable && old_dm_state->underscan_enable) {
if (old_dm_state->underscan_hborder != 0 && old_dm_state->underscan_vborder != 0)
return true;
} else if (dm_state->underscan_enable && !old_dm_state->underscan_enable) {
Reported by Cppcheck.
Line: 7998
CWE codes:
476
is_scaling_state_different(const struct dm_connector_state *dm_state,
const struct dm_connector_state *old_dm_state)
{
if (dm_state->scaling != old_dm_state->scaling)
return true;
if (!dm_state->underscan_enable && old_dm_state->underscan_enable) {
if (old_dm_state->underscan_hborder != 0 && old_dm_state->underscan_vborder != 0)
return true;
} else if (dm_state->underscan_enable && !old_dm_state->underscan_enable) {
Reported by Cppcheck.
Line: 9382
CWE codes:
476
{
struct mod_freesync_config config = {0};
struct amdgpu_dm_connector *aconnector =
to_amdgpu_dm_connector(new_con_state->base.connector);
struct drm_display_mode *mode = &new_crtc_state->base.mode;
int vrefresh = drm_mode_vrefresh(mode);
bool fs_vid_mode = false;
new_crtc_state->vrr_supported = new_con_state->freesync_capable &&
Reported by Cppcheck.
Line: 7998
CWE codes:
476
is_scaling_state_different(const struct dm_connector_state *dm_state,
const struct dm_connector_state *old_dm_state)
{
if (dm_state->scaling != old_dm_state->scaling)
return true;
if (!dm_state->underscan_enable && old_dm_state->underscan_enable) {
if (old_dm_state->underscan_hborder != 0 && old_dm_state->underscan_vborder != 0)
return true;
} else if (dm_state->underscan_enable && !old_dm_state->underscan_enable) {
Reported by Cppcheck.
Line: 9382
CWE codes:
476
{
struct mod_freesync_config config = {0};
struct amdgpu_dm_connector *aconnector =
to_amdgpu_dm_connector(new_con_state->base.connector);
struct drm_display_mode *mode = &new_crtc_state->base.mode;
int vrefresh = drm_mode_vrefresh(mode);
bool fs_vid_mode = false;
new_crtc_state->vrr_supported = new_con_state->freesync_capable &&
Reported by Cppcheck.
Line: 9387
CWE codes:
476
int vrefresh = drm_mode_vrefresh(mode);
bool fs_vid_mode = false;
new_crtc_state->vrr_supported = new_con_state->freesync_capable &&
vrefresh >= aconnector->min_vfreq &&
vrefresh <= aconnector->max_vfreq;
if (new_crtc_state->vrr_supported) {
new_crtc_state->stream->ignore_msa_timing_param = true;
Reported by Cppcheck.
Line: 9707
CWE codes:
476
&new_crtc_state->mode, dm_new_conn_state, dm_new_crtc_state->stream);
/* ABM settings */
dm_new_crtc_state->abm_level = dm_new_conn_state->abm_level;
/*
* Color management settings. We also update color properties
* when a modeset is needed, to ensure it gets reprogrammed.
*/
Reported by Cppcheck.
Line: 645
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} while (notify.pending_notification);
if (adev->dm.dmub_notify)
memcpy(adev->dm.dmub_notify, ¬ify, sizeof(struct dmub_notification));
if (notify.type == DMUB_NOTIFICATION_AUX_REPLY)
complete(&adev->dm.dmub_aux_transfer_done);
// TODO : HPD Implementation
} else {
Reported by FlawFinder.
Line: 753
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*enabled = true;
ret = drm_eld_size(connector->eld);
memcpy(buf, connector->eld, min(max_bytes, ret));
break;
}
drm_connector_list_iter_end(&conn_iter);
Reported by FlawFinder.
Line: 925
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* will be done by dm_dmub_hw_init
*/
if (adev->firmware.load_type != AMDGPU_FW_LOAD_PSP) {
memcpy(fb_info->fb[DMUB_WINDOW_0_INST_CONST].cpu_addr, fw_inst_const,
fw_inst_const_size);
}
if (fw_bss_data_size)
memcpy(fb_info->fb[DMUB_WINDOW_2_BSS_DATA].cpu_addr,
Reported by FlawFinder.
fs/hpfs/ea.c
18 issues
Line: 260
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ea->namelen = strlen(key);
ea->valuelen_lo = size;
ea->valuelen_hi = size >> 8;
strcpy(ea->name, key);
memcpy(ea_data(ea), data, size);
fnode->ea_size_s = cpu_to_le16(le16_to_cpu(fnode->ea_size_s) + strlen(key) + size + 5);
goto ret;
}
/* Most the code here is 99.9993422% unused. I hope there are no bugs.
Reported by FlawFinder.
Line: 19
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
unsigned pos = 0;
while (pos < len) {
char ex[4 + 255 + 1 + 8];
struct extended_attribute *ea = (struct extended_attribute *)ex;
if (pos + 4 > len) {
hpfs_error(s, "EAs don't end correctly, %s %08x, len %08x",
ano ? "anode" : "sectors", a, len);
return;
Reported by FlawFinder.
Line: 80
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned pos;
int ano, len;
secno a;
char ex[4 + 255 + 1 + 8];
struct extended_attribute *ea;
struct extended_attribute *ea_end = fnode_end_ea(fnode);
for (ea = fnode_ea(fnode); ea < ea_end; ea = next_ea(ea))
if (!strcmp(ea->name, key)) {
if (ea_indirect(ea))
Reported by FlawFinder.
Line: 89
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto indirect;
if (ea_valuelen(ea) >= size)
return -EINVAL;
memcpy(buf, ea_data(ea), ea_valuelen(ea));
buf[ea_valuelen(ea)] = 0;
return 0;
}
a = le32_to_cpu(fnode->ea_secno);
len = le32_to_cpu(fnode->ea_size_l);
Reported by FlawFinder.
Line: 146
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_err("out of memory for EA\n");
return NULL;
}
memcpy(ret, ea_data(ea), ea_valuelen(ea));
ret[ea_valuelen(ea)] = 0;
return ret;
}
a = le32_to_cpu(fnode->ea_secno);
len = le32_to_cpu(fnode->ea_size_l);
Reported by FlawFinder.
Line: 155
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ano = fnode_in_anode(fnode);
pos = 0;
while (pos < len) {
char ex[4 + 255 + 1 + 8];
ea = (struct extended_attribute *)ex;
if (pos + 4 > len) {
hpfs_error(s, "EAs don't end correctly, %s %08x, len %08x",
ano ? "anode" : "sectors", a, len);
return NULL;
Reported by FlawFinder.
Line: 198
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned pos;
int ano, len;
secno a;
unsigned char h[4];
struct extended_attribute *ea;
struct extended_attribute *ea_end = fnode_end_ea(fnode);
for (ea = fnode_ea(fnode); ea < ea_end; ea = next_ea(ea))
if (!strcmp(ea->name, key)) {
if (ea_indirect(ea)) {
Reported by FlawFinder.
Line: 207
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ea_len(ea) == size)
set_indirect_ea(s, ea_in_anode(ea), ea_sec(ea), data, size);
} else if (ea_valuelen(ea) == size) {
memcpy(ea_data(ea), data, size);
}
return;
}
a = le32_to_cpu(fnode->ea_secno);
len = le32_to_cpu(fnode->ea_size_l);
Reported by FlawFinder.
Line: 216
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ano = fnode_in_anode(fnode);
pos = 0;
while (pos < len) {
char ex[4 + 255 + 1 + 8];
ea = (struct extended_attribute *)ex;
if (pos + 4 > len) {
hpfs_error(s, "EAs don't end correctly, %s %08x, len %08x",
ano ? "anode" : "sectors", a, len);
return;
Reported by FlawFinder.
Line: 261
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ea->valuelen_lo = size;
ea->valuelen_hi = size >> 8;
strcpy(ea->name, key);
memcpy(ea_data(ea), data, size);
fnode->ea_size_s = cpu_to_le16(le16_to_cpu(fnode->ea_size_s) + strlen(key) + size + 5);
goto ret;
}
/* Most the code here is 99.9993422% unused. I hope there are no bugs.
But what .. HPFS.IFS has also bugs in ea management. */
Reported by FlawFinder.
drivers/md/md-bitmap.c
18 issues
Line: 2528
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
if (mddev_is_clustered(mddev))
return sprintf(page, "clustered\n");
return sprintf(page, "%s\n", (mddev->bitmap_info.external
? "external" : "internal"));
}
static ssize_t metadata_store(struct mddev *mddev, const char *buf, size_t len)
{
Reported by FlawFinder.
Line: 2556
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int len;
spin_lock(&mddev->lock);
if (mddev->bitmap)
len = sprintf(page, "%s\n", (mddev->bitmap->need_sync ?
"false" : "true"));
else
len = sprintf(page, "\n");
spin_unlock(&mddev->lock);
return len;
Reported by FlawFinder.
Line: 564
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* keep the array size field of the bitmap superblock up to date */
sb->sync_size = cpu_to_le64(bitmap->mddev->resync_max_sectors);
memcpy(sb->uuid, bitmap->mddev->uuid, 16);
set_bit(BITMAP_STALE, &bitmap->flags);
sb->state = cpu_to_le32(bitmap->flags);
bitmap->events_cleared = bitmap->mddev->events;
sb->events_cleared = cpu_to_le64(bitmap->mddev->events);
Reported by FlawFinder.
Line: 2139
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bitmap->storage.file = NULL;
if (store.sb_page && bitmap->storage.sb_page)
memcpy(page_address(store.sb_page),
page_address(bitmap->storage.sb_page),
sizeof(bitmap_super_t));
spin_lock_irq(&bitmap->counts.lock);
md_bitmap_file_unmap(&bitmap->storage);
bitmap->storage = store;
Reported by FlawFinder.
Line: 2262
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
ssize_t len;
if (mddev->bitmap_info.file)
len = sprintf(page, "file");
else if (mddev->bitmap_info.offset)
len = sprintf(page, "%+lld", (long long)mddev->bitmap_info.offset);
else
len = sprintf(page, "none");
len += sprintf(page+len, "\n");
Reported by FlawFinder.
Line: 2264
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (mddev->bitmap_info.file)
len = sprintf(page, "file");
else if (mddev->bitmap_info.offset)
len = sprintf(page, "%+lld", (long long)mddev->bitmap_info.offset);
else
len = sprintf(page, "none");
len += sprintf(page+len, "\n");
return len;
}
Reported by FlawFinder.
Line: 2266
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (mddev->bitmap_info.offset)
len = sprintf(page, "%+lld", (long long)mddev->bitmap_info.offset);
else
len = sprintf(page, "none");
len += sprintf(page+len, "\n");
return len;
}
static ssize_t
Reported by FlawFinder.
Line: 2381
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t
space_show(struct mddev *mddev, char *page)
{
return sprintf(page, "%lu\n", mddev->bitmap_info.space);
}
static ssize_t
space_store(struct mddev *mddev, const char *buf, size_t len)
{
Reported by FlawFinder.
Line: 2418
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
unsigned long secs = mddev->bitmap_info.daemon_sleep / HZ;
unsigned long jifs = mddev->bitmap_info.daemon_sleep % HZ;
len = sprintf(page, "%lu", secs);
if (jifs)
len += sprintf(page+len, ".%03u", jiffies_to_msecs(jifs));
len += sprintf(page+len, "\n");
return len;
}
Reported by FlawFinder.
Line: 2420
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len = sprintf(page, "%lu", secs);
if (jifs)
len += sprintf(page+len, ".%03u", jiffies_to_msecs(jifs));
len += sprintf(page+len, "\n");
return len;
}
static ssize_t
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
18 issues
Line: 23
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct iwl_mvm *mvm = file->private_data;
char buf[16];
int pos, budget;
if (!iwl_mvm_is_ctdp_supported(mvm))
return -EOPNOTSUPP;
Reported by FlawFinder.
Line: 212
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct iwl_mvm *mvm = file->private_data;
char buf[16];
int pos;
if (!mvm->temperature_test)
pos = scnprintf(buf , sizeof(buf), "disabled\n");
else
Reported by FlawFinder.
Line: 279
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct iwl_mvm *mvm = file->private_data;
char buf[16];
int pos, ret;
s32 temp;
if (!iwl_mvm_firmware_running(mvm))
return -EIO;
Reported by FlawFinder.
Line: 304
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct iwl_mvm *mvm = file->private_data;
char buf[256];
int pos = 0;
int bufsz = sizeof(buf);
int tbl_idx;
u8 *value;
Reported by FlawFinder.
Line: 346
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct iwl_mvm *mvm = file->private_data;
struct ieee80211_sta *sta;
char buf[400];
int i, pos = 0, bufsz = sizeof(buf);
mutex_lock(&mvm->mutex);
for (i = 0; i < mvm->fw->ucode_capa.num_stations; i++) {
Reported by FlawFinder.
Line: 451
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ieee80211_sta *sta = file->private_data;
struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
char buf[32];
int pos;
pos = scnprintf(buf, sizeof(buf), "current %d ", sta->max_amsdu_len);
pos += scnprintf(buf + pos, sizeof(buf) - pos, "stored %d\n",
mvmsta->orig_amsdu_len);
Reported by FlawFinder.
Line: 466
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct iwl_mvm *mvm = file->private_data;
char buf[64];
int bufsz = sizeof(buf);
int pos = 0;
pos += scnprintf(buf+pos, bufsz-pos, "disable_power_off_d0=%d\n",
mvm->disable_power_off);
Reported by FlawFinder.
Line: 614
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct iwl_mvm *mvm = file->private_data;
struct iwl_bt_coex_ci_cmd *cmd = &mvm->last_bt_ci_cmd;
char buf[256];
int bufsz = sizeof(buf);
int pos = 0;
mutex_lock(&mvm->mutex);
Reported by FlawFinder.
Line: 653
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
iwl_dbgfs_bt_force_ant_write(struct iwl_mvm *mvm, char *buf,
size_t count, loff_t *ppos)
{
static const char * const modes_str[BT_FORCE_ANT_MAX] = {
[BT_FORCE_ANT_DIS] = "dis",
[BT_FORCE_ANT_AUTO] = "auto",
[BT_FORCE_ANT_BT] = "bt",
[BT_FORCE_ANT_WIFI] = "wifi",
};
Reported by FlawFinder.
Line: 1053
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct iwl_mvm *mvm = file->private_data;
int pos = 0;
char buf[32];
const size_t bufsz = sizeof(buf);
/* print which antennas were set for the scan command by the user */
pos += scnprintf(buf + pos, bufsz - pos, "Antennas for scan: ");
if (mvm->scan_rx_ant & ANT_A)
Reported by FlawFinder.
drivers/staging/rtl8723bs/core/rtw_wlan_util.c
18 issues
Line: 25
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned char RALINK_OUI[] = {0x00, 0x0c, 0x43};
static unsigned char REALTEK_OUI[] = {0x00, 0xe0, 0x4c};
static unsigned char AIRGOCAP_OUI[] = {0x00, 0x0a, 0xf5};
static unsigned char RSN_TKIP_CIPHER[4] = {0x00, 0x0f, 0xac, 0x02};
static unsigned char WPA_TKIP_CIPHER[4] = {0x00, 0x50, 0xf2, 0x02};
#define R2T_PHY_DELAY (0)
/* define WAIT_FOR_BCN_TO_MIN (3000) */
Reported by FlawFinder.
Line: 26
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned char REALTEK_OUI[] = {0x00, 0xe0, 0x4c};
static unsigned char AIRGOCAP_OUI[] = {0x00, 0x0a, 0xf5};
static unsigned char RSN_TKIP_CIPHER[4] = {0x00, 0x0f, 0xac, 0x02};
static unsigned char WPA_TKIP_CIPHER[4] = {0x00, 0x50, 0xf2, 0x02};
#define R2T_PHY_DELAY (0)
/* define WAIT_FOR_BCN_TO_MIN (3000) */
#define WAIT_FOR_BCN_TO_MIN (6000)
Reported by FlawFinder.
Line: 186
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void get_rate_set(struct adapter *padapter, unsigned char *pbssrate, int *bssrate_len)
{
unsigned char supportedrates[NumRates];
memset(supportedrates, 0, NumRates);
*bssrate_len = ratetbl2rateset(padapter, supportedrates);
memcpy(pbssrate, supportedrates, *bssrate_len);
}
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(supportedrates, 0, NumRates);
*bssrate_len = ratetbl2rateset(padapter, supportedrates);
memcpy(pbssrate, supportedrates, *bssrate_len);
}
void set_mcs_rate_by_mask(u8 *mcs_set, u32 mask)
{
u8 mcs_rate_1r = (u8)(mask&0xff);
Reported by FlawFinder.
Line: 282
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
#ifdef DBG_CH_SWITCH
const int len = 128;
char msg[128] = {0};
int cnt = 0;
int i = 0;
#endif /* DBG_CH_SWITCH */
struct dvobj_priv *dvobj = adapter_to_dvobj(adapter);
Reported by FlawFinder.
Line: 400
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
__le16 val;
memcpy((unsigned char *)&val, rtw_get_beacon_interval_from_ie(bss->IEs), 2);
return le16_to_cpu(val);
}
int is_client_associated_to_ap(struct adapter *padapter)
Reported by FlawFinder.
Line: 494
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (j = 0; j < 6; j++) {
cmd = _ReadCAM(padapter, addr+j);
if (j > 1) /* get key from cam */
memcpy(get_key+(j-2)*4, &cmd, 4);
}
}
void _write_cam(struct adapter *padapter, u8 entry, u16 ctrl, u8 *mac, u8 *key)
{
Reported by FlawFinder.
Line: 555
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_bh(&cam_ctl->lock);
dvobj->cam_cache[id].ctrl = ctrl;
memcpy(dvobj->cam_cache[id].mac, mac, ETH_ALEN);
memcpy(dvobj->cam_cache[id].key, key, 16);
spin_unlock_bh(&cam_ctl->lock);
}
Reported by FlawFinder.
Line: 556
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dvobj->cam_cache[id].ctrl = ctrl;
memcpy(dvobj->cam_cache[id].mac, mac, ETH_ALEN);
memcpy(dvobj->cam_cache[id].key, key, 16);
spin_unlock_bh(&cam_ctl->lock);
}
void clear_cam_cache(struct adapter *adapter, u8 id)
Reported by FlawFinder.
Line: 758
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!memcmp(&(pmlmeinfo->WMM_param), (pIE->data + 6), sizeof(struct WMM_para_element)))
return false;
else
memcpy(&(pmlmeinfo->WMM_param), (pIE->data + 6), sizeof(struct WMM_para_element));
pmlmeinfo->WMM_enable = 1;
return true;
}
Reported by FlawFinder.
tools/perf/tests/builtin-test.c
18 issues
Line: 590
Column: 8
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
if (verbose)
strncat(script, " -v", sizeof(script) - strlen(script) - 1);
err = system(script);
if (!err)
return TEST_OK;
return WEXITSTATUS(err) == 2 ? TEST_SKIP : TEST_FAIL;
}
Reported by FlawFinder.
Line: 400
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int run_test(struct test *test, int subtest)
{
int status, err = -1, child = dont_fork ? 0 : fork();
char sbuf[STRERR_BUFSIZE];
if (child < 0) {
pr_err("failed to fork test: %s\n",
str_error_r(errno, sbuf, sizeof(sbuf)));
return -1;
Reported by FlawFinder.
Line: 413
Column: 18
CWE codes:
362
pr_debug("test child forked, pid %d\n", getpid());
if (verbose <= 0) {
int nullfd = open("/dev/null", O_WRONLY);
if (nullfd >= 0) {
close(STDERR_FILENO);
close(STDOUT_FILENO);
Reported by FlawFinder.
Line: 498
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *path, const char *name)
{
FILE *fp;
char filename[PATH_MAX];
path__join(filename, sizeof(filename), path, name);
fp = fopen(filename, "r");
if (!fp)
return NULL;
Reported by FlawFinder.
Line: 501
Column: 7
CWE codes:
362
char filename[PATH_MAX];
path__join(filename, sizeof(filename), path, name);
fp = fopen(filename, "r");
if (!fp)
return NULL;
/* Skip shebang */
while (fgetc(fp) != '\n');
Reported by FlawFinder.
Line: 545
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dirent **entlist;
struct dirent *ent;
int n_dirs, e;
char path_dir[PATH_MAX];
const char *path = shell_tests__dir(path_dir, sizeof(path_dir));
int width = 0;
if (path == NULL)
return -1;
Reported by FlawFinder.
Line: 557
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return -1;
for_each_shell_test(entlist, n_dirs, path, ent) {
char bf[256];
const char *desc = shell_test__description(bf, sizeof(bf), path, ent->d_name);
if (desc) {
int len = strlen(desc);
Reported by FlawFinder.
Line: 582
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int shell_test__run(struct test *test, int subdir __maybe_unused)
{
int err;
char script[PATH_MAX];
struct shell_test *st = test->priv;
path__join(script, sizeof(script) - 3, st->dir, st->file);
if (verbose)
Reported by FlawFinder.
Line: 602
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dirent **entlist;
struct dirent *ent;
int n_dirs, e;
char path_dir[PATH_MAX];
struct shell_test st = {
.dir = shell_tests__dir(path_dir, sizeof(path_dir)),
};
if (st.dir == NULL)
Reported by FlawFinder.
Line: 619
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for_each_shell_test(entlist, n_dirs, st.dir, ent) {
int curr = i++;
char desc[256];
struct test test = {
.desc = shell_test__description(desc, sizeof(desc), st.dir, ent->d_name),
.func = shell_test__run,
.priv = &st,
};
Reported by FlawFinder.
drivers/scsi/megaraid/megaraid_sas_base.c
18 issues
Line: 380
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *
format_timestamp(uint32_t timestamp)
{
static char buffer[32];
if ((timestamp & 0xff000000) == 0xff000000)
snprintf(buffer, sizeof(buffer), "boot + %us", timestamp &
0x00ffffff);
else
Reported by FlawFinder.
Line: 393
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *
format_class(int8_t class)
{
static char buffer[6];
switch (class) {
case MFI_EVT_CLASS_DEBUG:
return "debug";
case MFI_EVT_CLASS_PROGRESS:
Reported by FlawFinder.
Line: 1447
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pthru->flags = cpu_to_le16(flags);
pthru->data_xfer_len = cpu_to_le32(scsi_bufflen(scp));
memcpy(pthru->cdb, scp->cmnd, scp->cmd_len);
/*
* If the command is for the tape device, set the
* pthru timeout to the os layer timeout value.
*/
Reported by FlawFinder.
Line: 2440
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_warn(&instance->pdev->dev, "SR-IOV: "
"Got new LD/VF affiliation for scsi%d\n",
instance->host->host_no);
memcpy(instance->vf_affiliation_111,
new_affiliation_111,
sizeof(struct MR_LD_VF_AFFILIATION_111));
retval = 1;
goto out;
}
Reported by FlawFinder.
Line: 2610
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (doscan) {
dev_warn(&instance->pdev->dev, "SR-IOV: Got new LD/VF "
"affiliation for scsi%d\n", instance->host->host_no);
memcpy(instance->vf_affiliation, new_affiliation,
new_affiliation->size);
retval = 1;
}
if (new_affiliation)
Reported by FlawFinder.
Line: 3318
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src_addr = (unsigned long)instance->crash_buf[buff_offset / dmachunk] +
(buff_offset % dmachunk);
memcpy(buf, (void *)src_addr, size);
spin_unlock_irqrestore(&instance->crashdump_lock, flags);
return size;
}
Reported by FlawFinder.
Line: 3668
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (hdr->scsi_status == SAM_STAT_CHECK_CONDITION) {
memset(cmd->scmd->sense_buffer, 0,
SCSI_SENSE_BUFFERSIZE);
memcpy(cmd->scmd->sense_buffer, cmd->sense,
hdr->sense_len);
}
break;
Reported by FlawFinder.
Line: 8277
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* overwritten when we copy from user's frames. So set that value
* alone separately
*/
memcpy(cmd->frame, ioc->frame.raw, 2 * MEGAMFI_FRAME_SIZE);
cmd->frame->hdr.context = cpu_to_le32(cmd->index);
cmd->frame->hdr.pad_0 = 0;
cmd->frame->hdr.flags &= (~MFI_FRAME_IEEE);
Reported by FlawFinder.
Line: 8693
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t support_poll_for_event_show(struct device_driver *dd, char *buf)
{
return sprintf(buf, "%u\n", support_poll_for_event);
}
static DRIVER_ATTR_RO(support_poll_for_event);
static ssize_t support_device_change_show(struct device_driver *dd, char *buf)
{
Reported by FlawFinder.
Line: 8699
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t support_device_change_show(struct device_driver *dd, char *buf)
{
return sprintf(buf, "%u\n", support_device_change);
}
static DRIVER_ATTR_RO(support_device_change);
static ssize_t dbg_lvl_show(struct device_driver *dd, char *buf)
{
Reported by FlawFinder.
drivers/scsi/esas2r/atioctl.h
17 issues
Line: 102
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct __packed atto_param_rw_request {
u16 code;
char data_buffer[512];
};
#define MAX_CHANNEL 256
struct __packed atto_channel_list {
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* CSMI class independent structures */
struct atto_csmi_get_driver_info {
char name[81];
char description[81];
u16 major_rev;
u16 minor_rev;
u16 build_rev;
u16 release_rev;
Reported by FlawFinder.
Line: 191
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* CSMI class independent structures */
struct atto_csmi_get_driver_info {
char name[81];
char description[81];
u16 major_rev;
u16 minor_rev;
u16 build_rev;
u16 release_rev;
u16 csmi_major_rev;
Reported by FlawFinder.
Line: 236
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 reserved[32];
};
char serial_num[81];
u16 major_rev;
u16 minor_rev;
u16 build_rev;
u16 release_rev;
u16 bios_major_rev;
Reported by FlawFinder.
Line: 314
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct atto_csmi_raid_drives {
char model[40];
char firmware[8];
char serial_num[40];
u8 sas_addr[8];
u8 lun[8];
u8 drive_sts;
Reported by FlawFinder.
Line: 315
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct atto_csmi_raid_drives {
char model[40];
char firmware[8];
char serial_num[40];
u8 sas_addr[8];
u8 lun[8];
u8 drive_sts;
#define CSMI_DRV_STS_OK 0
Reported by FlawFinder.
Line: 316
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct atto_csmi_raid_drives {
char model[40];
char firmware[8];
char serial_num[40];
u8 sas_addr[8];
u8 lun[8];
u8 drive_sts;
#define CSMI_DRV_STS_OK 0
#define CSMI_DRV_STS_REBUILDING 1
Reported by FlawFinder.
Line: 588
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
signed char tx_amplitude;
signed char tx_preemphasis;
signed char tx_slew_rate;
signed char tx_reserved[13];
u8 tx_vendor_unique[64];
u32 rx_flags;
#define CSMI_PC_RXF_EQ_DIS 0x00000001
signed char rx_threshold;
Reported by FlawFinder.
Line: 595
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
signed char rx_threshold;
signed char rx_equalization_gain;
signed char rx_reserved[14];
u8 rx_vendor_unique[64];
u32 pattern_flags;
#define CSMI_PC_PATF_FIXED 0x00000001
#define CSMI_PC_PATF_DIS_SCR 0x00000002
#define CSMI_PC_PATF_DIS_ALIGN 0x00000004
Reported by FlawFinder.
Line: 741
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 drvr_rev_minor;
u8 drvr_revsub_minor;
u8 drvr_rev_build;
char drvr_rev_ascii[16];
char drvr_name[32];
char firmware_rev[16];
char flash_rev[16];
char model_name_short[16];
char model_name[32];
Reported by FlawFinder.