The following issues were found
net/tipc/crypto.c
17 issues
Line: 84
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/* TIPC crypto statistics' header */
static const char *hstats[MAX_STATS] = {"ok", "nok", "async", "async_ok",
"async_nok", "badmsgs", "nokeys",
"switches"};
/* Max TFMs number per key */
int sysctl_tipc_max_tfms __read_mostly = TIPC_MAX_TFMS_DEF;
Reported by FlawFinder.
Line: 159
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 salt;
u8 authsize;
u8 mode;
char hint[2 * TIPC_AEAD_HINT_LEN + 1];
struct rcu_head rcu;
struct tipc_aead_key *key;
u16 gen;
atomic64_t seqno ____cacheline_aligned;
Reported by FlawFinder.
Line: 220
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 rekeying_intv;
struct tipc_crypto_stats __percpu *stats;
char name[48];
atomic64_t sndnxt ____cacheline_aligned;
unsigned long timer1;
unsigned long timer2;
union {
Reported by FlawFinder.
Line: 600
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tmp->cloned = NULL;
tmp->authsize = TIPC_AES_GCM_TAG_SIZE;
tmp->key = kmemdup(ukey, tipc_aead_key_size(ukey), GFP_KERNEL);
memcpy(&tmp->salt, ukey->key + keylen, TIPC_AES_GCM_SALT_SIZE);
atomic_set(&tmp->users, 0);
atomic64_set(&tmp->seqno, 0);
refcount_set(&tmp->refcnt, 1);
*aead = tmp;
Reported by FlawFinder.
Line: 651
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*per_cpu_ptr(src->tfm_entry, cpu);
}
memcpy(aead->hint, src->hint, sizeof(src->hint));
aead->mode = src->mode;
aead->salt = src->salt;
aead->authsize = src->authsize;
atomic_set(&aead->users, 0);
atomic64_set(&aead->seqno, 0);
Reported by FlawFinder.
Line: 804
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
salt ^= __be32_to_cpu(ehdr->addr);
else if (__dnode)
salt ^= tipc_node_get_addr(__dnode);
memcpy(iv, &salt, 4);
memcpy(iv + 4, (u8 *)&ehdr->seqno, 8);
/* Prepare request */
ehsz = tipc_ehdr_size(ehdr);
aead_request_set_tfm(req, tfm);
Reported by FlawFinder.
Line: 805
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else if (__dnode)
salt ^= tipc_node_get_addr(__dnode);
memcpy(iv, &salt, 4);
memcpy(iv + 4, (u8 *)&ehdr->seqno, 8);
/* Prepare request */
ehsz = tipc_ehdr_size(ehdr);
aead_request_set_tfm(req, tfm);
aead_request_set_ad(req, ehsz);
Reported by FlawFinder.
Line: 819
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tx_ctx = (struct tipc_crypto_tx_ctx *)ctx;
tx_ctx->aead = aead;
tx_ctx->bearer = b;
memcpy(&tx_ctx->dst, dst, sizeof(*dst));
/* Hold bearer */
if (unlikely(!tipc_bearer_hold(b))) {
rc = -ENODEV;
goto exit;
Reported by FlawFinder.
Line: 929
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
salt ^= __be32_to_cpu(ehdr->addr);
else if (ehdr->destined)
salt ^= tipc_own_addr(net);
memcpy(iv, &salt, 4);
memcpy(iv + 4, (u8 *)&ehdr->seqno, 8);
/* Prepare request */
ehsz = tipc_ehdr_size(ehdr);
aead_request_set_tfm(req, tfm);
Reported by FlawFinder.
Line: 930
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else if (ehdr->destined)
salt ^= tipc_own_addr(net);
memcpy(iv, &salt, 4);
memcpy(iv + 4, (u8 *)&ehdr->seqno, 8);
/* Prepare request */
ehsz = tipc_ehdr_size(ehdr);
aead_request_set_tfm(req, tfm);
aead_request_set_ad(req, ehsz);
Reported by FlawFinder.
drivers/scsi/dpt_i2o.c
17 issues
Line: 369
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
scb[5] = 0;
// Don't care about the rest of scb
memcpy(mptr, scb, sizeof(scb));
mptr+=4;
lenptr=mptr++; /* Remember me - fill in when we know */
/* Now fill in the SGList and command */
*lenptr = len;
Reported by FlawFinder.
Line: 389
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
// Send it on it's way
rcode = adpt_i2o_post_wait(pHba, msg, reqlen<<2, 120);
if (rcode != 0) {
sprintf(pHba->detail, "Adaptec I2O RAID");
printk(KERN_INFO "%s: Inquiry Error (%d)\n",pHba->name,rcode);
if (rcode != -ETIME && rcode != -EINTR)
dma_free_coherent(&pHba->pDev->dev, 80, buf, addr);
} else {
memset(pHba->detail, 0, sizeof(pHba->detail));
Reported by FlawFinder.
Line: 395
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dma_free_coherent(&pHba->pDev->dev, 80, buf, addr);
} else {
memset(pHba->detail, 0, sizeof(pHba->detail));
memcpy(&(pHba->detail), "Vendor: Adaptec ", 16);
memcpy(&(pHba->detail[16]), " Model: ", 8);
memcpy(&(pHba->detail[24]), (u8*) &buf[16], 16);
memcpy(&(pHba->detail[40]), " FW: ", 4);
memcpy(&(pHba->detail[44]), (u8*) &buf[32], 4);
pHba->detail[48] = '\0'; /* precautionary */
Reported by FlawFinder.
Line: 396
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
memset(pHba->detail, 0, sizeof(pHba->detail));
memcpy(&(pHba->detail), "Vendor: Adaptec ", 16);
memcpy(&(pHba->detail[16]), " Model: ", 8);
memcpy(&(pHba->detail[24]), (u8*) &buf[16], 16);
memcpy(&(pHba->detail[40]), " FW: ", 4);
memcpy(&(pHba->detail[44]), (u8*) &buf[32], 4);
pHba->detail[48] = '\0'; /* precautionary */
dma_free_coherent(&pHba->pDev->dev, 80, buf, addr);
Reported by FlawFinder.
Line: 397
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(pHba->detail, 0, sizeof(pHba->detail));
memcpy(&(pHba->detail), "Vendor: Adaptec ", 16);
memcpy(&(pHba->detail[16]), " Model: ", 8);
memcpy(&(pHba->detail[24]), (u8*) &buf[16], 16);
memcpy(&(pHba->detail[40]), " FW: ", 4);
memcpy(&(pHba->detail[44]), (u8*) &buf[32], 4);
pHba->detail[48] = '\0'; /* precautionary */
dma_free_coherent(&pHba->pDev->dev, 80, buf, addr);
}
Reported by FlawFinder.
Line: 398
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&(pHba->detail), "Vendor: Adaptec ", 16);
memcpy(&(pHba->detail[16]), " Model: ", 8);
memcpy(&(pHba->detail[24]), (u8*) &buf[16], 16);
memcpy(&(pHba->detail[40]), " FW: ", 4);
memcpy(&(pHba->detail[44]), (u8*) &buf[32], 4);
pHba->detail[48] = '\0'; /* precautionary */
dma_free_coherent(&pHba->pDev->dev, 80, buf, addr);
}
adpt_i2o_status_get(pHba);
Reported by FlawFinder.
Line: 399
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&(pHba->detail[16]), " Model: ", 8);
memcpy(&(pHba->detail[24]), (u8*) &buf[16], 16);
memcpy(&(pHba->detail[40]), " FW: ", 4);
memcpy(&(pHba->detail[44]), (u8*) &buf[32], 4);
pHba->detail[48] = '\0'; /* precautionary */
dma_free_coherent(&pHba->pDev->dev, 80, buf, addr);
}
adpt_i2o_status_get(pHba);
return ;
Reported by FlawFinder.
Line: 754
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
adpt_hba* pHba;
int rcode;
char name[32];
pHba = (adpt_hba*)cmd->device->host->hostdata[0];
strncpy(name, pHba->name, sizeof(name));
printk(KERN_WARNING"%s: Hba Reset: scsi id %d: tid: %d\n", name, cmd->device->channel, pHba->channel[cmd->device->channel].tid);
rcode = adpt_hba_reset(pHba);
Reported by FlawFinder.
Line: 977
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
pHba->next = NULL;
pHba->unit = hba_count;
sprintf(pHba->name, "dpti%d", hba_count);
hba_count++;
mutex_unlock(&adpt_configuration_lock);
pHba->pDev = pDev;
Reported by FlawFinder.
Line: 1474
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
d->controller = pHba;
d->next = NULL;
memcpy(&d->lct_data, &lct->lct_entry[i], sizeof(i2o_lct_entry));
d->flags = 0;
tid = d->lct_data.tid;
adpt_i2o_report_hba_unit(pHba, d);
adpt_i2o_install_device(pHba, d);
Reported by FlawFinder.
drivers/pcmcia/i82365.c
17 issues
Line: 1119
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t show_info(struct class_device *class_dev, char *buf)
{
struct i82365_socket *s = container_of(class_dev, struct i82365_socket, socket.dev);
return sprintf(buf, "type: %s\npsock: %d\n",
pcic[s->type].name, s->psock);
}
static ssize_t show_exca(struct class_device *class_dev, char *buf)
{
Reported by FlawFinder.
Line: 1135
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ISA_LOCK(sock, flags);
for (i = 0; i < 0x40; i += 4) {
ret += sprintf(buf, "%02x %02x %02x %02x%s",
i365_get(sock,i), i365_get(sock,i+1),
i365_get(sock,i+2), i365_get(sock,i+3),
((i % 16) == 12) ? "\n" : " ");
buf += ret;
}
Reported by FlawFinder.
Line: 332
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
flip(p->misc2, PD67_MC2_DYNAMIC_MODE, dynamic_mode);
flip(p->misc2, PD67_MC2_FREQ_BYPASS, freq_bypass);
if (p->misc2 & PD67_MC2_IRQ15_RI)
strcat(buf, " [ring]");
if (p->misc2 & PD67_MC2_DYNAMIC_MODE)
strcat(buf, " [dyn mode]");
if (p->misc2 & PD67_MC2_FREQ_BYPASS)
strcat(buf, " [freq bypass]");
if (p->misc1 & PD67_MC1_INPACK_ENA)
Reported by FlawFinder.
Line: 334
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (p->misc2 & PD67_MC2_IRQ15_RI)
strcat(buf, " [ring]");
if (p->misc2 & PD67_MC2_DYNAMIC_MODE)
strcat(buf, " [dyn mode]");
if (p->misc2 & PD67_MC2_FREQ_BYPASS)
strcat(buf, " [freq bypass]");
if (p->misc1 & PD67_MC1_INPACK_ENA)
strcat(buf, " [inpack]");
if (p->misc2 & PD67_MC2_IRQ15_RI)
Reported by FlawFinder.
Line: 336
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (p->misc2 & PD67_MC2_DYNAMIC_MODE)
strcat(buf, " [dyn mode]");
if (p->misc2 & PD67_MC2_FREQ_BYPASS)
strcat(buf, " [freq bypass]");
if (p->misc1 & PD67_MC1_INPACK_ENA)
strcat(buf, " [inpack]");
if (p->misc2 & PD67_MC2_IRQ15_RI)
mask &= ~0x8000;
if (has_led > 0) {
Reported by FlawFinder.
Line: 338
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (p->misc2 & PD67_MC2_FREQ_BYPASS)
strcat(buf, " [freq bypass]");
if (p->misc1 & PD67_MC1_INPACK_ENA)
strcat(buf, " [inpack]");
if (p->misc2 & PD67_MC2_IRQ15_RI)
mask &= ~0x8000;
if (has_led > 0) {
strcat(buf, " [led]");
mask &= ~0x1000;
Reported by FlawFinder.
Line: 342
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (p->misc2 & PD67_MC2_IRQ15_RI)
mask &= ~0x8000;
if (has_led > 0) {
strcat(buf, " [led]");
mask &= ~0x1000;
}
if (has_dma > 0) {
strcat(buf, " [dma]");
mask &= ~0x0600;
Reported by FlawFinder.
Line: 346
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
mask &= ~0x1000;
}
if (has_dma > 0) {
strcat(buf, " [dma]");
mask &= ~0x0600;
}
if (!(t->flags & IS_VIA)) {
if (setup_time >= 0)
p->timer[0] = p->timer[3] = setup_time;
Reported by FlawFinder.
Line: 364
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (recov_time >= 0)
p->timer[2] = p->timer[5] = recov_time;
buf += strlen(buf);
sprintf(buf, " [%d/%d/%d] [%d/%d/%d]", p->timer[0], p->timer[1],
p->timer[2], p->timer[3], p->timer[4], p->timer[5]);
}
return mask;
}
Reported by FlawFinder.
Line: 401
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
flip(p->ctl, VG468_CTL_ASYNC, async_clock);
flip(p->ema, VG469_MODE_CABLE, cable_mode);
if (p->ctl & VG468_CTL_ASYNC)
strcat(buf, " [async]");
if (p->ctl & VG468_CTL_INPACK)
strcat(buf, " [inpack]");
if (socket[s].type == IS_VG469) {
u_char vsel = i365_get(s, VG469_VSELECT);
if (vsel & VG469_VSEL_EXT_STAT) {
Reported by FlawFinder.
drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
17 issues
Line: 3168
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ath_dbg(common, EEPROM,
"Restore at %d: spot=%d offset=%d length=%d\n",
it, spot, offset, length);
memcpy(&mptr[spot], &block[it+2], length);
spot += length;
} else if (length > 0) {
ath_dbg(common, EEPROM,
"Bad restore at %d: spot=%d offset=%d length=%d\n",
it, spot, offset, length);
Reported by FlawFinder.
Line: 3198
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mdata_size, length);
return -1;
}
memcpy(mptr, word + COMP_HDR_LEN, length);
ath_dbg(common, EEPROM,
"restored eeprom %d: uncompressed, length %d\n",
it, length);
break;
case _CompressBlock:
Reported by FlawFinder.
Line: 3212
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
reference);
return -1;
}
memcpy(mptr, eep, mdata_size);
}
ath_dbg(common, EEPROM,
"restore eeprom %d: block, reference %d, length %d\n",
it, reference, length);
ar9300_uncompress_block(ah, mptr, mdata_size,
Reported by FlawFinder.
Line: 3299
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!word)
return -ENOMEM;
memcpy(mptr, &ar9300_default, mdata_size);
read = ar9300_read_eeprom;
if (AR_SREV_9485(ah))
cptr = AR9300_BASE_ADDR_4K;
else if (AR_SREV_9330(ah))
Reported by FlawFinder.
Line: 5485
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ALL_TARGET_HT20_0_8_16;
if (!ah->paprd_table_write_done) {
memcpy(target_power_val_t2_eep, targetPowerValT2,
sizeof(targetPowerValT2));
for (i = 0; i < 24; i++) {
pwr_idx = mcsidx_to_tgtpwridx(i, min_pwridx);
if (ah->paprd_ratemask & (1 << i)) {
if (targetPowerValT2[pwr_idx] &&
Reported by FlawFinder.
Line: 5498
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
}
memcpy(target_power_val_t2_eep, targetPowerValT2,
sizeof(targetPowerValT2));
}
ar9003_hw_set_power_per_rate_table(ah, chan,
targetPowerValT2, cfgCtl,
Reported by FlawFinder.
Line: 5507
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
twiceAntennaReduction,
powerLimit);
memcpy(targetPowerValT2_tpc, targetPowerValT2,
sizeof(targetPowerValT2));
if (ar9003_is_paprd_enabled(ah)) {
for (i = 0; i < ar9300RateSize; i++) {
if ((ah->paprd_ratemask & (1 << i)) &&
Reported by FlawFinder.
Line: 3236
Column: 74
CWE codes:
120
20
return !(*word == 0 || *word == ~0);
}
static bool ar9300_check_eeprom_header(struct ath_hw *ah, eeprom_read_op read,
int base_addr)
{
u8 header[4];
if (!read(ah, base_addr, header, 4))
Reported by FlawFinder.
Line: 3280
Column: 17
CWE codes:
120
20
u16 checksum, mchecksum;
struct ath_common *common = ath9k_hw_common(ah);
struct ar9300_eeprom *eep;
eeprom_read_op read;
if (ath9k_hw_use_flash(ah)) {
u8 txrx;
if (ar9300_eeprom_restore_flash(ah, mptr, mdata_size))
Reported by FlawFinder.
sound/soc/intel/skylake/skl-topology.c
17 issues
Line: 401
Column: 10
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
for (i = 0; i < w->num_kcontrols; i++) {
k = &w->kcontrol_news[i];
if (k->access & SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK) {
sb = (void *) k->private_value;
bc = (struct skl_algo_data *)sb->dobj.private;
if (bc->set_params == SKL_PARAM_SET) {
ret = skl_set_module_params(skl,
Reported by FlawFinder.
Line: 434
Column: 10
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
for (i = 0; i < w->num_kcontrols; i++) {
k = &w->kcontrol_news[i];
if (k->access & SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK) {
sb = (struct soc_bytes_ext *)k->private_value;
bc = (struct skl_algo_data *)sb->dobj.private;
if (bc->set_params != SKL_PARAM_INIT)
continue;
Reported by FlawFinder.
Line: 816
Column: 10
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
for (i = 0; i < w->num_kcontrols; i++) {
k = &w->kcontrol_news[i];
if (k->access & SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK) {
sb = (void *) k->private_value;
bc = (struct skl_algo_data *)sb->dobj.private;
if (bc->set_params == SKL_PARAM_BIND) {
params = kmemdup(bc->params, bc->max, GFP_KERNEL);
Reported by FlawFinder.
Line: 912
Column: 28
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return;
for (i = 0; i < w->num_kcontrols; i++)
if ((w->kcontrol_news[i].access &
SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK) &&
(skl_tplg_find_moduleid_from_uuid(skl,
&w->kcontrol_news[i]) < 0))
dev_err(skl->dev,
"%s: invalid kpb post bind params\n",
Reported by FlawFinder.
Line: 3118
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
case SND_SOC_TPLG_CTL_BYTES:
tplg_bc = container_of(hdr,
struct snd_soc_tplg_bytes_control, hdr);
if (kctl->access & SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK) {
sb = (struct soc_bytes_ext *)kctl->private_value;
if (tplg_bc->priv.size)
return skl_init_algo_data(
bus->dev, sb, tplg_bc);
}
Reported by FlawFinder.
Line: 3129
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
case SND_SOC_TPLG_CTL_ENUM:
tplg_ec = container_of(hdr,
struct snd_soc_tplg_enum_control, hdr);
if (kctl->access & SNDRV_CTL_ELEM_ACCESS_READ) {
se = (struct soc_enum *)kctl->private_value;
if (tplg_ec->priv.size)
skl_init_enum_data(bus->dev, se, tplg_ec);
}
Reported by FlawFinder.
Line: 1521
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mic_cfg->mic_switch = SKL_MIC_SEL_SWITCH;
mic_cfg->flags = 0;
memcpy(sp_cfg->caps, mic_cfg, sp_cfg->caps_size);
return 0;
}
static int skl_tplg_mic_control_set(struct snd_kcontrol *kcontrol,
Reported by FlawFinder.
Line: 1626
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pipe->p_params->format = params->format;
} else {
memcpy(pipe->p_params, params, sizeof(*params));
}
}
/*
* The FE params are passed by hw_params of the DAI.
Reported by FlawFinder.
Line: 2861
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
GFP_KERNEL);
if (!mconfig->formats_config.caps)
return -ENOMEM;
memcpy(mconfig->formats_config.caps, dfw->caps.caps,
dfw->caps.caps_size);
}
return 0;
}
Reported by FlawFinder.
Line: 2935
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
--num_blocks;
} else {
if (mconfig->formats_config.caps_size > 0)
memcpy(mconfig->formats_config.caps, data,
mconfig->formats_config.caps_size);
--num_blocks;
ret = mconfig->formats_config.caps_size;
}
off += ret;
Reported by FlawFinder.
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
17 issues
Line: 807
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = hclge_tqps_get_strings(handle, p);
} else if (stringset == ETH_SS_TEST) {
if (handle->flags & HNAE3_SUPPORT_APP_LOOPBACK) {
memcpy(p, hns3_nic_test_strs[HNAE3_LOOP_APP],
ETH_GSTRING_LEN);
p += ETH_GSTRING_LEN;
}
if (handle->flags & HNAE3_SUPPORT_SERDES_SERIAL_LOOPBACK) {
memcpy(p, hns3_nic_test_strs[HNAE3_LOOP_SERIAL_SERDES],
Reported by FlawFinder.
Line: 812
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p += ETH_GSTRING_LEN;
}
if (handle->flags & HNAE3_SUPPORT_SERDES_SERIAL_LOOPBACK) {
memcpy(p, hns3_nic_test_strs[HNAE3_LOOP_SERIAL_SERDES],
ETH_GSTRING_LEN);
p += ETH_GSTRING_LEN;
}
if (handle->flags & HNAE3_SUPPORT_SERDES_PARALLEL_LOOPBACK) {
memcpy(p,
Reported by FlawFinder.
Line: 817
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p += ETH_GSTRING_LEN;
}
if (handle->flags & HNAE3_SUPPORT_SERDES_PARALLEL_LOOPBACK) {
memcpy(p,
hns3_nic_test_strs[HNAE3_LOOP_PARALLEL_SERDES],
ETH_GSTRING_LEN);
p += ETH_GSTRING_LEN;
}
if (handle->flags & HNAE3_SUPPORT_PHY_LOOPBACK) {
Reported by FlawFinder.
Line: 823
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p += ETH_GSTRING_LEN;
}
if (handle->flags & HNAE3_SUPPORT_PHY_LOOPBACK) {
memcpy(p, hns3_nic_test_strs[HNAE3_LOOP_PHY],
ETH_GSTRING_LEN);
p += ETH_GSTRING_LEN;
}
}
}
Reported by FlawFinder.
Line: 4565
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->hash_config |= (key_offset << HCLGE_RSS_HASH_KEY_OFFSET_B);
key_size = min(HCLGE_RSS_HASH_KEY_NUM, key_counts);
memcpy(req->hash_key,
key + key_offset * HCLGE_RSS_HASH_KEY_NUM, key_size);
key_counts -= key_size;
key_offset++;
ret = hclge_cmd_send(&hdev->hw, &desc, 1);
Reported by FlawFinder.
Line: 4724
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Get the RSS Key required by the user */
if (key)
memcpy(key, vport->rss_hash_key, HCLGE_RSS_KEY_SIZE);
/* Get indirect table */
if (indir)
for (i = 0; i < ae_dev->dev_specs.rss_ind_tbl_size; i++)
indir[i] = vport->rss_indirection_tbl[i];
Reported by FlawFinder.
Line: 4764
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
/* Update the shadow RSS key with user specified qids */
memcpy(vport->rss_hash_key, key, HCLGE_RSS_KEY_SIZE);
vport->rss_algo = hash_algo;
}
/* Update the shadow RSS table with user specified qids */
for (i = 0; i < ae_dev->dev_specs.rss_ind_tbl_size; i++)
Reported by FlawFinder.
Line: 5076
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
vport->rss_indirection_tbl = rss_ind_tbl;
memcpy(vport->rss_hash_key, hclge_hash_key, HCLGE_RSS_KEY_SIZE);
hclge_rss_indir_init_cfg(hdev);
return 0;
}
Reported by FlawFinder.
Line: 5330
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
new_rule->rule_node.next = old_rule->rule_node.next;
new_rule->rule_node.pprev = old_rule->rule_node.pprev;
memcpy(old_rule, new_rule, sizeof(*old_rule));
kfree(new_rule);
break;
case HCLGE_FD_DELETED:
hclge_fd_dec_rule_cnt(hdev, old_rule->location);
hclge_fd_free_node(hdev, old_rule);
Reported by FlawFinder.
Line: 8315
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hclge_cmd_setup_basic_desc(&desc, HCLGE_OPC_MAC_VLAN_REMOVE, false);
memcpy(desc.data, req, sizeof(struct hclge_mac_vlan_tbl_entry_cmd));
ret = hclge_cmd_send(&hdev->hw, &desc, 1);
if (ret) {
dev_err(&hdev->pdev->dev,
"del mac addr failed for cmd_send, ret =%d.\n",
Reported by FlawFinder.
tools/power/acpi/os_specific/service_layers/oslinuxtbl.c
17 issues
Line: 13
#include "acpidump.h"
#define _COMPONENT ACPI_OS_SERVICES
ACPI_MODULE_NAME("oslinuxtbl")
#ifndef PATH_MAX
#define PATH_MAX 256
#endif
/* List of information about obtained ACPI tables */
Reported by Cppcheck.
Line: 411
Column: 7
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
snprintf(format, 32, "%s=%s", keyword, "%llx");
fseek(file, 0, SEEK_SET);
while (fgets(buffer, 80, file)) {
if (sscanf(buffer, format, &address) == 1) {
break;
}
}
return ((acpi_physical_address)(address));
Reported by FlawFinder.
Line: 1352
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* Create the table pathname */
if (instance != 0) {
sprintf(table_filename, "%s/%4.4s%d", pathname,
temp_name, instance);
} else {
sprintf(table_filename, "%s/%4.4s", pathname,
temp_name);
}
Reported by FlawFinder.
Line: 1355
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(table_filename, "%s/%4.4s%d", pathname,
temp_name, instance);
} else {
sprintf(table_filename, "%s/%4.4s", pathname,
temp_name);
}
break;
}
Reported by FlawFinder.
Line: 22
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef struct osl_table_info {
struct osl_table_info *next;
u32 instance;
char signature[ACPI_NAMESEG_SIZE];
} osl_table_info;
/* Local prototypes */
Reported by FlawFinder.
Line: 191
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto exit;
}
memcpy(local_table, mapped_table, table_length);
exit:
osl_unmap_table(mapped_table);
*table = local_table;
return (status);
Reported by FlawFinder.
Line: 404
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static acpi_physical_address
osl_find_rsdp_via_efi_by_keyword(FILE * file, const char *keyword)
{
char buffer[80];
unsigned long long address = 0;
char format[32];
snprintf(format, 32, "%s=%s", keyword, "%llx");
fseek(file, 0, SEEK_SET);
Reported by FlawFinder.
Line: 406
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char buffer[80];
unsigned long long address = 0;
char format[32];
snprintf(format, 32, "%s=%s", keyword, "%llx");
fseek(file, 0, SEEK_SET);
while (fgets(buffer, 80, file)) {
if (sscanf(buffer, format, &address) == 1) {
Reported by FlawFinder.
Line: 436
Column: 9
CWE codes:
362
FILE *file;
acpi_physical_address address = 0;
file = fopen(EFI_SYSTAB, "r");
if (file) {
address = osl_find_rsdp_via_efi_by_keyword(file, "ACPI20");
if (!address) {
address =
osl_find_rsdp_via_efi_by_keyword(file, "ACPI");
Reported by FlawFinder.
Line: 500
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gbl_rsdp_address =
rsdp_base + (ACPI_CAST8(mapped_table) - rsdp_address);
memcpy(&gbl_rsdp, mapped_table, sizeof(struct acpi_table_rsdp));
acpi_os_unmap_memory(rsdp_address, rsdp_size);
return (AE_OK);
}
Reported by FlawFinder.
tools/power/acpi/tools/acpidbg/acpidbg.c
17 issues
Line: 59
Column: 4
CWE codes:
134
Suggestion:
Use a constant for the format specification
do { \
_ret = acpi_aml_##_op(_fd, &acpi_aml_##_buf##_crc); \
if (_ret == 0) { \
fprintf(stderr, \
"%s %s pipe closed.\n", #_buf, #_op); \
return; \
} \
} while (0)
#define ACPI_AML_BATCH_DO(_fd, _op, _buf, _ret) \
Reported by FlawFinder.
Line: 386
Column: 15
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
int len;
int ret = EXIT_SUCCESS;
while ((ch = getopt(argc, argv, "b:f:h")) != -1) {
switch (ch) {
case 'b':
if (acpi_aml_batch_cmd) {
fprintf(stderr, "Already specify %s\n",
acpi_aml_batch_cmd);
Reported by FlawFinder.
Line: 73
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} while (0)
static char acpi_aml_cmd_buf[ACPI_AML_BUF_SIZE];
static char acpi_aml_log_buf[ACPI_AML_BUF_SIZE];
static struct circ_buf acpi_aml_cmd_crc = {
.buf = acpi_aml_cmd_buf,
.head = 0,
.tail = 0,
Reported by FlawFinder.
Line: 74
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char acpi_aml_cmd_buf[ACPI_AML_BUF_SIZE];
static char acpi_aml_log_buf[ACPI_AML_BUF_SIZE];
static struct circ_buf acpi_aml_cmd_crc = {
.buf = acpi_aml_cmd_buf,
.head = 0,
.tail = 0,
};
Reported by FlawFinder.
Line: 147
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = &crc->buf[crc->head];
len = circ_space_to_end(crc);
if (len > remained) {
memcpy(p, acpi_aml_batch_pos, remained);
acpi_aml_batch_pos += remained;
len = remained;
} else {
memcpy(p, acpi_aml_batch_pos, len);
acpi_aml_batch_pos += len;
Reported by FlawFinder.
Line: 151
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
acpi_aml_batch_pos += remained;
len = remained;
} else {
memcpy(p, acpi_aml_batch_pos, len);
acpi_aml_batch_pos += len;
}
if (len > 0)
crc->head = (crc->head + len) & (ACPI_AML_BUF_SIZE - 1);
return len;
Reported by FlawFinder.
Line: 402
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = EXIT_FAILURE;
goto exit;
}
memcpy(acpi_aml_batch_cmd, optarg, len);
acpi_aml_batch_cmd[len] = '\n';
acpi_aml_mode = ACPI_AML_BATCH;
break;
case 'f':
acpi_aml_file_path = optarg;
Reported by FlawFinder.
Line: 422
Column: 7
CWE codes:
362
}
}
fd = open(acpi_aml_file_path, O_RDWR | O_NONBLOCK);
if (fd < 0) {
perror("open");
ret = EXIT_FAILURE;
goto exit;
}
Reported by FlawFinder.
Line: 130
Column: 8
CWE codes:
120
20
p = &crc->buf[crc->head];
len = circ_space_to_end(crc);
len = read(fd, p, len);
if (len < 0)
perror("read");
else if (len > 0)
crc->head = (crc->head + len) & (ACPI_AML_BUF_SIZE - 1);
return len;
Reported by FlawFinder.
Line: 142
Column: 17
CWE codes:
126
{
char *p;
int len;
int remained = strlen(acpi_aml_batch_pos);
p = &crc->buf[crc->head];
len = circ_space_to_end(crc);
if (len > remained) {
memcpy(p, acpi_aml_batch_pos, remained);
Reported by FlawFinder.
tools/power/cpupower/utils/idle_monitor/cpuidle_sysfs.c
17 issues
Line: 85
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!strncmp(tmp, "NHM-", 4)) {
switch (num) {
case 1:
strcpy(tmp, "C1");
break;
case 2:
strcpy(tmp, "C3");
break;
case 3:
Reported by FlawFinder.
Line: 88
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(tmp, "C1");
break;
case 2:
strcpy(tmp, "C3");
break;
case 3:
strcpy(tmp, "C6");
break;
}
Reported by FlawFinder.
Line: 91
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(tmp, "C3");
break;
case 3:
strcpy(tmp, "C6");
break;
}
} else if (!strncmp(tmp, "SNB-", 4)) {
switch (num) {
case 1:
Reported by FlawFinder.
Line: 97
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
} else if (!strncmp(tmp, "SNB-", 4)) {
switch (num) {
case 1:
strcpy(tmp, "C1");
break;
case 2:
strcpy(tmp, "C3");
break;
case 3:
Reported by FlawFinder.
Line: 100
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(tmp, "C1");
break;
case 2:
strcpy(tmp, "C3");
break;
case 3:
strcpy(tmp, "C6");
break;
case 4:
Reported by FlawFinder.
Line: 103
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(tmp, "C3");
break;
case 3:
strcpy(tmp, "C6");
break;
case 4:
strcpy(tmp, "C7");
break;
}
Reported by FlawFinder.
Line: 106
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(tmp, "C6");
break;
case 4:
strcpy(tmp, "C7");
break;
}
} else if (!strncmp(tmp, "ATM-", 4)) {
switch (num) {
case 1:
Reported by FlawFinder.
Line: 112
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
} else if (!strncmp(tmp, "ATM-", 4)) {
switch (num) {
case 1:
strcpy(tmp, "C1");
break;
case 2:
strcpy(tmp, "C2");
break;
case 3:
Reported by FlawFinder.
Line: 115
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(tmp, "C1");
break;
case 2:
strcpy(tmp, "C2");
break;
case 3:
strcpy(tmp, "C4");
break;
case 4:
Reported by FlawFinder.
Line: 118
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(tmp, "C2");
break;
case 3:
strcpy(tmp, "C4");
break;
case 4:
strcpy(tmp, "C6");
break;
}
Reported by FlawFinder.
drivers/net/ethernet/freescale/fec_main.c
17 issues
Line: 2034
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
phy_id = 0;
}
snprintf(phy_name, sizeof(phy_name),
PHY_ID_FMT, mdio_bus_id, phy_id);
phy_dev = phy_connect(ndev, phy_name, &fec_enet_adjust_link,
fep->phy_interface);
}
Reported by FlawFinder.
Line: 192
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
MODULE_DEVICE_TABLE(of, fec_dt_ids);
static unsigned char macaddr[ETH_ALEN];
module_param_array(macaddr, byte, NULL, 0);
MODULE_PARM_DESC(macaddr, "FEC Ethernet MAC address");
#if defined(CONFIG_M5272)
/*
Reported by FlawFinder.
Line: 436
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
index = fec_enet_get_bd_index(bdp, &txq->bd);
if (((unsigned long) bufaddr) & fep->tx_align ||
fep->quirks & FEC_QUIRK_SWAP_FRAME) {
memcpy(txq->tx_bounce[index], bufaddr, frag_len);
bufaddr = txq->tx_bounce[index];
if (fep->quirks & FEC_QUIRK_SWAP_FRAME)
swap_buffer(bufaddr, frag_len);
}
Reported by FlawFinder.
Line: 512
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
index = fec_enet_get_bd_index(bdp, &txq->bd);
if (((unsigned long) bufaddr) & fep->tx_align ||
fep->quirks & FEC_QUIRK_SWAP_FRAME) {
memcpy(txq->tx_bounce[index], skb->data, buflen);
bufaddr = txq->tx_bounce[index];
if (fep->quirks & FEC_QUIRK_SWAP_FRAME)
swap_buffer(bufaddr, buflen);
}
Reported by FlawFinder.
Line: 617
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (((unsigned long) data) & fep->tx_align ||
fep->quirks & FEC_QUIRK_SWAP_FRAME) {
memcpy(txq->tx_bounce[index], data, size);
data = txq->tx_bounce[index];
if (fep->quirks & FEC_QUIRK_SWAP_FRAME)
swap_buffer(data, size);
}
Reported by FlawFinder.
Line: 679
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dmabuf = txq->tso_hdrs_dma + index * TSO_HEADER_SIZE;
if (((unsigned long)bufaddr) & fep->tx_align ||
fep->quirks & FEC_QUIRK_SWAP_FRAME) {
memcpy(txq->tx_bounce[index], skb->data, hdr_len);
bufaddr = txq->tx_bounce[index];
if (fep->quirks & FEC_QUIRK_SWAP_FRAME)
swap_buffer(bufaddr, hdr_len);
Reported by FlawFinder.
Line: 972
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* enet-mac reset will reset mac address registers too,
* so need to reconfigure it.
*/
memcpy(&temp_mac, ndev->dev_addr, ETH_ALEN);
writel((__force u32)cpu_to_be32(temp_mac[0]),
fep->hwp + FEC_ADDR_LOW);
writel((__force u32)cpu_to_be32(temp_mac[1]),
fep->hwp + FEC_ADDR_HIGH);
Reported by FlawFinder.
Line: 1398
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
FEC_ENET_RX_FRSIZE - fep->rx_align,
DMA_FROM_DEVICE);
if (!swap)
memcpy(new_skb->data, (*skb)->data, length);
else
swap_buffer2(new_skb->data, (*skb)->data, length);
*skb = new_skb;
return true;
Reported by FlawFinder.
Line: 1671
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int fec_get_mac(struct net_device *ndev)
{
struct fec_enet_private *fep = netdev_priv(ndev);
unsigned char *iap, tmpaddr[ETH_ALEN];
int ret;
/*
* try to get mac address in following order:
*
Reported by FlawFinder.
Line: 1734
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
}
memcpy(ndev->dev_addr, iap, ETH_ALEN);
/* Adjust MAC if using macaddr */
if (iap == macaddr)
ndev->dev_addr[ETH_ALEN-1] = macaddr[ETH_ALEN-1] + fep->dev_id;
Reported by FlawFinder.